--- /dev/null
+From 1ef37deda985778884417708a3fe680eb45d7682 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 22:06:31 +0800
+Subject: acct: fix potential integer overflow in encode_comp_t()
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ]
+
+The integer overflow is descripted with following codes:
+ > 317 static comp_t encode_comp_t(u64 value)
+ > 318 {
+ > 319 int exp, rnd;
+ ......
+ > 341 exp <<= MANTSIZE;
+ > 342 exp += value;
+ > 343 return exp;
+ > 344 }
+
+Currently comp_t is defined as type of '__u16', but the variable 'exp' is
+type of 'int', so overflow would happen when variable 'exp' in line 343 is
+greater than 65535.
+
+Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Zhang Jinhao <zhangjinhao2@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/acct.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/acct.c b/kernel/acct.c
+index 13706356ec54..67bde1633d8f 100644
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -350,6 +350,8 @@ static comp_t encode_comp_t(unsigned long value)
+ exp++;
+ }
+
++ if (exp > (((comp_t) ~0U) >> MANTSIZE))
++ return (comp_t) ~0U;
+ /*
+ * Clean it up and polish it off.
+ */
+--
+2.35.1
+
--- /dev/null
+From a6b61f8ffe0a55e0ca548f4d2d24824ce792dff3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 01:20:08 +0300
+Subject: ACPI: EC: Add quirk for the HP Pavilion Gaming 15-cx0041ur
+
+From: Mia Kanashi <chad@redpilled.dev>
+
+[ Upstream commit b423f240a66ad928c4cb5ec6055dfc90ce8d894e ]
+
+Added GPE quirk entry for the HP Pavilion Gaming 15-cx0041ur.
+There is a quirk entry for the 15-cx0xxx laptops, but this one has
+different DMI_PRODUCT_NAME.
+
+Notably backlight keys and other ACPI events now function correctly.
+
+Signed-off-by: Mia Kanashi <chad@redpilled.dev>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/ec.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index c95e535035a0..fdc760e1e09e 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1879,6 +1879,16 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion Gaming Laptop 15-cx0xxx"),
+ },
+ },
++ {
++ /*
++ * HP Pavilion Gaming Laptop 15-cx0041ur
++ */
++ .callback = ec_honor_dsdt_gpe,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP 15-cx0041ur"),
++ },
++ },
+ {
+ /*
+ * Samsung hardware
+--
+2.35.1
+
--- /dev/null
+From 2d9d366372e0737a7d79681dffc47286850cd38f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 09:46:23 +0800
+Subject: ACPI: irq: Fix some kernel-doc issues
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit ebb92d58b90753e658059f5d8590d9048395491a ]
+
+The following commit change the second parameter of acpi_set_irq_model()
+but forgot to update the function description. Let's fix it.
+
+ commit 7327b16f5f56 ("APCI: irq: Add support for multiple GSI domains")
+
+Also add description of parameter 'gsi' for
+acpi_get_irq_source_fwhandle() to avoid the following build W=1 warning.
+
+ drivers/acpi/irq.c:108: warning: Function parameter or member 'gsi' not described in 'acpi_get_irq_source_fwhandle'
+
+Fixes: 7327b16f5f56 ("APCI: irq: Add support for multiple GSI domains")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/irq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/irq.c b/drivers/acpi/irq.c
+index dabe45eba055..0d9a17fdd83e 100644
+--- a/drivers/acpi/irq.c
++++ b/drivers/acpi/irq.c
+@@ -94,6 +94,7 @@ EXPORT_SYMBOL_GPL(acpi_unregister_gsi);
+ /**
+ * acpi_get_irq_source_fwhandle() - Retrieve fwhandle from IRQ resource source.
+ * @source: acpi_resource_source to use for the lookup.
++ * @gsi: GSI IRQ number
+ *
+ * Description:
+ * Retrieve the fwhandle of the device referenced by the given IRQ resource
+@@ -295,8 +296,8 @@ EXPORT_SYMBOL_GPL(acpi_irq_get);
+ /**
+ * acpi_set_irq_model - Setup the GSI irqdomain information
+ * @model: the value assigned to acpi_irq_model
+- * @fwnode: the irq_domain identifier for mapping and looking up
+- * GSI interrupts
++ * @fn: a dispatcher function that will return the domain fwnode
++ * for a given GSI
+ */
+ void __init acpi_set_irq_model(enum acpi_irq_model_id model,
+ struct fwnode_handle *(*fn)(u32))
+--
+2.35.1
+
--- /dev/null
+From 188a1e4ae5b9ad6ddd3d1913fa66c4691193f394 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 14:32:18 +0800
+Subject: ACPI: pfr_telemetry: use ACPI_FREE() to free acpi_object
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 0f2aa7fc2a9aee05bafb965d5b1638d3e74b4c61 ]
+
+acpi_evaluate_dsm_typed()/acpi_evaluate_dsm() should be coupled
+with ACPI_FREE() to free the ACPI memory, because we need to
+track the allocation of acpi_object when ACPI_DBG_TRACK_ALLOCATIONS
+enabled, so use ACPI_FREE() instead of kfree().
+
+Fixes: b0013e037a8b ("ACPI: Introduce Platform Firmware Runtime Telemetry driver")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Reviewed-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pfr_telemetry.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/pfr_telemetry.c b/drivers/acpi/pfr_telemetry.c
+index 9abf350bd7a5..27fb6cdad75f 100644
+--- a/drivers/acpi/pfr_telemetry.c
++++ b/drivers/acpi/pfr_telemetry.c
+@@ -144,7 +144,7 @@ static int get_pfrt_log_data_info(struct pfrt_log_data_info *data_info,
+ ret = 0;
+
+ free_acpi_buffer:
+- kfree(out_obj);
++ ACPI_FREE(out_obj);
+
+ return ret;
+ }
+@@ -180,7 +180,7 @@ static int set_pfrt_log_level(int level, struct pfrt_log_device *pfrt_log_dev)
+ ret = -EBUSY;
+ }
+
+- kfree(out_obj);
++ ACPI_FREE(out_obj);
+
+ return ret;
+ }
+@@ -218,7 +218,7 @@ static int get_pfrt_log_level(struct pfrt_log_device *pfrt_log_dev)
+ ret = obj->integer.value;
+
+ free_acpi_buffer:
+- kfree(out_obj);
++ ACPI_FREE(out_obj);
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From a212f71f06873c04bb75328c56be29536592dc1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 14:32:19 +0800
+Subject: ACPI: pfr_update: use ACPI_FREE() to free acpi_object
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit e335beed78ec82656dcb554f9fe560709f0dc408 ]
+
+acpi_evaluate_dsm_typed()/acpi_evaluate_dsm() should be coupled with
+ACPI_FREE() to free the ACPI memory, because we need to track the
+allocation of acpi_object when ACPI_DBG_TRACK_ALLOCATIONS enabled,
+so use ACPI_FREE() instead of kfree().
+
+Fixes: 0db89fa243e5 ("ACPI: Introduce Platform Firmware Runtime Update device driver")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Reviewed-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pfr_update.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/pfr_update.c b/drivers/acpi/pfr_update.c
+index 6bb0b778b5da..9d2bdc13253a 100644
+--- a/drivers/acpi/pfr_update.c
++++ b/drivers/acpi/pfr_update.c
+@@ -178,7 +178,7 @@ static int query_capability(struct pfru_update_cap_info *cap_hdr,
+ ret = 0;
+
+ free_acpi_buffer:
+- kfree(out_obj);
++ ACPI_FREE(out_obj);
+
+ return ret;
+ }
+@@ -224,7 +224,7 @@ static int query_buffer(struct pfru_com_buf_info *info,
+ ret = 0;
+
+ free_acpi_buffer:
+- kfree(out_obj);
++ ACPI_FREE(out_obj);
+
+ return ret;
+ }
+@@ -385,7 +385,7 @@ static int start_update(int action, struct pfru_device *pfru_dev)
+ ret = 0;
+
+ free_acpi_buffer:
+- kfree(out_obj);
++ ACPI_FREE(out_obj);
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 4d4d6652d3a41a23e87447ba3b13deb4a581b581 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 00:37:30 -0700
+Subject: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
+
+From: Li Zhong <floridsleeves@gmail.com>
+
+[ Upstream commit 2437513a814b3e93bd02879740a8a06e52e2cf7d ]
+
+The return value of acpi_fetch_acpi_dev() could be NULL, which would
+cause a NULL pointer dereference to occur in acpi_device_hid().
+
+Signed-off-by: Li Zhong <floridsleeves@gmail.com>
+[ rjw: Subject and changelog edits, added empty line after if () ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/processor_idle.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
+index 9f40917c49ef..4d1dd255c122 100644
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -1134,6 +1134,9 @@ static int acpi_processor_get_lpi_info(struct acpi_processor *pr)
+ status = acpi_get_parent(handle, &pr_ahandle);
+ while (ACPI_SUCCESS(status)) {
+ d = acpi_fetch_acpi_dev(pr_ahandle);
++ if (!d)
++ break;
++
+ handle = pr_ahandle;
+
+ if (strcmp(acpi_device_hid(d), ACPI_PROCESSOR_CONTAINER_HID))
+--
+2.35.1
+
--- /dev/null
+From 90e40d23c734df91cedaa911f06b0a86eaa2ee16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Nov 2022 19:24:03 +0100
+Subject: ACPI: x86: Add skip i2c clients quirk for Lenovo Yoga Tab 3 Pro
+ (YT3-X90F)
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit fe820db35275561d8bf86ad19044d40ffc95bc04 ]
+
+The Lenovo Yoga Tab 3 Pro (YT3-X90F) is a x86 (Cherry Trail) tablet which
+ships with Android x86 as factory OS. The Android x86 kernel fork ignores
+I2C devices described in the DSDT, except for the PMIC and Audio codecs.
+
+As usual the Lenovo Yoga Tab 3 Pro's DSDT contains a bunch of extra I2C
+devices which are not actually there, causing various resource conflicts.
+Add an ACPI_QUIRK_SKIP_I2C_CLIENTS quirk for the Lenovo Yoga Tab 3 Pro to
+the acpi_quirk_skip_dmi_ids table to woraround this.
+
+ACPI_QUIRK_SKIP_I2C_CLIENTS handling uses i2c_acpi_known_good_ids[],
+so that PMICs and Audio codecs will still be enumerated properly.
+The Lenovo Yoga Tab 3 Pro uses a Whiskey Cove PMIC, add the INT34D3 HID
+for this PMIC to the i2c_acpi_known_good_ids[] list.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/x86/utils.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index 950a93922ca8..fb999597a3f0 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -308,7 +308,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = {
+ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY),
+ },
+ {
+- /* Lenovo Yoga Tablet 1050F/L */
++ /* Lenovo Yoga Tablet 2 1050F/L */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Intel Corp."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "VALLEYVIEW C0 PLATFORM"),
+@@ -319,6 +319,16 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = {
+ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS |
+ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY),
+ },
++ {
++ /* Lenovo Yoga Tab 3 Pro X90F */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Blade3-10A-001"),
++ },
++ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS |
++ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY),
++ },
+ {
+ /* Nextbook Ares 8 */
+ .matches = {
+@@ -348,6 +358,7 @@ static const struct acpi_device_id i2c_acpi_known_good_ids[] = {
+ { "10EC5640", 0 }, /* RealTek ALC5640 audio codec */
+ { "INT33F4", 0 }, /* X-Powers AXP288 PMIC */
+ { "INT33FD", 0 }, /* Intel Crystal Cove PMIC */
++ { "INT34D3", 0 }, /* Intel Whiskey Cove PMIC */
+ { "NPCE69A", 0 }, /* Asus Transformer keyboard dock */
+ {}
+ };
+--
+2.35.1
+
--- /dev/null
+From 15be295b9d34aa69d052d63920b20240f361c707 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 12:02:02 +0100
+Subject: ACPI: x86: Add skip i2c clients quirk for Medion Lifetab S10346
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit ecc6aaabcedc276128315f57755364106017c606 ]
+
+The Medion Lifetab S10346 is a x86 tablet which ships with Android x86 as
+factory OS. The Android x86 kernel fork ignores I2C devices described in
+the DSDT, except for the PMIC and Audio codecs.
+
+As usual the Medion Lifetab S10346's DSDT contains a bunch of extra I2C
+devices which are not actually there, causing various resource conflicts.
+Add an ACPI_QUIRK_SKIP_I2C_CLIENTS quirk for the Medion Lifetab S10346 to
+the acpi_quirk_skip_dmi_ids table to woraround this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/x86/utils.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index fb999597a3f0..ae60e4aae0ee 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -329,6 +329,17 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = {
+ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS |
+ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY),
+ },
++ {
++ /* Medion Lifetab S10346 */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
++ DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"),
++ /* Way too generic, also match on BIOS data */
++ DMI_MATCH(DMI_BIOS_DATE, "10/22/2015"),
++ },
++ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS |
++ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY),
++ },
+ {
+ /* Nextbook Ares 8 */
+ .matches = {
+--
+2.35.1
+
--- /dev/null
+From 7d1503f178bd7becb0fb9268cd4bebc7f895290e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 18:42:36 +0100
+Subject: ACPICA: Fix error code path in acpi_ds_call_control_method()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 404ec60438add1afadaffaed34bb5fe4ddcadd40 ]
+
+A use-after-free in acpi_ps_parse_aml() after a failing invocaion of
+acpi_ds_call_control_method() is reported by KASAN [1] and code
+inspection reveals that next_walk_state pushed to the thread by
+acpi_ds_create_walk_state() is freed on errors, but it is not popped
+from the thread beforehand. Thus acpi_ds_get_current_walk_state()
+called by acpi_ps_parse_aml() subsequently returns it as the new
+walk state which is incorrect.
+
+To address this, make acpi_ds_call_control_method() call
+acpi_ds_pop_walk_state() to pop next_walk_state from the thread before
+returning an error.
+
+Link: https://lore.kernel.org/linux-acpi/20221019073443.248215-1-chenzhongjin@huawei.com/ # [1]
+Reported-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/dsmethod.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c
+index ae2e768830bf..9332bc688713 100644
+--- a/drivers/acpi/acpica/dsmethod.c
++++ b/drivers/acpi/acpica/dsmethod.c
+@@ -517,7 +517,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
+ info = ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_evaluate_info));
+ if (!info) {
+ status = AE_NO_MEMORY;
+- goto cleanup;
++ goto pop_walk_state;
+ }
+
+ info->parameters = &this_walk_state->operands[0];
+@@ -529,7 +529,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
+
+ ACPI_FREE(info);
+ if (ACPI_FAILURE(status)) {
+- goto cleanup;
++ goto pop_walk_state;
+ }
+
+ next_walk_state->method_nesting_depth =
+@@ -575,6 +575,12 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
+
+ return_ACPI_STATUS(status);
+
++pop_walk_state:
++
++ /* On error, pop the walk state to be deleted from thread */
++
++ acpi_ds_pop_walk_state(thread);
++
+ cleanup:
+
+ /* On error, we must terminate the method properly */
+--
+2.35.1
+
--- /dev/null
+From 5278ccbbacef3a97ca9b08805bc49fc30c8224a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 16:05:14 +0800
+Subject: ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 470188b09e92d83c5a997f25f0e8fb8cd2bc3469 ]
+
+There is an use-after-free reported by KASAN:
+
+ BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
+ Read of size 1 at addr ffff888112afc460 by task modprobe/2111
+ CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+ Call Trace:
+ <TASK>
+ kasan_report+0xae/0xe0
+ acpi_ut_remove_reference+0x3b/0x82
+ acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
+ acpi_ds_store_object_to_local+0x15d/0x3a0
+ acpi_ex_store+0x78d/0x7fd
+ acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
+ acpi_ps_parse_aml+0x217/0x8d5
+ ...
+ </TASK>
+
+The root cause of the problem is that the acpi_operand_object
+is freed when acpi_ut_walk_package_tree() fails in
+acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in
+acpi_ut_copy_iobject_to_iobject(). The problem was introduced
+by "8aa5e56eeb61" commit, this commit is to fix memory leak in
+acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove
+operation, lead to "acpi_operand_object" used after free.
+
+Fix it by removing acpi_ut_remove_reference() in
+acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()
+is called to copy an internal package object into another internal
+package object, when it fails, the memory of acpi_operand_object
+should be freed by the caller.
+
+Fixes: 8aa5e56eeb61 ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/utcopy.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c
+index 400b9e15a709..63c17f420fb8 100644
+--- a/drivers/acpi/acpica/utcopy.c
++++ b/drivers/acpi/acpica/utcopy.c
+@@ -916,13 +916,6 @@ acpi_ut_copy_ipackage_to_ipackage(union acpi_operand_object *source_obj,
+ status = acpi_ut_walk_package_tree(source_obj, dest_obj,
+ acpi_ut_copy_ielement_to_ielement,
+ walk_state);
+- if (ACPI_FAILURE(status)) {
+-
+- /* On failure, delete the destination package object */
+-
+- acpi_ut_remove_reference(dest_obj);
+- }
+-
+ return_ACPI_STATUS(status);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From ad4af94e9662991e626efb0d45138d2a8786be8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 23:01:58 +0800
+Subject: af_unix: call proto_unregister() in the error path in af_unix_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 73e341e0281a35274629e9be27eae2f9b1b492bf ]
+
+If register unix_stream_proto returns error, unix_dgram_proto needs
+be unregistered.
+
+Fixes: 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index d686804119c9..02fad8e8f4cd 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -3724,6 +3724,7 @@ static int __init af_unix_init(void)
+ rc = proto_register(&unix_stream_proto, 1);
+ if (rc != 0) {
+ pr_crit("%s: Cannot create unix_sock SLAB cache!\n", __func__);
++ proto_unregister(&unix_dgram_proto);
+ goto out;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b91924432d94c499f2ac13aaebea40eea4ccd964 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 18:18:48 -0400
+Subject: alpha: fix syscall entry in !AUDUT_SYSCALL case
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit f7b2431a6d22f7a91c567708e071dfcd6d66db14 ]
+
+We only want to take the slow path if SYSCALL_TRACE or SYSCALL_AUDIT is
+set; on !AUDIT_SYSCALL configs the current tree hits it whenever _any_
+thread flag (including NEED_RESCHED, NOTIFY_SIGNAL, etc.) happens to
+be set.
+
+Fixes: a9302e843944 "alpha: Enable system-call auditing support"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/kernel/entry.S | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S
+index e227f3a29a43..c41a5a9c3b9f 100644
+--- a/arch/alpha/kernel/entry.S
++++ b/arch/alpha/kernel/entry.S
+@@ -469,8 +469,10 @@ entSys:
+ #ifdef CONFIG_AUDITSYSCALL
+ lda $6, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+ and $3, $6, $3
+-#endif
+ bne $3, strace
++#else
++ blbs $3, strace /* check for SYSCALL_TRACE in disguise */
++#endif
+ beq $4, 1f
+ ldq $27, 0($5)
+ 1: jsr $26, ($27), sys_ni_syscall
+--
+2.35.1
+
--- /dev/null
+From c6141e464589b0ea68571d7feec2cd009dbd7c7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 18:08:56 -0400
+Subject: alpha: fix TIF_NOTIFY_SIGNAL handling
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit e2c7554cc6d85f95e3c6635f270ec839ab9fe05e ]
+
+it needs to be added to _TIF_WORK_MASK, or we might not reach
+do_work_pending() in the first place...
+
+Fixes: 5a9a8897c253a "alpha: add support for TIF_NOTIFY_SIGNAL"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/include/asm/thread_info.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/alpha/include/asm/thread_info.h b/arch/alpha/include/asm/thread_info.h
+index fdc485d7787a..084c27cb0c70 100644
+--- a/arch/alpha/include/asm/thread_info.h
++++ b/arch/alpha/include/asm/thread_info.h
+@@ -75,7 +75,7 @@ register struct thread_info *__current_thread_info __asm__("$8");
+
+ /* Work to do on interrupt/exception return. */
+ #define _TIF_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
+- _TIF_NOTIFY_RESUME)
++ _TIF_NOTIFY_RESUME | _TIF_NOTIFY_SIGNAL)
+
+ /* Work to do on any return to userspace. */
+ #define _TIF_ALLWORK_MASK (_TIF_WORK_MASK \
+--
+2.35.1
+
--- /dev/null
+From e2fa2c13978843f6452e40991ec9296a3d27999f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 10:14:29 +0800
+Subject: ALSA: asihpi: fix missing pci_disable_device()
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 9d86515c3d4c0564a0c31a2df87d735353a1971e ]
+
+pci_disable_device() need be called while module exiting, switch to use
+pcim_enable(), pci_disable_device() will be called in pcim_release().
+
+Fixes: 3285ea10e9b0 ("ALSA: asihpi - Interrelated HPI tidy up.")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Link: https://lore.kernel.org/r/20221126021429.3029562-1-liushixin2@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
+index bb31b7fe867d..477a5b4b50bc 100644
+--- a/sound/pci/asihpi/hpioctl.c
++++ b/sound/pci/asihpi/hpioctl.c
+@@ -361,7 +361,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
+ pci_dev->device, pci_dev->subsystem_vendor,
+ pci_dev->subsystem_device, pci_dev->devfn);
+
+- if (pci_enable_device(pci_dev) < 0) {
++ if (pcim_enable_device(pci_dev) < 0) {
+ dev_err(&pci_dev->dev,
+ "pci_enable_device failed, disabling device\n");
+ return -EIO;
+--
+2.35.1
+
--- /dev/null
+From 54d56a952bdee2629f30b758be052e5979eea9f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 14:10:04 +0800
+Subject: ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad ]
+
+I got a null-ptr-defer error report when I do the following tests
+on the qemu platform:
+
+make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m,
+CONFIG_SND_MTS64=m
+
+Then making test scripts:
+cat>test_mod1.sh<<EOF
+modprobe snd-mts64
+modprobe snd-mts64
+EOF
+
+Executing the script, perhaps several times, we will get a null-ptr-defer
+report, as follow:
+
+syzkaller:~# ./test_mod.sh
+snd_mts64: probe of snd_mts64.0 failed with error -5
+modprobe: ERROR: could not insert 'snd_mts64': No such device
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ PGD 0 P4D 0
+ Oops: 0002 [#1] PREEMPT SMP PTI
+ CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6
+ Call Trace:
+ <IRQ>
+ snd_mts64_interrupt+0x24/0xa0 [snd_mts64]
+ parport_irq_handler+0x37/0x50 [parport]
+ __handle_irq_event_percpu+0x39/0x190
+ handle_irq_event_percpu+0xa/0x30
+ handle_irq_event+0x2f/0x50
+ handle_edge_irq+0x99/0x1b0
+ __common_interrupt+0x5d/0x100
+ common_interrupt+0xa0/0xc0
+ </IRQ>
+ <TASK>
+ asm_common_interrupt+0x22/0x40
+ RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30
+ parport_claim+0xbd/0x230 [parport]
+ snd_mts64_probe+0x14a/0x465 [snd_mts64]
+ platform_probe+0x3f/0xa0
+ really_probe+0x129/0x2c0
+ __driver_probe_device+0x6d/0xc0
+ driver_probe_device+0x1a/0xa0
+ __device_attach_driver+0x7a/0xb0
+ bus_for_each_drv+0x62/0xb0
+ __device_attach+0xe4/0x180
+ bus_probe_device+0x82/0xa0
+ device_add+0x550/0x920
+ platform_device_add+0x106/0x220
+ snd_mts64_attach+0x2e/0x80 [snd_mts64]
+ port_check+0x14/0x20 [parport]
+ bus_for_each_dev+0x6e/0xc0
+ __parport_register_driver+0x7c/0xb0 [parport]
+ snd_mts64_module_init+0x31/0x1000 [snd_mts64]
+ do_one_initcall+0x3c/0x1f0
+ do_init_module+0x46/0x1c6
+ load_module+0x1d8d/0x1e10
+ __do_sys_finit_module+0xa2/0xf0
+ do_syscall_64+0x37/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ </TASK>
+ Kernel panic - not syncing: Fatal exception in interrupt
+ Rebooting in 1 seconds..
+
+The mts wa not initialized during interrupt, we add check for
+mts to fix this bug.
+
+Fixes: 68ab801e32bb ("[ALSA] Add snd-mts64 driver for ESI Miditerminal 4140")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221206061004.1222966-1-cuigaosheng1@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/drivers/mts64.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c
+index d3bc9e8c407d..f0d34cf70c3e 100644
+--- a/sound/drivers/mts64.c
++++ b/sound/drivers/mts64.c
+@@ -815,6 +815,9 @@ static void snd_mts64_interrupt(void *private)
+ u8 status, data;
+ struct snd_rawmidi_substream *substream;
+
++ if (!mts)
++ return;
++
+ spin_lock(&mts->lock);
+ ret = mts64_read(mts->pardev->port);
+ data = ret & 0x00ff;
+--
+2.35.1
+
--- /dev/null
+From 6c11107421e8f445870ed734b6f0f6259032684a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:00:44 +0800
+Subject: ALSA: pcm: fix undefined behavior in bit shift for
+ SNDRV_PCM_RATE_KNOT
+
+From: Baisong Zhong <zhongbaisong@huawei.com>
+
+[ Upstream commit b5172e62458f8e6ff359e5f096044a488db90ac5 ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in sound/core/pcm_native.c:2676:21
+left shift of 1 by 31 places cannot be represented in type 'int'
+...
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x8d/0xcf
+ ubsan_epilogue+0xa/0x44
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x208
+ snd_pcm_open_substream+0x9f0/0xa90
+ snd_pcm_oss_open.part.26+0x313/0x670
+ snd_pcm_oss_open+0x30/0x40
+ soundcore_open+0x18b/0x2e0
+ chrdev_open+0xe2/0x270
+ do_dentry_open+0x2f7/0x620
+ path_openat+0xd66/0xe70
+ do_filp_open+0xe3/0x170
+ do_sys_openat2+0x357/0x4a0
+ do_sys_open+0x87/0xd0
+ do_syscall_64+0x34/0x80
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
+Link: https://lore.kernel.org/r/20221121110044.3115686-1-zhongbaisong@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/pcm.h | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/include/sound/pcm.h b/include/sound/pcm.h
+index 8c48a5bce88c..25695f5f795a 100644
+--- a/include/sound/pcm.h
++++ b/include/sound/pcm.h
+@@ -106,24 +106,24 @@ struct snd_pcm_ops {
+ #define SNDRV_PCM_POS_XRUN ((snd_pcm_uframes_t)-1)
+
+ /* If you change this don't forget to change rates[] table in pcm_native.c */
+-#define SNDRV_PCM_RATE_5512 (1<<0) /* 5512Hz */
+-#define SNDRV_PCM_RATE_8000 (1<<1) /* 8000Hz */
+-#define SNDRV_PCM_RATE_11025 (1<<2) /* 11025Hz */
+-#define SNDRV_PCM_RATE_16000 (1<<3) /* 16000Hz */
+-#define SNDRV_PCM_RATE_22050 (1<<4) /* 22050Hz */
+-#define SNDRV_PCM_RATE_32000 (1<<5) /* 32000Hz */
+-#define SNDRV_PCM_RATE_44100 (1<<6) /* 44100Hz */
+-#define SNDRV_PCM_RATE_48000 (1<<7) /* 48000Hz */
+-#define SNDRV_PCM_RATE_64000 (1<<8) /* 64000Hz */
+-#define SNDRV_PCM_RATE_88200 (1<<9) /* 88200Hz */
+-#define SNDRV_PCM_RATE_96000 (1<<10) /* 96000Hz */
+-#define SNDRV_PCM_RATE_176400 (1<<11) /* 176400Hz */
+-#define SNDRV_PCM_RATE_192000 (1<<12) /* 192000Hz */
+-#define SNDRV_PCM_RATE_352800 (1<<13) /* 352800Hz */
+-#define SNDRV_PCM_RATE_384000 (1<<14) /* 384000Hz */
+-
+-#define SNDRV_PCM_RATE_CONTINUOUS (1<<30) /* continuous range */
+-#define SNDRV_PCM_RATE_KNOT (1<<31) /* supports more non-continuos rates */
++#define SNDRV_PCM_RATE_5512 (1U<<0) /* 5512Hz */
++#define SNDRV_PCM_RATE_8000 (1U<<1) /* 8000Hz */
++#define SNDRV_PCM_RATE_11025 (1U<<2) /* 11025Hz */
++#define SNDRV_PCM_RATE_16000 (1U<<3) /* 16000Hz */
++#define SNDRV_PCM_RATE_22050 (1U<<4) /* 22050Hz */
++#define SNDRV_PCM_RATE_32000 (1U<<5) /* 32000Hz */
++#define SNDRV_PCM_RATE_44100 (1U<<6) /* 44100Hz */
++#define SNDRV_PCM_RATE_48000 (1U<<7) /* 48000Hz */
++#define SNDRV_PCM_RATE_64000 (1U<<8) /* 64000Hz */
++#define SNDRV_PCM_RATE_88200 (1U<<9) /* 88200Hz */
++#define SNDRV_PCM_RATE_96000 (1U<<10) /* 96000Hz */
++#define SNDRV_PCM_RATE_176400 (1U<<11) /* 176400Hz */
++#define SNDRV_PCM_RATE_192000 (1U<<12) /* 192000Hz */
++#define SNDRV_PCM_RATE_352800 (1U<<13) /* 352800Hz */
++#define SNDRV_PCM_RATE_384000 (1U<<14) /* 384000Hz */
++
++#define SNDRV_PCM_RATE_CONTINUOUS (1U<<30) /* continuous range */
++#define SNDRV_PCM_RATE_KNOT (1U<<31) /* supports more non-continuos rates */
+
+ #define SNDRV_PCM_RATE_8000_44100 (SNDRV_PCM_RATE_8000|SNDRV_PCM_RATE_11025|\
+ SNDRV_PCM_RATE_16000|SNDRV_PCM_RATE_22050|\
+--
+2.35.1
+
--- /dev/null
+From ff57c342d6e4fcaad791762ddabef3d82294c1a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 14:21:22 +0100
+Subject: ALSA: pcm: Set missing stop_operating flag at undoing trigger start
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5c8cc93b06d1ff860327a273abf3ac006290d242 ]
+
+When a PCM trigger-start fails at snd_pcm_do_start(), PCM core tries
+to undo the action at snd_pcm_undo_start() by issuing the trigger STOP
+manually. At that point, we forgot to set the stop_operating flag,
+hence the sync-stop won't be issued at the next prepare or other
+calls.
+
+This patch adds the missing stop_operating flag at
+snd_pcm_undo_start().
+
+Fixes: 1e850beea278 ("ALSA: pcm: Add the support for sync-stop operation")
+Link: https://lore.kernel.org/r/b4e71631-4a94-613-27b2-fb595792630@carlh.net
+Link: https://lore.kernel.org/r/20221205132124.11585-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index ad0541e9e888..ac985cec5c16 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -1432,8 +1432,10 @@ static int snd_pcm_do_start(struct snd_pcm_substream *substream,
+ static void snd_pcm_undo_start(struct snd_pcm_substream *substream,
+ snd_pcm_state_t state)
+ {
+- if (substream->runtime->trigger_master == substream)
++ if (substream->runtime->trigger_master == substream) {
+ substream->ops->trigger(substream, SNDRV_PCM_TRIGGER_STOP);
++ substream->runtime->stop_operating = true;
++ }
+ }
+
+ static void snd_pcm_post_start(struct snd_pcm_substream *substream,
+--
+2.35.1
+
--- /dev/null
+From 61d10460b4b32ce3b2c5182cb1742dd6d9710423 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:16:30 +0800
+Subject: ALSA: seq: fix undefined behavior in bit shift for
+ SNDRV_SEQ_FILTER_USE_EVENT
+
+From: Baisong Zhong <zhongbaisong@huawei.com>
+
+[ Upstream commit cf59e1e4c79bf741905484cdb13c130b53576a16 ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22
+left shift of 1 by 31 places cannot be represented in type 'int'
+...
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x8d/0xcf
+ ubsan_epilogue+0xa/0x44
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x208
+ snd_seq_deliver_single_event.constprop.21+0x191/0x2f0
+ snd_seq_deliver_event+0x1a2/0x350
+ snd_seq_kernel_client_dispatch+0x8b/0xb0
+ snd_seq_client_notify_subscription+0x72/0xa0
+ snd_seq_ioctl_subscribe_port+0x128/0x160
+ snd_seq_kernel_client_ctl+0xce/0xf0
+ snd_seq_oss_create_client+0x109/0x15b
+ alsa_seq_oss_init+0x11c/0x1aa
+ do_one_initcall+0x80/0x440
+ kernel_init_freeable+0x370/0x3c3
+ kernel_init+0x1b/0x190
+ ret_from_fork+0x1f/0x30
+ </TASK>
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
+Link: https://lore.kernel.org/r/20221121111630.3119259-1-zhongbaisong@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/sound/asequencer.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/uapi/sound/asequencer.h b/include/uapi/sound/asequencer.h
+index a75e14edc957..dbd60f48b4b0 100644
+--- a/include/uapi/sound/asequencer.h
++++ b/include/uapi/sound/asequencer.h
+@@ -344,10 +344,10 @@ typedef int __bitwise snd_seq_client_type_t;
+ #define KERNEL_CLIENT ((__force snd_seq_client_type_t) 2)
+
+ /* event filter flags */
+-#define SNDRV_SEQ_FILTER_BROADCAST (1<<0) /* accept broadcast messages */
+-#define SNDRV_SEQ_FILTER_MULTICAST (1<<1) /* accept multicast messages */
+-#define SNDRV_SEQ_FILTER_BOUNCE (1<<2) /* accept bounce event in error */
+-#define SNDRV_SEQ_FILTER_USE_EVENT (1<<31) /* use event filter */
++#define SNDRV_SEQ_FILTER_BROADCAST (1U<<0) /* accept broadcast messages */
++#define SNDRV_SEQ_FILTER_MULTICAST (1U<<1) /* accept multicast messages */
++#define SNDRV_SEQ_FILTER_BOUNCE (1U<<2) /* accept bounce event in error */
++#define SNDRV_SEQ_FILTER_USE_EVENT (1U<<31) /* use event filter */
+
+ struct snd_seq_client_info {
+ int client; /* client number to inquire */
+--
+2.35.1
+
--- /dev/null
+From 58c33fe08fe075e3b6ef980c7f98cfa60dd16e2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 20:10:32 +0530
+Subject: amdgpu/nv.c: Corrected typo in the video capabilities resolution
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Veerabadhran Gopalakrishnan <veerabadhran.gopalakrishnan@amd.com>
+
+[ Upstream commit 65009bf2b4d287ef7ad7e6eb082b7c3d35eb611f ]
+
+Corrected the typo in the 4K resolution parameters.
+
+Fixes: b3a24461f9fb15 ("amdgpu/nv.c - Added codec query for Beige Goby")
+Fixes: 9075096b09e590 ("amdgpu/nv.c - Optimize code for video codec support structure")
+Fixes: 9ac0edaa0f8323 ("drm/amdgpu: add vcn_4_0_0 video codec query")
+
+Signed-off-by: Veerabadhran Gopalakrishnan <veerabadhran.gopalakrishnan@amd.com>
+Acked-by: Luben Tuikov <luben.tuikov@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/nv.c | 28 ++++++++++++++--------------
+ drivers/gpu/drm/amd/amdgpu/soc15.c | 24 ++++++++++++------------
+ drivers/gpu/drm/amd/amdgpu/soc21.c | 2 +-
+ 3 files changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/nv.c b/drivers/gpu/drm/amd/amdgpu/nv.c
+index b3fba8dea63c..6853b93ac82e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/nv.c
++++ b/drivers/gpu/drm/amd/amdgpu/nv.c
+@@ -82,10 +82,10 @@ static const struct amdgpu_video_codecs nv_video_codecs_encode =
+ /* Navi1x */
+ static const struct amdgpu_video_codec_info nv_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4906, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4906, 5)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4906, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+@@ -100,10 +100,10 @@ static const struct amdgpu_video_codecs nv_video_codecs_decode =
+ /* Sienna Cichlid */
+ static const struct amdgpu_video_codec_info sc_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4906, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4906, 5)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4906, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+@@ -125,10 +125,10 @@ static struct amdgpu_video_codec_info sriov_sc_video_codecs_encode_array[] =
+
+ static struct amdgpu_video_codec_info sriov_sc_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4906, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4906, 5)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4906, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+@@ -149,7 +149,7 @@ static struct amdgpu_video_codecs sriov_sc_video_codecs_decode =
+
+ /* Beige Goby*/
+ static const struct amdgpu_video_codec_info bg_video_codecs_decode_array[] = {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+ };
+@@ -166,7 +166,7 @@ static const struct amdgpu_video_codecs bg_video_codecs_encode = {
+
+ /* Yellow Carp*/
+ static const struct amdgpu_video_codec_info yc_video_codecs_decode_array[] = {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+diff --git a/drivers/gpu/drm/amd/amdgpu/soc15.c b/drivers/gpu/drm/amd/amdgpu/soc15.c
+index e3b2b6b4f1a6..7cd17dda32ce 100644
+--- a/drivers/gpu/drm/amd/amdgpu/soc15.c
++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c
+@@ -103,10 +103,10 @@ static const struct amdgpu_video_codecs vega_video_codecs_encode =
+ /* Vega */
+ static const struct amdgpu_video_codec_info vega_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4906, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4906, 5)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4906, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ };
+@@ -120,10 +120,10 @@ static const struct amdgpu_video_codecs vega_video_codecs_decode =
+ /* Raven */
+ static const struct amdgpu_video_codec_info rv_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4906, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4906, 5)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4906, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 4096, 4096, 0)},
+@@ -138,10 +138,10 @@ static const struct amdgpu_video_codecs rv_video_codecs_decode =
+ /* Renoir, Arcturus */
+ static const struct amdgpu_video_codec_info rn_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4906, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4906, 5)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4906, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+diff --git a/drivers/gpu/drm/amd/amdgpu/soc21.c b/drivers/gpu/drm/amd/amdgpu/soc21.c
+index 9c3463b48139..6d21c975b73d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/soc21.c
++++ b/drivers/gpu/drm/amd/amdgpu/soc21.c
+@@ -61,7 +61,7 @@ static const struct amdgpu_video_codecs vcn_4_0_0_video_codecs_encode =
+
+ static const struct amdgpu_video_codec_info vcn_4_0_0_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4906, 52)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+--
+2.35.1
+
--- /dev/null
+From 92386dfdb128ba4c0c4a0261294e0e68f06bc846 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 15:56:57 +0300
+Subject: amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit d27252b5706e51188aed7647126e44dcf9e940c1 ]
+
+In the PP_OD_EDIT_VDDC_CURVE case the "input_index" variable is capped at
+2 but not checked for negative values so it results in an out of bounds
+read. This value comes from the user via sysfs.
+
+Fixes: d5bf26539494 ("drm/amd/powerplay: added vega20 overdrive support V3")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
+index 97b3ad369046..b30684c84e20 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
+@@ -2961,7 +2961,8 @@ static int vega20_odn_edit_dpm_table(struct pp_hwmgr *hwmgr,
+ data->od8_settings.od8_settings_array;
+ OverDriveTable_t *od_table =
+ &(data->smc_state_table.overdrive_table);
+- int32_t input_index, input_clk, input_vol, i;
++ int32_t input_clk, input_vol, i;
++ uint32_t input_index;
+ int od8_id;
+ int ret;
+
+--
+2.35.1
+
--- /dev/null
+From 84c4f473da89d69f1b5a8cac5ec808f943459b79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 09:15:03 +0800
+Subject: apparmor: fix a memleak in multi_transaction_new()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit c73275cf6834787ca090317f1d20dbfa3b7f05aa ]
+
+In multi_transaction_new(), the variable t is not freed or passed out
+on the failure of copy_from_user(t->data, buf, size), which could lead
+to a memleak.
+
+Fix this bug by adding a put_multi_transaction(t) in the error path.
+
+Fixes: 1dea3b41e84c5 ("apparmor: speed up transactional queries")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/apparmorfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index d066ccc219e2..7160e7aa58b9 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -868,8 +868,10 @@ static struct multi_transaction *multi_transaction_new(struct file *file,
+ if (!t)
+ return ERR_PTR(-ENOMEM);
+ kref_init(&t->count);
+- if (copy_from_user(t->data, buf, size))
++ if (copy_from_user(t->data, buf, size)) {
++ put_multi_transaction(t);
+ return ERR_PTR(-EFAULT);
++ }
+
+ return t;
+ }
+--
+2.35.1
+
--- /dev/null
+From 295da1e63c5559d04be9640d56afd6b254c3c390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 May 2022 18:57:12 -0700
+Subject: apparmor: Fix abi check to include v8 abi
+
+From: John Johansen <john.johansen@canonical.com>
+
+[ Upstream commit 1b5a6198f5a9d0aa5497da0dc4bcd4fc166ee516 ]
+
+The v8 abi is supported by the kernel but the userspace supported
+version check does not allow for it. This was missed when v8 was added
+due to a bug in the userspace compiler which was setting an older abi
+version for v8 encoding (which is forward compatible except on the
+network encoding). However it is possible to detect the network
+encoding by checking the policydb network support which the code
+does. The end result was that missing the abi flag worked until
+userspace was fixed and began correctly checking for the v8 abi
+version.
+
+Fixes: 56974a6fcfef ("apparmor: add base infastructure for socket mediation")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 55d31bac4f35..9d26bbb90133 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -972,7 +972,7 @@ static int verify_header(struct aa_ext *e, int required, const char **ns)
+ * if not specified use previous version
+ * Mask off everything that is not kernel abi version
+ */
+- if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v7)) {
++ if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v8)) {
+ audit_iface(NULL, NULL, NULL, "unsupported interface version",
+ e, error);
+ return error;
+--
+2.35.1
+
--- /dev/null
+From 9e947814d074c411885466c988cc3f4473242ce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 03:39:55 -0700
+Subject: apparmor: fix lockdep warning when removing a namespace
+
+From: John Johansen <john.johansen@canonical.com>
+
+[ Upstream commit 9c4557efc558a68e4cd973490fd936d6e3414db8 ]
+
+Fix the following lockdep warning
+
+[ 1119.158984] ============================================
+[ 1119.158988] WARNING: possible recursive locking detected
+[ 1119.158996] 6.0.0-rc1+ #257 Tainted: G E N
+[ 1119.158999] --------------------------------------------
+[ 1119.159001] bash/80100 is trying to acquire lock:
+[ 1119.159007] ffff88803e79b4a0 (&ns->lock/1){+.+.}-{4:4}, at: destroy_ns.part.0+0x43/0x140
+[ 1119.159028]
+ but task is already holding lock:
+[ 1119.159030] ffff8881009764a0 (&ns->lock/1){+.+.}-{4:4}, at: aa_remove_profiles+0x3f0/0x640
+[ 1119.159040]
+ other info that might help us debug this:
+[ 1119.159042] Possible unsafe locking scenario:
+
+[ 1119.159043] CPU0
+[ 1119.159045] ----
+[ 1119.159047] lock(&ns->lock/1);
+[ 1119.159051] lock(&ns->lock/1);
+[ 1119.159055]
+ *** DEADLOCK ***
+
+Which is caused by an incorrect lockdep nesting notation
+
+Fixes: feb3c766a3ab ("apparmor: fix possible recursive lock warning in __aa_create_ns")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 499c0209b6a4..fbdfcef91c61 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1170,7 +1170,7 @@ ssize_t aa_remove_profiles(struct aa_ns *policy_ns, struct aa_label *subj,
+
+ if (!name) {
+ /* remove namespace - can only happen if fqname[0] == ':' */
+- mutex_lock_nested(&ns->parent->lock, ns->level);
++ mutex_lock_nested(&ns->parent->lock, ns->parent->level);
+ __aa_bump_ns_revision(ns);
+ __aa_remove_ns(ns);
+ mutex_unlock(&ns->parent->lock);
+--
+2.35.1
+
--- /dev/null
+From 62f030714c8d7a91596348967fe3171e8a4624f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 20:33:20 +0800
+Subject: apparmor: Fix memleak in alloc_ns()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit e9e6fa49dbab6d84c676666f3fe7d360497fd65b ]
+
+After changes in commit a1bd627b46d1 ("apparmor: share profile name on
+replacement"), the hname member of struct aa_policy is not valid slab
+object, but a subset of that, it can not be freed by kfree_sensitive(),
+use aa_policy_destroy() to fix it.
+
+Fixes: a1bd627b46d1 ("apparmor: share profile name on replacement")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/policy_ns.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c
+index 43beaad083fe..78700d94b453 100644
+--- a/security/apparmor/policy_ns.c
++++ b/security/apparmor/policy_ns.c
+@@ -134,7 +134,7 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
+ return ns;
+
+ fail_unconfined:
+- kfree_sensitive(ns->base.hname);
++ aa_policy_destroy(&ns->base);
+ fail_ns:
+ kfree_sensitive(ns);
+ return NULL;
+--
+2.35.1
+
--- /dev/null
+From 6a5bc45d0ef1a5bcfad8cd1fa77167dd38fb2bf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 04:01:28 -0700
+Subject: apparmor: Fix regression in stacking due to label flags
+
+From: John Johansen <john.johansen@canonical.com>
+
+[ Upstream commit 1f939c6bd1512d0b39b470396740added3cb403f ]
+
+The unconfined label flag is not being computed correctly. It
+should only be set if all the profiles in the vector are set, which
+is different than what is required for the debug and stale flag
+that are set if any on the profile flags are set.
+
+Fixes: c1ed5da19765 ("apparmor: allow label to carry debug flags")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/label.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/security/apparmor/label.c b/security/apparmor/label.c
+index 0f36ee907438..a67c5897ee25 100644
+--- a/security/apparmor/label.c
++++ b/security/apparmor/label.c
+@@ -197,15 +197,18 @@ static bool vec_is_stale(struct aa_profile **vec, int n)
+ return false;
+ }
+
+-static long union_vec_flags(struct aa_profile **vec, int n, long mask)
++static long accum_vec_flags(struct aa_profile **vec, int n)
+ {
+- long u = 0;
++ long u = FLAG_UNCONFINED;
+ int i;
+
+ AA_BUG(!vec);
+
+ for (i = 0; i < n; i++) {
+- u |= vec[i]->label.flags & mask;
++ u |= vec[i]->label.flags & (FLAG_DEBUG1 | FLAG_DEBUG2 |
++ FLAG_STALE);
++ if (!(u & vec[i]->label.flags & FLAG_UNCONFINED))
++ u &= ~FLAG_UNCONFINED;
+ }
+
+ return u;
+@@ -1097,8 +1100,7 @@ static struct aa_label *label_merge_insert(struct aa_label *new,
+ else if (k == b->size)
+ return aa_get_label(b);
+ }
+- new->flags |= union_vec_flags(new->vec, new->size, FLAG_UNCONFINED |
+- FLAG_DEBUG1 | FLAG_DEBUG2);
++ new->flags |= accum_vec_flags(new->vec, new->size);
+ ls = labels_set(new);
+ write_lock_irqsave(&ls->lock, flags);
+ label = __label_insert(labels_set(new), new, false);
+--
+2.35.1
+
--- /dev/null
+From bd01307ed12cb2ad6f15b3556475f84b798eec70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 08:46:04 +0800
+Subject: apparmor: Use pointer to struct aa_label for lbs_cred
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 37923d4321b1e38170086da2c117f78f2b0f49c6 ]
+
+According to the implementations of cred_label() and set_cred_label(),
+we should use pointer to struct aa_label for lbs_cred instead of struct
+aa_task_ctx, this patch fixes it.
+
+Fixes: bbd3662a8348 ("Infrastructure management of the cred security blob")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/lsm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index e29cade7b662..9eb7972e08e4 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -1194,10 +1194,10 @@ static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb
+ #endif
+
+ /*
+- * The cred blob is a pointer to, not an instance of, an aa_task_ctx.
++ * The cred blob is a pointer to, not an instance of, an aa_label.
+ */
+ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
+- .lbs_cred = sizeof(struct aa_task_ctx *),
++ .lbs_cred = sizeof(struct aa_label *),
+ .lbs_file = sizeof(struct aa_file_ctx),
+ .lbs_task = sizeof(struct aa_task_ctx),
+ };
+--
+2.35.1
+
--- /dev/null
+From 495d945f8c1f6c40fe690161ef4fd4da5fadedf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 23:57:36 +0100
+Subject: arch: arm64: apple: t8103: Use standard "iommu" node name
+
+From: Janne Grunau <j@jannau.net>
+
+[ Upstream commit 56d32c51dffac8a431b472a4c31efb8563b048d1 ]
+
+The PCIe iommu nodes use "dart" as node names. Replace it with the
+the standard "iommu" node name as all other iommu nodes.
+
+Fixes: 3c866bb79577 ("arm64: dts: apple: t8103: Add PCIe DARTs")
+Signed-off-by: Janne Grunau <j@jannau.net>
+Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/apple/t8103.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/apple/t8103.dtsi b/arch/arm64/boot/dts/apple/t8103.dtsi
+index 51a63b29d404..a4d195e9eb8c 100644
+--- a/arch/arm64/boot/dts/apple/t8103.dtsi
++++ b/arch/arm64/boot/dts/apple/t8103.dtsi
+@@ -412,7 +412,7 @@ nvme@27bcc0000 {
+ resets = <&ps_ans2>;
+ };
+
+- pcie0_dart_0: dart@681008000 {
++ pcie0_dart_0: iommu@681008000 {
+ compatible = "apple,t8103-dart";
+ reg = <0x6 0x81008000 0x0 0x4000>;
+ #iommu-cells = <1>;
+@@ -421,7 +421,7 @@ pcie0_dart_0: dart@681008000 {
+ power-domains = <&ps_apcie_gp>;
+ };
+
+- pcie0_dart_1: dart@682008000 {
++ pcie0_dart_1: iommu@682008000 {
+ compatible = "apple,t8103-dart";
+ reg = <0x6 0x82008000 0x0 0x4000>;
+ #iommu-cells = <1>;
+@@ -430,7 +430,7 @@ pcie0_dart_1: dart@682008000 {
+ power-domains = <&ps_apcie_gp>;
+ };
+
+- pcie0_dart_2: dart@683008000 {
++ pcie0_dart_2: iommu@683008000 {
+ compatible = "apple,t8103-dart";
+ reg = <0x6 0x83008000 0x0 0x4000>;
+ #iommu-cells = <1>;
+--
+2.35.1
+
--- /dev/null
+From ecfc781996124a942b04d162416dd02c51aefa14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 00:30:49 +0200
+Subject: ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit d9208b0fa2e803d16b28d91bf1d46b7ee9ea13c6 ]
+
+BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
+(PCI-to-PCI bridge) should match BDF in address part in that DT node name
+as specified resource belongs to Marvell PCIe Root Port itself.
+
+Fixes: a09a0b7c6ff1 ("arm: mvebu: add PCIe Device Tree informations for Armada 370")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-370.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi
+index 46e6d3ed8f35..c042c416a94a 100644
+--- a/arch/arm/boot/dts/armada-370.dtsi
++++ b/arch/arm/boot/dts/armada-370.dtsi
+@@ -74,7 +74,7 @@ pcie0: pcie@1,0 {
+
+ pcie2: pcie@2,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
++ assigned-addresses = <0x82001000 0 0x80000 0 0x2000>;
+ reg = <0x1000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+--
+2.35.1
+
--- /dev/null
+From 50e8366a777ca93bf7030251825c7ff05a672a7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 00:30:51 +0200
+Subject: ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 823956d2436f70ced74c0fe8ab99facd8abfc060 ]
+
+BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
+(PCI-to-PCI bridge) should match BDF in address part in that DT node name
+as specified resource belongs to Marvell PCIe Root Port itself.
+
+Fixes: 4de59085091f ("ARM: mvebu: add Device Tree description of the Armada 375 SoC")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-375.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/armada-375.dtsi b/arch/arm/boot/dts/armada-375.dtsi
+index 7f2f24a29e6c..352a2f7ba311 100644
+--- a/arch/arm/boot/dts/armada-375.dtsi
++++ b/arch/arm/boot/dts/armada-375.dtsi
+@@ -582,7 +582,7 @@ pcie0: pcie@1,0 {
+
+ pcie1: pcie@2,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
+ reg = <0x1000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+--
+2.35.1
+
--- /dev/null
+From 4feb30295b59d81bfbc4741c14708aa85e98f7fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 00:30:52 +0200
+Subject: ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 44f47b7a8fa4678ce4c38ea74837e4996b9df6d6 ]
+
+BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
+(PCI-to-PCI bridge) should match BDF in address part in that DT node name
+as specified resource belongs to Marvell PCIe Root Port itself.
+
+Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-380.dtsi | 4 ++--
+ arch/arm/boot/dts/armada-385.dtsi | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-380.dtsi b/arch/arm/boot/dts/armada-380.dtsi
+index cff1269f3fbf..7146cc8f082a 100644
+--- a/arch/arm/boot/dts/armada-380.dtsi
++++ b/arch/arm/boot/dts/armada-380.dtsi
+@@ -79,7 +79,7 @@ pcie@1,0 {
+ /* x1 port */
+ pcie@2,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
+ reg = <0x1000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -98,7 +98,7 @@ pcie@2,0 {
+ /* x1 port */
+ pcie@3,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
+ reg = <0x1800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+diff --git a/arch/arm/boot/dts/armada-385.dtsi b/arch/arm/boot/dts/armada-385.dtsi
+index 83392b92dae2..be8d607c59b2 100644
+--- a/arch/arm/boot/dts/armada-385.dtsi
++++ b/arch/arm/boot/dts/armada-385.dtsi
+@@ -93,7 +93,7 @@ pcie1_intc: interrupt-controller {
+ /* x1 port */
+ pcie2: pcie@2,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
+ reg = <0x1000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -121,7 +121,7 @@ pcie2_intc: interrupt-controller {
+ /* x1 port */
+ pcie3: pcie@3,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
+ reg = <0x1800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -152,7 +152,7 @@ pcie3_intc: interrupt-controller {
+ */
+ pcie4: pcie@4,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
++ assigned-addresses = <0x82002000 0 0x48000 0 0x2000>;
+ reg = <0x2000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+--
+2.35.1
+
--- /dev/null
+From 81f42ba5fcbc242b1755b08791b07c2c21599a5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Jul 2022 20:33:27 +0200
+Subject: ARM: dts: armada-38x: Fix compatible string for gpios
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit c4de4667f15d04ef5920bacf41e514ec7d1ef03d ]
+
+Armada 38x supports per CPU interrupts for gpios, like Armada XP. Pre-XP
+variants like Armada 370 do not support per CPU interrupts for gpios.
+
+So change compatible string for Armada 38x from "marvell,armada-370-gpio"
+which indicates pre-XP variant to "marvell,armadaxp-gpio" which indicates
+XP variant or new.
+
+Driver gpio-mvebu.c which handles both pre-XP and XP variants already
+provides support for per CPU interrupts on XP and newer variants.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: 7cb2acb3fbae ("ARM: dts: mvebu: Add PWM properties for armada-38x")
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-38x.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-38x.dtsi b/arch/arm/boot/dts/armada-38x.dtsi
+index df3c8d1d8f64..9343de6947b3 100644
+--- a/arch/arm/boot/dts/armada-38x.dtsi
++++ b/arch/arm/boot/dts/armada-38x.dtsi
+@@ -292,7 +292,7 @@ sata3_pins: sata-pins-3 {
+ };
+
+ gpio0: gpio@18100 {
+- compatible = "marvell,armada-370-gpio",
++ compatible = "marvell,armadaxp-gpio",
+ "marvell,orion-gpio";
+ reg = <0x18100 0x40>, <0x181c0 0x08>;
+ reg-names = "gpio", "pwm";
+@@ -310,7 +310,7 @@ gpio0: gpio@18100 {
+ };
+
+ gpio1: gpio@18140 {
+- compatible = "marvell,armada-370-gpio",
++ compatible = "marvell,armadaxp-gpio",
+ "marvell,orion-gpio";
+ reg = <0x18140 0x40>, <0x181c8 0x08>;
+ reg-names = "gpio", "pwm";
+--
+2.35.1
+
--- /dev/null
+From e5c2169a03a1f68aa6fc7b0a6b0ccd1d17474404 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 00:30:53 +0200
+Subject: ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 69236d2391b4d7324b11c3252921571577892e7b ]
+
+BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
+(PCI-to-PCI bridge) should match BDF in address part in that DT node name
+as specified resource belongs to Marvell PCIe Root Port itself.
+
+Fixes: 538da83ddbea ("ARM: mvebu: add Device Tree files for Armada 39x SoC and board")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-39x.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-39x.dtsi b/arch/arm/boot/dts/armada-39x.dtsi
+index e0b7c2099831..9525e7b7f436 100644
+--- a/arch/arm/boot/dts/armada-39x.dtsi
++++ b/arch/arm/boot/dts/armada-39x.dtsi
+@@ -453,7 +453,7 @@ pcie@1,0 {
+ /* x1 port */
+ pcie@2,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
+ reg = <0x1000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -472,7 +472,7 @@ pcie@2,0 {
+ /* x1 port */
+ pcie@3,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
+ reg = <0x1800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -494,7 +494,7 @@ pcie@3,0 {
+ */
+ pcie@4,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
++ assigned-addresses = <0x82002000 0 0x48000 0 0x2000>;
+ reg = <0x2000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+--
+2.35.1
+
--- /dev/null
+From 582d7672f4704baaee0039fd242fee9b4b31af69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Jul 2022 20:33:28 +0200
+Subject: ARM: dts: armada-39x: Fix compatible string for gpios
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit d10886a4e6f85ee18d47a1066a52168461370ded ]
+
+Armada 39x supports per CPU interrupts for gpios, like Armada XP.
+
+So add compatible string "marvell,armadaxp-gpio" for Armada 39x GPIO nodes.
+
+Driver gpio-mvebu.c which handles both pre-XP and XP variants already
+provides support for per CPU interrupts on XP and newer variants.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: d81a914fc630 ("ARM: dts: mvebu: armada-39x: add missing nodes describing GPIO's")
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-39x.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-39x.dtsi b/arch/arm/boot/dts/armada-39x.dtsi
+index 9525e7b7f436..9aad10fd3823 100644
+--- a/arch/arm/boot/dts/armada-39x.dtsi
++++ b/arch/arm/boot/dts/armada-39x.dtsi
+@@ -213,7 +213,7 @@ nand_pins: nand-pins {
+ };
+
+ gpio0: gpio@18100 {
+- compatible = "marvell,orion-gpio";
++ compatible = "marvell,armadaxp-gpio", "marvell,orion-gpio";
+ reg = <0x18100 0x40>;
+ ngpios = <32>;
+ gpio-controller;
+@@ -227,7 +227,7 @@ gpio0: gpio@18100 {
+ };
+
+ gpio1: gpio@18140 {
+- compatible = "marvell,orion-gpio";
++ compatible = "marvell,armadaxp-gpio", "marvell,orion-gpio";
+ reg = <0x18140 0x40>;
+ ngpios = <28>;
+ gpio-controller;
+--
+2.35.1
+
--- /dev/null
+From 6aee516fde57dd7435a465dab86f6d3d0976f28d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 00:30:50 +0200
+Subject: ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit eab276787f456cbea89fabea110fe0728673d308 ]
+
+BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
+(PCI-to-PCI bridge) should match BDF in address part in that DT node name
+as specified resource belongs to Marvell PCIe Root Port itself.
+
+Fixes: 9d8f44f02d4a ("arm: mvebu: add PCIe Device Tree informations for Armada XP")
+Fixes: 12b69a599745 ("ARM: mvebu: second PCIe unit of Armada XP mv78230 is only x1 capable")
+Fixes: 2163e61c92d9 ("ARM: mvebu: fix second and third PCIe unit of Armada XP mv78260")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-xp-mv78230.dtsi | 8 ++++----
+ arch/arm/boot/dts/armada-xp-mv78260.dtsi | 16 ++++++++--------
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-xp-mv78230.dtsi b/arch/arm/boot/dts/armada-xp-mv78230.dtsi
+index 8558bf6bb54c..d55fe162fc7f 100644
+--- a/arch/arm/boot/dts/armada-xp-mv78230.dtsi
++++ b/arch/arm/boot/dts/armada-xp-mv78230.dtsi
+@@ -97,7 +97,7 @@ pcie1: pcie@1,0 {
+
+ pcie2: pcie@2,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
+ reg = <0x1000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -115,7 +115,7 @@ pcie2: pcie@2,0 {
+
+ pcie3: pcie@3,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
++ assigned-addresses = <0x82001800 0 0x48000 0 0x2000>;
+ reg = <0x1800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -133,7 +133,7 @@ pcie3: pcie@3,0 {
+
+ pcie4: pcie@4,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>;
++ assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>;
+ reg = <0x2000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -151,7 +151,7 @@ pcie4: pcie@4,0 {
+
+ pcie5: pcie@5,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x80000 0 0x2000>;
++ assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
+ reg = <0x2800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+diff --git a/arch/arm/boot/dts/armada-xp-mv78260.dtsi b/arch/arm/boot/dts/armada-xp-mv78260.dtsi
+index 2d85fe8ac327..fdcc81819940 100644
+--- a/arch/arm/boot/dts/armada-xp-mv78260.dtsi
++++ b/arch/arm/boot/dts/armada-xp-mv78260.dtsi
+@@ -112,7 +112,7 @@ pcie1: pcie@1,0 {
+
+ pcie2: pcie@2,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
+ reg = <0x1000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -130,7 +130,7 @@ pcie2: pcie@2,0 {
+
+ pcie3: pcie@3,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
++ assigned-addresses = <0x82001800 0 0x48000 0 0x2000>;
+ reg = <0x1800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -148,7 +148,7 @@ pcie3: pcie@3,0 {
+
+ pcie4: pcie@4,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>;
++ assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>;
+ reg = <0x2000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -166,7 +166,7 @@ pcie4: pcie@4,0 {
+
+ pcie5: pcie@5,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x80000 0 0x2000>;
++ assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
+ reg = <0x2800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -184,7 +184,7 @@ pcie5: pcie@5,0 {
+
+ pcie6: pcie@6,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x84000 0 0x2000>;
++ assigned-addresses = <0x82003000 0 0x84000 0 0x2000>;
+ reg = <0x3000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -202,7 +202,7 @@ pcie6: pcie@6,0 {
+
+ pcie7: pcie@7,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x88000 0 0x2000>;
++ assigned-addresses = <0x82003800 0 0x88000 0 0x2000>;
+ reg = <0x3800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -220,7 +220,7 @@ pcie7: pcie@7,0 {
+
+ pcie8: pcie@8,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x8c000 0 0x2000>;
++ assigned-addresses = <0x82004000 0 0x8c000 0 0x2000>;
+ reg = <0x4000 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+@@ -238,7 +238,7 @@ pcie8: pcie@8,0 {
+
+ pcie9: pcie@9,0 {
+ device_type = "pci";
+- assigned-addresses = <0x82000800 0 0x42000 0 0x2000>;
++ assigned-addresses = <0x82004800 0 0x42000 0 0x2000>;
+ reg = <0x4800 0 0 0 0>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+--
+2.35.1
+
--- /dev/null
+From 56c05ea3b973deed52f440342ef1e6a52620548b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:55:35 -0500
+Subject: ARM: dts: aspeed: rainier,everest: Move reserved memory regions
+
+From: Adriana Kobylak <anoo@us.ibm.com>
+
+[ Upstream commit e184d42a6e085f95f5c4f1a4fbabebab2984cb68 ]
+
+Move the reserved regions to account for a decrease in DRAM when ECC is
+enabled. ECC takes 1/9th of memory.
+
+Running on HW with ECC off, u-boot prints:
+DRAM: already initialized, 1008 MiB (capacity:1024 MiB, VGA:16 MiB, ECC:off)
+
+And with ECC on, u-boot prints:
+DRAM: already initialized, 896 MiB (capacity:1024 MiB, VGA:16 MiB, ECC:on, ECC size:896 MiB)
+
+This implies that MCR54 is configured for ECC to be bounded at the
+bottom of a 16MiB VGA memory region:
+
+1024MiB - 16MiB (VGA) = 1008MiB
+1008MiB / 9 (for ECC) = 112MiB
+1008MiB - 112MiB = 896MiB (available DRAM)
+
+The flash_memory region currently starts at offset 896MiB:
+0xb8000000 (flash_memory offset) - 0x80000000 (base memory address) = 0x38000000 = 896MiB
+
+This is the end of the available DRAM with ECC enabled and therefore it
+needs to be moved.
+
+Since the flash_memory is 64MiB in size and needs to be 64MiB aligned,
+it can just be moved up by 64MiB and would sit right at the end of the
+available DRAM buffer.
+
+The ramoops region currently follows the flash_memory, but it can be
+moved to sit above flash_memory which would minimize the address-space
+fragmentation.
+
+Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Link: https://lore.kernel.org/r/20220916195535.1020185-1-anoo@linux.ibm.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts | 17 ++++++++---------
+ arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts | 16 +++++++++-------
+ 2 files changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts b/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts
+index a6a2bc3b855c..fcc890e3ad73 100644
+--- a/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts
++++ b/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts
+@@ -162,16 +162,9 @@ reserved-memory {
+ #size-cells = <1>;
+ ranges;
+
+- /* LPC FW cycle bridge region requires natural alignment */
+- flash_memory: region@b8000000 {
+- no-map;
+- reg = <0xb8000000 0x04000000>; /* 64M */
+- };
+-
+- /* 48MB region from the end of flash to start of vga memory */
+- ramoops@bc000000 {
++ ramoops@b3e00000 {
+ compatible = "ramoops";
+- reg = <0xbc000000 0x200000>; /* 16 * (4 * 0x8000) */
++ reg = <0xb3e00000 0x200000>; /* 16 * (4 * 0x8000) */
+ record-size = <0x8000>;
+ console-size = <0x8000>;
+ ftrace-size = <0x8000>;
+@@ -179,6 +172,12 @@ ramoops@bc000000 {
+ max-reason = <3>; /* KMSG_DUMP_EMERG */
+ };
+
++ /* LPC FW cycle bridge region requires natural alignment */
++ flash_memory: region@b4000000 {
++ no-map;
++ reg = <0xb4000000 0x04000000>; /* 64M */
++ };
++
+ /* VGA region is dictated by hardware strapping */
+ vga_memory: region@bf000000 {
+ no-map;
+diff --git a/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts b/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts
+index bf59a9962379..4879da4cdbd2 100644
+--- a/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts
++++ b/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts
+@@ -95,14 +95,9 @@ reserved-memory {
+ #size-cells = <1>;
+ ranges;
+
+- flash_memory: region@b8000000 {
+- no-map;
+- reg = <0xb8000000 0x04000000>; /* 64M */
+- };
+-
+- ramoops@bc000000 {
++ ramoops@b3e00000 {
+ compatible = "ramoops";
+- reg = <0xbc000000 0x200000>; /* 16 * (4 * 0x8000) */
++ reg = <0xb3e00000 0x200000>; /* 16 * (4 * 0x8000) */
+ record-size = <0x8000>;
+ console-size = <0x8000>;
+ ftrace-size = <0x8000>;
+@@ -110,6 +105,13 @@ ramoops@bc000000 {
+ max-reason = <3>; /* KMSG_DUMP_EMERG */
+ };
+
++ /* LPC FW cycle bridge region requires natural alignment */
++ flash_memory: region@b4000000 {
++ no-map;
++ reg = <0xb4000000 0x04000000>; /* 64M */
++ };
++
++ /* VGA region is dictated by hardware strapping */
+ vga_memory: region@bf000000 {
+ no-map;
+ compatible = "shared-dma-pool";
+--
+2.35.1
+
--- /dev/null
+From 69d834a0794770bdce08b9d7267f5e366184e885 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 00:30:48 +0200
+Subject: ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit dcc7d8c72b64a479b8017e4332d99179deb8802d ]
+
+BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
+(PCI-to-PCI bridge) should match BDF in address part in that DT node name
+as specified resource belongs to Marvell PCIe Root Port itself.
+
+Fixes: 74ecaa403a74 ("ARM: dove: add PCIe controllers to SoC DT")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/dove.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/dove.dtsi b/arch/arm/boot/dts/dove.dtsi
+index 89e0bdaf3a85..726d353eda68 100644
+--- a/arch/arm/boot/dts/dove.dtsi
++++ b/arch/arm/boot/dts/dove.dtsi
+@@ -129,7 +129,7 @@ pcie0: pcie@1 {
+ pcie1: pcie@2 {
+ device_type = "pci";
+ status = "disabled";
+- assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
++ assigned-addresses = <0x82001000 0 0x80000 0 0x2000>;
+ reg = <0x1000 0 0 0 0>;
+ clocks = <&gate_clk 5>;
+ marvell,pcie-port = <1>;
+--
+2.35.1
+
--- /dev/null
+From cdcbb69c953ac2c0eb6e3f71ef1680f40505e63e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 23:15:52 +0100
+Subject: ARM: dts: nuvoton: Remove bogus unit addresses from fixed-partition
+ nodes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+
+[ Upstream commit ea3ce4cf076ba11bb591c8013c5315136cae52c8 ]
+
+The unit addresses do not correspond to the nodes' reg properties,
+because they don't have any.
+
+Fixes: e42b650f828d ("ARM: dts: nuvoton: Add new device nodes to NPCM750 EVB")
+Fixes: ee33e2fb3d70 ("ARM: dts: nuvoton: Add Quanta GBS BMC Device Tree")
+Fixes: 59f5abe09f0a ("ARM: dts: nuvoton: Add Quanta GSJ BMC")
+Fixes: 14579c76f5ca ("ARM: dts: nuvoton: Add Fii Kudo system")
+Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Link: https://lore.kernel.org/r/20221031221553.163273-1-j.neuschaefer@gmx.net
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/nuvoton-npcm730-gbs.dts | 2 +-
+ arch/arm/boot/dts/nuvoton-npcm730-gsj.dts | 2 +-
+ arch/arm/boot/dts/nuvoton-npcm730-kudo.dts | 6 +++---
+ arch/arm/boot/dts/nuvoton-npcm750-evb.dts | 4 ++--
+ arch/arm/boot/dts/nuvoton-npcm750-runbmc-olympus.dts | 6 +++---
+ 5 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm/boot/dts/nuvoton-npcm730-gbs.dts b/arch/arm/boot/dts/nuvoton-npcm730-gbs.dts
+index d10669fcd527..9e9eba8bad5e 100644
+--- a/arch/arm/boot/dts/nuvoton-npcm730-gbs.dts
++++ b/arch/arm/boot/dts/nuvoton-npcm730-gbs.dts
+@@ -366,7 +366,7 @@ flash@0 {
+ spi-max-frequency = <20000000>;
+ spi-rx-bus-width = <2>;
+ label = "bmc";
+- partitions@80000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+diff --git a/arch/arm/boot/dts/nuvoton-npcm730-gsj.dts b/arch/arm/boot/dts/nuvoton-npcm730-gsj.dts
+index 491606c4f044..2a394cc15284 100644
+--- a/arch/arm/boot/dts/nuvoton-npcm730-gsj.dts
++++ b/arch/arm/boot/dts/nuvoton-npcm730-gsj.dts
+@@ -142,7 +142,7 @@ flash@0 {
+ reg = <0>;
+ spi-rx-bus-width = <2>;
+
+- partitions@80000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+diff --git a/arch/arm/boot/dts/nuvoton-npcm730-kudo.dts b/arch/arm/boot/dts/nuvoton-npcm730-kudo.dts
+index a0c2d7652625..f7b38bee039b 100644
+--- a/arch/arm/boot/dts/nuvoton-npcm730-kudo.dts
++++ b/arch/arm/boot/dts/nuvoton-npcm730-kudo.dts
+@@ -388,7 +388,7 @@ flash@0 {
+ spi-max-frequency = <5000000>;
+ spi-rx-bus-width = <2>;
+ label = "bmc";
+- partitions@80000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+@@ -422,7 +422,7 @@ flash@1 {
+ reg = <1>;
+ spi-max-frequency = <5000000>;
+ spi-rx-bus-width = <2>;
+- partitions@88000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+@@ -447,7 +447,7 @@ flash@0 {
+ reg = <0>;
+ spi-max-frequency = <5000000>;
+ spi-rx-bus-width = <2>;
+- partitions@A0000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+diff --git a/arch/arm/boot/dts/nuvoton-npcm750-evb.dts b/arch/arm/boot/dts/nuvoton-npcm750-evb.dts
+index 3dad32834e5e..f53d45fa1de8 100644
+--- a/arch/arm/boot/dts/nuvoton-npcm750-evb.dts
++++ b/arch/arm/boot/dts/nuvoton-npcm750-evb.dts
+@@ -74,7 +74,7 @@ flash@0 {
+ spi-rx-bus-width = <2>;
+ reg = <0>;
+ spi-max-frequency = <5000000>;
+- partitions@80000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+@@ -135,7 +135,7 @@ flash@0 {
+ spi-rx-bus-width = <2>;
+ reg = <0>;
+ spi-max-frequency = <5000000>;
+- partitions@A0000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+diff --git a/arch/arm/boot/dts/nuvoton-npcm750-runbmc-olympus.dts b/arch/arm/boot/dts/nuvoton-npcm750-runbmc-olympus.dts
+index 132e702281fc..87359ab05db3 100644
+--- a/arch/arm/boot/dts/nuvoton-npcm750-runbmc-olympus.dts
++++ b/arch/arm/boot/dts/nuvoton-npcm750-runbmc-olympus.dts
+@@ -107,7 +107,7 @@ flash@0 {
+ reg = <0>;
+ spi-rx-bus-width = <2>;
+
+- partitions@80000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+@@ -146,7 +146,7 @@ flash@1 {
+ reg = <1>;
+ npcm,fiu-rx-bus-width = <2>;
+
+- partitions@88000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+@@ -173,7 +173,7 @@ flash@0 {
+ reg = <0>;
+ spi-rx-bus-width = <2>;
+
+- partitions@A0000000 {
++ partitions {
+ compatible = "fixed-partitions";
+ #address-cells = <1>;
+ #size-cells = <1>;
+--
+2.35.1
+
--- /dev/null
+From 2cf94951271331b9069219a6f31eb69f279e2f63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 21:06:57 +0200
+Subject: ARM: dts: qcom: apq8064: fix coresight compatible
+
+From: Luca Weiss <luca@z3ntu.xyz>
+
+[ Upstream commit a42b1ee868361f1cb0492f1bdaefb43e0751e468 ]
+
+There's a typo missing the arm, prefix of arm,coresight-etb10. Fix it to
+make devicetree validation happier.
+
+Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
+Fixes: 7a5c275fd821 ("ARM: dts: qcom: Add apq8064 CoreSight components")
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221013190657.48499-3-luca@z3ntu.xyz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
+index ada4c828bf2f..095849423de1 100644
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -1580,7 +1580,7 @@ wifi {
+ };
+
+ etb@1a01000 {
+- compatible = "coresight-etb10", "arm,primecell";
++ compatible = "arm,coresight-etb10", "arm,primecell";
+ reg = <0x1a01000 0x1000>;
+
+ clocks = <&rpmcc RPM_QDSS_CLK>;
+--
+2.35.1
+
--- /dev/null
+From 8171cb28b34dcfe01d4c8a3a78800473e86b170d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 18:10:06 +0100
+Subject: arm: dts: spear600: Fix clcd interrupt
+
+From: Kory Maincent <kory.maincent@bootlin.com>
+
+[ Upstream commit 0336e2ce34e7a89832b6c214f924eb7bc58940be ]
+
+Interrupt 12 of the Interrupt controller belongs to the SMI controller,
+the right one for the display controller is the interrupt 13.
+
+Fixes: 8113ba917dfa ("ARM: SPEAr: DT: Update device nodes")
+Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/spear600.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/spear600.dtsi b/arch/arm/boot/dts/spear600.dtsi
+index fd41243a0b2c..9d5a04a46b14 100644
+--- a/arch/arm/boot/dts/spear600.dtsi
++++ b/arch/arm/boot/dts/spear600.dtsi
+@@ -47,7 +47,7 @@ clcd: clcd@fc200000 {
+ compatible = "arm,pl110", "arm,primecell";
+ reg = <0xfc200000 0x1000>;
+ interrupt-parent = <&vic1>;
+- interrupts = <12>;
++ interrupts = <13>;
+ status = "disabled";
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 2b67118a7a520b3c808aaa299f35277dcc6d06b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 04:37:45 +0200
+Subject: ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 3b835f1b8acef53c8882b25f40f48d7f5982c938 ]
+
+The Avenger96 is populated with STM32MP157A DHCOR SoM, drop the
+stm32mp15xc.dtsi which should only be included in DTs of devices
+which are populated with STM32MP15xC/F SoC as the stm32mp15xc.dtsi
+enables CRYP block not present in the STM32MP15xA/D SoC .
+
+Fixes: 7e76f82acd9e1 ("ARM: dts: stm32: Split Avenger96 into DHCOR SoM and Avenger96 board")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts b/arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts
+index 2e3c9fbb4eb3..275167f26fd9 100644
+--- a/arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts
++++ b/arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts
+@@ -13,7 +13,6 @@
+ /dts-v1/;
+
+ #include "stm32mp157.dtsi"
+-#include "stm32mp15xc.dtsi"
+ #include "stm32mp15xx-dhcor-som.dtsi"
+ #include "stm32mp15xx-dhcor-avenger96.dtsi"
+
+--
+2.35.1
+
--- /dev/null
+From eb6bbd1b1f6669d5426e0f3de74d65c9739ce4cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 12:00:57 +0200
+Subject: ARM: dts: stm32: Fix AV96 WLAN regulator gpio property
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit d5d577e3d50713ad11d98dbdaa48bb494346c26d ]
+
+The WLAN regulator uses 'gpios' property instead of 'gpio' to specify
+regulator enable GPIO. While the former is also currently handled by
+the Linux kernel regulator-fixed driver, the later is the correct one
+per DT bindings. Update the DT to use the later.
+
+Fixes: 7dd5cbba42c93 ("ARM: dts: stm32: Enable WiFi on AV96")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
+index 90933077d66d..b6957cbdeff5 100644
+--- a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
++++ b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
+@@ -100,7 +100,7 @@ wlan_pwr: regulator-wlan {
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+
+- gpios = <&gpioz 3 GPIO_ACTIVE_HIGH>;
++ gpio = <&gpioz 3 GPIO_ACTIVE_HIGH>;
+ enable-active-high;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From 05979d8a003c18aafd4886a4bc1485ede2358d4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 15:09:26 +0200
+Subject: ARM: dts: turris-omnia: Add ethernet aliases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit f1f3e530c59a7e8c5f06172f4c28b945a6b4bfb8 ]
+
+This allows bootloader to correctly pass MAC addresses used by bootloader
+to individual interfaces into kernel device tree.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia")
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-385-turris-omnia.dts | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+index a41902e3815c..96bd40351c3b 100644
+--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts
++++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+@@ -23,6 +23,12 @@ chosen {
+ stdout-path = &uart0;
+ };
+
++ aliases {
++ ethernet0 = ð0;
++ ethernet1 = ð1;
++ ethernet2 = ð2;
++ };
++
+ memory {
+ device_type = "memory";
+ reg = <0x00000000 0x40000000>; /* 1024 MB */
+--
+2.35.1
+
--- /dev/null
+From 240b281be32917646d1b78a13a80a1055a678ec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 14:21:02 +0200
+Subject: ARM: dts: turris-omnia: Add switch port 6 node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit f87db2005f73876602211af0ee156817019b6bda ]
+
+Switch port 6 is connected to eth0, so add appropriate device tree node for it.
+
+Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-385-turris-omnia.dts | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+index 96bd40351c3b..0b64d7505dca 100644
+--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts
++++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+@@ -461,7 +461,17 @@ fixed-link {
+ };
+ };
+
+- /* port 6 is connected to eth0 */
++ ports@6 {
++ reg = <6>;
++ label = "cpu";
++ ethernet = <ð0>;
++ phy-mode = "rgmii-id";
++
++ fixed-link {
++ speed = <1000>;
++ full-duplex;
++ };
++ };
+ };
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From b28558f025cc840e5a979affc08e41e5cd16dfdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 16:51:17 -0800
+Subject: ARM: mmp: fix timer_read delay
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit e348b4014c31041e13ff370669ba3348c4d385e3 ]
+
+timer_read() was using an empty 100-iteration loop to wait for the
+TMR_CVWR register to capture the latest timer counter value. The delay
+wasn't long enough. This resulted in CPU idle time being extremely
+underreported on PXA168 with CONFIG_NO_HZ_IDLE=y.
+
+Switch to the approach used in the vendor kernel, which implements the
+capture delay by reading TMR_CVWR a few times instead.
+
+Fixes: 49cbe78637eb ("[ARM] pxa: add base support for Marvell's PXA168 processor line")
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Link: https://lore.kernel.org/r/20221204005117.53452-3-doug@schmorgal.com
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-mmp/time.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c
+index 41b2e8abc9e6..708816caf859 100644
+--- a/arch/arm/mach-mmp/time.c
++++ b/arch/arm/mach-mmp/time.c
+@@ -43,18 +43,21 @@
+ static void __iomem *mmp_timer_base = TIMERS_VIRT_BASE;
+
+ /*
+- * FIXME: the timer needs some delay to stablize the counter capture
++ * Read the timer through the CVWR register. Delay is required after requesting
++ * a read. The CR register cannot be directly read due to metastability issues
++ * documented in the PXA168 software manual.
+ */
+ static inline uint32_t timer_read(void)
+ {
+- int delay = 100;
++ uint32_t val;
++ int delay = 3;
+
+ __raw_writel(1, mmp_timer_base + TMR_CVWR(1));
+
+ while (delay--)
+- cpu_relax();
++ val = __raw_readl(mmp_timer_base + TMR_CVWR(1));
+
+- return __raw_readl(mmp_timer_base + TMR_CVWR(1));
++ return val;
+ }
+
+ static u64 notrace mmp_read_sched_clock(void)
+--
+2.35.1
+
--- /dev/null
+From 06356cf7576228cf5fcba9c7a3dcdfc15d846be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 13:58:26 +0200
+Subject: arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 21aad8ba615e9c39cee6c5d0b76726f63791926c ]
+
+MCP7940MT-I/MNY RTC has connected interrupt line to GPIO2_5.
+
+Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
+index ada164d423f3..200f97e1c4c9 100644
+--- a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
++++ b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
+@@ -125,9 +125,12 @@ &i2c0 {
+ /delete-property/ mrvl,i2c-fast-mode;
+ status = "okay";
+
++ /* MCP7940MT-I/MNY RTC */
+ rtc@6f {
+ compatible = "microchip,mcp7940x";
+ reg = <0x6f>;
++ interrupt-parent = <&gpiosb>;
++ interrupts = <5 0>; /* GPIO2_5 */
+ };
+ };
+
+--
+2.35.1
+
--- /dev/null
+From dbdc60a9513cd92b7b178719cd73a03749f72560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 16:10:21 +0530
+Subject: arm64: dts: fsd: fix drive strength macros as per FSD HW UM
+
+From: Padmanabhan Rajanbabu <p.rajanbabu@samsung.com>
+
+[ Upstream commit 574d6c59daefb51729b0640465f007f6c9600358 ]
+
+Drive strength macros defined for FSD platform is not reflecting actual
+names and values as per HW UM. FSD SoC pinctrl has following four levels
+of drive-strength and their corresponding values:
+Level-1 <-> 0
+Level-2 <-> 1
+Level-4 <-> 2
+Level-6 <-> 3
+
+The commit 684dac402f21 ("arm64: dts: fsd: Add initial pinctrl support")
+used drive strength macros defined for Exynos4 SoC family. For some IPs
+the macros values of Exynos4 matched and worked well, but Exynos4 SoC
+family drive-strength (names and values) is not exactly matching with
+FSD SoC.
+
+Fix the drive strength macros to reflect actual names and values given
+in FSD HW UM.
+
+Fixes: 684dac402f21 ("arm64: dts: fsd: Add initial pinctrl support")
+Signed-off-by: Padmanabhan Rajanbabu <p.rajanbabu@samsung.com>
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Link: https://lore.kernel.org/r/20221013104024.50179-2-p.rajanbabu@samsung.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi | 8 ++++----
+ arch/arm64/boot/dts/tesla/fsd-pinctrl.h | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi b/arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi
+index d0abb9aa0e9e..4e151d419909 100644
+--- a/arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi
++++ b/arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi
+@@ -55,14 +55,14 @@ ufs_rst_n: ufs-rst-n-pins {
+ samsung,pins = "gpf5-0";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_NONE>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV2>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ ufs_refclk_out: ufs-refclk-out-pins {
+ samsung,pins = "gpf5-1";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_NONE>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV2>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+ };
+
+@@ -239,14 +239,14 @@ pwm0_out: pwm0-out-pins {
+ samsung,pins = "gpb6-1";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV2>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ pwm1_out: pwm1-out-pins {
+ samsung,pins = "gpb6-5";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV2>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ hs_i2c0_bus: hs-i2c0-bus-pins {
+diff --git a/arch/arm64/boot/dts/tesla/fsd-pinctrl.h b/arch/arm64/boot/dts/tesla/fsd-pinctrl.h
+index 6ffbda362493..c397d02208a0 100644
+--- a/arch/arm64/boot/dts/tesla/fsd-pinctrl.h
++++ b/arch/arm64/boot/dts/tesla/fsd-pinctrl.h
+@@ -16,9 +16,9 @@
+ #define FSD_PIN_PULL_UP 3
+
+ #define FSD_PIN_DRV_LV1 0
+-#define FSD_PIN_DRV_LV2 2
+-#define FSD_PIN_DRV_LV3 1
+-#define FSD_PIN_DRV_LV4 3
++#define FSD_PIN_DRV_LV2 1
++#define FSD_PIN_DRV_LV4 2
++#define FSD_PIN_DRV_LV6 3
+
+ #define FSD_PIN_FUNC_INPUT 0
+ #define FSD_PIN_FUNC_OUTPUT 1
+--
+2.35.1
+
--- /dev/null
+From 6da1f575cc94abbc83f1a09190467eaa23112762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 16:10:22 +0530
+Subject: arm64: dts: fsd: fix drive strength values as per FSD HW UM
+
+From: Padmanabhan Rajanbabu <p.rajanbabu@samsung.com>
+
+[ Upstream commit 21f6546e8bf68a847601e2710378e2224bf49704 ]
+
+Drive strength values used for HSI2C, SPI and UART are not reflecting
+the default values recommended by FSD HW UM.
+
+Fixes: 684dac402f21 ("arm64: dts: fsd: Add initial pinctrl support")
+Signed-off-by: Padmanabhan Rajanbabu <p.rajanbabu@samsung.com>
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Link: https://lore.kernel.org/r/20221013104024.50179-3-p.rajanbabu@samsung.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi | 26 +++++++++++-----------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi b/arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi
+index 4e151d419909..e3852c946352 100644
+--- a/arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi
++++ b/arch/arm64/boot/dts/tesla/fsd-pinctrl.dtsi
+@@ -253,91 +253,91 @@ hs_i2c0_bus: hs-i2c0-bus-pins {
+ samsung,pins = "gpb0-0", "gpb0-1";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ hs_i2c1_bus: hs-i2c1-bus-pins {
+ samsung,pins = "gpb0-2", "gpb0-3";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ hs_i2c2_bus: hs-i2c2-bus-pins {
+ samsung,pins = "gpb0-4", "gpb0-5";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ hs_i2c3_bus: hs-i2c3-bus-pins {
+ samsung,pins = "gpb0-6", "gpb0-7";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ hs_i2c4_bus: hs-i2c4-bus-pins {
+ samsung,pins = "gpb1-0", "gpb1-1";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ hs_i2c5_bus: hs-i2c5-bus-pins {
+ samsung,pins = "gpb1-2", "gpb1-3";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ hs_i2c6_bus: hs-i2c6-bus-pins {
+ samsung,pins = "gpb1-4", "gpb1-5";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ hs_i2c7_bus: hs-i2c7-bus-pins {
+ samsung,pins = "gpb1-6", "gpb1-7";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ uart0_data: uart0-data-pins {
+ samsung,pins = "gpb7-0", "gpb7-1";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_NONE>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ uart1_data: uart1-data-pins {
+ samsung,pins = "gpb7-4", "gpb7-5";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_NONE>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ spi0_bus: spi0-bus-pins {
+ samsung,pins = "gpb4-0", "gpb4-2", "gpb4-3";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ spi1_bus: spi1-bus-pins {
+ samsung,pins = "gpb4-4", "gpb4-6", "gpb4-7";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+
+ spi2_bus: spi2-bus-pins {
+ samsung,pins = "gpb5-0", "gpb5-2", "gpb5-3";
+ samsung,pin-function = <FSD_PIN_FUNC_2>;
+ samsung,pin-pud = <FSD_PIN_PULL_UP>;
+- samsung,pin-drv = <FSD_PIN_DRV_LV1>;
++ samsung,pin-drv = <FSD_PIN_DRV_LV4>;
+ };
+ };
+
+--
+2.35.1
+
--- /dev/null
+From dee8101324880120867947d131a2a08c8c2bf54b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:22:12 +0200
+Subject: arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 5f535cc583759c9c60d4cc9b8d221762e2d75387 ]
+
+Update its unit name to oscillator-26m and remove the unneeded unit
+address to fix a unit_address_vs_reg warning.
+
+Fixes: 464c510f60c6 ("arm64: dts: mediatek: add mt6797 support")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221013152212.416661-9-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt6797.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt6797.dtsi b/arch/arm64/boot/dts/mediatek/mt6797.dtsi
+index 15616231022a..c3677d77e0a4 100644
+--- a/arch/arm64/boot/dts/mediatek/mt6797.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt6797.dtsi
+@@ -95,7 +95,7 @@ cpu9: cpu@201 {
+ };
+ };
+
+- clk26m: oscillator@0 {
++ clk26m: oscillator-26m {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <26000000>;
+--
+2.35.1
+
--- /dev/null
+From 49c16ef628f615e27c9120cb5cdaa1008d75a2d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Oct 2022 11:34:03 +0200
+Subject: arm64: dts: mediatek: mt8195: Fix CPUs capacity-dmips-mhz
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 513c43328b189874fdfee3ae99cac81e5502e7f7 ]
+
+The capacity-dmips-mhz parameter was miscalculated: this SoC runs
+the first (Cortex-A55) cluster at a maximum of 2000MHz and the
+second (Cortex-A78) cluster at a maximum of 3000MHz.
+
+In order to calculate the right capacity-dmips-mhz, the following
+test was performed:
+1. CPUFREQ governor was set to 'performance' on both clusters
+2. Ran dhrystone with 500000000 iterations for 10 times on each cluster
+3. Calculate the mean result for each cluster
+4. Calculate DMIPS/MHz: dmips_mhz = dmips_per_second / cpu_mhz
+5. Scale results to 1024:
+ result_c0 = (dmips_mhz_c0 - min_dmips_mhz(c0, c1)) /
+ (max_dmips_mhz(c0, c1) - min_dmips_mhz(c0, c1)) * 1024
+
+The mean results for this SoC are:
+Cluster 0 (LITTLE): 11990400 Dhry/s
+Cluster 1 (BIG): 59809036 Dhry/s
+
+The calculated scaled results are:
+Cluster 0: 307,934312801831 (rounded to 308)
+Cluster 1: 1024
+
+Fixes: 37f2582883be ("arm64: dts: Add mediatek SoC mt8195 and evaluation board")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221005093404.33102-1-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8195.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+index 066c14989708..e694ddb74f7d 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+@@ -27,7 +27,7 @@ cpu0: cpu@0 {
+ reg = <0x000>;
+ enable-method = "psci";
+ clock-frequency = <1701000000>;
+- capacity-dmips-mhz = <578>;
++ capacity-dmips-mhz = <308>;
+ cpu-idle-states = <&cpu_off_l &cluster_off_l>;
+ next-level-cache = <&l2_0>;
+ #cooling-cells = <2>;
+@@ -39,7 +39,7 @@ cpu1: cpu@100 {
+ reg = <0x100>;
+ enable-method = "psci";
+ clock-frequency = <1701000000>;
+- capacity-dmips-mhz = <578>;
++ capacity-dmips-mhz = <308>;
+ cpu-idle-states = <&cpu_off_l &cluster_off_l>;
+ next-level-cache = <&l2_0>;
+ #cooling-cells = <2>;
+@@ -51,7 +51,7 @@ cpu2: cpu@200 {
+ reg = <0x200>;
+ enable-method = "psci";
+ clock-frequency = <1701000000>;
+- capacity-dmips-mhz = <578>;
++ capacity-dmips-mhz = <308>;
+ cpu-idle-states = <&cpu_off_l &cluster_off_l>;
+ next-level-cache = <&l2_0>;
+ #cooling-cells = <2>;
+@@ -63,7 +63,7 @@ cpu3: cpu@300 {
+ reg = <0x300>;
+ enable-method = "psci";
+ clock-frequency = <1701000000>;
+- capacity-dmips-mhz = <578>;
++ capacity-dmips-mhz = <308>;
+ cpu-idle-states = <&cpu_off_l &cluster_off_l>;
+ next-level-cache = <&l2_0>;
+ #cooling-cells = <2>;
+--
+2.35.1
+
--- /dev/null
+From 392374b38a6c8510f0ad76a53445ed6942c301cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:22:11 +0200
+Subject: arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 509438336ce75c8b4e6ce8e8d507dc77d0783bdd ]
+
+Fix the pinctrl submodes and optee node to remove unneeded unit address,
+fixing all unit_address_vs_reg warnings.
+
+Fixes: 9983822c8cf9 ("arm64: dts: mediatek: add pumpkin board dts")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221013152212.416661-8-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
+index 8ee1529683a3..ec8dfb3d1c6d 100644
+--- a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
++++ b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
+@@ -17,7 +17,7 @@ chosen {
+ };
+
+ firmware {
+- optee: optee@4fd00000 {
++ optee: optee {
+ compatible = "linaro,optee-tz";
+ method = "smc";
+ };
+@@ -209,7 +209,7 @@ pins_cmd_dat {
+ };
+ };
+
+- i2c0_pins_a: i2c0@0 {
++ i2c0_pins_a: i2c0 {
+ pins1 {
+ pinmux = <MT8516_PIN_58_SDA0__FUNC_SDA0_0>,
+ <MT8516_PIN_59_SCL0__FUNC_SCL0_0>;
+@@ -217,7 +217,7 @@ pins1 {
+ };
+ };
+
+- i2c2_pins_a: i2c2@0 {
++ i2c2_pins_a: i2c2 {
+ pins1 {
+ pinmux = <MT8516_PIN_60_SDA2__FUNC_SDA2_0>,
+ <MT8516_PIN_61_SCL2__FUNC_SCL2_0>;
+--
+2.35.1
+
--- /dev/null
+From 9752891fb840e11c3f493891e71dc242814c387e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:22:10 +0200
+Subject: arm64: dts: mt2712-evb: Fix usb vbus regulators unit names
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit ec1ae39a8d25cfb067b5459fac7c5b7b9bce6f6a ]
+
+Update the names to regulator-usb-p{0-3}-vbus to fix unit_address_vs_reg
+warnings for those.
+
+Fixes: 1724f4cc5133 ("arm64: dts: Add USB3 related nodes for MT2712")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221013152212.416661-7-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
+index 638908773706..d31a194124c9 100644
+--- a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
++++ b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
+@@ -50,7 +50,7 @@ extcon_usb1: extcon_iddig1 {
+ id-gpio = <&pio 14 GPIO_ACTIVE_HIGH>;
+ };
+
+- usb_p0_vbus: regulator@2 {
++ usb_p0_vbus: regulator-usb-p0-vbus {
+ compatible = "regulator-fixed";
+ regulator-name = "p0_vbus";
+ regulator-min-microvolt = <5000000>;
+@@ -59,7 +59,7 @@ usb_p0_vbus: regulator@2 {
+ enable-active-high;
+ };
+
+- usb_p1_vbus: regulator@3 {
++ usb_p1_vbus: regulator-usb-p1-vbus {
+ compatible = "regulator-fixed";
+ regulator-name = "p1_vbus";
+ regulator-min-microvolt = <5000000>;
+@@ -68,7 +68,7 @@ usb_p1_vbus: regulator@3 {
+ enable-active-high;
+ };
+
+- usb_p2_vbus: regulator@4 {
++ usb_p2_vbus: regulator-usb-p2-vbus {
+ compatible = "regulator-fixed";
+ regulator-name = "p2_vbus";
+ regulator-min-microvolt = <5000000>;
+@@ -77,7 +77,7 @@ usb_p2_vbus: regulator@4 {
+ enable-active-high;
+ };
+
+- usb_p3_vbus: regulator@5 {
++ usb_p3_vbus: regulator-usb-p3-vbus {
+ compatible = "regulator-fixed";
+ regulator-name = "p3_vbus";
+ regulator-min-microvolt = <5000000>;
+--
+2.35.1
+
--- /dev/null
+From 57ae403a4c6864dd724483c3e1421240d1db257f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:22:09 +0200
+Subject: arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 377063156893bf6c088309ac799fe5c6dce2822d ]
+
+Update the names to regulator-vproc-buck{0,1} to fix unit_addres_vs_reg
+warnings for those.
+
+Fixes: f75dd8bdd344 ("arm64: dts: mediatek: add mt2712 cpufreq related device nodes")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221013152212.416661-6-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
+index 9b1af9c80130..638908773706 100644
+--- a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
++++ b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
+@@ -26,14 +26,14 @@ chosen {
+ stdout-path = "serial0:921600n8";
+ };
+
+- cpus_fixed_vproc0: fixedregulator@0 {
++ cpus_fixed_vproc0: regulator-vproc-buck0 {
+ compatible = "regulator-fixed";
+ regulator-name = "vproc_buck0";
+ regulator-min-microvolt = <1000000>;
+ regulator-max-microvolt = <1000000>;
+ };
+
+- cpus_fixed_vproc1: fixedregulator@1 {
++ cpus_fixed_vproc1: regulator-vproc-buck1 {
+ compatible = "regulator-fixed";
+ regulator-name = "vproc_buck1";
+ regulator-min-microvolt = <1000000>;
+--
+2.35.1
+
--- /dev/null
+From 0f7abaf6693998168bfe7b282f1c47ca80a6f539 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:22:08 +0200
+Subject: arm64: dts: mt2712e: Fix unit address for pinctrl node
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 1d4516f53a611b362db7ba7a8889923d469f57e1 ]
+
+The unit address for the pinctrl node is (0x)1000b000 and not
+(0x)10005000, which is the syscfg_pctl_a address instead.
+
+This fixes the following warning:
+arch/arm64/boot/dts/mediatek/mt2712e.dtsi:264.40-267.4: Warning
+(unique_unit_address): /syscfg_pctl_a@10005000: duplicate
+unit-address (also used in node /pinctrl@10005000)
+
+Fixes: f0c64340b748 ("arm64: dts: mt2712: add pintcrl device node.")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221013152212.416661-5-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
+index dcd3df8eb4da..2ebefd144d6f 100644
+--- a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
+@@ -266,7 +266,7 @@ syscfg_pctl_a: syscfg_pctl_a@10005000 {
+ reg = <0 0x10005000 0 0x1000>;
+ };
+
+- pio: pinctrl@10005000 {
++ pio: pinctrl@1000b000 {
+ compatible = "mediatek,mt2712-pinctrl";
+ reg = <0 0x1000b000 0 0x1000>;
+ mediatek,pctl-regmap = <&syscfg_pctl_a>;
+--
+2.35.1
+
--- /dev/null
+From 3d6a509277f96909a34ba96600003c32c5b9ff97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:22:07 +0200
+Subject: arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit e4495a0a8b3d84816c9a46edf3ce060bbf267475 ]
+
+Rename the fixed-clock oscillators to remove the unit address.
+
+This solves unit_address_vs_reg warnings.
+
+Fixes: 5d4839709c8e ("arm64: dts: mt2712: Add clock controller device nodes")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221013152212.416661-4-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
+index 4797537cb368..dcd3df8eb4da 100644
+--- a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
+@@ -160,70 +160,70 @@ sys_clk: dummyclk {
+ #clock-cells = <0>;
+ };
+
+- clk26m: oscillator@0 {
++ clk26m: oscillator-26m {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <26000000>;
+ clock-output-names = "clk26m";
+ };
+
+- clk32k: oscillator@1 {
++ clk32k: oscillator-32k {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <32768>;
+ clock-output-names = "clk32k";
+ };
+
+- clkfpc: oscillator@2 {
++ clkfpc: oscillator-50m {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <50000000>;
+ clock-output-names = "clkfpc";
+ };
+
+- clkaud_ext_i_0: oscillator@3 {
++ clkaud_ext_i_0: oscillator-aud0 {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <6500000>;
+ clock-output-names = "clkaud_ext_i_0";
+ };
+
+- clkaud_ext_i_1: oscillator@4 {
++ clkaud_ext_i_1: oscillator-aud1 {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <196608000>;
+ clock-output-names = "clkaud_ext_i_1";
+ };
+
+- clkaud_ext_i_2: oscillator@5 {
++ clkaud_ext_i_2: oscillator-aud2 {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <180633600>;
+ clock-output-names = "clkaud_ext_i_2";
+ };
+
+- clki2si0_mck_i: oscillator@6 {
++ clki2si0_mck_i: oscillator-i2s0 {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <30000000>;
+ clock-output-names = "clki2si0_mck_i";
+ };
+
+- clki2si1_mck_i: oscillator@7 {
++ clki2si1_mck_i: oscillator-i2s1 {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <30000000>;
+ clock-output-names = "clki2si1_mck_i";
+ };
+
+- clki2si2_mck_i: oscillator@8 {
++ clki2si2_mck_i: oscillator-i2s2 {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <30000000>;
+ clock-output-names = "clki2si2_mck_i";
+ };
+
+- clktdmin_mclk_i: oscillator@9 {
++ clktdmin_mclk_i: oscillator-mclk {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <30000000>;
+--
+2.35.1
+
--- /dev/null
+From 2b00143330409dc450062beb4bb002cbb00fc150 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:22:06 +0200
+Subject: arm64: dts: mt6779: Fix devicetree build warnings
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 4d759c524c15dc4151e40b9e3f368147fda7b789 ]
+
+Rename fixed-clock oscillators to oscillator-26m and oscillator-32k
+and remove the unit address to fix the unit_address_vs_reg warning;
+fix the unit address for interrupt and intpol controllers by
+removing a leading zero in their unit address.
+
+This commit fixes the following warnings:
+
+(unit_address_vs_reg): /oscillator@0: node has a unit name, but
+no reg or ranges property
+(unit_address_vs_reg): /oscillator@1: node has a unit name, but
+no reg or ranges property
+(simple_bus_reg): /soc/interrupt-controller@0c000000: simple-bus
+unit address format error, expected "c000000"
+(simple_bus_reg): /soc/intpol-controller@0c53a650: simple-bus
+unit address format error, expected "c53a650"
+
+Fixes: 4c7a6260775d ("arm64: dts: add dts nodes for MT6779")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221013152212.416661-3-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt6779.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt6779.dtsi b/arch/arm64/boot/dts/mediatek/mt6779.dtsi
+index 9bdf5145966c..dde9ce137b4f 100644
+--- a/arch/arm64/boot/dts/mediatek/mt6779.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt6779.dtsi
+@@ -88,14 +88,14 @@ pmu {
+ interrupts = <GIC_PPI 7 IRQ_TYPE_LEVEL_LOW 0>;
+ };
+
+- clk26m: oscillator@0 {
++ clk26m: oscillator-26m {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <26000000>;
+ clock-output-names = "clk26m";
+ };
+
+- clk32k: oscillator@1 {
++ clk32k: oscillator-32k {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+ clock-frequency = <32768>;
+@@ -117,7 +117,7 @@ soc {
+ compatible = "simple-bus";
+ ranges;
+
+- gic: interrupt-controller@0c000000 {
++ gic: interrupt-controller@c000000 {
+ compatible = "arm,gic-v3";
+ #interrupt-cells = <4>;
+ interrupt-parent = <&gic>;
+@@ -138,7 +138,7 @@ ppi_cluster1: interrupt-partition-1 {
+
+ };
+
+- sysirq: intpol-controller@0c53a650 {
++ sysirq: intpol-controller@c53a650 {
+ compatible = "mediatek,mt6779-sysirq",
+ "mediatek,mt6577-sysirq";
+ interrupt-controller;
+--
+2.35.1
+
--- /dev/null
+From 36c5b331d60ecb23dc518db7e16594521f217202 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:22:05 +0200
+Subject: arm64: dts: mt7896a: Fix unit_address_vs_reg warning for oscillator
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 7898d047b1eb2bec2622668cd70181442a580c6d ]
+
+Rename the oscillator fixed-clock to oscillator-40m and remove
+the unit address to fix warnings.
+
+arch/arm64/boot/dts/mediatek/mt7986a.dtsi:17.23-22.4: Warning
+(unit_address_vs_reg): /oscillator@0: node has a unit name,
+but no reg or ranges property
+
+Fixes: 1f9986b258c2 ("arm64: dts: mediatek: add clock support for mt7986a")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221013152212.416661-2-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
+index 12c259ec042e..25b297bbb1b0 100644
+--- a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
+@@ -13,7 +13,7 @@ / {
+ #address-cells = <2>;
+ #size-cells = <2>;
+
+- clk40m: oscillator@0 {
++ clk40m: oscillator-40m {
+ compatible = "fixed-clock";
+ clock-frequency = <40000000>;
+ #clock-cells = <0>;
+--
+2.35.1
+
--- /dev/null
+From 23231ebb8ba080774b9fc0ddb4a485609d57773c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 17:10:22 +0200
+Subject: arm64: dts: mt7986: fix trng node name
+
+From: Frank Wunderlich <frank-w@public-files.de>
+
+[ Upstream commit 07ce611c705217507c2a036bba8695cbd82c9e36 ]
+
+Binding requires node name to be rng not trng:
+
+trng@1020f000: $nodename:0: 'trng@1020f000' does not match '^rng@[0-9a-f]+$'
+
+Fixes: 50137c150f5f ("arm64: dts: mediatek: add basic mt7986 support")
+Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221027151022.5541-1-linux@fw-web.de
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
+index e3a407d03551..12c259ec042e 100644
+--- a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
+@@ -162,7 +162,7 @@ sgmiisys1: syscon@10070000 {
+ #clock-cells = <1>;
+ };
+
+- trng: trng@1020f000 {
++ trng: rng@1020f000 {
+ compatible = "mediatek,mt7986-rng",
+ "mediatek,mt7623-rng";
+ reg = <0 0x1020f000 0 0x100>;
+--
+2.35.1
+
--- /dev/null
+From 4770263d7360988f452c3d0f7f814fbf314c004d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 12:11:19 +0200
+Subject: arm64: dts: mt8183: Fix Mali GPU clock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit ad2631b5645a1d0ca9bf6fecf71f77e3b0071ee5 ]
+
+The actual clock feeding into the Mali GPU on the MT8183 is from the
+clock gate in the MFGCFG block, not CLK_TOP_MFGPLL_CK from the TOPCKGEN
+block, which itself is simply a pass-through placeholder for the MFGPLL
+in the APMIXEDSYS block.
+
+Fix the hardware description with the correct clock reference.
+
+Fixes: a8168cebf1bc ("arm64: dts: mt8183: Add node for the Mali GPU")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20220927101128.44758-2-angelogioacchino.delregno@collabora.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8183.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183.dtsi b/arch/arm64/boot/dts/mediatek/mt8183.dtsi
+index 9d32871973a2..85fb61324be8 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8183.dtsi
+@@ -1670,7 +1670,7 @@ gpu: gpu@13040000 {
+ <GIC_SPI 278 IRQ_TYPE_LEVEL_LOW>;
+ interrupt-names = "job", "mmu", "gpu";
+
+- clocks = <&topckgen CLK_TOP_MFGPLL_CK>;
++ clocks = <&mfgcfg CLK_MFG_BG3D>;
+
+ power-domains =
+ <&spm MT8183_POWER_DOMAIN_MFG_CORE0>,
+--
+2.35.1
+
--- /dev/null
+From 7d9e5a9587877671a944855f4657520ad1688e4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Oct 2022 14:46:26 +0200
+Subject: arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 4871d3c38893c8a585e3e96364b7fb91cda8322e ]
+
+When BLSPI1 (originally SPI0, later renamed in commit f82c48d46852
+("arm64: dts: qcom: ipq6018: correct QUP peripheral labels")) was added,
+the device node lacked respective pin configuration assignment.
+
+Fixes: 5bf635621245 ("arm64: dts: ipq6018: Add a few device nodes")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221006124659.217540-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts b/arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts
+index 1ba2eca33c7b..6a716c83e5f1 100644
+--- a/arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts
++++ b/arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts
+@@ -37,6 +37,8 @@ &blsp1_i2c3 {
+
+ &blsp1_spi1 {
+ cs-select = <0>;
++ pinctrl-0 = <&spi_0_pins>;
++ pinctrl-names = "default";
+ status = "okay";
+
+ flash@0 {
+--
+2.35.1
+
--- /dev/null
+From e12ef969db4b65e624eb25f27688ecbdc929b3ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jul 2022 16:03:40 +0200
+Subject: arm64: dts: qcom: msm8916: Drop MSS fallback compatible
+
+From: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
+
+[ Upstream commit ff02ac621634e82c0c34d02a79d402ae700cdfd0 ]
+
+MSM8916 was originally using the "qcom,q6v5-pil" compatible for the
+MSS remoteproc. Later it was decided to use SoC-specific compatibles
+instead, so "qcom,msm8916-mss-pil" is now the preferred compatible.
+
+Commit 60a05ed059a0 ("arm64: dts: qcom: msm8916: Add MSM8916-specific
+compatibles to SCM/MSS") updated the MSM8916 device tree to make use of
+the new compatible but still kept the old "qcom,q6v5-pil" as fallback.
+
+This is inconsistent with other SoCs and conflicts with the description
+in the binding documentation (which says that only one compatible should
+be present). Also, it has no functional advantage since older kernels
+could not handle this DT anyway (e.g. "power-domains" in the MSS node is
+only supported by kernels that also support "qcom,msm8916-mss-pil").
+
+Make this consistent with other SoCs by using only the
+"qcom,msm8916-mss-pil" compatible.
+
+Fixes: 60a05ed059a0 ("arm64: dts: qcom: msm8916: Add MSM8916-specific compatibles to SCM/MSS")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220718140344.1831731-2-stephan.gerhold@kernkonzept.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index 48bc2e09128d..863a60b63641 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -1331,7 +1331,7 @@ bam_dmux_dma: dma-controller@4044000 {
+ };
+
+ mpss: remoteproc@4080000 {
+- compatible = "qcom,msm8916-mss-pil", "qcom,q6v5-pil";
++ compatible = "qcom,msm8916-mss-pil";
+ reg = <0x04080000 0x100>,
+ <0x04020000 0x040>;
+
+--
+2.35.1
+
--- /dev/null
+From f83a05c8f0d41ed1521f8db0015f6365fcb3bab4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Jul 2022 17:04:16 +0300
+Subject: arm64: dts: qcom: msm8996: Add MSM8996 Pro support
+
+From: Yassine Oudjana <y.oudjana@protonmail.com>
+
+[ Upstream commit 8898c9748a872866f8c2973e719b26bf7c6ab64e ]
+
+Qualcomm MSM8996 Pro is a variant of MSM8996 with higher frequencies
+supported both on CPU and GPU. There are other minor hardware
+differencies in the CPU and GPU regulators and bus fabrics.
+
+However this results in significant differences between 8996 and 8996
+Pro CPU OPP tables. Judging from msm-3.18 there are only few common
+frequencies supported by both msm8996 and msm8996pro. Rather than
+hacking the tables for msm8996, split msm8996pro support into a separate
+file. Later this would allow having additional customizations for the
+CBF, CPR, retulators, etc.
+
+[DB: dropped all non-CPU-OPP changes]
+
+Fixes: 90173a954a22 ("arm64: dts: qcom: msm8996: Add CPU opps")
+Signed-off-by: Yassine Oudjana <y.oudjana@protonmail.com>
+[DB: Realigned supported-hw to keep compat with current cpufreq driver]
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220724140421.1933004-3-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 82 +++----
+ arch/arm64/boot/dts/qcom/msm8996pro.dtsi | 266 +++++++++++++++++++++++
+ 2 files changed, 307 insertions(+), 41 deletions(-)
+ create mode 100644 arch/arm64/boot/dts/qcom/msm8996pro.dtsi
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index 742eac4ce9b3..41c09895268e 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -143,82 +143,82 @@ cluster0_opp: opp-table-cluster0 {
+ /* Nominal fmax for now */
+ opp-307200000 {
+ opp-hz = /bits/ 64 <307200000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-422400000 {
+ opp-hz = /bits/ 64 <422400000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-480000000 {
+ opp-hz = /bits/ 64 <480000000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-556800000 {
+ opp-hz = /bits/ 64 <556800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-652800000 {
+ opp-hz = /bits/ 64 <652800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-729600000 {
+ opp-hz = /bits/ 64 <729600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-844800000 {
+ opp-hz = /bits/ 64 <844800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-960000000 {
+ opp-hz = /bits/ 64 <960000000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1036800000 {
+ opp-hz = /bits/ 64 <1036800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1113600000 {
+ opp-hz = /bits/ 64 <1113600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1190400000 {
+ opp-hz = /bits/ 64 <1190400000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1228800000 {
+ opp-hz = /bits/ 64 <1228800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1324800000 {
+ opp-hz = /bits/ 64 <1324800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1401600000 {
+ opp-hz = /bits/ 64 <1401600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1478400000 {
+ opp-hz = /bits/ 64 <1478400000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1593600000 {
+ opp-hz = /bits/ 64 <1593600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ };
+@@ -231,127 +231,127 @@ cluster1_opp: opp-table-cluster1 {
+ /* Nominal fmax for now */
+ opp-307200000 {
+ opp-hz = /bits/ 64 <307200000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-403200000 {
+ opp-hz = /bits/ 64 <403200000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-480000000 {
+ opp-hz = /bits/ 64 <480000000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-556800000 {
+ opp-hz = /bits/ 64 <556800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-652800000 {
+ opp-hz = /bits/ 64 <652800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-729600000 {
+ opp-hz = /bits/ 64 <729600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-806400000 {
+ opp-hz = /bits/ 64 <806400000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-883200000 {
+ opp-hz = /bits/ 64 <883200000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-940800000 {
+ opp-hz = /bits/ 64 <940800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1036800000 {
+ opp-hz = /bits/ 64 <1036800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1113600000 {
+ opp-hz = /bits/ 64 <1113600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1190400000 {
+ opp-hz = /bits/ 64 <1190400000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1248000000 {
+ opp-hz = /bits/ 64 <1248000000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1324800000 {
+ opp-hz = /bits/ 64 <1324800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1401600000 {
+ opp-hz = /bits/ 64 <1401600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1478400000 {
+ opp-hz = /bits/ 64 <1478400000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1555200000 {
+ opp-hz = /bits/ 64 <1555200000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1632000000 {
+ opp-hz = /bits/ 64 <1632000000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1708800000 {
+ opp-hz = /bits/ 64 <1708800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1785600000 {
+ opp-hz = /bits/ 64 <1785600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1824000000 {
+ opp-hz = /bits/ 64 <1824000000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1920000000 {
+ opp-hz = /bits/ 64 <1920000000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1996800000 {
+ opp-hz = /bits/ 64 <1996800000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-2073600000 {
+ opp-hz = /bits/ 64 <2073600000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ opp-2150400000 {
+ opp-hz = /bits/ 64 <2150400000>;
+- opp-supported-hw = <0x77>;
++ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
+ };
+diff --git a/arch/arm64/boot/dts/qcom/msm8996pro.dtsi b/arch/arm64/boot/dts/qcom/msm8996pro.dtsi
+new file mode 100644
+index 000000000000..63e1b4ec7a36
+--- /dev/null
++++ b/arch/arm64/boot/dts/qcom/msm8996pro.dtsi
+@@ -0,0 +1,266 @@
++// SPDX-License-Identifier: BSD-3-Clause
++/*
++ * Copyright (c) 2022, Linaro Limited
++ */
++
++#include "msm8996.dtsi"
++
++/ {
++ /delete-node/ opp-table-cluster0;
++ /delete-node/ opp-table-cluster1;
++
++ /*
++ * On MSM8996 Pro the cpufreq driver shifts speed bins into the high
++ * nibble of supported hw, so speed bin 0 becomes 0x10, speed bin 1
++ * becomes 0x20, speed 2 becomes 0x40.
++ */
++
++ cluster0_opp: opp-table-cluster0 {
++ compatible = "operating-points-v2-kryo-cpu";
++ nvmem-cells = <&speedbin_efuse>;
++ opp-shared;
++
++ opp-307200000 {
++ opp-hz = /bits/ 64 <307200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-384000000 {
++ opp-hz = /bits/ 64 <384000000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-460800000 {
++ opp-hz = /bits/ 64 <460800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-537600000 {
++ opp-hz = /bits/ 64 <537600000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-614400000 {
++ opp-hz = /bits/ 64 <614400000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-691200000 {
++ opp-hz = /bits/ 64 <691200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-768000000 {
++ opp-hz = /bits/ 64 <768000000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-844800000 {
++ opp-hz = /bits/ 64 <844800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-902400000 {
++ opp-hz = /bits/ 64 <902400000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-979200000 {
++ opp-hz = /bits/ 64 <979200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1056000000 {
++ opp-hz = /bits/ 64 <1056000000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1132800000 {
++ opp-hz = /bits/ 64 <1132800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1209600000 {
++ opp-hz = /bits/ 64 <1209600000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1286400000 {
++ opp-hz = /bits/ 64 <1286400000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1363200000 {
++ opp-hz = /bits/ 64 <1363200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1440000000 {
++ opp-hz = /bits/ 64 <1440000000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1516800000 {
++ opp-hz = /bits/ 64 <1516800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1593600000 {
++ opp-hz = /bits/ 64 <1593600000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1996800000 {
++ opp-hz = /bits/ 64 <1996800000>;
++ opp-supported-hw = <0x20>;
++ clock-latency-ns = <200000>;
++ };
++ opp-2188800000 {
++ opp-hz = /bits/ 64 <2188800000>;
++ opp-supported-hw = <0x10>;
++ clock-latency-ns = <200000>;
++ };
++ };
++
++ cluster1_opp: opp-table-cluster1 {
++ compatible = "operating-points-v2-kryo-cpu";
++ nvmem-cells = <&speedbin_efuse>;
++ opp-shared;
++
++ opp-307200000 {
++ opp-hz = /bits/ 64 <307200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-384000000 {
++ opp-hz = /bits/ 64 <384000000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-460800000 {
++ opp-hz = /bits/ 64 <460800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-537600000 {
++ opp-hz = /bits/ 64 <537600000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-614400000 {
++ opp-hz = /bits/ 64 <614400000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-691200000 {
++ opp-hz = /bits/ 64 <691200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-748800000 {
++ opp-hz = /bits/ 64 <748800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-825600000 {
++ opp-hz = /bits/ 64 <825600000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-902400000 {
++ opp-hz = /bits/ 64 <902400000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-979200000 {
++ opp-hz = /bits/ 64 <979200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1056000000 {
++ opp-hz = /bits/ 64 <1056000000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1132800000 {
++ opp-hz = /bits/ 64 <1132800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1209600000 {
++ opp-hz = /bits/ 64 <1209600000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1286400000 {
++ opp-hz = /bits/ 64 <1286400000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1363200000 {
++ opp-hz = /bits/ 64 <1363200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1440000000 {
++ opp-hz = /bits/ 64 <1440000000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1516800000 {
++ opp-hz = /bits/ 64 <1516800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1593600000 {
++ opp-hz = /bits/ 64 <1593600000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1670400000 {
++ opp-hz = /bits/ 64 <1670400000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1747200000 {
++ opp-hz = /bits/ 64 <1747200000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1824000000 {
++ opp-hz = /bits/ 64 <1824000000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1900800000 {
++ opp-hz = /bits/ 64 <1900800000>;
++ opp-supported-hw = <0x70>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1977600000 {
++ opp-hz = /bits/ 64 <1977600000>;
++ opp-supported-hw = <0x30>;
++ clock-latency-ns = <200000>;
++ };
++ opp-2054400000 {
++ opp-hz = /bits/ 64 <2054400000>;
++ opp-supported-hw = <0x30>;
++ clock-latency-ns = <200000>;
++ };
++ opp-2150400000 {
++ opp-hz = /bits/ 64 <2150400000>;
++ opp-supported-hw = <0x30>;
++ clock-latency-ns = <200000>;
++ };
++ opp-2246400000 {
++ opp-hz = /bits/ 64 <2246400000>;
++ opp-supported-hw = <0x10>;
++ clock-latency-ns = <200000>;
++ };
++ opp-2342400000 {
++ opp-hz = /bits/ 64 <2342400000>;
++ opp-supported-hw = <0x10>;
++ clock-latency-ns = <200000>;
++ };
++ };
++};
+--
+2.35.1
+
--- /dev/null
+From e14a01a887dee26ec3beba0e9520e84fc958eecc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Jul 2022 17:04:20 +0300
+Subject: arm64: dts: qcom: msm8996: fix GPU OPP table
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 0d440d811e6e2f37093e54db55bc27fe66678170 ]
+
+Fix Adreno OPP table according to the msm-3.18. Enable 624 MHz for the
+speed bin 3 and 560 MHz for bins 2 and 3.
+
+Fixes: 69cc3114ab0f ("arm64: dts: Add Adreno GPU definitions")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220724140421.1933004-7-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index 24791ed436c5..c8b9d7d60774 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -1228,17 +1228,17 @@ gpu_opp_table: opp-table {
+ compatible = "operating-points-v2";
+
+ /*
+- * 624Mhz and 560Mhz are only available on speed
+- * bin (1 << 0). All the rest are available on
+- * all bins of the hardware
++ * 624Mhz is only available on speed bins 0 and 3.
++ * 560Mhz is only available on speed bins 0, 2 and 3.
++ * All the rest are available on all bins of the hardware.
+ */
+ opp-624000000 {
+ opp-hz = /bits/ 64 <624000000>;
+- opp-supported-hw = <0x01>;
++ opp-supported-hw = <0x09>;
+ };
+ opp-560000000 {
+ opp-hz = /bits/ 64 <560000000>;
+- opp-supported-hw = <0x01>;
++ opp-supported-hw = <0x0d>;
+ };
+ opp-510000000 {
+ opp-hz = /bits/ 64 <510000000>;
+--
+2.35.1
+
--- /dev/null
+From ae065a33886ef7bc6d5278b9f0d6ff21fa7ffe94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 00:46:47 -0700
+Subject: arm64: dts: qcom: msm8996: fix sound card reset line polarity
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 76d21ffc5d425bf7ea9888652c49d7dbda15f356 ]
+
+When resetting the block, the reset line is being driven low and then
+high, which means that the line in DTS should be annotated as "active
+low". It will become important when wcd9335 driver will be converted
+to gpiod API that respects declared line polarities.
+
+Fixes: f3eb39a55a1f ("arm64: dts: db820c: Add sound card support")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221027074652.1044235-1-dmitry.torokhov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index d3cf0677ea28..5cf04c350a62 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -3358,7 +3358,7 @@ wcd9335: codec@1{
+ interrupt-names = "intr1", "intr2";
+ interrupt-controller;
+ #interrupt-cells = <1>;
+- reset-gpios = <&tlmm 64 GPIO_ACTIVE_HIGH>;
++ reset-gpios = <&tlmm 64 GPIO_ACTIVE_LOW>;
+
+ slim-ifc-dev = <&tasha_ifd>;
+
+--
+2.35.1
+
--- /dev/null
+From b91adb4760ad9fdc992f7879690bac1ea347c607 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Jul 2022 17:04:18 +0300
+Subject: arm64: dts: qcom: msm8996: fix supported-hw in cpufreq OPP tables
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 0154caaa2b748e7414a4ec3c6ee60e8f483b2d4f ]
+
+Adjust MSM8996 cpufreq tables according to tables in msm-3.18. Some of
+the frequencies are not supported on speed bins other than 0. Also other
+speed bins support intermediate topmost frequencies, not supported on
+speed bin 0. Implement all these differencies.
+
+Fixes: 90173a954a22 ("arm64: dts: qcom: msm8996: Add CPU opps")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220724140421.1933004-5-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 38 ++++++++++++++++++++-------
+ 1 file changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index 41c09895268e..24791ed436c5 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -203,22 +203,32 @@ opp-1228800000 {
+ };
+ opp-1324800000 {
+ opp-hz = /bits/ 64 <1324800000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x5>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1363200000 {
++ opp-hz = /bits/ 64 <1363200000>;
++ opp-supported-hw = <0x2>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1401600000 {
+ opp-hz = /bits/ 64 <1401600000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x5>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1478400000 {
+ opp-hz = /bits/ 64 <1478400000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x1>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1497600000 {
++ opp-hz = /bits/ 64 <1497600000>;
++ opp-supported-hw = <0x04>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1593600000 {
+ opp-hz = /bits/ 64 <1593600000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x1>;
+ clock-latency-ns = <200000>;
+ };
+ };
+@@ -329,29 +339,39 @@ opp-1785600000 {
+ opp-supported-hw = <0x7>;
+ clock-latency-ns = <200000>;
+ };
++ opp-1804800000 {
++ opp-hz = /bits/ 64 <1804800000>;
++ opp-supported-hw = <0x6>;
++ clock-latency-ns = <200000>;
++ };
+ opp-1824000000 {
+ opp-hz = /bits/ 64 <1824000000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x1>;
++ clock-latency-ns = <200000>;
++ };
++ opp-1900800000 {
++ opp-hz = /bits/ 64 <1900800000>;
++ opp-supported-hw = <0x4>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1920000000 {
+ opp-hz = /bits/ 64 <1920000000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x1>;
+ clock-latency-ns = <200000>;
+ };
+ opp-1996800000 {
+ opp-hz = /bits/ 64 <1996800000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x1>;
+ clock-latency-ns = <200000>;
+ };
+ opp-2073600000 {
+ opp-hz = /bits/ 64 <2073600000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x1>;
+ clock-latency-ns = <200000>;
+ };
+ opp-2150400000 {
+ opp-hz = /bits/ 64 <2150400000>;
+- opp-supported-hw = <0x7>;
++ opp-supported-hw = <0x1>;
+ clock-latency-ns = <200000>;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From 946cbab2f4a008d7080f09e918e407b9df6b8dc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 08:32:26 +0100
+Subject: arm64: dts: qcom: pm6350: Include header for KEY_POWER
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit f6e2d6914c7c095660a9c7c503328eebab1e2557 ]
+
+Make pm6350.dtsi self-contained by including input.h, needed for the
+KEY_POWER constant used to define the power key.
+
+Fixes: d8a3c775d7cd ("arm64: dts: qcom: Add PM6350 PMIC")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Reviewed-by: Luca Weiss <luca.weiss@fairphone.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221030073232.22726-5-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/pm6350.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/pm6350.dtsi b/arch/arm64/boot/dts/qcom/pm6350.dtsi
+index ecf9b9919182..68245d78d2b9 100644
+--- a/arch/arm64/boot/dts/qcom/pm6350.dtsi
++++ b/arch/arm64/boot/dts/qcom/pm6350.dtsi
+@@ -3,6 +3,7 @@
+ * Copyright (c) 2021, Luca Weiss <luca@z3ntu.xyz>
+ */
+
++#include <dt-bindings/input/input.h>
+ #include <dt-bindings/spmi/spmi.h>
+
+ &spmi_bus {
+--
+2.35.1
+
--- /dev/null
+From b0aceb7317ce94b5f206ff9f5fe21430ff1247b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 21:01:45 +0200
+Subject: arm64: dts: qcom: pm660: Use unique ADC5_VCOIN address in node name
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 02549ba5de0a09a27616496c3512db5af4ad7862 ]
+
+The register address in the node name is shadowing vph_pwr@83, whereas
+the ADC5_VCOIN register resolves to 0x85. Fix this copy-paste
+discrepancy.
+
+Fixes: 4bf097540506 ("arm64: dts: qcom: pm660: Add VADC and temp alarm nodes")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220926190148.283805-3-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/pm660.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/pm660.dtsi b/arch/arm64/boot/dts/qcom/pm660.dtsi
+index d0eefbb51663..d8c9ece20cd9 100644
+--- a/arch/arm64/boot/dts/qcom/pm660.dtsi
++++ b/arch/arm64/boot/dts/qcom/pm660.dtsi
+@@ -163,7 +163,7 @@ vadc_vph_pwr: vph_pwr@83 {
+ qcom,pre-scaling = <1 3>;
+ };
+
+- vcoin: vcoin@83 {
++ vcoin: vcoin@85 {
+ reg = <ADC5_VCOIN>;
+ qcom,decimation = <1024>;
+ qcom,pre-scaling = <1 3>;
+--
+2.35.1
+
--- /dev/null
+From f91321db48322311a1cf0e881efbc8e44a842cbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 18:51:33 -0400
+Subject: arm64: dts: qcom: sc7180-trogdor-homestar: fully configure secondary
+ I2S pins
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 59e787935cfe6f562fbb9117e2df4076eaf810d8 ]
+
+The Trogdor Homestar DTSI adds additional GPIO52 pin to secondary I2S pins
+("sec_mi2s_active") and configures it to "mi2s_1" function.
+
+The Trogdor DTSI (which is included by Homestar) configures drive
+strength and bias for all "sec_mi2s_active" pins, thus the intention was
+to apply this configuration also to GPIO52 on Homestar.
+
+Reported-by: Doug Anderson <dianders@chromium.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Fixes: be0416a3f917 ("arm64: dts: qcom: Add sc7180-trogdor-homestar")
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221020225135.31750-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7180-trogdor-homestar.dtsi | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7180-trogdor-homestar.dtsi b/arch/arm64/boot/dts/qcom/sc7180-trogdor-homestar.dtsi
+index 1bd6c7dcd9e9..bfab67f4a7c9 100644
+--- a/arch/arm64/boot/dts/qcom/sc7180-trogdor-homestar.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7180-trogdor-homestar.dtsi
+@@ -194,6 +194,12 @@ pinmux {
+ pins = "gpio49", "gpio50", "gpio51", "gpio52";
+ function = "mi2s_1";
+ };
++
++ pinconf {
++ pins = "gpio49", "gpio50", "gpio51", "gpio52";
++ drive-strength = <2>;
++ bias-pull-down;
++ };
+ };
+
+ &ts_reset_l {
+--
+2.35.1
+
--- /dev/null
+From 21aef9ce0381507123b8639f38642ea8dfd9610a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 07:44:12 -0400
+Subject: arm64: dts: qcom: sdm630: fix UART1 pin bias
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 780f836fe071a9e8703fe6a05ae00129acf83391 ]
+
+There is no "bias-no-pull" property. Assume intentions were disabling
+bias.
+
+Fixes: b190fb010664 ("arm64: dts: qcom: sdm630: Add sdm630 dts file")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221010114417.29859-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm630.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm630.dtsi b/arch/arm64/boot/dts/qcom/sdm630.dtsi
+index 1bc9091cad2a..12f01815230b 100644
+--- a/arch/arm64/boot/dts/qcom/sdm630.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm630.dtsi
+@@ -773,7 +773,7 @@ rx-cts-rts {
+ pins = "gpio17", "gpio18", "gpio19";
+ function = "gpio";
+ drive-strength = <2>;
+- bias-no-pull;
++ bias-disable;
+ };
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 067ae70075977f547bf400541a714e6ecf426880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 07:44:14 -0400
+Subject: arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 9bce41fab14da8f21027dc9847535ef5e22cbe8b ]
+
+There is no "bias-no-pull" property. Assume intentions were disabling
+bias.
+
+Fixes: 79e7739f7b87 ("arm64: dts: qcom: sdm845-cheza: add initial cheza dt")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221010114417.29859-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
+index b5eb8f7eca1d..b5f11fbcc300 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
+@@ -1436,7 +1436,7 @@ ap_suspend_l_assert: ap_suspend_l_assert {
+ config {
+ pins = "gpio126";
+ function = "gpio";
+- bias-no-pull;
++ bias-disable;
+ drive-strength = <2>;
+ output-low;
+ };
+@@ -1446,7 +1446,7 @@ ap_suspend_l_deassert: ap_suspend_l_deassert {
+ config {
+ pins = "gpio126";
+ function = "gpio";
+- bias-no-pull;
++ bias-disable;
+ drive-strength = <2>;
+ output-high;
+ };
+--
+2.35.1
+
--- /dev/null
+From 0f53c84610d2e7d122cdf1c123762bb546584d13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 21:20:39 +0200
+Subject: arm64: dts: qcom: sdm845-xiaomi-polaris: fix codec pin conf name
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 58c4a0b6f4bdf8c3c2b4aad7f980e4019cc0fc83 ]
+
+Fix typo in the codec's pin name to be configured. Mismatched name
+caused the pin configuration to be ignored.
+
+Fixes: be497abe19bf ("arm64: dts: qcom: Add support for Xiaomi Mi Mix2s")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Tested-by: Molly Sophia <mollysophia379@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220930192039.240486-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
+index dba7c2693ff5..2611a5c40ba3 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
+@@ -628,7 +628,7 @@ sde_dsi_suspend: sde-dsi-suspend {
+ };
+
+ wcd_intr_default: wcd-intr-default {
+- pins = "goui54";
++ pins = "gpio54";
+ function = "gpio";
+ input-enable;
+ bias-pull-down;
+--
+2.35.1
+
--- /dev/null
+From d2129faba085731f753087fa6c7a384babac353b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 12:36:46 -0400
+Subject: arm64: dts: qcom: sm6125: fix SDHCI CQE reg names
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 3de1172624b3c4ca65730bc34333ab493510b3e1 ]
+
+SM6125 comes with SDCC (SDHCI controller) v5, so the second range of
+registers is cqhci, not core.
+
+Fixes: cff4bbaf2a2d ("arm64: dts: qcom: Add support for SM6125")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
+Tested-by: Marijn Suijten <marijn.suijten@somainline.org> # Sony Xperia 10 II
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221026163646.37433-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm6125.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm6125.dtsi b/arch/arm64/boot/dts/qcom/sm6125.dtsi
+index 8c582a9e4ada..012722408682 100644
+--- a/arch/arm64/boot/dts/qcom/sm6125.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm6125.dtsi
+@@ -458,7 +458,7 @@ rpm_msg_ram: sram@45f0000 {
+ sdhc_1: mmc@4744000 {
+ compatible = "qcom,sm6125-sdhci", "qcom,sdhci-msm-v5";
+ reg = <0x04744000 0x1000>, <0x04745000 0x1000>;
+- reg-names = "hc", "core";
++ reg-names = "hc", "cqhci";
+
+ interrupts = <GIC_SPI 348 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 352 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.35.1
+
--- /dev/null
+From c028175bda799fcd0212c5ce26b3bd414dabfcdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 08:32:32 +0100
+Subject: arm64: dts: qcom: sm6350: Add apps_smmu with streamID to SDHCI 1/2
+ nodes
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 7372b944a6ba5ac86628eaacc89ed4f103435cb9 ]
+
+When enabling the APPS SMMU the mainline driver reconfigures the SMMU
+from its bootloader configuration, losing the stream mapping for (among
+which) the SDHCI hardware and breaking its ADMA feature. This feature
+can be disabled with:
+
+ sdhci.debug_quirks=0x40
+
+But it is of course desired to have this feature enabled and working
+through the SMMU.
+
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Reviewed-by: Luca Weiss <luca.weiss@fairphone.com>
+Tested-by: Luca Weiss <luca.weiss@fairphone.com> # sm7225-fairphone-fp4
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221030073232.22726-11-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm6350.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm6350.dtsi b/arch/arm64/boot/dts/qcom/sm6350.dtsi
+index ec64b6a12e20..4ec19f8ba928 100644
+--- a/arch/arm64/boot/dts/qcom/sm6350.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm6350.dtsi
+@@ -482,6 +482,7 @@ sdhc_1: mmc@7c4000 {
+ interrupts = <GIC_SPI 641 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 644 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "hc_irq", "pwr_irq";
++ iommus = <&apps_smmu 0x60 0x0>;
+
+ clocks = <&gcc GCC_SDCC1_AHB_CLK>,
+ <&gcc GCC_SDCC1_APPS_CLK>,
+@@ -928,6 +929,7 @@ sdhc_2: mmc@8804000 {
+ interrupts = <GIC_SPI 204 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 222 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "hc_irq", "pwr_irq";
++ iommus = <&apps_smmu 0x560 0x0>;
+
+ clocks = <&gcc GCC_SDCC2_AHB_CLK>,
+ <&gcc GCC_SDCC2_APPS_CLK>,
+--
+2.35.1
+
--- /dev/null
+From 7863a1ad0e83726879b3c9296aa1a90db64d8405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 17:25:11 +0200
+Subject: arm64: dts: qcom: sm6350: drop bogus DP PHY clock
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 95fade4016cbd57ee050ab226c8f0483af1753c4 ]
+
+The QMP pipe clock is used by the USB part of the PHY so drop the
+corresponding properties from the DP child node.
+
+Fixes: 23737b9557fe ("arm64: dts: qcom: sm6350: Add USB1 nodes")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221026152511.9661-3-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm6350.dtsi | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm6350.dtsi b/arch/arm64/boot/dts/qcom/sm6350.dtsi
+index d06aefdf3d9e..ec64b6a12e20 100644
+--- a/arch/arm64/boot/dts/qcom/sm6350.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm6350.dtsi
+@@ -1011,9 +1011,6 @@ dp_phy: dp-phy@88ea200 {
+ <0 0x088eaa00 0 0x100>;
+ #phy-cells = <0>;
+ #clock-cells = <1>;
+- clocks = <&gcc GCC_USB3_PRIM_PHY_PIPE_CLK>;
+- clock-names = "pipe0";
+- clock-output-names = "usb3_phy_pipe_clk_src";
+ };
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 9e77cf2afa93b9fe030c3f9687ad51277eb6834e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 11:15:04 +0200
+Subject: arm64: dts: qcom: sm8150: fix UFS PHY registers
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 36a31b3a8d9ba1707a23de8d8dc1ceaef4eda695 ]
+
+The sizes of the UFS PHY register regions are too small and does
+specifically not cover all registers used by the Linux driver.
+
+As Linux maps these regions as full pages this is currently not an issue
+on Linux, but let's update the sizes to match the vendor driver.
+
+Fixes: 3834a2e92229 ("arm64: dts: qcom: sm8150: Add ufs nodes")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221024091507.20342-2-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8150.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8150.dtsi b/arch/arm64/boot/dts/qcom/sm8150.dtsi
+index 916f12b799b7..3df80dde9249 100644
+--- a/arch/arm64/boot/dts/qcom/sm8150.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8150.dtsi
+@@ -2038,11 +2038,11 @@ ufs_mem_phy: phy@1d87000 {
+ status = "disabled";
+
+ ufs_mem_phy_lanes: phy@1d87400 {
+- reg = <0 0x01d87400 0 0x108>,
+- <0 0x01d87600 0 0x1e0>,
+- <0 0x01d87c00 0 0x1dc>,
+- <0 0x01d87800 0 0x108>,
+- <0 0x01d87a00 0 0x1e0>;
++ reg = <0 0x01d87400 0 0x16c>,
++ <0 0x01d87600 0 0x200>,
++ <0 0x01d87c00 0 0x200>,
++ <0 0x01d87800 0 0x16c>,
++ <0 0x01d87a00 0 0x200>;
+ #phy-cells = <0>;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From aace118558c687430818ca3dec307d48bb51eebd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 17:34:20 +0200
+Subject: arm64: dts: qcom: sm8250: correct LPASS pin pull down
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 195a0a11d66d6c696cbcf398d6bc3f3a3a462f7c ]
+
+The pull-down property is actually bias-pull-down.
+
+Fixes: 3160c1b894d9 ("arm64: dts: qcom: sm8250: add lpass lpi pin controller node")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220927153429.55365-4-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+index 052b4dbc1ee4..f4abca3a0843 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+@@ -2447,7 +2447,7 @@ data {
+ pins = "gpio7";
+ function = "dmic1_data";
+ drive-strength = <2>;
+- pull-down;
++ bias-pull-down;
+ input-enable;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From 4a4e9c2ebab2eb1f99ba062b3a59d0f258fb055f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 17:25:10 +0200
+Subject: arm64: dts: qcom: sm8250: drop bogus DP PHY clock
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit bb9f23e46ddcebe1bc68a43a0f7acfc1865a6472 ]
+
+The QMP pipe clock is used by the USB part of the PHY so drop the
+corresponding properties from the DP child node.
+
+Fixes: 5aa0d1becd5b ("arm64: dts: qcom: sm8250: switch usb1 qmp phy to USB3+DP mode")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221026152511.9661-2-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8250.dtsi | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+index 7df2abd40525..ab6c4c354338 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+@@ -2890,9 +2890,6 @@ dp_phy: dp-phy@88ea200 {
+ <0 0x088eaa00 0 0x100>;
+ #phy-cells = <0>;
+ #clock-cells = <1>;
+- clocks = <&gcc GCC_USB3_PRIM_PHY_PIPE_CLK>;
+- clock-names = "pipe0";
+- clock-output-names = "usb3_phy_pipe_clk_src";
+ };
+ };
+
+--
+2.35.1
+
--- /dev/null
+From cce089d70978ce6c51f9238ab48966840b8b3696 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 11:15:05 +0200
+Subject: arm64: dts: qcom: sm8250: fix UFS PHY registers
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 7f8b37dd4e7bf50160529530d9789b846153df71 ]
+
+The sizes of the UFS PHY register regions are too small and does
+specifically not cover all registers used by the Linux driver.
+
+As Linux maps these regions as full pages this is currently not an issue
+on Linux, but let's update the sizes to match the vendor driver.
+
+Fixes: b7e2fba06622 ("arm64: dts: qcom: sm8250: Add UFS controller and PHY")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221024091507.20342-3-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8250.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+index f4abca3a0843..7df2abd40525 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+@@ -2172,11 +2172,11 @@ ufs_mem_phy: phy@1d87000 {
+ status = "disabled";
+
+ ufs_mem_phy_lanes: phy@1d87400 {
+- reg = <0 0x01d87400 0 0x108>,
+- <0 0x01d87600 0 0x1e0>,
+- <0 0x01d87c00 0 0x1dc>,
+- <0 0x01d87800 0 0x108>,
+- <0 0x01d87a00 0 0x1e0>;
++ reg = <0 0x01d87400 0 0x16c>,
++ <0 0x01d87600 0 0x200>,
++ <0 0x01d87c00 0 0x200>,
++ <0 0x01d87800 0 0x16c>,
++ <0 0x01d87a00 0 0x200>;
+ #phy-cells = <0>;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From 61ba54c9a15e51ba0020e8d9c3abfb2cdb29431a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 00:46:49 -0700
+Subject: arm64: dts: qcom: sm8250-mtp: fix reset line polarity
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 15d9fcbb3e6e8420c7d1ae331405780c5d9c1c25 ]
+
+The driver for the codec, when resetting the chip, first drives the line
+low, and then high. This means that the line is active low. Change the
+annotation in the DTS accordingly.
+
+Fixes: 36c9d012f193 ("arm64: dts: qcom: use GPIO flags for tlmm")
+Fixes: 5a263cf629a8 ("arm64: dts: qcom: sm8250-mtp: Add wcd9380 audio codec node")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221027074652.1044235-3-dmitry.torokhov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8250-mtp.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8250-mtp.dts b/arch/arm64/boot/dts/qcom/sm8250-mtp.dts
+index a102aa5efa32..a05fe468e0b4 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250-mtp.dts
++++ b/arch/arm64/boot/dts/qcom/sm8250-mtp.dts
+@@ -635,7 +635,7 @@ &soc {
+ wcd938x: codec {
+ compatible = "qcom,wcd9380-codec";
+ #sound-dai-cells = <1>;
+- reset-gpios = <&tlmm 32 GPIO_ACTIVE_HIGH>;
++ reset-gpios = <&tlmm 32 GPIO_ACTIVE_LOW>;
+ vdd-buck-supply = <&vreg_s4a_1p8>;
+ vdd-rxtx-supply = <&vreg_s4a_1p8>;
+ vdd-io-supply = <&vreg_s4a_1p8>;
+--
+2.35.1
+
--- /dev/null
+From a8e71ab4f085a33b19accabf5abaf5b2edcfea06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 21:29:40 +0200
+Subject: arm64: dts: qcom: sm8250-sony-xperia-edo: fix touchscreen
+ bias-disable
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 7ff4a646fae3697b039c6b684786a1e309e8445c ]
+
+The property to disable bias is "bias-disable".
+
+Fixes: e76c7e1f15fe ("arm64: dts: qcom: sm8250-edo: Add Samsung touchscreen")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220930192954.242546-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi
+index 5428aab3058d..e4769dcfaad7 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi
+@@ -619,7 +619,7 @@ ts_int_default: ts-int-default {
+ pins = "gpio39";
+ function = "gpio";
+ drive-strength = <2>;
+- bias-disabled;
++ bias-disable;
+ input-enable;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 4d1e70b2a4b7045b35ab8071ed0a49ff576679ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 11:15:06 +0200
+Subject: arm64: dts: qcom: sm8350: fix UFS PHY registers
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit b3c7839b698cc617e97dd2e4f1eeb4adc280fe58 ]
+
+The sizes of the UFS PHY register regions are too small and does
+specifically not cover all registers used by the Linux driver.
+
+As Linux maps these regions as full pages this is currently not an issue
+on Linux, but let's update the sizes to match the vendor driver.
+
+Fixes: 59c7cf814783 ("arm64: dts: qcom: sm8350: Add UFS nodes")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221024091507.20342-4-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8350.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi
+index d9b08dfc2980..eace5b2ee381 100644
+--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi
+@@ -2142,11 +2142,11 @@ ufs_mem_phy: phy@1d87000 {
+ status = "disabled";
+
+ ufs_mem_phy_lanes: phy@1d87400 {
+- reg = <0 0x01d87400 0 0x108>,
+- <0 0x01d87600 0 0x1e0>,
+- <0 0x01d87c00 0 0x1dc>,
+- <0 0x01d87800 0 0x108>,
+- <0 0x01d87a00 0 0x1e0>;
++ reg = <0 0x01d87400 0 0x188>,
++ <0 0x01d87600 0 0x200>,
++ <0 0x01d87c00 0 0x200>,
++ <0 0x01d87800 0 0x188>,
++ <0 0x01d87a00 0 0x200>;
+ #phy-cells = <0>;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From ac66bd556e06a8a165e763be52b5d57da63bf35b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 11:15:07 +0200
+Subject: arm64: dts: qcom: sm8450: fix UFS PHY registers
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 7af949211a0554bbc06163b081fc2cb516674880 ]
+
+The sizes of the UFS PHY register regions are too small and does
+specifically not cover all registers used by the Linux driver.
+
+As Linux maps these regions as full pages this is currently not an issue
+on Linux, but let's update the sizes to match the vendor driver.
+
+Fixes: 07fa917a335e ("arm64: dts: qcom: sm8450: add ufs nodes")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221024091507.20342-5-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8450.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi
+index 8a6c0f3e7bb7..ed3e1eff4f58 100644
+--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
+@@ -3131,11 +3131,11 @@ ufs_mem_phy: phy@1d87000 {
+ status = "disabled";
+
+ ufs_mem_phy_lanes: phy@1d87400 {
+- reg = <0 0x01d87400 0 0x108>,
+- <0 0x01d87600 0 0x1e0>,
+- <0 0x01d87c00 0 0x1dc>,
+- <0 0x01d87800 0 0x108>,
+- <0 0x01d87a00 0 0x1e0>;
++ reg = <0 0x01d87400 0 0x188>,
++ <0 0x01d87600 0 0x200>,
++ <0 0x01d87c00 0 0x200>,
++ <0 0x01d87800 0 0x188>,
++ <0 0x01d87a00 0 0x200>;
+ #phy-cells = <0>;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From 36940521213cda252bd7b5a8e19a05a864054d85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 17:39:45 +0200
+Subject: arm64: dts: qcom: use GPIO flags for tlmm
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 36c9d012f193747d42af80b634217addd974c522 ]
+
+Use respective GPIO_ACTIVE_LOW/HIGH flags for tlmm GPIOs. Include
+gpio.h header if this is first usage of that flag.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220802153947.44457-4-krzysztof.kozlowski@linaro.org
+Stable-dep-of: 76d21ffc5d42 ("arm64: dts: qcom: msm8996: fix sound card reset line polarity")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts | 2 +-
+ arch/arm64/boot/dts/qcom/msm8994-sony-xperia-kitakami.dtsi | 2 +-
+ arch/arm64/boot/dts/qcom/msm8994.dtsi | 3 ++-
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 3 ++-
+ arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 4 ++--
+ arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts | 2 +-
+ arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts | 4 ++--
+ arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts | 2 +-
+ arch/arm64/boot/dts/qcom/sdm850-samsung-w737.dts | 2 +-
+ arch/arm64/boot/dts/qcom/sm8250-mtp.dts | 2 +-
+ 10 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts b/arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts
+index 567b33106556..92f264891d84 100644
+--- a/arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts
++++ b/arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts
+@@ -368,7 +368,7 @@ &sdhc2 {
+
+ bus-width = <4>;
+
+- cd-gpios = <&tlmm 38 0x1>;
++ cd-gpios = <&tlmm 38 GPIO_ACTIVE_LOW>;
+
+ vmmc-supply = <&vreg_l21a_2p95>;
+ vqmmc-supply = <&vreg_l13a_2p95>;
+diff --git a/arch/arm64/boot/dts/qcom/msm8994-sony-xperia-kitakami.dtsi b/arch/arm64/boot/dts/qcom/msm8994-sony-xperia-kitakami.dtsi
+index f430d797196f..ff60b7004d26 100644
+--- a/arch/arm64/boot/dts/qcom/msm8994-sony-xperia-kitakami.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8994-sony-xperia-kitakami.dtsi
+@@ -471,7 +471,7 @@ &sdhc1 {
+ &sdhc2 {
+ status = "okay";
+
+- cd-gpios = <&tlmm 100 0>;
++ cd-gpios = <&tlmm 100 GPIO_ACTIVE_HIGH>;
+ vmmc-supply = <&pm8994_l21>;
+ vqmmc-supply = <&pm8994_l13>;
+ };
+diff --git a/arch/arm64/boot/dts/qcom/msm8994.dtsi b/arch/arm64/boot/dts/qcom/msm8994.dtsi
+index 8bc6c070e306..86ef0091caff 100644
+--- a/arch/arm64/boot/dts/qcom/msm8994.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8994.dtsi
+@@ -6,6 +6,7 @@
+ #include <dt-bindings/clock/qcom,gcc-msm8994.h>
+ #include <dt-bindings/clock/qcom,mmcc-msm8994.h>
+ #include <dt-bindings/clock/qcom,rpmcc.h>
++#include <dt-bindings/gpio/gpio.h>
+ #include <dt-bindings/power/qcom-rpmpd.h>
+
+ / {
+@@ -502,7 +503,7 @@ sdhc2: mmc@f98a4900 {
+ pinctrl-0 = <&sdc2_clk_on &sdc2_cmd_on &sdc2_data_on>;
+ pinctrl-1 = <&sdc2_clk_off &sdc2_cmd_off &sdc2_data_off>;
+
+- cd-gpios = <&tlmm 100 0>;
++ cd-gpios = <&tlmm 100 GPIO_ACTIVE_HIGH>;
+ bus-width = <4>;
+ status = "disabled";
+ };
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index c8b9d7d60774..d3cf0677ea28 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -7,6 +7,7 @@
+ #include <dt-bindings/clock/qcom,mmcc-msm8996.h>
+ #include <dt-bindings/clock/qcom,rpmcc.h>
+ #include <dt-bindings/interconnect/qcom,msm8996.h>
++#include <dt-bindings/gpio/gpio.h>
+ #include <dt-bindings/power/qcom-rpmpd.h>
+ #include <dt-bindings/soc/qcom,apr.h>
+ #include <dt-bindings/thermal/thermal.h>
+@@ -3357,7 +3358,7 @@ wcd9335: codec@1{
+ interrupt-names = "intr1", "intr2";
+ interrupt-controller;
+ #interrupt-cells = <1>;
+- reset-gpios = <&tlmm 64 0>;
++ reset-gpios = <&tlmm 64 GPIO_ACTIVE_HIGH>;
+
+ slim-ifc-dev = <&tasha_ifd>;
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
+index c6e2c571b452..b2eddcd87506 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
+@@ -1081,7 +1081,7 @@ &wcd9340{
+ pinctrl-names = "default";
+ clock-names = "extclk";
+ clocks = <&rpmhcc RPMH_LN_BB_CLK2>;
+- reset-gpios = <&tlmm 64 0>;
++ reset-gpios = <&tlmm 64 GPIO_ACTIVE_HIGH>;
+ vdd-buck-supply = <&vreg_s4a_1p8>;
+ vdd-buck-sido-supply = <&vreg_s4a_1p8>;
+ vdd-tx-supply = <&vreg_s4a_1p8>;
+@@ -1255,7 +1255,7 @@ camera@60 {
+ reg = <0x60>;
+
+ // CAM3_RST_N
+- enable-gpios = <&tlmm 21 0>;
++ enable-gpios = <&tlmm 21 GPIO_ACTIVE_HIGH>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&cam3_default>;
+ gpios = <&tlmm 16 0>,
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts
+index 82c27f90d300..0f470cf1ed1c 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium.dts
+@@ -546,7 +546,7 @@ &wcd9340{
+ pinctrl-names = "default";
+ clock-names = "extclk";
+ clocks = <&rpmhcc RPMH_LN_BB_CLK2>;
+- reset-gpios = <&tlmm 64 0>;
++ reset-gpios = <&tlmm 64 GPIO_ACTIVE_HIGH>;
+ vdd-buck-supply = <&vreg_s4a_1p8>;
+ vdd-buck-sido-supply = <&vreg_s4a_1p8>;
+ vdd-tx-supply = <&vreg_s4a_1p8>;
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
+index 2611a5c40ba3..1cc477c30945 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
+@@ -126,7 +126,7 @@ vreg_tp_vddio: vreg-tp-vddio {
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+
+- gpio = <&tlmm 23 0>;
++ gpio = <&tlmm 23 GPIO_ACTIVE_HIGH>;
+ regulator-always-on;
+ regulator-boot-on;
+ enable-active-high;
+@@ -712,7 +712,7 @@ &wcd9340 {
+ pinctrl-names = "default";
+ clock-names = "extclk";
+ clocks = <&rpmhcc RPMH_LN_BB_CLK2>;
+- reset-gpios = <&tlmm 64 0>;
++ reset-gpios = <&tlmm 64 GPIO_ACTIVE_HIGH>;
+ vdd-buck-sido-supply = <&vreg_s4a_1p8>;
+ vdd-buck-supply = <&vreg_s4a_1p8>;
+ vdd-tx-supply = <&vreg_s4a_1p8>;
+diff --git a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts
+index a7af1bed4312..be59a8ba9c1f 100644
+--- a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts
++++ b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts
+@@ -772,7 +772,7 @@ &wcd9340{
+ pinctrl-names = "default";
+ clock-names = "extclk";
+ clocks = <&rpmhcc RPMH_LN_BB_CLK2>;
+- reset-gpios = <&tlmm 64 0>;
++ reset-gpios = <&tlmm 64 GPIO_ACTIVE_HIGH>;
+ vdd-buck-supply = <&vreg_s4a_1p8>;
+ vdd-buck-sido-supply = <&vreg_s4a_1p8>;
+ vdd-tx-supply = <&vreg_s4a_1p8>;
+diff --git a/arch/arm64/boot/dts/qcom/sdm850-samsung-w737.dts b/arch/arm64/boot/dts/qcom/sdm850-samsung-w737.dts
+index b0315eeb1320..f954fe5cb61a 100644
+--- a/arch/arm64/boot/dts/qcom/sdm850-samsung-w737.dts
++++ b/arch/arm64/boot/dts/qcom/sdm850-samsung-w737.dts
+@@ -704,7 +704,7 @@ &wcd9340{
+ pinctrl-names = "default";
+ clock-names = "extclk";
+ clocks = <&rpmhcc RPMH_LN_BB_CLK2>;
+- reset-gpios = <&tlmm 64 0>;
++ reset-gpios = <&tlmm 64 GPIO_ACTIVE_HIGH>;
+ vdd-buck-supply = <&vreg_s4a_1p8>;
+ vdd-buck-sido-supply = <&vreg_s4a_1p8>;
+ vdd-tx-supply = <&vreg_s4a_1p8>;
+diff --git a/arch/arm64/boot/dts/qcom/sm8250-mtp.dts b/arch/arm64/boot/dts/qcom/sm8250-mtp.dts
+index 7ab3627cc347..a102aa5efa32 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250-mtp.dts
++++ b/arch/arm64/boot/dts/qcom/sm8250-mtp.dts
+@@ -635,7 +635,7 @@ &soc {
+ wcd938x: codec {
+ compatible = "qcom,wcd9380-codec";
+ #sound-dai-cells = <1>;
+- reset-gpios = <&tlmm 32 0>;
++ reset-gpios = <&tlmm 32 GPIO_ACTIVE_HIGH>;
+ vdd-buck-supply = <&vreg_s4a_1p8>;
+ vdd-rxtx-supply = <&vreg_s4a_1p8>;
+ vdd-io-supply = <&vreg_s4a_1p8>;
+--
+2.35.1
+
--- /dev/null
+From ee83246cfb8fce8018c7dff233c16a3316d2acf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 15:34:39 +0100
+Subject: arm64: dts: renesas: r8a779f0: Fix HSCIF "brg_int" clock
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit a5101ef18b4d0751588f61d939694bad183cc240 ]
+
+As serial communication requires a clean clock signal, the High Speed
+Serial Communication Interfaces with FIFO (HSCIF) are clocked by a clock
+that is not affected by Spread Spectrum or Fractional Multiplication.
+
+Hence change the clock input for the HSCIF Baud Rate Generator internal
+clock from the S0D3_PER clock to the SASYNCPERD1 clock (which has the
+same clock rate), cfr. R-Car S4-8 Hardware User's Manual rev. 0.81.
+
+Fixes: 01a787f78bfd ("arm64: dts: renesas: r8a779f0: Add HSCIF nodes")
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20221103143440.46449-4-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a779f0.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a779f0.dtsi b/arch/arm64/boot/dts/renesas/r8a779f0.dtsi
+index 384817ffa4de..6ee5f0a54b13 100644
+--- a/arch/arm64/boot/dts/renesas/r8a779f0.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a779f0.dtsi
+@@ -442,7 +442,7 @@ hscif0: serial@e6540000 {
+ reg = <0 0xe6540000 0 0x60>;
+ interrupts = <GIC_SPI 245 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 514>,
+- <&cpg CPG_CORE R8A779F0_CLK_S0D3>,
++ <&cpg CPG_CORE R8A779F0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ dmas = <&dmac0 0x31>, <&dmac0 0x30>,
+@@ -459,7 +459,7 @@ hscif1: serial@e6550000 {
+ reg = <0 0xe6550000 0 0x60>;
+ interrupts = <GIC_SPI 246 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 515>,
+- <&cpg CPG_CORE R8A779F0_CLK_S0D3>,
++ <&cpg CPG_CORE R8A779F0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ dmas = <&dmac0 0x33>, <&dmac0 0x32>,
+@@ -476,7 +476,7 @@ hscif2: serial@e6560000 {
+ reg = <0 0xe6560000 0 0x60>;
+ interrupts = <GIC_SPI 247 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 516>,
+- <&cpg CPG_CORE R8A779F0_CLK_S0D3>,
++ <&cpg CPG_CORE R8A779F0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ dmas = <&dmac0 0x35>, <&dmac0 0x34>,
+@@ -493,7 +493,7 @@ hscif3: serial@e66a0000 {
+ reg = <0 0xe66a0000 0 0x60>;
+ interrupts = <GIC_SPI 248 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 517>,
+- <&cpg CPG_CORE R8A779F0_CLK_S0D3>,
++ <&cpg CPG_CORE R8A779F0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ dmas = <&dmac0 0x37>, <&dmac0 0x36>,
+--
+2.35.1
+
--- /dev/null
+From e786eca96a1da079ef27d4db4e6ec43cdcf80778 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 15:34:40 +0100
+Subject: arm64: dts: renesas: r8a779f0: Fix SCIF "brg_int" clock
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 64416ef0b0c4d73349035d1b3206eed3d2047ee0 ]
+
+As serial communication requires a clean clock signal, the Serial
+Communication Interfaces with FIFO (SCIF) are clocked by a clock that is
+not affected by Spread Spectrum or Fractional Multiplication.
+
+Hence change the clock input for the SCIF Baud Rate Generator internal
+clock from the S0D3_PER clock to the SASYNCPERD1 clock (which has the
+same clock rate), cfr. R-Car S4-8 Hardware User's Manual rev. 0.81.
+
+Fixes: c62331e8222f ("arm64: dts: renesas: Add Renesas R8A779F0 SoC support")
+Fixes: 40753144256b ("arm64: dts: renesas: r8a779f0: Add SCIF nodes")
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20221103143440.46449-5-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a779f0.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a779f0.dtsi b/arch/arm64/boot/dts/renesas/r8a779f0.dtsi
+index 6ee5f0a54b13..d4f3ebfe841a 100644
+--- a/arch/arm64/boot/dts/renesas/r8a779f0.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a779f0.dtsi
+@@ -522,7 +522,7 @@ scif0: serial@e6e60000 {
+ reg = <0 0xe6e60000 0 64>;
+ interrupts = <GIC_SPI 249 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 702>,
+- <&cpg CPG_CORE R8A779F0_CLK_S0D3_PER>,
++ <&cpg CPG_CORE R8A779F0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ dmas = <&dmac0 0x51>, <&dmac0 0x50>,
+@@ -539,7 +539,7 @@ scif1: serial@e6e68000 {
+ reg = <0 0xe6e68000 0 64>;
+ interrupts = <GIC_SPI 250 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 703>,
+- <&cpg CPG_CORE R8A779F0_CLK_S0D3_PER>,
++ <&cpg CPG_CORE R8A779F0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ dmas = <&dmac0 0x53>, <&dmac0 0x52>,
+@@ -556,7 +556,7 @@ scif3: serial@e6c50000 {
+ reg = <0 0xe6c50000 0 64>;
+ interrupts = <GIC_SPI 252 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 704>,
+- <&cpg CPG_CORE R8A779F0_CLK_S0D3_PER>,
++ <&cpg CPG_CORE R8A779F0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ dmas = <&dmac0 0x57>, <&dmac0 0x56>,
+@@ -573,7 +573,7 @@ scif4: serial@e6c40000 {
+ reg = <0 0xe6c40000 0 64>;
+ interrupts = <GIC_SPI 253 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 705>,
+- <&cpg CPG_CORE R8A779F0_CLK_S0D3_PER>,
++ <&cpg CPG_CORE R8A779F0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ dmas = <&dmac0 0x59>, <&dmac0 0x58>,
+--
+2.35.1
+
--- /dev/null
+From 98dacbe37aaa4f3083cae1ad0d94bc72ab0496e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Oct 2022 17:20:03 +0200
+Subject: arm64: dts: renesas: r8a779g0: Fix HSCIF0 "brg_int" clock
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit a4290d407aa9fd174d8053878783d466d3124e38 ]
+
+As serial communication requires a clock signal, the High Speed Serial
+Communication Interfaces with FIFO (HSCIF) are clocked by a clock that
+is not affected by Spread Spectrum or Fractional Multiplication.
+
+Hence change the clock input for the HSCIF0 Baud Rate Generator internal
+clock from the S0D3_PER clock to the SASYNCPERD1 clock (which has the
+same clock rate), cfr. R-Car V4H Hardware User's Manual rev. 0.54.
+
+Fixes: 987da486d84a5643 ("arm64: dts: renesas: Add Renesas R8A779G0 SoC support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/a5bd4148f92806f7c8e577d383370f810315f586.1665155947.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a779g0.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a779g0.dtsi b/arch/arm64/boot/dts/renesas/r8a779g0.dtsi
+index 1c15726cff8b..4bd3cb107b38 100644
+--- a/arch/arm64/boot/dts/renesas/r8a779g0.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a779g0.dtsi
+@@ -87,7 +87,7 @@ hscif0: serial@e6540000 {
+ reg = <0 0xe6540000 0 96>;
+ interrupts = <GIC_SPI 246 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 514>,
+- <&cpg CPG_CORE R8A779G0_CLK_S0D3_PER>,
++ <&cpg CPG_CORE R8A779G0_CLK_SASYNCPERD1>,
+ <&scif_clk>;
+ clock-names = "fck", "brg_int", "scif_clk";
+ power-domains = <&sysc R8A779G0_PD_ALWAYS_ON>;
+--
+2.35.1
+
--- /dev/null
+From 36d53e30adda83786a6eaae80e6ad41914c7c12c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 23:06:46 +0000
+Subject: arm64: dts: renesas: r9a09g011: Fix unit address format error
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit 278f5015a3deaa2ea0db6070bbc2a8edf2455643 ]
+
+Although the HW User Manual for RZ/V2M states in the "Address Map"
+section that the interrupt controller is assigned addresses starting
+from 0x82000000, the memory locations from 0x82000000 0x0x8200FFFF
+are marked as reserved in the "Interrupt Controller (GIC)" section
+and are currently not used by the device tree, leading to the below
+warning:
+
+arch/arm64/boot/dts/renesas/r9a09g011.dtsi:51.38-63.5: Warning
+(simple_bus_reg): /soc/interrupt-controller@82000000: simple-bus unit
+address format error, expected "82010000"
+
+Fix the unit address accordingly.
+
+Fixes: fb1929b98f2e ("arm64: dts: renesas: Add initial DTSI for RZ/V2M SoC")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Link: https://lore.kernel.org/r/20221103230648.53748-2-fabrizio.castro.jz@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g011.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g011.dtsi b/arch/arm64/boot/dts/renesas/r9a09g011.dtsi
+index d4cc5459fbb7..4ce0f3944649 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g011.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g011.dtsi
+@@ -48,7 +48,7 @@ soc: soc {
+ #size-cells = <2>;
+ ranges;
+
+- gic: interrupt-controller@82000000 {
++ gic: interrupt-controller@82010000 {
+ compatible = "arm,gic-400";
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+--
+2.35.1
+
--- /dev/null
+From 4eeb39bb4687d0222299221ae91027855b8cf965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 20:55:18 +0530
+Subject: arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node
+
+From: Jayesh Choudhary <j-choudhary@ti.com>
+
+[ Upstream commit b86833ab3653dbb0dc453eec4eef8615e63de4e2 ]
+
+crypto driver itself is not dma-coherent. So drop it.
+
+Fixes: b366b2409c97 ("arm64: dts: ti: k3-am6: Add crypto accelarator node")
+Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com>
+Link: https://lore.kernel.org/r/20221031152520.355653-2-j-choudhary@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+index 8919fede3cd7..ef960386c62c 100644
+--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+@@ -120,7 +120,6 @@ crypto: crypto@4e00000 {
+ dmas = <&main_udmap 0xc000>, <&main_udmap 0x4000>,
+ <&main_udmap 0x4001>;
+ dma-names = "tx", "rx1", "rx2";
+- dma-coherent;
+
+ rng: rng@4e10000 {
+ compatible = "inside-secure,safexcel-eip76";
+--
+2.35.1
+
--- /dev/null
+From cd39f52759b171874f33afd34d42df53819bab4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 20:55:19 +0530
+Subject: arm64: dts: ti: k3-j721e-main: Drop dma-coherent in crypto node
+
+From: Jayesh Choudhary <j-choudhary@ti.com>
+
+[ Upstream commit 26c5012403f3f1fd3bf8f7d3389ee539ae5cc162 ]
+
+crypto driver itself is not dma-coherent. So drop it.
+
+Fixes: 8ebcaaae8017 ("arm64: dts: ti: k3-j721e-main: Add crypto accelerator node")
+Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com>
+Link: https://lore.kernel.org/r/20221031152520.355653-3-j-choudhary@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+index 43b6cf5791ee..75789c0f82bd 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+@@ -337,7 +337,6 @@ main_crypto: crypto@4e00000 {
+ dmas = <&main_udmap 0xc000>, <&main_udmap 0x4000>,
+ <&main_udmap 0x4001>;
+ dma-names = "tx", "rx1", "rx2";
+- dma-coherent;
+
+ rng: rng@4e10000 {
+ compatible = "inside-secure,safexcel-eip76";
+--
+2.35.1
+
--- /dev/null
+From b4b3d84214c54cc458dba3b2f9bf42b4f40526fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 12:59:50 +0530
+Subject: arm64: dts: ti: k3-j721s2: Fix the interrupt ranges property for main
+ & wkup gpio intr
+
+From: Keerthy <j-keerthy@ti.com>
+
+[ Upstream commit b8aa36c22da7d64c5a5d89ccb4a2abb9aeaab2e3 ]
+
+The parent's input irq number is wrongly subtracted with 32 instead of
+using the exact numbers in:
+
+https://software-dl.ti.com/tisci/esd/latest/5_soc_doc/j721s2/interrupt_cfg.html
+
+The GPIO interrupts are not working because of that. The toggling works
+fine but interrupts are not firing. Fix the parent's input irq that
+specifies the base for parent irq.
+
+Tested for MAIN_GPIO0_6 interrupt on the j721s2 EVM.
+
+Fixes: b8545f9d3a54 ("arm64: dts: ti: Add initial support for J721S2 SoC")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Vaishnav Achath <vaishnav.a@ti.com>
+Link: https://lore.kernel.org/r/20220922072950.9157-1-j-keerthy@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi | 2 +-
+ arch/arm64/boot/dts/ti/k3-j721s2-mcu-wakeup.dtsi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi
+index 34e7d577ae13..c89f28235812 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j721s2-main.dtsi
+@@ -60,7 +60,7 @@ main_gpio_intr: interrupt-controller@a00000 {
+ #interrupt-cells = <1>;
+ ti,sci = <&sms>;
+ ti,sci-dev-id = <148>;
+- ti,interrupt-ranges = <8 360 56>;
++ ti,interrupt-ranges = <8 392 56>;
+ };
+
+ main_pmx0: pinctrl@11c000 {
+diff --git a/arch/arm64/boot/dts/ti/k3-j721s2-mcu-wakeup.dtsi b/arch/arm64/boot/dts/ti/k3-j721s2-mcu-wakeup.dtsi
+index 4d1bfabd1313..f0644851602c 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721s2-mcu-wakeup.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j721s2-mcu-wakeup.dtsi
+@@ -65,7 +65,7 @@ wkup_gpio_intr: interrupt-controller@42200000 {
+ #interrupt-cells = <1>;
+ ti,sci = <&sms>;
+ ti,sci-dev-id = <125>;
+- ti,interrupt-ranges = <16 928 16>;
++ ti,interrupt-ranges = <16 960 16>;
+ };
+
+ mcu_conf: syscon@40f00000 {
+--
+2.35.1
+
--- /dev/null
+From 9ccfffaff481a1f79705c1b9d6613c5478f623d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 14:40:42 +0000
+Subject: arm64: make is_ttbrX_addr() noinstr-safe
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit d8c1d798a2e5091128c391c6dadcc9be334af3f5 ]
+
+We use is_ttbr0_addr() in noinstr code, but as it's only marked as
+inline, it's theoretically possible for the compiler to place it
+out-of-line and instrument it, which would be problematic.
+
+Mark is_ttbr0_addr() as __always_inline such that that can safely be
+used from noinstr code. For consistency, do the same to is_ttbr1_addr().
+Note that while is_ttbr1_addr() calls arch_kasan_reset_tag(), this is a
+macro (and its callees are either macros or __always_inline), so there
+is not a risk of transient instrumentation.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20221114144042.3001140-1-mark.rutland@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/processor.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
+index 86eb0bfe3b38..d9144b6e078c 100644
+--- a/arch/arm64/include/asm/processor.h
++++ b/arch/arm64/include/asm/processor.h
+@@ -308,13 +308,13 @@ static inline void compat_start_thread(struct pt_regs *regs, unsigned long pc,
+ }
+ #endif
+
+-static inline bool is_ttbr0_addr(unsigned long addr)
++static __always_inline bool is_ttbr0_addr(unsigned long addr)
+ {
+ /* entry assembly clears tags for TTBR0 addrs */
+ return addr < TASK_SIZE;
+ }
+
+-static inline bool is_ttbr1_addr(unsigned long addr)
++static __always_inline bool is_ttbr1_addr(unsigned long addr)
+ {
+ /* TTBR1 addresses may have a tag if KASAN_SW_TAGS is in use */
+ return arch_kasan_reset_tag(addr) >= PAGE_OFFSET;
+--
+2.35.1
+
--- /dev/null
+From b0bdc9418531ecccb25c592456e8ba7b48875b56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 10:44:11 +0000
+Subject: arm64: mm: kfence: only handle translation faults
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 0bb1fbffc631064db567ccaeb9ed6b6df6342b66 ]
+
+Alexander noted that KFENCE only expects to handle faults from invalid page
+table entries (i.e. translation faults), but arm64's fault handling logic will
+call kfence_handle_page_fault() for other types of faults, including alignment
+faults caused by unaligned atomics. This has the unfortunate property of
+causing those other faults to be reported as "KFENCE: use-after-free",
+which is misleading and hinders debugging.
+
+Fix this by only forwarding unhandled translation faults to the KFENCE
+code, similar to what x86 does already.
+
+Alexander has verified that this passes all the tests in the KFENCE test
+suite and avoids bogus reports on misaligned atomics.
+
+Link: https://lore.kernel.org/all/20221102081620.1465154-1-zhongbaisong@huawei.com/
+Fixes: 840b23986344 ("arm64, kfence: enable KFENCE for ARM64")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Alexander Potapenko <glider@google.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Marco Elver <elver@google.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20221114104411.2853040-1-mark.rutland@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/fault.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index c33f1fad2745..89628bd370d9 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -353,6 +353,11 @@ static bool is_el1_mte_sync_tag_check_fault(unsigned long esr)
+ return false;
+ }
+
++static bool is_translation_fault(unsigned long esr)
++{
++ return (esr & ESR_ELx_FSC_TYPE) == ESR_ELx_FSC_FAULT;
++}
++
+ static void __do_kernel_fault(unsigned long addr, unsigned long esr,
+ struct pt_regs *regs)
+ {
+@@ -385,7 +390,8 @@ static void __do_kernel_fault(unsigned long addr, unsigned long esr,
+ } else if (addr < PAGE_SIZE) {
+ msg = "NULL pointer dereference";
+ } else {
+- if (kfence_handle_page_fault(addr, esr & ESR_ELx_WNR, regs))
++ if (is_translation_fault(esr) &&
++ kfence_handle_page_fault(addr, esr & ESR_ELx_WNR, regs))
+ return;
+
+ msg = "paging request";
+--
+2.35.1
+
--- /dev/null
+From 644a53aa5b53e6db07ee94604c58251e4af6d862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 11:52:47 +0300
+Subject: ASoC: amd: yc: Add Xiaomi Redmi Book Pro 14 2022 into DMI table
+
+From: Artem Lukyanov <dukzcry@ya.ru>
+
+[ Upstream commit c1dd6bf6199752890d8c59d895dd45094da51d1f ]
+
+This model requires an additional detection quirk to enable the
+internal microphone - BIOS doesn't seem to support AcpDmicConnected
+(nothing in acpidump output).
+
+Signed-off-by: Artem Lukyanov <dukzcry@ya.ru>
+Link: https://lore.kernel.org/r/20221130085247.85126-1-dukzcry@ya.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index d9715bea965e..1f0b5527c594 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -213,6 +213,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m17 R5 AMD"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "TIMI"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Redmi Book Pro 14 2022"),
++ }
++ },
+ {}
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 86b65cae3b93800b4173e76e2d32249b202438aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 14:19:43 +0200
+Subject: ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+
+[ Upstream commit 953dbd1cef18ce9ac0d69c1bd735b929fe52a17e ]
+
+KBL-R RVP platforms also use combojack, so we need to enable that
+configuration for them.
+
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20221010121955.718168-4-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt298.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/codecs/rt298.c b/sound/soc/codecs/rt298.c
+index b0b53d4f07df..5f36064ed6e6 100644
+--- a/sound/soc/codecs/rt298.c
++++ b/sound/soc/codecs/rt298.c
+@@ -1166,6 +1166,13 @@ static const struct dmi_system_id force_combo_jack_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Geminilake")
+ }
+ },
++ {
++ .ident = "Intel Kabylake R RVP",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Kabylake Client platform")
++ }
++ },
+ { }
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 1033e939a080de912652b3798052e8608676417a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 16:18:29 -0800
+Subject: ASoC: codecs: wsa883x: use correct header file
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 5f52ceddc40cd61b1dd2ecf735624deaf05f779f ]
+
+Fix build errors when GPIOLIB is not set/enabled:
+
+../sound/soc/codecs/wsa883x.c: In function 'wsa883x_probe':
+../sound/soc/codecs/wsa883x.c:1394:25: error: implicit declaration of function 'devm_gpiod_get_optional'; did you mean 'devm_regulator_get_optional'? [-Werror=implicit-function-declaration]
+ wsa883x->sd_n = devm_gpiod_get_optional(&pdev->dev, "powerdown",
+../sound/soc/codecs/wsa883x.c:1395:49: error: 'GPIOD_FLAGS_BIT_NONEXCLUSIVE' undeclared (first use in this function)
+ GPIOD_FLAGS_BIT_NONEXCLUSIVE);
+../sound/soc/codecs/wsa883x.c:1414:9: error: implicit declaration of function 'gpiod_direction_output'; did you mean 'gpio_direction_output'? [-Werror=implicit-function-declaration]
+ gpiod_direction_output(wsa883x->sd_n, 1);
+
+Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Banajit Goswami <bgoswami@quicinc.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: alsa-devel@alsa-project.org
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20221108001829.5100-1-rdunlap@infradead.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wsa883x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wsa883x.c b/sound/soc/codecs/wsa883x.c
+index cb1d0a3e90e6..9dfa0ac08e6f 100644
+--- a/sound/soc/codecs/wsa883x.c
++++ b/sound/soc/codecs/wsa883x.c
+@@ -7,7 +7,7 @@
+ #include <linux/debugfs.h>
+ #include <linux/delay.h>
+ #include <linux/device.h>
+-#include <linux/gpio.h>
++#include <linux/gpio/consumer.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+--
+2.35.1
+
--- /dev/null
+From 8209a0bf968e21e4c7c8fa9e4f2f2bcd66527393 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 14:35:12 +0100
+Subject: ASoC: codecs: wsa883x: Use proper shutdown GPIO polarity
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit ec5dba73f7ba10797904cf18092d2e6975a22147 ]
+
+The shutdown GPIO is active low (SD_N), but this depends on actual board
+layout. Linux drivers should only care about logical state, where high
+(1) means shutdown and low (0) means do not shutdown.
+
+Invert the GPIO to match logical value.
+
+Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20221110133512.478831-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wsa883x.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/wsa883x.c b/sound/soc/codecs/wsa883x.c
+index 63e1d7aa6137..cb1d0a3e90e6 100644
+--- a/sound/soc/codecs/wsa883x.c
++++ b/sound/soc/codecs/wsa883x.c
+@@ -1393,7 +1393,7 @@ static int wsa883x_probe(struct sdw_slave *pdev,
+ }
+
+ wsa883x->sd_n = devm_gpiod_get_optional(&pdev->dev, "powerdown",
+- GPIOD_FLAGS_BIT_NONEXCLUSIVE);
++ GPIOD_FLAGS_BIT_NONEXCLUSIVE | GPIOD_OUT_HIGH);
+ if (IS_ERR(wsa883x->sd_n)) {
+ dev_err(&pdev->dev, "Shutdown Control GPIO not found\n");
+ ret = PTR_ERR(wsa883x->sd_n);
+@@ -1411,7 +1411,7 @@ static int wsa883x_probe(struct sdw_slave *pdev,
+ pdev->prop.sink_ports = GENMASK(WSA883X_MAX_SWR_PORTS, 0);
+ pdev->prop.sink_dpn_prop = wsa_sink_dpn_prop;
+ pdev->prop.scp_int1_mask = SDW_SCP_INT1_BUS_CLASH | SDW_SCP_INT1_PARITY;
+- gpiod_direction_output(wsa883x->sd_n, 1);
++ gpiod_direction_output(wsa883x->sd_n, 0);
+
+ wsa883x->regmap = devm_regmap_init_sdw(pdev, &wsa883x_regmap_config);
+ if (IS_ERR(wsa883x->regmap)) {
+--
+2.35.1
+
--- /dev/null
+From 5331eab3c206a29e75f222432c6ad897d1e82397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 18:00:14 -0400
+Subject: ASoC: dt-bindings: rt5682: Set sound-dai-cells to 1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit 07b16192f3f01d002d8ff37dcd4372980330ea93 ]
+
+Commit 0adccaf1eac9 ("ASoC: dt-bindings: rt5682: Add #sound-dai-cells")
+defined the sound-dai-cells property as 0. However, rt5682 has two DAIs,
+AIF1 and AIF2, and therefore should have sound-dai-cells set to 1. Fix
+it.
+
+Fixes: 0adccaf1eac9 ("ASoC: dt-bindings: rt5682: Add #sound-dai-cells")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221024220015.1759428-4-nfraprado@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/sound/rt5682.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/devicetree/bindings/sound/rt5682.txt b/Documentation/devicetree/bindings/sound/rt5682.txt
+index c5f2b8febcee..6b87db68337c 100644
+--- a/Documentation/devicetree/bindings/sound/rt5682.txt
++++ b/Documentation/devicetree/bindings/sound/rt5682.txt
+@@ -46,7 +46,7 @@ Optional properties:
+
+ - realtek,dmic-clk-driving-high : Set the high driving of the DMIC clock out.
+
+-- #sound-dai-cells: Should be set to '<0>'.
++- #sound-dai-cells: Should be set to '<1>'.
+
+ Pins on the device (for linking into audio routes) for RT5682:
+
+--
+2.35.1
+
--- /dev/null
+From b20e33df5faf3606de6ffc435401eafc82d55011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 00:46:48 -0700
+Subject: ASoC: dt-bindings: wcd9335: fix reset line polarity in example
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 34cb111f8a7b98b5fec809dd194003bca20ef1b2 ]
+
+When resetting the block, the reset line is being driven low and then
+high, which means that the line in DTS should be annotated as "active
+low".
+
+Fixes: 1877c9fda1b7 ("ASoC: dt-bindings: add dt bindings for wcd9335 audio codec")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20221027074652.1044235-2-dmitry.torokhov@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/sound/qcom,wcd9335.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt b/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt
+index 5d6ea66a863f..1f75feec3dec 100644
+--- a/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt
++++ b/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt
+@@ -109,7 +109,7 @@ audio-codec@1{
+ reg = <1 0>;
+ interrupts = <&msmgpio 54 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "intr2"
+- reset-gpios = <&msmgpio 64 0>;
++ reset-gpios = <&msmgpio 64 GPIO_ACTIVE_LOW>;
+ slim-ifc-dev = <&wc9335_ifd>;
+ clock-names = "mclk", "native";
+ clocks = <&rpmcc RPM_SMD_DIV_CLK1>,
+--
+2.35.1
+
--- /dev/null
+From b4469f5a2a8370a378c30030979d1ccd18f6c69a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 14:19:44 +0200
+Subject: ASoC: Intel: avs: Add quirk for KBL-R RVP platform
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+
+[ Upstream commit 9d0737fa0e7530313634c0ecd75f09a95ba8d44a ]
+
+KBL-R RVPs contain built-in rt298 codec which requires different PLL
+clock and .dai_fmt configuration than seen on other boards.
+
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20221010121955.718168-5-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/boards/rt298.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/avs/boards/rt298.c b/sound/soc/intel/avs/boards/rt298.c
+index b28d36872dcb..58c9d9edecf0 100644
+--- a/sound/soc/intel/avs/boards/rt298.c
++++ b/sound/soc/intel/avs/boards/rt298.c
+@@ -6,6 +6,7 @@
+ // Amadeusz Slawinski <amadeuszx.slawinski@linux.intel.com>
+ //
+
++#include <linux/dmi.h>
+ #include <linux/module.h>
+ #include <sound/jack.h>
+ #include <sound/pcm.h>
+@@ -14,6 +15,16 @@
+ #include <sound/soc-acpi.h>
+ #include "../../../codecs/rt298.h"
+
++static const struct dmi_system_id kblr_dmi_table[] = {
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
++ DMI_MATCH(DMI_BOARD_NAME, "Kabylake R DDR4 RVP"),
++ },
++ },
++ {}
++};
++
+ static const struct snd_kcontrol_new card_controls[] = {
+ SOC_DAPM_PIN_SWITCH("Headphone Jack"),
+ SOC_DAPM_PIN_SWITCH("Mic Jack"),
+@@ -96,9 +107,15 @@ avs_rt298_hw_params(struct snd_pcm_substream *substream, struct snd_pcm_hw_param
+ {
+ struct snd_soc_pcm_runtime *rtd = substream->private_data;
+ struct snd_soc_dai *codec_dai = asoc_rtd_to_codec(rtd, 0);
++ unsigned int clk_freq;
+ int ret;
+
+- ret = snd_soc_dai_set_sysclk(codec_dai, RT298_SCLK_S_PLL, 19200000, SND_SOC_CLOCK_IN);
++ if (dmi_first_match(kblr_dmi_table))
++ clk_freq = 24000000;
++ else
++ clk_freq = 19200000;
++
++ ret = snd_soc_dai_set_sysclk(codec_dai, RT298_SCLK_S_PLL, clk_freq, SND_SOC_CLOCK_IN);
+ if (ret < 0)
+ dev_err(rtd->dev, "Set codec sysclk failed: %d\n", ret);
+
+@@ -139,7 +156,10 @@ static int avs_create_dai_link(struct device *dev, const char *platform_name, in
+ dl->platforms = platform;
+ dl->num_platforms = 1;
+ dl->id = 0;
+- dl->dai_fmt = SND_SOC_DAIFMT_DSP_A | SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_CBS_CFS;
++ if (dmi_first_match(kblr_dmi_table))
++ dl->dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_CBS_CFS;
++ else
++ dl->dai_fmt = SND_SOC_DAIFMT_DSP_A | SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_CBS_CFS;
+ dl->init = avs_rt298_codec_init;
+ dl->be_hw_params_fixup = avs_rt298_be_fixup;
+ dl->ops = &avs_rt298_ops;
+--
+2.35.1
+
--- /dev/null
+From cd31722abe437f029a446aca26e9dc4dd6462464 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 14:19:41 +0200
+Subject: ASoC: Intel: avs: Fix DMA mask assignment
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 83375566a7a7042cb34b24986d100f46bfa0c1e5 ]
+
+Spelling error leads to incorrect behavior when setting up DMA mask.
+
+Fixes: a5bbbde2b81e ("ASoC: Intel: avs: Use helper function to set up DMA")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20221010121955.718168-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/avs/core.c b/sound/soc/intel/avs/core.c
+index c50c20fd681a..58db13374166 100644
+--- a/sound/soc/intel/avs/core.c
++++ b/sound/soc/intel/avs/core.c
+@@ -440,7 +440,7 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ if (bus->mlcap)
+ snd_hdac_ext_bus_get_ml_capabilities(bus);
+
+- if (!dma_set_mask_and_coherent(dev, DMA_BIT_MASK(64)))
++ if (dma_set_mask_and_coherent(dev, DMA_BIT_MASK(64)))
+ dma_set_mask_and_coherent(dev, DMA_BIT_MASK(32));
+ dma_set_max_seg_size(dev, UINT_MAX);
+
+--
+2.35.1
+
--- /dev/null
+From 62639ddf544a8da6d14283bc5a6a7b8a352687ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 14:19:42 +0200
+Subject: ASoC: Intel: avs: Fix potential RX buffer overflow
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 23ae34e033b2c0e5e88237af82b163b296fd6aa9 ]
+
+If an event caused firmware to return invalid RX size for
+LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes.
+Fix by utilizing min_t().
+
+Reported-by: CoolStar <coolstarorganization@gmail.com>
+Fixes: f14a1c5a9f83 ("ASoC: Intel: avs: Add module management requests")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20221010121955.718168-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/ipc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c
+index 020d85c7520d..77da206f7dbb 100644
+--- a/sound/soc/intel/avs/ipc.c
++++ b/sound/soc/intel/avs/ipc.c
+@@ -192,7 +192,8 @@ static void avs_dsp_receive_rx(struct avs_dev *adev, u64 header)
+ /* update size in case of LARGE_CONFIG_GET */
+ if (msg.msg_target == AVS_MOD_MSG &&
+ msg.global_msg_type == AVS_MOD_LARGE_CONFIG_GET)
+- ipc->rx.size = msg.ext.large_config.data_off_size;
++ ipc->rx.size = min_t(u32, AVS_MAILBOX_SIZE,
++ msg.ext.large_config.data_off_size);
+
+ memcpy_fromio(ipc->rx.data, avs_uplink_addr(adev), ipc->rx.size);
+ trace_avs_msg_payload(ipc->rx.data, ipc->rx.size);
+--
+2.35.1
+
--- /dev/null
+From 692e422f8f231cdf4debed8f2e83e6301a2299bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 12:55:49 +0100
+Subject: ASoC: Intel: avs: Lock substream before snd_pcm_stop()
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit c30c8f9d51ec24b36e2c65a6307a5c8cbc5a0ebc ]
+
+snd_pcm_stop() shall be called with stream lock held to prevent any
+races between nonatomic streaming operations.
+
+Fixes: 2f1f570cd730 ("ASoC: Intel: avs: Coredump and recovery flow")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20221116115550.1100398-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/ipc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c
+index 77da206f7dbb..306f0dc4eaf5 100644
+--- a/sound/soc/intel/avs/ipc.c
++++ b/sound/soc/intel/avs/ipc.c
+@@ -123,7 +123,10 @@ static void avs_dsp_recovery(struct avs_dev *adev)
+ if (!substream || !substream->runtime)
+ continue;
+
++ /* No need for _irq() as we are in nonatomic context. */
++ snd_pcm_stream_lock(substream);
+ snd_pcm_stop(substream, SNDRV_PCM_STATE_DISCONNECTED);
++ snd_pcm_stream_unlock(substream);
+ }
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From d77ed2feac97d4d2e49c79ae689c811fec0cb939 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 11:49:16 +0100
+Subject: ASoC: mediatek: mt8173: Enable IRQ when pdata is ready
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 4cbb264d4e9136acab2c8fd39e39ab1b1402b84b ]
+
+If the device does not come straight from reset, we might receive an IRQ
+before we are ready to handle it.
+
+Fixes:
+
+[ 2.334737] Unable to handle kernel read from unreadable memory at virtual address 00000000000001e4
+[ 2.522601] Call trace:
+[ 2.525040] regmap_read+0x1c/0x80
+[ 2.528434] mt8173_afe_irq_handler+0x40/0xf0
+...
+[ 2.598921] start_kernel+0x338/0x42c
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Fixes: ee0bcaff109f ("ASoC: mediatek: Add AFE platform driver")
+Link: https://lore.kernel.org/r/20221128-mt8173-afe-v1-0-70728221628f@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+index dcaeeeb8aac7..bc155dd937e0 100644
+--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
++++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+@@ -1070,16 +1070,6 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
+
+ afe->dev = &pdev->dev;
+
+- irq_id = platform_get_irq(pdev, 0);
+- if (irq_id <= 0)
+- return irq_id < 0 ? irq_id : -ENXIO;
+- ret = devm_request_irq(afe->dev, irq_id, mt8173_afe_irq_handler,
+- 0, "Afe_ISR_Handle", (void *)afe);
+- if (ret) {
+- dev_err(afe->dev, "could not request_irq\n");
+- return ret;
+- }
+-
+ afe->base_addr = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(afe->base_addr))
+ return PTR_ERR(afe->base_addr);
+@@ -1185,6 +1175,16 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
+ if (ret)
+ goto err_cleanup_components;
+
++ irq_id = platform_get_irq(pdev, 0);
++ if (irq_id <= 0)
++ return irq_id < 0 ? irq_id : -ENXIO;
++ ret = devm_request_irq(afe->dev, irq_id, mt8173_afe_irq_handler,
++ 0, "Afe_ISR_Handle", (void *)afe);
++ if (ret) {
++ dev_err(afe->dev, "could not request_irq\n");
++ goto err_pm_disable;
++ }
++
+ dev_info(&pdev->dev, "MT8173 AFE driver initialized.\n");
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From b0cf6af0c1c97aad720c51386dd15e2852a3444c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 11:07:50 +0800
+Subject: ASoC: mediatek: mtk-btcvsd: Add checks for write and read of
+ mtk_btcvsd_snd
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit d067b3378a78c9c3048ac535e31c171b6f5b5846 ]
+
+As the mtk_btcvsd_snd_write and mtk_btcvsd_snd_read may return error,
+it should be better to catch the exception.
+
+Fixes: 4bd8597dc36c ("ASoC: mediatek: add btcvsd driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20221116030750.40500-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/common/mtk-btcvsd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/mediatek/common/mtk-btcvsd.c b/sound/soc/mediatek/common/mtk-btcvsd.c
+index d884bb7c0fc7..1c28b41e4311 100644
+--- a/sound/soc/mediatek/common/mtk-btcvsd.c
++++ b/sound/soc/mediatek/common/mtk-btcvsd.c
+@@ -1038,11 +1038,9 @@ static int mtk_pcm_btcvsd_copy(struct snd_soc_component *component,
+ struct mtk_btcvsd_snd *bt = snd_soc_component_get_drvdata(component);
+
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+- mtk_btcvsd_snd_write(bt, buf, count);
++ return mtk_btcvsd_snd_write(bt, buf, count);
+ else
+- mtk_btcvsd_snd_read(bt, buf, count);
+-
+- return 0;
++ return mtk_btcvsd_snd_read(bt, buf, count);
+ }
+
+ /* kcontrol */
+--
+2.35.1
+
--- /dev/null
+From 0725cf9007787a9da0ee9c0153f7201b23ebc38a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:04:02 +0800
+Subject: ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 97b801be6f8e53676b9f2b105f54e35c745c1b22 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by going to
+err_pm instead of err_clk.
+
+Fixes:f086ba9d5389c ("ASoC: pcm512x: Support mastering BCLK/LRCLK using the PLL")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220928160402.126140-1-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/pcm512x.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c
+index 767463e82665..89059a673cf0 100644
+--- a/sound/soc/codecs/pcm512x.c
++++ b/sound/soc/codecs/pcm512x.c
+@@ -1634,7 +1634,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
+ if (val > 6) {
+ dev_err(dev, "Invalid pll-in\n");
+ ret = -EINVAL;
+- goto err_clk;
++ goto err_pm;
+ }
+ pcm512x->pll_in = val;
+ }
+@@ -1643,7 +1643,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
+ if (val > 6) {
+ dev_err(dev, "Invalid pll-out\n");
+ ret = -EINVAL;
+- goto err_clk;
++ goto err_pm;
+ }
+ pcm512x->pll_out = val;
+ }
+@@ -1652,12 +1652,12 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
+ dev_err(dev,
+ "Error: both pll-in and pll-out, or none\n");
+ ret = -EINVAL;
+- goto err_clk;
++ goto err_pm;
+ }
+ if (pcm512x->pll_in && pcm512x->pll_in == pcm512x->pll_out) {
+ dev_err(dev, "Error: pll-in == pll-out\n");
+ ret = -EINVAL;
+- goto err_clk;
++ goto err_pm;
+ }
+ }
+ #endif
+--
+2.35.1
+
--- /dev/null
+From 48d557f3fd866ea6e19b5d033796be12601dd61a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 16:56:29 +0800
+Subject: ASoC: pxa: fix null-pointer dereference in filter()
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 ]
+
+kasprintf() would return NULL pointer when kmalloc() fail to allocate.
+Need to check the return pointer before calling strcmp().
+
+Fixes: 7a824e214e25 ("ASoC: mmp: add audio dma support")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Link: https://lore.kernel.org/r/20221114085629.1910435-1-zengheng4@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/pxa/mmp-pcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/pxa/mmp-pcm.c b/sound/soc/pxa/mmp-pcm.c
+index 5d520e18e512..99b245e3079a 100644
+--- a/sound/soc/pxa/mmp-pcm.c
++++ b/sound/soc/pxa/mmp-pcm.c
+@@ -98,7 +98,7 @@ static bool filter(struct dma_chan *chan, void *param)
+
+ devname = kasprintf(GFP_KERNEL, "%s.%d", dma_data->dma_res->name,
+ dma_data->ssp_id);
+- if ((strcmp(dev_name(chan->device->dev), devname) == 0) &&
++ if (devname && (strcmp(dev_name(chan->device->dev), devname) == 0) &&
+ (chan->chan_id == dma_data->dma_res->start)) {
+ found = true;
+ }
+--
+2.35.1
+
--- /dev/null
+From 19ca3ae12acde279dd43b7075c8390318b5a1ee8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 14:05:10 +0000
+Subject: ASoC: qcom: Add checks for devm_kcalloc
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 1bf5ee979076ceb121ee51c95197d890b1cee7f4 ]
+
+As the devm_kcalloc may return NULL, the return value needs to be checked
+to avoid NULL poineter dereference.
+
+Fixes: 24caf8d9eb10 ("ASoC: qcom: lpass-sc7180: Add platform driver for lpass audio")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221124140510.63468-1-yuancan@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/lpass-sc7180.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/qcom/lpass-sc7180.c b/sound/soc/qcom/lpass-sc7180.c
+index 77a556b27cf0..24a1c121cb2e 100644
+--- a/sound/soc/qcom/lpass-sc7180.c
++++ b/sound/soc/qcom/lpass-sc7180.c
+@@ -131,6 +131,9 @@ static int sc7180_lpass_init(struct platform_device *pdev)
+
+ drvdata->clks = devm_kcalloc(dev, variant->num_clks,
+ sizeof(*drvdata->clks), GFP_KERNEL);
++ if (!drvdata->clks)
++ return -ENOMEM;
++
+ drvdata->num_clks = variant->num_clks;
+
+ for (i = 0; i < drvdata->num_clks; i++)
+--
+2.35.1
+
--- /dev/null
+From 4d4c01c86697b73baa9e77275355385ef0bb3aa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 20:53:06 +0000
+Subject: ata: libata: fix NCQ autosense logic
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit 7390896b3484d44cbdb8bc4859964314ac66d3c9 ]
+
+Currently, the logic if we should call ata_scsi_set_sense()
+(and set flag ATA_QCFLAG_SENSE_VALID to indicate that we have
+successfully added sense data to the struct ata_queued_cmd)
+looks like this:
+
+if (dev->class == ATA_DEV_ZAC &&
+ ((qc->result_tf.status & ATA_SENSE) || qc->result_tf.auxiliary))
+
+The problem with this is that a drive can support the NCQ command
+error log without supporting NCQ autosense.
+
+On such a drive, if the failing command has sense data, the status
+field in the NCQ command error log will have the ATA_SENSE bit set.
+
+It is just that this sense data is not included in the NCQ command
+error log when NCQ autosense is not supported. Instead the sense
+data has to be fetched using the REQUEST SENSE DATA EXT command.
+
+Therefore, we should only add the sense data if the drive supports
+NCQ autosense AND the ATA_SENSE bit is set in the status field.
+
+Fix this, and at the same time, remove the duplicated ATA_DEV_ZAC
+check. The struct ata_taskfile supplied to ata_eh_read_log_10h()
+is memset:ed before calling the function, so simply checking if
+qc->result_tf.auxiliary is set is sufficient to tell us that the
+log actually contained sense data.
+
+Fixes: d238ffd59d3c ("libata: do not attempt to retrieve sense code twice")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-sata.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c
+index 13b9d0fdd42c..8e292e2abb04 100644
+--- a/drivers/ata/libata-sata.c
++++ b/drivers/ata/libata-sata.c
+@@ -1392,7 +1392,8 @@ static int ata_eh_read_log_10h(struct ata_device *dev,
+ tf->hob_lbah = buf[10];
+ tf->nsect = buf[12];
+ tf->hob_nsect = buf[13];
+- if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id))
++ if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id) &&
++ (tf->status & ATA_SENSE))
+ tf->auxiliary = buf[14] << 16 | buf[15] << 8 | buf[16];
+
+ return 0;
+@@ -1456,8 +1457,12 @@ void ata_eh_analyze_ncq_error(struct ata_link *link)
+ memcpy(&qc->result_tf, &tf, sizeof(tf));
+ qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48;
+ qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ;
+- if (dev->class == ATA_DEV_ZAC &&
+- ((qc->result_tf.status & ATA_SENSE) || qc->result_tf.auxiliary)) {
++
++ /*
++ * If the device supports NCQ autosense, ata_eh_read_log_10h() will have
++ * stored the sense data in qc->result_tf.auxiliary.
++ */
++ if (qc->result_tf.auxiliary) {
+ char sense_key, asc, ascq;
+
+ sense_key = (qc->result_tf.auxiliary >> 16) & 0xff;
+--
+2.35.1
+
--- /dev/null
+From 2b5f8bf239185327866673a881112d89d2df68c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 10:10:29 -0800
+Subject: bfq: fix waker_bfqq inconsistency crash
+
+From: Khazhismel Kumykov <khazhy@chromium.org>
+
+[ Upstream commit a1795c2ccb1e4c49220d2a0d381540024d71647c ]
+
+This fixes crashes in bfq_add_bfqq_busy due to waker_bfqq being NULL,
+but woken_list_node still being hashed. This would happen when
+bfq_init_rq() expects a brand new allocated queue to be returned from
+bfq_get_bfqq_handle_split() and unconditionally updates waker_bfqq
+without resetting woken_list_node. Since we can always return oom_bfqq
+when attempting to allocate, we cannot assume waker_bfqq starts as NULL.
+
+Avoid setting woken_bfqq for oom_bfqq entirely, as it's not useful.
+
+Crashes would have a stacktrace like:
+[160595.656560] bfq_add_bfqq_busy+0x110/0x1ec
+[160595.661142] bfq_add_request+0x6bc/0x980
+[160595.666602] bfq_insert_request+0x8ec/0x1240
+[160595.671762] bfq_insert_requests+0x58/0x9c
+[160595.676420] blk_mq_sched_insert_request+0x11c/0x198
+[160595.682107] blk_mq_submit_bio+0x270/0x62c
+[160595.686759] __submit_bio_noacct_mq+0xec/0x178
+[160595.691926] submit_bio+0x120/0x184
+[160595.695990] ext4_mpage_readpages+0x77c/0x7c8
+[160595.701026] ext4_readpage+0x60/0xb0
+[160595.705158] filemap_read_page+0x54/0x114
+[160595.711961] filemap_fault+0x228/0x5f4
+[160595.716272] do_read_fault+0xe0/0x1f0
+[160595.720487] do_fault+0x40/0x1c8
+
+Tested by injecting random failures into bfq_get_queue, crashes go away
+completely.
+
+Fixes: 8ef3fc3a043c ("block, bfq: make shared queues inherit wakers")
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20221108181030.1611703-1-khazhy@google.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index c740b41fe0a4..68872a61706a 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6786,6 +6786,12 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ bfqq = bfq_get_bfqq_handle_split(bfqd, bic, bio,
+ true, is_sync,
+ NULL);
++ if (unlikely(bfqq == &bfqd->oom_bfqq))
++ bfqq_already_existing = true;
++ } else
++ bfqq_already_existing = true;
++
++ if (!bfqq_already_existing) {
+ bfqq->waker_bfqq = old_bfqq->waker_bfqq;
+ bfqq->tentative_waker_bfqq = NULL;
+
+@@ -6799,8 +6805,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ if (bfqq->waker_bfqq)
+ hlist_add_head(&bfqq->woken_list_node,
+ &bfqq->waker_bfqq->woken_list);
+- } else
+- bfqq_already_existing = true;
++ }
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 0c8c24eb7d113ef7d3b19abe13cff4789aca8241 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 10:51:23 +0800
+Subject: binfmt_misc: fix shift-out-of-bounds in check_special_flags
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 6a46bf558803dd2b959ca7435a5c143efe837217 ]
+
+UBSAN reported a shift-out-of-bounds warning:
+
+ left shift of 1 by 31 places cannot be represented in type 'int'
+ Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
+ ubsan_epilogue+0xa/0x44 lib/ubsan.c:151
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322
+ check_special_flags fs/binfmt_misc.c:241 [inline]
+ create_entry fs/binfmt_misc.c:456 [inline]
+ bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654
+ vfs_write+0x11e/0x580 fs/read_write.c:582
+ ksys_write+0xcf/0x120 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0033:0x4194e1
+
+Since the type of Node's flags is unsigned long, we should define these
+macros with same type too.
+
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221102025123.1117184-1-liushixin2@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_misc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
+index e1eae7ea823a..bb202ad369d5 100644
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -44,10 +44,10 @@ static LIST_HEAD(entries);
+ static int enabled = 1;
+
+ enum {Enabled, Magic};
+-#define MISC_FMT_PRESERVE_ARGV0 (1 << 31)
+-#define MISC_FMT_OPEN_BINARY (1 << 30)
+-#define MISC_FMT_CREDENTIALS (1 << 29)
+-#define MISC_FMT_OPEN_FILE (1 << 28)
++#define MISC_FMT_PRESERVE_ARGV0 (1UL << 31)
++#define MISC_FMT_OPEN_BINARY (1UL << 30)
++#define MISC_FMT_CREDENTIALS (1UL << 29)
++#define MISC_FMT_OPEN_FILE (1UL << 28)
+
+ typedef struct {
+ struct list_head list;
+--
+2.35.1
+
--- /dev/null
+From 4b2c661b8e504a4e7f15f4c76d71787aed506cf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 05:26:33 +0100
+Subject: blk-crypto: pass a gendisk to blk_crypto_sysfs_{,un}register
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 450deb93df7d457cdd93594a1987f9650c749b96 ]
+
+Prepare for changes to the block layer sysfs handling by passing the
+readily available gendisk to blk_crypto_sysfs_{,un}register.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Link: https://lore.kernel.org/r/20221114042637.1009333-2-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: d36a9ea5e776 ("block: fix use-after-free of q->q_usage_counter")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-crypto-internal.h | 10 ++++++----
+ block/blk-crypto-sysfs.c | 7 ++++---
+ block/blk-sysfs.c | 4 ++--
+ 3 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/block/blk-crypto-internal.h b/block/blk-crypto-internal.h
+index e6818ffaddbf..b8a00847171f 100644
+--- a/block/blk-crypto-internal.h
++++ b/block/blk-crypto-internal.h
+@@ -21,9 +21,9 @@ extern const struct blk_crypto_mode blk_crypto_modes[];
+
+ #ifdef CONFIG_BLK_INLINE_ENCRYPTION
+
+-int blk_crypto_sysfs_register(struct request_queue *q);
++int blk_crypto_sysfs_register(struct gendisk *disk);
+
+-void blk_crypto_sysfs_unregister(struct request_queue *q);
++void blk_crypto_sysfs_unregister(struct gendisk *disk);
+
+ void bio_crypt_dun_increment(u64 dun[BLK_CRYPTO_DUN_ARRAY_SIZE],
+ unsigned int inc);
+@@ -67,12 +67,14 @@ static inline bool blk_crypto_rq_is_encrypted(struct request *rq)
+
+ #else /* CONFIG_BLK_INLINE_ENCRYPTION */
+
+-static inline int blk_crypto_sysfs_register(struct request_queue *q)
++static inline int blk_crypto_sysfs_register(struct gendisk *disk)
+ {
+ return 0;
+ }
+
+-static inline void blk_crypto_sysfs_unregister(struct request_queue *q) { }
++static inline void blk_crypto_sysfs_unregister(struct gendisk *disk)
++{
++}
+
+ static inline bool bio_crypt_rq_ctx_compatible(struct request *rq,
+ struct bio *bio)
+diff --git a/block/blk-crypto-sysfs.c b/block/blk-crypto-sysfs.c
+index fd93bd2f33b7..e05f145cd797 100644
+--- a/block/blk-crypto-sysfs.c
++++ b/block/blk-crypto-sysfs.c
+@@ -126,8 +126,9 @@ static struct kobj_type blk_crypto_ktype = {
+ * If the request_queue has a blk_crypto_profile, create the "crypto"
+ * subdirectory in sysfs (/sys/block/$disk/queue/crypto/).
+ */
+-int blk_crypto_sysfs_register(struct request_queue *q)
++int blk_crypto_sysfs_register(struct gendisk *disk)
+ {
++ struct request_queue *q = disk->queue;
+ struct blk_crypto_kobj *obj;
+ int err;
+
+@@ -149,9 +150,9 @@ int blk_crypto_sysfs_register(struct request_queue *q)
+ return 0;
+ }
+
+-void blk_crypto_sysfs_unregister(struct request_queue *q)
++void blk_crypto_sysfs_unregister(struct gendisk *disk)
+ {
+- kobject_put(q->crypto_kobject);
++ kobject_put(disk->queue->crypto_kobject);
+ }
+
+ static int __init blk_crypto_sysfs_init(void)
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index 8822b4b6bed2..c8a1119c3950 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -833,7 +833,7 @@ int blk_register_queue(struct gendisk *disk)
+ goto put_dev;
+ }
+
+- ret = blk_crypto_sysfs_register(q);
++ ret = blk_crypto_sysfs_register(disk);
+ if (ret)
+ goto put_dev;
+
+@@ -910,7 +910,7 @@ void blk_unregister_queue(struct gendisk *disk)
+ */
+ if (queue_is_mq(q))
+ blk_mq_sysfs_unregister(disk);
+- blk_crypto_sysfs_unregister(q);
++ blk_crypto_sysfs_unregister(disk);
+
+ mutex_lock(&q->sysfs_lock);
+ elv_unregister_queue(q);
+--
+2.35.1
+
--- /dev/null
+From 424aa521e25e77c9e3d3660dce0be8707352a5c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 20:04:53 +0200
+Subject: blk-iocost: simplify ioc_name
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 9df3e65139b923dfe98f76b7057882c7afb2d3e4 ]
+
+Just directly dereference the disk name instead of going through multiple
+hoops to find the same value.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Andreas Herrmann <aherrmann@suse.de>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20220921180501.1539876-10-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: d36a9ea5e776 ("block: fix use-after-free of q->q_usage_counter")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iocost.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/block/blk-iocost.c b/block/blk-iocost.c
+index 7936e5f5821c..cba9d3ad58e1 100644
+--- a/block/blk-iocost.c
++++ b/block/blk-iocost.c
+@@ -664,17 +664,13 @@ static struct ioc *q_to_ioc(struct request_queue *q)
+ return rqos_to_ioc(rq_qos_id(q, RQ_QOS_COST));
+ }
+
+-static const char *q_name(struct request_queue *q)
+-{
+- if (blk_queue_registered(q))
+- return kobject_name(q->kobj.parent);
+- else
+- return "<unknown>";
+-}
+-
+ static const char __maybe_unused *ioc_name(struct ioc *ioc)
+ {
+- return q_name(ioc->rqos.q);
++ struct gendisk *disk = ioc->rqos.q->disk;
++
++ if (!disk)
++ return "<unknown>";
++ return disk->disk_name;
+ }
+
+ static struct ioc_gq *pd_to_iocg(struct blkg_policy_data *pd)
+--
+2.35.1
+
--- /dev/null
+From dbe0e68e1a1a2d634dd3b7a4564f2a7098079960 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 13:19:57 +0800
+Subject: blk-mq: avoid double ->queue_rq() because of early timeout
+
+From: David Jeffery <djeffery@redhat.com>
+
+[ Upstream commit 82c229476b8f6afd7e09bc4dc77d89dc19ff7688 ]
+
+David Jeffery found one double ->queue_rq() issue, so far it can
+be triggered in VM use case because of long vmexit latency or preempt
+latency of vCPU pthread or long page fault in vCPU pthread, then block
+IO req could be timed out before queuing the request to hardware but after
+calling blk_mq_start_request() during ->queue_rq(), then timeout handler
+may handle it by requeue, then double ->queue_rq() is caused, and kernel
+panic.
+
+So far, it is driver's responsibility to cover the race between timeout
+and completion, so it seems supposed to be solved in driver in theory,
+given driver has enough knowledge.
+
+But it is really one common problem, lots of driver could have similar
+issue, and could be hard to fix all affected drivers, even it isn't easy
+for driver to handle the race. So David suggests this patch by draining
+in-progress ->queue_rq() for solving this issue.
+
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Keith Busch <kbusch@kernel.org>
+Cc: virtualization@lists.linux-foundation.org
+Cc: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: David Jeffery <djeffery@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20221026051957.358818-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 56 +++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 44 insertions(+), 12 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 88975170cc32..05e33c51702d 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1442,7 +1442,13 @@ static void blk_mq_rq_timed_out(struct request *req)
+ blk_add_timer(req);
+ }
+
+-static bool blk_mq_req_expired(struct request *rq, unsigned long *next)
++struct blk_expired_data {
++ bool has_timedout_rq;
++ unsigned long next;
++ unsigned long timeout_start;
++};
++
++static bool blk_mq_req_expired(struct request *rq, struct blk_expired_data *expired)
+ {
+ unsigned long deadline;
+
+@@ -1452,13 +1458,13 @@ static bool blk_mq_req_expired(struct request *rq, unsigned long *next)
+ return false;
+
+ deadline = READ_ONCE(rq->deadline);
+- if (time_after_eq(jiffies, deadline))
++ if (time_after_eq(expired->timeout_start, deadline))
+ return true;
+
+- if (*next == 0)
+- *next = deadline;
+- else if (time_after(*next, deadline))
+- *next = deadline;
++ if (expired->next == 0)
++ expired->next = deadline;
++ else if (time_after(expired->next, deadline))
++ expired->next = deadline;
+ return false;
+ }
+
+@@ -1472,7 +1478,7 @@ void blk_mq_put_rq_ref(struct request *rq)
+
+ static bool blk_mq_check_expired(struct request *rq, void *priv)
+ {
+- unsigned long *next = priv;
++ struct blk_expired_data *expired = priv;
+
+ /*
+ * blk_mq_queue_tag_busy_iter() has locked the request, so it cannot
+@@ -1481,7 +1487,18 @@ static bool blk_mq_check_expired(struct request *rq, void *priv)
+ * it was completed and reallocated as a new request after returning
+ * from blk_mq_check_expired().
+ */
+- if (blk_mq_req_expired(rq, next))
++ if (blk_mq_req_expired(rq, expired)) {
++ expired->has_timedout_rq = true;
++ return false;
++ }
++ return true;
++}
++
++static bool blk_mq_handle_expired(struct request *rq, void *priv)
++{
++ struct blk_expired_data *expired = priv;
++
++ if (blk_mq_req_expired(rq, expired))
+ blk_mq_rq_timed_out(rq);
+ return true;
+ }
+@@ -1490,7 +1507,9 @@ static void blk_mq_timeout_work(struct work_struct *work)
+ {
+ struct request_queue *q =
+ container_of(work, struct request_queue, timeout_work);
+- unsigned long next = 0;
++ struct blk_expired_data expired = {
++ .timeout_start = jiffies,
++ };
+ struct blk_mq_hw_ctx *hctx;
+ unsigned long i;
+
+@@ -1510,10 +1529,23 @@ static void blk_mq_timeout_work(struct work_struct *work)
+ if (!percpu_ref_tryget(&q->q_usage_counter))
+ return;
+
+- blk_mq_queue_tag_busy_iter(q, blk_mq_check_expired, &next);
++ /* check if there is any timed-out request */
++ blk_mq_queue_tag_busy_iter(q, blk_mq_check_expired, &expired);
++ if (expired.has_timedout_rq) {
++ /*
++ * Before walking tags, we must ensure any submit started
++ * before the current time has finished. Since the submit
++ * uses srcu or rcu, wait for a synchronization point to
++ * ensure all running submits have finished
++ */
++ blk_mq_wait_quiesce_done(q);
++
++ expired.next = 0;
++ blk_mq_queue_tag_busy_iter(q, blk_mq_handle_expired, &expired);
++ }
+
+- if (next != 0) {
+- mod_timer(&q->timeout, next);
++ if (expired.next != 0) {
++ mod_timer(&q->timeout, expired.next);
+ } else {
+ /*
+ * Request timeouts are handled as a forward rolling timer. If
+--
+2.35.1
+
--- /dev/null
+From e06fd7d2df30982c63a4e9044ca71aa0b9b1d829 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 10:29:40 +0800
+Subject: blk-mq: fix possible memleak when register 'hctx' failed
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit 4b7a21c57b14fbcd0e1729150189e5933f5088e9 ]
+
+There's issue as follows when do fault injection test:
+unreferenced object 0xffff888132a9f400 (size 512):
+ comm "insmod", pid 308021, jiffies 4324277909 (age 509.733s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2....
+ 08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............
+ backtrace:
+ [<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0
+ [<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0
+ [<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230
+ [<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910
+ [<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0
+ [<00000000a2a34657>] 0xffffffffa2ad310f
+ [<00000000b173f718>] 0xffffffffa2af824a
+ [<0000000095a1dabb>] do_one_initcall+0x87/0x2a0
+ [<00000000f32fdf93>] do_init_module+0xdf/0x320
+ [<00000000cbe8541e>] load_module+0x3006/0x3390
+ [<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000a1a29ae8>] do_syscall_64+0x35/0x80
+ [<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Fault injection context as follows:
+ kobject_add
+ blk_mq_register_hctx
+ blk_mq_sysfs_register
+ blk_register_queue
+ device_add_disk
+ null_add_dev.part.0 [null_blk]
+
+As 'blk_mq_register_hctx' may already add some objects when failed halfway,
+but there isn't do fallback, caller don't know which objects add failed.
+To solve above issue just do fallback when add objects failed halfway in
+'blk_mq_register_hctx'.
+
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20221117022940.873959-1-yebin@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq-sysfs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
+index 93997d297d42..4515288fbe35 100644
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -185,7 +185,7 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
+ {
+ struct request_queue *q = hctx->queue;
+ struct blk_mq_ctx *ctx;
+- int i, ret;
++ int i, j, ret;
+
+ if (!hctx->nr_ctx)
+ return 0;
+@@ -197,9 +197,16 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
+ hctx_for_each_ctx(hctx, ctx, i) {
+ ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu);
+ if (ret)
+- break;
++ goto out;
+ }
+
++ return 0;
++out:
++ hctx_for_each_ctx(hctx, ctx, j) {
++ if (j < i)
++ kobject_del(&ctx->kobj);
++ }
++ kobject_del(&hctx->kobj);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b026ab41394c0bc83c5614f5aed463e0a27b1ea5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 16:00:47 +0100
+Subject: blk-mq: move the srcu_struct used for quiescing to the tagset
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 80bd4a7aab4c9ce59bf5e35fdf52aa23d8a3c9f5 ]
+
+All I/O submissions have fairly similar latencies, and a tagset-wide
+quiesce is a fairly common operation.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Chao Leng <lengchao@huawei.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Link: https://lore.kernel.org/r/20221101150050.3510-12-hch@lst.de
+[axboe: fix whitespace]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: d36a9ea5e776 ("block: fix use-after-free of q->q_usage_counter")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c | 27 +++++----------------------
+ block/blk-mq.c | 33 +++++++++++++++++++++++++--------
+ block/blk-mq.h | 14 +++++++-------
+ block/blk-sysfs.c | 9 ++-------
+ block/blk.h | 9 +--------
+ block/genhd.c | 2 +-
+ include/linux/blk-mq.h | 4 ++++
+ include/linux/blkdev.h | 9 ---------
+ 8 files changed, 45 insertions(+), 62 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 2fbdf17f2206..adc5fc562348 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -66,7 +66,6 @@ DEFINE_IDA(blk_queue_ida);
+ * For queue allocation
+ */
+ struct kmem_cache *blk_requestq_cachep;
+-struct kmem_cache *blk_requestq_srcu_cachep;
+
+ /*
+ * Controlling structure to kblockd
+@@ -374,26 +373,20 @@ static void blk_timeout_work(struct work_struct *work)
+ {
+ }
+
+-struct request_queue *blk_alloc_queue(int node_id, bool alloc_srcu)
++struct request_queue *blk_alloc_queue(int node_id)
+ {
+ struct request_queue *q;
+
+- q = kmem_cache_alloc_node(blk_get_queue_kmem_cache(alloc_srcu),
+- GFP_KERNEL | __GFP_ZERO, node_id);
++ q = kmem_cache_alloc_node(blk_requestq_cachep, GFP_KERNEL | __GFP_ZERO,
++ node_id);
+ if (!q)
+ return NULL;
+
+- if (alloc_srcu) {
+- blk_queue_flag_set(QUEUE_FLAG_HAS_SRCU, q);
+- if (init_srcu_struct(q->srcu) != 0)
+- goto fail_q;
+- }
+-
+ q->last_merge = NULL;
+
+ q->id = ida_alloc(&blk_queue_ida, GFP_KERNEL);
+ if (q->id < 0)
+- goto fail_srcu;
++ goto fail_q;
+
+ q->stats = blk_alloc_queue_stats();
+ if (!q->stats)
+@@ -435,11 +428,8 @@ struct request_queue *blk_alloc_queue(int node_id, bool alloc_srcu)
+ blk_free_queue_stats(q->stats);
+ fail_id:
+ ida_free(&blk_queue_ida, q->id);
+-fail_srcu:
+- if (alloc_srcu)
+- cleanup_srcu_struct(q->srcu);
+ fail_q:
+- kmem_cache_free(blk_get_queue_kmem_cache(alloc_srcu), q);
++ kmem_cache_free(blk_requestq_cachep, q);
+ return NULL;
+ }
+
+@@ -1198,9 +1188,6 @@ int __init blk_dev_init(void)
+ sizeof_field(struct request, cmd_flags));
+ BUILD_BUG_ON(REQ_OP_BITS + REQ_FLAG_BITS > 8 *
+ sizeof_field(struct bio, bi_opf));
+- BUILD_BUG_ON(ALIGN(offsetof(struct request_queue, srcu),
+- __alignof__(struct request_queue)) !=
+- sizeof(struct request_queue));
+
+ /* used for unplugging and affects IO latency/throughput - HIGHPRI */
+ kblockd_workqueue = alloc_workqueue("kblockd",
+@@ -1211,10 +1198,6 @@ int __init blk_dev_init(void)
+ blk_requestq_cachep = kmem_cache_create("request_queue",
+ sizeof(struct request_queue), 0, SLAB_PANIC, NULL);
+
+- blk_requestq_srcu_cachep = kmem_cache_create("request_queue_srcu",
+- sizeof(struct request_queue) +
+- sizeof(struct srcu_struct), 0, SLAB_PANIC, NULL);
+-
+ blk_debugfs_root = debugfs_create_dir("block", NULL);
+
+ return 0;
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 3f1f5e3e0951..88975170cc32 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -261,8 +261,8 @@ EXPORT_SYMBOL_GPL(blk_mq_quiesce_queue_nowait);
+ */
+ void blk_mq_wait_quiesce_done(struct request_queue *q)
+ {
+- if (blk_queue_has_srcu(q))
+- synchronize_srcu(q->srcu);
++ if (q->tag_set->flags & BLK_MQ_F_BLOCKING)
++ synchronize_srcu(q->tag_set->srcu);
+ else
+ synchronize_rcu();
+ }
+@@ -3886,7 +3886,7 @@ static struct request_queue *blk_mq_init_queue_data(struct blk_mq_tag_set *set,
+ struct request_queue *q;
+ int ret;
+
+- q = blk_alloc_queue(set->numa_node, set->flags & BLK_MQ_F_BLOCKING);
++ q = blk_alloc_queue(set->numa_node);
+ if (!q)
+ return ERR_PTR(-ENOMEM);
+ q->queuedata = queuedata;
+@@ -4058,9 +4058,6 @@ static void blk_mq_update_poll_flag(struct request_queue *q)
+ int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
+ struct request_queue *q)
+ {
+- WARN_ON_ONCE(blk_queue_has_srcu(q) !=
+- !!(set->flags & BLK_MQ_F_BLOCKING));
+-
+ /* mark the queue as mq asap */
+ q->mq_ops = set->ops;
+
+@@ -4317,8 +4314,18 @@ int blk_mq_alloc_tag_set(struct blk_mq_tag_set *set)
+ if (set->nr_maps == 1 && set->nr_hw_queues > nr_cpu_ids)
+ set->nr_hw_queues = nr_cpu_ids;
+
+- if (blk_mq_alloc_tag_set_tags(set, set->nr_hw_queues) < 0)
+- return -ENOMEM;
++ if (set->flags & BLK_MQ_F_BLOCKING) {
++ set->srcu = kmalloc(sizeof(*set->srcu), GFP_KERNEL);
++ if (!set->srcu)
++ return -ENOMEM;
++ ret = init_srcu_struct(set->srcu);
++ if (ret)
++ goto out_free_srcu;
++ }
++
++ ret = blk_mq_alloc_tag_set_tags(set, set->nr_hw_queues);
++ if (ret)
++ goto out_cleanup_srcu;
+
+ ret = -ENOMEM;
+ for (i = 0; i < set->nr_maps; i++) {
+@@ -4350,6 +4357,12 @@ int blk_mq_alloc_tag_set(struct blk_mq_tag_set *set)
+ }
+ kfree(set->tags);
+ set->tags = NULL;
++out_cleanup_srcu:
++ if (set->flags & BLK_MQ_F_BLOCKING)
++ cleanup_srcu_struct(set->srcu);
++out_free_srcu:
++ if (set->flags & BLK_MQ_F_BLOCKING)
++ kfree(set->srcu);
+ return ret;
+ }
+ EXPORT_SYMBOL(blk_mq_alloc_tag_set);
+@@ -4389,6 +4402,10 @@ void blk_mq_free_tag_set(struct blk_mq_tag_set *set)
+
+ kfree(set->tags);
+ set->tags = NULL;
++ if (set->flags & BLK_MQ_F_BLOCKING) {
++ cleanup_srcu_struct(set->srcu);
++ kfree(set->srcu);
++ }
+ }
+ EXPORT_SYMBOL(blk_mq_free_tag_set);
+
+diff --git a/block/blk-mq.h b/block/blk-mq.h
+index 8ca453ac243d..1a88ad9428b7 100644
+--- a/block/blk-mq.h
++++ b/block/blk-mq.h
+@@ -376,17 +376,17 @@ static inline bool hctx_may_queue(struct blk_mq_hw_ctx *hctx,
+ /* run the code block in @dispatch_ops with rcu/srcu read lock held */
+ #define __blk_mq_run_dispatch_ops(q, check_sleep, dispatch_ops) \
+ do { \
+- if (!blk_queue_has_srcu(q)) { \
+- rcu_read_lock(); \
+- (dispatch_ops); \
+- rcu_read_unlock(); \
+- } else { \
++ if ((q)->tag_set->flags & BLK_MQ_F_BLOCKING) { \
+ int srcu_idx; \
+ \
+ might_sleep_if(check_sleep); \
+- srcu_idx = srcu_read_lock((q)->srcu); \
++ srcu_idx = srcu_read_lock((q)->tag_set->srcu); \
+ (dispatch_ops); \
+- srcu_read_unlock((q)->srcu, srcu_idx); \
++ srcu_read_unlock((q)->tag_set->srcu, srcu_idx); \
++ } else { \
++ rcu_read_lock(); \
++ (dispatch_ops); \
++ rcu_read_unlock(); \
+ } \
+ } while (0)
+
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index e1f009aba6fd..8822b4b6bed2 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -739,10 +739,8 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr,
+
+ static void blk_free_queue_rcu(struct rcu_head *rcu_head)
+ {
+- struct request_queue *q = container_of(rcu_head, struct request_queue,
+- rcu_head);
+-
+- kmem_cache_free(blk_get_queue_kmem_cache(blk_queue_has_srcu(q)), q);
++ kmem_cache_free(blk_requestq_cachep,
++ container_of(rcu_head, struct request_queue, rcu_head));
+ }
+
+ /**
+@@ -779,9 +777,6 @@ static void blk_release_queue(struct kobject *kobj)
+ if (queue_is_mq(q))
+ blk_mq_release(q);
+
+- if (blk_queue_has_srcu(q))
+- cleanup_srcu_struct(q->srcu);
+-
+ ida_free(&blk_queue_ida, q->id);
+ call_rcu(&q->rcu_head, blk_free_queue_rcu);
+ }
+diff --git a/block/blk.h b/block/blk.h
+index ff0bec16f0fa..5040c5b4ee70 100644
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -27,7 +27,6 @@ struct blk_flush_queue {
+ };
+
+ extern struct kmem_cache *blk_requestq_cachep;
+-extern struct kmem_cache *blk_requestq_srcu_cachep;
+ extern struct kobj_type blk_queue_ktype;
+ extern struct ida blk_queue_ida;
+
+@@ -421,13 +420,7 @@ int bio_add_hw_page(struct request_queue *q, struct bio *bio,
+ struct page *page, unsigned int len, unsigned int offset,
+ unsigned int max_sectors, bool *same_page);
+
+-static inline struct kmem_cache *blk_get_queue_kmem_cache(bool srcu)
+-{
+- if (srcu)
+- return blk_requestq_srcu_cachep;
+- return blk_requestq_cachep;
+-}
+-struct request_queue *blk_alloc_queue(int node_id, bool alloc_srcu);
++struct request_queue *blk_alloc_queue(int node_id);
+
+ int disk_scan_partitions(struct gendisk *disk, fmode_t mode);
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 28654723bc2b..d4715ea7dc39 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -1402,7 +1402,7 @@ struct gendisk *__blk_alloc_disk(int node, struct lock_class_key *lkclass)
+ struct request_queue *q;
+ struct gendisk *disk;
+
+- q = blk_alloc_queue(node, false);
++ q = blk_alloc_queue(node);
+ if (!q)
+ return NULL;
+
+diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h
+index 1532cd07a597..21f7b889f54e 100644
+--- a/include/linux/blk-mq.h
++++ b/include/linux/blk-mq.h
+@@ -7,6 +7,7 @@
+ #include <linux/lockdep.h>
+ #include <linux/scatterlist.h>
+ #include <linux/prefetch.h>
++#include <linux/srcu.h>
+
+ struct blk_mq_tags;
+ struct blk_flush_queue;
+@@ -496,6 +497,8 @@ enum hctx_type {
+ * @tag_list_lock: Serializes tag_list accesses.
+ * @tag_list: List of the request queues that use this tag set. See also
+ * request_queue.tag_set_list.
++ * @srcu: Use as lock when type of the request queue is blocking
++ * (BLK_MQ_F_BLOCKING).
+ */
+ struct blk_mq_tag_set {
+ struct blk_mq_queue_map map[HCTX_MAX_TYPES];
+@@ -516,6 +519,7 @@ struct blk_mq_tag_set {
+
+ struct mutex tag_list_lock;
+ struct list_head tag_list;
++ struct srcu_struct *srcu;
+ };
+
+ /**
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index e6bf06dc0770..0526f1c49fc6 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -22,7 +22,6 @@
+ #include <linux/blkzoned.h>
+ #include <linux/sched.h>
+ #include <linux/sbitmap.h>
+-#include <linux/srcu.h>
+ #include <linux/uuid.h>
+ #include <linux/xarray.h>
+
+@@ -544,18 +543,11 @@ struct request_queue {
+ struct mutex debugfs_mutex;
+
+ bool mq_sysfs_init_done;
+-
+- /**
+- * @srcu: Sleepable RCU. Use as lock when type of the request queue
+- * is blocking (BLK_MQ_F_BLOCKING). Must be the last member
+- */
+- struct srcu_struct srcu[];
+ };
+
+ /* Keep blk_queue_flag_name[] in sync with the definitions below */
+ #define QUEUE_FLAG_STOPPED 0 /* queue is stopped */
+ #define QUEUE_FLAG_DYING 1 /* queue being torn down */
+-#define QUEUE_FLAG_HAS_SRCU 2 /* SRCU is allocated */
+ #define QUEUE_FLAG_NOMERGES 3 /* disable merge attempts */
+ #define QUEUE_FLAG_SAME_COMP 4 /* complete on same CPU-group */
+ #define QUEUE_FLAG_FAIL_IO 5 /* fake timeout */
+@@ -591,7 +583,6 @@ bool blk_queue_flag_test_and_set(unsigned int flag, struct request_queue *q);
+
+ #define blk_queue_stopped(q) test_bit(QUEUE_FLAG_STOPPED, &(q)->queue_flags)
+ #define blk_queue_dying(q) test_bit(QUEUE_FLAG_DYING, &(q)->queue_flags)
+-#define blk_queue_has_srcu(q) test_bit(QUEUE_FLAG_HAS_SRCU, &(q)->queue_flags)
+ #define blk_queue_init_done(q) test_bit(QUEUE_FLAG_INIT_DONE, &(q)->queue_flags)
+ #define blk_queue_nomerges(q) test_bit(QUEUE_FLAG_NOMERGES, &(q)->queue_flags)
+ #define blk_queue_noxmerges(q) \
+--
+2.35.1
+
--- /dev/null
+From 8103c0b56366884f01997ee98474326b813ad0cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 12:04:10 +0800
+Subject: blktrace: Fix output non-blktrace event when blk_classic option
+ enabled
+
+From: Yang Jihong <yangjihong1@huawei.com>
+
+[ Upstream commit f596da3efaf4130ff61cd029558845808df9bf99 ]
+
+When the blk_classic option is enabled, non-blktrace events must be
+filtered out. Otherwise, events of other types are output in the blktrace
+classic format, which is unexpected.
+
+The problem can be triggered in the following ways:
+
+ # echo 1 > /sys/kernel/debug/tracing/options/blk_classic
+ # echo 1 > /sys/kernel/debug/tracing/events/enable
+ # echo blk > /sys/kernel/debug/tracing/current_tracer
+ # cat /sys/kernel/debug/tracing/trace_pipe
+
+Fixes: c71a89615411 ("blktrace: add ftrace plugin")
+Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
+Link: https://lore.kernel.org/r/20221122040410.85113-1-yangjihong1@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/blktrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index 7f5eb295fe19..ee22a3b1c181 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -1546,7 +1546,8 @@ blk_trace_event_print_binary(struct trace_iterator *iter, int flags,
+
+ static enum print_line_t blk_tracer_print_line(struct trace_iterator *iter)
+ {
+- if (!(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC))
++ if ((iter->ent->type != TRACE_BLK) ||
++ !(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC))
+ return TRACE_TYPE_UNHANDLED;
+
+ return print_one_line(iter, true);
+--
+2.35.1
+
--- /dev/null
+From af01406cd0a3ee49b96c8ee520c2f814b6606675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 11:04:30 +0800
+Subject: block, bfq: fix possible uaf for 'bfqq->bic'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 64dc8c732f5c2b406cc752e6aaa1bd5471159cab ]
+
+Our test report a uaf for 'bfqq->bic' in 5.10:
+
+==================================================================
+BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30
+
+CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014
+Call Trace:
+ bfq_select_queue+0x378/0xa30
+ bfq_dispatch_request+0xe8/0x130
+ blk_mq_do_dispatch_sched+0x62/0xb0
+ __blk_mq_sched_dispatch_requests+0x215/0x2a0
+ blk_mq_sched_dispatch_requests+0x8f/0xd0
+ __blk_mq_run_hw_queue+0x98/0x180
+ __blk_mq_delay_run_hw_queue+0x22b/0x240
+ blk_mq_run_hw_queue+0xe3/0x190
+ blk_mq_sched_insert_requests+0x107/0x200
+ blk_mq_flush_plug_list+0x26e/0x3c0
+ blk_finish_plug+0x63/0x90
+ __iomap_dio_rw+0x7b5/0x910
+ iomap_dio_rw+0x36/0x80
+ ext4_dio_read_iter+0x146/0x190 [ext4]
+ ext4_file_read_iter+0x1e2/0x230 [ext4]
+ new_sync_read+0x29f/0x400
+ vfs_read+0x24e/0x2d0
+ ksys_read+0xd5/0x1b0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")
+changes that move process to a new cgroup will allocate a new bfqq to
+use, however, the old bfqq and new bfqq can point to the same bic:
+
+1) Initial state, two process with io in the same cgroup.
+
+Process 1 Process 2
+ (BIC1) (BIC2)
+ | Λ | Λ
+ | | | |
+ V | V |
+ bfqq1 bfqq2
+
+2) bfqq1 is merged to bfqq2.
+
+Process 1 Process 2
+ (BIC1) (BIC2)
+ | |
+ \-------------\|
+ V
+ bfqq1 bfqq2(coop)
+
+3) Process 1 exit, then issue new io(denoce IOA) from Process 2.
+
+ (BIC2)
+ | Λ
+ | |
+ V |
+ bfqq2(coop)
+
+4) Before IOA is completed, move Process 2 to another cgroup and issue io.
+
+Process 2
+ (BIC2)
+ Λ
+ |\--------------\
+ | V
+ bfqq2 bfqq3
+
+Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.
+If all the requests are completed, and Process 2 exit, BIC2 will be
+freed while there is no guarantee that bfqq2 will be freed before BIC2.
+
+Fix the problem by clearing bfqq->bic while bfqq is detached from bic.
+
+Fixes: 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20221214030430.3304151-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 68872a61706a..528ca21044a5 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -386,6 +386,12 @@ static void bfq_put_stable_ref(struct bfq_queue *bfqq);
+
+ void bic_set_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq, bool is_sync)
+ {
++ struct bfq_queue *old_bfqq = bic->bfqq[is_sync];
++
++ /* Clear bic pointer if bfqq is detached from this bic */
++ if (old_bfqq && old_bfqq->bic == bic)
++ old_bfqq->bic = NULL;
++
+ /*
+ * If bfqq != NULL, then a non-stable queue merge between
+ * bic->bfqq and bfqq is happening here. This causes troubles
+@@ -5379,7 +5385,6 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
+ unsigned long flags;
+
+ spin_lock_irqsave(&bfqd->lock, flags);
+- bfqq->bic = NULL;
+ bfq_exit_bfqq(bfqd, bfqq);
+ bic_set_bfqq(bic, NULL, is_sync);
+ spin_unlock_irqrestore(&bfqd->lock, flags);
+--
+2.35.1
+
--- /dev/null
+From a8a4382473b6b730a459a920348cb5ad68ba1e59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 22:10:45 +0800
+Subject: block: clear ->slave_dir when dropping the main slave_dir reference
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit d90db3b1c8676bc88b4309c5a571333de2263b8e ]
+
+Zero out the pointer to ->slave_dir so that the holder code doesn't
+incorrectly treat the object as alive when add_disk failed or after
+del_gendisk was called.
+
+Fixes: 89f871af1b26 ("dm: delay registering the gendisk")
+Reported-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Link: https://lore.kernel.org/r/20221115141054.1051801-2-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/genhd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 044ff97381e3..28654723bc2b 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -522,6 +522,7 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk,
+ rq_qos_exit(disk->queue);
+ out_put_slave_dir:
+ kobject_put(disk->slave_dir);
++ disk->slave_dir = NULL;
+ out_put_holder_dir:
+ kobject_put(disk->part0->bd_holder_dir);
+ out_del_integrity:
+@@ -618,6 +619,7 @@ void del_gendisk(struct gendisk *disk)
+
+ kobject_put(disk->part0->bd_holder_dir);
+ kobject_put(disk->slave_dir);
++ disk->slave_dir = NULL;
+
+ part_stat_set_all(disk->part0, 0);
+ disk->part0->bd_stamp = 0;
+--
+2.35.1
+
--- /dev/null
+From 03483a014ed2cecaba0e02ac736db0e5da640551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 05:26:34 +0100
+Subject: block: factor out a blk_debugfs_remove helper
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 6fc75f309d291d328b4ea2f91bef0ff56e4bc7c2 ]
+
+Split the debugfs removal from blk_unregister_queue into a helper so that
+the it can be reused for blk_register_queue error handling.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20221114042637.1009333-3-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: d36a9ea5e776 ("block: fix use-after-free of q->q_usage_counter")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-sysfs.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index c8a1119c3950..4825eaa4363a 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -797,6 +797,19 @@ struct kobj_type blk_queue_ktype = {
+ .release = blk_release_queue,
+ };
+
++static void blk_debugfs_remove(struct gendisk *disk)
++{
++ struct request_queue *q = disk->queue;
++
++ mutex_lock(&q->debugfs_mutex);
++ blk_trace_shutdown(q);
++ debugfs_remove_recursive(q->debugfs_dir);
++ q->debugfs_dir = NULL;
++ q->sched_debugfs_dir = NULL;
++ q->rqos_debugfs_dir = NULL;
++ mutex_unlock(&q->debugfs_mutex);
++}
++
+ /**
+ * blk_register_queue - register a block layer queue with sysfs
+ * @disk: Disk of which the request queue should be registered with sysfs.
+@@ -922,11 +935,5 @@ void blk_unregister_queue(struct gendisk *disk)
+ kobject_del(&q->kobj);
+ mutex_unlock(&q->sysfs_dir_lock);
+
+- mutex_lock(&q->debugfs_mutex);
+- blk_trace_shutdown(q);
+- debugfs_remove_recursive(q->debugfs_dir);
+- q->debugfs_dir = NULL;
+- q->sched_debugfs_dir = NULL;
+- q->rqos_debugfs_dir = NULL;
+- mutex_unlock(&q->debugfs_mutex);
++ blk_debugfs_remove(disk);
+ }
+--
+2.35.1
+
--- /dev/null
+From 2aa320938830cd91d5f595f84c736a8f56d2c0e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 05:26:35 +0100
+Subject: block: fix error unwinding in blk_register_queue
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 40602997be26887bdfa3d58659c3acb4579099e9 ]
+
+blk_register_queue fails to handle errors from blk_mq_sysfs_register,
+leaks various resources on errors and accidentally sets queue refs percpu
+refcount to percpu mode on kobject_add failure. Fix all that by
+properly unwinding on errors.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20221114042637.1009333-4-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: d36a9ea5e776 ("block: fix use-after-free of q->q_usage_counter")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-sysfs.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index 4825eaa4363a..02931b6f25c5 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -820,13 +820,15 @@ int blk_register_queue(struct gendisk *disk)
+ int ret;
+
+ mutex_lock(&q->sysfs_dir_lock);
+-
+ ret = kobject_add(&q->kobj, &disk_to_dev(disk)->kobj, "queue");
+ if (ret < 0)
+- goto unlock;
++ goto out_unlock_dir;
+
+- if (queue_is_mq(q))
+- blk_mq_sysfs_register(disk);
++ if (queue_is_mq(q)) {
++ ret = blk_mq_sysfs_register(disk);
++ if (ret)
++ goto out_del_queue_kobj;
++ }
+ mutex_lock(&q->sysfs_lock);
+
+ mutex_lock(&q->debugfs_mutex);
+@@ -838,17 +840,17 @@ int blk_register_queue(struct gendisk *disk)
+
+ ret = disk_register_independent_access_ranges(disk);
+ if (ret)
+- goto put_dev;
++ goto out_debugfs_remove;
+
+ if (q->elevator) {
+ ret = elv_register_queue(q, false);
+ if (ret)
+- goto put_dev;
++ goto out_unregister_ia_ranges;
+ }
+
+ ret = blk_crypto_sysfs_register(disk);
+ if (ret)
+- goto put_dev;
++ goto out_elv_unregister;
+
+ blk_queue_flag_set(QUEUE_FLAG_REGISTERED, q);
+ wbt_enable_default(q);
+@@ -859,8 +861,6 @@ int blk_register_queue(struct gendisk *disk)
+ if (q->elevator)
+ kobject_uevent(&q->elevator->kobj, KOBJ_ADD);
+ mutex_unlock(&q->sysfs_lock);
+-
+-unlock:
+ mutex_unlock(&q->sysfs_dir_lock);
+
+ /*
+@@ -879,13 +879,17 @@ int blk_register_queue(struct gendisk *disk)
+
+ return ret;
+
+-put_dev:
++out_elv_unregister:
+ elv_unregister_queue(q);
++out_unregister_ia_ranges:
+ disk_unregister_independent_access_ranges(disk);
++out_debugfs_remove:
++ blk_debugfs_remove(disk);
+ mutex_unlock(&q->sysfs_lock);
+- mutex_unlock(&q->sysfs_dir_lock);
++out_del_queue_kobj:
+ kobject_del(&q->kobj);
+-
++out_unlock_dir:
++ mutex_unlock(&q->sysfs_dir_lock);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 73552cce158716c61be4dfc1d006ceac44b9c775 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:16:29 +0800
+Subject: block: fix use-after-free of q->q_usage_counter
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit d36a9ea5e7766961e753ee38d4c331bbe6ef659b ]
+
+For blk-mq, queue release handler is usually called after
+blk_mq_freeze_queue_wait() returns. However, the
+q_usage_counter->release() handler may not be run yet at that time, so
+this can cause a use-after-free.
+
+Fix the issue by moving percpu_ref_exit() into blk_free_queue_rcu().
+Since ->release() is called with rcu read lock held, it is agreed that
+the race should be covered in caller per discussion from the two links.
+
+Reported-by: Zhang Wensheng <zhangwensheng@huaweicloud.com>
+Reported-by: Zhong Jinghua <zhongjinghua@huawei.com>
+Link: https://lore.kernel.org/linux-block/Y5prfOjyyjQKUrtH@T590/T/#u
+Link: https://lore.kernel.org/lkml/Y4%2FmzMd4evRg9yDi@fedora/
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Yu Kuai <yukuai3@huawei.com>
+Cc: Dennis Zhou <dennis@kernel.org>
+Fixes: 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20221215021629.74870-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 818002b8be7c..3459fe316a34 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -255,14 +255,15 @@ EXPORT_SYMBOL_GPL(blk_clear_pm_only);
+
+ static void blk_free_queue_rcu(struct rcu_head *rcu_head)
+ {
+- kmem_cache_free(blk_requestq_cachep,
+- container_of(rcu_head, struct request_queue, rcu_head));
++ struct request_queue *q = container_of(rcu_head,
++ struct request_queue, rcu_head);
++
++ percpu_ref_exit(&q->q_usage_counter);
++ kmem_cache_free(blk_requestq_cachep, q);
+ }
+
+ static void blk_free_queue(struct request_queue *q)
+ {
+- percpu_ref_exit(&q->q_usage_counter);
+-
+ if (q->poll_stat)
+ blk_stat_remove_callback(q, q->poll_cb);
+ blk_stat_free_callback(q->poll_cb);
+--
+2.35.1
+
--- /dev/null
+From 3c93e8c2961b28620ee655ac56add38e18869042 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 05:26:37 +0100
+Subject: block: mark blk_put_queue as potentially blocking
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 63f93fd6fa5717769a78d6d7bea6f7f9a1ccca8e ]
+
+We can't just say that the last reference release may block, as any
+reference dropped could be the last one. So move the might_sleep() from
+blk_free_queue to blk_put_queue and update the documentation.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20221114042637.1009333-6-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: d36a9ea5e776 ("block: fix use-after-free of q->q_usage_counter")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 3920e101654f..818002b8be7c 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -261,8 +261,6 @@ static void blk_free_queue_rcu(struct rcu_head *rcu_head)
+
+ static void blk_free_queue(struct request_queue *q)
+ {
+- might_sleep();
+-
+ percpu_ref_exit(&q->q_usage_counter);
+
+ if (q->poll_stat)
+@@ -286,11 +284,11 @@ static void blk_free_queue(struct request_queue *q)
+ * Decrements the refcount of the request_queue and free it when the refcount
+ * reaches 0.
+ *
+- * Context: Any context, but the last reference must not be dropped from
+- * atomic context.
++ * Context: Can sleep.
+ */
+ void blk_put_queue(struct request_queue *q)
+ {
++ might_sleep();
+ if (refcount_dec_and_test(&q->refs))
+ blk_free_queue(q);
+ }
+--
+2.35.1
+
--- /dev/null
+From ea647559f200f259accf0abdf468ab691de8bc97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 05:26:36 +0100
+Subject: block: untangle request_queue refcounting from sysfs
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 2bd85221a625b316114bafaab527770b607095d3 ]
+
+The kobject embedded into the request_queue is used for the queue
+directory in sysfs, but that is a child of the gendisks directory and is
+intimately tied to it. Move this kobject to the gendisk and use a
+refcount_t in the request_queue for the actual request_queue refcounting
+that is completely unrelated to the device model.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20221114042637.1009333-5-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: d36a9ea5e776 ("block: fix use-after-free of q->q_usage_counter")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c | 42 ++++++++++++++++----
+ block/blk-crypto-sysfs.c | 4 +-
+ block/blk-ia-ranges.c | 3 +-
+ block/blk-sysfs.c | 86 +++++++++++-----------------------------
+ block/blk.h | 4 --
+ block/bsg.c | 11 +++--
+ block/elevator.c | 2 +-
+ include/linux/blkdev.h | 6 +--
+ 8 files changed, 71 insertions(+), 87 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index adc5fc562348..3920e101654f 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -60,12 +60,12 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(block_split);
+ EXPORT_TRACEPOINT_SYMBOL_GPL(block_unplug);
+ EXPORT_TRACEPOINT_SYMBOL_GPL(block_rq_insert);
+
+-DEFINE_IDA(blk_queue_ida);
++static DEFINE_IDA(blk_queue_ida);
+
+ /*
+ * For queue allocation
+ */
+-struct kmem_cache *blk_requestq_cachep;
++static struct kmem_cache *blk_requestq_cachep;
+
+ /*
+ * Controlling structure to kblockd
+@@ -253,19 +253,46 @@ void blk_clear_pm_only(struct request_queue *q)
+ }
+ EXPORT_SYMBOL_GPL(blk_clear_pm_only);
+
++static void blk_free_queue_rcu(struct rcu_head *rcu_head)
++{
++ kmem_cache_free(blk_requestq_cachep,
++ container_of(rcu_head, struct request_queue, rcu_head));
++}
++
++static void blk_free_queue(struct request_queue *q)
++{
++ might_sleep();
++
++ percpu_ref_exit(&q->q_usage_counter);
++
++ if (q->poll_stat)
++ blk_stat_remove_callback(q, q->poll_cb);
++ blk_stat_free_callback(q->poll_cb);
++
++ blk_free_queue_stats(q->stats);
++ kfree(q->poll_stat);
++
++ if (queue_is_mq(q))
++ blk_mq_release(q);
++
++ ida_free(&blk_queue_ida, q->id);
++ call_rcu(&q->rcu_head, blk_free_queue_rcu);
++}
++
+ /**
+ * blk_put_queue - decrement the request_queue refcount
+ * @q: the request_queue structure to decrement the refcount for
+ *
+- * Decrements the refcount of the request_queue kobject. When this reaches 0
+- * we'll have blk_release_queue() called.
++ * Decrements the refcount of the request_queue and free it when the refcount
++ * reaches 0.
+ *
+ * Context: Any context, but the last reference must not be dropped from
+ * atomic context.
+ */
+ void blk_put_queue(struct request_queue *q)
+ {
+- kobject_put(&q->kobj);
++ if (refcount_dec_and_test(&q->refs))
++ blk_free_queue(q);
+ }
+ EXPORT_SYMBOL(blk_put_queue);
+
+@@ -400,8 +427,7 @@ struct request_queue *blk_alloc_queue(int node_id)
+ INIT_WORK(&q->timeout_work, blk_timeout_work);
+ INIT_LIST_HEAD(&q->icq_list);
+
+- kobject_init(&q->kobj, &blk_queue_ktype);
+-
++ refcount_set(&q->refs, 1);
+ mutex_init(&q->debugfs_mutex);
+ mutex_init(&q->sysfs_lock);
+ mutex_init(&q->sysfs_dir_lock);
+@@ -445,7 +471,7 @@ bool blk_get_queue(struct request_queue *q)
+ {
+ if (unlikely(blk_queue_dying(q)))
+ return false;
+- kobject_get(&q->kobj);
++ refcount_inc(&q->refs);
+ return true;
+ }
+ EXPORT_SYMBOL(blk_get_queue);
+diff --git a/block/blk-crypto-sysfs.c b/block/blk-crypto-sysfs.c
+index e05f145cd797..55268edc0625 100644
+--- a/block/blk-crypto-sysfs.c
++++ b/block/blk-crypto-sysfs.c
+@@ -140,8 +140,8 @@ int blk_crypto_sysfs_register(struct gendisk *disk)
+ return -ENOMEM;
+ obj->profile = q->crypto_profile;
+
+- err = kobject_init_and_add(&obj->kobj, &blk_crypto_ktype, &q->kobj,
+- "crypto");
++ err = kobject_init_and_add(&obj->kobj, &blk_crypto_ktype,
++ &disk->queue_kobj, "crypto");
+ if (err) {
+ kobject_put(&obj->kobj);
+ return err;
+diff --git a/block/blk-ia-ranges.c b/block/blk-ia-ranges.c
+index 2bd1d311033b..2141931ddd37 100644
+--- a/block/blk-ia-ranges.c
++++ b/block/blk-ia-ranges.c
+@@ -123,7 +123,8 @@ int disk_register_independent_access_ranges(struct gendisk *disk)
+ */
+ WARN_ON(iars->sysfs_registered);
+ ret = kobject_init_and_add(&iars->kobj, &blk_ia_ranges_ktype,
+- &q->kobj, "%s", "independent_access_ranges");
++ &disk->queue_kobj, "%s",
++ "independent_access_ranges");
+ if (ret) {
+ disk->ia_ranges = NULL;
+ kobject_put(&iars->kobj);
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index 02931b6f25c5..f32c195c9767 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -680,8 +680,8 @@ static struct attribute *queue_attrs[] = {
+ static umode_t queue_attr_visible(struct kobject *kobj, struct attribute *attr,
+ int n)
+ {
+- struct request_queue *q =
+- container_of(kobj, struct request_queue, kobj);
++ struct gendisk *disk = container_of(kobj, struct gendisk, queue_kobj);
++ struct request_queue *q = disk->queue;
+
+ if (attr == &queue_io_timeout_entry.attr &&
+ (!q->mq_ops || !q->mq_ops->timeout))
+@@ -707,8 +707,8 @@ static ssize_t
+ queue_attr_show(struct kobject *kobj, struct attribute *attr, char *page)
+ {
+ struct queue_sysfs_entry *entry = to_queue(attr);
+- struct request_queue *q =
+- container_of(kobj, struct request_queue, kobj);
++ struct gendisk *disk = container_of(kobj, struct gendisk, queue_kobj);
++ struct request_queue *q = disk->queue;
+ ssize_t res;
+
+ if (!entry->show)
+@@ -724,63 +724,19 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr,
+ const char *page, size_t length)
+ {
+ struct queue_sysfs_entry *entry = to_queue(attr);
+- struct request_queue *q;
++ struct gendisk *disk = container_of(kobj, struct gendisk, queue_kobj);
++ struct request_queue *q = disk->queue;
+ ssize_t res;
+
+ if (!entry->store)
+ return -EIO;
+
+- q = container_of(kobj, struct request_queue, kobj);
+ mutex_lock(&q->sysfs_lock);
+ res = entry->store(q, page, length);
+ mutex_unlock(&q->sysfs_lock);
+ return res;
+ }
+
+-static void blk_free_queue_rcu(struct rcu_head *rcu_head)
+-{
+- kmem_cache_free(blk_requestq_cachep,
+- container_of(rcu_head, struct request_queue, rcu_head));
+-}
+-
+-/**
+- * blk_release_queue - releases all allocated resources of the request_queue
+- * @kobj: pointer to a kobject, whose container is a request_queue
+- *
+- * This function releases all allocated resources of the request queue.
+- *
+- * The struct request_queue refcount is incremented with blk_get_queue() and
+- * decremented with blk_put_queue(). Once the refcount reaches 0 this function
+- * is called.
+- *
+- * Drivers exist which depend on the release of the request_queue to be
+- * synchronous, it should not be deferred.
+- *
+- * Context: can sleep
+- */
+-static void blk_release_queue(struct kobject *kobj)
+-{
+- struct request_queue *q =
+- container_of(kobj, struct request_queue, kobj);
+-
+- might_sleep();
+-
+- percpu_ref_exit(&q->q_usage_counter);
+-
+- if (q->poll_stat)
+- blk_stat_remove_callback(q, q->poll_cb);
+- blk_stat_free_callback(q->poll_cb);
+-
+- blk_free_queue_stats(q->stats);
+- kfree(q->poll_stat);
+-
+- if (queue_is_mq(q))
+- blk_mq_release(q);
+-
+- ida_free(&blk_queue_ida, q->id);
+- call_rcu(&q->rcu_head, blk_free_queue_rcu);
+-}
+-
+ static const struct sysfs_ops queue_sysfs_ops = {
+ .show = queue_attr_show,
+ .store = queue_attr_store,
+@@ -791,10 +747,15 @@ static const struct attribute_group *blk_queue_attr_groups[] = {
+ NULL
+ };
+
+-struct kobj_type blk_queue_ktype = {
++static void blk_queue_release(struct kobject *kobj)
++{
++ /* nothing to do here, all data is associated with the parent gendisk */
++}
++
++static struct kobj_type blk_queue_ktype = {
+ .default_groups = blk_queue_attr_groups,
+ .sysfs_ops = &queue_sysfs_ops,
+- .release = blk_release_queue,
++ .release = blk_queue_release,
+ };
+
+ static void blk_debugfs_remove(struct gendisk *disk)
+@@ -820,20 +781,20 @@ int blk_register_queue(struct gendisk *disk)
+ int ret;
+
+ mutex_lock(&q->sysfs_dir_lock);
+- ret = kobject_add(&q->kobj, &disk_to_dev(disk)->kobj, "queue");
++ kobject_init(&disk->queue_kobj, &blk_queue_ktype);
++ ret = kobject_add(&disk->queue_kobj, &disk_to_dev(disk)->kobj, "queue");
+ if (ret < 0)
+- goto out_unlock_dir;
++ goto out_put_queue_kobj;
+
+ if (queue_is_mq(q)) {
+ ret = blk_mq_sysfs_register(disk);
+ if (ret)
+- goto out_del_queue_kobj;
++ goto out_put_queue_kobj;
+ }
+ mutex_lock(&q->sysfs_lock);
+
+ mutex_lock(&q->debugfs_mutex);
+- q->debugfs_dir = debugfs_create_dir(kobject_name(q->kobj.parent),
+- blk_debugfs_root);
++ q->debugfs_dir = debugfs_create_dir(disk->disk_name, blk_debugfs_root);
+ if (queue_is_mq(q))
+ blk_mq_debugfs_register(q);
+ mutex_unlock(&q->debugfs_mutex);
+@@ -857,7 +818,7 @@ int blk_register_queue(struct gendisk *disk)
+ blk_throtl_register_queue(q);
+
+ /* Now everything is ready and send out KOBJ_ADD uevent */
+- kobject_uevent(&q->kobj, KOBJ_ADD);
++ kobject_uevent(&disk->queue_kobj, KOBJ_ADD);
+ if (q->elevator)
+ kobject_uevent(&q->elevator->kobj, KOBJ_ADD);
+ mutex_unlock(&q->sysfs_lock);
+@@ -886,9 +847,8 @@ int blk_register_queue(struct gendisk *disk)
+ out_debugfs_remove:
+ blk_debugfs_remove(disk);
+ mutex_unlock(&q->sysfs_lock);
+-out_del_queue_kobj:
+- kobject_del(&q->kobj);
+-out_unlock_dir:
++out_put_queue_kobj:
++ kobject_put(&disk->queue_kobj);
+ mutex_unlock(&q->sysfs_dir_lock);
+ return ret;
+ }
+@@ -935,8 +895,8 @@ void blk_unregister_queue(struct gendisk *disk)
+ mutex_unlock(&q->sysfs_lock);
+
+ /* Now that we've deleted all child objects, we can delete the queue. */
+- kobject_uevent(&q->kobj, KOBJ_REMOVE);
+- kobject_del(&q->kobj);
++ kobject_uevent(&disk->queue_kobj, KOBJ_REMOVE);
++ kobject_del(&disk->queue_kobj);
+ mutex_unlock(&q->sysfs_dir_lock);
+
+ blk_debugfs_remove(disk);
+diff --git a/block/blk.h b/block/blk.h
+index 5040c5b4ee70..bf20ed1c3054 100644
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -26,10 +26,6 @@ struct blk_flush_queue {
+ spinlock_t mq_flush_lock;
+ };
+
+-extern struct kmem_cache *blk_requestq_cachep;
+-extern struct kobj_type blk_queue_ktype;
+-extern struct ida blk_queue_ida;
+-
+ bool is_flush_rq(struct request *req);
+
+ struct blk_flush_queue *blk_alloc_flush_queue(int node, int cmd_size,
+diff --git a/block/bsg.c b/block/bsg.c
+index 2ab1351eb082..8eba57b9bb46 100644
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -175,8 +175,10 @@ static void bsg_device_release(struct device *dev)
+
+ void bsg_unregister_queue(struct bsg_device *bd)
+ {
+- if (bd->queue->kobj.sd)
+- sysfs_remove_link(&bd->queue->kobj, "bsg");
++ struct gendisk *disk = bd->queue->disk;
++
++ if (disk && disk->queue_kobj.sd)
++ sysfs_remove_link(&disk->queue_kobj, "bsg");
+ cdev_device_del(&bd->cdev, &bd->device);
+ put_device(&bd->device);
+ }
+@@ -216,8 +218,9 @@ struct bsg_device *bsg_register_queue(struct request_queue *q,
+ if (ret)
+ goto out_put_device;
+
+- if (q->kobj.sd) {
+- ret = sysfs_create_link(&q->kobj, &bd->device.kobj, "bsg");
++ if (q->disk && q->disk->queue_kobj.sd) {
++ ret = sysfs_create_link(&q->disk->queue_kobj, &bd->device.kobj,
++ "bsg");
+ if (ret)
+ goto out_device_del;
+ }
+diff --git a/block/elevator.c b/block/elevator.c
+index bd71f0fc4e4b..ac096f494911 100644
+--- a/block/elevator.c
++++ b/block/elevator.c
+@@ -499,7 +499,7 @@ int elv_register_queue(struct request_queue *q, bool uevent)
+
+ lockdep_assert_held(&q->sysfs_lock);
+
+- error = kobject_add(&e->kobj, &q->kobj, "%s", "iosched");
++ error = kobject_add(&e->kobj, &q->disk->queue_kobj, "iosched");
+ if (!error) {
+ struct elv_fs_entry *attr = e->type->elevator_attrs;
+ if (attr) {
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 0526f1c49fc6..c712841ef64b 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -155,6 +155,7 @@ struct gendisk {
+ unsigned open_partitions; /* number of open partitions */
+
+ struct backing_dev_info *bdi;
++ struct kobject queue_kobj; /* the queue/ directory */
+ struct kobject *slave_dir;
+ #ifdef CONFIG_BLOCK_HOLDER_DEPRECATED
+ struct list_head slave_bdevs;
+@@ -437,10 +438,7 @@ struct request_queue {
+
+ struct gendisk *disk;
+
+- /*
+- * queue kobject
+- */
+- struct kobject kobj;
++ refcount_t refs;
+
+ /*
+ * mq queue kobject
+--
+2.35.1
+
--- /dev/null
+From 9659543befaf55b242ba861eb4350e65f242ff21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 22:13:01 +0100
+Subject: Bluetooth: Add quirk to disable extended scanning
+
+From: Sven Peter <sven@svenpeter.dev>
+
+[ Upstream commit 392fca352c7a95e2828d49e7500e26d0c87ca265 ]
+
+Broadcom 4377 controllers found in Apple x86 Macs with the T2 chip
+claim to support extended scanning when querying supported states,
+
+< HCI Command: LE Read Supported St.. (0x08|0x001c) plen 0
+> HCI Event: Command Complete (0x0e) plen 12
+ LE Read Supported States (0x08|0x001c) ncmd 1
+ Status: Success (0x00)
+ States: 0x000003ffffffffff
+[...]
+ LE Set Extended Scan Parameters (Octet 37 - Bit 5)
+ LE Set Extended Scan Enable (Octet 37 - Bit 6)
+[...]
+
+, but then fail to actually implement the extended scanning:
+
+< HCI Command: LE Set Extended Sca.. (0x08|0x0041) plen 8
+ Own address type: Random (0x01)
+ Filter policy: Accept all advertisement (0x00)
+ PHYs: 0x01
+ Entry 0: LE 1M
+ Type: Active (0x01)
+ Interval: 11.250 msec (0x0012)
+ Window: 11.250 msec (0x0012)
+> HCI Event: Command Complete (0x0e) plen 4
+ LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1
+ Status: Unknown HCI Command (0x01)
+
+Signed-off-by: Sven Peter <sven@svenpeter.dev>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 10 ++++++++++
+ include/net/bluetooth/hci_core.h | 4 +++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 4518c63e9d17..78c55b69919d 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -274,6 +274,16 @@ enum {
+ * during the hdev->setup vendor callback.
+ */
+ HCI_QUIRK_BROKEN_ENHANCED_SETUP_SYNC_CONN,
++
++ /*
++ * When this quirk is set, the HCI_OP_LE_SET_EXT_SCAN_ENABLE command is
++ * disabled. This is required for some Broadcom controllers which
++ * erroneously claim to support extended scanning.
++ *
++ * This quirk can be set before hci_register_dev is called or
++ * during the hdev->setup vendor callback.
++ */
++ HCI_QUIRK_BROKEN_EXT_SCAN,
+ };
+
+ /* HCI device flags */
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index e7862903187d..29d1254f9856 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1681,7 +1681,9 @@ void hci_conn_del_sysfs(struct hci_conn *conn);
+
+ /* Use ext scanning if set ext scan param and ext scan enable is supported */
+ #define use_ext_scan(dev) (((dev)->commands[37] & 0x20) && \
+- ((dev)->commands[37] & 0x40))
++ ((dev)->commands[37] & 0x40) && \
++ !test_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &(dev)->quirks))
++
+ /* Use ext create connection if command is supported */
+ #define use_ext_conn(dev) ((dev)->commands[37] & 0x80)
+
+--
+2.35.1
+
--- /dev/null
+From 865776449ed62ca0138ebf5a82e0ebd72f408e2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 22:13:02 +0100
+Subject: Bluetooth: Add quirk to disable MWS Transport Configuration
+
+From: Sven Peter <sven@svenpeter.dev>
+
+[ Upstream commit ffcb0a445ec2d5753751437706aa0a7ea8351099 ]
+
+Broadcom 4378/4387 controllers found in Apple Silicon Macs claim to
+support getting MWS Transport Layer Configuration,
+
+< HCI Command: Read Local Supported... (0x04|0x0002) plen 0
+> HCI Event: Command Complete (0x0e) plen 68
+ Read Local Supported Commands (0x04|0x0002) ncmd 1
+ Status: Success (0x00)
+[...]
+ Get MWS Transport Layer Configuration (Octet 30 - Bit 3)]
+[...]
+
+, but then don't actually allow the required command:
+
+> HCI Event: Command Complete (0x0e) plen 15
+ Get MWS Transport Layer Configuration (0x05|0x000c) ncmd 1
+ Status: Command Disallowed (0x0c)
+ Number of transports: 0
+ Baud rate list: 0 entries
+ 00 00 00 00 00 00 00 00 00 00
+
+Signed-off-by: Sven Peter <sven@svenpeter.dev>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 10 ++++++++++
+ include/net/bluetooth/hci_core.h | 3 +++
+ net/bluetooth/hci_sync.c | 2 +-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 78c55b69919d..dd455ce06770 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -284,6 +284,16 @@ enum {
+ * during the hdev->setup vendor callback.
+ */
+ HCI_QUIRK_BROKEN_EXT_SCAN,
++
++ /*
++ * When this quirk is set, the HCI_OP_GET_MWS_TRANSPORT_CONFIG command is
++ * disabled. This is required for some Broadcom controllers which
++ * erroneously claim to support MWS Transport Layer Configuration.
++ *
++ * This quirk can be set before hci_register_dev is called or
++ * during the hdev->setup vendor callback.
++ */
++ HCI_QUIRK_BROKEN_MWS_TRANSPORT_CONFIG,
+ };
+
+ /* HCI device flags */
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 29d1254f9856..6afb4771ce35 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1711,6 +1711,9 @@ void hci_conn_del_sysfs(struct hci_conn *conn);
+ ((dev)->le_features[3] & HCI_LE_CIS_PERIPHERAL)
+ #define bis_capable(dev) ((dev)->le_features[3] & HCI_LE_ISO_BROADCASTER)
+
++#define mws_transport_config_capable(dev) (((dev)->commands[30] & 0x08) && \
++ (!test_bit(HCI_QUIRK_BROKEN_MWS_TRANSPORT_CONFIG, &(dev)->quirks)))
++
+ /* ----- HCI protocols ----- */
+ #define HCI_PROTO_DEFER 0x01
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index a5e89e1b5452..117537f3e7ad 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -3940,7 +3940,7 @@ static int hci_read_local_pairing_opts_sync(struct hci_dev *hdev)
+ /* Get MWS transport configuration if the HCI command is supported */
+ static int hci_get_mws_transport_config_sync(struct hci_dev *hdev)
+ {
+- if (!(hdev->commands[30] & 0x08))
++ if (!mws_transport_config_capable(hdev))
+ return 0;
+
+ return __hci_cmd_sync_status(hdev, HCI_OP_GET_MWS_TRANSPORT_CONFIG,
+--
+2.35.1
+
--- /dev/null
+From ad3e8986570cf4a573aec1f9c6367d42cab2f0c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 21:53:57 +0800
+Subject: Bluetooth: btintel: Fix missing free skb in btintel_setup_combined()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit cee50ce899de415baf4da3ed38b7d4f13c3170d1 ]
+
+skb allocated by __hci_cmd_sync would not be used whether in checking
+for supported iBT hardware variants or after, we should free it in all
+error branches, this patch makes the case read version failed or default
+error case free skb before return.
+
+Fixes: c86c7285bb08 ("Bluetooth: btintel: Fix the legacy bootloader returns tlv based version")
+Fixes: 019a1caa7fd2 ("Bluetooth: btintel: Refactoring setup routine for bootloader devices")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btintel.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index d44a96667517..0c2542cee294 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -2522,7 +2522,7 @@ static int btintel_setup_combined(struct hci_dev *hdev)
+ */
+ err = btintel_read_version(hdev, &ver);
+ if (err)
+- return err;
++ break;
+
+ /* Apply the device specific HCI quirks
+ *
+@@ -2563,7 +2563,8 @@ static int btintel_setup_combined(struct hci_dev *hdev)
+ default:
+ bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
+ INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
+- return -EINVAL;
++ err = -EINVAL;
++ break;
+ }
+
+ exit_error:
+--
+2.35.1
+
--- /dev/null
+From dea7f5b1ab0151a521c11cdafffc504b4dc97009 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 20:59:10 +0800
+Subject: Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b15a6bd3c80c77faec8317319b97f976b1a08332 ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave().
+
+Fixes: 803b58367ffb ("Bluetooth: btusb: Implement driver internal packet reassembly")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 882b5893f910..a132e7aba605 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -788,13 +788,13 @@ static inline void btusb_free_frags(struct btusb_data *data)
+
+ spin_lock_irqsave(&data->rxlock, flags);
+
+- kfree_skb(data->evt_skb);
++ dev_kfree_skb_irq(data->evt_skb);
+ data->evt_skb = NULL;
+
+- kfree_skb(data->acl_skb);
++ dev_kfree_skb_irq(data->acl_skb);
+ data->acl_skb = NULL;
+
+- kfree_skb(data->sco_skb);
++ dev_kfree_skb_irq(data->sco_skb);
+ data->sco_skb = NULL;
+
+ spin_unlock_irqrestore(&data->rxlock, flags);
+--
+2.35.1
+
--- /dev/null
+From 2f18fd9cda2db03b0a69d5675199611be1a78a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 08:00:03 +0100
+Subject: Bluetooth: Fix EALREADY and ELOOP cases in bt_status()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 63db780a93eb802ece1bbf61ab5894ad8827b56e ]
+
+'err' is known to be <0 at this point.
+
+So, some cases can not be reached because of a missing "-".
+Add it.
+
+Fixes: ca2045e059c3 ("Bluetooth: Add bt_status")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/lib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/lib.c b/net/bluetooth/lib.c
+index 469a0c95b6e8..53a796ac078c 100644
+--- a/net/bluetooth/lib.c
++++ b/net/bluetooth/lib.c
+@@ -170,7 +170,7 @@ __u8 bt_status(int err)
+ case -EMLINK:
+ return 0x09;
+
+- case EALREADY:
++ case -EALREADY:
+ return 0x0b;
+
+ case -EBUSY:
+@@ -191,7 +191,7 @@ __u8 bt_status(int err)
+ case -ECONNABORTED:
+ return 0x16;
+
+- case ELOOP:
++ case -ELOOP:
+ return 0x17;
+
+ case -EPROTONOSUPPORT:
+--
+2.35.1
+
--- /dev/null
+From fe2e17bcc9234182ffe35ae4372a380466604f04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:47:05 +0100
+Subject: Bluetooth: hci_bcm: Add CYW4373A0 support
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 02d056a3404e20245a69dcb4022a0930085fc5ec ]
+
+CYW4373A0 is a Wi-Fi + Bluetooth combo device from Cypress.
+This chip is present e.g. on muRata 2AE module.
+
+This chip has additional quirk where the HCI command 0xfc45, used on
+older chips to switch UART clock from 24 MHz to 48 MHz, to support
+baudrates over 3 Mbdps, is no longer recognized by this newer chip.
+This newer chip can configure the 4 Mbdps baudrate without the need
+to issue HCI command 0xfc45, so add flag to indicate this and do not
+issue the command on this chip to avoid failure to set 4 Mbdps baud
+rate.
+
+It is not clear whether there is a way to determine which chip does
+and which chip does not support the HCI command 0xfc45, other than
+trial and error.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_bcm.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
+index d7e0b75db8a6..2b6c0e1922cb 100644
+--- a/drivers/bluetooth/hci_bcm.c
++++ b/drivers/bluetooth/hci_bcm.c
+@@ -53,11 +53,13 @@
+ * struct bcm_device_data - device specific data
+ * @no_early_set_baudrate: Disallow set baudrate before driver setup()
+ * @drive_rts_on_open: drive RTS signal on ->open() when platform requires it
++ * @no_uart_clock_set: UART clock set command for >3Mbps mode is unavailable
+ * @max_autobaud_speed: max baudrate supported by device in autobaud mode
+ */
+ struct bcm_device_data {
+ bool no_early_set_baudrate;
+ bool drive_rts_on_open;
++ bool no_uart_clock_set;
+ u32 max_autobaud_speed;
+ };
+
+@@ -100,6 +102,7 @@ struct bcm_device_data {
+ * @is_suspended: whether flow control is currently disabled
+ * @no_early_set_baudrate: don't set_baudrate before setup()
+ * @drive_rts_on_open: drive RTS signal on ->open() when platform requires it
++ * @no_uart_clock_set: UART clock set command for >3Mbps mode is unavailable
+ * @pcm_int_params: keep the initial PCM configuration
+ * @use_autobaud_mode: start Bluetooth device in autobaud mode
+ * @max_autobaud_speed: max baudrate supported by device in autobaud mode
+@@ -140,6 +143,7 @@ struct bcm_device {
+ #endif
+ bool no_early_set_baudrate;
+ bool drive_rts_on_open;
++ bool no_uart_clock_set;
+ bool use_autobaud_mode;
+ u8 pcm_int_params[5];
+ u32 max_autobaud_speed;
+@@ -172,10 +176,11 @@ static inline void host_set_baudrate(struct hci_uart *hu, unsigned int speed)
+ static int bcm_set_baudrate(struct hci_uart *hu, unsigned int speed)
+ {
+ struct hci_dev *hdev = hu->hdev;
++ struct bcm_data *bcm = hu->priv;
+ struct sk_buff *skb;
+ struct bcm_update_uart_baud_rate param;
+
+- if (speed > 3000000) {
++ if (speed > 3000000 && !bcm->dev->no_uart_clock_set) {
+ struct bcm_write_uart_clock_setting clock;
+
+ clock.type = BCM_UART_CLOCK_48MHZ;
+@@ -1529,6 +1534,7 @@ static int bcm_serdev_probe(struct serdev_device *serdev)
+ bcmdev->max_autobaud_speed = data->max_autobaud_speed;
+ bcmdev->no_early_set_baudrate = data->no_early_set_baudrate;
+ bcmdev->drive_rts_on_open = data->drive_rts_on_open;
++ bcmdev->no_uart_clock_set = data->no_uart_clock_set;
+ }
+
+ return hci_uart_register_device(&bcmdev->serdev_hu, &bcm_proto);
+@@ -1550,6 +1556,10 @@ static struct bcm_device_data bcm43438_device_data = {
+ .drive_rts_on_open = true,
+ };
+
++static struct bcm_device_data cyw4373a0_device_data = {
++ .no_uart_clock_set = true,
++};
++
+ static struct bcm_device_data cyw55572_device_data = {
+ .max_autobaud_speed = 921600,
+ };
+@@ -1566,6 +1576,7 @@ static const struct of_device_id bcm_bluetooth_of_match[] = {
+ { .compatible = "brcm,bcm4349-bt", .data = &bcm43438_device_data },
+ { .compatible = "brcm,bcm43540-bt", .data = &bcm4354_device_data },
+ { .compatible = "brcm,bcm4335a0" },
++ { .compatible = "cypress,cyw4373a0-bt", .data = &cyw4373a0_device_data },
+ { .compatible = "infineon,cyw55572-bt", .data = &cyw55572_device_data },
+ { },
+ };
+--
+2.35.1
+
--- /dev/null
+From 7d125ddcba455c1c015d7330040c831e79abe805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:18:33 +0800
+Subject: Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7b503e339c1a80bf0051ec2d19c3bc777014ac61 ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_bcsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
+index cf4a56095817..8055f63603f4 100644
+--- a/drivers/bluetooth/hci_bcsp.c
++++ b/drivers/bluetooth/hci_bcsp.c
+@@ -378,7 +378,7 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
+ i++;
+
+ __skb_unlink(skb, &bcsp->unack);
+- kfree_skb(skb);
++ dev_kfree_skb_irq(skb);
+ }
+
+ if (skb_queue_empty(&bcsp->unack))
+--
+2.35.1
+
--- /dev/null
+From 44dc8f3b9212678f58cd3a254010cbc6a4696bab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 17:11:57 -0800
+Subject: Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 50757a259ba78c4e938b5735e76ffec6cd0c942e ]
+
+When attempting to connect multiple ISO sockets without using
+DEFER_SETUP may result in the following crash:
+
+BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0
+Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50
+
+CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted
+6.0.0-rc7-02243-gb84a13ff4eda #4373
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
+BIOS 1.16.0-1.fc36 04/01/2014
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x19/0x27
+ kasan_report+0xbc/0xf0
+ ? hci_create_cis_sync+0x18b/0x2b0
+ hci_create_cis_sync+0x18b/0x2b0
+ ? get_link_mode+0xd0/0xd0
+ ? __ww_mutex_lock_slowpath+0x10/0x10
+ ? mutex_lock+0xe0/0xe0
+ ? get_link_mode+0xd0/0xd0
+ hci_cmd_sync_work+0x111/0x190
+ process_one_work+0x427/0x650
+ worker_thread+0x87/0x750
+ ? process_one_work+0x650/0x650
+ kthread+0x14e/0x180
+ ? kthread_exit+0x50/0x50
+ ret_from_fork+0x22/0x30
+ </TASK>
+
+Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index f26ed278d9e3..67360444eee6 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1817,7 +1817,7 @@ static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
+ continue;
+
+ /* Check if all CIS(s) belonging to a CIG are ready */
+- if (conn->link->state != BT_CONNECTED ||
++ if (!conn->link || conn->link->state != BT_CONNECTED ||
+ conn->state != BT_CONNECT) {
+ cmd.cp.num_cis = 0;
+ break;
+--
+2.35.1
+
--- /dev/null
+From 694fbaa79c39a80fcdfaa182296a3f4308b6a810 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:18:34 +0800
+Subject: Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 39c1eb6fcbae8ce9bb71b2ac5cb609355a2b181b ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave().
+
+Fixes: 9238f36a5a50 ("Bluetooth: Add request cmd_complete and cmd_status functions")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 995d950872af..9f8b49ff2d33 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3978,7 +3978,7 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
+ *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
+ else
+ *req_complete = bt_cb(skb)->hci.req_complete;
+- kfree_skb(skb);
++ dev_kfree_skb_irq(skb);
+ }
+ spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+ }
+--
+2.35.1
+
--- /dev/null
+From 565fdac798e53e2aa52db65c56f77fe2e3a4cf92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 10:16:56 +0800
+Subject: Bluetooth: hci_core: fix error handling in hci_register_dev()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0d75da38e060d21f948b3df5f5e349c962cf1ed2 ]
+
+If hci_register_suspend_notifier() returns error, the hdev and rfkill
+are leaked. We could disregard the error and print a warning message
+instead to avoid leaks, as it just means we won't be handing suspend
+requests.
+
+Fixes: 9952d90ea288 ("Bluetooth: Handle PM_SUSPEND_PREPARE and PM_POST_SUSPEND")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index c8ea03edd081..995d950872af 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -2653,7 +2653,7 @@ int hci_register_dev(struct hci_dev *hdev)
+
+ error = hci_register_suspend_notifier(hdev);
+ if (error)
+- goto err_wqueue;
++ BT_WARN("register suspend notifier failed error:%d\n", error);
+
+ queue_work(hdev->req_workqueue, &hdev->power_on);
+
+--
+2.35.1
+
--- /dev/null
+From 6c50328ae2f2df422692c9ec0961e1cfd18a28ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:18:32 +0800
+Subject: Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 383630cc6758d619874c2e8bb2f68a61f3f9ef6e ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave().
+
+Fixes: 43eb12d78960 ("Bluetooth: Fix/implement Three-wire reliable packet sending")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_h5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
+index c5a0409ef84f..6455bc4fb5bb 100644
+--- a/drivers/bluetooth/hci_h5.c
++++ b/drivers/bluetooth/hci_h5.c
+@@ -313,7 +313,7 @@ static void h5_pkt_cull(struct h5 *h5)
+ break;
+
+ __skb_unlink(skb, &h5->unack);
+- kfree_skb(skb);
++ dev_kfree_skb_irq(skb);
+ }
+
+ if (skb_queue_empty(&h5->unack))
+--
+2.35.1
+
--- /dev/null
+From 5870ee8c5d562f95fe3106b442626e79d12500e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:18:31 +0800
+Subject: Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8f458f783dfbb19c1f1cb58ed06eeb701f52091b ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave().
+
+Fixes: 166d2f6a4332 ("[Bluetooth] Add UART driver for Texas Instruments' BRF63xx chips")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
+index 4eb420a9ed04..5abc01a2acf7 100644
+--- a/drivers/bluetooth/hci_ll.c
++++ b/drivers/bluetooth/hci_ll.c
+@@ -345,7 +345,7 @@ static int ll_enqueue(struct hci_uart *hu, struct sk_buff *skb)
+ default:
+ BT_ERR("illegal hcill state: %ld (losing packet)",
+ ll->hcill_state);
+- kfree_skb(skb);
++ dev_kfree_skb_irq(skb);
+ break;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 5144227d6c39b0cd6f337f52941264ee8ef5d762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:18:30 +0800
+Subject: Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit df4cfc91208e0a98f078223793f5871b1a82cc54 ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave().
+
+Fixes: 0ff252c1976d ("Bluetooth: hciuart: Add support QCA chipset for UART")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_qca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 8df11016fd51..bae9b2a408d9 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -912,7 +912,7 @@ static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb)
+ default:
+ BT_ERR("Illegal tx state: %d (losing packet)",
+ qca->tx_ibs_state);
+- kfree_skb(skb);
++ dev_kfree_skb_irq(skb);
+ break;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 656ee5864702cf22386340436e72abe52c95f9ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 17:48:56 -0700
+Subject: Bluetooth: MGMT: Fix error report for ADD_EXT_ADV_PARAMS
+
+From: Inga Stotland <inga.stotland@intel.com>
+
+[ Upstream commit 3b1c7c00b8c22b3cb79532252c59eb0b287bb86d ]
+
+When validating the parameter length for MGMT_OP_ADD_EXT_ADV_PARAMS
+command, use the correct op code in error status report:
+was MGMT_OP_ADD_ADVERTISING, changed to MGMT_OP_ADD_EXT_ADV_PARAMS.
+
+Fixes: 12410572833a2 ("Bluetooth: Break add adv into two mgmt commands")
+Signed-off-by: Inga Stotland <inga.stotland@intel.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 3d1cd0666968..22bfeb5b2b3b 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -8385,7 +8385,7 @@ static int add_ext_adv_params(struct sock *sk, struct hci_dev *hdev,
+ * extra parameters we don't know about will be ignored in this request.
+ */
+ if (data_len < MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE)
+- return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
+ MGMT_STATUS_INVALID_PARAMS);
+
+ flags = __le32_to_cpu(cp->flags);
+--
+2.35.1
+
--- /dev/null
+From f994bf11a1561f46bac2f6db0d23ee3bb170f26a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:18:35 +0800
+Subject: Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0ba18967d4544955b2eff2fbc4f2a8750c4df90a ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave().
+
+Fixes: 81be03e026dc ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/rfcomm/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
+index 7324764384b6..8d6fce9005bd 100644
+--- a/net/bluetooth/rfcomm/core.c
++++ b/net/bluetooth/rfcomm/core.c
+@@ -590,7 +590,7 @@ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
+
+ ret = rfcomm_dlc_send_frag(d, frag);
+ if (ret < 0) {
+- kfree_skb(frag);
++ dev_kfree_skb_irq(frag);
+ goto unlock;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f1f4039c11f2672cfc15f6ca1c7b1d3a509bac2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 11:56:45 +0800
+Subject: bonding: add missed __rcu annotation for curr_active_slave
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 3d0b738fc5adf9f380702ac1424672e4b32c3781 ]
+
+There is one direct accesses to bond->curr_active_slave in
+bond_miimon_commit(). Protected it by rcu_access_pointer()
+since the later of this function also use this one.
+
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: e95cc44763a4 ("bonding: do failover when high prio link up")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 445c23e424f7..36a8db140388 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2698,7 +2698,7 @@ static void bond_miimon_commit(struct bonding *bond)
+
+ bond_miimon_link_change(bond, slave, BOND_LINK_UP);
+
+- if (!bond->curr_active_slave || slave == primary)
++ if (!rcu_access_pointer(bond->curr_active_slave) || slave == primary)
+ goto do_failover;
+
+ continue;
+--
+2.35.1
+
--- /dev/null
+From 9aeb2b92a8a091fbb05ebbd2b9ce8dde3b071833 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 11:56:46 +0800
+Subject: bonding: do failover when high prio link up
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit e95cc44763a41d5c715ef16742bcb1d8e6524a62 ]
+
+Currently, when a high prio link enslaved, or when current link down,
+the high prio port could be selected. But when high prio link up, the
+new active slave reselection is not triggered. Fix it by checking link's
+prio when getting up. Making the do_failover after looping all slaves as
+there may be multi high prio slaves up.
+
+Reported-by: Liang Li <liali@redhat.com>
+Fixes: 0a2ff7cc8ad4 ("Bonding: add per-port priority for failover re-selection")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 36a8db140388..771f2a533d3f 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2653,8 +2653,9 @@ static void bond_miimon_link_change(struct bonding *bond,
+
+ static void bond_miimon_commit(struct bonding *bond)
+ {
+- struct list_head *iter;
+ struct slave *slave, *primary;
++ bool do_failover = false;
++ struct list_head *iter;
+
+ bond_for_each_slave(bond, slave, iter) {
+ switch (slave->link_new_state) {
+@@ -2698,8 +2699,9 @@ static void bond_miimon_commit(struct bonding *bond)
+
+ bond_miimon_link_change(bond, slave, BOND_LINK_UP);
+
+- if (!rcu_access_pointer(bond->curr_active_slave) || slave == primary)
+- goto do_failover;
++ if (!rcu_access_pointer(bond->curr_active_slave) || slave == primary ||
++ slave->prio > rcu_dereference(bond->curr_active_slave)->prio)
++ do_failover = true;
+
+ continue;
+
+@@ -2720,7 +2722,7 @@ static void bond_miimon_commit(struct bonding *bond)
+ bond_miimon_link_change(bond, slave, BOND_LINK_DOWN);
+
+ if (slave == rcu_access_pointer(bond->curr_active_slave))
+- goto do_failover;
++ do_failover = true;
+
+ continue;
+
+@@ -2731,8 +2733,9 @@ static void bond_miimon_commit(struct bonding *bond)
+
+ continue;
+ }
++ }
+
+-do_failover:
++ if (do_failover) {
+ block_netpoll_tx();
+ bond_select_active_slave(bond);
+ unblock_netpoll_tx();
+@@ -3530,6 +3533,7 @@ static int bond_ab_arp_inspect(struct bonding *bond)
+ */
+ static void bond_ab_arp_commit(struct bonding *bond)
+ {
++ bool do_failover = false;
+ struct list_head *iter;
+ unsigned long last_tx;
+ struct slave *slave;
+@@ -3559,8 +3563,9 @@ static void bond_ab_arp_commit(struct bonding *bond)
+ slave_info(bond->dev, slave->dev, "link status definitely up\n");
+
+ if (!rtnl_dereference(bond->curr_active_slave) ||
+- slave == rtnl_dereference(bond->primary_slave))
+- goto do_failover;
++ slave == rtnl_dereference(bond->primary_slave) ||
++ slave->prio > rtnl_dereference(bond->curr_active_slave)->prio)
++ do_failover = true;
+
+ }
+
+@@ -3579,7 +3584,7 @@ static void bond_ab_arp_commit(struct bonding *bond)
+
+ if (slave == rtnl_dereference(bond->curr_active_slave)) {
+ RCU_INIT_POINTER(bond->current_arp_slave, NULL);
+- goto do_failover;
++ do_failover = true;
+ }
+
+ continue;
+@@ -3603,8 +3608,9 @@ static void bond_ab_arp_commit(struct bonding *bond)
+ slave->link_new_state);
+ continue;
+ }
++ }
+
+-do_failover:
++ if (do_failover) {
+ block_netpoll_tx();
+ bond_select_active_slave(bond);
+ unblock_netpoll_tx();
+--
+2.35.1
+
--- /dev/null
+From 0f8fd7cc0fe32cb92852ab8fcee915f6e7974d13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 16:24:29 -0500
+Subject: bonding: fix link recovery in mode 2 when updelay is nonzero
+
+From: Jonathan Toppins <jtoppins@redhat.com>
+
+[ Upstream commit f8a65ab2f3ff7410921ebbf0dc55453102c33c56 ]
+
+Before this change when a bond in mode 2 lost link, all of its slaves
+lost link, the bonding device would never recover even after the
+expiration of updelay. This change removes the updelay when the bond
+currently has no usable links. Conforming to bonding.txt section 13.1
+paragraph 4.
+
+Fixes: 41f891004063 ("bonding: ignore updelay param when there is no active slave")
+Signed-off-by: Jonathan Toppins <jtoppins@redhat.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index c2939621b683..2ad17c840a2a 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2536,7 +2536,16 @@ static int bond_miimon_inspect(struct bonding *bond)
+ struct slave *slave;
+ bool ignore_updelay;
+
+- ignore_updelay = !rcu_dereference(bond->curr_active_slave);
++ if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP) {
++ ignore_updelay = !rcu_dereference(bond->curr_active_slave);
++ } else {
++ struct bond_up_slave *usable_slaves;
++
++ usable_slaves = rcu_dereference(bond->usable_slaves);
++
++ if (usable_slaves && usable_slaves->count == 0)
++ ignore_updelay = true;
++ }
+
+ bond_for_each_slave_rcu(bond, slave, iter) {
+ bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
+--
+2.35.1
+
--- /dev/null
+From 54cf9ed3da53b30cd864b622eb4807d90b771e4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 14:06:14 +0300
+Subject: bonding: uninitialized variable in bond_miimon_inspect()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit e5214f363dabca240446272dac54d404501ad5e5 ]
+
+The "ignore_updelay" variable needs to be initialized to false.
+
+Fixes: f8a65ab2f3ff ("bonding: fix link recovery in mode 2 when updelay is nonzero")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Link: https://lore.kernel.org/r/Y4SWJlh3ohJ6EPTL@kili
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 2ad17c840a2a..445c23e424f7 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2531,10 +2531,10 @@ static int bond_slave_info_query(struct net_device *bond_dev, struct ifslave *in
+ /* called with rcu_read_lock() */
+ static int bond_miimon_inspect(struct bonding *bond)
+ {
++ bool ignore_updelay = false;
+ int link_state, commit = 0;
+ struct list_head *iter;
+ struct slave *slave;
+- bool ignore_updelay;
+
+ if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP) {
+ ignore_updelay = !rcu_dereference(bond->curr_active_slave);
+--
+2.35.1
+
--- /dev/null
+From 1107217e3848acaff883e07443f59718c5a2fe5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 00:39:52 +0530
+Subject: bpf: Clobber stack slot when writing over spilled PTR_TO_BTF_ID
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+[ Upstream commit 261f4664caffdeb9dff4e83ee3c0334b1c3a552f ]
+
+When support was added for spilled PTR_TO_BTF_ID to be accessed by
+helper memory access, the stack slot was not overwritten to STACK_MISC
+(and that too is only safe when env->allow_ptr_leaks is true).
+
+This means that helpers who take ARG_PTR_TO_MEM and write to it may
+essentially overwrite the value while the verifier continues to track
+the slot for spilled register.
+
+This can cause issues when PTR_TO_BTF_ID is spilled to stack, and then
+overwritten by helper write access, which can then be passed to BPF
+helpers or kfuncs.
+
+Handle this by falling back to the case introduced in a later commit,
+which will also handle PTR_TO_BTF_ID along with other pointer types,
+i.e. cd17d38f8b28 ("bpf: Permits pointers on stack for helper calls").
+
+Finally, include a comment on why REG_LIVE_WRITTEN is not being set when
+clobber is set to true. In short, the reason is that while when clobber
+is unset, we know that we won't be writing, when it is true, we *may*
+write to any of the stack slots in that range. It may be a partial or
+complete write, to just one or many stack slots.
+
+We cannot be sure, hence to be conservative, we leave things as is and
+never set REG_LIVE_WRITTEN for any stack slot. However, clobber still
+needs to reset them to STACK_MISC assuming writes happened. However read
+marks still need to be propagated upwards from liveness point of view,
+as parent stack slot's contents may still continue to matter to child
+states.
+
+Cc: Yonghong Song <yhs@meta.com>
+Fixes: 1d68f22b3d53 ("bpf: Handle spilled PTR_TO_BTF_ID properly when checking stack_boundary")
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20221103191013.1236066-4-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index b781075dd510..65c627571e33 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5142,10 +5142,6 @@ static int check_stack_range_initialized(
+ goto mark;
+ }
+
+- if (is_spilled_reg(&state->stack[spi]) &&
+- base_type(state->stack[spi].spilled_ptr.type) == PTR_TO_BTF_ID)
+- goto mark;
+-
+ if (is_spilled_reg(&state->stack[spi]) &&
+ (state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||
+ env->allow_ptr_leaks)) {
+@@ -5176,6 +5172,11 @@ static int check_stack_range_initialized(
+ mark_reg_read(env, &state->stack[spi].spilled_ptr,
+ state->stack[spi].spilled_ptr.parent,
+ REG_LIVE_READ64);
++ /* We do not set REG_LIVE_WRITTEN for stack slot, as we can not
++ * be sure that whether stack slot is written to or not. Hence,
++ * we must still conservatively propagate reads upwards even if
++ * helper may write to the entire memory range.
++ */
+ }
+ return update_stack_depth(env, state, min_off);
+ }
+--
+2.35.1
+
--- /dev/null
+From e1084acae72f2dc0f26d3b996e69a86bc48beb70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 11:35:40 +0100
+Subject: bpf: Do not zero-extend kfunc return values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+[ Upstream commit d35af0a7feb077c43ff0233bba5a8c6e75b73e35 ]
+
+In BPF all global functions, and BPF helpers return a 64-bit
+value. For kfunc calls, this is not the case, and they can return
+e.g. 32-bit values.
+
+The return register R0 for kfuncs calls can therefore be marked as
+subreg_def != DEF_NOT_SUBREG. In general, if a register is marked with
+subreg_def != DEF_NOT_SUBREG, some archs (where bpf_jit_needs_zext()
+returns true) require the verifier to insert explicit zero-extension
+instructions.
+
+For kfuncs calls, however, the caller should do sign/zero extension
+for return values. In other words, the compiler is responsible to
+insert proper instructions, not the verifier.
+
+An example, provided by Yonghong Song:
+
+$ cat t.c
+extern unsigned foo(void);
+unsigned bar1(void) {
+ return foo();
+}
+unsigned bar2(void) {
+ if (foo()) return 10; else return 20;
+}
+
+$ clang -target bpf -mcpu=v3 -O2 -c t.c && llvm-objdump -d t.o
+t.o: file format elf64-bpf
+
+Disassembly of section .text:
+
+0000000000000000 <bar1>:
+ 0: 85 10 00 00 ff ff ff ff call -0x1
+ 1: 95 00 00 00 00 00 00 00 exit
+
+0000000000000010 <bar2>:
+ 2: 85 10 00 00 ff ff ff ff call -0x1
+ 3: bc 01 00 00 00 00 00 00 w1 = w0
+ 4: b4 00 00 00 14 00 00 00 w0 = 0x14
+ 5: 16 01 01 00 00 00 00 00 if w1 == 0x0 goto +0x1 <LBB1_2>
+ 6: b4 00 00 00 0a 00 00 00 w0 = 0xa
+
+0000000000000038 <LBB1_2>:
+ 7: 95 00 00 00 00 00 00 00 exit
+
+If the return value of 'foo()' is used in the BPF program, the proper
+zero-extension will be done.
+
+Currently, the verifier correctly marks, say, a 32-bit return value as
+subreg_def != DEF_NOT_SUBREG, but will fail performing the actual
+zero-extension, due to a verifier bug in
+opt_subreg_zext_lo32_rnd_hi32(). load_reg is not properly set to R0,
+and the following path will be taken:
+
+ if (WARN_ON(load_reg == -1)) {
+ verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n");
+ return -EFAULT;
+ }
+
+A longer discussion from v1 can be found in the link below.
+
+Correct the verifier by avoiding doing explicit zero-extension of R0
+for kfunc calls. Note that R0 will still be marked as a sub-register
+for return values smaller than 64-bit.
+
+Fixes: 83a2881903f3 ("bpf: Account for BPF_FETCH in insn_has_def32()")
+Link: https://lore.kernel.org/bpf/20221202103620.1915679-1-bjorn@kernel.org/
+Suggested-by: Yonghong Song <yhs@meta.com>
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20221207103540.396496-1-bjorn@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 7a1ca0e58043..57f76b597012 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -13299,6 +13299,10 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
+ if (!bpf_jit_needs_zext() && !is_cmpxchg_insn(&insn))
+ continue;
+
++ /* Zero-extension is done by the caller. */
++ if (bpf_pseudo_kfunc_call(&insn))
++ continue;
++
+ if (WARN_ON(load_reg == -1)) {
+ verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n");
+ return -EFAULT;
+--
+2.35.1
+
--- /dev/null
+From 401a813ee018a13f77ae9d3d81020ee20031718c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 07:57:59 -0800
+Subject: bpf: Fix a BTF_ID_LIST bug with CONFIG_DEBUG_INFO_BTF not set
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit beb3d47d1d3d7185bb401af628ad32ee204a9526 ]
+
+With CONFIG_DEBUG_INFO_BTF not set, we hit the following compilation error,
+ /.../kernel/bpf/verifier.c:8196:23: error: array index 6 is past the end of the array
+ (that has type 'u32[5]' (aka 'unsigned int[5]')) [-Werror,-Warray-bounds]
+ if (meta->func_id == special_kfunc_list[KF_bpf_cast_to_kern_ctx])
+ ^ ~~~~~~~~~~~~~~~~~~~~~~~
+ /.../kernel/bpf/verifier.c:8174:1: note: array 'special_kfunc_list' declared here
+ BTF_ID_LIST(special_kfunc_list)
+ ^
+ /.../include/linux/btf_ids.h:207:27: note: expanded from macro 'BTF_ID_LIST'
+ #define BTF_ID_LIST(name) static u32 __maybe_unused name[5];
+ ^
+ /.../kernel/bpf/verifier.c:8443:19: error: array index 5 is past the end of the array
+ (that has type 'u32[5]' (aka 'unsigned int[5]')) [-Werror,-Warray-bounds]
+ btf_id == special_kfunc_list[KF_bpf_list_pop_back];
+ ^ ~~~~~~~~~~~~~~~~~~~~
+ /.../kernel/bpf/verifier.c:8174:1: note: array 'special_kfunc_list' declared here
+ BTF_ID_LIST(special_kfunc_list)
+ ^
+ /.../include/linux/btf_ids.h:207:27: note: expanded from macro 'BTF_ID_LIST'
+ #define BTF_ID_LIST(name) static u32 __maybe_unused name[5];
+ ...
+
+Fix the problem by increase the size of BTF_ID_LIST to 16 to avoid compilation error
+and also prevent potentially unintended issue due to out-of-bound access.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20221123155759.2669749-1-yhs@fb.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/btf_ids.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/btf_ids.h b/include/linux/btf_ids.h
+index 2aea877d644f..2b9872008428 100644
+--- a/include/linux/btf_ids.h
++++ b/include/linux/btf_ids.h
+@@ -204,7 +204,7 @@ extern struct btf_id_set8 name;
+
+ #else
+
+-#define BTF_ID_LIST(name) static u32 __maybe_unused name[5];
++#define BTF_ID_LIST(name) static u32 __maybe_unused name[16];
+ #define BTF_ID(prefix, name)
+ #define BTF_ID_FLAGS(prefix, name, ...)
+ #define BTF_ID_UNUSED
+--
+2.35.1
+
--- /dev/null
+From 5ea56a56f2211b5e5bafc33e74d6aa2f771aeb0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 00:39:53 +0530
+Subject: bpf: Fix slot type check in check_stack_write_var_off
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+[ Upstream commit f5e477a861e4a20d8a1c5f7a245f3a3c3c376b03 ]
+
+For the case where allow_ptr_leaks is false, code is checking whether
+slot type is STACK_INVALID and STACK_SPILL and rejecting other cases.
+This is a consequence of incorrectly checking for register type instead
+of the slot type (NOT_INIT and SCALAR_VALUE respectively). Fix the
+check.
+
+Fixes: 01f810ace9ed ("bpf: Allow variable-offset stack access")
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20221103191013.1236066-5-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 65c627571e33..95479562a64a 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3169,14 +3169,17 @@ static int check_stack_write_var_off(struct bpf_verifier_env *env,
+ stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
+ mark_stack_slot_scratched(env, spi);
+
+- if (!env->allow_ptr_leaks
+- && *stype != NOT_INIT
+- && *stype != SCALAR_VALUE) {
+- /* Reject the write if there's are spilled pointers in
+- * range. If we didn't reject here, the ptr status
+- * would be erased below (even though not all slots are
+- * actually overwritten), possibly opening the door to
+- * leaks.
++ if (!env->allow_ptr_leaks && *stype != STACK_MISC && *stype != STACK_ZERO) {
++ /* Reject the write if range we may write to has not
++ * been initialized beforehand. If we didn't reject
++ * here, the ptr status would be erased below (even
++ * though not all slots are actually overwritten),
++ * possibly opening the door to leaks.
++ *
++ * We do however catch STACK_INVALID case below, and
++ * only allow reading possibly uninitialized memory
++ * later for CAP_PERFMON, as the write may not happen to
++ * that slot.
+ */
+ verbose(env, "spilled ptr in range of var-offset stack write; insn %d, ptr off: %d",
+ insn_idx, i);
+--
+2.35.1
+
--- /dev/null
+From eda00cf3fadeab90b8881e413ade1ac76c60fbf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 15:55:37 -0700
+Subject: bpf: make sure skb->len != 0 when redirecting to a tunneling device
+
+From: Stanislav Fomichev <sdf@google.com>
+
+[ Upstream commit 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca ]
+
+syzkaller managed to trigger another case where skb->len == 0
+when we enter __dev_queue_xmit:
+
+WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]
+WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295
+
+Call Trace:
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:4406
+ __bpf_tx_skb net/core/filter.c:2115 [inline]
+ __bpf_redirect_no_mac net/core/filter.c:2140 [inline]
+ __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163
+ ____bpf_clone_redirect net/core/filter.c:2447 [inline]
+ bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419
+ bpf_prog_48159a89cb4a9a16+0x59/0x5e
+ bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]
+ __bpf_prog_run include/linux/filter.h:596 [inline]
+ bpf_prog_run include/linux/filter.h:603 [inline]
+ bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402
+ bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170
+ bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648
+ __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005
+ __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]
+ __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089
+ do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
+ entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+The reproducer doesn't really reproduce outside of syzkaller
+environment, so I'm taking a guess here. It looks like we
+do generate correct ETH_HLEN-sized packet, but we redirect
+the packet to the tunneling device. Before we do so, we
+__skb_pull l2 header and arrive again at skb->len == 0.
+Doesn't seem like we can do anything better than having
+an explicit check after __skb_pull?
+
+Cc: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Link: https://lore.kernel.org/r/20221027225537.353077-1-sdf@google.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 5ac3ecc2edb8..3aae1885b970 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2130,6 +2130,10 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
+
+ if (mlen) {
+ __skb_pull(skb, mlen);
++ if (unlikely(!skb->len)) {
++ kfree_skb(skb);
++ return -ERANGE;
++ }
+
+ /* At ingress, the mac header has already been pulled once.
+ * At egress, skb_pospull_rcsum has to be done in case that
+--
+2.35.1
+
--- /dev/null
+From 52d76b4a26087d6a90c00de82ab883da3f545e8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 10:03:39 -0800
+Subject: bpf: Move skb->len == 0 checks into __bpf_redirect
+
+From: Stanislav Fomichev <sdf@google.com>
+
+[ Upstream commit 114039b342014680911c35bd6b72624180fd669a ]
+
+To avoid potentially breaking existing users.
+
+Both mac/no-mac cases have to be amended; mac_header >= network_header
+is not enough (verified with a new test, see next patch).
+
+Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len")
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Link: https://lore.kernel.org/r/20221121180340.1983627-1-sdf@google.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/test_run.c | 3 ---
+ net/core/filter.c | 7 ++++++-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
+index b422238f9f86..5d53332ea3c9 100644
+--- a/net/bpf/test_run.c
++++ b/net/bpf/test_run.c
+@@ -939,9 +939,6 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
+ {
+ struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;
+
+- if (!skb->len)
+- return -EINVAL;
+-
+ if (!__skb)
+ return 0;
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index c191db80ce93..5ac3ecc2edb8 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2123,6 +2123,11 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
+ {
+ unsigned int mlen = skb_network_offset(skb);
+
++ if (unlikely(skb->len <= mlen)) {
++ kfree_skb(skb);
++ return -ERANGE;
++ }
++
+ if (mlen) {
+ __skb_pull(skb, mlen);
+
+@@ -2144,7 +2149,7 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev,
+ u32 flags)
+ {
+ /* Verify that a link layer header is carried */
+- if (unlikely(skb->mac_header >= skb->network_header)) {
++ if (unlikely(skb->mac_header >= skb->network_header || skb->len == 0)) {
+ kfree_skb(skb);
+ return -ERANGE;
+ }
+--
+2.35.1
+
--- /dev/null
+From 52b277e0ba2c57b32a07aea92fdaeb1de9ab64c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 19:54:22 -0800
+Subject: bpf: Prevent decl_tag from being referenced in func_proto arg
+
+From: Stanislav Fomichev <sdf@google.com>
+
+[ Upstream commit f17472d4599697d701aa239b4c475a506bccfd19 ]
+
+Syzkaller managed to hit another decl_tag issue:
+
+ btf_func_proto_check kernel/bpf/btf.c:4506 [inline]
+ btf_check_all_types kernel/bpf/btf.c:4734 [inline]
+ btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763
+ btf_parse kernel/bpf/btf.c:5042 [inline]
+ btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709
+ bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342
+ __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034
+ __do_sys_bpf kernel/bpf/syscall.c:5093 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:5091 [inline]
+ __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091
+ do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
+
+This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being
+referenced in func_proto") but for the argument.
+
+Reported-by: syzbot+8dd0551dda6020944c5d@syzkaller.appspotmail.com
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20221123035422.872531-2-sdf@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 0d23d4bcd81c..44e93c3abebd 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -4481,6 +4481,11 @@ static int btf_func_proto_check(struct btf_verifier_env *env,
+ break;
+ }
+
++ if (btf_type_is_resolve_source_only(arg_type)) {
++ btf_verifier_log_type(env, t, "Invalid arg#%u", i + 1);
++ return -EINVAL;
++ }
++
+ if (args[i].name_off &&
+ (!btf_name_offset_valid(btf, args[i].name_off) ||
+ !btf_name_valid_identifier(btf, args[i].name_off))) {
+--
+2.35.1
+
--- /dev/null
+From eaad0dc4c83ba54e9470936ff699033a7c7d75ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Dec 2022 12:57:14 -0500
+Subject: bpf: prevent leak of lsm program after failed attach
+
+From: Milan Landaverde <milan@mdaverde.com>
+
+[ Upstream commit e89f3edffb860a0f54a9ed16deadb7a4a1fa3862 ]
+
+In [0], we added the ability to bpf_prog_attach LSM programs to cgroups,
+but in our validation to make sure the prog is meant to be attached to
+BPF_LSM_CGROUP, we return too early if the check fails. This results in
+lack of decrementing prog's refcnt (through bpf_prog_put)
+leaving the LSM program alive past the point of the expected lifecycle.
+This fix allows for the decrement to take place.
+
+[0] https://lore.kernel.org/all/20220628174314.1216643-4-sdf@google.com/
+
+Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
+Signed-off-by: Milan Landaverde <milan@mdaverde.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Stanislav Fomichev <sdf@google.com>
+Link: https://lore.kernel.org/r/20221213175714.31963-1-milan@mdaverde.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 0e758911d963..6b6fb7237ebe 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3505,9 +3505,9 @@ static int bpf_prog_attach(const union bpf_attr *attr)
+ case BPF_PROG_TYPE_LSM:
+ if (ptype == BPF_PROG_TYPE_LSM &&
+ prog->expected_attach_type != BPF_LSM_CGROUP)
+- return -EINVAL;
+-
+- ret = cgroup_bpf_prog_attach(attr, ptype, prog);
++ ret = -EINVAL;
++ else
++ ret = cgroup_bpf_prog_attach(attr, ptype, prog);
+ break;
+ default:
+ ret = -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From c087704691a5b45967f4eb5bb5ea54613ecd664e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 09:36:45 -0700
+Subject: bpf: propagate precision across all frames, not just the last one
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 529409ea92d590659be487ba0839710329bd8074 ]
+
+When equivalent completed state is found and it has additional precision
+restrictions, BPF verifier propagates precision to
+currently-being-verified state chain (i.e., including parent states) so
+that if some of the states in the chain are not yet completed, necessary
+precision restrictions are enforced.
+
+Unfortunately, right now this happens only for the last frame (deepest
+active subprogram's frame), not all the frames. This can lead to
+incorrect matching of states due to missing precision marker. Currently
+this doesn't seem possible as BPF verifier forces everything to precise
+when validated BPF program has any subprograms. But with the next patch
+lifting this restriction, this becomes problematic.
+
+In fact, without this fix, we'll start getting failure in one of the
+existing test_verifier test cases:
+
+ #906/p precise: cross frame pruning FAIL
+ Unexpected success to load!
+ verification time 48 usec
+ stack depth 0+0
+ processed 26 insns (limit 1000000) max_states_per_insn 3 total_states 17 peak_states 17 mark_read 8
+
+This patch adds precision propagation across all frames.
+
+Fixes: a3ce685dd01a ("bpf: fix precision tracking")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20221104163649.121784-3-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 71 ++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 32 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 05414615c008..7a1ca0e58043 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2751,7 +2751,7 @@ static void mark_all_scalars_precise(struct bpf_verifier_env *env,
+ }
+ }
+
+-static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
++static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int regno,
+ int spi)
+ {
+ struct bpf_verifier_state *st = env->cur_state;
+@@ -2768,7 +2768,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
+ if (!env->bpf_capable)
+ return 0;
+
+- func = st->frame[st->curframe];
++ func = st->frame[frame];
+ if (regno >= 0) {
+ reg = &func->regs[regno];
+ if (reg->type != SCALAR_VALUE) {
+@@ -2849,7 +2849,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
+ break;
+
+ new_marks = false;
+- func = st->frame[st->curframe];
++ func = st->frame[frame];
+ bitmap_from_u64(mask, reg_mask);
+ for_each_set_bit(i, mask, 32) {
+ reg = &func->regs[i];
+@@ -2915,12 +2915,17 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
+
+ static int mark_chain_precision(struct bpf_verifier_env *env, int regno)
+ {
+- return __mark_chain_precision(env, regno, -1);
++ return __mark_chain_precision(env, env->cur_state->curframe, regno, -1);
+ }
+
+-static int mark_chain_precision_stack(struct bpf_verifier_env *env, int spi)
++static int mark_chain_precision_frame(struct bpf_verifier_env *env, int frame, int regno)
+ {
+- return __mark_chain_precision(env, -1, spi);
++ return __mark_chain_precision(env, frame, regno, -1);
++}
++
++static int mark_chain_precision_stack_frame(struct bpf_verifier_env *env, int frame, int spi)
++{
++ return __mark_chain_precision(env, frame, -1, spi);
+ }
+
+ static bool is_spillable_regtype(enum bpf_reg_type type)
+@@ -11702,34 +11707,36 @@ static int propagate_precision(struct bpf_verifier_env *env,
+ {
+ struct bpf_reg_state *state_reg;
+ struct bpf_func_state *state;
+- int i, err = 0;
++ int i, err = 0, fr;
+
+- state = old->frame[old->curframe];
+- state_reg = state->regs;
+- for (i = 0; i < BPF_REG_FP; i++, state_reg++) {
+- if (state_reg->type != SCALAR_VALUE ||
+- !state_reg->precise)
+- continue;
+- if (env->log.level & BPF_LOG_LEVEL2)
+- verbose(env, "propagating r%d\n", i);
+- err = mark_chain_precision(env, i);
+- if (err < 0)
+- return err;
+- }
++ for (fr = old->curframe; fr >= 0; fr--) {
++ state = old->frame[fr];
++ state_reg = state->regs;
++ for (i = 0; i < BPF_REG_FP; i++, state_reg++) {
++ if (state_reg->type != SCALAR_VALUE ||
++ !state_reg->precise)
++ continue;
++ if (env->log.level & BPF_LOG_LEVEL2)
++ verbose(env, "frame %d: propagating r%d\n", i, fr);
++ err = mark_chain_precision_frame(env, fr, i);
++ if (err < 0)
++ return err;
++ }
+
+- for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
+- if (!is_spilled_reg(&state->stack[i]))
+- continue;
+- state_reg = &state->stack[i].spilled_ptr;
+- if (state_reg->type != SCALAR_VALUE ||
+- !state_reg->precise)
+- continue;
+- if (env->log.level & BPF_LOG_LEVEL2)
+- verbose(env, "propagating fp%d\n",
+- (-i - 1) * BPF_REG_SIZE);
+- err = mark_chain_precision_stack(env, i);
+- if (err < 0)
+- return err;
++ for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
++ if (!is_spilled_reg(&state->stack[i]))
++ continue;
++ state_reg = &state->stack[i].spilled_ptr;
++ if (state_reg->type != SCALAR_VALUE ||
++ !state_reg->precise)
++ continue;
++ if (env->log.level & BPF_LOG_LEVEL2)
++ verbose(env, "frame %d: propagating fp%d\n",
++ (-i - 1) * BPF_REG_SIZE, fr);
++ err = mark_chain_precision_stack_frame(env, fr, i);
++ if (err < 0)
++ return err;
++ }
+ }
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 8bd2e0414d177ff2e644a30ee7acec86bbcfc48e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 09:36:44 -0700
+Subject: bpf: propagate precision in ALU/ALU64 operations
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit a3b666bfa9c9edc05bca62a87abafe0936bd7f97 ]
+
+When processing ALU/ALU64 operations (apart from BPF_MOV, which is
+handled correctly already; and BPF_NEG and BPF_END are special and don't
+have source register), if destination register is already marked
+precise, this causes problem with potentially missing precision tracking
+for the source register. E.g., when we have r1 >>= r5 and r1 is marked
+precise, but r5 isn't, this will lead to r5 staying as imprecise. This
+is due to the precision backtracking logic stopping early when it sees
+r1 is already marked precise. If r1 wasn't precise, we'd keep
+backtracking and would add r5 to the set of registers that need to be
+marked precise. So there is a discrepancy here which can lead to invalid
+and incompatible states matched due to lack of precision marking on r5.
+If r1 wasn't precise, precision backtracking would correctly mark both
+r1 and r5 as precise.
+
+This is simple to fix, though. During the forward instruction simulation
+pass, for arithmetic operations of `scalar <op>= scalar` form (where
+<op> is ALU or ALU64 operations), if destination register is already
+precise, mark source register as precise. This applies only when both
+involved registers are SCALARs. `ptr += scalar` and `scalar += ptr`
+cases are already handled correctly.
+
+This does have (negative) effect on some selftest programs and few
+Cilium programs. ~/baseline-tmp-results.csv are veristat results with
+this patch, while ~/baseline-results.csv is without it. See post
+scriptum for instructions on how to make Cilium programs testable with
+veristat. Correctness has a price.
+
+$ ./veristat -C -e file,prog,insns,states ~/baseline-results.csv ~/baseline-tmp-results.csv | grep -v '+0'
+File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF)
+----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- -------------------
+bpf_cubic.bpf.linked1.o bpf_cubic_cong_avoid 997 1700 +703 (+70.51%) 62 90 +28 (+45.16%)
+test_l4lb.bpf.linked1.o balancer_ingress 4559 5469 +910 (+19.96%) 118 126 +8 (+6.78%)
+----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- -------------------
+
+$ ./veristat -C -e file,prog,verdict,insns,states ~/baseline-results-cilium.csv ~/baseline-tmp-results-cilium.csv | grep -v '+0'
+File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF)
+------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- -------------------
+bpf_host.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
+bpf_host.o tail_nodeport_nat_ipv6_egress 3396 3446 +50 (+1.47%) 201 203 +2 (+1.00%)
+bpf_lxc.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
+bpf_overlay.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
+bpf_xdp.o tail_lb_ipv4 71736 73442 +1706 (+2.38%) 4295 4370 +75 (+1.75%)
+------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- -------------------
+
+P.S. To make Cilium ([0]) programs libbpf-compatible and thus
+veristat-loadable, apply changes from topmost commit in [1], which does
+minimal changes to Cilium source code, mostly around SEC() annotations
+and BPF map definitions.
+
+ [0] https://github.com/cilium/cilium/
+ [1] https://github.com/anakryiko/cilium/commits/libbpf-friendliness
+
+Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20221104163649.121784-2-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 95479562a64a..05414615c008 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -9061,6 +9061,11 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
+ return err;
+ return adjust_ptr_min_max_vals(env, insn,
+ dst_reg, src_reg);
++ } else if (dst_reg->precise) {
++ /* if dst_reg is precise, src_reg should be precise as well */
++ err = mark_chain_precision(env, insn->src_reg);
++ if (err)
++ return err;
+ }
+ } else {
+ /* Pretend the src is a reg with a known value, since we only
+--
+2.35.1
+
--- /dev/null
+From dda0a3ac94d50bdb6cc2b290bf467b4c31495df7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 00:02:53 +0100
+Subject: bpf: Resolve fext program type when checking map compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 1c123c567fb138ebd187480b7fc0610fcb0851f5 ]
+
+The bpf_prog_map_compatible() check makes sure that BPF program types are
+not mixed inside BPF map types that can contain programs (tail call maps,
+cpumaps and devmaps). It does this by setting the fields of the map->owner
+struct to the values of the first program being checked against, and
+rejecting any subsequent programs if the values don't match.
+
+One of the values being set in the map owner struct is the program type,
+and since the code did not resolve the prog type for fext programs, the map
+owner type would be set to PROG_TYPE_EXT and subsequent loading of programs
+of the target type into the map would fail.
+
+This bug is seen in particular for XDP programs that are loaded as
+PROG_TYPE_EXT using libxdp; these cannot insert programs into devmaps and
+cpumaps because the check fails as described above.
+
+Fix the bug by resolving the fext program type to its target program type
+as elsewhere in the verifier.
+
+v3:
+- Add Yonghong's ACK
+
+Fixes: f45d5b6ce2e8 ("bpf: generalise tail call map compatibility check")
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20221214230254.790066-1-toke@redhat.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index c4600a5781de..7d315c94b80a 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2088,6 +2088,7 @@ static unsigned int __bpf_prog_ret0_warn(const void *ctx,
+ bool bpf_prog_map_compatible(struct bpf_map *map,
+ const struct bpf_prog *fp)
+ {
++ enum bpf_prog_type prog_type = resolve_prog_type(fp);
+ bool ret;
+
+ if (fp->kprobe_override)
+@@ -2098,12 +2099,12 @@ bool bpf_prog_map_compatible(struct bpf_map *map,
+ /* There's no owner yet where we could check for
+ * compatibility.
+ */
+- map->owner.type = fp->type;
++ map->owner.type = prog_type;
+ map->owner.jited = fp->jited;
+ map->owner.xdp_has_frags = fp->aux->xdp_has_frags;
+ ret = true;
+ } else {
+- ret = map->owner.type == fp->type &&
++ ret = map->owner.type == prog_type &&
+ map->owner.jited == fp->jited &&
+ map->owner.xdp_has_frags == fp->aux->xdp_has_frags;
+ }
+--
+2.35.1
+
--- /dev/null
+From 66f35310cd4f9705392e19fa3513077f23052153 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 18:40:40 +0800
+Subject: bpf, sockmap: Fix data loss caused by using apply_bytes on ingress
+ redirect
+
+From: Pengcheng Yang <yangpc@wangsu.com>
+
+[ Upstream commit 9072931f020bfd907d6d89ee21ff1481cd78b407 ]
+
+Use apply_bytes on ingress redirect, when apply_bytes is less than
+the length of msg data, some data may be skipped and lost in
+bpf_tcp_ingress().
+
+If there is still data in the scatterlist that has not been consumed,
+we cannot move the msg iter.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/1669718441-2654-4-git-send-email-yangpc@wangsu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 275c5ca9e04d..94aad3870c5f 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -45,8 +45,11 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock,
+ tmp->sg.end = i;
+ if (apply) {
+ apply_bytes -= size;
+- if (!apply_bytes)
++ if (!apply_bytes) {
++ if (sge->length)
++ sk_msg_iter_var_prev(i);
+ break;
++ }
+ }
+ } while (i != msg->sg.end);
+
+--
+2.35.1
+
--- /dev/null
+From dcaff90f556d2d9e0f822480f31d3a54a917202a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 18:40:39 +0800
+Subject: bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes
+
+From: Pengcheng Yang <yangpc@wangsu.com>
+
+[ Upstream commit a351d6087bf7d3d8440d58d3bf244ec64b89394a ]
+
+When redirecting, we use sk_msg_to_ingress() to get the BPF_F_INGRESS
+flag from the msg->flags. If apply_bytes is used and it is larger than
+the current data being processed, sk_psock_msg_verdict() will not be
+called when sendmsg() is called again. At this time, the msg->flags is 0,
+and we lost the BPF_F_INGRESS flag.
+
+So we need to save the BPF_F_INGRESS flag in sk_psock and use it when
+redirection.
+
+Fixes: 8934ce2fd081 ("bpf: sockmap redirect ingress support")
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/1669718441-2654-3-git-send-email-yangpc@wangsu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skmsg.h | 1 +
+ include/net/tcp.h | 4 ++--
+ net/core/skmsg.c | 9 ++++++---
+ net/ipv4/tcp_bpf.c | 11 ++++++-----
+ net/tls/tls_sw.c | 6 ++++--
+ 5 files changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
+index 70d6cb94e580..84f787416a54 100644
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -82,6 +82,7 @@ struct sk_psock {
+ u32 apply_bytes;
+ u32 cork_bytes;
+ u32 eval;
++ bool redir_ingress; /* undefined if sk_redir is null */
+ struct sk_msg *cork;
+ struct sk_psock_progs progs;
+ #if IS_ENABLED(CONFIG_BPF_STREAM_PARSER)
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 95c1d51393ac..3cde7b4a401f 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -2284,8 +2284,8 @@ int tcp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore);
+ void tcp_bpf_clone(const struct sock *sk, struct sock *newsk);
+ #endif /* CONFIG_BPF_SYSCALL */
+
+-int tcp_bpf_sendmsg_redir(struct sock *sk, struct sk_msg *msg, u32 bytes,
+- int flags);
++int tcp_bpf_sendmsg_redir(struct sock *sk, bool ingress,
++ struct sk_msg *msg, u32 bytes, int flags);
+ #endif /* CONFIG_NET_SOCK_MSG */
+
+ #if !defined(CONFIG_BPF_SYSCALL) || !defined(CONFIG_NET_SOCK_MSG)
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index e6b9ced3eda8..53d0251788aa 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -886,13 +886,16 @@ int sk_psock_msg_verdict(struct sock *sk, struct sk_psock *psock,
+ ret = sk_psock_map_verd(ret, msg->sk_redir);
+ psock->apply_bytes = msg->apply_bytes;
+ if (ret == __SK_REDIRECT) {
+- if (psock->sk_redir)
++ if (psock->sk_redir) {
+ sock_put(psock->sk_redir);
+- psock->sk_redir = msg->sk_redir;
+- if (!psock->sk_redir) {
++ psock->sk_redir = NULL;
++ }
++ if (!msg->sk_redir) {
+ ret = __SK_DROP;
+ goto out;
+ }
++ psock->redir_ingress = sk_msg_to_ingress(msg);
++ psock->sk_redir = msg->sk_redir;
+ sock_hold(psock->sk_redir);
+ }
+ out:
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index f3e868f4cd9e..275c5ca9e04d 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -131,10 +131,9 @@ static int tcp_bpf_push_locked(struct sock *sk, struct sk_msg *msg,
+ return ret;
+ }
+
+-int tcp_bpf_sendmsg_redir(struct sock *sk, struct sk_msg *msg,
+- u32 bytes, int flags)
++int tcp_bpf_sendmsg_redir(struct sock *sk, bool ingress,
++ struct sk_msg *msg, u32 bytes, int flags)
+ {
+- bool ingress = sk_msg_to_ingress(msg);
+ struct sk_psock *psock = sk_psock_get(sk);
+ int ret;
+
+@@ -276,7 +275,7 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ struct sk_msg *msg, int *copied, int flags)
+ {
+- bool cork = false, enospc = sk_msg_full(msg);
++ bool cork = false, enospc = sk_msg_full(msg), redir_ingress;
+ struct sock *sk_redir;
+ u32 tosend, origsize, sent, delta = 0;
+ u32 eval;
+@@ -322,6 +321,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ sk_msg_apply_bytes(psock, tosend);
+ break;
+ case __SK_REDIRECT:
++ redir_ingress = psock->redir_ingress;
+ sk_redir = psock->sk_redir;
+ sk_msg_apply_bytes(psock, tosend);
+ if (!psock->apply_bytes) {
+@@ -338,7 +338,8 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ release_sock(sk);
+
+ origsize = msg->sg.size;
+- ret = tcp_bpf_sendmsg_redir(sk_redir, msg, tosend, flags);
++ ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress,
++ msg, tosend, flags);
+ sent = origsize - msg->sg.size;
+
+ if (eval == __SK_REDIRECT)
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index fe27241cd13f..0ee1df154fee 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -792,7 +792,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ struct sk_psock *psock;
+ struct sock *sk_redir;
+ struct tls_rec *rec;
+- bool enospc, policy;
++ bool enospc, policy, redir_ingress;
+ int err = 0, send;
+ u32 delta = 0;
+
+@@ -837,6 +837,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ }
+ break;
+ case __SK_REDIRECT:
++ redir_ingress = psock->redir_ingress;
+ sk_redir = psock->sk_redir;
+ memcpy(&msg_redir, msg, sizeof(*msg));
+ if (msg->apply_bytes < send)
+@@ -846,7 +847,8 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ sk_msg_return_zero(sk, msg, send);
+ msg->sg.size -= send;
+ release_sock(sk);
+- err = tcp_bpf_sendmsg_redir(sk_redir, &msg_redir, send, flags);
++ err = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress,
++ &msg_redir, send, flags);
+ lock_sock(sk);
+ if (err < 0) {
+ *copied -= sk_msg_free_nocharge(sk, &msg_redir);
+--
+2.35.1
+
--- /dev/null
+From cd4733f78200ce4dd04011b838c3ecb4974efde1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 11:16:40 +0000
+Subject: bpf, sockmap: fix race in sock_map_free()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0a182f8d607464911756b4dbef5d6cad8de22469 ]
+
+sock_map_free() calls release_sock(sk) without owning a reference
+on the socket. This can cause use-after-free as syzbot found [1]
+
+Jakub Sitnicki already took care of a similar issue
+in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash:
+Synchronize delete from bucket list on map free")
+
+[1]
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31
+Modules linked in:
+CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Workqueue: events_unbound bpf_map_free_deferred
+RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31
+Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff
+RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246
+RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0
+RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000
+RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5
+R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004
+R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf
+FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+__refcount_dec include/linux/refcount.h:344 [inline]
+refcount_dec include/linux/refcount.h:359 [inline]
+__sock_put include/net/sock.h:779 [inline]
+tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092
+release_sock+0xaf/0x1c0 net/core/sock.c:3468
+sock_map_free+0x219/0x2c0 net/core/sock_map.c:356
+process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
+worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
+kthread+0x266/0x300 kernel/kthread.c:376
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+</TASK>
+
+Fixes: 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during tear down")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Song Liu <songliubraving@fb.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20221202111640.2745533-1-edumazet@google.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock_map.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 632df0c52562..bfc300103212 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -349,11 +349,13 @@ static void sock_map_free(struct bpf_map *map)
+
+ sk = xchg(psk, NULL);
+ if (sk) {
++ sock_hold(sk);
+ lock_sock(sk);
+ rcu_read_lock();
+ sock_map_unref(sk, psk);
+ rcu_read_unlock();
+ release_sock(sk);
++ sock_put(sk);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 9eaa2b8505efa8ba757f6db31a97aaf9c94cb0ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 18:40:38 +0800
+Subject: bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
+
+From: Pengcheng Yang <yangpc@wangsu.com>
+
+[ Upstream commit 7a9841ca025275b5b0edfb0b618934abb6ceec15 ]
+
+In tcp_bpf_send_verdict() redirection, the eval variable is assigned to
+__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,
+sock_put() will be called multiple times.
+
+We should reset the eval variable to __SK_NONE every time more_data
+starts.
+
+This causes:
+
+IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7
+------------[ cut here ]------------
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110
+Modules linked in:
+CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1
+Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014
+Call Trace:
+ <TASK>
+ __tcp_transmit_skb+0xa1b/0xb90
+ ? __alloc_skb+0x8c/0x1a0
+ ? __kmalloc_node_track_caller+0x184/0x320
+ tcp_write_xmit+0x22a/0x1110
+ __tcp_push_pending_frames+0x32/0xf0
+ do_tcp_sendpages+0x62d/0x640
+ tcp_bpf_push+0xae/0x2c0
+ tcp_bpf_sendmsg_redir+0x260/0x410
+ ? preempt_count_add+0x70/0xa0
+ tcp_bpf_send_verdict+0x386/0x4b0
+ tcp_bpf_sendmsg+0x21b/0x3b0
+ sock_sendmsg+0x58/0x70
+ __sys_sendto+0xfa/0x170
+ ? xfd_validate_state+0x1d/0x80
+ ? switch_fpu_return+0x59/0xe0
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0x37/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: cd9733f5d75c ("tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function")
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/1669718441-2654-2-git-send-email-yangpc@wangsu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index cf9c3e8f7ccb..f3e868f4cd9e 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -279,7 +279,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ bool cork = false, enospc = sk_msg_full(msg);
+ struct sock *sk_redir;
+ u32 tosend, origsize, sent, delta = 0;
+- u32 eval = __SK_NONE;
++ u32 eval;
+ int ret;
+
+ more_data:
+@@ -310,6 +310,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ tosend = msg->sg.size;
+ if (psock->apply_bytes && psock->apply_bytes < tosend)
+ tosend = psock->apply_bytes;
++ eval = __SK_NONE;
+
+ switch (psock->eval) {
+ case __SK_PASS:
+--
+2.35.1
+
--- /dev/null
+From 7c6a99583a4fd9b6bcf060a62e02760f5363d5f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 11:19:06 +0400
+Subject: bpftool: Fix memory leak in do_build_table_cb
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit fa55ef14ef4fe06198c0ce811b603aec24134bc2 ]
+
+strdup() allocates memory for path. We need to release the memory in the
+following error path. Add free() to avoid memory leak.
+
+Fixes: 8f184732b60b ("bpftool: Switch to libbpf's hashmap for pinned paths of BPF objects")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20221206071906.806384-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index 3bdbc0ce75b1..e54487e4005d 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -499,6 +499,7 @@ static int do_build_table_cb(const char *fpath, const struct stat *sb,
+ if (err) {
+ p_err("failed to append entry to hashmap for ID %u, path '%s': %s",
+ pinned_info.id, path, strerror(errno));
++ free(path);
+ goto out_close;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 14c059eb4ac26adb8063bf1503a688d5977c49c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 22:10:00 -0500
+Subject: brcmfmac: return error when getting invalid max_flowrings from dongle
+
+From: Wright Feng <wright.feng@cypress.com>
+
+[ Upstream commit 2aca4f3734bd717e04943ddf340d49ab62299a00 ]
+
+When firmware hit trap at initialization, host will read abnormal
+max_flowrings number from dongle, and it will cause kernel panic when
+doing iowrite to initialize dongle ring.
+To detect this error at early stage, we directly return error when getting
+invalid max_flowrings(>256).
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Ian Lin <ian.lin@infineon.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220929031001.9962-3-ian.lin@infineon.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+index 7fc8d47f2281..5b1813c02411 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -1120,6 +1120,10 @@ static int brcmf_pcie_init_ringbuffers(struct brcmf_pciedev_info *devinfo)
+ BRCMF_NROF_H2D_COMMON_MSGRINGS;
+ max_completionrings = BRCMF_NROF_D2H_COMMON_MSGRINGS;
+ }
++ if (max_flowrings > 256) {
++ brcmf_err(bus, "invalid max_flowrings(%d)\n", max_flowrings);
++ return -EIO;
++ }
+
+ if (devinfo->dma_idx_sz != 0) {
+ bufsz = (max_submissionrings + max_completionrings) *
+--
+2.35.1
+
--- /dev/null
+From 372d0cbb507eb97a8950611ec3e9ac6a3a409475 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:36 +0200
+Subject: can: kvaser_usb: Add struct kvaser_usb_busparams
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit 00e5786177649c1e3110f9454fdd34e336597265 ]
+
+Add struct kvaser_usb_busparams containing the busparameters used in
+CMD_{SET,GET}_BUSPARAMS* commands.
+
+Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-11-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Stable-dep-of: 39d3df6b0ea8 ("can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 8 +++++
+ .../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 32 +++++++------------
+ .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 18 ++++-------
+ 3 files changed, 27 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+index d9c5dd5da908..778b61c90c2b 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+@@ -76,6 +76,14 @@ struct kvaser_usb_tx_urb_context {
+ u32 echo_index;
+ };
+
++struct kvaser_usb_busparams {
++ __le32 bitrate;
++ u8 tseg1;
++ u8 tseg2;
++ u8 sjw;
++ u8 nsamples;
++} __packed;
++
+ struct kvaser_usb {
+ struct usb_device *udev;
+ struct usb_interface *intf;
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+index 3abfaa77e893..b8ae29872217 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+@@ -196,17 +196,9 @@ struct kvaser_cmd_chip_state_event {
+ #define KVASER_USB_HYDRA_BUS_MODE_CANFD_ISO 0x01
+ #define KVASER_USB_HYDRA_BUS_MODE_NONISO 0x02
+ struct kvaser_cmd_set_busparams {
+- __le32 bitrate;
+- u8 tseg1;
+- u8 tseg2;
+- u8 sjw;
+- u8 nsamples;
++ struct kvaser_usb_busparams busparams_arb;
+ u8 reserved0[4];
+- __le32 bitrate_d;
+- u8 tseg1_d;
+- u8 tseg2_d;
+- u8 sjw_d;
+- u8 nsamples_d;
++ struct kvaser_usb_busparams busparams_data;
+ u8 canfd_mode;
+ u8 reserved1[7];
+ } __packed;
+@@ -1538,11 +1530,11 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev)
+ return -ENOMEM;
+
+ cmd->header.cmd_no = CMD_SET_BUSPARAMS_REQ;
+- cmd->set_busparams_req.bitrate = cpu_to_le32(bt->bitrate);
+- cmd->set_busparams_req.sjw = (u8)sjw;
+- cmd->set_busparams_req.tseg1 = (u8)tseg1;
+- cmd->set_busparams_req.tseg2 = (u8)tseg2;
+- cmd->set_busparams_req.nsamples = 1;
++ cmd->set_busparams_req.busparams_arb.bitrate = cpu_to_le32(bt->bitrate);
++ cmd->set_busparams_req.busparams_arb.sjw = (u8)sjw;
++ cmd->set_busparams_req.busparams_arb.tseg1 = (u8)tseg1;
++ cmd->set_busparams_req.busparams_arb.tseg2 = (u8)tseg2;
++ cmd->set_busparams_req.busparams_arb.nsamples = 1;
+
+ kvaser_usb_hydra_set_cmd_dest_he
+ (cmd, dev->card_data.hydra.channel_to_he[priv->channel]);
+@@ -1572,11 +1564,11 @@ static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev)
+ return -ENOMEM;
+
+ cmd->header.cmd_no = CMD_SET_BUSPARAMS_FD_REQ;
+- cmd->set_busparams_req.bitrate_d = cpu_to_le32(dbt->bitrate);
+- cmd->set_busparams_req.sjw_d = (u8)sjw;
+- cmd->set_busparams_req.tseg1_d = (u8)tseg1;
+- cmd->set_busparams_req.tseg2_d = (u8)tseg2;
+- cmd->set_busparams_req.nsamples_d = 1;
++ cmd->set_busparams_req.busparams_data.bitrate = cpu_to_le32(dbt->bitrate);
++ cmd->set_busparams_req.busparams_data.sjw = (u8)sjw;
++ cmd->set_busparams_req.busparams_data.tseg1 = (u8)tseg1;
++ cmd->set_busparams_req.busparams_data.tseg2 = (u8)tseg2;
++ cmd->set_busparams_req.busparams_data.nsamples = 1;
+
+ if (priv->can.ctrlmode & CAN_CTRLMODE_FD) {
+ if (priv->can.ctrlmode & CAN_CTRLMODE_FD_NON_ISO)
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index fa940be4e1b0..996d58b97af1 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -164,11 +164,7 @@ struct usbcan_cmd_softinfo {
+ struct kvaser_cmd_busparams {
+ u8 tid;
+ u8 channel;
+- __le32 bitrate;
+- u8 tseg1;
+- u8 tseg2;
+- u8 sjw;
+- u8 no_samp;
++ struct kvaser_usb_busparams busparams;
+ } __packed;
+
+ struct kvaser_cmd_tx_can {
+@@ -1699,15 +1695,15 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
+ cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_busparams);
+ cmd->u.busparams.channel = priv->channel;
+ cmd->u.busparams.tid = 0xff;
+- cmd->u.busparams.bitrate = cpu_to_le32(bt->bitrate);
+- cmd->u.busparams.sjw = bt->sjw;
+- cmd->u.busparams.tseg1 = bt->prop_seg + bt->phase_seg1;
+- cmd->u.busparams.tseg2 = bt->phase_seg2;
++ cmd->u.busparams.busparams.bitrate = cpu_to_le32(bt->bitrate);
++ cmd->u.busparams.busparams.sjw = bt->sjw;
++ cmd->u.busparams.busparams.tseg1 = bt->prop_seg + bt->phase_seg1;
++ cmd->u.busparams.busparams.tseg2 = bt->phase_seg2;
+
+ if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES)
+- cmd->u.busparams.no_samp = 3;
++ cmd->u.busparams.busparams.nsamples = 3;
+ else
+- cmd->u.busparams.no_samp = 1;
++ cmd->u.busparams.busparams.nsamples = 1;
+
+ rc = kvaser_usb_send_cmd(dev, cmd, cmd->len);
+
+--
+2.35.1
+
--- /dev/null
+From 5a576806939506527fd89cab558908e1f89fdf0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:37 +0200
+Subject: can: kvaser_usb: Compare requested bittiming parameters with actual
+ parameters in do_set_{,data}_bittiming
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit 39d3df6b0ea80f9b515c632ca07b39b1c156edee ]
+
+The device will respond with a CMD_ERROR_EVENT command, with error_code
+KVASER_USB_{LEAF,HYDRA}_ERROR_EVENT_PARAM, if the CMD_SET_BUSPARAMS_REQ
+contains invalid bittiming parameters.
+However, this command does not contain any channel reference.
+
+To check if the CMD_SET_BUSPARAMS_REQ was successful, redback and compare
+the requested bittiming parameters with the device reported parameters.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family")
+Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Co-developed-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-12-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 15 +-
+ .../net/can/usb/kvaser_usb/kvaser_usb_core.c | 96 ++++++++++-
+ .../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 150 +++++++++++++++---
+ .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 64 ++++++--
+ 4 files changed, 284 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+index 778b61c90c2b..ff10b3790d84 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+@@ -119,9 +119,12 @@ struct kvaser_usb_net_priv {
+ struct net_device *netdev;
+ int channel;
+
+- struct completion start_comp, stop_comp, flush_comp;
++ struct completion start_comp, stop_comp, flush_comp,
++ get_busparams_comp;
+ struct usb_anchor tx_submitted;
+
++ struct kvaser_usb_busparams busparams_nominal, busparams_data;
++
+ spinlock_t tx_contexts_lock; /* lock for active_tx_contexts */
+ int active_tx_contexts;
+ struct kvaser_usb_tx_urb_context tx_contexts[];
+@@ -131,7 +134,9 @@ struct kvaser_usb_net_priv {
+ * struct kvaser_usb_dev_ops - Device specific functions
+ * @dev_set_mode: used for can.do_set_mode
+ * @dev_set_bittiming: used for can.do_set_bittiming
++ * @dev_get_busparams: readback arbitration busparams
+ * @dev_set_data_bittiming: used for can.do_set_data_bittiming
++ * @dev_get_data_busparams: readback data busparams
+ * @dev_get_berr_counter: used for can.do_get_berr_counter
+ *
+ * @dev_setup_endpoints: setup USB in and out endpoints
+@@ -153,8 +158,12 @@ struct kvaser_usb_net_priv {
+ */
+ struct kvaser_usb_dev_ops {
+ int (*dev_set_mode)(struct net_device *netdev, enum can_mode mode);
+- int (*dev_set_bittiming)(struct net_device *netdev);
+- int (*dev_set_data_bittiming)(struct net_device *netdev);
++ int (*dev_set_bittiming)(const struct net_device *netdev,
++ const struct kvaser_usb_busparams *busparams);
++ int (*dev_get_busparams)(struct kvaser_usb_net_priv *priv);
++ int (*dev_set_data_bittiming)(const struct net_device *netdev,
++ const struct kvaser_usb_busparams *busparams);
++ int (*dev_get_data_busparams)(struct kvaser_usb_net_priv *priv);
+ int (*dev_get_berr_counter)(const struct net_device *netdev,
+ struct can_berr_counter *bec);
+ int (*dev_setup_endpoints)(struct kvaser_usb *dev);
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+index 0ebdfb77c50f..3a2bfaad1406 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -440,10 +440,6 @@ static int kvaser_usb_open(struct net_device *netdev)
+ if (err)
+ return err;
+
+- err = kvaser_usb_setup_rx_urbs(dev);
+- if (err)
+- goto error;
+-
+ err = ops->dev_set_opt_mode(priv);
+ if (err)
+ goto error;
+@@ -534,6 +530,93 @@ static int kvaser_usb_close(struct net_device *netdev)
+ return 0;
+ }
+
++static int kvaser_usb_set_bittiming(struct net_device *netdev)
++{
++ struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
++ struct kvaser_usb *dev = priv->dev;
++ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops;
++ struct can_bittiming *bt = &priv->can.bittiming;
++
++ struct kvaser_usb_busparams busparams;
++ int tseg1 = bt->prop_seg + bt->phase_seg1;
++ int tseg2 = bt->phase_seg2;
++ int sjw = bt->sjw;
++ int err = -EOPNOTSUPP;
++
++ busparams.bitrate = cpu_to_le32(bt->bitrate);
++ busparams.sjw = (u8)sjw;
++ busparams.tseg1 = (u8)tseg1;
++ busparams.tseg2 = (u8)tseg2;
++ if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES)
++ busparams.nsamples = 3;
++ else
++ busparams.nsamples = 1;
++
++ err = ops->dev_set_bittiming(netdev, &busparams);
++ if (err)
++ return err;
++
++ err = kvaser_usb_setup_rx_urbs(priv->dev);
++ if (err)
++ return err;
++
++ err = ops->dev_get_busparams(priv);
++ if (err) {
++ /* Treat EOPNOTSUPP as success */
++ if (err == -EOPNOTSUPP)
++ err = 0;
++ return err;
++ }
++
++ if (memcmp(&busparams, &priv->busparams_nominal,
++ sizeof(priv->busparams_nominal)) != 0)
++ err = -EINVAL;
++
++ return err;
++}
++
++static int kvaser_usb_set_data_bittiming(struct net_device *netdev)
++{
++ struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
++ struct kvaser_usb *dev = priv->dev;
++ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops;
++ struct can_bittiming *dbt = &priv->can.data_bittiming;
++
++ struct kvaser_usb_busparams busparams;
++ int tseg1 = dbt->prop_seg + dbt->phase_seg1;
++ int tseg2 = dbt->phase_seg2;
++ int sjw = dbt->sjw;
++ int err;
++
++ if (!ops->dev_set_data_bittiming ||
++ !ops->dev_get_data_busparams)
++ return -EOPNOTSUPP;
++
++ busparams.bitrate = cpu_to_le32(dbt->bitrate);
++ busparams.sjw = (u8)sjw;
++ busparams.tseg1 = (u8)tseg1;
++ busparams.tseg2 = (u8)tseg2;
++ busparams.nsamples = 1;
++
++ err = ops->dev_set_data_bittiming(netdev, &busparams);
++ if (err)
++ return err;
++
++ err = kvaser_usb_setup_rx_urbs(priv->dev);
++ if (err)
++ return err;
++
++ err = ops->dev_get_data_busparams(priv);
++ if (err)
++ return err;
++
++ if (memcmp(&busparams, &priv->busparams_data,
++ sizeof(priv->busparams_data)) != 0)
++ err = -EINVAL;
++
++ return err;
++}
++
+ static void kvaser_usb_write_bulk_callback(struct urb *urb)
+ {
+ struct kvaser_usb_tx_urb_context *context = urb->context;
+@@ -734,6 +817,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
+ init_completion(&priv->start_comp);
+ init_completion(&priv->stop_comp);
+ init_completion(&priv->flush_comp);
++ init_completion(&priv->get_busparams_comp);
+ priv->can.ctrlmode_supported = 0;
+
+ priv->dev = dev;
+@@ -746,7 +830,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
+ priv->can.state = CAN_STATE_STOPPED;
+ priv->can.clock.freq = dev->cfg->clock.freq;
+ priv->can.bittiming_const = dev->cfg->bittiming_const;
+- priv->can.do_set_bittiming = ops->dev_set_bittiming;
++ priv->can.do_set_bittiming = kvaser_usb_set_bittiming;
+ priv->can.do_set_mode = ops->dev_set_mode;
+ if ((driver_info->quirks & KVASER_USB_QUIRK_HAS_TXRX_ERRORS) ||
+ (priv->dev->card_data.capabilities & KVASER_USB_CAP_BERR_CAP))
+@@ -758,7 +842,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
+
+ if (priv->can.ctrlmode_supported & CAN_CTRLMODE_FD) {
+ priv->can.data_bittiming_const = dev->cfg->data_bittiming_const;
+- priv->can.do_set_data_bittiming = ops->dev_set_data_bittiming;
++ priv->can.do_set_data_bittiming = kvaser_usb_set_data_bittiming;
+ }
+
+ netdev->flags |= IFF_ECHO;
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+index b8ae29872217..52ef76bd9bdb 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+@@ -45,6 +45,8 @@ static const struct kvaser_usb_dev_cfg kvaser_usb_hydra_dev_cfg_rt;
+
+ /* Minihydra command IDs */
+ #define CMD_SET_BUSPARAMS_REQ 16
++#define CMD_GET_BUSPARAMS_REQ 17
++#define CMD_GET_BUSPARAMS_RESP 18
+ #define CMD_GET_CHIP_STATE_REQ 19
+ #define CMD_CHIP_STATE_EVENT 20
+ #define CMD_SET_DRIVERMODE_REQ 21
+@@ -196,13 +198,26 @@ struct kvaser_cmd_chip_state_event {
+ #define KVASER_USB_HYDRA_BUS_MODE_CANFD_ISO 0x01
+ #define KVASER_USB_HYDRA_BUS_MODE_NONISO 0x02
+ struct kvaser_cmd_set_busparams {
+- struct kvaser_usb_busparams busparams_arb;
++ struct kvaser_usb_busparams busparams_nominal;
+ u8 reserved0[4];
+ struct kvaser_usb_busparams busparams_data;
+ u8 canfd_mode;
+ u8 reserved1[7];
+ } __packed;
+
++/* Busparam type */
++#define KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN 0x00
++#define KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD 0x01
++struct kvaser_cmd_get_busparams_req {
++ u8 type;
++ u8 reserved[27];
++} __packed;
++
++struct kvaser_cmd_get_busparams_res {
++ struct kvaser_usb_busparams busparams;
++ u8 reserved[20];
++} __packed;
++
+ /* Ctrl modes */
+ #define KVASER_USB_HYDRA_CTRLMODE_NORMAL 0x01
+ #define KVASER_USB_HYDRA_CTRLMODE_LISTEN 0x02
+@@ -273,6 +288,8 @@ struct kvaser_cmd {
+ struct kvaser_cmd_error_event error_event;
+
+ struct kvaser_cmd_set_busparams set_busparams_req;
++ struct kvaser_cmd_get_busparams_req get_busparams_req;
++ struct kvaser_cmd_get_busparams_res get_busparams_res;
+
+ struct kvaser_cmd_chip_state_event chip_state_event;
+
+@@ -355,6 +372,10 @@ struct kvaser_cmd_ext {
+ } __packed;
+ } __packed;
+
++struct kvaser_usb_net_hydra_priv {
++ int pending_get_busparams_type;
++};
++
+ static const struct can_bittiming_const kvaser_usb_hydra_kcan_bittiming_c = {
+ .name = "kvaser_usb_kcan",
+ .tseg1_min = 1,
+@@ -832,6 +853,39 @@ static void kvaser_usb_hydra_flush_queue_reply(const struct kvaser_usb *dev,
+ complete(&priv->flush_comp);
+ }
+
++static void kvaser_usb_hydra_get_busparams_reply(const struct kvaser_usb *dev,
++ const struct kvaser_cmd *cmd)
++{
++ struct kvaser_usb_net_priv *priv;
++ struct kvaser_usb_net_hydra_priv *hydra;
++
++ priv = kvaser_usb_hydra_net_priv_from_cmd(dev, cmd);
++ if (!priv)
++ return;
++
++ hydra = priv->sub_priv;
++ if (!hydra)
++ return;
++
++ switch (hydra->pending_get_busparams_type) {
++ case KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN:
++ memcpy(&priv->busparams_nominal, &cmd->get_busparams_res.busparams,
++ sizeof(priv->busparams_nominal));
++ break;
++ case KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD:
++ memcpy(&priv->busparams_data, &cmd->get_busparams_res.busparams,
++ sizeof(priv->busparams_nominal));
++ break;
++ default:
++ dev_warn(&dev->intf->dev, "Unknown get_busparams_type %d\n",
++ hydra->pending_get_busparams_type);
++ break;
++ }
++ hydra->pending_get_busparams_type = -1;
++
++ complete(&priv->get_busparams_comp);
++}
++
+ static void
+ kvaser_usb_hydra_bus_status_to_can_state(const struct kvaser_usb_net_priv *priv,
+ u8 bus_status,
+@@ -1318,6 +1372,10 @@ static void kvaser_usb_hydra_handle_cmd_std(const struct kvaser_usb *dev,
+ kvaser_usb_hydra_state_event(dev, cmd);
+ break;
+
++ case CMD_GET_BUSPARAMS_RESP:
++ kvaser_usb_hydra_get_busparams_reply(dev, cmd);
++ break;
++
+ case CMD_ERROR_EVENT:
+ kvaser_usb_hydra_error_event(dev, cmd);
+ break;
+@@ -1514,15 +1572,58 @@ static int kvaser_usb_hydra_set_mode(struct net_device *netdev,
+ return err;
+ }
+
+-static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev)
++static int kvaser_usb_hydra_get_busparams(struct kvaser_usb_net_priv *priv,
++ int busparams_type)
++{
++ struct kvaser_usb *dev = priv->dev;
++ struct kvaser_usb_net_hydra_priv *hydra = priv->sub_priv;
++ struct kvaser_cmd *cmd;
++ int err;
++
++ if (!hydra)
++ return -EINVAL;
++
++ cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL);
++ if (!cmd)
++ return -ENOMEM;
++
++ cmd->header.cmd_no = CMD_GET_BUSPARAMS_REQ;
++ kvaser_usb_hydra_set_cmd_dest_he
++ (cmd, dev->card_data.hydra.channel_to_he[priv->channel]);
++ kvaser_usb_hydra_set_cmd_transid
++ (cmd, kvaser_usb_hydra_get_next_transid(dev));
++ cmd->get_busparams_req.type = busparams_type;
++ hydra->pending_get_busparams_type = busparams_type;
++
++ reinit_completion(&priv->get_busparams_comp);
++
++ err = kvaser_usb_send_cmd(dev, cmd, kvaser_usb_hydra_cmd_size(cmd));
++ if (err)
++ return err;
++
++ if (!wait_for_completion_timeout(&priv->get_busparams_comp,
++ msecs_to_jiffies(KVASER_USB_TIMEOUT)))
++ return -ETIMEDOUT;
++
++ return err;
++}
++
++static int kvaser_usb_hydra_get_nominal_busparams(struct kvaser_usb_net_priv *priv)
++{
++ return kvaser_usb_hydra_get_busparams(priv, KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN);
++}
++
++static int kvaser_usb_hydra_get_data_busparams(struct kvaser_usb_net_priv *priv)
++{
++ return kvaser_usb_hydra_get_busparams(priv, KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD);
++}
++
++static int kvaser_usb_hydra_set_bittiming(const struct net_device *netdev,
++ const struct kvaser_usb_busparams *busparams)
+ {
+ struct kvaser_cmd *cmd;
+ struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
+- struct can_bittiming *bt = &priv->can.bittiming;
+ struct kvaser_usb *dev = priv->dev;
+- int tseg1 = bt->prop_seg + bt->phase_seg1;
+- int tseg2 = bt->phase_seg2;
+- int sjw = bt->sjw;
+ int err;
+
+ cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL);
+@@ -1530,11 +1631,8 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev)
+ return -ENOMEM;
+
+ cmd->header.cmd_no = CMD_SET_BUSPARAMS_REQ;
+- cmd->set_busparams_req.busparams_arb.bitrate = cpu_to_le32(bt->bitrate);
+- cmd->set_busparams_req.busparams_arb.sjw = (u8)sjw;
+- cmd->set_busparams_req.busparams_arb.tseg1 = (u8)tseg1;
+- cmd->set_busparams_req.busparams_arb.tseg2 = (u8)tseg2;
+- cmd->set_busparams_req.busparams_arb.nsamples = 1;
++ memcpy(&cmd->set_busparams_req.busparams_nominal, busparams,
++ sizeof(cmd->set_busparams_req.busparams_nominal));
+
+ kvaser_usb_hydra_set_cmd_dest_he
+ (cmd, dev->card_data.hydra.channel_to_he[priv->channel]);
+@@ -1548,15 +1646,12 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev)
+ return err;
+ }
+
+-static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev)
++static int kvaser_usb_hydra_set_data_bittiming(const struct net_device *netdev,
++ const struct kvaser_usb_busparams *busparams)
+ {
+ struct kvaser_cmd *cmd;
+ struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
+- struct can_bittiming *dbt = &priv->can.data_bittiming;
+ struct kvaser_usb *dev = priv->dev;
+- int tseg1 = dbt->prop_seg + dbt->phase_seg1;
+- int tseg2 = dbt->phase_seg2;
+- int sjw = dbt->sjw;
+ int err;
+
+ cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL);
+@@ -1564,11 +1659,8 @@ static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev)
+ return -ENOMEM;
+
+ cmd->header.cmd_no = CMD_SET_BUSPARAMS_FD_REQ;
+- cmd->set_busparams_req.busparams_data.bitrate = cpu_to_le32(dbt->bitrate);
+- cmd->set_busparams_req.busparams_data.sjw = (u8)sjw;
+- cmd->set_busparams_req.busparams_data.tseg1 = (u8)tseg1;
+- cmd->set_busparams_req.busparams_data.tseg2 = (u8)tseg2;
+- cmd->set_busparams_req.busparams_data.nsamples = 1;
++ memcpy(&cmd->set_busparams_req.busparams_data, busparams,
++ sizeof(cmd->set_busparams_req.busparams_data));
+
+ if (priv->can.ctrlmode & CAN_CTRLMODE_FD) {
+ if (priv->can.ctrlmode & CAN_CTRLMODE_FD_NON_ISO)
+@@ -1675,6 +1767,19 @@ static int kvaser_usb_hydra_init_card(struct kvaser_usb *dev)
+ return 0;
+ }
+
++static int kvaser_usb_hydra_init_channel(struct kvaser_usb_net_priv *priv)
++{
++ struct kvaser_usb_net_hydra_priv *hydra;
++
++ hydra = devm_kzalloc(&priv->dev->intf->dev, sizeof(*hydra), GFP_KERNEL);
++ if (!hydra)
++ return -ENOMEM;
++
++ priv->sub_priv = hydra;
++
++ return 0;
++}
++
+ static int kvaser_usb_hydra_get_software_info(struct kvaser_usb *dev)
+ {
+ struct kvaser_cmd cmd;
+@@ -2019,10 +2124,13 @@ kvaser_usb_hydra_frame_to_cmd(const struct kvaser_usb_net_priv *priv,
+ const struct kvaser_usb_dev_ops kvaser_usb_hydra_dev_ops = {
+ .dev_set_mode = kvaser_usb_hydra_set_mode,
+ .dev_set_bittiming = kvaser_usb_hydra_set_bittiming,
++ .dev_get_busparams = kvaser_usb_hydra_get_nominal_busparams,
+ .dev_set_data_bittiming = kvaser_usb_hydra_set_data_bittiming,
++ .dev_get_data_busparams = kvaser_usb_hydra_get_data_busparams,
+ .dev_get_berr_counter = kvaser_usb_hydra_get_berr_counter,
+ .dev_setup_endpoints = kvaser_usb_hydra_setup_endpoints,
+ .dev_init_card = kvaser_usb_hydra_init_card,
++ .dev_init_channel = kvaser_usb_hydra_init_channel,
+ .dev_get_software_info = kvaser_usb_hydra_get_software_info,
+ .dev_get_software_details = kvaser_usb_hydra_get_software_details,
+ .dev_get_card_info = kvaser_usb_hydra_get_card_info,
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index 996d58b97af1..b423fd4c7989 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -57,6 +57,8 @@
+ #define CMD_RX_EXT_MESSAGE 14
+ #define CMD_TX_EXT_MESSAGE 15
+ #define CMD_SET_BUS_PARAMS 16
++#define CMD_GET_BUS_PARAMS 17
++#define CMD_GET_BUS_PARAMS_REPLY 18
+ #define CMD_GET_CHIP_STATE 19
+ #define CMD_CHIP_STATE_EVENT 20
+ #define CMD_SET_CTRL_MODE 21
+@@ -376,6 +378,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
+ [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
+ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event),
+ [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res),
++ [CMD_GET_BUS_PARAMS_REPLY] = kvaser_fsize(u.busparams),
+ [CMD_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
+ /* ignored events: */
+ [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
+@@ -1463,6 +1466,25 @@ static void kvaser_usb_leaf_stop_chip_reply(const struct kvaser_usb *dev,
+ complete(&priv->stop_comp);
+ }
+
++static void kvaser_usb_leaf_get_busparams_reply(const struct kvaser_usb *dev,
++ const struct kvaser_cmd *cmd)
++{
++ struct kvaser_usb_net_priv *priv;
++ u8 channel = cmd->u.busparams.channel;
++
++ if (channel >= dev->nchannels) {
++ dev_err(&dev->intf->dev,
++ "Invalid channel number (%d)\n", channel);
++ return;
++ }
++
++ priv = dev->nets[channel];
++ memcpy(&priv->busparams_nominal, &cmd->u.busparams.busparams,
++ sizeof(priv->busparams_nominal));
++
++ complete(&priv->get_busparams_comp);
++}
++
+ static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev,
+ const struct kvaser_cmd *cmd)
+ {
+@@ -1505,6 +1527,10 @@ static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev,
+ kvaser_usb_leaf_error_event(dev, cmd);
+ break;
+
++ case CMD_GET_BUS_PARAMS_REPLY:
++ kvaser_usb_leaf_get_busparams_reply(dev, cmd);
++ break;
++
+ /* Ignored commands */
+ case CMD_USBCAN_CLOCK_OVERFLOW_EVENT:
+ if (dev->driver_info->family != KVASER_USBCAN)
+@@ -1679,10 +1705,10 @@ static void kvaser_usb_leaf_remove_channel(struct kvaser_usb_net_priv *priv)
+ cancel_delayed_work_sync(&leaf->chip_state_req_work);
+ }
+
+-static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
++static int kvaser_usb_leaf_set_bittiming(const struct net_device *netdev,
++ const struct kvaser_usb_busparams *busparams)
+ {
+ struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
+- struct can_bittiming *bt = &priv->can.bittiming;
+ struct kvaser_usb *dev = priv->dev;
+ struct kvaser_cmd *cmd;
+ int rc;
+@@ -1695,15 +1721,8 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
+ cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_busparams);
+ cmd->u.busparams.channel = priv->channel;
+ cmd->u.busparams.tid = 0xff;
+- cmd->u.busparams.busparams.bitrate = cpu_to_le32(bt->bitrate);
+- cmd->u.busparams.busparams.sjw = bt->sjw;
+- cmd->u.busparams.busparams.tseg1 = bt->prop_seg + bt->phase_seg1;
+- cmd->u.busparams.busparams.tseg2 = bt->phase_seg2;
+-
+- if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES)
+- cmd->u.busparams.busparams.nsamples = 3;
+- else
+- cmd->u.busparams.busparams.nsamples = 1;
++ memcpy(&cmd->u.busparams.busparams, busparams,
++ sizeof(cmd->u.busparams.busparams));
+
+ rc = kvaser_usb_send_cmd(dev, cmd, cmd->len);
+
+@@ -1711,6 +1730,27 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
+ return rc;
+ }
+
++static int kvaser_usb_leaf_get_busparams(struct kvaser_usb_net_priv *priv)
++{
++ int err;
++
++ if (priv->dev->driver_info->family == KVASER_USBCAN)
++ return -EOPNOTSUPP;
++
++ reinit_completion(&priv->get_busparams_comp);
++
++ err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_GET_BUS_PARAMS,
++ priv->channel);
++ if (err)
++ return err;
++
++ if (!wait_for_completion_timeout(&priv->get_busparams_comp,
++ msecs_to_jiffies(KVASER_USB_TIMEOUT)))
++ return -ETIMEDOUT;
++
++ return 0;
++}
++
+ static int kvaser_usb_leaf_set_mode(struct net_device *netdev,
+ enum can_mode mode)
+ {
+@@ -1772,7 +1812,9 @@ static int kvaser_usb_leaf_setup_endpoints(struct kvaser_usb *dev)
+ const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = {
+ .dev_set_mode = kvaser_usb_leaf_set_mode,
+ .dev_set_bittiming = kvaser_usb_leaf_set_bittiming,
++ .dev_get_busparams = kvaser_usb_leaf_get_busparams,
+ .dev_set_data_bittiming = NULL,
++ .dev_get_data_busparams = NULL,
+ .dev_get_berr_counter = kvaser_usb_leaf_get_berr_counter,
+ .dev_setup_endpoints = kvaser_usb_leaf_setup_endpoints,
+ .dev_init_card = kvaser_usb_leaf_init_card,
+--
+2.35.1
+
--- /dev/null
+From ea2ab31ebeffd1ae03eb9b2bdc43cc73ed0df71f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:28 +0200
+Subject: can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit 35364f5b41a4917fe94a3f393d149b63ec583297 ]
+
+Use the CMD_GET_CAPABILITIES_REQ command to query the device for certain
+capabilities. We are only interested in LISTENONLY mode and wither the
+device reports CAN error counters.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Reported-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-3-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 144 +++++++++++++++++-
+ 1 file changed, 143 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index 19958037720f..33ff62cd1729 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -74,6 +74,8 @@
+ #define CMD_TX_ACKNOWLEDGE 50
+ #define CMD_CAN_ERROR_EVENT 51
+ #define CMD_FLUSH_QUEUE_REPLY 68
++#define CMD_GET_CAPABILITIES_REQ 95
++#define CMD_GET_CAPABILITIES_RESP 96
+
+ #define CMD_LEAF_LOG_MESSAGE 106
+
+@@ -83,6 +85,8 @@
+ #define KVASER_USB_LEAF_SWOPTION_FREQ_32_MHZ_CLK BIT(5)
+ #define KVASER_USB_LEAF_SWOPTION_FREQ_24_MHZ_CLK BIT(6)
+
++#define KVASER_USB_LEAF_SWOPTION_EXT_CAP BIT(12)
++
+ /* error factors */
+ #define M16C_EF_ACKE BIT(0)
+ #define M16C_EF_CRCE BIT(1)
+@@ -278,6 +282,28 @@ struct leaf_cmd_log_message {
+ u8 data[8];
+ } __packed;
+
++/* Sub commands for cap_req and cap_res */
++#define KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE 0x02
++#define KVASER_USB_LEAF_CAP_CMD_ERR_REPORT 0x05
++struct kvaser_cmd_cap_req {
++ __le16 padding0;
++ __le16 cap_cmd;
++ __le16 padding1;
++ __le16 channel;
++} __packed;
++
++/* Status codes for cap_res */
++#define KVASER_USB_LEAF_CAP_STAT_OK 0x00
++#define KVASER_USB_LEAF_CAP_STAT_NOT_IMPL 0x01
++#define KVASER_USB_LEAF_CAP_STAT_UNAVAIL 0x02
++struct kvaser_cmd_cap_res {
++ __le16 padding;
++ __le16 cap_cmd;
++ __le16 status;
++ __le32 mask;
++ __le32 value;
++} __packed;
++
+ struct kvaser_cmd {
+ u8 len;
+ u8 id;
+@@ -295,6 +321,8 @@ struct kvaser_cmd {
+ struct leaf_cmd_chip_state_event chip_state_event;
+ struct leaf_cmd_error_event error_event;
+ struct leaf_cmd_log_message log_message;
++ struct kvaser_cmd_cap_req cap_req;
++ struct kvaser_cmd_cap_res cap_res;
+ } __packed leaf;
+
+ union {
+@@ -324,6 +352,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
+ [CMD_LEAF_LOG_MESSAGE] = kvaser_fsize(u.leaf.log_message),
+ [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
+ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
++ [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res),
+ /* ignored events: */
+ [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
+ };
+@@ -606,6 +635,9 @@ static void kvaser_usb_leaf_get_software_info_leaf(struct kvaser_usb *dev,
+ dev->fw_version = le32_to_cpu(softinfo->fw_version);
+ dev->max_tx_urbs = le16_to_cpu(softinfo->max_outstanding_tx);
+
++ if (sw_options & KVASER_USB_LEAF_SWOPTION_EXT_CAP)
++ dev->card_data.capabilities |= KVASER_USB_CAP_EXT_CAP;
++
+ if (dev->driver_info->quirks & KVASER_USB_QUIRK_IGNORE_CLK_FREQ) {
+ /* Firmware expects bittiming parameters calculated for 16MHz
+ * clock, regardless of the actual clock
+@@ -693,6 +725,116 @@ static int kvaser_usb_leaf_get_card_info(struct kvaser_usb *dev)
+ return 0;
+ }
+
++static int kvaser_usb_leaf_get_single_capability(struct kvaser_usb *dev,
++ u16 cap_cmd_req, u16 *status)
++{
++ struct kvaser_usb_dev_card_data *card_data = &dev->card_data;
++ struct kvaser_cmd *cmd;
++ u32 value = 0;
++ u32 mask = 0;
++ u16 cap_cmd_res;
++ int err;
++ int i;
++
++ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
++ if (!cmd)
++ return -ENOMEM;
++
++ cmd->id = CMD_GET_CAPABILITIES_REQ;
++ cmd->u.leaf.cap_req.cap_cmd = cpu_to_le16(cap_cmd_req);
++ cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_cap_req);
++
++ err = kvaser_usb_send_cmd(dev, cmd, cmd->len);
++ if (err)
++ goto end;
++
++ err = kvaser_usb_leaf_wait_cmd(dev, CMD_GET_CAPABILITIES_RESP, cmd);
++ if (err)
++ goto end;
++
++ *status = le16_to_cpu(cmd->u.leaf.cap_res.status);
++
++ if (*status != KVASER_USB_LEAF_CAP_STAT_OK)
++ goto end;
++
++ cap_cmd_res = le16_to_cpu(cmd->u.leaf.cap_res.cap_cmd);
++ switch (cap_cmd_res) {
++ case KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE:
++ case KVASER_USB_LEAF_CAP_CMD_ERR_REPORT:
++ value = le32_to_cpu(cmd->u.leaf.cap_res.value);
++ mask = le32_to_cpu(cmd->u.leaf.cap_res.mask);
++ break;
++ default:
++ dev_warn(&dev->intf->dev, "Unknown capability command %u\n",
++ cap_cmd_res);
++ break;
++ }
++
++ for (i = 0; i < dev->nchannels; i++) {
++ if (BIT(i) & (value & mask)) {
++ switch (cap_cmd_res) {
++ case KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE:
++ card_data->ctrlmode_supported |=
++ CAN_CTRLMODE_LISTENONLY;
++ break;
++ case KVASER_USB_LEAF_CAP_CMD_ERR_REPORT:
++ card_data->capabilities |=
++ KVASER_USB_CAP_BERR_CAP;
++ break;
++ }
++ }
++ }
++
++end:
++ kfree(cmd);
++
++ return err;
++}
++
++static int kvaser_usb_leaf_get_capabilities_leaf(struct kvaser_usb *dev)
++{
++ int err;
++ u16 status;
++
++ if (!(dev->card_data.capabilities & KVASER_USB_CAP_EXT_CAP)) {
++ dev_info(&dev->intf->dev,
++ "No extended capability support. Upgrade device firmware.\n");
++ return 0;
++ }
++
++ err = kvaser_usb_leaf_get_single_capability(dev,
++ KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE,
++ &status);
++ if (err)
++ return err;
++ if (status)
++ dev_info(&dev->intf->dev,
++ "KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE failed %u\n",
++ status);
++
++ err = kvaser_usb_leaf_get_single_capability(dev,
++ KVASER_USB_LEAF_CAP_CMD_ERR_REPORT,
++ &status);
++ if (err)
++ return err;
++ if (status)
++ dev_info(&dev->intf->dev,
++ "KVASER_USB_LEAF_CAP_CMD_ERR_REPORT failed %u\n",
++ status);
++
++ return 0;
++}
++
++static int kvaser_usb_leaf_get_capabilities(struct kvaser_usb *dev)
++{
++ int err = 0;
++
++ if (dev->driver_info->family == KVASER_LEAF)
++ err = kvaser_usb_leaf_get_capabilities_leaf(dev);
++
++ return err;
++}
++
+ static void kvaser_usb_leaf_tx_acknowledge(const struct kvaser_usb *dev,
+ const struct kvaser_cmd *cmd)
+ {
+@@ -1486,7 +1628,7 @@ const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = {
+ .dev_get_software_info = kvaser_usb_leaf_get_software_info,
+ .dev_get_software_details = NULL,
+ .dev_get_card_info = kvaser_usb_leaf_get_card_info,
+- .dev_get_capabilities = NULL,
++ .dev_get_capabilities = kvaser_usb_leaf_get_capabilities,
+ .dev_set_opt_mode = kvaser_usb_leaf_set_opt_mode,
+ .dev_start_chip = kvaser_usb_leaf_start_chip,
+ .dev_stop_chip = kvaser_usb_leaf_stop_chip,
+--
+2.35.1
+
--- /dev/null
+From ab5472acde86866df753ae5695d8dc690024702b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:30 +0200
+Subject: can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit b24cb2d169e0c9dce664a959e1f2aa9781285dc9 ]
+
+The device will send an error event command, to indicate certain errors.
+This indicates a misbehaving driver, and should never occur.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Co-developed-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-5-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 99 +++++++++++++++++++
+ 1 file changed, 99 insertions(+)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index a1d4ac8d4a08..5d96ab85d04c 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -70,6 +70,7 @@
+ #define CMD_GET_CARD_INFO_REPLY 35
+ #define CMD_GET_SOFTWARE_INFO 38
+ #define CMD_GET_SOFTWARE_INFO_REPLY 39
++#define CMD_ERROR_EVENT 45
+ #define CMD_FLUSH_QUEUE 48
+ #define CMD_TX_ACKNOWLEDGE 50
+ #define CMD_CAN_ERROR_EVENT 51
+@@ -258,6 +259,28 @@ struct usbcan_cmd_can_error_event {
+ __le16 time;
+ } __packed;
+
++/* CMD_ERROR_EVENT error codes */
++#define KVASER_USB_LEAF_ERROR_EVENT_TX_QUEUE_FULL 0x8
++#define KVASER_USB_LEAF_ERROR_EVENT_PARAM 0x9
++
++struct leaf_cmd_error_event {
++ u8 tid;
++ u8 error_code;
++ __le16 timestamp[3];
++ __le16 padding;
++ __le16 info1;
++ __le16 info2;
++} __packed;
++
++struct usbcan_cmd_error_event {
++ u8 tid;
++ u8 error_code;
++ __le16 info1;
++ __le16 info2;
++ __le16 timestamp;
++ __le16 padding;
++} __packed;
++
+ struct kvaser_cmd_ctrl_mode {
+ u8 tid;
+ u8 channel;
+@@ -321,6 +344,7 @@ struct kvaser_cmd {
+ struct leaf_cmd_chip_state_event chip_state_event;
+ struct leaf_cmd_can_error_event can_error_event;
+ struct leaf_cmd_log_message log_message;
++ struct leaf_cmd_error_event error_event;
+ struct kvaser_cmd_cap_req cap_req;
+ struct kvaser_cmd_cap_res cap_res;
+ } __packed leaf;
+@@ -330,6 +354,7 @@ struct kvaser_cmd {
+ struct usbcan_cmd_rx_can rx_can;
+ struct usbcan_cmd_chip_state_event chip_state_event;
+ struct usbcan_cmd_can_error_event can_error_event;
++ struct usbcan_cmd_error_event error_event;
+ } __packed usbcan;
+
+ struct kvaser_cmd_tx_can tx_can;
+@@ -353,6 +378,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
+ [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
+ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event),
+ [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res),
++ [CMD_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
+ /* ignored events: */
+ [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
+ };
+@@ -367,6 +393,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_usbcan[] = {
+ [CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.usbcan.rx_can),
+ [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.usbcan.chip_state_event),
+ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.can_error_event),
++ [CMD_ERROR_EVENT] = kvaser_fsize(u.usbcan.error_event),
+ /* ignored events: */
+ [CMD_USBCAN_CLOCK_OVERFLOW_EVENT] = CMD_SIZE_ANY,
+ };
+@@ -1304,6 +1331,74 @@ static void kvaser_usb_leaf_rx_can_msg(const struct kvaser_usb *dev,
+ netif_rx(skb);
+ }
+
++static void kvaser_usb_leaf_error_event_parameter(const struct kvaser_usb *dev,
++ const struct kvaser_cmd *cmd)
++{
++ u16 info1 = 0;
++
++ switch (dev->driver_info->family) {
++ case KVASER_LEAF:
++ info1 = le16_to_cpu(cmd->u.leaf.error_event.info1);
++ break;
++ case KVASER_USBCAN:
++ info1 = le16_to_cpu(cmd->u.usbcan.error_event.info1);
++ break;
++ }
++
++ /* info1 will contain the offending cmd_no */
++ switch (info1) {
++ case CMD_SET_CTRL_MODE:
++ dev_warn(&dev->intf->dev,
++ "CMD_SET_CTRL_MODE error in parameter\n");
++ break;
++
++ case CMD_SET_BUS_PARAMS:
++ dev_warn(&dev->intf->dev,
++ "CMD_SET_BUS_PARAMS error in parameter\n");
++ break;
++
++ default:
++ dev_warn(&dev->intf->dev,
++ "Unhandled parameter error event cmd_no (%u)\n",
++ info1);
++ break;
++ }
++}
++
++static void kvaser_usb_leaf_error_event(const struct kvaser_usb *dev,
++ const struct kvaser_cmd *cmd)
++{
++ u8 error_code = 0;
++
++ switch (dev->driver_info->family) {
++ case KVASER_LEAF:
++ error_code = cmd->u.leaf.error_event.error_code;
++ break;
++ case KVASER_USBCAN:
++ error_code = cmd->u.usbcan.error_event.error_code;
++ break;
++ }
++
++ switch (error_code) {
++ case KVASER_USB_LEAF_ERROR_EVENT_TX_QUEUE_FULL:
++ /* Received additional CAN message, when firmware TX queue is
++ * already full. Something is wrong with the driver.
++ * This should never happen!
++ */
++ dev_err(&dev->intf->dev,
++ "Received error event TX_QUEUE_FULL\n");
++ break;
++ case KVASER_USB_LEAF_ERROR_EVENT_PARAM:
++ kvaser_usb_leaf_error_event_parameter(dev, cmd);
++ break;
++
++ default:
++ dev_warn(&dev->intf->dev,
++ "Unhandled error event (%d)\n", error_code);
++ break;
++ }
++}
++
+ static void kvaser_usb_leaf_start_chip_reply(const struct kvaser_usb *dev,
+ const struct kvaser_cmd *cmd)
+ {
+@@ -1382,6 +1477,10 @@ static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev,
+ kvaser_usb_leaf_tx_acknowledge(dev, cmd);
+ break;
+
++ case CMD_ERROR_EVENT:
++ kvaser_usb_leaf_error_event(dev, cmd);
++ break;
++
+ /* Ignored commands */
+ case CMD_USBCAN_CLOCK_OVERFLOW_EVENT:
+ if (dev->driver_info->family != KVASER_USBCAN)
+--
+2.35.1
+
--- /dev/null
+From 362749bc7748c61e609c86f7be241352f9995fab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:29 +0200
+Subject: can: kvaser_usb: kvaser_usb_leaf: Rename
+ {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit 7ea56128dbf904a3359bcf9289cccdfa3c85c7e8 ]
+
+Prepare for handling CMD_ERROR_EVENT. Rename struct
+{leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Reported-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-4-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 38 +++++++++----------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index 33ff62cd1729..a1d4ac8d4a08 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -234,7 +234,7 @@ struct kvaser_cmd_tx_acknowledge_header {
+ u8 tid;
+ } __packed;
+
+-struct leaf_cmd_error_event {
++struct leaf_cmd_can_error_event {
+ u8 tid;
+ u8 flags;
+ __le16 time[3];
+@@ -246,7 +246,7 @@ struct leaf_cmd_error_event {
+ u8 error_factor;
+ } __packed;
+
+-struct usbcan_cmd_error_event {
++struct usbcan_cmd_can_error_event {
+ u8 tid;
+ u8 padding;
+ u8 tx_errors_count_ch0;
+@@ -319,7 +319,7 @@ struct kvaser_cmd {
+ struct leaf_cmd_softinfo softinfo;
+ struct leaf_cmd_rx_can rx_can;
+ struct leaf_cmd_chip_state_event chip_state_event;
+- struct leaf_cmd_error_event error_event;
++ struct leaf_cmd_can_error_event can_error_event;
+ struct leaf_cmd_log_message log_message;
+ struct kvaser_cmd_cap_req cap_req;
+ struct kvaser_cmd_cap_res cap_res;
+@@ -329,7 +329,7 @@ struct kvaser_cmd {
+ struct usbcan_cmd_softinfo softinfo;
+ struct usbcan_cmd_rx_can rx_can;
+ struct usbcan_cmd_chip_state_event chip_state_event;
+- struct usbcan_cmd_error_event error_event;
++ struct usbcan_cmd_can_error_event can_error_event;
+ } __packed usbcan;
+
+ struct kvaser_cmd_tx_can tx_can;
+@@ -351,7 +351,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
+ [CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.leaf.rx_can),
+ [CMD_LEAF_LOG_MESSAGE] = kvaser_fsize(u.leaf.log_message),
+ [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
+- [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
++ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event),
+ [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res),
+ /* ignored events: */
+ [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
+@@ -366,7 +366,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_usbcan[] = {
+ [CMD_RX_STD_MESSAGE] = kvaser_fsize(u.usbcan.rx_can),
+ [CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.usbcan.rx_can),
+ [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.usbcan.chip_state_event),
+- [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.error_event),
++ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.can_error_event),
+ /* ignored events: */
+ [CMD_USBCAN_CLOCK_OVERFLOW_EVENT] = CMD_SIZE_ANY,
+ };
+@@ -1132,11 +1132,11 @@ static void kvaser_usb_leaf_usbcan_rx_error(const struct kvaser_usb *dev,
+
+ case CMD_CAN_ERROR_EVENT:
+ es.channel = 0;
+- es.status = cmd->u.usbcan.error_event.status_ch0;
+- es.txerr = cmd->u.usbcan.error_event.tx_errors_count_ch0;
+- es.rxerr = cmd->u.usbcan.error_event.rx_errors_count_ch0;
++ es.status = cmd->u.usbcan.can_error_event.status_ch0;
++ es.txerr = cmd->u.usbcan.can_error_event.tx_errors_count_ch0;
++ es.rxerr = cmd->u.usbcan.can_error_event.rx_errors_count_ch0;
+ es.usbcan.other_ch_status =
+- cmd->u.usbcan.error_event.status_ch1;
++ cmd->u.usbcan.can_error_event.status_ch1;
+ kvaser_usb_leaf_usbcan_conditionally_rx_error(dev, &es);
+
+ /* The USBCAN firmware supports up to 2 channels.
+@@ -1144,13 +1144,13 @@ static void kvaser_usb_leaf_usbcan_rx_error(const struct kvaser_usb *dev,
+ */
+ if (dev->nchannels == MAX_USBCAN_NET_DEVICES) {
+ es.channel = 1;
+- es.status = cmd->u.usbcan.error_event.status_ch1;
++ es.status = cmd->u.usbcan.can_error_event.status_ch1;
+ es.txerr =
+- cmd->u.usbcan.error_event.tx_errors_count_ch1;
++ cmd->u.usbcan.can_error_event.tx_errors_count_ch1;
+ es.rxerr =
+- cmd->u.usbcan.error_event.rx_errors_count_ch1;
++ cmd->u.usbcan.can_error_event.rx_errors_count_ch1;
+ es.usbcan.other_ch_status =
+- cmd->u.usbcan.error_event.status_ch0;
++ cmd->u.usbcan.can_error_event.status_ch0;
+ kvaser_usb_leaf_usbcan_conditionally_rx_error(dev, &es);
+ }
+ break;
+@@ -1167,11 +1167,11 @@ static void kvaser_usb_leaf_leaf_rx_error(const struct kvaser_usb *dev,
+
+ switch (cmd->id) {
+ case CMD_CAN_ERROR_EVENT:
+- es.channel = cmd->u.leaf.error_event.channel;
+- es.status = cmd->u.leaf.error_event.status;
+- es.txerr = cmd->u.leaf.error_event.tx_errors_count;
+- es.rxerr = cmd->u.leaf.error_event.rx_errors_count;
+- es.leaf.error_factor = cmd->u.leaf.error_event.error_factor;
++ es.channel = cmd->u.leaf.can_error_event.channel;
++ es.status = cmd->u.leaf.can_error_event.status;
++ es.txerr = cmd->u.leaf.can_error_event.tx_errors_count;
++ es.rxerr = cmd->u.leaf.can_error_event.rx_errors_count;
++ es.leaf.error_factor = cmd->u.leaf.can_error_event.error_factor;
+ break;
+ case CMD_LEAF_LOG_MESSAGE:
+ es.channel = cmd->u.leaf.log_message.channel;
+--
+2.35.1
+
--- /dev/null
+From e108c65c08424372ad166376575722b90c27e991 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:35 +0200
+Subject: can: kvaser_usb_leaf: Fix bogus restart events
+
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+
+[ Upstream commit 90904d326269a38fe5dd895fb2db7c03199654c4 ]
+
+When auto-restart is enabled, the kvaser_usb_leaf driver considers
+transition from any state >= CAN_STATE_BUS_OFF as a bus-off recovery
+event (restart).
+
+However, these events may occur at interface startup time before
+kvaser_usb_open() has set the state to CAN_STATE_ERROR_ACTIVE, causing
+restarts counter to increase and CAN_ERR_RESTARTED to be sent despite no
+actual restart having occurred.
+
+Fix that by making the auto-restart condition checks more strict so that
+they only trigger when the interface was actually in the BUS_OFF state.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Tested-by: Jimmy Assarsson <extja@kvaser.com>
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-10-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index 4f9c76f4d0da..fa940be4e1b0 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -898,7 +898,7 @@ static void kvaser_usb_leaf_tx_acknowledge(const struct kvaser_usb *dev,
+ context = &priv->tx_contexts[tid % dev->max_tx_urbs];
+
+ /* Sometimes the state change doesn't come after a bus-off event */
+- if (priv->can.restart_ms && priv->can.state >= CAN_STATE_BUS_OFF) {
++ if (priv->can.restart_ms && priv->can.state == CAN_STATE_BUS_OFF) {
+ struct sk_buff *skb;
+ struct can_frame *cf;
+
+@@ -998,7 +998,7 @@ kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv,
+ }
+
+ if (priv->can.restart_ms &&
+- cur_state >= CAN_STATE_BUS_OFF &&
++ cur_state == CAN_STATE_BUS_OFF &&
+ new_state < CAN_STATE_BUS_OFF)
+ priv->can.can_stats.restarts++;
+
+@@ -1088,7 +1088,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
+ }
+
+ if (priv->can.restart_ms &&
+- old_state >= CAN_STATE_BUS_OFF &&
++ old_state == CAN_STATE_BUS_OFF &&
+ new_state < CAN_STATE_BUS_OFF) {
+ cf->can_id |= CAN_ERR_RESTARTED;
+ netif_carrier_on(priv->netdev);
+--
+2.35.1
+
--- /dev/null
+From 4aaa6d1a8df17df0994d55fd5e0478e473158d3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:32 +0200
+Subject: can: kvaser_usb_leaf: Fix improved state not being reported
+
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+
+[ Upstream commit 8d21f5927ae604881f98587fabf6753f88730968 ]
+
+The tested 0bfd:0017 Kvaser Memorator Professional HS/HS FW 2.0.50 and
+0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778 do not seem to send
+any unsolicited events when error counters decrease or when the device
+transitions from ERROR_PASSIVE to ERROR_ACTIVE (or WARNING).
+
+This causes the interface to e.g. indefinitely stay in the ERROR_PASSIVE
+state.
+
+Fix that by asking for chip state (inc. counters) event every 0.5 secs
+when error counters are non-zero.
+
+Since there are non-error-counter devices, also always poll in
+ERROR_PASSIVE even if the counters show zero.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Tested-by: Jimmy Assarsson <extja@kvaser.com>
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-7-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 7 +++
+ .../net/can/usb/kvaser_usb/kvaser_usb_core.c | 19 +++++-
+ .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 58 +++++++++++++++++++
+ 3 files changed, 81 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+index f6c0938027ec..d9c5dd5da908 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+@@ -104,6 +104,9 @@ struct kvaser_usb_net_priv {
+ struct can_priv can;
+ struct can_berr_counter bec;
+
++ /* subdriver-specific data */
++ void *sub_priv;
++
+ struct kvaser_usb *dev;
+ struct net_device *netdev;
+ int channel;
+@@ -125,6 +128,8 @@ struct kvaser_usb_net_priv {
+ *
+ * @dev_setup_endpoints: setup USB in and out endpoints
+ * @dev_init_card: initialize card
++ * @dev_init_channel: initialize channel
++ * @dev_remove_channel: uninitialize channel
+ * @dev_get_software_info: get software info
+ * @dev_get_software_details: get software details
+ * @dev_get_card_info: get card info
+@@ -146,6 +151,8 @@ struct kvaser_usb_dev_ops {
+ struct can_berr_counter *bec);
+ int (*dev_setup_endpoints)(struct kvaser_usb *dev);
+ int (*dev_init_card)(struct kvaser_usb *dev);
++ int (*dev_init_channel)(struct kvaser_usb_net_priv *priv);
++ void (*dev_remove_channel)(struct kvaser_usb_net_priv *priv);
+ int (*dev_get_software_info)(struct kvaser_usb *dev);
+ int (*dev_get_software_details)(struct kvaser_usb *dev);
+ int (*dev_get_card_info)(struct kvaser_usb *dev);
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+index 802e27c0eced..0ebdfb77c50f 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -684,6 +684,7 @@ static const struct ethtool_ops kvaser_usb_ethtool_ops_hwts = {
+
+ static void kvaser_usb_remove_interfaces(struct kvaser_usb *dev)
+ {
++ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops;
+ int i;
+
+ for (i = 0; i < dev->nchannels; i++) {
+@@ -699,6 +700,9 @@ static void kvaser_usb_remove_interfaces(struct kvaser_usb *dev)
+ if (!dev->nets[i])
+ continue;
+
++ if (ops->dev_remove_channel)
++ ops->dev_remove_channel(dev->nets[i]);
++
+ free_candev(dev->nets[i]->netdev);
+ }
+ }
+@@ -772,17 +776,26 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
+
+ dev->nets[channel] = priv;
+
++ if (ops->dev_init_channel) {
++ err = ops->dev_init_channel(priv);
++ if (err)
++ goto err;
++ }
++
+ err = register_candev(netdev);
+ if (err) {
+ dev_err(&dev->intf->dev, "Failed to register CAN device\n");
+- free_candev(netdev);
+- dev->nets[channel] = NULL;
+- return err;
++ goto err;
+ }
+
+ netdev_dbg(netdev, "device registered\n");
+
+ return 0;
++
++err:
++ free_candev(netdev);
++ dev->nets[channel] = NULL;
++ return err;
+ }
+
+ static int kvaser_usb_probe(struct usb_interface *intf,
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index a6a26085bc15..993fcc19637d 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -21,6 +21,7 @@
+ #include <linux/types.h>
+ #include <linux/units.h>
+ #include <linux/usb.h>
++#include <linux/workqueue.h>
+
+ #include <linux/can.h>
+ #include <linux/can/dev.h>
+@@ -56,6 +57,7 @@
+ #define CMD_RX_EXT_MESSAGE 14
+ #define CMD_TX_EXT_MESSAGE 15
+ #define CMD_SET_BUS_PARAMS 16
++#define CMD_GET_CHIP_STATE 19
+ #define CMD_CHIP_STATE_EVENT 20
+ #define CMD_SET_CTRL_MODE 21
+ #define CMD_RESET_CHIP 24
+@@ -421,6 +423,12 @@ struct kvaser_usb_err_summary {
+ };
+ };
+
++struct kvaser_usb_net_leaf_priv {
++ struct kvaser_usb_net_priv *net;
++
++ struct delayed_work chip_state_req_work;
++};
++
+ static const struct can_bittiming_const kvaser_usb_leaf_m16c_bittiming_const = {
+ .name = "kvaser_usb_ucii",
+ .tseg1_min = 4,
+@@ -943,6 +951,16 @@ static int kvaser_usb_leaf_simple_cmd_async(struct kvaser_usb_net_priv *priv,
+ return err;
+ }
+
++static void kvaser_usb_leaf_chip_state_req_work(struct work_struct *work)
++{
++ struct kvaser_usb_net_leaf_priv *leaf =
++ container_of(work, struct kvaser_usb_net_leaf_priv,
++ chip_state_req_work.work);
++ struct kvaser_usb_net_priv *priv = leaf->net;
++
++ kvaser_usb_leaf_simple_cmd_async(priv, CMD_GET_CHIP_STATE);
++}
++
+ static void
+ kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv,
+ const struct kvaser_usb_err_summary *es,
+@@ -1014,6 +1032,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
+ struct sk_buff *skb;
+ struct net_device_stats *stats;
+ struct kvaser_usb_net_priv *priv;
++ struct kvaser_usb_net_leaf_priv *leaf;
+ enum can_state old_state, new_state;
+
+ if (es->channel >= dev->nchannels) {
+@@ -1023,6 +1042,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
+ }
+
+ priv = dev->nets[es->channel];
++ leaf = priv->sub_priv;
+ stats = &priv->netdev->stats;
+
+ /* Update all of the CAN interface's state and error counters before
+@@ -1039,6 +1059,14 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
+ kvaser_usb_leaf_rx_error_update_can_state(priv, es, &tmp_cf);
+ new_state = priv->can.state;
+
++ /* If there are errors, request status updates periodically as we do
++ * not get automatic notifications of improved state.
++ */
++ if (new_state < CAN_STATE_BUS_OFF &&
++ (es->rxerr || es->txerr || new_state == CAN_STATE_ERROR_PASSIVE))
++ schedule_delayed_work(&leaf->chip_state_req_work,
++ msecs_to_jiffies(500));
++
+ skb = alloc_can_err_skb(priv->netdev, &cf);
+ if (!skb) {
+ stats->rx_dropped++;
+@@ -1573,10 +1601,13 @@ static int kvaser_usb_leaf_start_chip(struct kvaser_usb_net_priv *priv)
+
+ static int kvaser_usb_leaf_stop_chip(struct kvaser_usb_net_priv *priv)
+ {
++ struct kvaser_usb_net_leaf_priv *leaf = priv->sub_priv;
+ int err;
+
+ reinit_completion(&priv->stop_comp);
+
++ cancel_delayed_work(&leaf->chip_state_req_work);
++
+ err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_STOP_CHIP,
+ priv->channel);
+ if (err)
+@@ -1623,6 +1654,31 @@ static int kvaser_usb_leaf_init_card(struct kvaser_usb *dev)
+ return 0;
+ }
+
++static int kvaser_usb_leaf_init_channel(struct kvaser_usb_net_priv *priv)
++{
++ struct kvaser_usb_net_leaf_priv *leaf;
++
++ leaf = devm_kzalloc(&priv->dev->intf->dev, sizeof(*leaf), GFP_KERNEL);
++ if (!leaf)
++ return -ENOMEM;
++
++ leaf->net = priv;
++ INIT_DELAYED_WORK(&leaf->chip_state_req_work,
++ kvaser_usb_leaf_chip_state_req_work);
++
++ priv->sub_priv = leaf;
++
++ return 0;
++}
++
++static void kvaser_usb_leaf_remove_channel(struct kvaser_usb_net_priv *priv)
++{
++ struct kvaser_usb_net_leaf_priv *leaf = priv->sub_priv;
++
++ if (leaf)
++ cancel_delayed_work_sync(&leaf->chip_state_req_work);
++}
++
+ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
+ {
+ struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
+@@ -1720,6 +1776,8 @@ const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = {
+ .dev_get_berr_counter = kvaser_usb_leaf_get_berr_counter,
+ .dev_setup_endpoints = kvaser_usb_leaf_setup_endpoints,
+ .dev_init_card = kvaser_usb_leaf_init_card,
++ .dev_init_channel = kvaser_usb_leaf_init_channel,
++ .dev_remove_channel = kvaser_usb_leaf_remove_channel,
+ .dev_get_software_info = kvaser_usb_leaf_get_software_info,
+ .dev_get_software_details = NULL,
+ .dev_get_card_info = kvaser_usb_leaf_get_card_info,
+--
+2.35.1
+
--- /dev/null
+From 0c622ae066bc6236e9fb6b51d827fd62b4184a94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:33 +0200
+Subject: can: kvaser_usb_leaf: Fix wrong CAN state after stopping
+
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+
+[ Upstream commit a11249acf802341294557895d8e5f6aef080253f ]
+
+0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778 sends a
+CMD_CHIP_STATE_EVENT indicating bus-off after stopping the device,
+causing a stopped device to appear as CAN_STATE_BUS_OFF instead of
+CAN_STATE_STOPPED.
+
+Fix that by not handling error events on stopped devices.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Tested-by: Jimmy Assarsson <extja@kvaser.com>
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-8-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index 993fcc19637d..4f9c76f4d0da 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -1045,6 +1045,10 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
+ leaf = priv->sub_priv;
+ stats = &priv->netdev->stats;
+
++ /* Ignore e.g. state change to bus-off reported just after stopping */
++ if (!netif_running(priv->netdev))
++ return;
++
+ /* Update all of the CAN interface's state and error counters before
+ * trying any memory allocation that can actually fail with -ENOMEM.
+ *
+--
+2.35.1
+
--- /dev/null
+From d74fd8c12b34a18144a145cf8ad0016da4f063d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 20:52:31 +0200
+Subject: can: kvaser_usb_leaf: Set Warning state even without bus errors
+
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+
+[ Upstream commit df1b7af2761b935f63b4a53e789d41ed859edf61 ]
+
+kvaser_usb_leaf_rx_error_update_can_state() sets error state according
+to error counters when the hardware does not indicate a specific state
+directly.
+
+However, this is currently gated behind a check for
+M16C_STATE_BUS_ERROR which does not always seem to be set when error
+counters are increasing, and may not be set when error counters are
+decreasing.
+
+This causes the CAN_STATE_ERROR_WARNING state to not be set in some
+cases even when appropriate.
+
+Change the code to set error state from counters even without
+M16C_STATE_BUS_ERROR.
+
+The Error-Passive case seems superfluous as it is already set via
+M16C_STATE_BUS_PASSIVE flag above, but it is kept for now.
+
+Tested with 0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Tested-by: Jimmy Assarsson <extja@kvaser.com>
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://lore.kernel.org/all/20221010185237.319219-6-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 20 ++++++++-----------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index 5d96ab85d04c..a6a26085bc15 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -961,20 +961,16 @@ kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv,
+ new_state = CAN_STATE_BUS_OFF;
+ } else if (es->status & M16C_STATE_BUS_PASSIVE) {
+ new_state = CAN_STATE_ERROR_PASSIVE;
+- } else if (es->status & M16C_STATE_BUS_ERROR) {
++ } else if ((es->status & M16C_STATE_BUS_ERROR) &&
++ cur_state >= CAN_STATE_BUS_OFF) {
+ /* Guard against spurious error events after a busoff */
+- if (cur_state < CAN_STATE_BUS_OFF) {
+- if (es->txerr >= 128 || es->rxerr >= 128)
+- new_state = CAN_STATE_ERROR_PASSIVE;
+- else if (es->txerr >= 96 || es->rxerr >= 96)
+- new_state = CAN_STATE_ERROR_WARNING;
+- else if (cur_state > CAN_STATE_ERROR_ACTIVE)
+- new_state = CAN_STATE_ERROR_ACTIVE;
+- }
+- }
+-
+- if (!es->status)
++ } else if (es->txerr >= 128 || es->rxerr >= 128) {
++ new_state = CAN_STATE_ERROR_PASSIVE;
++ } else if (es->txerr >= 96 || es->rxerr >= 96) {
++ new_state = CAN_STATE_ERROR_WARNING;
++ } else {
+ new_state = CAN_STATE_ERROR_ACTIVE;
++ }
+
+ if (new_state != cur_state) {
+ tx_state = (es->txerr >= es->rxerr) ? new_state : 0;
+--
+2.35.1
+
--- /dev/null
+From d8332c62dbcb87905c3537b1557e275afd169789 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 15:36:31 +0530
+Subject: can: m_can: Call the RAM init directly from m_can_chip_config
+
+From: Vivek Yadav <vivek.2311@samsung.com>
+
+[ Upstream commit eaacfeaca7ad0804b9a6eff7afeba93a87db7638 ]
+
+When we try to access the mcan message ram addresses during the probe,
+hclk is gated by any other drivers or disabled, because of that probe
+gets failed.
+
+Move the mram init functionality to mcan chip config called by
+m_can_start from mcan open function, by that time clocks are
+enabled.
+
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Vivek Yadav <vivek.2311@samsung.com>
+Link: https://lore.kernel.org/all/20221207100632.96200-2-vivek.2311@samsung.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Stable-dep-of: 67727a17a6b3 ("can: tcan4x5x: Fix use of register error status mask")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 32 +++++++++++++++++++++-----
+ drivers/net/can/m_can/m_can_platform.c | 4 ----
+ drivers/net/can/m_can/tcan4x5x-core.c | 5 ----
+ 3 files changed, 26 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index 153d8fd08bd8..a562f36a99f8 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1233,10 +1233,17 @@ static int m_can_set_bittiming(struct net_device *dev)
+ * - setup bittiming
+ * - configure timestamp generation
+ */
+-static void m_can_chip_config(struct net_device *dev)
++static int m_can_chip_config(struct net_device *dev)
+ {
+ struct m_can_classdev *cdev = netdev_priv(dev);
+ u32 cccr, test;
++ int err;
++
++ err = m_can_init_ram(cdev);
++ if (err) {
++ dev_err(cdev->dev, "Message RAM configuration failed\n");
++ return err;
++ }
+
+ m_can_config_endisable(cdev, true);
+
+@@ -1360,18 +1367,25 @@ static void m_can_chip_config(struct net_device *dev)
+
+ if (cdev->ops->init)
+ cdev->ops->init(cdev);
++
++ return 0;
+ }
+
+-static void m_can_start(struct net_device *dev)
++static int m_can_start(struct net_device *dev)
+ {
+ struct m_can_classdev *cdev = netdev_priv(dev);
++ int ret;
+
+ /* basic m_can configuration */
+- m_can_chip_config(dev);
++ ret = m_can_chip_config(dev);
++ if (ret)
++ return ret;
+
+ cdev->can.state = CAN_STATE_ERROR_ACTIVE;
+
+ m_can_enable_all_interrupts(cdev);
++
++ return 0;
+ }
+
+ static int m_can_set_mode(struct net_device *dev, enum can_mode mode)
+@@ -1800,7 +1814,9 @@ static int m_can_open(struct net_device *dev)
+ }
+
+ /* start the m_can controller */
+- m_can_start(dev);
++ err = m_can_start(dev);
++ if (err)
++ goto exit_irq_fail;
+
+ if (!cdev->is_peripheral)
+ napi_enable(&cdev->napi);
+@@ -2059,9 +2075,13 @@ int m_can_class_resume(struct device *dev)
+ ret = m_can_clk_start(cdev);
+ if (ret)
+ return ret;
++ ret = m_can_start(ndev);
++ if (ret) {
++ m_can_clk_stop(cdev);
++
++ return ret;
++ }
+
+- m_can_init_ram(cdev);
+- m_can_start(ndev);
+ netif_device_attach(ndev);
+ netif_start_queue(ndev);
+ }
+diff --git a/drivers/net/can/m_can/m_can_platform.c b/drivers/net/can/m_can/m_can_platform.c
+index eee47bad0592..de6d8e01bf2e 100644
+--- a/drivers/net/can/m_can/m_can_platform.c
++++ b/drivers/net/can/m_can/m_can_platform.c
+@@ -140,10 +140,6 @@ static int m_can_plat_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, mcan_class);
+
+- ret = m_can_init_ram(mcan_class);
+- if (ret)
+- goto probe_fail;
+-
+ pm_runtime_enable(mcan_class->dev);
+ ret = m_can_class_register(mcan_class);
+ if (ret)
+diff --git a/drivers/net/can/m_can/tcan4x5x-core.c b/drivers/net/can/m_can/tcan4x5x-core.c
+index 1fec394b3517..a77f4d4f6299 100644
+--- a/drivers/net/can/m_can/tcan4x5x-core.c
++++ b/drivers/net/can/m_can/tcan4x5x-core.c
+@@ -229,11 +229,6 @@ static int tcan4x5x_init(struct m_can_classdev *cdev)
+ if (ret)
+ return ret;
+
+- /* Zero out the MCAN buffers */
+- ret = m_can_init_ram(cdev);
+- if (ret)
+- return ret;
+-
+ ret = regmap_update_bits(tcan4x5x->regmap, TCAN4X5X_CONFIG,
+ TCAN4X5X_MODE_SEL_MASK, TCAN4X5X_MODE_NORMAL);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 9b09d7047b7e1f137db323fb6656cea900bd7e2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 12:57:26 +0100
+Subject: can: tcan4x5x: Fix use of register error status mask
+
+From: Markus Schneider-Pargmann <msp@baylibre.com>
+
+[ Upstream commit 67727a17a6b375d68fe569b77e6516b034b834c0 ]
+
+TCAN4X5X_ERROR_STATUS is not a status register that needs clearing
+during interrupt handling. Instead this is a masking register that masks
+error interrupts. Writing TCAN4X5X_CLEAR_ALL_INT to this register
+effectively masks everything.
+
+Rename the register and mask all error interrupts only once by writing
+to the register in tcan4x5x_init.
+
+Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel")
+Signed-off-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Link: https://lore.kernel.org/all/20221206115728.1056014-10-msp@baylibre.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/tcan4x5x-core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/can/m_can/tcan4x5x-core.c b/drivers/net/can/m_can/tcan4x5x-core.c
+index a77f4d4f6299..2342aa011647 100644
+--- a/drivers/net/can/m_can/tcan4x5x-core.c
++++ b/drivers/net/can/m_can/tcan4x5x-core.c
+@@ -10,7 +10,7 @@
+ #define TCAN4X5X_DEV_ID1 0x04
+ #define TCAN4X5X_REV 0x08
+ #define TCAN4X5X_STATUS 0x0C
+-#define TCAN4X5X_ERROR_STATUS 0x10
++#define TCAN4X5X_ERROR_STATUS_MASK 0x10
+ #define TCAN4X5X_CONTROL 0x14
+
+ #define TCAN4X5X_CONFIG 0x800
+@@ -204,12 +204,7 @@ static int tcan4x5x_clear_interrupts(struct m_can_classdev *cdev)
+ if (ret)
+ return ret;
+
+- ret = tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_INT_FLAGS,
+- TCAN4X5X_CLEAR_ALL_INT);
+- if (ret)
+- return ret;
+-
+- return tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_ERROR_STATUS,
++ return tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_INT_FLAGS,
+ TCAN4X5X_CLEAR_ALL_INT);
+ }
+
+@@ -229,6 +224,11 @@ static int tcan4x5x_init(struct m_can_classdev *cdev)
+ if (ret)
+ return ret;
+
++ ret = tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_ERROR_STATUS_MASK,
++ TCAN4X5X_CLEAR_ALL_INT);
++ if (ret)
++ return ret;
++
+ ret = regmap_update_bits(tcan4x5x->regmap, TCAN4X5X_CONFIG,
+ TCAN4X5X_MODE_SEL_MASK, TCAN4X5X_MODE_NORMAL);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 53642df9a2f9fadf53d9183962e091bb79bd4d4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 12:57:25 +0100
+Subject: can: tcan4x5x: Remove invalid write in clear_interrupts
+
+From: Markus Schneider-Pargmann <msp@baylibre.com>
+
+[ Upstream commit 40c9e4f676abbe194541d88e796341c92d5a13c0 ]
+
+Register 0x824 TCAN4X5X_MCAN_INT_REG is a read-only register. Any writes
+to this register do not have any effect.
+
+Remove this write. The m_can driver aldready clears the interrupts in
+m_can_isr() by writing to M_CAN_IR which is translated to register
+0x1050 which is a writable version of this register.
+
+Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel")
+Signed-off-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Link: https://lore.kernel.org/all/20221206115728.1056014-9-msp@baylibre.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/tcan4x5x-core.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/net/can/m_can/tcan4x5x-core.c b/drivers/net/can/m_can/tcan4x5x-core.c
+index 41645a24384c..1fec394b3517 100644
+--- a/drivers/net/can/m_can/tcan4x5x-core.c
++++ b/drivers/net/can/m_can/tcan4x5x-core.c
+@@ -204,11 +204,6 @@ static int tcan4x5x_clear_interrupts(struct m_can_classdev *cdev)
+ if (ret)
+ return ret;
+
+- ret = tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_MCAN_INT_REG,
+- TCAN4X5X_ENABLE_MCAN_INT);
+- if (ret)
+- return ret;
+-
+ ret = tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_INT_FLAGS,
+ TCAN4X5X_CLEAR_ALL_INT);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 1ad5f9ad6df0f4c7948a76fe250f80c11d72f5be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 11:02:37 +0800
+Subject: chardev: fix error handling in cdev_device_add()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797 ]
+
+While doing fault injection test, I got the following report:
+
+------------[ cut here ]------------
+kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called.
+WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0
+CPU: 3 PID: 6306 Comm: 283 Tainted: G W 6.1.0-rc2-00005-g307c1086d7c9 #1253
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:kobject_put+0x23d/0x4e0
+Call Trace:
+ <TASK>
+ cdev_device_add+0x15e/0x1b0
+ __iio_device_register+0x13b4/0x1af0 [industrialio]
+ __devm_iio_device_register+0x22/0x90 [industrialio]
+ max517_probe+0x3d8/0x6b4 [max517]
+ i2c_device_probe+0xa81/0xc00
+
+When device_add() is injected fault and returns error, if dev->devt is not set,
+cdev_add() is not called, cdev_del() is not needed. Fix this by checking dev->devt
+in error path.
+
+Fixes: 233ed09d7fda ("chardev: add helper function to register char devs with a struct device")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221202030237.520280-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/char_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/char_dev.c b/fs/char_dev.c
+index ba0ded7842a7..3f667292608c 100644
+--- a/fs/char_dev.c
++++ b/fs/char_dev.c
+@@ -547,7 +547,7 @@ int cdev_device_add(struct cdev *cdev, struct device *dev)
+ }
+
+ rc = device_add(dev);
+- if (rc)
++ if (rc && dev->devt)
+ cdev_del(cdev);
+
+ return rc;
+--
+2.35.1
+
--- /dev/null
+From 1a5c40748621f21be26569d1fbf3fc2466e2ad20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Dec 2022 18:18:55 -0300
+Subject: cifs: fix oops during encryption
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+[ Upstream commit f7f291e14dde32a07b1f0aa06921d28f875a7b54 ]
+
+When running xfstests against Azure the following oops occurred on an
+arm64 system
+
+ Unable to handle kernel write to read-only memory at virtual address
+ ffff0001221cf000
+ Mem abort info:
+ ESR = 0x9600004f
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x0f: level 3 permission fault
+ Data abort info:
+ ISV = 0, ISS = 0x0000004f
+ CM = 0, WnR = 1
+ swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000
+ [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,
+ pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787
+ Internal error: Oops: 9600004f [#1] PREEMPT SMP
+ ...
+ pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
+ pc : __memcpy+0x40/0x230
+ lr : scatterwalk_copychunks+0xe0/0x200
+ sp : ffff800014e92de0
+ x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008
+ x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008
+ x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000
+ x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014
+ x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058
+ x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590
+ x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580
+ x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005
+ x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001
+ x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000
+ Call trace:
+ __memcpy+0x40/0x230
+ scatterwalk_map_and_copy+0x98/0x100
+ crypto_ccm_encrypt+0x150/0x180
+ crypto_aead_encrypt+0x2c/0x40
+ crypt_message+0x750/0x880
+ smb3_init_transform_rq+0x298/0x340
+ smb_send_rqst.part.11+0xd8/0x180
+ smb_send_rqst+0x3c/0x100
+ compound_send_recv+0x534/0xbc0
+ smb2_query_info_compound+0x32c/0x440
+ smb2_set_ea+0x438/0x4c0
+ cifs_xattr_set+0x5d4/0x7c0
+
+This is because in scatterwalk_copychunks(), we attempted to write to
+a buffer (@sign) that was allocated in the stack (vmalloc area) by
+crypt_message() and thus accessing its remaining 8 (x2) bytes ended up
+crossing a page boundary.
+
+To simply fix it, we could just pass @sign kmalloc'd from
+crypt_message() and then we're done. Luckily, we don't seem to pass
+any other vmalloc'd buffers in smb_rqst::rq_iov...
+
+Instead, let's map the correct pages and offsets from vmalloc buffers
+as well in cifs_sg_set_buf() and then avoiding such oopses.
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifsglob.h | 68 +++++++++++++++++++++
+ fs/cifs/cifsproto.h | 4 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb2ops.c | 143 +++++++++++++++++++++-----------------------
+ 4 files changed, 140 insertions(+), 79 deletions(-)
+
+diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
+index 333022028bb0..b52dca800eac 100644
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -13,6 +13,8 @@
+ #include <linux/in6.h>
+ #include <linux/inet.h>
+ #include <linux/slab.h>
++#include <linux/scatterlist.h>
++#include <linux/mm.h>
+ #include <linux/mempool.h>
+ #include <linux/workqueue.h>
+ #include <linux/utsname.h>
+@@ -2147,4 +2149,70 @@ static inline void move_cifs_info_to_smb2(struct smb2_file_all_info *dst, const
+ dst->FileNameLength = src->FileNameLength;
+ }
+
++static inline unsigned int cifs_get_num_sgs(const struct smb_rqst *rqst,
++ int num_rqst,
++ const u8 *sig)
++{
++ unsigned int len, skip;
++ unsigned int nents = 0;
++ unsigned long addr;
++ int i, j;
++
++ /* Assumes the first rqst has a transform header as the first iov.
++ * I.e.
++ * rqst[0].rq_iov[0] is transform header
++ * rqst[0].rq_iov[1+] data to be encrypted/decrypted
++ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
++ */
++ for (i = 0; i < num_rqst; i++) {
++ /*
++ * The first rqst has a transform header where the
++ * first 20 bytes are not part of the encrypted blob.
++ */
++ for (j = 0; j < rqst[i].rq_nvec; j++) {
++ struct kvec *iov = &rqst[i].rq_iov[j];
++
++ skip = (i == 0) && (j == 0) ? 20 : 0;
++ addr = (unsigned long)iov->iov_base + skip;
++ if (unlikely(is_vmalloc_addr((void *)addr))) {
++ len = iov->iov_len - skip;
++ nents += DIV_ROUND_UP(offset_in_page(addr) + len,
++ PAGE_SIZE);
++ } else {
++ nents++;
++ }
++ }
++ nents += rqst[i].rq_npages;
++ }
++ nents += DIV_ROUND_UP(offset_in_page(sig) + SMB2_SIGNATURE_SIZE, PAGE_SIZE);
++ return nents;
++}
++
++/* We can not use the normal sg_set_buf() as we will sometimes pass a
++ * stack object as buf.
++ */
++static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg,
++ const void *buf,
++ unsigned int buflen)
++{
++ unsigned long addr = (unsigned long)buf;
++ unsigned int off = offset_in_page(addr);
++
++ addr &= PAGE_MASK;
++ if (unlikely(is_vmalloc_addr((void *)addr))) {
++ do {
++ unsigned int len = min_t(unsigned int, buflen, PAGE_SIZE - off);
++
++ sg_set_page(sg++, vmalloc_to_page((void *)addr), len, off);
++
++ off = 0;
++ addr += PAGE_SIZE;
++ buflen -= len;
++ } while (buflen);
++ } else {
++ sg_set_page(sg++, virt_to_page(addr), buflen, off);
++ }
++ return sg;
++}
++
+ #endif /* _CIFS_GLOB_H */
+diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
+index 372ff64a285b..edf6f18ec8b7 100644
+--- a/fs/cifs/cifsproto.h
++++ b/fs/cifs/cifsproto.h
+@@ -601,8 +601,8 @@ int cifs_alloc_hash(const char *name, struct crypto_shash **shash,
+ struct sdesc **sdesc);
+ void cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc);
+
+-extern void rqst_page_get_length(struct smb_rqst *rqst, unsigned int page,
+- unsigned int *len, unsigned int *offset);
++void rqst_page_get_length(const struct smb_rqst *rqst, unsigned int page,
++ unsigned int *len, unsigned int *offset);
+ struct cifs_chan *
+ cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server);
+ int cifs_try_adding_channels(struct cifs_sb_info *cifs_sb, struct cifs_ses *ses);
+diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
+index 3a117e2269a0..1efb5ca9fd80 100644
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -1137,8 +1137,8 @@ cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc)
+ * @len: Where to store the length for this page:
+ * @offset: Where to store the offset for this page
+ */
+-void rqst_page_get_length(struct smb_rqst *rqst, unsigned int page,
+- unsigned int *len, unsigned int *offset)
++void rqst_page_get_length(const struct smb_rqst *rqst, unsigned int page,
++ unsigned int *len, unsigned int *offset)
+ {
+ *len = rqst->rq_pagesz;
+ *offset = (page == 0) ? rqst->rq_offset : 0;
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index d454164e7f48..74052b51655e 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -4182,69 +4182,82 @@ fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, unsigned int orig_len,
+ memcpy(&tr_hdr->SessionId, &shdr->SessionId, 8);
+ }
+
+-/* We can not use the normal sg_set_buf() as we will sometimes pass a
+- * stack object as buf.
+- */
+-static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
+- unsigned int buflen)
++static void *smb2_aead_req_alloc(struct crypto_aead *tfm, const struct smb_rqst *rqst,
++ int num_rqst, const u8 *sig, u8 **iv,
++ struct aead_request **req, struct scatterlist **sgl,
++ unsigned int *num_sgs)
+ {
+- void *addr;
+- /*
+- * VMAP_STACK (at least) puts stack into the vmalloc address space
+- */
+- if (is_vmalloc_addr(buf))
+- addr = vmalloc_to_page(buf);
+- else
+- addr = virt_to_page(buf);
+- sg_set_page(sg, addr, buflen, offset_in_page(buf));
++ unsigned int req_size = sizeof(**req) + crypto_aead_reqsize(tfm);
++ unsigned int iv_size = crypto_aead_ivsize(tfm);
++ unsigned int len;
++ u8 *p;
++
++ *num_sgs = cifs_get_num_sgs(rqst, num_rqst, sig);
++
++ len = iv_size;
++ len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1);
++ len = ALIGN(len, crypto_tfm_ctx_alignment());
++ len += req_size;
++ len = ALIGN(len, __alignof__(struct scatterlist));
++ len += *num_sgs * sizeof(**sgl);
++
++ p = kmalloc(len, GFP_ATOMIC);
++ if (!p)
++ return NULL;
++
++ *iv = (u8 *)PTR_ALIGN(p, crypto_aead_alignmask(tfm) + 1);
++ *req = (struct aead_request *)PTR_ALIGN(*iv + iv_size,
++ crypto_tfm_ctx_alignment());
++ *sgl = (struct scatterlist *)PTR_ALIGN((u8 *)*req + req_size,
++ __alignof__(struct scatterlist));
++ return p;
+ }
+
+-/* Assumes the first rqst has a transform header as the first iov.
+- * I.e.
+- * rqst[0].rq_iov[0] is transform header
+- * rqst[0].rq_iov[1+] data to be encrypted/decrypted
+- * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
+- */
+-static struct scatterlist *
+-init_sg(int num_rqst, struct smb_rqst *rqst, u8 *sign)
++static void *smb2_get_aead_req(struct crypto_aead *tfm, const struct smb_rqst *rqst,
++ int num_rqst, const u8 *sig, u8 **iv,
++ struct aead_request **req, struct scatterlist **sgl)
+ {
+- unsigned int sg_len;
++ unsigned int off, len, skip;
+ struct scatterlist *sg;
+- unsigned int i;
+- unsigned int j;
+- unsigned int idx = 0;
+- int skip;
+-
+- sg_len = 1;
+- for (i = 0; i < num_rqst; i++)
+- sg_len += rqst[i].rq_nvec + rqst[i].rq_npages;
++ unsigned int num_sgs;
++ unsigned long addr;
++ int i, j;
++ void *p;
+
+- sg = kmalloc_array(sg_len, sizeof(struct scatterlist), GFP_KERNEL);
+- if (!sg)
++ p = smb2_aead_req_alloc(tfm, rqst, num_rqst, sig, iv, req, sgl, &num_sgs);
++ if (!p)
+ return NULL;
+
+- sg_init_table(sg, sg_len);
++ sg_init_table(*sgl, num_sgs);
++ sg = *sgl;
++
++ /* Assumes the first rqst has a transform header as the first iov.
++ * I.e.
++ * rqst[0].rq_iov[0] is transform header
++ * rqst[0].rq_iov[1+] data to be encrypted/decrypted
++ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
++ */
+ for (i = 0; i < num_rqst; i++) {
++ /*
++ * The first rqst has a transform header where the
++ * first 20 bytes are not part of the encrypted blob.
++ */
+ for (j = 0; j < rqst[i].rq_nvec; j++) {
+- /*
+- * The first rqst has a transform header where the
+- * first 20 bytes are not part of the encrypted blob
+- */
+- skip = (i == 0) && (j == 0) ? 20 : 0;
+- smb2_sg_set_buf(&sg[idx++],
+- rqst[i].rq_iov[j].iov_base + skip,
+- rqst[i].rq_iov[j].iov_len - skip);
+- }
++ struct kvec *iov = &rqst[i].rq_iov[j];
+
++ skip = (i == 0) && (j == 0) ? 20 : 0;
++ addr = (unsigned long)iov->iov_base + skip;
++ len = iov->iov_len - skip;
++ sg = cifs_sg_set_buf(sg, (void *)addr, len);
++ }
+ for (j = 0; j < rqst[i].rq_npages; j++) {
+- unsigned int len, offset;
+-
+- rqst_page_get_length(&rqst[i], j, &len, &offset);
+- sg_set_page(&sg[idx++], rqst[i].rq_pages[j], len, offset);
++ rqst_page_get_length(&rqst[i], j, &len, &off);
++ sg_set_page(sg++, rqst[i].rq_pages[j], len, off);
+ }
+ }
+- smb2_sg_set_buf(&sg[idx], sign, SMB2_SIGNATURE_SIZE);
+- return sg;
++ cifs_sg_set_buf(sg, sig, SMB2_SIGNATURE_SIZE);
++
++ return p;
+ }
+
+ static int
+@@ -4290,11 +4303,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
+ u8 sign[SMB2_SIGNATURE_SIZE] = {};
+ u8 key[SMB3_ENC_DEC_KEY_SIZE];
+ struct aead_request *req;
+- char *iv;
+- unsigned int iv_len;
++ u8 *iv;
+ DECLARE_CRYPTO_WAIT(wait);
+ struct crypto_aead *tfm;
+ unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
++ void *creq;
+
+ rc = smb2_get_enc_key(server, le64_to_cpu(tr_hdr->SessionId), enc, key);
+ if (rc) {
+@@ -4329,32 +4342,15 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
+ return rc;
+ }
+
+- req = aead_request_alloc(tfm, GFP_KERNEL);
+- if (!req) {
+- cifs_server_dbg(VFS, "%s: Failed to alloc aead request\n", __func__);
++ creq = smb2_get_aead_req(tfm, rqst, num_rqst, sign, &iv, &req, &sg);
++ if (unlikely(!creq))
+ return -ENOMEM;
+- }
+
+ if (!enc) {
+ memcpy(sign, &tr_hdr->Signature, SMB2_SIGNATURE_SIZE);
+ crypt_len += SMB2_SIGNATURE_SIZE;
+ }
+
+- sg = init_sg(num_rqst, rqst, sign);
+- if (!sg) {
+- cifs_server_dbg(VFS, "%s: Failed to init sg\n", __func__);
+- rc = -ENOMEM;
+- goto free_req;
+- }
+-
+- iv_len = crypto_aead_ivsize(tfm);
+- iv = kzalloc(iv_len, GFP_KERNEL);
+- if (!iv) {
+- cifs_server_dbg(VFS, "%s: Failed to alloc iv\n", __func__);
+- rc = -ENOMEM;
+- goto free_sg;
+- }
+-
+ if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
+ (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+ memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES_GCM_NONCE);
+@@ -4363,6 +4359,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
+ memcpy(iv + 1, (char *)tr_hdr->Nonce, SMB3_AES_CCM_NONCE);
+ }
+
++ aead_request_set_tfm(req, tfm);
+ aead_request_set_crypt(req, sg, sg, crypt_len, iv);
+ aead_request_set_ad(req, assoc_data_len);
+
+@@ -4375,11 +4372,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
+ if (!rc && enc)
+ memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
+
+- kfree_sensitive(iv);
+-free_sg:
+- kfree_sensitive(sg);
+-free_req:
+- kfree_sensitive(req);
++ kfree_sensitive(creq);
+ return rc;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e4469058d117d3c5541e98f30ef5510239c0a71d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Oct 2022 18:43:50 -0300
+Subject: cifs: improve symlink handling for smb2+
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+[ Upstream commit 76894f3e2f71177747b8b4763fb180e800279585 ]
+
+When creating inode for symlink, the client used to send below
+requests to fill it in:
+
+ * create+query_info+close (STATUS_STOPPED_ON_SYMLINK)
+ * create(+reparse_flag)+query_info+close (set file attrs)
+ * create+ioctl(get_reparse)+close (query reparse tag)
+
+and then for every access to the symlink dentry, the ->link() method
+would send another:
+
+ * create+ioctl(get_reparse)+close (parse symlink)
+
+So, in order to improve:
+
+ (i) Get rid of unnecessary roundtrips and then resolve symlinks as
+ follows:
+
+ * create+query_info+close (STATUS_STOPPED_ON_SYMLINK +
+ parse symlink + get reparse tag)
+ * create(+reparse_flag)+query_info+close (set file attrs)
+
+ (ii) Set the resolved symlink target directly in inode->i_link and
+ use simple_get_link() for ->link() to simply return it.
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Stable-dep-of: f7f291e14dde ("cifs: fix oops during encryption")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifsfs.c | 9 ++-
+ fs/cifs/cifsglob.h | 46 +++++++++---
+ fs/cifs/cifsproto.h | 13 ++--
+ fs/cifs/dir.c | 30 +++-----
+ fs/cifs/file.c | 41 ++++++-----
+ fs/cifs/inode.c | 170 ++++++++++++++++++++++++++------------------
+ fs/cifs/link.c | 107 +---------------------------
+ fs/cifs/readdir.c | 2 +
+ fs/cifs/smb1ops.c | 56 +++++++++------
+ fs/cifs/smb2file.c | 127 +++++++++++++++++++++++++++------
+ fs/cifs/smb2inode.c | 169 ++++++++++++++++++++++---------------------
+ fs/cifs/smb2ops.c | 109 ++++++----------------------
+ fs/cifs/smb2pdu.h | 3 +
+ fs/cifs/smb2proto.h | 22 +++---
+ 14 files changed, 451 insertions(+), 453 deletions(-)
+
+diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
+index ccad85feb24e..ad683048e5ce 100644
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -396,6 +396,7 @@ cifs_alloc_inode(struct super_block *sb)
+ cifs_inode->epoch = 0;
+ spin_lock_init(&cifs_inode->open_file_lock);
+ generate_random_uuid(cifs_inode->lease_key);
++ cifs_inode->symlink_target = NULL;
+
+ /*
+ * Can not set i_flags here - they get immediately overwritten to zero
+@@ -412,7 +413,11 @@ cifs_alloc_inode(struct super_block *sb)
+ static void
+ cifs_free_inode(struct inode *inode)
+ {
+- kmem_cache_free(cifs_inode_cachep, CIFS_I(inode));
++ struct cifsInodeInfo *cinode = CIFS_I(inode);
++
++ if (S_ISLNK(inode->i_mode))
++ kfree(cinode->symlink_target);
++ kmem_cache_free(cifs_inode_cachep, cinode);
+ }
+
+ static void
+@@ -1139,7 +1144,7 @@ const struct inode_operations cifs_file_inode_ops = {
+ };
+
+ const struct inode_operations cifs_symlink_inode_ops = {
+- .get_link = cifs_get_link,
++ .get_link = simple_get_link,
+ .permission = cifs_permission,
+ .listxattr = cifs_listxattr,
+ };
+diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
+index ae7f571a7dba..333022028bb0 100644
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -195,6 +195,19 @@ struct cifs_cred {
+ struct cifs_ace *aces;
+ };
+
++struct cifs_open_info_data {
++ char *symlink_target;
++ union {
++ struct smb2_file_all_info fi;
++ struct smb311_posix_qinfo posix_fi;
++ };
++};
++
++static inline void cifs_free_open_info(struct cifs_open_info_data *data)
++{
++ kfree(data->symlink_target);
++}
++
+ /*
+ *****************************************************************
+ * Except the CIFS PDUs themselves all the
+@@ -317,20 +330,20 @@ struct smb_version_operations {
+ int (*is_path_accessible)(const unsigned int, struct cifs_tcon *,
+ struct cifs_sb_info *, const char *);
+ /* query path data from the server */
+- int (*query_path_info)(const unsigned int, struct cifs_tcon *,
+- struct cifs_sb_info *, const char *,
+- FILE_ALL_INFO *, bool *, bool *);
++ int (*query_path_info)(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ struct cifs_open_info_data *data, bool *adjust_tz, bool *reparse);
+ /* query file data from the server */
+- int (*query_file_info)(const unsigned int, struct cifs_tcon *,
+- struct cifs_fid *, FILE_ALL_INFO *);
++ int (*query_file_info)(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifsFileInfo *cfile, struct cifs_open_info_data *data);
+ /* query reparse tag from srv to determine which type of special file */
+ int (*query_reparse_tag)(const unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_sb_info *cifs_sb, const char *path,
+ __u32 *reparse_tag);
+ /* get server index number */
+- int (*get_srv_inum)(const unsigned int, struct cifs_tcon *,
+- struct cifs_sb_info *, const char *,
+- u64 *uniqueid, FILE_ALL_INFO *);
++ int (*get_srv_inum)(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path, u64 *uniqueid,
++ struct cifs_open_info_data *data);
+ /* set size by path */
+ int (*set_path_size)(const unsigned int, struct cifs_tcon *,
+ const char *, __u64, struct cifs_sb_info *, bool);
+@@ -379,8 +392,8 @@ struct smb_version_operations {
+ struct cifs_sb_info *, const char *,
+ char **, bool);
+ /* open a file for non-posix mounts */
+- int (*open)(const unsigned int, struct cifs_open_parms *,
+- __u32 *, FILE_ALL_INFO *);
++ int (*open)(const unsigned int xid, struct cifs_open_parms *oparms, __u32 *oplock,
++ void *buf);
+ /* set fid protocol-specific info */
+ void (*set_fid)(struct cifsFileInfo *, struct cifs_fid *, __u32);
+ /* close a file */
+@@ -1133,6 +1146,7 @@ struct cifs_fattr {
+ struct timespec64 cf_mtime;
+ struct timespec64 cf_ctime;
+ u32 cf_cifstag;
++ char *cf_symlink_target;
+ };
+
+ /*
+@@ -1395,6 +1409,7 @@ struct cifsFileInfo {
+ struct work_struct put; /* work for the final part of _put */
+ struct delayed_work deferred;
+ bool deferred_close_scheduled; /* Flag to indicate close is scheduled */
++ char *symlink_target;
+ };
+
+ struct cifs_io_parms {
+@@ -1553,6 +1568,7 @@ struct cifsInodeInfo {
+ struct list_head deferred_closes; /* list of deferred closes */
+ spinlock_t deferred_lock; /* protection on deferred list */
+ bool lease_granted; /* Flag to indicate whether lease or oplock is granted. */
++ char *symlink_target;
+ };
+
+ static inline struct cifsInodeInfo *
+@@ -2121,4 +2137,14 @@ static inline size_t ntlmssp_workstation_name_size(const struct cifs_ses *ses)
+ return sizeof(ses->workstation_name);
+ }
+
++static inline void move_cifs_info_to_smb2(struct smb2_file_all_info *dst, const FILE_ALL_INFO *src)
++{
++ memcpy(dst, src, (size_t)((u8 *)&src->AccessFlags - (u8 *)src));
++ dst->AccessFlags = src->AccessFlags;
++ dst->CurrentByteOffset = src->CurrentByteOffset;
++ dst->Mode = src->Mode;
++ dst->AlignmentRequirement = src->AlignmentRequirement;
++ dst->FileNameLength = src->FileNameLength;
++}
++
+ #endif /* _CIFS_GLOB_H */
+diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
+index 71386978858e..372ff64a285b 100644
+--- a/fs/cifs/cifsproto.h
++++ b/fs/cifs/cifsproto.h
+@@ -182,10 +182,9 @@ extern int cifs_unlock_range(struct cifsFileInfo *cfile,
+ extern int cifs_push_mandatory_locks(struct cifsFileInfo *cfile);
+
+ extern void cifs_down_write(struct rw_semaphore *sem);
+-extern struct cifsFileInfo *cifs_new_fileinfo(struct cifs_fid *fid,
+- struct file *file,
+- struct tcon_link *tlink,
+- __u32 oplock);
++struct cifsFileInfo *cifs_new_fileinfo(struct cifs_fid *fid, struct file *file,
++ struct tcon_link *tlink, __u32 oplock,
++ const char *symlink_target);
+ extern int cifs_posix_open(const char *full_path, struct inode **inode,
+ struct super_block *sb, int mode,
+ unsigned int f_flags, __u32 *oplock, __u16 *netfid,
+@@ -200,9 +199,9 @@ extern int cifs_fattr_to_inode(struct inode *inode, struct cifs_fattr *fattr);
+ extern struct inode *cifs_iget(struct super_block *sb,
+ struct cifs_fattr *fattr);
+
+-extern int cifs_get_inode_info(struct inode **inode, const char *full_path,
+- FILE_ALL_INFO *data, struct super_block *sb,
+- int xid, const struct cifs_fid *fid);
++int cifs_get_inode_info(struct inode **inode, const char *full_path,
++ struct cifs_open_info_data *data, struct super_block *sb, int xid,
++ const struct cifs_fid *fid);
+ extern int smb311_posix_get_inode_info(struct inode **pinode, const char *search_path,
+ struct super_block *sb, unsigned int xid);
+ extern int cifs_get_inode_info_unix(struct inode **pinode,
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 05c78a18ade0..c85816cf2d9b 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -165,10 +165,9 @@ check_name(struct dentry *direntry, struct cifs_tcon *tcon)
+
+ /* Inode operations in similar order to how they appear in Linux file fs.h */
+
+-static int
+-cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
+- struct tcon_link *tlink, unsigned oflags, umode_t mode,
+- __u32 *oplock, struct cifs_fid *fid)
++static int cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
++ struct tcon_link *tlink, unsigned int oflags, umode_t mode, __u32 *oplock,
++ struct cifs_fid *fid, struct cifs_open_info_data *buf)
+ {
+ int rc = -ENOENT;
+ int create_options = CREATE_NOT_DIR;
+@@ -177,7 +176,6 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
+ struct cifs_tcon *tcon = tlink_tcon(tlink);
+ const char *full_path;
+ void *page = alloc_dentry_path();
+- FILE_ALL_INFO *buf = NULL;
+ struct inode *newinode = NULL;
+ int disposition;
+ struct TCP_Server_Info *server = tcon->ses->server;
+@@ -290,12 +288,6 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
+ goto out;
+ }
+
+- buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+- if (buf == NULL) {
+- rc = -ENOMEM;
+- goto out;
+- }
+-
+ /*
+ * if we're not using unix extensions, see if we need to set
+ * ATTR_READONLY on the create call
+@@ -364,8 +356,7 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
+ {
+ #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
+ /* TODO: Add support for calling POSIX query info here, but passing in fid */
+- rc = cifs_get_inode_info(&newinode, full_path, buf, inode->i_sb,
+- xid, fid);
++ rc = cifs_get_inode_info(&newinode, full_path, buf, inode->i_sb, xid, fid);
+ if (newinode) {
+ if (server->ops->set_lease_key)
+ server->ops->set_lease_key(newinode, fid);
+@@ -402,7 +393,6 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
+ d_add(direntry, newinode);
+
+ out:
+- kfree(buf);
+ free_dentry_path(page);
+ return rc;
+
+@@ -427,6 +417,7 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
+ struct cifs_pending_open open;
+ __u32 oplock;
+ struct cifsFileInfo *file_info;
++ struct cifs_open_info_data buf = {};
+
+ if (unlikely(cifs_forced_shutdown(CIFS_SB(inode->i_sb))))
+ return -EIO;
+@@ -484,8 +475,7 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
+ cifs_add_pending_open(&fid, tlink, &open);
+
+ rc = cifs_do_create(inode, direntry, xid, tlink, oflags, mode,
+- &oplock, &fid);
+-
++ &oplock, &fid, &buf);
+ if (rc) {
+ cifs_del_pending_open(&open);
+ goto out;
+@@ -510,7 +500,7 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
+ file->f_op = &cifs_file_direct_ops;
+ }
+
+- file_info = cifs_new_fileinfo(&fid, file, tlink, oplock);
++ file_info = cifs_new_fileinfo(&fid, file, tlink, oplock, buf.symlink_target);
+ if (file_info == NULL) {
+ if (server->ops->close)
+ server->ops->close(xid, tcon, &fid);
+@@ -526,6 +516,7 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
+ cifs_put_tlink(tlink);
+ out_free_xid:
+ free_xid(xid);
++ cifs_free_open_info(&buf);
+ return rc;
+ }
+
+@@ -547,6 +538,7 @@ int cifs_create(struct user_namespace *mnt_userns, struct inode *inode,
+ struct TCP_Server_Info *server;
+ struct cifs_fid fid;
+ __u32 oplock;
++ struct cifs_open_info_data buf = {};
+
+ cifs_dbg(FYI, "cifs_create parent inode = 0x%p name is: %pd and dentry = 0x%p\n",
+ inode, direntry, direntry);
+@@ -567,11 +559,11 @@ int cifs_create(struct user_namespace *mnt_userns, struct inode *inode,
+ if (server->ops->new_lease_key)
+ server->ops->new_lease_key(&fid);
+
+- rc = cifs_do_create(inode, direntry, xid, tlink, oflags, mode,
+- &oplock, &fid);
++ rc = cifs_do_create(inode, direntry, xid, tlink, oflags, mode, &oplock, &fid, &buf);
+ if (!rc && server->ops->close)
+ server->ops->close(xid, tcon, &fid);
+
++ cifs_free_open_info(&buf);
+ cifs_put_tlink(tlink);
+ out_free_xid:
+ free_xid(xid);
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 5c045dd69784..391fd2580dab 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -209,16 +209,14 @@ int cifs_posix_open(const char *full_path, struct inode **pinode,
+ }
+ #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
+
+-static int
+-cifs_nt_open(const char *full_path, struct inode *inode, struct cifs_sb_info *cifs_sb,
+- struct cifs_tcon *tcon, unsigned int f_flags, __u32 *oplock,
+- struct cifs_fid *fid, unsigned int xid)
++static int cifs_nt_open(const char *full_path, struct inode *inode, struct cifs_sb_info *cifs_sb,
++ struct cifs_tcon *tcon, unsigned int f_flags, __u32 *oplock,
++ struct cifs_fid *fid, unsigned int xid, struct cifs_open_info_data *buf)
+ {
+ int rc;
+ int desired_access;
+ int disposition;
+ int create_options = CREATE_NOT_DIR;
+- FILE_ALL_INFO *buf;
+ struct TCP_Server_Info *server = tcon->ses->server;
+ struct cifs_open_parms oparms;
+
+@@ -255,10 +253,6 @@ cifs_nt_open(const char *full_path, struct inode *inode, struct cifs_sb_info *ci
+
+ /* BB pass O_SYNC flag through on file attributes .. BB */
+
+- buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+- if (!buf)
+- return -ENOMEM;
+-
+ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+ if (f_flags & O_SYNC)
+ create_options |= CREATE_WRITE_THROUGH;
+@@ -276,9 +270,8 @@ cifs_nt_open(const char *full_path, struct inode *inode, struct cifs_sb_info *ci
+ oparms.reconnect = false;
+
+ rc = server->ops->open(xid, &oparms, oplock, buf);
+-
+ if (rc)
+- goto out;
++ return rc;
+
+ /* TODO: Add support for calling posix query info but with passing in fid */
+ if (tcon->unix_ext)
+@@ -294,8 +287,6 @@ cifs_nt_open(const char *full_path, struct inode *inode, struct cifs_sb_info *ci
+ rc = -EOPENSTALE;
+ }
+
+-out:
+- kfree(buf);
+ return rc;
+ }
+
+@@ -325,9 +316,9 @@ cifs_down_write(struct rw_semaphore *sem)
+
+ static void cifsFileInfo_put_work(struct work_struct *work);
+
+-struct cifsFileInfo *
+-cifs_new_fileinfo(struct cifs_fid *fid, struct file *file,
+- struct tcon_link *tlink, __u32 oplock)
++struct cifsFileInfo *cifs_new_fileinfo(struct cifs_fid *fid, struct file *file,
++ struct tcon_link *tlink, __u32 oplock,
++ const char *symlink_target)
+ {
+ struct dentry *dentry = file_dentry(file);
+ struct inode *inode = d_inode(dentry);
+@@ -347,6 +338,15 @@ cifs_new_fileinfo(struct cifs_fid *fid, struct file *file,
+ return NULL;
+ }
+
++ if (symlink_target) {
++ cfile->symlink_target = kstrdup(symlink_target, GFP_KERNEL);
++ if (!cfile->symlink_target) {
++ kfree(fdlocks);
++ kfree(cfile);
++ return NULL;
++ }
++ }
++
+ INIT_LIST_HEAD(&fdlocks->locks);
+ fdlocks->cfile = cfile;
+ cfile->llist = fdlocks;
+@@ -440,6 +440,7 @@ static void cifsFileInfo_put_final(struct cifsFileInfo *cifs_file)
+ cifs_put_tlink(cifs_file->tlink);
+ dput(cifs_file->dentry);
+ cifs_sb_deactive(sb);
++ kfree(cifs_file->symlink_target);
+ kfree(cifs_file);
+ }
+
+@@ -572,6 +573,7 @@ int cifs_open(struct inode *inode, struct file *file)
+ bool posix_open_ok = false;
+ struct cifs_fid fid;
+ struct cifs_pending_open open;
++ struct cifs_open_info_data data = {};
+
+ xid = get_xid();
+
+@@ -662,15 +664,15 @@ int cifs_open(struct inode *inode, struct file *file)
+ if (server->ops->get_lease_key)
+ server->ops->get_lease_key(inode, &fid);
+
+- rc = cifs_nt_open(full_path, inode, cifs_sb, tcon,
+- file->f_flags, &oplock, &fid, xid);
++ rc = cifs_nt_open(full_path, inode, cifs_sb, tcon, file->f_flags, &oplock, &fid,
++ xid, &data);
+ if (rc) {
+ cifs_del_pending_open(&open);
+ goto out;
+ }
+ }
+
+- cfile = cifs_new_fileinfo(&fid, file, tlink, oplock);
++ cfile = cifs_new_fileinfo(&fid, file, tlink, oplock, data.symlink_target);
+ if (cfile == NULL) {
+ if (server->ops->close)
+ server->ops->close(xid, tcon, &fid);
+@@ -712,6 +714,7 @@ int cifs_open(struct inode *inode, struct file *file)
+ free_dentry_path(page);
+ free_xid(xid);
+ cifs_put_tlink(tlink);
++ cifs_free_open_info(&data);
+ return rc;
+ }
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index bac08c20f559..c1ea821899f8 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -210,6 +210,17 @@ cifs_fattr_to_inode(struct inode *inode, struct cifs_fattr *fattr)
+ */
+ inode->i_blocks = (512 - 1 + fattr->cf_bytes) >> 9;
+ }
++
++ if (S_ISLNK(fattr->cf_mode)) {
++ kfree(cifs_i->symlink_target);
++ cifs_i->symlink_target = fattr->cf_symlink_target;
++ fattr->cf_symlink_target = NULL;
++
++ if (unlikely(!cifs_i->symlink_target))
++ inode->i_link = ERR_PTR(-EOPNOTSUPP);
++ else
++ inode->i_link = cifs_i->symlink_target;
++ }
+ spin_unlock(&inode->i_lock);
+
+ if (fattr->cf_flags & CIFS_FATTR_DFS_REFERRAL)
+@@ -347,13 +358,20 @@ cifs_get_file_info_unix(struct file *filp)
+ int rc;
+ unsigned int xid;
+ FILE_UNIX_BASIC_INFO find_data;
+- struct cifs_fattr fattr;
++ struct cifs_fattr fattr = {};
+ struct inode *inode = file_inode(filp);
+ struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+ struct cifsFileInfo *cfile = filp->private_data;
+ struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
+
+ xid = get_xid();
++
++ if (cfile->symlink_target) {
++ fattr.cf_symlink_target = kstrdup(cfile->symlink_target, GFP_KERNEL);
++ if (!fattr.cf_symlink_target)
++ return -ENOMEM;
++ }
++
+ rc = CIFSSMBUnixQFileInfo(xid, tcon, cfile->fid.netfid, &find_data);
+ if (!rc) {
+ cifs_unix_basic_to_fattr(&fattr, &find_data, cifs_sb);
+@@ -378,6 +396,7 @@ int cifs_get_inode_info_unix(struct inode **pinode,
+ FILE_UNIX_BASIC_INFO find_data;
+ struct cifs_fattr fattr;
+ struct cifs_tcon *tcon;
++ struct TCP_Server_Info *server;
+ struct tcon_link *tlink;
+ struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
+
+@@ -387,10 +406,12 @@ int cifs_get_inode_info_unix(struct inode **pinode,
+ if (IS_ERR(tlink))
+ return PTR_ERR(tlink);
+ tcon = tlink_tcon(tlink);
++ server = tcon->ses->server;
+
+ /* could have done a find first instead but this returns more info */
+ rc = CIFSSMBUnixQPathInfo(xid, tcon, full_path, &find_data,
+ cifs_sb->local_nls, cifs_remap(cifs_sb));
++ cifs_dbg(FYI, "%s: query path info: rc = %d\n", __func__, rc);
+ cifs_put_tlink(tlink);
+
+ if (!rc) {
+@@ -410,6 +431,17 @@ int cifs_get_inode_info_unix(struct inode **pinode,
+ cifs_dbg(FYI, "check_mf_symlink: %d\n", tmprc);
+ }
+
++ if (S_ISLNK(fattr.cf_mode) && !fattr.cf_symlink_target) {
++ if (!server->ops->query_symlink)
++ return -EOPNOTSUPP;
++ rc = server->ops->query_symlink(xid, tcon, cifs_sb, full_path,
++ &fattr.cf_symlink_target, false);
++ if (rc) {
++ cifs_dbg(FYI, "%s: query_symlink: %d\n", __func__, rc);
++ goto cgiiu_exit;
++ }
++ }
++
+ if (*pinode == NULL) {
+ /* get new inode */
+ cifs_fill_uniqueid(sb, &fattr);
+@@ -432,6 +464,7 @@ int cifs_get_inode_info_unix(struct inode **pinode,
+ }
+
+ cgiiu_exit:
++ kfree(fattr.cf_symlink_target);
+ return rc;
+ }
+ #else
+@@ -601,10 +634,10 @@ static int cifs_sfu_mode(struct cifs_fattr *fattr, const unsigned char *path,
+ }
+
+ /* Fill a cifs_fattr struct with info from POSIX info struct */
+-static void
+-smb311_posix_info_to_fattr(struct cifs_fattr *fattr, struct smb311_posix_qinfo *info,
+- struct super_block *sb, bool adjust_tz, bool symlink)
++static void smb311_posix_info_to_fattr(struct cifs_fattr *fattr, struct cifs_open_info_data *data,
++ struct super_block *sb, bool adjust_tz, bool symlink)
+ {
++ struct smb311_posix_qinfo *info = &data->posix_fi;
+ struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
+ struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+
+@@ -639,6 +672,8 @@ smb311_posix_info_to_fattr(struct cifs_fattr *fattr, struct smb311_posix_qinfo *
+ if (symlink) {
+ fattr->cf_mode |= S_IFLNK;
+ fattr->cf_dtype = DT_LNK;
++ fattr->cf_symlink_target = data->symlink_target;
++ data->symlink_target = NULL;
+ } else if (fattr->cf_cifsattrs & ATTR_DIRECTORY) {
+ fattr->cf_mode |= S_IFDIR;
+ fattr->cf_dtype = DT_DIR;
+@@ -655,13 +690,11 @@ smb311_posix_info_to_fattr(struct cifs_fattr *fattr, struct smb311_posix_qinfo *
+ fattr->cf_mode, fattr->cf_uniqueid, fattr->cf_nlink);
+ }
+
+-
+-/* Fill a cifs_fattr struct with info from FILE_ALL_INFO */
+-static void
+-cifs_all_info_to_fattr(struct cifs_fattr *fattr, FILE_ALL_INFO *info,
+- struct super_block *sb, bool adjust_tz,
+- bool symlink, u32 reparse_tag)
++static void cifs_open_info_to_fattr(struct cifs_fattr *fattr, struct cifs_open_info_data *data,
++ struct super_block *sb, bool adjust_tz, bool symlink,
++ u32 reparse_tag)
+ {
++ struct smb2_file_all_info *info = &data->fi;
+ struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
+ struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+
+@@ -703,7 +736,8 @@ cifs_all_info_to_fattr(struct cifs_fattr *fattr, FILE_ALL_INFO *info,
+ } else if (reparse_tag == IO_REPARSE_TAG_LX_BLK) {
+ fattr->cf_mode |= S_IFBLK | cifs_sb->ctx->file_mode;
+ fattr->cf_dtype = DT_BLK;
+- } else if (symlink) { /* TODO add more reparse tag checks */
++ } else if (symlink || reparse_tag == IO_REPARSE_TAG_SYMLINK ||
++ reparse_tag == IO_REPARSE_TAG_NFS) {
+ fattr->cf_mode = S_IFLNK;
+ fattr->cf_dtype = DT_LNK;
+ } else if (fattr->cf_cifsattrs & ATTR_DIRECTORY) {
+@@ -735,6 +769,11 @@ cifs_all_info_to_fattr(struct cifs_fattr *fattr, FILE_ALL_INFO *info,
+ }
+ }
+
++ if (S_ISLNK(fattr->cf_mode)) {
++ fattr->cf_symlink_target = data->symlink_target;
++ data->symlink_target = NULL;
++ }
++
+ fattr->cf_uid = cifs_sb->ctx->linux_uid;
+ fattr->cf_gid = cifs_sb->ctx->linux_gid;
+ }
+@@ -744,23 +783,28 @@ cifs_get_file_info(struct file *filp)
+ {
+ int rc;
+ unsigned int xid;
+- FILE_ALL_INFO find_data;
++ struct cifs_open_info_data data = {};
+ struct cifs_fattr fattr;
+ struct inode *inode = file_inode(filp);
+ struct cifsFileInfo *cfile = filp->private_data;
+ struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
+ struct TCP_Server_Info *server = tcon->ses->server;
++ bool symlink = false;
++ u32 tag = 0;
+
+ if (!server->ops->query_file_info)
+ return -ENOSYS;
+
+ xid = get_xid();
+- rc = server->ops->query_file_info(xid, tcon, &cfile->fid, &find_data);
++ rc = server->ops->query_file_info(xid, tcon, cfile, &data);
+ switch (rc) {
+ case 0:
+ /* TODO: add support to query reparse tag */
+- cifs_all_info_to_fattr(&fattr, &find_data, inode->i_sb, false,
+- false, 0 /* no reparse tag */);
++ if (data.symlink_target) {
++ symlink = true;
++ tag = IO_REPARSE_TAG_SYMLINK;
++ }
++ cifs_open_info_to_fattr(&fattr, &data, inode->i_sb, false, symlink, tag);
+ break;
+ case -EREMOTE:
+ cifs_create_dfs_fattr(&fattr, inode->i_sb);
+@@ -789,6 +833,7 @@ cifs_get_file_info(struct file *filp)
+ /* if filetype is different, return error */
+ rc = cifs_fattr_to_inode(inode, &fattr);
+ cgfi_exit:
++ cifs_free_open_info(&data);
+ free_xid(xid);
+ return rc;
+ }
+@@ -860,14 +905,9 @@ cifs_backup_query_path_info(int xid,
+ }
+ #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
+
+-static void
+-cifs_set_fattr_ino(int xid,
+- struct cifs_tcon *tcon,
+- struct super_block *sb,
+- struct inode **inode,
+- const char *full_path,
+- FILE_ALL_INFO *data,
+- struct cifs_fattr *fattr)
++static void cifs_set_fattr_ino(int xid, struct cifs_tcon *tcon, struct super_block *sb,
++ struct inode **inode, const char *full_path,
++ struct cifs_open_info_data *data, struct cifs_fattr *fattr)
+ {
+ struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
+ struct TCP_Server_Info *server = tcon->ses->server;
+@@ -885,11 +925,8 @@ cifs_set_fattr_ino(int xid,
+ * If we have an inode pass a NULL tcon to ensure we don't
+ * make a round trip to the server. This only works for SMB2+.
+ */
+- rc = server->ops->get_srv_inum(xid,
+- *inode ? NULL : tcon,
+- cifs_sb, full_path,
+- &fattr->cf_uniqueid,
+- data);
++ rc = server->ops->get_srv_inum(xid, *inode ? NULL : tcon, cifs_sb, full_path,
++ &fattr->cf_uniqueid, data);
+ if (rc) {
+ /*
+ * If that fails reuse existing ino or generate one
+@@ -923,14 +960,10 @@ static inline bool is_inode_cache_good(struct inode *ino)
+ return ino && CIFS_CACHE_READ(CIFS_I(ino)) && CIFS_I(ino)->time != 0;
+ }
+
+-int
+-cifs_get_inode_info(struct inode **inode,
+- const char *full_path,
+- FILE_ALL_INFO *in_data,
+- struct super_block *sb, int xid,
+- const struct cifs_fid *fid)
++int cifs_get_inode_info(struct inode **inode, const char *full_path,
++ struct cifs_open_info_data *data, struct super_block *sb, int xid,
++ const struct cifs_fid *fid)
+ {
+-
+ struct cifs_tcon *tcon;
+ struct TCP_Server_Info *server;
+ struct tcon_link *tlink;
+@@ -938,8 +971,7 @@ cifs_get_inode_info(struct inode **inode,
+ bool adjust_tz = false;
+ struct cifs_fattr fattr = {0};
+ bool is_reparse_point = false;
+- FILE_ALL_INFO *data = in_data;
+- FILE_ALL_INFO *tmp_data = NULL;
++ struct cifs_open_info_data tmp_data = {};
+ void *smb1_backup_rsp_buf = NULL;
+ int rc = 0;
+ int tmprc = 0;
+@@ -960,21 +992,15 @@ cifs_get_inode_info(struct inode **inode,
+ cifs_dbg(FYI, "No need to revalidate cached inode sizes\n");
+ goto out;
+ }
+- tmp_data = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+- if (!tmp_data) {
+- rc = -ENOMEM;
+- goto out;
+- }
+- rc = server->ops->query_path_info(xid, tcon, cifs_sb,
+- full_path, tmp_data,
+- &adjust_tz, &is_reparse_point);
++ rc = server->ops->query_path_info(xid, tcon, cifs_sb, full_path, &tmp_data,
++ &adjust_tz, &is_reparse_point);
+ #ifdef CONFIG_CIFS_DFS_UPCALL
+ if (rc == -ENOENT && is_tcon_dfs(tcon))
+ rc = cifs_dfs_query_info_nonascii_quirk(xid, tcon,
+ cifs_sb,
+ full_path);
+ #endif
+- data = tmp_data;
++ data = &tmp_data;
+ }
+
+ /*
+@@ -988,14 +1014,24 @@ cifs_get_inode_info(struct inode **inode,
+ * since we have to check if its reparse tag matches a known
+ * special file type e.g. symlink or fifo or char etc.
+ */
+- if ((le32_to_cpu(data->Attributes) & ATTR_REPARSE) &&
+- server->ops->query_reparse_tag) {
+- rc = server->ops->query_reparse_tag(xid, tcon, cifs_sb,
+- full_path, &reparse_tag);
+- cifs_dbg(FYI, "reparse tag 0x%x\n", reparse_tag);
++ if (is_reparse_point && data->symlink_target) {
++ reparse_tag = IO_REPARSE_TAG_SYMLINK;
++ } else if ((le32_to_cpu(data->fi.Attributes) & ATTR_REPARSE) &&
++ server->ops->query_reparse_tag) {
++ tmprc = server->ops->query_reparse_tag(xid, tcon, cifs_sb, full_path,
++ &reparse_tag);
++ if (tmprc)
++ cifs_dbg(FYI, "%s: query_reparse_tag: rc = %d\n", __func__, tmprc);
++ if (server->ops->query_symlink) {
++ tmprc = server->ops->query_symlink(xid, tcon, cifs_sb, full_path,
++ &data->symlink_target,
++ is_reparse_point);
++ if (tmprc)
++ cifs_dbg(FYI, "%s: query_symlink: rc = %d\n", __func__,
++ tmprc);
++ }
+ }
+- cifs_all_info_to_fattr(&fattr, data, sb, adjust_tz,
+- is_reparse_point, reparse_tag);
++ cifs_open_info_to_fattr(&fattr, data, sb, adjust_tz, is_reparse_point, reparse_tag);
+ break;
+ case -EREMOTE:
+ /* DFS link, no metadata available on this server */
+@@ -1014,18 +1050,20 @@ cifs_get_inode_info(struct inode **inode,
+ */
+ if (backup_cred(cifs_sb) && is_smb1_server(server)) {
+ /* for easier reading */
++ FILE_ALL_INFO *fi;
+ FILE_DIRECTORY_INFO *fdi;
+ SEARCH_ID_FULL_DIR_INFO *si;
+
+ rc = cifs_backup_query_path_info(xid, tcon, sb,
+ full_path,
+ &smb1_backup_rsp_buf,
+- &data);
++ &fi);
+ if (rc)
+ goto out;
+
+- fdi = (FILE_DIRECTORY_INFO *)data;
+- si = (SEARCH_ID_FULL_DIR_INFO *)data;
++ move_cifs_info_to_smb2(&data->fi, fi);
++ fdi = (FILE_DIRECTORY_INFO *)fi;
++ si = (SEARCH_ID_FULL_DIR_INFO *)fi;
+
+ cifs_dir_info_to_fattr(&fattr, fdi, cifs_sb);
+ fattr.cf_uniqueid = le64_to_cpu(si->UniqueId);
+@@ -1123,7 +1161,8 @@ cifs_get_inode_info(struct inode **inode,
+ out:
+ cifs_buf_release(smb1_backup_rsp_buf);
+ cifs_put_tlink(tlink);
+- kfree(tmp_data);
++ cifs_free_open_info(&tmp_data);
++ kfree(fattr.cf_symlink_target);
+ return rc;
+ }
+
+@@ -1138,7 +1177,7 @@ smb311_posix_get_inode_info(struct inode **inode,
+ bool adjust_tz = false;
+ struct cifs_fattr fattr = {0};
+ bool symlink = false;
+- struct smb311_posix_qinfo *data = NULL;
++ struct cifs_open_info_data data = {};
+ int rc = 0;
+ int tmprc = 0;
+
+@@ -1155,15 +1194,9 @@ smb311_posix_get_inode_info(struct inode **inode,
+ cifs_dbg(FYI, "No need to revalidate cached inode sizes\n");
+ goto out;
+ }
+- data = kmalloc(sizeof(struct smb311_posix_qinfo), GFP_KERNEL);
+- if (!data) {
+- rc = -ENOMEM;
+- goto out;
+- }
+
+- rc = smb311_posix_query_path_info(xid, tcon, cifs_sb,
+- full_path, data,
+- &adjust_tz, &symlink);
++ rc = smb311_posix_query_path_info(xid, tcon, cifs_sb, full_path, &data, &adjust_tz,
++ &symlink);
+
+ /*
+ * 2. Convert it to internal cifs metadata (fattr)
+@@ -1171,7 +1204,7 @@ smb311_posix_get_inode_info(struct inode **inode,
+
+ switch (rc) {
+ case 0:
+- smb311_posix_info_to_fattr(&fattr, data, sb, adjust_tz, symlink);
++ smb311_posix_info_to_fattr(&fattr, &data, sb, adjust_tz, symlink);
+ break;
+ case -EREMOTE:
+ /* DFS link, no metadata available on this server */
+@@ -1228,7 +1261,8 @@ smb311_posix_get_inode_info(struct inode **inode,
+ }
+ out:
+ cifs_put_tlink(tlink);
+- kfree(data);
++ cifs_free_open_info(&data);
++ kfree(fattr.cf_symlink_target);
+ return rc;
+ }
+
+diff --git a/fs/cifs/link.c b/fs/cifs/link.c
+index 6803cb27eecc..8042dbdd182b 100644
+--- a/fs/cifs/link.c
++++ b/fs/cifs/link.c
+@@ -202,40 +202,6 @@ create_mf_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+ return rc;
+ }
+
+-static int
+-query_mf_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *cifs_sb, const unsigned char *path,
+- char **symlinkinfo)
+-{
+- int rc;
+- u8 *buf = NULL;
+- unsigned int link_len = 0;
+- unsigned int bytes_read = 0;
+-
+- buf = kmalloc(CIFS_MF_SYMLINK_FILE_SIZE, GFP_KERNEL);
+- if (!buf)
+- return -ENOMEM;
+-
+- if (tcon->ses->server->ops->query_mf_symlink)
+- rc = tcon->ses->server->ops->query_mf_symlink(xid, tcon,
+- cifs_sb, path, buf, &bytes_read);
+- else
+- rc = -ENOSYS;
+-
+- if (rc)
+- goto out;
+-
+- if (bytes_read == 0) { /* not a symlink */
+- rc = -EINVAL;
+- goto out;
+- }
+-
+- rc = parse_mf_symlink(buf, bytes_read, &link_len, symlinkinfo);
+-out:
+- kfree(buf);
+- return rc;
+-}
+-
+ int
+ check_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_sb_info *cifs_sb, struct cifs_fattr *fattr,
+@@ -245,6 +211,7 @@ check_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
+ u8 *buf = NULL;
+ unsigned int link_len = 0;
+ unsigned int bytes_read = 0;
++ char *symlink = NULL;
+
+ if (!couldbe_mf_symlink(fattr))
+ /* it's not a symlink */
+@@ -266,7 +233,7 @@ check_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
+ if (bytes_read == 0) /* not a symlink */
+ goto out;
+
+- rc = parse_mf_symlink(buf, bytes_read, &link_len, NULL);
++ rc = parse_mf_symlink(buf, bytes_read, &link_len, &symlink);
+ if (rc == -EINVAL) {
+ /* it's not a symlink */
+ rc = 0;
+@@ -281,6 +248,7 @@ check_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
+ fattr->cf_mode &= ~S_IFMT;
+ fattr->cf_mode |= S_IFLNK | S_IRWXU | S_IRWXG | S_IRWXO;
+ fattr->cf_dtype = DT_LNK;
++ fattr->cf_symlink_target = symlink;
+ out:
+ kfree(buf);
+ return rc;
+@@ -600,75 +568,6 @@ cifs_hardlink(struct dentry *old_file, struct inode *inode,
+ return rc;
+ }
+
+-const char *
+-cifs_get_link(struct dentry *direntry, struct inode *inode,
+- struct delayed_call *done)
+-{
+- int rc = -ENOMEM;
+- unsigned int xid;
+- const char *full_path;
+- void *page;
+- char *target_path = NULL;
+- struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+- struct tcon_link *tlink = NULL;
+- struct cifs_tcon *tcon;
+- struct TCP_Server_Info *server;
+-
+- if (!direntry)
+- return ERR_PTR(-ECHILD);
+-
+- xid = get_xid();
+-
+- tlink = cifs_sb_tlink(cifs_sb);
+- if (IS_ERR(tlink)) {
+- free_xid(xid);
+- return ERR_CAST(tlink);
+- }
+- tcon = tlink_tcon(tlink);
+- server = tcon->ses->server;
+-
+- page = alloc_dentry_path();
+- full_path = build_path_from_dentry(direntry, page);
+- if (IS_ERR(full_path)) {
+- free_xid(xid);
+- cifs_put_tlink(tlink);
+- free_dentry_path(page);
+- return ERR_CAST(full_path);
+- }
+-
+- cifs_dbg(FYI, "Full path: %s inode = 0x%p\n", full_path, inode);
+-
+- rc = -EACCES;
+- /*
+- * First try Minshall+French Symlinks, if configured
+- * and fallback to UNIX Extensions Symlinks.
+- */
+- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MF_SYMLINKS)
+- rc = query_mf_symlink(xid, tcon, cifs_sb, full_path,
+- &target_path);
+-
+- if (rc != 0 && server->ops->query_symlink) {
+- struct cifsInodeInfo *cifsi = CIFS_I(inode);
+- bool reparse_point = false;
+-
+- if (cifsi->cifsAttrs & ATTR_REPARSE)
+- reparse_point = true;
+-
+- rc = server->ops->query_symlink(xid, tcon, cifs_sb, full_path,
+- &target_path, reparse_point);
+- }
+-
+- free_dentry_path(page);
+- free_xid(xid);
+- cifs_put_tlink(tlink);
+- if (rc != 0) {
+- kfree(target_path);
+- return ERR_PTR(rc);
+- }
+- set_delayed_call(done, kfree_link, target_path);
+- return target_path;
+-}
+-
+ int
+ cifs_symlink(struct user_namespace *mnt_userns, struct inode *inode,
+ struct dentry *direntry, const char *symname)
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index 8e060c00c969..6a78bcc51e81 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -994,6 +994,8 @@ static int cifs_filldir(char *find_entry, struct file *file,
+ cifs_unix_basic_to_fattr(&fattr,
+ &((FILE_UNIX_INFO *)find_entry)->basic,
+ cifs_sb);
++ if (S_ISLNK(fattr.cf_mode))
++ fattr.cf_flags |= CIFS_FATTR_NEED_REVAL;
+ break;
+ case SMB_FIND_FILE_INFO_STANDARD:
+ cifs_std_info_to_fattr(&fattr,
+diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
+index f36b2d2d40ca..50480751e521 100644
+--- a/fs/cifs/smb1ops.c
++++ b/fs/cifs/smb1ops.c
+@@ -542,31 +542,32 @@ cifs_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon,
+ return rc;
+ }
+
+-static int
+-cifs_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *cifs_sb, const char *full_path,
+- FILE_ALL_INFO *data, bool *adjustTZ, bool *symlink)
++static int cifs_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ struct cifs_open_info_data *data, bool *adjustTZ, bool *symlink)
+ {
+ int rc;
++ FILE_ALL_INFO fi = {};
+
+ *symlink = false;
+
+ /* could do find first instead but this returns more info */
+- rc = CIFSSMBQPathInfo(xid, tcon, full_path, data, 0 /* not legacy */,
+- cifs_sb->local_nls, cifs_remap(cifs_sb));
++ rc = CIFSSMBQPathInfo(xid, tcon, full_path, &fi, 0 /* not legacy */, cifs_sb->local_nls,
++ cifs_remap(cifs_sb));
+ /*
+ * BB optimize code so we do not make the above call when server claims
+ * no NT SMB support and the above call failed at least once - set flag
+ * in tcon or mount.
+ */
+ if ((rc == -EOPNOTSUPP) || (rc == -EINVAL)) {
+- rc = SMBQueryInformation(xid, tcon, full_path, data,
+- cifs_sb->local_nls,
++ rc = SMBQueryInformation(xid, tcon, full_path, &fi, cifs_sb->local_nls,
+ cifs_remap(cifs_sb));
++ if (!rc)
++ move_cifs_info_to_smb2(&data->fi, &fi);
+ *adjustTZ = true;
+ }
+
+- if (!rc && (le32_to_cpu(data->Attributes) & ATTR_REPARSE)) {
++ if (!rc && (le32_to_cpu(fi.Attributes) & ATTR_REPARSE)) {
+ int tmprc;
+ int oplock = 0;
+ struct cifs_fid fid;
+@@ -592,10 +593,9 @@ cifs_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+ return rc;
+ }
+
+-static int
+-cifs_get_srv_inum(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *cifs_sb, const char *full_path,
+- u64 *uniqueid, FILE_ALL_INFO *data)
++static int cifs_get_srv_inum(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ u64 *uniqueid, struct cifs_open_info_data *unused)
+ {
+ /*
+ * We can not use the IndexNumber field by default from Windows or
+@@ -613,11 +613,22 @@ cifs_get_srv_inum(const unsigned int xid, struct cifs_tcon *tcon,
+ cifs_remap(cifs_sb));
+ }
+
+-static int
+-cifs_query_file_info(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_fid *fid, FILE_ALL_INFO *data)
++static int cifs_query_file_info(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifsFileInfo *cfile, struct cifs_open_info_data *data)
+ {
+- return CIFSSMBQFileInfo(xid, tcon, fid->netfid, data);
++ int rc;
++ FILE_ALL_INFO fi = {};
++
++ if (cfile->symlink_target) {
++ data->symlink_target = kstrdup(cfile->symlink_target, GFP_KERNEL);
++ if (!data->symlink_target)
++ return -ENOMEM;
++ }
++
++ rc = CIFSSMBQFileInfo(xid, tcon, cfile->fid.netfid, &fi);
++ if (!rc)
++ move_cifs_info_to_smb2(&data->fi, &fi);
++ return rc;
+ }
+
+ static void
+@@ -702,19 +713,20 @@ cifs_mkdir_setinfo(struct inode *inode, const char *full_path,
+ cifsInode->cifsAttrs = dosattrs;
+ }
+
+-static int
+-cifs_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
+- __u32 *oplock, FILE_ALL_INFO *buf)
++static int cifs_open_file(const unsigned int xid, struct cifs_open_parms *oparms, __u32 *oplock,
++ void *buf)
+ {
++ FILE_ALL_INFO *fi = buf;
++
+ if (!(oparms->tcon->ses->capabilities & CAP_NT_SMBS))
+ return SMBLegacyOpen(xid, oparms->tcon, oparms->path,
+ oparms->disposition,
+ oparms->desired_access,
+ oparms->create_options,
+- &oparms->fid->netfid, oplock, buf,
++ &oparms->fid->netfid, oplock, fi,
+ oparms->cifs_sb->local_nls,
+ cifs_remap(oparms->cifs_sb));
+- return CIFS_open(xid, oparms, oplock, buf);
++ return CIFS_open(xid, oparms, oplock, fi);
+ }
+
+ static void
+diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
+index 9dfd2dd612c2..4992b43616a7 100644
+--- a/fs/cifs/smb2file.c
++++ b/fs/cifs/smb2file.c
+@@ -20,40 +20,125 @@
+ #include "cifs_unicode.h"
+ #include "fscache.h"
+ #include "smb2proto.h"
++#include "smb2status.h"
+
+-int
+-smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
+- __u32 *oplock, FILE_ALL_INFO *buf)
++static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
++{
++ struct smb2_err_rsp *err = iov->iov_base;
++ struct smb2_symlink_err_rsp *sym = ERR_PTR(-EINVAL);
++ u32 len;
++
++ if (err->ErrorContextCount) {
++ struct smb2_error_context_rsp *p, *end;
++
++ len = (u32)err->ErrorContextCount * (offsetof(struct smb2_error_context_rsp,
++ ErrorContextData) +
++ sizeof(struct smb2_symlink_err_rsp));
++ if (le32_to_cpu(err->ByteCount) < len || iov->iov_len < len + sizeof(*err))
++ return ERR_PTR(-EINVAL);
++
++ p = (struct smb2_error_context_rsp *)err->ErrorData;
++ end = (struct smb2_error_context_rsp *)((u8 *)err + iov->iov_len);
++ do {
++ if (le32_to_cpu(p->ErrorId) == SMB2_ERROR_ID_DEFAULT) {
++ sym = (struct smb2_symlink_err_rsp *)&p->ErrorContextData;
++ break;
++ }
++ cifs_dbg(FYI, "%s: skipping unhandled error context: 0x%x\n",
++ __func__, le32_to_cpu(p->ErrorId));
++
++ len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
++ p = (struct smb2_error_context_rsp *)((u8 *)&p->ErrorContextData + len);
++ } while (p < end);
++ } else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
++ iov->iov_len >= SMB2_SYMLINK_STRUCT_SIZE) {
++ sym = (struct smb2_symlink_err_rsp *)err->ErrorData;
++ }
++
++ if (!IS_ERR(sym) && (le32_to_cpu(sym->SymLinkErrorTag) != SYMLINK_ERROR_TAG ||
++ le32_to_cpu(sym->ReparseTag) != IO_REPARSE_TAG_SYMLINK))
++ sym = ERR_PTR(-EINVAL);
++
++ return sym;
++}
++
++int smb2_parse_symlink_response(struct cifs_sb_info *cifs_sb, const struct kvec *iov, char **path)
++{
++ struct smb2_symlink_err_rsp *sym;
++ unsigned int sub_offs, sub_len;
++ unsigned int print_offs, print_len;
++ char *s;
++
++ if (!cifs_sb || !iov || !iov->iov_base || !iov->iov_len || !path)
++ return -EINVAL;
++
++ sym = symlink_data(iov);
++ if (IS_ERR(sym))
++ return PTR_ERR(sym);
++
++ sub_len = le16_to_cpu(sym->SubstituteNameLength);
++ sub_offs = le16_to_cpu(sym->SubstituteNameOffset);
++ print_len = le16_to_cpu(sym->PrintNameLength);
++ print_offs = le16_to_cpu(sym->PrintNameOffset);
++
++ if (iov->iov_len < SMB2_SYMLINK_STRUCT_SIZE + sub_offs + sub_len ||
++ iov->iov_len < SMB2_SYMLINK_STRUCT_SIZE + print_offs + print_len)
++ return -EINVAL;
++
++ s = cifs_strndup_from_utf16((char *)sym->PathBuffer + sub_offs, sub_len, true,
++ cifs_sb->local_nls);
++ if (!s)
++ return -ENOMEM;
++ convert_delimiter(s, '/');
++ cifs_dbg(FYI, "%s: symlink target: %s\n", __func__, s);
++
++ *path = s;
++ return 0;
++}
++
++int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms, __u32 *oplock, void *buf)
+ {
+ int rc;
+ __le16 *smb2_path;
+- struct smb2_file_all_info *smb2_data = NULL;
+ __u8 smb2_oplock;
++ struct cifs_open_info_data *data = buf;
++ struct smb2_file_all_info file_info = {};
++ struct smb2_file_all_info *smb2_data = data ? &file_info : NULL;
++ struct kvec err_iov = {};
++ int err_buftype = CIFS_NO_BUFFER;
+ struct cifs_fid *fid = oparms->fid;
+ struct network_resiliency_req nr_ioctl_req;
+
+ smb2_path = cifs_convert_path_to_utf16(oparms->path, oparms->cifs_sb);
+- if (smb2_path == NULL) {
+- rc = -ENOMEM;
+- goto out;
+- }
+-
+- smb2_data = kzalloc(sizeof(struct smb2_file_all_info) + PATH_MAX * 2,
+- GFP_KERNEL);
+- if (smb2_data == NULL) {
+- rc = -ENOMEM;
+- goto out;
+- }
++ if (smb2_path == NULL)
++ return -ENOMEM;
+
+ oparms->desired_access |= FILE_READ_ATTRIBUTES;
+ smb2_oplock = SMB2_OPLOCK_LEVEL_BATCH;
+
+- rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL,
+- NULL, NULL);
++ rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov,
++ &err_buftype);
++ if (rc && data) {
++ struct smb2_hdr *hdr = err_iov.iov_base;
++
++ if (unlikely(!err_iov.iov_base || err_buftype == CIFS_NO_BUFFER))
++ rc = -ENOMEM;
++ else if (hdr->Status == STATUS_STOPPED_ON_SYMLINK && oparms->cifs_sb) {
++ rc = smb2_parse_symlink_response(oparms->cifs_sb, &err_iov,
++ &data->symlink_target);
++ if (!rc) {
++ memset(smb2_data, 0, sizeof(*smb2_data));
++ oparms->create_options |= OPEN_REPARSE_POINT;
++ rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data,
++ NULL, NULL, NULL);
++ oparms->create_options &= ~OPEN_REPARSE_POINT;
++ }
++ }
++ }
++
+ if (rc)
+ goto out;
+
+-
+ if (oparms->tcon->use_resilient) {
+ /* default timeout is 0, servers pick default (120 seconds) */
+ nr_ioctl_req.Timeout =
+@@ -73,7 +158,7 @@ smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
+ rc = 0;
+ }
+
+- if (buf) {
++ if (smb2_data) {
+ /* if open response does not have IndexNumber field - get it */
+ if (smb2_data->IndexNumber == 0) {
+ rc = SMB2_get_srv_num(xid, oparms->tcon,
+@@ -89,12 +174,12 @@ smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms,
+ rc = 0;
+ }
+ }
+- move_smb2_info_to_cifs(buf, smb2_data);
++ memcpy(&data->fi, smb2_data, sizeof(data->fi));
+ }
+
+ *oplock = smb2_oplock;
+ out:
+- kfree(smb2_data);
++ free_rsp_buf(err_buftype, err_iov.iov_base);
+ kfree(smb2_path);
+ return rc;
+ }
+diff --git a/fs/cifs/smb2inode.c b/fs/cifs/smb2inode.c
+index b83f59051b26..7b14ece0d895 100644
+--- a/fs/cifs/smb2inode.c
++++ b/fs/cifs/smb2inode.c
+@@ -24,6 +24,7 @@
+ #include "smb2pdu.h"
+ #include "smb2proto.h"
+ #include "cached_dir.h"
++#include "smb2status.h"
+
+ static void
+ free_set_inf_compound(struct smb_rqst *rqst)
+@@ -50,13 +51,15 @@ struct cop_vars {
+ /*
+ * note: If cfile is passed, the reference to it is dropped here.
+ * So make sure that you do not reuse cfile after return from this func.
++ *
++ * If passing @err_iov and @err_buftype, ensure to make them both large enough (>= 3) to hold all
++ * error responses. Caller is also responsible for freeing them up.
+ */
+-static int
+-smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *cifs_sb, const char *full_path,
+- __u32 desired_access, __u32 create_disposition,
+- __u32 create_options, umode_t mode, void *ptr, int command,
+- struct cifsFileInfo *cfile)
++static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ __u32 desired_access, __u32 create_disposition, __u32 create_options,
++ umode_t mode, void *ptr, int command, struct cifsFileInfo *cfile,
++ struct kvec *err_iov, int *err_buftype)
+ {
+ struct cop_vars *vars = NULL;
+ struct kvec *rsp_iov;
+@@ -70,6 +73,7 @@ smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+ int num_rqst = 0;
+ int resp_buftype[3];
+ struct smb2_query_info_rsp *qi_rsp = NULL;
++ struct cifs_open_info_data *idata;
+ int flags = 0;
+ __u8 delete_pending[8] = {1, 0, 0, 0, 0, 0, 0, 0};
+ unsigned int size[2];
+@@ -385,14 +389,19 @@ smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+
+ switch (command) {
+ case SMB2_OP_QUERY_INFO:
++ idata = ptr;
++ if (rc == 0 && cfile && cfile->symlink_target) {
++ idata->symlink_target = kstrdup(cfile->symlink_target, GFP_KERNEL);
++ if (!idata->symlink_target)
++ rc = -ENOMEM;
++ }
+ if (rc == 0) {
+ qi_rsp = (struct smb2_query_info_rsp *)
+ rsp_iov[1].iov_base;
+ rc = smb2_validate_and_copy_iov(
+ le16_to_cpu(qi_rsp->OutputBufferOffset),
+ le32_to_cpu(qi_rsp->OutputBufferLength),
+- &rsp_iov[1], sizeof(struct smb2_file_all_info),
+- ptr);
++ &rsp_iov[1], sizeof(idata->fi), (char *)&idata->fi);
+ }
+ if (rqst[1].rq_iov)
+ SMB2_query_info_free(&rqst[1]);
+@@ -406,13 +415,19 @@ smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+ tcon->tid);
+ break;
+ case SMB2_OP_POSIX_QUERY_INFO:
++ if (rc == 0 && cfile && cfile->symlink_target) {
++ idata->symlink_target = kstrdup(cfile->symlink_target, GFP_KERNEL);
++ if (!idata->symlink_target)
++ rc = -ENOMEM;
++ }
+ if (rc == 0) {
+ qi_rsp = (struct smb2_query_info_rsp *)
+ rsp_iov[1].iov_base;
+ rc = smb2_validate_and_copy_iov(
+ le16_to_cpu(qi_rsp->OutputBufferOffset),
+ le32_to_cpu(qi_rsp->OutputBufferLength),
+- &rsp_iov[1], sizeof(struct smb311_posix_qinfo) /* add SIDs */, ptr);
++ &rsp_iov[1], sizeof(idata->posix_fi) /* add SIDs */,
++ (char *)&idata->posix_fi);
+ }
+ if (rqst[1].rq_iov)
+ SMB2_query_info_free(&rqst[1]);
+@@ -477,42 +492,33 @@ smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+ free_set_inf_compound(rqst);
+ break;
+ }
+- free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
+- free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
+- free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base);
++
++ if (rc && err_iov && err_buftype) {
++ memcpy(err_iov, rsp_iov, 3 * sizeof(*err_iov));
++ memcpy(err_buftype, resp_buftype, 3 * sizeof(*err_buftype));
++ } else {
++ free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
++ free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
++ free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base);
++ }
+ kfree(vars);
+ return rc;
+ }
+
+-void
+-move_smb2_info_to_cifs(FILE_ALL_INFO *dst, struct smb2_file_all_info *src)
+-{
+- memcpy(dst, src, (size_t)(&src->CurrentByteOffset) - (size_t)src);
+- dst->CurrentByteOffset = src->CurrentByteOffset;
+- dst->Mode = src->Mode;
+- dst->AlignmentRequirement = src->AlignmentRequirement;
+- dst->IndexNumber1 = 0; /* we don't use it */
+-}
+-
+-int
+-smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *cifs_sb, const char *full_path,
+- FILE_ALL_INFO *data, bool *adjust_tz, bool *reparse)
++int smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ struct cifs_open_info_data *data, bool *adjust_tz, bool *reparse)
+ {
+ int rc;
+- struct smb2_file_all_info *smb2_data;
+ __u32 create_options = 0;
+ struct cifsFileInfo *cfile;
+ struct cached_fid *cfid = NULL;
++ struct kvec err_iov[3] = {};
++ int err_buftype[3] = {};
+
+ *adjust_tz = false;
+ *reparse = false;
+
+- smb2_data = kzalloc(sizeof(struct smb2_file_all_info) + PATH_MAX * 2,
+- GFP_KERNEL);
+- if (smb2_data == NULL)
+- return -ENOMEM;
+-
+ if (strcmp(full_path, ""))
+ rc = -ENOENT;
+ else
+@@ -520,63 +526,58 @@ smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+ /* If it is a root and its handle is cached then use it */
+ if (!rc) {
+ if (cfid->file_all_info_is_valid) {
+- move_smb2_info_to_cifs(data,
+- &cfid->file_all_info);
++ memcpy(&data->fi, &cfid->file_all_info, sizeof(data->fi));
+ } else {
+- rc = SMB2_query_info(xid, tcon,
+- cfid->fid.persistent_fid,
+- cfid->fid.volatile_fid, smb2_data);
+- if (!rc)
+- move_smb2_info_to_cifs(data, smb2_data);
++ rc = SMB2_query_info(xid, tcon, cfid->fid.persistent_fid,
++ cfid->fid.volatile_fid, &data->fi);
+ }
+ close_cached_dir(cfid);
+- goto out;
++ return rc;
+ }
+
+ cifs_get_readable_path(tcon, full_path, &cfile);
+- rc = smb2_compound_op(xid, tcon, cifs_sb, full_path,
+- FILE_READ_ATTRIBUTES, FILE_OPEN, create_options,
+- ACL_NO_MODE, smb2_data, SMB2_OP_QUERY_INFO, cfile);
++ rc = smb2_compound_op(xid, tcon, cifs_sb, full_path, FILE_READ_ATTRIBUTES, FILE_OPEN,
++ create_options, ACL_NO_MODE, data, SMB2_OP_QUERY_INFO, cfile,
++ err_iov, err_buftype);
+ if (rc == -EOPNOTSUPP) {
++ if (err_iov[0].iov_base && err_buftype[0] != CIFS_NO_BUFFER &&
++ ((struct smb2_hdr *)err_iov[0].iov_base)->Command == SMB2_CREATE &&
++ ((struct smb2_hdr *)err_iov[0].iov_base)->Status == STATUS_STOPPED_ON_SYMLINK) {
++ rc = smb2_parse_symlink_response(cifs_sb, err_iov, &data->symlink_target);
++ if (rc)
++ goto out;
++ }
+ *reparse = true;
+ create_options |= OPEN_REPARSE_POINT;
+
+ /* Failed on a symbolic link - query a reparse point info */
+ cifs_get_readable_path(tcon, full_path, &cfile);
+- rc = smb2_compound_op(xid, tcon, cifs_sb, full_path,
+- FILE_READ_ATTRIBUTES, FILE_OPEN,
+- create_options, ACL_NO_MODE,
+- smb2_data, SMB2_OP_QUERY_INFO, cfile);
++ rc = smb2_compound_op(xid, tcon, cifs_sb, full_path, FILE_READ_ATTRIBUTES,
++ FILE_OPEN, create_options, ACL_NO_MODE, data,
++ SMB2_OP_QUERY_INFO, cfile, NULL, NULL);
+ }
+- if (rc)
+- goto out;
+
+- move_smb2_info_to_cifs(data, smb2_data);
+ out:
+- kfree(smb2_data);
++ free_rsp_buf(err_buftype[0], err_iov[0].iov_base);
++ free_rsp_buf(err_buftype[1], err_iov[1].iov_base);
++ free_rsp_buf(err_buftype[2], err_iov[2].iov_base);
+ return rc;
+ }
+
+
+-int
+-smb311_posix_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *cifs_sb, const char *full_path,
+- struct smb311_posix_qinfo *data, bool *adjust_tz, bool *reparse)
++int smb311_posix_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ struct cifs_open_info_data *data, bool *adjust_tz, bool *reparse)
+ {
+ int rc;
+ __u32 create_options = 0;
+ struct cifsFileInfo *cfile;
+- struct smb311_posix_qinfo *smb2_data;
++ struct kvec err_iov[3] = {};
++ int err_buftype[3] = {};
+
+ *adjust_tz = false;
+ *reparse = false;
+
+- /* BB TODO: Make struct larger when add support for parsing owner SIDs */
+- smb2_data = kzalloc(sizeof(struct smb311_posix_qinfo),
+- GFP_KERNEL);
+- if (smb2_data == NULL)
+- return -ENOMEM;
+-
+ /*
+ * BB TODO: Add support for using the cached root handle.
+ * Create SMB2_query_posix_info worker function to do non-compounded query
+@@ -585,29 +586,32 @@ smb311_posix_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+ */
+
+ cifs_get_readable_path(tcon, full_path, &cfile);
+- rc = smb2_compound_op(xid, tcon, cifs_sb, full_path,
+- FILE_READ_ATTRIBUTES, FILE_OPEN, create_options,
+- ACL_NO_MODE, smb2_data, SMB2_OP_POSIX_QUERY_INFO, cfile);
++ rc = smb2_compound_op(xid, tcon, cifs_sb, full_path, FILE_READ_ATTRIBUTES, FILE_OPEN,
++ create_options, ACL_NO_MODE, data, SMB2_OP_POSIX_QUERY_INFO, cfile,
++ err_iov, err_buftype);
+ if (rc == -EOPNOTSUPP) {
+ /* BB TODO: When support for special files added to Samba re-verify this path */
++ if (err_iov[0].iov_base && err_buftype[0] != CIFS_NO_BUFFER &&
++ ((struct smb2_hdr *)err_iov[0].iov_base)->Command == SMB2_CREATE &&
++ ((struct smb2_hdr *)err_iov[0].iov_base)->Status == STATUS_STOPPED_ON_SYMLINK) {
++ rc = smb2_parse_symlink_response(cifs_sb, err_iov, &data->symlink_target);
++ if (rc)
++ goto out;
++ }
+ *reparse = true;
+ create_options |= OPEN_REPARSE_POINT;
+
+ /* Failed on a symbolic link - query a reparse point info */
+ cifs_get_readable_path(tcon, full_path, &cfile);
+- rc = smb2_compound_op(xid, tcon, cifs_sb, full_path,
+- FILE_READ_ATTRIBUTES, FILE_OPEN,
+- create_options, ACL_NO_MODE,
+- smb2_data, SMB2_OP_POSIX_QUERY_INFO, cfile);
++ rc = smb2_compound_op(xid, tcon, cifs_sb, full_path, FILE_READ_ATTRIBUTES,
++ FILE_OPEN, create_options, ACL_NO_MODE, data,
++ SMB2_OP_POSIX_QUERY_INFO, cfile, NULL, NULL);
+ }
+- if (rc)
+- goto out;
+-
+- /* TODO: will need to allow for the 2 SIDs when add support for getting owner UID/GID */
+- memcpy(data, smb2_data, sizeof(struct smb311_posix_qinfo));
+
+ out:
+- kfree(smb2_data);
++ free_rsp_buf(err_buftype[0], err_iov[0].iov_base);
++ free_rsp_buf(err_buftype[1], err_iov[1].iov_base);
++ free_rsp_buf(err_buftype[2], err_iov[2].iov_base);
+ return rc;
+ }
+
+@@ -619,7 +623,7 @@ smb2_mkdir(const unsigned int xid, struct inode *parent_inode, umode_t mode,
+ return smb2_compound_op(xid, tcon, cifs_sb, name,
+ FILE_WRITE_ATTRIBUTES, FILE_CREATE,
+ CREATE_NOT_FILE, mode, NULL, SMB2_OP_MKDIR,
+- NULL);
++ NULL, NULL, NULL);
+ }
+
+ void
+@@ -641,7 +645,7 @@ smb2_mkdir_setinfo(struct inode *inode, const char *name,
+ tmprc = smb2_compound_op(xid, tcon, cifs_sb, name,
+ FILE_WRITE_ATTRIBUTES, FILE_CREATE,
+ CREATE_NOT_FILE, ACL_NO_MODE,
+- &data, SMB2_OP_SET_INFO, cfile);
++ &data, SMB2_OP_SET_INFO, cfile, NULL, NULL);
+ if (tmprc == 0)
+ cifs_i->cifsAttrs = dosattrs;
+ }
+@@ -652,7 +656,7 @@ smb2_rmdir(const unsigned int xid, struct cifs_tcon *tcon, const char *name,
+ {
+ return smb2_compound_op(xid, tcon, cifs_sb, name, DELETE, FILE_OPEN,
+ CREATE_NOT_FILE, ACL_NO_MODE,
+- NULL, SMB2_OP_RMDIR, NULL);
++ NULL, SMB2_OP_RMDIR, NULL, NULL, NULL);
+ }
+
+ int
+@@ -661,7 +665,7 @@ smb2_unlink(const unsigned int xid, struct cifs_tcon *tcon, const char *name,
+ {
+ return smb2_compound_op(xid, tcon, cifs_sb, name, DELETE, FILE_OPEN,
+ CREATE_DELETE_ON_CLOSE | OPEN_REPARSE_POINT,
+- ACL_NO_MODE, NULL, SMB2_OP_DELETE, NULL);
++ ACL_NO_MODE, NULL, SMB2_OP_DELETE, NULL, NULL, NULL);
+ }
+
+ static int
+@@ -680,7 +684,7 @@ smb2_set_path_attr(const unsigned int xid, struct cifs_tcon *tcon,
+ }
+ rc = smb2_compound_op(xid, tcon, cifs_sb, from_name, access,
+ FILE_OPEN, 0, ACL_NO_MODE, smb2_to_name,
+- command, cfile);
++ command, cfile, NULL, NULL);
+ smb2_rename_path:
+ kfree(smb2_to_name);
+ return rc;
+@@ -720,7 +724,7 @@ smb2_set_path_size(const unsigned int xid, struct cifs_tcon *tcon,
+ cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile);
+ return smb2_compound_op(xid, tcon, cifs_sb, full_path,
+ FILE_WRITE_DATA, FILE_OPEN, 0, ACL_NO_MODE,
+- &eof, SMB2_OP_SET_EOF, cfile);
++ &eof, SMB2_OP_SET_EOF, cfile, NULL, NULL);
+ }
+
+ int
+@@ -746,7 +750,8 @@ smb2_set_file_info(struct inode *inode, const char *full_path,
+ cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile);
+ rc = smb2_compound_op(xid, tcon, cifs_sb, full_path,
+ FILE_WRITE_ATTRIBUTES, FILE_OPEN,
+- 0, ACL_NO_MODE, buf, SMB2_OP_SET_INFO, cfile);
++ 0, ACL_NO_MODE, buf, SMB2_OP_SET_INFO, cfile,
++ NULL, NULL);
+ cifs_put_tlink(tlink);
+ return rc;
+ }
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 2a0eb9b7dd7a..d454164e7f48 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -831,33 +831,25 @@ smb2_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon,
+ return rc;
+ }
+
+-static int
+-smb2_get_srv_inum(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *cifs_sb, const char *full_path,
+- u64 *uniqueid, FILE_ALL_INFO *data)
++static int smb2_get_srv_inum(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ u64 *uniqueid, struct cifs_open_info_data *data)
+ {
+- *uniqueid = le64_to_cpu(data->IndexNumber);
++ *uniqueid = le64_to_cpu(data->fi.IndexNumber);
+ return 0;
+ }
+
+-static int
+-smb2_query_file_info(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_fid *fid, FILE_ALL_INFO *data)
++static int smb2_query_file_info(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifsFileInfo *cfile, struct cifs_open_info_data *data)
+ {
+- int rc;
+- struct smb2_file_all_info *smb2_data;
++ struct cifs_fid *fid = &cfile->fid;
+
+- smb2_data = kzalloc(sizeof(struct smb2_file_all_info) + PATH_MAX * 2,
+- GFP_KERNEL);
+- if (smb2_data == NULL)
+- return -ENOMEM;
+-
+- rc = SMB2_query_info(xid, tcon, fid->persistent_fid, fid->volatile_fid,
+- smb2_data);
+- if (!rc)
+- move_smb2_info_to_cifs(data, smb2_data);
+- kfree(smb2_data);
+- return rc;
++ if (cfile->symlink_target) {
++ data->symlink_target = kstrdup(cfile->symlink_target, GFP_KERNEL);
++ if (!data->symlink_target)
++ return -ENOMEM;
++ }
++ return SMB2_query_info(xid, tcon, fid->persistent_fid, fid->volatile_fid, &data->fi);
+ }
+
+ #ifdef CONFIG_CIFS_XATTR
+@@ -2836,9 +2828,6 @@ parse_reparse_point(struct reparse_data_buffer *buf,
+ }
+ }
+
+-#define SMB2_SYMLINK_STRUCT_SIZE \
+- (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
+-
+ static int
+ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_sb_info *cifs_sb, const char *full_path,
+@@ -2850,13 +2839,7 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_open_parms oparms;
+ struct cifs_fid fid;
+ struct kvec err_iov = {NULL, 0};
+- struct smb2_err_rsp *err_buf = NULL;
+- struct smb2_symlink_err_rsp *symlink;
+ struct TCP_Server_Info *server = cifs_pick_channel(tcon->ses);
+- unsigned int sub_len;
+- unsigned int sub_offset;
+- unsigned int print_len;
+- unsigned int print_offset;
+ int flags = CIFS_CP_CREATE_CLOSE_OP;
+ struct smb_rqst rqst[3];
+ int resp_buftype[3];
+@@ -2973,47 +2956,7 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+ goto querty_exit;
+ }
+
+- err_buf = err_iov.iov_base;
+- if (le32_to_cpu(err_buf->ByteCount) < sizeof(struct smb2_symlink_err_rsp) ||
+- err_iov.iov_len < SMB2_SYMLINK_STRUCT_SIZE) {
+- rc = -EINVAL;
+- goto querty_exit;
+- }
+-
+- symlink = (struct smb2_symlink_err_rsp *)err_buf->ErrorData;
+- if (le32_to_cpu(symlink->SymLinkErrorTag) != SYMLINK_ERROR_TAG ||
+- le32_to_cpu(symlink->ReparseTag) != IO_REPARSE_TAG_SYMLINK) {
+- rc = -EINVAL;
+- goto querty_exit;
+- }
+-
+- /* open must fail on symlink - reset rc */
+- rc = 0;
+- sub_len = le16_to_cpu(symlink->SubstituteNameLength);
+- sub_offset = le16_to_cpu(symlink->SubstituteNameOffset);
+- print_len = le16_to_cpu(symlink->PrintNameLength);
+- print_offset = le16_to_cpu(symlink->PrintNameOffset);
+-
+- if (err_iov.iov_len < SMB2_SYMLINK_STRUCT_SIZE + sub_offset + sub_len) {
+- rc = -EINVAL;
+- goto querty_exit;
+- }
+-
+- if (err_iov.iov_len <
+- SMB2_SYMLINK_STRUCT_SIZE + print_offset + print_len) {
+- rc = -EINVAL;
+- goto querty_exit;
+- }
+-
+- *target_path = cifs_strndup_from_utf16(
+- (char *)symlink->PathBuffer + sub_offset,
+- sub_len, true, cifs_sb->local_nls);
+- if (!(*target_path)) {
+- rc = -ENOMEM;
+- goto querty_exit;
+- }
+- convert_delimiter(*target_path, '/');
+- cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
++ rc = smb2_parse_symlink_response(cifs_sb, &err_iov, target_path);
+
+ querty_exit:
+ cifs_dbg(FYI, "query symlink rc %d\n", rc);
+@@ -5124,7 +5067,7 @@ smb2_make_node(unsigned int xid, struct inode *inode,
+ {
+ struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+ int rc = -EPERM;
+- FILE_ALL_INFO *buf = NULL;
++ struct cifs_open_info_data buf = {};
+ struct cifs_io_parms io_parms = {0};
+ __u32 oplock = 0;
+ struct cifs_fid fid;
+@@ -5140,7 +5083,7 @@ smb2_make_node(unsigned int xid, struct inode *inode,
+ * and was used by default in earlier versions of Windows
+ */
+ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))
+- goto out;
++ return rc;
+
+ /*
+ * TODO: Add ability to create instead via reparse point. Windows (e.g.
+@@ -5149,16 +5092,10 @@ smb2_make_node(unsigned int xid, struct inode *inode,
+ */
+
+ if (!S_ISCHR(mode) && !S_ISBLK(mode))
+- goto out;
++ return rc;
+
+ cifs_dbg(FYI, "sfu compat create special file\n");
+
+- buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+- if (buf == NULL) {
+- rc = -ENOMEM;
+- goto out;
+- }
+-
+ oparms.tcon = tcon;
+ oparms.cifs_sb = cifs_sb;
+ oparms.desired_access = GENERIC_WRITE;
+@@ -5173,21 +5110,21 @@ smb2_make_node(unsigned int xid, struct inode *inode,
+ oplock = REQ_OPLOCK;
+ else
+ oplock = 0;
+- rc = tcon->ses->server->ops->open(xid, &oparms, &oplock, buf);
++ rc = tcon->ses->server->ops->open(xid, &oparms, &oplock, &buf);
+ if (rc)
+- goto out;
++ return rc;
+
+ /*
+ * BB Do not bother to decode buf since no local inode yet to put
+ * timestamps in, but we can reuse it safely.
+ */
+
+- pdev = (struct win_dev *)buf;
++ pdev = (struct win_dev *)&buf.fi;
+ io_parms.pid = current->tgid;
+ io_parms.tcon = tcon;
+ io_parms.offset = 0;
+ io_parms.length = sizeof(struct win_dev);
+- iov[1].iov_base = buf;
++ iov[1].iov_base = &buf.fi;
+ iov[1].iov_len = sizeof(struct win_dev);
+ if (S_ISCHR(mode)) {
+ memcpy(pdev->type, "IntxCHR", 8);
+@@ -5206,8 +5143,8 @@ smb2_make_node(unsigned int xid, struct inode *inode,
+ d_drop(dentry);
+
+ /* FIXME: add code here to set EAs */
+-out:
+- kfree(buf);
++
++ cifs_free_open_info(&buf);
+ return rc;
+ }
+
+diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
+index f57881b8464f..1237bb86e93a 100644
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -56,6 +56,9 @@ struct smb2_rdma_crypto_transform {
+
+ #define COMPOUND_FID 0xFFFFFFFFFFFFFFFFULL
+
++#define SMB2_SYMLINK_STRUCT_SIZE \
++ (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
++
+ #define SYMLINK_ERROR_TAG 0x4c4d5953
+
+ struct smb2_symlink_err_rsp {
+diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h
+index 3f740f24b96a..7818d0b83567 100644
+--- a/fs/cifs/smb2proto.h
++++ b/fs/cifs/smb2proto.h
+@@ -53,16 +53,12 @@ extern bool smb2_is_valid_oplock_break(char *buffer,
+ struct TCP_Server_Info *srv);
+ extern int smb3_handle_read_data(struct TCP_Server_Info *server,
+ struct mid_q_entry *mid);
+-
+-extern void move_smb2_info_to_cifs(FILE_ALL_INFO *dst,
+- struct smb2_file_all_info *src);
+ extern int smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_sb_info *cifs_sb, const char *path,
+ __u32 *reparse_tag);
+-extern int smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *cifs_sb,
+- const char *full_path, FILE_ALL_INFO *data,
+- bool *adjust_tz, bool *symlink);
++int smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ struct cifs_open_info_data *data, bool *adjust_tz, bool *reparse);
+ extern int smb2_set_path_size(const unsigned int xid, struct cifs_tcon *tcon,
+ const char *full_path, __u64 size,
+ struct cifs_sb_info *cifs_sb, bool set_alloc);
+@@ -95,9 +91,9 @@ extern int smb3_query_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_sb_info *cifs_sb,
+ const unsigned char *path, char *pbuf,
+ unsigned int *pbytes_read);
+-extern int smb2_open_file(const unsigned int xid,
+- struct cifs_open_parms *oparms,
+- __u32 *oplock, FILE_ALL_INFO *buf);
++int smb2_parse_symlink_response(struct cifs_sb_info *cifs_sb, const struct kvec *iov, char **path);
++int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms, __u32 *oplock,
++ void *buf);
+ extern int smb2_unlock_range(struct cifsFileInfo *cfile,
+ struct file_lock *flock, const unsigned int xid);
+ extern int smb2_push_mandatory_locks(struct cifsFileInfo *cfile);
+@@ -278,9 +274,9 @@ extern int smb2_query_info_compound(const unsigned int xid,
+ struct kvec *rsp, int *buftype,
+ struct cifs_sb_info *cifs_sb);
+ /* query path info from the server using SMB311 POSIX extensions*/
+-extern int smb311_posix_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+- struct cifs_sb_info *sb, const char *path, struct smb311_posix_qinfo *qinf,
+- bool *adjust_tx, bool *symlink);
++int smb311_posix_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
++ struct cifs_sb_info *cifs_sb, const char *full_path,
++ struct cifs_open_info_data *data, bool *adjust_tz, bool *reparse);
+ int posix_info_parse(const void *beg, const void *end,
+ struct smb2_posix_info_parsed *out);
+ int posix_info_sid_size(const void *beg, const void *end);
+--
+2.35.1
+
--- /dev/null
+From 32b54aef7a4481967d9bedabf05e003a3b84f45a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 15:10:35 -0300
+Subject: cifs: replace kfree() with kfree_sensitive() for sensitive data
+
+From: Enzo Matsumiya <ematsumiya@suse.de>
+
+[ Upstream commit a4e430c8c8ba96be8c6ec4f2eb108bb8bcbee069 ]
+
+Replace kfree with kfree_sensitive, or prepend memzero_explicit() in
+other cases, when freeing sensitive material that could still be left
+in memory.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Link: https://lore.kernel.org/r/202209201529.ec633796-oliver.sang@intel.com
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Stable-dep-of: f7f291e14dde ("cifs: fix oops during encryption")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifsencrypt.c | 12 ++++++------
+ fs/cifs/connect.c | 6 +++---
+ fs/cifs/fs_context.c | 12 ++++++++++--
+ fs/cifs/misc.c | 2 +-
+ fs/cifs/sess.c | 24 +++++++++++++++---------
+ fs/cifs/smb2ops.c | 6 +++---
+ fs/cifs/smb2pdu.c | 19 ++++++++++++++-----
+ 7 files changed, 52 insertions(+), 29 deletions(-)
+
+diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
+index 46f5718754f9..d848bc0aac27 100644
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -679,7 +679,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
+ unlock:
+ cifs_server_unlock(ses->server);
+ setup_ntlmv2_rsp_ret:
+- kfree(tiblob);
++ kfree_sensitive(tiblob);
+
+ return rc;
+ }
+@@ -753,14 +753,14 @@ cifs_crypto_secmech_release(struct TCP_Server_Info *server)
+ server->secmech.ccmaesdecrypt = NULL;
+ }
+
+- kfree(server->secmech.sdesccmacaes);
++ kfree_sensitive(server->secmech.sdesccmacaes);
+ server->secmech.sdesccmacaes = NULL;
+- kfree(server->secmech.sdeschmacsha256);
++ kfree_sensitive(server->secmech.sdeschmacsha256);
+ server->secmech.sdeschmacsha256 = NULL;
+- kfree(server->secmech.sdeschmacmd5);
++ kfree_sensitive(server->secmech.sdeschmacmd5);
+ server->secmech.sdeschmacmd5 = NULL;
+- kfree(server->secmech.sdescmd5);
++ kfree_sensitive(server->secmech.sdescmd5);
+ server->secmech.sdescmd5 = NULL;
+- kfree(server->secmech.sdescsha512);
++ kfree_sensitive(server->secmech.sdescsha512);
+ server->secmech.sdescsha512 = NULL;
+ }
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 317ca1be9c4c..816161f51b29 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -311,7 +311,7 @@ cifs_abort_connection(struct TCP_Server_Info *server)
+ }
+ server->sequence_number = 0;
+ server->session_estab = false;
+- kfree(server->session_key.response);
++ kfree_sensitive(server->session_key.response);
+ server->session_key.response = NULL;
+ server->session_key.len = 0;
+ server->lstrp = jiffies;
+@@ -1580,7 +1580,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
+
+ cifs_crypto_secmech_release(server);
+
+- kfree(server->session_key.response);
++ kfree_sensitive(server->session_key.response);
+ server->session_key.response = NULL;
+ server->session_key.len = 0;
+ kfree(server->hostname);
+@@ -4141,7 +4141,7 @@ cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
+ if (ses->auth_key.response) {
+ cifs_dbg(FYI, "Free previous auth_key.response = %p\n",
+ ses->auth_key.response);
+- kfree(ses->auth_key.response);
++ kfree_sensitive(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+ ses->auth_key.len = 0;
+ }
+diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
+index 0e13dec86b25..45119597c765 100644
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -791,6 +791,13 @@ do { \
+ cifs_sb->ctx->field = NULL; \
+ } while (0)
+
++#define STEAL_STRING_SENSITIVE(cifs_sb, ctx, field) \
++do { \
++ kfree_sensitive(ctx->field); \
++ ctx->field = cifs_sb->ctx->field; \
++ cifs_sb->ctx->field = NULL; \
++} while (0)
++
+ static int smb3_reconfigure(struct fs_context *fc)
+ {
+ struct smb3_fs_context *ctx = smb3_fc2context(fc);
+@@ -811,7 +818,7 @@ static int smb3_reconfigure(struct fs_context *fc)
+ STEAL_STRING(cifs_sb, ctx, UNC);
+ STEAL_STRING(cifs_sb, ctx, source);
+ STEAL_STRING(cifs_sb, ctx, username);
+- STEAL_STRING(cifs_sb, ctx, password);
++ STEAL_STRING_SENSITIVE(cifs_sb, ctx, password);
+ STEAL_STRING(cifs_sb, ctx, domainname);
+ STEAL_STRING(cifs_sb, ctx, nodename);
+ STEAL_STRING(cifs_sb, ctx, iocharset);
+@@ -1162,7 +1169,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+ }
+ break;
+ case Opt_pass:
+- kfree(ctx->password);
++ kfree_sensitive(ctx->password);
+ ctx->password = NULL;
+ if (strlen(param->string) == 0)
+ break;
+@@ -1470,6 +1477,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+ return 0;
+
+ cifs_parse_mount_err:
++ kfree_sensitive(ctx->password);
+ return -EINVAL;
+ }
+
+diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
+index 35085fa86636..3a117e2269a0 100644
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -1123,7 +1123,7 @@ cifs_alloc_hash(const char *name,
+ void
+ cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc)
+ {
+- kfree(*sdesc);
++ kfree_sensitive(*sdesc);
+ *sdesc = NULL;
+ if (*shash)
+ crypto_free_shash(*shash);
+diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
+index 6a85136da27c..22e281bc65ad 100644
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -1214,6 +1214,12 @@ sess_alloc_buffer(struct sess_data *sess_data, int wct)
+ static void
+ sess_free_buffer(struct sess_data *sess_data)
+ {
++ int i;
++
++ /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
++ for (i = 0; i < 3; i++)
++ if (sess_data->iov[i].iov_base)
++ memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
+
+ free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
+ sess_data->buf0_type = CIFS_NO_BUFFER;
+@@ -1375,7 +1381,7 @@ sess_auth_ntlmv2(struct sess_data *sess_data)
+ sess_data->result = rc;
+ sess_data->func = NULL;
+ sess_free_buffer(sess_data);
+- kfree(ses->auth_key.response);
++ kfree_sensitive(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+ }
+
+@@ -1514,7 +1520,7 @@ sess_auth_kerberos(struct sess_data *sess_data)
+ sess_data->result = rc;
+ sess_data->func = NULL;
+ sess_free_buffer(sess_data);
+- kfree(ses->auth_key.response);
++ kfree_sensitive(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+ }
+
+@@ -1649,7 +1655,7 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
+ rc = decode_ntlmssp_challenge(bcc_ptr, blob_len, ses);
+
+ out_free_ntlmsspblob:
+- kfree(ntlmsspblob);
++ kfree_sensitive(ntlmsspblob);
+ out:
+ sess_free_buffer(sess_data);
+
+@@ -1659,9 +1665,9 @@ sess_auth_rawntlmssp_negotiate(struct sess_data *sess_data)
+ }
+
+ /* Else error. Cleanup */
+- kfree(ses->auth_key.response);
++ kfree_sensitive(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+- kfree(ses->ntlmssp);
++ kfree_sensitive(ses->ntlmssp);
+ ses->ntlmssp = NULL;
+
+ sess_data->func = NULL;
+@@ -1760,7 +1766,7 @@ sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
+ }
+
+ out_free_ntlmsspblob:
+- kfree(ntlmsspblob);
++ kfree_sensitive(ntlmsspblob);
+ out:
+ sess_free_buffer(sess_data);
+
+@@ -1768,9 +1774,9 @@ sess_auth_rawntlmssp_authenticate(struct sess_data *sess_data)
+ rc = sess_establish_session(sess_data);
+
+ /* Cleanup */
+- kfree(ses->auth_key.response);
++ kfree_sensitive(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+- kfree(ses->ntlmssp);
++ kfree_sensitive(ses->ntlmssp);
+ ses->ntlmssp = NULL;
+
+ sess_data->func = NULL;
+@@ -1846,7 +1852,7 @@ int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
+ rc = sess_data->result;
+
+ out:
+- kfree(sess_data);
++ kfree_sensitive(sess_data);
+ return rc;
+ }
+ #endif /* CONFIG_CIFS_ALLOW_INSECURE_LEGACY */
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index b724bf42b540..2a0eb9b7dd7a 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -4432,11 +4432,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
+ if (!rc && enc)
+ memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
+
+- kfree(iv);
++ kfree_sensitive(iv);
+ free_sg:
+- kfree(sg);
++ kfree_sensitive(sg);
+ free_req:
+- kfree(req);
++ kfree_sensitive(req);
+ return rc;
+ }
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 92a1d0695ebd..dd1aeb2316ac 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1345,6 +1345,13 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_data *sess_data)
+ static void
+ SMB2_sess_free_buffer(struct SMB2_sess_data *sess_data)
+ {
++ int i;
++
++ /* zero the session data before freeing, as it might contain sensitive info (keys, etc) */
++ for (i = 0; i < 2; i++)
++ if (sess_data->iov[i].iov_base)
++ memzero_explicit(sess_data->iov[i].iov_base, sess_data->iov[i].iov_len);
++
+ free_rsp_buf(sess_data->buf0_type, sess_data->iov[0].iov_base);
+ sess_data->buf0_type = CIFS_NO_BUFFER;
+ }
+@@ -1477,6 +1484,8 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data)
+ out_put_spnego_key:
+ key_invalidate(spnego_key);
+ key_put(spnego_key);
++ if (rc)
++ kfree_sensitive(ses->auth_key.response);
+ out:
+ sess_data->result = rc;
+ sess_data->func = NULL;
+@@ -1573,7 +1582,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
+ }
+
+ out:
+- kfree(ntlmssp_blob);
++ memzero_explicit(ntlmssp_blob, blob_length);
+ SMB2_sess_free_buffer(sess_data);
+ if (!rc) {
+ sess_data->result = 0;
+@@ -1581,7 +1590,7 @@ SMB2_sess_auth_rawntlmssp_negotiate(struct SMB2_sess_data *sess_data)
+ return;
+ }
+ out_err:
+- kfree(ses->ntlmssp);
++ kfree_sensitive(ses->ntlmssp);
+ ses->ntlmssp = NULL;
+ sess_data->result = rc;
+ sess_data->func = NULL;
+@@ -1657,9 +1666,9 @@ SMB2_sess_auth_rawntlmssp_authenticate(struct SMB2_sess_data *sess_data)
+ }
+ #endif
+ out:
+- kfree(ntlmssp_blob);
++ memzero_explicit(ntlmssp_blob, blob_length);
+ SMB2_sess_free_buffer(sess_data);
+- kfree(ses->ntlmssp);
++ kfree_sensitive(ses->ntlmssp);
+ ses->ntlmssp = NULL;
+ sess_data->result = rc;
+ sess_data->func = NULL;
+@@ -1737,7 +1746,7 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
+ cifs_server_dbg(VFS, "signing requested but authenticated as guest\n");
+ rc = sess_data->result;
+ out:
+- kfree(sess_data);
++ kfree_sensitive(sess_data);
+ return rc;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a773fd5fbeb8eb22f089947c050597c9110dfaae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 16:28:03 +0800
+Subject: class: fix possible memory leak in __class_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8c3e8a6bdb5253b97ad532570f8b5db5f7a06407 ]
+
+If class_add_groups() returns error, the 'cp->subsys' need be
+unregister, and the 'cp' need be freed.
+
+We can not call kset_unregister() here, because the 'cls' will
+be freed in callback function class_release() and it's also
+freed in caller's error path, it will cause double free.
+
+So fix this by calling kobject_del() and kfree_const(name) to
+cleanup kobject. Besides, call kfree() to free the 'cp'.
+
+Fault injection test can trigger this:
+
+unreferenced object 0xffff888102fa8190 (size 8):
+ comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
+ hex dump (first 8 bytes):
+ 70 6b 74 63 64 76 64 00 pktcdvd.
+ backtrace:
+ [<00000000e7c7703d>] __kmalloc_track_caller+0x1ae/0x320
+ [<000000005e4d70bc>] kstrdup+0x3a/0x70
+ [<00000000c2e5e85a>] kstrdup_const+0x68/0x80
+ [<000000000049a8c7>] kvasprintf_const+0x10b/0x190
+ [<0000000029123163>] kobject_set_name_vargs+0x56/0x150
+ [<00000000747219c9>] kobject_set_name+0xab/0xe0
+ [<0000000005f1ea4e>] __class_register+0x15c/0x49a
+
+unreferenced object 0xffff888037274000 (size 1024):
+ comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
+ hex dump (first 32 bytes):
+ 00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@'7.....@'7....
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ backtrace:
+ [<00000000151f9600>] kmem_cache_alloc_trace+0x17c/0x2f0
+ [<00000000ecf3dd95>] __class_register+0x86/0x49a
+
+Fixes: ced6473e7486 ("driver core: class: add class_groups support")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221026082803.3458760-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/class.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/base/class.c b/drivers/base/class.c
+index 8feb85e186e3..e394e3e473b5 100644
+--- a/drivers/base/class.c
++++ b/drivers/base/class.c
+@@ -192,6 +192,11 @@ int __class_register(struct class *cls, struct lock_class_key *key)
+ }
+ error = class_add_groups(class_get(cls), cls->class_groups);
+ class_put(cls);
++ if (error) {
++ kobject_del(&cp->subsys.kobj);
++ kfree_const(cp->subsys.kobj.name);
++ kfree(cp);
++ }
+ return error;
+ }
+ EXPORT_SYMBOL_GPL(__class_register);
+--
+2.35.1
+
--- /dev/null
+From 98ea8fee391a93efde8f2a46791d048e987db567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 19:10:11 +0100
+Subject: clk: imx: imxrt1050: fix IMXRT1050_CLK_LCDIF_APB offsets
+
+From: Giulio Benetti <giulio.benetti@benettiengineering.com>
+
+[ Upstream commit 3095c02f95e537c553e0b30948c2f6c7cbed87ee ]
+
+Fix IMXRT1050_CLK_LCDIF_APB offsets.
+
+Fixes: 7154b046d8f3 ("clk: imx: Add initial support for i.MXRT1050 clock driver")
+Cc: Jesse Taube <mr.bossman075@gmail.com>
+Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20221117181014.851505-1-giulio.benetti@benettiengineering.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imxrt1050.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/imx/clk-imxrt1050.c b/drivers/clk/imx/clk-imxrt1050.c
+index 9539d35588ee..26108e9f7e67 100644
+--- a/drivers/clk/imx/clk-imxrt1050.c
++++ b/drivers/clk/imx/clk-imxrt1050.c
+@@ -140,7 +140,7 @@ static int imxrt1050_clocks_probe(struct platform_device *pdev)
+ hws[IMXRT1050_CLK_USDHC1] = imx_clk_hw_gate2("usdhc1", "usdhc1_podf", ccm_base + 0x80, 2);
+ hws[IMXRT1050_CLK_USDHC2] = imx_clk_hw_gate2("usdhc2", "usdhc2_podf", ccm_base + 0x80, 4);
+ hws[IMXRT1050_CLK_LPUART1] = imx_clk_hw_gate2("lpuart1", "lpuart_podf", ccm_base + 0x7c, 24);
+- hws[IMXRT1050_CLK_LCDIF_APB] = imx_clk_hw_gate2("lcdif", "lcdif_podf", ccm_base + 0x74, 10);
++ hws[IMXRT1050_CLK_LCDIF_APB] = imx_clk_hw_gate2("lcdif", "lcdif_podf", ccm_base + 0x70, 28);
+ hws[IMXRT1050_CLK_DMA] = imx_clk_hw_gate("dma", "ipg", ccm_base + 0x7C, 6);
+ hws[IMXRT1050_CLK_DMA_MUX] = imx_clk_hw_gate("dmamux0", "ipg", ccm_base + 0x7C, 7);
+ imx_check_clk_hws(hws, IMXRT1050_CLK_END);
+--
+2.35.1
+
--- /dev/null
+From bfa535cd0340325126b1041c598dd0f13e311624 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 12:36:35 +0100
+Subject: clk: imx: rename video_pll1 to video_pll
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit bedcf9d1dcf88ed38731f0ac9620e5a421e1e9d6 ]
+
+Unlike audio_pll1 and audio_pll2, there is no video_pll2. Further, the
+name used in the RM is video_pll. So, let's rename "video_pll1" to
+"video_pll" to be consistent with the RM and avoid misunderstandings.
+
+The IMX8MN_VIDEO_PLL1* constants have not been removed to ensure
+backward compatibility of the patch.
+
+No functional changes intended.
+
+Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Acked-by: Marco Felsch <m.felsch@pengutronix.de>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20221117113637.1978703-4-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mn.c | 96 ++++++++++++------------
+ include/dt-bindings/clock/imx8mn-clock.h | 12 ++-
+ 2 files changed, 56 insertions(+), 52 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c
+index 0fae97e61e2c..b80af5d1ef46 100644
+--- a/drivers/clk/imx/clk-imx8mn.c
++++ b/drivers/clk/imx/clk-imx8mn.c
+@@ -27,7 +27,7 @@ static u32 share_count_nand;
+ static const char * const pll_ref_sels[] = { "osc_24m", "dummy", "dummy", "dummy", };
+ static const char * const audio_pll1_bypass_sels[] = {"audio_pll1", "audio_pll1_ref_sel", };
+ static const char * const audio_pll2_bypass_sels[] = {"audio_pll2", "audio_pll2_ref_sel", };
+-static const char * const video_pll1_bypass_sels[] = {"video_pll1", "video_pll1_ref_sel", };
++static const char * const video_pll_bypass_sels[] = {"video_pll", "video_pll_ref_sel", };
+ static const char * const dram_pll_bypass_sels[] = {"dram_pll", "dram_pll_ref_sel", };
+ static const char * const gpu_pll_bypass_sels[] = {"gpu_pll", "gpu_pll_ref_sel", };
+ static const char * const m7_alt_pll_bypass_sels[] = {"m7_alt_pll", "m7_alt_pll_ref_sel", };
+@@ -41,23 +41,23 @@ static const char * const imx8mn_a53_sels[] = {"osc_24m", "arm_pll_out", "sys_pl
+ static const char * const imx8mn_a53_core_sels[] = {"arm_a53_div", "arm_pll_out", };
+
+ static const char * const imx8mn_m7_sels[] = {"osc_24m", "sys_pll2_200m", "sys_pll2_250m", "m7_alt_pll_out",
+- "sys_pll1_800m", "audio_pll1_out", "video_pll1_out", "sys_pll3_out", };
++ "sys_pll1_800m", "audio_pll1_out", "video_pll_out", "sys_pll3_out", };
+
+ static const char * const imx8mn_gpu_core_sels[] = {"osc_24m", "gpu_pll_out", "sys_pll1_800m",
+ "sys_pll3_out", "sys_pll2_1000m", "audio_pll1_out",
+- "video_pll1_out", "audio_pll2_out", };
++ "video_pll_out", "audio_pll2_out", };
+
+ static const char * const imx8mn_gpu_shader_sels[] = {"osc_24m", "gpu_pll_out", "sys_pll1_800m",
+ "sys_pll3_out", "sys_pll2_1000m", "audio_pll1_out",
+- "video_pll1_out", "audio_pll2_out", };
++ "video_pll_out", "audio_pll2_out", };
+
+ static const char * const imx8mn_main_axi_sels[] = {"osc_24m", "sys_pll2_333m", "sys_pll1_800m",
+ "sys_pll2_250m", "sys_pll2_1000m", "audio_pll1_out",
+- "video_pll1_out", "sys_pll1_100m",};
++ "video_pll_out", "sys_pll1_100m",};
+
+ static const char * const imx8mn_enet_axi_sels[] = {"osc_24m", "sys_pll1_266m", "sys_pll1_800m",
+ "sys_pll2_250m", "sys_pll2_200m", "audio_pll1_out",
+- "video_pll1_out", "sys_pll3_out", };
++ "video_pll_out", "sys_pll3_out", };
+
+ static const char * const imx8mn_nand_usdhc_sels[] = {"osc_24m", "sys_pll1_266m", "sys_pll1_800m",
+ "sys_pll2_200m", "sys_pll1_133m", "sys_pll3_out",
+@@ -77,23 +77,23 @@ static const char * const imx8mn_usb_bus_sels[] = {"osc_24m", "sys_pll2_500m", "
+
+ static const char * const imx8mn_gpu_axi_sels[] = {"osc_24m", "sys_pll1_800m", "gpu_pll_out",
+ "sys_pll3_out", "sys_pll2_1000m", "audio_pll1_out",
+- "video_pll1_out", "audio_pll2_out", };
++ "video_pll_out", "audio_pll2_out", };
+
+ static const char * const imx8mn_gpu_ahb_sels[] = {"osc_24m", "sys_pll1_800m", "gpu_pll_out",
+ "sys_pll3_out", "sys_pll2_1000m", "audio_pll1_out",
+- "video_pll1_out", "audio_pll2_out", };
++ "video_pll_out", "audio_pll2_out", };
+
+ static const char * const imx8mn_noc_sels[] = {"osc_24m", "sys_pll1_800m", "sys_pll3_out",
+ "sys_pll2_1000m", "sys_pll2_500m", "audio_pll1_out",
+- "video_pll1_out", "audio_pll2_out", };
++ "video_pll_out", "audio_pll2_out", };
+
+ static const char * const imx8mn_ahb_sels[] = {"osc_24m", "sys_pll1_133m", "sys_pll1_800m",
+ "sys_pll1_400m", "sys_pll2_125m", "sys_pll3_out",
+- "audio_pll1_out", "video_pll1_out", };
++ "audio_pll1_out", "video_pll_out", };
+
+ static const char * const imx8mn_audio_ahb_sels[] = {"osc_24m", "sys_pll2_500m", "sys_pll1_800m",
+ "sys_pll2_1000m", "sys_pll2_166m", "sys_pll3_out",
+- "audio_pll1_out", "video_pll1_out", };
++ "audio_pll1_out", "video_pll_out", };
+
+ static const char * const imx8mn_dram_alt_sels[] = {"osc_24m", "sys_pll1_800m", "sys_pll1_100m",
+ "sys_pll2_500m", "sys_pll2_1000m", "sys_pll3_out",
+@@ -103,49 +103,49 @@ static const char * const imx8mn_dram_apb_sels[] = {"osc_24m", "sys_pll2_200m",
+ "sys_pll1_160m", "sys_pll1_800m", "sys_pll3_out",
+ "sys_pll2_250m", "audio_pll2_out", };
+
+-static const char * const imx8mn_disp_pixel_sels[] = {"osc_24m", "video_pll1_out", "audio_pll2_out",
++static const char * const imx8mn_disp_pixel_sels[] = {"osc_24m", "video_pll_out", "audio_pll2_out",
+ "audio_pll1_out", "sys_pll1_800m", "sys_pll2_1000m",
+ "sys_pll3_out", "clk_ext4", };
+
+ static const char * const imx8mn_sai2_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "dummy",
++ "video_pll_out", "sys_pll1_133m", "dummy",
+ "clk_ext3", "clk_ext4", };
+
+ static const char * const imx8mn_sai3_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "dummy",
++ "video_pll_out", "sys_pll1_133m", "dummy",
+ "clk_ext3", "clk_ext4", };
+
+ static const char * const imx8mn_sai5_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "dummy",
++ "video_pll_out", "sys_pll1_133m", "dummy",
+ "clk_ext2", "clk_ext3", };
+
+ static const char * const imx8mn_sai6_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "dummy",
++ "video_pll_out", "sys_pll1_133m", "dummy",
+ "clk_ext3", "clk_ext4", };
+
+ static const char * const imx8mn_sai7_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "dummy",
++ "video_pll_out", "sys_pll1_133m", "dummy",
+ "clk_ext3", "clk_ext4", };
+
+ static const char * const imx8mn_spdif1_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "dummy",
++ "video_pll_out", "sys_pll1_133m", "dummy",
+ "clk_ext2", "clk_ext3", };
+
+ static const char * const imx8mn_enet_ref_sels[] = {"osc_24m", "sys_pll2_125m", "sys_pll2_50m",
+ "sys_pll2_100m", "sys_pll1_160m", "audio_pll1_out",
+- "video_pll1_out", "clk_ext4", };
++ "video_pll_out", "clk_ext4", };
+
+ static const char * const imx8mn_enet_timer_sels[] = {"osc_24m", "sys_pll2_100m", "audio_pll1_out",
+ "clk_ext1", "clk_ext2", "clk_ext3",
+- "clk_ext4", "video_pll1_out", };
++ "clk_ext4", "video_pll_out", };
+
+ static const char * const imx8mn_enet_phy_sels[] = {"osc_24m", "sys_pll2_50m", "sys_pll2_125m",
+- "sys_pll2_200m", "sys_pll2_500m", "video_pll1_out",
++ "sys_pll2_200m", "sys_pll2_500m", "video_pll_out",
+ "audio_pll2_out", };
+
+ static const char * const imx8mn_nand_sels[] = {"osc_24m", "sys_pll2_500m", "audio_pll1_out",
+ "sys_pll1_400m", "audio_pll2_out", "sys_pll3_out",
+- "sys_pll2_250m", "video_pll1_out", };
++ "sys_pll2_250m", "video_pll_out", };
+
+ static const char * const imx8mn_qspi_sels[] = {"osc_24m", "sys_pll1_400m", "sys_pll2_333m",
+ "sys_pll2_500m", "audio_pll2_out", "sys_pll1_266m",
+@@ -160,19 +160,19 @@ static const char * const imx8mn_usdhc2_sels[] = {"osc_24m", "sys_pll1_400m", "s
+ "audio_pll2_out", "sys_pll1_100m", };
+
+ static const char * const imx8mn_i2c1_sels[] = {"osc_24m", "sys_pll1_160m", "sys_pll2_50m",
+- "sys_pll3_out", "audio_pll1_out", "video_pll1_out",
++ "sys_pll3_out", "audio_pll1_out", "video_pll_out",
+ "audio_pll2_out", "sys_pll1_133m", };
+
+ static const char * const imx8mn_i2c2_sels[] = {"osc_24m", "sys_pll1_160m", "sys_pll2_50m",
+- "sys_pll3_out", "audio_pll1_out", "video_pll1_out",
++ "sys_pll3_out", "audio_pll1_out", "video_pll_out",
+ "audio_pll2_out", "sys_pll1_133m", };
+
+ static const char * const imx8mn_i2c3_sels[] = {"osc_24m", "sys_pll1_160m", "sys_pll2_50m",
+- "sys_pll3_out", "audio_pll1_out", "video_pll1_out",
++ "sys_pll3_out", "audio_pll1_out", "video_pll_out",
+ "audio_pll2_out", "sys_pll1_133m", };
+
+ static const char * const imx8mn_i2c4_sels[] = {"osc_24m", "sys_pll1_160m", "sys_pll2_50m",
+- "sys_pll3_out", "audio_pll1_out", "video_pll1_out",
++ "sys_pll3_out", "audio_pll1_out", "video_pll_out",
+ "audio_pll2_out", "sys_pll1_133m", };
+
+ static const char * const imx8mn_uart1_sels[] = {"osc_24m", "sys_pll1_80m", "sys_pll2_200m",
+@@ -213,42 +213,42 @@ static const char * const imx8mn_ecspi2_sels[] = {"osc_24m", "sys_pll2_200m", "s
+
+ static const char * const imx8mn_pwm1_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_160m",
+ "sys_pll1_40m", "sys_pll3_out", "clk_ext1",
+- "sys_pll1_80m", "video_pll1_out", };
++ "sys_pll1_80m", "video_pll_out", };
+
+ static const char * const imx8mn_pwm2_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_160m",
+ "sys_pll1_40m", "sys_pll3_out", "clk_ext1",
+- "sys_pll1_80m", "video_pll1_out", };
++ "sys_pll1_80m", "video_pll_out", };
+
+ static const char * const imx8mn_pwm3_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_160m",
+ "sys_pll1_40m", "sys_pll3_out", "clk_ext2",
+- "sys_pll1_80m", "video_pll1_out", };
++ "sys_pll1_80m", "video_pll_out", };
+
+ static const char * const imx8mn_pwm4_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_160m",
+ "sys_pll1_40m", "sys_pll3_out", "clk_ext2",
+- "sys_pll1_80m", "video_pll1_out", };
++ "sys_pll1_80m", "video_pll_out", };
+
+ static const char * const imx8mn_gpt1_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_400m",
+- "sys_pll1_40m", "video_pll1_out", "sys_pll1_80m",
++ "sys_pll1_40m", "video_pll_out", "sys_pll1_80m",
+ "audio_pll1_out", "clk_ext1", };
+
+ static const char * const imx8mn_gpt2_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_400m",
+- "sys_pll1_40m", "video_pll1_out", "sys_pll1_80m",
++ "sys_pll1_40m", "video_pll_out", "sys_pll1_80m",
+ "audio_pll1_out", "clk_ext1", };
+
+ static const char * const imx8mn_gpt3_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_400m",
+- "sys_pll1_40m", "video_pll1_out", "sys_pll1_80m",
++ "sys_pll1_40m", "video_pll_out", "sys_pll1_80m",
+ "audio_pll1_out", "clk_ext1", };
+
+ static const char * const imx8mn_gpt4_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_400m",
+- "sys_pll1_40m", "video_pll1_out", "sys_pll1_80m",
++ "sys_pll1_40m", "video_pll_out", "sys_pll1_80m",
+ "audio_pll1_out", "clk_ext1", };
+
+ static const char * const imx8mn_gpt5_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_400m",
+- "sys_pll1_40m", "video_pll1_out", "sys_pll1_80m",
++ "sys_pll1_40m", "video_pll_out", "sys_pll1_80m",
+ "audio_pll1_out", "clk_ext1", };
+
+ static const char * const imx8mn_gpt6_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_400m",
+- "sys_pll1_40m", "video_pll1_out", "sys_pll1_80m",
++ "sys_pll1_40m", "video_pll_out", "sys_pll1_80m",
+ "audio_pll1_out", "clk_ext1", };
+
+ static const char * const imx8mn_wdog_sels[] = {"osc_24m", "sys_pll1_133m", "sys_pll1_160m",
+@@ -261,15 +261,15 @@ static const char * const imx8mn_wrclk_sels[] = {"osc_24m", "sys_pll1_40m", "m7_
+
+ static const char * const imx8mn_dsi_core_sels[] = {"osc_24m", "sys_pll1_266m", "sys_pll2_250m",
+ "sys_pll1_800m", "sys_pll2_1000m", "sys_pll3_out",
+- "audio_pll2_out", "video_pll1_out", };
++ "audio_pll2_out", "video_pll_out", };
+
+ static const char * const imx8mn_dsi_phy_sels[] = {"osc_24m", "sys_pll2_125m", "sys_pll2_100m",
+ "sys_pll1_800m", "sys_pll2_1000m", "clk_ext2",
+- "audio_pll2_out", "video_pll1_out", };
++ "audio_pll2_out", "video_pll_out", };
+
+ static const char * const imx8mn_dsi_dbi_sels[] = {"osc_24m", "sys_pll1_266m", "sys_pll2_100m",
+ "sys_pll1_800m", "sys_pll2_1000m", "sys_pll3_out",
+- "audio_pll2_out", "video_pll1_out", };
++ "audio_pll2_out", "video_pll_out", };
+
+ static const char * const imx8mn_usdhc3_sels[] = {"osc_24m", "sys_pll1_400m", "sys_pll1_800m",
+ "sys_pll2_500m", "sys_pll3_out", "sys_pll1_266m",
+@@ -277,15 +277,15 @@ static const char * const imx8mn_usdhc3_sels[] = {"osc_24m", "sys_pll1_400m", "s
+
+ static const char * const imx8mn_camera_pixel_sels[] = {"osc_24m", "sys_pll1_266m", "sys_pll2_250m",
+ "sys_pll1_800m", "sys_pll2_1000m", "sys_pll3_out",
+- "audio_pll2_out", "video_pll1_out", };
++ "audio_pll2_out", "video_pll_out", };
+
+ static const char * const imx8mn_csi1_phy_sels[] = {"osc_24m", "sys_pll2_333m", "sys_pll2_100m",
+ "sys_pll1_800m", "sys_pll2_1000m", "clk_ext2",
+- "audio_pll2_out", "video_pll1_out", };
++ "audio_pll2_out", "video_pll_out", };
+
+ static const char * const imx8mn_csi2_phy_sels[] = {"osc_24m", "sys_pll2_333m", "sys_pll2_100m",
+ "sys_pll1_800m", "sys_pll2_1000m", "clk_ext2",
+- "audio_pll2_out", "video_pll1_out", };
++ "audio_pll2_out", "video_pll_out", };
+
+ static const char * const imx8mn_csi2_esc_sels[] = {"osc_24m", "sys_pll2_100m", "sys_pll1_80m",
+ "sys_pll1_800m", "sys_pll2_1000m", "sys_pll3_out",
+@@ -306,9 +306,9 @@ static const char * const imx8mn_clko1_sels[] = {"osc_24m", "sys_pll1_800m", "du
+ "dummy", "sys_pll1_80m", };
+ static const char * const imx8mn_clko2_sels[] = {"osc_24m", "sys_pll2_200m", "sys_pll1_400m",
+ "sys_pll2_166m", "sys_pll3_out", "audio_pll1_out",
+- "video_pll1_out", "osc_32k", };
++ "video_pll_out", "osc_32k", };
+
+-static const char * const clkout_sels[] = {"audio_pll1_out", "audio_pll2_out", "video_pll1_out",
++static const char * const clkout_sels[] = {"audio_pll1_out", "audio_pll2_out", "video_pll_out",
+ "dummy", "dummy", "gpu_pll_out", "dummy",
+ "arm_pll_out", "sys_pll1", "sys_pll2", "sys_pll3",
+ "dummy", "dummy", "osc_24m", "dummy", "osc_32k"};
+@@ -349,7 +349,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+
+ hws[IMX8MN_AUDIO_PLL1_REF_SEL] = imx_clk_hw_mux("audio_pll1_ref_sel", base + 0x0, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+ hws[IMX8MN_AUDIO_PLL2_REF_SEL] = imx_clk_hw_mux("audio_pll2_ref_sel", base + 0x14, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+- hws[IMX8MN_VIDEO_PLL1_REF_SEL] = imx_clk_hw_mux("video_pll1_ref_sel", base + 0x28, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
++ hws[IMX8MN_VIDEO_PLL_REF_SEL] = imx_clk_hw_mux("video_pll_ref_sel", base + 0x28, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+ hws[IMX8MN_DRAM_PLL_REF_SEL] = imx_clk_hw_mux("dram_pll_ref_sel", base + 0x50, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+ hws[IMX8MN_GPU_PLL_REF_SEL] = imx_clk_hw_mux("gpu_pll_ref_sel", base + 0x64, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+ hws[IMX8MN_M7_ALT_PLL_REF_SEL] = imx_clk_hw_mux("m7_alt_pll_ref_sel", base + 0x74, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+@@ -358,7 +358,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+
+ hws[IMX8MN_AUDIO_PLL1] = imx_clk_hw_pll14xx("audio_pll1", "audio_pll1_ref_sel", base, &imx_1443x_pll);
+ hws[IMX8MN_AUDIO_PLL2] = imx_clk_hw_pll14xx("audio_pll2", "audio_pll2_ref_sel", base + 0x14, &imx_1443x_pll);
+- hws[IMX8MN_VIDEO_PLL1] = imx_clk_hw_pll14xx("video_pll1", "video_pll1_ref_sel", base + 0x28, &imx_1443x_pll);
++ hws[IMX8MN_VIDEO_PLL] = imx_clk_hw_pll14xx("video_pll", "video_pll_ref_sel", base + 0x28, &imx_1443x_pll);
+ hws[IMX8MN_DRAM_PLL] = imx_clk_hw_pll14xx("dram_pll", "dram_pll_ref_sel", base + 0x50, &imx_1443x_dram_pll);
+ hws[IMX8MN_GPU_PLL] = imx_clk_hw_pll14xx("gpu_pll", "gpu_pll_ref_sel", base + 0x64, &imx_1416x_pll);
+ hws[IMX8MN_M7_ALT_PLL] = imx_clk_hw_pll14xx("m7_alt_pll", "m7_alt_pll_ref_sel", base + 0x74, &imx_1416x_pll);
+@@ -370,7 +370,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+ /* PLL bypass out */
+ hws[IMX8MN_AUDIO_PLL1_BYPASS] = imx_clk_hw_mux_flags("audio_pll1_bypass", base, 16, 1, audio_pll1_bypass_sels, ARRAY_SIZE(audio_pll1_bypass_sels), CLK_SET_RATE_PARENT);
+ hws[IMX8MN_AUDIO_PLL2_BYPASS] = imx_clk_hw_mux_flags("audio_pll2_bypass", base + 0x14, 16, 1, audio_pll2_bypass_sels, ARRAY_SIZE(audio_pll2_bypass_sels), CLK_SET_RATE_PARENT);
+- hws[IMX8MN_VIDEO_PLL1_BYPASS] = imx_clk_hw_mux_flags("video_pll1_bypass", base + 0x28, 16, 1, video_pll1_bypass_sels, ARRAY_SIZE(video_pll1_bypass_sels), CLK_SET_RATE_PARENT);
++ hws[IMX8MN_VIDEO_PLL_BYPASS] = imx_clk_hw_mux_flags("video_pll_bypass", base + 0x28, 16, 1, video_pll_bypass_sels, ARRAY_SIZE(video_pll_bypass_sels), CLK_SET_RATE_PARENT);
+ hws[IMX8MN_DRAM_PLL_BYPASS] = imx_clk_hw_mux_flags("dram_pll_bypass", base + 0x50, 16, 1, dram_pll_bypass_sels, ARRAY_SIZE(dram_pll_bypass_sels), CLK_SET_RATE_PARENT);
+ hws[IMX8MN_GPU_PLL_BYPASS] = imx_clk_hw_mux_flags("gpu_pll_bypass", base + 0x64, 28, 1, gpu_pll_bypass_sels, ARRAY_SIZE(gpu_pll_bypass_sels), CLK_SET_RATE_PARENT);
+ hws[IMX8MN_M7_ALT_PLL_BYPASS] = imx_clk_hw_mux_flags("m7_alt_pll_bypass", base + 0x74, 28, 1, m7_alt_pll_bypass_sels, ARRAY_SIZE(m7_alt_pll_bypass_sels), CLK_SET_RATE_PARENT);
+@@ -380,7 +380,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+ /* PLL out gate */
+ hws[IMX8MN_AUDIO_PLL1_OUT] = imx_clk_hw_gate("audio_pll1_out", "audio_pll1_bypass", base, 13);
+ hws[IMX8MN_AUDIO_PLL2_OUT] = imx_clk_hw_gate("audio_pll2_out", "audio_pll2_bypass", base + 0x14, 13);
+- hws[IMX8MN_VIDEO_PLL1_OUT] = imx_clk_hw_gate("video_pll1_out", "video_pll1_bypass", base + 0x28, 13);
++ hws[IMX8MN_VIDEO_PLL_OUT] = imx_clk_hw_gate("video_pll_out", "video_pll_bypass", base + 0x28, 13);
+ hws[IMX8MN_DRAM_PLL_OUT] = imx_clk_hw_gate("dram_pll_out", "dram_pll_bypass", base + 0x50, 13);
+ hws[IMX8MN_GPU_PLL_OUT] = imx_clk_hw_gate("gpu_pll_out", "gpu_pll_bypass", base + 0x64, 11);
+ hws[IMX8MN_M7_ALT_PLL_OUT] = imx_clk_hw_gate("m7_alt_pll_out", "m7_alt_pll_bypass", base + 0x74, 11);
+diff --git a/include/dt-bindings/clock/imx8mn-clock.h b/include/dt-bindings/clock/imx8mn-clock.h
+index 694e3c050d04..04809edab33c 100644
+--- a/include/dt-bindings/clock/imx8mn-clock.h
++++ b/include/dt-bindings/clock/imx8mn-clock.h
+@@ -16,7 +16,8 @@
+ #define IMX8MN_CLK_EXT4 7
+ #define IMX8MN_AUDIO_PLL1_REF_SEL 8
+ #define IMX8MN_AUDIO_PLL2_REF_SEL 9
+-#define IMX8MN_VIDEO_PLL1_REF_SEL 10
++#define IMX8MN_VIDEO_PLL_REF_SEL 10
++#define IMX8MN_VIDEO_PLL1_REF_SEL IMX8MN_VIDEO_PLL_REF_SEL
+ #define IMX8MN_DRAM_PLL_REF_SEL 11
+ #define IMX8MN_GPU_PLL_REF_SEL 12
+ #define IMX8MN_M7_ALT_PLL_REF_SEL 13
+@@ -27,7 +28,8 @@
+ #define IMX8MN_SYS_PLL3_REF_SEL 17
+ #define IMX8MN_AUDIO_PLL1 18
+ #define IMX8MN_AUDIO_PLL2 19
+-#define IMX8MN_VIDEO_PLL1 20
++#define IMX8MN_VIDEO_PLL 20
++#define IMX8MN_VIDEO_PLL1 IMX8MN_VIDEO_PLL
+ #define IMX8MN_DRAM_PLL 21
+ #define IMX8MN_GPU_PLL 22
+ #define IMX8MN_M7_ALT_PLL 23
+@@ -38,7 +40,8 @@
+ #define IMX8MN_SYS_PLL3 27
+ #define IMX8MN_AUDIO_PLL1_BYPASS 28
+ #define IMX8MN_AUDIO_PLL2_BYPASS 29
+-#define IMX8MN_VIDEO_PLL1_BYPASS 30
++#define IMX8MN_VIDEO_PLL_BYPASS 30
++#define IMX8MN_VIDEO_PLL1_BYPASS IMX8MN_VIDEO_PLL_BYPASS
+ #define IMX8MN_DRAM_PLL_BYPASS 31
+ #define IMX8MN_GPU_PLL_BYPASS 32
+ #define IMX8MN_M7_ALT_PLL_BYPASS 33
+@@ -49,7 +52,8 @@
+ #define IMX8MN_SYS_PLL3_BYPASS 37
+ #define IMX8MN_AUDIO_PLL1_OUT 38
+ #define IMX8MN_AUDIO_PLL2_OUT 39
+-#define IMX8MN_VIDEO_PLL1_OUT 40
++#define IMX8MN_VIDEO_PLL_OUT 40
++#define IMX8MN_VIDEO_PLL1_OUT IMX8MN_VIDEO_PLL_OUT
+ #define IMX8MN_DRAM_PLL_OUT 41
+ #define IMX8MN_GPU_PLL_OUT 42
+ #define IMX8MN_M7_ALT_PLL_OUT 43
+--
+2.35.1
+
--- /dev/null
+From a5870707181cfe099bf7a2da10ea690d99884449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 12:36:34 +0100
+Subject: clk: imx: replace osc_hdmi with dummy
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit e7fa365ff66f16772dc06b480cd78f858d10856b ]
+
+There is no occurrence of the hdmi oscillator in the reference manual
+(document IMX8MNRM Rev 2, 07/2022). Further, if we consider the indexes
+76-81 and 134 of the "Clock Root" table of chapter 5 of the RM, there is
+no entry for the source select bits 101b, which is the setting referenced
+by "osc_hdmi".
+Fix by renaming "osc_hdmi" with "dummy", a clock which has already been
+used for missing source select bits.
+
+Tested on the BSH SystemMaster (SMM) S2 board.
+
+Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Acked-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20221117113637.1978703-3-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mn.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c
+index 72f9563a0ff6..0fae97e61e2c 100644
+--- a/drivers/clk/imx/clk-imx8mn.c
++++ b/drivers/clk/imx/clk-imx8mn.c
+@@ -108,27 +108,27 @@ static const char * const imx8mn_disp_pixel_sels[] = {"osc_24m", "video_pll1_out
+ "sys_pll3_out", "clk_ext4", };
+
+ static const char * const imx8mn_sai2_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
++ "video_pll1_out", "sys_pll1_133m", "dummy",
+ "clk_ext3", "clk_ext4", };
+
+ static const char * const imx8mn_sai3_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
++ "video_pll1_out", "sys_pll1_133m", "dummy",
+ "clk_ext3", "clk_ext4", };
+
+ static const char * const imx8mn_sai5_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
++ "video_pll1_out", "sys_pll1_133m", "dummy",
+ "clk_ext2", "clk_ext3", };
+
+ static const char * const imx8mn_sai6_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
++ "video_pll1_out", "sys_pll1_133m", "dummy",
+ "clk_ext3", "clk_ext4", };
+
+ static const char * const imx8mn_sai7_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
++ "video_pll1_out", "sys_pll1_133m", "dummy",
+ "clk_ext3", "clk_ext4", };
+
+ static const char * const imx8mn_spdif1_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
++ "video_pll1_out", "sys_pll1_133m", "dummy",
+ "clk_ext2", "clk_ext3", };
+
+ static const char * const imx8mn_enet_ref_sels[] = {"osc_24m", "sys_pll2_125m", "sys_pll2_50m",
+--
+2.35.1
+
--- /dev/null
+From 4969b07b621af12602aaee5bf0f9f0bba8301643 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 12:36:37 +0100
+Subject: clk: imx8mn: fix imx8mn_enet_phy_sels clocks list
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit 2626cf67f20b28446dfc3a5b9493dd535cdb747b ]
+
+According to the "Clock Root" table of the reference manual (document
+IMX8MNRM Rev 2, 07/2022):
+
+ Clock Root offset Source Select (CCM_TARGET_ROOTn[MUX])
+ ... ... ...
+ ENET_PHY_REF_CLK_ROOT 0xAA80 000 - 24M_REF_CLK
+ 001 - SYSTEM_PLL2_DIV20
+ 010 - SYSTEM_PLL2_DIV8
+ 011 - SYSTEM_PLL2_DIV5
+ 100 - SYSTEM_PLL2_DIV2
+ 101 - AUDIO_PLL1_CLK
+ 110 - VIDEO_PLL_CLK
+ 111 - AUDIO_PLL2_CLK
+ ... ... ...
+
+while the imx8mn_enet_phy_sels list didn't contained audio_pll1_out for
+source select bits 101b.
+
+Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Acked-by: Marco Felsch <m.felsch@pengutronix.de>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20221117113637.1978703-6-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c
+index 37128c35198d..2afea905f7f3 100644
+--- a/drivers/clk/imx/clk-imx8mn.c
++++ b/drivers/clk/imx/clk-imx8mn.c
+@@ -140,8 +140,8 @@ static const char * const imx8mn_enet_timer_sels[] = {"osc_24m", "sys_pll2_100m"
+ "clk_ext4", "video_pll_out", };
+
+ static const char * const imx8mn_enet_phy_sels[] = {"osc_24m", "sys_pll2_50m", "sys_pll2_125m",
+- "sys_pll2_200m", "sys_pll2_500m", "video_pll_out",
+- "audio_pll2_out", };
++ "sys_pll2_200m", "sys_pll2_500m", "audio_pll1_out",
++ "video_pll_out", "audio_pll2_out", };
+
+ static const char * const imx8mn_nand_sels[] = {"osc_24m", "sys_pll2_500m", "audio_pll1_out",
+ "sys_pll1_400m", "audio_pll2_out", "sys_pll3_out",
+--
+2.35.1
+
--- /dev/null
+From dbec7a555da6926892a27fdf58c7f01a5f928268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 12:36:36 +0100
+Subject: clk: imx8mn: fix imx8mn_sai2_sels clocks list
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit 34d996747a74e3a86990f9f9c48de09159d78edb ]
+
+According to the "Clock Root" table of the reference manual (document
+IMX8MNRM Rev 2, 07/2022):
+
+ Clock Root offset Source Select (CCM_TARGET_ROOTn[MUX])
+ ... ... ...
+ SAI2_CLK_ROOT 0xA600 000 - 24M_REF_CLK
+ 001 - AUDIO_PLL1_CLK
+ 010 - AUDIO_PLL2_CLK
+ 011 - VIDEO_PLL_CLK
+ 100 - SYSTEM_PLL1_DIV6
+ 110 - EXT_CLK_2
+ 111 - EXT_CLK_3
+ ... ... ...
+
+while the imx8mn_sai2_sels list contained clk_ext3 and clk_ext4 for
+source select bits 110b and 111b.
+
+Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Acked-by: Marco Felsch <m.felsch@pengutronix.de>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20221117113637.1978703-5-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c
+index b80af5d1ef46..37128c35198d 100644
+--- a/drivers/clk/imx/clk-imx8mn.c
++++ b/drivers/clk/imx/clk-imx8mn.c
+@@ -109,7 +109,7 @@ static const char * const imx8mn_disp_pixel_sels[] = {"osc_24m", "video_pll_out"
+
+ static const char * const imx8mn_sai2_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+ "video_pll_out", "sys_pll1_133m", "dummy",
+- "clk_ext3", "clk_ext4", };
++ "clk_ext2", "clk_ext3", };
+
+ static const char * const imx8mn_sai3_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+ "video_pll_out", "sys_pll1_133m", "dummy",
+--
+2.35.1
+
--- /dev/null
+From 48a7d132f402c2902736e9bfedf80bc5f36d538c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 12:36:33 +0100
+Subject: clk: imx8mn: rename vpu_pll to m7_alt_pll
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit a429c60baefd95ab43a2ce7f25d5b2d7a2e431df ]
+
+The IMX8MN platform does not have any video processing unit (VPU), and
+indeed in the reference manual (document IMX8MNRM Rev 2, 07/2022) there
+is no occurrence of its pll. From an analysis of the code and the RM
+itself, I think vpu pll is used instead of m7 alternate pll, probably
+for copy and paste of code taken from modules of similar architectures.
+
+As an example for all, if we consider the second row of the "Clock Root"
+table of chapter 5 (Clocks and Power Management) of the RM:
+
+ Clock Root offset Source Select (CCM_TARGET_ROOTn[MUX])
+ ... ... ...
+ ARM_M7_CLK_ROOT 0x8080 000 - 24M_REF_CLK
+ 001 - SYSTEM_PLL2_DIV5
+ 010 - SYSTEM_PLL2_DIV4
+ 011 - M7_ALT_PLL_CLK
+ 100 - SYSTEM_PLL1_CLK
+ 101 - AUDIO_PLL1_CLK
+ 110 - VIDEO_PLL_CLK
+ 111 - SYSTEM_PLL3_CLK
+ ... ... ...
+
+but in the source code, the imx8mn_m7_sels clocks list contains vpu_pll
+for the source select bits 011b.
+
+So, let's rename "vpu_pll" to "m7_alt_pll" to be consistent with the RM.
+
+The IMX8MN_VPU_* constants have not been removed to ensure backward
+compatibility of the patch.
+
+No functional changes intended.
+
+Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Acked-by: Marco Felsch <m.felsch@pengutronix.de>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20221117113637.1978703-2-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mn.c | 16 ++++++++--------
+ include/dt-bindings/clock/imx8mn-clock.h | 12 ++++++++----
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c
+index d37c45b676ab..72f9563a0ff6 100644
+--- a/drivers/clk/imx/clk-imx8mn.c
++++ b/drivers/clk/imx/clk-imx8mn.c
+@@ -30,7 +30,7 @@ static const char * const audio_pll2_bypass_sels[] = {"audio_pll2", "audio_pll2_
+ static const char * const video_pll1_bypass_sels[] = {"video_pll1", "video_pll1_ref_sel", };
+ static const char * const dram_pll_bypass_sels[] = {"dram_pll", "dram_pll_ref_sel", };
+ static const char * const gpu_pll_bypass_sels[] = {"gpu_pll", "gpu_pll_ref_sel", };
+-static const char * const vpu_pll_bypass_sels[] = {"vpu_pll", "vpu_pll_ref_sel", };
++static const char * const m7_alt_pll_bypass_sels[] = {"m7_alt_pll", "m7_alt_pll_ref_sel", };
+ static const char * const arm_pll_bypass_sels[] = {"arm_pll", "arm_pll_ref_sel", };
+ static const char * const sys_pll3_bypass_sels[] = {"sys_pll3", "sys_pll3_ref_sel", };
+
+@@ -40,7 +40,7 @@ static const char * const imx8mn_a53_sels[] = {"osc_24m", "arm_pll_out", "sys_pl
+
+ static const char * const imx8mn_a53_core_sels[] = {"arm_a53_div", "arm_pll_out", };
+
+-static const char * const imx8mn_m7_sels[] = {"osc_24m", "sys_pll2_200m", "sys_pll2_250m", "vpu_pll_out",
++static const char * const imx8mn_m7_sels[] = {"osc_24m", "sys_pll2_200m", "sys_pll2_250m", "m7_alt_pll_out",
+ "sys_pll1_800m", "audio_pll1_out", "video_pll1_out", "sys_pll3_out", };
+
+ static const char * const imx8mn_gpu_core_sels[] = {"osc_24m", "gpu_pll_out", "sys_pll1_800m",
+@@ -252,10 +252,10 @@ static const char * const imx8mn_gpt6_sels[] = {"osc_24m", "sys_pll2_100m", "sys
+ "audio_pll1_out", "clk_ext1", };
+
+ static const char * const imx8mn_wdog_sels[] = {"osc_24m", "sys_pll1_133m", "sys_pll1_160m",
+- "vpu_pll_out", "sys_pll2_125m", "sys_pll3_out",
++ "m7_alt_pll_out", "sys_pll2_125m", "sys_pll3_out",
+ "sys_pll1_80m", "sys_pll2_166m", };
+
+-static const char * const imx8mn_wrclk_sels[] = {"osc_24m", "sys_pll1_40m", "vpu_pll_out",
++static const char * const imx8mn_wrclk_sels[] = {"osc_24m", "sys_pll1_40m", "m7_alt_pll_out",
+ "sys_pll3_out", "sys_pll2_200m", "sys_pll1_266m",
+ "sys_pll2_500m", "sys_pll1_100m", };
+
+@@ -352,7 +352,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+ hws[IMX8MN_VIDEO_PLL1_REF_SEL] = imx_clk_hw_mux("video_pll1_ref_sel", base + 0x28, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+ hws[IMX8MN_DRAM_PLL_REF_SEL] = imx_clk_hw_mux("dram_pll_ref_sel", base + 0x50, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+ hws[IMX8MN_GPU_PLL_REF_SEL] = imx_clk_hw_mux("gpu_pll_ref_sel", base + 0x64, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+- hws[IMX8MN_VPU_PLL_REF_SEL] = imx_clk_hw_mux("vpu_pll_ref_sel", base + 0x74, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
++ hws[IMX8MN_M7_ALT_PLL_REF_SEL] = imx_clk_hw_mux("m7_alt_pll_ref_sel", base + 0x74, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+ hws[IMX8MN_ARM_PLL_REF_SEL] = imx_clk_hw_mux("arm_pll_ref_sel", base + 0x84, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+ hws[IMX8MN_SYS_PLL3_REF_SEL] = imx_clk_hw_mux("sys_pll3_ref_sel", base + 0x114, 0, 2, pll_ref_sels, ARRAY_SIZE(pll_ref_sels));
+
+@@ -361,7 +361,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+ hws[IMX8MN_VIDEO_PLL1] = imx_clk_hw_pll14xx("video_pll1", "video_pll1_ref_sel", base + 0x28, &imx_1443x_pll);
+ hws[IMX8MN_DRAM_PLL] = imx_clk_hw_pll14xx("dram_pll", "dram_pll_ref_sel", base + 0x50, &imx_1443x_dram_pll);
+ hws[IMX8MN_GPU_PLL] = imx_clk_hw_pll14xx("gpu_pll", "gpu_pll_ref_sel", base + 0x64, &imx_1416x_pll);
+- hws[IMX8MN_VPU_PLL] = imx_clk_hw_pll14xx("vpu_pll", "vpu_pll_ref_sel", base + 0x74, &imx_1416x_pll);
++ hws[IMX8MN_M7_ALT_PLL] = imx_clk_hw_pll14xx("m7_alt_pll", "m7_alt_pll_ref_sel", base + 0x74, &imx_1416x_pll);
+ hws[IMX8MN_ARM_PLL] = imx_clk_hw_pll14xx("arm_pll", "arm_pll_ref_sel", base + 0x84, &imx_1416x_pll);
+ hws[IMX8MN_SYS_PLL1] = imx_clk_hw_fixed("sys_pll1", 800000000);
+ hws[IMX8MN_SYS_PLL2] = imx_clk_hw_fixed("sys_pll2", 1000000000);
+@@ -373,7 +373,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+ hws[IMX8MN_VIDEO_PLL1_BYPASS] = imx_clk_hw_mux_flags("video_pll1_bypass", base + 0x28, 16, 1, video_pll1_bypass_sels, ARRAY_SIZE(video_pll1_bypass_sels), CLK_SET_RATE_PARENT);
+ hws[IMX8MN_DRAM_PLL_BYPASS] = imx_clk_hw_mux_flags("dram_pll_bypass", base + 0x50, 16, 1, dram_pll_bypass_sels, ARRAY_SIZE(dram_pll_bypass_sels), CLK_SET_RATE_PARENT);
+ hws[IMX8MN_GPU_PLL_BYPASS] = imx_clk_hw_mux_flags("gpu_pll_bypass", base + 0x64, 28, 1, gpu_pll_bypass_sels, ARRAY_SIZE(gpu_pll_bypass_sels), CLK_SET_RATE_PARENT);
+- hws[IMX8MN_VPU_PLL_BYPASS] = imx_clk_hw_mux_flags("vpu_pll_bypass", base + 0x74, 28, 1, vpu_pll_bypass_sels, ARRAY_SIZE(vpu_pll_bypass_sels), CLK_SET_RATE_PARENT);
++ hws[IMX8MN_M7_ALT_PLL_BYPASS] = imx_clk_hw_mux_flags("m7_alt_pll_bypass", base + 0x74, 28, 1, m7_alt_pll_bypass_sels, ARRAY_SIZE(m7_alt_pll_bypass_sels), CLK_SET_RATE_PARENT);
+ hws[IMX8MN_ARM_PLL_BYPASS] = imx_clk_hw_mux_flags("arm_pll_bypass", base + 0x84, 28, 1, arm_pll_bypass_sels, ARRAY_SIZE(arm_pll_bypass_sels), CLK_SET_RATE_PARENT);
+ hws[IMX8MN_SYS_PLL3_BYPASS] = imx_clk_hw_mux_flags("sys_pll3_bypass", base + 0x114, 28, 1, sys_pll3_bypass_sels, ARRAY_SIZE(sys_pll3_bypass_sels), CLK_SET_RATE_PARENT);
+
+@@ -383,7 +383,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+ hws[IMX8MN_VIDEO_PLL1_OUT] = imx_clk_hw_gate("video_pll1_out", "video_pll1_bypass", base + 0x28, 13);
+ hws[IMX8MN_DRAM_PLL_OUT] = imx_clk_hw_gate("dram_pll_out", "dram_pll_bypass", base + 0x50, 13);
+ hws[IMX8MN_GPU_PLL_OUT] = imx_clk_hw_gate("gpu_pll_out", "gpu_pll_bypass", base + 0x64, 11);
+- hws[IMX8MN_VPU_PLL_OUT] = imx_clk_hw_gate("vpu_pll_out", "vpu_pll_bypass", base + 0x74, 11);
++ hws[IMX8MN_M7_ALT_PLL_OUT] = imx_clk_hw_gate("m7_alt_pll_out", "m7_alt_pll_bypass", base + 0x74, 11);
+ hws[IMX8MN_ARM_PLL_OUT] = imx_clk_hw_gate("arm_pll_out", "arm_pll_bypass", base + 0x84, 11);
+ hws[IMX8MN_SYS_PLL3_OUT] = imx_clk_hw_gate("sys_pll3_out", "sys_pll3_bypass", base + 0x114, 11);
+
+diff --git a/include/dt-bindings/clock/imx8mn-clock.h b/include/dt-bindings/clock/imx8mn-clock.h
+index 07b8a282c268..694e3c050d04 100644
+--- a/include/dt-bindings/clock/imx8mn-clock.h
++++ b/include/dt-bindings/clock/imx8mn-clock.h
+@@ -19,7 +19,8 @@
+ #define IMX8MN_VIDEO_PLL1_REF_SEL 10
+ #define IMX8MN_DRAM_PLL_REF_SEL 11
+ #define IMX8MN_GPU_PLL_REF_SEL 12
+-#define IMX8MN_VPU_PLL_REF_SEL 13
++#define IMX8MN_M7_ALT_PLL_REF_SEL 13
++#define IMX8MN_VPU_PLL_REF_SEL IMX8MN_M7_ALT_PLL_REF_SEL
+ #define IMX8MN_ARM_PLL_REF_SEL 14
+ #define IMX8MN_SYS_PLL1_REF_SEL 15
+ #define IMX8MN_SYS_PLL2_REF_SEL 16
+@@ -29,7 +30,8 @@
+ #define IMX8MN_VIDEO_PLL1 20
+ #define IMX8MN_DRAM_PLL 21
+ #define IMX8MN_GPU_PLL 22
+-#define IMX8MN_VPU_PLL 23
++#define IMX8MN_M7_ALT_PLL 23
++#define IMX8MN_VPU_PLL IMX8MN_M7_ALT_PLL
+ #define IMX8MN_ARM_PLL 24
+ #define IMX8MN_SYS_PLL1 25
+ #define IMX8MN_SYS_PLL2 26
+@@ -39,7 +41,8 @@
+ #define IMX8MN_VIDEO_PLL1_BYPASS 30
+ #define IMX8MN_DRAM_PLL_BYPASS 31
+ #define IMX8MN_GPU_PLL_BYPASS 32
+-#define IMX8MN_VPU_PLL_BYPASS 33
++#define IMX8MN_M7_ALT_PLL_BYPASS 33
++#define IMX8MN_VPU_PLL_BYPASS IMX8MN_M7_ALT_PLL_BYPASS
+ #define IMX8MN_ARM_PLL_BYPASS 34
+ #define IMX8MN_SYS_PLL1_BYPASS 35
+ #define IMX8MN_SYS_PLL2_BYPASS 36
+@@ -49,7 +52,8 @@
+ #define IMX8MN_VIDEO_PLL1_OUT 40
+ #define IMX8MN_DRAM_PLL_OUT 41
+ #define IMX8MN_GPU_PLL_OUT 42
+-#define IMX8MN_VPU_PLL_OUT 43
++#define IMX8MN_M7_ALT_PLL_OUT 43
++#define IMX8MN_VPU_PLL_OUT IMX8MN_M7_ALT_PLL_OUT
+ #define IMX8MN_ARM_PLL_OUT 44
+ #define IMX8MN_SYS_PLL1_OUT 45
+ #define IMX8MN_SYS_PLL2_OUT 46
+--
+2.35.1
+
--- /dev/null
+From c5335b2c95c08290bdee422fc18dc1cd8eb79bfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 17:52:07 +0800
+Subject: clk: imx93: correct enet clock
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 4be5d91b9433f1dc76de485e240ca6aaa2d19f65 ]
+
+Per update Reference Mannual, correct the enet clock parent to
+wakeup_axi_root.
+
+Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk")
+Reviewed-by: Ye Li <ye.li@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20221028095211.2598312-3-peng.fan@oss.nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx93.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/imx/clk-imx93.c b/drivers/clk/imx/clk-imx93.c
+index 8d67b065f7b6..2e99c3443d3c 100644
+--- a/drivers/clk/imx/clk-imx93.c
++++ b/drivers/clk/imx/clk-imx93.c
+@@ -229,7 +229,7 @@ static const struct imx93_clk_ccgr {
+ { IMX93_CLK_AUD_XCVR_GATE, "aud_xcvr", "audio_xcvr_root", 0x9b80, },
+ { IMX93_CLK_SPDIF_GATE, "spdif", "spdif_root", 0x9c00, },
+ { IMX93_CLK_HSIO_32K_GATE, "hsio_32k", "osc_32k", 0x9dc0, },
+- { IMX93_CLK_ENET1_GATE, "enet1", "enet_root", 0x9e00, },
++ { IMX93_CLK_ENET1_GATE, "enet1", "wakeup_axi_root", 0x9e00, },
+ { IMX93_CLK_ENET_QOS_GATE, "enet_qos", "wakeup_axi_root", 0x9e40, },
+ { IMX93_CLK_SYS_CNT_GATE, "sys_cnt", "osc_24m", 0x9e80, },
+ { IMX93_CLK_TSTMR1_GATE, "tstmr1", "bus_aon_root", 0x9ec0, },
+--
+2.35.1
+
--- /dev/null
+From 0553be03fccf61183baf22d82d1290a31ebe82b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 13:26:39 +0800
+Subject: clk: imx93: correct the flexspi1 clock setting
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 62dfdbcc16e767b91ed35d4fc0428c86d4688505 ]
+
+Correct IMX93_CLK_FLEXSPI1_GATE CCGR setting. Otherwise the flexspi
+always can't be assigned to a parent clock when dump the clock tree.
+
+Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk")
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/1666589199-1199-1-git-send-email-haibo.chen@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx93.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/imx/clk-imx93.c b/drivers/clk/imx/clk-imx93.c
+index dcc41d178238..4d2524addc3e 100644
+--- a/drivers/clk/imx/clk-imx93.c
++++ b/drivers/clk/imx/clk-imx93.c
+@@ -162,7 +162,7 @@ static const struct imx93_clk_ccgr {
+ { IMX93_CLK_MU_B_GATE, "mu_b", "bus_aon_root", 0x8500, },
+ { IMX93_CLK_EDMA1_GATE, "edma1", "m33_root", 0x8540, },
+ { IMX93_CLK_EDMA2_GATE, "edma2", "wakeup_axi_root", 0x8580, },
+- { IMX93_CLK_FLEXSPI1_GATE, "flexspi", "flexspi_root", 0x8640, },
++ { IMX93_CLK_FLEXSPI1_GATE, "flexspi1", "flexspi1_root", 0x8640, },
+ { IMX93_CLK_GPIO1_GATE, "gpio1", "m33_root", 0x8880, },
+ { IMX93_CLK_GPIO2_GATE, "gpio2", "bus_wakeup_root", 0x88c0, },
+ { IMX93_CLK_GPIO3_GATE, "gpio3", "bus_wakeup_root", 0x8900, },
+--
+2.35.1
+
--- /dev/null
+From b5b4b03782b3250a777b79eefc64ff76d3d62197 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 17:52:06 +0800
+Subject: clk: imx93: unmap anatop base in error handling path
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit bda7b7f396f94d8df89ecacc88f2826908e8762c ]
+
+The anatop base is not unmapped during error handling path, fix it.
+
+Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20221028095211.2598312-2-peng.fan@oss.nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx93.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx93.c b/drivers/clk/imx/clk-imx93.c
+index 4d2524addc3e..8d67b065f7b6 100644
+--- a/drivers/clk/imx/clk-imx93.c
++++ b/drivers/clk/imx/clk-imx93.c
+@@ -247,7 +247,7 @@ static int imx93_clocks_probe(struct platform_device *pdev)
+ struct device_node *np = dev->of_node;
+ const struct imx93_clk_root *root;
+ const struct imx93_clk_ccgr *ccgr;
+- void __iomem *base = NULL;
++ void __iomem *base, *anatop_base;
+ int i, ret;
+
+ clk_hw_data = kzalloc(struct_size(clk_hw_data, hws,
+@@ -274,20 +274,22 @@ static int imx93_clocks_probe(struct platform_device *pdev)
+ "sys_pll_pfd2", 1, 2);
+
+ np = of_find_compatible_node(NULL, NULL, "fsl,imx93-anatop");
+- base = of_iomap(np, 0);
++ anatop_base = of_iomap(np, 0);
+ of_node_put(np);
+- if (WARN_ON(!base))
++ if (WARN_ON(!anatop_base))
+ return -ENOMEM;
+
+- clks[IMX93_CLK_AUDIO_PLL] = imx_clk_fracn_gppll("audio_pll", "osc_24m", base + 0x1200,
++ clks[IMX93_CLK_AUDIO_PLL] = imx_clk_fracn_gppll("audio_pll", "osc_24m", anatop_base + 0x1200,
+ &imx_fracn_gppll);
+- clks[IMX93_CLK_VIDEO_PLL] = imx_clk_fracn_gppll("video_pll", "osc_24m", base + 0x1400,
++ clks[IMX93_CLK_VIDEO_PLL] = imx_clk_fracn_gppll("video_pll", "osc_24m", anatop_base + 0x1400,
+ &imx_fracn_gppll);
+
+ np = dev->of_node;
+ base = devm_platform_ioremap_resource(pdev, 0);
+- if (WARN_ON(IS_ERR(base)))
++ if (WARN_ON(IS_ERR(base))) {
++ iounmap(anatop_base);
+ return PTR_ERR(base);
++ }
+
+ for (i = 0; i < ARRAY_SIZE(root_array); i++) {
+ root = &root_array[i];
+@@ -317,6 +319,7 @@ static int imx93_clocks_probe(struct platform_device *pdev)
+
+ unregister_hws:
+ imx_unregister_hw_clocks(clks, IMX93_CLK_END);
++ iounmap(anatop_base);
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 089b6c171ffbb4aad421fbf8956750dde69c6811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 17:18:07 +0100
+Subject: clk: mediatek: fix dependency of MT7986 ADC clocks
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit a46315295489933209e902638cd287aeb5f982ab ]
+
+It seems like CLK_INFRA_ADC_FRC_CK always need to be enabled for
+CLK_INFRA_ADC_26M_CK to work. Instead of adding this dependency to the
+mtk-thermal and mt6577_auxadc drivers, add dependency to the clock
+driver clk-mt7986-infracfg.c.
+
+Fixes: ec97d23c8e22 ("clk: mediatek: add mt7986 clock support")
+Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Link: https://lore.kernel.org/r/5e55012567da74870e1fb2edc2dc513b5821e523.1666801017.git.daniel@makrotopia.org
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mt7986-infracfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/mediatek/clk-mt7986-infracfg.c b/drivers/clk/mediatek/clk-mt7986-infracfg.c
+index d90727a53283..49666047bf0e 100644
+--- a/drivers/clk/mediatek/clk-mt7986-infracfg.c
++++ b/drivers/clk/mediatek/clk-mt7986-infracfg.c
+@@ -153,7 +153,7 @@ static const struct mtk_gate infra_clks[] = {
+ 18),
+ GATE_INFRA1(CLK_INFRA_MSDC_66M_CK, "infra_msdc_66m", "infra_sysaxi_d2",
+ 19),
+- GATE_INFRA1(CLK_INFRA_ADC_26M_CK, "infra_adc_26m", "csw_f26m_sel", 20),
++ GATE_INFRA1(CLK_INFRA_ADC_26M_CK, "infra_adc_26m", "infra_adc_frc", 20),
+ GATE_INFRA1(CLK_INFRA_ADC_FRC_CK, "infra_adc_frc", "csw_f26m_sel", 21),
+ GATE_INFRA1(CLK_INFRA_FBIST2FPC_CK, "infra_fbist2fpc", "nfi1x_sel", 23),
+ /* INFRA2 */
+--
+2.35.1
+
--- /dev/null
+From a9739d33ac8dc2737905cebf412502c55f5c9d4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 22:56:25 +0100
+Subject: clk: qcom: clk-krait: fix wrong div2 functions
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+[ Upstream commit d676d3a3717cf726d3affedbe5ba98fc4ccad7b3 ]
+
+Currently div2 value is applied to the wrong bits. This is caused by a
+bug in the code where the shift is done only for lpl, for anything
+else the mask is not shifted to the correct bits.
+
+Fix this by correctly shift if lpl is not supported.
+
+Fixes: 4d7dc77babfe ("clk: qcom: Add support for Krait clocks")
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221108215625.30186-1-ansuelsmth@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/clk-krait.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/qcom/clk-krait.c b/drivers/clk/qcom/clk-krait.c
+index 45da736bd5f4..293a9dfa7151 100644
+--- a/drivers/clk/qcom/clk-krait.c
++++ b/drivers/clk/qcom/clk-krait.c
+@@ -114,6 +114,8 @@ static int krait_div2_set_rate(struct clk_hw *hw, unsigned long rate,
+
+ if (d->lpl)
+ mask = mask << (d->shift + LPL_SHIFT) | mask << d->shift;
++ else
++ mask <<= d->shift;
+
+ spin_lock_irqsave(&krait_clock_reg_lock, flags);
+ val = krait_get_l2_indirect_reg(d->offset);
+--
+2.35.1
+
--- /dev/null
+From f8a8e879a408843a2c4ff6acfd7bde7ebe0a6647 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 17:55:46 +0200
+Subject: clk: qcom: dispcc-sm6350: Add CLK_OPS_PARENT_ENABLE to pixel&byte src
+
+From: Konrad Dybcio <konrad.dybcio@somainline.org>
+
+[ Upstream commit 92039e8c080c63748f8e133e7cfad33a75daefb6 ]
+
+Add the CLK_OPS_PARENT_ENABLE flag to pixel and byte clk srcs to
+ensure set_rate can succeed.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350")
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221010155546.73884-1-konrad.dybcio@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm6350.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c
+index 0c3c2e26ede9..ea6f54ed846e 100644
+--- a/drivers/clk/qcom/dispcc-sm6350.c
++++ b/drivers/clk/qcom/dispcc-sm6350.c
+@@ -306,7 +306,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk0_clk_src = {
+ .name = "disp_cc_mdss_pclk0_clk_src",
+ .parent_data = disp_cc_parent_data_5,
+ .num_parents = ARRAY_SIZE(disp_cc_parent_data_5),
+- .flags = CLK_SET_RATE_PARENT | CLK_GET_RATE_NOCACHE,
++ .flags = CLK_SET_RATE_PARENT | CLK_GET_RATE_NOCACHE | CLK_OPS_PARENT_ENABLE,
+ .ops = &clk_pixel_ops,
+ },
+ };
+@@ -385,7 +385,7 @@ static struct clk_branch disp_cc_mdss_byte0_clk = {
+ &disp_cc_mdss_byte0_clk_src.clkr.hw,
+ },
+ .num_parents = 1,
+- .flags = CLK_SET_RATE_PARENT | CLK_GET_RATE_NOCACHE,
++ .flags = CLK_SET_RATE_PARENT | CLK_GET_RATE_NOCACHE | CLK_OPS_PARENT_ENABLE,
+ .ops = &clk_branch2_ops,
+ },
+ },
+--
+2.35.1
+
--- /dev/null
+From 566eddd95216396574fc01f539e9d435d4701c44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 14:38:25 +0300
+Subject: clk: qcom: gcc-ipq806x: use parent_data for the last remaining entry
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 55307e522cc7a4dddc3d231ca5cb7e68e9668f66 ]
+
+Use parent_data for the last remaining entry (pll4). This clock is
+provided by the lcc device.
+
+Fixes: cb02866f9a74 ("clk: qcom: gcc-ipq806x: convert parent_names to parent_data")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220927113826.246241-3-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-ipq806x.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/gcc-ipq806x.c b/drivers/clk/qcom/gcc-ipq806x.c
+index 718de17a1e60..6447f3e81b55 100644
+--- a/drivers/clk/qcom/gcc-ipq806x.c
++++ b/drivers/clk/qcom/gcc-ipq806x.c
+@@ -79,7 +79,9 @@ static struct clk_regmap pll4_vote = {
+ .enable_mask = BIT(4),
+ .hw.init = &(struct clk_init_data){
+ .name = "pll4_vote",
+- .parent_names = (const char *[]){ "pll4" },
++ .parent_data = &(const struct clk_parent_data){
++ .fw_name = "pll4", .name = "pll4",
++ },
+ .num_parents = 1,
+ .ops = &clk_pll_vote_ops,
+ },
+--
+2.35.1
+
--- /dev/null
+From daaea5e34cd6e0147121d001d89077f069d1526c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 14:43:20 +0530
+Subject: clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit ac1c5a03d3772b1db25e8092f771aa33f6ae2f7e ]
+
+USB controllers on SM8250 doesn't work after coming back from suspend.
+This can be fixed by keeping the USB GDSCs in retention mode so that
+hardware can keep them ON and put into rentention mode once the parent
+domain goes to a low power state.
+
+Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221102091320.66007-1-manivannan.sadhasivam@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sm8250.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/gcc-sm8250.c b/drivers/clk/qcom/gcc-sm8250.c
+index 9755ef4888c1..a0ba37656b07 100644
+--- a/drivers/clk/qcom/gcc-sm8250.c
++++ b/drivers/clk/qcom/gcc-sm8250.c
+@@ -3267,7 +3267,7 @@ static struct gdsc usb30_prim_gdsc = {
+ .pd = {
+ .name = "usb30_prim_gdsc",
+ },
+- .pwrsts = PWRSTS_OFF_ON,
++ .pwrsts = PWRSTS_RET_ON,
+ };
+
+ static struct gdsc usb30_sec_gdsc = {
+@@ -3275,7 +3275,7 @@ static struct gdsc usb30_sec_gdsc = {
+ .pd = {
+ .name = "usb30_sec_gdsc",
+ },
+- .pwrsts = PWRSTS_OFF_ON,
++ .pwrsts = PWRSTS_RET_ON,
+ };
+
+ static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc = {
+--
+2.35.1
+
--- /dev/null
+From be1cc7bfd4cbfc1f6529deb0b06a3ed9e9da3e07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 09:47:26 +0530
+Subject: clk: qcom: lpass: Add support for resets & external mclk for SC7280
+
+From: Taniya Das <quic_tdas@quicinc.com>
+
+[ Upstream commit 7c6a6641c24d30ab6f5456d19e15e64bea971b82 ]
+
+The clock gating control for TX/RX/WSA core bus clocks would be required
+to be reset(moved from hardware control) from audio core driver. Thus
+add the support for the reset clocks.
+
+Update the lpass_aon_cc_main_rcg_clk_src ops to park the RCG at XO after
+disable as this clock signal is used by hardware to turn ON memories in
+LPASS. Also add the external mclk to interface external MI2S.
+
+Fixes: a9dd26639d05 ("clk: qcom: lpass: Add support for LPASS clock controller for SC7280")
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/1662005846-4838-6-git-send-email-quic_c_skakit@quicinc.com
+Stable-dep-of: d470be3c4f30 ("clk: qcom: lpass-sc7280: Fix pm_runtime usage")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/lpassaudiocc-sc7280.c | 24 +++++++++++++++++--
+ drivers/clk/qcom/lpasscorecc-sc7280.c | 33 ++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/lpassaudiocc-sc7280.c b/drivers/clk/qcom/lpassaudiocc-sc7280.c
+index 606732879fea..5d4bc563073c 100644
+--- a/drivers/clk/qcom/lpassaudiocc-sc7280.c
++++ b/drivers/clk/qcom/lpassaudiocc-sc7280.c
+@@ -23,6 +23,7 @@
+ #include "clk-regmap-mux.h"
+ #include "common.h"
+ #include "gdsc.h"
++#include "reset.h"
+
+ enum {
+ P_BI_TCXO,
+@@ -248,7 +249,7 @@ static struct clk_rcg2 lpass_aon_cc_main_rcg_clk_src = {
+ .parent_data = lpass_aon_cc_parent_data_0,
+ .num_parents = ARRAY_SIZE(lpass_aon_cc_parent_data_0),
+ .flags = CLK_OPS_PARENT_ENABLE,
+- .ops = &clk_rcg2_ops,
++ .ops = &clk_rcg2_shared_ops,
+ },
+ };
+
+@@ -703,6 +704,18 @@ static const struct qcom_cc_desc lpass_audio_cc_sc7280_desc = {
+ .num_clks = ARRAY_SIZE(lpass_audio_cc_sc7280_clocks),
+ };
+
++static const struct qcom_reset_map lpass_audio_cc_sc7280_resets[] = {
++ [LPASS_AUDIO_SWR_RX_CGCR] = { 0xa0, 1 },
++ [LPASS_AUDIO_SWR_TX_CGCR] = { 0xa8, 1 },
++ [LPASS_AUDIO_SWR_WSA_CGCR] = { 0xb0, 1 },
++};
++
++static const struct qcom_cc_desc lpass_audio_cc_reset_sc7280_desc = {
++ .config = &lpass_audio_cc_sc7280_regmap_config,
++ .resets = lpass_audio_cc_sc7280_resets,
++ .num_resets = ARRAY_SIZE(lpass_audio_cc_sc7280_resets),
++};
++
+ static const struct of_device_id lpass_audio_cc_sc7280_match_table[] = {
+ { .compatible = "qcom,sc7280-lpassaudiocc" },
+ { }
+@@ -772,13 +785,20 @@ static int lpass_audio_cc_sc7280_probe(struct platform_device *pdev)
+ regmap_write(regmap, 0x4, 0x3b);
+ regmap_write(regmap, 0x8, 0xff05);
+
+- ret = qcom_cc_really_probe(pdev, &lpass_audio_cc_sc7280_desc, regmap);
++ ret = qcom_cc_probe_by_index(pdev, 0, &lpass_audio_cc_sc7280_desc);
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to register LPASS AUDIO CC clocks\n");
+ pm_runtime_disable(&pdev->dev);
+ return ret;
+ }
+
++ ret = qcom_cc_probe_by_index(pdev, 1, &lpass_audio_cc_reset_sc7280_desc);
++ if (ret) {
++ dev_err(&pdev->dev, "Failed to register LPASS AUDIO CC Resets\n");
++ pm_runtime_disable(&pdev->dev);
++ return ret;
++ }
++
+ pm_runtime_mark_last_busy(&pdev->dev);
+ pm_runtime_put_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
+diff --git a/drivers/clk/qcom/lpasscorecc-sc7280.c b/drivers/clk/qcom/lpasscorecc-sc7280.c
+index 1f1f1bd1b68e..6ad19b06b1ce 100644
+--- a/drivers/clk/qcom/lpasscorecc-sc7280.c
++++ b/drivers/clk/qcom/lpasscorecc-sc7280.c
+@@ -190,6 +190,19 @@ static struct clk_rcg2 lpass_core_cc_ext_if1_clk_src = {
+ },
+ };
+
++static struct clk_rcg2 lpass_core_cc_ext_mclk0_clk_src = {
++ .cmd_rcgr = 0x20000,
++ .mnd_width = 8,
++ .hid_width = 5,
++ .parent_map = lpass_core_cc_parent_map_0,
++ .freq_tbl = ftbl_lpass_core_cc_ext_if0_clk_src,
++ .clkr.hw.init = &(const struct clk_init_data){
++ .name = "lpass_core_cc_ext_mclk0_clk_src",
++ .parent_data = lpass_core_cc_parent_data_0,
++ .num_parents = ARRAY_SIZE(lpass_core_cc_parent_data_0),
++ .ops = &clk_rcg2_ops,
++ },
++};
+
+ static struct clk_branch lpass_core_cc_core_clk = {
+ .halt_reg = 0x1f000,
+@@ -283,6 +296,24 @@ static struct clk_branch lpass_core_cc_lpm_mem0_core_clk = {
+ },
+ };
+
++static struct clk_branch lpass_core_cc_ext_mclk0_clk = {
++ .halt_reg = 0x20014,
++ .halt_check = BRANCH_HALT,
++ .clkr = {
++ .enable_reg = 0x20014,
++ .enable_mask = BIT(0),
++ .hw.init = &(const struct clk_init_data){
++ .name = "lpass_core_cc_ext_mclk0_clk",
++ .parent_hws = (const struct clk_hw*[]){
++ &lpass_core_cc_ext_mclk0_clk_src.clkr.hw,
++ },
++ .num_parents = 1,
++ .flags = CLK_SET_RATE_PARENT,
++ .ops = &clk_branch2_ops,
++ },
++ },
++};
++
+ static struct clk_branch lpass_core_cc_sysnoc_mport_core_clk = {
+ .halt_reg = 0x23000,
+ .halt_check = BRANCH_HALT_VOTED,
+@@ -326,6 +357,8 @@ static struct clk_regmap *lpass_core_cc_sc7280_clocks[] = {
+ [LPASS_CORE_CC_LPM_CORE_CLK] = &lpass_core_cc_lpm_core_clk.clkr,
+ [LPASS_CORE_CC_LPM_MEM0_CORE_CLK] = &lpass_core_cc_lpm_mem0_core_clk.clkr,
+ [LPASS_CORE_CC_SYSNOC_MPORT_CORE_CLK] = &lpass_core_cc_sysnoc_mport_core_clk.clkr,
++ [LPASS_CORE_CC_EXT_MCLK0_CLK] = &lpass_core_cc_ext_mclk0_clk.clkr,
++ [LPASS_CORE_CC_EXT_MCLK0_CLK_SRC] = &lpass_core_cc_ext_mclk0_clk_src.clkr,
+ };
+
+ static struct regmap_config lpass_core_cc_sc7280_regmap_config = {
+--
+2.35.1
+
--- /dev/null
+From bbd3bcb4683566d5710bd8dfb1d906a04b39c3e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 09:47:23 +0530
+Subject: clk: qcom: lpass: Handle the regmap overlap of lpasscc and lpass_aon
+
+From: Taniya Das <quic_tdas@quicinc.com>
+
+[ Upstream commit 0cbcfbe50cbff331c775982a53bc4fa66c875b36 ]
+
+Move registration of lpass_q6ss_ahbm_clk and lpass_q6ss_ahbs_clk to
+lpass_aon_cc_sc7280_probe and register them only if "qcom,adsp-pil-mode"
+is enabled in the lpass_aon DT node.
+
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Signed-off-by: Satya Priya <quic_c_skakit@quicinc.com>
+Reviewed-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/1662005846-4838-3-git-send-email-quic_c_skakit@quicinc.com
+Stable-dep-of: d470be3c4f30 ("clk: qcom: lpass-sc7280: Fix pm_runtime usage")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/lpassaudiocc-sc7280.c | 44 ++++++++++++++++++++++++++
+ drivers/clk/qcom/lpasscc-sc7280.c | 44 --------------------------
+ 2 files changed, 44 insertions(+), 44 deletions(-)
+
+diff --git a/drivers/clk/qcom/lpassaudiocc-sc7280.c b/drivers/clk/qcom/lpassaudiocc-sc7280.c
+index 6ab6e5a34c72..606732879fea 100644
+--- a/drivers/clk/qcom/lpassaudiocc-sc7280.c
++++ b/drivers/clk/qcom/lpassaudiocc-sc7280.c
+@@ -12,6 +12,7 @@
+ #include <linux/pm_runtime.h>
+ #include <linux/regmap.h>
+
++#include <dt-bindings/clock/qcom,lpass-sc7280.h>
+ #include <dt-bindings/clock/qcom,lpassaudiocc-sc7280.h>
+
+ #include "clk-alpha-pll.h"
+@@ -38,6 +39,32 @@ static const struct pll_vco zonda_vco[] = {
+ { 595200000UL, 3600000000UL, 0 },
+ };
+
++static struct clk_branch lpass_q6ss_ahbm_clk = {
++ .halt_reg = 0x901c,
++ .halt_check = BRANCH_HALT,
++ .clkr = {
++ .enable_reg = 0x901c,
++ .enable_mask = BIT(0),
++ .hw.init = &(struct clk_init_data){
++ .name = "lpass_q6ss_ahbm_clk",
++ .ops = &clk_branch2_ops,
++ },
++ },
++};
++
++static struct clk_branch lpass_q6ss_ahbs_clk = {
++ .halt_reg = 0x9020,
++ .halt_check = BRANCH_HALT_VOTED,
++ .clkr = {
++ .enable_reg = 0x9020,
++ .enable_mask = BIT(0),
++ .hw.init = &(struct clk_init_data){
++ .name = "lpass_q6ss_ahbs_clk",
++ .ops = &clk_branch2_ops,
++ },
++ },
++};
++
+ /* 1128.96MHz configuration */
+ static const struct alpha_pll_config lpass_audio_cc_pll_config = {
+ .l = 0x3a,
+@@ -614,6 +641,11 @@ static struct gdsc lpass_aon_cc_lpass_audio_hm_gdsc = {
+ .flags = RETAIN_FF_ENABLE,
+ };
+
++static struct clk_regmap *lpass_cc_sc7280_clocks[] = {
++ [LPASS_Q6SS_AHBM_CLK] = &lpass_q6ss_ahbm_clk.clkr,
++ [LPASS_Q6SS_AHBS_CLK] = &lpass_q6ss_ahbs_clk.clkr,
++};
++
+ static struct clk_regmap *lpass_aon_cc_sc7280_clocks[] = {
+ [LPASS_AON_CC_AUDIO_HM_H_CLK] = &lpass_aon_cc_audio_hm_h_clk.clkr,
+ [LPASS_AON_CC_VA_MEM0_CLK] = &lpass_aon_cc_va_mem0_clk.clkr,
+@@ -659,6 +691,12 @@ static struct regmap_config lpass_audio_cc_sc7280_regmap_config = {
+ .fast_io = true,
+ };
+
++static const struct qcom_cc_desc lpass_cc_sc7280_desc = {
++ .config = &lpass_audio_cc_sc7280_regmap_config,
++ .clks = lpass_cc_sc7280_clocks,
++ .num_clks = ARRAY_SIZE(lpass_cc_sc7280_clocks),
++};
++
+ static const struct qcom_cc_desc lpass_audio_cc_sc7280_desc = {
+ .config = &lpass_audio_cc_sc7280_regmap_config,
+ .clks = lpass_audio_cc_sc7280_clocks,
+@@ -785,6 +823,12 @@ static int lpass_aon_cc_sc7280_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
++ if (of_property_read_bool(pdev->dev.of_node, "qcom,adsp-pil-mode")) {
++ lpass_audio_cc_sc7280_regmap_config.name = "cc";
++ desc = &lpass_cc_sc7280_desc;
++ return qcom_cc_probe(pdev, desc);
++ }
++
+ lpass_audio_cc_sc7280_regmap_config.name = "lpasscc_aon";
+ lpass_audio_cc_sc7280_regmap_config.max_register = 0xa0008;
+ desc = &lpass_aon_cc_sc7280_desc;
+diff --git a/drivers/clk/qcom/lpasscc-sc7280.c b/drivers/clk/qcom/lpasscc-sc7280.c
+index b39ee1c9647b..5c1e17bd0d76 100644
+--- a/drivers/clk/qcom/lpasscc-sc7280.c
++++ b/drivers/clk/qcom/lpasscc-sc7280.c
+@@ -17,32 +17,6 @@
+ #include "clk-branch.h"
+ #include "common.h"
+
+-static struct clk_branch lpass_q6ss_ahbm_clk = {
+- .halt_reg = 0x1c,
+- .halt_check = BRANCH_HALT,
+- .clkr = {
+- .enable_reg = 0x1c,
+- .enable_mask = BIT(0),
+- .hw.init = &(struct clk_init_data){
+- .name = "lpass_q6ss_ahbm_clk",
+- .ops = &clk_branch2_ops,
+- },
+- },
+-};
+-
+-static struct clk_branch lpass_q6ss_ahbs_clk = {
+- .halt_reg = 0x20,
+- .halt_check = BRANCH_HALT_VOTED,
+- .clkr = {
+- .enable_reg = 0x20,
+- .enable_mask = BIT(0),
+- .hw.init = &(struct clk_init_data){
+- .name = "lpass_q6ss_ahbs_clk",
+- .ops = &clk_branch2_ops,
+- },
+- },
+-};
+-
+ static struct clk_branch lpass_top_cc_lpi_q6_axim_hs_clk = {
+ .halt_reg = 0x0,
+ .halt_check = BRANCH_HALT,
+@@ -105,17 +79,6 @@ static struct regmap_config lpass_regmap_config = {
+ .fast_io = true,
+ };
+
+-static struct clk_regmap *lpass_cc_sc7280_clocks[] = {
+- [LPASS_Q6SS_AHBM_CLK] = &lpass_q6ss_ahbm_clk.clkr,
+- [LPASS_Q6SS_AHBS_CLK] = &lpass_q6ss_ahbs_clk.clkr,
+-};
+-
+-static const struct qcom_cc_desc lpass_cc_sc7280_desc = {
+- .config = &lpass_regmap_config,
+- .clks = lpass_cc_sc7280_clocks,
+- .num_clks = ARRAY_SIZE(lpass_cc_sc7280_clocks),
+-};
+-
+ static struct clk_regmap *lpass_cc_top_sc7280_clocks[] = {
+ [LPASS_TOP_CC_LPI_Q6_AXIM_HS_CLK] =
+ &lpass_top_cc_lpi_q6_axim_hs_clk.clkr,
+@@ -169,13 +132,6 @@ static int lpass_cc_sc7280_probe(struct platform_device *pdev)
+ if (ret)
+ goto destroy_pm_clk;
+
+- lpass_regmap_config.name = "cc";
+- desc = &lpass_cc_sc7280_desc;
+-
+- ret = qcom_cc_probe_by_index(pdev, 2, desc);
+- if (ret)
+- goto destroy_pm_clk;
+-
+ return 0;
+
+ destroy_pm_clk:
+--
+2.35.1
+
--- /dev/null
+From a1529af3d1a8a295523a0cca02a32cf30fd57c4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 06:56:29 -0700
+Subject: clk: qcom: lpass-sc7180: Fix pm_runtime usage
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit ff1ccf59eaffd192efe21f7de9fb0c130faf1b1b ]
+
+The sc7180 lpass clock controller's pm_runtime usage wasn't broken
+quite as spectacularly as the sc7280's pm_runtime usage, but it was
+still broken. Putting some printouts in at boot showed me this (with
+serial console enabled, which makes the prints slow and thus changes
+timing):
+ [ 3.109951] DOUG: my_pm_clk_resume, usage=1
+ [ 3.114767] DOUG: my_pm_clk_resume, usage=1
+ [ 3.664443] DOUG: my_pm_clk_suspend, usage=0
+ [ 3.897566] DOUG: my_pm_clk_suspend, usage=0
+ [ 3.910137] DOUG: my_pm_clk_resume, usage=1
+ [ 3.923217] DOUG: my_pm_clk_resume, usage=0
+ [ 4.440116] DOUG: my_pm_clk_suspend, usage=-1
+ [ 4.444982] DOUG: my_pm_clk_suspend, usage=0
+ [ 14.170501] DOUG: my_pm_clk_resume, usage=1
+ [ 14.176245] DOUG: my_pm_clk_resume, usage=0
+
+...or this w/out serial console:
+ [ 0.556139] DOUG: my_pm_clk_resume, usage=1
+ [ 0.556279] DOUG: my_pm_clk_resume, usage=1
+ [ 1.058422] DOUG: my_pm_clk_suspend, usage=-1
+ [ 1.058464] DOUG: my_pm_clk_suspend, usage=0
+ [ 1.186250] DOUG: my_pm_clk_resume, usage=1
+ [ 1.186292] DOUG: my_pm_clk_resume, usage=0
+ [ 1.731536] DOUG: my_pm_clk_suspend, usage=-1
+ [ 1.731557] DOUG: my_pm_clk_suspend, usage=0
+ [ 10.288910] DOUG: my_pm_clk_resume, usage=1
+ [ 10.289496] DOUG: my_pm_clk_resume, usage=0
+
+It seems to be doing roughly the right sequence of calls, but just
+like with sc7280 this is more by luck than anything. Having a usage of
+-1 is just not OK.
+
+Let's fix this like we did with sc7280.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Fixes: ce8c195e652f ("clk: qcom: lpasscc: Introduce pm autosuspend for SC7180")
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221104064055.2.I49b25b9bda9430fc7ea21e5a708ca5a0aced2798@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/lpasscorecc-sc7180.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/clk/qcom/lpasscorecc-sc7180.c b/drivers/clk/qcom/lpasscorecc-sc7180.c
+index ac09b7b840ab..a5731994cbed 100644
+--- a/drivers/clk/qcom/lpasscorecc-sc7180.c
++++ b/drivers/clk/qcom/lpasscorecc-sc7180.c
+@@ -356,7 +356,7 @@ static const struct qcom_cc_desc lpass_audio_hm_sc7180_desc = {
+ .num_gdscs = ARRAY_SIZE(lpass_audio_hm_sc7180_gdscs),
+ };
+
+-static int lpass_create_pm_clks(struct platform_device *pdev)
++static int lpass_setup_runtime_pm(struct platform_device *pdev)
+ {
+ int ret;
+
+@@ -375,7 +375,7 @@ static int lpass_create_pm_clks(struct platform_device *pdev)
+ if (ret < 0)
+ dev_err(&pdev->dev, "failed to acquire iface clock\n");
+
+- return ret;
++ return pm_runtime_resume_and_get(&pdev->dev);
+ }
+
+ static int lpass_core_cc_sc7180_probe(struct platform_device *pdev)
+@@ -384,7 +384,7 @@ static int lpass_core_cc_sc7180_probe(struct platform_device *pdev)
+ struct regmap *regmap;
+ int ret;
+
+- ret = lpass_create_pm_clks(pdev);
++ ret = lpass_setup_runtime_pm(pdev);
+ if (ret)
+ return ret;
+
+@@ -392,12 +392,14 @@ static int lpass_core_cc_sc7180_probe(struct platform_device *pdev)
+ desc = &lpass_audio_hm_sc7180_desc;
+ ret = qcom_cc_probe_by_index(pdev, 1, desc);
+ if (ret)
+- return ret;
++ goto exit;
+
+ lpass_core_cc_sc7180_regmap_config.name = "lpass_core_cc";
+ regmap = qcom_cc_map(pdev, &lpass_core_cc_sc7180_desc);
+- if (IS_ERR(regmap))
+- return PTR_ERR(regmap);
++ if (IS_ERR(regmap)) {
++ ret = PTR_ERR(regmap);
++ goto exit;
++ }
+
+ /*
+ * Keep the CLK always-ON
+@@ -415,6 +417,7 @@ static int lpass_core_cc_sc7180_probe(struct platform_device *pdev)
+ ret = qcom_cc_really_probe(pdev, &lpass_core_cc_sc7180_desc, regmap);
+
+ pm_runtime_mark_last_busy(&pdev->dev);
++exit:
+ pm_runtime_put_autosuspend(&pdev->dev);
+
+ return ret;
+@@ -425,14 +428,19 @@ static int lpass_hm_core_probe(struct platform_device *pdev)
+ const struct qcom_cc_desc *desc;
+ int ret;
+
+- ret = lpass_create_pm_clks(pdev);
++ ret = lpass_setup_runtime_pm(pdev);
+ if (ret)
+ return ret;
+
+ lpass_core_cc_sc7180_regmap_config.name = "lpass_hm_core";
+ desc = &lpass_core_hm_sc7180_desc;
+
+- return qcom_cc_probe_by_index(pdev, 0, desc);
++ ret = qcom_cc_probe_by_index(pdev, 0, desc);
++
++ pm_runtime_mark_last_busy(&pdev->dev);
++ pm_runtime_put_autosuspend(&pdev->dev);
++
++ return ret;
+ }
+
+ static const struct of_device_id lpass_hm_sc7180_match_table[] = {
+--
+2.35.1
+
--- /dev/null
+From ebb552c5ca64a47349e34f0ec2f7687a1d9aeb82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 06:56:28 -0700
+Subject: clk: qcom: lpass-sc7280: Fix pm_runtime usage
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit d470be3c4f30b4666e43eef6bab80f543563cdb0 ]
+
+The pm_runtime usage in lpass-sc7280 was broken in quite a few
+ways. Specifically:
+
+1. At the end of probe it called "put" twice. This is a no-no and will
+ end us up with a negative usage count. Even worse than calling
+ "put" twice, it never called "get" once. Thus after bootup it could
+ be seen that the runtime usage of the devices managed by this
+ driver was -2.
+2. In some error cases it manually called pm_runtime_disable() even
+ though it had previously used devm_add_action_or_reset() to set
+ this up to be called automatically. This meant that in these error
+ cases we'd double-call pm_runtime_disable().
+3. It forgot to call undo pm_runtime_use_autosuspend(), which can
+ sometimes have subtle problems (and the docs specifically mention
+ that you need to undo this function).
+
+Overall the above seriously calls into question how this driver is
+working. It seems like a combination of "it doesn't", "by luck", and
+"because of the weirdness of runtime_pm". Specifically I put a
+printout to the serial console every time the runtime suspend/resume
+was called for the two devices created by this driver (I wrapped the
+pm_clk calls). When I had serial console enabled, I found that the
+calls got resumed at bootup (when the clk core probed and before our
+double-put) and then never touched again. That's no good.
+ [ 0.829997] DOUG: my_pm_clk_resume, usage=1
+ [ 0.835487] DOUG: my_pm_clk_resume, usage=1
+
+When I disabled serial console (speeding up boot), I got a different
+pattern, which I guess (?) is better:
+ [ 0.089767] DOUG: my_pm_clk_resume, usage=1
+ [ 0.090507] DOUG: my_pm_clk_resume, usage=1
+ [ 0.151885] DOUG: my_pm_clk_suspend, usage=-2
+ [ 0.151914] DOUG: my_pm_clk_suspend, usage=-2
+ [ 1.825747] DOUG: my_pm_clk_resume, usage=-1
+ [ 1.825774] DOUG: my_pm_clk_resume, usage=-1
+ [ 1.888269] DOUG: my_pm_clk_suspend, usage=-2
+ [ 1.888282] DOUG: my_pm_clk_suspend, usage=-2
+
+These different patterns have to do with the fact that the core PM
+Runtime code really isn't designed to be robust to negative usage
+counts and sometimes may happen to stumble upon a behavior that
+happens to "work". For instance, you can see that
+__pm_runtime_suspend() will treat any non-zero value (including
+negative numbers) as if the device is in use.
+
+In any case, let's fix the driver to be correct. We'll hold a
+pm_runtime reference for the whole probe and then drop it (once!) at
+the end. We'll get rid of manual pm_runtime_disable() calls in the
+error handling. We'll also switch to devm_pm_runtime_enable(), which
+magically handles undoing pm_runtime_use_autosuspend() as of commit
+b4060db9251f ("PM: runtime: Have devm_pm_runtime_enable() handle
+pm_runtime_dont_use_autosuspend()").
+
+While we're at this, let's also use devm_pm_clk_create() instead of
+rolling it ourselves.
+
+Note that the above changes make it obvious that
+lpassaudio_create_pm_clks() was doing more than just creating
+clocks. It was also setting up pm_runtime parameters. Let's rename it.
+
+All of these problems were found by code inspection. I started looking
+at this driver because it was involved in a deadlock that I reported a
+while ago [1]. Though I bisected the deadlock to commit 1b771839de05
+("clk: qcom: gdsc: enable optional power domain support"), it was
+never really clear why that patch affected it other than a luck of
+timing changes. I'll also note that by fixing the timing (as done in
+this change) we also seem to aboid the deadlock, which is a nice
+benefit.
+
+Also note that some of the fixes here are much the same type of stuff
+that Dmitry did in commit 72cfc73f4663 ("clk: qcom: use
+devm_pm_runtime_enable and devm_pm_clk_create"), but I guess
+lpassaudiocc-sc7280.c didn't exist then.
+
+[1] https://lore.kernel.org/r/20220922154354.2486595-1-dianders@chromium.org
+
+Fixes: a9dd26639d05 ("clk: qcom: lpass: Add support for LPASS clock controller for SC7280")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221104064055.1.I00a0e4564a25489e85328ec41636497775627564@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/lpassaudiocc-sc7280.c | 55 ++++++++++----------------
+ 1 file changed, 21 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/clk/qcom/lpassaudiocc-sc7280.c b/drivers/clk/qcom/lpassaudiocc-sc7280.c
+index 5d4bc563073c..b2646b7e13c9 100644
+--- a/drivers/clk/qcom/lpassaudiocc-sc7280.c
++++ b/drivers/clk/qcom/lpassaudiocc-sc7280.c
+@@ -722,33 +722,17 @@ static const struct of_device_id lpass_audio_cc_sc7280_match_table[] = {
+ };
+ MODULE_DEVICE_TABLE(of, lpass_audio_cc_sc7280_match_table);
+
+-static void lpassaudio_pm_runtime_disable(void *data)
+-{
+- pm_runtime_disable(data);
+-}
+-
+-static void lpassaudio_pm_clk_destroy(void *data)
+-{
+- pm_clk_destroy(data);
+-}
+-
+-static int lpassaudio_create_pm_clks(struct platform_device *pdev)
++static int lpass_audio_setup_runtime_pm(struct platform_device *pdev)
+ {
+ int ret;
+
+ pm_runtime_use_autosuspend(&pdev->dev);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, 50);
+- pm_runtime_enable(&pdev->dev);
+-
+- ret = devm_add_action_or_reset(&pdev->dev, lpassaudio_pm_runtime_disable, &pdev->dev);
+- if (ret)
+- return ret;
+-
+- ret = pm_clk_create(&pdev->dev);
++ ret = devm_pm_runtime_enable(&pdev->dev);
+ if (ret)
+ return ret;
+
+- ret = devm_add_action_or_reset(&pdev->dev, lpassaudio_pm_clk_destroy, &pdev->dev);
++ ret = devm_pm_clk_create(&pdev->dev);
+ if (ret)
+ return ret;
+
+@@ -756,7 +740,7 @@ static int lpassaudio_create_pm_clks(struct platform_device *pdev)
+ if (ret < 0)
+ dev_err(&pdev->dev, "failed to acquire iface clock\n");
+
+- return ret;
++ return pm_runtime_resume_and_get(&pdev->dev);
+ }
+
+ static int lpass_audio_cc_sc7280_probe(struct platform_device *pdev)
+@@ -765,7 +749,7 @@ static int lpass_audio_cc_sc7280_probe(struct platform_device *pdev)
+ struct regmap *regmap;
+ int ret;
+
+- ret = lpassaudio_create_pm_clks(pdev);
++ ret = lpass_audio_setup_runtime_pm(pdev);
+ if (ret)
+ return ret;
+
+@@ -775,8 +759,8 @@ static int lpass_audio_cc_sc7280_probe(struct platform_device *pdev)
+
+ regmap = qcom_cc_map(pdev, desc);
+ if (IS_ERR(regmap)) {
+- pm_runtime_disable(&pdev->dev);
+- return PTR_ERR(regmap);
++ ret = PTR_ERR(regmap);
++ goto exit;
+ }
+
+ clk_zonda_pll_configure(&lpass_audio_cc_pll, regmap, &lpass_audio_cc_pll_config);
+@@ -788,20 +772,18 @@ static int lpass_audio_cc_sc7280_probe(struct platform_device *pdev)
+ ret = qcom_cc_probe_by_index(pdev, 0, &lpass_audio_cc_sc7280_desc);
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to register LPASS AUDIO CC clocks\n");
+- pm_runtime_disable(&pdev->dev);
+- return ret;
++ goto exit;
+ }
+
+ ret = qcom_cc_probe_by_index(pdev, 1, &lpass_audio_cc_reset_sc7280_desc);
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to register LPASS AUDIO CC Resets\n");
+- pm_runtime_disable(&pdev->dev);
+- return ret;
++ goto exit;
+ }
+
+ pm_runtime_mark_last_busy(&pdev->dev);
++exit:
+ pm_runtime_put_autosuspend(&pdev->dev);
+- pm_runtime_put_sync(&pdev->dev);
+
+ return ret;
+ }
+@@ -839,14 +821,15 @@ static int lpass_aon_cc_sc7280_probe(struct platform_device *pdev)
+ struct regmap *regmap;
+ int ret;
+
+- ret = lpassaudio_create_pm_clks(pdev);
++ ret = lpass_audio_setup_runtime_pm(pdev);
+ if (ret)
+ return ret;
+
+ if (of_property_read_bool(pdev->dev.of_node, "qcom,adsp-pil-mode")) {
+ lpass_audio_cc_sc7280_regmap_config.name = "cc";
+ desc = &lpass_cc_sc7280_desc;
+- return qcom_cc_probe(pdev, desc);
++ ret = qcom_cc_probe(pdev, desc);
++ goto exit;
+ }
+
+ lpass_audio_cc_sc7280_regmap_config.name = "lpasscc_aon";
+@@ -854,18 +837,22 @@ static int lpass_aon_cc_sc7280_probe(struct platform_device *pdev)
+ desc = &lpass_aon_cc_sc7280_desc;
+
+ regmap = qcom_cc_map(pdev, desc);
+- if (IS_ERR(regmap))
+- return PTR_ERR(regmap);
++ if (IS_ERR(regmap)) {
++ ret = PTR_ERR(regmap);
++ goto exit;
++ }
+
+ clk_lucid_pll_configure(&lpass_aon_cc_pll, regmap, &lpass_aon_cc_pll_config);
+
+ ret = qcom_cc_really_probe(pdev, &lpass_aon_cc_sc7280_desc, regmap);
+- if (ret)
++ if (ret) {
+ dev_err(&pdev->dev, "Failed to register LPASS AON CC clocks\n");
++ goto exit;
++ }
+
+ pm_runtime_mark_last_busy(&pdev->dev);
++exit:
+ pm_runtime_put_autosuspend(&pdev->dev);
+- pm_runtime_put_sync(&pdev->dev);
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 88ee093ca204f1fcb2d3732be01254b2fc1fa3e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 20:48:30 +0200
+Subject: clk: renesas: r8a779a0: Fix SD0H clock name
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit db7076d5a7f0ca7dcf08f5095c74f86d4d0085ff ]
+
+Correct the misspelled textual name of the SD0H clock.
+
+Fixes: 470e3f0d0b15 ("clk: renesas: rcar-gen4: Introduce R-Car Gen4 CPG driver")
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20221012184830.3199-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/r8a779a0-cpg-mssr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/renesas/r8a779a0-cpg-mssr.c b/drivers/clk/renesas/r8a779a0-cpg-mssr.c
+index d74d46833012..e02542ca24a0 100644
+--- a/drivers/clk/renesas/r8a779a0-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a779a0-cpg-mssr.c
+@@ -116,7 +116,7 @@ static const struct cpg_core_clk r8a779a0_core_clks[] __initconst = {
+ DEF_FIXED("cp", R8A779A0_CLK_CP, CLK_EXTAL, 2, 1),
+ DEF_FIXED("cl16mck", R8A779A0_CLK_CL16MCK, CLK_PLL1_DIV2, 64, 1),
+
+- DEF_GEN4_SDH("sdh0", R8A779A0_CLK_SD0H, CLK_SDSRC, 0x870),
++ DEF_GEN4_SDH("sd0h", R8A779A0_CLK_SD0H, CLK_SDSRC, 0x870),
+ DEF_GEN4_SD("sd0", R8A779A0_CLK_SD0, R8A779A0_CLK_SD0H, 0x870),
+
+ DEF_BASE("rpc", R8A779A0_CLK_RPC, CLK_TYPE_GEN4_RPC, CLK_RPCSRC),
+--
+2.35.1
+
--- /dev/null
+From 0625573b20ff0d945a5f1a1e9588aaaf72a9ad37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 15:34:37 +0100
+Subject: clk: renesas: r8a779f0: Fix HSCIF parent clocks
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit c258e3ab639112d8f5ae9df9a873750ae2623ce2 ]
+
+As serial communication requires a clean clock signal, the High Speed
+Serial Communication Interfaces with FIFO (HSCIF) are clocked by a clock
+that is not affected by Spread Spectrum or Fractional Multiplication.
+
+Hence change the parent clocks for the HSCIF modules from the S0D3_PER
+clock to the SASYNCPERD1 clock (which has the same clock rate), cfr.
+R-Car S4-8 Hardware User's Manual rev. 0.81.
+
+Fixes: 080bcd8d5997 ("clk: renesas: r8a779f0: Add HSCIF clocks")
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20221103143440.46449-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/r8a779f0-cpg-mssr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/renesas/r8a779f0-cpg-mssr.c b/drivers/clk/renesas/r8a779f0-cpg-mssr.c
+index cd80b6084ece..90cac3f8b2ed 100644
+--- a/drivers/clk/renesas/r8a779f0-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a779f0-cpg-mssr.c
+@@ -120,10 +120,10 @@ static const struct cpg_core_clk r8a779f0_core_clks[] __initconst = {
+ };
+
+ static const struct mssr_mod_clk r8a779f0_mod_clks[] __initconst = {
+- DEF_MOD("hscif0", 514, R8A779F0_CLK_S0D3),
+- DEF_MOD("hscif1", 515, R8A779F0_CLK_S0D3),
+- DEF_MOD("hscif2", 516, R8A779F0_CLK_S0D3),
+- DEF_MOD("hscif3", 517, R8A779F0_CLK_S0D3),
++ DEF_MOD("hscif0", 514, R8A779F0_CLK_SASYNCPERD1),
++ DEF_MOD("hscif1", 515, R8A779F0_CLK_SASYNCPERD1),
++ DEF_MOD("hscif2", 516, R8A779F0_CLK_SASYNCPERD1),
++ DEF_MOD("hscif3", 517, R8A779F0_CLK_SASYNCPERD1),
+ DEF_MOD("i2c0", 518, R8A779F0_CLK_S0D6_PER),
+ DEF_MOD("i2c1", 519, R8A779F0_CLK_S0D6_PER),
+ DEF_MOD("i2c2", 520, R8A779F0_CLK_S0D6_PER),
+--
+2.35.1
+
--- /dev/null
+From 372d5277cd445da9aede3ec06531a80b51880067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 15:34:38 +0100
+Subject: clk: renesas: r8a779f0: Fix SCIF parent clocks
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 2e0d7d3eabce3babae1fd66d7650e00c848a3b45 ]
+
+As serial communication requires a clean clock signal, the Serial
+Communication Interfaces with FIFO (SCIF) are clocked by a clock that is
+not affected by Spread Spectrum or Fractional Multiplication.
+
+Hence change the parent clocks for the SCIF modules from the S0D12_PER
+clock to the SASYNCPERD4 clock (which has the same clock rate), cfr.
+R-Car S4-8 Hardware User's Manual rev. 0.81.
+
+Fixes: 24aaff6a6ce4 ("clk: renesas: cpg-mssr: Add support for R-Car S4-8")
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20221103143440.46449-3-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/r8a779f0-cpg-mssr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/renesas/r8a779f0-cpg-mssr.c b/drivers/clk/renesas/r8a779f0-cpg-mssr.c
+index 90cac3f8b2ed..b7936f422c27 100644
+--- a/drivers/clk/renesas/r8a779f0-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a779f0-cpg-mssr.c
+@@ -132,10 +132,10 @@ static const struct mssr_mod_clk r8a779f0_mod_clks[] __initconst = {
+ DEF_MOD("i2c5", 523, R8A779F0_CLK_S0D6_PER),
+ DEF_MOD("pcie0", 624, R8A779F0_CLK_S0D2),
+ DEF_MOD("pcie1", 625, R8A779F0_CLK_S0D2),
+- DEF_MOD("scif0", 702, R8A779F0_CLK_S0D12_PER),
+- DEF_MOD("scif1", 703, R8A779F0_CLK_S0D12_PER),
+- DEF_MOD("scif3", 704, R8A779F0_CLK_S0D12_PER),
+- DEF_MOD("scif4", 705, R8A779F0_CLK_S0D12_PER),
++ DEF_MOD("scif0", 702, R8A779F0_CLK_SASYNCPERD4),
++ DEF_MOD("scif1", 703, R8A779F0_CLK_SASYNCPERD4),
++ DEF_MOD("scif3", 704, R8A779F0_CLK_SASYNCPERD4),
++ DEF_MOD("scif4", 705, R8A779F0_CLK_SASYNCPERD4),
+ DEF_MOD("sdhi0", 706, R8A779F0_CLK_SD0),
+ DEF_MOD("sys-dmac0", 709, R8A779F0_CLK_S0D3_PER),
+ DEF_MOD("sys-dmac1", 710, R8A779F0_CLK_S0D3_PER),
+--
+2.35.1
+
--- /dev/null
+From 1cc19f3122568aae190ab9bed862dea5708d6f40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 13:38:34 +0200
+Subject: clk: renesas: r9a06g032: Repair grave increment error
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 02693e11611e082e3c4d8653e8af028e43d31164 ]
+
+If condition (clkspec.np != pd->dev.of_node) is true, then the driver
+ends up in an endless loop, forever, locking up the machine.
+
+Fixes: aad03a66f902 ("clk: renesas: r9a06g032: Add clock domain support")
+Reviewed-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Gareth Williams <gareth.williams.jx@renesas.com>
+Link: https://lore.kernel.org/r/20221028113834.7496-1-marex@denx.de
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/r9a06g032-clocks.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/clk/renesas/r9a06g032-clocks.c b/drivers/clk/renesas/r9a06g032-clocks.c
+index 1488c9d6e639..983faa5707b9 100644
+--- a/drivers/clk/renesas/r9a06g032-clocks.c
++++ b/drivers/clk/renesas/r9a06g032-clocks.c
+@@ -412,7 +412,7 @@ static int r9a06g032_attach_dev(struct generic_pm_domain *pd,
+ int error;
+ int index;
+
+- while (!of_parse_phandle_with_args(np, "clocks", "#clock-cells", i,
++ while (!of_parse_phandle_with_args(np, "clocks", "#clock-cells", i++,
+ &clkspec)) {
+ if (clkspec.np != pd->dev.of_node)
+ continue;
+@@ -425,7 +425,6 @@ static int r9a06g032_attach_dev(struct generic_pm_domain *pd,
+ if (error)
+ return error;
+ }
+- i++;
+ }
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 8485c0d5f570fa34c62e348a371bf75a67c3fa18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 17:12:01 +0800
+Subject: clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 739a6a6bbdb793bd57938cb24aa5a6df89983546 ]
+
+If clk_register() fails, @pll->rate_table may have allocated memory by
+kmemdup(), so it needs to be freed, otherwise will cause memory leak
+issue, this patch fixes it.
+
+Fixes: 90c590254051 ("clk: rockchip: add clock type for pll clocks and pll used on rk3066")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Link: https://lore.kernel.org/r/20221123091201.199819-1-xiujianfeng@huawei.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-pll.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/rockchip/clk-pll.c b/drivers/clk/rockchip/clk-pll.c
+index f7827b3b7fc1..6e5e502be44a 100644
+--- a/drivers/clk/rockchip/clk-pll.c
++++ b/drivers/clk/rockchip/clk-pll.c
+@@ -981,6 +981,7 @@ struct clk *rockchip_clk_register_pll(struct rockchip_clk_provider *ctx,
+ return mux_clk;
+
+ err_pll:
++ kfree(pll->rate_table);
+ clk_unregister(mux_clk);
+ mux_clk = pll_clk;
+ err_mux:
+--
+2.35.1
+
--- /dev/null
+From a9904627d2315d8a580226fb04ea489ddd880152 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 11:20:15 +0800
+Subject: clk: samsung: Fix memory leak in _samsung_clk_register_pll()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 5174e5b0d1b669a489524192b6adcbb3c54ebc72 ]
+
+If clk_register() fails, @pll->rate_table may have allocated memory by
+kmemdup(), so it needs to be freed, otherwise will cause memory leak
+issue, this patch fixes it.
+
+Fixes: 3ff6e0d8d64d ("clk: samsung: Add support to register rate_table for samsung plls")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Link: https://lore.kernel.org/r/20221123032015.63980-1-xiujianfeng@huawei.com
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/samsung/clk-pll.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/samsung/clk-pll.c b/drivers/clk/samsung/clk-pll.c
+index fe383471c5f0..0ff28938943f 100644
+--- a/drivers/clk/samsung/clk-pll.c
++++ b/drivers/clk/samsung/clk-pll.c
+@@ -1583,6 +1583,7 @@ static void __init _samsung_clk_register_pll(struct samsung_clk_provider *ctx,
+ if (ret) {
+ pr_err("%s: failed to register pll clock %s : %d\n",
+ __func__, pll_clk->name, ret);
++ kfree(pll->rate_table);
+ kfree(pll);
+ return;
+ }
+--
+2.35.1
+
--- /dev/null
+From fb3d697c9e601fdd08a45045c8e31352044d32f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 11:16:22 +0800
+Subject: clk: socfpga: Fix memory leak in socfpga_gate_init()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 0b8ba891ad4d1ef6bfa4c72efc83f9f9f855f68b ]
+
+Free @socfpga_clk and @ops on the error path to avoid memory leak issue.
+
+Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Link: https://lore.kernel.org/r/20221123031622.63171-1-xiujianfeng@huawei.com
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/socfpga/clk-gate.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
+index 53d6e3ec4309..c94b59b80dd4 100644
+--- a/drivers/clk/socfpga/clk-gate.c
++++ b/drivers/clk/socfpga/clk-gate.c
+@@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
+ return;
+
+ ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
+- if (WARN_ON(!ops))
++ if (WARN_ON(!ops)) {
++ kfree(socfpga_clk);
+ return;
++ }
+
+ rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2);
+ if (rc)
+@@ -243,6 +245,7 @@ void __init socfpga_gate_init(struct device_node *node)
+
+ err = clk_hw_register(NULL, hw_clk);
+ if (err) {
++ kfree(ops);
+ kfree(socfpga_clk);
+ return;
+ }
+--
+2.35.1
+
--- /dev/null
+From aa3be47d4318d8a7cac5bd46540623dfa1665825 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 21:36:14 +0800
+Subject: clk: st: Fix memory leak in st_of_quadfs_setup()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit cfd3ffb36f0d566846163118651d868e607300ba ]
+
+If st_clk_register_quadfs_pll() fails, @lock should be freed before goto
+@err_exit, otherwise will cause meory leak issue, fix it.
+
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Link: https://lore.kernel.org/r/20221122133614.184910-1-xiujianfeng@huawei.com
+Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/st/clkgen-fsyn.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c
+index d820292a381d..40df1db102a7 100644
+--- a/drivers/clk/st/clkgen-fsyn.c
++++ b/drivers/clk/st/clkgen-fsyn.c
+@@ -1020,9 +1020,10 @@ static void __init st_of_quadfs_setup(struct device_node *np,
+
+ clk = st_clk_register_quadfs_pll(pll_name, clk_parent_name, datac->data,
+ reg, lock);
+- if (IS_ERR(clk))
++ if (IS_ERR(clk)) {
++ kfree(lock);
+ goto err_exit;
+- else
++ } else
+ pr_debug("%s: parent %s rate %u\n",
+ __clk_get_name(clk),
+ __clk_get_name(clk_get_parent(clk)),
+--
+2.35.1
+
--- /dev/null
+From b82da2eabdb6814af6d8f881974edf0de36a43b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 23:23:53 +0800
+Subject: clk: visconti: Fix memory leak in visconti_register_pll()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit b55226f8553d255f5002c751c7c6ba9291f34bf2 ]
+
+@pll->rate_table has allocated memory by kmemdup(), if clk_hw_register()
+fails, it should be freed, otherwise it will cause memory leak issue,
+this patch fixes it.
+
+Fixes: b4cbe606dc36 ("clk: visconti: Add support common clock driver and reset driver")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Link: https://lore.kernel.org/r/20221122152353.204132-1-xiujianfeng@huawei.com
+Acked-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/visconti/pll.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/visconti/pll.c b/drivers/clk/visconti/pll.c
+index a484cb945d67..1f3234f22667 100644
+--- a/drivers/clk/visconti/pll.c
++++ b/drivers/clk/visconti/pll.c
+@@ -277,6 +277,7 @@ static struct clk_hw *visconti_register_pll(struct visconti_pll_provider *ctx,
+ ret = clk_hw_register(NULL, &pll->hw);
+ if (ret) {
+ pr_err("failed to register pll clock %s : %d\n", name, ret);
++ kfree(pll->rate_table);
+ kfree(pll);
+ pll_hw_clk = ERR_PTR(ret);
+ }
+--
+2.35.1
+
--- /dev/null
+From 70d7f2b61d6c2174ab09b9df021470e63047aa45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 22:06:09 +0100
+Subject: clocksource/drivers/sh_cmt: Access registers according to spec
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 3f44f7156f59cae06e9160eafb5d8b2dfd09e639 ]
+
+Documentation for most CMTs say that it takes two input clocks before
+changes propagate to the timer. This is especially relevant when the timer
+is stopped to change further settings.
+
+Implement the delays according to the spec. To avoid unnecessary delays in
+atomic mode, also check if the to-be-written value actually differs.
+
+CMCNT is a bit special because testing showed that it requires 3 cycles to
+propagate, which affects all CMTs. Also, the WRFLAG needs to be checked
+before writing. This fixes "cannot clear CMCNT" messages which occur often
+on R-Car Gen4 SoCs, but only very rarely on older SoCs for some reason.
+
+Fixes: 81b3b2711072 ("clocksource: sh_cmt: Add support for multiple channels per device")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20221130210609.7718-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/sh_cmt.c | 88 ++++++++++++++++++++++--------------
+ 1 file changed, 55 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c
+index 64dcb082d4cf..7b952aa52c0b 100644
+--- a/drivers/clocksource/sh_cmt.c
++++ b/drivers/clocksource/sh_cmt.c
+@@ -13,6 +13,7 @@
+ #include <linux/init.h>
+ #include <linux/interrupt.h>
+ #include <linux/io.h>
++#include <linux/iopoll.h>
+ #include <linux/ioport.h>
+ #include <linux/irq.h>
+ #include <linux/module.h>
+@@ -116,6 +117,7 @@ struct sh_cmt_device {
+ void __iomem *mapbase;
+ struct clk *clk;
+ unsigned long rate;
++ unsigned int reg_delay;
+
+ raw_spinlock_t lock; /* Protect the shared start/stop register */
+
+@@ -247,10 +249,17 @@ static inline u32 sh_cmt_read_cmstr(struct sh_cmt_channel *ch)
+
+ static inline void sh_cmt_write_cmstr(struct sh_cmt_channel *ch, u32 value)
+ {
+- if (ch->iostart)
+- ch->cmt->info->write_control(ch->iostart, 0, value);
+- else
+- ch->cmt->info->write_control(ch->cmt->mapbase, 0, value);
++ u32 old_value = sh_cmt_read_cmstr(ch);
++
++ if (value != old_value) {
++ if (ch->iostart) {
++ ch->cmt->info->write_control(ch->iostart, 0, value);
++ udelay(ch->cmt->reg_delay);
++ } else {
++ ch->cmt->info->write_control(ch->cmt->mapbase, 0, value);
++ udelay(ch->cmt->reg_delay);
++ }
++ }
+ }
+
+ static inline u32 sh_cmt_read_cmcsr(struct sh_cmt_channel *ch)
+@@ -260,7 +269,12 @@ static inline u32 sh_cmt_read_cmcsr(struct sh_cmt_channel *ch)
+
+ static inline void sh_cmt_write_cmcsr(struct sh_cmt_channel *ch, u32 value)
+ {
+- ch->cmt->info->write_control(ch->ioctrl, CMCSR, value);
++ u32 old_value = sh_cmt_read_cmcsr(ch);
++
++ if (value != old_value) {
++ ch->cmt->info->write_control(ch->ioctrl, CMCSR, value);
++ udelay(ch->cmt->reg_delay);
++ }
+ }
+
+ static inline u32 sh_cmt_read_cmcnt(struct sh_cmt_channel *ch)
+@@ -268,14 +282,33 @@ static inline u32 sh_cmt_read_cmcnt(struct sh_cmt_channel *ch)
+ return ch->cmt->info->read_count(ch->ioctrl, CMCNT);
+ }
+
+-static inline void sh_cmt_write_cmcnt(struct sh_cmt_channel *ch, u32 value)
++static inline int sh_cmt_write_cmcnt(struct sh_cmt_channel *ch, u32 value)
+ {
++ /* Tests showed that we need to wait 3 clocks here */
++ unsigned int cmcnt_delay = DIV_ROUND_UP(3 * ch->cmt->reg_delay, 2);
++ u32 reg;
++
++ if (ch->cmt->info->model > SH_CMT_16BIT) {
++ int ret = read_poll_timeout_atomic(sh_cmt_read_cmcsr, reg,
++ !(reg & SH_CMT32_CMCSR_WRFLG),
++ 1, cmcnt_delay, false, ch);
++ if (ret < 0)
++ return ret;
++ }
++
+ ch->cmt->info->write_count(ch->ioctrl, CMCNT, value);
++ udelay(cmcnt_delay);
++ return 0;
+ }
+
+ static inline void sh_cmt_write_cmcor(struct sh_cmt_channel *ch, u32 value)
+ {
+- ch->cmt->info->write_count(ch->ioctrl, CMCOR, value);
++ u32 old_value = ch->cmt->info->read_count(ch->ioctrl, CMCOR);
++
++ if (value != old_value) {
++ ch->cmt->info->write_count(ch->ioctrl, CMCOR, value);
++ udelay(ch->cmt->reg_delay);
++ }
+ }
+
+ static u32 sh_cmt_get_counter(struct sh_cmt_channel *ch, u32 *has_wrapped)
+@@ -319,7 +352,7 @@ static void sh_cmt_start_stop_ch(struct sh_cmt_channel *ch, int start)
+
+ static int sh_cmt_enable(struct sh_cmt_channel *ch)
+ {
+- int k, ret;
++ int ret;
+
+ dev_pm_syscore_device(&ch->cmt->pdev->dev, true);
+
+@@ -347,26 +380,9 @@ static int sh_cmt_enable(struct sh_cmt_channel *ch)
+ }
+
+ sh_cmt_write_cmcor(ch, 0xffffffff);
+- sh_cmt_write_cmcnt(ch, 0);
+-
+- /*
+- * According to the sh73a0 user's manual, as CMCNT can be operated
+- * only by the RCLK (Pseudo 32 kHz), there's one restriction on
+- * modifying CMCNT register; two RCLK cycles are necessary before
+- * this register is either read or any modification of the value
+- * it holds is reflected in the LSI's actual operation.
+- *
+- * While at it, we're supposed to clear out the CMCNT as of this
+- * moment, so make sure it's processed properly here. This will
+- * take RCLKx2 at maximum.
+- */
+- for (k = 0; k < 100; k++) {
+- if (!sh_cmt_read_cmcnt(ch))
+- break;
+- udelay(1);
+- }
++ ret = sh_cmt_write_cmcnt(ch, 0);
+
+- if (sh_cmt_read_cmcnt(ch)) {
++ if (ret || sh_cmt_read_cmcnt(ch)) {
+ dev_err(&ch->cmt->pdev->dev, "ch%u: cannot clear CMCNT\n",
+ ch->index);
+ ret = -ETIMEDOUT;
+@@ -995,8 +1011,8 @@ MODULE_DEVICE_TABLE(of, sh_cmt_of_table);
+
+ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev)
+ {
+- unsigned int mask;
+- unsigned int i;
++ unsigned int mask, i;
++ unsigned long rate;
+ int ret;
+
+ cmt->pdev = pdev;
+@@ -1032,10 +1048,16 @@ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev)
+ if (ret < 0)
+ goto err_clk_unprepare;
+
+- if (cmt->info->width == 16)
+- cmt->rate = clk_get_rate(cmt->clk) / 512;
+- else
+- cmt->rate = clk_get_rate(cmt->clk) / 8;
++ rate = clk_get_rate(cmt->clk);
++ if (!rate) {
++ ret = -EINVAL;
++ goto err_clk_disable;
++ }
++
++ /* We shall wait 2 input clks after register writes */
++ if (cmt->info->model >= SH_CMT_48BIT)
++ cmt->reg_delay = DIV_ROUND_UP(2UL * USEC_PER_SEC, rate);
++ cmt->rate = rate / (cmt->info->width == 16 ? 512 : 8);
+
+ /* Map the memory resource(s). */
+ ret = sh_cmt_map_memory(cmt);
+--
+2.35.1
+
--- /dev/null
+From 5c2709dc1cd3d76295ad5c58149e61dbd40c2dda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 19:44:27 +0800
+Subject: clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in
+ dmtimer_systimer_init_clock()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 180d35a7c05d520314a590c99ad8643d0213f28b ]
+
+If clk_get_rate() fails which is called after clk_prepare_enable(),
+clk_disable_unprepare() need be called in error path to disable the
+clock in dmtimer_systimer_init_clock().
+
+Fixes: 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20221029114427.946520-1-yangyingliang@huawei.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-ti-dm-systimer.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-ti-dm-systimer.c b/drivers/clocksource/timer-ti-dm-systimer.c
+index 2737407ff069..632523c1232f 100644
+--- a/drivers/clocksource/timer-ti-dm-systimer.c
++++ b/drivers/clocksource/timer-ti-dm-systimer.c
+@@ -345,8 +345,10 @@ static int __init dmtimer_systimer_init_clock(struct dmtimer_systimer *t,
+ return error;
+
+ r = clk_get_rate(clock);
+- if (!r)
++ if (!r) {
++ clk_disable_unprepare(clock);
+ return -ENODEV;
++ }
+
+ if (is_ick)
+ t->ick = clock;
+--
+2.35.1
+
--- /dev/null
+From b97a8d995576f8dff5967b6eb1bec121c1ee6a83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 13:35:26 +0300
+Subject: clocksource/drivers/timer-ti-dm: Fix warning for omap_timer_match
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 9688498b1648aa98a3ee45d9f07763c099f6fb12 ]
+
+We can now get a warning for 'omap_timer_match' defined but not used.
+Let's fix this by dropping of_match_ptr for omap_timer_match.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: ab0bbef3ae0f ("clocksource/drivers/timer-ti-dm: Make timer selectable for ARCH_K3")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20221028103526.40319-1-tony@atomide.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-ti-dm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-ti-dm.c b/drivers/clocksource/timer-ti-dm.c
+index 469f7c91564b..78c2c038d3ae 100644
+--- a/drivers/clocksource/timer-ti-dm.c
++++ b/drivers/clocksource/timer-ti-dm.c
+@@ -1081,7 +1081,7 @@ static struct platform_driver omap_dm_timer_driver = {
+ .remove = omap_dm_timer_remove,
+ .driver = {
+ .name = "omap_timer",
+- .of_match_table = of_match_ptr(omap_timer_match),
++ .of_match_table = omap_timer_match,
+ .pm = &omap_dm_timer_pm_ops,
+ },
+ };
+--
+2.35.1
+
--- /dev/null
+From 90c9bb39277f59257162786ef4ca7872dcb53c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 09:42:30 +0800
+Subject: configfs: fix possible memory leak in configfs_create_dir()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit c65234b283a65cfbfc94619655e820a5e55199eb ]
+
+kmemleak reported memory leaks in configfs_create_dir():
+
+unreferenced object 0xffff888009f6af00 (size 192):
+ comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
+ backtrace:
+ kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
+ new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)
+ configfs_register_subsystem (fs/configfs/dir.c:1857)
+ basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
+ do_one_initcall (init/main.c:1296)
+ do_init_module (kernel/module/main.c:2455)
+ ...
+
+unreferenced object 0xffff888003ba7180 (size 96):
+ comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
+ backtrace:
+ kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
+ configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)
+ configfs_make_dirent (fs/configfs/dir.c:248)
+ configfs_create_dir (fs/configfs/dir.c:296)
+ configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)
+ configfs_register_subsystem (fs/configfs/dir.c:1881)
+ basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
+ do_one_initcall (init/main.c:1296)
+ do_init_module (kernel/module/main.c:2455)
+ ...
+
+This is because the refcount is not correct in configfs_make_dirent().
+For normal stage, the refcount is changing as:
+
+configfs_register_subsystem()
+ configfs_create_dir()
+ configfs_make_dirent()
+ configfs_new_dirent() # set s_count = 1
+ dentry->d_fsdata = configfs_get(sd); # s_count = 2
+...
+configfs_unregister_subsystem()
+ configfs_remove_dir()
+ remove_dir()
+ configfs_remove_dirent() # s_count = 1
+ dput() ...
+ *dentry_unlink_inode()*
+ configfs_d_iput() # s_count = 0, release
+
+However, if we failed in configfs_create():
+
+configfs_register_subsystem()
+ configfs_create_dir()
+ configfs_make_dirent() # s_count = 2
+ ...
+ configfs_create() # fail
+ ->out_remove:
+ configfs_remove_dirent(dentry)
+ configfs_put(sd) # s_count = 1
+ return PTR_ERR(inode);
+
+There is no inode in the error path, so the configfs_d_iput() is lost
+and makes sd and fragment memory leaked.
+
+To fix this, when we failed in configfs_create(), manually call
+configfs_put(sd) to keep the refcount correct.
+
+Fixes: 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/configfs/dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index d1f9d2632202..ec6519e1ca3b 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -316,6 +316,7 @@ static int configfs_create_dir(struct config_item *item, struct dentry *dentry,
+ return 0;
+
+ out_remove:
++ configfs_put(dentry->d_fsdata);
+ configfs_remove_dirent(dentry);
+ return PTR_ERR(inode);
+ }
+@@ -382,6 +383,7 @@ int configfs_create_link(struct configfs_dirent *target, struct dentry *parent,
+ return 0;
+
+ out_remove:
++ configfs_put(dentry->d_fsdata);
+ configfs_remove_dirent(dentry);
+ return PTR_ERR(inode);
+ }
+--
+2.35.1
+
--- /dev/null
+From acbb4a7472e542133da5116cc743c2e30a490165 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 17:03:55 +0800
+Subject: coresight: trbe: remove cpuhp instance node before remove cpuhp state
+
+From: Yang Shen <shenyang39@huawei.com>
+
+[ Upstream commit 20ee8c223f792947378196307d8e707c9cdc2d61 ]
+
+cpuhp_state_add_instance() and cpuhp_state_remove_instance() should
+be used in pairs. Or there will lead to the warn on
+cpuhp_remove_multi_state() since the cpuhp_step list is not empty.
+
+The following is the error log with 'rmmod coresight-trbe':
+Error: Removing state 215 which has instances left.
+Call trace:
+ __cpuhp_remove_state_cpuslocked+0x144/0x160
+ __cpuhp_remove_state+0xac/0x100
+ arm_trbe_device_remove+0x2c/0x60 [coresight_trbe]
+ platform_remove+0x34/0x70
+ device_remove+0x54/0x90
+ device_release_driver_internal+0x1e4/0x250
+ driver_detach+0x5c/0xb0
+ bus_remove_driver+0x64/0xc0
+ driver_unregister+0x3c/0x70
+ platform_driver_unregister+0x20/0x30
+ arm_trbe_exit+0x1c/0x658 [coresight_trbe]
+ __arm64_sys_delete_module+0x1ac/0x24c
+ invoke_syscall+0x50/0x120
+ el0_svc_common.constprop.0+0x58/0x1a0
+ do_el0_svc+0x38/0xd0
+ el0_svc+0x2c/0xc0
+ el0t_64_sync_handler+0x1ac/0x1b0
+ el0t_64_sync+0x19c/0x1a0
+ ---[ end trace 0000000000000000 ]---
+
+Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver")
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Signed-off-by: Yang Shen <shenyang39@huawei.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20221122090355.23533-1-shenyang39@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-trbe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-trbe.c b/drivers/hwtracing/coresight/coresight-trbe.c
+index 2b386bb848f8..1fc4fd79a1c6 100644
+--- a/drivers/hwtracing/coresight/coresight-trbe.c
++++ b/drivers/hwtracing/coresight/coresight-trbe.c
+@@ -1434,6 +1434,7 @@ static int arm_trbe_probe_cpuhp(struct trbe_drvdata *drvdata)
+
+ static void arm_trbe_remove_cpuhp(struct trbe_drvdata *drvdata)
+ {
++ cpuhp_state_remove_instance(drvdata->trbe_online, &drvdata->hotplug_node);
+ cpuhp_remove_multi_state(drvdata->trbe_online);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 5e73e365ba0ae594275c3e8073228b63951b4701 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 14:36:09 +0100
+Subject: counter: stm32-lptimer-cnt: fix the check on arr and cmp registers
+ update
+
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+
+[ Upstream commit fd5ac974fc25feed084c2d1599d0dddb4e0556bc ]
+
+The ARR (auto reload register) and CMP (compare) registers are
+successively written. The status bits to check the update of these
+registers are polled together with regmap_read_poll_timeout().
+The condition to end the loop may become true, even if one of the register
+isn't correctly updated.
+So ensure both status bits are set before clearing them.
+
+Fixes: d8958824cf07 ("iio: counter: Add support for STM32 LPTimer")
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Link: https://lore.kernel.org/r/20221123133609.465614-1-fabrice.gasnier@foss.st.com/
+Signed-off-by: William Breathitt Gray <william.gray@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/counter/stm32-lptimer-cnt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/counter/stm32-lptimer-cnt.c b/drivers/counter/stm32-lptimer-cnt.c
+index 68031d93ce89..aee3b1a8aaa7 100644
+--- a/drivers/counter/stm32-lptimer-cnt.c
++++ b/drivers/counter/stm32-lptimer-cnt.c
+@@ -69,7 +69,7 @@ static int stm32_lptim_set_enable_state(struct stm32_lptim_cnt *priv,
+
+ /* ensure CMP & ARR registers are properly written */
+ ret = regmap_read_poll_timeout(priv->regmap, STM32_LPTIM_ISR, val,
+- (val & STM32_LPTIM_CMPOK_ARROK),
++ (val & STM32_LPTIM_CMPOK_ARROK) == STM32_LPTIM_CMPOK_ARROK,
+ 100, 1000);
+ if (ret)
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From d6cd2a9a84452fcbf6d48d182de25fc2fdf4f6fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 11:12:59 +0100
+Subject: cpu/hotplug: Do not bail-out in DYING/STARTING sections
+
+From: Vincent Donnefort <vdonnefort@google.com>
+
+[ Upstream commit 6f855b39e4602b6b42a8e5cbcfefb8a1b8b5f0be ]
+
+The DYING/STARTING callbacks are not expected to fail. However, as reported
+by Derek, buggy drivers such as tboot are still free to return errors
+within those sections, which halts the hot(un)plug and leaves the CPU in an
+unrecoverable state.
+
+As there is no rollback possible, only log the failures and proceed with
+the following steps.
+
+This restores the hotplug behaviour prior to commit 453e41085183
+("cpu/hotplug: Add cpuhp_invoke_callback_range()")
+
+Fixes: 453e41085183 ("cpu/hotplug: Add cpuhp_invoke_callback_range()")
+Reported-by: Derek Dolney <z23@posteo.net>
+Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Derek Dolney <z23@posteo.net>
+Reviewed-by: Valentin Schneider <vschneid@redhat.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215867
+Link: https://lore.kernel.org/r/20220927101259.1149636-1-vdonnefort@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cpu.c | 56 +++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 40 insertions(+), 16 deletions(-)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 979de993f853..98a7a7b1471b 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -663,21 +663,51 @@ static bool cpuhp_next_state(bool bringup,
+ return true;
+ }
+
+-static int cpuhp_invoke_callback_range(bool bringup,
+- unsigned int cpu,
+- struct cpuhp_cpu_state *st,
+- enum cpuhp_state target)
++static int __cpuhp_invoke_callback_range(bool bringup,
++ unsigned int cpu,
++ struct cpuhp_cpu_state *st,
++ enum cpuhp_state target,
++ bool nofail)
+ {
+ enum cpuhp_state state;
+- int err = 0;
++ int ret = 0;
+
+ while (cpuhp_next_state(bringup, &state, st, target)) {
++ int err;
++
+ err = cpuhp_invoke_callback(cpu, state, bringup, NULL, NULL);
+- if (err)
++ if (!err)
++ continue;
++
++ if (nofail) {
++ pr_warn("CPU %u %s state %s (%d) failed (%d)\n",
++ cpu, bringup ? "UP" : "DOWN",
++ cpuhp_get_step(st->state)->name,
++ st->state, err);
++ ret = -1;
++ } else {
++ ret = err;
+ break;
++ }
+ }
+
+- return err;
++ return ret;
++}
++
++static inline int cpuhp_invoke_callback_range(bool bringup,
++ unsigned int cpu,
++ struct cpuhp_cpu_state *st,
++ enum cpuhp_state target)
++{
++ return __cpuhp_invoke_callback_range(bringup, cpu, st, target, false);
++}
++
++static inline void cpuhp_invoke_callback_range_nofail(bool bringup,
++ unsigned int cpu,
++ struct cpuhp_cpu_state *st,
++ enum cpuhp_state target)
++{
++ __cpuhp_invoke_callback_range(bringup, cpu, st, target, true);
+ }
+
+ static inline bool can_rollback_cpu(struct cpuhp_cpu_state *st)
+@@ -999,7 +1029,6 @@ static int take_cpu_down(void *_param)
+ struct cpuhp_cpu_state *st = this_cpu_ptr(&cpuhp_state);
+ enum cpuhp_state target = max((int)st->target, CPUHP_AP_OFFLINE);
+ int err, cpu = smp_processor_id();
+- int ret;
+
+ /* Ensure this CPU doesn't handle any more interrupts. */
+ err = __cpu_disable();
+@@ -1012,13 +1041,10 @@ static int take_cpu_down(void *_param)
+ */
+ WARN_ON(st->state != (CPUHP_TEARDOWN_CPU - 1));
+
+- /* Invoke the former CPU_DYING callbacks */
+- ret = cpuhp_invoke_callback_range(false, cpu, st, target);
+-
+ /*
+- * DYING must not fail!
++ * Invoke the former CPU_DYING callbacks. DYING must not fail!
+ */
+- WARN_ON_ONCE(ret);
++ cpuhp_invoke_callback_range_nofail(false, cpu, st, target);
+
+ /* Give up timekeeping duties */
+ tick_handover_do_timer();
+@@ -1296,16 +1322,14 @@ void notify_cpu_starting(unsigned int cpu)
+ {
+ struct cpuhp_cpu_state *st = per_cpu_ptr(&cpuhp_state, cpu);
+ enum cpuhp_state target = min((int)st->target, CPUHP_AP_ONLINE);
+- int ret;
+
+ rcu_cpu_starting(cpu); /* Enables RCU usage on this CPU. */
+ cpumask_set_cpu(cpu, &cpus_booted_once_mask);
+- ret = cpuhp_invoke_callback_range(true, cpu, st, target);
+
+ /*
+ * STARTING must not fail!
+ */
+- WARN_ON_ONCE(ret);
++ cpuhp_invoke_callback_range_nofail(true, cpu, st, target);
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 774909e4e0c642f44142c90f07ec52f562e13b0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:23:28 -0500
+Subject: cpu/hotplug: Make target_store() a nop when target == state
+
+From: Phil Auld <pauld@redhat.com>
+
+[ Upstream commit 64ea6e44f85b9b75925ebe1ba0e6e8430cc4e06f ]
+
+Writing the current state back in hotplug/target calls cpu_down()
+which will set cpu dying even when it isn't and then nothing will
+ever clear it. A stress test that reads values and writes them back
+for all cpu device files in sysfs will trigger the BUG() in
+select_fallback_rq once all cpus are marked as dying.
+
+kernel/cpu.c::target_store()
+ ...
+ if (st->state < target)
+ ret = cpu_up(dev->id, target);
+ else
+ ret = cpu_down(dev->id, target);
+
+cpu_down() -> cpu_set_state()
+ bool bringup = st->state < target;
+ ...
+ if (cpu_dying(cpu) != !bringup)
+ set_cpu_dying(cpu, !bringup);
+
+Fix this by letting state==target fall through in the target_store()
+conditional. Also make sure st->target == target in that case.
+
+Fixes: 757c989b9994 ("cpu/hotplug: Make target state writeable")
+Signed-off-by: Phil Auld <pauld@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Valentin Schneider <vschneid@redhat.com>
+Link: https://lore.kernel.org/r/20221117162329.3164999-2-pauld@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cpu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index bbad5e375d3b..979de993f853 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2326,8 +2326,10 @@ static ssize_t target_store(struct device *dev, struct device_attribute *attr,
+
+ if (st->state < target)
+ ret = cpu_up(dev->id, target);
+- else
++ else if (st->state > target)
+ ret = cpu_down(dev->id, target);
++ else if (WARN_ON(st->target != target))
++ st->target = target;
+ out:
+ unlock_device_hotplug();
+ return ret ? ret : count;
+--
+2.35.1
+
--- /dev/null
+From 362cbac486f5bdac6e4d5f2e0df114ccbaa301a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 19:33:39 +0800
+Subject: cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 91fda1f88c0968f1491ab150bb01690525af150a ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev. We need to use pci_dev_put() to decrease the reference count
+after using pci_get_device(). Let's add it.
+
+Fixes: 59a3b3a8db16 ("cpufreq: AMD: Ignore the check for ProcFeedback in ST/CZ")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/amd_freq_sensitivity.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/cpufreq/amd_freq_sensitivity.c b/drivers/cpufreq/amd_freq_sensitivity.c
+index 6448e03bcf48..59b19b9975e8 100644
+--- a/drivers/cpufreq/amd_freq_sensitivity.c
++++ b/drivers/cpufreq/amd_freq_sensitivity.c
+@@ -125,6 +125,8 @@ static int __init amd_freq_sensitivity_init(void)
+ if (!pcidev) {
+ if (!boot_cpu_has(X86_FEATURE_PROC_FEEDBACK))
+ return -ENODEV;
++ } else {
++ pci_dev_put(pcidev);
+ }
+
+ if (rdmsrl_safe(MSR_AMD64_FREQ_SENSITIVITY_ACTUAL, &val))
+--
+2.35.1
+
--- /dev/null
+From 80e438c86bfce5d131ff0058385aa00e22aed866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 15:23:02 +0800
+Subject: cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()
+
+From: Chen Hui <judy.chenhui@huawei.com>
+
+[ Upstream commit 9901c21bcaf2f01fe5078f750d624f4ddfa8f81b ]
+
+If "cpu_dev" fails to get opp table in qcom_cpufreq_hw_read_lut(),
+the program will return, resulting in "table" resource is not released.
+
+Fixes: 51c843cf77bb ("cpufreq: qcom: Update the bandwidth levels on frequency change")
+Signed-off-by: Chen Hui <judy.chenhui@huawei.com>
+Reviewed-by: Sibi Sankar <quic_sibis@quicinc.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/qcom-cpufreq-hw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c
+index bb32659820ce..9221a416230a 100644
+--- a/drivers/cpufreq/qcom-cpufreq-hw.c
++++ b/drivers/cpufreq/qcom-cpufreq-hw.c
+@@ -190,6 +190,7 @@ static int qcom_cpufreq_hw_read_lut(struct device *cpu_dev,
+ }
+ } else if (ret != -ENODEV) {
+ dev_err(cpu_dev, "Invalid opp table in device tree\n");
++ kfree(table);
+ return ret;
+ } else {
+ policy->fast_switch_possible = true;
+--
+2.35.1
+
--- /dev/null
+From 9405be54bbcd17dc4a75cd971a7652321443d8ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:01:45 +0530
+Subject: cpufreq: qcom-hw: Fix the frequency returned by cpufreq_driver->get()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit c72cf0cb1d77f6b1b58c334dcc3d09fa13111c4c ]
+
+The cpufreq_driver->get() callback is supposed to return the current
+frequency of the CPU and not the one requested by the CPUFreq core.
+Fix it by returning the frequency that gets supplied to the CPU after
+the DCVS operation of EPSS/OSM.
+
+Fixes: 2849dd8bc72b ("cpufreq: qcom-hw: Add support for QCOM cpufreq HW driver")
+Reported-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/qcom-cpufreq-hw.c | 42 +++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c
+index 9221a416230a..823b069203e1 100644
+--- a/drivers/cpufreq/qcom-cpufreq-hw.c
++++ b/drivers/cpufreq/qcom-cpufreq-hw.c
+@@ -122,7 +122,35 @@ static int qcom_cpufreq_hw_target_index(struct cpufreq_policy *policy,
+ return 0;
+ }
+
++static unsigned long qcom_lmh_get_throttle_freq(struct qcom_cpufreq_data *data)
++{
++ unsigned int lval;
++
++ if (data->soc_data->reg_current_vote)
++ lval = readl_relaxed(data->base + data->soc_data->reg_current_vote) & 0x3ff;
++ else
++ lval = readl_relaxed(data->base + data->soc_data->reg_domain_state) & 0xff;
++
++ return lval * xo_rate;
++}
++
++/* Get the current frequency of the CPU (after throttling) */
+ static unsigned int qcom_cpufreq_hw_get(unsigned int cpu)
++{
++ struct qcom_cpufreq_data *data;
++ struct cpufreq_policy *policy;
++
++ policy = cpufreq_cpu_get_raw(cpu);
++ if (!policy)
++ return 0;
++
++ data = policy->driver_data;
++
++ return qcom_lmh_get_throttle_freq(data) / HZ_PER_KHZ;
++}
++
++/* Get the frequency requested by the cpufreq core for the CPU */
++static unsigned int qcom_cpufreq_get_freq(unsigned int cpu)
+ {
+ struct qcom_cpufreq_data *data;
+ const struct qcom_cpufreq_soc_data *soc_data;
+@@ -284,18 +312,6 @@ static void qcom_get_related_cpus(int index, struct cpumask *m)
+ }
+ }
+
+-static unsigned long qcom_lmh_get_throttle_freq(struct qcom_cpufreq_data *data)
+-{
+- unsigned int lval;
+-
+- if (data->soc_data->reg_current_vote)
+- lval = readl_relaxed(data->base + data->soc_data->reg_current_vote) & 0x3ff;
+- else
+- lval = readl_relaxed(data->base + data->soc_data->reg_domain_state) & 0xff;
+-
+- return lval * xo_rate;
+-}
+-
+ static void qcom_lmh_dcvs_notify(struct qcom_cpufreq_data *data)
+ {
+ struct cpufreq_policy *policy = data->policy;
+@@ -337,7 +353,7 @@ static void qcom_lmh_dcvs_notify(struct qcom_cpufreq_data *data)
+ * If h/w throttled frequency is higher than what cpufreq has requested
+ * for, then stop polling and switch back to interrupt mechanism.
+ */
+- if (throttled_freq >= qcom_cpufreq_hw_get(cpu))
++ if (throttled_freq >= qcom_cpufreq_get_freq(cpu))
+ enable_irq(data->throttle_irq);
+ else
+ mod_delayed_work(system_highpri_wq, &data->throttle_work,
+--
+2.35.1
+
--- /dev/null
+From a764dcaf802073dce6c193ab5f56bb87c53225ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 17:10:12 +0200
+Subject: cpuidle: dt: Return the correct numbers of parsed idle states
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit ee3c2c8ad6ba6785f14a60e4081d7c82e88162a2 ]
+
+While we correctly skips to initialize an idle state from a disabled idle
+state node in DT, the returned value from dt_init_idle_driver() don't get
+adjusted accordingly. Instead the number of found idle state nodes are
+returned, while the callers are expecting the number of successfully
+initialized idle states from DT.
+
+This leads to cpuidle drivers unnecessarily continues to initialize their
+idle state specific data. Moreover, in the case when all idle states have
+been disabled in DT, we would end up registering a cpuidle driver, rather
+than relying on the default arch specific idle call.
+
+Fixes: 9f14da345599 ("drivers: cpuidle: implement DT based idle states infrastructure")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/dt_idle_states.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c
+index 252f2a9686a6..448bc796b0b4 100644
+--- a/drivers/cpuidle/dt_idle_states.c
++++ b/drivers/cpuidle/dt_idle_states.c
+@@ -223,6 +223,6 @@ int dt_init_idle_driver(struct cpuidle_driver *drv,
+ * also be 0 on platforms with missing DT idle states or legacy DT
+ * configuration predating the DT idle states bindings.
+ */
+- return i;
++ return state_idx - start_idx;
+ }
+ EXPORT_SYMBOL_GPL(dt_init_idle_driver);
+--
+2.35.1
+
--- /dev/null
+From b28a715c1992edb9d36279628dce66c392daa06c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 22:56:19 +0100
+Subject: crypto: amlogic - Remove kcalloc without check
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 3d780c8a9850ad60dee47a8d971ba7888f3d1bd3 ]
+
+There is no real point in allocating dedicated memory for the irqs array.
+MAXFLOW is only 2, so it is easier to allocated the needed space
+directly within the 'meson_dev' structure.
+
+This saves some memory allocation and avoids an indirection when using the
+irqs array.
+
+Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator...")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/amlogic/amlogic-gxl-core.c | 1 -
+ drivers/crypto/amlogic/amlogic-gxl.h | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/amlogic/amlogic-gxl-core.c b/drivers/crypto/amlogic/amlogic-gxl-core.c
+index 6e7ae896717c..937187027ad5 100644
+--- a/drivers/crypto/amlogic/amlogic-gxl-core.c
++++ b/drivers/crypto/amlogic/amlogic-gxl-core.c
+@@ -237,7 +237,6 @@ static int meson_crypto_probe(struct platform_device *pdev)
+ return err;
+ }
+
+- mc->irqs = devm_kcalloc(mc->dev, MAXFLOW, sizeof(int), GFP_KERNEL);
+ for (i = 0; i < MAXFLOW; i++) {
+ mc->irqs[i] = platform_get_irq(pdev, i);
+ if (mc->irqs[i] < 0)
+diff --git a/drivers/crypto/amlogic/amlogic-gxl.h b/drivers/crypto/amlogic/amlogic-gxl.h
+index dc0f142324a3..8c0746a1d6d4 100644
+--- a/drivers/crypto/amlogic/amlogic-gxl.h
++++ b/drivers/crypto/amlogic/amlogic-gxl.h
+@@ -95,7 +95,7 @@ struct meson_dev {
+ struct device *dev;
+ struct meson_flow *chanlist;
+ atomic_t flow;
+- int *irqs;
++ int irqs[MAXFLOW];
+ #ifdef CONFIG_CRYPTO_DEV_AMLOGIC_GXL_DEBUG
+ struct dentry *dbgfs_dir;
+ #endif
+--
+2.35.1
+
--- /dev/null
+From 0c51c0a978d317aec6406f0cb3bb87c76377cc12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 18:22:36 +0100
+Subject: crypto: ccree - Make cc_debugfs_global_fini() available for module
+ init function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 8e96729fc26c8967db45a3fb7a60387619f77a22 ]
+
+ccree_init() calls cc_debugfs_global_fini(), the former is an init
+function and the latter an exit function though.
+
+A modular build emits:
+
+ WARNING: modpost: drivers/crypto/ccree/ccree.o: section mismatch in reference: init_module (section: .init.text) -> cc_debugfs_global_fini (section: .exit.text)
+
+(with CONFIG_DEBUG_SECTION_MISMATCH=y).
+
+Fixes: 4f1c596df706 ("crypto: ccree - Remove debugfs when platform_driver_register failed")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccree/cc_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccree/cc_debugfs.c b/drivers/crypto/ccree/cc_debugfs.c
+index 7083767602fc..8f008f024f8f 100644
+--- a/drivers/crypto/ccree/cc_debugfs.c
++++ b/drivers/crypto/ccree/cc_debugfs.c
+@@ -55,7 +55,7 @@ void __init cc_debugfs_global_init(void)
+ cc_debugfs_dir = debugfs_create_dir("ccree", NULL);
+ }
+
+-void __exit cc_debugfs_global_fini(void)
++void cc_debugfs_global_fini(void)
+ {
+ debugfs_remove(cc_debugfs_dir);
+ }
+--
+2.35.1
+
--- /dev/null
+From e4fbf2cc8967f7799eaf2c2b4c279604a818f0ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 16:29:12 +0800
+Subject: crypto: ccree - Remove debugfs when platform_driver_register failed
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 4f1c596df706c9aca662b6c214fad84047ae2a97 ]
+
+When platform_driver_register failed, we need to remove debugfs,
+which will caused a resource leak, fix it.
+
+Failed logs as follows:
+[ 32.606488] debugfs: Directory 'ccree' with parent '/' already present!
+
+Fixes: 4c3f97276e15 ("crypto: ccree - introduce CryptoCell driver")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccree/cc_driver.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccree/cc_driver.c b/drivers/crypto/ccree/cc_driver.c
+index cadead18b59e..d489c6f80892 100644
+--- a/drivers/crypto/ccree/cc_driver.c
++++ b/drivers/crypto/ccree/cc_driver.c
+@@ -651,9 +651,17 @@ static struct platform_driver ccree_driver = {
+
+ static int __init ccree_init(void)
+ {
++ int rc;
++
+ cc_debugfs_global_init();
+
+- return platform_driver_register(&ccree_driver);
++ rc = platform_driver_register(&ccree_driver);
++ if (rc) {
++ cc_debugfs_global_fini();
++ return rc;
++ }
++
++ return 0;
+ }
+ module_init(ccree_init);
+
+--
+2.35.1
+
--- /dev/null
+From 15f82129170ab6184fe8fa9be4b4748bff24aa94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 17:59:17 +0800
+Subject: crypto: cryptd - Use request context instead of stack for sub-request
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3a58c231172537f7b0e19d93ed33decd04f80eab ]
+
+cryptd is buggy as it tries to use sync_skcipher without going
+through the proper sync_skcipher interface. In fact it doesn't
+even need sync_skcipher since it's already a proper skcipher and
+can easily access the request context instead of using something
+off the stack.
+
+Fixes: 36b3875a97b8 ("crypto: cryptd - Remove VLA usage of skcipher")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/cryptd.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/cryptd.c b/crypto/cryptd.c
+index 668095eca0fa..ca3a40fc7da9 100644
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -68,11 +68,12 @@ struct aead_instance_ctx {
+
+ struct cryptd_skcipher_ctx {
+ refcount_t refcnt;
+- struct crypto_sync_skcipher *child;
++ struct crypto_skcipher *child;
+ };
+
+ struct cryptd_skcipher_request_ctx {
+ crypto_completion_t complete;
++ struct skcipher_request req;
+ };
+
+ struct cryptd_hash_ctx {
+@@ -227,13 +228,13 @@ static int cryptd_skcipher_setkey(struct crypto_skcipher *parent,
+ const u8 *key, unsigned int keylen)
+ {
+ struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(parent);
+- struct crypto_sync_skcipher *child = ctx->child;
++ struct crypto_skcipher *child = ctx->child;
+
+- crypto_sync_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
+- crypto_sync_skcipher_set_flags(child,
+- crypto_skcipher_get_flags(parent) &
+- CRYPTO_TFM_REQ_MASK);
+- return crypto_sync_skcipher_setkey(child, key, keylen);
++ crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
++ crypto_skcipher_set_flags(child,
++ crypto_skcipher_get_flags(parent) &
++ CRYPTO_TFM_REQ_MASK);
++ return crypto_skcipher_setkey(child, key, keylen);
+ }
+
+ static void cryptd_skcipher_complete(struct skcipher_request *req, int err)
+@@ -258,13 +259,13 @@ static void cryptd_skcipher_encrypt(struct crypto_async_request *base,
+ struct cryptd_skcipher_request_ctx *rctx = skcipher_request_ctx(req);
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+- struct crypto_sync_skcipher *child = ctx->child;
+- SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, child);
++ struct skcipher_request *subreq = &rctx->req;
++ struct crypto_skcipher *child = ctx->child;
+
+ if (unlikely(err == -EINPROGRESS))
+ goto out;
+
+- skcipher_request_set_sync_tfm(subreq, child);
++ skcipher_request_set_tfm(subreq, child);
+ skcipher_request_set_callback(subreq, CRYPTO_TFM_REQ_MAY_SLEEP,
+ NULL, NULL);
+ skcipher_request_set_crypt(subreq, req->src, req->dst, req->cryptlen,
+@@ -286,13 +287,13 @@ static void cryptd_skcipher_decrypt(struct crypto_async_request *base,
+ struct cryptd_skcipher_request_ctx *rctx = skcipher_request_ctx(req);
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+- struct crypto_sync_skcipher *child = ctx->child;
+- SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, child);
++ struct skcipher_request *subreq = &rctx->req;
++ struct crypto_skcipher *child = ctx->child;
+
+ if (unlikely(err == -EINPROGRESS))
+ goto out;
+
+- skcipher_request_set_sync_tfm(subreq, child);
++ skcipher_request_set_tfm(subreq, child);
+ skcipher_request_set_callback(subreq, CRYPTO_TFM_REQ_MAY_SLEEP,
+ NULL, NULL);
+ skcipher_request_set_crypt(subreq, req->src, req->dst, req->cryptlen,
+@@ -343,9 +344,10 @@ static int cryptd_skcipher_init_tfm(struct crypto_skcipher *tfm)
+ if (IS_ERR(cipher))
+ return PTR_ERR(cipher);
+
+- ctx->child = (struct crypto_sync_skcipher *)cipher;
++ ctx->child = cipher;
+ crypto_skcipher_set_reqsize(
+- tfm, sizeof(struct cryptd_skcipher_request_ctx));
++ tfm, sizeof(struct cryptd_skcipher_request_ctx) +
++ crypto_skcipher_reqsize(cipher));
+ return 0;
+ }
+
+@@ -353,7 +355,7 @@ static void cryptd_skcipher_exit_tfm(struct crypto_skcipher *tfm)
+ {
+ struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+
+- crypto_free_sync_skcipher(ctx->child);
++ crypto_free_skcipher(ctx->child);
+ }
+
+ static void cryptd_skcipher_free(struct skcipher_instance *inst)
+@@ -931,7 +933,7 @@ struct crypto_skcipher *cryptd_skcipher_child(struct cryptd_skcipher *tfm)
+ {
+ struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(&tfm->base);
+
+- return &ctx->child->base;
++ return ctx->child;
+ }
+ EXPORT_SYMBOL_GPL(cryptd_skcipher_child);
+
+--
+2.35.1
+
--- /dev/null
+From 4a7e3716b9556df683cf3b3abdeab48f1e6c6ebc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 15:38:31 +0800
+Subject: crypto: hisilicon/hpre - fix resource leak in remove process
+
+From: Zhiqi Song <songzhiqi1@huawei.com>
+
+[ Upstream commit 45e6319bd5f2154d8b8c9f1eaa4ac030ba0d330c ]
+
+In hpre_remove(), when the disable operation of qm sriov failed,
+the following logic should continue to be executed to release the
+remaining resources that have been allocated, instead of returning
+directly, otherwise there will be resource leakage.
+
+Signed-off-by: Zhiqi Song <songzhiqi1@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_main.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c
+index fd55c6ff13ba..7a50ca664ada 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_main.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c
+@@ -1287,18 +1287,12 @@ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ static void hpre_remove(struct pci_dev *pdev)
+ {
+ struct hisi_qm *qm = pci_get_drvdata(pdev);
+- int ret;
+
+ hisi_qm_pm_uninit(qm);
+ hisi_qm_wait_task_finish(qm, &hpre_devices);
+ hisi_qm_alg_unregister(qm, &hpre_devices);
+- if (qm->fun_type == QM_HW_PF && qm->vfs_num) {
+- ret = hisi_qm_sriov_disable(pdev, true);
+- if (ret) {
+- pci_err(pdev, "Disable SRIOV fail!\n");
+- return;
+- }
+- }
++ if (qm->fun_type == QM_HW_PF && qm->vfs_num)
++ hisi_qm_sriov_disable(pdev, true);
+
+ hpre_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+--
+2.35.1
+
--- /dev/null
+From f80cbfdea33418e49f36ac91a6e06138d712b69a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 18:00:36 +0800
+Subject: crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit cc7710d0d4ebc6998f04035cde4f32c5ddbe9d7f ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev. We need to use pci_dev_put() to decrease the reference count
+before q_num_set() returns.
+
+Fixes: c8b4b477079d ("crypto: hisilicon - add HiSilicon HPRE accelerator")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Reviewed-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/hisi_acc_qm.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/hisi_acc_qm.h b/include/linux/hisi_acc_qm.h
+index 851c962ba473..ce0c3ed67a5f 100644
+--- a/include/linux/hisi_acc_qm.h
++++ b/include/linux/hisi_acc_qm.h
+@@ -400,14 +400,14 @@ struct hisi_qp {
+ static inline int q_num_set(const char *val, const struct kernel_param *kp,
+ unsigned int device)
+ {
+- struct pci_dev *pdev = pci_get_device(PCI_VENDOR_ID_HUAWEI,
+- device, NULL);
++ struct pci_dev *pdev;
+ u32 n, q_num;
+ int ret;
+
+ if (!val)
+ return -EINVAL;
+
++ pdev = pci_get_device(PCI_VENDOR_ID_HUAWEI, device, NULL);
+ if (!pdev) {
+ q_num = min_t(u32, QM_QNUM_V1, QM_QNUM_V2);
+ pr_info("No device found currently, suppose queue number is %u\n",
+@@ -417,6 +417,8 @@ static inline int q_num_set(const char *val, const struct kernel_param *kp,
+ q_num = QM_QNUM_V1;
+ else
+ q_num = QM_QNUM_V2;
++
++ pci_dev_put(pdev);
+ }
+
+ ret = kstrtou32(val, 10, &n);
+--
+2.35.1
+
--- /dev/null
+From 8152e90a8b25f2b803490ec1e549d417a19803a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Aug 2022 18:34:52 +0800
+Subject: crypto: hisilicon/qm - fix missing destroy qp_idr
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 116be08f6e4e385733d42360a33c3d883d2dd702 ]
+
+In the function hisi_qm_memory_init(), if resource alloc fails after
+idr_init, the initialized qp_idr needs to be destroyed.
+
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Yang Shen <shenyang39@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: ee1537fe3dd8 ("crypto: hisilicon/qm - re-enable communicate interrupt before notifying PF")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/qm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index 9fa2efe60153..bdb7d5ba23b8 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -6143,8 +6143,8 @@ static int hisi_qm_memory_init(struct hisi_qm *qm)
+ GFP_ATOMIC);
+ dev_dbg(dev, "allocate qm dma buf size=%zx)\n", qm->qdma.size);
+ if (!qm->qdma.va) {
+- ret = -ENOMEM;
+- goto err_alloc_qdma;
++ ret = -ENOMEM;
++ goto err_destroy_idr;
+ }
+
+ QM_INIT_BUF(qm, eqe, QM_EQ_DEPTH);
+@@ -6160,7 +6160,8 @@ static int hisi_qm_memory_init(struct hisi_qm *qm)
+
+ err_alloc_qp_array:
+ dma_free_coherent(dev, qm->qdma.size, qm->qdma.va, qm->qdma.dma);
+-err_alloc_qdma:
++err_destroy_idr:
++ idr_destroy(&qm->qp_idr);
+ kfree(qm->factor);
+
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 5ebb594eca74c3d20b771432f35fc251a2366e7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 17:46:55 +0800
+Subject: crypto: hisilicon/qm - get hardware features from hardware registers
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 82f00b24f532557fb0e15a6a2747859e4b70c4bd ]
+
+Before hardware V3, hardwares do not provide the feature registers,
+driver resolves hardware differences based on the hardware version.
+As a result, the driver does not support the new hardware.
+
+Hardware V3 and later versions support to obtain hardware features,
+such as power-gating management and doorbell isolation, through
+the hardware registers. To be compatible with later hardware versions,
+the features of the current device is obtained by reading the
+hardware registers instead of the hardware version.
+
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: ee1537fe3dd8 ("crypto: hisilicon/qm - re-enable communicate interrupt before notifying PF")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_main.c | 4 +-
+ drivers/crypto/hisilicon/qm.c | 196 +++++++++++++++-------
+ drivers/crypto/hisilicon/sec2/sec_main.c | 4 +-
+ drivers/crypto/hisilicon/zip/zip_main.c | 4 +-
+ include/linux/hisi_acc_qm.h | 31 +++-
+ 5 files changed, 170 insertions(+), 69 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c
+index 9d529df0eab9..fd55c6ff13ba 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_main.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c
+@@ -457,7 +457,7 @@ static void hpre_open_sva_prefetch(struct hisi_qm *qm)
+ u32 val;
+ int ret;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_SVA_PREFETCH, &qm->caps))
+ return;
+
+ /* Enable prefetch */
+@@ -478,7 +478,7 @@ static void hpre_close_sva_prefetch(struct hisi_qm *qm)
+ u32 val;
+ int ret;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_SVA_PREFETCH, &qm->caps))
+ return;
+
+ val = readl_relaxed(qm->io_base + HPRE_PREFETCH_CFG);
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index bdb7d5ba23b8..2cfb072a218f 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -86,9 +86,7 @@
+ #define QM_DB_CMD_SHIFT_V1 16
+ #define QM_DB_INDEX_SHIFT_V1 32
+ #define QM_DB_PRIORITY_SHIFT_V1 48
+-#define QM_QUE_ISO_CFG_V 0x0030
+ #define QM_PAGE_SIZE 0x0034
+-#define QM_QUE_ISO_EN 0x100154
+ #define QM_CAPBILITY 0x100158
+ #define QM_QP_NUN_MASK GENMASK(10, 0)
+ #define QM_QP_DB_INTERVAL 0x10000
+@@ -205,6 +203,8 @@
+ #define MAX_WAIT_COUNTS 1000
+ #define QM_CACHE_WB_START 0x204
+ #define QM_CACHE_WB_DONE 0x208
++#define QM_FUNC_CAPS_REG 0x3100
++#define QM_CAPBILITY_VERSION GENMASK(7, 0)
+
+ #define PCI_BAR_2 2
+ #define PCI_BAR_4 4
+@@ -329,6 +329,22 @@ enum qm_mb_cmd {
+ QM_VF_GET_QOS,
+ };
+
++static const struct hisi_qm_cap_info qm_cap_info_comm[] = {
++ {QM_SUPPORT_DB_ISOLATION, 0x30, 0, BIT(0), 0x0, 0x0, 0x0},
++ {QM_SUPPORT_FUNC_QOS, 0x3100, 0, BIT(8), 0x0, 0x0, 0x1},
++ {QM_SUPPORT_STOP_QP, 0x3100, 0, BIT(9), 0x0, 0x0, 0x1},
++ {QM_SUPPORT_MB_COMMAND, 0x3100, 0, BIT(11), 0x0, 0x0, 0x1},
++ {QM_SUPPORT_SVA_PREFETCH, 0x3100, 0, BIT(14), 0x0, 0x0, 0x1},
++};
++
++static const struct hisi_qm_cap_info qm_cap_info_pf[] = {
++ {QM_SUPPORT_RPM, 0x3100, 0, BIT(13), 0x0, 0x0, 0x1},
++};
++
++static const struct hisi_qm_cap_info qm_cap_info_vf[] = {
++ {QM_SUPPORT_RPM, 0x3100, 0, BIT(12), 0x0, 0x0, 0x0},
++};
++
+ struct qm_cqe {
+ __le32 rsvd0;
+ __le16 cmd_id;
+@@ -426,10 +442,7 @@ struct hisi_qm_hw_ops {
+ void (*hw_error_init)(struct hisi_qm *qm, u32 ce, u32 nfe, u32 fe);
+ void (*hw_error_uninit)(struct hisi_qm *qm);
+ enum acc_err_result (*hw_error_handle)(struct hisi_qm *qm);
+- int (*stop_qp)(struct hisi_qp *qp);
+ int (*set_msi)(struct hisi_qm *qm, bool set);
+- int (*ping_all_vfs)(struct hisi_qm *qm, u64 cmd);
+- int (*ping_pf)(struct hisi_qm *qm, u64 cmd);
+ };
+
+ struct qm_dfx_item {
+@@ -828,6 +841,36 @@ static int qm_dev_mem_reset(struct hisi_qm *qm)
+ POLL_TIMEOUT);
+ }
+
++/**
++ * hisi_qm_get_hw_info() - Get device information.
++ * @qm: The qm which want to get information.
++ * @info_table: Array for storing device information.
++ * @index: Index in info_table.
++ * @is_read: Whether read from reg, 0: not support read from reg.
++ *
++ * This function returns device information the caller needs.
++ */
++u32 hisi_qm_get_hw_info(struct hisi_qm *qm,
++ const struct hisi_qm_cap_info *info_table,
++ u32 index, bool is_read)
++{
++ u32 val;
++
++ switch (qm->ver) {
++ case QM_HW_V1:
++ return info_table[index].v1_val;
++ case QM_HW_V2:
++ return info_table[index].v2_val;
++ default:
++ if (!is_read)
++ return info_table[index].v3_val;
++
++ val = readl(qm->io_base + info_table[index].offset);
++ return (val >> info_table[index].shift) & info_table[index].mask;
++ }
++}
++EXPORT_SYMBOL_GPL(hisi_qm_get_hw_info);
++
+ static u32 qm_get_irq_num_v1(struct hisi_qm *qm)
+ {
+ return QM_IRQ_NUM_V1;
+@@ -854,7 +897,7 @@ static int qm_pm_get_sync(struct hisi_qm *qm)
+ struct device *dev = &qm->pdev->dev;
+ int ret;
+
+- if (qm->fun_type == QM_HW_VF || qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_RPM, &qm->caps))
+ return 0;
+
+ ret = pm_runtime_resume_and_get(dev);
+@@ -870,7 +913,7 @@ static void qm_pm_put_sync(struct hisi_qm *qm)
+ {
+ struct device *dev = &qm->pdev->dev;
+
+- if (qm->fun_type == QM_HW_VF || qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_RPM, &qm->caps))
+ return;
+
+ pm_runtime_mark_last_busy(dev);
+@@ -1151,7 +1194,7 @@ static void qm_init_prefetch(struct hisi_qm *qm)
+ struct device *dev = &qm->pdev->dev;
+ u32 page_type = 0x0;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_SVA_PREFETCH, &qm->caps))
+ return;
+
+ switch (PAGE_SIZE) {
+@@ -1270,7 +1313,7 @@ static void qm_vft_data_cfg(struct hisi_qm *qm, enum vft_type type, u32 base,
+ }
+ break;
+ case SHAPER_VFT:
+- if (qm->ver >= QM_HW_V3) {
++ if (factor) {
+ tmp = factor->cir_b |
+ (factor->cir_u << QM_SHAPER_FACTOR_CIR_U_SHIFT) |
+ (factor->cir_s << QM_SHAPER_FACTOR_CIR_S_SHIFT) |
+@@ -1288,10 +1331,13 @@ static void qm_vft_data_cfg(struct hisi_qm *qm, enum vft_type type, u32 base,
+ static int qm_set_vft_common(struct hisi_qm *qm, enum vft_type type,
+ u32 fun_num, u32 base, u32 number)
+ {
+- struct qm_shaper_factor *factor = &qm->factor[fun_num];
++ struct qm_shaper_factor *factor = NULL;
+ unsigned int val;
+ int ret;
+
++ if (type == SHAPER_VFT && test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps))
++ factor = &qm->factor[fun_num];
++
+ ret = readl_relaxed_poll_timeout(qm->io_base + QM_VFT_CFG_RDY, val,
+ val & BIT(0), POLL_PERIOD,
+ POLL_TIMEOUT);
+@@ -1349,7 +1395,7 @@ static int qm_set_sqc_cqc_vft(struct hisi_qm *qm, u32 fun_num, u32 base,
+ }
+
+ /* init default shaper qos val */
+- if (qm->ver >= QM_HW_V3) {
++ if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps)) {
+ ret = qm_shaper_init_vft(qm, fun_num);
+ if (ret)
+ goto back_sqc_cqc;
+@@ -2495,7 +2541,7 @@ static int qm_wait_vf_prepare_finish(struct hisi_qm *qm)
+ u64 val;
+ u32 i;
+
+- if (!qm->vfs_num || qm->ver < QM_HW_V3)
++ if (!qm->vfs_num || !test_bit(QM_SUPPORT_MB_COMMAND, &qm->caps))
+ return 0;
+
+ while (true) {
+@@ -2780,10 +2826,7 @@ static const struct hisi_qm_hw_ops qm_hw_ops_v3 = {
+ .hw_error_init = qm_hw_error_init_v3,
+ .hw_error_uninit = qm_hw_error_uninit_v3,
+ .hw_error_handle = qm_hw_error_handle_v2,
+- .stop_qp = qm_stop_qp,
+ .set_msi = qm_set_msi_v3,
+- .ping_all_vfs = qm_ping_all_vfs,
+- .ping_pf = qm_ping_pf,
+ };
+
+ static void *qm_get_avail_sqe(struct hisi_qp *qp)
+@@ -3080,8 +3123,8 @@ static int qm_drain_qp(struct hisi_qp *qp)
+ return 0;
+
+ /* Kunpeng930 supports drain qp by device */
+- if (qm->ops->stop_qp) {
+- ret = qm->ops->stop_qp(qp);
++ if (test_bit(QM_SUPPORT_STOP_QP, &qm->caps)) {
++ ret = qm_stop_qp(qp);
+ if (ret)
+ dev_err(dev, "Failed to stop qp(%u)!\n", qp->qp_id);
+ return ret;
+@@ -3312,7 +3355,7 @@ static int hisi_qm_uacce_mmap(struct uacce_queue *q,
+ if (qm->ver == QM_HW_V1) {
+ if (sz > PAGE_SIZE * QM_DOORBELL_PAGE_NR)
+ return -EINVAL;
+- } else if (qm->ver == QM_HW_V2 || !qm->use_db_isolation) {
++ } else if (!test_bit(QM_SUPPORT_DB_ISOLATION, &qm->caps)) {
+ if (sz > PAGE_SIZE * (QM_DOORBELL_PAGE_NR +
+ QM_DOORBELL_SQ_CQ_BASE_V2 / PAGE_SIZE))
+ return -EINVAL;
+@@ -3466,7 +3509,7 @@ static int qm_alloc_uacce(struct hisi_qm *qm)
+
+ if (qm->ver == QM_HW_V1)
+ mmio_page_nr = QM_DOORBELL_PAGE_NR;
+- else if (qm->ver == QM_HW_V2 || !qm->use_db_isolation)
++ else if (!test_bit(QM_SUPPORT_DB_ISOLATION, &qm->caps))
+ mmio_page_nr = QM_DOORBELL_PAGE_NR +
+ QM_DOORBELL_SQ_CQ_BASE_V2 / PAGE_SIZE;
+ else
+@@ -3628,7 +3671,7 @@ static void hisi_qm_pre_init(struct hisi_qm *qm)
+ init_rwsem(&qm->qps_lock);
+ qm->qp_in_used = 0;
+ qm->misc_ctl = false;
+- if (qm->fun_type == QM_HW_PF && qm->ver > QM_HW_V2) {
++ if (test_bit(QM_SUPPORT_RPM, &qm->caps)) {
+ if (!acpi_device_power_manageable(ACPI_COMPANION(&pdev->dev)))
+ dev_info(&pdev->dev, "_PS0 and _PR0 are not defined");
+ }
+@@ -3638,7 +3681,7 @@ static void qm_cmd_uninit(struct hisi_qm *qm)
+ {
+ u32 val;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_MB_COMMAND, &qm->caps))
+ return;
+
+ val = readl(qm->io_base + QM_IFC_INT_MASK);
+@@ -3650,7 +3693,7 @@ static void qm_cmd_init(struct hisi_qm *qm)
+ {
+ u32 val;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_MB_COMMAND, &qm->caps))
+ return;
+
+ /* Clear communication interrupt source */
+@@ -3666,7 +3709,7 @@ static void qm_put_pci_res(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+
+- if (qm->use_db_isolation)
++ if (test_bit(QM_SUPPORT_DB_ISOLATION, &qm->caps))
+ iounmap(qm->db_io_base);
+
+ iounmap(qm->io_base);
+@@ -3716,7 +3759,9 @@ static void hisi_qm_memory_uninit(struct hisi_qm *qm)
+ }
+
+ idr_destroy(&qm->qp_idr);
+- kfree(qm->factor);
++
++ if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps))
++ kfree(qm->factor);
+ }
+
+ /**
+@@ -4499,12 +4544,10 @@ static int qm_vf_read_qos(struct hisi_qm *qm)
+ qm->mb_qos = 0;
+
+ /* vf ping pf to get function qos */
+- if (qm->ops->ping_pf) {
+- ret = qm->ops->ping_pf(qm, QM_VF_GET_QOS);
+- if (ret) {
+- pci_err(qm->pdev, "failed to send cmd to PF to get qos!\n");
+- return ret;
+- }
++ ret = qm_ping_pf(qm, QM_VF_GET_QOS);
++ if (ret) {
++ pci_err(qm->pdev, "failed to send cmd to PF to get qos!\n");
++ return ret;
+ }
+
+ while (true) {
+@@ -4676,14 +4719,14 @@ static const struct file_operations qm_algqos_fops = {
+ * hisi_qm_set_algqos_init() - Initialize function qos debugfs files.
+ * @qm: The qm for which we want to add debugfs files.
+ *
+- * Create function qos debugfs files.
++ * Create function qos debugfs files, VF ping PF to get function qos.
+ */
+ static void hisi_qm_set_algqos_init(struct hisi_qm *qm)
+ {
+ if (qm->fun_type == QM_HW_PF)
+ debugfs_create_file("alg_qos", 0644, qm->debug.debug_root,
+ qm, &qm_algqos_fops);
+- else
++ else if (test_bit(QM_SUPPORT_MB_COMMAND, &qm->caps))
+ debugfs_create_file("alg_qos", 0444, qm->debug.debug_root,
+ qm, &qm_algqos_fops);
+ }
+@@ -4731,7 +4774,7 @@ void hisi_qm_debug_init(struct hisi_qm *qm)
+ &qm_atomic64_ops);
+ }
+
+- if (qm->ver >= QM_HW_V3)
++ if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps))
+ hisi_qm_set_algqos_init(qm);
+ }
+ EXPORT_SYMBOL_GPL(hisi_qm_debug_init);
+@@ -4848,7 +4891,9 @@ int hisi_qm_sriov_disable(struct pci_dev *pdev, bool is_frozen)
+
+ pci_disable_sriov(pdev);
+ /* clear vf function shaper configure array */
+- memset(qm->factor + 1, 0, sizeof(struct qm_shaper_factor) * total_vfs);
++ if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps))
++ memset(qm->factor + 1, 0, sizeof(struct qm_shaper_factor) * total_vfs);
++
+ ret = qm_clear_vft_config(qm);
+ if (ret)
+ return ret;
+@@ -5072,8 +5117,8 @@ static int qm_try_stop_vfs(struct hisi_qm *qm, u64 cmd,
+ return 0;
+
+ /* Kunpeng930 supports to notify VFs to stop before PF reset */
+- if (qm->ops->ping_all_vfs) {
+- ret = qm->ops->ping_all_vfs(qm, cmd);
++ if (test_bit(QM_SUPPORT_MB_COMMAND, &qm->caps)) {
++ ret = qm_ping_all_vfs(qm, cmd);
+ if (ret)
+ pci_err(pdev, "failed to send cmd to all VFs before PF reset!\n");
+ } else {
+@@ -5264,8 +5309,8 @@ static int qm_try_start_vfs(struct hisi_qm *qm, enum qm_mb_cmd cmd)
+ }
+
+ /* Kunpeng930 supports to notify VFs to start after PF reset. */
+- if (qm->ops->ping_all_vfs) {
+- ret = qm->ops->ping_all_vfs(qm, cmd);
++ if (test_bit(QM_SUPPORT_MB_COMMAND, &qm->caps)) {
++ ret = qm_ping_all_vfs(qm, cmd);
+ if (ret)
+ pci_warn(pdev, "failed to send cmd to all VFs after PF reset!\n");
+ } else {
+@@ -5713,7 +5758,7 @@ static void qm_pf_reset_vf_prepare(struct hisi_qm *qm,
+ hisi_qm_set_hw_reset(qm, QM_RESET_STOP_RX_OFFSET);
+ out:
+ pci_save_state(pdev);
+- ret = qm->ops->ping_pf(qm, cmd);
++ ret = qm_ping_pf(qm, cmd);
+ if (ret)
+ dev_warn(&pdev->dev, "PF responds timeout in reset prepare!\n");
+ }
+@@ -5731,7 +5776,7 @@ static void qm_pf_reset_vf_done(struct hisi_qm *qm)
+ cmd = QM_VF_START_FAIL;
+ }
+
+- ret = qm->ops->ping_pf(qm, cmd);
++ ret = qm_ping_pf(qm, cmd);
+ if (ret)
+ dev_warn(&pdev->dev, "PF responds timeout in reset done!\n");
+
+@@ -5936,7 +5981,7 @@ static int qm_get_qp_num(struct hisi_qm *qm)
+ qm->ctrl_qp_num = readl(qm->io_base + QM_CAPBILITY) &
+ QM_QP_NUN_MASK;
+
+- if (qm->use_db_isolation)
++ if (test_bit(QM_SUPPORT_DB_ISOLATION, &qm->caps))
+ qm->max_qp_num = (readl(qm->io_base + QM_CAPBILITY) >>
+ QM_QP_MAX_NUM_SHIFT) & QM_QP_NUN_MASK;
+ else
+@@ -5952,6 +5997,39 @@ static int qm_get_qp_num(struct hisi_qm *qm)
+ return 0;
+ }
+
++static void qm_get_hw_caps(struct hisi_qm *qm)
++{
++ const struct hisi_qm_cap_info *cap_info = qm->fun_type == QM_HW_PF ?
++ qm_cap_info_pf : qm_cap_info_vf;
++ u32 size = qm->fun_type == QM_HW_PF ? ARRAY_SIZE(qm_cap_info_pf) :
++ ARRAY_SIZE(qm_cap_info_vf);
++ u32 val, i;
++
++ /* Doorbell isolate register is a independent register. */
++ val = hisi_qm_get_hw_info(qm, qm_cap_info_comm, QM_SUPPORT_DB_ISOLATION, true);
++ if (val)
++ set_bit(QM_SUPPORT_DB_ISOLATION, &qm->caps);
++
++ if (qm->ver >= QM_HW_V3) {
++ val = readl(qm->io_base + QM_FUNC_CAPS_REG);
++ qm->cap_ver = val & QM_CAPBILITY_VERSION;
++ }
++
++ /* Get PF/VF common capbility */
++ for (i = 1; i < ARRAY_SIZE(qm_cap_info_comm); i++) {
++ val = hisi_qm_get_hw_info(qm, qm_cap_info_comm, i, qm->cap_ver);
++ if (val)
++ set_bit(qm_cap_info_comm[i].type, &qm->caps);
++ }
++
++ /* Get PF/VF different capbility */
++ for (i = 0; i < size; i++) {
++ val = hisi_qm_get_hw_info(qm, cap_info, i, qm->cap_ver);
++ if (val)
++ set_bit(cap_info[i].type, &qm->caps);
++ }
++}
++
+ static int qm_get_pci_res(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+@@ -5971,16 +6049,8 @@ static int qm_get_pci_res(struct hisi_qm *qm)
+ goto err_request_mem_regions;
+ }
+
+- if (qm->ver > QM_HW_V2) {
+- if (qm->fun_type == QM_HW_PF)
+- qm->use_db_isolation = readl(qm->io_base +
+- QM_QUE_ISO_EN) & BIT(0);
+- else
+- qm->use_db_isolation = readl(qm->io_base +
+- QM_QUE_ISO_CFG_V) & BIT(0);
+- }
+-
+- if (qm->use_db_isolation) {
++ qm_get_hw_caps(qm);
++ if (test_bit(QM_SUPPORT_DB_ISOLATION, &qm->caps)) {
+ qm->db_interval = QM_QP_DB_INTERVAL;
+ qm->db_phys_base = pci_resource_start(pdev, PCI_BAR_4);
+ qm->db_io_base = ioremap(qm->db_phys_base,
+@@ -6004,7 +6074,7 @@ static int qm_get_pci_res(struct hisi_qm *qm)
+ return 0;
+
+ err_db_ioremap:
+- if (qm->use_db_isolation)
++ if (test_bit(QM_SUPPORT_DB_ISOLATION, &qm->caps))
+ iounmap(qm->db_io_base);
+ err_ioremap:
+ iounmap(qm->io_base);
+@@ -6121,12 +6191,15 @@ static int hisi_qm_memory_init(struct hisi_qm *qm)
+ int ret, total_func, i;
+ size_t off = 0;
+
+- total_func = pci_sriov_get_totalvfs(qm->pdev) + 1;
+- qm->factor = kcalloc(total_func, sizeof(struct qm_shaper_factor), GFP_KERNEL);
+- if (!qm->factor)
+- return -ENOMEM;
+- for (i = 0; i < total_func; i++)
+- qm->factor[i].func_qos = QM_QOS_MAX_VAL;
++ if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps)) {
++ total_func = pci_sriov_get_totalvfs(qm->pdev) + 1;
++ qm->factor = kcalloc(total_func, sizeof(struct qm_shaper_factor), GFP_KERNEL);
++ if (!qm->factor)
++ return -ENOMEM;
++
++ for (i = 0; i < total_func; i++)
++ qm->factor[i].func_qos = QM_QOS_MAX_VAL;
++ }
+
+ #define QM_INIT_BUF(qm, type, num) do { \
+ (qm)->type = ((qm)->qdma.va + (off)); \
+@@ -6162,7 +6235,8 @@ static int hisi_qm_memory_init(struct hisi_qm *qm)
+ dma_free_coherent(dev, qm->qdma.size, qm->qdma.va, qm->qdma.dma);
+ err_destroy_idr:
+ idr_destroy(&qm->qp_idr);
+- kfree(qm->factor);
++ if (test_bit(QM_SUPPORT_FUNC_QOS, &qm->caps))
++ kfree(qm->factor);
+
+ return ret;
+ }
+@@ -6305,7 +6379,7 @@ void hisi_qm_pm_init(struct hisi_qm *qm)
+ {
+ struct device *dev = &qm->pdev->dev;
+
+- if (qm->fun_type == QM_HW_VF || qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_RPM, &qm->caps))
+ return;
+
+ pm_runtime_set_autosuspend_delay(dev, QM_AUTOSUSPEND_DELAY);
+@@ -6324,7 +6398,7 @@ void hisi_qm_pm_uninit(struct hisi_qm *qm)
+ {
+ struct device *dev = &qm->pdev->dev;
+
+- if (qm->fun_type == QM_HW_VF || qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_RPM, &qm->caps))
+ return;
+
+ pm_runtime_get_noresume(dev);
+diff --git a/drivers/crypto/hisilicon/sec2/sec_main.c b/drivers/crypto/hisilicon/sec2/sec_main.c
+index 2c0be91c0b09..1ec3b06345fd 100644
+--- a/drivers/crypto/hisilicon/sec2/sec_main.c
++++ b/drivers/crypto/hisilicon/sec2/sec_main.c
+@@ -415,7 +415,7 @@ static void sec_open_sva_prefetch(struct hisi_qm *qm)
+ u32 val;
+ int ret;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_SVA_PREFETCH, &qm->caps))
+ return;
+
+ /* Enable prefetch */
+@@ -435,7 +435,7 @@ static void sec_close_sva_prefetch(struct hisi_qm *qm)
+ u32 val;
+ int ret;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_SVA_PREFETCH, &qm->caps))
+ return;
+
+ val = readl_relaxed(qm->io_base + SEC_PREFETCH_CFG);
+diff --git a/drivers/crypto/hisilicon/zip/zip_main.c b/drivers/crypto/hisilicon/zip/zip_main.c
+index c3303d99acac..65ed2ae8e131 100644
+--- a/drivers/crypto/hisilicon/zip/zip_main.c
++++ b/drivers/crypto/hisilicon/zip/zip_main.c
+@@ -348,7 +348,7 @@ static void hisi_zip_open_sva_prefetch(struct hisi_qm *qm)
+ u32 val;
+ int ret;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_SVA_PREFETCH, &qm->caps))
+ return;
+
+ /* Enable prefetch */
+@@ -368,7 +368,7 @@ static void hisi_zip_close_sva_prefetch(struct hisi_qm *qm)
+ u32 val;
+ int ret;
+
+- if (qm->ver < QM_HW_V3)
++ if (!test_bit(QM_SUPPORT_SVA_PREFETCH, &qm->caps))
+ return;
+
+ val = readl_relaxed(qm->io_base + HZIP_PREFETCH_CFG);
+diff --git a/include/linux/hisi_acc_qm.h b/include/linux/hisi_acc_qm.h
+index 116e8bd68c99..851c962ba473 100644
+--- a/include/linux/hisi_acc_qm.h
++++ b/include/linux/hisi_acc_qm.h
+@@ -168,6 +168,15 @@ enum qm_vf_state {
+ QM_NOT_READY,
+ };
+
++enum qm_cap_bits {
++ QM_SUPPORT_DB_ISOLATION = 0x0,
++ QM_SUPPORT_FUNC_QOS,
++ QM_SUPPORT_STOP_QP,
++ QM_SUPPORT_MB_COMMAND,
++ QM_SUPPORT_SVA_PREFETCH,
++ QM_SUPPORT_RPM,
++};
++
+ struct dfx_diff_registers {
+ u32 *regs;
+ u32 reg_offset;
+@@ -258,6 +267,18 @@ struct hisi_qm_err_ini {
+ void (*err_info_init)(struct hisi_qm *qm);
+ };
+
++struct hisi_qm_cap_info {
++ u32 type;
++ /* Register offset */
++ u32 offset;
++ /* Bit offset in register */
++ u32 shift;
++ u32 mask;
++ u32 v1_val;
++ u32 v2_val;
++ u32 v3_val;
++};
++
+ struct hisi_qm_list {
+ struct mutex lock;
+ struct list_head list;
+@@ -278,6 +299,9 @@ struct hisi_qm {
+ struct pci_dev *pdev;
+ void __iomem *io_base;
+ void __iomem *db_io_base;
++
++ /* Capbility version, 0: not supports */
++ u32 cap_ver;
+ u32 sqe_size;
+ u32 qp_base;
+ u32 qp_num;
+@@ -304,6 +328,8 @@ struct hisi_qm {
+ struct hisi_qm_err_info err_info;
+ struct hisi_qm_err_status err_status;
+ unsigned long misc_ctl; /* driver removing and reset sched */
++ /* Device capability bit */
++ unsigned long caps;
+
+ struct rw_semaphore qps_lock;
+ struct idr qp_idr;
+@@ -326,8 +352,6 @@ struct hisi_qm {
+ bool use_sva;
+ bool is_frozen;
+
+- /* doorbell isolation enable */
+- bool use_db_isolation;
+ resource_size_t phys_base;
+ resource_size_t db_phys_base;
+ struct uacce_device *uacce;
+@@ -501,6 +525,9 @@ void hisi_qm_pm_init(struct hisi_qm *qm);
+ int hisi_qm_get_dfx_access(struct hisi_qm *qm);
+ void hisi_qm_put_dfx_access(struct hisi_qm *qm);
+ void hisi_qm_regs_dump(struct seq_file *s, struct debugfs_regset32 *regset);
++u32 hisi_qm_get_hw_info(struct hisi_qm *qm,
++ const struct hisi_qm_cap_info *info_table,
++ u32 index, bool is_read);
+
+ /* Used by VFIO ACC live migration driver */
+ struct pci_driver *hisi_sec_get_pf_driver(void);
+--
+2.35.1
+
--- /dev/null
+From bd5eb3ecb30702a086a6ae4482768a7c6c015160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Oct 2022 01:17:44 +0000
+Subject: crypto: hisilicon/qm - increase the memory of local variables
+
+From: Kai Ye <yekai13@huawei.com>
+
+[ Upstream commit 3efe90af4c0c46c58dba1b306de142827153d9c0 ]
+
+Increase the buffer to prevent stack overflow by fuzz test. The maximum
+length of the qos configuration buffer is 256 bytes. Currently, the value
+of the 'val buffer' is only 32 bytes. The sscanf does not check the dest
+memory length. So the 'val buffer' may stack overflow.
+
+Signed-off-by: Kai Ye <yekai13@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/qm.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index 180589c73663..959f4846aa23 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -252,7 +252,6 @@
+ #define QM_QOS_MIN_CIR_B 100
+ #define QM_QOS_MAX_CIR_U 6
+ #define QM_QOS_MAX_CIR_S 11
+-#define QM_QOS_VAL_MAX_LEN 32
+ #define QM_DFX_BASE 0x0100000
+ #define QM_DFX_STATE1 0x0104000
+ #define QM_DFX_STATE2 0x01040C8
+@@ -4626,7 +4625,7 @@ static ssize_t qm_get_qos_value(struct hisi_qm *qm, const char *buf,
+ unsigned int *fun_index)
+ {
+ char tbuf_bdf[QM_DBG_READ_LEN] = {0};
+- char val_buf[QM_QOS_VAL_MAX_LEN] = {0};
++ char val_buf[QM_DBG_READ_LEN] = {0};
+ u32 tmp1, device, function;
+ int ret, bus;
+
+--
+2.35.1
+
--- /dev/null
+From e090d7bd37b283db6f9f689604eabb9d216391db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 19:04:31 +0800
+Subject: crypto: hisilicon/qm - re-enable communicate interrupt before
+ notifying PF
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit ee1537fe3dd89860d0336563891f6cac707d0cb5 ]
+
+After the device is reset, the VF needs to re-enable communication
+interrupt before the VF sends restart complete message to the PF.
+If the interrupt is re-enabled after the VF notifies the PF, the PF
+may fail to send messages to the VF after receiving VF's restart
+complete message.
+
+Fixes: 760fe22cf5e9 ("crypto: hisilicon/qm - update reset flow")
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/qm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index 2cfb072a218f..180589c73663 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -5776,6 +5776,7 @@ static void qm_pf_reset_vf_done(struct hisi_qm *qm)
+ cmd = QM_VF_START_FAIL;
+ }
+
++ qm_cmd_init(qm);
+ ret = qm_ping_pf(qm, cmd);
+ if (ret)
+ dev_warn(&pdev->dev, "PF responds timeout in reset done!\n");
+@@ -5837,7 +5838,6 @@ static void qm_pf_reset_vf_process(struct hisi_qm *qm,
+ goto err_get_status;
+
+ qm_pf_reset_vf_done(qm);
+- qm_cmd_init(qm);
+
+ dev_info(dev, "device reset done.\n");
+
+--
+2.35.1
+
--- /dev/null
+From 65887ea95b7ac572adc71094aec861489994cfde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 14:25:26 +0800
+Subject: crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 04ba54e5af8f8f0137b08cb51a0b3a2e1ea46c94 ]
+
+Smatch report warning as follows:
+
+drivers/crypto/img-hash.c:366 img_hash_dma_task() warn: variable
+dereferenced before check 'hdev->req'
+
+Variable dereferenced should be done after check 'hdev->req',
+fix it.
+
+Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator")
+Fixes: 10badea259fa ("crypto: img-hash - Fix null pointer exception")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/img-hash.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c
+index d8e82d69745d..9629e98bd68b 100644
+--- a/drivers/crypto/img-hash.c
++++ b/drivers/crypto/img-hash.c
+@@ -358,12 +358,16 @@ static int img_hash_dma_init(struct img_hash_dev *hdev)
+ static void img_hash_dma_task(unsigned long d)
+ {
+ struct img_hash_dev *hdev = (struct img_hash_dev *)d;
+- struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req);
++ struct img_hash_request_ctx *ctx;
+ u8 *addr;
+ size_t nbytes, bleft, wsend, len, tbc;
+ struct scatterlist tsg;
+
+- if (!hdev->req || !ctx->sg)
++ if (!hdev->req)
++ return;
++
++ ctx = ahash_request_ctx(hdev->req);
++ if (!ctx->sg)
+ return;
+
+ addr = sg_virt(ctx->sg);
+--
+2.35.1
+
--- /dev/null
+From 5480b9edfac370a2fb73d67fe6639f2fc99e18b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 13:25:05 +0300
+Subject: crypto: nitrox - avoid double free on error path in
+ nitrox_sriov_init()
+
+From: Natalia Petrova <n.petrova@fintech.ru>
+
+[ Upstream commit 094528b6a5a755b1195a01e10b13597d67d1a0e6 ]
+
+If alloc_workqueue() fails in nitrox_mbox_init() it deallocates
+ndev->iov.vfdev and returns error code, but then nitrox_sriov_init()
+calls nitrox_sriov_cleanup() where ndev->iov.vfdev is deallocated
+again.
+
+Fix this by nulling ndev->iov.vfdev after the first deallocation.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 9e5de3e06e54 ("crypto: cavium/nitrox - Add mailbox...")
+Signed-off-by: Natalia Petrova <n.petrova@fintech.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/cavium/nitrox/nitrox_mbx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/cavium/nitrox/nitrox_mbx.c b/drivers/crypto/cavium/nitrox/nitrox_mbx.c
+index 9e7308e39b30..d4e06999af9b 100644
+--- a/drivers/crypto/cavium/nitrox/nitrox_mbx.c
++++ b/drivers/crypto/cavium/nitrox/nitrox_mbx.c
+@@ -195,6 +195,7 @@ int nitrox_mbox_init(struct nitrox_device *ndev)
+ ndev->iov.pf2vf_wq = alloc_workqueue("nitrox_pf2vf", 0, 0);
+ if (!ndev->iov.pf2vf_wq) {
+ kfree(ndev->iov.vfdev);
++ ndev->iov.vfdev = NULL;
+ return -ENOMEM;
+ }
+ /* enable pf2vf mailbox interrupts */
+--
+2.35.1
+
--- /dev/null
+From 58a6b758a866bfe2b52f8765837bcb45c055182e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 14:49:40 +0800
+Subject: crypto: omap-sham - Use pm_runtime_resume_and_get() in
+ omap_sham_probe()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 7bcceb4c9896b1b672b636ae70fe75110d6bf1ad ]
+
+omap_sham_probe() calls pm_runtime_get_sync() and calls
+pm_runtime_put_sync() latter to put usage_counter. However,
+pm_runtime_get_sync() will increment usage_counter even it failed. Fix
+it by replacing it with pm_runtime_resume_and_get() to keep usage
+counter balanced.
+
+Fixes: b359f034c8bf ("crypto: omap-sham - Convert to use pm_runtime API")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/omap-sham.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c
+index 655a7f5a406a..cbeda59c6b19 100644
+--- a/drivers/crypto/omap-sham.c
++++ b/drivers/crypto/omap-sham.c
+@@ -2114,7 +2114,7 @@ static int omap_sham_probe(struct platform_device *pdev)
+
+ pm_runtime_enable(dev);
+
+- err = pm_runtime_get_sync(dev);
++ err = pm_runtime_resume_and_get(dev);
+ if (err < 0) {
+ dev_err(dev, "failed to get sync: %d\n", err);
+ goto err_pm;
+--
+2.35.1
+
--- /dev/null
+From 03fd1a02be5a379d8dd4d087be6657c77d4cb5f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:27:34 +0800
+Subject: crypto: qat - fix error return code in adf_probe
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 31f81401e23fb88cc030cd586abd28740e6c8136 ]
+
+Fix to return a negative error code -EINVAL instead of 0.
+
+Fixes: 0cec19c761e5 ("crypto: qat - add support for compression for 4xxx")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_4xxx/adf_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/qat/qat_4xxx/adf_drv.c b/drivers/crypto/qat/qat_4xxx/adf_drv.c
+index 2f212561acc4..670a58b25cb1 100644
+--- a/drivers/crypto/qat/qat_4xxx/adf_drv.c
++++ b/drivers/crypto/qat/qat_4xxx/adf_drv.c
+@@ -261,6 +261,7 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ hw_data->accel_capabilities_mask = hw_data->get_accel_cap(accel_dev);
+ if (!hw_data->accel_capabilities_mask) {
+ dev_err(&pdev->dev, "Failed to get capabilities mask.\n");
++ ret = -EINVAL;
+ goto out_err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 38e900d649e86de9ec416b69870d793646e1dbe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 07:54:45 +0000
+Subject: crypto: rockchip - add fallback for ahash
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit 816600485cb597b3ff7d6806a95a78512839f775 ]
+
+Adds a fallback for all case hardware cannot handle.
+
+Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/rockchip/rk3288_crypto_ahash.c | 38 +++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+index 49017d1fb510..16009bb0bf16 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+@@ -16,6 +16,40 @@
+ * so we put the fixed hash out when met zero message.
+ */
+
++static bool rk_ahash_need_fallback(struct ahash_request *req)
++{
++ struct scatterlist *sg;
++
++ sg = req->src;
++ while (sg) {
++ if (!IS_ALIGNED(sg->offset, sizeof(u32))) {
++ return true;
++ }
++ if (sg->length % 4) {
++ return true;
++ }
++ sg = sg_next(sg);
++ }
++ return false;
++}
++
++static int rk_ahash_digest_fb(struct ahash_request *areq)
++{
++ struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
++ struct rk_ahash_ctx *tfmctx = crypto_ahash_ctx(tfm);
++
++ ahash_request_set_tfm(&rctx->fallback_req, tfmctx->fallback_tfm);
++ rctx->fallback_req.base.flags = areq->base.flags &
++ CRYPTO_TFM_REQ_MAY_SLEEP;
++
++ rctx->fallback_req.nbytes = areq->nbytes;
++ rctx->fallback_req.src = areq->src;
++ rctx->fallback_req.result = areq->result;
++
++ return crypto_ahash_digest(&rctx->fallback_req);
++}
++
+ static int zero_message_process(struct ahash_request *req)
+ {
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+@@ -167,6 +201,9 @@ static int rk_ahash_digest(struct ahash_request *req)
+ struct rk_ahash_ctx *tctx = crypto_tfm_ctx(req->base.tfm);
+ struct rk_crypto_info *dev = tctx->dev;
+
++ if (rk_ahash_need_fallback(req))
++ return rk_ahash_digest_fb(req);
++
+ if (!req->nbytes)
+ return zero_message_process(req);
+ else
+@@ -309,6 +346,7 @@ static void rk_cra_hash_exit(struct crypto_tfm *tfm)
+ struct rk_ahash_ctx *tctx = crypto_tfm_ctx(tfm);
+
+ free_page((unsigned long)tctx->dev->addr_vir);
++ crypto_free_ahash(tctx->fallback_tfm);
+ }
+
+ struct rk_crypto_tmp rk_ahash_sha1 = {
+--
+2.35.1
+
--- /dev/null
+From b9718f5784f7f2ba332089ce7cda4804c1d5c8eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 07:54:44 +0000
+Subject: crypto: rockchip - add fallback for cipher
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit 68ef8af09a1a912a5ed2cfaa4cca7606f52cef90 ]
+
+The hardware does not handle 0 size length request, let's add a
+fallback.
+Furthermore fallback will be used for all unaligned case the hardware
+cannot handle.
+
+Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/Kconfig | 4 +
+ drivers/crypto/rockchip/rk3288_crypto.h | 2 +
+ .../crypto/rockchip/rk3288_crypto_skcipher.c | 97 ++++++++++++++++---
+ 3 files changed, 90 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
+index 3e6aa319920b..3080bd3d8cbb 100644
+--- a/drivers/crypto/Kconfig
++++ b/drivers/crypto/Kconfig
+@@ -669,6 +669,10 @@ config CRYPTO_DEV_IMGTEC_HASH
+ config CRYPTO_DEV_ROCKCHIP
+ tristate "Rockchip's Cryptographic Engine driver"
+ depends on OF && ARCH_ROCKCHIP
++ depends on PM
++ select CRYPTO_ECB
++ select CRYPTO_CBC
++ select CRYPTO_DES
+ select CRYPTO_AES
+ select CRYPTO_LIB_DES
+ select CRYPTO_MD5
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
+index 3e60e3dca1b5..dfff0e2a83e4 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -246,10 +246,12 @@ struct rk_cipher_ctx {
+ struct rk_crypto_info *dev;
+ unsigned int keylen;
+ u8 iv[AES_BLOCK_SIZE];
++ struct crypto_skcipher *fallback_tfm;
+ };
+
+ struct rk_cipher_rctx {
+ u32 mode;
++ struct skcipher_request fallback_req; // keep at the end
+ };
+
+ enum alg_type {
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+index bbd0bf52bf07..eac5bba66e25 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+@@ -13,6 +13,63 @@
+
+ #define RK_CRYPTO_DEC BIT(0)
+
++static int rk_cipher_need_fallback(struct skcipher_request *req)
++{
++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
++ unsigned int bs = crypto_skcipher_blocksize(tfm);
++ struct scatterlist *sgs, *sgd;
++ unsigned int stodo, dtodo, len;
++
++ if (!req->cryptlen)
++ return true;
++
++ len = req->cryptlen;
++ sgs = req->src;
++ sgd = req->dst;
++ while (sgs && sgd) {
++ if (!IS_ALIGNED(sgs->offset, sizeof(u32))) {
++ return true;
++ }
++ if (!IS_ALIGNED(sgd->offset, sizeof(u32))) {
++ return true;
++ }
++ stodo = min(len, sgs->length);
++ if (stodo % bs) {
++ return true;
++ }
++ dtodo = min(len, sgd->length);
++ if (dtodo % bs) {
++ return true;
++ }
++ if (stodo != dtodo) {
++ return true;
++ }
++ len -= stodo;
++ sgs = sg_next(sgs);
++ sgd = sg_next(sgd);
++ }
++ return false;
++}
++
++static int rk_cipher_fallback(struct skcipher_request *areq)
++{
++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(areq);
++ struct rk_cipher_ctx *op = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(areq);
++ int err;
++
++ skcipher_request_set_tfm(&rctx->fallback_req, op->fallback_tfm);
++ skcipher_request_set_callback(&rctx->fallback_req, areq->base.flags,
++ areq->base.complete, areq->base.data);
++ skcipher_request_set_crypt(&rctx->fallback_req, areq->src, areq->dst,
++ areq->cryptlen, areq->iv);
++ if (rctx->mode & RK_CRYPTO_DEC)
++ err = crypto_skcipher_decrypt(&rctx->fallback_req);
++ else
++ err = crypto_skcipher_encrypt(&rctx->fallback_req);
++ return err;
++}
++
+ static void rk_crypto_complete(struct crypto_async_request *base, int err)
+ {
+ if (base->complete)
+@@ -22,10 +79,10 @@ static void rk_crypto_complete(struct crypto_async_request *base, int err)
+ static int rk_handle_req(struct rk_crypto_info *dev,
+ struct skcipher_request *req)
+ {
+- if (!IS_ALIGNED(req->cryptlen, dev->align_size))
+- return -EINVAL;
+- else
+- return dev->enqueue(dev, &req->base);
++ if (rk_cipher_need_fallback(req))
++ return rk_cipher_fallback(req);
++
++ return dev->enqueue(dev, &req->base);
+ }
+
+ static int rk_aes_setkey(struct crypto_skcipher *cipher,
+@@ -39,7 +96,8 @@ static int rk_aes_setkey(struct crypto_skcipher *cipher,
+ return -EINVAL;
+ ctx->keylen = keylen;
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_KEY_0, key, keylen);
+- return 0;
++
++ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
+ }
+
+ static int rk_des_setkey(struct crypto_skcipher *cipher,
+@@ -54,7 +112,8 @@ static int rk_des_setkey(struct crypto_skcipher *cipher,
+
+ ctx->keylen = keylen;
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, key, keylen);
+- return 0;
++
++ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
+ }
+
+ static int rk_tdes_setkey(struct crypto_skcipher *cipher,
+@@ -69,7 +128,7 @@ static int rk_tdes_setkey(struct crypto_skcipher *cipher,
+
+ ctx->keylen = keylen;
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, key, keylen);
+- return 0;
++ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
+ }
+
+ static int rk_aes_ecb_encrypt(struct skcipher_request *req)
+@@ -394,6 +453,7 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
+ {
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
++ const char *name = crypto_tfm_alg_name(&tfm->base);
+ struct rk_crypto_tmp *algt;
+
+ algt = container_of(alg, struct rk_crypto_tmp, alg.skcipher);
+@@ -407,6 +467,16 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
+ if (!ctx->dev->addr_vir)
+ return -ENOMEM;
+
++ ctx->fallback_tfm = crypto_alloc_skcipher(name, 0, CRYPTO_ALG_NEED_FALLBACK);
++ if (IS_ERR(ctx->fallback_tfm)) {
++ dev_err(ctx->dev->dev, "ERROR: Cannot allocate fallback for %s %ld\n",
++ name, PTR_ERR(ctx->fallback_tfm));
++ return PTR_ERR(ctx->fallback_tfm);
++ }
++
++ tfm->reqsize = sizeof(struct rk_cipher_rctx) +
++ crypto_skcipher_reqsize(ctx->fallback_tfm);
++
+ return 0;
+ }
+
+@@ -415,6 +485,7 @@ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+
+ free_page((unsigned long)ctx->dev->addr_vir);
++ crypto_free_skcipher(ctx->fallback_tfm);
+ }
+
+ struct rk_crypto_tmp rk_ecb_aes_alg = {
+@@ -423,7 +494,7 @@ struct rk_crypto_tmp rk_ecb_aes_alg = {
+ .base.cra_name = "ecb(aes)",
+ .base.cra_driver_name = "ecb-aes-rk",
+ .base.cra_priority = 300,
+- .base.cra_flags = CRYPTO_ALG_ASYNC,
++ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
+ .base.cra_blocksize = AES_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
+ .base.cra_alignmask = 0x0f,
+@@ -445,7 +516,7 @@ struct rk_crypto_tmp rk_cbc_aes_alg = {
+ .base.cra_name = "cbc(aes)",
+ .base.cra_driver_name = "cbc-aes-rk",
+ .base.cra_priority = 300,
+- .base.cra_flags = CRYPTO_ALG_ASYNC,
++ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
+ .base.cra_blocksize = AES_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
+ .base.cra_alignmask = 0x0f,
+@@ -468,7 +539,7 @@ struct rk_crypto_tmp rk_ecb_des_alg = {
+ .base.cra_name = "ecb(des)",
+ .base.cra_driver_name = "ecb-des-rk",
+ .base.cra_priority = 300,
+- .base.cra_flags = CRYPTO_ALG_ASYNC,
++ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
+ .base.cra_blocksize = DES_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
+ .base.cra_alignmask = 0x07,
+@@ -490,7 +561,7 @@ struct rk_crypto_tmp rk_cbc_des_alg = {
+ .base.cra_name = "cbc(des)",
+ .base.cra_driver_name = "cbc-des-rk",
+ .base.cra_priority = 300,
+- .base.cra_flags = CRYPTO_ALG_ASYNC,
++ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
+ .base.cra_blocksize = DES_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
+ .base.cra_alignmask = 0x07,
+@@ -513,7 +584,7 @@ struct rk_crypto_tmp rk_ecb_des3_ede_alg = {
+ .base.cra_name = "ecb(des3_ede)",
+ .base.cra_driver_name = "ecb-des3-ede-rk",
+ .base.cra_priority = 300,
+- .base.cra_flags = CRYPTO_ALG_ASYNC,
++ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
+ .base.cra_blocksize = DES_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
+ .base.cra_alignmask = 0x07,
+@@ -535,7 +606,7 @@ struct rk_crypto_tmp rk_cbc_des3_ede_alg = {
+ .base.cra_name = "cbc(des3_ede)",
+ .base.cra_driver_name = "cbc-des3-ede-rk",
+ .base.cra_priority = 300,
+- .base.cra_flags = CRYPTO_ALG_ASYNC,
++ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
+ .base.cra_blocksize = DES_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
+ .base.cra_alignmask = 0x07,
+--
+2.35.1
+
--- /dev/null
+From 18b08e5da621cc436ed1e49060a885aa41add368 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 07:54:46 +0000
+Subject: crypto: rockchip - better handle cipher key
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit d6b23ccef82816050c2fd458c9dabfa0e0af09b9 ]
+
+The key should not be set in hardware too much in advance, this will
+fail it 2 TFM with different keys generate alternative requests.
+The key should be stored and used just before doing cipher operations.
+
+Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/rockchip/rk3288_crypto.h | 1 +
+ drivers/crypto/rockchip/rk3288_crypto_skcipher.c | 10 +++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
+index dfff0e2a83e4..665cc0bb2264 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -245,6 +245,7 @@ struct rk_ahash_rctx {
+ struct rk_cipher_ctx {
+ struct rk_crypto_info *dev;
+ unsigned int keylen;
++ u8 key[AES_MAX_KEY_SIZE];
+ u8 iv[AES_BLOCK_SIZE];
+ struct crypto_skcipher *fallback_tfm;
+ };
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+index eac5bba66e25..1ef94f8db2c5 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+@@ -95,7 +95,7 @@ static int rk_aes_setkey(struct crypto_skcipher *cipher,
+ keylen != AES_KEYSIZE_256)
+ return -EINVAL;
+ ctx->keylen = keylen;
+- memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_KEY_0, key, keylen);
++ memcpy(ctx->key, key, keylen);
+
+ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
+ }
+@@ -111,7 +111,7 @@ static int rk_des_setkey(struct crypto_skcipher *cipher,
+ return err;
+
+ ctx->keylen = keylen;
+- memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, key, keylen);
++ memcpy(ctx->key, key, keylen);
+
+ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
+ }
+@@ -127,7 +127,8 @@ static int rk_tdes_setkey(struct crypto_skcipher *cipher,
+ return err;
+
+ ctx->keylen = keylen;
+- memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, key, keylen);
++ memcpy(ctx->key, key, keylen);
++
+ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
+ }
+
+@@ -283,6 +284,7 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
+ RK_CRYPTO_TDES_BYTESWAP_IV;
+ CRYPTO_WRITE(dev, RK_CRYPTO_TDES_CTRL, rctx->mode);
+ memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, req->iv, ivsize);
++ memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, ctx->key, ctx->keylen);
+ conf_reg = RK_CRYPTO_DESSEL;
+ } else {
+ rctx->mode |= RK_CRYPTO_AES_FIFO_MODE |
+@@ -295,6 +297,7 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
+ rctx->mode |= RK_CRYPTO_AES_256BIT_key;
+ CRYPTO_WRITE(dev, RK_CRYPTO_AES_CTRL, rctx->mode);
+ memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, req->iv, ivsize);
++ memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_KEY_0, ctx->key, ctx->keylen);
+ }
+ conf_reg |= RK_CRYPTO_BYTESWAP_BTFIFO |
+ RK_CRYPTO_BYTESWAP_BRFIFO;
+@@ -484,6 +487,7 @@ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
+ {
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+
++ memzero_explicit(ctx->key, ctx->keylen);
+ free_page((unsigned long)ctx->dev->addr_vir);
+ crypto_free_skcipher(ctx->fallback_tfm);
+ }
+--
+2.35.1
+
--- /dev/null
+From 1ee3286890c3cc08acfe031db7864897ac478860 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 07:54:41 +0000
+Subject: crypto: rockchip - do not do custom power management
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit c50ef1411c8cbad0c7db100c477126076b6e3348 ]
+
+The clock enable/disable at tfm init/exit is fragile,
+if 2 tfm are init in the same time and one is removed just after,
+it will leave the hardware uncloked even if a user remains.
+
+Instead simply enable clocks at probe time.
+We will do PM later.
+
+Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/rockchip/rk3288_crypto.c | 4 ++--
+ drivers/crypto/rockchip/rk3288_crypto.h | 2 --
+ drivers/crypto/rockchip/rk3288_crypto_ahash.c | 3 +--
+ drivers/crypto/rockchip/rk3288_crypto_skcipher.c | 5 +++--
+ 4 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.c b/drivers/crypto/rockchip/rk3288_crypto.c
+index 35d73061d156..5f8444b9633a 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.c
++++ b/drivers/crypto/rockchip/rk3288_crypto.c
+@@ -395,8 +395,7 @@ static int rk_crypto_probe(struct platform_device *pdev)
+ rk_crypto_done_task_cb, (unsigned long)crypto_info);
+ crypto_init_queue(&crypto_info->queue, 50);
+
+- crypto_info->enable_clk = rk_crypto_enable_clk;
+- crypto_info->disable_clk = rk_crypto_disable_clk;
++ rk_crypto_enable_clk(crypto_info);
+ crypto_info->load_data = rk_load_data;
+ crypto_info->unload_data = rk_unload_data;
+ crypto_info->enqueue = rk_crypto_enqueue;
+@@ -423,6 +422,7 @@ static int rk_crypto_remove(struct platform_device *pdev)
+ struct rk_crypto_info *crypto_tmp = platform_get_drvdata(pdev);
+
+ rk_crypto_unregister();
++ rk_crypto_disable_clk(crypto_tmp);
+ tasklet_kill(&crypto_tmp->done_task);
+ tasklet_kill(&crypto_tmp->queue_task);
+ return 0;
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
+index 97278c2574ff..2fa7131e4060 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -220,8 +220,6 @@ struct rk_crypto_info {
+ int (*start)(struct rk_crypto_info *dev);
+ int (*update)(struct rk_crypto_info *dev);
+ void (*complete)(struct crypto_async_request *base, int err);
+- int (*enable_clk)(struct rk_crypto_info *dev);
+- void (*disable_clk)(struct rk_crypto_info *dev);
+ int (*load_data)(struct rk_crypto_info *dev,
+ struct scatterlist *sg_src,
+ struct scatterlist *sg_dst);
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+index ed03058497bc..49017d1fb510 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+@@ -301,7 +301,7 @@ static int rk_cra_hash_init(struct crypto_tfm *tfm)
+ sizeof(struct rk_ahash_rctx) +
+ crypto_ahash_reqsize(tctx->fallback_tfm));
+
+- return tctx->dev->enable_clk(tctx->dev);
++ return 0;
+ }
+
+ static void rk_cra_hash_exit(struct crypto_tfm *tfm)
+@@ -309,7 +309,6 @@ static void rk_cra_hash_exit(struct crypto_tfm *tfm)
+ struct rk_ahash_ctx *tctx = crypto_tfm_ctx(tfm);
+
+ free_page((unsigned long)tctx->dev->addr_vir);
+- return tctx->dev->disable_clk(tctx->dev);
+ }
+
+ struct rk_crypto_tmp rk_ahash_sha1 = {
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+index 5bbf0d2722e1..8c44a19eab75 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+@@ -388,8 +388,10 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
+ ctx->dev->update = rk_ablk_rx;
+ ctx->dev->complete = rk_crypto_complete;
+ ctx->dev->addr_vir = (char *)__get_free_page(GFP_KERNEL);
++ if (!ctx->dev->addr_vir)
++ return -ENOMEM;
+
+- return ctx->dev->addr_vir ? ctx->dev->enable_clk(ctx->dev) : -ENOMEM;
++ return 0;
+ }
+
+ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
+@@ -397,7 +399,6 @@ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+
+ free_page((unsigned long)ctx->dev->addr_vir);
+- ctx->dev->disable_clk(ctx->dev);
+ }
+
+ struct rk_crypto_tmp rk_ecb_aes_alg = {
+--
+2.35.1
+
--- /dev/null
+From c56e92134449c4c8dac79c7c072365e3d60544f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 07:54:43 +0000
+Subject: crypto: rockchip - do not store mode globally
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit 87e356c4966444866186f68f05832fdcc0f351a3 ]
+
+Storing the mode globally does not work if 2 requests are handled in the
+same time.
+We should store it in a request context.
+
+Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/rockchip/rk3288_crypto.h | 5 +-
+ .../crypto/rockchip/rk3288_crypto_skcipher.c | 58 ++++++++++++-------
+ 2 files changed, 41 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
+index 2fa7131e4060..3e60e3dca1b5 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -245,10 +245,13 @@ struct rk_ahash_rctx {
+ struct rk_cipher_ctx {
+ struct rk_crypto_info *dev;
+ unsigned int keylen;
+- u32 mode;
+ u8 iv[AES_BLOCK_SIZE];
+ };
+
++struct rk_cipher_rctx {
++ u32 mode;
++};
++
+ enum alg_type {
+ ALG_TYPE_HASH,
+ ALG_TYPE_CIPHER,
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+index 8c44a19eab75..bbd0bf52bf07 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+@@ -76,9 +76,10 @@ static int rk_aes_ecb_encrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_AES_ECB_MODE;
++ rctx->mode = RK_CRYPTO_AES_ECB_MODE;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -86,9 +87,10 @@ static int rk_aes_ecb_decrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_AES_ECB_MODE | RK_CRYPTO_DEC;
++ rctx->mode = RK_CRYPTO_AES_ECB_MODE | RK_CRYPTO_DEC;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -96,9 +98,10 @@ static int rk_aes_cbc_encrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_AES_CBC_MODE;
++ rctx->mode = RK_CRYPTO_AES_CBC_MODE;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -106,9 +109,10 @@ static int rk_aes_cbc_decrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_AES_CBC_MODE | RK_CRYPTO_DEC;
++ rctx->mode = RK_CRYPTO_AES_CBC_MODE | RK_CRYPTO_DEC;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -116,9 +120,10 @@ static int rk_des_ecb_encrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = 0;
++ rctx->mode = 0;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -126,9 +131,10 @@ static int rk_des_ecb_decrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_DEC;
++ rctx->mode = RK_CRYPTO_DEC;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -136,9 +142,10 @@ static int rk_des_cbc_encrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_TDES_CHAINMODE_CBC;
++ rctx->mode = RK_CRYPTO_TDES_CHAINMODE_CBC;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -146,9 +153,10 @@ static int rk_des_cbc_decrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_TDES_CHAINMODE_CBC | RK_CRYPTO_DEC;
++ rctx->mode = RK_CRYPTO_TDES_CHAINMODE_CBC | RK_CRYPTO_DEC;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -156,9 +164,10 @@ static int rk_des3_ede_ecb_encrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_TDES_SELECT;
++ rctx->mode = RK_CRYPTO_TDES_SELECT;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -166,9 +175,10 @@ static int rk_des3_ede_ecb_decrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_DEC;
++ rctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_DEC;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -176,9 +186,10 @@ static int rk_des3_ede_cbc_encrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_TDES_CHAINMODE_CBC;
++ rctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_TDES_CHAINMODE_CBC;
+ return rk_handle_req(dev, req);
+ }
+
+@@ -186,9 +197,10 @@ static int rk_des3_ede_cbc_decrypt(struct skcipher_request *req)
+ {
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_crypto_info *dev = ctx->dev;
+
+- ctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_TDES_CHAINMODE_CBC |
++ rctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_TDES_CHAINMODE_CBC |
+ RK_CRYPTO_DEC;
+ return rk_handle_req(dev, req);
+ }
+@@ -199,6 +211,7 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
+ skcipher_request_cast(dev->async_req);
+ struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
+ struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(cipher);
+ u32 ivsize, block, conf_reg = 0;
+
+@@ -206,22 +219,22 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
+ ivsize = crypto_skcipher_ivsize(cipher);
+
+ if (block == DES_BLOCK_SIZE) {
+- ctx->mode |= RK_CRYPTO_TDES_FIFO_MODE |
++ rctx->mode |= RK_CRYPTO_TDES_FIFO_MODE |
+ RK_CRYPTO_TDES_BYTESWAP_KEY |
+ RK_CRYPTO_TDES_BYTESWAP_IV;
+- CRYPTO_WRITE(dev, RK_CRYPTO_TDES_CTRL, ctx->mode);
++ CRYPTO_WRITE(dev, RK_CRYPTO_TDES_CTRL, rctx->mode);
+ memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, req->iv, ivsize);
+ conf_reg = RK_CRYPTO_DESSEL;
+ } else {
+- ctx->mode |= RK_CRYPTO_AES_FIFO_MODE |
++ rctx->mode |= RK_CRYPTO_AES_FIFO_MODE |
+ RK_CRYPTO_AES_KEY_CHANGE |
+ RK_CRYPTO_AES_BYTESWAP_KEY |
+ RK_CRYPTO_AES_BYTESWAP_IV;
+ if (ctx->keylen == AES_KEYSIZE_192)
+- ctx->mode |= RK_CRYPTO_AES_192BIT_key;
++ rctx->mode |= RK_CRYPTO_AES_192BIT_key;
+ else if (ctx->keylen == AES_KEYSIZE_256)
+- ctx->mode |= RK_CRYPTO_AES_256BIT_key;
+- CRYPTO_WRITE(dev, RK_CRYPTO_AES_CTRL, ctx->mode);
++ rctx->mode |= RK_CRYPTO_AES_256BIT_key;
++ CRYPTO_WRITE(dev, RK_CRYPTO_AES_CTRL, rctx->mode);
+ memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, req->iv, ivsize);
+ }
+ conf_reg |= RK_CRYPTO_BYTESWAP_BTFIFO |
+@@ -246,6 +259,7 @@ static int rk_set_data_start(struct rk_crypto_info *dev)
+ struct skcipher_request *req =
+ skcipher_request_cast(dev->async_req);
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ u32 ivsize = crypto_skcipher_ivsize(tfm);
+ u8 *src_last_blk = page_address(sg_page(dev->sg_src)) +
+@@ -254,7 +268,7 @@ static int rk_set_data_start(struct rk_crypto_info *dev)
+ /* Store the iv that need to be updated in chain mode.
+ * And update the IV buffer to contain the next IV for decryption mode.
+ */
+- if (ctx->mode & RK_CRYPTO_DEC) {
++ if (rctx->mode & RK_CRYPTO_DEC) {
+ memcpy(ctx->iv, src_last_blk, ivsize);
+ sg_pcopy_to_buffer(dev->first, dev->src_nents, req->iv,
+ ivsize, dev->total - ivsize);
+@@ -294,11 +308,12 @@ static void rk_iv_copyback(struct rk_crypto_info *dev)
+ struct skcipher_request *req =
+ skcipher_request_cast(dev->async_req);
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ u32 ivsize = crypto_skcipher_ivsize(tfm);
+
+ /* Update the IV buffer to contain the next IV for encryption mode. */
+- if (!(ctx->mode & RK_CRYPTO_DEC)) {
++ if (!(rctx->mode & RK_CRYPTO_DEC)) {
+ if (dev->aligned) {
+ memcpy(req->iv, sg_virt(dev->sg_dst) +
+ dev->sg_dst->length - ivsize, ivsize);
+@@ -314,11 +329,12 @@ static void rk_update_iv(struct rk_crypto_info *dev)
+ struct skcipher_request *req =
+ skcipher_request_cast(dev->async_req);
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ u32 ivsize = crypto_skcipher_ivsize(tfm);
+ u8 *new_iv = NULL;
+
+- if (ctx->mode & RK_CRYPTO_DEC) {
++ if (rctx->mode & RK_CRYPTO_DEC) {
+ new_iv = ctx->iv;
+ } else {
+ new_iv = page_address(sg_page(dev->sg_dst)) +
+--
+2.35.1
+
--- /dev/null
+From d35120c86007bd2d03f0ade37bb53161bc8ce15f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 07:54:47 +0000
+Subject: crypto: rockchip - remove non-aligned handling
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit bb3c7b73363c9a149b12b74c44ae94b73a8fddf8 ]
+
+Now driver have fallback for un-aligned cases, remove all code handling
+those cases.
+
+Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/rockchip/rk3288_crypto.c | 69 +++++--------------
+ drivers/crypto/rockchip/rk3288_crypto.h | 4 --
+ drivers/crypto/rockchip/rk3288_crypto_ahash.c | 22 ++----
+ .../crypto/rockchip/rk3288_crypto_skcipher.c | 39 +++--------
+ 4 files changed, 31 insertions(+), 103 deletions(-)
+
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.c b/drivers/crypto/rockchip/rk3288_crypto.c
+index 5f8444b9633a..31453257ab11 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.c
++++ b/drivers/crypto/rockchip/rk3288_crypto.c
+@@ -88,63 +88,26 @@ static int rk_load_data(struct rk_crypto_info *dev,
+ {
+ unsigned int count;
+
+- dev->aligned = dev->aligned ?
+- check_alignment(sg_src, sg_dst, dev->align_size) :
+- dev->aligned;
+- if (dev->aligned) {
+- count = min(dev->left_bytes, sg_src->length);
+- dev->left_bytes -= count;
+-
+- if (!dma_map_sg(dev->dev, sg_src, 1, DMA_TO_DEVICE)) {
+- dev_err(dev->dev, "[%s:%d] dma_map_sg(src) error\n",
++ count = min(dev->left_bytes, sg_src->length);
++ dev->left_bytes -= count;
++
++ if (!dma_map_sg(dev->dev, sg_src, 1, DMA_TO_DEVICE)) {
++ dev_err(dev->dev, "[%s:%d] dma_map_sg(src) error\n",
+ __func__, __LINE__);
+- return -EINVAL;
+- }
+- dev->addr_in = sg_dma_address(sg_src);
++ return -EINVAL;
++ }
++ dev->addr_in = sg_dma_address(sg_src);
+
+- if (sg_dst) {
+- if (!dma_map_sg(dev->dev, sg_dst, 1, DMA_FROM_DEVICE)) {
+- dev_err(dev->dev,
++ if (sg_dst) {
++ if (!dma_map_sg(dev->dev, sg_dst, 1, DMA_FROM_DEVICE)) {
++ dev_err(dev->dev,
+ "[%s:%d] dma_map_sg(dst) error\n",
+ __func__, __LINE__);
+- dma_unmap_sg(dev->dev, sg_src, 1,
+- DMA_TO_DEVICE);
+- return -EINVAL;
+- }
+- dev->addr_out = sg_dma_address(sg_dst);
+- }
+- } else {
+- count = (dev->left_bytes > PAGE_SIZE) ?
+- PAGE_SIZE : dev->left_bytes;
+-
+- if (!sg_pcopy_to_buffer(dev->first, dev->src_nents,
+- dev->addr_vir, count,
+- dev->total - dev->left_bytes)) {
+- dev_err(dev->dev, "[%s:%d] pcopy err\n",
+- __func__, __LINE__);
++ dma_unmap_sg(dev->dev, sg_src, 1,
++ DMA_TO_DEVICE);
+ return -EINVAL;
+ }
+- dev->left_bytes -= count;
+- sg_init_one(&dev->sg_tmp, dev->addr_vir, count);
+- if (!dma_map_sg(dev->dev, &dev->sg_tmp, 1, DMA_TO_DEVICE)) {
+- dev_err(dev->dev, "[%s:%d] dma_map_sg(sg_tmp) error\n",
+- __func__, __LINE__);
+- return -ENOMEM;
+- }
+- dev->addr_in = sg_dma_address(&dev->sg_tmp);
+-
+- if (sg_dst) {
+- if (!dma_map_sg(dev->dev, &dev->sg_tmp, 1,
+- DMA_FROM_DEVICE)) {
+- dev_err(dev->dev,
+- "[%s:%d] dma_map_sg(sg_tmp) error\n",
+- __func__, __LINE__);
+- dma_unmap_sg(dev->dev, &dev->sg_tmp, 1,
+- DMA_TO_DEVICE);
+- return -ENOMEM;
+- }
+- dev->addr_out = sg_dma_address(&dev->sg_tmp);
+- }
++ dev->addr_out = sg_dma_address(sg_dst);
+ }
+ dev->count = count;
+ return 0;
+@@ -154,11 +117,11 @@ static void rk_unload_data(struct rk_crypto_info *dev)
+ {
+ struct scatterlist *sg_in, *sg_out;
+
+- sg_in = dev->aligned ? dev->sg_src : &dev->sg_tmp;
++ sg_in = dev->sg_src;
+ dma_unmap_sg(dev->dev, sg_in, 1, DMA_TO_DEVICE);
+
+ if (dev->sg_dst) {
+- sg_out = dev->aligned ? dev->sg_dst : &dev->sg_tmp;
++ sg_out = dev->sg_dst;
+ dma_unmap_sg(dev->dev, sg_out, 1, DMA_FROM_DEVICE);
+ }
+ }
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
+index 665cc0bb2264..df4db59fa13e 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -204,12 +204,8 @@ struct rk_crypto_info {
+ /* the public variable */
+ struct scatterlist *sg_src;
+ struct scatterlist *sg_dst;
+- struct scatterlist sg_tmp;
+ struct scatterlist *first;
+ unsigned int left_bytes;
+- void *addr_vir;
+- int aligned;
+- int align_size;
+ size_t src_nents;
+ size_t dst_nents;
+ unsigned int total;
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+index 16009bb0bf16..c762e462eb57 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+@@ -236,8 +236,6 @@ static int rk_ahash_start(struct rk_crypto_info *dev)
+
+ dev->total = req->nbytes;
+ dev->left_bytes = req->nbytes;
+- dev->aligned = 0;
+- dev->align_size = 4;
+ dev->sg_dst = NULL;
+ dev->sg_src = req->src;
+ dev->first = req->src;
+@@ -272,15 +270,13 @@ static int rk_ahash_crypto_rx(struct rk_crypto_info *dev)
+
+ dev->unload_data(dev);
+ if (dev->left_bytes) {
+- if (dev->aligned) {
+- if (sg_is_last(dev->sg_src)) {
+- dev_warn(dev->dev, "[%s:%d], Lack of data\n",
+- __func__, __LINE__);
+- err = -ENOMEM;
+- goto out_rx;
+- }
+- dev->sg_src = sg_next(dev->sg_src);
++ if (sg_is_last(dev->sg_src)) {
++ dev_warn(dev->dev, "[%s:%d], Lack of data\n",
++ __func__, __LINE__);
++ err = -ENOMEM;
++ goto out_rx;
+ }
++ dev->sg_src = sg_next(dev->sg_src);
+ err = rk_ahash_set_data_start(dev);
+ } else {
+ /*
+@@ -318,11 +314,6 @@ static int rk_cra_hash_init(struct crypto_tfm *tfm)
+ algt = container_of(alg, struct rk_crypto_tmp, alg.hash);
+
+ tctx->dev = algt->dev;
+- tctx->dev->addr_vir = (void *)__get_free_page(GFP_KERNEL);
+- if (!tctx->dev->addr_vir) {
+- dev_err(tctx->dev->dev, "failed to kmalloc for addr_vir\n");
+- return -ENOMEM;
+- }
+ tctx->dev->start = rk_ahash_start;
+ tctx->dev->update = rk_ahash_crypto_rx;
+ tctx->dev->complete = rk_ahash_crypto_complete;
+@@ -345,7 +336,6 @@ static void rk_cra_hash_exit(struct crypto_tfm *tfm)
+ {
+ struct rk_ahash_ctx *tctx = crypto_tfm_ctx(tfm);
+
+- free_page((unsigned long)tctx->dev->addr_vir);
+ crypto_free_ahash(tctx->fallback_tfm);
+ }
+
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+index 1ef94f8db2c5..d067b7f09165 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+@@ -356,7 +356,6 @@ static int rk_ablk_start(struct rk_crypto_info *dev)
+ dev->src_nents = sg_nents(req->src);
+ dev->sg_dst = req->dst;
+ dev->dst_nents = sg_nents(req->dst);
+- dev->aligned = 1;
+
+ spin_lock_irqsave(&dev->lock, flags);
+ rk_ablk_hw_init(dev);
+@@ -376,13 +375,9 @@ static void rk_iv_copyback(struct rk_crypto_info *dev)
+
+ /* Update the IV buffer to contain the next IV for encryption mode. */
+ if (!(rctx->mode & RK_CRYPTO_DEC)) {
+- if (dev->aligned) {
+- memcpy(req->iv, sg_virt(dev->sg_dst) +
+- dev->sg_dst->length - ivsize, ivsize);
+- } else {
+- memcpy(req->iv, dev->addr_vir +
+- dev->count - ivsize, ivsize);
+- }
++ memcpy(req->iv,
++ sg_virt(dev->sg_dst) + dev->sg_dst->length - ivsize,
++ ivsize);
+ }
+ }
+
+@@ -420,27 +415,16 @@ static int rk_ablk_rx(struct rk_crypto_info *dev)
+ skcipher_request_cast(dev->async_req);
+
+ dev->unload_data(dev);
+- if (!dev->aligned) {
+- if (!sg_pcopy_from_buffer(req->dst, dev->dst_nents,
+- dev->addr_vir, dev->count,
+- dev->total - dev->left_bytes -
+- dev->count)) {
+- err = -EINVAL;
+- goto out_rx;
+- }
+- }
+ if (dev->left_bytes) {
+ rk_update_iv(dev);
+- if (dev->aligned) {
+- if (sg_is_last(dev->sg_src)) {
+- dev_err(dev->dev, "[%s:%d] Lack of data\n",
++ if (sg_is_last(dev->sg_src)) {
++ dev_err(dev->dev, "[%s:%d] Lack of data\n",
+ __func__, __LINE__);
+- err = -ENOMEM;
+- goto out_rx;
+- }
+- dev->sg_src = sg_next(dev->sg_src);
+- dev->sg_dst = sg_next(dev->sg_dst);
++ err = -ENOMEM;
++ goto out_rx;
+ }
++ dev->sg_src = sg_next(dev->sg_src);
++ dev->sg_dst = sg_next(dev->sg_dst);
+ err = rk_set_data_start(dev);
+ } else {
+ rk_iv_copyback(dev);
+@@ -462,13 +446,9 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
+ algt = container_of(alg, struct rk_crypto_tmp, alg.skcipher);
+
+ ctx->dev = algt->dev;
+- ctx->dev->align_size = crypto_tfm_alg_alignmask(crypto_skcipher_tfm(tfm)) + 1;
+ ctx->dev->start = rk_ablk_start;
+ ctx->dev->update = rk_ablk_rx;
+ ctx->dev->complete = rk_crypto_complete;
+- ctx->dev->addr_vir = (char *)__get_free_page(GFP_KERNEL);
+- if (!ctx->dev->addr_vir)
+- return -ENOMEM;
+
+ ctx->fallback_tfm = crypto_alloc_skcipher(name, 0, CRYPTO_ALG_NEED_FALLBACK);
+ if (IS_ERR(ctx->fallback_tfm)) {
+@@ -488,7 +468,6 @@ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+
+ memzero_explicit(ctx->key, ctx->keylen);
+- free_page((unsigned long)ctx->dev->addr_vir);
+ crypto_free_skcipher(ctx->fallback_tfm);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 79bc0fbc0d8bd96bf9bf2558ef2dfd9d5e273ca0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 07:54:48 +0000
+Subject: crypto: rockchip - rework by using crypto_engine
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit 57d67c6e8219b2a034c16d6149e30fb40fd39935 ]
+
+Instead of doing manual queue management, let's use the crypto/engine
+for that.
+In the same time, rework the requests handling to be easier to
+understand (and fix all bugs related to them).
+
+Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/Kconfig | 1 +
+ drivers/crypto/rockchip/rk3288_crypto.c | 152 +----------
+ drivers/crypto/rockchip/rk3288_crypto.h | 39 +--
+ drivers/crypto/rockchip/rk3288_crypto_ahash.c | 144 +++++-----
+ .../crypto/rockchip/rk3288_crypto_skcipher.c | 250 +++++++++---------
+ 5 files changed, 221 insertions(+), 365 deletions(-)
+
+diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
+index 3080bd3d8cbb..79d9e14b70c8 100644
+--- a/drivers/crypto/Kconfig
++++ b/drivers/crypto/Kconfig
+@@ -674,6 +674,7 @@ config CRYPTO_DEV_ROCKCHIP
+ select CRYPTO_CBC
+ select CRYPTO_DES
+ select CRYPTO_AES
++ select CRYPTO_ENGINE
+ select CRYPTO_LIB_DES
+ select CRYPTO_MD5
+ select CRYPTO_SHA1
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.c b/drivers/crypto/rockchip/rk3288_crypto.c
+index 31453257ab11..14a0aef18ab1 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.c
++++ b/drivers/crypto/rockchip/rk3288_crypto.c
+@@ -65,149 +65,24 @@ static void rk_crypto_disable_clk(struct rk_crypto_info *dev)
+ clk_disable_unprepare(dev->sclk);
+ }
+
+-static int check_alignment(struct scatterlist *sg_src,
+- struct scatterlist *sg_dst,
+- int align_mask)
+-{
+- int in, out, align;
+-
+- in = IS_ALIGNED((uint32_t)sg_src->offset, 4) &&
+- IS_ALIGNED((uint32_t)sg_src->length, align_mask);
+- if (!sg_dst)
+- return in;
+- out = IS_ALIGNED((uint32_t)sg_dst->offset, 4) &&
+- IS_ALIGNED((uint32_t)sg_dst->length, align_mask);
+- align = in && out;
+-
+- return (align && (sg_src->length == sg_dst->length));
+-}
+-
+-static int rk_load_data(struct rk_crypto_info *dev,
+- struct scatterlist *sg_src,
+- struct scatterlist *sg_dst)
+-{
+- unsigned int count;
+-
+- count = min(dev->left_bytes, sg_src->length);
+- dev->left_bytes -= count;
+-
+- if (!dma_map_sg(dev->dev, sg_src, 1, DMA_TO_DEVICE)) {
+- dev_err(dev->dev, "[%s:%d] dma_map_sg(src) error\n",
+- __func__, __LINE__);
+- return -EINVAL;
+- }
+- dev->addr_in = sg_dma_address(sg_src);
+-
+- if (sg_dst) {
+- if (!dma_map_sg(dev->dev, sg_dst, 1, DMA_FROM_DEVICE)) {
+- dev_err(dev->dev,
+- "[%s:%d] dma_map_sg(dst) error\n",
+- __func__, __LINE__);
+- dma_unmap_sg(dev->dev, sg_src, 1,
+- DMA_TO_DEVICE);
+- return -EINVAL;
+- }
+- dev->addr_out = sg_dma_address(sg_dst);
+- }
+- dev->count = count;
+- return 0;
+-}
+-
+-static void rk_unload_data(struct rk_crypto_info *dev)
+-{
+- struct scatterlist *sg_in, *sg_out;
+-
+- sg_in = dev->sg_src;
+- dma_unmap_sg(dev->dev, sg_in, 1, DMA_TO_DEVICE);
+-
+- if (dev->sg_dst) {
+- sg_out = dev->sg_dst;
+- dma_unmap_sg(dev->dev, sg_out, 1, DMA_FROM_DEVICE);
+- }
+-}
+-
+ static irqreturn_t rk_crypto_irq_handle(int irq, void *dev_id)
+ {
+ struct rk_crypto_info *dev = platform_get_drvdata(dev_id);
+ u32 interrupt_status;
+
+- spin_lock(&dev->lock);
+ interrupt_status = CRYPTO_READ(dev, RK_CRYPTO_INTSTS);
+ CRYPTO_WRITE(dev, RK_CRYPTO_INTSTS, interrupt_status);
+
++ dev->status = 1;
+ if (interrupt_status & 0x0a) {
+ dev_warn(dev->dev, "DMA Error\n");
+- dev->err = -EFAULT;
++ dev->status = 0;
+ }
+- tasklet_schedule(&dev->done_task);
++ complete(&dev->complete);
+
+- spin_unlock(&dev->lock);
+ return IRQ_HANDLED;
+ }
+
+-static int rk_crypto_enqueue(struct rk_crypto_info *dev,
+- struct crypto_async_request *async_req)
+-{
+- unsigned long flags;
+- int ret;
+-
+- spin_lock_irqsave(&dev->lock, flags);
+- ret = crypto_enqueue_request(&dev->queue, async_req);
+- if (dev->busy) {
+- spin_unlock_irqrestore(&dev->lock, flags);
+- return ret;
+- }
+- dev->busy = true;
+- spin_unlock_irqrestore(&dev->lock, flags);
+- tasklet_schedule(&dev->queue_task);
+-
+- return ret;
+-}
+-
+-static void rk_crypto_queue_task_cb(unsigned long data)
+-{
+- struct rk_crypto_info *dev = (struct rk_crypto_info *)data;
+- struct crypto_async_request *async_req, *backlog;
+- unsigned long flags;
+- int err = 0;
+-
+- dev->err = 0;
+- spin_lock_irqsave(&dev->lock, flags);
+- backlog = crypto_get_backlog(&dev->queue);
+- async_req = crypto_dequeue_request(&dev->queue);
+-
+- if (!async_req) {
+- dev->busy = false;
+- spin_unlock_irqrestore(&dev->lock, flags);
+- return;
+- }
+- spin_unlock_irqrestore(&dev->lock, flags);
+-
+- if (backlog) {
+- backlog->complete(backlog, -EINPROGRESS);
+- backlog = NULL;
+- }
+-
+- dev->async_req = async_req;
+- err = dev->start(dev);
+- if (err)
+- dev->complete(dev->async_req, err);
+-}
+-
+-static void rk_crypto_done_task_cb(unsigned long data)
+-{
+- struct rk_crypto_info *dev = (struct rk_crypto_info *)data;
+-
+- if (dev->err) {
+- dev->complete(dev->async_req, dev->err);
+- return;
+- }
+-
+- dev->err = dev->update(dev);
+- if (dev->err)
+- dev->complete(dev->async_req, dev->err);
+-}
+-
+ static struct rk_crypto_tmp *rk_cipher_algs[] = {
+ &rk_ecb_aes_alg,
+ &rk_cbc_aes_alg,
+@@ -300,8 +175,6 @@ static int rk_crypto_probe(struct platform_device *pdev)
+ if (err)
+ goto err_crypto;
+
+- spin_lock_init(&crypto_info->lock);
+-
+ crypto_info->reg = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(crypto_info->reg)) {
+ err = PTR_ERR(crypto_info->reg);
+@@ -352,17 +225,11 @@ static int rk_crypto_probe(struct platform_device *pdev)
+ crypto_info->dev = &pdev->dev;
+ platform_set_drvdata(pdev, crypto_info);
+
+- tasklet_init(&crypto_info->queue_task,
+- rk_crypto_queue_task_cb, (unsigned long)crypto_info);
+- tasklet_init(&crypto_info->done_task,
+- rk_crypto_done_task_cb, (unsigned long)crypto_info);
+- crypto_init_queue(&crypto_info->queue, 50);
++ crypto_info->engine = crypto_engine_alloc_init(&pdev->dev, true);
++ crypto_engine_start(crypto_info->engine);
++ init_completion(&crypto_info->complete);
+
+ rk_crypto_enable_clk(crypto_info);
+- crypto_info->load_data = rk_load_data;
+- crypto_info->unload_data = rk_unload_data;
+- crypto_info->enqueue = rk_crypto_enqueue;
+- crypto_info->busy = false;
+
+ err = rk_crypto_register(crypto_info);
+ if (err) {
+@@ -374,9 +241,9 @@ static int rk_crypto_probe(struct platform_device *pdev)
+ return 0;
+
+ err_register_alg:
+- tasklet_kill(&crypto_info->queue_task);
+- tasklet_kill(&crypto_info->done_task);
++ crypto_engine_exit(crypto_info->engine);
+ err_crypto:
++ dev_err(dev, "Crypto Accelerator not successfully registered\n");
+ return err;
+ }
+
+@@ -386,8 +253,7 @@ static int rk_crypto_remove(struct platform_device *pdev)
+
+ rk_crypto_unregister();
+ rk_crypto_disable_clk(crypto_tmp);
+- tasklet_kill(&crypto_tmp->done_task);
+- tasklet_kill(&crypto_tmp->queue_task);
++ crypto_engine_exit(crypto_tmp->engine);
+ return 0;
+ }
+
+diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
+index df4db59fa13e..045e811b4af8 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -5,9 +5,11 @@
+ #include <crypto/aes.h>
+ #include <crypto/internal/des.h>
+ #include <crypto/algapi.h>
++#include <linux/dma-mapping.h>
+ #include <linux/interrupt.h>
+ #include <linux/delay.h>
+ #include <linux/scatterlist.h>
++#include <crypto/engine.h>
+ #include <crypto/internal/hash.h>
+ #include <crypto/internal/skcipher.h>
+
+@@ -193,39 +195,15 @@ struct rk_crypto_info {
+ struct reset_control *rst;
+ void __iomem *reg;
+ int irq;
+- struct crypto_queue queue;
+- struct tasklet_struct queue_task;
+- struct tasklet_struct done_task;
+- struct crypto_async_request *async_req;
+- int err;
+- /* device lock */
+- spinlock_t lock;
+-
+- /* the public variable */
+- struct scatterlist *sg_src;
+- struct scatterlist *sg_dst;
+- struct scatterlist *first;
+- unsigned int left_bytes;
+- size_t src_nents;
+- size_t dst_nents;
+- unsigned int total;
+- unsigned int count;
+- dma_addr_t addr_in;
+- dma_addr_t addr_out;
+- bool busy;
+- int (*start)(struct rk_crypto_info *dev);
+- int (*update)(struct rk_crypto_info *dev);
+- void (*complete)(struct crypto_async_request *base, int err);
+- int (*load_data)(struct rk_crypto_info *dev,
+- struct scatterlist *sg_src,
+- struct scatterlist *sg_dst);
+- void (*unload_data)(struct rk_crypto_info *dev);
+- int (*enqueue)(struct rk_crypto_info *dev,
+- struct crypto_async_request *async_req);
++
++ struct crypto_engine *engine;
++ struct completion complete;
++ int status;
+ };
+
+ /* the private variable of hash */
+ struct rk_ahash_ctx {
++ struct crypto_engine_ctx enginectx;
+ struct rk_crypto_info *dev;
+ /* for fallback */
+ struct crypto_ahash *fallback_tfm;
+@@ -235,10 +213,12 @@ struct rk_ahash_ctx {
+ struct rk_ahash_rctx {
+ struct ahash_request fallback_req;
+ u32 mode;
++ int nrsg;
+ };
+
+ /* the private variable of cipher */
+ struct rk_cipher_ctx {
++ struct crypto_engine_ctx enginectx;
+ struct rk_crypto_info *dev;
+ unsigned int keylen;
+ u8 key[AES_MAX_KEY_SIZE];
+@@ -247,6 +227,7 @@ struct rk_cipher_ctx {
+ };
+
+ struct rk_cipher_rctx {
++ u8 backup_iv[AES_BLOCK_SIZE];
+ u32 mode;
+ struct skcipher_request fallback_req; // keep at the end
+ };
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+index c762e462eb57..edd40e16a3f0 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+@@ -9,6 +9,7 @@
+ * Some ideas are from marvell/cesa.c and s5p-sss.c driver.
+ */
+ #include <linux/device.h>
++#include <asm/unaligned.h>
+ #include "rk3288_crypto.h"
+
+ /*
+@@ -72,16 +73,12 @@ static int zero_message_process(struct ahash_request *req)
+ return 0;
+ }
+
+-static void rk_ahash_crypto_complete(struct crypto_async_request *base, int err)
++static void rk_ahash_reg_init(struct ahash_request *req)
+ {
+- if (base->complete)
+- base->complete(base, err);
+-}
+-
+-static void rk_ahash_reg_init(struct rk_crypto_info *dev)
+-{
+- struct ahash_request *req = ahash_request_cast(dev->async_req);
+ struct rk_ahash_rctx *rctx = ahash_request_ctx(req);
++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
++ struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm);
++ struct rk_crypto_info *dev = tctx->dev;
+ int reg_status;
+
+ reg_status = CRYPTO_READ(dev, RK_CRYPTO_CTRL) |
+@@ -108,7 +105,7 @@ static void rk_ahash_reg_init(struct rk_crypto_info *dev)
+ RK_CRYPTO_BYTESWAP_BRFIFO |
+ RK_CRYPTO_BYTESWAP_BTFIFO);
+
+- CRYPTO_WRITE(dev, RK_CRYPTO_HASH_MSG_LEN, dev->total);
++ CRYPTO_WRITE(dev, RK_CRYPTO_HASH_MSG_LEN, req->nbytes);
+ }
+
+ static int rk_ahash_init(struct ahash_request *req)
+@@ -206,44 +203,59 @@ static int rk_ahash_digest(struct ahash_request *req)
+
+ if (!req->nbytes)
+ return zero_message_process(req);
+- else
+- return dev->enqueue(dev, &req->base);
++
++ return crypto_transfer_hash_request_to_engine(dev->engine, req);
+ }
+
+-static void crypto_ahash_dma_start(struct rk_crypto_info *dev)
++static void crypto_ahash_dma_start(struct rk_crypto_info *dev, struct scatterlist *sg)
+ {
+- CRYPTO_WRITE(dev, RK_CRYPTO_HRDMAS, dev->addr_in);
+- CRYPTO_WRITE(dev, RK_CRYPTO_HRDMAL, (dev->count + 3) / 4);
++ CRYPTO_WRITE(dev, RK_CRYPTO_HRDMAS, sg_dma_address(sg));
++ CRYPTO_WRITE(dev, RK_CRYPTO_HRDMAL, sg_dma_len(sg) / 4);
+ CRYPTO_WRITE(dev, RK_CRYPTO_CTRL, RK_CRYPTO_HASH_START |
+ (RK_CRYPTO_HASH_START << 16));
+ }
+
+-static int rk_ahash_set_data_start(struct rk_crypto_info *dev)
++static int rk_hash_prepare(struct crypto_engine *engine, void *breq)
++{
++ struct ahash_request *areq = container_of(breq, struct ahash_request, base);
++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
++ struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
++ struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm);
++ int ret;
++
++ ret = dma_map_sg(tctx->dev->dev, areq->src, sg_nents(areq->src), DMA_TO_DEVICE);
++ if (ret <= 0)
++ return -EINVAL;
++
++ rctx->nrsg = ret;
++
++ return 0;
++}
++
++static int rk_hash_unprepare(struct crypto_engine *engine, void *breq)
+ {
+- int err;
++ struct ahash_request *areq = container_of(breq, struct ahash_request, base);
++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
++ struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
++ struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm);
+
+- err = dev->load_data(dev, dev->sg_src, NULL);
+- if (!err)
+- crypto_ahash_dma_start(dev);
+- return err;
++ dma_unmap_sg(tctx->dev->dev, areq->src, rctx->nrsg, DMA_TO_DEVICE);
++ return 0;
+ }
+
+-static int rk_ahash_start(struct rk_crypto_info *dev)
++static int rk_hash_run(struct crypto_engine *engine, void *breq)
+ {
+- struct ahash_request *req = ahash_request_cast(dev->async_req);
+- struct crypto_ahash *tfm;
+- struct rk_ahash_rctx *rctx;
+-
+- dev->total = req->nbytes;
+- dev->left_bytes = req->nbytes;
+- dev->sg_dst = NULL;
+- dev->sg_src = req->src;
+- dev->first = req->src;
+- dev->src_nents = sg_nents(req->src);
+- rctx = ahash_request_ctx(req);
++ struct ahash_request *areq = container_of(breq, struct ahash_request, base);
++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
++ struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
++ struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm);
++ struct scatterlist *sg = areq->src;
++ int err = 0;
++ int i;
++ u32 v;
++
+ rctx->mode = 0;
+
+- tfm = crypto_ahash_reqtfm(req);
+ switch (crypto_ahash_digestsize(tfm)) {
+ case SHA1_DIGEST_SIZE:
+ rctx->mode = RK_CRYPTO_HASH_SHA1;
+@@ -255,30 +267,26 @@ static int rk_ahash_start(struct rk_crypto_info *dev)
+ rctx->mode = RK_CRYPTO_HASH_MD5;
+ break;
+ default:
+- return -EINVAL;
++ err = -EINVAL;
++ goto theend;
+ }
+
+- rk_ahash_reg_init(dev);
+- return rk_ahash_set_data_start(dev);
+-}
++ rk_ahash_reg_init(areq);
+
+-static int rk_ahash_crypto_rx(struct rk_crypto_info *dev)
+-{
+- int err = 0;
+- struct ahash_request *req = ahash_request_cast(dev->async_req);
+- struct crypto_ahash *tfm;
+-
+- dev->unload_data(dev);
+- if (dev->left_bytes) {
+- if (sg_is_last(dev->sg_src)) {
+- dev_warn(dev->dev, "[%s:%d], Lack of data\n",
+- __func__, __LINE__);
+- err = -ENOMEM;
+- goto out_rx;
++ while (sg) {
++ reinit_completion(&tctx->dev->complete);
++ tctx->dev->status = 0;
++ crypto_ahash_dma_start(tctx->dev, sg);
++ wait_for_completion_interruptible_timeout(&tctx->dev->complete,
++ msecs_to_jiffies(2000));
++ if (!tctx->dev->status) {
++ dev_err(tctx->dev->dev, "DMA timeout\n");
++ err = -EFAULT;
++ goto theend;
+ }
+- dev->sg_src = sg_next(dev->sg_src);
+- err = rk_ahash_set_data_start(dev);
+- } else {
++ sg = sg_next(sg);
++ }
++
+ /*
+ * it will take some time to process date after last dma
+ * transmission.
+@@ -289,18 +297,20 @@ static int rk_ahash_crypto_rx(struct rk_crypto_info *dev)
+ * efficiency, and make it response quickly when dma
+ * complete.
+ */
+- while (!CRYPTO_READ(dev, RK_CRYPTO_HASH_STS))
+- udelay(10);
+-
+- tfm = crypto_ahash_reqtfm(req);
+- memcpy_fromio(req->result, dev->reg + RK_CRYPTO_HASH_DOUT_0,
+- crypto_ahash_digestsize(tfm));
+- dev->complete(dev->async_req, 0);
+- tasklet_schedule(&dev->queue_task);
++ while (!CRYPTO_READ(tctx->dev, RK_CRYPTO_HASH_STS))
++ udelay(10);
++
++ for (i = 0; i < crypto_ahash_digestsize(tfm) / 4; i++) {
++ v = readl(tctx->dev->reg + RK_CRYPTO_HASH_DOUT_0 + i * 4);
++ put_unaligned_le32(v, areq->result + i * 4);
+ }
+
+-out_rx:
+- return err;
++theend:
++ local_bh_disable();
++ crypto_finalize_hash_request(engine, breq, err);
++ local_bh_enable();
++
++ return 0;
+ }
+
+ static int rk_cra_hash_init(struct crypto_tfm *tfm)
+@@ -314,9 +324,6 @@ static int rk_cra_hash_init(struct crypto_tfm *tfm)
+ algt = container_of(alg, struct rk_crypto_tmp, alg.hash);
+
+ tctx->dev = algt->dev;
+- tctx->dev->start = rk_ahash_start;
+- tctx->dev->update = rk_ahash_crypto_rx;
+- tctx->dev->complete = rk_ahash_crypto_complete;
+
+ /* for fallback */
+ tctx->fallback_tfm = crypto_alloc_ahash(alg_name, 0,
+@@ -325,10 +332,15 @@ static int rk_cra_hash_init(struct crypto_tfm *tfm)
+ dev_err(tctx->dev->dev, "Could not load fallback driver.\n");
+ return PTR_ERR(tctx->fallback_tfm);
+ }
++
+ crypto_ahash_set_reqsize(__crypto_ahash_cast(tfm),
+ sizeof(struct rk_ahash_rctx) +
+ crypto_ahash_reqsize(tctx->fallback_tfm));
+
++ tctx->enginectx.op.do_one_request = rk_hash_run;
++ tctx->enginectx.op.prepare_request = rk_hash_prepare;
++ tctx->enginectx.op.unprepare_request = rk_hash_unprepare;
++
+ return 0;
+ }
+
+diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+index d067b7f09165..67a7e05d5ae3 100644
+--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+@@ -9,6 +9,7 @@
+ * Some ideas are from marvell-cesa.c and s5p-sss.c driver.
+ */
+ #include <linux/device.h>
++#include <crypto/scatterwalk.h>
+ #include "rk3288_crypto.h"
+
+ #define RK_CRYPTO_DEC BIT(0)
+@@ -70,19 +71,15 @@ static int rk_cipher_fallback(struct skcipher_request *areq)
+ return err;
+ }
+
+-static void rk_crypto_complete(struct crypto_async_request *base, int err)
+-{
+- if (base->complete)
+- base->complete(base, err);
+-}
+-
+ static int rk_handle_req(struct rk_crypto_info *dev,
+ struct skcipher_request *req)
+ {
++ struct crypto_engine *engine = dev->engine;
++
+ if (rk_cipher_need_fallback(req))
+ return rk_cipher_fallback(req);
+
+- return dev->enqueue(dev, &req->base);
++ return crypto_transfer_skcipher_request_to_engine(engine, req);
+ }
+
+ static int rk_aes_setkey(struct crypto_skcipher *cipher,
+@@ -265,25 +262,21 @@ static int rk_des3_ede_cbc_decrypt(struct skcipher_request *req)
+ return rk_handle_req(dev, req);
+ }
+
+-static void rk_ablk_hw_init(struct rk_crypto_info *dev)
++static void rk_ablk_hw_init(struct rk_crypto_info *dev, struct skcipher_request *req)
+ {
+- struct skcipher_request *req =
+- skcipher_request_cast(dev->async_req);
+ struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
+ struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(cipher);
+- u32 ivsize, block, conf_reg = 0;
++ u32 block, conf_reg = 0;
+
+ block = crypto_tfm_alg_blocksize(tfm);
+- ivsize = crypto_skcipher_ivsize(cipher);
+
+ if (block == DES_BLOCK_SIZE) {
+ rctx->mode |= RK_CRYPTO_TDES_FIFO_MODE |
+ RK_CRYPTO_TDES_BYTESWAP_KEY |
+ RK_CRYPTO_TDES_BYTESWAP_IV;
+ CRYPTO_WRITE(dev, RK_CRYPTO_TDES_CTRL, rctx->mode);
+- memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, req->iv, ivsize);
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, ctx->key, ctx->keylen);
+ conf_reg = RK_CRYPTO_DESSEL;
+ } else {
+@@ -296,7 +289,6 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
+ else if (ctx->keylen == AES_KEYSIZE_256)
+ rctx->mode |= RK_CRYPTO_AES_256BIT_key;
+ CRYPTO_WRITE(dev, RK_CRYPTO_AES_CTRL, rctx->mode);
+- memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, req->iv, ivsize);
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_KEY_0, ctx->key, ctx->keylen);
+ }
+ conf_reg |= RK_CRYPTO_BYTESWAP_BTFIFO |
+@@ -306,133 +298,138 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
+ RK_CRYPTO_BCDMA_ERR_ENA | RK_CRYPTO_BCDMA_DONE_ENA);
+ }
+
+-static void crypto_dma_start(struct rk_crypto_info *dev)
++static void crypto_dma_start(struct rk_crypto_info *dev,
++ struct scatterlist *sgs,
++ struct scatterlist *sgd, unsigned int todo)
+ {
+- CRYPTO_WRITE(dev, RK_CRYPTO_BRDMAS, dev->addr_in);
+- CRYPTO_WRITE(dev, RK_CRYPTO_BRDMAL, dev->count / 4);
+- CRYPTO_WRITE(dev, RK_CRYPTO_BTDMAS, dev->addr_out);
++ CRYPTO_WRITE(dev, RK_CRYPTO_BRDMAS, sg_dma_address(sgs));
++ CRYPTO_WRITE(dev, RK_CRYPTO_BRDMAL, todo);
++ CRYPTO_WRITE(dev, RK_CRYPTO_BTDMAS, sg_dma_address(sgd));
+ CRYPTO_WRITE(dev, RK_CRYPTO_CTRL, RK_CRYPTO_BLOCK_START |
+ _SBF(RK_CRYPTO_BLOCK_START, 16));
+ }
+
+-static int rk_set_data_start(struct rk_crypto_info *dev)
++static int rk_cipher_run(struct crypto_engine *engine, void *async_req)
+ {
+- int err;
+- struct skcipher_request *req =
+- skcipher_request_cast(dev->async_req);
+- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+- struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
++ struct skcipher_request *areq = container_of(async_req, struct skcipher_request, base);
++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(areq);
+ struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+- u32 ivsize = crypto_skcipher_ivsize(tfm);
+- u8 *src_last_blk = page_address(sg_page(dev->sg_src)) +
+- dev->sg_src->offset + dev->sg_src->length - ivsize;
+-
+- /* Store the iv that need to be updated in chain mode.
+- * And update the IV buffer to contain the next IV for decryption mode.
+- */
+- if (rctx->mode & RK_CRYPTO_DEC) {
+- memcpy(ctx->iv, src_last_blk, ivsize);
+- sg_pcopy_to_buffer(dev->first, dev->src_nents, req->iv,
+- ivsize, dev->total - ivsize);
+- }
+-
+- err = dev->load_data(dev, dev->sg_src, dev->sg_dst);
+- if (!err)
+- crypto_dma_start(dev);
+- return err;
+-}
+-
+-static int rk_ablk_start(struct rk_crypto_info *dev)
+-{
+- struct skcipher_request *req =
+- skcipher_request_cast(dev->async_req);
+- unsigned long flags;
++ struct rk_cipher_rctx *rctx = skcipher_request_ctx(areq);
++ struct scatterlist *sgs, *sgd;
+ int err = 0;
++ int ivsize = crypto_skcipher_ivsize(tfm);
++ int offset;
++ u8 iv[AES_BLOCK_SIZE];
++ u8 biv[AES_BLOCK_SIZE];
++ u8 *ivtouse = areq->iv;
++ unsigned int len = areq->cryptlen;
++ unsigned int todo;
++
++ ivsize = crypto_skcipher_ivsize(tfm);
++ if (areq->iv && crypto_skcipher_ivsize(tfm) > 0) {
++ if (rctx->mode & RK_CRYPTO_DEC) {
++ offset = areq->cryptlen - ivsize;
++ scatterwalk_map_and_copy(rctx->backup_iv, areq->src,
++ offset, ivsize, 0);
++ }
++ }
+
+- dev->left_bytes = req->cryptlen;
+- dev->total = req->cryptlen;
+- dev->sg_src = req->src;
+- dev->first = req->src;
+- dev->src_nents = sg_nents(req->src);
+- dev->sg_dst = req->dst;
+- dev->dst_nents = sg_nents(req->dst);
+-
+- spin_lock_irqsave(&dev->lock, flags);
+- rk_ablk_hw_init(dev);
+- err = rk_set_data_start(dev);
+- spin_unlock_irqrestore(&dev->lock, flags);
+- return err;
+-}
+-
+-static void rk_iv_copyback(struct rk_crypto_info *dev)
+-{
+- struct skcipher_request *req =
+- skcipher_request_cast(dev->async_req);
+- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+- struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+- struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+- u32 ivsize = crypto_skcipher_ivsize(tfm);
++ sgs = areq->src;
++ sgd = areq->dst;
+
+- /* Update the IV buffer to contain the next IV for encryption mode. */
+- if (!(rctx->mode & RK_CRYPTO_DEC)) {
+- memcpy(req->iv,
+- sg_virt(dev->sg_dst) + dev->sg_dst->length - ivsize,
+- ivsize);
++ while (sgs && sgd && len) {
++ if (!sgs->length) {
++ sgs = sg_next(sgs);
++ sgd = sg_next(sgd);
++ continue;
++ }
++ if (rctx->mode & RK_CRYPTO_DEC) {
++ /* we backup last block of source to be used as IV at next step */
++ offset = sgs->length - ivsize;
++ scatterwalk_map_and_copy(biv, sgs, offset, ivsize, 0);
++ }
++ if (sgs == sgd) {
++ err = dma_map_sg(ctx->dev->dev, sgs, 1, DMA_BIDIRECTIONAL);
++ if (err <= 0) {
++ err = -EINVAL;
++ goto theend_iv;
++ }
++ } else {
++ err = dma_map_sg(ctx->dev->dev, sgs, 1, DMA_TO_DEVICE);
++ if (err <= 0) {
++ err = -EINVAL;
++ goto theend_iv;
++ }
++ err = dma_map_sg(ctx->dev->dev, sgd, 1, DMA_FROM_DEVICE);
++ if (err <= 0) {
++ err = -EINVAL;
++ goto theend_sgs;
++ }
++ }
++ err = 0;
++ rk_ablk_hw_init(ctx->dev, areq);
++ if (ivsize) {
++ if (ivsize == DES_BLOCK_SIZE)
++ memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_IV_0, ivtouse, ivsize);
++ else
++ memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_IV_0, ivtouse, ivsize);
++ }
++ reinit_completion(&ctx->dev->complete);
++ ctx->dev->status = 0;
++
++ todo = min(sg_dma_len(sgs), len);
++ len -= todo;
++ crypto_dma_start(ctx->dev, sgs, sgd, todo / 4);
++ wait_for_completion_interruptible_timeout(&ctx->dev->complete,
++ msecs_to_jiffies(2000));
++ if (!ctx->dev->status) {
++ dev_err(ctx->dev->dev, "DMA timeout\n");
++ err = -EFAULT;
++ goto theend;
++ }
++ if (sgs == sgd) {
++ dma_unmap_sg(ctx->dev->dev, sgs, 1, DMA_BIDIRECTIONAL);
++ } else {
++ dma_unmap_sg(ctx->dev->dev, sgs, 1, DMA_TO_DEVICE);
++ dma_unmap_sg(ctx->dev->dev, sgd, 1, DMA_FROM_DEVICE);
++ }
++ if (rctx->mode & RK_CRYPTO_DEC) {
++ memcpy(iv, biv, ivsize);
++ ivtouse = iv;
++ } else {
++ offset = sgd->length - ivsize;
++ scatterwalk_map_and_copy(iv, sgd, offset, ivsize, 0);
++ ivtouse = iv;
++ }
++ sgs = sg_next(sgs);
++ sgd = sg_next(sgd);
+ }
+-}
+-
+-static void rk_update_iv(struct rk_crypto_info *dev)
+-{
+- struct skcipher_request *req =
+- skcipher_request_cast(dev->async_req);
+- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+- struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+- struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+- u32 ivsize = crypto_skcipher_ivsize(tfm);
+- u8 *new_iv = NULL;
+
+- if (rctx->mode & RK_CRYPTO_DEC) {
+- new_iv = ctx->iv;
+- } else {
+- new_iv = page_address(sg_page(dev->sg_dst)) +
+- dev->sg_dst->offset + dev->sg_dst->length - ivsize;
++ if (areq->iv && ivsize > 0) {
++ offset = areq->cryptlen - ivsize;
++ if (rctx->mode & RK_CRYPTO_DEC) {
++ memcpy(areq->iv, rctx->backup_iv, ivsize);
++ memzero_explicit(rctx->backup_iv, ivsize);
++ } else {
++ scatterwalk_map_and_copy(areq->iv, areq->dst, offset,
++ ivsize, 0);
++ }
+ }
+
+- if (ivsize == DES_BLOCK_SIZE)
+- memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, new_iv, ivsize);
+- else if (ivsize == AES_BLOCK_SIZE)
+- memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, new_iv, ivsize);
+-}
++theend:
++ local_bh_disable();
++ crypto_finalize_skcipher_request(engine, areq, err);
++ local_bh_enable();
++ return 0;
+
+-/* return:
+- * true some err was occurred
+- * fault no err, continue
+- */
+-static int rk_ablk_rx(struct rk_crypto_info *dev)
+-{
+- int err = 0;
+- struct skcipher_request *req =
+- skcipher_request_cast(dev->async_req);
+-
+- dev->unload_data(dev);
+- if (dev->left_bytes) {
+- rk_update_iv(dev);
+- if (sg_is_last(dev->sg_src)) {
+- dev_err(dev->dev, "[%s:%d] Lack of data\n",
+- __func__, __LINE__);
+- err = -ENOMEM;
+- goto out_rx;
+- }
+- dev->sg_src = sg_next(dev->sg_src);
+- dev->sg_dst = sg_next(dev->sg_dst);
+- err = rk_set_data_start(dev);
++theend_sgs:
++ if (sgs == sgd) {
++ dma_unmap_sg(ctx->dev->dev, sgs, 1, DMA_BIDIRECTIONAL);
+ } else {
+- rk_iv_copyback(dev);
+- /* here show the calculation is over without any err */
+- dev->complete(dev->async_req, 0);
+- tasklet_schedule(&dev->queue_task);
++ dma_unmap_sg(ctx->dev->dev, sgs, 1, DMA_TO_DEVICE);
++ dma_unmap_sg(ctx->dev->dev, sgd, 1, DMA_FROM_DEVICE);
+ }
+-out_rx:
++theend_iv:
+ return err;
+ }
+
+@@ -446,9 +443,6 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
+ algt = container_of(alg, struct rk_crypto_tmp, alg.skcipher);
+
+ ctx->dev = algt->dev;
+- ctx->dev->start = rk_ablk_start;
+- ctx->dev->update = rk_ablk_rx;
+- ctx->dev->complete = rk_crypto_complete;
+
+ ctx->fallback_tfm = crypto_alloc_skcipher(name, 0, CRYPTO_ALG_NEED_FALLBACK);
+ if (IS_ERR(ctx->fallback_tfm)) {
+@@ -460,6 +454,8 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
+ tfm->reqsize = sizeof(struct rk_cipher_rctx) +
+ crypto_skcipher_reqsize(ctx->fallback_tfm);
+
++ ctx->enginectx.op.do_one_request = rk_cipher_run;
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 74b5a923ad4d3db125242353594131e9af4d0567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 08:55:55 +0000
+Subject: crypto: sun8i-ss - use dma_addr instead u32
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit 839b8ae2fc10f205317bcc32c9de18456756e1f5 ]
+
+The DMA address need to be stored in a dma_addr_t
+
+Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+index 910d6751644c..902f6be057ec 100644
+--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
++++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+@@ -124,7 +124,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq)
+ unsigned int ivsize = crypto_skcipher_ivsize(tfm);
+ struct sun8i_ss_flow *sf = &ss->flows[rctx->flow];
+ int i = 0;
+- u32 a;
++ dma_addr_t a;
+ int err;
+
+ rctx->ivlen = ivsize;
+--
+2.35.1
+
--- /dev/null
+From d2d2ad7693eb9950e3b59abc2efbe88085fe3620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 17:24:11 +0800
+Subject: crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
+
+From: Zhang Yiqun <zhangyiqun@phytium.com.cn>
+
+[ Upstream commit 1aa33fc8d4032227253ceb736f47c52b859d9683 ]
+
+In the past, the data for mb-skcipher test has been allocated
+twice, that means the first allcated memory area is without
+free, which may cause a potential memory leakage. So this
+patch is to remove one allocation to fix this error.
+
+Fixes: e161c5930c15 ("crypto: tcrypt - add multibuf skcipher...")
+Signed-off-by: Zhang Yiqun <zhangyiqun@phytium.com.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/tcrypt.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
+index 574640210c80..bc57b182f304 100644
+--- a/crypto/tcrypt.c
++++ b/crypto/tcrypt.c
+@@ -1101,15 +1101,6 @@ static void test_mb_skcipher_speed(const char *algo, int enc, int secs,
+ goto out_free_tfm;
+ }
+
+-
+- for (i = 0; i < num_mb; ++i)
+- if (testmgr_alloc_buf(data[i].xbuf)) {
+- while (i--)
+- testmgr_free_buf(data[i].xbuf);
+- goto out_free_tfm;
+- }
+-
+-
+ for (i = 0; i < num_mb; ++i) {
+ data[i].req = skcipher_request_alloc(tfm, GFP_KERNEL);
+ if (!data[i].req) {
+--
+2.35.1
+
--- /dev/null
+From 2609a60f996dab6d2945b6fe9348f2f743a04567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 16:40:14 -0500
+Subject: crypto: tcrypt - fix return value for multiple subtests
+
+From: Robert Elliott <elliott@hpe.com>
+
+[ Upstream commit 65c92cbb3f2365627a10cf97560d51e88fb4e588 ]
+
+When a test mode invokes multiple tests (e.g., mode 0 invokes modes
+1 through 199, and mode 3 tests three block cipher modes with des),
+don't keep accumulating the return values with ret += tcrypt_test(),
+which results in a bogus value if more than one report a nonzero
+value (e.g., two reporting -2 (-ENOENT) end up reporting -4 (-EINTR)).
+Instead, keep track of the minimum return value reported by any
+subtest.
+
+Fixes: 4e033a6bc70f ("crypto: tcrypt - Do not exit on success in fips mode")
+Signed-off-by: Robert Elliott <elliott@hpe.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/tcrypt.c | 256 ++++++++++++++++++++++++------------------------
+ 1 file changed, 128 insertions(+), 128 deletions(-)
+
+diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
+index 59eb8ec36664..574640210c80 100644
+--- a/crypto/tcrypt.c
++++ b/crypto/tcrypt.c
+@@ -1494,387 +1494,387 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb)
+ }
+
+ for (i = 1; i < 200; i++)
+- ret += do_test(NULL, 0, 0, i, num_mb);
++ ret = min(ret, do_test(NULL, 0, 0, i, num_mb));
+ break;
+
+ case 1:
+- ret += tcrypt_test("md5");
++ ret = min(ret, tcrypt_test("md5"));
+ break;
+
+ case 2:
+- ret += tcrypt_test("sha1");
++ ret = min(ret, tcrypt_test("sha1"));
+ break;
+
+ case 3:
+- ret += tcrypt_test("ecb(des)");
+- ret += tcrypt_test("cbc(des)");
+- ret += tcrypt_test("ctr(des)");
++ ret = min(ret, tcrypt_test("ecb(des)"));
++ ret = min(ret, tcrypt_test("cbc(des)"));
++ ret = min(ret, tcrypt_test("ctr(des)"));
+ break;
+
+ case 4:
+- ret += tcrypt_test("ecb(des3_ede)");
+- ret += tcrypt_test("cbc(des3_ede)");
+- ret += tcrypt_test("ctr(des3_ede)");
++ ret = min(ret, tcrypt_test("ecb(des3_ede)"));
++ ret = min(ret, tcrypt_test("cbc(des3_ede)"));
++ ret = min(ret, tcrypt_test("ctr(des3_ede)"));
+ break;
+
+ case 5:
+- ret += tcrypt_test("md4");
++ ret = min(ret, tcrypt_test("md4"));
+ break;
+
+ case 6:
+- ret += tcrypt_test("sha256");
++ ret = min(ret, tcrypt_test("sha256"));
+ break;
+
+ case 7:
+- ret += tcrypt_test("ecb(blowfish)");
+- ret += tcrypt_test("cbc(blowfish)");
+- ret += tcrypt_test("ctr(blowfish)");
++ ret = min(ret, tcrypt_test("ecb(blowfish)"));
++ ret = min(ret, tcrypt_test("cbc(blowfish)"));
++ ret = min(ret, tcrypt_test("ctr(blowfish)"));
+ break;
+
+ case 8:
+- ret += tcrypt_test("ecb(twofish)");
+- ret += tcrypt_test("cbc(twofish)");
+- ret += tcrypt_test("ctr(twofish)");
+- ret += tcrypt_test("lrw(twofish)");
+- ret += tcrypt_test("xts(twofish)");
++ ret = min(ret, tcrypt_test("ecb(twofish)"));
++ ret = min(ret, tcrypt_test("cbc(twofish)"));
++ ret = min(ret, tcrypt_test("ctr(twofish)"));
++ ret = min(ret, tcrypt_test("lrw(twofish)"));
++ ret = min(ret, tcrypt_test("xts(twofish)"));
+ break;
+
+ case 9:
+- ret += tcrypt_test("ecb(serpent)");
+- ret += tcrypt_test("cbc(serpent)");
+- ret += tcrypt_test("ctr(serpent)");
+- ret += tcrypt_test("lrw(serpent)");
+- ret += tcrypt_test("xts(serpent)");
++ ret = min(ret, tcrypt_test("ecb(serpent)"));
++ ret = min(ret, tcrypt_test("cbc(serpent)"));
++ ret = min(ret, tcrypt_test("ctr(serpent)"));
++ ret = min(ret, tcrypt_test("lrw(serpent)"));
++ ret = min(ret, tcrypt_test("xts(serpent)"));
+ break;
+
+ case 10:
+- ret += tcrypt_test("ecb(aes)");
+- ret += tcrypt_test("cbc(aes)");
+- ret += tcrypt_test("lrw(aes)");
+- ret += tcrypt_test("xts(aes)");
+- ret += tcrypt_test("ctr(aes)");
+- ret += tcrypt_test("rfc3686(ctr(aes))");
+- ret += tcrypt_test("ofb(aes)");
+- ret += tcrypt_test("cfb(aes)");
+- ret += tcrypt_test("xctr(aes)");
++ ret = min(ret, tcrypt_test("ecb(aes)"));
++ ret = min(ret, tcrypt_test("cbc(aes)"));
++ ret = min(ret, tcrypt_test("lrw(aes)"));
++ ret = min(ret, tcrypt_test("xts(aes)"));
++ ret = min(ret, tcrypt_test("ctr(aes)"));
++ ret = min(ret, tcrypt_test("rfc3686(ctr(aes))"));
++ ret = min(ret, tcrypt_test("ofb(aes)"));
++ ret = min(ret, tcrypt_test("cfb(aes)"));
++ ret = min(ret, tcrypt_test("xctr(aes)"));
+ break;
+
+ case 11:
+- ret += tcrypt_test("sha384");
++ ret = min(ret, tcrypt_test("sha384"));
+ break;
+
+ case 12:
+- ret += tcrypt_test("sha512");
++ ret = min(ret, tcrypt_test("sha512"));
+ break;
+
+ case 13:
+- ret += tcrypt_test("deflate");
++ ret = min(ret, tcrypt_test("deflate"));
+ break;
+
+ case 14:
+- ret += tcrypt_test("ecb(cast5)");
+- ret += tcrypt_test("cbc(cast5)");
+- ret += tcrypt_test("ctr(cast5)");
++ ret = min(ret, tcrypt_test("ecb(cast5)"));
++ ret = min(ret, tcrypt_test("cbc(cast5)"));
++ ret = min(ret, tcrypt_test("ctr(cast5)"));
+ break;
+
+ case 15:
+- ret += tcrypt_test("ecb(cast6)");
+- ret += tcrypt_test("cbc(cast6)");
+- ret += tcrypt_test("ctr(cast6)");
+- ret += tcrypt_test("lrw(cast6)");
+- ret += tcrypt_test("xts(cast6)");
++ ret = min(ret, tcrypt_test("ecb(cast6)"));
++ ret = min(ret, tcrypt_test("cbc(cast6)"));
++ ret = min(ret, tcrypt_test("ctr(cast6)"));
++ ret = min(ret, tcrypt_test("lrw(cast6)"));
++ ret = min(ret, tcrypt_test("xts(cast6)"));
+ break;
+
+ case 16:
+- ret += tcrypt_test("ecb(arc4)");
++ ret = min(ret, tcrypt_test("ecb(arc4)"));
+ break;
+
+ case 17:
+- ret += tcrypt_test("michael_mic");
++ ret = min(ret, tcrypt_test("michael_mic"));
+ break;
+
+ case 18:
+- ret += tcrypt_test("crc32c");
++ ret = min(ret, tcrypt_test("crc32c"));
+ break;
+
+ case 19:
+- ret += tcrypt_test("ecb(tea)");
++ ret = min(ret, tcrypt_test("ecb(tea)"));
+ break;
+
+ case 20:
+- ret += tcrypt_test("ecb(xtea)");
++ ret = min(ret, tcrypt_test("ecb(xtea)"));
+ break;
+
+ case 21:
+- ret += tcrypt_test("ecb(khazad)");
++ ret = min(ret, tcrypt_test("ecb(khazad)"));
+ break;
+
+ case 22:
+- ret += tcrypt_test("wp512");
++ ret = min(ret, tcrypt_test("wp512"));
+ break;
+
+ case 23:
+- ret += tcrypt_test("wp384");
++ ret = min(ret, tcrypt_test("wp384"));
+ break;
+
+ case 24:
+- ret += tcrypt_test("wp256");
++ ret = min(ret, tcrypt_test("wp256"));
+ break;
+
+ case 26:
+- ret += tcrypt_test("ecb(anubis)");
+- ret += tcrypt_test("cbc(anubis)");
++ ret = min(ret, tcrypt_test("ecb(anubis)"));
++ ret = min(ret, tcrypt_test("cbc(anubis)"));
+ break;
+
+ case 30:
+- ret += tcrypt_test("ecb(xeta)");
++ ret = min(ret, tcrypt_test("ecb(xeta)"));
+ break;
+
+ case 31:
+- ret += tcrypt_test("pcbc(fcrypt)");
++ ret = min(ret, tcrypt_test("pcbc(fcrypt)"));
+ break;
+
+ case 32:
+- ret += tcrypt_test("ecb(camellia)");
+- ret += tcrypt_test("cbc(camellia)");
+- ret += tcrypt_test("ctr(camellia)");
+- ret += tcrypt_test("lrw(camellia)");
+- ret += tcrypt_test("xts(camellia)");
++ ret = min(ret, tcrypt_test("ecb(camellia)"));
++ ret = min(ret, tcrypt_test("cbc(camellia)"));
++ ret = min(ret, tcrypt_test("ctr(camellia)"));
++ ret = min(ret, tcrypt_test("lrw(camellia)"));
++ ret = min(ret, tcrypt_test("xts(camellia)"));
+ break;
+
+ case 33:
+- ret += tcrypt_test("sha224");
++ ret = min(ret, tcrypt_test("sha224"));
+ break;
+
+ case 35:
+- ret += tcrypt_test("gcm(aes)");
++ ret = min(ret, tcrypt_test("gcm(aes)"));
+ break;
+
+ case 36:
+- ret += tcrypt_test("lzo");
++ ret = min(ret, tcrypt_test("lzo"));
+ break;
+
+ case 37:
+- ret += tcrypt_test("ccm(aes)");
++ ret = min(ret, tcrypt_test("ccm(aes)"));
+ break;
+
+ case 38:
+- ret += tcrypt_test("cts(cbc(aes))");
++ ret = min(ret, tcrypt_test("cts(cbc(aes))"));
+ break;
+
+ case 39:
+- ret += tcrypt_test("xxhash64");
++ ret = min(ret, tcrypt_test("xxhash64"));
+ break;
+
+ case 40:
+- ret += tcrypt_test("rmd160");
++ ret = min(ret, tcrypt_test("rmd160"));
+ break;
+
+ case 42:
+- ret += tcrypt_test("blake2b-512");
++ ret = min(ret, tcrypt_test("blake2b-512"));
+ break;
+
+ case 43:
+- ret += tcrypt_test("ecb(seed)");
++ ret = min(ret, tcrypt_test("ecb(seed)"));
+ break;
+
+ case 45:
+- ret += tcrypt_test("rfc4309(ccm(aes))");
++ ret = min(ret, tcrypt_test("rfc4309(ccm(aes))"));
+ break;
+
+ case 46:
+- ret += tcrypt_test("ghash");
++ ret = min(ret, tcrypt_test("ghash"));
+ break;
+
+ case 47:
+- ret += tcrypt_test("crct10dif");
++ ret = min(ret, tcrypt_test("crct10dif"));
+ break;
+
+ case 48:
+- ret += tcrypt_test("sha3-224");
++ ret = min(ret, tcrypt_test("sha3-224"));
+ break;
+
+ case 49:
+- ret += tcrypt_test("sha3-256");
++ ret = min(ret, tcrypt_test("sha3-256"));
+ break;
+
+ case 50:
+- ret += tcrypt_test("sha3-384");
++ ret = min(ret, tcrypt_test("sha3-384"));
+ break;
+
+ case 51:
+- ret += tcrypt_test("sha3-512");
++ ret = min(ret, tcrypt_test("sha3-512"));
+ break;
+
+ case 52:
+- ret += tcrypt_test("sm3");
++ ret = min(ret, tcrypt_test("sm3"));
+ break;
+
+ case 53:
+- ret += tcrypt_test("streebog256");
++ ret = min(ret, tcrypt_test("streebog256"));
+ break;
+
+ case 54:
+- ret += tcrypt_test("streebog512");
++ ret = min(ret, tcrypt_test("streebog512"));
+ break;
+
+ case 55:
+- ret += tcrypt_test("gcm(sm4)");
++ ret = min(ret, tcrypt_test("gcm(sm4)"));
+ break;
+
+ case 56:
+- ret += tcrypt_test("ccm(sm4)");
++ ret = min(ret, tcrypt_test("ccm(sm4)"));
+ break;
+
+ case 57:
+- ret += tcrypt_test("polyval");
++ ret = min(ret, tcrypt_test("polyval"));
+ break;
+
+ case 58:
+- ret += tcrypt_test("gcm(aria)");
++ ret = min(ret, tcrypt_test("gcm(aria)"));
+ break;
+
+ case 100:
+- ret += tcrypt_test("hmac(md5)");
++ ret = min(ret, tcrypt_test("hmac(md5)"));
+ break;
+
+ case 101:
+- ret += tcrypt_test("hmac(sha1)");
++ ret = min(ret, tcrypt_test("hmac(sha1)"));
+ break;
+
+ case 102:
+- ret += tcrypt_test("hmac(sha256)");
++ ret = min(ret, tcrypt_test("hmac(sha256)"));
+ break;
+
+ case 103:
+- ret += tcrypt_test("hmac(sha384)");
++ ret = min(ret, tcrypt_test("hmac(sha384)"));
+ break;
+
+ case 104:
+- ret += tcrypt_test("hmac(sha512)");
++ ret = min(ret, tcrypt_test("hmac(sha512)"));
+ break;
+
+ case 105:
+- ret += tcrypt_test("hmac(sha224)");
++ ret = min(ret, tcrypt_test("hmac(sha224)"));
+ break;
+
+ case 106:
+- ret += tcrypt_test("xcbc(aes)");
++ ret = min(ret, tcrypt_test("xcbc(aes)"));
+ break;
+
+ case 108:
+- ret += tcrypt_test("hmac(rmd160)");
++ ret = min(ret, tcrypt_test("hmac(rmd160)"));
+ break;
+
+ case 109:
+- ret += tcrypt_test("vmac64(aes)");
++ ret = min(ret, tcrypt_test("vmac64(aes)"));
+ break;
+
+ case 111:
+- ret += tcrypt_test("hmac(sha3-224)");
++ ret = min(ret, tcrypt_test("hmac(sha3-224)"));
+ break;
+
+ case 112:
+- ret += tcrypt_test("hmac(sha3-256)");
++ ret = min(ret, tcrypt_test("hmac(sha3-256)"));
+ break;
+
+ case 113:
+- ret += tcrypt_test("hmac(sha3-384)");
++ ret = min(ret, tcrypt_test("hmac(sha3-384)"));
+ break;
+
+ case 114:
+- ret += tcrypt_test("hmac(sha3-512)");
++ ret = min(ret, tcrypt_test("hmac(sha3-512)"));
+ break;
+
+ case 115:
+- ret += tcrypt_test("hmac(streebog256)");
++ ret = min(ret, tcrypt_test("hmac(streebog256)"));
+ break;
+
+ case 116:
+- ret += tcrypt_test("hmac(streebog512)");
++ ret = min(ret, tcrypt_test("hmac(streebog512)"));
+ break;
+
+ case 150:
+- ret += tcrypt_test("ansi_cprng");
++ ret = min(ret, tcrypt_test("ansi_cprng"));
+ break;
+
+ case 151:
+- ret += tcrypt_test("rfc4106(gcm(aes))");
++ ret = min(ret, tcrypt_test("rfc4106(gcm(aes))"));
+ break;
+
+ case 152:
+- ret += tcrypt_test("rfc4543(gcm(aes))");
++ ret = min(ret, tcrypt_test("rfc4543(gcm(aes))"));
+ break;
+
+ case 153:
+- ret += tcrypt_test("cmac(aes)");
++ ret = min(ret, tcrypt_test("cmac(aes)"));
+ break;
+
+ case 154:
+- ret += tcrypt_test("cmac(des3_ede)");
++ ret = min(ret, tcrypt_test("cmac(des3_ede)"));
+ break;
+
+ case 155:
+- ret += tcrypt_test("authenc(hmac(sha1),cbc(aes))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha1),cbc(aes))"));
+ break;
+
+ case 156:
+- ret += tcrypt_test("authenc(hmac(md5),ecb(cipher_null))");
++ ret = min(ret, tcrypt_test("authenc(hmac(md5),ecb(cipher_null))"));
+ break;
+
+ case 157:
+- ret += tcrypt_test("authenc(hmac(sha1),ecb(cipher_null))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha1),ecb(cipher_null))"));
+ break;
+
+ case 158:
+- ret += tcrypt_test("cbcmac(sm4)");
++ ret = min(ret, tcrypt_test("cbcmac(sm4)"));
+ break;
+
+ case 159:
+- ret += tcrypt_test("cmac(sm4)");
++ ret = min(ret, tcrypt_test("cmac(sm4)"));
+ break;
+
+ case 181:
+- ret += tcrypt_test("authenc(hmac(sha1),cbc(des))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha1),cbc(des))"));
+ break;
+ case 182:
+- ret += tcrypt_test("authenc(hmac(sha1),cbc(des3_ede))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha1),cbc(des3_ede))"));
+ break;
+ case 183:
+- ret += tcrypt_test("authenc(hmac(sha224),cbc(des))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha224),cbc(des))"));
+ break;
+ case 184:
+- ret += tcrypt_test("authenc(hmac(sha224),cbc(des3_ede))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha224),cbc(des3_ede))"));
+ break;
+ case 185:
+- ret += tcrypt_test("authenc(hmac(sha256),cbc(des))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha256),cbc(des))"));
+ break;
+ case 186:
+- ret += tcrypt_test("authenc(hmac(sha256),cbc(des3_ede))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha256),cbc(des3_ede))"));
+ break;
+ case 187:
+- ret += tcrypt_test("authenc(hmac(sha384),cbc(des))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha384),cbc(des))"));
+ break;
+ case 188:
+- ret += tcrypt_test("authenc(hmac(sha384),cbc(des3_ede))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha384),cbc(des3_ede))"));
+ break;
+ case 189:
+- ret += tcrypt_test("authenc(hmac(sha512),cbc(des))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha512),cbc(des))"));
+ break;
+ case 190:
+- ret += tcrypt_test("authenc(hmac(sha512),cbc(des3_ede))");
++ ret = min(ret, tcrypt_test("authenc(hmac(sha512),cbc(des3_ede))"));
+ break;
+ case 191:
+- ret += tcrypt_test("ecb(sm4)");
+- ret += tcrypt_test("cbc(sm4)");
+- ret += tcrypt_test("cfb(sm4)");
+- ret += tcrypt_test("ctr(sm4)");
++ ret = min(ret, tcrypt_test("ecb(sm4)"));
++ ret = min(ret, tcrypt_test("cbc(sm4)"));
++ ret = min(ret, tcrypt_test("cfb(sm4)"));
++ ret = min(ret, tcrypt_test("ctr(sm4)"));
+ break;
+ case 192:
+- ret += tcrypt_test("ecb(aria)");
+- ret += tcrypt_test("cbc(aria)");
+- ret += tcrypt_test("cfb(aria)");
+- ret += tcrypt_test("ctr(aria)");
++ ret = min(ret, tcrypt_test("ecb(aria)"));
++ ret = min(ret, tcrypt_test("cbc(aria)"));
++ ret = min(ret, tcrypt_test("cfb(aria)"));
++ ret = min(ret, tcrypt_test("ctr(aria)"));
+ break;
+ case 200:
+ test_cipher_speed("ecb(aes)", ENCRYPT, sec, NULL, 0,
+--
+2.35.1
+
--- /dev/null
+From 5a1649b4906bb83940c74eccf2f1e28581480453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 22:54:39 +0800
+Subject: cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 61c80d1c3833e196256fb060382db94f24d3d9a7 ]
+
+If device_register() fails in cxl_register_afu|adapter(), the device
+is not added, device_unregister() can not be called in the error path,
+otherwise it will cause a null-ptr-deref because of removing not added
+device.
+
+As comment of device_register() says, it should use put_device() to give
+up the reference in the error path. So split device_unregister() into
+device_del() and put_device(), then goes to put dev when register fails.
+
+Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221111145440.2426970-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/cxl/guest.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/misc/cxl/guest.c b/drivers/misc/cxl/guest.c
+index 375f692ae9d6..fb95a2d5cef4 100644
+--- a/drivers/misc/cxl/guest.c
++++ b/drivers/misc/cxl/guest.c
+@@ -965,10 +965,10 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
+ * if it returns an error!
+ */
+ if ((rc = cxl_register_afu(afu)))
+- goto err_put1;
++ goto err_put_dev;
+
+ if ((rc = cxl_sysfs_afu_add(afu)))
+- goto err_put1;
++ goto err_del_dev;
+
+ /*
+ * pHyp doesn't expose the programming models supported by the
+@@ -984,7 +984,7 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
+ afu->modes_supported = CXL_MODE_DIRECTED;
+
+ if ((rc = cxl_afu_select_best_mode(afu)))
+- goto err_put2;
++ goto err_remove_sysfs;
+
+ adapter->afu[afu->slice] = afu;
+
+@@ -1004,10 +1004,12 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
+
+ return 0;
+
+-err_put2:
++err_remove_sysfs:
+ cxl_sysfs_afu_remove(afu);
+-err_put1:
+- device_unregister(&afu->dev);
++err_del_dev:
++ device_del(&afu->dev);
++err_put_dev:
++ put_device(&afu->dev);
+ free = false;
+ guest_release_serr_irq(afu);
+ err2:
+@@ -1141,18 +1143,20 @@ struct cxl *cxl_guest_init_adapter(struct device_node *np, struct platform_devic
+ * even if it returns an error!
+ */
+ if ((rc = cxl_register_adapter(adapter)))
+- goto err_put1;
++ goto err_put_dev;
+
+ if ((rc = cxl_sysfs_adapter_add(adapter)))
+- goto err_put1;
++ goto err_del_dev;
+
+ /* release the context lock as the adapter is configured */
+ cxl_adapter_context_unlock(adapter);
+
+ return adapter;
+
+-err_put1:
+- device_unregister(&adapter->dev);
++err_del_dev:
++ device_del(&adapter->dev);
++err_put_dev:
++ put_device(&adapter->dev);
+ free = false;
+ cxl_guest_remove_chardev(adapter);
+ err1:
+--
+2.35.1
+
--- /dev/null
+From b479fade14b317d8255e72ea92e13361286ff2c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 22:54:40 +0800
+Subject: cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 02cd3032b154fa02fdf90e7467abaeed889330b2 ]
+
+If device_register() fails in cxl_pci_afu|adapter(), the device
+is not added, device_unregister() can not be called in the error
+path, otherwise it will cause a null-ptr-deref because of removing
+not added device.
+
+As comment of device_register() says, it should use put_device() to give
+up the reference in the error path. So split device_unregister() into
+device_del() and put_device(), then goes to put dev when register fails.
+
+Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221111145440.2426970-2-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/cxl/pci.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c
+index 3de0aea62ade..6d495d641c95 100644
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -1164,10 +1164,10 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev)
+ * if it returns an error!
+ */
+ if ((rc = cxl_register_afu(afu)))
+- goto err_put1;
++ goto err_put_dev;
+
+ if ((rc = cxl_sysfs_afu_add(afu)))
+- goto err_put1;
++ goto err_del_dev;
+
+ adapter->afu[afu->slice] = afu;
+
+@@ -1176,10 +1176,12 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev)
+
+ return 0;
+
+-err_put1:
++err_del_dev:
++ device_del(&afu->dev);
++err_put_dev:
+ pci_deconfigure_afu(afu);
+ cxl_debugfs_afu_remove(afu);
+- device_unregister(&afu->dev);
++ put_device(&afu->dev);
+ return rc;
+
+ err_free_native:
+@@ -1667,23 +1669,25 @@ static struct cxl *cxl_pci_init_adapter(struct pci_dev *dev)
+ * even if it returns an error!
+ */
+ if ((rc = cxl_register_adapter(adapter)))
+- goto err_put1;
++ goto err_put_dev;
+
+ if ((rc = cxl_sysfs_adapter_add(adapter)))
+- goto err_put1;
++ goto err_del_dev;
+
+ /* Release the context lock as adapter is configured */
+ cxl_adapter_context_unlock(adapter);
+
+ return adapter;
+
+-err_put1:
++err_del_dev:
++ device_del(&adapter->dev);
++err_put_dev:
+ /* This should mirror cxl_remove_adapter, except without the
+ * sysfs parts
+ */
+ cxl_debugfs_adapter_remove(adapter);
+ cxl_deconfigure_adapter(adapter);
+- device_unregister(&adapter->dev);
++ put_device(&adapter->dev);
+ return ERR_PTR(rc);
+
+ err_release:
+--
+2.35.1
+
--- /dev/null
+From 6725f3f21233f446c7fec723ba95dd744cf130fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Jun 2022 10:00:38 +0400
+Subject: cxl: Fix refcount leak in cxl_calc_capp_routing
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 1d09697ff22908ae487fc8c4fbde1811732be523 ]
+
+of_get_next_parent() returns a node pointer with refcount incremented,
+we should use of_node_put() on it when not need anymore.
+This function only calls of_node_put() in normal path,
+missing it in the error path.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: f24be42aab37 ("cxl: Add psl9 specific code")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220605060038.62217-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/cxl/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c
+index 6d495d641c95..0ff944860dda 100644
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -387,6 +387,7 @@ int cxl_calc_capp_routing(struct pci_dev *dev, u64 *chipid,
+ rc = get_phb_index(np, phb_index);
+ if (rc) {
+ pr_err("cxl: invalid phb index\n");
++ of_node_put(np);
+ return rc;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 307f5c9761f654af8849ef8c6a7fc7e0a4a47bc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 02:24:18 +0900
+Subject: debugfs: fix error when writing negative value to atomic_t debugfs
+ file
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit d472cf797c4e268613dbce5ec9b95d0bcae19ecb ]
+
+The simple attribute files do not accept a negative value since the commit
+488dac0c9237 ("libfs: fix error cast of negative value in
+simple_attr_write()"), so we have to use a 64-bit value to write a
+negative value for a debugfs file created by debugfs_create_atomic_t().
+
+This restores the previous behaviour by introducing
+DEFINE_DEBUGFS_ATTRIBUTE_SIGNED for a signed value.
+
+Link: https://lkml.kernel.org/r/20220919172418.45257-4-akinobu.mita@gmail.com
+Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Rafael J. Wysocki <rafael@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Wei Yongjun <weiyongjun1@huawei.com>
+Cc: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../fault-injection/fault-injection.rst | 10 +++----
+ fs/debugfs/file.c | 28 +++++++++++++++----
+ include/linux/debugfs.h | 19 +++++++++++--
+ 3 files changed, 43 insertions(+), 14 deletions(-)
+
+diff --git a/Documentation/fault-injection/fault-injection.rst b/Documentation/fault-injection/fault-injection.rst
+index 17779a2772e5..5f6454b9dbd4 100644
+--- a/Documentation/fault-injection/fault-injection.rst
++++ b/Documentation/fault-injection/fault-injection.rst
+@@ -83,9 +83,7 @@ configuration of fault-injection capabilities.
+ - /sys/kernel/debug/fail*/times:
+
+ specifies how many times failures may happen at most. A value of -1
+- means "no limit". Note, though, that this file only accepts unsigned
+- values. So, if you want to specify -1, you better use 'printf' instead
+- of 'echo', e.g.: $ printf %#x -1 > times
++ means "no limit".
+
+ - /sys/kernel/debug/fail*/space:
+
+@@ -284,7 +282,7 @@ Application Examples
+ echo Y > /sys/kernel/debug/$FAILTYPE/task-filter
+ echo 10 > /sys/kernel/debug/$FAILTYPE/probability
+ echo 100 > /sys/kernel/debug/$FAILTYPE/interval
+- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
++ echo -1 > /sys/kernel/debug/$FAILTYPE/times
+ echo 0 > /sys/kernel/debug/$FAILTYPE/space
+ echo 2 > /sys/kernel/debug/$FAILTYPE/verbose
+ echo Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait
+@@ -338,7 +336,7 @@ Application Examples
+ echo N > /sys/kernel/debug/$FAILTYPE/task-filter
+ echo 10 > /sys/kernel/debug/$FAILTYPE/probability
+ echo 100 > /sys/kernel/debug/$FAILTYPE/interval
+- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
++ echo -1 > /sys/kernel/debug/$FAILTYPE/times
+ echo 0 > /sys/kernel/debug/$FAILTYPE/space
+ echo 2 > /sys/kernel/debug/$FAILTYPE/verbose
+ echo Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait
+@@ -369,7 +367,7 @@ Application Examples
+ echo N > /sys/kernel/debug/$FAILTYPE/task-filter
+ echo 100 > /sys/kernel/debug/$FAILTYPE/probability
+ echo 0 > /sys/kernel/debug/$FAILTYPE/interval
+- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
++ echo -1 > /sys/kernel/debug/$FAILTYPE/times
+ echo 0 > /sys/kernel/debug/$FAILTYPE/space
+ echo 1 > /sys/kernel/debug/$FAILTYPE/verbose
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 950c63fa4d0b..38930d9b0bb7 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -378,8 +378,8 @@ ssize_t debugfs_attr_read(struct file *file, char __user *buf,
+ }
+ EXPORT_SYMBOL_GPL(debugfs_attr_read);
+
+-ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
+- size_t len, loff_t *ppos)
++static ssize_t debugfs_attr_write_xsigned(struct file *file, const char __user *buf,
++ size_t len, loff_t *ppos, bool is_signed)
+ {
+ struct dentry *dentry = F_DENTRY(file);
+ ssize_t ret;
+@@ -387,12 +387,28 @@ ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
+ ret = debugfs_file_get(dentry);
+ if (unlikely(ret))
+ return ret;
+- ret = simple_attr_write(file, buf, len, ppos);
++ if (is_signed)
++ ret = simple_attr_write_signed(file, buf, len, ppos);
++ else
++ ret = simple_attr_write(file, buf, len, ppos);
+ debugfs_file_put(dentry);
+ return ret;
+ }
++
++ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
++ size_t len, loff_t *ppos)
++{
++ return debugfs_attr_write_xsigned(file, buf, len, ppos, false);
++}
+ EXPORT_SYMBOL_GPL(debugfs_attr_write);
+
++ssize_t debugfs_attr_write_signed(struct file *file, const char __user *buf,
++ size_t len, loff_t *ppos)
++{
++ return debugfs_attr_write_xsigned(file, buf, len, ppos, true);
++}
++EXPORT_SYMBOL_GPL(debugfs_attr_write_signed);
++
+ static struct dentry *debugfs_create_mode_unsafe(const char *name, umode_t mode,
+ struct dentry *parent, void *value,
+ const struct file_operations *fops,
+@@ -738,11 +754,11 @@ static int debugfs_atomic_t_get(void *data, u64 *val)
+ *val = atomic_read((atomic_t *)data);
+ return 0;
+ }
+-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t, debugfs_atomic_t_get,
++DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t, debugfs_atomic_t_get,
+ debugfs_atomic_t_set, "%lld\n");
+-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t_ro, debugfs_atomic_t_get, NULL,
++DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t_ro, debugfs_atomic_t_get, NULL,
+ "%lld\n");
+-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t_wo, NULL, debugfs_atomic_t_set,
++DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t_wo, NULL, debugfs_atomic_t_set,
+ "%lld\n");
+
+ /**
+diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h
+index f60674692d36..ea2d919fd9c7 100644
+--- a/include/linux/debugfs.h
++++ b/include/linux/debugfs.h
+@@ -45,7 +45,7 @@ struct debugfs_u32_array {
+
+ extern struct dentry *arch_debugfs_dir;
+
+-#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \
++#define DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, __is_signed) \
+ static int __fops ## _open(struct inode *inode, struct file *file) \
+ { \
+ __simple_attr_check_format(__fmt, 0ull); \
+@@ -56,10 +56,16 @@ static const struct file_operations __fops = { \
+ .open = __fops ## _open, \
+ .release = simple_attr_release, \
+ .read = debugfs_attr_read, \
+- .write = debugfs_attr_write, \
++ .write = (__is_signed) ? debugfs_attr_write_signed : debugfs_attr_write, \
+ .llseek = no_llseek, \
+ }
+
++#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \
++ DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, false)
++
++#define DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(__fops, __get, __set, __fmt) \
++ DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, true)
++
+ typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *);
+
+ #if defined(CONFIG_DEBUG_FS)
+@@ -102,6 +108,8 @@ ssize_t debugfs_attr_read(struct file *file, char __user *buf,
+ size_t len, loff_t *ppos);
+ ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos);
++ssize_t debugfs_attr_write_signed(struct file *file, const char __user *buf,
++ size_t len, loff_t *ppos);
+
+ struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
+ struct dentry *new_dir, const char *new_name);
+@@ -254,6 +262,13 @@ static inline ssize_t debugfs_attr_write(struct file *file,
+ return -ENODEV;
+ }
+
++static inline ssize_t debugfs_attr_write_signed(struct file *file,
++ const char __user *buf,
++ size_t len, loff_t *ppos)
++{
++ return -ENODEV;
++}
++
+ static inline struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
+ struct dentry *new_dir, char *new_name)
+ {
+--
+2.35.1
+
--- /dev/null
+From 7900cb775b18791f4a8f72eb85270f94920684ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 18:01:00 -0800
+Subject: devlink: hold region lock when flushing snapshots
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit b4cafb3d2c740f8d1b1234b43ac4a60e5291c960 ]
+
+Netdevsim triggers a splat on reload, when it destroys regions
+with snapshots pending:
+
+ WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140
+ CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c #580
+ RIP: 0010:devlink_region_snapshot_del+0x12e/0x140
+ Call Trace:
+ <TASK>
+ devl_region_destroy+0x70/0x140
+ nsim_dev_reload_down+0x2f/0x60 [netdevsim]
+ devlink_reload+0x1f7/0x360
+ devlink_nl_cmd_reload+0x6ce/0x860
+ genl_family_rcv_msg_doit.isra.0+0x145/0x1c0
+
+This is the locking assert in devlink_region_snapshot_del(),
+we're supposed to be holding the region->snapshot_lock here.
+
+Fixes: 2dec18ad826f ("net: devlink: remove region snapshots list dependency on devlink->lock")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/devlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index cfa6a099457a..b3a869ccc8ed 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -11358,8 +11358,10 @@ void devl_region_destroy(struct devlink_region *region)
+ devl_assert_locked(devlink);
+
+ /* Free all snapshots of region */
++ mutex_lock(®ion->snapshot_lock);
+ list_for_each_entry_safe(snapshot, ts, ®ion->snapshot_list, list)
+ devlink_region_snapshot_del(region, snapshot);
++ mutex_unlock(®ion->snapshot_lock);
+
+ list_del(®ion->list);
+ mutex_destroy(®ion->snapshot_lock);
+--
+2.35.1
+
--- /dev/null
+From f2847aa712f0534fb0dd6b944bb3cf1097500f33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 20:41:22 -0800
+Subject: devlink: protect devlink dump by the instance lock
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 214964a13ab56a9757d146b79b468a7ca190fbfb ]
+
+Take the instance lock around devlink_nl_fill() when dumping,
+doit takes it already.
+
+We are only dumping basic info so in the worst case we were risking
+data races around the reload statistics. Until the big devlink mutex
+was removed all relevant code was protected by it, so the missing
+instance lock was not exposed.
+
+Fixes: d3efc2a6a6d8 ("net: devlink: remove devlink_mutex")
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20221216044122.1863550-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/devlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index b3a869ccc8ed..5f894bd20c31 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -1498,10 +1498,13 @@ static int devlink_nl_cmd_get_dumpit(struct sk_buff *msg,
+ continue;
+ }
+
++ devl_lock(devlink);
+ err = devlink_nl_fill(msg, devlink, DEVLINK_CMD_NEW,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq, NLM_F_MULTI);
++ devl_unlock(devlink);
+ devlink_put(devlink);
++
+ if (err)
+ goto out;
+ idx++;
+--
+2.35.1
+
--- /dev/null
+From c2e030d1f11b79659e1f2f8b3766888fd85642b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 22:10:48 +0800
+Subject: dm: cleanup close_table_device
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7b5865831c1003122f737df5e16adaa583f1a595 ]
+
+Take the list unlink and free into close_table_device so that no half
+torn down table_devices exist. Also remove the check for a NULL bdev
+as that can't happen - open_table_device never adds a table_device to
+the list that does not have a valid block_device.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Link: https://lore.kernel.org/r/20221115141054.1051801-5-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 1a581b721699 ("dm: track per-add_disk holder relations in DM")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 1903afa4618a..620abcef2df5 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -774,14 +774,11 @@ static struct table_device *open_table_device(struct mapped_device *md,
+ */
+ static void close_table_device(struct table_device *td, struct mapped_device *md)
+ {
+- if (!td->dm_dev.bdev)
+- return;
+-
+ bd_unlink_disk_holder(td->dm_dev.bdev, dm_disk(md));
+ blkdev_put(td->dm_dev.bdev, td->dm_dev.mode | FMODE_EXCL);
+ put_dax(td->dm_dev.dax_dev);
+- td->dm_dev.bdev = NULL;
+- td->dm_dev.dax_dev = NULL;
++ list_del(&td->list);
++ kfree(td);
+ }
+
+ static struct table_device *find_table_device(struct list_head *l, dev_t dev,
+@@ -823,11 +820,8 @@ void dm_put_table_device(struct mapped_device *md, struct dm_dev *d)
+ struct table_device *td = container_of(d, struct table_device, dm_dev);
+
+ mutex_lock(&md->table_devices_lock);
+- if (refcount_dec_and_test(&td->count)) {
++ if (refcount_dec_and_test(&td->count))
+ close_table_device(td, md);
+- list_del(&td->list);
+- kfree(td);
+- }
+ mutex_unlock(&md->table_devices_lock);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 59f455a845a2554f4412de46c93889723f8b34ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 22:10:47 +0800
+Subject: dm: cleanup open_table_device
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit b9a785d2dc6567b2fd9fc60057a6a945a276927a ]
+
+Move all the logic for allocation the table_device and linking it into
+the list into the open_table_device. This keeps the code tidy and
+ensures that the table_devices only exist in fully initialized state.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Link: https://lore.kernel.org/r/20221115141054.1051801-4-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 1a581b721699 ("dm: track per-add_disk holder relations in DM")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 56 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 27 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index b4a2cb5333fc..1903afa4618a 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -732,28 +732,41 @@ static char *_dm_claim_ptr = "I belong to device-mapper";
+ /*
+ * Open a table device so we can use it as a map destination.
+ */
+-static int open_table_device(struct table_device *td, dev_t dev,
+- struct mapped_device *md)
++static struct table_device *open_table_device(struct mapped_device *md,
++ dev_t dev, fmode_t mode)
+ {
++ struct table_device *td;
+ struct block_device *bdev;
+ u64 part_off;
+ int r;
+
+- BUG_ON(td->dm_dev.bdev);
++ td = kmalloc_node(sizeof(*td), GFP_KERNEL, md->numa_node_id);
++ if (!td)
++ return ERR_PTR(-ENOMEM);
++ refcount_set(&td->count, 1);
+
+- bdev = blkdev_get_by_dev(dev, td->dm_dev.mode | FMODE_EXCL, _dm_claim_ptr);
+- if (IS_ERR(bdev))
+- return PTR_ERR(bdev);
++ bdev = blkdev_get_by_dev(dev, mode | FMODE_EXCL, _dm_claim_ptr);
++ if (IS_ERR(bdev)) {
++ r = PTR_ERR(bdev);
++ goto out_free_td;
++ }
+
+ r = bd_link_disk_holder(bdev, dm_disk(md));
+- if (r) {
+- blkdev_put(bdev, td->dm_dev.mode | FMODE_EXCL);
+- return r;
+- }
++ if (r)
++ goto out_blkdev_put;
+
++ td->dm_dev.mode = mode;
+ td->dm_dev.bdev = bdev;
+ td->dm_dev.dax_dev = fs_dax_get_by_bdev(bdev, &part_off, NULL, NULL);
+- return 0;
++ format_dev_t(td->dm_dev.name, dev);
++ list_add(&td->list, &md->table_devices);
++ return td;
++
++out_blkdev_put:
++ blkdev_put(bdev, mode | FMODE_EXCL);
++out_free_td:
++ kfree(td);
++ return ERR_PTR(r);
+ }
+
+ /*
+@@ -786,31 +799,16 @@ static struct table_device *find_table_device(struct list_head *l, dev_t dev,
+ int dm_get_table_device(struct mapped_device *md, dev_t dev, fmode_t mode,
+ struct dm_dev **result)
+ {
+- int r;
+ struct table_device *td;
+
+ mutex_lock(&md->table_devices_lock);
+ td = find_table_device(&md->table_devices, dev, mode);
+ if (!td) {
+- td = kmalloc_node(sizeof(*td), GFP_KERNEL, md->numa_node_id);
+- if (!td) {
+- mutex_unlock(&md->table_devices_lock);
+- return -ENOMEM;
+- }
+-
+- td->dm_dev.mode = mode;
+- td->dm_dev.bdev = NULL;
+-
+- if ((r = open_table_device(td, dev, md))) {
++ td = open_table_device(md, dev, mode);
++ if (IS_ERR(td)) {
+ mutex_unlock(&md->table_devices_lock);
+- kfree(td);
+- return r;
++ return PTR_ERR(td);
+ }
+-
+- format_dev_t(td->dm_dev.name, dev);
+-
+- refcount_set(&td->count, 1);
+- list_add(&td->list, &md->table_devices);
+ } else {
+ refcount_inc(&td->count);
+ }
+--
+2.35.1
+
--- /dev/null
+From 5ac9f51dd35fc9f760091bba7d3e9f510622be15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 22:10:49 +0800
+Subject: dm: make sure create and remove dm device won't race with open and
+ close table
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit d563792c8933a810d28ce0f2831f0726c2b15a31 ]
+
+open_table_device() and close_table_device() is protected by
+table_devices_lock, hence use it to protect add_disk() and
+del_gendisk().
+
+Prepare to track per-add_disk holder relations in dm.
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20221115141054.1051801-6-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 1a581b721699 ("dm: track per-add_disk holder relations in DM")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 620abcef2df5..e7fc2a69633c 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1965,7 +1965,14 @@ static void cleanup_mapped_device(struct mapped_device *md)
+ spin_unlock(&_minor_lock);
+ if (dm_get_md_type(md) != DM_TYPE_NONE) {
+ dm_sysfs_exit(md);
++
++ /*
++ * Hold lock to make sure del_gendisk() won't concurrent
++ * with open/close_table_device().
++ */
++ mutex_lock(&md->table_devices_lock);
+ del_gendisk(md->disk);
++ mutex_unlock(&md->table_devices_lock);
+ }
+ dm_queue_destroy_crypto_profile(md->queue);
+ put_disk(md->disk);
+@@ -2325,15 +2332,24 @@ int dm_setup_md_queue(struct mapped_device *md, struct dm_table *t)
+ if (r)
+ return r;
+
++ /*
++ * Hold lock to make sure add_disk() and del_gendisk() won't concurrent
++ * with open_table_device() and close_table_device().
++ */
++ mutex_lock(&md->table_devices_lock);
+ r = add_disk(md->disk);
++ mutex_unlock(&md->table_devices_lock);
+ if (r)
+ return r;
+
+ r = dm_sysfs_init(md);
+ if (r) {
++ mutex_lock(&md->table_devices_lock);
+ del_gendisk(md->disk);
++ mutex_unlock(&md->table_devices_lock);
+ return r;
+ }
++
+ md->type = type;
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From a55bcb965cbb8704e1aa6c6ddd7ebca9373a966a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 22:10:50 +0800
+Subject: dm: track per-add_disk holder relations in DM
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 1a581b72169968f4154b5793828f3bc28b258b35 ]
+
+dm is a bit special in that it opens the underlying devices. Commit
+89f871af1b26 ("dm: delay registering the gendisk") tried to accommodate
+that by allowing to add the holder to the list before add_gendisk and
+then just add them to sysfs once add_disk is called. But that leads to
+really odd lifetime problems and error handling problems as we can't
+know the state of the kobjects and don't unwind properly. To fix this
+switch to just registering all existing table_devices with the holder
+code right after add_disk, and remove them before calling del_gendisk.
+
+Fixes: 89f871af1b26 ("dm: delay registering the gendisk")
+Reported-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Link: https://lore.kernel.org/r/20221115141054.1051801-7-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 49 +++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 39 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index e7fc2a69633c..bbde744f7dba 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -751,9 +751,16 @@ static struct table_device *open_table_device(struct mapped_device *md,
+ goto out_free_td;
+ }
+
+- r = bd_link_disk_holder(bdev, dm_disk(md));
+- if (r)
+- goto out_blkdev_put;
++ /*
++ * We can be called before the dm disk is added. In that case we can't
++ * register the holder relation here. It will be done once add_disk was
++ * called.
++ */
++ if (md->disk->slave_dir) {
++ r = bd_link_disk_holder(bdev, md->disk);
++ if (r)
++ goto out_blkdev_put;
++ }
+
+ td->dm_dev.mode = mode;
+ td->dm_dev.bdev = bdev;
+@@ -774,7 +781,8 @@ static struct table_device *open_table_device(struct mapped_device *md,
+ */
+ static void close_table_device(struct table_device *td, struct mapped_device *md)
+ {
+- bd_unlink_disk_holder(td->dm_dev.bdev, dm_disk(md));
++ if (md->disk->slave_dir)
++ bd_unlink_disk_holder(td->dm_dev.bdev, md->disk);
+ blkdev_put(td->dm_dev.bdev, td->dm_dev.mode | FMODE_EXCL);
+ put_dax(td->dm_dev.dax_dev);
+ list_del(&td->list);
+@@ -1964,7 +1972,13 @@ static void cleanup_mapped_device(struct mapped_device *md)
+ md->disk->private_data = NULL;
+ spin_unlock(&_minor_lock);
+ if (dm_get_md_type(md) != DM_TYPE_NONE) {
++ struct table_device *td;
++
+ dm_sysfs_exit(md);
++ list_for_each_entry(td, &md->table_devices, list) {
++ bd_unlink_disk_holder(td->dm_dev.bdev,
++ md->disk);
++ }
+
+ /*
+ * Hold lock to make sure del_gendisk() won't concurrent
+@@ -2304,6 +2318,7 @@ int dm_setup_md_queue(struct mapped_device *md, struct dm_table *t)
+ {
+ enum dm_queue_mode type = dm_table_get_type(t);
+ struct queue_limits limits;
++ struct table_device *td;
+ int r;
+
+ switch (type) {
+@@ -2342,16 +2357,30 @@ int dm_setup_md_queue(struct mapped_device *md, struct dm_table *t)
+ if (r)
+ return r;
+
+- r = dm_sysfs_init(md);
+- if (r) {
+- mutex_lock(&md->table_devices_lock);
+- del_gendisk(md->disk);
+- mutex_unlock(&md->table_devices_lock);
+- return r;
++ /*
++ * Register the holder relationship for devices added before the disk
++ * was live.
++ */
++ list_for_each_entry(td, &md->table_devices, list) {
++ r = bd_link_disk_holder(td->dm_dev.bdev, md->disk);
++ if (r)
++ goto out_undo_holders;
+ }
+
++ r = dm_sysfs_init(md);
++ if (r)
++ goto out_undo_holders;
++
+ md->type = type;
+ return 0;
++
++out_undo_holders:
++ list_for_each_entry_continue_reverse(td, &md->table_devices, list)
++ bd_unlink_disk_holder(td->dm_dev.bdev, md->disk);
++ mutex_lock(&md->table_devices_lock);
++ del_gendisk(md->disk);
++ mutex_unlock(&md->table_devices_lock);
++ return r;
+ }
+
+ struct mapped_device *dm_get_md(dev_t dev)
+--
+2.35.1
+
--- /dev/null
+From aec679a754a7b4ddee426694d18178fa8cb5f574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Oct 2022 15:23:24 +0200
+Subject: dmaengine: apple-admac: Allocate cache SRAM to channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit 568aa6dd641f63166bb60d769e256789b3ac42d4 ]
+
+There's a previously unknown part of the controller interface: We have
+to assign SRAM carveouts to channels to store their in-flight samples
+in. So, obtain the size of the SRAM from a read-only register and divide
+it into 2K blocks for allocation to channels. The FIFO depths we
+configure will always fit into 2K.
+
+(This fixes audio artifacts during simultaneous playback/capture on
+multiple channels -- which looking back is fully accounted for by having
+had the caches in the DMA controller overlap in memory.)
+
+Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20221019132324.8585-2-povik+lin@cutebit.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/apple-admac.c | 102 +++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 101 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c
+index d69ed9c93648..e3334762be85 100644
+--- a/drivers/dma/apple-admac.c
++++ b/drivers/dma/apple-admac.c
+@@ -20,6 +20,12 @@
+ #define NCHANNELS_MAX 64
+ #define IRQ_NOUTPUTS 4
+
++/*
++ * For allocation purposes we split the cache
++ * memory into blocks of fixed size (given in bytes).
++ */
++#define SRAM_BLOCK 2048
++
+ #define RING_WRITE_SLOT GENMASK(1, 0)
+ #define RING_READ_SLOT GENMASK(5, 4)
+ #define RING_FULL BIT(9)
+@@ -35,6 +41,9 @@
+ #define REG_TX_STOP 0x0004
+ #define REG_RX_START 0x0008
+ #define REG_RX_STOP 0x000c
++#define REG_IMPRINT 0x0090
++#define REG_TX_SRAM_SIZE 0x0094
++#define REG_RX_SRAM_SIZE 0x0098
+
+ #define REG_CHAN_CTL(ch) (0x8000 + (ch) * 0x200)
+ #define REG_CHAN_CTL_RST_RINGS BIT(0)
+@@ -52,7 +61,9 @@
+ #define BUS_WIDTH_FRAME_2_WORDS 0x10
+ #define BUS_WIDTH_FRAME_4_WORDS 0x20
+
+-#define CHAN_BUFSIZE 0x8000
++#define REG_CHAN_SRAM_CARVEOUT(ch) (0x8050 + (ch) * 0x200)
++#define CHAN_SRAM_CARVEOUT_SIZE GENMASK(31, 16)
++#define CHAN_SRAM_CARVEOUT_BASE GENMASK(15, 0)
+
+ #define REG_CHAN_FIFOCTL(ch) (0x8054 + (ch) * 0x200)
+ #define CHAN_FIFOCTL_LIMIT GENMASK(31, 16)
+@@ -75,6 +86,8 @@ struct admac_chan {
+ struct dma_chan chan;
+ struct tasklet_struct tasklet;
+
++ u32 carveout;
++
+ spinlock_t lock;
+ struct admac_tx *current_tx;
+ int nperiod_acks;
+@@ -91,11 +104,23 @@ struct admac_chan {
+ struct list_head to_free;
+ };
+
++struct admac_sram {
++ u32 size;
++ /*
++ * SRAM_CARVEOUT has 16-bit fields, so the SRAM cannot be larger than
++ * 64K and a 32-bit bitfield over 2K blocks covers it.
++ */
++ u32 allocated;
++};
++
+ struct admac_data {
+ struct dma_device dma;
+ struct device *dev;
+ __iomem void *base;
+
++ struct mutex cache_alloc_lock;
++ struct admac_sram txcache, rxcache;
++
+ int irq;
+ int irq_index;
+ int nchannels;
+@@ -116,6 +141,60 @@ struct admac_tx {
+ struct list_head node;
+ };
+
++static int admac_alloc_sram_carveout(struct admac_data *ad,
++ enum dma_transfer_direction dir,
++ u32 *out)
++{
++ struct admac_sram *sram;
++ int i, ret = 0, nblocks;
++
++ if (dir == DMA_MEM_TO_DEV)
++ sram = &ad->txcache;
++ else
++ sram = &ad->rxcache;
++
++ mutex_lock(&ad->cache_alloc_lock);
++
++ nblocks = sram->size / SRAM_BLOCK;
++ for (i = 0; i < nblocks; i++)
++ if (!(sram->allocated & BIT(i)))
++ break;
++
++ if (i < nblocks) {
++ *out = FIELD_PREP(CHAN_SRAM_CARVEOUT_BASE, i * SRAM_BLOCK) |
++ FIELD_PREP(CHAN_SRAM_CARVEOUT_SIZE, SRAM_BLOCK);
++ sram->allocated |= BIT(i);
++ } else {
++ ret = -EBUSY;
++ }
++
++ mutex_unlock(&ad->cache_alloc_lock);
++
++ return ret;
++}
++
++static void admac_free_sram_carveout(struct admac_data *ad,
++ enum dma_transfer_direction dir,
++ u32 carveout)
++{
++ struct admac_sram *sram;
++ u32 base = FIELD_GET(CHAN_SRAM_CARVEOUT_BASE, carveout);
++ int i;
++
++ if (dir == DMA_MEM_TO_DEV)
++ sram = &ad->txcache;
++ else
++ sram = &ad->rxcache;
++
++ if (WARN_ON(base >= sram->size))
++ return;
++
++ mutex_lock(&ad->cache_alloc_lock);
++ i = base / SRAM_BLOCK;
++ sram->allocated &= ~BIT(i);
++ mutex_unlock(&ad->cache_alloc_lock);
++}
++
+ static void admac_modify(struct admac_data *ad, int reg, u32 mask, u32 val)
+ {
+ void __iomem *addr = ad->base + reg;
+@@ -464,15 +543,28 @@ static void admac_synchronize(struct dma_chan *chan)
+ static int admac_alloc_chan_resources(struct dma_chan *chan)
+ {
+ struct admac_chan *adchan = to_admac_chan(chan);
++ struct admac_data *ad = adchan->host;
++ int ret;
+
+ dma_cookie_init(&adchan->chan);
++ ret = admac_alloc_sram_carveout(ad, admac_chan_direction(adchan->no),
++ &adchan->carveout);
++ if (ret < 0)
++ return ret;
++
++ writel_relaxed(adchan->carveout,
++ ad->base + REG_CHAN_SRAM_CARVEOUT(adchan->no));
+ return 0;
+ }
+
+ static void admac_free_chan_resources(struct dma_chan *chan)
+ {
++ struct admac_chan *adchan = to_admac_chan(chan);
++
+ admac_terminate_all(chan);
+ admac_synchronize(chan);
++ admac_free_sram_carveout(adchan->host, admac_chan_direction(adchan->no),
++ adchan->carveout);
+ }
+
+ static struct dma_chan *admac_dma_of_xlate(struct of_phandle_args *dma_spec,
+@@ -710,6 +802,7 @@ static int admac_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, ad);
+ ad->dev = &pdev->dev;
+ ad->nchannels = nchannels;
++ mutex_init(&ad->cache_alloc_lock);
+
+ /*
+ * The controller has 4 IRQ outputs. Try them all until
+@@ -788,6 +881,13 @@ static int admac_probe(struct platform_device *pdev)
+ goto free_irq;
+ }
+
++ ad->txcache.size = readl_relaxed(ad->base + REG_TX_SRAM_SIZE);
++ ad->rxcache.size = readl_relaxed(ad->base + REG_RX_SRAM_SIZE);
++
++ dev_info(&pdev->dev, "Audio DMA Controller\n");
++ dev_info(&pdev->dev, "imprint %x TX cache %u RX cache %u\n",
++ readl_relaxed(ad->base + REG_IMPRINT), ad->txcache.size, ad->rxcache.size);
++
+ return 0;
+
+ free_irq:
+--
+2.35.1
+
--- /dev/null
+From c1cd60030af21908582ae4eadcf1bc18175480bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Sep 2022 11:58:44 +0200
+Subject: dmaengine: apple-admac: Do not use devres for IRQs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit 072431595a57bc6605c29724afce5f9ef8114915 ]
+
+This is in advance of adding support for triggering the reset signal to
+the peripheral, since registering the IRQ handler will have to be
+sequenced with it.
+
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20220918095845.68860-4-povik+lin@cutebit.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 568aa6dd641f ("dmaengine: apple-admac: Allocate cache SRAM to channels")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/apple-admac.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c
+index 6780761a1640..d69ed9c93648 100644
+--- a/drivers/dma/apple-admac.c
++++ b/drivers/dma/apple-admac.c
+@@ -96,6 +96,7 @@ struct admac_data {
+ struct device *dev;
+ __iomem void *base;
+
++ int irq;
+ int irq_index;
+ int nchannels;
+ struct admac_chan channels[];
+@@ -724,12 +725,7 @@ static int admac_probe(struct platform_device *pdev)
+
+ if (irq < 0)
+ return dev_err_probe(&pdev->dev, irq, "no usable interrupt\n");
+-
+- err = devm_request_irq(&pdev->dev, irq, admac_interrupt,
+- 0, dev_name(&pdev->dev), ad);
+- if (err)
+- return dev_err_probe(&pdev->dev, err,
+- "unable to register interrupt\n");
++ ad->irq = irq;
+
+ ad->base = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(ad->base))
+@@ -774,17 +770,29 @@ static int admac_probe(struct platform_device *pdev)
+ tasklet_setup(&adchan->tasklet, admac_chan_tasklet);
+ }
+
+- err = dma_async_device_register(&ad->dma);
++ err = request_irq(irq, admac_interrupt, 0, dev_name(&pdev->dev), ad);
+ if (err)
+- return dev_err_probe(&pdev->dev, err, "failed to register DMA device\n");
++ return dev_err_probe(&pdev->dev, err,
++ "unable to register interrupt\n");
++
++ err = dma_async_device_register(&ad->dma);
++ if (err) {
++ dev_err_probe(&pdev->dev, err, "failed to register DMA device\n");
++ goto free_irq;
++ }
+
+ err = of_dma_controller_register(pdev->dev.of_node, admac_dma_of_xlate, ad);
+ if (err) {
+ dma_async_device_unregister(&ad->dma);
+- return dev_err_probe(&pdev->dev, err, "failed to register with OF\n");
++ dev_err_probe(&pdev->dev, err, "failed to register with OF\n");
++ goto free_irq;
+ }
+
+ return 0;
++
++free_irq:
++ free_irq(ad->irq, ad);
++ return err;
+ }
+
+ static int admac_remove(struct platform_device *pdev)
+@@ -793,6 +801,7 @@ static int admac_remove(struct platform_device *pdev)
+
+ of_dma_controller_free(pdev->dev.of_node);
+ dma_async_device_unregister(&ad->dma);
++ free_irq(ad->irq, ad);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From a0d89ea710fbe5d93029062f11aa1ddd12952e1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 17:27:15 -0800
+Subject: dmaengine: idxd: Fix crc_val field for completion record
+
+From: Fenghua Yu <fenghua.yu@intel.com>
+
+[ Upstream commit dc901d98b1fe6e52ab81cd3e0879379168e06daa ]
+
+The crc_val in the completion record should be 64 bits and not 32 bits.
+
+Fixes: 4ac823e9cd85 ("dmaengine: idxd: fix delta_rec and crc size field for completion record")
+Reported-by: Nirav N Shah <nirav.n.shah@intel.com>
+Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/20221111012715.2031481-1-fenghua.yu@intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/idxd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/idxd.h b/include/uapi/linux/idxd.h
+index 2b9e7feba3f3..1d553bedbdb5 100644
+--- a/include/uapi/linux/idxd.h
++++ b/include/uapi/linux/idxd.h
+@@ -295,7 +295,7 @@ struct dsa_completion_record {
+ };
+
+ uint32_t delta_rec_size;
+- uint32_t crc_val;
++ uint64_t crc_val;
+
+ /* DIF check & strip */
+ struct {
+--
+2.35.1
+
--- /dev/null
+From 6f91a1e5a16c0e65e6d4db870f1de1b993f49d20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 09:58:17 +0800
+Subject: drbd: destroy workqueue when drbd device was freed
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 8692814b77ca4228a99da8a005de0acf40af6132 ]
+
+A submitter workqueue is dynamically allocated by init_submitter()
+called by drbd_create_device(), we should destroy it when this
+device is not needed or destroyed.
+
+Fixes: 113fef9e20e0 ("drbd: prepare to queue write requests on a submit worker")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lore.kernel.org/r/20221124015817.2729789-3-bobo.shaobowang@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
+index 78cae4e75af1..677240232684 100644
+--- a/drivers/block/drbd/drbd_main.c
++++ b/drivers/block/drbd/drbd_main.c
+@@ -2217,6 +2217,8 @@ void drbd_destroy_device(struct kref *kref)
+ kref_put(&peer_device->connection->kref, drbd_destroy_connection);
+ kfree(peer_device);
+ }
++ if (device->submit.wq)
++ destroy_workqueue(device->submit.wq);
+ kfree(device);
+ kref_put(&resource->kref, drbd_destroy_resource);
+ }
+@@ -2771,7 +2773,7 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig
+
+ err = add_disk(disk);
+ if (err)
+- goto out_idr_remove_from_resource;
++ goto out_destroy_workqueue;
+
+ /* inherit the connection state */
+ device->state.conn = first_connection(resource)->cstate;
+@@ -2785,6 +2787,8 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig
+ drbd_debugfs_device_add(device);
+ return NO_ERROR;
+
++out_destroy_workqueue:
++ destroy_workqueue(device->submit.wq);
+ out_idr_remove_from_resource:
+ for_each_connection_safe(connection, n, resource) {
+ peer_device = idr_remove(&connection->peer_devices, vnr);
+--
+2.35.1
+
--- /dev/null
+From f7e1557aff2606ba6996540eed3d59d340791446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 09:58:16 +0800
+Subject: drbd: remove call to memset before free device/resource/connection
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 6e7b854e4c1b02dba00760dfa79d8dbf6cce561e ]
+
+This revert c2258ffc56f2 ("drbd: poison free'd device, resource and
+connection structs"), add memset is odd here for debugging, there are
+some methods to accurately show what happened, such as kdump.
+
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lore.kernel.org/r/20221124015817.2729789-2-bobo.shaobowang@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 8692814b77ca ("drbd: destroy workqueue when drbd device was freed")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_main.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
+index 8532b839a343..78cae4e75af1 100644
+--- a/drivers/block/drbd/drbd_main.c
++++ b/drivers/block/drbd/drbd_main.c
+@@ -2217,7 +2217,6 @@ void drbd_destroy_device(struct kref *kref)
+ kref_put(&peer_device->connection->kref, drbd_destroy_connection);
+ kfree(peer_device);
+ }
+- memset(device, 0xfd, sizeof(*device));
+ kfree(device);
+ kref_put(&resource->kref, drbd_destroy_resource);
+ }
+@@ -2309,7 +2308,6 @@ void drbd_destroy_resource(struct kref *kref)
+ idr_destroy(&resource->devices);
+ free_cpumask_var(resource->cpu_mask);
+ kfree(resource->name);
+- memset(resource, 0xf2, sizeof(*resource));
+ kfree(resource);
+ }
+
+@@ -2650,7 +2648,6 @@ void drbd_destroy_connection(struct kref *kref)
+ drbd_free_socket(&connection->data);
+ kfree(connection->int_dig_in);
+ kfree(connection->int_dig_vv);
+- memset(connection, 0xfc, sizeof(*connection));
+ kfree(connection);
+ kref_put(&resource->kref, drbd_destroy_resource);
+ }
+--
+2.35.1
+
--- /dev/null
+From 1b27f409e4c7fa73544e4003be11717f7e1796a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 14:34:51 +0100
+Subject: drbd: use blk_queue_max_discard_sectors helper
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+
+[ Upstream commit 258bea6388ac93f34561fd91064232d14e174bff ]
+
+We currently only set q->limits.max_discard_sectors, but that is not
+enough. Another field, max_hw_discard_sectors, was introduced in
+commit 0034af036554 ("block: make /sys/block/<dev>/queue/discard_max_bytes
+writeable").
+
+The difference is that max_discard_sectors can be changed from user
+space via sysfs, while max_hw_discard_sectors is the "hardware" upper
+limit.
+
+So use this helper, which sets both.
+
+This is also a fixup for commit 998e9cbcd615 ("drbd: cleanup
+decide_on_discard_support"): if discards are not supported, that does
+not necessarily mean we also want to disable write_zeroes.
+
+Fixes: 998e9cbcd615 ("drbd: cleanup decide_on_discard_support")
+Reviewed-by: Joel Colledge <joel.colledge@linbit.com>
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Link: https://lore.kernel.org/r/20221109133453.51652-2-christoph.boehmwalder@linbit.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_nl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
+index 013d355a2033..921c303a7b5c 100644
+--- a/drivers/block/drbd/drbd_nl.c
++++ b/drivers/block/drbd/drbd_nl.c
+@@ -1210,6 +1210,7 @@ static void decide_on_discard_support(struct drbd_device *device,
+ struct drbd_connection *connection =
+ first_peer_device(device)->connection;
+ struct request_queue *q = device->rq_queue;
++ unsigned int max_discard_sectors;
+
+ if (bdev && !bdev_max_discard_sectors(bdev->backing_bdev))
+ goto not_supported;
+@@ -1230,15 +1231,14 @@ static void decide_on_discard_support(struct drbd_device *device,
+ * topology on all peers.
+ */
+ blk_queue_discard_granularity(q, 512);
+- q->limits.max_discard_sectors = drbd_max_discard_sectors(connection);
+- q->limits.max_write_zeroes_sectors =
+- drbd_max_discard_sectors(connection);
++ max_discard_sectors = drbd_max_discard_sectors(connection);
++ blk_queue_max_discard_sectors(q, max_discard_sectors);
++ blk_queue_max_write_zeroes_sectors(q, max_discard_sectors);
+ return;
+
+ not_supported:
+ blk_queue_discard_granularity(q, 0);
+- q->limits.max_discard_sectors = 0;
+- q->limits.max_write_zeroes_sectors = 0;
++ blk_queue_max_discard_sectors(q, 0);
+ }
+
+ static void fixup_write_zeroes(struct drbd_device *device, struct request_queue *q)
+--
+2.35.1
+
--- /dev/null
+From f59bcde245f515f9217e2411cfb6ea34df29bb9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 14:40:36 +0800
+Subject: drivers: dio: fix possible memory leak in dio_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e63e99397b2613d50a5f4f02ed07307e67a190f1 ]
+
+If device_register() returns error, the 'dev' and name needs be
+freed. Add a release function, and then call put_device() in the
+error path, so the name is freed in kobject_cleanup() and to the
+'dev' is freed in release function.
+
+Fixes: 2e4c77bea3d8 ("m68k: dio - Kill warn_unused_result warnings")
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221109064036.1835346-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dio/dio.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/dio/dio.c b/drivers/dio/dio.c
+index 0e5a5662d5a4..0a051d656880 100644
+--- a/drivers/dio/dio.c
++++ b/drivers/dio/dio.c
+@@ -109,6 +109,12 @@ static char dio_no_name[] = { 0 };
+
+ #endif /* CONFIG_DIO_CONSTANTS */
+
++static void dio_dev_release(struct device *dev)
++{
++ struct dio_dev *ddev = container_of(dev, typeof(struct dio_dev), dev);
++ kfree(ddev);
++}
++
+ int __init dio_find(int deviceid)
+ {
+ /* Called to find a DIO device before the full bus scan has run.
+@@ -225,6 +231,7 @@ static int __init dio_init(void)
+ dev->bus = &dio_bus;
+ dev->dev.parent = &dio_bus.dev;
+ dev->dev.bus = &dio_bus_type;
++ dev->dev.release = dio_dev_release;
+ dev->scode = scode;
+ dev->resource.start = pa;
+ dev->resource.end = pa + DIO_SIZE(scode, va);
+@@ -252,6 +259,7 @@ static int __init dio_init(void)
+ if (error) {
+ pr_err("DIO: Error registering device %s\n",
+ dev->name);
++ put_device(&dev->dev);
+ continue;
+ }
+ error = dio_create_sysfs_dev_files(dev);
+--
+2.35.1
+
--- /dev/null
+From 6a601794de8c6219ee412bcf0e4215ce8edad988 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 01:38:49 -0800
+Subject: drivers: mcb: fix resource leak in mcb_probe()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit d7237462561fcd224fa687c56ccb68629f50fc0d ]
+
+When probe hook function failed in mcb_probe(), it doesn't put the device.
+Compiled test only.
+
+Fixes: 7bc364097a89 ("mcb: Acquire reference to device in probe")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Johannes Thumshirn <jth@kernel.org>
+Link: https://lore.kernel.org/r/9f87de36bfb85158b506cb78c6fc9db3f6a3bad1.1669624063.git.johannes.thumshirn@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mcb/mcb-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mcb/mcb-core.c b/drivers/mcb/mcb-core.c
+index 338fc889b357..b8ad4f16b4ac 100644
+--- a/drivers/mcb/mcb-core.c
++++ b/drivers/mcb/mcb-core.c
+@@ -71,8 +71,10 @@ static int mcb_probe(struct device *dev)
+
+ get_device(dev);
+ ret = mdrv->probe(mdev, found_id);
+- if (ret)
++ if (ret) {
+ module_put(carrier_mod);
++ put_device(dev);
++ }
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From a70e617c7d80934bfa02894daad6b267cef0e723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 16:33:05 -0700
+Subject: drivers/md/md-bitmap: check the return value of
+ md_bitmap_get_counter()
+
+From: Li Zhong <floridsleeves@gmail.com>
+
+[ Upstream commit 3bd548e5b819b8c0f2c9085de775c5c7bff9052f ]
+
+Check the return value of md_bitmap_get_counter() in case it returns
+NULL pointer, which will result in a null pointer dereference.
+
+v2: update the check to include other dereference
+
+Signed-off-by: Li Zhong <floridsleeves@gmail.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index bf6dffadbe6f..63ece30114e5 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -2195,20 +2195,23 @@ int md_bitmap_resize(struct bitmap *bitmap, sector_t blocks,
+
+ if (set) {
+ bmc_new = md_bitmap_get_counter(&bitmap->counts, block, &new_blocks, 1);
+- if (*bmc_new == 0) {
+- /* need to set on-disk bits too. */
+- sector_t end = block + new_blocks;
+- sector_t start = block >> chunkshift;
+- start <<= chunkshift;
+- while (start < end) {
+- md_bitmap_file_set_bit(bitmap, block);
+- start += 1 << chunkshift;
++ if (bmc_new) {
++ if (*bmc_new == 0) {
++ /* need to set on-disk bits too. */
++ sector_t end = block + new_blocks;
++ sector_t start = block >> chunkshift;
++
++ start <<= chunkshift;
++ while (start < end) {
++ md_bitmap_file_set_bit(bitmap, block);
++ start += 1 << chunkshift;
++ }
++ *bmc_new = 2;
++ md_bitmap_count_page(&bitmap->counts, block, 1);
++ md_bitmap_set_pending(&bitmap->counts, block);
+ }
+- *bmc_new = 2;
+- md_bitmap_count_page(&bitmap->counts, block, 1);
+- md_bitmap_set_pending(&bitmap->counts, block);
++ *bmc_new |= NEEDED_MASK;
+ }
+- *bmc_new |= NEEDED_MASK;
+ if (new_blocks < old_blocks)
+ old_blocks = new_blocks;
+ }
+--
+2.35.1
+
--- /dev/null
+From bce5a8ae9fa8f01d07d9f83fbba4e7cc9a97220a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 08:54:10 +0000
+Subject: drivers: net: qlcnic: Fix potential memory leak in
+ qlcnic_sriov_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 01de1123322e4fe1bbd0fcdf0982511b55519c03 ]
+
+If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp
+needs to be freed.
+
+Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+index 9282321c2e7f..f9dd50152b1e 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -221,6 +221,8 @@ int qlcnic_sriov_init(struct qlcnic_adapter *adapter, int num_vfs)
+ return 0;
+
+ qlcnic_destroy_async_wq:
++ while (i--)
++ kfree(sriov->vf_info[i].vp);
+ destroy_workqueue(bc->bc_async_wq);
+
+ qlcnic_destroy_trans_wq:
+--
+2.35.1
+
--- /dev/null
+From 05da6c1973288c0fb4677f9a2206680c2d60f7ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 16:41:33 +0800
+Subject: drivers/perf: hisi: Fix some event id for hisi-pcie-pmu
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 6b4bb4f38dbfe85247f006f06135ba46450d5bf0 ]
+
+Some event id of hisi-pcie-pmu is incorrect, fix them.
+
+Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU")
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Link: https://lore.kernel.org/r/20221117084136.53572-2-yangyicong@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_pcie_pmu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+index 21771708597d..071e63d9a9ac 100644
+--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c
++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+@@ -693,10 +693,10 @@ static struct attribute *hisi_pcie_pmu_events_attr[] = {
+ HISI_PCIE_PMU_EVENT_ATTR(rx_mrd_cnt, 0x10210),
+ HISI_PCIE_PMU_EVENT_ATTR(tx_mrd_latency, 0x0011),
+ HISI_PCIE_PMU_EVENT_ATTR(tx_mrd_cnt, 0x10011),
+- HISI_PCIE_PMU_EVENT_ATTR(rx_mrd_flux, 0x1005),
+- HISI_PCIE_PMU_EVENT_ATTR(rx_mrd_time, 0x11005),
+- HISI_PCIE_PMU_EVENT_ATTR(tx_mrd_flux, 0x2004),
+- HISI_PCIE_PMU_EVENT_ATTR(tx_mrd_time, 0x12004),
++ HISI_PCIE_PMU_EVENT_ATTR(rx_mrd_flux, 0x0804),
++ HISI_PCIE_PMU_EVENT_ATTR(rx_mrd_time, 0x10804),
++ HISI_PCIE_PMU_EVENT_ATTR(tx_mrd_flux, 0x0405),
++ HISI_PCIE_PMU_EVENT_ATTR(tx_mrd_time, 0x10405),
+ NULL
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 8d243054440a00880bebdeea311c08a0fe10dead Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 07:02:07 +0000
+Subject: drivers: perf: marvell_cn10k: Fix hotplug callback leak in
+ tad_pmu_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 973ae93d80d9d262f695eb485a1902b74c4b9098 ]
+
+tad_pmu_init() won't remove the callback added by cpuhp_setup_state_multi()
+when platform_driver_register() failed. Remove the callback by
+cpuhp_remove_multi_state() in fail path.
+
+Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus:
+arm-ccn: Prevent hotplug callback leak")
+
+Fixes: 036a7584bede ("drivers: perf: Add LLC-TAD perf counter support")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221115070207.32634-3-yuancan@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/marvell_cn10k_tad_pmu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/perf/marvell_cn10k_tad_pmu.c b/drivers/perf/marvell_cn10k_tad_pmu.c
+index 69c3050a4348..a1166afb3702 100644
+--- a/drivers/perf/marvell_cn10k_tad_pmu.c
++++ b/drivers/perf/marvell_cn10k_tad_pmu.c
+@@ -408,7 +408,11 @@ static int __init tad_pmu_init(void)
+ if (ret < 0)
+ return ret;
+ tad_pmu_cpuhp_state = ret;
+- return platform_driver_register(&tad_pmu_driver);
++ ret = platform_driver_register(&tad_pmu_driver);
++ if (ret)
++ cpuhp_remove_multi_state(tad_pmu_cpuhp_state);
++
++ return ret;
+ }
+
+ static void __exit tad_pmu_exit(void)
+--
+2.35.1
+
--- /dev/null
+From 08343d9feccd543970c9d38637c718447cd1eac9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Oct 2022 23:32:12 +0800
+Subject: drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
+
+From: Chen Jiahao <chenjiahao16@huawei.com>
+
+[ Upstream commit adf85adc2a7199b41e7a4da083bd17274a3d6969 ]
+
+There is a sparse warning shown below:
+
+drivers/soc/ti/knav_qmss_queue.c:70:12: warning: symbol
+'knav_acc_firmwares' was not declared. Should it be static?
+
+Since 'knav_acc_firmwares' is only called within knav_qmss_queue.c,
+mark it as static to fix the warning.
+
+Fixes: 96ee19becc3b ("soc: ti: add firmware file name as part of the driver")
+Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Link: https://lore.kernel.org/r/20221019153212.72350-1-chenjiahao16@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/ti/knav_qmss_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c
+index 92af7d1b6f5b..16a6d530a0d4 100644
+--- a/drivers/soc/ti/knav_qmss_queue.c
++++ b/drivers/soc/ti/knav_qmss_queue.c
+@@ -67,7 +67,7 @@ static DEFINE_MUTEX(knav_dev_lock);
+ * Newest followed by older ones. Search is done from start of the array
+ * until a firmware file is found.
+ */
+-const char *knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"};
++static const char * const knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"};
+
+ static bool device_ready;
+ bool knav_qmss_device_ready(void)
+--
+2.35.1
+
--- /dev/null
+From f2c2f0484f0a1d3634f54860fac91bd8f6986f25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 16:34:24 +0800
+Subject: drivers: staging: r8188eu: Fix sleep-in-atomic-context bug in
+ rtw_join_timeout_handler
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit ce8cc75c7419ad54cb99437543a54c97c7446db5 ]
+
+The rtw_join_timeout_handler() is a timer handler that
+runs in atomic context, but it could call msleep().
+As a result, the sleep-in-atomic-context bug will happen.
+The process is shown below:
+
+ (atomic context)
+rtw_join_timeout_handler
+ _rtw_join_timeout_handler
+ rtw_do_join
+ rtw_select_and_join_from_scanned_queue
+ rtw_indicate_disconnect
+ rtw_lps_ctrl_wk_cmd
+ lps_ctrl_wk_hdl
+ LPS_Leave
+ LPS_RF_ON_check
+ msleep //sleep in atomic context
+
+Fix by removing msleep() and replacing with mdelay().
+
+Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://lore.kernel.org/r/20221018083424.79741-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/r8188eu/core/rtw_pwrctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/r8188eu/core/rtw_pwrctrl.c b/drivers/staging/r8188eu/core/rtw_pwrctrl.c
+index 10550bd2c16d..abfd14bfd5fb 100644
+--- a/drivers/staging/r8188eu/core/rtw_pwrctrl.c
++++ b/drivers/staging/r8188eu/core/rtw_pwrctrl.c
+@@ -273,7 +273,7 @@ static s32 LPS_RF_ON_check(struct adapter *padapter, u32 delay_ms)
+ err = -1;
+ break;
+ }
+- msleep(1);
++ mdelay(1);
+ }
+
+ return err;
+--
+2.35.1
+
--- /dev/null
+From e6b03c46bc97964b0b574872b2f6f745134a69ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 19:06:10 -0400
+Subject: drm/amd/display: Disable DRR actions during state commit
+
+From: Wesley Chalmers <Wesley.Chalmers@amd.com>
+
+[ Upstream commit de020e5fa9ebc6fc32e82ae6ccb0282451ed937c ]
+
+[WHY]
+Committing a state while performing DRR actions can cause underflow.
+
+[HOW]
+Disabled features performing DRR actions during state commit.
+Need to follow-up on why DRR actions affect state commit.
+
+Reviewed-by: Jun Lei <Jun.Lei@amd.com>
+Acked-by: Alan Liu <HaoPing.Liu@amd.com>
+Signed-off-by: Wesley Chalmers <Wesley.Chalmers@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
+index fb59fed8f425..9d369155901a 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
+@@ -973,8 +973,5 @@ void dcn30_prepare_bandwidth(struct dc *dc,
+ dc->clk_mgr->funcs->set_max_memclk(dc->clk_mgr, dc->clk_mgr->bw_params->clk_table.entries[dc->clk_mgr->bw_params->clk_table.num_entries - 1].memclk_mhz);
+
+ dcn20_prepare_bandwidth(dc, context);
+-
+- dc_dmub_srv_p_state_delegate(dc,
+- context->bw_ctx.bw.dcn.clk.fw_based_mclk_switching, context);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 00771e1ce0fd6b10c7d9e7bf53d55d8dcaa83b13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 15:35:53 -0400
+Subject: drm/amd/display: fix array index out of bound error in bios parser
+
+From: Aurabindo Pillai <aurabindo.pillai@amd.com>
+
+[ Upstream commit 4fc1ba4aa589ca267468ad23fedef37562227d32 ]
+
+[Why&How]
+Firmware headers dictate that gpio_pin array only has a size of 8. The
+count returned from vbios however is greater than 8.
+
+Fix this by not using array indexing but incrementing the pointer since
+gpio_pin definition in atomfirmware.h is hardcoded to size 8
+
+Reviewed-by: Martin Leung <Martin.Leung@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/bios/bios_parser2.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+index de3a1f3fd4f1..c98cd7c5b9f7 100644
+--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+@@ -487,6 +487,7 @@ static enum bp_result get_gpio_i2c_info(
+ uint32_t count = 0;
+ unsigned int table_index = 0;
+ bool find_valid = false;
++ struct atom_gpio_pin_assignment *pin;
+
+ if (!info)
+ return BP_RESULT_BADINPUT;
+@@ -514,20 +515,17 @@ static enum bp_result get_gpio_i2c_info(
+ - sizeof(struct atom_common_table_header))
+ / sizeof(struct atom_gpio_pin_assignment);
+
++ pin = (struct atom_gpio_pin_assignment *) header->gpio_pin;
++
+ for (table_index = 0; table_index < count; table_index++) {
+- if (((record->i2c_id & I2C_HW_CAP) == (
+- header->gpio_pin[table_index].gpio_id &
+- I2C_HW_CAP)) &&
+- ((record->i2c_id & I2C_HW_ENGINE_ID_MASK) ==
+- (header->gpio_pin[table_index].gpio_id &
+- I2C_HW_ENGINE_ID_MASK)) &&
+- ((record->i2c_id & I2C_HW_LANE_MUX) ==
+- (header->gpio_pin[table_index].gpio_id &
+- I2C_HW_LANE_MUX))) {
++ if (((record->i2c_id & I2C_HW_CAP) == (pin->gpio_id & I2C_HW_CAP)) &&
++ ((record->i2c_id & I2C_HW_ENGINE_ID_MASK) == (pin->gpio_id & I2C_HW_ENGINE_ID_MASK)) &&
++ ((record->i2c_id & I2C_HW_LANE_MUX) == (pin->gpio_id & I2C_HW_LANE_MUX))) {
+ /* still valid */
+ find_valid = true;
+ break;
+ }
++ pin = (struct atom_gpio_pin_assignment *)((uint8_t *)pin + sizeof(struct atom_gpio_pin_assignment));
+ }
+
+ /* If we don't find the entry that we are looking for then
+--
+2.35.1
+
--- /dev/null
+From 56aacff0b50b8d8595f967d37a6c7c264f8cc6b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 11:42:41 -0500
+Subject: drm/amd/display: Fix DTBCLK disable requests and SRC_SEL programming
+
+From: Alvin Lee <Alvin.Lee2@amd.com>
+
+[ Upstream commit f6015da7f2410109bd2ccd2e2828f26185aeb81d ]
+
+[Description]
+- When transitioning FRL / DP2 is not required, we will always request
+ DTBCLK = 0Mhz, but PMFW returns the min freq
+- This causes us to make DTBCLK requests every time we call optimize
+ after transitioning from FRL to non-FRL
+- If DTBCLK is not required, request the min instead (then we only need
+ to make 1 extra request at boot time)
+- Also when programming PIPE_DTO_SRC_SEL, don't programming for DP
+ first, just programming once for the required selection (programming
+ DP on an HDMI connection then switching back causes corruption)
+
+Reviewed-by: Dillon Varone <Dillon.Varone@amd.com>
+Acked-by: Jasdeep Dhillon <jdhillon@amd.com>
+Signed-off-by: Alvin Lee <Alvin.Lee2@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c | 2 +-
+ drivers/gpu/drm/amd/display/dc/dcn32/dcn32_dccg.c | 6 +-----
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c
+index e7f1d5f8166f..59a29c32f66a 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c
+@@ -436,7 +436,7 @@ static void dcn32_update_clocks(struct clk_mgr *clk_mgr_base,
+ }
+
+ if (!new_clocks->dtbclk_en) {
+- new_clocks->ref_dtbclk_khz = 0;
++ new_clocks->ref_dtbclk_khz = clk_mgr_base->bw_params->clk_table.entries[0].dtbclk_mhz * 1000;
+ }
+
+ /* clock limits are received with MHz precision, divide by 1000 to prevent setting clocks at every call */
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_dccg.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_dccg.c
+index 6dd8dadd68a5..6f160f65c8fa 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_dccg.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_dccg.c
+@@ -225,11 +225,7 @@ void dccg32_set_dtbclk_dto(
+ } else {
+ REG_UPDATE_2(OTG_PIXEL_RATE_CNTL[params->otg_inst],
+ DTBCLK_DTO_ENABLE[params->otg_inst], 0,
+- PIPE_DTO_SRC_SEL[params->otg_inst], 1);
+- if (params->is_hdmi)
+- REG_UPDATE(OTG_PIXEL_RATE_CNTL[params->otg_inst],
+- PIPE_DTO_SRC_SEL[params->otg_inst], 0);
+-
++ PIPE_DTO_SRC_SEL[params->otg_inst], params->is_hdmi ? 0 : 1);
+ REG_WRITE(DTBCLK_DTO_MODULO[params->otg_inst], 0);
+ REG_WRITE(DTBCLK_DTO_PHASE[params->otg_inst], 0);
+ }
+--
+2.35.1
+
--- /dev/null
+From 9267767fb37332f39c59be6e1602ecd57e37c59a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 17:54:05 +0800
+Subject: drm/amd/display: prevent memory leak
+
+From: gehao <gehao@kylinos.cn>
+
+[ Upstream commit d232afb1f3417ae8194ccf19ad3a8360e70e104e ]
+
+In dce6(0,1,4)_create_resource_pool and dce80_create_resource_pool
+the allocated memory should be released if construct pool fails.
+
+Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: gehao <gehao@kylinos.cn>
+Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c | 3 +++
+ drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c b/drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c
+index fc6aa098bda0..8db9f7514466 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c
+@@ -1128,6 +1128,7 @@ struct resource_pool *dce60_create_resource_pool(
+ if (dce60_construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+@@ -1325,6 +1326,7 @@ struct resource_pool *dce61_create_resource_pool(
+ if (dce61_construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+@@ -1518,6 +1520,7 @@ struct resource_pool *dce64_create_resource_pool(
+ if (dce64_construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+diff --git a/drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c b/drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c
+index b28025960050..5825e6f412bd 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c
+@@ -1137,6 +1137,7 @@ struct resource_pool *dce80_create_resource_pool(
+ if (dce80_construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+@@ -1336,6 +1337,7 @@ struct resource_pool *dce81_create_resource_pool(
+ if (dce81_construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+--
+2.35.1
+
--- /dev/null
+From a64bc9daaa44a67b59734b935815b6dd03a8eaf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 17:43:13 -0500
+Subject: drm/amd/display: Use the largest vready_offset in pipe group
+
+From: Wesley Chalmers <Wesley.Chalmers@amd.com>
+
+[ Upstream commit 5842abd985b792a3b13a89b6dae4869b56656c92 ]
+
+[WHY]
+Corruption can occur in LB if vready_offset is not large enough.
+DML calculates vready_offset for each pipe, but we currently select the
+top pipe's vready_offset, which is not necessarily enough for all pipes
+in the group.
+
+[HOW]
+Wherever program_global_sync is currently called, iterate through the
+entire pipe group and find the highest vready_offset.
+
+Reviewed-by: Dillon Varone <Dillon.Varone@amd.com>
+Acked-by: Jasdeep Dhillon <jdhillon@amd.com>
+Signed-off-by: Wesley Chalmers <Wesley.Chalmers@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/dc/dcn10/dcn10_hw_sequencer.c | 30 +++++++++++++++++--
+ .../drm/amd/display/dc/dcn20/dcn20_hwseq.c | 29 ++++++++++++++++--
+ 2 files changed, 55 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+index bc9b92838ea9..d7757e7900ba 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+@@ -867,6 +867,32 @@ static void false_optc_underflow_wa(
+ tg->funcs->clear_optc_underflow(tg);
+ }
+
++static int calculate_vready_offset_for_group(struct pipe_ctx *pipe)
++{
++ struct pipe_ctx *other_pipe;
++ int vready_offset = pipe->pipe_dlg_param.vready_offset;
++
++ /* Always use the largest vready_offset of all connected pipes */
++ for (other_pipe = pipe->bottom_pipe; other_pipe != NULL; other_pipe = other_pipe->bottom_pipe) {
++ if (other_pipe->pipe_dlg_param.vready_offset > vready_offset)
++ vready_offset = other_pipe->pipe_dlg_param.vready_offset;
++ }
++ for (other_pipe = pipe->top_pipe; other_pipe != NULL; other_pipe = other_pipe->top_pipe) {
++ if (other_pipe->pipe_dlg_param.vready_offset > vready_offset)
++ vready_offset = other_pipe->pipe_dlg_param.vready_offset;
++ }
++ for (other_pipe = pipe->next_odm_pipe; other_pipe != NULL; other_pipe = other_pipe->next_odm_pipe) {
++ if (other_pipe->pipe_dlg_param.vready_offset > vready_offset)
++ vready_offset = other_pipe->pipe_dlg_param.vready_offset;
++ }
++ for (other_pipe = pipe->prev_odm_pipe; other_pipe != NULL; other_pipe = other_pipe->prev_odm_pipe) {
++ if (other_pipe->pipe_dlg_param.vready_offset > vready_offset)
++ vready_offset = other_pipe->pipe_dlg_param.vready_offset;
++ }
++
++ return vready_offset;
++}
++
+ enum dc_status dcn10_enable_stream_timing(
+ struct pipe_ctx *pipe_ctx,
+ struct dc_state *context,
+@@ -902,7 +928,7 @@ enum dc_status dcn10_enable_stream_timing(
+ pipe_ctx->stream_res.tg->funcs->program_timing(
+ pipe_ctx->stream_res.tg,
+ &stream->timing,
+- pipe_ctx->pipe_dlg_param.vready_offset,
++ calculate_vready_offset_for_group(pipe_ctx),
+ pipe_ctx->pipe_dlg_param.vstartup_start,
+ pipe_ctx->pipe_dlg_param.vupdate_offset,
+ pipe_ctx->pipe_dlg_param.vupdate_width,
+@@ -2869,7 +2895,7 @@ void dcn10_program_pipe(
+
+ pipe_ctx->stream_res.tg->funcs->program_global_sync(
+ pipe_ctx->stream_res.tg,
+- pipe_ctx->pipe_dlg_param.vready_offset,
++ calculate_vready_offset_for_group(pipe_ctx),
+ pipe_ctx->pipe_dlg_param.vstartup_start,
+ pipe_ctx->pipe_dlg_param.vupdate_offset,
+ pipe_ctx->pipe_dlg_param.vupdate_width);
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index 146189323dbe..cd799ce6e48b 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -1608,6 +1608,31 @@ static void dcn20_update_dchubp_dpp(
+ hubp->funcs->phantom_hubp_post_enable(hubp);
+ }
+
++static int calculate_vready_offset_for_group(struct pipe_ctx *pipe)
++{
++ struct pipe_ctx *other_pipe;
++ int vready_offset = pipe->pipe_dlg_param.vready_offset;
++
++ /* Always use the largest vready_offset of all connected pipes */
++ for (other_pipe = pipe->bottom_pipe; other_pipe != NULL; other_pipe = other_pipe->bottom_pipe) {
++ if (other_pipe->pipe_dlg_param.vready_offset > vready_offset)
++ vready_offset = other_pipe->pipe_dlg_param.vready_offset;
++ }
++ for (other_pipe = pipe->top_pipe; other_pipe != NULL; other_pipe = other_pipe->top_pipe) {
++ if (other_pipe->pipe_dlg_param.vready_offset > vready_offset)
++ vready_offset = other_pipe->pipe_dlg_param.vready_offset;
++ }
++ for (other_pipe = pipe->next_odm_pipe; other_pipe != NULL; other_pipe = other_pipe->next_odm_pipe) {
++ if (other_pipe->pipe_dlg_param.vready_offset > vready_offset)
++ vready_offset = other_pipe->pipe_dlg_param.vready_offset;
++ }
++ for (other_pipe = pipe->prev_odm_pipe; other_pipe != NULL; other_pipe = other_pipe->prev_odm_pipe) {
++ if (other_pipe->pipe_dlg_param.vready_offset > vready_offset)
++ vready_offset = other_pipe->pipe_dlg_param.vready_offset;
++ }
++
++ return vready_offset;
++}
+
+ static void dcn20_program_pipe(
+ struct dc *dc,
+@@ -1626,7 +1651,7 @@ static void dcn20_program_pipe(
+ && !pipe_ctx->prev_odm_pipe) {
+ pipe_ctx->stream_res.tg->funcs->program_global_sync(
+ pipe_ctx->stream_res.tg,
+- pipe_ctx->pipe_dlg_param.vready_offset,
++ calculate_vready_offset_for_group(pipe_ctx),
+ pipe_ctx->pipe_dlg_param.vstartup_start,
+ pipe_ctx->pipe_dlg_param.vupdate_offset,
+ pipe_ctx->pipe_dlg_param.vupdate_width);
+@@ -2038,7 +2063,7 @@ bool dcn20_update_bandwidth(
+
+ pipe_ctx->stream_res.tg->funcs->program_global_sync(
+ pipe_ctx->stream_res.tg,
+- pipe_ctx->pipe_dlg_param.vready_offset,
++ calculate_vready_offset_for_group(pipe_ctx),
+ pipe_ctx->pipe_dlg_param.vstartup_start,
+ pipe_ctx->pipe_dlg_param.vupdate_offset,
+ pipe_ctx->pipe_dlg_param.vupdate_width);
+--
+2.35.1
+
--- /dev/null
+From 3ffee9028d10a5d17e7be56c5bb7f81cd00faf08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 11:46:54 -0400
+Subject: drm/amd/display: wait for vblank during pipe programming
+
+From: Haiyi Zhou <Haiyi.Zhou@amd.com>
+
+[ Upstream commit 203ccaf586446b578909de1b763278033fb74b51 ]
+
+[WHY]
+Skipping vblank during global sync update request can result in
+underflow on certain displays.
+
+[HOW]
+Roll back to the previous behavior where DC waits for vblank during pipe
+programming.
+
+Fixes: 5d3e14421410 ("drm/amd/display: do not wait for vblank during pipe programming")
+Tested-by: Mark Broadworth <mark.broadworth@amd.com>
+Reviewed-by: Martin Leung <Martin.Leung@amd.com>
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Haiyi Zhou <Haiyi.Zhou@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index 0f30df523fdf..146189323dbe 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -1632,10 +1632,8 @@ static void dcn20_program_pipe(
+ pipe_ctx->pipe_dlg_param.vupdate_width);
+
+ if (pipe_ctx->stream->mall_stream_config.type != SUBVP_PHANTOM) {
+- pipe_ctx->stream_res.tg->funcs->wait_for_state(
+- pipe_ctx->stream_res.tg, CRTC_STATE_VBLANK);
+- pipe_ctx->stream_res.tg->funcs->wait_for_state(
+- pipe_ctx->stream_res.tg, CRTC_STATE_VACTIVE);
++ pipe_ctx->stream_res.tg->funcs->wait_for_state(pipe_ctx->stream_res.tg, CRTC_STATE_VBLANK);
++ pipe_ctx->stream_res.tg->funcs->wait_for_state(pipe_ctx->stream_res.tg, CRTC_STATE_VACTIVE);
+ }
+
+ pipe_ctx->stream_res.tg->funcs->set_vtg_params(
+--
+2.35.1
+
--- /dev/null
+From 1964447fb162463d085feb3a4ccb2c46375294df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 00:16:56 -0400
+Subject: drm/amd/display: Workaround to increase phantom pipe vactive in
+ pipesplit
+
+From: George Shen <george.shen@amd.com>
+
+[ Upstream commit 5b8f9deaf3b6badfc0da968e6e07ceabd19700b6 ]
+
+[Why]
+Certain high resolution displays exhibit DCC line corruption with SubVP
+enabled. This is likely due to insufficient DCC meta data buffered
+immediately after the mclk switch.
+
+[How]
+Add workaround to increase phantom pipe vactive height by
+meta_row_height number of lines, thus increasing the amount of meta data
+buffered immediately after mclk switch finishes.
+
+Reviewed-by: Alvin Lee <Alvin.Lee2@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: George Shen <george.shen@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c
+index 07c56e231b04..d05df4f7139f 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c
+@@ -485,9 +485,11 @@ void dcn32_set_phantom_stream_timing(struct dc *dc,
+ unsigned int i, pipe_idx;
+ struct pipe_ctx *pipe;
+ uint32_t phantom_vactive, phantom_bp, pstate_width_fw_delay_lines;
++ unsigned int num_dpp;
+ unsigned int vlevel = context->bw_ctx.dml.vba.VoltageLevel;
+ unsigned int dcfclk = context->bw_ctx.dml.vba.DCFCLKState[vlevel][context->bw_ctx.dml.vba.maxMpcComb];
+ unsigned int socclk = context->bw_ctx.dml.vba.SOCCLKPerState[vlevel];
++ struct vba_vars_st *vba = &context->bw_ctx.dml.vba;
+
+ dc_assert_fp_enabled();
+
+@@ -523,6 +525,11 @@ void dcn32_set_phantom_stream_timing(struct dc *dc,
+ phantom_vactive = get_subviewport_lines_needed_in_mall(&context->bw_ctx.dml, pipes, pipe_cnt, pipe_idx) +
+ pstate_width_fw_delay_lines + dc->caps.subvp_swath_height_margin_lines;
+
++ // W/A for DCC corruption with certain high resolution timings.
++ // Determing if pipesplit is used. If so, add meta_row_height to the phantom vactive.
++ num_dpp = vba->NoOfDPP[vba->VoltageLevel][vba->maxMpcComb][vba->pipe_plane[pipe_idx]];
++ phantom_vactive += num_dpp > 1 ? vba->meta_row_height[vba->pipe_plane[pipe_idx]] : 0;
++
+ // For backporch of phantom pipe, use vstartup of the main pipe
+ phantom_bp = get_vstartup(&context->bw_ctx.dml, pipes, pipe_cnt, pipe_idx);
+
+--
+2.35.1
+
--- /dev/null
+From f170dcdd8d658050e8ab4e0705c59643113ccd6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 17:33:24 +0800
+Subject: drm/amd/pm/smu11: BACO is supported when it's in BACO state
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 6dca7efe6e522bf213c7dab691fa580d82f48f74 ]
+
+Return true early if ASIC is in BACO state already, no need
+to talk to SMU. It can fix the issue that driver was not
+calling BACO exit at all in runtime pm resume, and a timing
+issue leading to a PCI AER error happened eventually.
+
+Fixes: 8795e182b02d ("PCI/portdrv: Don't disable AER reporting in get_port_device_capability()")
+Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
+index 70b560737687..ad5f6a15a1d7 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
+@@ -1588,6 +1588,10 @@ bool smu_v11_0_baco_is_support(struct smu_context *smu)
+ if (amdgpu_sriov_vf(smu->adev) || !smu_baco->platform_support)
+ return false;
+
++ /* return true if ASIC is in BACO state already */
++ if (smu_v11_0_baco_get_state(smu) == SMU_BACO_STATE_ENTER)
++ return true;
++
+ /* Arcturus does not support this bit mask */
+ if (smu_cmn_feature_is_supported(smu, SMU_FEATURE_BACO_BIT) &&
+ !smu_cmn_feature_is_enabled(smu, SMU_FEATURE_BACO_BIT))
+--
+2.35.1
+
--- /dev/null
+From facdee3c596627308659e5741cba661f7ad39e5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 19:30:43 +0800
+Subject: drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit ca54639c7752edf1304d92ff4d0c049d4efc9ba0 ]
+
+As comment of pci_get_class() says, it returns a pci_device with its
+refcount increased and decreased the refcount for the input parameter
+@from if it is not NULL.
+
+If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we
+need to call pci_dev_put() to decrease the refcount. Add the missing
+pci_dev_put() to avoid refcount leak.
+
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
+index e363f56c72af..30c28a69e847 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
+@@ -317,6 +317,7 @@ static bool amdgpu_atrm_get_bios(struct amdgpu_device *adev)
+
+ if (!found)
+ return false;
++ pci_dev_put(pdev);
+
+ adev->bios = kmalloc(size, GFP_KERNEL);
+ if (!adev->bios) {
+--
+2.35.1
+
--- /dev/null
+From 210d7c26340dc40fa3f42fd263029f205672712e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 23:00:03 +0800
+Subject: drm/amdgpu: fix pci device refcount leak
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b85e285e3d6352b02947fc1b72303673dfacb0aa ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put().
+
+So before returning from amdgpu_device_resume|suspend_display_audio(),
+pci_dev_put() is called to avoid refcount leak.
+
+Fixes: 3f12acc8d6d4 ("drm/amdgpu: put the audio codec into suspend state before gpu reset V3")
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index e0c960cc1d2e..f04e698e631c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -5004,6 +5004,8 @@ static void amdgpu_device_resume_display_audio(struct amdgpu_device *adev)
+ pm_runtime_enable(&(p->dev));
+ pm_runtime_resume(&(p->dev));
+ }
++
++ pci_dev_put(p);
+ }
+
+ static int amdgpu_device_suspend_display_audio(struct amdgpu_device *adev)
+@@ -5042,6 +5044,7 @@ static int amdgpu_device_suspend_display_audio(struct amdgpu_device *adev)
+
+ if (expires < ktime_get_mono_fast_ns()) {
+ dev_warn(adev->dev, "failed to suspend display audio\n");
++ pci_dev_put(p);
+ /* TODO: abort the succeeding gpu reset? */
+ return -ETIMEDOUT;
+ }
+@@ -5049,6 +5052,7 @@ static int amdgpu_device_suspend_display_audio(struct amdgpu_device *adev)
+
+ pm_runtime_disable(&(p->dev));
+
++ pci_dev_put(p);
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 50aede00d5f3b498ce488a0721add0f82ec2527d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 08:25:40 -0700
+Subject: drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table()
+ callback
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit e4d0ef752081e7aa6ffb7ccac11c499c732a2e05 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict]
+ .odn_edit_dpm_table = smu_od_edit_dpm_table,
+ ^~~~~~~~~~~~~~~~~~~~~
+ 1 error generated.
+
+There are only two implementations of ->odn_edit_dpm_table() in 'struct
+amd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One
+has a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the
+other uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls
+->od_edit_dpm_table() from 'struct pptable_funcs' and
+pp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct
+pp_hwmgr_func', which both have a second parameter type of 'enum
+PP_OD_DPM_TABLE_COMMAND'.
+
+Update the type parameter in both the prototype in 'struct amd_pm_funcs'
+and pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which
+cleans up the warning.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/include/kgd_pp_interface.h | 3 ++-
+ drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/include/kgd_pp_interface.h b/drivers/gpu/drm/amd/include/kgd_pp_interface.h
+index 7e3231c2191c..ffe19883b2ee 100644
+--- a/drivers/gpu/drm/amd/include/kgd_pp_interface.h
++++ b/drivers/gpu/drm/amd/include/kgd_pp_interface.h
+@@ -354,7 +354,8 @@ struct amd_pm_funcs {
+ int (*get_power_profile_mode)(void *handle, char *buf);
+ int (*set_power_profile_mode)(void *handle, long *input, uint32_t size);
+ int (*set_fine_grain_clk_vol)(void *handle, uint32_t type, long *input, uint32_t size);
+- int (*odn_edit_dpm_table)(void *handle, uint32_t type, long *input, uint32_t size);
++ int (*odn_edit_dpm_table)(void *handle, enum PP_OD_DPM_TABLE_COMMAND type,
++ long *input, uint32_t size);
+ int (*set_mp1_state)(void *handle, enum pp_mp1_state mp1_state);
+ int (*smu_i2c_bus_access)(void *handle, bool acquire);
+ int (*gfx_state_change_set)(void *handle, uint32_t state);
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+index 1eb4e613b27a..6562978de84a 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+@@ -838,7 +838,8 @@ static int pp_set_fine_grain_clk_vol(void *handle, uint32_t type, long *input, u
+ return hwmgr->hwmgr_func->set_fine_grain_clk_vol(hwmgr, type, input, size);
+ }
+
+-static int pp_odn_edit_dpm_table(void *handle, uint32_t type, long *input, uint32_t size)
++static int pp_odn_edit_dpm_table(void *handle, enum PP_OD_DPM_TABLE_COMMAND type,
++ long *input, uint32_t size)
+ {
+ struct pp_hwmgr *hwmgr = handle;
+
+--
+2.35.1
+
--- /dev/null
+From 0925827973d2389c0b69ee88ba03ed7bc4471b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 08:25:39 -0700
+Subject: drm/amdgpu: Fix type of second parameter in trans_msg() callback
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit f0d0f1087333714ee683cc134a95afe331d7ddd9 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c:412:15: error: incompatible function pointer types initializing 'void (*)(struct amdgpu_device *, u32, u32, u32, u32)' (aka 'void (*)(struct amdgpu_device *, unsigned int, unsigned int, unsigned int, unsigned int)') with an expression of type 'void (struct amdgpu_device *, enum idh_request, u32, u32, u32)' (aka 'void (struct amdgpu_device *, enum idh_request, unsigned int, unsigned int, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict]
+ .trans_msg = xgpu_ai_mailbox_trans_msg,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+ 1 error generated.
+
+ drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c:435:15: error: incompatible function pointer types initializing 'void (*)(struct amdgpu_device *, u32, u32, u32, u32)' (aka 'void (*)(struct amdgpu_device *, unsigned int, unsigned int, unsigned int, unsigned int)') with an expression of type 'void (struct amdgpu_device *, enum idh_request, u32, u32, u32)' (aka 'void (struct amdgpu_device *, enum idh_request, unsigned int, unsigned int, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict]
+ .trans_msg = xgpu_nv_mailbox_trans_msg,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+ 1 error generated.
+
+The type of the second parameter in the prototype should be 'enum
+idh_request' instead of 'u32'. Update it to clear up the warnings.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
+index 617d072275eb..77210fd64a2b 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
+@@ -75,6 +75,8 @@ struct amdgpu_vf_error_buffer {
+ uint64_t data[AMDGPU_VF_ERROR_ENTRY_SIZE];
+ };
+
++enum idh_request;
++
+ /**
+ * struct amdgpu_virt_ops - amdgpu device virt operations
+ */
+@@ -84,7 +86,8 @@ struct amdgpu_virt_ops {
+ int (*req_init_data)(struct amdgpu_device *adev);
+ int (*reset_gpu)(struct amdgpu_device *adev);
+ int (*wait_reset)(struct amdgpu_device *adev);
+- void (*trans_msg)(struct amdgpu_device *adev, u32 req, u32 data1, u32 data2, u32 data3);
++ void (*trans_msg)(struct amdgpu_device *adev, enum idh_request req,
++ u32 data1, u32 data2, u32 data3);
+ };
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 105a948e673886da078c10119df136f18bcda803 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 21:53:57 -0300
+Subject: drm/amdgpu/powerplay/psm: Fix memory leak in power state init
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit 8f8033d5663b18e6efb33feb61f2287a04605ab5 ]
+
+Commit 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power
+state init") made the power state init function return early in case of
+failure to get an entry from the powerplay table, but it missed to clean up
+the allocated memory for the current power state before returning.
+
+Fixes: 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power state init")
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
+index 67d7da0b6fed..1d829402cd2e 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
+@@ -75,8 +75,10 @@ int psm_init_power_state_table(struct pp_hwmgr *hwmgr)
+ for (i = 0; i < table_entries; i++) {
+ result = hwmgr->hwmgr_func->get_pp_table_entry(hwmgr, i, state);
+ if (result) {
++ kfree(hwmgr->current_ps);
+ kfree(hwmgr->request_ps);
+ kfree(hwmgr->ps);
++ hwmgr->current_ps = NULL;
+ hwmgr->request_ps = NULL;
+ hwmgr->ps = NULL;
+ return -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From 0e4976d87526bf050fa0e02ccadfe6b3177430e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 23:02:54 -0500
+Subject: drm/amdkfd: Fix memory leakage
+
+From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+
+[ Upstream commit 75818afff631e1ea785a82c3e8bb82eb0dee539c ]
+
+This patch fixes potential memory leakage and seg fault
+in _gpuvm_import_dmabuf() function
+
+Fixes: d4ec4bdc0bd5 ("drm/amdkfd: Allow access for mmapping KFD BOs")
+Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+index 5e184952ec98..6659630303a3 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -2253,7 +2253,7 @@ int amdgpu_amdkfd_gpuvm_import_dmabuf(struct amdgpu_device *adev,
+
+ ret = drm_vma_node_allow(&obj->vma_node, drm_priv);
+ if (ret) {
+- kfree(mem);
++ kfree(*mem);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 66f00960b3a4a823fcefcea790b915c34e4558c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Oct 2022 14:43:37 +0200
+Subject: drm/atomic-helper: Don't allocate new plane state in CRTC check
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit dbbf933d365da1a76a540211bee3d57bde520194 ]
+
+In drm_atomic_helper_check_crtc_state(), do not add a new plane state
+to the global state if it does not exist already. Adding a new plane
+state will result in overhead for the plane during the atomic-commit
+step.
+
+For the test in drm_atomic_helper_check_crtc_state() to succeed, it
+is important that the CRTC has an enabled primary plane after the
+commit. Simply testing the CRTC state's plane_mask for a primary plane
+is sufficient.
+
+Note that the helper still only tests for an attached primary plane.
+Drivers have to ensure that the plane contains valid pixel information.
+
+v5:
+ * fix commit description (Javier)
+v3:
+ * test for a primary plane in plane_mask (Ville)
+v2:
+ * remove unnecessary test for plane->crtc (Ville)
+ * inline drm_atomic_get_next_plane_state() (Ville)
+ * acquire plane lock before accessing plane->state (Ville)
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Fixes: d6b9af1097fe ("drm/atomic-helper: Add helper drm_atomic_helper_check_crtc_state()")
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: dri-devel@lists.freedesktop.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20221007124338.24152-2-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_atomic_helper.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
+index 8bf41aa24068..6526d6ade04b 100644
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -899,7 +899,6 @@ int drm_atomic_helper_check_crtc_state(struct drm_crtc_state *crtc_state,
+ bool can_disable_primary_planes)
+ {
+ struct drm_device *dev = crtc_state->crtc->dev;
+- struct drm_atomic_state *state = crtc_state->state;
+
+ if (!crtc_state->enable)
+ return 0;
+@@ -910,14 +909,7 @@ int drm_atomic_helper_check_crtc_state(struct drm_crtc_state *crtc_state,
+ struct drm_plane *plane;
+
+ drm_for_each_plane_mask(plane, dev, crtc_state->plane_mask) {
+- struct drm_plane_state *plane_state;
+-
+- if (plane->type != DRM_PLANE_TYPE_PRIMARY)
+- continue;
+- plane_state = drm_atomic_get_plane_state(state, plane);
+- if (IS_ERR(plane_state))
+- return PTR_ERR(plane_state);
+- if (plane_state->fb && plane_state->crtc) {
++ if (plane->type == DRM_PLANE_TYPE_PRIMARY) {
+ has_primary_plane = true;
+ break;
+ }
+--
+2.35.1
+
--- /dev/null
+From 5c1bf19bf3049d5422146df968e60a016baffe1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 14:10:49 -0700
+Subject: drm/bridge: adv7533: remove dynamic lane switching from adv7533
+ bridge
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+[ Upstream commit 9a0cdcd6649b76f0b7ceec0e55b0a718321e34d3 ]
+
+adv7533 bridge tries to dynamically switch lanes based on the
+mode by detaching and attaching the mipi dsi device.
+
+This approach is incorrect because this method of dynamic switch of
+detaching and attaching the mipi dsi device also results in removing
+and adding the component which is not necessary.
+
+This approach is also prone to deadlocks. So for example, on the
+db410c whenever this path is executed with lockdep enabled,
+this results in a deadlock due to below ordering of locks.
+
+-> #1 (crtc_ww_class_acquire){+.+.}-{0:0}:
+ lock_acquire+0x6c/0x90
+ drm_modeset_acquire_init+0xf4/0x150
+ drmm_mode_config_init+0x220/0x770
+ msm_drm_bind+0x13c/0x654
+ try_to_bring_up_aggregate_device+0x164/0x1d0
+ __component_add+0xa8/0x174
+ component_add+0x18/0x2c
+ dsi_dev_attach+0x24/0x30
+ dsi_host_attach+0x98/0x14c
+ devm_mipi_dsi_attach+0x38/0xb0
+ adv7533_attach_dsi+0x8c/0x110
+ adv7511_probe+0x5a0/0x930
+ i2c_device_probe+0x30c/0x350
+ really_probe.part.0+0x9c/0x2b0
+ __driver_probe_device+0x98/0x144
+ driver_probe_device+0xac/0x14c
+ __device_attach_driver+0xbc/0x124
+ bus_for_each_drv+0x78/0xd0
+ __device_attach+0xa8/0x1c0
+ device_initial_probe+0x18/0x24
+ bus_probe_device+0xa0/0xac
+ deferred_probe_work_func+0x90/0xd0
+ process_one_work+0x28c/0x6b0
+ worker_thread+0x240/0x444
+ kthread+0x110/0x114
+ ret_from_fork+0x10/0x20
+
+-> #0 (component_mutex){+.+.}-{3:3}:
+ __lock_acquire+0x1280/0x20ac
+ lock_acquire.part.0+0xe0/0x230
+ lock_acquire+0x6c/0x90
+ __mutex_lock+0x84/0x400
+ mutex_lock_nested+0x3c/0x70
+ component_del+0x34/0x170
+ dsi_dev_detach+0x24/0x30
+ dsi_host_detach+0x20/0x64
+ mipi_dsi_detach+0x2c/0x40
+ adv7533_mode_set+0x64/0x90
+ adv7511_bridge_mode_set+0x210/0x214
+ drm_bridge_chain_mode_set+0x5c/0x84
+ crtc_set_mode+0x18c/0x1dc
+ drm_atomic_helper_commit_modeset_disables+0x40/0x50
+ msm_atomic_commit_tail+0x1d0/0x6e0
+ commit_tail+0xa4/0x180
+ drm_atomic_helper_commit+0x178/0x3b0
+ drm_atomic_commit+0xa4/0xe0
+ drm_client_modeset_commit_atomic+0x228/0x284
+ drm_client_modeset_commit_locked+0x64/0x1d0
+ drm_client_modeset_commit+0x34/0x60
+ drm_fb_helper_lastclose+0x74/0xcc
+ drm_lastclose+0x3c/0x80
+ drm_release+0xfc/0x114
+ __fput+0x70/0x224
+ ____fput+0x14/0x20
+ task_work_run+0x88/0x1a0
+ do_exit+0x350/0xa50
+ do_group_exit+0x38/0xa4
+ __wake_up_parent+0x0/0x34
+ invoke_syscall+0x48/0x114
+ el0_svc_common.constprop.0+0x60/0x11c
+ do_el0_svc+0x30/0xc0
+ el0_svc+0x58/0x100
+ el0t_64_sync_handler+0x1b0/0x1bc
+ el0t_64_sync+0x18c/0x190
+
+Due to above reasons, remove the dynamic lane switching
+code from adv7533 bridge chip and filter out the modes
+which would need different number of lanes as compared
+to the initialization time using the mode_valid callback.
+
+This can be potentially re-introduced by using the pre_enable()
+callback but this needs to be evaluated first whether such an
+approach will work so this will be done with a separate change.
+
+changes since RFC:
+ - Fix commit text and add TODO comment
+
+changes in v2:
+ - Fix checkpatch formatting errors
+
+Fixes: 62b2f026cd8e ("drm/bridge: adv7533: Change number of DSI lanes dynamically")
+Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/16
+Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Link: https://lore.kernel.org/r/1661797363-7564-1-git-send-email-quic_abhinavk@quicinc.com
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1665522649-3423-1-git-send-email-quic_abhinavk@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511.h | 3 ++-
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 18 ++++++++++----
+ drivers/gpu/drm/bridge/adv7511/adv7533.c | 25 ++++++++++----------
+ 3 files changed, 29 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511.h b/drivers/gpu/drm/bridge/adv7511/adv7511.h
+index 94de73cbeb2d..17445800248d 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511.h
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511.h
+@@ -402,7 +402,8 @@ static inline int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511)
+
+ void adv7533_dsi_power_on(struct adv7511 *adv);
+ void adv7533_dsi_power_off(struct adv7511 *adv);
+-void adv7533_mode_set(struct adv7511 *adv, const struct drm_display_mode *mode);
++enum drm_mode_status adv7533_mode_valid(struct adv7511 *adv,
++ const struct drm_display_mode *mode);
+ int adv7533_patch_registers(struct adv7511 *adv);
+ int adv7533_patch_cec_registers(struct adv7511 *adv);
+ int adv7533_attach_dsi(struct adv7511 *adv);
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+index 6031bdd92342..0f0950c11196 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -697,7 +697,7 @@ adv7511_detect(struct adv7511 *adv7511, struct drm_connector *connector)
+ }
+
+ static enum drm_mode_status adv7511_mode_valid(struct adv7511 *adv7511,
+- struct drm_display_mode *mode)
++ const struct drm_display_mode *mode)
+ {
+ if (mode->clock > 165000)
+ return MODE_CLOCK_HIGH;
+@@ -791,9 +791,6 @@ static void adv7511_mode_set(struct adv7511 *adv7511,
+ regmap_update_bits(adv7511->regmap, 0x17,
+ 0x60, (vsync_polarity << 6) | (hsync_polarity << 5));
+
+- if (adv7511->type == ADV7533 || adv7511->type == ADV7535)
+- adv7533_mode_set(adv7511, adj_mode);
+-
+ drm_mode_copy(&adv7511->curr_mode, adj_mode);
+
+ /*
+@@ -913,6 +910,18 @@ static void adv7511_bridge_mode_set(struct drm_bridge *bridge,
+ adv7511_mode_set(adv, mode, adj_mode);
+ }
+
++static enum drm_mode_status adv7511_bridge_mode_valid(struct drm_bridge *bridge,
++ const struct drm_display_info *info,
++ const struct drm_display_mode *mode)
++{
++ struct adv7511 *adv = bridge_to_adv7511(bridge);
++
++ if (adv->type == ADV7533 || adv->type == ADV7535)
++ return adv7533_mode_valid(adv, mode);
++ else
++ return adv7511_mode_valid(adv, mode);
++}
++
+ static int adv7511_bridge_attach(struct drm_bridge *bridge,
+ enum drm_bridge_attach_flags flags)
+ {
+@@ -960,6 +969,7 @@ static const struct drm_bridge_funcs adv7511_bridge_funcs = {
+ .enable = adv7511_bridge_enable,
+ .disable = adv7511_bridge_disable,
+ .mode_set = adv7511_bridge_mode_set,
++ .mode_valid = adv7511_bridge_mode_valid,
+ .attach = adv7511_bridge_attach,
+ .detect = adv7511_bridge_detect,
+ .get_edid = adv7511_bridge_get_edid,
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c
+index ef6270806d1d..258c79d4dab0 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c
+@@ -100,26 +100,27 @@ void adv7533_dsi_power_off(struct adv7511 *adv)
+ regmap_write(adv->regmap_cec, 0x27, 0x0b);
+ }
+
+-void adv7533_mode_set(struct adv7511 *adv, const struct drm_display_mode *mode)
++enum drm_mode_status adv7533_mode_valid(struct adv7511 *adv,
++ const struct drm_display_mode *mode)
+ {
++ int lanes;
+ struct mipi_dsi_device *dsi = adv->dsi;
+- int lanes, ret;
+-
+- if (adv->num_dsi_lanes != 4)
+- return;
+
+ if (mode->clock > 80000)
+ lanes = 4;
+ else
+ lanes = 3;
+
+- if (lanes != dsi->lanes) {
+- mipi_dsi_detach(dsi);
+- dsi->lanes = lanes;
+- ret = mipi_dsi_attach(dsi);
+- if (ret)
+- dev_err(&dsi->dev, "failed to change host lanes\n");
+- }
++ /*
++ * TODO: add support for dynamic switching of lanes
++ * by using the bridge pre_enable() op . Till then filter
++ * out the modes which shall need different number of lanes
++ * than what was configured in the device tree.
++ */
++ if (lanes != dsi->lanes)
++ return MODE_BAD;
++
++ return MODE_OK;
+ }
+
+ int adv7533_patch_registers(struct adv7511 *adv)
+--
+2.35.1
+
--- /dev/null
+From 727c5ca60f298c8f632513df65530282d3a1c591 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 19:04:08 +0800
+Subject: drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe
+
+From: Pin-yen Lin <treapking@chromium.org>
+
+[ Upstream commit e577d4b13064c337b83fe7edecb3f34e87144821 ]
+
+During device boot, the HPD interrupt could be triggered before the DRM
+subsystem registers it6505 as a DRM bridge. In such cases, the driver
+tries to access AUX channel and causes NULL pointer dereference.
+Initializing the AUX channel earlier to prevent such error.
+
+Fixes: b5c84a9edcd4 ("drm/bridge: add it6505 driver")
+Signed-off-by: Pin-yen Lin <treapking@chromium.org>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221013110411.1674359-2-treapking@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index a09d1a39ab0a..711f403afe7c 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -2854,10 +2854,7 @@ static int it6505_bridge_attach(struct drm_bridge *bridge,
+ }
+
+ /* Register aux channel */
+- it6505->aux.name = "DP-AUX";
+- it6505->aux.dev = dev;
+ it6505->aux.drm_dev = bridge->dev;
+- it6505->aux.transfer = it6505_aux_transfer;
+
+ ret = drm_dp_aux_register(&it6505->aux);
+
+@@ -3310,6 +3307,11 @@ static int it6505_i2c_probe(struct i2c_client *client,
+ DRM_DEV_DEBUG_DRIVER(dev, "it6505 device name: %s", dev_name(dev));
+ debugfs_init(it6505);
+
++ it6505->aux.name = "DP-AUX";
++ it6505->aux.dev = dev;
++ it6505->aux.transfer = it6505_aux_transfer;
++ drm_dp_aux_init(&it6505->aux);
++
+ it6505->bridge.funcs = &it6505_bridge_funcs;
+ it6505->bridge.type = DRM_MODE_CONNECTOR_DisplayPort;
+ it6505->bridge.ops = DRM_BRIDGE_OP_DETECT | DRM_BRIDGE_OP_EDID |
+--
+2.35.1
+
--- /dev/null
+From b1df0fa6739e2c13bc519d6ca152c518c6da5c60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 16:37:34 -0400
+Subject: drm/edid: add a quirk for two LG monitors to get them to work on
+ 10bpc
+
+From: Hamza Mahfooz <hamza.mahfooz@amd.com>
+
+[ Upstream commit aa193f7eff8ff753577351140b8af13b76cdc7c2 ]
+
+The LG 27GP950 and LG 27GN950 have visible display corruption when
+trying to use 10bpc modes. So, to fix this, cap their maximum DSC
+target bitrate to 15bpp.
+
+Suggested-by: Roman Li <roman.li@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_edid.c | 12 ++++++++++++
+ include/drm/drm_connector.h | 6 ++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
+index eaa819381281..fefcfac999d9 100644
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -87,6 +87,8 @@ static int oui(u8 first, u8 second, u8 third)
+ #define EDID_QUIRK_FORCE_10BPC (1 << 11)
+ /* Non desktop display (i.e. HMD) */
+ #define EDID_QUIRK_NON_DESKTOP (1 << 12)
++/* Cap the DSC target bitrate to 15bpp */
++#define EDID_QUIRK_CAP_DSC_15BPP (1 << 13)
+
+ #define MICROSOFT_IEEE_OUI 0xca125c
+
+@@ -147,6 +149,12 @@ static const struct edid_quirk {
+ EDID_QUIRK('F', 'C', 'M', 13600, EDID_QUIRK_PREFER_LARGE_75 |
+ EDID_QUIRK_DETAILED_IN_CM),
+
++ /* LG 27GP950 */
++ EDID_QUIRK('G', 'S', 'M', 0x5bbf, EDID_QUIRK_CAP_DSC_15BPP),
++
++ /* LG 27GN950 */
++ EDID_QUIRK('G', 'S', 'M', 0x5b9a, EDID_QUIRK_CAP_DSC_15BPP),
++
+ /* LGD panel of HP zBook 17 G2, eDP 10 bpc, but reports unknown bpc */
+ EDID_QUIRK('L', 'G', 'D', 764, EDID_QUIRK_FORCE_10BPC),
+
+@@ -6116,6 +6124,7 @@ static void drm_reset_display_info(struct drm_connector *connector)
+
+ info->mso_stream_count = 0;
+ info->mso_pixel_overlap = 0;
++ info->max_dsc_bpp = 0;
+ }
+
+ static u32 update_display_info(struct drm_connector *connector,
+@@ -6202,6 +6211,9 @@ static u32 update_display_info(struct drm_connector *connector,
+ info->non_desktop = true;
+ }
+
++ if (quirks & EDID_QUIRK_CAP_DSC_15BPP)
++ info->max_dsc_bpp = 15;
++
+ return quirks;
+ }
+
+diff --git a/include/drm/drm_connector.h b/include/drm/drm_connector.h
+index 7df7876b2ad5..d9879fc9ceb1 100644
+--- a/include/drm/drm_connector.h
++++ b/include/drm/drm_connector.h
+@@ -635,6 +635,12 @@ struct drm_display_info {
+ * @mso_pixel_overlap: eDP MSO segment pixel overlap, 0-8 pixels.
+ */
+ u8 mso_pixel_overlap;
++
++ /**
++ * @max_dsc_bpp: Maximum DSC target bitrate, if it is set to 0 the
++ * monitor's default value is used instead.
++ */
++ u32 max_dsc_bpp;
+ };
+
+ int drm_display_info_set_bus_formats(struct drm_display_info *info,
+--
+2.35.1
+
--- /dev/null
+From a07f8098bbd25c431de8b94cc489486fa4660dbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 13:29:38 -0700
+Subject: drm/etnaviv: add missing quirks for GC300
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit cc7d3fb446a91f24978a6aa59cbb578f92e22242 ]
+
+The GC300's features register doesn't specify that a 2D pipe is
+available, and like the GC600, its idle register reports zero bits where
+modules aren't present.
+
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+index 37018bc55810..f667e7906d1f 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -416,6 +416,12 @@ static void etnaviv_hw_identify(struct etnaviv_gpu *gpu)
+ if (gpu->identity.model == chipModel_GC700)
+ gpu->identity.features &= ~chipFeatures_FAST_CLEAR;
+
++ /* These models/revisions don't have the 2D pipe bit */
++ if ((gpu->identity.model == chipModel_GC500 &&
++ gpu->identity.revision <= 2) ||
++ gpu->identity.model == chipModel_GC300)
++ gpu->identity.features |= chipFeatures_PIPE_2D;
++
+ if ((gpu->identity.model == chipModel_GC500 &&
+ gpu->identity.revision < 2) ||
+ (gpu->identity.model == chipModel_GC300 &&
+@@ -449,8 +455,9 @@ static void etnaviv_hw_identify(struct etnaviv_gpu *gpu)
+ gpu_read(gpu, VIVS_HI_CHIP_MINOR_FEATURE_5);
+ }
+
+- /* GC600 idle register reports zero bits where modules aren't present */
+- if (gpu->identity.model == chipModel_GC600)
++ /* GC600/300 idle register reports zero bits where modules aren't present */
++ if (gpu->identity.model == chipModel_GC600 ||
++ gpu->identity.model == chipModel_GC300)
+ gpu->idle_mask = VIVS_HI_IDLE_STATE_TX |
+ VIVS_HI_IDLE_STATE_RA |
+ VIVS_HI_IDLE_STATE_SE |
+--
+2.35.1
+
--- /dev/null
+From 2c1a2c776289f4ee779509432a6fea8ddf680633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 15:43:06 +0100
+Subject: drm/fourcc: Fix vsub/hsub for Q410 and Q401
+
+From: Brian Starkey <brian.starkey@arm.com>
+
+[ Upstream commit b230555f3257f197dd98641ef6ebaf778b52dd51 ]
+
+These formats are not subsampled, but that means hsub and vsub should be
+1, not 0.
+
+Fixes: 94b292b27734 ("drm: drm_fourcc: add NV15, Q410, Q401 YUV formats")
+Reported-by: George Kennedy <george.kennedy@oracle.com>
+Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Signed-off-by: Brian Starkey <brian.starkey@arm.com>
+Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220913144306.17279-1-brian.starkey@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_fourcc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_fourcc.c b/drivers/gpu/drm/drm_fourcc.c
+index 07741b678798..6768b7d18b6f 100644
+--- a/drivers/gpu/drm/drm_fourcc.c
++++ b/drivers/gpu/drm/drm_fourcc.c
+@@ -263,12 +263,12 @@ const struct drm_format_info *__drm_format_info(u32 format)
+ .vsub = 2, .is_yuv = true },
+ { .format = DRM_FORMAT_Q410, .depth = 0,
+ .num_planes = 3, .char_per_block = { 2, 2, 2 },
+- .block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 0,
+- .vsub = 0, .is_yuv = true },
++ .block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 1,
++ .vsub = 1, .is_yuv = true },
+ { .format = DRM_FORMAT_Q401, .depth = 0,
+ .num_planes = 3, .char_per_block = { 2, 2, 2 },
+- .block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 0,
+- .vsub = 0, .is_yuv = true },
++ .block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 1,
++ .vsub = 1, .is_yuv = true },
+ { .format = DRM_FORMAT_P030, .depth = 0, .num_planes = 2,
+ .char_per_block = { 4, 8, 0 }, .block_w = { 3, 3, 0 }, .block_h = { 1, 1, 0 },
+ .hsub = 2, .vsub = 2, .is_yuv = true},
+--
+2.35.1
+
--- /dev/null
+From 59b5b5ddaceacad95a10dafa12873e806fa9c356 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 08:42:15 -0700
+Subject: drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 96d845a67b7e406cfed7880a724c8ca6121e022e ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c:74:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .mode_valid = fsl_dcu_drm_connector_mode_valid,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 1 error generated.
+
+->mode_valid() in 'struct drm_connector_helper_funcs' expects a return
+type of 'enum drm_mode_status', not 'int'. Adjust the return type of
+fsl_dcu_drm_connector_mode_valid() to match the prototype's to resolve
+the warning and CFI failure.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221102154215.78059-1-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
+index 4d4a715b429d..2c2b92324a2e 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
+@@ -60,8 +60,9 @@ static int fsl_dcu_drm_connector_get_modes(struct drm_connector *connector)
+ return drm_panel_get_modes(fsl_connector->panel, connector);
+ }
+
+-static int fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector,
+- struct drm_display_mode *mode)
++static enum drm_mode_status
++fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector,
++ struct drm_display_mode *mode)
+ {
+ if (mode->hdisplay & 0xf)
+ return MODE_ERROR;
+--
+2.35.1
+
--- /dev/null
+From 32c827f9f330fc48c5341c0bde22c381ec6407a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 14:34:28 +0800
+Subject: drm/i915/bios: fix a memory leak in generate_lfp_data_ptrs
+
+From: Xia Fukun <xiafukun@huawei.com>
+
+[ Upstream commit 1382901f75a5a7dc8eac05059fd0c7816def4eae ]
+
+When (size != 0 || ptrs->lvds_ entries != 3), the program tries to
+free() the ptrs. However, the ptrs is not created by calling kzmalloc(),
+but is obtained by pointer offset operation.
+This may lead to memory leaks or undefined behavior.
+
+Fix this by replacing the arguments of kfree() with ptrs_block.
+
+Fixes: a87d0a847607 ("drm/i915/bios: Generate LFP data table pointers if the VBT lacks them")
+Signed-off-by: Xia Fukun <xiafukun@huawei.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221125063428.69486-1-xiafukun@huawei.com
+(cherry picked from commit 7674cd0b7d28b952151c3df26bbfa7e07eb2b4ec)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_bios.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
+index 459571e2cc57..2bfcfbfa52a4 100644
+--- a/drivers/gpu/drm/i915/display/intel_bios.c
++++ b/drivers/gpu/drm/i915/display/intel_bios.c
+@@ -414,7 +414,7 @@ static void *generate_lfp_data_ptrs(struct drm_i915_private *i915,
+ ptrs->lvds_entries++;
+
+ if (size != 0 || ptrs->lvds_entries != 3) {
+- kfree(ptrs);
++ kfree(ptrs_block);
+ return NULL;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 591f21ff48a1310878377fb6a31be9ccae17a634 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Oct 2022 14:38:11 -0700
+Subject: drm/i915: Fix compute pre-emption w/a to apply to compute engines
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Harrison <John.C.Harrison@Intel.com>
+
+[ Upstream commit c3bd49cd9a1043b963331e7fd874b380bed3f2bd ]
+
+An earlier patch added support for compute engines. However, it missed
+enabling the anti-pre-emption w/a for the new engine class. So move
+the 'compute capable' flag earlier and use it for the pre-emption w/a
+test.
+
+Fixes: c674c5b9342e ("drm/i915/xehp: CCS should use RCS setup functions")
+Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
+Cc: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Cc: Aravind Iddamsetty <aravind.iddamsetty@intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: John Harrison <John.C.Harrison@Intel.com>
+Cc: Jason Ekstrand <jason@jlekstrand.net>
+Cc: "Michał Winiarski" <michal.winiarski@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tejas Upadhyay <tejaskumarx.surendrakumar.upadhyay@intel.com>
+Cc: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+Cc: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
+Cc: Stuart Summers <stuart.summers@intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Ramalingam C <ramalingam.c@intel.com>
+Cc: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221006213813.1563435-3-John.C.Harrison@Intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 24 +++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index 699308a1323d..3dd0af057e6b 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -486,6 +486,17 @@ static int intel_engine_setup(struct intel_gt *gt, enum intel_engine_id id,
+ engine->logical_mask = BIT(logical_instance);
+ __sprint_engine_name(engine);
+
++ if ((engine->class == COMPUTE_CLASS && !RCS_MASK(engine->gt) &&
++ __ffs(CCS_MASK(engine->gt)) == engine->instance) ||
++ engine->class == RENDER_CLASS)
++ engine->flags |= I915_ENGINE_FIRST_RENDER_COMPUTE;
++
++ /* features common between engines sharing EUs */
++ if (engine->class == RENDER_CLASS || engine->class == COMPUTE_CLASS) {
++ engine->flags |= I915_ENGINE_HAS_RCS_REG_STATE;
++ engine->flags |= I915_ENGINE_HAS_EU_PRIORITY;
++ }
++
+ engine->props.heartbeat_interval_ms =
+ CONFIG_DRM_I915_HEARTBEAT_INTERVAL;
+ engine->props.max_busywait_duration_ns =
+@@ -498,20 +509,9 @@ static int intel_engine_setup(struct intel_gt *gt, enum intel_engine_id id,
+ CONFIG_DRM_I915_TIMESLICE_DURATION;
+
+ /* Override to uninterruptible for OpenCL workloads. */
+- if (GRAPHICS_VER(i915) == 12 && engine->class == RENDER_CLASS)
++ if (GRAPHICS_VER(i915) == 12 && (engine->flags & I915_ENGINE_HAS_RCS_REG_STATE))
+ engine->props.preempt_timeout_ms = 0;
+
+- if ((engine->class == COMPUTE_CLASS && !RCS_MASK(engine->gt) &&
+- __ffs(CCS_MASK(engine->gt)) == engine->instance) ||
+- engine->class == RENDER_CLASS)
+- engine->flags |= I915_ENGINE_FIRST_RENDER_COMPUTE;
+-
+- /* features common between engines sharing EUs */
+- if (engine->class == RENDER_CLASS || engine->class == COMPUTE_CLASS) {
+- engine->flags |= I915_ENGINE_HAS_RCS_REG_STATE;
+- engine->flags |= I915_ENGINE_HAS_EU_PRIORITY;
+- }
+-
+ /* Cap properties according to any system limits */
+ #define CLAMP_PROP(field) \
+ do { \
+--
+2.35.1
+
--- /dev/null
+From 4ddaa438b22dd9f0406dd15bd55801b084bd75e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 19:20:22 -0700
+Subject: drm/i915/guc: Add a helper for log buffer size
+
+From: Alan Previn <alan.previn.teres.alexis@intel.com>
+
+[ Upstream commit 5ce27d6210018e972197ff7e5da6309f919fd61b ]
+
+Add a helper to get GuC log buffer size.
+
+Signed-off-by: Alan Previn <alan.previn.teres.alexis@intel.com>
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Alan Previn <alan.previn.teres.alexis@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220728022028.2190627-2-John.C.Harrison@Intel.com
+Stable-dep-of: befb231d5de2 ("drm/i915/guc: Fix GuC error capture sizing estimation and reporting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/uc/intel_guc_log.c | 49 ++++++++++++----------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
+index 25b2d7ce6640..492bbf419d4d 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
+@@ -15,6 +15,32 @@
+
+ static void guc_log_copy_debuglogs_for_relay(struct intel_guc_log *log);
+
++static u32 intel_guc_log_size(struct intel_guc_log *log)
++{
++ /*
++ * GuC Log buffer Layout:
++ *
++ * NB: Ordering must follow "enum guc_log_buffer_type".
++ *
++ * +===============================+ 00B
++ * | Debug state header |
++ * +-------------------------------+ 32B
++ * | Crash dump state header |
++ * +-------------------------------+ 64B
++ * | Capture state header |
++ * +-------------------------------+ 96B
++ * | |
++ * +===============================+ PAGE_SIZE (4KB)
++ * | Debug logs |
++ * +===============================+ + DEBUG_SIZE
++ * | Crash Dump logs |
++ * +===============================+ + CRASH_SIZE
++ * | Capture logs |
++ * +===============================+ + CAPTURE_SIZE
++ */
++ return PAGE_SIZE + CRASH_BUFFER_SIZE + DEBUG_BUFFER_SIZE + CAPTURE_BUFFER_SIZE;
++}
++
+ /**
+ * DOC: GuC firmware log
+ *
+@@ -461,32 +487,11 @@ int intel_guc_log_create(struct intel_guc_log *log)
+
+ GEM_BUG_ON(log->vma);
+
+- /*
+- * GuC Log buffer Layout
+- * (this ordering must follow "enum guc_log_buffer_type" definition)
+- *
+- * +===============================+ 00B
+- * | Debug state header |
+- * +-------------------------------+ 32B
+- * | Crash dump state header |
+- * +-------------------------------+ 64B
+- * | Capture state header |
+- * +-------------------------------+ 96B
+- * | |
+- * +===============================+ PAGE_SIZE (4KB)
+- * | Debug logs |
+- * +===============================+ + DEBUG_SIZE
+- * | Crash Dump logs |
+- * +===============================+ + CRASH_SIZE
+- * | Capture logs |
+- * +===============================+ + CAPTURE_SIZE
+- */
+ if (intel_guc_capture_output_min_size_est(guc) > CAPTURE_BUFFER_SIZE)
+ DRM_WARN("GuC log buffer for state_capture maybe too small. %d < %d\n",
+ CAPTURE_BUFFER_SIZE, intel_guc_capture_output_min_size_est(guc));
+
+- guc_log_size = PAGE_SIZE + CRASH_BUFFER_SIZE + DEBUG_BUFFER_SIZE +
+- CAPTURE_BUFFER_SIZE;
++ guc_log_size = intel_guc_log_size(log);
+
+ vma = intel_guc_allocate_vma(guc, guc_log_size);
+ if (IS_ERR(vma)) {
+--
+2.35.1
+
--- /dev/null
+From d89b61f09df5fa2ff29952a11334739d6850cf1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Oct 2022 00:29:29 -0700
+Subject: drm/i915/guc: Add error-capture init warnings when needed
+
+From: Alan Previn <alan.previn.teres.alexis@intel.com>
+
+[ Upstream commit a894077890ad118de88c97c03f67a611ca60882a ]
+
+If GuC is being used and we initialized GuC-error-capture,
+we need to be warning if we don't provide an error-capture
+register list in the firmware ADS, for valid GT engines.
+A warning makes sense as this would impact debugability
+without realizing why a reglist wasn't retrieved and reported
+by GuC.
+
+However, depending on the platform, we might have certain
+engines that have a register list for engine instance error state
+but not for engine class. Thus, add a check only to warn if the
+register list was non existent vs an empty list (use the
+empty lists to skip the warning).
+
+NOTE: if a future platform were to introduce new registers
+in place of what was an empty list on existing / legacy hardware
+engines no warning is provided as the empty list is meant
+to be used intentionally. As an example, if a future hardware
+were to add blitter engine-class-registers (new) on top
+of the legacy blitter engine-instance-register (HEAD, TAIL, etc.),
+no warning is generated.
+
+Signed-off-by: Alan Previn <alan.previn.teres.alexis@intel.com>
+Reviewed-by: John Harrison <John.C.Harrison@Intel.com>
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221019072930.17755-2-alan.previn.teres.alexis@intel.com
+Stable-dep-of: befb231d5de2 ("drm/i915/guc: Fix GuC error capture sizing estimation and reporting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/i915/gt/uc/intel_guc_capture.c | 78 ++++++++++++++++---
+ 1 file changed, 69 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+index d2ac53d4f3b6..c398bdd5403a 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+@@ -419,6 +419,44 @@ guc_capture_get_device_reglist(struct intel_guc *guc)
+ return default_lists;
+ }
+
++static const char *
++__stringify_type(u32 type)
++{
++ switch (type) {
++ case GUC_CAPTURE_LIST_TYPE_GLOBAL:
++ return "Global";
++ case GUC_CAPTURE_LIST_TYPE_ENGINE_CLASS:
++ return "Class";
++ case GUC_CAPTURE_LIST_TYPE_ENGINE_INSTANCE:
++ return "Instance";
++ default:
++ break;
++ }
++
++ return "unknown";
++}
++
++static const char *
++__stringify_engclass(u32 class)
++{
++ switch (class) {
++ case GUC_RENDER_CLASS:
++ return "Render";
++ case GUC_VIDEO_CLASS:
++ return "Video";
++ case GUC_VIDEOENHANCE_CLASS:
++ return "VideoEnhance";
++ case GUC_BLITTER_CLASS:
++ return "Blitter";
++ case GUC_COMPUTE_CLASS:
++ return "Compute";
++ default:
++ break;
++ }
++
++ return "unknown";
++}
++
+ static int
+ guc_capture_list_init(struct intel_guc *guc, u32 owner, u32 type, u32 classid,
+ struct guc_mmio_reg *ptr, u16 num_entries)
+@@ -482,23 +520,38 @@ guc_cap_list_num_regs(struct intel_guc_state_capture *gc, u32 owner, u32 type, u
+ return num_regs;
+ }
+
+-int
+-intel_guc_capture_getlistsize(struct intel_guc *guc, u32 owner, u32 type, u32 classid,
+- size_t *size)
++static int
++guc_capture_getlistsize(struct intel_guc *guc, u32 owner, u32 type, u32 classid,
++ size_t *size, bool is_purpose_est)
+ {
+ struct intel_guc_state_capture *gc = guc->capture;
++ struct drm_i915_private *i915 = guc_to_gt(guc)->i915;
+ struct __guc_capture_ads_cache *cache = &gc->ads_cache[owner][type][classid];
+ int num_regs;
+
+- if (!gc->reglists)
++ if (!gc->reglists) {
++ drm_warn(&i915->drm, "GuC-capture: No reglist on this device\n");
+ return -ENODEV;
++ }
+
+ if (cache->is_valid) {
+ *size = cache->size;
+ return cache->status;
+ }
+
++ if (!is_purpose_est && owner == GUC_CAPTURE_LIST_INDEX_PF &&
++ !guc_capture_get_one_list(gc->reglists, owner, type, classid)) {
++ if (type == GUC_CAPTURE_LIST_TYPE_GLOBAL)
++ drm_warn(&i915->drm, "Missing GuC-Err-Cap reglist Global!\n");
++ else
++ drm_warn(&i915->drm, "Missing GuC-Err-Cap reglist %s(%u):%s(%u)!\n",
++ __stringify_type(type), type,
++ __stringify_engclass(classid), classid);
++ return -ENODATA;
++ }
++
+ num_regs = guc_cap_list_num_regs(gc, owner, type, classid);
++ /* intentional empty lists can exist depending on hw config */
+ if (!num_regs)
+ return -ENODATA;
+
+@@ -508,6 +561,13 @@ intel_guc_capture_getlistsize(struct intel_guc *guc, u32 owner, u32 type, u32 cl
+ return 0;
+ }
+
++int
++intel_guc_capture_getlistsize(struct intel_guc *guc, u32 owner, u32 type, u32 classid,
++ size_t *size)
++{
++ return guc_capture_getlistsize(guc, owner, type, classid, size, false);
++}
++
+ static void guc_capture_create_prealloc_nodes(struct intel_guc *guc);
+
+ int
+@@ -627,15 +687,15 @@ guc_capture_output_min_size_est(struct intel_guc *guc)
+ worst_min_size += sizeof(struct guc_state_capture_group_header_t) +
+ (3 * sizeof(struct guc_state_capture_header_t));
+
+- if (!intel_guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_GLOBAL, 0, &tmp))
++ if (!guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_GLOBAL, 0, &tmp, true))
+ num_regs += tmp;
+
+- if (!intel_guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_ENGINE_CLASS,
+- engine->class, &tmp)) {
++ if (!guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_ENGINE_CLASS,
++ engine->class, &tmp, true)) {
+ num_regs += tmp;
+ }
+- if (!intel_guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_ENGINE_INSTANCE,
+- engine->class, &tmp)) {
++ if (!guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_ENGINE_INSTANCE,
++ engine->class, &tmp, true)) {
+ num_regs += tmp;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From f8ae27e5ca3db6539e278528a2ac832fbd4d0678 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 19:20:23 -0700
+Subject: drm/i915/guc: Fix capture size warning and bump the size
+
+From: John Harrison <John.C.Harrison@Intel.com>
+
+[ Upstream commit 56c7f0e2026328e56106b54cb0e2fe3a7e70ce4f ]
+
+There was a size check to warn if the GuC error state capture buffer
+allocation would be too small to fit a reasonable amount of capture
+data for the current platform. Unfortunately, the test was done too
+early in the boot sequence and was actually testing 'if(-ENODEV >
+size)'.
+
+Move the check to be later. The check is only used to print a warning
+message, so it doesn't really matter how early or late it is done.
+Note that it is not possible to dynamically size the buffer because
+the allocation needs to be done before the engine information is
+available (at least, it would be in the intended two-phase GuC init
+process).
+
+Now that the check works, it is reporting size too small for newer
+platforms. The check includes a 3x oversample multiplier to allow for
+multiple error captures to be bufferd by GuC before i915 has a chance
+to read them out. This is less important than simply being big enough
+to fit the first capture.
+
+So a) bump the default size to be large enough for one capture minimum
+and b) make the warning only if one capture won't fit, instead use a
+notice for the 3x size.
+
+Note that the size estimate is a worst case scenario. Actual captures
+will likely be smaller.
+
+Lastly, use drm_warn istead of DRM_WARN as the former provides more
+infmration and the latter is deprecated.
+
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Reviewed-by: Alan Previn <alan.previn.teres.alexis@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220728022028.2190627-3-John.C.Harrison@Intel.com
+Stable-dep-of: befb231d5de2 ("drm/i915/guc: Fix GuC error capture sizing estimation and reporting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/i915/gt/uc/intel_guc_capture.c | 40 ++++++++++++++-----
+ .../gpu/drm/i915/gt/uc/intel_guc_capture.h | 1 -
+ drivers/gpu/drm/i915/gt/uc/intel_guc_log.c | 4 --
+ drivers/gpu/drm/i915/gt/uc/intel_guc_log.h | 4 +-
+ 4 files changed, 31 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+index 75257bd20ff0..b54b7883320b 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+@@ -600,10 +600,8 @@ intel_guc_capture_getnullheader(struct intel_guc *guc,
+ return 0;
+ }
+
+-#define GUC_CAPTURE_OVERBUFFER_MULTIPLIER 3
+-
+-int
+-intel_guc_capture_output_min_size_est(struct intel_guc *guc)
++static int
++guc_capture_output_min_size_est(struct intel_guc *guc)
+ {
+ struct intel_gt *gt = guc_to_gt(guc);
+ struct intel_engine_cs *engine;
+@@ -623,13 +621,8 @@ intel_guc_capture_output_min_size_est(struct intel_guc *guc)
+ * For each engine instance, there would be 1 x guc_state_capture_group_t output
+ * followed by 3 x guc_state_capture_t lists. The latter is how the register
+ * dumps are split across different register types (where the '3' are global vs class
+- * vs instance). Finally, let's multiply the whole thing by 3x (just so we are
+- * not limited to just 1 round of data in a worst case full register dump log)
+- *
+- * NOTE: intel_guc_log that allocates the log buffer would round this size up to
+- * a power of two.
++ * vs instance).
+ */
+-
+ for_each_engine(engine, gt, id) {
+ worst_min_size += sizeof(struct guc_state_capture_group_header_t) +
+ (3 * sizeof(struct guc_state_capture_header_t));
+@@ -649,7 +642,30 @@ intel_guc_capture_output_min_size_est(struct intel_guc *guc)
+
+ worst_min_size += (num_regs * sizeof(struct guc_mmio_reg));
+
+- return (worst_min_size * GUC_CAPTURE_OVERBUFFER_MULTIPLIER);
++ return worst_min_size;
++}
++
++/*
++ * Add on a 3x multiplier to allow for multiple back-to-back captures occurring
++ * before the i915 can read the data out and process it
++ */
++#define GUC_CAPTURE_OVERBUFFER_MULTIPLIER 3
++
++static void check_guc_capture_size(struct intel_guc *guc)
++{
++ struct drm_i915_private *i915 = guc_to_gt(guc)->i915;
++ int min_size = guc_capture_output_min_size_est(guc);
++ int spare_size = min_size * GUC_CAPTURE_OVERBUFFER_MULTIPLIER;
++
++ if (min_size < 0)
++ drm_warn(&i915->drm, "Failed to calculate GuC error state capture buffer minimum size: %d!\n",
++ min_size);
++ else if (min_size > CAPTURE_BUFFER_SIZE)
++ drm_warn(&i915->drm, "GuC error state capture buffer is too small: %d < %d\n",
++ CAPTURE_BUFFER_SIZE, min_size);
++ else if (spare_size > CAPTURE_BUFFER_SIZE)
++ drm_notice(&i915->drm, "GuC error state capture buffer maybe too small: %d < %d (min = %d)\n",
++ CAPTURE_BUFFER_SIZE, spare_size, min_size);
+ }
+
+ /*
+@@ -1580,5 +1596,7 @@ int intel_guc_capture_init(struct intel_guc *guc)
+ INIT_LIST_HEAD(&guc->capture->outlist);
+ INIT_LIST_HEAD(&guc->capture->cachelist);
+
++ check_guc_capture_size(guc);
++
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.h b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.h
+index d3d7bd0b6db6..fbd3713c7832 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.h
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.h
+@@ -21,7 +21,6 @@ int intel_guc_capture_print_engine_node(struct drm_i915_error_state_buf *m,
+ void intel_guc_capture_get_matching_node(struct intel_gt *gt, struct intel_engine_coredump *ee,
+ struct intel_context *ce);
+ void intel_guc_capture_process(struct intel_guc *guc);
+-int intel_guc_capture_output_min_size_est(struct intel_guc *guc);
+ int intel_guc_capture_getlist(struct intel_guc *guc, u32 owner, u32 type, u32 classid,
+ void **outptr);
+ int intel_guc_capture_getlistsize(struct intel_guc *guc, u32 owner, u32 type, u32 classid,
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
+index 492bbf419d4d..991d4a02248d 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
+@@ -487,10 +487,6 @@ int intel_guc_log_create(struct intel_guc_log *log)
+
+ GEM_BUG_ON(log->vma);
+
+- if (intel_guc_capture_output_min_size_est(guc) > CAPTURE_BUFFER_SIZE)
+- DRM_WARN("GuC log buffer for state_capture maybe too small. %d < %d\n",
+- CAPTURE_BUFFER_SIZE, intel_guc_capture_output_min_size_est(guc));
+-
+ guc_log_size = intel_guc_log_size(log);
+
+ vma = intel_guc_allocate_vma(guc, guc_log_size);
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.h b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.h
+index 18007e639be9..dc9715411d62 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.h
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.h
+@@ -22,11 +22,11 @@ struct intel_guc;
+ #elif defined(CONFIG_DRM_I915_DEBUG_GEM)
+ #define CRASH_BUFFER_SIZE SZ_1M
+ #define DEBUG_BUFFER_SIZE SZ_2M
+-#define CAPTURE_BUFFER_SIZE SZ_1M
++#define CAPTURE_BUFFER_SIZE SZ_4M
+ #else
+ #define CRASH_BUFFER_SIZE SZ_8K
+ #define DEBUG_BUFFER_SIZE SZ_64K
+-#define CAPTURE_BUFFER_SIZE SZ_16K
++#define CAPTURE_BUFFER_SIZE SZ_2M
+ #endif
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 387b800c9dafa9e918ba368ba97d7c11d91e49a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 23:05:06 -0700
+Subject: drm/i915/guc: Fix GuC error capture sizing estimation and reporting
+
+From: Alan Previn <alan.previn.teres.alexis@intel.com>
+
+[ Upstream commit befb231d5de2773f6c6f6cf918234e2e709110a5 ]
+
+During GuC error capture initialization, we estimate the amount of size
+we need for the error-capture-region of the shared GuC-log-buffer.
+This calculation was incorrect so fix that. With the fixed calculation
+we can reduce the allocation of error-capture region from 4MB to 1MB
+(see note2 below for reasoning). Additionally, switch from drm_notice to
+drm_debug for the 3X spare size check since that would be impossible to
+hit without redesigning gpu_coredump framework to hold multiple captures.
+
+NOTE1: Even for 1x the min size estimation case, actually running out
+of space is a corner case because it can only occur if all engine
+instances get reset all at once and i915 isn't able extract the capture
+data fast enough within G2H handler worker.
+
+NOTE2: With the corrected calculation, a DG2 part required ~77K and a PVC
+required ~115K (1X min-est-size that is calculated as one-shot all-engine-
+reset scenario).
+
+Fixes: d7c15d76a554 ("drm/i915/guc: Check sizing of guc_capture output")
+Cc: Alan Previn <alan.previn.teres.alexis@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: John Harrison <John.C.Harrison@Intel.com>
+Cc: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+Cc: Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Chris Wilson <chris.p.wilson@intel.com>
+Signed-off-by: Alan Previn <alan.previn.teres.alexis@intel.com>
+Reviewed-by: John Harrison <John.C.Harrison@Intel.com>
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221026060506.1007830-2-alan.previn.teres.alexis@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/i915/gt/uc/intel_guc_capture.c | 29 ++++++++++++-------
+ drivers/gpu/drm/i915/gt/uc/intel_guc_log.c | 6 ++--
+ 2 files changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+index c398bdd5403a..34e72675b7e4 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+@@ -555,8 +555,9 @@ guc_capture_getlistsize(struct intel_guc *guc, u32 owner, u32 type, u32 classid,
+ if (!num_regs)
+ return -ENODATA;
+
+- *size = PAGE_ALIGN((sizeof(struct guc_debug_capture_list)) +
+- (num_regs * sizeof(struct guc_mmio_reg)));
++ if (size)
++ *size = PAGE_ALIGN((sizeof(struct guc_debug_capture_list)) +
++ (num_regs * sizeof(struct guc_mmio_reg)));
+
+ return 0;
+ }
+@@ -666,7 +667,7 @@ guc_capture_output_min_size_est(struct intel_guc *guc)
+ struct intel_gt *gt = guc_to_gt(guc);
+ struct intel_engine_cs *engine;
+ enum intel_engine_id id;
+- int worst_min_size = 0, num_regs = 0;
++ int worst_min_size = 0;
+ size_t tmp = 0;
+
+ if (!guc->capture)
+@@ -688,20 +689,18 @@ guc_capture_output_min_size_est(struct intel_guc *guc)
+ (3 * sizeof(struct guc_state_capture_header_t));
+
+ if (!guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_GLOBAL, 0, &tmp, true))
+- num_regs += tmp;
++ worst_min_size += tmp;
+
+ if (!guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_ENGINE_CLASS,
+ engine->class, &tmp, true)) {
+- num_regs += tmp;
++ worst_min_size += tmp;
+ }
+ if (!guc_capture_getlistsize(guc, 0, GUC_CAPTURE_LIST_TYPE_ENGINE_INSTANCE,
+ engine->class, &tmp, true)) {
+- num_regs += tmp;
++ worst_min_size += tmp;
+ }
+ }
+
+- worst_min_size += (num_regs * sizeof(struct guc_mmio_reg));
+-
+ return worst_min_size;
+ }
+
+@@ -718,15 +717,23 @@ static void check_guc_capture_size(struct intel_guc *guc)
+ int spare_size = min_size * GUC_CAPTURE_OVERBUFFER_MULTIPLIER;
+ u32 buffer_size = intel_guc_log_section_size_capture(&guc->log);
+
++ /*
++ * NOTE: min_size is much smaller than the capture region allocation (DG2: <80K vs 1MB)
++ * Additionally, its based on space needed to fit all engines getting reset at once
++ * within the same G2H handler task slot. This is very unlikely. However, if GuC really
++ * does run out of space for whatever reason, we will see an separate warning message
++ * when processing the G2H event capture-notification, search for:
++ * INTEL_GUC_STATE_CAPTURE_EVENT_STATUS_NOSPACE.
++ */
+ if (min_size < 0)
+ drm_warn(&i915->drm, "Failed to calculate GuC error state capture buffer minimum size: %d!\n",
+ min_size);
+ else if (min_size > buffer_size)
+- drm_warn(&i915->drm, "GuC error state capture buffer is too small: %d < %d\n",
++ drm_warn(&i915->drm, "GuC error state capture buffer maybe small: %d < %d\n",
+ buffer_size, min_size);
+ else if (spare_size > buffer_size)
+- drm_notice(&i915->drm, "GuC error state capture buffer maybe too small: %d < %d (min = %d)\n",
+- buffer_size, spare_size, min_size);
++ drm_dbg(&i915->drm, "GuC error state capture buffer lacks spare size: %d < %d (min = %d)\n",
++ buffer_size, spare_size, min_size);
+ }
+
+ /*
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
+index 2b878030d3e1..8d755d285247 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
+@@ -16,15 +16,15 @@
+ #if defined(CONFIG_DRM_I915_DEBUG_GUC)
+ #define GUC_LOG_DEFAULT_CRASH_BUFFER_SIZE SZ_2M
+ #define GUC_LOG_DEFAULT_DEBUG_BUFFER_SIZE SZ_16M
+-#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_4M
++#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_1M
+ #elif defined(CONFIG_DRM_I915_DEBUG_GEM)
+ #define GUC_LOG_DEFAULT_CRASH_BUFFER_SIZE SZ_1M
+ #define GUC_LOG_DEFAULT_DEBUG_BUFFER_SIZE SZ_2M
+-#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_4M
++#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_1M
+ #else
+ #define GUC_LOG_DEFAULT_CRASH_BUFFER_SIZE SZ_8K
+ #define GUC_LOG_DEFAULT_DEBUG_BUFFER_SIZE SZ_64K
+-#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_2M
++#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_1M
+ #endif
+
+ static void guc_log_copy_debuglogs_for_relay(struct intel_guc_log *log);
+--
+2.35.1
+
--- /dev/null
+From 620a2343cedd106fd75d78bb8ea10cd9d1620260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Oct 2022 14:38:10 -0700
+Subject: drm/i915/guc: Limit scheduling properties to avoid overflow
+
+From: John Harrison <John.C.Harrison@Intel.com>
+
+[ Upstream commit 568944af44e7538ed5d1389dabf56e938afdaf4f ]
+
+GuC converts the pre-emption timeout and timeslice quantum values into
+clock ticks internally. That significantly reduces the point of 32bit
+overflow. On current platforms, worst case scenario is approximately
+110 seconds. Rather than allowing the user to set higher values and
+then get confused by early timeouts, add limits when setting these
+values.
+
+v2: Add helper functions for clamping (review feedback from Tvrtko).
+v3: Add a bunch of BUG_ON range checks in addition to the checks
+already in the clamping functions (Tvrtko)
+
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Acked-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221006213813.1563435-2-John.C.Harrison@Intel.com
+Stable-dep-of: c3bd49cd9a10 ("drm/i915: Fix compute pre-emption w/a to apply to compute engines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine.h | 6 ++
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 69 +++++++++++++++++++
+ drivers/gpu/drm/i915/gt/sysfs_engines.c | 25 ++++---
+ drivers/gpu/drm/i915/gt/uc/intel_guc_fwif.h | 21 ++++++
+ .../gpu/drm/i915/gt/uc/intel_guc_submission.c | 8 +++
+ 5 files changed, 119 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine.h b/drivers/gpu/drm/i915/gt/intel_engine.h
+index 04e435bce79b..cbc8b857d5f7 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine.h
++++ b/drivers/gpu/drm/i915/gt/intel_engine.h
+@@ -348,4 +348,10 @@ intel_engine_get_hung_context(struct intel_engine_cs *engine)
+ return engine->hung_ce;
+ }
+
++u64 intel_clamp_heartbeat_interval_ms(struct intel_engine_cs *engine, u64 value);
++u64 intel_clamp_max_busywait_duration_ns(struct intel_engine_cs *engine, u64 value);
++u64 intel_clamp_preempt_timeout_ms(struct intel_engine_cs *engine, u64 value);
++u64 intel_clamp_stop_timeout_ms(struct intel_engine_cs *engine, u64 value);
++u64 intel_clamp_timeslice_duration_ms(struct intel_engine_cs *engine, u64 value);
++
+ #endif /* _INTEL_RINGBUFFER_H_ */
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index 37fa813af766..699308a1323d 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -512,6 +512,26 @@ static int intel_engine_setup(struct intel_gt *gt, enum intel_engine_id id,
+ engine->flags |= I915_ENGINE_HAS_EU_PRIORITY;
+ }
+
++ /* Cap properties according to any system limits */
++#define CLAMP_PROP(field) \
++ do { \
++ u64 clamp = intel_clamp_##field(engine, engine->props.field); \
++ if (clamp != engine->props.field) { \
++ drm_notice(&engine->i915->drm, \
++ "Warning, clamping %s to %lld to prevent overflow\n", \
++ #field, clamp); \
++ engine->props.field = clamp; \
++ } \
++ } while (0)
++
++ CLAMP_PROP(heartbeat_interval_ms);
++ CLAMP_PROP(max_busywait_duration_ns);
++ CLAMP_PROP(preempt_timeout_ms);
++ CLAMP_PROP(stop_timeout_ms);
++ CLAMP_PROP(timeslice_duration_ms);
++
++#undef CLAMP_PROP
++
+ engine->defaults = engine->props; /* never to change again */
+
+ engine->context_size = intel_engine_context_size(gt, engine->class);
+@@ -534,6 +554,55 @@ static int intel_engine_setup(struct intel_gt *gt, enum intel_engine_id id,
+ return 0;
+ }
+
++u64 intel_clamp_heartbeat_interval_ms(struct intel_engine_cs *engine, u64 value)
++{
++ value = min_t(u64, value, jiffies_to_msecs(MAX_SCHEDULE_TIMEOUT));
++
++ return value;
++}
++
++u64 intel_clamp_max_busywait_duration_ns(struct intel_engine_cs *engine, u64 value)
++{
++ value = min(value, jiffies_to_nsecs(2));
++
++ return value;
++}
++
++u64 intel_clamp_preempt_timeout_ms(struct intel_engine_cs *engine, u64 value)
++{
++ /*
++ * NB: The GuC API only supports 32bit values. However, the limit is further
++ * reduced due to internal calculations which would otherwise overflow.
++ */
++ if (intel_guc_submission_is_wanted(&engine->gt->uc.guc))
++ value = min_t(u64, value, guc_policy_max_preempt_timeout_ms());
++
++ value = min_t(u64, value, jiffies_to_msecs(MAX_SCHEDULE_TIMEOUT));
++
++ return value;
++}
++
++u64 intel_clamp_stop_timeout_ms(struct intel_engine_cs *engine, u64 value)
++{
++ value = min_t(u64, value, jiffies_to_msecs(MAX_SCHEDULE_TIMEOUT));
++
++ return value;
++}
++
++u64 intel_clamp_timeslice_duration_ms(struct intel_engine_cs *engine, u64 value)
++{
++ /*
++ * NB: The GuC API only supports 32bit values. However, the limit is further
++ * reduced due to internal calculations which would otherwise overflow.
++ */
++ if (intel_guc_submission_is_wanted(&engine->gt->uc.guc))
++ value = min_t(u64, value, guc_policy_max_exec_quantum_ms());
++
++ value = min_t(u64, value, jiffies_to_msecs(MAX_SCHEDULE_TIMEOUT));
++
++ return value;
++}
++
+ static void __setup_engine_capabilities(struct intel_engine_cs *engine)
+ {
+ struct drm_i915_private *i915 = engine->i915;
+diff --git a/drivers/gpu/drm/i915/gt/sysfs_engines.c b/drivers/gpu/drm/i915/gt/sysfs_engines.c
+index 967031056202..f2d9858d827c 100644
+--- a/drivers/gpu/drm/i915/gt/sysfs_engines.c
++++ b/drivers/gpu/drm/i915/gt/sysfs_engines.c
+@@ -144,7 +144,7 @@ max_spin_store(struct kobject *kobj, struct kobj_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct intel_engine_cs *engine = kobj_to_engine(kobj);
+- unsigned long long duration;
++ unsigned long long duration, clamped;
+ int err;
+
+ /*
+@@ -168,7 +168,8 @@ max_spin_store(struct kobject *kobj, struct kobj_attribute *attr,
+ if (err)
+ return err;
+
+- if (duration > jiffies_to_nsecs(2))
++ clamped = intel_clamp_max_busywait_duration_ns(engine, duration);
++ if (duration != clamped)
+ return -EINVAL;
+
+ WRITE_ONCE(engine->props.max_busywait_duration_ns, duration);
+@@ -203,7 +204,7 @@ timeslice_store(struct kobject *kobj, struct kobj_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct intel_engine_cs *engine = kobj_to_engine(kobj);
+- unsigned long long duration;
++ unsigned long long duration, clamped;
+ int err;
+
+ /*
+@@ -218,7 +219,8 @@ timeslice_store(struct kobject *kobj, struct kobj_attribute *attr,
+ if (err)
+ return err;
+
+- if (duration > jiffies_to_msecs(MAX_SCHEDULE_TIMEOUT))
++ clamped = intel_clamp_timeslice_duration_ms(engine, duration);
++ if (duration != clamped)
+ return -EINVAL;
+
+ WRITE_ONCE(engine->props.timeslice_duration_ms, duration);
+@@ -256,7 +258,7 @@ stop_store(struct kobject *kobj, struct kobj_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct intel_engine_cs *engine = kobj_to_engine(kobj);
+- unsigned long long duration;
++ unsigned long long duration, clamped;
+ int err;
+
+ /*
+@@ -272,7 +274,8 @@ stop_store(struct kobject *kobj, struct kobj_attribute *attr,
+ if (err)
+ return err;
+
+- if (duration > jiffies_to_msecs(MAX_SCHEDULE_TIMEOUT))
++ clamped = intel_clamp_stop_timeout_ms(engine, duration);
++ if (duration != clamped)
+ return -EINVAL;
+
+ WRITE_ONCE(engine->props.stop_timeout_ms, duration);
+@@ -306,7 +309,7 @@ preempt_timeout_store(struct kobject *kobj, struct kobj_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct intel_engine_cs *engine = kobj_to_engine(kobj);
+- unsigned long long timeout;
++ unsigned long long timeout, clamped;
+ int err;
+
+ /*
+@@ -322,7 +325,8 @@ preempt_timeout_store(struct kobject *kobj, struct kobj_attribute *attr,
+ if (err)
+ return err;
+
+- if (timeout > jiffies_to_msecs(MAX_SCHEDULE_TIMEOUT))
++ clamped = intel_clamp_preempt_timeout_ms(engine, timeout);
++ if (timeout != clamped)
+ return -EINVAL;
+
+ WRITE_ONCE(engine->props.preempt_timeout_ms, timeout);
+@@ -362,7 +366,7 @@ heartbeat_store(struct kobject *kobj, struct kobj_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct intel_engine_cs *engine = kobj_to_engine(kobj);
+- unsigned long long delay;
++ unsigned long long delay, clamped;
+ int err;
+
+ /*
+@@ -379,7 +383,8 @@ heartbeat_store(struct kobject *kobj, struct kobj_attribute *attr,
+ if (err)
+ return err;
+
+- if (delay >= jiffies_to_msecs(MAX_SCHEDULE_TIMEOUT))
++ clamped = intel_clamp_heartbeat_interval_ms(engine, delay);
++ if (delay != clamped)
+ return -EINVAL;
+
+ err = intel_engine_set_heartbeat(engine, delay);
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_fwif.h b/drivers/gpu/drm/i915/gt/uc/intel_guc_fwif.h
+index 323b055e5db9..502e7cb5a302 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_fwif.h
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_fwif.h
+@@ -305,6 +305,27 @@ struct guc_update_context_policy {
+
+ #define GLOBAL_POLICY_DEFAULT_DPC_PROMOTE_TIME_US 500000
+
++/*
++ * GuC converts the timeout to clock ticks internally. Different platforms have
++ * different GuC clocks. Thus, the maximum value before overflow is platform
++ * dependent. Current worst case scenario is about 110s. So, the spec says to
++ * limit to 100s to be safe.
++ */
++#define GUC_POLICY_MAX_EXEC_QUANTUM_US (100 * 1000 * 1000UL)
++#define GUC_POLICY_MAX_PREEMPT_TIMEOUT_US (100 * 1000 * 1000UL)
++
++static inline u32 guc_policy_max_exec_quantum_ms(void)
++{
++ BUILD_BUG_ON(GUC_POLICY_MAX_EXEC_QUANTUM_US >= UINT_MAX);
++ return GUC_POLICY_MAX_EXEC_QUANTUM_US / 1000;
++}
++
++static inline u32 guc_policy_max_preempt_timeout_ms(void)
++{
++ BUILD_BUG_ON(GUC_POLICY_MAX_PREEMPT_TIMEOUT_US >= UINT_MAX);
++ return GUC_POLICY_MAX_PREEMPT_TIMEOUT_US / 1000;
++}
++
+ struct guc_policies {
+ u32 submission_queue_depth[GUC_MAX_ENGINE_CLASSES];
+ /* In micro seconds. How much time to allow before DPC processing is
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+index fe179146d51b..cd0c5043863b 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+@@ -2430,6 +2430,10 @@ static int guc_context_policy_init_v70(struct intel_context *ce, bool loop)
+ int ret;
+
+ /* NB: For both of these, zero means disabled. */
++ GEM_BUG_ON(overflows_type(engine->props.timeslice_duration_ms * 1000,
++ execution_quantum));
++ GEM_BUG_ON(overflows_type(engine->props.preempt_timeout_ms * 1000,
++ preemption_timeout));
+ execution_quantum = engine->props.timeslice_duration_ms * 1000;
+ preemption_timeout = engine->props.preempt_timeout_ms * 1000;
+
+@@ -2486,6 +2490,10 @@ static void guc_context_policy_init_v69(struct intel_engine_cs *engine,
+ desc->policy_flags |= CONTEXT_POLICY_FLAG_PREEMPT_TO_IDLE_V69;
+
+ /* NB: For both of these, zero means disabled. */
++ GEM_BUG_ON(overflows_type(engine->props.timeslice_duration_ms * 1000,
++ desc->execution_quantum));
++ GEM_BUG_ON(overflows_type(engine->props.preempt_timeout_ms * 1000,
++ desc->preemption_timeout));
+ desc->execution_quantum = engine->props.timeslice_duration_ms * 1000;
+ desc->preemption_timeout = engine->props.preempt_timeout_ms * 1000;
+ }
+--
+2.35.1
+
--- /dev/null
+From 5a9761e2e008e66ff35825f3a62d46656935d948 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 16:16:16 +0200
+Subject: drm/i915/guc: make default_lists const data
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+[ Upstream commit dfa5e6ef3ccefff9fa8a70d9f5fa6ef6244aa312 ]
+
+The default_lists array should be in rodata.
+
+Fixes: dce2bd542337 ("drm/i915/guc: Add Gen9 registers for GuC error state capture.")
+Cc: Alan Previn <alan.previn.teres.alexis@intel.com>
+Cc: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221122141616.3469214-1-jani.nikula@intel.com
+(cherry picked from commit 8b7f7a9b10b704ba7d73199ff0f01354e0bad7a5)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+index 34e72675b7e4..4c51888fd78b 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+@@ -165,7 +165,7 @@ static const struct __guc_mmio_reg_descr empty_regs_list[] = {
+ }
+
+ /* List of lists */
+-static struct __guc_mmio_reg_descr_group default_lists[] = {
++static const struct __guc_mmio_reg_descr_group default_lists[] = {
+ MAKE_REGLIST(default_global_regs, PF, GLOBAL, 0),
+ MAKE_REGLIST(default_rc_class_regs, PF, ENGINE_CLASS, GUC_RENDER_CLASS),
+ MAKE_REGLIST(xe_lpd_rc_inst_regs, PF, ENGINE_INSTANCE, GUC_RENDER_CLASS),
+--
+2.35.1
+
--- /dev/null
+From c6388f92e6bb1c36c41ab3f5c1e774ef0e868592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 19:20:27 -0700
+Subject: drm/i915/guc: Make GuC log sizes runtime configurable
+
+From: John Harrison <John.C.Harrison@Intel.com>
+
+[ Upstream commit 8ad0152afb1bb3878bba282308f037d73a87ace5 ]
+
+The GuC log buffer sizes had to be configured statically at compile
+time. This can be quite troublesome when needing to get larger logs
+out of a released driver. So re-organise the code to allow a boot time
+module parameter override.
+
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Reviewed-by: Alan Previn <alan.previn.teres.alexis@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220728022028.2190627-7-John.C.Harrison@Intel.com
+Stable-dep-of: befb231d5de2 ("drm/i915/guc: Fix GuC error capture sizing estimation and reporting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/uc/intel_guc.c | 53 ++----
+ .../gpu/drm/i915/gt/uc/intel_guc_capture.c | 14 +-
+ drivers/gpu/drm/i915/gt/uc/intel_guc_log.c | 176 +++++++++++++++++-
+ drivers/gpu/drm/i915/gt/uc/intel_guc_log.h | 42 +++--
+ drivers/gpu/drm/i915/i915_params.c | 12 ++
+ drivers/gpu/drm/i915/i915_params.h | 3 +
+ 6 files changed, 226 insertions(+), 74 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc.c b/drivers/gpu/drm/i915/gt/uc/intel_guc.c
+index 2706a8c65090..7fbcfeda9195 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc.c
+@@ -224,53 +224,22 @@ static u32 guc_ctl_feature_flags(struct intel_guc *guc)
+
+ static u32 guc_ctl_log_params_flags(struct intel_guc *guc)
+ {
+- u32 offset = intel_guc_ggtt_offset(guc, guc->log.vma) >> PAGE_SHIFT;
+- u32 flags;
+-
+- #if (((CRASH_BUFFER_SIZE) % SZ_1M) == 0)
+- #define LOG_UNIT SZ_1M
+- #define LOG_FLAG GUC_LOG_LOG_ALLOC_UNITS
+- #else
+- #define LOG_UNIT SZ_4K
+- #define LOG_FLAG 0
+- #endif
+-
+- #if (((CAPTURE_BUFFER_SIZE) % SZ_1M) == 0)
+- #define CAPTURE_UNIT SZ_1M
+- #define CAPTURE_FLAG GUC_LOG_CAPTURE_ALLOC_UNITS
+- #else
+- #define CAPTURE_UNIT SZ_4K
+- #define CAPTURE_FLAG 0
+- #endif
+-
+- BUILD_BUG_ON(!CRASH_BUFFER_SIZE);
+- BUILD_BUG_ON(!IS_ALIGNED(CRASH_BUFFER_SIZE, LOG_UNIT));
+- BUILD_BUG_ON(!DEBUG_BUFFER_SIZE);
+- BUILD_BUG_ON(!IS_ALIGNED(DEBUG_BUFFER_SIZE, LOG_UNIT));
+- BUILD_BUG_ON(!CAPTURE_BUFFER_SIZE);
+- BUILD_BUG_ON(!IS_ALIGNED(CAPTURE_BUFFER_SIZE, CAPTURE_UNIT));
+-
+- BUILD_BUG_ON((CRASH_BUFFER_SIZE / LOG_UNIT - 1) >
+- (GUC_LOG_CRASH_MASK >> GUC_LOG_CRASH_SHIFT));
+- BUILD_BUG_ON((DEBUG_BUFFER_SIZE / LOG_UNIT - 1) >
+- (GUC_LOG_DEBUG_MASK >> GUC_LOG_DEBUG_SHIFT));
+- BUILD_BUG_ON((CAPTURE_BUFFER_SIZE / CAPTURE_UNIT - 1) >
+- (GUC_LOG_CAPTURE_MASK >> GUC_LOG_CAPTURE_SHIFT));
++ struct intel_guc_log *log = &guc->log;
++ u32 offset, flags;
++
++ GEM_BUG_ON(!log->sizes_initialised);
++
++ offset = intel_guc_ggtt_offset(guc, log->vma) >> PAGE_SHIFT;
+
+ flags = GUC_LOG_VALID |
+ GUC_LOG_NOTIFY_ON_HALF_FULL |
+- CAPTURE_FLAG |
+- LOG_FLAG |
+- ((CRASH_BUFFER_SIZE / LOG_UNIT - 1) << GUC_LOG_CRASH_SHIFT) |
+- ((DEBUG_BUFFER_SIZE / LOG_UNIT - 1) << GUC_LOG_DEBUG_SHIFT) |
+- ((CAPTURE_BUFFER_SIZE / CAPTURE_UNIT - 1) << GUC_LOG_CAPTURE_SHIFT) |
++ log->sizes[GUC_LOG_SECTIONS_DEBUG].flag |
++ log->sizes[GUC_LOG_SECTIONS_CAPTURE].flag |
++ (log->sizes[GUC_LOG_SECTIONS_CRASH].count << GUC_LOG_CRASH_SHIFT) |
++ (log->sizes[GUC_LOG_SECTIONS_DEBUG].count << GUC_LOG_DEBUG_SHIFT) |
++ (log->sizes[GUC_LOG_SECTIONS_CAPTURE].count << GUC_LOG_CAPTURE_SHIFT) |
+ (offset << GUC_LOG_BUF_ADDR_SHIFT);
+
+- #undef LOG_UNIT
+- #undef LOG_FLAG
+- #undef CAPTURE_UNIT
+- #undef CAPTURE_FLAG
+-
+ return flags;
+ }
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+index b54b7883320b..d2ac53d4f3b6 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c
+@@ -656,16 +656,17 @@ static void check_guc_capture_size(struct intel_guc *guc)
+ struct drm_i915_private *i915 = guc_to_gt(guc)->i915;
+ int min_size = guc_capture_output_min_size_est(guc);
+ int spare_size = min_size * GUC_CAPTURE_OVERBUFFER_MULTIPLIER;
++ u32 buffer_size = intel_guc_log_section_size_capture(&guc->log);
+
+ if (min_size < 0)
+ drm_warn(&i915->drm, "Failed to calculate GuC error state capture buffer minimum size: %d!\n",
+ min_size);
+- else if (min_size > CAPTURE_BUFFER_SIZE)
++ else if (min_size > buffer_size)
+ drm_warn(&i915->drm, "GuC error state capture buffer is too small: %d < %d\n",
+- CAPTURE_BUFFER_SIZE, min_size);
+- else if (spare_size > CAPTURE_BUFFER_SIZE)
++ buffer_size, min_size);
++ else if (spare_size > buffer_size)
+ drm_notice(&i915->drm, "GuC error state capture buffer maybe too small: %d < %d (min = %d)\n",
+- CAPTURE_BUFFER_SIZE, spare_size, min_size);
++ buffer_size, spare_size, min_size);
+ }
+
+ /*
+@@ -1294,7 +1295,8 @@ static void __guc_capture_process_output(struct intel_guc *guc)
+
+ log_buf_state = guc->log.buf_addr +
+ (sizeof(struct guc_log_buffer_state) * GUC_CAPTURE_LOG_BUFFER);
+- src_data = guc->log.buf_addr + intel_guc_get_log_buffer_offset(GUC_CAPTURE_LOG_BUFFER);
++ src_data = guc->log.buf_addr +
++ intel_guc_get_log_buffer_offset(&guc->log, GUC_CAPTURE_LOG_BUFFER);
+
+ /*
+ * Make a copy of the state structure, inside GuC log buffer
+@@ -1302,7 +1304,7 @@ static void __guc_capture_process_output(struct intel_guc *guc)
+ * from it multiple times.
+ */
+ memcpy(&log_buf_state_local, log_buf_state, sizeof(struct guc_log_buffer_state));
+- buffer_size = intel_guc_get_log_buffer_size(GUC_CAPTURE_LOG_BUFFER);
++ buffer_size = intel_guc_get_log_buffer_size(&guc->log, GUC_CAPTURE_LOG_BUFFER);
+ read_offset = log_buf_state_local.read_ptr;
+ write_offset = log_buf_state_local.sampled_write_ptr;
+ full_count = log_buf_state_local.buffer_full_cnt;
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
+index 991d4a02248d..2b878030d3e1 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
+@@ -13,8 +13,158 @@
+ #include "intel_guc_capture.h"
+ #include "intel_guc_log.h"
+
++#if defined(CONFIG_DRM_I915_DEBUG_GUC)
++#define GUC_LOG_DEFAULT_CRASH_BUFFER_SIZE SZ_2M
++#define GUC_LOG_DEFAULT_DEBUG_BUFFER_SIZE SZ_16M
++#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_4M
++#elif defined(CONFIG_DRM_I915_DEBUG_GEM)
++#define GUC_LOG_DEFAULT_CRASH_BUFFER_SIZE SZ_1M
++#define GUC_LOG_DEFAULT_DEBUG_BUFFER_SIZE SZ_2M
++#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_4M
++#else
++#define GUC_LOG_DEFAULT_CRASH_BUFFER_SIZE SZ_8K
++#define GUC_LOG_DEFAULT_DEBUG_BUFFER_SIZE SZ_64K
++#define GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE SZ_2M
++#endif
++
+ static void guc_log_copy_debuglogs_for_relay(struct intel_guc_log *log);
+
++struct guc_log_section {
++ u32 max;
++ u32 flag;
++ u32 default_val;
++ const char *name;
++};
++
++static s32 scale_log_param(struct intel_guc_log *log, const struct guc_log_section *section,
++ s32 param)
++{
++ /* -1 means default */
++ if (param < 0)
++ return section->default_val;
++
++ /* Check for 32-bit overflow */
++ if (param >= SZ_4K) {
++ drm_err(&guc_to_gt(log_to_guc(log))->i915->drm, "Size too large for GuC %s log: %dMB!",
++ section->name, param);
++ return section->default_val;
++ }
++
++ /* Param units are 1MB */
++ return param * SZ_1M;
++}
++
++static void _guc_log_init_sizes(struct intel_guc_log *log)
++{
++ struct intel_guc *guc = log_to_guc(log);
++ struct drm_i915_private *i915 = guc_to_gt(guc)->i915;
++ static const struct guc_log_section sections[GUC_LOG_SECTIONS_LIMIT] = {
++ {
++ GUC_LOG_CRASH_MASK >> GUC_LOG_CRASH_SHIFT,
++ GUC_LOG_LOG_ALLOC_UNITS,
++ GUC_LOG_DEFAULT_CRASH_BUFFER_SIZE,
++ "crash dump"
++ },
++ {
++ GUC_LOG_DEBUG_MASK >> GUC_LOG_DEBUG_SHIFT,
++ GUC_LOG_LOG_ALLOC_UNITS,
++ GUC_LOG_DEFAULT_DEBUG_BUFFER_SIZE,
++ "debug",
++ },
++ {
++ GUC_LOG_CAPTURE_MASK >> GUC_LOG_CAPTURE_SHIFT,
++ GUC_LOG_CAPTURE_ALLOC_UNITS,
++ GUC_LOG_DEFAULT_CAPTURE_BUFFER_SIZE,
++ "capture",
++ }
++ };
++ s32 params[GUC_LOG_SECTIONS_LIMIT] = {
++ i915->params.guc_log_size_crash,
++ i915->params.guc_log_size_debug,
++ i915->params.guc_log_size_capture,
++ };
++ int i;
++
++ for (i = 0; i < GUC_LOG_SECTIONS_LIMIT; i++)
++ log->sizes[i].bytes = scale_log_param(log, sections + i, params[i]);
++
++ /* If debug size > 1MB then bump default crash size to keep the same units */
++ if (log->sizes[GUC_LOG_SECTIONS_DEBUG].bytes >= SZ_1M &&
++ (i915->params.guc_log_size_crash == -1) &&
++ GUC_LOG_DEFAULT_CRASH_BUFFER_SIZE < SZ_1M)
++ log->sizes[GUC_LOG_SECTIONS_CRASH].bytes = SZ_1M;
++
++ /* Prepare the GuC API structure fields: */
++ for (i = 0; i < GUC_LOG_SECTIONS_LIMIT; i++) {
++ /* Convert to correct units */
++ if ((log->sizes[i].bytes % SZ_1M) == 0) {
++ log->sizes[i].units = SZ_1M;
++ log->sizes[i].flag = sections[i].flag;
++ } else {
++ log->sizes[i].units = SZ_4K;
++ log->sizes[i].flag = 0;
++ }
++
++ if (!IS_ALIGNED(log->sizes[i].bytes, log->sizes[i].units))
++ drm_err(&i915->drm, "Mis-aligned GuC log %s size: 0x%X vs 0x%X!",
++ sections[i].name, log->sizes[i].bytes, log->sizes[i].units);
++ log->sizes[i].count = log->sizes[i].bytes / log->sizes[i].units;
++
++ if (!log->sizes[i].count) {
++ drm_err(&i915->drm, "Zero GuC log %s size!", sections[i].name);
++ } else {
++ /* Size is +1 unit */
++ log->sizes[i].count--;
++ }
++
++ /* Clip to field size */
++ if (log->sizes[i].count > sections[i].max) {
++ drm_err(&i915->drm, "GuC log %s size too large: %d vs %d!",
++ sections[i].name, log->sizes[i].count + 1, sections[i].max + 1);
++ log->sizes[i].count = sections[i].max;
++ }
++ }
++
++ if (log->sizes[GUC_LOG_SECTIONS_CRASH].units != log->sizes[GUC_LOG_SECTIONS_DEBUG].units) {
++ drm_err(&i915->drm, "Unit mis-match for GuC log crash and debug sections: %d vs %d!",
++ log->sizes[GUC_LOG_SECTIONS_CRASH].units,
++ log->sizes[GUC_LOG_SECTIONS_DEBUG].units);
++ log->sizes[GUC_LOG_SECTIONS_CRASH].units = log->sizes[GUC_LOG_SECTIONS_DEBUG].units;
++ log->sizes[GUC_LOG_SECTIONS_CRASH].count = 0;
++ }
++
++ log->sizes_initialised = true;
++}
++
++static void guc_log_init_sizes(struct intel_guc_log *log)
++{
++ if (log->sizes_initialised)
++ return;
++
++ _guc_log_init_sizes(log);
++}
++
++static u32 intel_guc_log_section_size_crash(struct intel_guc_log *log)
++{
++ guc_log_init_sizes(log);
++
++ return log->sizes[GUC_LOG_SECTIONS_CRASH].bytes;
++}
++
++static u32 intel_guc_log_section_size_debug(struct intel_guc_log *log)
++{
++ guc_log_init_sizes(log);
++
++ return log->sizes[GUC_LOG_SECTIONS_DEBUG].bytes;
++}
++
++u32 intel_guc_log_section_size_capture(struct intel_guc_log *log)
++{
++ guc_log_init_sizes(log);
++
++ return log->sizes[GUC_LOG_SECTIONS_CAPTURE].bytes;
++}
++
+ static u32 intel_guc_log_size(struct intel_guc_log *log)
+ {
+ /*
+@@ -38,7 +188,10 @@ static u32 intel_guc_log_size(struct intel_guc_log *log)
+ * | Capture logs |
+ * +===============================+ + CAPTURE_SIZE
+ */
+- return PAGE_SIZE + CRASH_BUFFER_SIZE + DEBUG_BUFFER_SIZE + CAPTURE_BUFFER_SIZE;
++ return PAGE_SIZE +
++ intel_guc_log_section_size_crash(log) +
++ intel_guc_log_section_size_debug(log) +
++ intel_guc_log_section_size_capture(log);
+ }
+
+ /**
+@@ -165,7 +318,8 @@ static void guc_move_to_next_buf(struct intel_guc_log *log)
+ smp_wmb();
+
+ /* All data has been written, so now move the offset of sub buffer. */
+- relay_reserve(log->relay.channel, log->vma->obj->base.size - CAPTURE_BUFFER_SIZE);
++ relay_reserve(log->relay.channel, log->vma->obj->base.size -
++ intel_guc_log_section_size_capture(log));
+
+ /* Switch to the next sub buffer */
+ relay_flush(log->relay.channel);
+@@ -210,15 +364,16 @@ bool intel_guc_check_log_buf_overflow(struct intel_guc_log *log,
+ return overflow;
+ }
+
+-unsigned int intel_guc_get_log_buffer_size(enum guc_log_buffer_type type)
++unsigned int intel_guc_get_log_buffer_size(struct intel_guc_log *log,
++ enum guc_log_buffer_type type)
+ {
+ switch (type) {
+ case GUC_DEBUG_LOG_BUFFER:
+- return DEBUG_BUFFER_SIZE;
++ return intel_guc_log_section_size_debug(log);
+ case GUC_CRASH_DUMP_LOG_BUFFER:
+- return CRASH_BUFFER_SIZE;
++ return intel_guc_log_section_size_crash(log);
+ case GUC_CAPTURE_LOG_BUFFER:
+- return CAPTURE_BUFFER_SIZE;
++ return intel_guc_log_section_size_capture(log);
+ default:
+ MISSING_CASE(type);
+ }
+@@ -226,7 +381,8 @@ unsigned int intel_guc_get_log_buffer_size(enum guc_log_buffer_type type)
+ return 0;
+ }
+
+-size_t intel_guc_get_log_buffer_offset(enum guc_log_buffer_type type)
++size_t intel_guc_get_log_buffer_offset(struct intel_guc_log *log,
++ enum guc_log_buffer_type type)
+ {
+ enum guc_log_buffer_type i;
+ size_t offset = PAGE_SIZE;/* for the log_buffer_states */
+@@ -234,7 +390,7 @@ size_t intel_guc_get_log_buffer_offset(enum guc_log_buffer_type type)
+ for (i = GUC_DEBUG_LOG_BUFFER; i < GUC_MAX_LOG_BUFFER; ++i) {
+ if (i == type)
+ break;
+- offset += intel_guc_get_log_buffer_size(i);
++ offset += intel_guc_get_log_buffer_size(log, i);
+ }
+
+ return offset;
+@@ -285,7 +441,7 @@ static void _guc_log_copy_debuglogs_for_relay(struct intel_guc_log *log)
+ */
+ memcpy(&log_buf_state_local, log_buf_state,
+ sizeof(struct guc_log_buffer_state));
+- buffer_size = intel_guc_get_log_buffer_size(type);
++ buffer_size = intel_guc_get_log_buffer_size(log, type);
+ read_offset = log_buf_state_local.read_ptr;
+ write_offset = log_buf_state_local.sampled_write_ptr;
+ full_cnt = log_buf_state_local.buffer_full_cnt;
+@@ -400,7 +556,7 @@ static int guc_log_relay_create(struct intel_guc_log *log)
+ * Keep the size of sub buffers same as shared log buffer
+ * but GuC log-events excludes the error-state-capture logs
+ */
+- subbuf_size = log->vma->size - CAPTURE_BUFFER_SIZE;
++ subbuf_size = log->vma->size - intel_guc_log_section_size_capture(log);
+
+ /*
+ * Store up to 8 snapshots, which is large enough to buffer sufficient
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.h b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.h
+index dc9715411d62..02127703be80 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_log.h
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_log.h
+@@ -15,20 +15,6 @@
+
+ struct intel_guc;
+
+-#if defined(CONFIG_DRM_I915_DEBUG_GUC)
+-#define CRASH_BUFFER_SIZE SZ_2M
+-#define DEBUG_BUFFER_SIZE SZ_16M
+-#define CAPTURE_BUFFER_SIZE SZ_4M
+-#elif defined(CONFIG_DRM_I915_DEBUG_GEM)
+-#define CRASH_BUFFER_SIZE SZ_1M
+-#define DEBUG_BUFFER_SIZE SZ_2M
+-#define CAPTURE_BUFFER_SIZE SZ_4M
+-#else
+-#define CRASH_BUFFER_SIZE SZ_8K
+-#define DEBUG_BUFFER_SIZE SZ_64K
+-#define CAPTURE_BUFFER_SIZE SZ_2M
+-#endif
+-
+ /*
+ * While we're using plain log level in i915, GuC controls are much more...
+ * "elaborate"? We have a couple of bits for verbosity, separate bit for actual
+@@ -46,10 +32,30 @@ struct intel_guc;
+ #define GUC_VERBOSITY_TO_LOG_LEVEL(x) ((x) + 2)
+ #define GUC_LOG_LEVEL_MAX GUC_VERBOSITY_TO_LOG_LEVEL(GUC_LOG_VERBOSITY_MAX)
+
++enum {
++ GUC_LOG_SECTIONS_CRASH,
++ GUC_LOG_SECTIONS_DEBUG,
++ GUC_LOG_SECTIONS_CAPTURE,
++ GUC_LOG_SECTIONS_LIMIT
++};
++
+ struct intel_guc_log {
+ u32 level;
++
++ /* Allocation settings */
++ struct {
++ s32 bytes; /* Size in bytes */
++ s32 units; /* GuC API units - 1MB or 4KB */
++ s32 count; /* Number of API units */
++ u32 flag; /* GuC API units flag */
++ } sizes[GUC_LOG_SECTIONS_LIMIT];
++ bool sizes_initialised;
++
++ /* Combined buffer allocation */
+ struct i915_vma *vma;
+ void *buf_addr;
++
++ /* RelayFS support */
+ struct {
+ bool buf_in_use;
+ bool started;
+@@ -58,6 +64,7 @@ struct intel_guc_log {
+ struct mutex lock;
+ u32 full_count;
+ } relay;
++
+ /* logging related stats */
+ struct {
+ u32 sampled_overflow;
+@@ -69,8 +76,9 @@ struct intel_guc_log {
+ void intel_guc_log_init_early(struct intel_guc_log *log);
+ bool intel_guc_check_log_buf_overflow(struct intel_guc_log *log, enum guc_log_buffer_type type,
+ unsigned int full_cnt);
+-unsigned int intel_guc_get_log_buffer_size(enum guc_log_buffer_type type);
+-size_t intel_guc_get_log_buffer_offset(enum guc_log_buffer_type type);
++unsigned int intel_guc_get_log_buffer_size(struct intel_guc_log *log,
++ enum guc_log_buffer_type type);
++size_t intel_guc_get_log_buffer_offset(struct intel_guc_log *log, enum guc_log_buffer_type type);
+ int intel_guc_log_create(struct intel_guc_log *log);
+ void intel_guc_log_destroy(struct intel_guc_log *log);
+
+@@ -92,4 +100,6 @@ void intel_guc_log_info(struct intel_guc_log *log, struct drm_printer *p);
+ int intel_guc_log_dump(struct intel_guc_log *log, struct drm_printer *p,
+ bool dump_load_err);
+
++u32 intel_guc_log_section_size_capture(struct intel_guc_log *log);
++
+ #endif
+diff --git a/drivers/gpu/drm/i915/i915_params.c b/drivers/gpu/drm/i915/i915_params.c
+index 6fc475a5db61..06ca5b822111 100644
+--- a/drivers/gpu/drm/i915/i915_params.c
++++ b/drivers/gpu/drm/i915/i915_params.c
+@@ -171,6 +171,18 @@ i915_param_named(guc_log_level, int, 0400,
+ "GuC firmware logging level. Requires GuC to be loaded. "
+ "(-1=auto [default], 0=disable, 1..4=enable with verbosity min..max)");
+
++i915_param_named(guc_log_size_crash, int, 0400,
++ "GuC firmware logging buffer size for crash dumps (in MB)"
++ "(-1=auto [default], NB: max = 4, other restrictions apply)");
++
++i915_param_named(guc_log_size_debug, int, 0400,
++ "GuC firmware logging buffer size for debug logs (in MB)"
++ "(-1=auto [default], NB: max = 16, other restrictions apply)");
++
++i915_param_named(guc_log_size_capture, int, 0400,
++ "GuC error capture register dump buffer size (in MB)"
++ "(-1=auto [default], NB: max = 4, other restrictions apply)");
++
+ i915_param_named_unsafe(guc_firmware_path, charp, 0400,
+ "GuC firmware path to use instead of the default one");
+
+diff --git a/drivers/gpu/drm/i915/i915_params.h b/drivers/gpu/drm/i915/i915_params.h
+index 2733cb6cfe09..f684d1ab8707 100644
+--- a/drivers/gpu/drm/i915/i915_params.h
++++ b/drivers/gpu/drm/i915/i915_params.h
+@@ -61,6 +61,9 @@ struct drm_printer;
+ param(int, invert_brightness, 0, 0600) \
+ param(int, enable_guc, -1, 0400) \
+ param(int, guc_log_level, -1, 0400) \
++ param(int, guc_log_size_crash, -1, 0400) \
++ param(int, guc_log_size_debug, -1, 0400) \
++ param(int, guc_log_size_capture, -1, 0400) \
+ param(char *, guc_firmware_path, NULL, 0400) \
+ param(char *, huc_firmware_path, NULL, 0400) \
+ param(char *, dmc_firmware_path, NULL, 0400) \
+--
+2.35.1
+
--- /dev/null
+From b56378dca29bcb414d2490d52bb4dd098c0aacb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 17:46:15 +0100
+Subject: drm: lcdif: change burst size to 256B
+
+From: Marco Felsch <m.felsch@pengutronix.de>
+
+[ Upstream commit 2215cb3be5c28a1fd43036550c00c2371aeeba95 ]
+
+If a axi bus master with a higher priority do a lot of memory access
+FIFO underruns can be inspected. Increase the burst size to 256B to
+avoid such underruns and to improve the memory access efficiency.
+
+Fixes: 9db35bb349a0 ("drm: lcdif: Add support for i.MX8MP LCDIF variant")
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221101164615.778299-1-m.felsch@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mxsfb/lcdif_kms.c | 14 ++++++++++++--
+ drivers/gpu/drm/mxsfb/lcdif_regs.h | 4 ++++
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/mxsfb/lcdif_kms.c b/drivers/gpu/drm/mxsfb/lcdif_kms.c
+index 11f881554f74..713b0d756f2a 100644
+--- a/drivers/gpu/drm/mxsfb/lcdif_kms.c
++++ b/drivers/gpu/drm/mxsfb/lcdif_kms.c
+@@ -149,8 +149,18 @@ static void lcdif_set_mode(struct lcdif_drm_private *lcdif, u32 bus_flags)
+ CTRLDESCL0_1_WIDTH(m->crtc_hdisplay),
+ lcdif->base + LCDC_V8_CTRLDESCL0_1);
+
+- writel(CTRLDESCL0_3_PITCH(lcdif->crtc.primary->state->fb->pitches[0]),
+- lcdif->base + LCDC_V8_CTRLDESCL0_3);
++ /*
++ * Undocumented P_SIZE and T_SIZE register but those written in the
++ * downstream kernel those registers control the AXI burst size. As of
++ * now there are two known values:
++ * 1 - 128Byte
++ * 2 - 256Byte
++ * Downstream set it to 256B burst size to improve the memory
++ * efficiency so set it here too.
++ */
++ ctrl = CTRLDESCL0_3_P_SIZE(2) | CTRLDESCL0_3_T_SIZE(2) |
++ CTRLDESCL0_3_PITCH(lcdif->crtc.primary->state->fb->pitches[0]);
++ writel(ctrl, lcdif->base + LCDC_V8_CTRLDESCL0_3);
+ }
+
+ static void lcdif_enable_controller(struct lcdif_drm_private *lcdif)
+diff --git a/drivers/gpu/drm/mxsfb/lcdif_regs.h b/drivers/gpu/drm/mxsfb/lcdif_regs.h
+index c70220651e3a..8e8bef175bf2 100644
+--- a/drivers/gpu/drm/mxsfb/lcdif_regs.h
++++ b/drivers/gpu/drm/mxsfb/lcdif_regs.h
+@@ -190,6 +190,10 @@
+ #define CTRLDESCL0_1_WIDTH(n) ((n) & 0xffff)
+ #define CTRLDESCL0_1_WIDTH_MASK GENMASK(15, 0)
+
++#define CTRLDESCL0_3_P_SIZE(n) (((n) << 20) & CTRLDESCL0_3_P_SIZE_MASK)
++#define CTRLDESCL0_3_P_SIZE_MASK GENMASK(22, 20)
++#define CTRLDESCL0_3_T_SIZE(n) (((n) << 16) & CTRLDESCL0_3_T_SIZE_MASK)
++#define CTRLDESCL0_3_T_SIZE_MASK GENMASK(17, 16)
+ #define CTRLDESCL0_3_PITCH(n) ((n) & 0xffff)
+ #define CTRLDESCL0_3_PITCH_MASK GENMASK(15, 0)
+
+--
+2.35.1
+
--- /dev/null
+From d70e6462bc49eb0e3fbd4cc9b1dfc8d04a0531fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 16:26:29 +0100
+Subject: drm: lcdif: Set and enable FIFO Panic threshold
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit e3cac8f7749f78dacdf19c00ed5862a1db52239f ]
+
+In case the LCDIFv3 is used to drive a 4k panel via i.MX8MP HDMI bridge,
+the LCDIFv3 becomes susceptible to FIFO underflows, these lead to nasty
+flicker of the image on the panel, or image being shifted by half frame
+horizontally every second frame. The flicker can be easily triggered by
+running 3D application on top of weston compositor, like neverball or
+chromium. Surprisingly glmark2-es2-wayland or glmark2-es2-drm does not
+trigger this effect so easily.
+
+Configure the FIFO Panic threshold register and enable the FIFO Panic
+mode, which internally boosts the NoC interconnect priority for LCDIFv3
+transactions in case of possible underflow. This mitigates the flicker
+effect on 4k panels as well.
+
+Fixes: 9db35bb349a0 ("drm: lcdif: Add support for i.MX8MP LCDIF variant")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Tested-by: Liu Ying <victor.liu@nxp.com> # i.MX8mp EVK
+Reviewed-by: Liu Ying <victor.liu@nxp.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221101152629.21768-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mxsfb/lcdif_kms.c | 16 ++++++++++++++++
+ drivers/gpu/drm/mxsfb/lcdif_regs.h | 1 +
+ 2 files changed, 17 insertions(+)
+
+diff --git a/drivers/gpu/drm/mxsfb/lcdif_kms.c b/drivers/gpu/drm/mxsfb/lcdif_kms.c
+index 713b0d756f2a..d419c61c3407 100644
+--- a/drivers/gpu/drm/mxsfb/lcdif_kms.c
++++ b/drivers/gpu/drm/mxsfb/lcdif_kms.c
+@@ -5,6 +5,7 @@
+ * This code is based on drivers/gpu/drm/mxsfb/mxsfb*
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/clk.h>
+ #include <linux/io.h>
+ #include <linux/iopoll.h>
+@@ -167,6 +168,18 @@ static void lcdif_enable_controller(struct lcdif_drm_private *lcdif)
+ {
+ u32 reg;
+
++ /* Set FIFO Panic watermarks, low 1/3, high 2/3 . */
++ writel(FIELD_PREP(PANIC0_THRES_LOW_MASK, 1 * PANIC0_THRES_MAX / 3) |
++ FIELD_PREP(PANIC0_THRES_HIGH_MASK, 2 * PANIC0_THRES_MAX / 3),
++ lcdif->base + LCDC_V8_PANIC0_THRES);
++
++ /*
++ * Enable FIFO Panic, this does not generate interrupt, but
++ * boosts NoC priority based on FIFO Panic watermarks.
++ */
++ writel(INT_ENABLE_D1_PLANE_PANIC_EN,
++ lcdif->base + LCDC_V8_INT_ENABLE_D1);
++
+ reg = readl(lcdif->base + LCDC_V8_DISP_PARA);
+ reg |= DISP_PARA_DISP_ON;
+ writel(reg, lcdif->base + LCDC_V8_DISP_PARA);
+@@ -194,6 +207,9 @@ static void lcdif_disable_controller(struct lcdif_drm_private *lcdif)
+ reg = readl(lcdif->base + LCDC_V8_DISP_PARA);
+ reg &= ~DISP_PARA_DISP_ON;
+ writel(reg, lcdif->base + LCDC_V8_DISP_PARA);
++
++ /* Disable FIFO Panic NoC priority booster. */
++ writel(0, lcdif->base + LCDC_V8_INT_ENABLE_D1);
+ }
+
+ static void lcdif_reset_block(struct lcdif_drm_private *lcdif)
+diff --git a/drivers/gpu/drm/mxsfb/lcdif_regs.h b/drivers/gpu/drm/mxsfb/lcdif_regs.h
+index 8e8bef175bf2..37f0d9a06b10 100644
+--- a/drivers/gpu/drm/mxsfb/lcdif_regs.h
++++ b/drivers/gpu/drm/mxsfb/lcdif_regs.h
+@@ -252,6 +252,7 @@
+
+ #define PANIC0_THRES_LOW_MASK GENMASK(24, 16)
+ #define PANIC0_THRES_HIGH_MASK GENMASK(8, 0)
++#define PANIC0_THRES_MAX 511
+
+ #define LCDIF_MIN_XRES 120
+ #define LCDIF_MIN_YRES 120
+--
+2.35.1
+
--- /dev/null
+From c3e31f539085f68db0a2a595634bb8550081ee31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 11:39:54 +0300
+Subject: drm: lcdif: Switch to limited range for RGB to YUV conversion
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit ec39dee8b25229a646271815cc86a8fc865525cf ]
+
+Up to and including v1.3, HDMI supported limited quantization range only
+for YCbCr. HDMI v1.4 introduced selectable quantization ranges, but this
+feature isn't supported in the dw-hdmi driver that is used in
+conjunction with the LCDIF in the i.MX8MP. The HDMI YCbCr output is thus
+always advertised in the AVI infoframe as limited range.
+
+The LCDIF driver, on the other hand, configures the CSC to produce full
+range YCbCr. This mismatch results in loss of details and incorrect
+colours. Fix it by switching to limited range YCbCr.
+
+The coefficients are copied from drivers/media/platforms/nxp/imx-pxp.c
+for coherency, as the hardware is most likely identical.
+
+Fixes: 9db35bb349a0 ("drm: lcdif: Add support for i.MX8MP LCDIF variant")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Reviewed-by: Liu Ying <victor.liu@nxp.com>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220930083955.31580-4-laurent.pinchart@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mxsfb/lcdif_kms.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/mxsfb/lcdif_kms.c b/drivers/gpu/drm/mxsfb/lcdif_kms.c
+index 1bec1279c8b5..11f881554f74 100644
+--- a/drivers/gpu/drm/mxsfb/lcdif_kms.c
++++ b/drivers/gpu/drm/mxsfb/lcdif_kms.c
+@@ -53,16 +53,22 @@ static void lcdif_set_formats(struct lcdif_drm_private *lcdif,
+ writel(DISP_PARA_LINE_PATTERN_UYVY_H,
+ lcdif->base + LCDC_V8_DISP_PARA);
+
+- /* CSC: BT.601 Full Range RGB to YCbCr coefficients. */
+- writel(CSC0_COEF0_A2(0x096) | CSC0_COEF0_A1(0x04c),
++ /*
++ * CSC: BT.601 Limited Range RGB to YCbCr coefficients.
++ *
++ * |Y | | 0.2568 0.5041 0.0979| |R| |16 |
++ * |Cb| = |-0.1482 -0.2910 0.4392| * |G| + |128|
++ * |Cr| | 0.4392 0.4392 -0.3678| |B| |128|
++ */
++ writel(CSC0_COEF0_A2(0x081) | CSC0_COEF0_A1(0x041),
+ lcdif->base + LCDC_V8_CSC0_COEF0);
+- writel(CSC0_COEF1_B1(0x7d5) | CSC0_COEF1_A3(0x01d),
++ writel(CSC0_COEF1_B1(0x7db) | CSC0_COEF1_A3(0x019),
+ lcdif->base + LCDC_V8_CSC0_COEF1);
+- writel(CSC0_COEF2_B3(0x080) | CSC0_COEF2_B2(0x7ac),
++ writel(CSC0_COEF2_B3(0x070) | CSC0_COEF2_B2(0x7b6),
+ lcdif->base + LCDC_V8_CSC0_COEF2);
+- writel(CSC0_COEF3_C2(0x795) | CSC0_COEF3_C1(0x080),
++ writel(CSC0_COEF3_C2(0x7a2) | CSC0_COEF3_C1(0x070),
+ lcdif->base + LCDC_V8_CSC0_COEF3);
+- writel(CSC0_COEF4_D1(0x000) | CSC0_COEF4_C3(0x7ec),
++ writel(CSC0_COEF4_D1(0x010) | CSC0_COEF4_C3(0x7ee),
+ lcdif->base + LCDC_V8_CSC0_COEF4);
+ writel(CSC0_COEF5_D3(0x080) | CSC0_COEF5_D2(0x080),
+ lcdif->base + LCDC_V8_CSC0_COEF5);
+--
+2.35.1
+
--- /dev/null
+From 037bb6a6fc060d5681a40dfa7281453d96cf9658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 08:47:12 -0700
+Subject: drm/mediatek: Fix return type of mtk_hdmi_bridge_mode_valid()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 890d637523eec9d730e3885532fa1228ba678880 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/gpu/drm/mediatek/mtk_hdmi.c:1407:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_bridge *, const struct drm_display_info *, const struct drm_display_mode *)' with an expression of type 'int (struct drm_bridge *, const struct drm_display_info *, const struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .mode_valid = mtk_hdmi_bridge_mode_valid,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~
+ 1 error generated.
+
+->mode_valid() in 'struct drm_bridge_funcs' expects a return type of
+'enum drm_mode_status', not 'int'. Adjust the return type of
+mtk_hdmi_bridge_mode_valid() to match the prototype's to resolve the
+warning and CFI failure.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+index 3196189429bc..7613b0fa2be6 100644
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -1203,9 +1203,10 @@ static enum drm_connector_status mtk_hdmi_detect(struct mtk_hdmi *hdmi)
+ return mtk_hdmi_update_plugged_status(hdmi);
+ }
+
+-static int mtk_hdmi_bridge_mode_valid(struct drm_bridge *bridge,
+- const struct drm_display_info *info,
+- const struct drm_display_mode *mode)
++static enum drm_mode_status
++mtk_hdmi_bridge_mode_valid(struct drm_bridge *bridge,
++ const struct drm_display_info *info,
++ const struct drm_display_mode *mode)
+ {
+ struct mtk_hdmi *hdmi = hdmi_ctx_from_bridge(bridge);
+ struct drm_bridge *next_bridge;
+--
+2.35.1
+
--- /dev/null
+From 87136b4f291661416e09fcac7b9edccd5d0806af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 18:00:59 +0800
+Subject: drm/mediatek: Modify dpi power on/off sequence.
+
+From: Xinlei Lee <xinlei.lee@mediatek.com>
+
+[ Upstream commit ff446c0f6290185cefafe3b376bb86063a3a9f6a ]
+
+Modify dpi power on/off sequence so that the first gpio operation will
+take effect.
+
+Fixes: 6bd4763fd532 ("drm/mediatek: set dpi pin mode to gpio low to avoid leakage current")
+Signed-off-by: Xinlei Lee <xinlei.lee@mediatek.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dpi.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
+index 630a4e301ef6..b11b5a2c0663 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
+@@ -462,9 +462,6 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi)
+ if (--dpi->refcount != 0)
+ return;
+
+- if (dpi->pinctrl && dpi->pins_gpio)
+- pinctrl_select_state(dpi->pinctrl, dpi->pins_gpio);
+-
+ mtk_dpi_disable(dpi);
+ clk_disable_unprepare(dpi->pixel_clk);
+ clk_disable_unprepare(dpi->engine_clk);
+@@ -489,9 +486,6 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
+ goto err_pixel;
+ }
+
+- if (dpi->pinctrl && dpi->pins_dpi)
+- pinctrl_select_state(dpi->pinctrl, dpi->pins_dpi);
+-
+ return 0;
+
+ err_pixel:
+@@ -722,12 +716,18 @@ static void mtk_dpi_bridge_disable(struct drm_bridge *bridge)
+ struct mtk_dpi *dpi = bridge_to_dpi(bridge);
+
+ mtk_dpi_power_off(dpi);
++
++ if (dpi->pinctrl && dpi->pins_gpio)
++ pinctrl_select_state(dpi->pinctrl, dpi->pins_gpio);
+ }
+
+ static void mtk_dpi_bridge_enable(struct drm_bridge *bridge)
+ {
+ struct mtk_dpi *dpi = bridge_to_dpi(bridge);
+
++ if (dpi->pinctrl && dpi->pins_dpi)
++ pinctrl_select_state(dpi->pinctrl, dpi->pins_dpi);
++
+ mtk_dpi_power_on(dpi);
+ mtk_dpi_set_display_mode(dpi, &dpi->mode);
+ mtk_dpi_enable(dpi);
+--
+2.35.1
+
--- /dev/null
+From eb946849174c8b08b23d3f90aca0fbc3a0ed5fbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 08:52:42 -0700
+Subject: drm/meson: Fix return type of meson_encoder_cvbs_mode_valid()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 6c4e4d35203301906afb53c6d1e1302d4c793c05 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/gpu/drm/meson/meson_encoder_cvbs.c:211:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_bridge *, const struct drm_display_info *, const struct drm_display_mode *)' with an expression of type 'int (struct drm_bridge *, const struct drm_display_info *, const struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .mode_valid = meson_encoder_cvbs_mode_valid,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 1 error generated.
+
+->mode_valid() in 'struct drm_bridge_funcs' expects a return type of
+'enum drm_mode_status', not 'int'. Adjust the return type of
+meson_encoder_cvbs_mode_valid() to match the prototype's to resolve the
+warning and CFI failure.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221102155242.1927166-1-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_encoder_cvbs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.c b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+index 5675bc2a92cf..3f73b211fa8e 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_cvbs.c
++++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+@@ -116,9 +116,10 @@ static int meson_encoder_cvbs_get_modes(struct drm_bridge *bridge,
+ return i;
+ }
+
+-static int meson_encoder_cvbs_mode_valid(struct drm_bridge *bridge,
+- const struct drm_display_info *display_info,
+- const struct drm_display_mode *mode)
++static enum drm_mode_status
++meson_encoder_cvbs_mode_valid(struct drm_bridge *bridge,
++ const struct drm_display_info *display_info,
++ const struct drm_display_mode *mode)
+ {
+ if (meson_cvbs_get_mode(mode))
+ return MODE_OK;
+--
+2.35.1
+
--- /dev/null
+From 2db5be10781ebbb1fb92222780fe69f643b3562f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 07:46:34 -0800
+Subject: drm/msm/a6xx: Fix speed-bin detection vs probe-defer
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit f6d1918794ef92b4e26b80c3d40365347b76b1fd ]
+
+If we get an error (other than -ENOENT) we need to propagate that up the
+stack. Otherwise if the nvmem driver hasn't probed yet, we'll end up
+end up claiming that we support all the OPPs which is not likely to be
+true (and on some generations impossible to be true, ie. if there are
+conflicting OPPs).
+
+v2: Update commit msg, gc unused label, etc
+v3: Add previously missing \n's
+
+Fixes: fe7952c629da ("drm/msm: Add speed-bin support to a618 gpu")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/511690/
+Link: https://lore.kernel.org/r/20221115154637.1613968-1-robdclark@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+index 4d501100b9e4..5804c35ae74b 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+@@ -1869,7 +1869,7 @@ static u32 fuse_to_supp_hw(struct device *dev, struct adreno_rev rev, u32 fuse)
+
+ if (val == UINT_MAX) {
+ DRM_DEV_ERROR(dev,
+- "missing support for speed-bin: %u. Some OPPs may not be supported by hardware",
++ "missing support for speed-bin: %u. Some OPPs may not be supported by hardware\n",
+ fuse);
+ return UINT_MAX;
+ }
+@@ -1879,7 +1879,7 @@ static u32 fuse_to_supp_hw(struct device *dev, struct adreno_rev rev, u32 fuse)
+
+ static int a6xx_set_supported_hw(struct device *dev, struct adreno_rev rev)
+ {
+- u32 supp_hw = UINT_MAX;
++ u32 supp_hw;
+ u32 speedbin;
+ int ret;
+
+@@ -1891,15 +1891,13 @@ static int a6xx_set_supported_hw(struct device *dev, struct adreno_rev rev)
+ if (ret == -ENOENT) {
+ return 0;
+ } else if (ret) {
+- DRM_DEV_ERROR(dev,
+- "failed to read speed-bin (%d). Some OPPs may not be supported by hardware",
+- ret);
+- goto done;
++ dev_err_probe(dev, ret,
++ "failed to read speed-bin. Some OPPs may not be supported by hardware\n");
++ return ret;
+ }
+
+ supp_hw = fuse_to_supp_hw(dev, rev, speedbin);
+
+-done:
+ ret = devm_pm_opp_set_supported_hw(dev, &supp_hw, 1);
+ if (ret)
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 05afbda2bca5b89a5ae7e4848b8e9af97210fa29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 13:04:31 +0300
+Subject: drm/msm/dpu: use drm_dsc_config instead of msm_display_dsc_config
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 46dd0c0658ff5783acce37dcfe437e2a79a9934e ]
+
+There is no need to use the struct msm_display_dsc_config wrapper inside
+the dpu driver, use the struct drm_dsc_config directly to pass pps data.
+
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/493340/
+Link: https://lore.kernel.org/r/20220711100432.455268-2-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Stable-dep-of: d3c1a8663d0d ("drm/msm/dpu1: Account for DSC's bits_per_pixel having 4 fractional bits")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 25 +++----
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h | 2 +-
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c | 74 ++++++++++-----------
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.h | 4 +-
+ drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 +-
+ 5 files changed, 54 insertions(+), 53 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+index 52a626117f70..7f5dba96b2ff 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+@@ -162,7 +162,7 @@ enum dpu_enc_rc_states {
+ * @vsync_event_work: worker to handle vsync event for autorefresh
+ * @topology: topology of the display
+ * @idle_timeout: idle timeout duration in milliseconds
+- * @dsc: msm_display_dsc_config pointer, for DSC-enabled encoders
++ * @dsc: drm_dsc_config pointer, for DSC-enabled encoders
+ */
+ struct dpu_encoder_virt {
+ struct drm_encoder base;
+@@ -208,7 +208,7 @@ struct dpu_encoder_virt {
+ bool wide_bus_en;
+
+ /* DSC configuration */
+- struct msm_display_dsc_config *dsc;
++ struct drm_dsc_config *dsc;
+ };
+
+ #define to_dpu_encoder_virt(x) container_of(x, struct dpu_encoder_virt, base)
+@@ -1791,12 +1791,12 @@ static void dpu_encoder_vsync_event_work_handler(struct kthread_work *work)
+ }
+
+ static u32
+-dpu_encoder_dsc_initial_line_calc(struct msm_display_dsc_config *dsc,
++dpu_encoder_dsc_initial_line_calc(struct drm_dsc_config *dsc,
+ u32 enc_ip_width)
+ {
+ int ssm_delay, total_pixels, soft_slice_per_enc;
+
+- soft_slice_per_enc = enc_ip_width / dsc->drm->slice_width;
++ soft_slice_per_enc = enc_ip_width / dsc->slice_width;
+
+ /*
+ * minimum number of initial line pixels is a sum of:
+@@ -1808,16 +1808,16 @@ dpu_encoder_dsc_initial_line_calc(struct msm_display_dsc_config *dsc,
+ * 5. 6 additional pixels as the output of the rate buffer is
+ * 48 bits wide
+ */
+- ssm_delay = ((dsc->drm->bits_per_component < 10) ? 84 : 92);
+- total_pixels = ssm_delay * 3 + dsc->drm->initial_xmit_delay + 47;
++ ssm_delay = ((dsc->bits_per_component < 10) ? 84 : 92);
++ total_pixels = ssm_delay * 3 + dsc->initial_xmit_delay + 47;
+ if (soft_slice_per_enc > 1)
+ total_pixels += (ssm_delay * 3);
+- return DIV_ROUND_UP(total_pixels, dsc->drm->slice_width);
++ return DIV_ROUND_UP(total_pixels, dsc->slice_width);
+ }
+
+ static void dpu_encoder_dsc_pipe_cfg(struct dpu_hw_dsc *hw_dsc,
+ struct dpu_hw_pingpong *hw_pp,
+- struct msm_display_dsc_config *dsc,
++ struct drm_dsc_config *dsc,
+ u32 common_mode,
+ u32 initial_lines)
+ {
+@@ -1835,7 +1835,7 @@ static void dpu_encoder_dsc_pipe_cfg(struct dpu_hw_dsc *hw_dsc,
+ }
+
+ static void dpu_encoder_prep_dsc(struct dpu_encoder_virt *dpu_enc,
+- struct msm_display_dsc_config *dsc)
++ struct drm_dsc_config *dsc)
+ {
+ /* coding only for 2LM, 2enc, 1 dsc config */
+ struct dpu_encoder_phys *enc_master = dpu_enc->cur_master;
+@@ -1858,14 +1858,15 @@ static void dpu_encoder_prep_dsc(struct dpu_encoder_virt *dpu_enc,
+ }
+ }
+
+- pic_width = dsc->drm->pic_width;
++ dsc_common_mode = 0;
++ pic_width = dsc->pic_width;
+
+ dsc_common_mode = DSC_MODE_MULTIPLEX | DSC_MODE_SPLIT_PANEL;
+ if (enc_master->intf_mode == INTF_MODE_VIDEO)
+ dsc_common_mode |= DSC_MODE_VIDEO;
+
+- this_frame_slices = pic_width / dsc->drm->slice_width;
+- intf_ip_w = this_frame_slices * dsc->drm->slice_width;
++ this_frame_slices = pic_width / dsc->slice_width;
++ intf_ip_w = this_frame_slices * dsc->slice_width;
+
+ /*
+ * dsc merge case: when using 2 encoders for the same stream,
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h
+index d4d1ecd416e3..9e7236ef34e6 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h
+@@ -36,7 +36,7 @@ struct msm_display_info {
+ uint32_t h_tile_instance[MAX_H_TILES_PER_DISPLAY];
+ bool is_cmd_mode;
+ bool is_te_using_watchdog_timer;
+- struct msm_display_dsc_config *dsc;
++ struct drm_dsc_config *dsc;
+ };
+
+ /**
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c
+index 411689ae6382..f2ddcfb6f7ee 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c
+@@ -37,7 +37,7 @@ static void dpu_hw_dsc_disable(struct dpu_hw_dsc *dsc)
+ }
+
+ static void dpu_hw_dsc_config(struct dpu_hw_dsc *hw_dsc,
+- struct msm_display_dsc_config *dsc,
++ struct drm_dsc_config *dsc,
+ u32 mode,
+ u32 initial_lines)
+ {
+@@ -52,89 +52,89 @@ static void dpu_hw_dsc_config(struct dpu_hw_dsc *hw_dsc,
+ if (is_cmd_mode)
+ initial_lines += 1;
+
+- slice_last_group_size = 3 - (dsc->drm->slice_width % 3);
++ slice_last_group_size = 3 - (dsc->slice_width % 3);
+ data = (initial_lines << 20);
+ data |= ((slice_last_group_size - 1) << 18);
+ /* bpp is 6.4 format, 4 LSBs bits are for fractional part */
+- data |= dsc->drm->bits_per_pixel << 12;
+- lsb = dsc->drm->bits_per_pixel % 4;
+- bpp = dsc->drm->bits_per_pixel / 4;
++ data |= dsc->bits_per_pixel << 12;
++ lsb = dsc->bits_per_pixel % 4;
++ bpp = dsc->bits_per_pixel / 4;
+ bpp *= 4;
+ bpp <<= 4;
+ bpp |= lsb;
+
+ data |= bpp << 8;
+- data |= (dsc->drm->block_pred_enable << 7);
+- data |= (dsc->drm->line_buf_depth << 3);
+- data |= (dsc->drm->simple_422 << 2);
+- data |= (dsc->drm->convert_rgb << 1);
+- data |= dsc->drm->bits_per_component;
++ data |= (dsc->block_pred_enable << 7);
++ data |= (dsc->line_buf_depth << 3);
++ data |= (dsc->simple_422 << 2);
++ data |= (dsc->convert_rgb << 1);
++ data |= dsc->bits_per_component;
+
+ DPU_REG_WRITE(c, DSC_ENC, data);
+
+- data = dsc->drm->pic_width << 16;
+- data |= dsc->drm->pic_height;
++ data = dsc->pic_width << 16;
++ data |= dsc->pic_height;
+ DPU_REG_WRITE(c, DSC_PICTURE, data);
+
+- data = dsc->drm->slice_width << 16;
+- data |= dsc->drm->slice_height;
++ data = dsc->slice_width << 16;
++ data |= dsc->slice_height;
+ DPU_REG_WRITE(c, DSC_SLICE, data);
+
+- data = dsc->drm->slice_chunk_size << 16;
++ data = dsc->slice_chunk_size << 16;
+ DPU_REG_WRITE(c, DSC_CHUNK_SIZE, data);
+
+- data = dsc->drm->initial_dec_delay << 16;
+- data |= dsc->drm->initial_xmit_delay;
++ data = dsc->initial_dec_delay << 16;
++ data |= dsc->initial_xmit_delay;
+ DPU_REG_WRITE(c, DSC_DELAY, data);
+
+- data = dsc->drm->initial_scale_value;
++ data = dsc->initial_scale_value;
+ DPU_REG_WRITE(c, DSC_SCALE_INITIAL, data);
+
+- data = dsc->drm->scale_decrement_interval;
++ data = dsc->scale_decrement_interval;
+ DPU_REG_WRITE(c, DSC_SCALE_DEC_INTERVAL, data);
+
+- data = dsc->drm->scale_increment_interval;
++ data = dsc->scale_increment_interval;
+ DPU_REG_WRITE(c, DSC_SCALE_INC_INTERVAL, data);
+
+- data = dsc->drm->first_line_bpg_offset;
++ data = dsc->first_line_bpg_offset;
+ DPU_REG_WRITE(c, DSC_FIRST_LINE_BPG_OFFSET, data);
+
+- data = dsc->drm->nfl_bpg_offset << 16;
+- data |= dsc->drm->slice_bpg_offset;
++ data = dsc->nfl_bpg_offset << 16;
++ data |= dsc->slice_bpg_offset;
+ DPU_REG_WRITE(c, DSC_BPG_OFFSET, data);
+
+- data = dsc->drm->initial_offset << 16;
+- data |= dsc->drm->final_offset;
++ data = dsc->initial_offset << 16;
++ data |= dsc->final_offset;
+ DPU_REG_WRITE(c, DSC_DSC_OFFSET, data);
+
+- det_thresh_flatness = 7 + 2 * (dsc->drm->bits_per_component - 8);
++ det_thresh_flatness = 7 + 2 * (dsc->bits_per_component - 8);
+ data = det_thresh_flatness << 10;
+- data |= dsc->drm->flatness_max_qp << 5;
+- data |= dsc->drm->flatness_min_qp;
++ data |= dsc->flatness_max_qp << 5;
++ data |= dsc->flatness_min_qp;
+ DPU_REG_WRITE(c, DSC_FLATNESS, data);
+
+- data = dsc->drm->rc_model_size;
++ data = dsc->rc_model_size;
+ DPU_REG_WRITE(c, DSC_RC_MODEL_SIZE, data);
+
+- data = dsc->drm->rc_tgt_offset_low << 18;
+- data |= dsc->drm->rc_tgt_offset_high << 14;
+- data |= dsc->drm->rc_quant_incr_limit1 << 9;
+- data |= dsc->drm->rc_quant_incr_limit0 << 4;
+- data |= dsc->drm->rc_edge_factor;
++ data = dsc->rc_tgt_offset_low << 18;
++ data |= dsc->rc_tgt_offset_high << 14;
++ data |= dsc->rc_quant_incr_limit1 << 9;
++ data |= dsc->rc_quant_incr_limit0 << 4;
++ data |= dsc->rc_edge_factor;
+ DPU_REG_WRITE(c, DSC_RC, data);
+ }
+
+ static void dpu_hw_dsc_config_thresh(struct dpu_hw_dsc *hw_dsc,
+- struct msm_display_dsc_config *dsc)
++ struct drm_dsc_config *dsc)
+ {
+- struct drm_dsc_rc_range_parameters *rc = dsc->drm->rc_range_params;
++ struct drm_dsc_rc_range_parameters *rc = dsc->rc_range_params;
+ struct dpu_hw_blk_reg_map *c = &hw_dsc->hw;
+ u32 off;
+ int i;
+
+ off = DSC_RC_BUF_THRESH;
+ for (i = 0; i < DSC_NUM_BUF_RANGES - 1 ; i++) {
+- DPU_REG_WRITE(c, off, dsc->drm->rc_buf_thresh[i]);
++ DPU_REG_WRITE(c, off, dsc->rc_buf_thresh[i]);
+ off += 4;
+ }
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.h
+index 45e4118f1fa2..c0b77fe1a696 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.h
+@@ -31,7 +31,7 @@ struct dpu_hw_dsc_ops {
+ * @initial_lines: amount of initial lines to be used
+ */
+ void (*dsc_config)(struct dpu_hw_dsc *hw_dsc,
+- struct msm_display_dsc_config *dsc,
++ struct drm_dsc_config *dsc,
+ u32 mode,
+ u32 initial_lines);
+
+@@ -41,7 +41,7 @@ struct dpu_hw_dsc_ops {
+ * @dsc: panel dsc parameters
+ */
+ void (*dsc_config_thresh)(struct dpu_hw_dsc *hw_dsc,
+- struct msm_display_dsc_config *dsc);
++ struct drm_dsc_config *dsc);
+ };
+
+ struct dpu_hw_dsc {
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+index c99c7a218ddb..af5e027eb86f 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+@@ -582,7 +582,7 @@ static int _dpu_kms_initialize_dsi(struct drm_device *dev,
+ info.h_tile_instance[info.num_of_h_tiles++] = i;
+ info.is_cmd_mode = msm_dsi_is_cmd_mode(priv->dsi[i]);
+
+- info.dsc = msm_dsi_get_dsc_config(priv->dsi[i]);
++ info.dsc = msm_dsi_get_dsc_config(priv->dsi[i])->drm;
+
+ if (msm_dsi_is_bonded_dsi(priv->dsi[i]) && priv->dsi[other]) {
+ rc = msm_dsi_modeset_init(priv->dsi[other], dev, encoder);
+--
+2.35.1
+
--- /dev/null
+From 71274d360a400694ffd7abea10047a059fdc2e5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:23 +0200
+Subject: drm/msm/dpu1: Account for DSC's bits_per_pixel having 4 fractional
+ bits
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit d3c1a8663d0ddb74eaa51121ccbb8340739a12a8 ]
+
+According to the comment this DPU register contains the bits per pixel
+as a 6.4 fractional value, conveniently matching the contents of
+bits_per_pixel in struct drm_dsc_config which also uses 4 fractional
+bits. However, the downstream source this implementation was
+copy-pasted from has its bpp field stored _without_ fractional part.
+
+This makes the entire convoluted math obsolete as it is impossible to
+pull those 4 fractional bits out of thin air, by somehow trying to reuse
+the lowest 2 bits of a non-fractional bpp (lsb = bpp % 4??).
+
+The rest of the code merely attempts to keep the integer part a multiple
+of 4, which is rendered useless thanks to data |= dsc->bits_per_pixel <<
+12; already filling up those bits anyway (but not on downstream).
+
+Fixes: c110cfd1753e ("drm/msm/disp/dpu1: Add support for DSC")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508946/
+Link: https://lore.kernel.org/r/20221026182824.876933-10-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c
+index f2ddcfb6f7ee..3662df698dae 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c
+@@ -42,7 +42,7 @@ static void dpu_hw_dsc_config(struct dpu_hw_dsc *hw_dsc,
+ u32 initial_lines)
+ {
+ struct dpu_hw_blk_reg_map *c = &hw_dsc->hw;
+- u32 data, lsb, bpp;
++ u32 data;
+ u32 slice_last_group_size;
+ u32 det_thresh_flatness;
+ bool is_cmd_mode = !(mode & DSC_MODE_VIDEO);
+@@ -56,14 +56,7 @@ static void dpu_hw_dsc_config(struct dpu_hw_dsc *hw_dsc,
+ data = (initial_lines << 20);
+ data |= ((slice_last_group_size - 1) << 18);
+ /* bpp is 6.4 format, 4 LSBs bits are for fractional part */
+- data |= dsc->bits_per_pixel << 12;
+- lsb = dsc->bits_per_pixel % 4;
+- bpp = dsc->bits_per_pixel / 4;
+- bpp *= 4;
+- bpp <<= 4;
+- bpp |= lsb;
+-
+- data |= bpp << 8;
++ data |= (dsc->bits_per_pixel << 8);
+ data |= (dsc->block_pred_enable << 7);
+ data |= (dsc->line_buf_depth << 3);
+ data |= (dsc->simple_422 << 2);
+--
+2.35.1
+
--- /dev/null
+From 39d4bd544e45541a57407d39da416246c86cbed1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:21 +0200
+Subject: drm/msm/dsi: Account for DSC's bits_per_pixel having 4 fractional
+ bits
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit d2c277c61986942e99680cb67ce26423d0f42f11 ]
+
+drm_dsc_config's bits_per_pixel field holds a fractional value with 4
+bits, which all panel drivers should adhere to for
+drm_dsc_pps_payload_pack() to generate a valid payload. All code in the
+DSI driver here seems to assume that this field doesn't contain any
+fractional bits, hence resulting in the wrong values being computed.
+Since none of the calculations leave any room for fractional bits or
+seem to indicate any possible area of support, disallow such values
+altogether. calculate_rc_params() in intel_vdsc.c performs an identical
+bitshift to get at this integer value.
+
+Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508938/
+Link: https://lore.kernel.org/r/20221026182824.876933-8-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 0c80d0797a6a..27fef5169bed 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -34,7 +34,7 @@
+
+ #define DSI_RESET_TOGGLE_DELAY_MS 20
+
+-static int dsi_populate_dsc_params(struct drm_dsc_config *dsc);
++static int dsi_populate_dsc_params(struct msm_dsi_host *msm_host, struct drm_dsc_config *dsc);
+
+ static int dsi_get_version(const void __iomem *base, u32 *major, u32 *minor)
+ {
+@@ -984,6 +984,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
+ u32 va_end = va_start + mode->vdisplay;
+ u32 hdisplay = mode->hdisplay;
+ u32 wc;
++ int ret;
+
+ DBG("");
+
+@@ -1019,7 +1020,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
+ /* we do the calculations for dsc parameters here so that
+ * panel can use these parameters
+ */
+- dsi_populate_dsc_params(dsc);
++ ret = dsi_populate_dsc_params(msm_host, dsc);
++ if (ret)
++ return;
+
+ /* Divide the display by 3 but keep back/font porch and
+ * pulse width same
+@@ -1835,9 +1838,15 @@ static char bpg_offset[DSC_NUM_BUF_RANGES] = {
+ 2, 0, 0, -2, -4, -6, -8, -8, -8, -10, -10, -12, -12, -12, -12
+ };
+
+-static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
++static int dsi_populate_dsc_params(struct msm_dsi_host *msm_host, struct drm_dsc_config *dsc)
+ {
+ int i;
++ u16 bpp = dsc->bits_per_pixel >> 4;
++
++ if (dsc->bits_per_pixel & 0xf) {
++ DRM_DEV_ERROR(&msm_host->pdev->dev, "DSI does not support fractional bits_per_pixel\n");
++ return -EINVAL;
++ }
+
+ dsc->rc_model_size = 8192;
+ dsc->first_line_bpg_offset = 12;
+@@ -1858,8 +1867,8 @@ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ dsc->rc_range_params[i].range_bpg_offset = bpg_offset[i];
+ }
+
+- dsc->initial_offset = 6144; /* Not bpp 12 */
+- if (dsc->bits_per_pixel != 8)
++ dsc->initial_offset = 6144; /* Not bpp 12 */
++ if (bpp != 8)
+ dsc->initial_offset = 2048; /* bpp = 12 */
+
+ if (dsc->bits_per_component <= 10)
+--
+2.35.1
+
--- /dev/null
+From 62bbc14e6c346984c791c7b0b7e3cd2b74d7b69c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:19 +0200
+Subject: drm/msm/dsi: Appropriately set dsc->mux_word_size based on bpc
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 0ca870ca304d3449b2ccdc3f0bad9843ff1519f0 ]
+
+This field is currently unread but will come into effect when duplicated
+code below is migrated to call drm_dsc_compute_rc_parameters(), which
+uses the bpc-dependent value of the local variable mux_words_size in
+much the same way.
+
+The hardcoded constant seems to be a remnant from the `/* bpc 8 */`
+comment right above, indicating that this group of field assignments is
+applicable to bpc = 8 exclusively and should probably bail out on
+different bpc values, until constants for other bpc values are added (or
+the current ones are confirmed to be correct across multiple bpc's).
+
+Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508943/
+Link: https://lore.kernel.org/r/20221026182824.876933-6-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index a99c54556f51..5e5eb1a10f94 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1873,6 +1873,7 @@ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ if (dsc->bits_per_component == 12)
+ mux_words_size = 64;
+
++ dsc->mux_word_size = mux_words_size;
+ dsc->initial_xmit_delay = 512;
+ dsc->initial_scale_value = 32;
+ dsc->first_line_bpg_offset = 12;
+@@ -1883,7 +1884,6 @@ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ dsc->flatness_max_qp = 12;
+ dsc->rc_quant_incr_limit0 = 11;
+ dsc->rc_quant_incr_limit1 = 11;
+- dsc->mux_word_size = DSC_MUX_WORD_SIZE_8_10_BPC;
+
+ /* FIXME: need to call drm_dsc_compute_rc_parameters() so that rest of
+ * params are calculated
+--
+2.35.1
+
--- /dev/null
+From 61d221251de3a590e1097a09770e1dbd82ed59e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:22 +0200
+Subject: drm/msm/dsi: Disallow 8 BPC DSC configuration for alternative BPC
+ values
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit d053fbc449c47517b1f6516dbce2f917f2a9f51d ]
+
+According to the `/* bpc 8 */` comment below only values for a
+bits_per_component of 8 are currently hardcoded in place. This is
+further confirmed by downstream sources [1] containing different
+constants for other BPC values (and different initial_offset too,
+with an extra dependency on bits_per_pixel). Prevent future mishaps by
+explicitly disallowing any other bits_per_component value until the
+right parameters are put in place and tested.
+
+[1]: https://git.codelinaro.org/clo/la/platform/vendor/opensource/display-drivers/-/blob/DISPLAY.LA.2.0.r1-08000-WAIPIO.0/msm/sde_dsc_helper.c#L110-139
+
+Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508942/
+Link: https://lore.kernel.org/r/20221026182824.876933-9-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 27fef5169bed..c5805416854f 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1848,6 +1848,11 @@ static int dsi_populate_dsc_params(struct msm_dsi_host *msm_host, struct drm_dsc
+ return -EINVAL;
+ }
+
++ if (dsc->bits_per_component != 8) {
++ DRM_DEV_ERROR(&msm_host->pdev->dev, "DSI does not support bits_per_component != 8 yet\n");
++ return -EOPNOTSUPP;
++ }
++
+ dsc->rc_model_size = 8192;
+ dsc->first_line_bpg_offset = 12;
+ dsc->rc_edge_factor = 6;
+--
+2.35.1
+
--- /dev/null
+From 2af826c38608d6b611c30c7d42d039fddc8dae7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:20 +0200
+Subject: drm/msm/dsi: Migrate to drm_dsc_compute_rc_parameters()
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit c3a1aabce2d4087255de90100c3dad492e7d925c ]
+
+As per the FIXME this code is entirely duplicate with what is already
+provided inside drm_dsc_compute_rc_parameters(), supposedly because that
+function was yielding "incorrect" results while in reality the panel
+driver(s?) used for testing were providing incorrect parameters.
+
+For example, this code from downstream assumed dsc->bits_per_pixel to
+contain an integer value, whereas the upstream drm_dsc_config struct
+stores it with 4 fractional bits. drm_dsc_compute_rc_parameters()
+already accounts for this feat while the panel driver used for testing
+[1] wasn't, hence making drm_dsc_compute_rc_parameters() seem like it
+was returning an incorrect result.
+Other users of dsc->bits_per_pixel inside dsi_populate_dsc_params() also
+treat it in the same erroneous way, and will be addressed in a separate
+patch.
+In the end, using drm_dsc_compute_rc_parameters() spares both a lot of
+duplicate code and erratic behaviour.
+
+[1]: https://git.linaro.org/people/vinod.koul/kernel.git/commit/?h=topic/pixel3_5.18-rc1&id=1d7d98ad564f1ec69e7525e07418918d90f247a1
+
+Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508939/
+Link: https://lore.kernel.org/r/20221026182824.876933-7-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 64 +++---------------------------
+ 1 file changed, 6 insertions(+), 58 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 5e5eb1a10f94..0c80d0797a6a 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -21,6 +21,7 @@
+
+ #include <video/mipi_display.h>
+
++#include <drm/display/drm_dsc_helper.h>
+ #include <drm/drm_of.h>
+
+ #include "dsi.h"
+@@ -1836,14 +1837,6 @@ static char bpg_offset[DSC_NUM_BUF_RANGES] = {
+
+ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ {
+- int mux_words_size;
+- int groups_per_line, groups_total;
+- int min_rate_buffer_size;
+- int hrd_delay;
+- int pre_num_extra_mux_bits, num_extra_mux_bits;
+- int slice_bits;
+- int data;
+- int final_value, final_scale;
+ int i;
+
+ dsc->rc_model_size = 8192;
+@@ -1869,11 +1862,11 @@ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ if (dsc->bits_per_pixel != 8)
+ dsc->initial_offset = 2048; /* bpp = 12 */
+
+- mux_words_size = 48; /* bpc == 8/10 */
+- if (dsc->bits_per_component == 12)
+- mux_words_size = 64;
++ if (dsc->bits_per_component <= 10)
++ dsc->mux_word_size = DSC_MUX_WORD_SIZE_8_10_BPC;
++ else
++ dsc->mux_word_size = DSC_MUX_WORD_SIZE_12_BPC;
+
+- dsc->mux_word_size = mux_words_size;
+ dsc->initial_xmit_delay = 512;
+ dsc->initial_scale_value = 32;
+ dsc->first_line_bpg_offset = 12;
+@@ -1885,52 +1878,7 @@ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ dsc->rc_quant_incr_limit0 = 11;
+ dsc->rc_quant_incr_limit1 = 11;
+
+- /* FIXME: need to call drm_dsc_compute_rc_parameters() so that rest of
+- * params are calculated
+- */
+- groups_per_line = DIV_ROUND_UP(dsc->slice_width, 3);
+- dsc->slice_chunk_size = DIV_ROUND_UP(dsc->slice_width * dsc->bits_per_pixel, 8);
+-
+- /* rbs-min */
+- min_rate_buffer_size = dsc->rc_model_size - dsc->initial_offset +
+- dsc->initial_xmit_delay * dsc->bits_per_pixel +
+- groups_per_line * dsc->first_line_bpg_offset;
+-
+- hrd_delay = DIV_ROUND_UP(min_rate_buffer_size, dsc->bits_per_pixel);
+-
+- dsc->initial_dec_delay = hrd_delay - dsc->initial_xmit_delay;
+-
+- dsc->initial_scale_value = 8 * dsc->rc_model_size /
+- (dsc->rc_model_size - dsc->initial_offset);
+-
+- slice_bits = 8 * dsc->slice_chunk_size * dsc->slice_height;
+-
+- groups_total = groups_per_line * dsc->slice_height;
+-
+- data = dsc->first_line_bpg_offset * 2048;
+-
+- dsc->nfl_bpg_offset = DIV_ROUND_UP(data, (dsc->slice_height - 1));
+-
+- pre_num_extra_mux_bits = 3 * (mux_words_size + (4 * dsc->bits_per_component + 4) - 2);
+-
+- num_extra_mux_bits = pre_num_extra_mux_bits - (mux_words_size -
+- ((slice_bits - pre_num_extra_mux_bits) % mux_words_size));
+-
+- data = 2048 * (dsc->rc_model_size - dsc->initial_offset + num_extra_mux_bits);
+- dsc->slice_bpg_offset = DIV_ROUND_UP(data, groups_total);
+-
+- data = dsc->initial_xmit_delay * dsc->bits_per_pixel;
+- final_value = dsc->rc_model_size - data + num_extra_mux_bits;
+- dsc->final_offset = final_value;
+-
+- final_scale = 8 * dsc->rc_model_size / (dsc->rc_model_size - final_value);
+-
+- data = (final_scale - 9) * (dsc->nfl_bpg_offset + dsc->slice_bpg_offset);
+- dsc->scale_increment_interval = (2048 * dsc->final_offset) / data;
+-
+- dsc->scale_decrement_interval = groups_per_line / (dsc->initial_scale_value - 8);
+-
+- return 0;
++ return drm_dsc_compute_rc_parameters(dsc);
+ }
+
+ static int dsi_host_parse_dt(struct msm_dsi_host *msm_host)
+--
+2.35.1
+
--- /dev/null
+From a3ce89f6e60f800926f46c866e59af8a35f1a701 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:24 +0200
+Subject: drm/msm/dsi: Prevent signed BPG offsets from bleeding into adjacent
+ bits
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit cc84b66be223d36a3d10d59d68ba647e72db3099 ]
+
+The bpg_offset array contains negative BPG offsets which fill the full 8
+bits of a char thanks to two's complement: this however results in those
+bits bleeding into the next field when the value is packed into DSC PPS
+by the drm_dsc_helper function, which only expects range_bpg_offset to
+contain 6-bit wide values. As a consequence random slices appear
+corrupted on-screen (tested on a Sony Tama Akatsuki device with sdm845).
+
+Use AND operators to limit these two's complement values to 6 bits,
+similar to the AMD and i915 drivers.
+
+Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508941/
+Link: https://lore.kernel.org/r/20221026182824.876933-11-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index c5805416854f..cf7d5b69aac5 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1869,7 +1869,11 @@ static int dsi_populate_dsc_params(struct msm_dsi_host *msm_host, struct drm_dsc
+ for (i = 0; i < DSC_NUM_BUF_RANGES; i++) {
+ dsc->rc_range_params[i].range_min_qp = min_qp[i];
+ dsc->rc_range_params[i].range_max_qp = max_qp[i];
+- dsc->rc_range_params[i].range_bpg_offset = bpg_offset[i];
++ /*
++ * Range BPG Offset contains two's-complement signed values that fill
++ * 8 bits, yet the registers and DCS PPS field are only 6 bits wide.
++ */
++ dsc->rc_range_params[i].range_bpg_offset = bpg_offset[i] & DSC_RANGE_BPG_OFFSET_MASK;
+ }
+
+ dsc->initial_offset = 6144; /* Not bpp 12 */
+--
+2.35.1
+
--- /dev/null
+From 3a84a04fb9c880bda0c4c9372db44ee2ad0e8b1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:16 +0200
+Subject: drm/msm/dsi: Remove repeated calculation of slice_per_intf
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 170ffca836dd9f1a0219c4f67554d408fa2b5912 ]
+
+slice_per_intf is already computed for intf_width, which holds the same
+value as hdisplay.
+
+Fixes: 08802f515c3c ("drm/msm/dsi: Add support for DSC configuration")
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508933/
+Link: https://lore.kernel.org/r/20221026182824.876933-3-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 843521c9cdcf..1bce664a4eed 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -917,7 +917,7 @@ static void dsi_ctrl_config(struct msm_dsi_host *msm_host, bool enable,
+ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mode, u32 hdisplay)
+ {
+ struct drm_dsc_config *dsc = msm_host->dsc;
+- u32 reg, intf_width, reg_ctrl, reg_ctrl2;
++ u32 reg, reg_ctrl, reg_ctrl2;
+ u32 slice_per_intf, total_bytes_per_intf;
+ u32 pkt_per_line;
+ u32 bytes_in_slice;
+@@ -926,8 +926,7 @@ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mod
+ /* first calculate dsc parameters and then program
+ * compress mode registers
+ */
+- intf_width = hdisplay;
+- slice_per_intf = DIV_ROUND_UP(intf_width, dsc->slice_width);
++ slice_per_intf = DIV_ROUND_UP(hdisplay, dsc->slice_width);
+
+ /* If slice_per_pkt is greater than slice_per_intf
+ * then default to 1. This can happen during partial
+@@ -936,7 +935,6 @@ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mod
+ if (slice_per_intf > dsc->slice_count)
+ dsc->slice_count = 1;
+
+- slice_per_intf = DIV_ROUND_UP(hdisplay, dsc->slice_width);
+ bytes_in_slice = DIV_ROUND_UP(dsc->slice_width * dsc->bits_per_pixel, 8);
+
+ dsc->slice_chunk_size = bytes_in_slice;
+--
+2.35.1
+
--- /dev/null
+From 3348f21ae2cc5b4b94a0a5d1c856f69512f2eb13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:15 +0200
+Subject: drm/msm/dsi: Remove useless math in DSC calculations
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 01a907980e0be3310f18c7d4955968f3b28e7147 ]
+
+Multiplying a value by 2 and adding 1 to it always results in a value
+that is uneven, and that 1 gets truncated immediately when performing
+integer division by 2 again. There is no "rounding" possible here.
+
+After that target_bpp_x16 is used to store a multiplication of
+bits_per_pixel by 16 which is only ever read to immediately be divided
+by 16 again, and is elided in much the same way.
+
+Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508932/
+Link: https://lore.kernel.org/r/20221026182824.876933-2-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 15e108be1901..843521c9cdcf 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1849,7 +1849,6 @@ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ int hrd_delay;
+ int pre_num_extra_mux_bits, num_extra_mux_bits;
+ int slice_bits;
+- int target_bpp_x16;
+ int data;
+ int final_value, final_scale;
+ int i;
+@@ -1929,14 +1928,7 @@ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ data = 2048 * (dsc->rc_model_size - dsc->initial_offset + num_extra_mux_bits);
+ dsc->slice_bpg_offset = DIV_ROUND_UP(data, groups_total);
+
+- /* bpp * 16 + 0.5 */
+- data = dsc->bits_per_pixel * 16;
+- data *= 2;
+- data++;
+- data /= 2;
+- target_bpp_x16 = data;
+-
+- data = (dsc->initial_xmit_delay * target_bpp_x16) / 16;
++ data = dsc->initial_xmit_delay * dsc->bits_per_pixel;
+ final_value = dsc->rc_model_size - data + num_extra_mux_bits;
+ dsc->final_offset = final_value;
+
+--
+2.35.1
+
--- /dev/null
+From 94f5662c19f4d5c086cf9dbf4582b21cf6c6089a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:18 +0200
+Subject: drm/msm/dsi: Reuse earlier computed dsc->slice_chunk_size
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit e443459e2e6b8e0d3187dd0d09ef7fcea87531d2 ]
+
+dsi_populate_dsc_params() is called prior to dsi_update_dsc_timing() and
+already computes a value for slice_chunk_size, whose value doesn't need
+to be recomputed and re-set here.
+
+Fixes: 08802f515c3c ("drm/msm/dsi: Add support for DSC configuration")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508934/
+Link: https://lore.kernel.org/r/20221026182824.876933-5-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 3459cac6f770..a99c54556f51 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -920,7 +920,6 @@ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mod
+ u32 reg, reg_ctrl, reg_ctrl2;
+ u32 slice_per_intf, total_bytes_per_intf;
+ u32 pkt_per_line;
+- u32 bytes_in_slice;
+ u32 eol_byte_num;
+
+ /* first calculate dsc parameters and then program
+@@ -935,11 +934,7 @@ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mod
+ if (slice_per_intf > dsc->slice_count)
+ dsc->slice_count = 1;
+
+- bytes_in_slice = DIV_ROUND_UP(dsc->slice_width * dsc->bits_per_pixel, 8);
+-
+- dsc->slice_chunk_size = bytes_in_slice;
+-
+- total_bytes_per_intf = bytes_in_slice * slice_per_intf;
++ total_bytes_per_intf = dsc->slice_chunk_size * slice_per_intf;
+
+ eol_byte_num = total_bytes_per_intf % 3;
+ pkt_per_line = slice_per_intf / dsc->slice_count;
+@@ -965,7 +960,7 @@ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mod
+ reg_ctrl |= reg;
+
+ reg_ctrl2 &= ~DSI_COMMAND_COMPRESSION_MODE_CTRL2_STREAM0_SLICE_WIDTH__MASK;
+- reg_ctrl2 |= DSI_COMMAND_COMPRESSION_MODE_CTRL2_STREAM0_SLICE_WIDTH(bytes_in_slice);
++ reg_ctrl2 |= DSI_COMMAND_COMPRESSION_MODE_CTRL2_STREAM0_SLICE_WIDTH(dsc->slice_chunk_size);
+
+ dsi_write(msm_host, REG_DSI_COMMAND_COMPRESSION_MODE_CTRL, reg_ctrl);
+ dsi_write(msm_host, REG_DSI_COMMAND_COMPRESSION_MODE_CTRL2, reg_ctrl2);
+--
+2.35.1
+
--- /dev/null
+From 9ad86bc96cfebf3c091fb8b801355a92e5da3bb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 20:28:17 +0200
+Subject: drm/msm/dsi: Use DIV_ROUND_UP instead of conditional increment on
+ modulo
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 1e8196103bd02a396b45c8f6188541634a47fce2 ]
+
+This exact same math is used to compute bytes_in_slice above in
+dsi_update_dsc_timing(), also used to fill slice_chunk_size.
+
+Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/508935/
+Link: https://lore.kernel.org/r/20221026182824.876933-4-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 1bce664a4eed..3459cac6f770 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1894,9 +1894,7 @@ static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ * params are calculated
+ */
+ groups_per_line = DIV_ROUND_UP(dsc->slice_width, 3);
+- dsc->slice_chunk_size = dsc->slice_width * dsc->bits_per_pixel / 8;
+- if ((dsc->slice_width * dsc->bits_per_pixel) % 8)
+- dsc->slice_chunk_size++;
++ dsc->slice_chunk_size = DIV_ROUND_UP(dsc->slice_width * dsc->bits_per_pixel, 8);
+
+ /* rbs-min */
+ min_rate_buffer_size = dsc->rc_model_size - dsc->initial_offset +
+--
+2.35.1
+
--- /dev/null
+From 1d754c9024741e72e9054c944d0a379be89ec2db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 13:04:32 +0300
+Subject: drm/msm/dsi: use drm_dsc_config instead of msm_display_dsc_config
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 4b2b1b3674f80ed786e73d8e24c19e7129257ad8 ]
+
+There is no need to use the struct msm_display_dsc_config wrapper inside
+the dsi driver, use the struct drm_dsc_config directly to pass pps data.
+
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/493341/
+Link: https://lore.kernel.org/r/20220711100432.455268-3-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Stable-dep-of: 01a907980e0b ("drm/msm/dsi: Remove useless math in DSC calculations")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 +-
+ drivers/gpu/drm/msm/dsi/dsi.c | 2 +-
+ drivers/gpu/drm/msm/dsi/dsi.h | 2 +-
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 157 +++++++++++-------------
+ drivers/gpu/drm/msm/msm_drv.h | 9 +-
+ 5 files changed, 79 insertions(+), 93 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+index af5e027eb86f..c99c7a218ddb 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+@@ -582,7 +582,7 @@ static int _dpu_kms_initialize_dsi(struct drm_device *dev,
+ info.h_tile_instance[info.num_of_h_tiles++] = i;
+ info.is_cmd_mode = msm_dsi_is_cmd_mode(priv->dsi[i]);
+
+- info.dsc = msm_dsi_get_dsc_config(priv->dsi[i])->drm;
++ info.dsc = msm_dsi_get_dsc_config(priv->dsi[i]);
+
+ if (msm_dsi_is_bonded_dsi(priv->dsi[i]) && priv->dsi[other]) {
+ rc = msm_dsi_modeset_init(priv->dsi[other], dev, encoder);
+diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c
+index 3db85b5c0feb..31e452ede71f 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi.c
++++ b/drivers/gpu/drm/msm/dsi/dsi.c
+@@ -21,7 +21,7 @@ bool msm_dsi_is_cmd_mode(struct msm_dsi *msm_dsi)
+ return !(host_flags & MIPI_DSI_MODE_VIDEO);
+ }
+
+-struct msm_display_dsc_config *msm_dsi_get_dsc_config(struct msm_dsi *msm_dsi)
++struct drm_dsc_config *msm_dsi_get_dsc_config(struct msm_dsi *msm_dsi)
+ {
+ return msm_dsi_host_get_dsc_config(msm_dsi->host);
+ }
+diff --git a/drivers/gpu/drm/msm/dsi/dsi.h b/drivers/gpu/drm/msm/dsi/dsi.h
+index 580a1e6358bf..df46cdda1b43 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi.h
++++ b/drivers/gpu/drm/msm/dsi/dsi.h
+@@ -154,7 +154,7 @@ int dsi_calc_clk_rate_v2(struct msm_dsi_host *msm_host, bool is_bonded_dsi);
+ int dsi_calc_clk_rate_6g(struct msm_dsi_host *msm_host, bool is_bonded_dsi);
+ void msm_dsi_host_snapshot(struct msm_disp_state *disp_state, struct mipi_dsi_host *host);
+ void msm_dsi_host_test_pattern_en(struct mipi_dsi_host *host);
+-struct msm_display_dsc_config *msm_dsi_host_get_dsc_config(struct mipi_dsi_host *host);
++struct drm_dsc_config *msm_dsi_host_get_dsc_config(struct mipi_dsi_host *host);
+
+ /* dsi phy */
+ struct msm_dsi_phy;
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index a34078497af1..15e108be1901 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -33,7 +33,7 @@
+
+ #define DSI_RESET_TOGGLE_DELAY_MS 20
+
+-static int dsi_populate_dsc_params(struct msm_display_dsc_config *dsc);
++static int dsi_populate_dsc_params(struct drm_dsc_config *dsc);
+
+ static int dsi_get_version(const void __iomem *base, u32 *major, u32 *minor)
+ {
+@@ -161,7 +161,7 @@ struct msm_dsi_host {
+ struct regmap *sfpb;
+
+ struct drm_display_mode *mode;
+- struct msm_display_dsc_config *dsc;
++ struct drm_dsc_config *dsc;
+
+ /* connected device info */
+ struct device_node *device_node;
+@@ -916,7 +916,7 @@ static void dsi_ctrl_config(struct msm_dsi_host *msm_host, bool enable,
+
+ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mode, u32 hdisplay)
+ {
+- struct msm_display_dsc_config *dsc = msm_host->dsc;
++ struct drm_dsc_config *dsc = msm_host->dsc;
+ u32 reg, intf_width, reg_ctrl, reg_ctrl2;
+ u32 slice_per_intf, total_bytes_per_intf;
+ u32 pkt_per_line;
+@@ -927,24 +927,24 @@ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mod
+ * compress mode registers
+ */
+ intf_width = hdisplay;
+- slice_per_intf = DIV_ROUND_UP(intf_width, dsc->drm->slice_width);
++ slice_per_intf = DIV_ROUND_UP(intf_width, dsc->slice_width);
+
+ /* If slice_per_pkt is greater than slice_per_intf
+ * then default to 1. This can happen during partial
+ * update.
+ */
+- if (slice_per_intf > dsc->drm->slice_count)
+- dsc->drm->slice_count = 1;
++ if (slice_per_intf > dsc->slice_count)
++ dsc->slice_count = 1;
+
+- slice_per_intf = DIV_ROUND_UP(hdisplay, dsc->drm->slice_width);
+- bytes_in_slice = DIV_ROUND_UP(dsc->drm->slice_width * dsc->drm->bits_per_pixel, 8);
++ slice_per_intf = DIV_ROUND_UP(hdisplay, dsc->slice_width);
++ bytes_in_slice = DIV_ROUND_UP(dsc->slice_width * dsc->bits_per_pixel, 8);
+
+- dsc->drm->slice_chunk_size = bytes_in_slice;
++ dsc->slice_chunk_size = bytes_in_slice;
+
+ total_bytes_per_intf = bytes_in_slice * slice_per_intf;
+
+ eol_byte_num = total_bytes_per_intf % 3;
+- pkt_per_line = slice_per_intf / dsc->drm->slice_count;
++ pkt_per_line = slice_per_intf / dsc->slice_count;
+
+ if (is_cmd_mode) /* packet data type */
+ reg = DSI_COMMAND_COMPRESSION_MODE_CTRL_STREAM0_DATATYPE(MIPI_DSI_DCS_LONG_WRITE);
+@@ -1009,7 +1009,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
+ }
+
+ if (msm_host->dsc) {
+- struct msm_display_dsc_config *dsc = msm_host->dsc;
++ struct drm_dsc_config *dsc = msm_host->dsc;
+
+ /* update dsc params with timing params */
+ if (!dsc || !mode->hdisplay || !mode->vdisplay) {
+@@ -1018,9 +1018,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
+ return;
+ }
+
+- dsc->drm->pic_width = mode->hdisplay;
+- dsc->drm->pic_height = mode->vdisplay;
+- DBG("Mode %dx%d\n", dsc->drm->pic_width, dsc->drm->pic_height);
++ dsc->pic_width = mode->hdisplay;
++ dsc->pic_height = mode->vdisplay;
++ DBG("Mode %dx%d\n", dsc->pic_width, dsc->pic_height);
+
+ /* we do the calculations for dsc parameters here so that
+ * panel can use these parameters
+@@ -1841,7 +1841,7 @@ static char bpg_offset[DSC_NUM_BUF_RANGES] = {
+ 2, 0, 0, -2, -4, -6, -8, -8, -8, -10, -10, -12, -12, -12, -12
+ };
+
+-static int dsi_populate_dsc_params(struct msm_display_dsc_config *dsc)
++static int dsi_populate_dsc_params(struct drm_dsc_config *dsc)
+ {
+ int mux_words_size;
+ int groups_per_line, groups_total;
+@@ -1854,98 +1854,98 @@ static int dsi_populate_dsc_params(struct msm_display_dsc_config *dsc)
+ int final_value, final_scale;
+ int i;
+
+- dsc->drm->rc_model_size = 8192;
+- dsc->drm->first_line_bpg_offset = 12;
+- dsc->drm->rc_edge_factor = 6;
+- dsc->drm->rc_tgt_offset_high = 3;
+- dsc->drm->rc_tgt_offset_low = 3;
+- dsc->drm->simple_422 = 0;
+- dsc->drm->convert_rgb = 1;
+- dsc->drm->vbr_enable = 0;
++ dsc->rc_model_size = 8192;
++ dsc->first_line_bpg_offset = 12;
++ dsc->rc_edge_factor = 6;
++ dsc->rc_tgt_offset_high = 3;
++ dsc->rc_tgt_offset_low = 3;
++ dsc->simple_422 = 0;
++ dsc->convert_rgb = 1;
++ dsc->vbr_enable = 0;
+
+ /* handle only bpp = bpc = 8 */
+ for (i = 0; i < DSC_NUM_BUF_RANGES - 1 ; i++)
+- dsc->drm->rc_buf_thresh[i] = dsi_dsc_rc_buf_thresh[i];
++ dsc->rc_buf_thresh[i] = dsi_dsc_rc_buf_thresh[i];
+
+ for (i = 0; i < DSC_NUM_BUF_RANGES; i++) {
+- dsc->drm->rc_range_params[i].range_min_qp = min_qp[i];
+- dsc->drm->rc_range_params[i].range_max_qp = max_qp[i];
+- dsc->drm->rc_range_params[i].range_bpg_offset = bpg_offset[i];
++ dsc->rc_range_params[i].range_min_qp = min_qp[i];
++ dsc->rc_range_params[i].range_max_qp = max_qp[i];
++ dsc->rc_range_params[i].range_bpg_offset = bpg_offset[i];
+ }
+
+- dsc->drm->initial_offset = 6144; /* Not bpp 12 */
+- if (dsc->drm->bits_per_pixel != 8)
+- dsc->drm->initial_offset = 2048; /* bpp = 12 */
++ dsc->initial_offset = 6144; /* Not bpp 12 */
++ if (dsc->bits_per_pixel != 8)
++ dsc->initial_offset = 2048; /* bpp = 12 */
+
+ mux_words_size = 48; /* bpc == 8/10 */
+- if (dsc->drm->bits_per_component == 12)
++ if (dsc->bits_per_component == 12)
+ mux_words_size = 64;
+
+- dsc->drm->initial_xmit_delay = 512;
+- dsc->drm->initial_scale_value = 32;
+- dsc->drm->first_line_bpg_offset = 12;
+- dsc->drm->line_buf_depth = dsc->drm->bits_per_component + 1;
++ dsc->initial_xmit_delay = 512;
++ dsc->initial_scale_value = 32;
++ dsc->first_line_bpg_offset = 12;
++ dsc->line_buf_depth = dsc->bits_per_component + 1;
+
+ /* bpc 8 */
+- dsc->drm->flatness_min_qp = 3;
+- dsc->drm->flatness_max_qp = 12;
+- dsc->drm->rc_quant_incr_limit0 = 11;
+- dsc->drm->rc_quant_incr_limit1 = 11;
+- dsc->drm->mux_word_size = DSC_MUX_WORD_SIZE_8_10_BPC;
++ dsc->flatness_min_qp = 3;
++ dsc->flatness_max_qp = 12;
++ dsc->rc_quant_incr_limit0 = 11;
++ dsc->rc_quant_incr_limit1 = 11;
++ dsc->mux_word_size = DSC_MUX_WORD_SIZE_8_10_BPC;
+
+ /* FIXME: need to call drm_dsc_compute_rc_parameters() so that rest of
+ * params are calculated
+ */
+- groups_per_line = DIV_ROUND_UP(dsc->drm->slice_width, 3);
+- dsc->drm->slice_chunk_size = dsc->drm->slice_width * dsc->drm->bits_per_pixel / 8;
+- if ((dsc->drm->slice_width * dsc->drm->bits_per_pixel) % 8)
+- dsc->drm->slice_chunk_size++;
++ groups_per_line = DIV_ROUND_UP(dsc->slice_width, 3);
++ dsc->slice_chunk_size = dsc->slice_width * dsc->bits_per_pixel / 8;
++ if ((dsc->slice_width * dsc->bits_per_pixel) % 8)
++ dsc->slice_chunk_size++;
+
+ /* rbs-min */
+- min_rate_buffer_size = dsc->drm->rc_model_size - dsc->drm->initial_offset +
+- dsc->drm->initial_xmit_delay * dsc->drm->bits_per_pixel +
+- groups_per_line * dsc->drm->first_line_bpg_offset;
++ min_rate_buffer_size = dsc->rc_model_size - dsc->initial_offset +
++ dsc->initial_xmit_delay * dsc->bits_per_pixel +
++ groups_per_line * dsc->first_line_bpg_offset;
+
+- hrd_delay = DIV_ROUND_UP(min_rate_buffer_size, dsc->drm->bits_per_pixel);
++ hrd_delay = DIV_ROUND_UP(min_rate_buffer_size, dsc->bits_per_pixel);
+
+- dsc->drm->initial_dec_delay = hrd_delay - dsc->drm->initial_xmit_delay;
++ dsc->initial_dec_delay = hrd_delay - dsc->initial_xmit_delay;
+
+- dsc->drm->initial_scale_value = 8 * dsc->drm->rc_model_size /
+- (dsc->drm->rc_model_size - dsc->drm->initial_offset);
++ dsc->initial_scale_value = 8 * dsc->rc_model_size /
++ (dsc->rc_model_size - dsc->initial_offset);
+
+- slice_bits = 8 * dsc->drm->slice_chunk_size * dsc->drm->slice_height;
++ slice_bits = 8 * dsc->slice_chunk_size * dsc->slice_height;
+
+- groups_total = groups_per_line * dsc->drm->slice_height;
++ groups_total = groups_per_line * dsc->slice_height;
+
+- data = dsc->drm->first_line_bpg_offset * 2048;
++ data = dsc->first_line_bpg_offset * 2048;
+
+- dsc->drm->nfl_bpg_offset = DIV_ROUND_UP(data, (dsc->drm->slice_height - 1));
++ dsc->nfl_bpg_offset = DIV_ROUND_UP(data, (dsc->slice_height - 1));
+
+- pre_num_extra_mux_bits = 3 * (mux_words_size + (4 * dsc->drm->bits_per_component + 4) - 2);
++ pre_num_extra_mux_bits = 3 * (mux_words_size + (4 * dsc->bits_per_component + 4) - 2);
+
+ num_extra_mux_bits = pre_num_extra_mux_bits - (mux_words_size -
+ ((slice_bits - pre_num_extra_mux_bits) % mux_words_size));
+
+- data = 2048 * (dsc->drm->rc_model_size - dsc->drm->initial_offset + num_extra_mux_bits);
+- dsc->drm->slice_bpg_offset = DIV_ROUND_UP(data, groups_total);
++ data = 2048 * (dsc->rc_model_size - dsc->initial_offset + num_extra_mux_bits);
++ dsc->slice_bpg_offset = DIV_ROUND_UP(data, groups_total);
+
+ /* bpp * 16 + 0.5 */
+- data = dsc->drm->bits_per_pixel * 16;
++ data = dsc->bits_per_pixel * 16;
+ data *= 2;
+ data++;
+ data /= 2;
+ target_bpp_x16 = data;
+
+- data = (dsc->drm->initial_xmit_delay * target_bpp_x16) / 16;
+- final_value = dsc->drm->rc_model_size - data + num_extra_mux_bits;
+- dsc->drm->final_offset = final_value;
++ data = (dsc->initial_xmit_delay * target_bpp_x16) / 16;
++ final_value = dsc->rc_model_size - data + num_extra_mux_bits;
++ dsc->final_offset = final_value;
+
+- final_scale = 8 * dsc->drm->rc_model_size / (dsc->drm->rc_model_size - final_value);
++ final_scale = 8 * dsc->rc_model_size / (dsc->rc_model_size - final_value);
+
+- data = (final_scale - 9) * (dsc->drm->nfl_bpg_offset + dsc->drm->slice_bpg_offset);
+- dsc->drm->scale_increment_interval = (2048 * dsc->drm->final_offset) / data;
++ data = (final_scale - 9) * (dsc->nfl_bpg_offset + dsc->slice_bpg_offset);
++ dsc->scale_increment_interval = (2048 * dsc->final_offset) / data;
+
+- dsc->drm->scale_decrement_interval = groups_per_line / (dsc->drm->initial_scale_value - 8);
++ dsc->scale_decrement_interval = groups_per_line / (dsc->initial_scale_value - 8);
+
+ return 0;
+ }
+@@ -2165,17 +2165,8 @@ int msm_dsi_host_modeset_init(struct mipi_dsi_host *host,
+ msm_host->dev = dev;
+ panel = msm_dsi_host_get_panel(&msm_host->base);
+
+- if (!IS_ERR(panel) && panel->dsc) {
+- struct msm_display_dsc_config *dsc = msm_host->dsc;
+-
+- if (!dsc) {
+- dsc = devm_kzalloc(&msm_host->pdev->dev, sizeof(*dsc), GFP_KERNEL);
+- if (!dsc)
+- return -ENOMEM;
+- dsc->drm = panel->dsc;
+- msm_host->dsc = dsc;
+- }
+- }
++ if (!IS_ERR(panel) && panel->dsc)
++ msm_host->dsc = panel->dsc;
+
+ ret = cfg_hnd->ops->tx_buf_alloc(msm_host, SZ_4K);
+ if (ret) {
+@@ -2659,22 +2650,22 @@ enum drm_mode_status msm_dsi_host_check_dsc(struct mipi_dsi_host *host,
+ const struct drm_display_mode *mode)
+ {
+ struct msm_dsi_host *msm_host = to_msm_dsi_host(host);
+- struct msm_display_dsc_config *dsc = msm_host->dsc;
++ struct drm_dsc_config *dsc = msm_host->dsc;
+ int pic_width = mode->hdisplay;
+ int pic_height = mode->vdisplay;
+
+ if (!msm_host->dsc)
+ return MODE_OK;
+
+- if (pic_width % dsc->drm->slice_width) {
++ if (pic_width % dsc->slice_width) {
+ pr_err("DSI: pic_width %d has to be multiple of slice %d\n",
+- pic_width, dsc->drm->slice_width);
++ pic_width, dsc->slice_width);
+ return MODE_H_ILLEGAL;
+ }
+
+- if (pic_height % dsc->drm->slice_height) {
++ if (pic_height % dsc->slice_height) {
+ pr_err("DSI: pic_height %d has to be multiple of slice %d\n",
+- pic_height, dsc->drm->slice_height);
++ pic_height, dsc->slice_height);
+ return MODE_V_ILLEGAL;
+ }
+
+@@ -2771,7 +2762,7 @@ void msm_dsi_host_test_pattern_en(struct mipi_dsi_host *host)
+ DSI_TEST_PATTERN_GEN_CMD_STREAM0_TRIGGER_SW_TRIGGER);
+ }
+
+-struct msm_display_dsc_config *msm_dsi_host_get_dsc_config(struct mipi_dsi_host *host)
++struct drm_dsc_config *msm_dsi_host_get_dsc_config(struct mipi_dsi_host *host)
+ {
+ struct msm_dsi_host *msm_host = to_msm_dsi_host(host);
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
+index 80da0d3cfdc1..03e5b6863319 100644
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -96,11 +96,6 @@ struct msm_drm_thread {
+ struct kthread_worker *worker;
+ };
+
+-/* DSC config */
+-struct msm_display_dsc_config {
+- struct drm_dsc_config *drm;
+-};
+-
+ struct msm_drm_private {
+
+ struct drm_device *dev;
+@@ -290,7 +285,7 @@ void msm_dsi_snapshot(struct msm_disp_state *disp_state, struct msm_dsi *msm_dsi
+ bool msm_dsi_is_cmd_mode(struct msm_dsi *msm_dsi);
+ bool msm_dsi_is_bonded_dsi(struct msm_dsi *msm_dsi);
+ bool msm_dsi_is_master_dsi(struct msm_dsi *msm_dsi);
+-struct msm_display_dsc_config *msm_dsi_get_dsc_config(struct msm_dsi *msm_dsi);
++struct drm_dsc_config *msm_dsi_get_dsc_config(struct msm_dsi *msm_dsi);
+ #else
+ static inline void __init msm_dsi_register(void)
+ {
+@@ -320,7 +315,7 @@ static inline bool msm_dsi_is_master_dsi(struct msm_dsi *msm_dsi)
+ return false;
+ }
+
+-static inline struct msm_display_dsc_config *msm_dsi_get_dsc_config(struct msm_dsi *msm_dsi)
++static inline struct drm_dsc_config *msm_dsi_get_dsc_config(struct msm_dsi *msm_dsi)
+ {
+ return NULL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 8774643161f182dfce8c89c4695ab95e5a5d5e37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 12:39:23 +0300
+Subject: drm/msm/hdmi: use devres helper for runtime PM management
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit b964444b2b64ce182495731d830499d1c588ccf6 ]
+
+Use devm_pm_runtime_enable() to enable runtime PM. This way its effect
+will be reverted on device unbind/destruction.
+
+Fixes: 6ed9ed484d04 ("drm/msm/hdmi: Set up runtime PM for HDMI")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/499647/
+Link: https://lore.kernel.org/r/20220826093927.851597-2-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/hdmi/hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c
+index f28fb21e3891..8cd5d50639a5 100644
+--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
+@@ -252,7 +252,7 @@ static struct hdmi *msm_hdmi_init(struct platform_device *pdev)
+ if (hdmi->hpd_gpiod)
+ gpiod_set_consumer_name(hdmi->hpd_gpiod, "HDMI_HPD");
+
+- pm_runtime_enable(&pdev->dev);
++ devm_pm_runtime_enable(&pdev->dev);
+
+ hdmi->workq = alloc_ordered_workqueue("msm_hdmi", 0);
+
+--
+2.35.1
+
--- /dev/null
+From e6b2335916f06283de35fd97002248c1aafa761b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 02:02:13 +0200
+Subject: drm/msm/mdp5: fix reading hw revision on db410c platform
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 5d8c0417ea62fed3cec7f5daed06a20477efeb39 ]
+
+Since the commit commit c6122688f265 ("drm/msm/mdp5: stop overriding
+drvdata") reading the MDP5 hw revision on db410c will crash the board
+as the MDSS_GDSC is not enabled. Revert a part of the offending commit
+(moving rpm enablement) and set priv->kms earlier. This make it possible
+to use pm_runtime_get_sync() during read_mdp_hw_revision(), which will
+power up both the MDP5 and MDSS devices.
+
+Fixes: c6122688f265 ("drm/msm/mdp5: stop overriding drvdata")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/512985/
+Link: https://lore.kernel.org/r/20221125000213.252115-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
+index b46f983f2b46..29ae5c9613f3 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
+@@ -519,10 +519,9 @@ static void read_mdp_hw_revision(struct mdp5_kms *mdp5_kms,
+ struct device *dev = &mdp5_kms->pdev->dev;
+ u32 version;
+
+- /* Manually enable the MDP5, as pm runtime isn't usable yet. */
+- mdp5_enable(mdp5_kms);
++ pm_runtime_get_sync(dev);
+ version = mdp5_read(mdp5_kms, REG_MDP5_HW_VERSION);
+- mdp5_disable(mdp5_kms);
++ pm_runtime_put_sync(dev);
+
+ *major = FIELD(version, MDP5_HW_VERSION_MAJOR);
+ *minor = FIELD(version, MDP5_HW_VERSION_MINOR);
+@@ -839,6 +838,12 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev)
+ */
+ clk_set_rate(mdp5_kms->core_clk, 200000000);
+
++ /* set uninit-ed kms */
++ priv->kms = &mdp5_kms->base.base;
++
++ pm_runtime_enable(&pdev->dev);
++ mdp5_kms->rpm_enabled = true;
++
+ read_mdp_hw_revision(mdp5_kms, &major, &minor);
+
+ mdp5_kms->cfg = mdp5_cfg_init(mdp5_kms, major, minor);
+@@ -887,12 +892,6 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev)
+ if (ret)
+ goto fail;
+
+- /* set uninit-ed kms */
+- priv->kms = &mdp5_kms->base.base;
+-
+- pm_runtime_enable(&pdev->dev);
+- mdp5_kms->rpm_enabled = true;
+-
+ return 0;
+ fail:
+ if (mdp5_kms)
+--
+2.35.1
+
--- /dev/null
+From 5e4a15f4501a99c78ded6314a263c08ddd802684 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 18:26:42 +0300
+Subject: drm/msm/mdp5: stop overriding drvdata
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit c6122688f2652d7f8a44000ce21e84e82bae2b5e ]
+
+The rest of the code expects that master's device drvdata is the
+struct msm_drm_private instance. Do not override the mdp5's drvdata.
+
+Fixes: 6874f48bb8b0 ("drm/msm: make mdp5/dpu devices master components")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/508334/
+Link: https://lore.kernel.org/r/20221024152642.3213488-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c | 32 +++++++++++++-----------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
+index b0d21838a134..b46f983f2b46 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
+@@ -203,7 +203,7 @@ static int mdp5_set_split_display(struct msm_kms *kms,
+ slave_encoder);
+ }
+
+-static void mdp5_destroy(struct platform_device *pdev);
++static void mdp5_destroy(struct mdp5_kms *mdp5_kms);
+
+ static void mdp5_kms_destroy(struct msm_kms *kms)
+ {
+@@ -223,7 +223,7 @@ static void mdp5_kms_destroy(struct msm_kms *kms)
+ }
+
+ mdp_kms_destroy(&mdp5_kms->base);
+- mdp5_destroy(mdp5_kms->pdev);
++ mdp5_destroy(mdp5_kms);
+ }
+
+ #ifdef CONFIG_DEBUG_FS
+@@ -519,9 +519,10 @@ static void read_mdp_hw_revision(struct mdp5_kms *mdp5_kms,
+ struct device *dev = &mdp5_kms->pdev->dev;
+ u32 version;
+
+- pm_runtime_get_sync(dev);
++ /* Manually enable the MDP5, as pm runtime isn't usable yet. */
++ mdp5_enable(mdp5_kms);
+ version = mdp5_read(mdp5_kms, REG_MDP5_HW_VERSION);
+- pm_runtime_put_sync(dev);
++ mdp5_disable(mdp5_kms);
+
+ *major = FIELD(version, MDP5_HW_VERSION_MAJOR);
+ *minor = FIELD(version, MDP5_HW_VERSION_MINOR);
+@@ -559,6 +560,8 @@ static int mdp5_kms_init(struct drm_device *dev)
+ int irq, i, ret;
+
+ ret = mdp5_init(to_platform_device(dev->dev), dev);
++ if (ret)
++ return ret;
+
+ /* priv->kms would have been populated by the MDP5 driver */
+ kms = priv->kms;
+@@ -632,9 +635,8 @@ static int mdp5_kms_init(struct drm_device *dev)
+ return ret;
+ }
+
+-static void mdp5_destroy(struct platform_device *pdev)
++static void mdp5_destroy(struct mdp5_kms *mdp5_kms)
+ {
+- struct mdp5_kms *mdp5_kms = platform_get_drvdata(pdev);
+ int i;
+
+ if (mdp5_kms->ctlm)
+@@ -648,7 +650,7 @@ static void mdp5_destroy(struct platform_device *pdev)
+ kfree(mdp5_kms->intfs[i]);
+
+ if (mdp5_kms->rpm_enabled)
+- pm_runtime_disable(&pdev->dev);
++ pm_runtime_disable(&mdp5_kms->pdev->dev);
+
+ drm_atomic_private_obj_fini(&mdp5_kms->glob_state);
+ drm_modeset_lock_fini(&mdp5_kms->glob_state_lock);
+@@ -797,8 +799,6 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev)
+ goto fail;
+ }
+
+- platform_set_drvdata(pdev, mdp5_kms);
+-
+ spin_lock_init(&mdp5_kms->resource_lock);
+
+ mdp5_kms->dev = dev;
+@@ -839,9 +839,6 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev)
+ */
+ clk_set_rate(mdp5_kms->core_clk, 200000000);
+
+- pm_runtime_enable(&pdev->dev);
+- mdp5_kms->rpm_enabled = true;
+-
+ read_mdp_hw_revision(mdp5_kms, &major, &minor);
+
+ mdp5_kms->cfg = mdp5_cfg_init(mdp5_kms, major, minor);
+@@ -893,10 +890,13 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev)
+ /* set uninit-ed kms */
+ priv->kms = &mdp5_kms->base.base;
+
++ pm_runtime_enable(&pdev->dev);
++ mdp5_kms->rpm_enabled = true;
++
+ return 0;
+ fail:
+ if (mdp5_kms)
+- mdp5_destroy(pdev);
++ mdp5_destroy(mdp5_kms);
+ return ret;
+ }
+
+@@ -953,7 +953,8 @@ static int mdp5_dev_remove(struct platform_device *pdev)
+ static __maybe_unused int mdp5_runtime_suspend(struct device *dev)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+- struct mdp5_kms *mdp5_kms = platform_get_drvdata(pdev);
++ struct msm_drm_private *priv = platform_get_drvdata(pdev);
++ struct mdp5_kms *mdp5_kms = to_mdp5_kms(to_mdp_kms(priv->kms));
+
+ DBG("");
+
+@@ -963,7 +964,8 @@ static __maybe_unused int mdp5_runtime_suspend(struct device *dev)
+ static __maybe_unused int mdp5_runtime_resume(struct device *dev)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+- struct mdp5_kms *mdp5_kms = platform_get_drvdata(pdev);
++ struct msm_drm_private *priv = platform_get_drvdata(pdev);
++ struct mdp5_kms *mdp5_kms = to_mdp5_kms(to_mdp_kms(priv->kms));
+
+ DBG("");
+
+--
+2.35.1
+
--- /dev/null
+From 477d5a9df183596f697d384ab81dff347f309beb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 21:25:42 +0200
+Subject: drm/msm: Use drm_mode_copy()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit b2a1c5ca50db22b3677676dd5bad5f6092429acf ]
+
+struct drm_display_mode embeds a list head, so overwriting
+the full struct with another one will corrupt the list
+(if the destination mode is on a list). Use drm_mode_copy()
+instead which explicitly preserves the list head of
+the destination mode.
+
+Even if we know the destination mode is not on any list
+using drm_mode_copy() seems decent as it sets a good
+example. Bad examples of not using it might eventually
+get copied into code where preserving the list head
+actually matters.
+
+Obviously one case not covered here is when the mode
+itself is embedded in a larger structure and the whole
+structure is copied. But if we are careful when copying
+into modes embedded in structures I think we can be a
+little more reassured that bogus list heads haven't been
+propagated in.
+
+@is_mode_copy@
+@@
+drm_mode_copy(...)
+{
+...
+}
+
+@depends on !is_mode_copy@
+struct drm_display_mode *mode;
+expression E, S;
+@@
+(
+- *mode = E
++ drm_mode_copy(mode, &E)
+|
+- memcpy(mode, E, S)
++ drm_mode_copy(mode, E)
+)
+
+@depends on !is_mode_copy@
+struct drm_display_mode mode;
+expression E;
+@@
+(
+- mode = E
++ drm_mode_copy(&mode, &E)
+|
+- memcpy(&mode, E, S)
++ drm_mode_copy(&mode, E)
+)
+
+@@
+struct drm_display_mode *mode;
+@@
+- &*mode
++ mode
+
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: Sean Paul <sean@poorly.run>
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Cc: linux-arm-msm@vger.kernel.org
+Cc: freedreno@lists.freedesktop.org
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-5-ville.syrjala@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index a49f6dbbe888..c9d9b384ddd0 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -857,7 +857,7 @@ static int dp_display_set_mode(struct msm_dp *dp_display,
+
+ dp = container_of(dp_display, struct dp_display_private, dp_display);
+
+- dp->panel->dp_mode.drm_mode = mode->drm_mode;
++ drm_mode_copy(&dp->panel->dp_mode.drm_mode, &mode->drm_mode);
+ dp->panel->dp_mode.bpp = mode->bpp;
+ dp->panel->dp_mode.capabilities = mode->capabilities;
+ dp_panel_init_panel_info(dp->panel);
+--
+2.35.1
+
--- /dev/null
+From 857312beb3e387fa90e41de53074c886ab017fea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Oct 2022 01:11:06 +0200
+Subject: drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit c62102165dd79284d42383d2f7ed17301bd8e629 ]
+
+In case mipi_dsi_attach() fails, call drm_panel_remove() to
+avoid memory leak.
+
+Fixes: 849b2e3ff969 ("drm/panel: Add Sitronix ST7701 panel driver")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221014231106.468063-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-sitronix-st7701.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-sitronix-st7701.c b/drivers/gpu/drm/panel/panel-sitronix-st7701.c
+index 320a2a8fd459..098955526b68 100644
+--- a/drivers/gpu/drm/panel/panel-sitronix-st7701.c
++++ b/drivers/gpu/drm/panel/panel-sitronix-st7701.c
+@@ -384,7 +384,15 @@ static int st7701_dsi_probe(struct mipi_dsi_device *dsi)
+ st7701->dsi = dsi;
+ st7701->desc = desc;
+
+- return mipi_dsi_attach(dsi);
++ ret = mipi_dsi_attach(dsi);
++ if (ret)
++ goto err_attach;
++
++ return 0;
++
++err_attach:
++ drm_panel_remove(&st7701->panel);
++ return ret;
+ }
+
+ static int st7701_dsi_remove(struct mipi_dsi_device *dsi)
+--
+2.35.1
+
--- /dev/null
+From 095670b69905dca73b81ddb988b9ce324773002e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 17:50:02 +0800
+Subject: drm/radeon: Add the missed acpi_put_table() to fix memory leak
+
+From: Hanjun Guo <guohanjun@huawei.com>
+
+[ Upstream commit 10276a20be1115e1f76c189330da2992df980eee ]
+
+When the radeon driver reads the bios information from ACPI
+table in radeon_acpi_vfct_bios(), it misses to call acpi_put_table()
+to release the ACPI memory after the init, so add acpi_put_table()
+properly to fix the memory leak.
+
+v2: fix text formatting (Alex)
+
+Fixes: 268ba0a99f89 ("drm/radeon: implement ACPI VFCT vbios fetch (v3)")
+Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_bios.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
+index 33121655d50b..1d99c9a2b56e 100644
+--- a/drivers/gpu/drm/radeon/radeon_bios.c
++++ b/drivers/gpu/drm/radeon/radeon_bios.c
+@@ -612,13 +612,14 @@ static bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
+ acpi_size tbl_size;
+ UEFI_ACPI_VFCT *vfct;
+ unsigned offset;
++ bool r = false;
+
+ if (!ACPI_SUCCESS(acpi_get_table("VFCT", 1, &hdr)))
+ return false;
+ tbl_size = hdr->length;
+ if (tbl_size < sizeof(UEFI_ACPI_VFCT)) {
+ DRM_ERROR("ACPI VFCT table present but broken (too short #1)\n");
+- return false;
++ goto out;
+ }
+
+ vfct = (UEFI_ACPI_VFCT *)hdr;
+@@ -631,13 +632,13 @@ static bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
+ offset += sizeof(VFCT_IMAGE_HEADER);
+ if (offset > tbl_size) {
+ DRM_ERROR("ACPI VFCT image header truncated\n");
+- return false;
++ goto out;
+ }
+
+ offset += vhdr->ImageLength;
+ if (offset > tbl_size) {
+ DRM_ERROR("ACPI VFCT image truncated\n");
+- return false;
++ goto out;
+ }
+
+ if (vhdr->ImageLength &&
+@@ -649,15 +650,18 @@ static bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
+ rdev->bios = kmemdup(&vbios->VbiosContent,
+ vhdr->ImageLength,
+ GFP_KERNEL);
++ if (rdev->bios)
++ r = true;
+
+- if (!rdev->bios)
+- return false;
+- return true;
++ goto out;
+ }
+ }
+
+ DRM_ERROR("ACPI VFCT table present but broken (too short #2)\n");
+- return false;
++
++out:
++ acpi_put_table(hdr);
++ return r;
+ }
+ #else
+ static inline bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
+--
+2.35.1
+
--- /dev/null
+From a5d20a4e93bb5de3aab5ff8a9c6d56c576be7aef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 19:30:42 +0800
+Subject: drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 725a521a18734f65de05b8d353b5bd0d3ca4c37a ]
+
+As comment of pci_get_class() says, it returns a pci_device with its
+refcount increased and decreased the refcount for the input parameter
+@from if it is not NULL.
+
+If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we
+need to call pci_dev_put() to decrease the refcount. Add the missing
+pci_dev_put() to avoid refcount leak.
+
+Fixes: d8ade3526b2a ("drm/radeon: handle non-VGA class pci devices with ATRM")
+Fixes: c61e2775873f ("drm/radeon: split ATRM support out from the ATPX handler (v3)")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_bios.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
+index 1d99c9a2b56e..63bdc9f6fc24 100644
+--- a/drivers/gpu/drm/radeon/radeon_bios.c
++++ b/drivers/gpu/drm/radeon/radeon_bios.c
+@@ -227,6 +227,7 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev)
+
+ if (!found)
+ return false;
++ pci_dev_put(pdev);
+
+ rdev->bios = kmalloc(size, GFP_KERNEL);
+ if (!rdev->bios) {
+--
+2.35.1
+
--- /dev/null
+From 31a6e15c869508a078e0a9533a3dadfa383ab8b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 00:31:10 +0300
+Subject: drm: rcar-du: Drop leftovers dependencies from Kconfig
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit 1760eb547276299ab0c6a6cd3d29469e54ade615 ]
+
+Commit 841281fe52a7 ("drm: rcar-du: Drop LVDS device tree backward
+compatibility") has removed device tree overlay sources used for
+backward compatibility with old bindings, but forgot to remove related
+dependencies from Kconfig. Fix it.
+
+Fixes: 841281fe52a7 ("drm: rcar-du: Drop LVDS device tree backward compatibility")
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/Kconfig | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/Kconfig b/drivers/gpu/drm/rcar-du/Kconfig
+index f6e6a6d5d987..b3c29ca7726e 100644
+--- a/drivers/gpu/drm/rcar-du/Kconfig
++++ b/drivers/gpu/drm/rcar-du/Kconfig
+@@ -41,8 +41,6 @@ config DRM_RCAR_LVDS
+ depends on DRM_RCAR_USE_LVDS
+ select DRM_KMS_HELPER
+ select DRM_PANEL
+- select OF_FLATTREE
+- select OF_OVERLAY
+
+ config DRM_RCAR_MIPI_DSI
+ tristate "R-Car DU MIPI DSI Encoder Support"
+--
+2.35.1
+
--- /dev/null
+From 0506ea8978ba99b612423ea6352d40ddf86c8c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 21:21:07 +0800
+Subject: drm/rockchip: lvds: fix PM usage counter unbalance in poweron
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 4dba27f1a14592ac4cf71c3bc1cc1fd05dea8015 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+We fix it by replacing it with the newest pm_runtime_resume_and_get
+to keep usage counter balanced.
+
+Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS")
+Fixes: cca1705c3d89 ("drm/rockchip: lvds: Add PX30 support")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220922132107.105419-3-zhangqilong3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_lvds.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c b/drivers/gpu/drm/rockchip/rockchip_lvds.c
+index 5a284332ec49..68f6ebb33460 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c
++++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c
+@@ -152,7 +152,7 @@ static int rk3288_lvds_poweron(struct rockchip_lvds *lvds)
+ DRM_DEV_ERROR(lvds->dev, "failed to enable lvds pclk %d\n", ret);
+ return ret;
+ }
+- ret = pm_runtime_get_sync(lvds->dev);
++ ret = pm_runtime_resume_and_get(lvds->dev);
+ if (ret < 0) {
+ DRM_DEV_ERROR(lvds->dev, "failed to get pm runtime: %d\n", ret);
+ clk_disable(lvds->pclk);
+@@ -336,16 +336,20 @@ static int px30_lvds_poweron(struct rockchip_lvds *lvds)
+ {
+ int ret;
+
+- ret = pm_runtime_get_sync(lvds->dev);
++ ret = pm_runtime_resume_and_get(lvds->dev);
+ if (ret < 0) {
+ DRM_DEV_ERROR(lvds->dev, "failed to get pm runtime: %d\n", ret);
+ return ret;
+ }
+
+ /* Enable LVDS mode */
+- return regmap_update_bits(lvds->grf, PX30_LVDS_GRF_PD_VO_CON1,
++ ret = regmap_update_bits(lvds->grf, PX30_LVDS_GRF_PD_VO_CON1,
+ PX30_LVDS_MODE_EN(1) | PX30_LVDS_P2S_EN(1),
+ PX30_LVDS_MODE_EN(1) | PX30_LVDS_P2S_EN(1));
++ if (ret)
++ pm_runtime_put(lvds->dev);
++
++ return ret;
+ }
+
+ static void px30_lvds_poweroff(struct rockchip_lvds *lvds)
+--
+2.35.1
+
--- /dev/null
+From de2bc7bcb9918fb1d14134028c0fbd4b99ff1096 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 21:25:44 +0200
+Subject: drm/rockchip: Use drm_mode_copy()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit 2bfaa28000d2830d3209161a4541cce0660e1b84 ]
+
+struct drm_display_mode embeds a list head, so overwriting
+the full struct with another one will corrupt the list
+(if the destination mode is on a list). Use drm_mode_copy()
+instead which explicitly preserves the list head of
+the destination mode.
+
+Even if we know the destination mode is not on any list
+using drm_mode_copy() seems decent as it sets a good
+example. Bad examples of not using it might eventually
+get copied into code where preserving the list head
+actually matters.
+
+Obviously one case not covered here is when the mode
+itself is embedded in a larger structure and the whole
+structure is copied. But if we are careful when copying
+into modes embedded in structures I think we can be a
+little more reassured that bogus list heads haven't been
+propagated in.
+
+@is_mode_copy@
+@@
+drm_mode_copy(...)
+{
+...
+}
+
+@depends on !is_mode_copy@
+struct drm_display_mode *mode;
+expression E, S;
+@@
+(
+- *mode = E
++ drm_mode_copy(mode, &E)
+|
+- memcpy(mode, E, S)
++ drm_mode_copy(mode, E)
+)
+
+@depends on !is_mode_copy@
+struct drm_display_mode mode;
+expression E;
+@@
+(
+- mode = E
++ drm_mode_copy(&mode, &E)
+|
+- memcpy(&mode, E, S)
++ drm_mode_copy(&mode, E)
+)
+
+@@
+struct drm_display_mode *mode;
+@@
+- &*mode
++ mode
+
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Sandy Huang <hjc@rock-chips.com>
+Cc: "Heiko Stübner" <heiko@sntech.de>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-rockchip@lists.infradead.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-7-ville.syrjala@linux.intel.com
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +-
+ drivers/gpu/drm/rockchip/inno_hdmi.c | 2 +-
+ drivers/gpu/drm/rockchip/rk3066_hdmi.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c
+index 518ee13b1d6f..8526dda91931 100644
+--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
+@@ -571,7 +571,7 @@ static void cdn_dp_encoder_mode_set(struct drm_encoder *encoder,
+ video->v_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NVSYNC);
+ video->h_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NHSYNC);
+
+- memcpy(&dp->mode, adjusted, sizeof(*mode));
++ drm_mode_copy(&dp->mode, adjusted);
+ }
+
+ static bool cdn_dp_check_link_status(struct cdn_dp_device *dp)
+diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c
+index 87b2243ea23e..f51774866f41 100644
+--- a/drivers/gpu/drm/rockchip/inno_hdmi.c
++++ b/drivers/gpu/drm/rockchip/inno_hdmi.c
+@@ -499,7 +499,7 @@ static void inno_hdmi_encoder_mode_set(struct drm_encoder *encoder,
+ inno_hdmi_setup(hdmi, adj_mode);
+
+ /* Store the display mode for plugin/DPMS poweron events */
+- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode));
++ drm_mode_copy(&hdmi->previous_mode, adj_mode);
+ }
+
+ static void inno_hdmi_encoder_enable(struct drm_encoder *encoder)
+diff --git a/drivers/gpu/drm/rockchip/rk3066_hdmi.c b/drivers/gpu/drm/rockchip/rk3066_hdmi.c
+index cf2cf51091a3..90145ad96984 100644
+--- a/drivers/gpu/drm/rockchip/rk3066_hdmi.c
++++ b/drivers/gpu/drm/rockchip/rk3066_hdmi.c
+@@ -395,7 +395,7 @@ rk3066_hdmi_encoder_mode_set(struct drm_encoder *encoder,
+ struct rk3066_hdmi *hdmi = encoder_to_rk3066_hdmi(encoder);
+
+ /* Store the display mode for plugin/DPMS poweron events. */
+- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode));
++ drm_mode_copy(&hdmi->previous_mode, adj_mode);
+ }
+
+ static void rk3066_hdmi_encoder_enable(struct drm_encoder *encoder)
+--
+2.35.1
+
--- /dev/null
+From d443989c539ee7696cb43be9854353551e0c9189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jun 2022 06:26:44 +0000
+Subject: drm/rockchip: use pm_runtime_resume_and_get() instead of
+ pm_runtime_get_sync()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit e3558747ebe15306e6d0b75bd6d211436be4a7d5 ]
+
+Replace pm_runtime_get_sync() with pm_runtime_resume_and_get() to avoid
+device usage counter leak.
+
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220615062644.96837-1-yuancan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 2 +-
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++--
+ drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+index 1aa3700551f4..1e1a8bc6c856 100644
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -1201,7 +1201,7 @@ static int dw_mipi_dsi_dphy_power_on(struct phy *phy)
+ return i;
+ }
+
+- ret = pm_runtime_get_sync(dsi->dev);
++ ret = pm_runtime_resume_and_get(dsi->dev);
+ if (ret < 0) {
+ DRM_DEV_ERROR(dsi->dev, "failed to enable device: %d\n", ret);
+ return ret;
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+index ad3958b6f8bf..9a039a31fe48 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -605,7 +605,7 @@ static int vop_enable(struct drm_crtc *crtc, struct drm_crtc_state *old_state)
+ struct vop *vop = to_vop(crtc);
+ int ret, i;
+
+- ret = pm_runtime_get_sync(vop->dev);
++ ret = pm_runtime_resume_and_get(vop->dev);
+ if (ret < 0) {
+ DRM_DEV_ERROR(vop->dev, "failed to get pm runtime: %d\n", ret);
+ return ret;
+@@ -1953,7 +1953,7 @@ static int vop_initial(struct vop *vop)
+ return PTR_ERR(vop->dclk);
+ }
+
+- ret = pm_runtime_get_sync(vop->dev);
++ ret = pm_runtime_resume_and_get(vop->dev);
+ if (ret < 0) {
+ DRM_DEV_ERROR(vop->dev, "failed to get pm runtime: %d\n", ret);
+ return ret;
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+index 1fc04019dfd8..6dc14ea7f6fc 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+@@ -823,7 +823,7 @@ static void vop2_enable(struct vop2 *vop2)
+ {
+ int ret;
+
+- ret = pm_runtime_get_sync(vop2->dev);
++ ret = pm_runtime_resume_and_get(vop2->dev);
+ if (ret < 0) {
+ drm_err(vop2->drm, "failed to get pm runtime: %d\n", ret);
+ return;
+--
+2.35.1
+
--- /dev/null
+From 6501e5fc5b54d401272bfbe6db771eaf068d7c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 08:56:23 -0700
+Subject: drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 0ad811cc08a937d875cbad0149c1bab17f84ba05 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .mode_valid = sti_hda_connector_mode_valid,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .mode_valid = sti_dvo_connector_mode_valid,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .mode_valid = sti_hdmi_connector_mode_valid,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+->mode_valid() in 'struct drm_connector_helper_funcs' expects a return
+type of 'enum drm_mode_status', not 'int'. Adjust the return type of
+sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to
+resolve the warning and CFI failure.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221102155623.3042869-1-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sti/sti_dvo.c | 5 +++--
+ drivers/gpu/drm/sti/sti_hda.c | 5 +++--
+ drivers/gpu/drm/sti/sti_hdmi.c | 5 +++--
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c
+index f3a5616b7daf..577c477b5f46 100644
+--- a/drivers/gpu/drm/sti/sti_dvo.c
++++ b/drivers/gpu/drm/sti/sti_dvo.c
+@@ -346,8 +346,9 @@ static int sti_dvo_connector_get_modes(struct drm_connector *connector)
+
+ #define CLK_TOLERANCE_HZ 50
+
+-static int sti_dvo_connector_mode_valid(struct drm_connector *connector,
+- struct drm_display_mode *mode)
++static enum drm_mode_status
++sti_dvo_connector_mode_valid(struct drm_connector *connector,
++ struct drm_display_mode *mode)
+ {
+ int target = mode->clock * 1000;
+ int target_min = target - CLK_TOLERANCE_HZ;
+diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c
+index ec6656b9ee7c..15097ac67931 100644
+--- a/drivers/gpu/drm/sti/sti_hda.c
++++ b/drivers/gpu/drm/sti/sti_hda.c
+@@ -601,8 +601,9 @@ static int sti_hda_connector_get_modes(struct drm_connector *connector)
+
+ #define CLK_TOLERANCE_HZ 50
+
+-static int sti_hda_connector_mode_valid(struct drm_connector *connector,
+- struct drm_display_mode *mode)
++static enum drm_mode_status
++sti_hda_connector_mode_valid(struct drm_connector *connector,
++ struct drm_display_mode *mode)
+ {
+ int target = mode->clock * 1000;
+ int target_min = target - CLK_TOLERANCE_HZ;
+diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
+index fcc2194869d6..8539fe1fedc4 100644
+--- a/drivers/gpu/drm/sti/sti_hdmi.c
++++ b/drivers/gpu/drm/sti/sti_hdmi.c
+@@ -1004,8 +1004,9 @@ static int sti_hdmi_connector_get_modes(struct drm_connector *connector)
+
+ #define CLK_TOLERANCE_HZ 50
+
+-static int sti_hdmi_connector_mode_valid(struct drm_connector *connector,
+- struct drm_display_mode *mode)
++static enum drm_mode_status
++sti_hdmi_connector_mode_valid(struct drm_connector *connector,
++ struct drm_display_mode *mode)
+ {
+ int target = mode->clock * 1000;
+ int target_min = target - CLK_TOLERANCE_HZ;
+--
+2.35.1
+
--- /dev/null
+From 8daa0be07a14a0f2ec52e89bde3f6b2ef2dcef4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 21:25:45 +0200
+Subject: drm/sti: Use drm_mode_copy()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit 442cf8e22ba25a77cb9092d78733fdbac9844e50 ]
+
+struct drm_display_mode embeds a list head, so overwriting
+the full struct with another one will corrupt the list
+(if the destination mode is on a list). Use drm_mode_copy()
+instead which explicitly preserves the list head of
+the destination mode.
+
+Even if we know the destination mode is not on any list
+using drm_mode_copy() seems decent as it sets a good
+example. Bad examples of not using it might eventually
+get copied into code where preserving the list head
+actually matters.
+
+Obviously one case not covered here is when the mode
+itself is embedded in a larger structure and the whole
+structure is copied. But if we are careful when copying
+into modes embedded in structures I think we can be a
+little more reassured that bogus list heads haven't been
+propagated in.
+
+@is_mode_copy@
+@@
+drm_mode_copy(...)
+{
+...
+}
+
+@depends on !is_mode_copy@
+struct drm_display_mode *mode;
+expression E, S;
+@@
+(
+- *mode = E
++ drm_mode_copy(mode, &E)
+|
+- memcpy(mode, E, S)
++ drm_mode_copy(mode, E)
+)
+
+@depends on !is_mode_copy@
+struct drm_display_mode mode;
+expression E;
+@@
+(
+- mode = E
++ drm_mode_copy(&mode, &E)
+|
+- memcpy(&mode, E, S)
++ drm_mode_copy(&mode, E)
+)
+
+@@
+struct drm_display_mode *mode;
+@@
+- &*mode
++ mode
+
+Cc: Alain Volmat <alain.volmat@foss.st.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-8-ville.syrjala@linux.intel.com
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sti/sti_dvo.c | 2 +-
+ drivers/gpu/drm/sti/sti_hda.c | 2 +-
+ drivers/gpu/drm/sti/sti_hdmi.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c
+index b6ee8a82e656..f3a5616b7daf 100644
+--- a/drivers/gpu/drm/sti/sti_dvo.c
++++ b/drivers/gpu/drm/sti/sti_dvo.c
+@@ -288,7 +288,7 @@ static void sti_dvo_set_mode(struct drm_bridge *bridge,
+
+ DRM_DEBUG_DRIVER("\n");
+
+- memcpy(&dvo->mode, mode, sizeof(struct drm_display_mode));
++ drm_mode_copy(&dvo->mode, mode);
+
+ /* According to the path used (main or aux), the dvo clocks should
+ * have a different parent clock. */
+diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c
+index 03cc401ed593..ec6656b9ee7c 100644
+--- a/drivers/gpu/drm/sti/sti_hda.c
++++ b/drivers/gpu/drm/sti/sti_hda.c
+@@ -524,7 +524,7 @@ static void sti_hda_set_mode(struct drm_bridge *bridge,
+
+ DRM_DEBUG_DRIVER("\n");
+
+- memcpy(&hda->mode, mode, sizeof(struct drm_display_mode));
++ drm_mode_copy(&hda->mode, mode);
+
+ if (!hda_get_mode_idx(hda->mode, &mode_idx)) {
+ DRM_ERROR("Undefined mode\n");
+diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
+index cb82622877d2..fcc2194869d6 100644
+--- a/drivers/gpu/drm/sti/sti_hdmi.c
++++ b/drivers/gpu/drm/sti/sti_hdmi.c
+@@ -941,7 +941,7 @@ static void sti_hdmi_set_mode(struct drm_bridge *bridge,
+ DRM_DEBUG_DRIVER("\n");
+
+ /* Copy the drm display mode in the connector local structure */
+- memcpy(&hdmi->mode, mode, sizeof(struct drm_display_mode));
++ drm_mode_copy(&hdmi->mode, mode);
+
+ /* Update clock framerate according to the selected mode */
+ ret = clk_set_rate(hdmi->clk_pix, mode->clock * 1000);
+--
+2.35.1
+
--- /dev/null
+From 6cf034e401050abe8cfecb0f461b0051c0f4ef43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 08:50:50 +0000
+Subject: drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
+
+From: Zhang Zekun <zhangzekun11@huawei.com>
+
+[ Upstream commit 7ad4384d53c67672a8720cdc2ef638d7d1710ab8 ]
+
+Add the missing clk_disable_unprepare() before return from
+tegra_dc_probe() in the error handling path.
+
+Fixes: f68ba6912bd2 ("drm/tegra: dc: Link DC1 to DC0 on Tegra20")
+Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/dc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
+index 747abafb6a5c..b8035b3be3d3 100644
+--- a/drivers/gpu/drm/tegra/dc.c
++++ b/drivers/gpu/drm/tegra/dc.c
+@@ -3206,8 +3206,10 @@ static int tegra_dc_probe(struct platform_device *pdev)
+ usleep_range(2000, 4000);
+
+ err = reset_control_assert(dc->rst);
+- if (err < 0)
++ if (err < 0) {
++ clk_disable_unprepare(dc->clk);
+ return err;
++ }
+
+ usleep_range(2000, 4000);
+
+--
+2.35.1
+
--- /dev/null
+From 11c1e96661a8e54360fe0574584b332e057fae62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 19:33:50 +0800
+Subject: drm/ttm: fix undefined behavior in bit shift for
+ TTM_TT_FLAG_PRIV_POPULATED
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 387659939c00156f8d6bab0fbc55b4eaf2b6bc5b ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26
+left shift of 1 by 31 places cannot be represented in type 'int'
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7d/0xa5
+ dump_stack+0x15/0x1b
+ ubsan_epilogue+0xe/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
+ ttm_bo_move_memcpy+0x3b4/0x460 [ttm]
+ bo_driver_move+0x32/0x40 [drm_vram_helper]
+ ttm_bo_handle_move_mem+0x118/0x200 [ttm]
+ ttm_bo_validate+0xfa/0x220 [ttm]
+ drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]
+ drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]
+ drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]
+ drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]
+ drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]
+ drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]
+ drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]
+ drm_atomic_commit+0x9c/0x160 [drm]
+ drm_client_modeset_commit_atomic+0x33a/0x380 [drm]
+ drm_client_modeset_commit_locked+0x77/0x220 [drm]
+ drm_client_modeset_commit+0x31/0x60 [drm]
+ __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]
+ drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]
+ fbcon_init+0x316/0x790
+ visual_init+0x113/0x1d0
+ do_bind_con_driver+0x2a3/0x5c0
+ do_take_over_console+0xa9/0x270
+ do_fbcon_takeover+0xa1/0x170
+ do_fb_registered+0x2a8/0x340
+ fbcon_fb_registered+0x47/0xe0
+ register_framebuffer+0x294/0x4a0
+ __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
+ drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
+ drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
+ drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
+ bochs_pci_probe+0x6ca/0x772 [bochs]
+ local_pci_probe+0x4d/0xb0
+ pci_device_probe+0x119/0x320
+ really_probe+0x181/0x550
+ __driver_probe_device+0xc6/0x220
+ driver_probe_device+0x32/0x100
+ __driver_attach+0x195/0x200
+ bus_for_each_dev+0xbb/0x120
+ driver_attach+0x27/0x30
+ bus_add_driver+0x22e/0x2f0
+ driver_register+0xa9/0x190
+ __pci_register_driver+0x90/0xa0
+ bochs_pci_driver_init+0x52/0x1000 [bochs]
+ do_one_initcall+0x76/0x430
+ do_init_module+0x61/0x28a
+ load_module+0x1f82/0x2e50
+ __do_sys_finit_module+0xf8/0x190
+ __x64_sys_finit_module+0x23/0x30
+ do_syscall_64+0x58/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ </TASK>
+
+Fixes: 3312be8f6fc8 ("drm/ttm: move populated state into page flags")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221031113350.4180975-1-cuigaosheng1@huawei.com
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/drm/ttm/ttm_tt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/drm/ttm/ttm_tt.h b/include/drm/ttm/ttm_tt.h
+index 17a0310e8aaa..b7d3f3843f1e 100644
+--- a/include/drm/ttm/ttm_tt.h
++++ b/include/drm/ttm/ttm_tt.h
+@@ -88,7 +88,7 @@ struct ttm_tt {
+ #define TTM_TT_FLAG_EXTERNAL (1 << 2)
+ #define TTM_TT_FLAG_EXTERNAL_MAPPABLE (1 << 3)
+
+-#define TTM_TT_FLAG_PRIV_POPULATED (1 << 31)
++#define TTM_TT_FLAG_PRIV_POPULATED (1U << 31)
+ uint32_t page_flags;
+ /** @num_pages: Number of pages in the page array. */
+ uint32_t num_pages;
+--
+2.35.1
+
--- /dev/null
+From f35edfe3f2034a4a50c5f120dd2720c91e66dca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 09:47:24 +0530
+Subject: dt-bindings: clock: Add resets for LPASS audio clock controller for
+ SC7280
+
+From: Taniya Das <quic_tdas@quicinc.com>
+
+[ Upstream commit be9439df235352a41605bf2cc8ba10aa0fc40d29 ]
+
+Add support for LPASS audio clock gating for RX/TX/SWA core bus clocks
+for SC7280. Update reg property min/max items in YAML schema.
+
+Fixes: 4185b27b3bef ("dt-bindings: clock: Add YAML schemas for LPASS clocks on SC7280")
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Reviewed-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/1662005846-4838-4-git-send-email-quic_c_skakit@quicinc.com
+Stable-dep-of: d470be3c4f30 ("clk: qcom: lpass-sc7280: Fix pm_runtime usage")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../clock/qcom,sc7280-lpasscorecc.yaml | 19 ++++++++++++++++---
+ .../clock/qcom,lpassaudiocc-sc7280.h | 5 +++++
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/clock/qcom,sc7280-lpasscorecc.yaml b/Documentation/devicetree/bindings/clock/qcom,sc7280-lpasscorecc.yaml
+index bad9135489de..1d20cdcc69ff 100644
+--- a/Documentation/devicetree/bindings/clock/qcom,sc7280-lpasscorecc.yaml
++++ b/Documentation/devicetree/bindings/clock/qcom,sc7280-lpasscorecc.yaml
+@@ -22,6 +22,8 @@ properties:
+
+ clock-names: true
+
++ reg: true
++
+ compatible:
+ enum:
+ - qcom,sc7280-lpassaoncc
+@@ -38,8 +40,8 @@ properties:
+ '#power-domain-cells':
+ const: 1
+
+- reg:
+- maxItems: 1
++ '#reset-cells':
++ const: 1
+
+ required:
+ - compatible
+@@ -69,6 +71,11 @@ allOf:
+ items:
+ - const: bi_tcxo
+ - const: lpass_aon_cc_main_rcg_clk_src
++
++ reg:
++ items:
++ - description: lpass core cc register
++ - description: lpass audio csr register
+ - if:
+ properties:
+ compatible:
+@@ -90,6 +97,8 @@ allOf:
+ - const: bi_tcxo_ao
+ - const: iface
+
++ reg:
++ maxItems: 1
+ - if:
+ properties:
+ compatible:
+@@ -108,6 +117,8 @@ allOf:
+ items:
+ - const: bi_tcxo
+
++ reg:
++ maxItems: 1
+ examples:
+ - |
+ #include <dt-bindings/clock/qcom,rpmh.h>
+@@ -116,13 +127,15 @@ examples:
+ #include <dt-bindings/clock/qcom,lpasscorecc-sc7280.h>
+ lpass_audiocc: clock-controller@3300000 {
+ compatible = "qcom,sc7280-lpassaudiocc";
+- reg = <0x3300000 0x30000>;
++ reg = <0x3300000 0x30000>,
++ <0x32a9000 0x1000>;
+ clocks = <&rpmhcc RPMH_CXO_CLK>,
+ <&lpass_aon LPASS_AON_CC_MAIN_RCG_CLK_SRC>;
+ clock-names = "bi_tcxo", "lpass_aon_cc_main_rcg_clk_src";
+ power-domains = <&lpass_aon LPASS_AON_CC_LPASS_AUDIO_HM_GDSC>;
+ #clock-cells = <1>;
+ #power-domain-cells = <1>;
++ #reset-cells = <1>;
+ };
+
+ - |
+diff --git a/include/dt-bindings/clock/qcom,lpassaudiocc-sc7280.h b/include/dt-bindings/clock/qcom,lpassaudiocc-sc7280.h
+index 20ef2ea673f3..22dcd47d4513 100644
+--- a/include/dt-bindings/clock/qcom,lpassaudiocc-sc7280.h
++++ b/include/dt-bindings/clock/qcom,lpassaudiocc-sc7280.h
+@@ -24,6 +24,11 @@
+ #define LPASS_AUDIO_CC_RX_MCLK_CLK 14
+ #define LPASS_AUDIO_CC_RX_MCLK_CLK_SRC 15
+
++/* LPASS AUDIO CC CSR */
++#define LPASS_AUDIO_SWR_RX_CGCR 0
++#define LPASS_AUDIO_SWR_TX_CGCR 1
++#define LPASS_AUDIO_SWR_WSA_CGCR 2
++
+ /* LPASS_AON_CC clocks */
+ #define LPASS_AON_CC_PLL 0
+ #define LPASS_AON_CC_PLL_OUT_EVEN 1
+--
+2.35.1
+
--- /dev/null
+From 42a66c7ea4cf66827c9758c7c981d80b749f35c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 09:47:25 +0530
+Subject: dt-bindings: clock: Add support for external MCLKs for LPASS on
+ SC7280
+
+From: Taniya Das <quic_tdas@quicinc.com>
+
+[ Upstream commit 1c3f9df77a506355b3c7761039b53e55ce746f17 ]
+
+Support external mclk to interface external MI2S clocks for SC7280.
+
+Fixes: 4185b27b3bef ("dt-bindings: clock: Add YAML schemas for LPASS clocks on SC7280")
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Reviewed-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/1662005846-4838-5-git-send-email-quic_c_skakit@quicinc.com
+Stable-dep-of: d470be3c4f30 ("clk: qcom: lpass-sc7280: Fix pm_runtime usage")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/dt-bindings/clock/qcom,lpasscorecc-sc7280.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/dt-bindings/clock/qcom,lpasscorecc-sc7280.h b/include/dt-bindings/clock/qcom,lpasscorecc-sc7280.h
+index 28ed2a07aacc..0324c69ce968 100644
+--- a/include/dt-bindings/clock/qcom,lpasscorecc-sc7280.h
++++ b/include/dt-bindings/clock/qcom,lpasscorecc-sc7280.h
+@@ -19,6 +19,8 @@
+ #define LPASS_CORE_CC_LPM_CORE_CLK 9
+ #define LPASS_CORE_CC_LPM_MEM0_CORE_CLK 10
+ #define LPASS_CORE_CC_SYSNOC_MPORT_CORE_CLK 11
++#define LPASS_CORE_CC_EXT_MCLK0_CLK 12
++#define LPASS_CORE_CC_EXT_MCLK0_CLK_SRC 13
+
+ /* LPASS_CORE_CC power domains */
+ #define LPASS_CORE_CC_LPASS_CORE_HM_GDSC 0
+--
+2.35.1
+
--- /dev/null
+From a686a18eda309372d881b504103ec35d3c4e446b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 22:12:42 +0300
+Subject: dt-bindings: imx6q-pcie: Fix clock names for imx6sx and imx8mq
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit b8a83e600bdde93e7da41ea3204b2b3832a3c99b ]
+
+Originally as it was defined the legacy bindings the pcie_inbound_axi and
+pcie_aux clock names were supposed to be used in the fsl,imx6sx-pcie and
+fsl,imx8mq-pcie devices respectively. But the bindings conversion has been
+incorrectly so now the fourth clock name is defined as "pcie_inbound_axi
+for imx6sx-pcie, pcie_aux for imx8mq-pcie", which is completely wrong.
+Let's fix that by conditionally apply the clock-names constraints based on
+the compatible string content.
+
+Link: https://lore.kernel.org/r/20221113191301.5526-2-Sergey.Semin@baikalelectronics.ru
+Fixes: 751ca492f131 ("dt-bindings: PCI: imx6: convert the imx pcie controller to dtschema")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Acked-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/pci/fsl,imx6q-pcie.yaml | 46 +++++++++++++++++--
+ 1 file changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/pci/fsl,imx6q-pcie.yaml b/Documentation/devicetree/bindings/pci/fsl,imx6q-pcie.yaml
+index 376e739bcad4..49b4f7a32e71 100644
+--- a/Documentation/devicetree/bindings/pci/fsl,imx6q-pcie.yaml
++++ b/Documentation/devicetree/bindings/pci/fsl,imx6q-pcie.yaml
+@@ -14,9 +14,6 @@ description: |+
+ This PCIe host controller is based on the Synopsys DesignWare PCIe IP
+ and thus inherits all the common properties defined in snps,dw-pcie.yaml.
+
+-allOf:
+- - $ref: /schemas/pci/snps,dw-pcie.yaml#
+-
+ properties:
+ compatible:
+ enum:
+@@ -61,7 +58,7 @@ properties:
+ - const: pcie
+ - const: pcie_bus
+ - const: pcie_phy
+- - const: pcie_inbound_axi for imx6sx-pcie, pcie_aux for imx8mq-pcie
++ - enum: [ pcie_inbound_axi, pcie_aux ]
+
+ num-lanes:
+ const: 1
+@@ -175,6 +172,47 @@ required:
+ - clocks
+ - clock-names
+
++allOf:
++ - $ref: /schemas/pci/snps,dw-pcie.yaml#
++ - if:
++ properties:
++ compatible:
++ contains:
++ const: fsl,imx6sx-pcie
++ then:
++ properties:
++ clock-names:
++ items:
++ - {}
++ - {}
++ - {}
++ - const: pcie_inbound_axi
++ - if:
++ properties:
++ compatible:
++ contains:
++ const: fsl,imx8mq-pcie
++ then:
++ properties:
++ clock-names:
++ items:
++ - {}
++ - {}
++ - {}
++ - const: pcie_aux
++ - if:
++ properties:
++ compatible:
++ not:
++ contains:
++ enum:
++ - fsl,imx6sx-pcie
++ - fsl,imx8mq-pcie
++ then:
++ properties:
++ clock-names:
++ maxItems: 3
++
+ unevaluatedProperties: false
+
+ examples:
+--
+2.35.1
+
--- /dev/null
+From 3c322ce1a94c8a697ada67b05c40a774fc6e7f01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 01:05:17 +0100
+Subject: dt-bindings: mfd: qcom,spmi-pmic: Drop PWM reg dependency
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit 763ab98687404d924b6612f7c9c8430333d31229 ]
+
+The PWM node is not a separate device and is expected to be part of parent
+SPMI PMIC node, thus it obtains the address space from the parent. One IO
+address in "reg" is also not correct description because LPG block maps to
+several regions.
+
+Fixes: 3f5117be9584 ("dt-bindings: mfd: convert to yaml Qualcomm SPMI PMIC")
+Suggested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20220928000517.228382-2-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/mfd/qcom,spmi-pmic.yaml | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/mfd/qcom,spmi-pmic.yaml b/Documentation/devicetree/bindings/mfd/qcom,spmi-pmic.yaml
+index 65cbc6dee545..2a5bafe0660a 100644
+--- a/Documentation/devicetree/bindings/mfd/qcom,spmi-pmic.yaml
++++ b/Documentation/devicetree/bindings/mfd/qcom,spmi-pmic.yaml
+@@ -92,6 +92,10 @@ properties:
+ type: object
+ $ref: /schemas/regulator/regulator.yaml#
+
++ pwm:
++ type: object
++ $ref: /schemas/leds/leds-qcom-lpg.yaml#
++
+ patternProperties:
+ "^adc@[0-9a-f]+$":
+ type: object
+@@ -117,10 +121,6 @@ patternProperties:
+ type: object
+ $ref: /schemas/power/reset/qcom,pon.yaml#
+
+- "pwm@[0-9a-f]+$":
+- type: object
+- $ref: /schemas/leds/leds-qcom-lpg.yaml#
+-
+ "^rtc@[0-9a-f]+$":
+ type: object
+ $ref: /schemas/rtc/qcom-pm8xxx-rtc.yaml#
+--
+2.35.1
+
--- /dev/null
+From 44d7dde4b7f3df14483a60c7bf839fa3a27b6f35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Nov 2022 09:01:09 +0100
+Subject: dt-bindings: pinctrl: update uart/mmc bindings for MT7986 SoC
+
+From: Frank Wunderlich <frank-w@public-files.de>
+
+[ Upstream commit c115e7f51e685536ecb885854bdd4b3f225ff3e4 ]
+
+Fix mmc and uart pins after uart splitting.
+
+Some pinmux pins of the mt7986 pinctrl driver is composed of multiple
+pinctrl groups, the original binding only allows one pinctrl group
+per dts node, this patch sets "maxItems" for these groups and add new
+examples to the binding documentation.
+
+Fixes: 65916a1ca90a ("dt-bindings: pinctrl: update bindings for MT7986 SoC")
+Signed-off-by: Sam Shih <sam.shih@mediatek.com>
+Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20221106080114.7426-3-linux@fw-web.de
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../pinctrl/mediatek,mt7986-pinctrl.yaml | 46 +++++++++++++++++--
+ 1 file changed, 41 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/pinctrl/mediatek,mt7986-pinctrl.yaml b/Documentation/devicetree/bindings/pinctrl/mediatek,mt7986-pinctrl.yaml
+index 4eadea55df10..41abfa94877f 100644
+--- a/Documentation/devicetree/bindings/pinctrl/mediatek,mt7986-pinctrl.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/mediatek,mt7986-pinctrl.yaml
+@@ -87,6 +87,8 @@ patternProperties:
+ "wifi_led" "led" 1, 2
+ "i2c" "i2c" 3, 4
+ "uart1_0" "uart" 7, 8, 9, 10
++ "uart1_rx_tx" "uart" 42, 43
++ "uart1_cts_rts" "uart" 44, 45
+ "pcie_clk" "pcie" 9
+ "pcie_wake" "pcie" 10
+ "spi1_0" "spi" 11, 12, 13, 14
+@@ -98,9 +100,11 @@ patternProperties:
+ "emmc_45" "emmc" 22, 23, 24, 25, 26, 27, 28, 29, 30,
+ 31, 32
+ "spi1_1" "spi" 23, 24, 25, 26
+- "uart1_2" "uart" 29, 30, 31, 32
++ "uart1_2_rx_tx" "uart" 29, 30
++ "uart1_2_cts_rts" "uart" 31, 32
+ "uart1_1" "uart" 23, 24, 25, 26
+- "uart2_0" "uart" 29, 30, 31, 32
++ "uart2_0_rx_tx" "uart" 29, 30
++ "uart2_0_cts_rts" "uart" 31, 32
+ "spi0" "spi" 33, 34, 35, 36
+ "spi0_wp_hold" "spi" 37, 38
+ "uart1_3_rx_tx" "uart" 35, 36
+@@ -153,7 +157,7 @@ patternProperties:
+ then:
+ properties:
+ groups:
+- enum: [emmc, emmc_rst]
++ enum: [emmc_45, emmc_51]
+ - if:
+ properties:
+ function:
+@@ -217,8 +221,12 @@ patternProperties:
+ then:
+ properties:
+ groups:
+- enum: [uart1_0, uart1_1, uart1_2, uart1_3_rx_tx,
+- uart1_3_cts_rts, uart2_0, uart2_1, uart0, uart1, uart2]
++ items:
++ enum: [uart1_0, uart1_rx_tx, uart1_cts_rts, uart1_1,
++ uart1_2_rx_tx, uart1_2_cts_rts, uart1_3_rx_tx,
++ uart1_3_cts_rts, uart2_0_rx_tx, uart2_0_cts_rts,
++ uart2_1, uart0, uart1, uart2]
++ maxItems: 2
+ - if:
+ properties:
+ function:
+@@ -348,6 +356,27 @@ examples:
+ interrupt-parent = <&gic>;
+ #interrupt-cells = <2>;
+
++ pcie_pins: pcie-pins {
++ mux {
++ function = "pcie";
++ groups = "pcie_clk", "pcie_wake", "pcie_pereset";
++ };
++ };
++
++ pwm_pins: pwm-pins {
++ mux {
++ function = "pwm";
++ groups = "pwm0", "pwm1_0";
++ };
++ };
++
++ spi0_pins: spi0-pins {
++ mux {
++ function = "spi";
++ groups = "spi0", "spi0_wp_hold";
++ };
++ };
++
+ uart1_pins: uart1-pins {
+ mux {
+ function = "uart";
+@@ -355,6 +384,13 @@ examples:
+ };
+ };
+
++ uart1_3_pins: uart1-3-pins {
++ mux {
++ function = "uart";
++ groups = "uart1_3_rx_tx", "uart1_3_cts_rts";
++ };
++ };
++
+ uart2_pins: uart2-pins {
+ mux {
+ function = "uart";
+--
+2.35.1
+
--- /dev/null
+From 2ad4511a88f9f7cc00b2174f62f883f856cf5c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Oct 2022 12:35:10 +0100
+Subject: dt-bindings: pwm: fix microchip corePWM's pwm-cells
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+[ Upstream commit a62d196e89887c029d5aef409135f9a2a8667268 ]
+
+corePWM is capable of inverted operation but the binding requires
+\#pwm-cells of 2. Expand the binding to support setting the polarity.
+
+Fixes: df77f7735786 ("dt-bindings: pwm: add microchip corepwm binding")
+Acked-by: Rob Herring <robh@kernel.org>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/pwm/microchip,corepwm.yaml | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/devicetree/bindings/pwm/microchip,corepwm.yaml b/Documentation/devicetree/bindings/pwm/microchip,corepwm.yaml
+index a7fae1772a81..cd8e9a8907f8 100644
+--- a/Documentation/devicetree/bindings/pwm/microchip,corepwm.yaml
++++ b/Documentation/devicetree/bindings/pwm/microchip,corepwm.yaml
+@@ -30,7 +30,9 @@ properties:
+ maxItems: 1
+
+ "#pwm-cells":
+- const: 2
++ enum: [2, 3]
++ description:
++ The only flag supported by the controller is PWM_POLARITY_INVERTED.
+
+ microchip,sync-update-mask:
+ description: |
+--
+2.35.1
+
--- /dev/null
+From 3734da7dc6467c1b6719f708bd00eb88741c093e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 22:12:43 +0300
+Subject: dt-bindings: visconti-pcie: Fix interrupts array max constraints
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 4cf4b9b70ab2785461190c08a3542d2d74c28b46 ]
+
+In accordance with the way the device DT-node is actually defined in
+arch/arm64/boot/dts/toshiba/tmpv7708.dtsi and the way the device is probed
+by the DW PCIe driver there are two IRQs it actually has. It's MSI IRQ the
+DT-bindings lack. Let's extend the interrupts property constraints then
+and fix the schema example so one would be acceptable by the actual device
+DT-bindings.
+
+Link: https://lore.kernel.org/r/20221113191301.5526-3-Sergey.Semin@baikalelectronics.ru
+Fixes: 17c1b16340f0 ("dt-bindings: pci: Add DT binding for Toshiba Visconti PCIe controller")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Acked-by: Rob Herring <robh@kernel.org>
+Acked-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/pci/toshiba,visconti-pcie.yaml | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/pci/toshiba,visconti-pcie.yaml b/Documentation/devicetree/bindings/pci/toshiba,visconti-pcie.yaml
+index 30b6396d83c8..aea0e2bcdd77 100644
+--- a/Documentation/devicetree/bindings/pci/toshiba,visconti-pcie.yaml
++++ b/Documentation/devicetree/bindings/pci/toshiba,visconti-pcie.yaml
+@@ -36,7 +36,7 @@ properties:
+ - const: mpu
+
+ interrupts:
+- maxItems: 1
++ maxItems: 2
+
+ clocks:
+ items:
+@@ -94,8 +94,9 @@ examples:
+ #interrupt-cells = <1>;
+ ranges = <0x81000000 0 0x40000000 0 0x40000000 0 0x00010000>,
+ <0x82000000 0 0x50000000 0 0x50000000 0 0x20000000>;
+- interrupts = <GIC_SPI 215 IRQ_TYPE_LEVEL_HIGH>;
+- interrupt-names = "intr";
++ interrupts = <GIC_SPI 211 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 215 IRQ_TYPE_LEVEL_HIGH>;
++ interrupt-names = "msi", "intr";
+ interrupt-map-mask = <0 0 0 7>;
+ interrupt-map =
+ <0 0 0 1 &gic GIC_SPI 215 IRQ_TYPE_LEVEL_HIGH
+--
+2.35.1
+
--- /dev/null
+From d4050c36a6d95b23904a4ac57c1f0a1a39ce308f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 10:23:28 +0300
+Subject: dw9768: Enable low-power probe on ACPI
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+[ Upstream commit 5f9a089b6de34655318afe8e544d9a9cc0fc1d29 ]
+
+Add support for low-power probe to the driver. Also fix runtime PM API
+usage in the driver.
+
+Much of the hassle comes from different factors affecting device power
+states during probe for ACPI and DT.
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Fixes: 859891228e56 ("media: i2c: dw9768: Add DW9768 VCM driver")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/dw9768.c | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/i2c/dw9768.c b/drivers/media/i2c/dw9768.c
+index c086580efac7..60ae0adf5174 100644
+--- a/drivers/media/i2c/dw9768.c
++++ b/drivers/media/i2c/dw9768.c
+@@ -414,6 +414,7 @@ static int dw9768_probe(struct i2c_client *client)
+ {
+ struct device *dev = &client->dev;
+ struct dw9768 *dw9768;
++ bool full_power;
+ unsigned int i;
+ int ret;
+
+@@ -469,13 +470,23 @@ static int dw9768_probe(struct i2c_client *client)
+
+ dw9768->sd.entity.function = MEDIA_ENT_F_LENS;
+
++ /*
++ * Figure out whether we're going to power up the device here. Generally
++ * this is done if CONFIG_PM is disabled in a DT system or the device is
++ * to be powered on in an ACPI system. Similarly for power off in
++ * remove.
++ */
+ pm_runtime_enable(dev);
+- if (!pm_runtime_enabled(dev)) {
++ full_power = (is_acpi_node(dev_fwnode(dev)) &&
++ acpi_dev_state_d0(dev)) ||
++ (is_of_node(dev_fwnode(dev)) && !pm_runtime_enabled(dev));
++ if (full_power) {
+ ret = dw9768_runtime_resume(dev);
+ if (ret < 0) {
+ dev_err(dev, "failed to power on: %d\n", ret);
+ goto err_clean_entity;
+ }
++ pm_runtime_set_active(dev);
+ }
+
+ ret = v4l2_async_register_subdev(&dw9768->sd);
+@@ -484,14 +495,17 @@ static int dw9768_probe(struct i2c_client *client)
+ goto err_power_off;
+ }
+
++ pm_runtime_idle(dev);
++
+ return 0;
+
+ err_power_off:
+- if (pm_runtime_enabled(dev))
+- pm_runtime_disable(dev);
+- else
++ if (full_power) {
+ dw9768_runtime_suspend(dev);
++ pm_runtime_set_suspended(dev);
++ }
+ err_clean_entity:
++ pm_runtime_disable(dev);
+ media_entity_cleanup(&dw9768->sd.entity);
+ err_free_handler:
+ v4l2_ctrl_handler_free(&dw9768->ctrls);
+@@ -503,14 +517,17 @@ static int dw9768_remove(struct i2c_client *client)
+ {
+ struct v4l2_subdev *sd = i2c_get_clientdata(client);
+ struct dw9768 *dw9768 = sd_to_dw9768(sd);
++ struct device *dev = &client->dev;
+
+ v4l2_async_unregister_subdev(&dw9768->sd);
+ v4l2_ctrl_handler_free(&dw9768->ctrls);
+ media_entity_cleanup(&dw9768->sd.entity);
+- pm_runtime_disable(&client->dev);
+- if (!pm_runtime_status_suspended(&client->dev))
+- dw9768_runtime_suspend(&client->dev);
+- pm_runtime_set_suspended(&client->dev);
++ if ((is_acpi_node(dev_fwnode(dev)) && acpi_dev_state_d0(dev)) ||
++ (is_of_node(dev_fwnode(dev)) && !pm_runtime_enabled(dev))) {
++ dw9768_runtime_suspend(dev);
++ pm_runtime_set_suspended(dev);
++ }
++ pm_runtime_disable(dev);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 2ee5f6a93bbd7688665898055e962f27f30645f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 14:55:12 +0800
+Subject: EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 9c8921555907f4d723f01ed2d859b66f2d14f08e ]
+
+As the comment of pci_get_domain_bus_and_slot() says, it returns
+a PCI device with refcount incremented, so it doesn't need to
+call an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI
+device needs to be put in the error path.
+
+Fixes: d4dc89d069aa ("EDAC, i10nm: Add a driver for Intel 10nm server processors")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Link: https://lore.kernel.org/r/20221128065512.3572550-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/i10nm_base.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c
+index 6cf50ee0b77c..e0af60833d28 100644
+--- a/drivers/edac/i10nm_base.c
++++ b/drivers/edac/i10nm_base.c
+@@ -198,11 +198,10 @@ static struct pci_dev *pci_get_dev_wrapper(int dom, unsigned int bus,
+ if (unlikely(pci_enable_device(pdev) < 0)) {
+ edac_dbg(2, "Failed to enable device %02x:%02x.%x\n",
+ bus, dev, fun);
++ pci_dev_put(pdev);
+ return NULL;
+ }
+
+- pci_dev_get(pdev);
+-
+ return pdev;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From c2ff34a4ea57357ad6cbc3319ea3645283d33541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 23:00:49 +0800
+Subject: erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit d5d188b8f8b38d3d71dd05993874b4fc9284ce95 ]
+
+Otherwise, meta buffers could be leaked.
+
+Fixes: cec6e93beadf ("erofs: support parsing big pcluster compress indexes")
+Reviewed-by: Yue Hu <huyue2@coolpad.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20221205150050.47784-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zmap.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
+index 63fd2f146026..bcc39077e9ac 100644
+--- a/fs/erofs/zmap.c
++++ b/fs/erofs/zmap.c
+@@ -673,7 +673,7 @@ static int z_erofs_do_map_blocks(struct inode *inode,
+ map->m_pa = blknr_to_addr(m.pblk);
+ err = z_erofs_get_extent_compressedlen(&m, initial_lcn);
+ if (err)
+- goto out;
++ goto unmap_out;
+ }
+
+ if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_PLAIN)
+@@ -691,14 +691,12 @@ static int z_erofs_do_map_blocks(struct inode *inode,
+ if (!err)
+ map->m_flags |= EROFS_MAP_FULL_MAPPED;
+ }
++
+ unmap_out:
+ erofs_unmap_metabuf(&m.map->buf);
+-
+-out:
+ erofs_dbg("%s, m_la %llu m_pa %llu m_llen %llu m_plen %llu m_flags 0%o",
+ __func__, map->m_la, map->m_pa,
+ map->m_llen, map->m_plen, map->m_flags);
+-
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f57e8654b9865c02cd61a4e95cdf153579027804 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 11:49:57 +0800
+Subject: erofs: Fix pcluster memleak when its block address is zero
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit c42c0ffe81176940bd5dead474216b7198d77675 ]
+
+syzkaller reported a memleak:
+https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed
+
+unreferenced object 0xffff88811009c7f8 (size 136):
+ ...
+ backtrace:
+ [<ffffffff821db19b>] z_erofs_do_read_page+0x99b/0x1740
+ [<ffffffff821dee9e>] z_erofs_readahead+0x24e/0x580
+ [<ffffffff814bc0d6>] read_pages+0x86/0x3d0
+ ...
+
+syzkaller constructed a case: in z_erofs_register_pcluster(),
+ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index be
+zero although pcl is not a inline pcluster.
+
+Then following path adds refcount for grp, but the refcount won't be put
+because pcl is inline.
+
+z_erofs_readahead()
+ z_erofs_do_read_page() # for another page
+ z_erofs_collector_begin()
+ erofs_find_workgroup()
+ erofs_workgroup_get()
+
+Since it's illegal for the block address of a non-inlined pcluster to
+be zero, add check here to avoid registering the pcluster which would
+be leaked.
+
+Fixes: cecf864d3d76 ("erofs: support inline data decompression")
+Reported-by: syzbot+6f8cd9a0155b366d227f@syzkaller.appspotmail.com
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Reviewed-by: Yue Hu <huyue2@coolpad.com>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Link: https://lore.kernel.org/r/Y42Kz6sVkf+XqJRB@debian
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index c7511b431776..f19875d96cc1 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -487,7 +487,8 @@ static int z_erofs_register_pcluster(struct z_erofs_decompress_frontend *fe)
+ struct erofs_workgroup *grp;
+ int err;
+
+- if (!(map->m_flags & EROFS_MAP_ENCODED)) {
++ if (!(map->m_flags & EROFS_MAP_ENCODED) ||
++ (!ztailpacking && !(map->m_pa >> PAGE_SHIFT))) {
+ DBG_BUGON(1);
+ return -EFSCORRUPTED;
+ }
+--
+2.35.1
+
--- /dev/null
+From 1c23b4a9c12341a7c11adf8a07ed2ab354cb864d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 10:11:21 +0800
+Subject: erofs: support interlaced uncompressed data for compressed files
+
+From: Yue Hu <huyue2@coolpad.com>
+
+[ Upstream commit fdffc091e6f94602558bba712b51bc16f79fd6d5 ]
+
+Currently, uncompressed data is all handled in the shifted way, which
+means we have to shift the whole on-disk plain pcluster to get the
+logical data. However, since we are also using in-place I/O for
+uncompressed data, data copy will be reduced a lot if pcluster is
+recorded in the interlaced way as illustrated below:
+ _______________________________________________________________
+| | | |_ tail part |_ head part _|
+|<- blk0 ->| .. |<- blkn-2 ->|<- blkn-1 ->|
+
+The logical data then becomes:
+ ________________________________________________________
+|_ head part _|_ blk0 _| .. |_ blkn-2 _|_ tail part _|
+
+In addition, non-4k plain pclusters are also survived by the
+interlaced way, which can be used for non-4k lclusters as well.
+
+However, it's almost impossible to de-duplicate uncompressed data
+in the interlaced way, therefore shifted uncompressed data is still
+useful.
+
+Signed-off-by: Yue Hu <huyue2@coolpad.com>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/8369112678604fdf4ef796626d59b1fdd0745a53.1663898962.git.huyue2@coolpad.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Stable-dep-of: c505feba4c0d ("erofs: validate the extent length for uncompressed pclusters")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/decompressor.c | 47 ++++++++++++++++++++++++-----------------
+ fs/erofs/erofs_fs.h | 2 ++
+ fs/erofs/internal.h | 1 +
+ fs/erofs/zmap.c | 14 ++++++++----
+ 4 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
+index 2d55569f96ac..51b7ac7166d9 100644
+--- a/fs/erofs/decompressor.c
++++ b/fs/erofs/decompressor.c
+@@ -317,52 +317,61 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq,
+ return ret;
+ }
+
+-static int z_erofs_shifted_transform(struct z_erofs_decompress_req *rq,
+- struct page **pagepool)
++static int z_erofs_transform_plain(struct z_erofs_decompress_req *rq,
++ struct page **pagepool)
+ {
+- const unsigned int nrpages_out =
++ const unsigned int inpages = PAGE_ALIGN(rq->inputsize) >> PAGE_SHIFT;
++ const unsigned int outpages =
+ PAGE_ALIGN(rq->pageofs_out + rq->outputsize) >> PAGE_SHIFT;
+ const unsigned int righthalf = min_t(unsigned int, rq->outputsize,
+ PAGE_SIZE - rq->pageofs_out);
+ const unsigned int lefthalf = rq->outputsize - righthalf;
++ const unsigned int interlaced_offset =
++ rq->alg == Z_EROFS_COMPRESSION_SHIFTED ? 0 : rq->pageofs_out;
+ unsigned char *src, *dst;
+
+- if (nrpages_out > 2) {
++ if (outpages > 2 && rq->alg == Z_EROFS_COMPRESSION_SHIFTED) {
+ DBG_BUGON(1);
+- return -EIO;
++ return -EFSCORRUPTED;
+ }
+
+ if (rq->out[0] == *rq->in) {
+- DBG_BUGON(nrpages_out != 1);
++ DBG_BUGON(rq->pageofs_out);
+ return 0;
+ }
+
+- src = kmap_atomic(*rq->in) + rq->pageofs_in;
++ src = kmap_local_page(rq->in[inpages - 1]) + rq->pageofs_in;
+ if (rq->out[0]) {
+- dst = kmap_atomic(rq->out[0]);
+- memcpy(dst + rq->pageofs_out, src, righthalf);
+- kunmap_atomic(dst);
++ dst = kmap_local_page(rq->out[0]);
++ memcpy(dst + rq->pageofs_out, src + interlaced_offset,
++ righthalf);
++ kunmap_local(dst);
+ }
+
+- if (nrpages_out == 2) {
+- DBG_BUGON(!rq->out[1]);
+- if (rq->out[1] == *rq->in) {
++ if (outpages > inpages) {
++ DBG_BUGON(!rq->out[outpages - 1]);
++ if (rq->out[outpages - 1] != rq->in[inpages - 1]) {
++ dst = kmap_local_page(rq->out[outpages - 1]);
++ memcpy(dst, interlaced_offset ? src :
++ (src + righthalf), lefthalf);
++ kunmap_local(dst);
++ } else if (!interlaced_offset) {
+ memmove(src, src + righthalf, lefthalf);
+- } else {
+- dst = kmap_atomic(rq->out[1]);
+- memcpy(dst, src + righthalf, lefthalf);
+- kunmap_atomic(dst);
+ }
+ }
+- kunmap_atomic(src);
++ kunmap_local(src);
+ return 0;
+ }
+
+ static struct z_erofs_decompressor decompressors[] = {
+ [Z_EROFS_COMPRESSION_SHIFTED] = {
+- .decompress = z_erofs_shifted_transform,
++ .decompress = z_erofs_transform_plain,
+ .name = "shifted"
+ },
++ [Z_EROFS_COMPRESSION_INTERLACED] = {
++ .decompress = z_erofs_transform_plain,
++ .name = "interlaced"
++ },
+ [Z_EROFS_COMPRESSION_LZ4] = {
+ .decompress = z_erofs_lz4_decompress,
+ .name = "lz4"
+diff --git a/fs/erofs/erofs_fs.h b/fs/erofs/erofs_fs.h
+index 2b48373f690b..5c1de6d7ad71 100644
+--- a/fs/erofs/erofs_fs.h
++++ b/fs/erofs/erofs_fs.h
+@@ -295,11 +295,13 @@ struct z_erofs_lzma_cfgs {
+ * bit 1 : HEAD1 big pcluster (0 - off; 1 - on)
+ * bit 2 : HEAD2 big pcluster (0 - off; 1 - on)
+ * bit 3 : tailpacking inline pcluster (0 - off; 1 - on)
++ * bit 4 : interlaced plain pcluster (0 - off; 1 - on)
+ */
+ #define Z_EROFS_ADVISE_COMPACTED_2B 0x0001
+ #define Z_EROFS_ADVISE_BIG_PCLUSTER_1 0x0002
+ #define Z_EROFS_ADVISE_BIG_PCLUSTER_2 0x0004
+ #define Z_EROFS_ADVISE_INLINE_PCLUSTER 0x0008
++#define Z_EROFS_ADVISE_INTERLACED_PCLUSTER 0x0010
+
+ struct z_erofs_map_header {
+ __le16 h_reserved1;
+diff --git a/fs/erofs/internal.h b/fs/erofs/internal.h
+index a01cc82795a2..12d075dfb964 100644
+--- a/fs/erofs/internal.h
++++ b/fs/erofs/internal.h
+@@ -407,6 +407,7 @@ struct erofs_map_blocks {
+
+ enum {
+ Z_EROFS_COMPRESSION_SHIFTED = Z_EROFS_COMPRESSION_MAX,
++ Z_EROFS_COMPRESSION_INTERLACED,
+ Z_EROFS_COMPRESSION_RUNTIME_MAX
+ };
+
+diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
+index bcc39077e9ac..a2a44c11bb64 100644
+--- a/fs/erofs/zmap.c
++++ b/fs/erofs/zmap.c
+@@ -676,12 +676,18 @@ static int z_erofs_do_map_blocks(struct inode *inode,
+ goto unmap_out;
+ }
+
+- if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_PLAIN)
+- map->m_algorithmformat = Z_EROFS_COMPRESSION_SHIFTED;
+- else if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_HEAD2)
++ if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_PLAIN) {
++ if (vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER)
++ map->m_algorithmformat =
++ Z_EROFS_COMPRESSION_INTERLACED;
++ else
++ map->m_algorithmformat =
++ Z_EROFS_COMPRESSION_SHIFTED;
++ } else if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_HEAD2) {
+ map->m_algorithmformat = vi->z_algorithmtype[1];
+- else
++ } else {
+ map->m_algorithmformat = vi->z_algorithmtype[0];
++ }
+
+ if ((flags & EROFS_GET_BLOCKS_FIEMAP) ||
+ ((flags & EROFS_GET_BLOCKS_READMORE) &&
+--
+2.35.1
+
--- /dev/null
+From 8a77252fc04110aa7db98fb8c2f7767ea286a368 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 23:00:50 +0800
+Subject: erofs: validate the extent length for uncompressed pclusters
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit c505feba4c0d76084e56ec498ce819f02a7043ae ]
+
+syzkaller reported a KASAN use-after-free:
+https://syzkaller.appspot.com/bug?extid=2ae90e873e97f1faf6f2
+
+The referenced fuzzed image actually has two issues:
+ - m_pa == 0 as a non-inlined pcluster;
+ - The logical length is longer than its physical length.
+
+The first issue has already been addressed. This patch addresses
+the second issue by checking the extent length validity.
+
+Reported-by: syzbot+2ae90e873e97f1faf6f2@syzkaller.appspotmail.com
+Fixes: 02827e1796b3 ("staging: erofs: add erofs_map_blocks_iter")
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20221205150050.47784-2-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zmap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
+index a2a44c11bb64..720d74b5c699 100644
+--- a/fs/erofs/zmap.c
++++ b/fs/erofs/zmap.c
+@@ -677,6 +677,11 @@ static int z_erofs_do_map_blocks(struct inode *inode,
+ }
+
+ if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_PLAIN) {
++ if (map->m_llen > map->m_plen) {
++ DBG_BUGON(1);
++ err = -EFSCORRUPTED;
++ goto unmap_out;
++ }
+ if (vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER)
+ map->m_algorithmformat =
+ Z_EROFS_COMPRESSION_INTERLACED;
+--
+2.35.1
+
--- /dev/null
+From a28343a4a382d3c61a66a1c71c05e24eeeae911a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 20:01:21 +0800
+Subject: ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6cee96e09df54ae17784c0f38a49e0ed8229b825 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
+The difference between them is free reason, dev_kfree_skb_irq() means
+the SKB is dropped in error and dev_consume_skb_irq() means the SKB
+is consumed in normal.
+
+In this case, dev_kfree_skb() is called in free_tx_buffers() to drop
+the SKBs in tx buffers, when the card is down, so replace it with
+dev_kfree_skb_irq() here.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/neterion/s2io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
+index 8f74c039b3be..29d39e5b9cf5 100644
+--- a/drivers/net/ethernet/neterion/s2io.c
++++ b/drivers/net/ethernet/neterion/s2io.c
+@@ -2386,7 +2386,7 @@ static void free_tx_buffers(struct s2io_nic *nic)
+ skb = s2io_txdl_getskb(&mac_control->fifos[i], txdp, j);
+ if (skb) {
+ swstats->mem_freed += skb->truesize;
+- dev_kfree_skb(skb);
++ dev_kfree_skb_irq(skb);
+ cnt++;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 39165a69c8a68e6c8cbaaa0a069abf3a60db332e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 15:29:01 +0300
+Subject: ethtool: avoiding integer overflow in ethtool_phys_id()
+
+From: Maxim Korotkov <korotkov.maxim.s@gmail.com>
+
+[ Upstream commit 64a8f8f7127da228d59a39e2c5e75f86590f90b4 ]
+
+The value of an arithmetic expression "n * id.data" is subject
+to possible overflow due to a failure to cast operands to a larger data
+type before performing arithmetic. Used macro for multiplication instead
+operator for avoiding overflow.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Maxim Korotkov <korotkov.maxim.s@gmail.com>
+Reviewed-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20221122122901.22294-1-korotkov.maxim.s@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ethtool/ioctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
+index 6a7308de192d..6b59e7a1c906 100644
+--- a/net/ethtool/ioctl.c
++++ b/net/ethtool/ioctl.c
+@@ -2007,7 +2007,8 @@ static int ethtool_phys_id(struct net_device *dev, void __user *useraddr)
+ } else {
+ /* Driver expects to be called at twice the frequency in rc */
+ int n = rc * 2, interval = HZ / n;
+- u64 count = n * id.data, i = 0;
++ u64 count = mul_u32_u32(n, id.data);
++ u64 i = 0;
+
+ do {
+ rtnl_lock();
+--
+2.35.1
+
--- /dev/null
+From a5f99034cfaf08a77fd9ada853f742be61a14bb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 22:01:54 +0800
+Subject: eventfd: change int to __u64 in eventfd_signal() ifndef
+ CONFIG_EVENTFD
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit fd4e60bf0ef8eb9edcfa12dda39e8b6ee9060492 ]
+
+Commit ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()")
+forgot to change int to __u64 in the CONFIG_EVENTFD=n stub function.
+
+Link: https://lkml.kernel.org/r/20221124140154.104680-1-zhangqilong3@huawei.com
+Fixes: ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Cc: Dylan Yudaken <dylany@fb.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Sha Zhengju <handai.szj@taobao.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/eventfd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h
+index 30eb30d6909b..3cd202d3eefb 100644
+--- a/include/linux/eventfd.h
++++ b/include/linux/eventfd.h
+@@ -61,7 +61,7 @@ static inline struct eventfd_ctx *eventfd_ctx_fdget(int fd)
+ return ERR_PTR(-ENOSYS);
+ }
+
+-static inline int eventfd_signal(struct eventfd_ctx *ctx, int n)
++static inline int eventfd_signal(struct eventfd_ctx *ctx, __u64 n)
+ {
+ return -ENOSYS;
+ }
+--
+2.35.1
+
--- /dev/null
+From 81d8a3f0ecd026448cc927f7f78cb65e523551dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Jul 2022 20:05:00 +0200
+Subject: extcon: usbc-tusb320: Add USB TYPE-C support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit bf7571c00dca0a9c5af3f5125ef5a89a40b13cd5 ]
+
+The TI TUSB320 seems like a better fit for USB TYPE-C subsystem,
+which can expose details collected by the TUSB320 in a far more
+precise way than extcon. Since there are existing users in the
+kernel and in DT which depend on the extcon interface, keep it
+for now.
+
+Add TYPE-C interface and expose the supported supply current,
+direction and connector polarity via the TYPE-C interface.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Stable-dep-of: 581c848b610d ("extcon: usbc-tusb320: Update state on probe even if no IRQ pending")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/Kconfig | 2 +-
+ drivers/extcon/extcon-usbc-tusb320.c | 159 +++++++++++++++++++++++++++
+ 2 files changed, 160 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/extcon/Kconfig b/drivers/extcon/Kconfig
+index dca7cecb37e3..290186e44e6b 100644
+--- a/drivers/extcon/Kconfig
++++ b/drivers/extcon/Kconfig
+@@ -183,7 +183,7 @@ config EXTCON_USBC_CROS_EC
+
+ config EXTCON_USBC_TUSB320
+ tristate "TI TUSB320 USB-C extcon support"
+- depends on I2C
++ depends on I2C && TYPEC
+ select REGMAP_I2C
+ help
+ Say Y here to enable support for USB Type C cable detection extcon
+diff --git a/drivers/extcon/extcon-usbc-tusb320.c b/drivers/extcon/extcon-usbc-tusb320.c
+index aced4bbb455d..edb8c3f997c9 100644
+--- a/drivers/extcon/extcon-usbc-tusb320.c
++++ b/drivers/extcon/extcon-usbc-tusb320.c
+@@ -6,6 +6,7 @@
+ * Author: Michael Auchter <michael.auchter@ni.com>
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/extcon-provider.h>
+ #include <linux/i2c.h>
+ #include <linux/init.h>
+@@ -13,6 +14,24 @@
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/regmap.h>
++#include <linux/usb/typec.h>
++
++#define TUSB320_REG8 0x8
++#define TUSB320_REG8_CURRENT_MODE_ADVERTISE GENMASK(7, 6)
++#define TUSB320_REG8_CURRENT_MODE_ADVERTISE_USB 0x0
++#define TUSB320_REG8_CURRENT_MODE_ADVERTISE_15A 0x1
++#define TUSB320_REG8_CURRENT_MODE_ADVERTISE_30A 0x2
++#define TUSB320_REG8_CURRENT_MODE_DETECT GENMASK(5, 4)
++#define TUSB320_REG8_CURRENT_MODE_DETECT_DEF 0x0
++#define TUSB320_REG8_CURRENT_MODE_DETECT_MED 0x1
++#define TUSB320_REG8_CURRENT_MODE_DETECT_ACC 0x2
++#define TUSB320_REG8_CURRENT_MODE_DETECT_HI 0x3
++#define TUSB320_REG8_ACCESSORY_CONNECTED GENMASK(3, 2)
++#define TUSB320_REG8_ACCESSORY_CONNECTED_NONE 0x0
++#define TUSB320_REG8_ACCESSORY_CONNECTED_AUDIO 0x4
++#define TUSB320_REG8_ACCESSORY_CONNECTED_ACC 0x5
++#define TUSB320_REG8_ACCESSORY_CONNECTED_DEBUG 0x6
++#define TUSB320_REG8_ACTIVE_CABLE_DETECTION BIT(0)
+
+ #define TUSB320_REG9 0x9
+ #define TUSB320_REG9_ATTACHED_STATE_SHIFT 6
+@@ -55,6 +74,10 @@ struct tusb320_priv {
+ struct extcon_dev *edev;
+ struct tusb320_ops *ops;
+ enum tusb320_attached_state state;
++ struct typec_port *port;
++ struct typec_capability cap;
++ enum typec_port_type port_type;
++ enum typec_pwr_opmode pwr_opmode;
+ };
+
+ static const char * const tusb_attached_states[] = {
+@@ -184,6 +207,44 @@ static struct tusb320_ops tusb320l_ops = {
+ .get_revision = tusb320l_get_revision,
+ };
+
++static int tusb320_set_adv_pwr_mode(struct tusb320_priv *priv)
++{
++ u8 mode;
++
++ if (priv->pwr_opmode == TYPEC_PWR_MODE_USB)
++ mode = TUSB320_REG8_CURRENT_MODE_ADVERTISE_USB;
++ else if (priv->pwr_opmode == TYPEC_PWR_MODE_1_5A)
++ mode = TUSB320_REG8_CURRENT_MODE_ADVERTISE_15A;
++ else if (priv->pwr_opmode == TYPEC_PWR_MODE_3_0A)
++ mode = TUSB320_REG8_CURRENT_MODE_ADVERTISE_30A;
++ else /* No other mode is supported. */
++ return -EINVAL;
++
++ return regmap_write_bits(priv->regmap, TUSB320_REG8,
++ TUSB320_REG8_CURRENT_MODE_ADVERTISE,
++ FIELD_PREP(TUSB320_REG8_CURRENT_MODE_ADVERTISE,
++ mode));
++}
++
++static int tusb320_port_type_set(struct typec_port *port,
++ enum typec_port_type type)
++{
++ struct tusb320_priv *priv = typec_get_drvdata(port);
++
++ if (type == TYPEC_PORT_SRC)
++ return priv->ops->set_mode(priv, TUSB320_MODE_DFP);
++ else if (type == TYPEC_PORT_SNK)
++ return priv->ops->set_mode(priv, TUSB320_MODE_UFP);
++ else if (type == TYPEC_PORT_DRP)
++ return priv->ops->set_mode(priv, TUSB320_MODE_DRP);
++ else
++ return priv->ops->set_mode(priv, TUSB320_MODE_PORT);
++}
++
++static const struct typec_operations tusb320_typec_ops = {
++ .port_type_set = tusb320_port_type_set,
++};
++
+ static void tusb320_extcon_irq_handler(struct tusb320_priv *priv, u8 reg)
+ {
+ int state, polarity;
+@@ -211,6 +272,47 @@ static void tusb320_extcon_irq_handler(struct tusb320_priv *priv, u8 reg)
+ priv->state = state;
+ }
+
++static void tusb320_typec_irq_handler(struct tusb320_priv *priv, u8 reg9)
++{
++ struct typec_port *port = priv->port;
++ struct device *dev = priv->dev;
++ u8 mode, role, state;
++ int ret, reg8;
++ bool ori;
++
++ ori = reg9 & TUSB320_REG9_CABLE_DIRECTION;
++ typec_set_orientation(port, ori ? TYPEC_ORIENTATION_REVERSE :
++ TYPEC_ORIENTATION_NORMAL);
++
++ state = (reg9 >> TUSB320_REG9_ATTACHED_STATE_SHIFT) &
++ TUSB320_REG9_ATTACHED_STATE_MASK;
++ if (state == TUSB320_ATTACHED_STATE_DFP)
++ role = TYPEC_SOURCE;
++ else
++ role = TYPEC_SINK;
++
++ typec_set_vconn_role(port, role);
++ typec_set_pwr_role(port, role);
++ typec_set_data_role(port, role == TYPEC_SOURCE ?
++ TYPEC_HOST : TYPEC_DEVICE);
++
++ ret = regmap_read(priv->regmap, TUSB320_REG8, ®8);
++ if (ret) {
++ dev_err(dev, "error during reg8 i2c read, ret=%d!\n", ret);
++ return;
++ }
++
++ mode = FIELD_GET(TUSB320_REG8_CURRENT_MODE_DETECT, reg8);
++ if (mode == TUSB320_REG8_CURRENT_MODE_DETECT_DEF)
++ typec_set_pwr_opmode(port, TYPEC_PWR_MODE_USB);
++ else if (mode == TUSB320_REG8_CURRENT_MODE_DETECT_MED)
++ typec_set_pwr_opmode(port, TYPEC_PWR_MODE_1_5A);
++ else if (mode == TUSB320_REG8_CURRENT_MODE_DETECT_HI)
++ typec_set_pwr_opmode(port, TYPEC_PWR_MODE_3_0A);
++ else /* Charge through accessory */
++ typec_set_pwr_opmode(port, TYPEC_PWR_MODE_USB);
++}
++
+ static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
+ {
+ struct tusb320_priv *priv = dev_id;
+@@ -225,6 +327,7 @@ static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
+ return IRQ_NONE;
+
+ tusb320_extcon_irq_handler(priv, reg);
++ tusb320_typec_irq_handler(priv, reg);
+
+ regmap_write(priv->regmap, TUSB320_REG9, reg);
+
+@@ -260,6 +363,58 @@ static int tusb320_extcon_probe(struct tusb320_priv *priv)
+ return 0;
+ }
+
++static int tusb320_typec_probe(struct i2c_client *client,
++ struct tusb320_priv *priv)
++{
++ struct fwnode_handle *connector;
++ const char *cap_str;
++ int ret;
++
++ /* The Type-C connector is optional, for backward compatibility. */
++ connector = device_get_named_child_node(&client->dev, "connector");
++ if (!connector)
++ return 0;
++
++ /* Type-C connector found. */
++ ret = typec_get_fw_cap(&priv->cap, connector);
++ if (ret)
++ return ret;
++
++ priv->port_type = priv->cap.type;
++
++ /* This goes into register 0x8 field CURRENT_MODE_ADVERTISE */
++ ret = fwnode_property_read_string(connector, "typec-power-opmode", &cap_str);
++ if (ret)
++ return ret;
++
++ ret = typec_find_pwr_opmode(cap_str);
++ if (ret < 0)
++ return ret;
++ if (ret == TYPEC_PWR_MODE_PD)
++ return -EINVAL;
++
++ priv->pwr_opmode = ret;
++
++ /* Initialize the hardware with the devicetree settings. */
++ ret = tusb320_set_adv_pwr_mode(priv);
++ if (ret)
++ return ret;
++
++ priv->cap.revision = USB_TYPEC_REV_1_1;
++ priv->cap.accessory[0] = TYPEC_ACCESSORY_AUDIO;
++ priv->cap.accessory[1] = TYPEC_ACCESSORY_DEBUG;
++ priv->cap.orientation_aware = true;
++ priv->cap.driver_data = priv;
++ priv->cap.ops = &tusb320_typec_ops;
++ priv->cap.fwnode = connector;
++
++ priv->port = typec_register_port(&client->dev, &priv->cap);
++ if (IS_ERR(priv->port))
++ return PTR_ERR(priv->port);
++
++ return 0;
++}
++
+ static int tusb320_probe(struct i2c_client *client,
+ const struct i2c_device_id *id)
+ {
+@@ -300,6 +455,10 @@ static int tusb320_probe(struct i2c_client *client,
+ if (ret)
+ return ret;
+
++ ret = tusb320_typec_probe(client, priv);
++ if (ret)
++ return ret;
++
+ /* update initial state */
+ tusb320_irq_handler(client->irq, priv);
+
+--
+2.35.1
+
--- /dev/null
+From 292cf9e59897eb3d515f0c1c7d0b4e0b42abbfc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Jul 2022 20:04:59 +0200
+Subject: extcon: usbc-tusb320: Factor out extcon into dedicated functions
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 9483811a126a319ecac749f1b767ea5faecc7aed ]
+
+Move extcon code into separate functions in preparation for addition of
+USB TYPE-C support. No functional change.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Stable-dep-of: 581c848b610d ("extcon: usbc-tusb320: Update state on probe even if no IRQ pending")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-usbc-tusb320.c | 75 +++++++++++++++++-----------
+ 1 file changed, 46 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/extcon/extcon-usbc-tusb320.c b/drivers/extcon/extcon-usbc-tusb320.c
+index 6ba3d89b106d..aced4bbb455d 100644
+--- a/drivers/extcon/extcon-usbc-tusb320.c
++++ b/drivers/extcon/extcon-usbc-tusb320.c
+@@ -184,19 +184,9 @@ static struct tusb320_ops tusb320l_ops = {
+ .get_revision = tusb320l_get_revision,
+ };
+
+-static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
++static void tusb320_extcon_irq_handler(struct tusb320_priv *priv, u8 reg)
+ {
+- struct tusb320_priv *priv = dev_id;
+ int state, polarity;
+- unsigned reg;
+-
+- if (regmap_read(priv->regmap, TUSB320_REG9, ®)) {
+- dev_err(priv->dev, "error during i2c read!\n");
+- return IRQ_NONE;
+- }
+-
+- if (!(reg & TUSB320_REG9_INTERRUPT_STATUS))
+- return IRQ_NONE;
+
+ state = (reg >> TUSB320_REG9_ATTACHED_STATE_SHIFT) &
+ TUSB320_REG9_ATTACHED_STATE_MASK;
+@@ -219,6 +209,22 @@ static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
+ extcon_sync(priv->edev, EXTCON_USB_HOST);
+
+ priv->state = state;
++}
++
++static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
++{
++ struct tusb320_priv *priv = dev_id;
++ unsigned int reg;
++
++ if (regmap_read(priv->regmap, TUSB320_REG9, ®)) {
++ dev_err(priv->dev, "error during i2c read!\n");
++ return IRQ_NONE;
++ }
++
++ if (!(reg & TUSB320_REG9_INTERRUPT_STATUS))
++ return IRQ_NONE;
++
++ tusb320_extcon_irq_handler(priv, reg);
+
+ regmap_write(priv->regmap, TUSB320_REG9, reg);
+
+@@ -230,8 +236,32 @@ static const struct regmap_config tusb320_regmap_config = {
+ .val_bits = 8,
+ };
+
+-static int tusb320_extcon_probe(struct i2c_client *client,
+- const struct i2c_device_id *id)
++static int tusb320_extcon_probe(struct tusb320_priv *priv)
++{
++ int ret;
++
++ priv->edev = devm_extcon_dev_allocate(priv->dev, tusb320_extcon_cable);
++ if (IS_ERR(priv->edev)) {
++ dev_err(priv->dev, "failed to allocate extcon device\n");
++ return PTR_ERR(priv->edev);
++ }
++
++ ret = devm_extcon_dev_register(priv->dev, priv->edev);
++ if (ret < 0) {
++ dev_err(priv->dev, "failed to register extcon device\n");
++ return ret;
++ }
++
++ extcon_set_property_capability(priv->edev, EXTCON_USB,
++ EXTCON_PROP_USB_TYPEC_POLARITY);
++ extcon_set_property_capability(priv->edev, EXTCON_USB_HOST,
++ EXTCON_PROP_USB_TYPEC_POLARITY);
++
++ return 0;
++}
++
++static int tusb320_probe(struct i2c_client *client,
++ const struct i2c_device_id *id)
+ {
+ struct tusb320_priv *priv;
+ const void *match_data;
+@@ -257,12 +287,6 @@ static int tusb320_extcon_probe(struct i2c_client *client,
+
+ priv->ops = (struct tusb320_ops*)match_data;
+
+- priv->edev = devm_extcon_dev_allocate(priv->dev, tusb320_extcon_cable);
+- if (IS_ERR(priv->edev)) {
+- dev_err(priv->dev, "failed to allocate extcon device\n");
+- return PTR_ERR(priv->edev);
+- }
+-
+ if (priv->ops->get_revision) {
+ ret = priv->ops->get_revision(priv, &revision);
+ if (ret)
+@@ -272,16 +296,9 @@ static int tusb320_extcon_probe(struct i2c_client *client,
+ dev_info(priv->dev, "chip revision %d\n", revision);
+ }
+
+- ret = devm_extcon_dev_register(priv->dev, priv->edev);
+- if (ret < 0) {
+- dev_err(priv->dev, "failed to register extcon device\n");
++ ret = tusb320_extcon_probe(priv);
++ if (ret)
+ return ret;
+- }
+-
+- extcon_set_property_capability(priv->edev, EXTCON_USB,
+- EXTCON_PROP_USB_TYPEC_POLARITY);
+- extcon_set_property_capability(priv->edev, EXTCON_USB_HOST,
+- EXTCON_PROP_USB_TYPEC_POLARITY);
+
+ /* update initial state */
+ tusb320_irq_handler(client->irq, priv);
+@@ -313,7 +330,7 @@ static const struct of_device_id tusb320_extcon_dt_match[] = {
+ MODULE_DEVICE_TABLE(of, tusb320_extcon_dt_match);
+
+ static struct i2c_driver tusb320_extcon_driver = {
+- .probe = tusb320_extcon_probe,
++ .probe = tusb320_probe,
+ .driver = {
+ .name = "extcon-tusb320",
+ .of_match_table = tusb320_extcon_dt_match,
+--
+2.35.1
+
--- /dev/null
+From c7ab3d0c30ef458e1620c619d46fc4d5edc38bb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 15:15:09 +0100
+Subject: extcon: usbc-tusb320: Update state on probe even if no IRQ pending
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 581c848b610dbf3fe1ed4d85fd53d0743c61faba ]
+
+Currently this driver triggers extcon and typec state update in its
+probe function, to read out current state reported by the chip and
+report the correct state to upper layers. This synchronization is
+performed correctly, but only in case the chip indicates a pending
+interrupt in reg09 register.
+
+This fails to cover the situation where all interrupts reported by
+the chip were already handled by Linux before reboot, then the system
+rebooted, and then Linux starts again. In this case, the TUSB320 no
+longer reports any interrupts in reg09, and the state update does not
+perform any update as it depends on that interrupt indication.
+
+Fix this by turning tusb320_irq_handler() into a thin wrapper around
+tusb320_state_update_handler(), where the later now contains the bulk
+of the code of tusb320_irq_handler(), but adds new function parameter
+"force_update". The "force_update" parameter can be used by the probe
+function to assure that the state synchronization is always performed,
+independent of the interrupt indicated in reg09. The interrupt handler
+tusb320_irq_handler() callback uses force_update=false to avoid state
+updates on potential spurious interrupts and retain current behavior.
+
+Fixes: 06bc4ca115cdd ("extcon: Add driver for TI TUSB320")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20221120141509.81012-1-marex@denx.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-usbc-tusb320.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/extcon/extcon-usbc-tusb320.c b/drivers/extcon/extcon-usbc-tusb320.c
+index edb8c3f997c9..b0f6e16ab0a9 100644
+--- a/drivers/extcon/extcon-usbc-tusb320.c
++++ b/drivers/extcon/extcon-usbc-tusb320.c
+@@ -313,9 +313,9 @@ static void tusb320_typec_irq_handler(struct tusb320_priv *priv, u8 reg9)
+ typec_set_pwr_opmode(port, TYPEC_PWR_MODE_USB);
+ }
+
+-static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
++static irqreturn_t tusb320_state_update_handler(struct tusb320_priv *priv,
++ bool force_update)
+ {
+- struct tusb320_priv *priv = dev_id;
+ unsigned int reg;
+
+ if (regmap_read(priv->regmap, TUSB320_REG9, ®)) {
+@@ -323,7 +323,7 @@ static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
+ return IRQ_NONE;
+ }
+
+- if (!(reg & TUSB320_REG9_INTERRUPT_STATUS))
++ if (!force_update && !(reg & TUSB320_REG9_INTERRUPT_STATUS))
+ return IRQ_NONE;
+
+ tusb320_extcon_irq_handler(priv, reg);
+@@ -334,6 +334,13 @@ static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
+ return IRQ_HANDLED;
+ }
+
++static irqreturn_t tusb320_irq_handler(int irq, void *dev_id)
++{
++ struct tusb320_priv *priv = dev_id;
++
++ return tusb320_state_update_handler(priv, false);
++}
++
+ static const struct regmap_config tusb320_regmap_config = {
+ .reg_bits = 8,
+ .val_bits = 8,
+@@ -460,7 +467,7 @@ static int tusb320_probe(struct i2c_client *client,
+ return ret;
+
+ /* update initial state */
+- tusb320_irq_handler(client->irq, priv);
++ tusb320_state_update_handler(priv, true);
+
+ /* Reset chip to its default state */
+ ret = tusb320_reset(priv);
+@@ -471,7 +478,7 @@ static int tusb320_probe(struct i2c_client *client,
+ * State and polarity might change after a reset, so update
+ * them again and make sure the interrupt status bit is cleared.
+ */
+- tusb320_irq_handler(client->irq, priv);
++ tusb320_state_update_handler(priv, true);
+
+ ret = devm_request_threaded_irq(priv->dev, client->irq, NULL,
+ tusb320_irq_handler,
+--
+2.35.1
+
--- /dev/null
+From a1d258a2a5ddb63ced381df45f231da19ad181bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 16:00:35 -0700
+Subject: f2fs: allow to set compression for inlined file
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+[ Upstream commit a995627e6dd81d4485d40ce64880017a080d71e6 ]
+
+The below commit disallows to set compression on empty created file which
+has a inline_data. Let's fix it.
+
+Fixes: 7165841d578e ("f2fs: fix to check inline_data during compressed inode conversion")
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index ce4905a073b3..74337edcbbb0 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1866,6 +1866,10 @@ static int f2fs_setflags_common(struct inode *inode, u32 iflags, u32 mask)
+ if (!f2fs_disable_compressed_file(inode))
+ return -EINVAL;
+ } else {
++ /* try to convert inline_data to support compression */
++ int err = f2fs_convert_inline_inode(inode);
++ if (err)
++ return err;
+ if (!f2fs_may_compress(inode))
+ return -EINVAL;
+ if (S_ISREG(inode->i_mode) && F2FS_HAS_BLOCKS(inode))
+--
+2.35.1
+
--- /dev/null
+From 4b5ac4fcf49ec751ccdecfd4586b86fd254f5213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 18:03:20 +0900
+Subject: f2fs: avoid victim selection from previous victim section
+
+From: Yonggil Song <yonggil.song@samsung.com>
+
+[ Upstream commit e219aecfd4b766c4e878a3769057e9809f7fcadc ]
+
+When f2fs chooses GC victim in large section & LFS mode,
+next_victim_seg[gc_type] is referenced first. After segment is freed,
+next_victim_seg[gc_type] has the next segment number.
+However, next_victim_seg[gc_type] still has the last segment number
+even after the last segment of section is freed. In this case, when f2fs
+chooses a victim for the next GC round, the last segment of previous victim
+section is chosen as a victim.
+
+Initialize next_victim_seg[gc_type] to NULL_SEGNO for the last segment in
+large section.
+
+Fixes: e3080b0120a1 ("f2fs: support subsectional garbage collection")
+Signed-off-by: Yonggil Song <yonggil.song@samsung.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/gc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index af915f801455..68eb1d33128b 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1738,8 +1738,9 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
+ get_valid_blocks(sbi, segno, false) == 0)
+ seg_freed++;
+
+- if (__is_large_section(sbi) && segno + 1 < end_segno)
+- sbi->next_victim_seg[gc_type] = segno + 1;
++ if (__is_large_section(sbi))
++ sbi->next_victim_seg[gc_type] =
++ (segno + 1 < end_segno) ? segno + 1 : NULL_SEGNO;
+ skip:
+ f2fs_put_page(sum_page, 0);
+ }
+--
+2.35.1
+
--- /dev/null
+From 11b4812a88c8b6c33448cf6f8b93089a1366fb18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 22:56:03 +0800
+Subject: f2fs: fix iostat parameter for discard
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 15e38ee44d50cad264da80ef75626b9224ddc4a3 ]
+
+Just like other data we count uses the number of bytes as the basic unit,
+but discard uses the number of cmds as the statistical unit. In fact the
+discard command contains the number of blocks, so let's change to the
+number of bytes as the base unit.
+
+Fixes: b0af6d491a6b ("f2fs: add app/fs io stat")
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 27690f757913..2afed479160b 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -1171,7 +1171,7 @@ static int __submit_discard_cmd(struct f2fs_sb_info *sbi,
+
+ atomic_inc(&dcc->issued_discard);
+
+- f2fs_update_iostat(sbi, FS_DISCARD, 1);
++ f2fs_update_iostat(sbi, FS_DISCARD, len * F2FS_BLKSIZE);
+
+ lstart += len;
+ start += len;
+--
+2.35.1
+
--- /dev/null
+From 1573fcb7c883dcd2ccbab1f89705adea77b3748c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 17:40:36 +0800
+Subject: f2fs: fix normal discard process
+
+From: Dongdong Zhang <zhangdongdong1@oppo.com>
+
+[ Upstream commit b5f1a218ae5e4339130d6e733f0e63d623e09a2c ]
+
+In the DPOLICY_BG mode, there is a conflict between
+the two conditions "i + 1 < dpolicy->granularity" and
+"i < DEFAULT_DISCARD_GRANULARITY". If i = 15, the first
+condition is false, it will enter the second condition
+and dispatch all small granularity discards in function
+ __issue_discard_cmd_orderly. The restrictive effect
+of the first condition to small discards will be
+invalidated. These two conditions should align.
+
+Fixes: 20ee4382322c ("f2fs: issue small discard by LBA order")
+Signed-off-by: Dongdong Zhang <zhangdongdong1@oppo.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 10d8bc81cff7..27690f757913 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -1449,7 +1449,7 @@ static int __issue_discard_cmd(struct f2fs_sb_info *sbi,
+ if (i + 1 < dpolicy->granularity)
+ break;
+
+- if (i < DEFAULT_DISCARD_GRANULARITY && dpolicy->ordered)
++ if (i + 1 < DEFAULT_DISCARD_GRANULARITY && dpolicy->ordered)
+ return __issue_discard_cmd_orderly(sbi, dpolicy);
+
+ pend_list = &dcc->pend_list[i];
+--
+2.35.1
+
--- /dev/null
+From 1c837ab36d98f8f263043d068913d9afc1bbe8d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 14:42:40 +0530
+Subject: f2fs: fix the assign logic of iocb
+
+From: Mukesh Ojha <quic_mojha@quicinc.com>
+
+[ Upstream commit 0db18eec0d9a7ee525209e31e3ac2f673545b12f ]
+
+commit 18ae8d12991b ("f2fs: show more DIO information in tracepoint")
+introduces iocb field in 'f2fs_direct_IO_enter' trace event
+And it only assigns the pointer and later it accesses its field
+in trace print log.
+
+Unable to handle kernel paging request at virtual address ffffffc04cef3d30
+Mem abort info:
+ESR = 0x96000007
+EC = 0x25: DABT (current EL), IL = 32 bits
+
+ pc : trace_raw_output_f2fs_direct_IO_enter+0x54/0xa4
+ lr : trace_raw_output_f2fs_direct_IO_enter+0x2c/0xa4
+ sp : ffffffc0443cbbd0
+ x29: ffffffc0443cbbf0 x28: ffffff8935b120d0 x27: ffffff8935b12108
+ x26: ffffff8935b120f0 x25: ffffff8935b12100 x24: ffffff8935b110c0
+ x23: ffffff8935b10000 x22: ffffff88859a936c x21: ffffff88859a936c
+ x20: ffffff8935b110c0 x19: ffffff8935b10000 x18: ffffffc03b195060
+ x17: ffffff8935b11e76 x16: 00000000000000cc x15: ffffffef855c4f2c
+ x14: 0000000000000001 x13: 000000000000004e x12: ffff0000ffffff00
+ x11: ffffffef86c350d0 x10: 00000000000010c0 x9 : 000000000fe0002c
+ x8 : ffffffc04cef3d28 x7 : 7f7f7f7f7f7f7f7f x6 : 0000000002000000
+ x5 : ffffff8935b11e9a x4 : 0000000000006250 x3 : ffff0a00ffffff04
+ x2 : 0000000000000002 x1 : ffffffef86a0a31f x0 : ffffff8935b10000
+ Call trace:
+ trace_raw_output_f2fs_direct_IO_enter+0x54/0xa4
+ print_trace_fmt+0x9c/0x138
+ print_trace_line+0x154/0x254
+ tracing_read_pipe+0x21c/0x380
+ vfs_read+0x108/0x3ac
+ ksys_read+0x7c/0xec
+ __arm64_sys_read+0x20/0x30
+ invoke_syscall+0x60/0x150
+ el0_svc_common.llvm.1237943816091755067+0xb8/0xf8
+ do_el0_svc+0x28/0xa0
+
+Fix it by copying the required variables for printing and while at
+it fix the similar issue at some other places in the same file.
+
+Fixes: bd984c03097b ("f2fs: show more DIO information in tracepoint")
+Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/f2fs.h | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index f1e922237736..f4556911c234 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -322,7 +322,7 @@ TRACE_EVENT(f2fs_unlink_enter,
+ __field(ino_t, ino)
+ __field(loff_t, size)
+ __field(blkcnt_t, blocks)
+- __field(const char *, name)
++ __string(name, dentry->d_name.name)
+ ),
+
+ TP_fast_assign(
+@@ -330,7 +330,7 @@ TRACE_EVENT(f2fs_unlink_enter,
+ __entry->ino = dir->i_ino;
+ __entry->size = dir->i_size;
+ __entry->blocks = dir->i_blocks;
+- __entry->name = dentry->d_name.name;
++ __assign_str(name, dentry->d_name.name);
+ ),
+
+ TP_printk("dev = (%d,%d), dir ino = %lu, i_size = %lld, "
+@@ -338,7 +338,7 @@ TRACE_EVENT(f2fs_unlink_enter,
+ show_dev_ino(__entry),
+ __entry->size,
+ (unsigned long long)__entry->blocks,
+- __entry->name)
++ __get_str(name))
+ );
+
+ DEFINE_EVENT(f2fs__inode_exit, f2fs_unlink_exit,
+@@ -940,25 +940,29 @@ TRACE_EVENT(f2fs_direct_IO_enter,
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(ino_t, ino)
+- __field(struct kiocb *, iocb)
++ __field(loff_t, ki_pos)
++ __field(int, ki_flags)
++ __field(u16, ki_ioprio)
+ __field(unsigned long, len)
+ __field(int, rw)
+ ),
+
+ TP_fast_assign(
+- __entry->dev = inode->i_sb->s_dev;
+- __entry->ino = inode->i_ino;
+- __entry->iocb = iocb;
+- __entry->len = len;
+- __entry->rw = rw;
++ __entry->dev = inode->i_sb->s_dev;
++ __entry->ino = inode->i_ino;
++ __entry->ki_pos = iocb->ki_pos;
++ __entry->ki_flags = iocb->ki_flags;
++ __entry->ki_ioprio = iocb->ki_ioprio;
++ __entry->len = len;
++ __entry->rw = rw;
+ ),
+
+ TP_printk("dev = (%d,%d), ino = %lu pos = %lld len = %lu ki_flags = %x ki_ioprio = %x rw = %d",
+ show_dev_ino(__entry),
+- __entry->iocb->ki_pos,
++ __entry->ki_pos,
+ __entry->len,
+- __entry->iocb->ki_flags,
+- __entry->iocb->ki_ioprio,
++ __entry->ki_flags,
++ __entry->ki_ioprio,
+ __entry->rw)
+ );
+
+@@ -1407,19 +1411,19 @@ TRACE_EVENT(f2fs_write_checkpoint,
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(int, reason)
+- __field(char *, msg)
++ __string(dest_msg, msg)
+ ),
+
+ TP_fast_assign(
+ __entry->dev = sb->s_dev;
+ __entry->reason = reason;
+- __entry->msg = msg;
++ __assign_str(dest_msg, msg);
+ ),
+
+ TP_printk("dev = (%d,%d), checkpoint for %s, state = %s",
+ show_dev(__entry->dev),
+ show_cpreason(__entry->reason),
+- __entry->msg)
++ __get_str(dest_msg))
+ );
+
+ DECLARE_EVENT_CLASS(f2fs_discard,
+--
+2.35.1
+
--- /dev/null
+From a5675a096cc23730a8b7104d2ff32a69105e683d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 10:45:32 +0800
+Subject: f2fs: Fix the race condition of resize flag between resizefs
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 28fc4e9077ce59ab28c89c20dc6be5154473218f ]
+
+Because the set/clear SBI_IS_RESIZEFS flag not between any locks,
+In the following case:
+ thread1 thread2
+ ->ioctl(resizefs)
+ ->set RESIZEFS flag ->ioctl(resizefs)
+ ... ->set RESIZEFS flag
+ ->clear RESIZEFS flag
+ ->resizefs stream
+ # No RESIZEFS flag in the stream
+
+Also before freeze_super, the resizefs not started, we should not set
+the SBI_IS_RESIZEFS flag.
+
+So move the set/clear SBI_IS_RESIZEFS flag between the cp_mutex and
+gc_lock.
+
+Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/gc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index 73881314bdda..af915f801455 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -2127,8 +2127,6 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
+ if (err)
+ return err;
+
+- set_sbi_flag(sbi, SBI_IS_RESIZEFS);
+-
+ freeze_super(sbi->sb);
+ f2fs_down_write(&sbi->gc_lock);
+ f2fs_down_write(&sbi->cp_global_sem);
+@@ -2144,6 +2142,7 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
+ if (err)
+ goto out_err;
+
++ set_sbi_flag(sbi, SBI_IS_RESIZEFS);
+ err = free_segment_range(sbi, secs, false);
+ if (err)
+ goto recover_out;
+@@ -2167,6 +2166,7 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
+ f2fs_commit_super(sbi, false);
+ }
+ recover_out:
++ clear_sbi_flag(sbi, SBI_IS_RESIZEFS);
+ if (err) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_err(sbi, "resize_fs failed, should run fsck to repair!");
+@@ -2179,6 +2179,5 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
+ f2fs_up_write(&sbi->cp_global_sem);
+ f2fs_up_write(&sbi->gc_lock);
+ thaw_super(sbi->sb);
+- clear_sbi_flag(sbi, SBI_IS_RESIZEFS);
+ return err;
+ }
+--
+2.35.1
+
--- /dev/null
+From 3fd26fb7d8e1a99460436affbe1b9dc1e36f2808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 17:30:26 +0800
+Subject: f2fs: fix to destroy sbi->post_read_wq in error path of
+ f2fs_fill_super()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 7b02b2201893a71b881026cf574902019ab00db5 ]
+
+In error path of f2fs_fill_super(), this patch fixes to call
+f2fs_destroy_post_read_wq() once if we fail in f2fs_start_ckpt_thread().
+
+Fixes: 261eeb9c1585 ("f2fs: introduce checkpoint_merge mount option")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 5415c06d8246..1187f29dc8e0 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4460,9 +4460,9 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
+ f2fs_destroy_node_manager(sbi);
+ free_sm:
+ f2fs_destroy_segment_manager(sbi);
+- f2fs_destroy_post_read_wq(sbi);
+ stop_ckpt_thread:
+ f2fs_stop_ckpt_thread(sbi);
++ f2fs_destroy_post_read_wq(sbi);
+ free_devices:
+ destroy_device_list(sbi);
+ kvfree(sbi->ckpt);
+--
+2.35.1
+
--- /dev/null
+From bfe2b455137b04138fbdeabfdfbd713c56f4f6e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 18:08:29 +0800
+Subject: f2fs: fix to enable compress for newly created file if extension
+ matches
+
+From: Sheng Yong <shengyong@oppo.com>
+
+[ Upstream commit 787caf1bdcd9f04058e4e8d8ed56db1dbafea0b7 ]
+
+If compress_extension is set, and a newly created file matches the
+extension, the file could be marked as compression file. However,
+if inline_data is also enabled, there is no chance to check its
+extension since f2fs_should_compress() always returns false.
+
+This patch moves set_compress_inode(), which do extension check, in
+f2fs_should_compress() to check extensions before setting inline
+data flag.
+
+Fixes: 7165841d578e ("f2fs: fix to check inline_data during compressed inode conversion")
+Signed-off-by: Sheng Yong <shengyong@oppo.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ fs/f2fs/namei.c | 329 ++++++++++++++++++++++++------------------------
+ 2 files changed, 164 insertions(+), 167 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 1e57b11ffe2a..a7227640fbdf 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -2966,7 +2966,7 @@ static inline void f2fs_change_bit(unsigned int nr, char *addr)
+ /* Flags that should be inherited by new inodes from their parent. */
+ #define F2FS_FL_INHERITED (F2FS_SYNC_FL | F2FS_NODUMP_FL | F2FS_NOATIME_FL | \
+ F2FS_DIRSYNC_FL | F2FS_PROJINHERIT_FL | \
+- F2FS_CASEFOLD_FL | F2FS_COMPR_FL | F2FS_NOCOMP_FL)
++ F2FS_CASEFOLD_FL)
+
+ /* Flags that are appropriate for regular files (all but dir-specific ones). */
+ #define F2FS_REG_FLMASK (~(F2FS_DIRSYNC_FL | F2FS_PROJINHERIT_FL | \
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index bf00d5057abb..0073e3511b2a 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -22,8 +22,163 @@
+ #include "acl.h"
+ #include <trace/events/f2fs.h>
+
++static inline int is_extension_exist(const unsigned char *s, const char *sub,
++ bool tmp_ext)
++{
++ size_t slen = strlen(s);
++ size_t sublen = strlen(sub);
++ int i;
++
++ if (sublen == 1 && *sub == '*')
++ return 1;
++
++ /*
++ * filename format of multimedia file should be defined as:
++ * "filename + '.' + extension + (optional: '.' + temp extension)".
++ */
++ if (slen < sublen + 2)
++ return 0;
++
++ if (!tmp_ext) {
++ /* file has no temp extension */
++ if (s[slen - sublen - 1] != '.')
++ return 0;
++ return !strncasecmp(s + slen - sublen, sub, sublen);
++ }
++
++ for (i = 1; i < slen - sublen; i++) {
++ if (s[i] != '.')
++ continue;
++ if (!strncasecmp(s + i + 1, sub, sublen))
++ return 1;
++ }
++
++ return 0;
++}
++
++int f2fs_update_extension_list(struct f2fs_sb_info *sbi, const char *name,
++ bool hot, bool set)
++{
++ __u8 (*extlist)[F2FS_EXTENSION_LEN] = sbi->raw_super->extension_list;
++ int cold_count = le32_to_cpu(sbi->raw_super->extension_count);
++ int hot_count = sbi->raw_super->hot_ext_count;
++ int total_count = cold_count + hot_count;
++ int start, count;
++ int i;
++
++ if (set) {
++ if (total_count == F2FS_MAX_EXTENSION)
++ return -EINVAL;
++ } else {
++ if (!hot && !cold_count)
++ return -EINVAL;
++ if (hot && !hot_count)
++ return -EINVAL;
++ }
++
++ if (hot) {
++ start = cold_count;
++ count = total_count;
++ } else {
++ start = 0;
++ count = cold_count;
++ }
++
++ for (i = start; i < count; i++) {
++ if (strcmp(name, extlist[i]))
++ continue;
++
++ if (set)
++ return -EINVAL;
++
++ memcpy(extlist[i], extlist[i + 1],
++ F2FS_EXTENSION_LEN * (total_count - i - 1));
++ memset(extlist[total_count - 1], 0, F2FS_EXTENSION_LEN);
++ if (hot)
++ sbi->raw_super->hot_ext_count = hot_count - 1;
++ else
++ sbi->raw_super->extension_count =
++ cpu_to_le32(cold_count - 1);
++ return 0;
++ }
++
++ if (!set)
++ return -EINVAL;
++
++ if (hot) {
++ memcpy(extlist[count], name, strlen(name));
++ sbi->raw_super->hot_ext_count = hot_count + 1;
++ } else {
++ char buf[F2FS_MAX_EXTENSION][F2FS_EXTENSION_LEN];
++
++ memcpy(buf, &extlist[cold_count],
++ F2FS_EXTENSION_LEN * hot_count);
++ memset(extlist[cold_count], 0, F2FS_EXTENSION_LEN);
++ memcpy(extlist[cold_count], name, strlen(name));
++ memcpy(&extlist[cold_count + 1], buf,
++ F2FS_EXTENSION_LEN * hot_count);
++ sbi->raw_super->extension_count = cpu_to_le32(cold_count + 1);
++ }
++ return 0;
++}
++
++static void set_compress_new_inode(struct f2fs_sb_info *sbi, struct inode *dir,
++ struct inode *inode, const unsigned char *name)
++{
++ __u8 (*extlist)[F2FS_EXTENSION_LEN] = sbi->raw_super->extension_list;
++ unsigned char (*noext)[F2FS_EXTENSION_LEN] =
++ F2FS_OPTION(sbi).noextensions;
++ unsigned char (*ext)[F2FS_EXTENSION_LEN] = F2FS_OPTION(sbi).extensions;
++ unsigned char ext_cnt = F2FS_OPTION(sbi).compress_ext_cnt;
++ unsigned char noext_cnt = F2FS_OPTION(sbi).nocompress_ext_cnt;
++ int i, cold_count, hot_count;
++
++ if (!f2fs_sb_has_compression(sbi))
++ return;
++
++ if (S_ISDIR(inode->i_mode))
++ goto inherit_comp;
++
++ /* This name comes only from normal files. */
++ if (!name)
++ return;
++
++ /* Don't compress hot files. */
++ f2fs_down_read(&sbi->sb_lock);
++ cold_count = le32_to_cpu(sbi->raw_super->extension_count);
++ hot_count = sbi->raw_super->hot_ext_count;
++ for (i = cold_count; i < cold_count + hot_count; i++)
++ if (is_extension_exist(name, extlist[i], false))
++ break;
++ f2fs_up_read(&sbi->sb_lock);
++ if (i < (cold_count + hot_count))
++ return;
++
++ /* Don't compress unallowed extension. */
++ for (i = 0; i < noext_cnt; i++)
++ if (is_extension_exist(name, noext[i], false))
++ return;
++
++ /* Compress wanting extension. */
++ for (i = 0; i < ext_cnt; i++) {
++ if (is_extension_exist(name, ext[i], false)) {
++ set_compress_context(inode);
++ return;
++ }
++ }
++inherit_comp:
++ /* Inherit the {no-}compression flag in directory */
++ if (F2FS_I(dir)->i_flags & F2FS_NOCOMP_FL) {
++ F2FS_I(inode)->i_flags |= F2FS_NOCOMP_FL;
++ f2fs_mark_inode_dirty_sync(inode, true);
++ } else if (F2FS_I(dir)->i_flags & F2FS_COMPR_FL) {
++ set_compress_context(inode);
++ }
++}
++
+ static struct inode *f2fs_new_inode(struct user_namespace *mnt_userns,
+- struct inode *dir, umode_t mode)
++ struct inode *dir, umode_t mode,
++ const char *name)
+ {
+ struct f2fs_sb_info *sbi = F2FS_I_SB(dir);
+ nid_t ino;
+@@ -114,12 +269,8 @@ static struct inode *f2fs_new_inode(struct user_namespace *mnt_userns,
+ if (F2FS_I(inode)->i_flags & F2FS_PROJINHERIT_FL)
+ set_inode_flag(inode, FI_PROJ_INHERIT);
+
+- if (f2fs_sb_has_compression(sbi)) {
+- /* Inherit the compression flag in directory */
+- if ((F2FS_I(dir)->i_flags & F2FS_COMPR_FL) &&
+- f2fs_may_compress(inode))
+- set_compress_context(inode);
+- }
++ /* Check compression first. */
++ set_compress_new_inode(sbi, dir, inode, name);
+
+ /* Should enable inline_data after compression set */
+ if (test_opt(sbi, INLINE_DATA) && f2fs_may_inline_data(inode))
+@@ -153,40 +304,6 @@ static struct inode *f2fs_new_inode(struct user_namespace *mnt_userns,
+ return ERR_PTR(err);
+ }
+
+-static inline int is_extension_exist(const unsigned char *s, const char *sub,
+- bool tmp_ext)
+-{
+- size_t slen = strlen(s);
+- size_t sublen = strlen(sub);
+- int i;
+-
+- if (sublen == 1 && *sub == '*')
+- return 1;
+-
+- /*
+- * filename format of multimedia file should be defined as:
+- * "filename + '.' + extension + (optional: '.' + temp extension)".
+- */
+- if (slen < sublen + 2)
+- return 0;
+-
+- if (!tmp_ext) {
+- /* file has no temp extension */
+- if (s[slen - sublen - 1] != '.')
+- return 0;
+- return !strncasecmp(s + slen - sublen, sub, sublen);
+- }
+-
+- for (i = 1; i < slen - sublen; i++) {
+- if (s[i] != '.')
+- continue;
+- if (!strncasecmp(s + i + 1, sub, sublen))
+- return 1;
+- }
+-
+- return 0;
+-}
+-
+ /*
+ * Set file's temperature for hot/cold data separation
+ */
+@@ -217,124 +334,6 @@ static inline void set_file_temperature(struct f2fs_sb_info *sbi, struct inode *
+ file_set_hot(inode);
+ }
+
+-int f2fs_update_extension_list(struct f2fs_sb_info *sbi, const char *name,
+- bool hot, bool set)
+-{
+- __u8 (*extlist)[F2FS_EXTENSION_LEN] = sbi->raw_super->extension_list;
+- int cold_count = le32_to_cpu(sbi->raw_super->extension_count);
+- int hot_count = sbi->raw_super->hot_ext_count;
+- int total_count = cold_count + hot_count;
+- int start, count;
+- int i;
+-
+- if (set) {
+- if (total_count == F2FS_MAX_EXTENSION)
+- return -EINVAL;
+- } else {
+- if (!hot && !cold_count)
+- return -EINVAL;
+- if (hot && !hot_count)
+- return -EINVAL;
+- }
+-
+- if (hot) {
+- start = cold_count;
+- count = total_count;
+- } else {
+- start = 0;
+- count = cold_count;
+- }
+-
+- for (i = start; i < count; i++) {
+- if (strcmp(name, extlist[i]))
+- continue;
+-
+- if (set)
+- return -EINVAL;
+-
+- memcpy(extlist[i], extlist[i + 1],
+- F2FS_EXTENSION_LEN * (total_count - i - 1));
+- memset(extlist[total_count - 1], 0, F2FS_EXTENSION_LEN);
+- if (hot)
+- sbi->raw_super->hot_ext_count = hot_count - 1;
+- else
+- sbi->raw_super->extension_count =
+- cpu_to_le32(cold_count - 1);
+- return 0;
+- }
+-
+- if (!set)
+- return -EINVAL;
+-
+- if (hot) {
+- memcpy(extlist[count], name, strlen(name));
+- sbi->raw_super->hot_ext_count = hot_count + 1;
+- } else {
+- char buf[F2FS_MAX_EXTENSION][F2FS_EXTENSION_LEN];
+-
+- memcpy(buf, &extlist[cold_count],
+- F2FS_EXTENSION_LEN * hot_count);
+- memset(extlist[cold_count], 0, F2FS_EXTENSION_LEN);
+- memcpy(extlist[cold_count], name, strlen(name));
+- memcpy(&extlist[cold_count + 1], buf,
+- F2FS_EXTENSION_LEN * hot_count);
+- sbi->raw_super->extension_count = cpu_to_le32(cold_count + 1);
+- }
+- return 0;
+-}
+-
+-static void set_compress_inode(struct f2fs_sb_info *sbi, struct inode *inode,
+- const unsigned char *name)
+-{
+- __u8 (*extlist)[F2FS_EXTENSION_LEN] = sbi->raw_super->extension_list;
+- unsigned char (*noext)[F2FS_EXTENSION_LEN] = F2FS_OPTION(sbi).noextensions;
+- unsigned char (*ext)[F2FS_EXTENSION_LEN] = F2FS_OPTION(sbi).extensions;
+- unsigned char ext_cnt = F2FS_OPTION(sbi).compress_ext_cnt;
+- unsigned char noext_cnt = F2FS_OPTION(sbi).nocompress_ext_cnt;
+- int i, cold_count, hot_count;
+-
+- if (!f2fs_sb_has_compression(sbi) ||
+- F2FS_I(inode)->i_flags & F2FS_NOCOMP_FL ||
+- !f2fs_may_compress(inode) ||
+- (!ext_cnt && !noext_cnt))
+- return;
+-
+- f2fs_down_read(&sbi->sb_lock);
+-
+- cold_count = le32_to_cpu(sbi->raw_super->extension_count);
+- hot_count = sbi->raw_super->hot_ext_count;
+-
+- for (i = cold_count; i < cold_count + hot_count; i++) {
+- if (is_extension_exist(name, extlist[i], false)) {
+- f2fs_up_read(&sbi->sb_lock);
+- return;
+- }
+- }
+-
+- f2fs_up_read(&sbi->sb_lock);
+-
+- for (i = 0; i < noext_cnt; i++) {
+- if (is_extension_exist(name, noext[i], false)) {
+- f2fs_disable_compressed_file(inode);
+- return;
+- }
+- }
+-
+- if (is_inode_flag_set(inode, FI_COMPRESSED_FILE))
+- return;
+-
+- for (i = 0; i < ext_cnt; i++) {
+- if (!is_extension_exist(name, ext[i], false))
+- continue;
+-
+- /* Do not use inline_data with compression */
+- stat_dec_inline_inode(inode);
+- clear_inode_flag(inode, FI_INLINE_DATA);
+- set_compress_context(inode);
+- return;
+- }
+-}
+-
+ static int f2fs_create(struct user_namespace *mnt_userns, struct inode *dir,
+ struct dentry *dentry, umode_t mode, bool excl)
+ {
+@@ -352,15 +351,13 @@ static int f2fs_create(struct user_namespace *mnt_userns, struct inode *dir,
+ if (err)
+ return err;
+
+- inode = f2fs_new_inode(mnt_userns, dir, mode);
++ inode = f2fs_new_inode(mnt_userns, dir, mode, dentry->d_name.name);
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
+
+ if (!test_opt(sbi, DISABLE_EXT_IDENTIFY))
+ set_file_temperature(sbi, inode, dentry->d_name.name);
+
+- set_compress_inode(sbi, inode, dentry->d_name.name);
+-
+ inode->i_op = &f2fs_file_inode_operations;
+ inode->i_fop = &f2fs_file_operations;
+ inode->i_mapping->a_ops = &f2fs_dblock_aops;
+@@ -689,7 +686,7 @@ static int f2fs_symlink(struct user_namespace *mnt_userns, struct inode *dir,
+ if (err)
+ return err;
+
+- inode = f2fs_new_inode(mnt_userns, dir, S_IFLNK | S_IRWXUGO);
++ inode = f2fs_new_inode(mnt_userns, dir, S_IFLNK | S_IRWXUGO, NULL);
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
+
+@@ -760,7 +757,7 @@ static int f2fs_mkdir(struct user_namespace *mnt_userns, struct inode *dir,
+ if (err)
+ return err;
+
+- inode = f2fs_new_inode(mnt_userns, dir, S_IFDIR | mode);
++ inode = f2fs_new_inode(mnt_userns, dir, S_IFDIR | mode, NULL);
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
+
+@@ -817,7 +814,7 @@ static int f2fs_mknod(struct user_namespace *mnt_userns, struct inode *dir,
+ if (err)
+ return err;
+
+- inode = f2fs_new_inode(mnt_userns, dir, mode);
++ inode = f2fs_new_inode(mnt_userns, dir, mode, NULL);
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
+
+@@ -856,7 +853,7 @@ static int __f2fs_tmpfile(struct user_namespace *mnt_userns, struct inode *dir,
+ if (err)
+ return err;
+
+- inode = f2fs_new_inode(mnt_userns, dir, mode);
++ inode = f2fs_new_inode(mnt_userns, dir, mode, NULL);
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
+
+--
+2.35.1
+
--- /dev/null
+From 25166986c43493381fcbf025c3b393f0914202b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 10:34:22 +0800
+Subject: f2fs: fix to invalidate dcc->f2fs_issue_discard in error path
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 91586ce0d39a05f88795aa8814fb99b1387236b3 ]
+
+Syzbot reports a NULL pointer dereference issue as below:
+
+ __refcount_add include/linux/refcount.h:193 [inline]
+ __refcount_inc include/linux/refcount.h:250 [inline]
+ refcount_inc include/linux/refcount.h:267 [inline]
+ get_task_struct include/linux/sched/task.h:110 [inline]
+ kthread_stop+0x34/0x1c0 kernel/kthread.c:703
+ f2fs_stop_discard_thread+0x3c/0x5c fs/f2fs/segment.c:1638
+ kill_f2fs_super+0x5c/0x194 fs/f2fs/super.c:4522
+ deactivate_locked_super+0x70/0xe8 fs/super.c:332
+ deactivate_super+0xd0/0xd4 fs/super.c:363
+ cleanup_mnt+0x1f8/0x234 fs/namespace.c:1186
+ __cleanup_mnt+0x20/0x30 fs/namespace.c:1193
+ task_work_run+0xc4/0x14c kernel/task_work.c:177
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0x26c/0xbe0 kernel/exit.c:795
+ do_group_exit+0x60/0xe8 kernel/exit.c:925
+ __do_sys_exit_group kernel/exit.c:936 [inline]
+ __se_sys_exit_group kernel/exit.c:934 [inline]
+ __wake_up_parent+0x0/0x40 kernel/exit.c:934
+ __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
+ el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
+ do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
+ el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
+ el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
+ el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
+
+The root cause of this issue is in error path of f2fs_start_discard_thread(),
+it missed to invalidate dcc->f2fs_issue_discard, later kthread_stop() may
+access invalid pointer.
+
+Fixes: 4d67490498ac ("f2fs: Don't create discard thread when device doesn't support realtime discard")
+Reported-by: syzbot+035a381ea1afb63f098d@syzkaller.appspotmail.com
+Reported-by: syzbot+729c925c2d9fc495ddee@syzkaller.appspotmail.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 84bad18ce13d..10d8bc81cff7 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2026,8 +2026,10 @@ int f2fs_start_discard_thread(struct f2fs_sb_info *sbi)
+
+ dcc->f2fs_issue_discard = kthread_run(issue_discard_thread, sbi,
+ "f2fs_discard-%u:%u", MAJOR(dev), MINOR(dev));
+- if (IS_ERR(dcc->f2fs_issue_discard))
++ if (IS_ERR(dcc->f2fs_issue_discard)) {
+ err = PTR_ERR(dcc->f2fs_issue_discard);
++ dcc->f2fs_issue_discard = NULL;
++ }
+
+ return err;
+ }
+--
+2.35.1
+
--- /dev/null
+From 09624ecebf966965f0822f450c1130d7a114410c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 23:10:54 +0800
+Subject: f2fs: set zstd compress level correctly
+
+From: Sheng Yong <shengyong@oppo.com>
+
+[ Upstream commit 4ff23a6547b81ca22adb852dfe93ee5fc45328ac ]
+
+Fixes: cf30f6a5f0c6 ("lib: zstd: Add kernel-specific API")
+Signed-off-by: Sheng Yong <shengyong@oppo.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Nick Terrell <terrelln@fb.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/compress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
+index 70e97075e535..e70928e92b2c 100644
+--- a/fs/f2fs/compress.c
++++ b/fs/f2fs/compress.c
+@@ -346,7 +346,7 @@ static int zstd_init_compress_ctx(struct compress_ctx *cc)
+ if (!level)
+ level = F2FS_ZSTD_DEFAULT_CLEVEL;
+
+- params = zstd_get_params(F2FS_ZSTD_DEFAULT_CLEVEL, cc->rlen);
++ params = zstd_get_params(level, cc->rlen);
+ workspace_size = zstd_cstream_workspace_bound(¶ms.cParams);
+
+ workspace = f2fs_kvmalloc(F2FS_I_SB(cc->inode),
+--
+2.35.1
+
--- /dev/null
+From d986fb8a569c2348dcbd8e8cf29a63ddd847852b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 17:29:43 +0800
+Subject: fbdev: ep93xx-fb: Add missing clk_disable_unprepare in
+ ep93xxfb_probe()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit c84bf485a5aaf9aa0764a58832b7ef4375c29f03 ]
+
+The clk_disable_unprepare() should be called in the error handling
+of register_framebuffer(), fix it.
+
+Fixes: 0937a7b3625d ("video: ep93xx: Prepare clock before using it")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/ep93xx-fb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/ep93xx-fb.c b/drivers/video/fbdev/ep93xx-fb.c
+index 2398b3d48fed..305f1587bd89 100644
+--- a/drivers/video/fbdev/ep93xx-fb.c
++++ b/drivers/video/fbdev/ep93xx-fb.c
+@@ -552,12 +552,14 @@ static int ep93xxfb_probe(struct platform_device *pdev)
+
+ err = register_framebuffer(info);
+ if (err)
+- goto failed_check;
++ goto failed_framebuffer;
+
+ dev_info(info->dev, "registered. Mode = %dx%d-%d\n",
+ info->var.xres, info->var.yres, info->var.bits_per_pixel);
+ return 0;
+
++failed_framebuffer:
++ clk_disable_unprepare(fbi->clk);
+ failed_check:
+ if (fbi->mach_info->teardown)
+ fbi->mach_info->teardown(pdev);
+--
+2.35.1
+
--- /dev/null
+From fdb2229dea538201aa832d6c45ea17b086ad5853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 13:55:44 -0800
+Subject: fbdev: geode: don't build on UML
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 71c53e19226b0166ba387d3c590d0509f541a0a1 ]
+
+The geode fbdev driver uses struct cpuinfo fields that are not present
+on ARCH=um, so don't allow this driver to be built on UML.
+
+Prevents these build errors:
+
+In file included from ../arch/x86/include/asm/olpc.h:7:0,
+ from ../drivers/mfd/cs5535-mfd.c:17:
+../arch/x86/include/asm/geode.h: In function ‘is_geode_gx’:
+../arch/x86/include/asm/geode.h:16:24: error: ‘struct cpuinfo_um’ has no member named ‘x86_vendor’
+ return ((boot_cpu_data.x86_vendor == X86_VENDOR_NSC) &&
+../arch/x86/include/asm/geode.h:16:39: error: ‘X86_VENDOR_NSC’ undeclared (first use in this function); did you mean ‘X86_VENDOR_ANY’?
+ return ((boot_cpu_data.x86_vendor == X86_VENDOR_NSC) &&
+../arch/x86/include/asm/geode.h:17:17: error: ‘struct cpuinfo_um’ has no member named ‘x86’
+ (boot_cpu_data.x86 == 5) &&
+../arch/x86/include/asm/geode.h:18:17: error: ‘struct cpuinfo_um’ has no member named ‘x86_model’
+ (boot_cpu_data.x86_model == 5));
+../arch/x86/include/asm/geode.h: In function ‘is_geode_lx’:
+../arch/x86/include/asm/geode.h:23:24: error: ‘struct cpuinfo_um’ has no member named ‘x86_vendor’
+ return ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) &&
+../arch/x86/include/asm/geode.h:23:39: error: ‘X86_VENDOR_AMD’ undeclared (first use in this function); did you mean ‘X86_VENDOR_ANY’?
+ return ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) &&
+../arch/x86/include/asm/geode.h:24:17: error: ‘struct cpuinfo_um’ has no member named ‘x86’
+ (boot_cpu_data.x86 == 5) &&
+../arch/x86/include/asm/geode.h:25:17: error: ‘struct cpuinfo_um’ has no member named ‘x86_model’
+ (boot_cpu_data.x86_model == 10));
+
+Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: linux-um@lists.infradead.org
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-fbdev@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: Andres Salomon <dilinger@queued.net>
+Cc: linux-geode@lists.infradead.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/geode/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/geode/Kconfig b/drivers/video/fbdev/geode/Kconfig
+index ac9c860592aa..85bc14b6faf6 100644
+--- a/drivers/video/fbdev/geode/Kconfig
++++ b/drivers/video/fbdev/geode/Kconfig
+@@ -5,6 +5,7 @@
+ config FB_GEODE
+ bool "AMD Geode family framebuffer support"
+ depends on FB && PCI && (X86_32 || (X86 && COMPILE_TEST))
++ depends on !UML
+ help
+ Say 'Y' here to allow you to select framebuffer drivers for
+ the AMD Geode family of processors.
+--
+2.35.1
+
--- /dev/null
+From 88ad52b429184825636413e9dc713d1c649cd365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 17:55:10 +0800
+Subject: fbdev: pm2fb: fix missing pci_disable_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ed359a464846b48f76ea6cc5cd8257e545ac97f4 ]
+
+Add missing pci_disable_device() in error path of probe() and remove() path.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pm2fb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c
+index 8fd79deb1e2a..94f1f33f88f9 100644
+--- a/drivers/video/fbdev/pm2fb.c
++++ b/drivers/video/fbdev/pm2fb.c
+@@ -1528,8 +1528,10 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ }
+
+ info = framebuffer_alloc(sizeof(struct pm2fb_par), &pdev->dev);
+- if (!info)
+- return -ENOMEM;
++ if (!info) {
++ err = -ENOMEM;
++ goto err_exit_disable;
++ }
+ default_par = info->par;
+
+ switch (pdev->device) {
+@@ -1710,6 +1712,8 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ release_mem_region(pm2fb_fix.mmio_start, pm2fb_fix.mmio_len);
+ err_exit_neither:
+ framebuffer_release(info);
++ err_exit_disable:
++ pci_disable_device(pdev);
+ return retval;
+ }
+
+@@ -1734,6 +1738,7 @@ static void pm2fb_remove(struct pci_dev *pdev)
+ fb_dealloc_cmap(&info->cmap);
+ kfree(info->pixmap.addr);
+ framebuffer_release(info);
++ pci_disable_device(pdev);
+ }
+
+ static const struct pci_device_id pm2fb_id_table[] = {
+--
+2.35.1
+
--- /dev/null
+From 2d7fad2ec7965b1e4e29428fe696918bfa67d541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 17:09:46 +0200
+Subject: fbdev: ssd1307fb: Drop optional dependency
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 025e3b507a3a8e1ee96a3112bb67495c77d6cdb6 ]
+
+Only a single out of three devices need a PWM, so from driver it's
+optional. Moreover it's a single driver in the entire kernel that
+currently selects PWM. Unfortunately this selection is a root cause
+of the circular dependencies when we want to enable optional PWM
+for some other drivers that select GPIOLIB.
+
+Fixes: a2ed00da5047 ("drivers/video: add support for the Solomon SSD1307 OLED Controller")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
+index cfc55273dc5d..9497fe929162 100644
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -2217,7 +2217,6 @@ config FB_SSD1307
+ select FB_SYS_COPYAREA
+ select FB_SYS_IMAGEBLIT
+ select FB_DEFERRED_IO
+- select PWM
+ select FB_BACKLIGHT
+ help
+ This driver implements support for the Solomon SSD1307
+--
+2.35.1
+
--- /dev/null
+From a91337299e2c91db395a5f6173dad849903a1b5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 13:55:59 -0800
+Subject: fbdev: uvesafb: don't build on UML
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 35b4f4d4a725cf8f8c10649163cd12aed509b953 ]
+
+The uvesafb fbdev driver uses memory management information that is not
+available on ARCH=um, so don't allow this driver to be built on UML.
+
+Prevents these build errors:
+
+../drivers/video/fbdev/uvesafb.c: In function ‘uvesafb_vbe_init’:
+../drivers/video/fbdev/uvesafb.c:807:21: error: ‘__supported_pte_mask’ undeclared (first use in this function)
+ 807 | if (__supported_pte_mask & _PAGE_NX) {
+../drivers/video/fbdev/uvesafb.c:807:44: error: ‘_PAGE_NX’ undeclared (first use in this function)
+ 807 | if (__supported_pte_mask & _PAGE_NX) {
+
+Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: linux-um@lists.infradead.org
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-fbdev@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: Michal Januszewski <spock@gentoo.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
+index 9497fe929162..974e862cd20d 100644
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -601,6 +601,7 @@ config FB_TGA
+ config FB_UVESA
+ tristate "Userspace VESA VGA graphics support"
+ depends on FB && CONNECTOR
++ depends on !UML
+ select FB_CFB_FILLRECT
+ select FB_CFB_COPYAREA
+ select FB_CFB_IMAGEBLIT
+--
+2.35.1
+
--- /dev/null
+From 539a1d3df3ab8864fe344d3897a12cf633e3afee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Dec 2022 12:35:22 +0100
+Subject: fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a94371040712031ba129c7e9d8ff04a06a2f8207 ]
+
+If an error occurs after a successful uvesafb_init_mtrr() call, it must be
+undone by a corresponding arch_phys_wc_del() call, as already done in the
+remove function.
+
+This has been added in the remove function in commit 63e28a7a5ffc
+("uvesafb: Clean up MTRR code")
+
+Fixes: 8bdb3a2d7df4 ("uvesafb: the driver core")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/uvesafb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
+index 4df6772802d7..1f3b7e013568 100644
+--- a/drivers/video/fbdev/uvesafb.c
++++ b/drivers/video/fbdev/uvesafb.c
+@@ -1758,6 +1758,7 @@ static int uvesafb_probe(struct platform_device *dev)
+ out_unmap:
+ iounmap(info->screen_base);
+ out_mem:
++ arch_phys_wc_del(par->mtrr_handle);
+ release_mem_region(info->fix.smem_start, info->fix.smem_len);
+ out_reg:
+ release_region(0x3c0, 32);
+--
+2.35.1
+
--- /dev/null
+From 137e5c163d799c20a1a8a3c8dbe8ef655b824cc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 16:56:54 +0800
+Subject: fbdev: vermilion: decrease reference count in error path
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 001f2cdb952a9566c77fb4b5470cc361db5601bb ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev. For the error path, we need to use pci_dev_put() to decrease
+the reference count.
+
+Fixes: dbe7e429fedb ("vmlfb: framebuffer driver for Intel Vermilion Range")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/vermilion/vermilion.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/vermilion/vermilion.c b/drivers/video/fbdev/vermilion/vermilion.c
+index ff61605b8764..a543643ce014 100644
+--- a/drivers/video/fbdev/vermilion/vermilion.c
++++ b/drivers/video/fbdev/vermilion/vermilion.c
+@@ -277,8 +277,10 @@ static int vmlfb_get_gpu(struct vml_par *par)
+
+ mutex_unlock(&vml_mutex);
+
+- if (pci_enable_device(par->gpu) < 0)
++ if (pci_enable_device(par->gpu) < 0) {
++ pci_dev_put(par->gpu);
+ return -ENODEV;
++ }
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 7a4f60af4c536d1ae17fb5e446f004532fb6af21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 09:08:52 +0800
+Subject: fbdev: via: Fix error in via_core_init()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 5886b130de953cfb8826f7771ec8640a79934a7f ]
+
+via_core_init() won't exit the driver when pci_register_driver() failed.
+Exit the viafb-i2c and the viafb-gpio in failed path to prevent error.
+
+VIA Graphics Integration Chipset framebuffer 2.4 initializing
+Error: Driver 'viafb-i2c' is already registered, aborting...
+Error: Driver 'viafb-gpio' is already registered, aborting...
+
+Fixes: 7582eb9be85f ("viafb: Turn GPIO and i2c into proper platform devices")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/via/via-core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/via/via-core.c b/drivers/video/fbdev/via/via-core.c
+index 89d75079b730..0363b478fa3e 100644
+--- a/drivers/video/fbdev/via/via-core.c
++++ b/drivers/video/fbdev/via/via-core.c
+@@ -725,7 +725,14 @@ static int __init via_core_init(void)
+ return ret;
+ viafb_i2c_init();
+ viafb_gpio_init();
+- return pci_register_driver(&via_driver);
++ ret = pci_register_driver(&via_driver);
++ if (ret) {
++ viafb_gpio_exit();
++ viafb_i2c_exit();
++ return ret;
++ }
++
++ return 0;
+ }
+
+ static void __exit via_core_exit(void)
+--
+2.35.1
+
--- /dev/null
+From 5634740fad0d038420529d4921930e04ecb7a076 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 15:06:36 +0800
+Subject: firmware: raspberrypi: fix possible memory leak in
+ rpi_firmware_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7b51161696e803fd5f9ad55b20a64c2df313f95c ]
+
+In rpi_firmware_probe(), if mbox_request_channel() fails, the 'fw' will
+not be freed through rpi_firmware_delete(), fix this leak by calling
+kfree() in the error path.
+
+Fixes: 1e7c57355a3b ("firmware: raspberrypi: Keep count of all consumers")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221117070636.3849773-1-yangyingliang@huawei.com
+Acked-by: Joel Savitz <jsavitz@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/raspberrypi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c
+index 4b8978b254f9..dba315f675bc 100644
+--- a/drivers/firmware/raspberrypi.c
++++ b/drivers/firmware/raspberrypi.c
+@@ -272,6 +272,7 @@ static int rpi_firmware_probe(struct platform_device *pdev)
+ int ret = PTR_ERR(fw->chan);
+ if (ret != -EPROBE_DEFER)
+ dev_err(dev, "Failed to get mbox channel: %d\n", ret);
++ kfree(fw);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 18e4959e48c0969afcf1406abeb97f253ebc0112 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 21:57:04 +0300
+Subject: firmware: ti_sci: Fix polled mode during system suspend
+
+From: Georgi Vlaev <g-vlaev@ti.com>
+
+[ Upstream commit b13b2c3e0e4d0854228b5217fa34e145f3ace8ac ]
+
+Commit b9e8a7d950ff ("firmware: ti_sci: Switch transport to polled
+mode during system suspend") uses read_poll_timeout_atomic() macro
+in ti_sci_do_xfer() to wait for completion when the system is
+suspending. The break condition of the macro is set to "true" which
+will cause it break immediately when evaluated, likely before the
+TISCI xfer is completed, and always return 0. We want to poll here
+until "done_state == true".
+
+1) Change the break condition of read_poll_timeout_atomic() to
+the bool variable "done_state".
+
+2) The read_poll_timeout_atomic() returns 0 if the break condition
+is met or -ETIMEDOUT if not. Since our break condition has changed
+to "done_state", we also don't have to check for "!done_state" when
+evaluating the return value.
+
+Fixes: b9e8a7d950ff ("firmware: ti_sci: Switch transport to polled mode during system suspend")
+
+Signed-off-by: Georgi Vlaev <g-vlaev@ti.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Link: https://lore.kernel.org/r/20221021185704.181316-1-g-vlaev@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/ti_sci.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c
+index ebc32bbd9b83..6281e7153b47 100644
+--- a/drivers/firmware/ti_sci.c
++++ b/drivers/firmware/ti_sci.c
+@@ -429,15 +429,14 @@ static inline int ti_sci_do_xfer(struct ti_sci_info *info,
+ * during noirq phase, so we must manually poll the completion.
+ */
+ ret = read_poll_timeout_atomic(try_wait_for_completion, done_state,
+- true, 1,
++ done_state, 1,
+ info->desc->max_rx_timeout_ms * 1000,
+ false, &xfer->done);
+ }
+
+- if (ret == -ETIMEDOUT || !done_state) {
++ if (ret == -ETIMEDOUT)
+ dev_err(dev, "Mbox timedout in resp(caller: %pS)\n",
+ (void *)_RET_IP_);
+- }
+
+ /*
+ * NOTE: we might prefer not to need the mailbox ticker to manage the
+--
+2.35.1
+
--- /dev/null
+From 6298d83cd0e56f0846db36f0c13ce37c59700073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 16:05:18 -0700
+Subject: fortify: Do not cast to "unsigned char"
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit e9a40e1585d792751d3a122392695e5a53032809 ]
+
+Do not cast to "unsigned char", as this needlessly creates type problems
+when attempting builds without -Wno-pointer-sign[1]. The intent of the
+cast is to drop possible "const" types.
+
+[1] https://lore.kernel.org/lkml/CAHk-=wgz3Uba8w7kdXhsqR1qvfemYL+OFQdefJnkeqXG8qZ_pA@mail.gmail.com/
+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Fixes: 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")
+Cc: linux-hardening@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/fortify-string.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index ae076aae9e66..c26160fe2e34 100644
+--- a/include/linux/fortify-string.h
++++ b/include/linux/fortify-string.h
+@@ -17,7 +17,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
+
+ #define __compiletime_strlen(p) \
+ ({ \
+- unsigned char *__p = (unsigned char *)(p); \
++ char *__p = (char *)(p); \
+ size_t __ret = SIZE_MAX; \
+ size_t __p_size = __builtin_object_size(p, 1); \
+ if (__p_size != SIZE_MAX && \
+--
+2.35.1
+
--- /dev/null
+From c3bc1e3ce6b110d154b1d5a2559b93b4cf6d6b68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 13:23:06 -0700
+Subject: fortify: Use SIZE_MAX instead of (size_t)-1
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 311fb40aa0569abacc430b0d66ee41470803111f ]
+
+Clean up uses of "(size_t)-1" in favor of SIZE_MAX.
+
+Cc: linux-hardening@vger.kernel.org
+Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Stable-dep-of: e9a40e1585d7 ("fortify: Do not cast to "unsigned char"")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/fortify-string.h | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index fce2fb2fc962..ae076aae9e66 100644
+--- a/include/linux/fortify-string.h
++++ b/include/linux/fortify-string.h
+@@ -3,6 +3,7 @@
+ #define _LINUX_FORTIFY_STRING_H_
+
+ #include <linux/const.h>
++#include <linux/limits.h>
+
+ #define __FORTIFY_INLINE extern __always_inline __gnu_inline __overloadable
+ #define __RENAME(x) __asm__(#x)
+@@ -17,9 +18,9 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
+ #define __compiletime_strlen(p) \
+ ({ \
+ unsigned char *__p = (unsigned char *)(p); \
+- size_t __ret = (size_t)-1; \
++ size_t __ret = SIZE_MAX; \
+ size_t __p_size = __builtin_object_size(p, 1); \
+- if (__p_size != (size_t)-1 && \
++ if (__p_size != SIZE_MAX && \
+ __builtin_constant_p(*__p)) { \
+ size_t __p_len = __p_size - 1; \
+ if (__builtin_constant_p(__p[__p_len]) && \
+@@ -95,7 +96,7 @@ char *strcat(char * const POS p, const char *q)
+ {
+ size_t p_size = __builtin_object_size(p, 1);
+
+- if (p_size == (size_t)-1)
++ if (p_size == SIZE_MAX)
+ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+ fortify_panic(__func__);
+@@ -110,7 +111,7 @@ __FORTIFY_INLINE __kernel_size_t strnlen(const char * const POS p, __kernel_size
+ size_t ret;
+
+ /* We can take compile-time actions when maxlen is const. */
+- if (__builtin_constant_p(maxlen) && p_len != (size_t)-1) {
++ if (__builtin_constant_p(maxlen) && p_len != SIZE_MAX) {
+ /* If p is const, we can use its compile-time-known len. */
+ if (maxlen >= p_size)
+ return p_len;
+@@ -138,7 +139,7 @@ __kernel_size_t __fortify_strlen(const char * const POS p)
+ size_t p_size = __builtin_object_size(p, 1);
+
+ /* Give up if we don't know how large p is. */
+- if (p_size == (size_t)-1)
++ if (p_size == SIZE_MAX)
+ return __underlying_strlen(p);
+ ret = strnlen(p, p_size);
+ if (p_size <= ret)
+@@ -155,7 +156,7 @@ __FORTIFY_INLINE size_t strlcpy(char * const POS p, const char * const POS q, si
+ size_t q_len; /* Full count of source string length. */
+ size_t len; /* Count of characters going into destination. */
+
+- if (p_size == (size_t)-1 && q_size == (size_t)-1)
++ if (p_size == SIZE_MAX && q_size == SIZE_MAX)
+ return __real_strlcpy(p, q, size);
+ q_len = strlen(q);
+ len = (q_len >= size) ? size - 1 : q_len;
+@@ -183,7 +184,7 @@ __FORTIFY_INLINE ssize_t strscpy(char * const POS p, const char * const POS q, s
+ size_t q_size = __builtin_object_size(q, 1);
+
+ /* If we cannot get size of p and q default to call strscpy. */
+- if (p_size == (size_t) -1 && q_size == (size_t) -1)
++ if (p_size == SIZE_MAX && q_size == SIZE_MAX)
+ return __real_strscpy(p, q, size);
+
+ /*
+@@ -228,7 +229,7 @@ char *strncat(char * const POS p, const char * const POS q, __kernel_size_t coun
+ size_t p_size = __builtin_object_size(p, 1);
+ size_t q_size = __builtin_object_size(q, 1);
+
+- if (p_size == (size_t)-1 && q_size == (size_t)-1)
++ if (p_size == SIZE_MAX && q_size == SIZE_MAX)
+ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+ copy_len = strnlen(q, count);
+@@ -269,10 +270,10 @@ __FORTIFY_INLINE void fortify_memset_chk(__kernel_size_t size,
+ /*
+ * Always stop accesses beyond the struct that contains the
+ * field, when the buffer's remaining size is known.
+- * (The -1 test is to optimize away checks where the buffer
++ * (The SIZE_MAX test is to optimize away checks where the buffer
+ * lengths are unknown.)
+ */
+- if (p_size != (size_t)(-1) && p_size < size)
++ if (p_size != SIZE_MAX && p_size < size)
+ fortify_panic("memset");
+ }
+
+@@ -363,11 +364,11 @@ __FORTIFY_INLINE void fortify_memcpy_chk(__kernel_size_t size,
+ /*
+ * Always stop accesses beyond the struct that contains the
+ * field, when the buffer's remaining size is known.
+- * (The -1 test is to optimize away checks where the buffer
++ * (The SIZE_MAX test is to optimize away checks where the buffer
+ * lengths are unknown.)
+ */
+- if ((p_size != (size_t)(-1) && p_size < size) ||
+- (q_size != (size_t)(-1) && q_size < size))
++ if ((p_size != SIZE_MAX && p_size < size) ||
++ (q_size != SIZE_MAX && q_size < size))
+ fortify_panic(func);
+ }
+
+@@ -466,7 +467,7 @@ char *strcpy(char * const POS p, const char * const POS q)
+ size_t size;
+
+ /* If neither buffer size is known, immediately give up. */
+- if (p_size == (size_t)-1 && q_size == (size_t)-1)
++ if (p_size == SIZE_MAX && q_size == SIZE_MAX)
+ return __underlying_strcpy(p, q);
+ size = strlen(q) + 1;
+ /* Compile-time check for const size overflow. */
+--
+2.35.1
+
--- /dev/null
+From 48a99f9ab2de10ba850b6ddea14265c822f1478d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 16:12:05 +0100
+Subject: fs: don't audit the capability check in simple_xattr_list()
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit e7eda157c4071cd1e69f4b1687b0fbe1ae5e6f46 ]
+
+The check being unconditional may lead to unwanted denials reported by
+LSMs when a process has the capability granted by DAC, but denied by an
+LSM. In the case of SELinux such denials are a problem, since they can't
+be effectively filtered out via the policy and when not silenced, they
+produce noise that may hide a true problem or an attack.
+
+Checking for the capability only if any trusted xattr is actually
+present wouldn't really address the issue, since calling listxattr(2) on
+such node on its own doesn't indicate an explicit attempt to see the
+trusted xattrs. Additionally, it could potentially leak the presence of
+trusted xattrs to an unprivileged user if they can check for the denials
+(e.g. through dmesg).
+
+Therefore, it's best (and simplest) to keep the check unconditional and
+instead use ns_capable_noaudit() that will silence any associated LSM
+denials.
+
+Fixes: 38f38657444d ("xattr: extract simple_xattr code from tmpfs")
+Reported-by: Martin Pitt <mpitt@redhat.com>
+Suggested-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xattr.c b/fs/xattr.c
+index a1f4998bc6be..8ea6b104b106 100644
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -1147,7 +1147,7 @@ static int xattr_list_one(char **buffer, ssize_t *remaining_size,
+ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
+ char *buffer, size_t size)
+ {
+- bool trusted = capable(CAP_SYS_ADMIN);
++ bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
+ struct simple_xattr *xattr;
+ ssize_t remaining_size = size;
+ int err = 0;
+--
+2.35.1
+
--- /dev/null
+From df7df464fb92957272f7fafcc2d560a1946f1490 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 08:48:07 -0500
+Subject: fs: jfs: fix shift-out-of-bounds in dbAllocAG
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 898f706695682b9954f280d95e49fa86ffa55d08 ]
+
+Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The
+underlying bug is the missing check of bmp->db_agl2size. The field can
+be greater than 64 and trigger the shift-out-of-bounds.
+
+Fix this bug by adding a check of bmp->db_agl2size in dbMount since this
+field is used in many following functions. The upper bound for this
+field is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp.
+Note that, for maintenance, I reorganized error handling code of dbMount.
+
+Reported-by: syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 6b838d3ae7c2..e1cbfbb60303 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -155,7 +155,7 @@ int dbMount(struct inode *ipbmap)
+ struct bmap *bmp;
+ struct dbmap_disk *dbmp_le;
+ struct metapage *mp;
+- int i;
++ int i, err;
+
+ /*
+ * allocate/initialize the in-memory bmap descriptor
+@@ -170,8 +170,8 @@ int dbMount(struct inode *ipbmap)
+ BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
+ PSIZE, 0);
+ if (mp == NULL) {
+- kfree(bmp);
+- return -EIO;
++ err = -EIO;
++ goto err_kfree_bmp;
+ }
+
+ /* copy the on-disk bmap descriptor to its in-memory version. */
+@@ -181,9 +181,8 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
+ bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+ if (!bmp->db_numag) {
+- release_metapage(mp);
+- kfree(bmp);
+- return -EINVAL;
++ err = -EINVAL;
++ goto err_release_metapage;
+ }
+
+ bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
+@@ -194,6 +193,11 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+ bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
+ bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
++ if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
++ err = -EINVAL;
++ goto err_release_metapage;
++ }
++
+ for (i = 0; i < MAXAG; i++)
+ bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
+ bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
+@@ -214,6 +218,12 @@ int dbMount(struct inode *ipbmap)
+ BMAP_LOCK_INIT(bmp);
+
+ return (0);
++
++err_release_metapage:
++ release_metapage(mp);
++err_kfree_bmp:
++ kfree(bmp);
++ return err;
+ }
+
+
+--
+2.35.1
+
--- /dev/null
+From 5e25a58285279217d0921bceea1b888ac221f03f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 23:20:45 +0800
+Subject: fs: jfs: fix shift-out-of-bounds in dbDiscardAG
+
+From: Hoi Pok Wu <wuhoipok@gmail.com>
+
+[ Upstream commit 25e70c6162f207828dd405b432d8f2a98dbf7082 ]
+
+This should be applied to most URSAN bugs found recently by syzbot,
+by guarding the dbMount. As syzbot feeding rubbish into the bmap
+descriptor.
+
+Signed-off-by: Hoi Pok Wu <wuhoipok@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index e1cbfbb60303..765838578a72 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -198,6 +198,11 @@ int dbMount(struct inode *ipbmap)
+ goto err_release_metapage;
+ }
+
++ if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
++ err = -EINVAL;
++ goto err_release_metapage;
++ }
++
+ for (i = 0; i < MAXAG; i++)
+ bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
+ bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
+--
+2.35.1
+
--- /dev/null
+From c287616c4c8fabe15cb2841b6e83e5d8f285ee92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 23:46:25 +0900
+Subject: fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit caad9dd8792a2622737b7273cb34835fd9536cd2 ]
+
+syzbot reported UBSAN error as below:
+
+[ 76.901829][ T6677] ================================================================================
+[ 76.903908][ T6677] UBSAN: shift-out-of-bounds in fs/ntfs3/super.c:675:13
+[ 76.905363][ T6677] shift exponent -247 is negative
+
+This patch avoid this error.
+
+Link: https://syzkaller.appspot.com/bug?id=b0299c09a14aababf0f1c862dd4ebc8ab9eb0179
+Fixes: a3b774342fa7 (fs/ntfs3: validate BOOT sectors_per_clusters)
+Cc: Author: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: syzbot+35b87c668935bb55e666@syzkaller.appspotmail.com
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
+index 47012c9bf505..adc4f73722b7 100644
+--- a/fs/ntfs3/super.c
++++ b/fs/ntfs3/super.c
+@@ -672,7 +672,7 @@ static u32 true_sectors_per_clst(const struct NTFS_BOOT *boot)
+ if (boot->sectors_per_clusters <= 0x80)
+ return boot->sectors_per_clusters;
+ if (boot->sectors_per_clusters >= 0xf4) /* limit shift to 2MB max */
+- return 1U << (0 - boot->sectors_per_clusters);
++ return 1U << -(s8)boot->sectors_per_clusters;
+ return -EINVAL;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 8fe739cb864e54d198559a578f83b0d7f605061b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 12:30:24 +0530
+Subject: fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 557d19675a470bb0a98beccec38c5dc3735c20fa ]
+
+Syzbot reports an out of bound access in ntfs_trim_fs.
+The cause of this is using a loop termination condition that compares
+window index (iw) with wnd->nbits instead of wnd->nwnd, due to which the
+index used for wnd->free_bits exceeds the size of the array allocated.
+
+Fix the loop condition.
+
+Fixes: 3f3b442b5ad2 ("fs/ntfs3: Add bitmap")
+Link: https://syzkaller.appspot.com/bug?extid=b892240eac461e488d51
+Reported-by: syzbot+b892240eac461e488d51@syzkaller.appspotmail.com
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/bitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c
+index 5d44ceac855b..087282cb130b 100644
+--- a/fs/ntfs3/bitmap.c
++++ b/fs/ntfs3/bitmap.c
+@@ -1424,7 +1424,7 @@ int ntfs_trim_fs(struct ntfs_sb_info *sbi, struct fstrim_range *range)
+
+ down_read_nested(&wnd->rw_lock, BITMAP_MUTEX_CLUSTERS);
+
+- for (; iw < wnd->nbits; iw++, wbit = 0) {
++ for (; iw < wnd->nwnd; iw++, wbit = 0) {
+ CLST lcn_wnd = iw * wbits;
+ struct buffer_head *bh;
+
+--
+2.35.1
+
--- /dev/null
+From 71bc22a81e7b6d1a22b238803c3e1e5d8be49f0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 18:08:51 +0300
+Subject: fs/ntfs3: Harden against integer overflows
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e001e60869390686809663c02bceb1d3922548fb ]
+
+Smatch complains that the "add_bytes" is not to be trusted. Use
+size_add() to prevent an integer overflow.
+
+Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
+index 7de8718c68a9..ea582b4fe1d9 100644
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -107,7 +107,7 @@ static int ntfs_read_ea(struct ntfs_inode *ni, struct EA_FULL **ea,
+ return -EFBIG;
+
+ /* Allocate memory for packed Ea. */
+- ea_p = kmalloc(size + add_bytes, GFP_NOFS);
++ ea_p = kmalloc(size_add(size, add_bytes), GFP_NOFS);
+ if (!ea_p)
+ return -ENOMEM;
+
+--
+2.35.1
+
--- /dev/null
+From 951c0d28b197bcc8621c3799907ef948463abecd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 18:04:48 +0800
+Subject: fs: sysv: Fix sysv_nblocks() returns wrong value
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit e0c49bd2b4d3cd1751491eb2d940bce968ac65e9 ]
+
+sysv_nblocks() returns 'blocks' rather than 'res', which only counting
+the number of triple-indirect blocks and causing sysv_getattr() gets a
+wrong result.
+
+[AV: this is actually a sysv counterpart of minixfs fix -
+0fcd426de9d0 "[PATCH] minix block usage counting fix" in
+historical tree; mea culpa, should've thought to check
+fs/sysv back then...]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/sysv/itree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
+index d4ec9bb97de9..3b8567564e7e 100644
+--- a/fs/sysv/itree.c
++++ b/fs/sysv/itree.c
+@@ -438,7 +438,7 @@ static unsigned sysv_nblocks(struct super_block *s, loff_t size)
+ res += blocks;
+ direct = 1;
+ }
+- return blocks;
++ return res;
+ }
+
+ int sysv_getattr(struct user_namespace *mnt_userns, const struct path *path,
+--
+2.35.1
+
--- /dev/null
+From 6f6ea3522ff0122a82a5da6c3a46f3ae02342d0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Dec 2022 14:24:07 +0100
+Subject: ftrace: Allow WITH_ARGS flavour of graph tracer with shadow call
+ stack
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 38792972de4294163f44d6360fd221e6f2c22a05 ]
+
+The recent switch on arm64 from DYNAMIC_FTRACE_WITH_REGS to
+DYNAMIC_FTRACE_WITH_ARGS failed to take into account that we currently
+require the former in order to allow the function graph tracer to be
+enabled in combination with shadow call stacks. This means that this is
+no longer permitted at all, in spite of the fact that either flavour of
+ftrace works perfectly fine in this combination.
+
+So permit WITH_ARGS as well as WITH_REGS.
+
+Fixes: ddc9863e9e90 ("scs: Disable when function graph tracing is enabled")
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20221213132407.1485025-1-ardb@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 8b311e400ec1..732a4680e733 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -629,7 +629,7 @@ config ARCH_SUPPORTS_SHADOW_CALL_STACK
+ config SHADOW_CALL_STACK
+ bool "Shadow Call Stack"
+ depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
+- depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
++ depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
+ help
+ This option enables the compiler's Shadow Call Stack, which
+ uses a shadow stack to protect function return addresses from
+--
+2.35.1
+
--- /dev/null
+From 40e73316fc294ca472f97e15b1ab0e840251a2b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 00:54:39 +0300
+Subject: futex: Resend potentially swallowed owner death notification
+
+From: Alexey Izbyshev <izbyshev@ispras.ru>
+
+[ Upstream commit 90d758896787048fa3d4209309d4800f3920e66f ]
+
+Commit ca16d5bee598 ("futex: Prevent robust futex exit race") addressed
+two cases when tasks waiting on a robust non-PI futex remained blocked
+despite the futex not being owned anymore:
+
+* if the owner died after writing zero to the futex word, but before
+ waking up a waiter
+
+* if a task waiting on the futex was woken up, but died before updating
+ the futex word (effectively swallowing the notification without acting
+ on it)
+
+In the second case, the task could be woken up either by the previous
+owner (after the futex word was reset to zero) or by the kernel (after
+the OWNER_DIED bit was set and the TID part of the futex word was reset
+to zero) if the previous owner died without the resetting the futex.
+
+Because the referenced commit wakes up a potential waiter only if the
+whole futex word is zero, the latter subcase remains unaddressed.
+
+Fix this by looking only at the TID part of the futex when deciding
+whether a wake up is needed.
+
+Fixes: ca16d5bee598 ("futex: Prevent robust futex exit race")
+Signed-off-by: Alexey Izbyshev <izbyshev@ispras.ru>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20221111215439.248185-1-izbyshev@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/futex/core.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/futex/core.c b/kernel/futex/core.c
+index b22ef1efe751..514e4582b863 100644
+--- a/kernel/futex/core.c
++++ b/kernel/futex/core.c
+@@ -638,6 +638,7 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
+ bool pi, bool pending_op)
+ {
+ u32 uval, nval, mval;
++ pid_t owner;
+ int err;
+
+ /* Futex address must be 32bit aligned */
+@@ -659,6 +660,10 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
+ * 2. A woken up waiter is killed before it can acquire the
+ * futex in user space.
+ *
++ * In the second case, the wake up notification could be generated
++ * by the unlock path in user space after setting the futex value
++ * to zero or by the kernel after setting the OWNER_DIED bit below.
++ *
+ * In both cases the TID validation below prevents a wakeup of
+ * potential waiters which can cause these waiters to block
+ * forever.
+@@ -667,24 +672,27 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
+ *
+ * 1) task->robust_list->list_op_pending != NULL
+ * @pending_op == true
+- * 2) User space futex value == 0
++ * 2) The owner part of user space futex value == 0
+ * 3) Regular futex: @pi == false
+ *
+ * If these conditions are met, it is safe to attempt waking up a
+ * potential waiter without touching the user space futex value and
+- * trying to set the OWNER_DIED bit. The user space futex value is
+- * uncontended and the rest of the user space mutex state is
+- * consistent, so a woken waiter will just take over the
+- * uncontended futex. Setting the OWNER_DIED bit would create
+- * inconsistent state and malfunction of the user space owner died
+- * handling.
++ * trying to set the OWNER_DIED bit. If the futex value is zero,
++ * the rest of the user space mutex state is consistent, so a woken
++ * waiter will just take over the uncontended futex. Setting the
++ * OWNER_DIED bit would create inconsistent state and malfunction
++ * of the user space owner died handling. Otherwise, the OWNER_DIED
++ * bit is already set, and the woken waiter is expected to deal with
++ * this.
+ */
+- if (pending_op && !pi && !uval) {
++ owner = uval & FUTEX_TID_MASK;
++
++ if (pending_op && !pi && !owner) {
+ futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
+ return 0;
+ }
+
+- if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
++ if (owner != task_pid_vnr(curr))
+ return 0;
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 0553a915e09e4b4c49d643f217e3f5bddc16d27f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 23:16:12 +0800
+Subject: genirq/irqdesc: Don't try to remove non-existing sysfs files
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 9049e1ca41983ab773d7ea244bee86d7835ec9f5 ]
+
+Fault injection tests trigger warnings like this:
+
+ kernfs: can not remove 'chip_name', no directory
+ WARNING: CPU: 0 PID: 253 at fs/kernfs/dir.c:1616 kernfs_remove_by_name_ns+0xce/0xe0
+ RIP: 0010:kernfs_remove_by_name_ns+0xce/0xe0
+ Call Trace:
+ <TASK>
+ remove_files.isra.1+0x3f/0xb0
+ sysfs_remove_group+0x68/0xe0
+ sysfs_remove_groups+0x41/0x70
+ __kobject_del+0x45/0xc0
+ kobject_del+0x29/0x40
+ free_desc+0x42/0x70
+ irq_free_descs+0x5e/0x90
+
+The reason is that the interrupt descriptor sysfs handling does not roll
+back on a failing kobject_add() during allocation. If the descriptor is
+freed later on, kobject_del() is invoked with a not added kobject resulting
+in the above warnings.
+
+A proper rollback in case of a kobject_add() failure would be the straight
+forward solution. But this is not possible due to the way how interrupt
+descriptor sysfs handling works.
+
+Interrupt descriptors are allocated before sysfs becomes available. So the
+sysfs files for the early allocated descriptors are added later in the boot
+process. At this point there can be nothing useful done about a failing
+kobject_add(). For consistency the interrupt descriptor allocation always
+treats kobject_add() failures as non-critical and just emits a warning.
+
+To solve this problem, keep track in the interrupt descriptor whether
+kobject_add() was successful or not and make the invocation of
+kobject_del() conditional on that.
+
+[ tglx: Massage changelog, comments and use a state bit. ]
+
+Fixes: ecb3f394c5db ("genirq: Expose interrupt information through sysfs")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20221128151612.1786122-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/internals.h | 2 ++
+ kernel/irq/irqdesc.c | 15 +++++++++------
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h
+index f09c60393e55..5fdc0b557579 100644
+--- a/kernel/irq/internals.h
++++ b/kernel/irq/internals.h
+@@ -52,6 +52,7 @@ enum {
+ * IRQS_PENDING - irq is pending and replayed later
+ * IRQS_SUSPENDED - irq is suspended
+ * IRQS_NMI - irq line is used to deliver NMIs
++ * IRQS_SYSFS - descriptor has been added to sysfs
+ */
+ enum {
+ IRQS_AUTODETECT = 0x00000001,
+@@ -64,6 +65,7 @@ enum {
+ IRQS_SUSPENDED = 0x00000800,
+ IRQS_TIMINGS = 0x00001000,
+ IRQS_NMI = 0x00002000,
++ IRQS_SYSFS = 0x00004000,
+ };
+
+ #include "debug.h"
+diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c
+index 5db0230aa6b5..c797d4054d0e 100644
+--- a/kernel/irq/irqdesc.c
++++ b/kernel/irq/irqdesc.c
+@@ -288,22 +288,25 @@ static void irq_sysfs_add(int irq, struct irq_desc *desc)
+ if (irq_kobj_base) {
+ /*
+ * Continue even in case of failure as this is nothing
+- * crucial.
++ * crucial and failures in the late irq_sysfs_init()
++ * cannot be rolled back.
+ */
+ if (kobject_add(&desc->kobj, irq_kobj_base, "%d", irq))
+ pr_warn("Failed to add kobject for irq %d\n", irq);
++ else
++ desc->istate |= IRQS_SYSFS;
+ }
+ }
+
+ static void irq_sysfs_del(struct irq_desc *desc)
+ {
+ /*
+- * If irq_sysfs_init() has not yet been invoked (early boot), then
+- * irq_kobj_base is NULL and the descriptor was never added.
+- * kobject_del() complains about a object with no parent, so make
+- * it conditional.
++ * Only invoke kobject_del() when kobject_add() was successfully
++ * invoked for the descriptor. This covers both early boot, where
++ * sysfs is not initialized yet, and the case of a failed
++ * kobject_add() invocation.
+ */
+- if (irq_kobj_base)
++ if (desc->istate & IRQS_SYSFS)
+ kobject_del(&desc->kobj);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b04fa63e83fff14c540f061390a6936f49fc8e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 13:39:02 +0100
+Subject: gpiolib: cdev: fix NULL-pointer dereferences
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit 533aae7c94dbc2b14301cfd68ae7e0e90f0c8438 ]
+
+There are several places where we can crash the kernel by requesting
+lines, unbinding the GPIO device, then calling any of the system calls
+relevant to the GPIO character device's annonymous file descriptors:
+ioctl(), read(), poll().
+
+While I observed it with the GPIO simulator, it will also happen for any
+of the GPIO devices that can be hot-unplugged - for instance any HID GPIO
+expander (e.g. CP2112).
+
+This affects both v1 and v2 uAPI.
+
+This fixes it partially by checking if gdev->chip is not NULL but it
+doesn't entirely remedy the situation as we still have a race condition
+in which another thread can remove the device after the check.
+
+Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
+Fixes: 3c0d9c635ae2 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL")
+Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL")
+Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL")
+Fixes: 7b8e00d98168 ("gpiolib: cdev: support GPIO_V2_LINE_SET_VALUES_IOCTL")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index 92f185575e94..5b647327cb7f 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -201,6 +201,9 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
+ unsigned int i;
+ int ret;
+
++ if (!lh->gdev->chip)
++ return -ENODEV;
++
+ switch (cmd) {
+ case GPIOHANDLE_GET_LINE_VALUES_IOCTL:
+ /* NOTE: It's okay to read values of output lines */
+@@ -1384,6 +1387,9 @@ static long linereq_ioctl(struct file *file, unsigned int cmd,
+ struct linereq *lr = file->private_data;
+ void __user *ip = (void __user *)arg;
+
++ if (!lr->gdev->chip)
++ return -ENODEV;
++
+ switch (cmd) {
+ case GPIO_V2_LINE_GET_VALUES_IOCTL:
+ return linereq_get_values(lr, ip);
+@@ -1410,6 +1416,9 @@ static __poll_t linereq_poll(struct file *file,
+ struct linereq *lr = file->private_data;
+ __poll_t events = 0;
+
++ if (!lr->gdev->chip)
++ return EPOLLHUP | EPOLLERR;
++
+ poll_wait(file, &lr->wait, wait);
+
+ if (!kfifo_is_empty_spinlocked_noirqsave(&lr->events,
+@@ -1429,6 +1438,9 @@ static ssize_t linereq_read(struct file *file,
+ ssize_t bytes_read = 0;
+ int ret;
+
++ if (!lr->gdev->chip)
++ return -ENODEV;
++
+ if (count < sizeof(le))
+ return -EINVAL;
+
+@@ -1698,6 +1710,9 @@ static __poll_t lineevent_poll(struct file *file,
+ struct lineevent_state *le = file->private_data;
+ __poll_t events = 0;
+
++ if (!le->gdev->chip)
++ return EPOLLHUP | EPOLLERR;
++
+ poll_wait(file, &le->wait, wait);
+
+ if (!kfifo_is_empty_spinlocked_noirqsave(&le->events, &le->wait.lock))
+@@ -1722,6 +1737,9 @@ static ssize_t lineevent_read(struct file *file,
+ ssize_t ge_size;
+ int ret;
+
++ if (!le->gdev->chip)
++ return -ENODEV;
++
+ /*
+ * When compatible system call is being used the struct gpioevent_data,
+ * in case of at least ia32, has different size due to the alignment
+@@ -1803,6 +1821,9 @@ static long lineevent_ioctl(struct file *file, unsigned int cmd,
+ void __user *ip = (void __user *)arg;
+ struct gpiohandle_data ghd;
+
++ if (!le->gdev->chip)
++ return -ENODEV;
++
+ /*
+ * We can get the value for an event line but not set it,
+ * because it is input by definition.
+@@ -2389,6 +2410,9 @@ static __poll_t lineinfo_watch_poll(struct file *file,
+ struct gpio_chardev_data *cdev = file->private_data;
+ __poll_t events = 0;
+
++ if (!cdev->gdev->chip)
++ return EPOLLHUP | EPOLLERR;
++
+ poll_wait(file, &cdev->wait, pollt);
+
+ if (!kfifo_is_empty_spinlocked_noirqsave(&cdev->events,
+@@ -2407,6 +2431,9 @@ static ssize_t lineinfo_watch_read(struct file *file, char __user *buf,
+ int ret;
+ size_t event_size;
+
++ if (!cdev->gdev->chip)
++ return -ENODEV;
++
+ #ifndef CONFIG_GPIO_CDEV_V1
+ event_size = sizeof(struct gpio_v2_line_info_changed);
+ if (count < event_size)
+--
+2.35.1
+
--- /dev/null
+From 3e244b4939c777c0f05791406b9b12cfb19555ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 13:39:03 +0100
+Subject: gpiolib: protect the GPIO device against being dropped while in use
+ by user-space
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit bdbbae241a04f387ba910b8609f95fad5f1470c7 ]
+
+While any of the GPIO cdev syscalls is in progress, the kernel can call
+gpiochip_remove() (for instance, when a USB GPIO expander is disconnected)
+which will set gdev->chip to NULL after which any subsequent access will
+cause a crash.
+
+To avoid that: use an RW-semaphore in which the syscalls take it for
+reading (so that we don't needlessly prohibit the user-space from calling
+syscalls simultaneously) while gpiochip_remove() takes it for writing so
+that it can only happen once all syscalls return.
+
+Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
+Fixes: 3c0d9c635ae2 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL")
+Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL")
+Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL")
+Fixes: 7b8e00d98168 ("gpiolib: cdev: support GPIO_V2_LINE_SET_VALUES_IOCTL")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+[Nick: fixed a build failure with CDEV_V1 disabled]
+Co-authored-by: Nick Hainke <vincent@systemli.org>
+Reviewed-by: Kent Gibson <warthog618@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 177 +++++++++++++++++++++++++++++++-----
+ drivers/gpio/gpiolib.c | 4 +
+ drivers/gpio/gpiolib.h | 5 +
+ 3 files changed, 161 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index 5b647327cb7f..12e068dc60bc 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -55,6 +55,50 @@ static_assert(IS_ALIGNED(sizeof(struct gpio_v2_line_values), 8));
+ * interface to gpiolib GPIOs via ioctl()s.
+ */
+
++typedef __poll_t (*poll_fn)(struct file *, struct poll_table_struct *);
++typedef long (*ioctl_fn)(struct file *, unsigned int, unsigned long);
++typedef ssize_t (*read_fn)(struct file *, char __user *,
++ size_t count, loff_t *);
++
++static __poll_t call_poll_locked(struct file *file,
++ struct poll_table_struct *wait,
++ struct gpio_device *gdev, poll_fn func)
++{
++ __poll_t ret;
++
++ down_read(&gdev->sem);
++ ret = func(file, wait);
++ up_read(&gdev->sem);
++
++ return ret;
++}
++
++static long call_ioctl_locked(struct file *file, unsigned int cmd,
++ unsigned long arg, struct gpio_device *gdev,
++ ioctl_fn func)
++{
++ long ret;
++
++ down_read(&gdev->sem);
++ ret = func(file, cmd, arg);
++ up_read(&gdev->sem);
++
++ return ret;
++}
++
++static ssize_t call_read_locked(struct file *file, char __user *buf,
++ size_t count, loff_t *f_ps,
++ struct gpio_device *gdev, read_fn func)
++{
++ ssize_t ret;
++
++ down_read(&gdev->sem);
++ ret = func(file, buf, count, f_ps);
++ up_read(&gdev->sem);
++
++ return ret;
++}
++
+ /*
+ * GPIO line handle management
+ */
+@@ -191,8 +235,8 @@ static long linehandle_set_config(struct linehandle_state *lh,
+ return 0;
+ }
+
+-static long linehandle_ioctl(struct file *file, unsigned int cmd,
+- unsigned long arg)
++static long linehandle_ioctl_unlocked(struct file *file, unsigned int cmd,
++ unsigned long arg)
+ {
+ struct linehandle_state *lh = file->private_data;
+ void __user *ip = (void __user *)arg;
+@@ -250,6 +294,15 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
+ }
+ }
+
++static long linehandle_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct linehandle_state *lh = file->private_data;
++
++ return call_ioctl_locked(file, cmd, arg, lh->gdev,
++ linehandle_ioctl_unlocked);
++}
++
+ #ifdef CONFIG_COMPAT
+ static long linehandle_ioctl_compat(struct file *file, unsigned int cmd,
+ unsigned long arg)
+@@ -1381,8 +1434,8 @@ static long linereq_set_config(struct linereq *lr, void __user *ip)
+ return ret;
+ }
+
+-static long linereq_ioctl(struct file *file, unsigned int cmd,
+- unsigned long arg)
++static long linereq_ioctl_unlocked(struct file *file, unsigned int cmd,
++ unsigned long arg)
+ {
+ struct linereq *lr = file->private_data;
+ void __user *ip = (void __user *)arg;
+@@ -1402,6 +1455,15 @@ static long linereq_ioctl(struct file *file, unsigned int cmd,
+ }
+ }
+
++static long linereq_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct linereq *lr = file->private_data;
++
++ return call_ioctl_locked(file, cmd, arg, lr->gdev,
++ linereq_ioctl_unlocked);
++}
++
+ #ifdef CONFIG_COMPAT
+ static long linereq_ioctl_compat(struct file *file, unsigned int cmd,
+ unsigned long arg)
+@@ -1410,8 +1472,8 @@ static long linereq_ioctl_compat(struct file *file, unsigned int cmd,
+ }
+ #endif
+
+-static __poll_t linereq_poll(struct file *file,
+- struct poll_table_struct *wait)
++static __poll_t linereq_poll_unlocked(struct file *file,
++ struct poll_table_struct *wait)
+ {
+ struct linereq *lr = file->private_data;
+ __poll_t events = 0;
+@@ -1428,10 +1490,16 @@ static __poll_t linereq_poll(struct file *file,
+ return events;
+ }
+
+-static ssize_t linereq_read(struct file *file,
+- char __user *buf,
+- size_t count,
+- loff_t *f_ps)
++static __poll_t linereq_poll(struct file *file,
++ struct poll_table_struct *wait)
++{
++ struct linereq *lr = file->private_data;
++
++ return call_poll_locked(file, wait, lr->gdev, linereq_poll_unlocked);
++}
++
++static ssize_t linereq_read_unlocked(struct file *file, char __user *buf,
++ size_t count, loff_t *f_ps)
+ {
+ struct linereq *lr = file->private_data;
+ struct gpio_v2_line_event le;
+@@ -1485,6 +1553,15 @@ static ssize_t linereq_read(struct file *file,
+ return bytes_read;
+ }
+
++static ssize_t linereq_read(struct file *file, char __user *buf,
++ size_t count, loff_t *f_ps)
++{
++ struct linereq *lr = file->private_data;
++
++ return call_read_locked(file, buf, count, f_ps, lr->gdev,
++ linereq_read_unlocked);
++}
++
+ static void linereq_free(struct linereq *lr)
+ {
+ unsigned int i;
+@@ -1704,8 +1781,8 @@ struct lineevent_state {
+ (GPIOEVENT_REQUEST_RISING_EDGE | \
+ GPIOEVENT_REQUEST_FALLING_EDGE)
+
+-static __poll_t lineevent_poll(struct file *file,
+- struct poll_table_struct *wait)
++static __poll_t lineevent_poll_unlocked(struct file *file,
++ struct poll_table_struct *wait)
+ {
+ struct lineevent_state *le = file->private_data;
+ __poll_t events = 0;
+@@ -1721,15 +1798,21 @@ static __poll_t lineevent_poll(struct file *file,
+ return events;
+ }
+
++static __poll_t lineevent_poll(struct file *file,
++ struct poll_table_struct *wait)
++{
++ struct lineevent_state *le = file->private_data;
++
++ return call_poll_locked(file, wait, le->gdev, lineevent_poll_unlocked);
++}
++
+ struct compat_gpioeevent_data {
+ compat_u64 timestamp;
+ u32 id;
+ };
+
+-static ssize_t lineevent_read(struct file *file,
+- char __user *buf,
+- size_t count,
+- loff_t *f_ps)
++static ssize_t lineevent_read_unlocked(struct file *file, char __user *buf,
++ size_t count, loff_t *f_ps)
+ {
+ struct lineevent_state *le = file->private_data;
+ struct gpioevent_data ge;
+@@ -1797,6 +1880,15 @@ static ssize_t lineevent_read(struct file *file,
+ return bytes_read;
+ }
+
++static ssize_t lineevent_read(struct file *file, char __user *buf,
++ size_t count, loff_t *f_ps)
++{
++ struct lineevent_state *le = file->private_data;
++
++ return call_read_locked(file, buf, count, f_ps, le->gdev,
++ lineevent_read_unlocked);
++}
++
+ static void lineevent_free(struct lineevent_state *le)
+ {
+ if (le->irq)
+@@ -1814,8 +1906,8 @@ static int lineevent_release(struct inode *inode, struct file *file)
+ return 0;
+ }
+
+-static long lineevent_ioctl(struct file *file, unsigned int cmd,
+- unsigned long arg)
++static long lineevent_ioctl_unlocked(struct file *file, unsigned int cmd,
++ unsigned long arg)
+ {
+ struct lineevent_state *le = file->private_data;
+ void __user *ip = (void __user *)arg;
+@@ -1846,6 +1938,15 @@ static long lineevent_ioctl(struct file *file, unsigned int cmd,
+ return -EINVAL;
+ }
+
++static long lineevent_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct lineevent_state *le = file->private_data;
++
++ return call_ioctl_locked(file, cmd, arg, le->gdev,
++ lineevent_ioctl_unlocked);
++}
++
+ #ifdef CONFIG_COMPAT
+ static long lineevent_ioctl_compat(struct file *file, unsigned int cmd,
+ unsigned long arg)
+@@ -2404,8 +2505,8 @@ static int lineinfo_changed_notify(struct notifier_block *nb,
+ return NOTIFY_OK;
+ }
+
+-static __poll_t lineinfo_watch_poll(struct file *file,
+- struct poll_table_struct *pollt)
++static __poll_t lineinfo_watch_poll_unlocked(struct file *file,
++ struct poll_table_struct *pollt)
+ {
+ struct gpio_chardev_data *cdev = file->private_data;
+ __poll_t events = 0;
+@@ -2422,8 +2523,17 @@ static __poll_t lineinfo_watch_poll(struct file *file,
+ return events;
+ }
+
+-static ssize_t lineinfo_watch_read(struct file *file, char __user *buf,
+- size_t count, loff_t *off)
++static __poll_t lineinfo_watch_poll(struct file *file,
++ struct poll_table_struct *pollt)
++{
++ struct gpio_chardev_data *cdev = file->private_data;
++
++ return call_poll_locked(file, pollt, cdev->gdev,
++ lineinfo_watch_poll_unlocked);
++}
++
++static ssize_t lineinfo_watch_read_unlocked(struct file *file, char __user *buf,
++ size_t count, loff_t *off)
+ {
+ struct gpio_chardev_data *cdev = file->private_data;
+ struct gpio_v2_line_info_changed event;
+@@ -2501,6 +2611,15 @@ static ssize_t lineinfo_watch_read(struct file *file, char __user *buf,
+ return bytes_read;
+ }
+
++static ssize_t lineinfo_watch_read(struct file *file, char __user *buf,
++ size_t count, loff_t *off)
++{
++ struct gpio_chardev_data *cdev = file->private_data;
++
++ return call_read_locked(file, buf, count, off, cdev->gdev,
++ lineinfo_watch_read_unlocked);
++}
++
+ /**
+ * gpio_chrdev_open() - open the chardev for ioctl operations
+ * @inode: inode for this chardev
+@@ -2514,13 +2633,17 @@ static int gpio_chrdev_open(struct inode *inode, struct file *file)
+ struct gpio_chardev_data *cdev;
+ int ret = -ENOMEM;
+
++ down_read(&gdev->sem);
++
+ /* Fail on open if the backing gpiochip is gone */
+- if (!gdev->chip)
+- return -ENODEV;
++ if (!gdev->chip) {
++ ret = -ENODEV;
++ goto out_unlock;
++ }
+
+ cdev = kzalloc(sizeof(*cdev), GFP_KERNEL);
+ if (!cdev)
+- return -ENOMEM;
++ goto out_unlock;
+
+ cdev->watched_lines = bitmap_zalloc(gdev->chip->ngpio, GFP_KERNEL);
+ if (!cdev->watched_lines)
+@@ -2543,6 +2666,8 @@ static int gpio_chrdev_open(struct inode *inode, struct file *file)
+ if (ret)
+ goto out_unregister_notifier;
+
++ up_read(&gdev->sem);
++
+ return ret;
+
+ out_unregister_notifier:
+@@ -2552,6 +2677,8 @@ static int gpio_chrdev_open(struct inode *inode, struct file *file)
+ bitmap_free(cdev->watched_lines);
+ out_free_cdev:
+ kfree(cdev);
++out_unlock:
++ up_read(&gdev->sem);
+ return ret;
+ }
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index eb7d00608c7f..2adca7c2dd5c 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -735,6 +735,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ spin_unlock_irqrestore(&gpio_lock, flags);
+
+ BLOCKING_INIT_NOTIFIER_HEAD(&gdev->notifier);
++ init_rwsem(&gdev->sem);
+
+ #ifdef CONFIG_PINCTRL
+ INIT_LIST_HEAD(&gdev->pin_ranges);
+@@ -875,6 +876,8 @@ void gpiochip_remove(struct gpio_chip *gc)
+ unsigned long flags;
+ unsigned int i;
+
++ down_write(&gdev->sem);
++
+ /* FIXME: should the legacy sysfs handling be moved to gpio_device? */
+ gpiochip_sysfs_unregister(gdev);
+ gpiochip_free_hogs(gc);
+@@ -909,6 +912,7 @@ void gpiochip_remove(struct gpio_chip *gc)
+ * gone.
+ */
+ gcdev_unregister(gdev);
++ up_write(&gdev->sem);
+ put_device(&gdev->dev);
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_remove);
+diff --git a/drivers/gpio/gpiolib.h b/drivers/gpio/gpiolib.h
+index d900ecdbac46..9ad68a0adf4a 100644
+--- a/drivers/gpio/gpiolib.h
++++ b/drivers/gpio/gpiolib.h
+@@ -15,6 +15,7 @@
+ #include <linux/device.h>
+ #include <linux/module.h>
+ #include <linux/cdev.h>
++#include <linux/rwsem.h>
+
+ #define GPIOCHIP_NAME "gpiochip"
+
+@@ -39,6 +40,9 @@
+ * @list: links gpio_device:s together for traversal
+ * @notifier: used to notify subscribers about lines being requested, released
+ * or reconfigured
++ * @sem: protects the structure from a NULL-pointer dereference of @chip by
++ * user-space operations when the device gets unregistered during
++ * a hot-unplug event
+ * @pin_ranges: range of pins served by the GPIO driver
+ *
+ * This state container holds most of the runtime variable data
+@@ -60,6 +64,7 @@ struct gpio_device {
+ void *data;
+ struct list_head list;
+ struct blocking_notifier_head notifier;
++ struct rw_semaphore sem;
+
+ #ifdef CONFIG_PINCTRL
+ /*
+--
+2.35.1
+
--- /dev/null
+From 8618d0e0a1292d853a50af755b547cc0967252f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 09:06:10 -0700
+Subject: hamradio: baycom_epp: Fix return type of baycom_send_packet()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit c5733e5b15d91ab679646ec3149e192996a27d5d ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/net/hamradio/baycom_epp.c:1119:25: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .ndo_start_xmit = baycom_send_packet,
+ ^~~~~~~~~~~~~~~~~~
+ 1 error generated.
+
+->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
+'netdev_tx_t', not 'int'. Adjust the return type of baycom_send_packet()
+to match the prototype's to resolve the warning and CFI failure.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221102160610.1186145-1-nathan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/baycom_epp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hamradio/baycom_epp.c b/drivers/net/hamradio/baycom_epp.c
+index 3e69079ed694..94720f8a8ba5 100644
+--- a/drivers/net/hamradio/baycom_epp.c
++++ b/drivers/net/hamradio/baycom_epp.c
+@@ -758,7 +758,7 @@ static void epp_bh(struct work_struct *work)
+ * ===================== network driver interface =========================
+ */
+
+-static int baycom_send_packet(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t baycom_send_packet(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct baycom_state *bc = netdev_priv(dev);
+
+--
+2.35.1
+
--- /dev/null
+From e157680fcba85de8c7588c01925473c7ff42094f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 22:21:46 +0800
+Subject: hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3727f742915f04f6fc550b80cf406999bd4e90d0 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
+The difference between them is free reason, dev_kfree_skb_irq() means
+the SKB is dropped in error and dev_consume_skb_irq() means the SKB
+is consumed in normal.
+
+In scc_discard_buffers(), dev_kfree_skb() is called to discard the SKBs,
+so replace it with dev_kfree_skb_irq().
+
+In scc_net_tx(), dev_kfree_skb() is called to drop the SKB that exceed
+queue length, so replace it with dev_kfree_skb_irq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/scc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/hamradio/scc.c b/drivers/net/hamradio/scc.c
+index f90830d3dfa6..a9184a78650b 100644
+--- a/drivers/net/hamradio/scc.c
++++ b/drivers/net/hamradio/scc.c
+@@ -302,12 +302,12 @@ static inline void scc_discard_buffers(struct scc_channel *scc)
+ spin_lock_irqsave(&scc->lock, flags);
+ if (scc->tx_buff != NULL)
+ {
+- dev_kfree_skb(scc->tx_buff);
++ dev_kfree_skb_irq(scc->tx_buff);
+ scc->tx_buff = NULL;
+ }
+
+ while (!skb_queue_empty(&scc->tx_queue))
+- dev_kfree_skb(skb_dequeue(&scc->tx_queue));
++ dev_kfree_skb_irq(skb_dequeue(&scc->tx_queue));
+
+ spin_unlock_irqrestore(&scc->lock, flags);
+ }
+@@ -1668,7 +1668,7 @@ static netdev_tx_t scc_net_tx(struct sk_buff *skb, struct net_device *dev)
+ if (skb_queue_len(&scc->tx_queue) > scc->dev->tx_queue_len) {
+ struct sk_buff *skb_del;
+ skb_del = skb_dequeue(&scc->tx_queue);
+- dev_kfree_skb(skb_del);
++ dev_kfree_skb_irq(skb_del);
+ }
+ skb_queue_tail(&scc->tx_queue, skb);
+ netif_trans_update(dev);
+--
+2.35.1
+
--- /dev/null
+From bb981c0d022b97727236a32c6db2169ce55faa97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 06:59:59 +0000
+Subject: hfs: fix OOB Read in __hfs_brec_find
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+[ Upstream commit 8d824e69d9f3fa3121b2dda25053bae71e2460d2 ]
+
+Syzbot reported a OOB read bug:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190
+fs/hfs/string.c:84
+Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11
+CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted
+6.1.0-rc6-syzkaller-00308-g644e9524388a #0
+Workqueue: writeback wb_workfn (flush-7:0)
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
+ print_address_description+0x74/0x340 mm/kasan/report.c:284
+ print_report+0x107/0x1f0 mm/kasan/report.c:395
+ kasan_report+0xcd/0x100 mm/kasan/report.c:495
+ hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
+ __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75
+ hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138
+ hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462
+ write_inode fs/fs-writeback.c:1440 [inline]
+
+If the input inode of hfs_write_inode() is incorrect:
+struct inode
+ struct hfs_inode_info
+ struct hfs_cat_key
+ struct hfs_name
+ u8 len # len is greater than HFS_NAMELEN(31) which is the
+maximum length of an HFS filename
+
+OOB read occurred:
+hfs_write_inode()
+ hfs_brec_find()
+ __hfs_brec_find()
+ hfs_cat_keycmp()
+ hfs_strcmp() # OOB read occurred due to len is too large
+
+Fix this by adding a Check on len in hfs_write_inode() before calling
+hfs_brec_find().
+
+Link: https://lkml.kernel.org/r/20221130065959.2168236-1-zhangpeng362@huawei.com
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Reported-by: <syzbot+e836ff7133ac02be825f@syzkaller.appspotmail.com>
+Cc: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Jeff Layton <jlayton@kernel.org>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Nanyong Sun <sunnanyong@huawei.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
+index c4526f16355d..a0746be3c1de 100644
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -458,6 +458,8 @@ int hfs_write_inode(struct inode *inode, struct writeback_control *wbc)
+ /* panic? */
+ return -EIO;
+
++ if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN)
++ return -EIO;
+ fd.search_key->cat = HFS_I(main_inode)->cat_key;
+ if (hfs_brec_find(&fd))
+ /* panic? */
+--
+2.35.1
+
--- /dev/null
+From d77d3a5f563ce2cde9221c5d544ccb49610b337b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 03:00:38 +0000
+Subject: hfs: Fix OOB Write in hfs_asc2mac
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+[ Upstream commit c53ed55cb275344086e32a7080a6b19cb183650b ]
+
+Syzbot reported a OOB Write bug:
+
+loop0: detected capacity change from 0 to 64
+==================================================================
+BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0
+fs/hfs/trans.c:133
+Write of size 1 at addr ffff88801848314e by task syz-executor391/3632
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
+ print_address_description+0x74/0x340 mm/kasan/report.c:284
+ print_report+0x107/0x1f0 mm/kasan/report.c:395
+ kasan_report+0xcd/0x100 mm/kasan/report.c:495
+ hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133
+ hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28
+ hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31
+ lookup_open fs/namei.c:3391 [inline]
+ open_last_lookups fs/namei.c:3481 [inline]
+ path_openat+0x10e6/0x2df0 fs/namei.c:3710
+ do_filp_open+0x264/0x4f0 fs/namei.c:3740
+
+If in->len is much larger than HFS_NAMELEN(31) which is the maximum
+length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In
+that case, when the dst reaches the boundary, the srclen is still
+greater than 0, which causes a OOB write.
+Fix this by adding a check on dstlen in while() before writing to dst
+address.
+
+Link: https://lkml.kernel.org/r/20221202030038.1391945-1-zhangpeng362@huawei.com
+Fixes: 328b92278650 ("[PATCH] hfs: NLS support")
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Reported-by: <syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/trans.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c
+index 39f5e343bf4d..fdb0edb8a607 100644
+--- a/fs/hfs/trans.c
++++ b/fs/hfs/trans.c
+@@ -109,7 +109,7 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr
+ if (nls_io) {
+ wchar_t ch;
+
+- while (srclen > 0) {
++ while (srclen > 0 && dstlen > 0) {
+ size = nls_io->char2uni(src, srclen, &ch);
+ if (size < 0) {
+ ch = '?';
+--
+2.35.1
+
--- /dev/null
+From ebdae2272405c01aa2f013c63be59b0c0748296b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Dec 2022 10:49:21 +0800
+Subject: HID: amd_sfh: Add missing check for dma_alloc_coherent
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 53ffa6a9f83b2170c60591da1ead8791d5a42e81 ]
+
+Add check for the return value of the dma_alloc_coherent since
+it may return NULL pointer if allocation fails.
+
+Fixes: 4b2c53d93a4b ("SFH:Transport Driver to add support of AMD Sensor Fusion Hub (SFH)")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20221220024921.21992-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_client.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_client.c b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+index 8275bba63611..ab125f79408f 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_client.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+@@ -237,6 +237,10 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ in_data->sensor_virt_addr[i] = dma_alloc_coherent(dev, sizeof(int) * 8,
+ &cl_data->sensor_dma_addr[i],
+ GFP_KERNEL);
++ if (!in_data->sensor_virt_addr[i]) {
++ rc = -ENOMEM;
++ goto cleanup;
++ }
+ cl_data->sensor_sts[i] = SENSOR_DISABLED;
+ cl_data->sensor_requested_cnt[i] = 0;
+ cl_data->cur_hid_dev = i;
+--
+2.35.1
+
--- /dev/null
+From 71c62e185e5f5a8939a03c0e7381d9a25dd2012b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 12:53:06 +0300
+Subject: HID: apple: enable APPLE_ISO_TILDE_QUIRK for the keyboards of Macs
+ with the T2 chip
+
+From: Kerem Karabay <kekrby@gmail.com>
+
+[ Upstream commit 084bc074c231e716cbcb9e8f9db05b17fd3563cf ]
+
+The iso_layout parameter must be manually set to get the driver to
+swap KEY_102ND and KEY_GRAVE. This patch eliminates the need to do that.
+
+This is safe to do, as Macs with keyboards that do not need the quirk
+will keep working the same way as the value of hid->country will be
+different than HID_COUNTRY_INTERNATIONAL_ISO. This was tested by one
+person with a Mac with the WELLSPRINGT2_J152F keyboard with a layout
+that does not require the quirk to be set.
+
+Signed-off-by: Kerem Karabay <kekrby@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-apple.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
+index e86bbf85b87e..c671ce94671c 100644
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -997,21 +997,21 @@ static const struct hid_device_id apple_devices[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING9_JIS),
+ .driver_data = APPLE_HAS_FN | APPLE_RDESC_JIS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRINGT2_J140K),
+- .driver_data = APPLE_HAS_FN | APPLE_BACKLIGHT_CTL },
++ .driver_data = APPLE_HAS_FN | APPLE_BACKLIGHT_CTL | APPLE_ISO_TILDE_QUIRK },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRINGT2_J132),
+- .driver_data = APPLE_HAS_FN | APPLE_BACKLIGHT_CTL },
++ .driver_data = APPLE_HAS_FN | APPLE_BACKLIGHT_CTL | APPLE_ISO_TILDE_QUIRK },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRINGT2_J680),
+- .driver_data = APPLE_HAS_FN | APPLE_BACKLIGHT_CTL },
++ .driver_data = APPLE_HAS_FN | APPLE_BACKLIGHT_CTL | APPLE_ISO_TILDE_QUIRK },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRINGT2_J213),
+- .driver_data = APPLE_HAS_FN | APPLE_BACKLIGHT_CTL },
++ .driver_data = APPLE_HAS_FN | APPLE_BACKLIGHT_CTL | APPLE_ISO_TILDE_QUIRK },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRINGT2_J214K),
+- .driver_data = APPLE_HAS_FN },
++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRINGT2_J223),
+- .driver_data = APPLE_HAS_FN },
++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRINGT2_J230K),
+- .driver_data = APPLE_HAS_FN },
++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRINGT2_J152F),
+- .driver_data = APPLE_HAS_FN },
++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK },
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ANSI),
+ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN },
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ISO),
+--
+2.35.1
+
--- /dev/null
+From 00d22e3081b7a37084dc09910af59449ec09396e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 12:53:05 +0300
+Subject: HID: apple: fix key translations where multiple quirks attempt to
+ translate the same key
+
+From: Kerem Karabay <kekrby@gmail.com>
+
+[ Upstream commit 5476fcf7f7b901db1cea92acb1abdd12609e30e1 ]
+
+The hid-apple driver does not support chaining translations or
+dependencies on other translations. This creates two problems:
+
+1 - In Non-English keyboards of Macs, KEY_102ND and KEY_GRAVE are
+swapped and the APPLE_ISO_TILDE_QUIRK is used to work around this
+problem. The quirk is not set for the Macs where these bugs happen yet
+(see the 2nd patch for that), but this can be forced by setting the
+iso_layout parameter. Unfortunately, this only partially works.
+KEY_102ND gets translated to KEY_GRAVE, but KEY_GRAVE does not get
+translated to KEY_102ND, so both of them end up functioning as
+KEY_GRAVE. This is because the driver translates the keys as if Fn was
+pressed and the original is sent if it is not pressed, without any
+further translations happening on the key[#463]. KEY_GRAVE is present at
+macbookpro_no_esc_fn_keys[#195], so this is what happens:
+
+ - KEY_GRAVE -> KEY_ESC (as if Fn is pressed)
+ - KEY_GRAVE is returned (Fn isn't pressed, so translation is discarded)
+ - KEY_GRAVE -> KEY_102ND (this part is not reached!)
+ ...
+
+2 - In case the touchbar does not work, the driver supports sending
+Escape when Fn+KEY_GRAVE is pressed. As mentioned previously, KEY_102ND
+is actually KEY_GRAVE and needs to be translated before this happens.
+
+Normally, these are the steps that should happen:
+
+ - KEY_102ND -> KEY_GRAVE
+ - KEY_GRAVE -> KEY_ESC (Fn is pressed)
+ - KEY_ESC is returned
+
+Though this is what happens instead, as dependencies on other
+translations are not supported:
+
+ - KEY_102ND -> KEY_ESC (Fn is pressed)
+ - KEY_ESC is returned
+
+This patch fixes both bugs by ordering the translations correctly and by
+making the translations continue and not return immediately after
+translating a key so that chained translations work and translations can
+depend on other ones.
+
+This patch also simplifies the implementation of the swap_fn_leftctrl
+option a little bit, as it makes it simply use a normal translation
+instead adding extra code to translate a key to KEY_FN[#381]. This change
+wasn't put in another patch as the code that translates the Fn key needs
+to be changed because of the changes in the patch, and those changes
+would be discarded with the next patch anyway (the part that originally
+translates KEY_FN to KEY_LEFTCTRL needs to be made an else-if branch of
+the part that transltes KEY_LEFTCTRL to KEY_FN).
+
+Note: Line numbers (#XYZ) are for drivers/hid/hid-apple.c at commit
+20afcc462579 ("HID: apple: Add "GANSS" to the non-Apple list").
+
+Note: These bugs are only present on Macs with a keyboard with no
+dedicated escape key and a non-English layout.
+
+Signed-off-by: Kerem Karabay <kekrby@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-apple.c | 102 +++++++++++++++++-----------------------
+ 1 file changed, 44 insertions(+), 58 deletions(-)
+
+diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
+index 6970797cdc56..e86bbf85b87e 100644
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -314,6 +314,7 @@ static const struct apple_key_translation swapped_option_cmd_keys[] = {
+
+ static const struct apple_key_translation swapped_fn_leftctrl_keys[] = {
+ { KEY_FN, KEY_LEFTCTRL },
++ { KEY_LEFTCTRL, KEY_FN },
+ { }
+ };
+
+@@ -375,24 +376,40 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
+ struct apple_sc *asc = hid_get_drvdata(hid);
+ const struct apple_key_translation *trans, *table;
+ bool do_translate;
+- u16 code = 0;
++ u16 code = usage->code;
+ unsigned int real_fnmode;
+
+- u16 fn_keycode = (swap_fn_leftctrl) ? (KEY_LEFTCTRL) : (KEY_FN);
+-
+- if (usage->code == fn_keycode) {
+- asc->fn_on = !!value;
+- input_event_with_scancode(input, usage->type, KEY_FN,
+- usage->hid, value);
+- return 1;
+- }
+-
+ if (fnmode == 3) {
+ real_fnmode = (asc->quirks & APPLE_IS_NON_APPLE) ? 2 : 1;
+ } else {
+ real_fnmode = fnmode;
+ }
+
++ if (swap_fn_leftctrl) {
++ trans = apple_find_translation(swapped_fn_leftctrl_keys, code);
++
++ if (trans)
++ code = trans->to;
++ }
++
++ if (iso_layout > 0 || (iso_layout < 0 && (asc->quirks & APPLE_ISO_TILDE_QUIRK) &&
++ hid->country == HID_COUNTRY_INTERNATIONAL_ISO)) {
++ trans = apple_find_translation(apple_iso_keyboard, code);
++
++ if (trans)
++ code = trans->to;
++ }
++
++ if (swap_opt_cmd) {
++ trans = apple_find_translation(swapped_option_cmd_keys, code);
++
++ if (trans)
++ code = trans->to;
++ }
++
++ if (code == KEY_FN)
++ asc->fn_on = !!value;
++
+ if (real_fnmode) {
+ if (hid->product == USB_DEVICE_ID_APPLE_ALU_WIRELESS_ANSI ||
+ hid->product == USB_DEVICE_ID_APPLE_ALU_WIRELESS_ISO ||
+@@ -430,15 +447,18 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
+ else
+ table = apple_fn_keys;
+
+- trans = apple_find_translation (table, usage->code);
++ trans = apple_find_translation(table, code);
+
+ if (trans) {
+- if (test_bit(trans->from, input->key))
++ bool from_is_set = test_bit(trans->from, input->key);
++ bool to_is_set = test_bit(trans->to, input->key);
++
++ if (from_is_set)
+ code = trans->from;
+- else if (test_bit(trans->to, input->key))
++ else if (to_is_set)
+ code = trans->to;
+
+- if (!code) {
++ if (!(from_is_set || to_is_set)) {
+ if (trans->flags & APPLE_FLAG_FKEY) {
+ switch (real_fnmode) {
+ case 1:
+@@ -455,62 +475,31 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
+ do_translate = asc->fn_on;
+ }
+
+- code = do_translate ? trans->to : trans->from;
++ if (do_translate)
++ code = trans->to;
+ }
+-
+- input_event_with_scancode(input, usage->type, code,
+- usage->hid, value);
+- return 1;
+ }
+
+ if (asc->quirks & APPLE_NUMLOCK_EMULATION &&
+- (test_bit(usage->code, asc->pressed_numlock) ||
++ (test_bit(code, asc->pressed_numlock) ||
+ test_bit(LED_NUML, input->led))) {
+- trans = apple_find_translation(powerbook_numlock_keys,
+- usage->code);
++ trans = apple_find_translation(powerbook_numlock_keys, code);
+
+ if (trans) {
+ if (value)
+- set_bit(usage->code,
+- asc->pressed_numlock);
++ set_bit(code, asc->pressed_numlock);
+ else
+- clear_bit(usage->code,
+- asc->pressed_numlock);
++ clear_bit(code, asc->pressed_numlock);
+
+- input_event_with_scancode(input, usage->type,
+- trans->to, usage->hid, value);
++ code = trans->to;
+ }
+-
+- return 1;
+ }
+ }
+
+- if (iso_layout > 0 || (iso_layout < 0 && (asc->quirks & APPLE_ISO_TILDE_QUIRK) &&
+- hid->country == HID_COUNTRY_INTERNATIONAL_ISO)) {
+- trans = apple_find_translation(apple_iso_keyboard, usage->code);
+- if (trans) {
+- input_event_with_scancode(input, usage->type,
+- trans->to, usage->hid, value);
+- return 1;
+- }
+- }
++ if (usage->code != code) {
++ input_event_with_scancode(input, usage->type, code, usage->hid, value);
+
+- if (swap_opt_cmd) {
+- trans = apple_find_translation(swapped_option_cmd_keys, usage->code);
+- if (trans) {
+- input_event_with_scancode(input, usage->type,
+- trans->to, usage->hid, value);
+- return 1;
+- }
+- }
+-
+- if (swap_fn_leftctrl) {
+- trans = apple_find_translation(swapped_fn_leftctrl_keys, usage->code);
+- if (trans) {
+- input_event_with_scancode(input, usage->type,
+- trans->to, usage->hid, value);
+- return 1;
+- }
++ return 1;
+ }
+
+ return 0;
+@@ -640,9 +629,6 @@ static void apple_setup_input(struct input_dev *input)
+ apple_setup_key_translation(input, apple2021_fn_keys);
+ apple_setup_key_translation(input, macbookpro_no_esc_fn_keys);
+ apple_setup_key_translation(input, macbookpro_dedicated_esc_fn_keys);
+-
+- if (swap_fn_leftctrl)
+- apple_setup_key_translation(input, swapped_fn_leftctrl_keys);
+ }
+
+ static int apple_input_mapping(struct hid_device *hdev, struct hid_input *hi,
+--
+2.35.1
+
--- /dev/null
+From caf64aef1bd4bdc71646e501be16377673876b84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 13:13:26 +0100
+Subject: HID: hid-sensor-custom: set fixed size for custom attributes
+
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+
+[ Upstream commit 9d013910df22de91333a0acc81d1dbb115bd76f6 ]
+
+This is no bugfix (so no Fixes: tag is necessary) as it is
+taken care of in hid_sensor_custom_add_attributes().
+
+The motivation for this patch is that:
+hid_sensor_custom_field.attr_name and
+hid_sensor_custom_field.attrs
+has the size of HID_CUSTOM_TOTAL_ATTRS and used in same context.
+
+We compare against HID_CUSTOM_TOTAL_ATTRS when
+looping through hid_custom_attrs.
+
+We will silent the smatch error:
+hid_sensor_custom_add_attributes() error: buffer overflow
+'hid_custom_attrs' 8 <= 10
+
+Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
+Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-sensor-custom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
+index 32c2306e240d..602465ad2745 100644
+--- a/drivers/hid/hid-sensor-custom.c
++++ b/drivers/hid/hid-sensor-custom.c
+@@ -62,7 +62,7 @@ struct hid_sensor_sample {
+ u32 raw_len;
+ } __packed;
+
+-static struct attribute hid_custom_attrs[] = {
++static struct attribute hid_custom_attrs[HID_CUSTOM_TOTAL_ATTRS] = {
+ {.name = "name", .mode = S_IRUGO},
+ {.name = "units", .mode = S_IRUGO},
+ {.name = "unit-expo", .mode = S_IRUGO},
+--
+2.35.1
+
--- /dev/null
+From 40820bd77582e9eeb29e9b246c22c27c35c2a8a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 09:02:45 -0800
+Subject: HID: i2c: let RMI devices decide what constitutes wakeup event
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 9984fbf55b9bd998b4ff66395cbb118020c1effa ]
+
+HID-RMI is special in the sense that it does not carry HID events
+directly, but rather uses HID protocol as a wrapper/transport for RMI
+protocol. Therefore we should not assume that all data coming from the
+device via interrupt is associated with user activity and report wakeup
+event indiscriminately, but rather let HID-RMI do that when appropriate.
+
+HID-RMI devices tag responses to the commands issued by the host as
+RMI_READ_DATA_REPORT_ID whereas motion and other input events from the
+device are tagged as RMI_ATTN_REPORT_ID. Change hid-rmi to report wakeup
+events when receiving the latter packets. This allows ChromeOS to
+accurately identify wakeup source and make correct decision on the mode
+of the resume the system should take ("dark" where the display stays off
+vs normal one).
+
+Fixes: d951ae1ce803 ("HID: i2c-hid: Report wakeup events")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-rmi.c | 2 ++
+ drivers/hid/i2c-hid/i2c-hid-core.c | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
+index 311eee599ce9..b2bf588d18c3 100644
+--- a/drivers/hid/hid-rmi.c
++++ b/drivers/hid/hid-rmi.c
+@@ -327,6 +327,8 @@ static int rmi_input_event(struct hid_device *hdev, u8 *data, int size)
+ if (!(test_bit(RMI_STARTED, &hdata->flags)))
+ return 0;
+
++ pm_wakeup_event(hdev->dev.parent, 0);
++
+ local_irq_save(flags);
+
+ rmi_set_attn_data(rmi_dev, data[1], &data[2], size - 2);
+diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
+index c078f09a2318..5a365648206e 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -554,7 +554,8 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
+ i2c_hid_dbg(ihid, "input: %*ph\n", ret_size, ihid->inbuf);
+
+ if (test_bit(I2C_HID_STARTED, &ihid->flags)) {
+- pm_wakeup_event(&ihid->client->dev, 0);
++ if (ihid->hid->group != HID_GROUP_RMI)
++ pm_wakeup_event(&ihid->client->dev, 0);
+
+ hid_input_report(ihid->hid, HID_INPUT_REPORT,
+ ihid->inbuf + sizeof(__le16),
+--
+2.35.1
+
--- /dev/null
+From 809d32f750c18e9790f7e55beb6be6eead307a4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 18:12:39 +0200
+Subject: HID: input: do not query XP-PEN Deco LW battery
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit 037c1aaeb96fe5f778026f4c1ef28b26cf600bfa ]
+
+The XP-PEN Deco LW drawing tablet can be connected by USB cable or using
+a USB Bluetooth dongle. When it is connected using the dongle, there
+might be a small delay until the tablet is paired with the dongle.
+
+Fetching the device battery during this delay results in random battery
+percentage values.
+
+Add a quirk to avoid actively querying the battery percentage and wait
+for the device to report it on its own.
+
+Reported-by: Mia Kanashi <chad@redpilled.dev>
+Tested-by: Mia Kanashi <chad@redpilled.dev>
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 859aeb07542e..d728a94c642e 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -340,6 +340,7 @@ static enum power_supply_property hidinput_battery_props[] = {
+ #define HID_BATTERY_QUIRK_PERCENT (1 << 0) /* always reports percent */
+ #define HID_BATTERY_QUIRK_FEATURE (1 << 1) /* ask for feature report */
+ #define HID_BATTERY_QUIRK_IGNORE (1 << 2) /* completely ignore the battery */
++#define HID_BATTERY_QUIRK_AVOID_QUERY (1 << 3) /* do not query the battery */
+
+ static const struct hid_device_id hid_battery_quirks[] = {
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE,
+@@ -373,6 +374,8 @@ static const struct hid_device_id hid_battery_quirks[] = {
+ HID_BATTERY_QUIRK_IGNORE },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN),
+ HID_BATTERY_QUIRK_IGNORE },
++ { HID_USB_DEVICE(USB_VENDOR_ID_UGEE, USB_DEVICE_ID_UGEE_XPPEN_TABLET_DECO_L),
++ HID_BATTERY_QUIRK_AVOID_QUERY },
+ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_15),
+ HID_BATTERY_QUIRK_IGNORE },
+ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_15T_DR100),
+@@ -554,6 +557,9 @@ static int hidinput_setup_battery(struct hid_device *dev, unsigned report_type,
+ dev->battery_avoid_query = report_type == HID_INPUT_REPORT &&
+ field->physical == HID_DG_STYLUS;
+
++ if (quirks & HID_BATTERY_QUIRK_AVOID_QUERY)
++ dev->battery_avoid_query = true;
++
+ dev->battery = power_supply_register(&dev->dev, psy_desc, &psy_cfg);
+ if (IS_ERR(dev->battery)) {
+ error = PTR_ERR(dev->battery);
+--
+2.35.1
+
--- /dev/null
+From 67db158c859c2bb422575bc0780cde456e480ad1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 11:33:32 +0000
+Subject: HSI: omap_ssi_core: Fix error handling in ssi_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 3ffa9f713c39a213a08d9ff13ab983a8aa5d8b5d ]
+
+The ssi_init() returns the platform_driver_register() directly without
+checking its return value, if platform_driver_register() failed, the
+ssi_pdriver is not unregistered.
+Fix by unregister ssi_pdriver when the last platform_driver_register()
+failed.
+
+Fixes: 0fae198988b8 ("HSI: omap_ssi: built omap_ssi and omap_ssi_port into one module")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/controllers/omap_ssi_core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
+index 052cf3e92dd6..26f2c3c01297 100644
+--- a/drivers/hsi/controllers/omap_ssi_core.c
++++ b/drivers/hsi/controllers/omap_ssi_core.c
+@@ -631,7 +631,13 @@ static int __init ssi_init(void) {
+ if (ret)
+ return ret;
+
+- return platform_driver_register(&ssi_port_pdriver);
++ ret = platform_driver_register(&ssi_port_pdriver);
++ if (ret) {
++ platform_driver_unregister(&ssi_pdriver);
++ return ret;
++ }
++
++ return 0;
+ }
+ module_init(ssi_init);
+
+--
+2.35.1
+
--- /dev/null
+From 27046b2468f5d5a5a5a9fb1c1acefe27893becd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 15:43:37 +0800
+Subject: HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1aff514e1d2bd47854dbbdf867970b9d463d4c57 ]
+
+If ssi_add_controller() returns error, it should call hsi_put_controller()
+to give up the reference that was set in hsi_alloc_controller(), so that
+it can call hsi_controller_release() to free controller and ports that
+allocated in hsi_alloc_controller().
+
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/controllers/omap_ssi_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
+index b23a576ed88a..052cf3e92dd6 100644
+--- a/drivers/hsi/controllers/omap_ssi_core.c
++++ b/drivers/hsi/controllers/omap_ssi_core.c
+@@ -502,8 +502,10 @@ static int ssi_probe(struct platform_device *pd)
+ platform_set_drvdata(pd, ssi);
+
+ err = ssi_add_controller(ssi, pd);
+- if (err < 0)
++ if (err < 0) {
++ hsi_put_controller(ssi);
+ goto out1;
++ }
+
+ pm_runtime_enable(&pd->dev);
+
+--
+2.35.1
+
--- /dev/null
+From 6211b21d21af85452154e6035cb8fabaf7a285d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 11:41:18 +0800
+Subject: HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f5181c35ed7ba0ceb6e42872aad1334d994b0175 ]
+
+In error label 'out1' path in ssi_probe(), the pm_runtime_enable()
+has not been called yet, so pm_runtime_disable() is not needed.
+
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/controllers/omap_ssi_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
+index eb9820158318..b23a576ed88a 100644
+--- a/drivers/hsi/controllers/omap_ssi_core.c
++++ b/drivers/hsi/controllers/omap_ssi_core.c
+@@ -536,9 +536,9 @@ static int ssi_probe(struct platform_device *pd)
+ device_for_each_child(&pd->dev, NULL, ssi_remove_ports);
+ out2:
+ ssi_remove_controller(ssi);
++ pm_runtime_disable(&pd->dev);
+ out1:
+ platform_set_drvdata(pd, NULL);
+- pm_runtime_disable(&pd->dev);
+
+ return err;
+ }
+--
+2.35.1
+
--- /dev/null
+From d02e1b606c4234d5b724914d53568dc5e128cbf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:48:09 +0100
+Subject: hsr: Add a rcu-read lock to hsr_forward_skb().
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 5aa2820177af650293b2f9f1873c1f6f8e4ad7a4 ]
+
+hsr_forward_skb() a skb and keeps information in an on-stack
+hsr_frame_info. hsr_get_node() assigns hsr_frame_info::node_src which is
+from a RCU list. This pointer is used later in hsr_forward_do().
+I don't see a reason why this pointer can't vanish midway since there is
+no guarantee that hsr_forward_skb() is invoked from an RCU read section.
+
+Use rcu_read_lock() to protect hsr_frame_info::node_src from its
+assignment until it is no longer used.
+
+Fixes: f266a683a4804 ("net/hsr: Better frame dispatch")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index 3e58d310b4d4..a8befa35841e 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -614,11 +614,13 @@ void hsr_forward_skb(struct sk_buff *skb, struct hsr_port *port)
+ {
+ struct hsr_frame_info frame;
+
++ rcu_read_lock();
+ if (fill_frame_info(&frame, skb, port) < 0)
+ goto out_drop;
+
+ hsr_register_frame_in(frame.node_src, port, frame.sequence_nr);
+ hsr_forward_do(&frame);
++ rcu_read_unlock();
+ /* Gets called for ingress frames as well as egress from master port.
+ * So check and increment stats for master port only here.
+ */
+@@ -633,6 +635,7 @@ void hsr_forward_skb(struct sk_buff *skb, struct hsr_port *port)
+ return;
+
+ out_drop:
++ rcu_read_unlock();
+ port->dev->stats.tx_dropped++;
+ kfree_skb(skb);
+ }
+--
+2.35.1
+
--- /dev/null
+From d2893238ade4276e5c507b3b84feba00b2687525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:48:10 +0100
+Subject: hsr: Avoid double remove of a node.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 0c74d9f79ec4299365bbe803baa736ae0068179e ]
+
+Due to the hashed-MAC optimisation one problem become visible:
+hsr_handle_sup_frame() walks over the list of available nodes and merges
+two node entries into one if based on the information in the supervision
+both MAC addresses belong to one node. The list-walk happens on a RCU
+protected list and delete operation happens under a lock.
+
+If the supervision arrives on both slave interfaces at the same time
+then this delete operation can occur simultaneously on two CPUs. The
+result is the first-CPU deletes the from the list and the second CPUs
+BUGs while attempting to dereference a poisoned list-entry. This happens
+more likely with the optimisation because a new node for the mac_B entry
+is created once a packet has been received and removed (merged) once the
+supervision frame has been received.
+
+Avoid removing/ cleaning up a hsr_node twice by adding a `removed' field
+which is set to true after the removal and checked before the removal.
+
+Fixes: f266a683a4804 ("net/hsr: Better frame dispatch")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_framereg.c | 16 +++++++++++-----
+ net/hsr/hsr_framereg.h | 1 +
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
+index 9b8eaebce254..f2dd846ff903 100644
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -366,9 +366,12 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
+ node_real->addr_B_port = port_rcv->type;
+
+ spin_lock_bh(&hsr->list_lock);
+- list_del_rcu(&node_curr->mac_list);
++ if (!node_curr->removed) {
++ list_del_rcu(&node_curr->mac_list);
++ node_curr->removed = true;
++ kfree_rcu(node_curr, rcu_head);
++ }
+ spin_unlock_bh(&hsr->list_lock);
+- kfree_rcu(node_curr, rcu_head);
+
+ done:
+ /* Push back here */
+@@ -539,9 +542,12 @@ void hsr_prune_nodes(struct timer_list *t)
+ if (time_is_before_jiffies(timestamp +
+ msecs_to_jiffies(HSR_NODE_FORGET_TIME))) {
+ hsr_nl_nodedown(hsr, node->macaddress_A);
+- list_del_rcu(&node->mac_list);
+- /* Note that we need to free this entry later: */
+- kfree_rcu(node, rcu_head);
++ if (!node->removed) {
++ list_del_rcu(&node->mac_list);
++ node->removed = true;
++ /* Note that we need to free this entry later: */
++ kfree_rcu(node, rcu_head);
++ }
+ }
+ }
+ spin_unlock_bh(&hsr->list_lock);
+diff --git a/net/hsr/hsr_framereg.h b/net/hsr/hsr_framereg.h
+index bdbb8c822ba1..b5f902397bf1 100644
+--- a/net/hsr/hsr_framereg.h
++++ b/net/hsr/hsr_framereg.h
+@@ -80,6 +80,7 @@ struct hsr_node {
+ bool san_a;
+ bool san_b;
+ u16 seq_out[HSR_PT_PORTS];
++ bool removed;
+ struct rcu_head rcu_head;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 7bbe05b664ce5cdf20cc4ee1d3080e61004fb423 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:48:11 +0100
+Subject: hsr: Disable netpoll.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit d5c7652eb16fa203d82546e0285136d7b321ffa9 ]
+
+The hsr device is a software device. Its
+net_device_ops::ndo_start_xmit() routine will process the packet and
+then pass the resulting skb to dev_queue_xmit().
+During processing, hsr acquires a lock with spin_lock_bh()
+(hsr_add_node()) which needs to be promoted to the _irq() suffix in
+order to avoid a potential deadlock.
+Then there are the warnings in dev_queue_xmit() (due to
+local_bh_disable() with disabled interrupts) left.
+
+Instead trying to address those (there is qdisc and…) for netpoll sake,
+just disable netpoll on hsr.
+
+Disable netpoll on hsr and replace the _irqsave() locking with _bh().
+
+Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_device.c | 14 ++++++--------
+ net/hsr/hsr_forward.c | 5 ++---
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
+index 7518f7e93043..84fba2a402a5 100644
+--- a/net/hsr/hsr_device.c
++++ b/net/hsr/hsr_device.c
+@@ -278,7 +278,6 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
+ __u8 type = HSR_TLV_LIFE_CHECK;
+ struct hsr_sup_payload *hsr_sp;
+ struct hsr_sup_tag *hsr_stag;
+- unsigned long irqflags;
+ struct sk_buff *skb;
+
+ *interval = msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL);
+@@ -299,7 +298,7 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
+ set_hsr_stag_HSR_ver(hsr_stag, hsr->prot_version);
+
+ /* From HSRv1 on we have separate supervision sequence numbers. */
+- spin_lock_irqsave(&master->hsr->seqnr_lock, irqflags);
++ spin_lock_bh(&hsr->seqnr_lock);
+ if (hsr->prot_version > 0) {
+ hsr_stag->sequence_nr = htons(hsr->sup_sequence_nr);
+ hsr->sup_sequence_nr++;
+@@ -307,7 +306,7 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
+ hsr_stag->sequence_nr = htons(hsr->sequence_nr);
+ hsr->sequence_nr++;
+ }
+- spin_unlock_irqrestore(&master->hsr->seqnr_lock, irqflags);
++ spin_unlock_bh(&hsr->seqnr_lock);
+
+ hsr_stag->tlv.HSR_TLV_type = type;
+ /* TODO: Why 12 in HSRv0? */
+@@ -332,7 +331,6 @@ static void send_prp_supervision_frame(struct hsr_port *master,
+ struct hsr_priv *hsr = master->hsr;
+ struct hsr_sup_payload *hsr_sp;
+ struct hsr_sup_tag *hsr_stag;
+- unsigned long irqflags;
+ struct sk_buff *skb;
+
+ skb = hsr_init_skb(master);
+@@ -347,7 +345,7 @@ static void send_prp_supervision_frame(struct hsr_port *master,
+ set_hsr_stag_HSR_ver(hsr_stag, (hsr->prot_version ? 1 : 0));
+
+ /* From HSRv1 on we have separate supervision sequence numbers. */
+- spin_lock_irqsave(&master->hsr->seqnr_lock, irqflags);
++ spin_lock_bh(&hsr->seqnr_lock);
+ hsr_stag->sequence_nr = htons(hsr->sup_sequence_nr);
+ hsr->sup_sequence_nr++;
+ hsr_stag->tlv.HSR_TLV_type = PRP_TLV_LIFE_CHECK_DD;
+@@ -358,11 +356,11 @@ static void send_prp_supervision_frame(struct hsr_port *master,
+ ether_addr_copy(hsr_sp->macaddress_A, master->dev->dev_addr);
+
+ if (skb_put_padto(skb, ETH_ZLEN)) {
+- spin_unlock_irqrestore(&master->hsr->seqnr_lock, irqflags);
++ spin_unlock_bh(&hsr->seqnr_lock);
+ return;
+ }
+
+- spin_unlock_irqrestore(&master->hsr->seqnr_lock, irqflags);
++ spin_unlock_bh(&hsr->seqnr_lock);
+
+ hsr_forward_skb(skb, master);
+ }
+@@ -444,7 +442,7 @@ void hsr_dev_setup(struct net_device *dev)
+ dev->header_ops = &hsr_header_ops;
+ dev->netdev_ops = &hsr_device_ops;
+ SET_NETDEV_DEVTYPE(dev, &hsr_type);
+- dev->priv_flags |= IFF_NO_QUEUE;
++ dev->priv_flags |= IFF_NO_QUEUE | IFF_DISABLE_NETPOLL;
+
+ dev->needs_free_netdev = true;
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index a8befa35841e..a828221335bd 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -500,7 +500,6 @@ static void handle_std_frame(struct sk_buff *skb,
+ {
+ struct hsr_port *port = frame->port_rcv;
+ struct hsr_priv *hsr = port->hsr;
+- unsigned long irqflags;
+
+ frame->skb_hsr = NULL;
+ frame->skb_prp = NULL;
+@@ -510,10 +509,10 @@ static void handle_std_frame(struct sk_buff *skb,
+ frame->is_from_san = true;
+ } else {
+ /* Sequence nr for the master node */
+- spin_lock_irqsave(&hsr->seqnr_lock, irqflags);
++ spin_lock_bh(&hsr->seqnr_lock);
+ frame->sequence_nr = hsr->sequence_nr;
+ hsr->sequence_nr++;
+- spin_unlock_irqrestore(&hsr->seqnr_lock, irqflags);
++ spin_unlock_bh(&hsr->seqnr_lock);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 1bfecc0a6867fdd161c17f122706d276bf80e545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:48:12 +0100
+Subject: hsr: Synchronize sending frames to have always incremented outgoing
+ seq nr.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 06afd2c31d338fa762548580c1bf088703dd1e03 ]
+
+Sending frames via the hsr (master) device requires a sequence number
+which is tracked in hsr_priv::sequence_nr and protected by
+hsr_priv::seqnr_lock. Each time a new frame is sent, it will obtain a
+new id and then send it via the slave devices.
+Each time a packet is sent (via hsr_forward_do()) the sequence number is
+checked via hsr_register_frame_out() to ensure that a frame is not
+handled twice. This make sense for the receiving side to ensure that the
+frame is not injected into the stack twice after it has been received
+from both slave ports.
+
+There is no locking to cover the sending path which means the following
+scenario is possible:
+
+ CPU0 CPU1
+ hsr_dev_xmit(skb1) hsr_dev_xmit(skb2)
+ fill_frame_info() fill_frame_info()
+ hsr_fill_frame_info() hsr_fill_frame_info()
+ handle_std_frame() handle_std_frame()
+ skb1's sequence_nr = 1
+ skb2's sequence_nr = 2
+ hsr_forward_do() hsr_forward_do()
+
+ hsr_register_frame_out(, 2) // okay, send)
+
+ hsr_register_frame_out(, 1) // stop, lower seq duplicate
+
+Both skbs (or their struct hsr_frame_info) received an unique id.
+However since skb2 was sent before skb1, the higher sequence number was
+recorded in hsr_register_frame_out() and the late arriving skb1 was
+dropped and never sent.
+
+This scenario has been observed in a three node HSR setup, with node1 +
+node2 having ping and iperf running in parallel. From time to time ping
+reported a missing packet. Based on tracing that missing ping packet did
+not leave the system.
+
+It might be possible (didn't check) to drop the sequence number check on
+the sending side. But if the higher sequence number leaves on wire
+before the lower does and the destination receives them in that order
+and it will drop the packet with the lower sequence number and never
+inject into the stack.
+Therefore it seems the only way is to lock the whole path from obtaining
+the sequence number and sending via dev_queue_xmit() and assuming the
+packets leave on wire in the same order (and don't get reordered by the
+NIC).
+
+Cover the whole path for the master interface from obtaining the ID
+until after it has been forwarded via hsr_forward_skb() to ensure the
+skbs are sent to the NIC in the order of the assigned sequence numbers.
+
+Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_device.c | 12 +++++++-----
+ net/hsr/hsr_forward.c | 3 +--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
+index 84fba2a402a5..b1e86a7265b3 100644
+--- a/net/hsr/hsr_device.c
++++ b/net/hsr/hsr_device.c
+@@ -219,7 +219,9 @@ static netdev_tx_t hsr_dev_xmit(struct sk_buff *skb, struct net_device *dev)
+ skb->dev = master->dev;
+ skb_reset_mac_header(skb);
+ skb_reset_mac_len(skb);
++ spin_lock_bh(&hsr->seqnr_lock);
+ hsr_forward_skb(skb, master);
++ spin_unlock_bh(&hsr->seqnr_lock);
+ } else {
+ dev_core_stats_tx_dropped_inc(dev);
+ dev_kfree_skb_any(skb);
+@@ -306,7 +308,6 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
+ hsr_stag->sequence_nr = htons(hsr->sequence_nr);
+ hsr->sequence_nr++;
+ }
+- spin_unlock_bh(&hsr->seqnr_lock);
+
+ hsr_stag->tlv.HSR_TLV_type = type;
+ /* TODO: Why 12 in HSRv0? */
+@@ -317,11 +318,13 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
+ hsr_sp = skb_put(skb, sizeof(struct hsr_sup_payload));
+ ether_addr_copy(hsr_sp->macaddress_A, master->dev->dev_addr);
+
+- if (skb_put_padto(skb, ETH_ZLEN))
++ if (skb_put_padto(skb, ETH_ZLEN)) {
++ spin_unlock_bh(&hsr->seqnr_lock);
+ return;
++ }
+
+ hsr_forward_skb(skb, master);
+-
++ spin_unlock_bh(&hsr->seqnr_lock);
+ return;
+ }
+
+@@ -360,9 +363,8 @@ static void send_prp_supervision_frame(struct hsr_port *master,
+ return;
+ }
+
+- spin_unlock_bh(&hsr->seqnr_lock);
+-
+ hsr_forward_skb(skb, master);
++ spin_unlock_bh(&hsr->seqnr_lock);
+ }
+
+ /* Announce (supervision frame) timer function
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index a828221335bd..629daacc9607 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -509,10 +509,9 @@ static void handle_std_frame(struct sk_buff *skb,
+ frame->is_from_san = true;
+ } else {
+ /* Sequence nr for the master node */
+- spin_lock_bh(&hsr->seqnr_lock);
++ lockdep_assert_held(&hsr->seqnr_lock);
+ frame->sequence_nr = hsr->sequence_nr;
+ hsr->sequence_nr++;
+- spin_unlock_bh(&hsr->seqnr_lock);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e979c2c4ccceba66889d4269be9acf528c6b8ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:48:13 +0100
+Subject: hsr: Synchronize sequence number updates.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 5c7aa13210c3abdd34fd421f62347665ec6eb551 ]
+
+hsr_register_frame_out() compares new sequence_nr vs the old one
+recorded in hsr_node::seq_out and if the new sequence_nr is higher then
+it will be written to hsr_node::seq_out as the new value.
+
+This operation isn't locked so it is possible that two frames with the
+same sequence number arrive (via the two slave devices) and are fed to
+hsr_register_frame_out() at the same time. Both will pass the check and
+update the sequence counter later to the same value. As a result the
+content of the same packet is fed into the stack twice.
+
+This was noticed by running ping and observing DUP being reported from
+time to time.
+
+Instead of using the hsr_priv::seqnr_lock for the whole receive path (as
+it is for sending in the master node) add an additional lock that is only
+used for sequence number checks and updates.
+
+Add a per-node lock that is used during sequence number reads and
+updates.
+
+Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_framereg.c | 9 ++++++++-
+ net/hsr/hsr_framereg.h | 2 ++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
+index f2dd846ff903..39a6088080e9 100644
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -157,6 +157,7 @@ static struct hsr_node *hsr_add_node(struct hsr_priv *hsr,
+ return NULL;
+
+ ether_addr_copy(new_node->macaddress_A, addr);
++ spin_lock_init(&new_node->seq_out_lock);
+
+ /* We are only interested in time diffs here, so use current jiffies
+ * as initialization. (0 could trigger an spurious ring error warning).
+@@ -353,6 +354,7 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
+ }
+
+ ether_addr_copy(node_real->macaddress_B, ethhdr->h_source);
++ spin_lock_bh(&node_real->seq_out_lock);
+ for (i = 0; i < HSR_PT_PORTS; i++) {
+ if (!node_curr->time_in_stale[i] &&
+ time_after(node_curr->time_in[i], node_real->time_in[i])) {
+@@ -363,6 +365,7 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
+ if (seq_nr_after(node_curr->seq_out[i], node_real->seq_out[i]))
+ node_real->seq_out[i] = node_curr->seq_out[i];
+ }
++ spin_unlock_bh(&node_real->seq_out_lock);
+ node_real->addr_B_port = port_rcv->type;
+
+ spin_lock_bh(&hsr->list_lock);
+@@ -456,13 +459,17 @@ void hsr_register_frame_in(struct hsr_node *node, struct hsr_port *port,
+ int hsr_register_frame_out(struct hsr_port *port, struct hsr_node *node,
+ u16 sequence_nr)
+ {
++ spin_lock_bh(&node->seq_out_lock);
+ if (seq_nr_before_or_eq(sequence_nr, node->seq_out[port->type]) &&
+ time_is_after_jiffies(node->time_out[port->type] +
+- msecs_to_jiffies(HSR_ENTRY_FORGET_TIME)))
++ msecs_to_jiffies(HSR_ENTRY_FORGET_TIME))) {
++ spin_unlock_bh(&node->seq_out_lock);
+ return 1;
++ }
+
+ node->time_out[port->type] = jiffies;
+ node->seq_out[port->type] = sequence_nr;
++ spin_unlock_bh(&node->seq_out_lock);
+ return 0;
+ }
+
+diff --git a/net/hsr/hsr_framereg.h b/net/hsr/hsr_framereg.h
+index b5f902397bf1..b23556251d62 100644
+--- a/net/hsr/hsr_framereg.h
++++ b/net/hsr/hsr_framereg.h
+@@ -69,6 +69,8 @@ void prp_update_san_info(struct hsr_node *node, bool is_sup);
+
+ struct hsr_node {
+ struct list_head mac_list;
++ /* Protect R/W access to seq_out */
++ spinlock_t seq_out_lock;
+ unsigned char macaddress_A[ETH_ALEN];
+ unsigned char macaddress_B[ETH_ALEN];
+ /* Local slave through which AddrB frames are received from this node */
+--
+2.35.1
+
--- /dev/null
+From 37b7b3fc89c6b023da1e1366d5a81e442806ccfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 07:16:08 +0800
+Subject: hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
+
+From: Hawkins Jiawei <yin31149@gmail.com>
+
+[ Upstream commit 26215b7ee923b9251f7bb12c4e5f09dc465d35f2 ]
+
+Syzkaller reports a null-ptr-deref bug as follows:
+======================================================
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380
+[...]
+Call Trace:
+ <TASK>
+ vfs_parse_fs_param fs/fs_context.c:148 [inline]
+ vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129
+ vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191
+ generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231
+ do_new_mount fs/namespace.c:3036 [inline]
+ path_mount+0x12de/0x1e20 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ [...]
+ </TASK>
+======================================================
+
+According to commit "vfs: parse: deal with zero length string value",
+kernel will set the param->string to null pointer in vfs_parse_fs_string()
+if fs string has zero length.
+
+Yet the problem is that, hugetlbfs_parse_param() will dereference the
+param->string, without checking whether it is a null pointer. To be more
+specific, if hugetlbfs_parse_param() parses an illegal mount parameter,
+such as "size=,", kernel will constructs struct fs_parameter with null
+pointer in vfs_parse_fs_string(), then passes this struct fs_parameter to
+hugetlbfs_parse_param(), which triggers the above null-ptr-deref bug.
+
+This patch solves it by adding sanity check on param->string
+in hugetlbfs_parse_param().
+
+Link: https://lkml.kernel.org/r/20221020231609.4810-1-yin31149@gmail.com
+Reported-by: syzbot+a3e6acd85ded5c16a709@syzkaller.appspotmail.com
+Tested-by: syzbot+a3e6acd85ded5c16a709@syzkaller.appspotmail.com
+ Link: https://lore.kernel.org/all/0000000000005ad00405eb7148c6@google.com/
+Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Hawkins Jiawei <yin31149@gmail.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hugetlbfs/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index fbcfa6bfee80..26169d75f6cf 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -1256,7 +1256,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par
+
+ case Opt_size:
+ /* memparse() will accept a K/M/G without a digit */
+- if (!isdigit(param->string[0]))
++ if (!param->string || !isdigit(param->string[0]))
+ goto bad_val;
+ ctx->max_size_opt = memparse(param->string, &rest);
+ ctx->max_val_type = SIZE_STD;
+@@ -1266,7 +1266,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par
+
+ case Opt_nr_inodes:
+ /* memparse() will accept a K/M/G without a digit */
+- if (!isdigit(param->string[0]))
++ if (!param->string || !isdigit(param->string[0]))
+ goto bad_val;
+ ctx->nr_inodes = memparse(param->string, &rest);
+ return 0;
+@@ -1282,7 +1282,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par
+
+ case Opt_min_size:
+ /* memparse() will accept a K/M/G without a digit */
+- if (!isdigit(param->string[0]))
++ if (!param->string || !isdigit(param->string[0]))
+ goto bad_val;
+ ctx->min_size_opt = memparse(param->string, &rest);
+ ctx->min_val_type = SIZE_STD;
+--
+2.35.1
+
--- /dev/null
+From d1ee4fe2cf5bb12b1699c6d660050d1e2cad6e74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Oct 2022 23:31:56 +0200
+Subject: hwmon: (jc42) Convert register access and caching to regmap/regcache
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 8f2fa4726faf01094d7a5be7bd0c120c565f54d9 ]
+
+Switch the jc42 driver to use an I2C regmap to access the registers.
+Also move over to regmap's built-in caching instead of adding a
+custom caching implementation. This works for JC42_REG_TEMP_UPPER,
+JC42_REG_TEMP_LOWER and JC42_REG_TEMP_CRITICAL as these values never
+change except when explicitly written. The cache For JC42_REG_TEMP is
+dropped (regmap can't cache it because it's volatile, meaning it can
+change at any time) as well for simplicity and consistency with other
+drivers.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20221023213157.11078-2-martin.blumenstingl@googlemail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Stable-dep-of: 084ed144c448 ("hwmon: (jc42) Restore the min/max/critical temperatures on resume")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/Kconfig | 1 +
+ drivers/hwmon/jc42.c | 233 ++++++++++++++++++++++++------------------
+ 2 files changed, 132 insertions(+), 102 deletions(-)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index e70d9614bec2..1533127960e7 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -798,6 +798,7 @@ config SENSORS_IT87
+ config SENSORS_JC42
+ tristate "JEDEC JC42.4 compliant memory module temperature sensors"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here, you get support for JEDEC JC42.4 compliant
+ temperature sensors, which are used on many DDR3 memory modules for
+diff --git a/drivers/hwmon/jc42.c b/drivers/hwmon/jc42.c
+index 07f7f8b5b73d..96bffd5b5866 100644
+--- a/drivers/hwmon/jc42.c
++++ b/drivers/hwmon/jc42.c
+@@ -19,6 +19,7 @@
+ #include <linux/err.h>
+ #include <linux/mutex.h>
+ #include <linux/of.h>
++#include <linux/regmap.h>
+
+ /* Addresses to scan */
+ static const unsigned short normal_i2c[] = {
+@@ -199,31 +200,14 @@ static struct jc42_chips jc42_chips[] = {
+ { STM_MANID, STTS3000_DEVID, STTS3000_DEVID_MASK },
+ };
+
+-enum temp_index {
+- t_input = 0,
+- t_crit,
+- t_min,
+- t_max,
+- t_num_temp
+-};
+-
+-static const u8 temp_regs[t_num_temp] = {
+- [t_input] = JC42_REG_TEMP,
+- [t_crit] = JC42_REG_TEMP_CRITICAL,
+- [t_min] = JC42_REG_TEMP_LOWER,
+- [t_max] = JC42_REG_TEMP_UPPER,
+-};
+-
+ /* Each client has this additional data */
+ struct jc42_data {
+- struct i2c_client *client;
+ struct mutex update_lock; /* protect register access */
++ struct regmap *regmap;
+ bool extended; /* true if extended range supported */
+ bool valid;
+- unsigned long last_updated; /* In jiffies */
+ u16 orig_config; /* original configuration */
+ u16 config; /* current configuration */
+- u16 temp[t_num_temp];/* Temperatures */
+ };
+
+ #define JC42_TEMP_MIN_EXTENDED (-40000)
+@@ -248,85 +232,102 @@ static int jc42_temp_from_reg(s16 reg)
+ return reg * 125 / 2;
+ }
+
+-static struct jc42_data *jc42_update_device(struct device *dev)
+-{
+- struct jc42_data *data = dev_get_drvdata(dev);
+- struct i2c_client *client = data->client;
+- struct jc42_data *ret = data;
+- int i, val;
+-
+- mutex_lock(&data->update_lock);
+-
+- if (time_after(jiffies, data->last_updated + HZ) || !data->valid) {
+- for (i = 0; i < t_num_temp; i++) {
+- val = i2c_smbus_read_word_swapped(client, temp_regs[i]);
+- if (val < 0) {
+- ret = ERR_PTR(val);
+- goto abort;
+- }
+- data->temp[i] = val;
+- }
+- data->last_updated = jiffies;
+- data->valid = true;
+- }
+-abort:
+- mutex_unlock(&data->update_lock);
+- return ret;
+-}
+-
+ static int jc42_read(struct device *dev, enum hwmon_sensor_types type,
+ u32 attr, int channel, long *val)
+ {
+- struct jc42_data *data = jc42_update_device(dev);
+- int temp, hyst;
++ struct jc42_data *data = dev_get_drvdata(dev);
++ unsigned int regval;
++ int ret, temp, hyst;
+
+- if (IS_ERR(data))
+- return PTR_ERR(data);
++ mutex_lock(&data->update_lock);
+
+ switch (attr) {
+ case hwmon_temp_input:
+- *val = jc42_temp_from_reg(data->temp[t_input]);
+- return 0;
++ ret = regmap_read(data->regmap, JC42_REG_TEMP, ®val);
++ if (ret)
++ break;
++
++ *val = jc42_temp_from_reg(regval);
++ break;
+ case hwmon_temp_min:
+- *val = jc42_temp_from_reg(data->temp[t_min]);
+- return 0;
++ ret = regmap_read(data->regmap, JC42_REG_TEMP_LOWER, ®val);
++ if (ret)
++ break;
++
++ *val = jc42_temp_from_reg(regval);
++ break;
+ case hwmon_temp_max:
+- *val = jc42_temp_from_reg(data->temp[t_max]);
+- return 0;
++ ret = regmap_read(data->regmap, JC42_REG_TEMP_UPPER, ®val);
++ if (ret)
++ break;
++
++ *val = jc42_temp_from_reg(regval);
++ break;
+ case hwmon_temp_crit:
+- *val = jc42_temp_from_reg(data->temp[t_crit]);
+- return 0;
++ ret = regmap_read(data->regmap, JC42_REG_TEMP_CRITICAL,
++ ®val);
++ if (ret)
++ break;
++
++ *val = jc42_temp_from_reg(regval);
++ break;
+ case hwmon_temp_max_hyst:
+- temp = jc42_temp_from_reg(data->temp[t_max]);
++ ret = regmap_read(data->regmap, JC42_REG_TEMP_UPPER, ®val);
++ if (ret)
++ break;
++
++ temp = jc42_temp_from_reg(regval);
+ hyst = jc42_hysteresis[(data->config & JC42_CFG_HYST_MASK)
+ >> JC42_CFG_HYST_SHIFT];
+ *val = temp - hyst;
+- return 0;
++ break;
+ case hwmon_temp_crit_hyst:
+- temp = jc42_temp_from_reg(data->temp[t_crit]);
++ ret = regmap_read(data->regmap, JC42_REG_TEMP_CRITICAL,
++ ®val);
++ if (ret)
++ break;
++
++ temp = jc42_temp_from_reg(regval);
+ hyst = jc42_hysteresis[(data->config & JC42_CFG_HYST_MASK)
+ >> JC42_CFG_HYST_SHIFT];
+ *val = temp - hyst;
+- return 0;
++ break;
+ case hwmon_temp_min_alarm:
+- *val = (data->temp[t_input] >> JC42_ALARM_MIN_BIT) & 1;
+- return 0;
++ ret = regmap_read(data->regmap, JC42_REG_TEMP, ®val);
++ if (ret)
++ break;
++
++ *val = (regval >> JC42_ALARM_MIN_BIT) & 1;
++ break;
+ case hwmon_temp_max_alarm:
+- *val = (data->temp[t_input] >> JC42_ALARM_MAX_BIT) & 1;
+- return 0;
++ ret = regmap_read(data->regmap, JC42_REG_TEMP, ®val);
++ if (ret)
++ break;
++
++ *val = (regval >> JC42_ALARM_MAX_BIT) & 1;
++ break;
+ case hwmon_temp_crit_alarm:
+- *val = (data->temp[t_input] >> JC42_ALARM_CRIT_BIT) & 1;
+- return 0;
++ ret = regmap_read(data->regmap, JC42_REG_TEMP, ®val);
++ if (ret)
++ break;
++
++ *val = (regval >> JC42_ALARM_CRIT_BIT) & 1;
++ break;
+ default:
+- return -EOPNOTSUPP;
++ ret = -EOPNOTSUPP;
++ break;
+ }
++
++ mutex_unlock(&data->update_lock);
++
++ return ret;
+ }
+
+ static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
+ u32 attr, int channel, long val)
+ {
+ struct jc42_data *data = dev_get_drvdata(dev);
+- struct i2c_client *client = data->client;
++ unsigned int regval;
+ int diff, hyst;
+ int ret;
+
+@@ -334,21 +335,23 @@ static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
+
+ switch (attr) {
+ case hwmon_temp_min:
+- data->temp[t_min] = jc42_temp_to_reg(val, data->extended);
+- ret = i2c_smbus_write_word_swapped(client, temp_regs[t_min],
+- data->temp[t_min]);
++ ret = regmap_write(data->regmap, JC42_REG_TEMP_LOWER,
++ jc42_temp_to_reg(val, data->extended));
+ break;
+ case hwmon_temp_max:
+- data->temp[t_max] = jc42_temp_to_reg(val, data->extended);
+- ret = i2c_smbus_write_word_swapped(client, temp_regs[t_max],
+- data->temp[t_max]);
++ ret = regmap_write(data->regmap, JC42_REG_TEMP_UPPER,
++ jc42_temp_to_reg(val, data->extended));
+ break;
+ case hwmon_temp_crit:
+- data->temp[t_crit] = jc42_temp_to_reg(val, data->extended);
+- ret = i2c_smbus_write_word_swapped(client, temp_regs[t_crit],
+- data->temp[t_crit]);
++ ret = regmap_write(data->regmap, JC42_REG_TEMP_CRITICAL,
++ jc42_temp_to_reg(val, data->extended));
+ break;
+ case hwmon_temp_crit_hyst:
++ ret = regmap_read(data->regmap, JC42_REG_TEMP_CRITICAL,
++ ®val);
++ if (ret)
++ return ret;
++
+ /*
+ * JC42.4 compliant chips only support four hysteresis values.
+ * Pick best choice and go from there.
+@@ -356,7 +359,7 @@ static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
+ val = clamp_val(val, (data->extended ? JC42_TEMP_MIN_EXTENDED
+ : JC42_TEMP_MIN) - 6000,
+ JC42_TEMP_MAX);
+- diff = jc42_temp_from_reg(data->temp[t_crit]) - val;
++ diff = jc42_temp_from_reg(regval) - val;
+ hyst = 0;
+ if (diff > 0) {
+ if (diff < 2250)
+@@ -368,9 +371,8 @@ static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
+ }
+ data->config = (data->config & ~JC42_CFG_HYST_MASK) |
+ (hyst << JC42_CFG_HYST_SHIFT);
+- ret = i2c_smbus_write_word_swapped(data->client,
+- JC42_REG_CONFIG,
+- data->config);
++ ret = regmap_write(data->regmap, JC42_REG_CONFIG,
++ data->config);
+ break;
+ default:
+ ret = -EOPNOTSUPP;
+@@ -470,51 +472,80 @@ static const struct hwmon_chip_info jc42_chip_info = {
+ .info = jc42_info,
+ };
+
++static bool jc42_readable_reg(struct device *dev, unsigned int reg)
++{
++ return (reg >= JC42_REG_CAP && reg <= JC42_REG_DEVICEID) ||
++ reg == JC42_REG_SMBUS;
++}
++
++static bool jc42_writable_reg(struct device *dev, unsigned int reg)
++{
++ return (reg >= JC42_REG_CONFIG && reg <= JC42_REG_TEMP_CRITICAL) ||
++ reg == JC42_REG_SMBUS;
++}
++
++static bool jc42_volatile_reg(struct device *dev, unsigned int reg)
++{
++ return reg == JC42_REG_CONFIG || reg == JC42_REG_TEMP;
++}
++
++static const struct regmap_config jc42_regmap_config = {
++ .reg_bits = 8,
++ .val_bits = 16,
++ .val_format_endian = REGMAP_ENDIAN_BIG,
++ .max_register = JC42_REG_SMBUS,
++ .writeable_reg = jc42_writable_reg,
++ .readable_reg = jc42_readable_reg,
++ .volatile_reg = jc42_volatile_reg,
++ .cache_type = REGCACHE_RBTREE,
++};
++
+ static int jc42_probe(struct i2c_client *client)
+ {
+ struct device *dev = &client->dev;
+ struct device *hwmon_dev;
++ unsigned int config, cap;
+ struct jc42_data *data;
+- int config, cap;
++ int ret;
+
+ data = devm_kzalloc(dev, sizeof(struct jc42_data), GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+- data->client = client;
++ data->regmap = devm_regmap_init_i2c(client, &jc42_regmap_config);
++ if (IS_ERR(data->regmap))
++ return PTR_ERR(data->regmap);
++
+ i2c_set_clientdata(client, data);
+ mutex_init(&data->update_lock);
+
+- cap = i2c_smbus_read_word_swapped(client, JC42_REG_CAP);
+- if (cap < 0)
+- return cap;
++ ret = regmap_read(data->regmap, JC42_REG_CAP, &cap);
++ if (ret)
++ return ret;
+
+ data->extended = !!(cap & JC42_CAP_RANGE);
+
+ if (device_property_read_bool(dev, "smbus-timeout-disable")) {
+- int smbus;
+-
+ /*
+ * Not all chips support this register, but from a
+ * quick read of various datasheets no chip appears
+ * incompatible with the below attempt to disable
+ * the timeout. And the whole thing is opt-in...
+ */
+- smbus = i2c_smbus_read_word_swapped(client, JC42_REG_SMBUS);
+- if (smbus < 0)
+- return smbus;
+- i2c_smbus_write_word_swapped(client, JC42_REG_SMBUS,
+- smbus | SMBUS_STMOUT);
++ ret = regmap_set_bits(data->regmap, JC42_REG_SMBUS,
++ SMBUS_STMOUT);
++ if (ret)
++ return ret;
+ }
+
+- config = i2c_smbus_read_word_swapped(client, JC42_REG_CONFIG);
+- if (config < 0)
+- return config;
++ ret = regmap_read(data->regmap, JC42_REG_CONFIG, &config);
++ if (ret)
++ return ret;
+
+ data->orig_config = config;
+ if (config & JC42_CFG_SHUTDOWN) {
+ config &= ~JC42_CFG_SHUTDOWN;
+- i2c_smbus_write_word_swapped(client, JC42_REG_CONFIG, config);
++ regmap_write(data->regmap, JC42_REG_CONFIG, config);
+ }
+ data->config = config;
+
+@@ -535,7 +566,7 @@ static int jc42_remove(struct i2c_client *client)
+
+ config = (data->orig_config & ~JC42_CFG_HYST_MASK)
+ | (data->config & JC42_CFG_HYST_MASK);
+- i2c_smbus_write_word_swapped(client, JC42_REG_CONFIG, config);
++ regmap_write(data->regmap, JC42_REG_CONFIG, config);
+ }
+ return 0;
+ }
+@@ -547,8 +578,7 @@ static int jc42_suspend(struct device *dev)
+ struct jc42_data *data = dev_get_drvdata(dev);
+
+ data->config |= JC42_CFG_SHUTDOWN;
+- i2c_smbus_write_word_swapped(data->client, JC42_REG_CONFIG,
+- data->config);
++ regmap_write(data->regmap, JC42_REG_CONFIG, data->config);
+ return 0;
+ }
+
+@@ -557,8 +587,7 @@ static int jc42_resume(struct device *dev)
+ struct jc42_data *data = dev_get_drvdata(dev);
+
+ data->config &= ~JC42_CFG_SHUTDOWN;
+- i2c_smbus_write_word_swapped(data->client, JC42_REG_CONFIG,
+- data->config);
++ regmap_write(data->regmap, JC42_REG_CONFIG, data->config);
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 560570a2cb88920d596a8e50c173efdb42da2878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Oct 2022 23:31:57 +0200
+Subject: hwmon: (jc42) Restore the min/max/critical temperatures on resume
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 084ed144c448fd5bc8ed5a58247153fbbfd115c3 ]
+
+The JC42 compatible thermal sensor on Kingston KSM32ES8/16ME DIMMs
+(using Micron E-Die) is an ST Microelectronics STTS2004 (manufacturer
+0x104a, device 0x2201). It does not keep the previously programmed
+minimum, maximum and critical temperatures after system suspend and
+resume (which is a shutdown / startup cycle for the JC42 temperature
+sensor). This results in an alarm on system resume because the hardware
+default for these values is 0°C (so any environment temperature greater
+than 0°C will trigger the alarm).
+
+Example before system suspend:
+ jc42-i2c-0-1a
+ Adapter: SMBus PIIX4 adapter port 0 at 0b00
+ temp1: +34.8°C (low = +0.0°C)
+ (high = +85.0°C, hyst = +85.0°C)
+ (crit = +95.0°C, hyst = +95.0°C)
+
+Example after system resume (without this change):
+ jc42-i2c-0-1a
+ Adapter: SMBus PIIX4 adapter port 0 at 0b00
+ temp1: +34.8°C (low = +0.0°C) ALARM (HIGH, CRIT)
+ (high = +0.0°C, hyst = +0.0°C)
+ (crit = +0.0°C, hyst = +0.0°C)
+
+Apply the cached values from the JC42_REG_TEMP_UPPER,
+JC42_REG_TEMP_LOWER, JC42_REG_TEMP_CRITICAL and JC42_REG_SMBUS (where
+the SMBUS register is not related to this issue but a side-effect of
+using regcache_sync() during system resume with the previously
+cached/programmed values. This fixes the alarm due to the hardware
+defaults of 0°C because the previously applied limits (set by userspace)
+are re-applied on system resume.
+
+Fixes: 175c490c9e7f ("hwmon: (jc42) Add support for STTS2004 and AT30TSE004")
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20221023213157.11078-3-martin.blumenstingl@googlemail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/jc42.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/jc42.c b/drivers/hwmon/jc42.c
+index 96bffd5b5866..5004b17c5682 100644
+--- a/drivers/hwmon/jc42.c
++++ b/drivers/hwmon/jc42.c
+@@ -579,6 +579,10 @@ static int jc42_suspend(struct device *dev)
+
+ data->config |= JC42_CFG_SHUTDOWN;
+ regmap_write(data->regmap, JC42_REG_CONFIG, data->config);
++
++ regcache_cache_only(data->regmap, true);
++ regcache_mark_dirty(data->regmap);
++
+ return 0;
+ }
+
+@@ -586,9 +590,13 @@ static int jc42_resume(struct device *dev)
+ {
+ struct jc42_data *data = dev_get_drvdata(dev);
+
++ regcache_cache_only(data->regmap, false);
++
+ data->config &= ~JC42_CFG_SHUTDOWN;
+ regmap_write(data->regmap, JC42_REG_CONFIG, data->config);
+- return 0;
++
++ /* Restore cached register values to hardware */
++ return regcache_sync(data->regmap);
+ }
+
+ static const struct dev_pm_ops jc42_dev_pm_ops = {
+--
+2.35.1
+
--- /dev/null
+From e7f882b066463f6dbd7d64eecf7d55a70ec44863 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 23:44:56 +0200
+Subject: hwmon: (nct6775) add ASUS CROSSHAIR VIII/TUF/ProArt B550M
+
+From: Denis Pauk <pauk.denis@gmail.com>
+
+[ Upstream commit 1864069c695d475e0ce98a335c62274b81be57b4 ]
+
+Boards such as
+* ProArt B550-CREATOR
+* ProArt Z490-CREATOR 10G
+* ROG CROSSHAIR VIII EXTREME
+* ROG CROSSHAIR VIII HERO (WI-FI)
+* TUF GAMING B550M-E
+* TUF GAMING B550M-E (WI-FI)
+* TUF GAMING B550M-PLUS WIFI II
+have got a nct6775 chip, but by default there's no use of it
+because of resource conflict with WMI method.
+
+This commit adds such boards to the WMI monitoring list.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204807
+Signed-off-by: Denis Pauk <pauk.denis@gmail.com>
+Reported-by: yutesdb <mundanedefoliation@gmail.com>
+Tested-by: yutesdb <mundanedefoliation@gmail.com>
+Link: https://lore.kernel.org/r/20221114214456.3891-1-pauk.denis@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/nct6775-platform.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/hwmon/nct6775-platform.c b/drivers/hwmon/nct6775-platform.c
+index 41c97cfacfb8..50fe9533cf43 100644
+--- a/drivers/hwmon/nct6775-platform.c
++++ b/drivers/hwmon/nct6775-platform.c
+@@ -1043,7 +1043,9 @@ static struct platform_device *pdev[2];
+
+ static const char * const asus_wmi_boards[] = {
+ "PRO H410T",
++ "ProArt B550-CREATOR",
+ "ProArt X570-CREATOR WIFI",
++ "ProArt Z490-CREATOR 10G",
+ "Pro B550M-C",
+ "Pro WS X570-ACE",
+ "PRIME B360-PLUS",
+@@ -1055,8 +1057,10 @@ static const char * const asus_wmi_boards[] = {
+ "PRIME X570-P",
+ "PRIME X570-PRO",
+ "ROG CROSSHAIR VIII DARK HERO",
++ "ROG CROSSHAIR VIII EXTREME",
+ "ROG CROSSHAIR VIII FORMULA",
+ "ROG CROSSHAIR VIII HERO",
++ "ROG CROSSHAIR VIII HERO (WI-FI)",
+ "ROG CROSSHAIR VIII IMPACT",
+ "ROG STRIX B550-A GAMING",
+ "ROG STRIX B550-E GAMING",
+@@ -1080,8 +1084,11 @@ static const char * const asus_wmi_boards[] = {
+ "ROG STRIX Z490-G GAMING (WI-FI)",
+ "ROG STRIX Z490-H GAMING",
+ "ROG STRIX Z490-I GAMING",
++ "TUF GAMING B550M-E",
++ "TUF GAMING B550M-E (WI-FI)",
+ "TUF GAMING B550M-PLUS",
+ "TUF GAMING B550M-PLUS (WI-FI)",
++ "TUF GAMING B550M-PLUS WIFI II",
+ "TUF GAMING B550-PLUS",
+ "TUF GAMING B550-PLUS WIFI II",
+ "TUF GAMING B550-PRO",
+--
+2.35.1
+
--- /dev/null
+From 83aa369fd8afa2f0720d2176be86c98cecc952d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 21:22:33 +0800
+Subject: hwrng: amd - Fix PCI device refcount leak
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit ecadb5b0111ea19fc7c240bb25d424a94471eb7d ]
+
+for_each_pci_dev() is implemented by pci_get_device(). The comment of
+pci_get_device() says that it will increase the reference count for the
+returned pci_dev and also decrease the reference count for the input
+pci_dev @from if it is not NULL.
+
+If we break for_each_pci_dev() loop with pdev not NULL, we need to call
+pci_dev_put() to decrease the reference count. Add the missing
+pci_dev_put() for the normal and error path.
+
+Fixes: 96d63c0297cc ("[PATCH] Add AMD HW RNG driver")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/amd-rng.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/char/hw_random/amd-rng.c b/drivers/char/hw_random/amd-rng.c
+index c22d4184bb61..0555e3838bce 100644
+--- a/drivers/char/hw_random/amd-rng.c
++++ b/drivers/char/hw_random/amd-rng.c
+@@ -143,15 +143,19 @@ static int __init amd_rng_mod_init(void)
+ found:
+ err = pci_read_config_dword(pdev, 0x58, &pmbase);
+ if (err)
+- return err;
++ goto put_dev;
+
+ pmbase &= 0x0000FF00;
+- if (pmbase == 0)
+- return -EIO;
++ if (pmbase == 0) {
++ err = -EIO;
++ goto put_dev;
++ }
+
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+- if (!priv)
+- return -ENOMEM;
++ if (!priv) {
++ err = -ENOMEM;
++ goto put_dev;
++ }
+
+ if (!request_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE, DRV_NAME)) {
+ dev_err(&pdev->dev, DRV_NAME " region 0x%x already in use!\n",
+@@ -185,6 +189,8 @@ static int __init amd_rng_mod_init(void)
+ release_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE);
+ out:
+ kfree(priv);
++put_dev:
++ pci_dev_put(pdev);
+ return err;
+ }
+
+@@ -200,6 +206,8 @@ static void __exit amd_rng_mod_exit(void)
+
+ release_region(priv->pmbase + PMBASE_OFFSET, PMBASE_SIZE);
+
++ pci_dev_put(priv->pcidev);
++
+ kfree(priv);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 83628c9433d1e492d2811bfa1720f78443f94757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 21:22:34 +0800
+Subject: hwrng: geode - Fix PCI device refcount leak
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445 ]
+
+for_each_pci_dev() is implemented by pci_get_device(). The comment of
+pci_get_device() says that it will increase the reference count for the
+returned pci_dev and also decrease the reference count for the input
+pci_dev @from if it is not NULL.
+
+If we break for_each_pci_dev() loop with pdev not NULL, we need to call
+pci_dev_put() to decrease the reference count. We add a new struct
+'amd_geode_priv' to record pointer of the pci_dev and membase, and then
+add missing pci_dev_put() for the normal and error path.
+
+Fixes: ef5d862734b8 ("[PATCH] Add Geode HW RNG driver")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/geode-rng.c | 36 +++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/char/hw_random/geode-rng.c b/drivers/char/hw_random/geode-rng.c
+index 138ce434f86b..12fbe8091831 100644
+--- a/drivers/char/hw_random/geode-rng.c
++++ b/drivers/char/hw_random/geode-rng.c
+@@ -51,6 +51,10 @@ static const struct pci_device_id pci_tbl[] = {
+ };
+ MODULE_DEVICE_TABLE(pci, pci_tbl);
+
++struct amd_geode_priv {
++ struct pci_dev *pcidev;
++ void __iomem *membase;
++};
+
+ static int geode_rng_data_read(struct hwrng *rng, u32 *data)
+ {
+@@ -90,6 +94,7 @@ static int __init geode_rng_init(void)
+ const struct pci_device_id *ent;
+ void __iomem *mem;
+ unsigned long rng_base;
++ struct amd_geode_priv *priv;
+
+ for_each_pci_dev(pdev) {
+ ent = pci_match_id(pci_tbl, pdev);
+@@ -97,17 +102,26 @@ static int __init geode_rng_init(void)
+ goto found;
+ }
+ /* Device not found. */
+- goto out;
++ return err;
+
+ found:
++ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
++ if (!priv) {
++ err = -ENOMEM;
++ goto put_dev;
++ }
++
+ rng_base = pci_resource_start(pdev, 0);
+ if (rng_base == 0)
+- goto out;
++ goto free_priv;
+ err = -ENOMEM;
+ mem = ioremap(rng_base, 0x58);
+ if (!mem)
+- goto out;
+- geode_rng.priv = (unsigned long)mem;
++ goto free_priv;
++
++ geode_rng.priv = (unsigned long)priv;
++ priv->membase = mem;
++ priv->pcidev = pdev;
+
+ pr_info("AMD Geode RNG detected\n");
+ err = hwrng_register(&geode_rng);
+@@ -116,20 +130,26 @@ static int __init geode_rng_init(void)
+ err);
+ goto err_unmap;
+ }
+-out:
+ return err;
+
+ err_unmap:
+ iounmap(mem);
+- goto out;
++free_priv:
++ kfree(priv);
++put_dev:
++ pci_dev_put(pdev);
++ return err;
+ }
+
+ static void __exit geode_rng_exit(void)
+ {
+- void __iomem *mem = (void __iomem *)geode_rng.priv;
++ struct amd_geode_priv *priv;
+
++ priv = (struct amd_geode_priv *)geode_rng.priv;
+ hwrng_unregister(&geode_rng);
+- iounmap(mem);
++ iounmap(priv->membase);
++ pci_dev_put(priv->pcidev);
++ kfree(priv);
+ }
+
+ module_init(geode_rng_init);
+--
+2.35.1
+
--- /dev/null
+From fbb4d1f9c81f5cb9da0846f694f291c05c61ac6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 19:02:16 +0800
+Subject: i2c: ismt: Fix an out-of-bounds bug in ismt_access()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 39244cc754829bf707dccd12e2ce37510f5b1f8d ]
+
+When the driver does not check the data from the user, the variable
+'data->block[0]' may be very large to cause an out-of-bounds bug.
+
+The following log can reveal it:
+
+[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
+[ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE
+[ 33.996475] ==================================================================
+[ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
+[ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
+[ 33.999450] Call Trace:
+[ 34.001849] memcpy+0x20/0x60
+[ 34.002077] ismt_access.cold+0x374/0x214b
+[ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0
+[ 34.004007] i2c_smbus_xfer+0x10a/0x390
+[ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710
+[ 34.005196] i2cdev_ioctl+0x5ec/0x74c
+
+Fix this bug by checking the size of 'data->block[0]' first.
+
+Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-ismt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
+index 6078fa0c0d48..63120c41354c 100644
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -509,6 +509,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
+ if (read_write == I2C_SMBUS_WRITE) {
+ /* Block Write */
+ dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: WRITE\n");
++ if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
++ return -EINVAL;
++
+ dma_size = data->block[0] + 1;
+ dma_direction = DMA_TO_DEVICE;
+ desc->wr_len_cmd = dma_size;
+--
+2.35.1
+
--- /dev/null
+From da4f7806f916a153947e2f7581505343a15a0271 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 17:38:25 +0800
+Subject: i2c: mux: reg: check return value after calling
+ platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 2d47b79d2bd39cc6369eccf94a06568d84c906ae ]
+
+It will cause null-ptr-deref in resource_size(), if platform_get_resource()
+returns NULL, move calling resource_size() after devm_ioremap_resource() that
+will check 'res' to avoid null-ptr-deref.
+And use devm_platform_get_and_ioremap_resource() to simplify code.
+
+Fixes: b3fdd32799d8 ("i2c: mux: Add register-based mux i2c-mux-reg")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/muxes/i2c-mux-reg.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/i2c/muxes/i2c-mux-reg.c b/drivers/i2c/muxes/i2c-mux-reg.c
+index 0e0679f65cf7..30a6de1694e0 100644
+--- a/drivers/i2c/muxes/i2c-mux-reg.c
++++ b/drivers/i2c/muxes/i2c-mux-reg.c
+@@ -183,13 +183,12 @@ static int i2c_mux_reg_probe(struct platform_device *pdev)
+ if (!mux->data.reg) {
+ dev_info(&pdev->dev,
+ "Register not set, using platform resource\n");
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- mux->data.reg_size = resource_size(res);
+- mux->data.reg = devm_ioremap_resource(&pdev->dev, res);
++ mux->data.reg = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
+ if (IS_ERR(mux->data.reg)) {
+ ret = PTR_ERR(mux->data.reg);
+ goto err_put_parent;
+ }
++ mux->data.reg_size = resource_size(res);
+ }
+
+ if (mux->data.reg_size != 4 && mux->data.reg_size != 2 &&
+--
+2.35.1
+
--- /dev/null
+From f50c3e5b48b510ff39aa732726c2d0537598b9fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 17:25:40 +0800
+Subject: i2c: pxa-pci: fix missing pci_disable_device() on error in
+ ce4100_i2c_probe
+
+From: Hui Tang <tanghui20@huawei.com>
+
+[ Upstream commit d78a167332e1ca8113268ed922c1212fd71b73ad ]
+
+Using pcim_enable_device() to avoid missing pci_disable_device().
+
+Fixes: 7e94dd154e93 ("i2c-pxa2xx: Add PCI support for PXA I2C controller")
+Signed-off-by: Hui Tang <tanghui20@huawei.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-pxa-pci.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-pxa-pci.c b/drivers/i2c/busses/i2c-pxa-pci.c
+index f614cade432b..30e38bc8b6db 100644
+--- a/drivers/i2c/busses/i2c-pxa-pci.c
++++ b/drivers/i2c/busses/i2c-pxa-pci.c
+@@ -105,7 +105,7 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
+ int i;
+ struct ce4100_devices *sds;
+
+- ret = pci_enable_device_mem(dev);
++ ret = pcim_enable_device(dev);
+ if (ret)
+ return ret;
+
+@@ -114,10 +114,8 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
+ return -EINVAL;
+ }
+ sds = kzalloc(sizeof(*sds), GFP_KERNEL);
+- if (!sds) {
+- ret = -ENOMEM;
+- goto err_mem;
+- }
++ if (!sds)
++ return -ENOMEM;
+
+ for (i = 0; i < ARRAY_SIZE(sds->pdev); i++) {
+ sds->pdev[i] = add_i2c_device(dev, i);
+@@ -133,8 +131,6 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
+
+ err_dev_add:
+ kfree(sds);
+-err_mem:
+- pci_disable_device(dev);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b6dca4f1d97af3dadc52d58882066fa4e0a1fee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 10:54:11 -0800
+Subject: i40e: Fix the inability to attach XDP program on downed interface
+
+From: Bartosz Staszewski <bartoszx.staszewski@intel.com>
+
+[ Upstream commit 0c87b545a2ed5cd8a6318011f1c92b188c2d74bc ]
+
+Whenever trying to load XDP prog on downed interface, function i40e_xdp
+was passing vsi->rx_buf_len field to i40e_xdp_setup() which was equal 0.
+i40e_open() calls i40e_vsi_configure_rx() which configures that field,
+but that only happens when interface is up. When it is down, i40e_open()
+is not being called, thus vsi->rx_buf_len is not set.
+
+Solution for this is calculate buffer length in newly created
+function - i40e_calculate_vsi_rx_buf_len() that return actual buffer
+length. Buffer length is being calculated based on the same rules
+applied previously in i40e_vsi_configure_rx() function.
+
+Fixes: 613142b0bb88 ("i40e: Log error for oversized MTU on device")
+Fixes: 0c8493d90b6b ("i40e: add XDP support for pass and drop actions")
+Signed-off-by: Bartosz Staszewski <bartoszx.staszewski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Shwetha Nagaraju <Shwetha.nagaraju@intel.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Saeed Mahameed <saeed@kernel.com>
+Link: https://lore.kernel.org/r/20221209185411.2519898-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 36 ++++++++++++++-------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index e53ea7ed0b1d..8c07d92a6574 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -3692,6 +3692,24 @@ static int i40e_vsi_configure_tx(struct i40e_vsi *vsi)
+ return err;
+ }
+
++/**
++ * i40e_calculate_vsi_rx_buf_len - Calculates buffer length
++ *
++ * @vsi: VSI to calculate rx_buf_len from
++ */
++static u16 i40e_calculate_vsi_rx_buf_len(struct i40e_vsi *vsi)
++{
++ if (!vsi->netdev || (vsi->back->flags & I40E_FLAG_LEGACY_RX))
++ return I40E_RXBUFFER_2048;
++
++#if (PAGE_SIZE < 8192)
++ if (!I40E_2K_TOO_SMALL_WITH_PADDING && vsi->netdev->mtu <= ETH_DATA_LEN)
++ return I40E_RXBUFFER_1536 - NET_IP_ALIGN;
++#endif
++
++ return PAGE_SIZE < 8192 ? I40E_RXBUFFER_3072 : I40E_RXBUFFER_2048;
++}
++
+ /**
+ * i40e_vsi_configure_rx - Configure the VSI for Rx
+ * @vsi: the VSI being configured
+@@ -3703,20 +3721,14 @@ static int i40e_vsi_configure_rx(struct i40e_vsi *vsi)
+ int err = 0;
+ u16 i;
+
+- if (!vsi->netdev || (vsi->back->flags & I40E_FLAG_LEGACY_RX)) {
+- vsi->max_frame = I40E_MAX_RXBUFFER;
+- vsi->rx_buf_len = I40E_RXBUFFER_2048;
++ vsi->max_frame = I40E_MAX_RXBUFFER;
++ vsi->rx_buf_len = i40e_calculate_vsi_rx_buf_len(vsi);
++
+ #if (PAGE_SIZE < 8192)
+- } else if (!I40E_2K_TOO_SMALL_WITH_PADDING &&
+- (vsi->netdev->mtu <= ETH_DATA_LEN)) {
++ if (vsi->netdev && !I40E_2K_TOO_SMALL_WITH_PADDING &&
++ vsi->netdev->mtu <= ETH_DATA_LEN)
+ vsi->max_frame = I40E_RXBUFFER_1536 - NET_IP_ALIGN;
+- vsi->rx_buf_len = I40E_RXBUFFER_1536 - NET_IP_ALIGN;
+ #endif
+- } else {
+- vsi->max_frame = I40E_MAX_RXBUFFER;
+- vsi->rx_buf_len = (PAGE_SIZE < 8192) ? I40E_RXBUFFER_3072 :
+- I40E_RXBUFFER_2048;
+- }
+
+ /* set up individual rings */
+ for (i = 0; i < vsi->num_queue_pairs && !err; i++)
+@@ -13290,7 +13302,7 @@ static int i40e_xdp_setup(struct i40e_vsi *vsi, struct bpf_prog *prog,
+ int i;
+
+ /* Don't allow frames that span over multiple buffers */
+- if (frame_size > vsi->rx_buf_len) {
++ if (frame_size > i40e_calculate_vsi_rx_buf_len(vsi)) {
+ NL_SET_ERR_MSG_MOD(extack, "MTU too large to enable XDP");
+ return -EINVAL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 650bfec52ee7b2986c2ae696a8522cb61ba6dcc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 09:52:54 +0200
+Subject: IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit dbc94a0fb81771a38733c0e8f2ea8c4fa6934dc1 ]
+
+There are 2 ways to create IPoIB PKEY child interfaces:
+1) Writing a PKEY to /sys/class/net/<ib parent interface>/create_child.
+2) Using netlink with iproute.
+
+While with sysfs the child interface has the same number of tx and
+rx queues as the parent, with netlink there will always be 1 tx
+and 1 rx queue for the child interface. That's because the
+get_num_tx/rx_queues() netlink ops are missing and the default value
+of 1 is taken for the number of queues (in rtnl_create_link()).
+
+This change adds the get_num_tx/rx_queues() ops which allows for
+interfaces with multiple queues to be created over netlink. This
+constant only represents the max number of tx and rx queues on that
+net device.
+
+Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Link: https://lore.kernel.org/r/f4a42c8aa43c02d5ae5559a60c3e5e0f18c82531.1670485816.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+index ea16ba5d8da6..9ad8d9856275 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+@@ -41,6 +41,11 @@ static const struct nla_policy ipoib_policy[IFLA_IPOIB_MAX + 1] = {
+ [IFLA_IPOIB_UMCAST] = { .type = NLA_U16 },
+ };
+
++static unsigned int ipoib_get_max_num_queues(void)
++{
++ return min_t(unsigned int, num_possible_cpus(), 128);
++}
++
+ static int ipoib_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ {
+ struct ipoib_dev_priv *priv = ipoib_priv(dev);
+@@ -172,6 +177,8 @@ static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
+ .changelink = ipoib_changelink,
+ .get_size = ipoib_get_size,
+ .fill_info = ipoib_fill_info,
++ .get_num_rx_queues = ipoib_get_max_num_queues,
++ .get_num_tx_queues = ipoib_get_max_num_queues,
+ };
+
+ struct rtnl_link_ops *ipoib_get_link_ops(void)
+--
+2.35.1
+
--- /dev/null
+From 33c65862653a0d8705e19d4fc83472834dd9b4e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 11:57:17 +0200
+Subject: IB/mad: Don't call to function that might sleep while in atomic
+ context
+
+From: Leonid Ravich <lravich@gmail.com>
+
+[ Upstream commit 5c20311d76cbaeb7ed2ecf9c8b8322f8fc4a7ae3 ]
+
+Tracepoints are not allowed to sleep, as such the following splat is
+generated due to call to ib_query_pkey() in atomic context.
+
+WARNING: CPU: 0 PID: 1888000 at kernel/trace/ring_buffer.c:2492 rb_commit+0xc1/0x220
+CPU: 0 PID: 1888000 Comm: kworker/u9:0 Kdump: loaded Tainted: G OE --------- - - 4.18.0-305.3.1.el8.x86_64 #1
+ Hardware name: Red Hat KVM, BIOS 1.13.0-2.module_el8.3.0+555+a55c8938 04/01/2014
+ Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
+ RIP: 0010:rb_commit+0xc1/0x220
+ RSP: 0000:ffffa8ac80f9bca0 EFLAGS: 00010202
+ RAX: ffff8951c7c01300 RBX: ffff8951c7c14a00 RCX: 0000000000000246
+ RDX: ffff8951c707c000 RSI: ffff8951c707c57c RDI: ffff8951c7c14a00
+ RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+ R10: ffff8951c7c01300 R11: 0000000000000001 R12: 0000000000000246
+ R13: 0000000000000000 R14: ffffffff964c70c0 R15: 0000000000000000
+ FS: 0000000000000000(0000) GS:ffff8951fbc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f20e8f39010 CR3: 000000002ca10005 CR4: 0000000000170ef0
+ Call Trace:
+ ring_buffer_unlock_commit+0x1d/0xa0
+ trace_buffer_unlock_commit_regs+0x3b/0x1b0
+ trace_event_buffer_commit+0x67/0x1d0
+ trace_event_raw_event_ib_mad_recv_done_handler+0x11c/0x160 [ib_core]
+ ib_mad_recv_done+0x48b/0xc10 [ib_core]
+ ? trace_event_raw_event_cq_poll+0x6f/0xb0 [ib_core]
+ __ib_process_cq+0x91/0x1c0 [ib_core]
+ ib_cq_poll_work+0x26/0x80 [ib_core]
+ process_one_work+0x1a7/0x360
+ ? create_worker+0x1a0/0x1a0
+ worker_thread+0x30/0x390
+ ? create_worker+0x1a0/0x1a0
+ kthread+0x116/0x130
+ ? kthread_flush_work_fn+0x10/0x10
+ ret_from_fork+0x35/0x40
+ ---[ end trace 78ba8509d3830a16 ]---
+
+Fixes: 821bf1de45a1 ("IB/MAD: Add recv path trace point")
+Signed-off-by: Leonid Ravich <lravich@gmail.com>
+Link: https://lore.kernel.org/r/Y2t5feomyznrVj7V@leonid-Inspiron-3421
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/mad.c | 5 -----
+ include/trace/events/ib_mad.h | 13 ++++---------
+ 2 files changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
+index 1893aa613ad7..674344eb8e2f 100644
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -59,9 +59,6 @@ static void create_mad_addr_info(struct ib_mad_send_wr_private *mad_send_wr,
+ struct ib_mad_qp_info *qp_info,
+ struct trace_event_raw_ib_mad_send_template *entry)
+ {
+- u16 pkey;
+- struct ib_device *dev = qp_info->port_priv->device;
+- u32 pnum = qp_info->port_priv->port_num;
+ struct ib_ud_wr *wr = &mad_send_wr->send_wr;
+ struct rdma_ah_attr attr = {};
+
+@@ -69,8 +66,6 @@ static void create_mad_addr_info(struct ib_mad_send_wr_private *mad_send_wr,
+
+ /* These are common */
+ entry->sl = attr.sl;
+- ib_query_pkey(dev, pnum, wr->pkey_index, &pkey);
+- entry->pkey = pkey;
+ entry->rqpn = wr->remote_qpn;
+ entry->rqkey = wr->remote_qkey;
+ entry->dlid = rdma_ah_get_dlid(&attr);
+diff --git a/include/trace/events/ib_mad.h b/include/trace/events/ib_mad.h
+index 59363a083ecb..d92691c78cff 100644
+--- a/include/trace/events/ib_mad.h
++++ b/include/trace/events/ib_mad.h
+@@ -49,7 +49,6 @@ DECLARE_EVENT_CLASS(ib_mad_send_template,
+ __field(int, retries_left)
+ __field(int, max_retries)
+ __field(int, retry)
+- __field(u16, pkey)
+ ),
+
+ TP_fast_assign(
+@@ -89,7 +88,7 @@ DECLARE_EVENT_CLASS(ib_mad_send_template,
+ "hdr : base_ver 0x%x class 0x%x class_ver 0x%x " \
+ "method 0x%x status 0x%x class_specific 0x%x tid 0x%llx " \
+ "attr_id 0x%x attr_mod 0x%x => dlid 0x%08x sl %d "\
+- "pkey 0x%x rpqn 0x%x rqpkey 0x%x",
++ "rpqn 0x%x rqpkey 0x%x",
+ __entry->dev_index, __entry->port_num, __entry->qp_num,
+ __entry->agent_priv, be64_to_cpu(__entry->wrtid),
+ __entry->retries_left, __entry->max_retries,
+@@ -100,7 +99,7 @@ DECLARE_EVENT_CLASS(ib_mad_send_template,
+ be16_to_cpu(__entry->class_specific),
+ be64_to_cpu(__entry->tid), be16_to_cpu(__entry->attr_id),
+ be32_to_cpu(__entry->attr_mod),
+- be32_to_cpu(__entry->dlid), __entry->sl, __entry->pkey,
++ be32_to_cpu(__entry->dlid), __entry->sl,
+ __entry->rqpn, __entry->rqkey
+ )
+ );
+@@ -204,7 +203,6 @@ TRACE_EVENT(ib_mad_recv_done_handler,
+ __field(u16, wc_status)
+ __field(u32, slid)
+ __field(u32, dev_index)
+- __field(u16, pkey)
+ ),
+
+ TP_fast_assign(
+@@ -224,9 +222,6 @@ TRACE_EVENT(ib_mad_recv_done_handler,
+ __entry->slid = wc->slid;
+ __entry->src_qp = wc->src_qp;
+ __entry->sl = wc->sl;
+- ib_query_pkey(qp_info->port_priv->device,
+- qp_info->port_priv->port_num,
+- wc->pkey_index, &__entry->pkey);
+ __entry->wc_status = wc->status;
+ ),
+
+@@ -234,7 +229,7 @@ TRACE_EVENT(ib_mad_recv_done_handler,
+ "base_ver 0x%02x class 0x%02x class_ver 0x%02x " \
+ "method 0x%02x status 0x%04x class_specific 0x%04x " \
+ "tid 0x%016llx attr_id 0x%04x attr_mod 0x%08x " \
+- "slid 0x%08x src QP%d, sl %d pkey 0x%04x",
++ "slid 0x%08x src QP%d, sl %d",
+ __entry->dev_index, __entry->port_num, __entry->qp_num,
+ __entry->wc_status,
+ __entry->length,
+@@ -244,7 +239,7 @@ TRACE_EVENT(ib_mad_recv_done_handler,
+ be16_to_cpu(__entry->class_specific),
+ be64_to_cpu(__entry->tid), be16_to_cpu(__entry->attr_id),
+ be32_to_cpu(__entry->attr_mod),
+- __entry->slid, __entry->src_qp, __entry->sl, __entry->pkey
++ __entry->slid, __entry->src_qp, __entry->sl
+ )
+ );
+
+--
+2.35.1
+
--- /dev/null
+From 66ed3017d9ebc623894ead4612465e3112e05389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 02:25:24 -0700
+Subject: igb: Do not free q_vector unless new one was allocated
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 0668716506ca66f90d395f36ccdaebc3e0e84801 ]
+
+Avoid potential use-after-free condition under memory pressure. If the
+kzalloc() fails, q_vector will be freed but left in the original
+adapter->q_vector[v_idx] array position.
+
+Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: intel-wired-lan@lists.osuosl.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index ea46649b2ed3..0e36894db986 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1202,8 +1202,12 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter,
+ if (!q_vector) {
+ q_vector = kzalloc(size, GFP_KERNEL);
+ } else if (size > ksize(q_vector)) {
+- kfree_rcu(q_vector, rcu);
+- q_vector = kzalloc(size, GFP_KERNEL);
++ struct igb_q_vector *new_q_vector;
++
++ new_q_vector = kzalloc(size, GFP_KERNEL);
++ if (new_q_vector)
++ kfree_rcu(q_vector, rcu);
++ q_vector = new_q_vector;
+ } else {
+ memset(q_vector, 0, size);
+ }
+--
+2.35.1
+
--- /dev/null
+From 45a32be284187cd1cb9a4e38e8cc3e2c7b9c1fa9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 12:15:19 +0800
+Subject: igc: Add checking for basetime less than zero
+
+From: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+
+[ Upstream commit 3b61764fb49a6e147ac90d71dccdddc9d5508ba1 ]
+
+Using the tc qdisc command, the user can set basetime to any value.
+Checking should be done on the driver's side to prevent registering
+basetime values that are less than zero.
+
+Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading")
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 19b7ff201c7d..f7983d23d5b9 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6003,6 +6003,9 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
+ if (!qopt->enable)
+ return igc_tsn_clear_schedule(adapter);
+
++ if (qopt->base_time < 0)
++ return -ERANGE;
++
+ if (adapter->base_time)
+ return -EALREADY;
+
+--
+2.35.1
+
--- /dev/null
+From 0adec6f7083050ca3215f1d5292cb2bd653362a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 12:15:20 +0800
+Subject: igc: allow BaseTime 0 enrollment for Qbv
+
+From: Tan Tee Min <tee.min.tan@linux.intel.com>
+
+[ Upstream commit e17090eb24944fbbe1f24d9f336d7bad4fbe47e8 ]
+
+Introduce qbv_enable flag in igc_adapter struct to store the Qbv on/off.
+So this allow the BaseTime to enroll with zero value.
+
+Fixes: 61572d5f8f91 ("igc: Simplify TSN flags handling")
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Signed-off-by: Tan Tee Min <tee.min.tan@linux.intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h | 1 +
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 ++
+ drivers/net/ethernet/intel/igc/igc_tsn.c | 2 +-
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 66a57636d329..df3e26c0cf01 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -184,6 +184,7 @@ struct igc_adapter {
+
+ ktime_t base_time;
+ ktime_t cycle_time;
++ bool qbv_enable;
+
+ /* OS defined structs */
+ struct pci_dev *pdev;
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index f7983d23d5b9..10690a0cfae1 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6000,6 +6000,8 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
+ u32 start_time = 0, end_time = 0;
+ size_t n;
+
++ adapter->qbv_enable = qopt->enable;
++
+ if (!qopt->enable)
+ return igc_tsn_clear_schedule(adapter);
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
+index 4a019954cadb..356c7455c5ce 100644
+--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
++++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
+@@ -36,7 +36,7 @@ static unsigned int igc_tsn_new_flags(struct igc_adapter *adapter)
+ {
+ unsigned int new_flags = adapter->flags & ~IGC_FLAG_TSN_ANY_ENABLED;
+
+- if (adapter->base_time)
++ if (adapter->qbv_enable)
+ new_flags |= IGC_FLAG_TSN_QBV_ENABLED;
+
+ if (is_any_launchtime(adapter))
+--
+2.35.1
+
--- /dev/null
+From c596208ac6b43d58403154e47e6e6c2b26377689 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 12:15:17 +0800
+Subject: igc: Enhance Qbv scheduling by using first flag bit
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit db0b124f02ba68de6517ac303d431af220ccfe9f ]
+
+The I225 hardware has a limitation that packets can only be scheduled
+in the [0, cycle-time] interval. So, scheduling a packet to the start
+of the next cycle doesn't usually work.
+
+To overcome this, we use the Transmit Descriptor first flag to indicates
+that a packet should be the first packet (from a queue) in a cycle
+according to the section 7.5.2.9.3.4 The First Packet on Each QBV Cycle
+in Intel Discrete I225/6 User Manual.
+
+But this only works if there was any packet from that queue during the
+current cycle, to avoid this issue, we issue an empty packet if that's
+not the case. Also require one more descriptor to be available, to take
+into account the empty packet that might be issued.
+
+Test Setup:
+
+Talker: Use l2_tai to generate the launchtime into packet load.
+
+Listener: Use timedump.c to compute the delta between packet arrival
+and LaunchTime packet payload.
+
+Test Result:
+
+Before:
+
+1666000610127300000,1666000610127300096,96,621273
+1666000610127400000,1666000610127400192,192,621274
+1666000610127500000,1666000610127500032,32,621275
+1666000610127600000,1666000610127600128,128,621276
+1666000610127700000,1666000610127700224,224,621277
+1666000610127800000,1666000610127800064,64,621278
+1666000610127900000,1666000610127900160,160,621279
+1666000610128000000,1666000610128000000,0,621280
+1666000610128100000,1666000610128100096,96,621281
+1666000610128200000,1666000610128200192,192,621282
+1666000610128300000,1666000610128300032,32,621283
+1666000610128400000,1666000610128301056,-98944,621284
+1666000610128500000,1666000610128302080,-197920,621285
+1666000610128600000,1666000610128302848,-297152,621286
+1666000610128700000,1666000610128303872,-396128,621287
+1666000610128800000,1666000610128304896,-495104,621288
+1666000610128900000,1666000610128305664,-594336,621289
+1666000610129000000,1666000610128306688,-693312,621290
+1666000610129100000,1666000610128307712,-792288,621291
+1666000610129200000,1666000610128308480,-891520,621292
+1666000610129300000,1666000610128309504,-990496,621293
+1666000610129400000,1666000610128310528,-1089472,621294
+1666000610129500000,1666000610128311296,-1188704,621295
+1666000610129600000,1666000610128312320,-1287680,621296
+1666000610129700000,1666000610128313344,-1386656,621297
+1666000610129800000,1666000610128314112,-1485888,621298
+1666000610129900000,1666000610128315136,-1584864,621299
+1666000610130000000,1666000610128316160,-1683840,621300
+1666000610130100000,1666000610128316928,-1783072,621301
+1666000610130200000,1666000610128317952,-1882048,621302
+1666000610130300000,1666000610128318976,-1981024,621303
+1666000610130400000,1666000610128319744,-2080256,621304
+1666000610130500000,1666000610128320768,-2179232,621305
+1666000610130600000,1666000610128321792,-2278208,621306
+1666000610130700000,1666000610128322816,-2377184,621307
+1666000610130800000,1666000610128323584,-2476416,621308
+1666000610130900000,1666000610128324608,-2575392,621309
+1666000610131000000,1666000610128325632,-2674368,621310
+1666000610131100000,1666000610128326400,-2773600,621311
+1666000610131200000,1666000610128327424,-2872576,621312
+1666000610131300000,1666000610128328448,-2971552,621313
+1666000610131400000,1666000610128329216,-3070784,621314
+1666000610131500000,1666000610131500032,32,621315
+1666000610131600000,1666000610131600128,128,621316
+1666000610131700000,1666000610131700224,224,621317
+
+After:
+
+1666073510646200000,1666073510646200064,64,2676462
+1666073510646300000,1666073510646300160,160,2676463
+1666073510646400000,1666073510646400256,256,2676464
+1666073510646500000,1666073510646500096,96,2676465
+1666073510646600000,1666073510646600192,192,2676466
+1666073510646700000,1666073510646700032,32,2676467
+1666073510646800000,1666073510646800128,128,2676468
+1666073510646900000,1666073510646900224,224,2676469
+1666073510647000000,1666073510647000064,64,2676470
+1666073510647100000,1666073510647100160,160,2676471
+1666073510647200000,1666073510647200256,256,2676472
+1666073510647300000,1666073510647300096,96,2676473
+1666073510647400000,1666073510647400192,192,2676474
+1666073510647500000,1666073510647500032,32,2676475
+1666073510647600000,1666073510647600128,128,2676476
+1666073510647700000,1666073510647700224,224,2676477
+1666073510647800000,1666073510647800064,64,2676478
+1666073510647900000,1666073510647900160,160,2676479
+1666073510648000000,1666073510648000000,0,2676480
+1666073510648100000,1666073510648100096,96,2676481
+1666073510648200000,1666073510648200192,192,2676482
+1666073510648300000,1666073510648300032,32,2676483
+1666073510648400000,1666073510648400128,128,2676484
+1666073510648500000,1666073510648500224,224,2676485
+1666073510648600000,1666073510648600064,64,2676486
+1666073510648700000,1666073510648700160,160,2676487
+1666073510648800000,1666073510648800000,0,2676488
+1666073510648900000,1666073510648900096,96,2676489
+1666073510649000000,1666073510649000192,192,2676490
+1666073510649100000,1666073510649100032,32,2676491
+1666073510649200000,1666073510649200128,128,2676492
+1666073510649300000,1666073510649300224,224,2676493
+1666073510649400000,1666073510649400064,64,2676494
+1666073510649500000,1666073510649500160,160,2676495
+1666073510649600000,1666073510649600000,0,2676496
+1666073510649700000,1666073510649700096,96,2676497
+1666073510649800000,1666073510649800192,192,2676498
+1666073510649900000,1666073510649900032,32,2676499
+1666073510650000000,1666073510650000128,128,2676500
+
+Fixes: 82faa9b79950 ("igc: Add support for ETF offloading")
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Co-developed-by: Aravindhan Gunasekaran <aravindhan.gunasekaran@intel.com>
+Signed-off-by: Aravindhan Gunasekaran <aravindhan.gunasekaran@intel.com>
+Co-developed-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Signed-off-by: Malli C <mallikarjuna.chilakala@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h | 2 +
+ drivers/net/ethernet/intel/igc/igc_defines.h | 2 +
+ drivers/net/ethernet/intel/igc/igc_main.c | 176 ++++++++++++++++---
+ 3 files changed, 151 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 1e7e7071f64d..66a57636d329 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -94,6 +94,8 @@ struct igc_ring {
+ u8 queue_index; /* logical index of the ring*/
+ u8 reg_idx; /* physical index of the ring */
+ bool launchtime_enable; /* true if LaunchTime is enabled */
++ ktime_t last_tx_cycle; /* end of the cycle with a launchtime transmission */
++ ktime_t last_ff_cycle; /* Last cycle with an active first flag */
+
+ u32 start_time;
+ u32 end_time;
+diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h
+index 5c66b97c0cfa..4f2c446ace4d 100644
+--- a/drivers/net/ethernet/intel/igc/igc_defines.h
++++ b/drivers/net/ethernet/intel/igc/igc_defines.h
+@@ -321,6 +321,8 @@
+ #define IGC_ADVTXD_L4LEN_SHIFT 8 /* Adv ctxt L4LEN shift */
+ #define IGC_ADVTXD_MSS_SHIFT 16 /* Adv ctxt MSS shift */
+
++#define IGC_ADVTXD_TSN_CNTX_FIRST 0x00000080
++
+ /* Transmit Control */
+ #define IGC_TCTL_EN 0x00000002 /* enable Tx */
+ #define IGC_TCTL_PSP 0x00000008 /* pad short packets */
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index ebff0e04045d..19b7ff201c7d 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1000,25 +1000,118 @@ static int igc_write_mc_addr_list(struct net_device *netdev)
+ return netdev_mc_count(netdev);
+ }
+
+-static __le32 igc_tx_launchtime(struct igc_adapter *adapter, ktime_t txtime)
++static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime,
++ bool *first_flag, bool *insert_empty)
+ {
++ struct igc_adapter *adapter = netdev_priv(ring->netdev);
+ ktime_t cycle_time = adapter->cycle_time;
+ ktime_t base_time = adapter->base_time;
++ ktime_t now = ktime_get_clocktai();
++ ktime_t baset_est, end_of_cycle;
+ u32 launchtime;
++ s64 n;
+
+- /* FIXME: when using ETF together with taprio, we may have a
+- * case where 'delta' is larger than the cycle_time, this may
+- * cause problems if we don't read the current value of
+- * IGC_BASET, as the value writen into the launchtime
+- * descriptor field may be misinterpreted.
++ n = div64_s64(ktime_sub_ns(now, base_time), cycle_time);
++
++ baset_est = ktime_add_ns(base_time, cycle_time * (n));
++ end_of_cycle = ktime_add_ns(baset_est, cycle_time);
++
++ if (ktime_compare(txtime, end_of_cycle) >= 0) {
++ if (baset_est != ring->last_ff_cycle) {
++ *first_flag = true;
++ ring->last_ff_cycle = baset_est;
++
++ if (ktime_compare(txtime, ring->last_tx_cycle) > 0)
++ *insert_empty = true;
++ }
++ }
++
++ /* Introducing a window at end of cycle on which packets
++ * potentially not honor launchtime. Window of 5us chosen
++ * considering software update the tail pointer and packets
++ * are dma'ed to packet buffer.
+ */
+- div_s64_rem(ktime_sub_ns(txtime, base_time), cycle_time, &launchtime);
++ if ((ktime_sub_ns(end_of_cycle, now) < 5 * NSEC_PER_USEC))
++ netdev_warn(ring->netdev, "Packet with txtime=%llu may not be honoured\n",
++ txtime);
++
++ ring->last_tx_cycle = end_of_cycle;
++
++ launchtime = ktime_sub_ns(txtime, baset_est);
++ if (launchtime > 0)
++ div_s64_rem(launchtime, cycle_time, &launchtime);
++ else
++ launchtime = 0;
+
+ return cpu_to_le32(launchtime);
+ }
+
++static int igc_init_empty_frame(struct igc_ring *ring,
++ struct igc_tx_buffer *buffer,
++ struct sk_buff *skb)
++{
++ unsigned int size;
++ dma_addr_t dma;
++
++ size = skb_headlen(skb);
++
++ dma = dma_map_single(ring->dev, skb->data, size, DMA_TO_DEVICE);
++ if (dma_mapping_error(ring->dev, dma)) {
++ netdev_err_once(ring->netdev, "Failed to map DMA for TX\n");
++ return -ENOMEM;
++ }
++
++ buffer->skb = skb;
++ buffer->protocol = 0;
++ buffer->bytecount = skb->len;
++ buffer->gso_segs = 1;
++ buffer->time_stamp = jiffies;
++ dma_unmap_len_set(buffer, len, skb->len);
++ dma_unmap_addr_set(buffer, dma, dma);
++
++ return 0;
++}
++
++static int igc_init_tx_empty_descriptor(struct igc_ring *ring,
++ struct sk_buff *skb,
++ struct igc_tx_buffer *first)
++{
++ union igc_adv_tx_desc *desc;
++ u32 cmd_type, olinfo_status;
++ int err;
++
++ if (!igc_desc_unused(ring))
++ return -EBUSY;
++
++ err = igc_init_empty_frame(ring, first, skb);
++ if (err)
++ return err;
++
++ cmd_type = IGC_ADVTXD_DTYP_DATA | IGC_ADVTXD_DCMD_DEXT |
++ IGC_ADVTXD_DCMD_IFCS | IGC_TXD_DCMD |
++ first->bytecount;
++ olinfo_status = first->bytecount << IGC_ADVTXD_PAYLEN_SHIFT;
++
++ desc = IGC_TX_DESC(ring, ring->next_to_use);
++ desc->read.cmd_type_len = cpu_to_le32(cmd_type);
++ desc->read.olinfo_status = cpu_to_le32(olinfo_status);
++ desc->read.buffer_addr = cpu_to_le64(dma_unmap_addr(first, dma));
++
++ netdev_tx_sent_queue(txring_txq(ring), skb->len);
++
++ first->next_to_watch = desc;
++
++ ring->next_to_use++;
++ if (ring->next_to_use == ring->count)
++ ring->next_to_use = 0;
++
++ return 0;
++}
++
++#define IGC_EMPTY_FRAME_SIZE 60
++
+ static void igc_tx_ctxtdesc(struct igc_ring *tx_ring,
+- struct igc_tx_buffer *first,
++ __le32 launch_time, bool first_flag,
+ u32 vlan_macip_lens, u32 type_tucmd,
+ u32 mss_l4len_idx)
+ {
+@@ -1037,26 +1130,17 @@ static void igc_tx_ctxtdesc(struct igc_ring *tx_ring,
+ if (test_bit(IGC_RING_FLAG_TX_CTX_IDX, &tx_ring->flags))
+ mss_l4len_idx |= tx_ring->reg_idx << 4;
+
++ if (first_flag)
++ mss_l4len_idx |= IGC_ADVTXD_TSN_CNTX_FIRST;
++
+ context_desc->vlan_macip_lens = cpu_to_le32(vlan_macip_lens);
+ context_desc->type_tucmd_mlhl = cpu_to_le32(type_tucmd);
+ context_desc->mss_l4len_idx = cpu_to_le32(mss_l4len_idx);
+-
+- /* We assume there is always a valid Tx time available. Invalid times
+- * should have been handled by the upper layers.
+- */
+- if (tx_ring->launchtime_enable) {
+- struct igc_adapter *adapter = netdev_priv(tx_ring->netdev);
+- ktime_t txtime = first->skb->tstamp;
+-
+- skb_txtime_consumed(first->skb);
+- context_desc->launch_time = igc_tx_launchtime(adapter,
+- txtime);
+- } else {
+- context_desc->launch_time = 0;
+- }
++ context_desc->launch_time = launch_time;
+ }
+
+-static void igc_tx_csum(struct igc_ring *tx_ring, struct igc_tx_buffer *first)
++static void igc_tx_csum(struct igc_ring *tx_ring, struct igc_tx_buffer *first,
++ __le32 launch_time, bool first_flag)
+ {
+ struct sk_buff *skb = first->skb;
+ u32 vlan_macip_lens = 0;
+@@ -1096,7 +1180,8 @@ static void igc_tx_csum(struct igc_ring *tx_ring, struct igc_tx_buffer *first)
+ vlan_macip_lens |= skb_network_offset(skb) << IGC_ADVTXD_MACLEN_SHIFT;
+ vlan_macip_lens |= first->tx_flags & IGC_TX_FLAGS_VLAN_MASK;
+
+- igc_tx_ctxtdesc(tx_ring, first, vlan_macip_lens, type_tucmd, 0);
++ igc_tx_ctxtdesc(tx_ring, launch_time, first_flag,
++ vlan_macip_lens, type_tucmd, 0);
+ }
+
+ static int __igc_maybe_stop_tx(struct igc_ring *tx_ring, const u16 size)
+@@ -1320,6 +1405,7 @@ static int igc_tx_map(struct igc_ring *tx_ring,
+
+ static int igc_tso(struct igc_ring *tx_ring,
+ struct igc_tx_buffer *first,
++ __le32 launch_time, bool first_flag,
+ u8 *hdr_len)
+ {
+ u32 vlan_macip_lens, type_tucmd, mss_l4len_idx;
+@@ -1406,8 +1492,8 @@ static int igc_tso(struct igc_ring *tx_ring,
+ vlan_macip_lens |= (ip.hdr - skb->data) << IGC_ADVTXD_MACLEN_SHIFT;
+ vlan_macip_lens |= first->tx_flags & IGC_TX_FLAGS_VLAN_MASK;
+
+- igc_tx_ctxtdesc(tx_ring, first, vlan_macip_lens,
+- type_tucmd, mss_l4len_idx);
++ igc_tx_ctxtdesc(tx_ring, launch_time, first_flag,
++ vlan_macip_lens, type_tucmd, mss_l4len_idx);
+
+ return 1;
+ }
+@@ -1415,11 +1501,14 @@ static int igc_tso(struct igc_ring *tx_ring,
+ static netdev_tx_t igc_xmit_frame_ring(struct sk_buff *skb,
+ struct igc_ring *tx_ring)
+ {
++ bool first_flag = false, insert_empty = false;
+ u16 count = TXD_USE_COUNT(skb_headlen(skb));
+ __be16 protocol = vlan_get_protocol(skb);
+ struct igc_tx_buffer *first;
++ __le32 launch_time = 0;
+ u32 tx_flags = 0;
+ unsigned short f;
++ ktime_t txtime;
+ u8 hdr_len = 0;
+ int tso = 0;
+
+@@ -1433,11 +1522,40 @@ static netdev_tx_t igc_xmit_frame_ring(struct sk_buff *skb,
+ count += TXD_USE_COUNT(skb_frag_size(
+ &skb_shinfo(skb)->frags[f]));
+
+- if (igc_maybe_stop_tx(tx_ring, count + 3)) {
++ if (igc_maybe_stop_tx(tx_ring, count + 5)) {
+ /* this is a hard error */
+ return NETDEV_TX_BUSY;
+ }
+
++ if (!tx_ring->launchtime_enable)
++ goto done;
++
++ txtime = skb->tstamp;
++ skb->tstamp = ktime_set(0, 0);
++ launch_time = igc_tx_launchtime(tx_ring, txtime, &first_flag, &insert_empty);
++
++ if (insert_empty) {
++ struct igc_tx_buffer *empty_info;
++ struct sk_buff *empty;
++ void *data;
++
++ empty_info = &tx_ring->tx_buffer_info[tx_ring->next_to_use];
++ empty = alloc_skb(IGC_EMPTY_FRAME_SIZE, GFP_ATOMIC);
++ if (!empty)
++ goto done;
++
++ data = skb_put(empty, IGC_EMPTY_FRAME_SIZE);
++ memset(data, 0, IGC_EMPTY_FRAME_SIZE);
++
++ igc_tx_ctxtdesc(tx_ring, 0, false, 0, 0, 0);
++
++ if (igc_init_tx_empty_descriptor(tx_ring,
++ empty,
++ empty_info) < 0)
++ dev_kfree_skb_any(empty);
++ }
++
++done:
+ /* record the location of the first descriptor for this packet */
+ first = &tx_ring->tx_buffer_info[tx_ring->next_to_use];
+ first->type = IGC_TX_BUFFER_TYPE_SKB;
+@@ -1474,11 +1592,11 @@ static netdev_tx_t igc_xmit_frame_ring(struct sk_buff *skb,
+ first->tx_flags = tx_flags;
+ first->protocol = protocol;
+
+- tso = igc_tso(tx_ring, first, &hdr_len);
++ tso = igc_tso(tx_ring, first, launch_time, first_flag, &hdr_len);
+ if (tso < 0)
+ goto out_drop;
+ else if (!tso)
+- igc_tx_csum(tx_ring, first);
++ igc_tx_csum(tx_ring, first, launch_time, first_flag);
+
+ igc_tx_map(tx_ring, first, hdr_len);
+
+--
+2.35.1
+
--- /dev/null
+From a2c6be7a1f017980172b5850436948ffdebb435d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 12:15:21 +0800
+Subject: igc: recalculate Qbv end_time by considering cycle time
+
+From: Tan Tee Min <tee.min.tan@linux.intel.com>
+
+[ Upstream commit 6d05251d537a4d3835959a8cdd8cbbbdcdc0c904 ]
+
+Qbv users can specify a cycle time that is not equal to the total GCL
+intervals. Hence, recalculation is necessary here to exclude the time
+interval that exceeds the cycle time. As those GCL which exceeds the
+cycle time will be truncated.
+
+According to IEEE Std. 802.1Q-2018 section 8.6.9.2, once the end of
+the list is reached, it will switch to the END_OF_CYCLE state and
+leave the gates in the same state until the next cycle is started.
+
+Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading")
+Signed-off-by: Tan Tee Min <tee.min.tan@linux.intel.com>
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 10690a0cfae1..207b4b5b2e5f 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6023,6 +6023,21 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
+
+ end_time += e->interval;
+
++ /* If any of the conditions below are true, we need to manually
++ * control the end time of the cycle.
++ * 1. Qbv users can specify a cycle time that is not equal
++ * to the total GCL intervals. Hence, recalculation is
++ * necessary here to exclude the time interval that
++ * exceeds the cycle time.
++ * 2. According to IEEE Std. 802.1Q-2018 section 8.6.9.2,
++ * once the end of the list is reached, it will switch
++ * to the END_OF_CYCLE state and leave the gates in the
++ * same state until the next cycle is started.
++ */
++ if (end_time > adapter->cycle_time ||
++ n + 1 == qopt->num_entries)
++ end_time = adapter->cycle_time;
++
+ for (i = 0; i < adapter->num_tx_queues; i++) {
+ struct igc_ring *ring = adapter->tx_ring[i];
+
+--
+2.35.1
+
--- /dev/null
+From 6ba58a46e777a1d89f6b8c237600048a1181974b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 12:15:22 +0800
+Subject: igc: Set Qbv start_time and end_time to end_time if not being
+ configured in GCL
+
+From: Tan Tee Min <tee.min.tan@linux.intel.com>
+
+[ Upstream commit 72abeedd83982c1bc6023f631e412db78374d9b4 ]
+
+The default setting of end_time minus start_time is whole 1 second.
+Thus, if it's not being configured in any GCL entry then it will be
+staying at original 1 second.
+
+This patch is changing the start_time and end_time to be end_time as
+if setting zero will be having weird HW behavior where the gate will
+not be fully closed.
+
+Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading")
+Signed-off-by: Tan Tee Min <tee.min.tan@linux.intel.com>
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 207b4b5b2e5f..76f015196fbf 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -5999,6 +5999,7 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
+ bool queue_configured[IGC_MAX_TX_QUEUES] = { };
+ u32 start_time = 0, end_time = 0;
+ size_t n;
++ int i;
+
+ adapter->qbv_enable = qopt->enable;
+
+@@ -6019,7 +6020,6 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
+
+ for (n = 0; n < qopt->num_entries; n++) {
+ struct tc_taprio_sched_entry *e = &qopt->entries[n];
+- int i;
+
+ end_time += e->interval;
+
+@@ -6058,6 +6058,18 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
+ start_time += e->interval;
+ }
+
++ /* Check whether a queue gets configured.
++ * If not, set the start and end time to be end time.
++ */
++ for (i = 0; i < adapter->num_tx_queues; i++) {
++ if (!queue_configured[i]) {
++ struct igc_ring *ring = adapter->tx_ring[i];
++
++ ring->start_time = end_time;
++ ring->end_time = end_time;
++ }
++ }
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From ab6f0bcad5ca1827394b017ead1fb0b0b1853118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 12:15:18 +0800
+Subject: igc: Use strict cycles for Qbv scheduling
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit d8f45be01dd9381065a3778a579385249ed011dc ]
+
+Configuring strict cycle mode in the controller forces more well
+behaved transmissions when taprio is offloaded.
+
+When set this strict_cycle and strict_end, transmission is not
+enabled if the whole packet cannot be completed before end of
+the Qbv cycle.
+
+Fixes: 82faa9b79950 ("igc: Add support for ETF offloading")
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Aravindhan Gunasekaran <aravindhan.gunasekaran@intel.com>
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_tsn.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
+index 0fce22de2ab8..4a019954cadb 100644
+--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
++++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
+@@ -110,15 +110,8 @@ static int igc_tsn_enable_offload(struct igc_adapter *adapter)
+ wr32(IGC_STQT(i), ring->start_time);
+ wr32(IGC_ENDQT(i), ring->end_time);
+
+- if (adapter->base_time) {
+- /* If we have a base_time we are in "taprio"
+- * mode and we need to be strict about the
+- * cycles: only transmit a packet if it can be
+- * completed during that cycle.
+- */
+- txqctl |= IGC_TXQCTL_STRICT_CYCLE |
+- IGC_TXQCTL_STRICT_END;
+- }
++ txqctl |= IGC_TXQCTL_STRICT_CYCLE |
++ IGC_TXQCTL_STRICT_END;
+
+ if (ring->launchtime_enable)
+ txqctl |= IGC_TXQCTL_QUEUE_MODE_LAUNCHT;
+--
+2.35.1
+
--- /dev/null
+From d47460bc0932134c08c466e19a69269b94af7774 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 10:27:49 +0200
+Subject: iio: adis: add '__adis_enable_irq()' implementation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ramona Bolboaca <ramona.bolboaca@analog.com>
+
+[ Upstream commit 99c05e4283a19a02a256f14100ca4ec3b2da3f62 ]
+
+Add '__adis_enable_irq()' implementation which is the unlocked
+version of 'adis_enable_irq()'.
+Call '__adis_enable_irq()' instead of 'adis_enable_irq()' from
+'__adis_intial_startup()' to keep the expected unlocked functionality.
+
+This fix is needed to remove a deadlock for all devices which are
+using 'adis_initial_startup()'. The deadlock occurs because the
+same mutex is acquired twice, without releasing it.
+The mutex is acquired once inside 'adis_initial_startup()', before
+calling '__adis_initial_startup()', and once inside
+'adis_enable_irq()', which is called by '__adis_initial_startup()'.
+The deadlock is removed by calling '__adis_enable_irq()', instead of
+'adis_enable_irq()' from within '__adis_initial_startup()'.
+
+Fixes: b600bd7eb3335 ("iio: adis: do not disabe IRQs in 'adis_init()'")
+Signed-off-by: Ramona Bolboaca <ramona.bolboaca@analog.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20221122082757.449452-2-ramona.bolboaca@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/adis.c | 28 ++++++++++------------------
+ include/linux/iio/imu/adis.h | 13 ++++++++++++-
+ 2 files changed, 22 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/iio/imu/adis.c b/drivers/iio/imu/adis.c
+index f7fcfd04f659..bc40240b29e2 100644
+--- a/drivers/iio/imu/adis.c
++++ b/drivers/iio/imu/adis.c
+@@ -270,23 +270,19 @@ EXPORT_SYMBOL_NS(adis_debugfs_reg_access, IIO_ADISLIB);
+ #endif
+
+ /**
+- * adis_enable_irq() - Enable or disable data ready IRQ
++ * __adis_enable_irq() - Enable or disable data ready IRQ (unlocked)
+ * @adis: The adis device
+ * @enable: Whether to enable the IRQ
+ *
+ * Returns 0 on success, negative error code otherwise
+ */
+-int adis_enable_irq(struct adis *adis, bool enable)
++int __adis_enable_irq(struct adis *adis, bool enable)
+ {
+- int ret = 0;
++ int ret;
+ u16 msc;
+
+- mutex_lock(&adis->state_lock);
+-
+- if (adis->data->enable_irq) {
+- ret = adis->data->enable_irq(adis, enable);
+- goto out_unlock;
+- }
++ if (adis->data->enable_irq)
++ return adis->data->enable_irq(adis, enable);
+
+ if (adis->data->unmasked_drdy) {
+ if (enable)
+@@ -294,12 +290,12 @@ int adis_enable_irq(struct adis *adis, bool enable)
+ else
+ disable_irq(adis->spi->irq);
+
+- goto out_unlock;
++ return 0;
+ }
+
+ ret = __adis_read_reg_16(adis, adis->data->msc_ctrl_reg, &msc);
+ if (ret)
+- goto out_unlock;
++ return ret;
+
+ msc |= ADIS_MSC_CTRL_DATA_RDY_POL_HIGH;
+ msc &= ~ADIS_MSC_CTRL_DATA_RDY_DIO2;
+@@ -308,13 +304,9 @@ int adis_enable_irq(struct adis *adis, bool enable)
+ else
+ msc &= ~ADIS_MSC_CTRL_DATA_RDY_EN;
+
+- ret = __adis_write_reg_16(adis, adis->data->msc_ctrl_reg, msc);
+-
+-out_unlock:
+- mutex_unlock(&adis->state_lock);
+- return ret;
++ return __adis_write_reg_16(adis, adis->data->msc_ctrl_reg, msc);
+ }
+-EXPORT_SYMBOL_NS(adis_enable_irq, IIO_ADISLIB);
++EXPORT_SYMBOL_NS(__adis_enable_irq, IIO_ADISLIB);
+
+ /**
+ * __adis_check_status() - Check the device for error conditions (unlocked)
+@@ -445,7 +437,7 @@ int __adis_initial_startup(struct adis *adis)
+ * with 'IRQF_NO_AUTOEN' anyways.
+ */
+ if (!adis->data->unmasked_drdy)
+- adis_enable_irq(adis, false);
++ __adis_enable_irq(adis, false);
+
+ if (!adis->data->prod_id_reg)
+ return 0;
+diff --git a/include/linux/iio/imu/adis.h b/include/linux/iio/imu/adis.h
+index 515ca09764fe..bcbefb757475 100644
+--- a/include/linux/iio/imu/adis.h
++++ b/include/linux/iio/imu/adis.h
+@@ -402,9 +402,20 @@ static inline int adis_update_bits_base(struct adis *adis, unsigned int reg,
+ __adis_update_bits_base(adis, reg, mask, val, sizeof(val)); \
+ })
+
+-int adis_enable_irq(struct adis *adis, bool enable);
+ int __adis_check_status(struct adis *adis);
+ int __adis_initial_startup(struct adis *adis);
++int __adis_enable_irq(struct adis *adis, bool enable);
++
++static inline int adis_enable_irq(struct adis *adis, bool enable)
++{
++ int ret;
++
++ mutex_lock(&adis->state_lock);
++ ret = __adis_enable_irq(adis, enable);
++ mutex_unlock(&adis->state_lock);
++
++ return ret;
++}
+
+ static inline int adis_check_status(struct adis *adis)
+ {
+--
+2.35.1
+
--- /dev/null
+From b0ba53676d8607913ad63d8b9df6045ab93d76ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 15:00:29 +0200
+Subject: iio: temperature: ltc2983: make bulk write buffer DMA-safe
+
+From: Cosmin Tanislav <cosmin.tanislav@analog.com>
+
+[ Upstream commit 5e0176213949724fbe9a8e4a39817edce337b8a0 ]
+
+regmap_bulk_write() does not guarantee implicit DMA-safety,
+even though the current implementation duplicates the given
+buffer. Do not rely on it.
+
+Fixes: f110f3188e56 ("iio: temperature: Add support for LTC2983")
+Signed-off-by: Cosmin Tanislav <cosmin.tanislav@analog.com>
+Link: https://lore.kernel.org/r/20221103130041.2153295-2-demonsingur@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/temperature/ltc2983.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/temperature/ltc2983.c b/drivers/iio/temperature/ltc2983.c
+index a60ccf183687..1117991ca2ab 100644
+--- a/drivers/iio/temperature/ltc2983.c
++++ b/drivers/iio/temperature/ltc2983.c
+@@ -209,6 +209,7 @@ struct ltc2983_data {
+ * Holds the converted temperature
+ */
+ __be32 temp __aligned(IIO_DMA_MINALIGN);
++ __be32 chan_val;
+ };
+
+ struct ltc2983_sensor {
+@@ -313,19 +314,18 @@ static int __ltc2983_fault_handler(const struct ltc2983_data *st,
+ return 0;
+ }
+
+-static int __ltc2983_chan_assign_common(const struct ltc2983_data *st,
++static int __ltc2983_chan_assign_common(struct ltc2983_data *st,
+ const struct ltc2983_sensor *sensor,
+ u32 chan_val)
+ {
+ u32 reg = LTC2983_CHAN_START_ADDR(sensor->chan);
+- __be32 __chan_val;
+
+ chan_val |= LTC2983_CHAN_TYPE(sensor->type);
+ dev_dbg(&st->spi->dev, "Assign reg:0x%04X, val:0x%08X\n", reg,
+ chan_val);
+- __chan_val = cpu_to_be32(chan_val);
+- return regmap_bulk_write(st->regmap, reg, &__chan_val,
+- sizeof(__chan_val));
++ st->chan_val = cpu_to_be32(chan_val);
++ return regmap_bulk_write(st->regmap, reg, &st->chan_val,
++ sizeof(st->chan_val));
+ }
+
+ static int __ltc2983_chan_custom_sensor_assign(struct ltc2983_data *st,
+--
+2.35.1
+
--- /dev/null
+From fe7b3449befaf0b02a6b248f26203f2efa5ea6fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 17:27:19 +0800
+Subject: ima: Fix misuse of dereference of pointer in
+ template_desc_init_fields()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 25369175ce84813dd99d6604e710dc2491f68523 ]
+
+The input parameter @fields is type of struct ima_template_field ***, so
+when allocates array memory for @fields, the size of element should be
+sizeof(**field) instead of sizeof(*field).
+
+Actually the original code would not cause any runtime error, but it's
+better to make it logically right.
+
+Fixes: adf53a778a0a ("ima: new templates management mechanism")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_template.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
+index c25079faa208..195ac18f0927 100644
+--- a/security/integrity/ima/ima_template.c
++++ b/security/integrity/ima/ima_template.c
+@@ -245,11 +245,11 @@ int template_desc_init_fields(const char *template_fmt,
+ }
+
+ if (fields && num_fields) {
+- *fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL);
++ *fields = kmalloc_array(i, sizeof(**fields), GFP_KERNEL);
+ if (*fields == NULL)
+ return -ENOMEM;
+
+- memcpy(*fields, found_fields, i * sizeof(*fields));
++ memcpy(*fields, found_fields, i * sizeof(**fields));
+ *num_fields = i;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 78d3c151c359dac9031d797dfe7af9094976569d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 20:58:04 +0800
+Subject: ima: Handle -ESTALE returned by ima_filter_rule_match()
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit c7423dbdbc9ecef7fff5239d144cad4b9887f4de ]
+
+IMA relies on the blocking LSM policy notifier callback to update the
+LSM based IMA policy rules.
+
+When SELinux update its policies, IMA would be notified and starts
+updating all its lsm rules one-by-one. During this time, -ESTALE would
+be returned by ima_filter_rule_match() if it is called with a LSM rule
+that has not yet been updated. In ima_match_rules(), -ESTALE is not
+handled, and the LSM rule is considered a match, causing extra files
+to be measured by IMA.
+
+Fix it by re-initializing a temporary rule if -ESTALE is returned by
+ima_filter_rule_match(). The origin rule in the rule list would be
+updated by the LSM policy notifier callback.
+
+Fixes: b16942455193 ("ima: use the lsm policy update notifier")
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_policy.c | 41 ++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index a8802b8da946..bb3707160b01 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -549,6 +549,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
+ const char *func_data)
+ {
+ int i;
++ bool result = false;
++ struct ima_rule_entry *lsm_rule = rule;
++ bool rule_reinitialized = false;
+
+ if ((rule->flags & IMA_FUNC) &&
+ (rule->func != func && func != POST_SETATTR))
+@@ -610,35 +613,55 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
+ int rc = 0;
+ u32 osid;
+
+- if (!rule->lsm[i].rule) {
+- if (!rule->lsm[i].args_p)
++ if (!lsm_rule->lsm[i].rule) {
++ if (!lsm_rule->lsm[i].args_p)
+ continue;
+ else
+ return false;
+ }
++
++retry:
+ switch (i) {
+ case LSM_OBJ_USER:
+ case LSM_OBJ_ROLE:
+ case LSM_OBJ_TYPE:
+ security_inode_getsecid(inode, &osid);
+- rc = ima_filter_rule_match(osid, rule->lsm[i].type,
++ rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type,
+ Audit_equal,
+- rule->lsm[i].rule);
++ lsm_rule->lsm[i].rule);
+ break;
+ case LSM_SUBJ_USER:
+ case LSM_SUBJ_ROLE:
+ case LSM_SUBJ_TYPE:
+- rc = ima_filter_rule_match(secid, rule->lsm[i].type,
++ rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type,
+ Audit_equal,
+- rule->lsm[i].rule);
++ lsm_rule->lsm[i].rule);
+ break;
+ default:
+ break;
+ }
+- if (!rc)
+- return false;
++
++ if (rc == -ESTALE && !rule_reinitialized) {
++ lsm_rule = ima_lsm_copy_rule(rule);
++ if (lsm_rule) {
++ rule_reinitialized = true;
++ goto retry;
++ }
++ }
++ if (!rc) {
++ result = false;
++ goto out;
++ }
+ }
+- return true;
++ result = true;
++
++out:
++ if (rule_reinitialized) {
++ for (i = 0; i < MAX_LSM_RULES; i++)
++ ima_filter_rule_free(lsm_rule->lsm[i].rule);
++ kfree(lsm_rule);
++ }
++ return result;
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 186574315c37765b801e79bb72718500d2689dbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 14:52:56 -0700
+Subject: include/uapi/linux/swab: Fix potentially missing __always_inline
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matt Redfearn <matt.redfearn@mips.com>
+
+[ Upstream commit defbab270d45e32b068e7e73c3567232d745c60f ]
+
+Commit bc27fb68aaad ("include/uapi/linux/byteorder, swab: force inlining
+of some byteswap operations") added __always_inline to swab functions
+and commit 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to
+userspace headers") added a definition of __always_inline for use in
+exported headers when the kernel's compiler.h is not available.
+
+However, since swab.h does not include stddef.h, if the header soup does
+not indirectly include it, the definition of __always_inline is missing,
+resulting in a compilation failure, which was observed compiling the
+perf tool using exported headers containing this commit:
+
+In file included from /usr/include/linux/byteorder/little_endian.h:12:0,
+ from /usr/include/asm/byteorder.h:14,
+ from tools/include/uapi/linux/perf_event.h:20,
+ from perf.h:8,
+ from builtin-bench.c:18:
+/usr/include/linux/swab.h:160:8: error: unknown type name `__always_inline'
+ static __always_inline __u16 __swab16p(const __u16 *p)
+
+Fix this by replacing the inclusion of linux/compiler.h with
+linux/stddef.h to ensure that we pick up that definition if required,
+without relying on it's indirect inclusion. compiler.h is then included
+indirectly, via stddef.h.
+
+Fixes: 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to userspace headers")
+Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Petr Vaněk <arkamar@atlas.cz>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/swab.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h
+index 0723a9cce747..01717181339e 100644
+--- a/include/uapi/linux/swab.h
++++ b/include/uapi/linux/swab.h
+@@ -3,7 +3,7 @@
+ #define _UAPI_LINUX_SWAB_H
+
+ #include <linux/types.h>
+-#include <linux/compiler.h>
++#include <linux/stddef.h>
+ #include <asm/bitsperlong.h>
+ #include <asm/swab.h>
+
+--
+2.35.1
+
--- /dev/null
+From d5d31eecd00fda038e78920c3dc756f8b1580174 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 21:49:19 -0800
+Subject: Input: elants_i2c - properly handle the reset GPIO when power is off
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit a85fbd6498441694475716a4d5c65f9d3e073faf ]
+
+As can be seen in elants_i2c_power_off(), we want the reset GPIO
+asserted when power is off. The reset GPIO is active low so we need
+the reset line logic low when power is off to avoid leakage.
+
+We have a problem, though, at probe time. At probe time we haven't
+powered the regulators on yet but we have:
+
+ devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW);
+
+While that _looks_ right, it turns out that it's not. The
+GPIOD_OUT_LOW doesn't mean to init the GPIO to low. It means init the
+GPIO to "not asserted". Since this is an active low GPIO that inits it
+to be high.
+
+Let's fix this to properly init the GPIO. Now after both probe and
+power off the state of the GPIO is consistent (it's "asserted" or
+level low).
+
+Once we fix this, we can see that at power on time we no longer to
+assert the reset GPIO as the first thing. The reset GPIO is _always_
+asserted before powering on. Let's fix powering on to account for
+this.
+
+Fixes: afe10358e47a ("Input: elants_i2c - wire up regulator support")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20221117123805.1.I9959ac561dd6e1e8e1ce7085e4de6167b27c574f@changeid
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/elants_i2c.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
+index 879a4d984c90..e1308e179dd6 100644
+--- a/drivers/input/touchscreen/elants_i2c.c
++++ b/drivers/input/touchscreen/elants_i2c.c
+@@ -1329,14 +1329,12 @@ static int elants_i2c_power_on(struct elants_data *ts)
+ if (IS_ERR_OR_NULL(ts->reset_gpio))
+ return 0;
+
+- gpiod_set_value_cansleep(ts->reset_gpio, 1);
+-
+ error = regulator_enable(ts->vcc33);
+ if (error) {
+ dev_err(&ts->client->dev,
+ "failed to enable vcc33 regulator: %d\n",
+ error);
+- goto release_reset_gpio;
++ return error;
+ }
+
+ error = regulator_enable(ts->vccio);
+@@ -1345,7 +1343,7 @@ static int elants_i2c_power_on(struct elants_data *ts)
+ "failed to enable vccio regulator: %d\n",
+ error);
+ regulator_disable(ts->vcc33);
+- goto release_reset_gpio;
++ return error;
+ }
+
+ /*
+@@ -1354,7 +1352,6 @@ static int elants_i2c_power_on(struct elants_data *ts)
+ */
+ udelay(ELAN_POWERON_DELAY_USEC);
+
+-release_reset_gpio:
+ gpiod_set_value_cansleep(ts->reset_gpio, 0);
+ if (error)
+ return error;
+@@ -1462,7 +1459,7 @@ static int elants_i2c_probe(struct i2c_client *client)
+ return error;
+ }
+
+- ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW);
++ ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_HIGH);
+ if (IS_ERR(ts->reset_gpio)) {
+ error = PTR_ERR(ts->reset_gpio);
+
+--
+2.35.1
+
--- /dev/null
+From 0abd3bdef36bfb5bf143f74c46748985989f5f04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Oct 2022 19:56:04 -0500
+Subject: Input: iqs7222 - drop unused device node references
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+[ Upstream commit bbd16b0d839978e8c8bec2b9a162373f64fc2fbb ]
+
+Each call to device/fwnode_get_named_child_node() must be matched
+with a call to fwnode_handle_put() once the corresponding node is
+no longer in use. This ensures a reference count remains balanced
+in the case of dynamic device tree support.
+
+Currently, the driver never calls fwnode_handle_put(). Solve this
+problem by moving the node handling from iqs7222_parse_props() to
+the new iqs7222_parse_reg_grp(), leaving the former to do nothing
+but parse properties. The latter then manages the reference count
+in a single location and consistent fashion.
+
+This change drastically simplifies iqs7222_parse_all(), which can
+then call iqs7222_parse_reg_grp() on every register group without
+having to treat each register group differently.
+
+For nested event nodes, common parsing code has been factored out
+to the new iqs7222_parse_event() so as to allow the event node to
+be dropped from as few locations as possible.
+
+As part of this refactor, the 'linux,code' property has been made
+optional. This enables applications that define an event with the
+sole purpose of enabling a GPIO.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/Y1SRJIQ3WPwNpC0K@nixie71
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Stable-dep-of: 2f6fd2329789 ("Input: iqs7222 - protect against undefined slider size")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/iqs7222.c | 340 +++++++++++++++--------------------
+ 1 file changed, 146 insertions(+), 194 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index 8b3362169265..3b6e84689879 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -105,14 +105,14 @@ enum iqs7222_reg_grp_id {
+ IQS7222_NUM_REG_GRPS
+ };
+
+-static const char * const iqs7222_reg_grp_names[] = {
++static const char * const iqs7222_reg_grp_names[IQS7222_NUM_REG_GRPS] = {
+ [IQS7222_REG_GRP_CYCLE] = "cycle",
+ [IQS7222_REG_GRP_CHAN] = "channel",
+ [IQS7222_REG_GRP_SLDR] = "slider",
+ [IQS7222_REG_GRP_GPIO] = "gpio",
+ };
+
+-static const unsigned int iqs7222_max_cols[] = {
++static const unsigned int iqs7222_max_cols[IQS7222_NUM_REG_GRPS] = {
+ [IQS7222_REG_GRP_STAT] = IQS7222_MAX_COLS_STAT,
+ [IQS7222_REG_GRP_CYCLE] = IQS7222_MAX_COLS_CYCLE,
+ [IQS7222_REG_GRP_GLBL] = IQS7222_MAX_COLS_GLBL,
+@@ -1567,56 +1567,17 @@ static int iqs7222_gpio_select(struct iqs7222_private *iqs7222,
+ }
+
+ static int iqs7222_parse_props(struct iqs7222_private *iqs7222,
+- struct fwnode_handle **child_node,
+- int child_index,
++ struct fwnode_handle *reg_grp_node,
++ int reg_grp_index,
+ enum iqs7222_reg_grp_id reg_grp,
+ enum iqs7222_reg_key_id reg_key)
+ {
+- u16 *setup = iqs7222_setup(iqs7222, reg_grp, child_index);
++ u16 *setup = iqs7222_setup(iqs7222, reg_grp, reg_grp_index);
+ struct i2c_client *client = iqs7222->client;
+- struct fwnode_handle *reg_grp_node;
+- char reg_grp_name[16];
+ int i;
+
+- switch (reg_grp) {
+- case IQS7222_REG_GRP_CYCLE:
+- case IQS7222_REG_GRP_CHAN:
+- case IQS7222_REG_GRP_SLDR:
+- case IQS7222_REG_GRP_GPIO:
+- case IQS7222_REG_GRP_BTN:
+- /*
+- * These groups derive a child node and return it to the caller
+- * for additional group-specific processing. In some cases, the
+- * child node may have already been derived.
+- */
+- reg_grp_node = *child_node;
+- if (reg_grp_node)
+- break;
+-
+- snprintf(reg_grp_name, sizeof(reg_grp_name), "%s-%d",
+- iqs7222_reg_grp_names[reg_grp], child_index);
+-
+- reg_grp_node = device_get_named_child_node(&client->dev,
+- reg_grp_name);
+- if (!reg_grp_node)
+- return 0;
+-
+- *child_node = reg_grp_node;
+- break;
+-
+- case IQS7222_REG_GRP_GLBL:
+- case IQS7222_REG_GRP_FILT:
+- case IQS7222_REG_GRP_SYS:
+- /*
+- * These groups are not organized beneath a child node, nor are
+- * they subject to any additional processing by the caller.
+- */
+- reg_grp_node = dev_fwnode(&client->dev);
+- break;
+-
+- default:
+- return -EINVAL;
+- }
++ if (!setup)
++ return 0;
+
+ for (i = 0; i < ARRAY_SIZE(iqs7222_props); i++) {
+ const char *name = iqs7222_props[i].name;
+@@ -1686,11 +1647,66 @@ static int iqs7222_parse_props(struct iqs7222_private *iqs7222,
+ return 0;
+ }
+
+-static int iqs7222_parse_cycle(struct iqs7222_private *iqs7222, int cycle_index)
++static int iqs7222_parse_event(struct iqs7222_private *iqs7222,
++ struct fwnode_handle *event_node,
++ int reg_grp_index,
++ enum iqs7222_reg_grp_id reg_grp,
++ enum iqs7222_reg_key_id reg_key,
++ u16 event_enable, u16 event_link,
++ unsigned int *event_type,
++ unsigned int *event_code)
++{
++ struct i2c_client *client = iqs7222->client;
++ int error;
++
++ error = iqs7222_parse_props(iqs7222, event_node, reg_grp_index,
++ reg_grp, reg_key);
++ if (error)
++ return error;
++
++ error = iqs7222_gpio_select(iqs7222, event_node, event_enable,
++ event_link);
++ if (error)
++ return error;
++
++ error = fwnode_property_read_u32(event_node, "linux,code", event_code);
++ if (error == -EINVAL) {
++ return 0;
++ } else if (error) {
++ dev_err(&client->dev, "Failed to read %s code: %d\n",
++ fwnode_get_name(event_node), error);
++ return error;
++ }
++
++ if (!event_type) {
++ input_set_capability(iqs7222->keypad, EV_KEY, *event_code);
++ return 0;
++ }
++
++ error = fwnode_property_read_u32(event_node, "linux,input-type",
++ event_type);
++ if (error == -EINVAL) {
++ *event_type = EV_KEY;
++ } else if (error) {
++ dev_err(&client->dev, "Failed to read %s input type: %d\n",
++ fwnode_get_name(event_node), error);
++ return error;
++ } else if (*event_type != EV_KEY && *event_type != EV_SW) {
++ dev_err(&client->dev, "Invalid %s input type: %d\n",
++ fwnode_get_name(event_node), *event_type);
++ return -EINVAL;
++ }
++
++ input_set_capability(iqs7222->keypad, *event_type, *event_code);
++
++ return 0;
++}
++
++static int iqs7222_parse_cycle(struct iqs7222_private *iqs7222,
++ struct fwnode_handle *cycle_node, int cycle_index)
+ {
+ u16 *cycle_setup = iqs7222->cycle_setup[cycle_index];
+ struct i2c_client *client = iqs7222->client;
+- struct fwnode_handle *cycle_node = NULL;
+ unsigned int pins[9];
+ int error, count, i;
+
+@@ -1698,17 +1714,7 @@ static int iqs7222_parse_cycle(struct iqs7222_private *iqs7222, int cycle_index)
+ * Each channel shares a cycle with one other channel; the mapping of
+ * channels to cycles is fixed. Properties defined for a cycle impact
+ * both channels tied to the cycle.
+- */
+- error = iqs7222_parse_props(iqs7222, &cycle_node, cycle_index,
+- IQS7222_REG_GRP_CYCLE,
+- IQS7222_REG_KEY_NONE);
+- if (error)
+- return error;
+-
+- if (!cycle_node)
+- return 0;
+-
+- /*
++ *
+ * Unlike channels which are restricted to a select range of CRx pins
+ * based on channel number, any cycle can claim any of the device's 9
+ * CTx pins (CTx0-8).
+@@ -1750,11 +1756,11 @@ static int iqs7222_parse_cycle(struct iqs7222_private *iqs7222, int cycle_index)
+ return 0;
+ }
+
+-static int iqs7222_parse_chan(struct iqs7222_private *iqs7222, int chan_index)
++static int iqs7222_parse_chan(struct iqs7222_private *iqs7222,
++ struct fwnode_handle *chan_node, int chan_index)
+ {
+ const struct iqs7222_dev_desc *dev_desc = iqs7222->dev_desc;
+ struct i2c_client *client = iqs7222->client;
+- struct fwnode_handle *chan_node = NULL;
+ int num_chan = dev_desc->reg_grps[IQS7222_REG_GRP_CHAN].num_row;
+ int ext_chan = rounddown(num_chan, 10);
+ int error, i;
+@@ -1762,15 +1768,6 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222, int chan_index)
+ u16 *sys_setup = iqs7222->sys_setup;
+ unsigned int val;
+
+- error = iqs7222_parse_props(iqs7222, &chan_node, chan_index,
+- IQS7222_REG_GRP_CHAN,
+- IQS7222_REG_KEY_NONE);
+- if (error)
+- return error;
+-
+- if (!chan_node)
+- return 0;
+-
+ if (dev_desc->allow_offset &&
+ fwnode_property_present(chan_node, "azoteq,ulp-allow"))
+ sys_setup[dev_desc->allow_offset] &= ~BIT(chan_index);
+@@ -1892,18 +1889,6 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222, int chan_index)
+ if (!event_node)
+ continue;
+
+- error = iqs7222_parse_props(iqs7222, &event_node, chan_index,
+- IQS7222_REG_GRP_BTN,
+- iqs7222_kp_events[i].reg_key);
+- if (error)
+- return error;
+-
+- error = iqs7222_gpio_select(iqs7222, event_node,
+- BIT(chan_index),
+- dev_desc->touch_link - (i ? 0 : 2));
+- if (error)
+- return error;
+-
+ if (!fwnode_property_read_u32(event_node,
+ "azoteq,timeout-press-ms",
+ &val)) {
+@@ -1919,7 +1904,8 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222, int chan_index)
+ if (val > U8_MAX * 500) {
+ dev_err(&client->dev,
+ "Invalid %s press timeout: %u\n",
+- fwnode_get_name(chan_node), val);
++ fwnode_get_name(event_node), val);
++ fwnode_handle_put(event_node);
+ return -EINVAL;
+ }
+
+@@ -1927,49 +1913,16 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222, int chan_index)
+ *setup |= (val / 500 << i * 8);
+ }
+
+- error = fwnode_property_read_u32(event_node, "linux,code",
+- &val);
+- if (error) {
+- dev_err(&client->dev, "Failed to read %s code: %d\n",
+- fwnode_get_name(chan_node), error);
++ error = iqs7222_parse_event(iqs7222, event_node, chan_index,
++ IQS7222_REG_GRP_BTN,
++ iqs7222_kp_events[i].reg_key,
++ BIT(chan_index),
++ dev_desc->touch_link - (i ? 0 : 2),
++ &iqs7222->kp_type[chan_index][i],
++ &iqs7222->kp_code[chan_index][i]);
++ fwnode_handle_put(event_node);
++ if (error)
+ return error;
+- }
+-
+- iqs7222->kp_code[chan_index][i] = val;
+- iqs7222->kp_type[chan_index][i] = EV_KEY;
+-
+- if (fwnode_property_present(event_node, "linux,input-type")) {
+- error = fwnode_property_read_u32(event_node,
+- "linux,input-type",
+- &val);
+- if (error) {
+- dev_err(&client->dev,
+- "Failed to read %s input type: %d\n",
+- fwnode_get_name(chan_node), error);
+- return error;
+- }
+-
+- if (val != EV_KEY && val != EV_SW) {
+- dev_err(&client->dev,
+- "Invalid %s input type: %u\n",
+- fwnode_get_name(chan_node), val);
+- return -EINVAL;
+- }
+-
+- iqs7222->kp_type[chan_index][i] = val;
+- }
+-
+- /*
+- * Reference channels can opt out of event reporting by using
+- * KEY_RESERVED in place of a true key or switch code.
+- */
+- if (iqs7222->kp_type[chan_index][i] == EV_KEY &&
+- iqs7222->kp_code[chan_index][i] == KEY_RESERVED)
+- continue;
+-
+- input_set_capability(iqs7222->keypad,
+- iqs7222->kp_type[chan_index][i],
+- iqs7222->kp_code[chan_index][i]);
+
+ if (!dev_desc->event_offset)
+ continue;
+@@ -1981,16 +1934,16 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222, int chan_index)
+ * The following call handles a special pair of properties that apply
+ * to a channel node, but reside within the button (event) group.
+ */
+- return iqs7222_parse_props(iqs7222, &chan_node, chan_index,
++ return iqs7222_parse_props(iqs7222, chan_node, chan_index,
+ IQS7222_REG_GRP_BTN,
+ IQS7222_REG_KEY_DEBOUNCE);
+ }
+
+-static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
++static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222,
++ struct fwnode_handle *sldr_node, int sldr_index)
+ {
+ const struct iqs7222_dev_desc *dev_desc = iqs7222->dev_desc;
+ struct i2c_client *client = iqs7222->client;
+- struct fwnode_handle *sldr_node = NULL;
+ int num_chan = dev_desc->reg_grps[IQS7222_REG_GRP_CHAN].num_row;
+ int ext_chan = rounddown(num_chan, 10);
+ int count, error, reg_offset, i;
+@@ -1998,15 +1951,6 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
+ u16 *sldr_setup = iqs7222->sldr_setup[sldr_index];
+ unsigned int chan_sel[4], val;
+
+- error = iqs7222_parse_props(iqs7222, &sldr_node, sldr_index,
+- IQS7222_REG_GRP_SLDR,
+- IQS7222_REG_KEY_NONE);
+- if (error)
+- return error;
+-
+- if (!sldr_node)
+- return 0;
+-
+ /*
+ * Each slider can be spread across 3 to 4 channels. It is possible to
+ * select only 2 channels, but doing so prevents the slider from using
+@@ -2130,46 +2074,37 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
+ for (i = 0; i < ARRAY_SIZE(iqs7222_sl_events); i++) {
+ const char *event_name = iqs7222_sl_events[i].name;
+ struct fwnode_handle *event_node;
++ enum iqs7222_reg_key_id reg_key;
+
+ event_node = fwnode_get_named_child_node(sldr_node, event_name);
+ if (!event_node)
+ continue;
+
+- error = iqs7222_parse_props(iqs7222, &event_node, sldr_index,
+- IQS7222_REG_GRP_SLDR,
+- reg_offset ?
+- IQS7222_REG_KEY_RESERVED :
+- iqs7222_sl_events[i].reg_key);
+- if (error)
+- return error;
++ if (reg_offset)
++ reg_key = IQS7222_REG_KEY_RESERVED;
++ else
++ reg_key = iqs7222_sl_events[i].reg_key;
+
+ /*
+ * The press/release event does not expose a direct GPIO link,
+ * but one can be emulated by tying each of the participating
+ * channels to the same GPIO.
+ */
+- error = iqs7222_gpio_select(iqs7222, event_node,
++ error = iqs7222_parse_event(iqs7222, event_node, sldr_index,
++ IQS7222_REG_GRP_SLDR, reg_key,
+ i ? iqs7222_sl_events[i].enable
+ : sldr_setup[3 + reg_offset],
+ i ? 1568 + sldr_index * 30
+- : sldr_setup[4 + reg_offset]);
++ : sldr_setup[4 + reg_offset],
++ NULL,
++ &iqs7222->sl_code[sldr_index][i]);
++ fwnode_handle_put(event_node);
+ if (error)
+ return error;
+
+ if (!reg_offset)
+ sldr_setup[9] |= iqs7222_sl_events[i].enable;
+
+- error = fwnode_property_read_u32(event_node, "linux,code",
+- &val);
+- if (error) {
+- dev_err(&client->dev, "Failed to read %s code: %d\n",
+- fwnode_get_name(sldr_node), error);
+- return error;
+- }
+-
+- iqs7222->sl_code[sldr_index][i] = val;
+- input_set_capability(iqs7222->keypad, EV_KEY, val);
+-
+ if (!dev_desc->event_offset)
+ continue;
+
+@@ -2190,19 +2125,63 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
+ * The following call handles a special pair of properties that shift
+ * to make room for a wheel enable control in the case of IQS7222C.
+ */
+- return iqs7222_parse_props(iqs7222, &sldr_node, sldr_index,
++ return iqs7222_parse_props(iqs7222, sldr_node, sldr_index,
+ IQS7222_REG_GRP_SLDR,
+ dev_desc->wheel_enable ?
+ IQS7222_REG_KEY_WHEEL :
+ IQS7222_REG_KEY_NO_WHEEL);
+ }
+
++static int (*iqs7222_parse_extra[IQS7222_NUM_REG_GRPS])
++ (struct iqs7222_private *iqs7222,
++ struct fwnode_handle *reg_grp_node,
++ int reg_grp_index) = {
++ [IQS7222_REG_GRP_CYCLE] = iqs7222_parse_cycle,
++ [IQS7222_REG_GRP_CHAN] = iqs7222_parse_chan,
++ [IQS7222_REG_GRP_SLDR] = iqs7222_parse_sldr,
++};
++
++static int iqs7222_parse_reg_grp(struct iqs7222_private *iqs7222,
++ enum iqs7222_reg_grp_id reg_grp,
++ int reg_grp_index)
++{
++ struct i2c_client *client = iqs7222->client;
++ struct fwnode_handle *reg_grp_node;
++ int error;
++
++ if (iqs7222_reg_grp_names[reg_grp]) {
++ char reg_grp_name[16];
++
++ snprintf(reg_grp_name, sizeof(reg_grp_name), "%s-%d",
++ iqs7222_reg_grp_names[reg_grp], reg_grp_index);
++
++ reg_grp_node = device_get_named_child_node(&client->dev,
++ reg_grp_name);
++ } else {
++ reg_grp_node = fwnode_handle_get(dev_fwnode(&client->dev));
++ }
++
++ if (!reg_grp_node)
++ return 0;
++
++ error = iqs7222_parse_props(iqs7222, reg_grp_node, reg_grp_index,
++ reg_grp, IQS7222_REG_KEY_NONE);
++
++ if (!error && iqs7222_parse_extra[reg_grp])
++ error = iqs7222_parse_extra[reg_grp](iqs7222, reg_grp_node,
++ reg_grp_index);
++
++ fwnode_handle_put(reg_grp_node);
++
++ return error;
++}
++
+ static int iqs7222_parse_all(struct iqs7222_private *iqs7222)
+ {
+ const struct iqs7222_dev_desc *dev_desc = iqs7222->dev_desc;
+ const struct iqs7222_reg_grp_desc *reg_grps = dev_desc->reg_grps;
+ u16 *sys_setup = iqs7222->sys_setup;
+- int error, i;
++ int error, i, j;
+
+ if (dev_desc->allow_offset)
+ sys_setup[dev_desc->allow_offset] = U16_MAX;
+@@ -2210,32 +2189,13 @@ static int iqs7222_parse_all(struct iqs7222_private *iqs7222)
+ if (dev_desc->event_offset)
+ sys_setup[dev_desc->event_offset] = IQS7222_EVENT_MASK_ATI;
+
+- for (i = 0; i < reg_grps[IQS7222_REG_GRP_CYCLE].num_row; i++) {
+- error = iqs7222_parse_cycle(iqs7222, i);
+- if (error)
+- return error;
+- }
+-
+- error = iqs7222_parse_props(iqs7222, NULL, 0, IQS7222_REG_GRP_GLBL,
+- IQS7222_REG_KEY_NONE);
+- if (error)
+- return error;
+-
+ for (i = 0; i < reg_grps[IQS7222_REG_GRP_GPIO].num_row; i++) {
+- struct fwnode_handle *gpio_node = NULL;
+ u16 *gpio_setup = iqs7222->gpio_setup[i];
+- int j;
+
+ gpio_setup[0] &= ~IQS7222_GPIO_SETUP_0_GPIO_EN;
+ gpio_setup[1] = 0;
+ gpio_setup[2] = 0;
+
+- error = iqs7222_parse_props(iqs7222, &gpio_node, i,
+- IQS7222_REG_GRP_GPIO,
+- IQS7222_REG_KEY_NONE);
+- if (error)
+- return error;
+-
+ if (reg_grps[IQS7222_REG_GRP_GPIO].num_row == 1)
+ continue;
+
+@@ -2258,29 +2218,21 @@ static int iqs7222_parse_all(struct iqs7222_private *iqs7222)
+ chan_setup[5] = 0;
+ }
+
+- for (i = 0; i < reg_grps[IQS7222_REG_GRP_CHAN].num_row; i++) {
+- error = iqs7222_parse_chan(iqs7222, i);
+- if (error)
+- return error;
+- }
+-
+- error = iqs7222_parse_props(iqs7222, NULL, 0, IQS7222_REG_GRP_FILT,
+- IQS7222_REG_KEY_NONE);
+- if (error)
+- return error;
+-
+ for (i = 0; i < reg_grps[IQS7222_REG_GRP_SLDR].num_row; i++) {
+ u16 *sldr_setup = iqs7222->sldr_setup[i];
+
+ sldr_setup[0] &= ~IQS7222_SLDR_SETUP_0_CHAN_CNT_MASK;
++ }
+
+- error = iqs7222_parse_sldr(iqs7222, i);
+- if (error)
+- return error;
++ for (i = 0; i < IQS7222_NUM_REG_GRPS; i++) {
++ for (j = 0; j < reg_grps[i].num_row; j++) {
++ error = iqs7222_parse_reg_grp(iqs7222, i, j);
++ if (error)
++ return error;
++ }
+ }
+
+- return iqs7222_parse_props(iqs7222, NULL, 0, IQS7222_REG_GRP_SYS,
+- IQS7222_REG_KEY_NONE);
++ return 0;
+ }
+
+ static int iqs7222_report(struct iqs7222_private *iqs7222)
+--
+2.35.1
+
--- /dev/null
+From e619f0c92406920f6f5f9c1f215727e000463710 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Oct 2022 19:57:00 -0500
+Subject: Input: iqs7222 - protect against undefined slider size
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+[ Upstream commit 2f6fd232978906f6fb054529210b9faec384bd45 ]
+
+Select variants of silicon do not define a default slider size, in
+which case the size must be specified in the device tree. If it is
+not, the axis's maximum value is reported as 65535 due to unsigned
+integer overflow.
+
+To solve this problem, move the existing zero-check outside of the
+conditional block that checks whether the property is present.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/Y1SRXEi7XMlncDWk@nixie71
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/iqs7222.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index 350be4f23f50..8fd665874a24 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -2024,7 +2024,7 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222,
+
+ error = fwnode_property_read_u32(sldr_node, "azoteq,slider-size", &val);
+ if (!error) {
+- if (!val || val > dev_desc->sldr_res) {
++ if (val > dev_desc->sldr_res) {
+ dev_err(&client->dev, "Invalid %s size: %u\n",
+ fwnode_get_name(sldr_node), val);
+ return -EINVAL;
+@@ -2043,6 +2043,13 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222,
+ return error;
+ }
+
++ if (!(reg_offset ? sldr_setup[3]
++ : sldr_setup[2] & IQS7222_SLDR_SETUP_2_RES_MASK)) {
++ dev_err(&client->dev, "Undefined %s size\n",
++ fwnode_get_name(sldr_node));
++ return -EINVAL;
++ }
++
+ error = fwnode_property_read_u32(sldr_node, "azoteq,top-speed", &val);
+ if (!error) {
+ if (val > (reg_offset ? U16_MAX : U8_MAX * 4)) {
+--
+2.35.1
+
--- /dev/null
+From 5f6b5c92264b269c63b9e6aa5b1d3596808c6cab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Oct 2022 19:56:38 -0500
+Subject: Input: iqs7222 - report malformed properties
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+[ Upstream commit 404f3b48e65f058d94429e4a1ec16a1f82ff3b2f ]
+
+Nonzero return values of several calls to fwnode_property_read_u32()
+are silently ignored, leaving no way to know the properties were not
+applied in the event of an error.
+
+Solve this problem by evaluating fwnode_property_read_u32()'s return
+value, and reporting an error for any nonzero return value not equal
+to -EINVAL which indicates the property was absent altogether.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Link: https://lore.kernel.org/r/Y1SRRrpQXvkETjfm@nixie71
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Stable-dep-of: 2f6fd2329789 ("Input: iqs7222 - protect against undefined slider size")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/iqs7222.c | 44 +++++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index 3b6e84689879..350be4f23f50 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -1807,8 +1807,9 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222,
+ chan_setup[0] |= IQS7222_CHAN_SETUP_0_REF_MODE_FOLLOW;
+ chan_setup[4] = val * 42 + 1048;
+
+- if (!fwnode_property_read_u32(chan_node, "azoteq,ref-weight",
+- &val)) {
++ error = fwnode_property_read_u32(chan_node, "azoteq,ref-weight",
++ &val);
++ if (!error) {
+ if (val > U16_MAX) {
+ dev_err(&client->dev,
+ "Invalid %s reference weight: %u\n",
+@@ -1817,6 +1818,11 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222,
+ }
+
+ chan_setup[5] = val;
++ } else if (error != -EINVAL) {
++ dev_err(&client->dev,
++ "Failed to read %s reference weight: %d\n",
++ fwnode_get_name(chan_node), error);
++ return error;
+ }
+
+ /*
+@@ -1889,9 +1895,10 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222,
+ if (!event_node)
+ continue;
+
+- if (!fwnode_property_read_u32(event_node,
+- "azoteq,timeout-press-ms",
+- &val)) {
++ error = fwnode_property_read_u32(event_node,
++ "azoteq,timeout-press-ms",
++ &val);
++ if (!error) {
+ /*
+ * The IQS7222B employs a global pair of press timeout
+ * registers as opposed to channel-specific registers.
+@@ -1911,6 +1918,12 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222,
+
+ *setup &= ~(U8_MAX << i * 8);
+ *setup |= (val / 500 << i * 8);
++ } else if (error != -EINVAL) {
++ dev_err(&client->dev,
++ "Failed to read %s press timeout: %d\n",
++ fwnode_get_name(event_node), error);
++ fwnode_handle_put(event_node);
++ return error;
+ }
+
+ error = iqs7222_parse_event(iqs7222, event_node, chan_index,
+@@ -2009,7 +2022,8 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222,
+ if (fwnode_property_present(sldr_node, "azoteq,use-prox"))
+ sldr_setup[4 + reg_offset] -= 2;
+
+- if (!fwnode_property_read_u32(sldr_node, "azoteq,slider-size", &val)) {
++ error = fwnode_property_read_u32(sldr_node, "azoteq,slider-size", &val);
++ if (!error) {
+ if (!val || val > dev_desc->sldr_res) {
+ dev_err(&client->dev, "Invalid %s size: %u\n",
+ fwnode_get_name(sldr_node), val);
+@@ -2023,9 +2037,14 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222,
+ sldr_setup[2] |= (val / 16 <<
+ IQS7222_SLDR_SETUP_2_RES_SHIFT);
+ }
++ } else if (error != -EINVAL) {
++ dev_err(&client->dev, "Failed to read %s size: %d\n",
++ fwnode_get_name(sldr_node), error);
++ return error;
+ }
+
+- if (!fwnode_property_read_u32(sldr_node, "azoteq,top-speed", &val)) {
++ error = fwnode_property_read_u32(sldr_node, "azoteq,top-speed", &val);
++ if (!error) {
+ if (val > (reg_offset ? U16_MAX : U8_MAX * 4)) {
+ dev_err(&client->dev, "Invalid %s top speed: %u\n",
+ fwnode_get_name(sldr_node), val);
+@@ -2038,9 +2057,14 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222,
+ sldr_setup[2] &= ~IQS7222_SLDR_SETUP_2_TOP_SPEED_MASK;
+ sldr_setup[2] |= (val / 4);
+ }
++ } else if (error != -EINVAL) {
++ dev_err(&client->dev, "Failed to read %s top speed: %d\n",
++ fwnode_get_name(sldr_node), error);
++ return error;
+ }
+
+- if (!fwnode_property_read_u32(sldr_node, "linux,axis", &val)) {
++ error = fwnode_property_read_u32(sldr_node, "linux,axis", &val);
++ if (!error) {
+ u16 sldr_max = sldr_setup[3] - 1;
+
+ if (!reg_offset) {
+@@ -2054,6 +2078,10 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222,
+
+ input_set_abs_params(iqs7222->keypad, val, 0, sldr_max, 0, 0);
+ iqs7222->sl_axis[sldr_index] = val;
++ } else if (error != -EINVAL) {
++ dev_err(&client->dev, "Failed to read %s axis: %d\n",
++ fwnode_get_name(sldr_node), error);
++ return error;
+ }
+
+ if (dev_desc->wheel_enable) {
+--
+2.35.1
+
--- /dev/null
+From 6938214051b65478eef0a3df50597f234f3b10a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 14:24:35 -0700
+Subject: Input: iqs7222 - set all ULP entry masks by default
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+[ Upstream commit d56111ed58482de0045e1e1201122e6e71516945 ]
+
+Some devices expose an ultra-low-power (ULP) mode entry mask for
+each channel. If the mask is set, the device cannot enter ULP so
+long as the corresponding channel remains in an active state.
+
+The vendor has advised setting the mask for any disabled channel.
+To accommodate this suggestion, initially set all masks and then
+clear them only if specified in the device tree.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220908131548.48120-8-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Stable-dep-of: 2f6fd2329789 ("Input: iqs7222 - protect against undefined slider size")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/iqs7222.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index b2e8097a2e6d..8b3362169265 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -1771,11 +1771,9 @@ static int iqs7222_parse_chan(struct iqs7222_private *iqs7222, int chan_index)
+ if (!chan_node)
+ return 0;
+
+- if (dev_desc->allow_offset) {
+- sys_setup[dev_desc->allow_offset] |= BIT(chan_index);
+- if (fwnode_property_present(chan_node, "azoteq,ulp-allow"))
+- sys_setup[dev_desc->allow_offset] &= ~BIT(chan_index);
+- }
++ if (dev_desc->allow_offset &&
++ fwnode_property_present(chan_node, "azoteq,ulp-allow"))
++ sys_setup[dev_desc->allow_offset] &= ~BIT(chan_index);
+
+ chan_setup[0] |= IQS7222_CHAN_SETUP_0_CHAN_EN;
+
+@@ -2206,6 +2204,9 @@ static int iqs7222_parse_all(struct iqs7222_private *iqs7222)
+ u16 *sys_setup = iqs7222->sys_setup;
+ int error, i;
+
++ if (dev_desc->allow_offset)
++ sys_setup[dev_desc->allow_offset] = U16_MAX;
++
+ if (dev_desc->event_offset)
+ sys_setup[dev_desc->event_offset] = IQS7222_EVENT_MASK_ATI;
+
+--
+2.35.1
+
--- /dev/null
+From 320243ad2d5c9b419def21aea4f997818f84df0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 13:12:38 -0700
+Subject: Input: joystick - fix Kconfig warning for JOYSTICK_ADC
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 6100a19c4fcfe154dd32f8a8ef4e8c0b1f607c75 ]
+
+Fix a Kconfig warning for JOYSTICK_ADC by also selecting
+IIO_BUFFER.
+
+WARNING: unmet direct dependencies detected for IIO_BUFFER_CB
+ Depends on [n]: IIO [=y] && IIO_BUFFER [=n]
+ Selected by [y]:
+ - JOYSTICK_ADC [=y] && INPUT [=y] && INPUT_JOYSTICK [=y] && IIO [=y]
+
+Fixes: 2c2b364fddd5 ("Input: joystick - add ADC attached joystick driver.")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20221104201238.31628-1-rdunlap@infradead.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/joystick/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/joystick/Kconfig b/drivers/input/joystick/Kconfig
+index 9dcf3f51f2dd..04ca3d1c2816 100644
+--- a/drivers/input/joystick/Kconfig
++++ b/drivers/input/joystick/Kconfig
+@@ -46,6 +46,7 @@ config JOYSTICK_A3D
+ config JOYSTICK_ADC
+ tristate "Simple joystick connected over ADC"
+ depends on IIO
++ select IIO_BUFFER
+ select IIO_BUFFER_CB
+ help
+ Say Y here if you have a simple joystick connected over ADC.
+--
+2.35.1
+
--- /dev/null
+From 52b7f6dece052189dd32d91129f04c8dc37b6a9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 15:01:07 -0800
+Subject: Input: wistron_btns - disable on UML
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b2b80d9dd14cb5b70dc254bddbc4eea932694791 ]
+
+The wistron_btns driver calls rtc_cmos_read(), which isn't
+available with UML builds, so disable this driver on UML.
+
+Prevents this build error:
+
+ld: drivers/input/misc/wistron_btns.o: in function `poll_bios':
+wistron_btns.c:(.text+0x4be): undefined reference to `rtc_cmos_read'
+
+Fixes: 0bbadafdc49d ("um: allow disabling NO_IOMEM") # v5.14+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20221130161604.1879-1-rdunlap@infradead.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/misc/Kconfig b/drivers/input/misc/Kconfig
+index a18ab7358d8f..54c116e56e9d 100644
+--- a/drivers/input/misc/Kconfig
++++ b/drivers/input/misc/Kconfig
+@@ -330,7 +330,7 @@ config INPUT_CPCAP_PWRBUTTON
+
+ config INPUT_WISTRON_BTNS
+ tristate "x86 Wistron laptop button interface"
+- depends on X86_32
++ depends on X86_32 && !UML
+ select INPUT_SPARSEKMAP
+ select NEW_LEDS
+ select LEDS_CLASS
+--
+2.35.1
+
--- /dev/null
+From 1254791bb3d58a09b5d27dbeaff6ae29900cff49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 18:13:17 +0800
+Subject: integrity: Fix memory leakage in keyring allocation error path
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit 39419ef7af0916cc3620ecf1ed42d29659109bf3 ]
+
+Key restriction is allocated in integrity_init_keyring(). However, if
+keyring allocation failed, it is not freed, causing memory leaks.
+
+Fixes: 2b6aa412ff23 ("KEYS: Use structure to capture key restriction function and data")
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/digsig.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index 8a82a6c7f48a..f2193c531f4a 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -126,6 +126,7 @@ int __init integrity_init_keyring(const unsigned int id)
+ {
+ struct key_restriction *restriction;
+ key_perm_t perm;
++ int ret;
+
+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
+ | KEY_USR_READ | KEY_USR_SEARCH;
+@@ -154,7 +155,10 @@ int __init integrity_init_keyring(const unsigned int id)
+ perm |= KEY_USR_WRITE;
+
+ out:
+- return __integrity_init_keyring(id, perm, restriction);
++ ret = __integrity_init_keyring(id, perm, restriction);
++ if (ret)
++ kfree(restriction);
++ return ret;
+ }
+
+ static int __init integrity_add_key(const unsigned int id, const void *data,
+--
+2.35.1
+
--- /dev/null
+From ddaed27cc9f6712b0492ac6c7c0c33e1626124c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 11:48:46 -0400
+Subject: interconnect: qcom: sc7180: fix dropped const of qcom_icc_bcm
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f24227a640344f894522045f74bb2decbdc4f55e ]
+
+Pointers to struct qcom_icc_bcm are const, but the change was dropped
+during merge.
+
+Fixes: 016fca59f95f ("Merge branch 'icc-const' into icc-next")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20221027154848.293523-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/sc7180.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/interconnect/qcom/sc7180.c b/drivers/interconnect/qcom/sc7180.c
+index 35cd448efdfb..82d5e8a8c19e 100644
+--- a/drivers/interconnect/qcom/sc7180.c
++++ b/drivers/interconnect/qcom/sc7180.c
+@@ -369,7 +369,7 @@ static const struct qcom_icc_desc sc7180_gem_noc = {
+ .num_bcms = ARRAY_SIZE(gem_noc_bcms),
+ };
+
+-static struct qcom_icc_bcm *mc_virt_bcms[] = {
++static struct qcom_icc_bcm * const mc_virt_bcms[] = {
+ &bcm_acv,
+ &bcm_mc0,
+ };
+--
+2.35.1
+
--- /dev/null
+From ff03cb5f08004f331ed020919d3aa56bfde931fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:36:04 +0800
+Subject: iommu/amd: Fix pci device refcount leak in ppr_notifier()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6cf0981c2233f97d56938d9d61845383d6eb227c ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put(). So call it before returning from ppr_notifier()
+to avoid refcount leak.
+
+Fixes: daae2d25a477 ("iommu/amd: Don't copy GCR3 table root pointer")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221118093604.216371-1-yangyingliang@huawei.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu_v2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iommu/amd/iommu_v2.c b/drivers/iommu/amd/iommu_v2.c
+index 6a1f02c62dff..9f7fab49a5a9 100644
+--- a/drivers/iommu/amd/iommu_v2.c
++++ b/drivers/iommu/amd/iommu_v2.c
+@@ -587,6 +587,7 @@ static int ppr_notifier(struct notifier_block *nb, unsigned long e, void *data)
+ put_device_state(dev_state);
+
+ out:
++ pci_dev_put(pdev);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 09b38c28c27c900b8c18fe88fd555f570158c21d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 08:20:22 +0000
+Subject: iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 73f5fc5f884ad0c5f7d57f66303af64f9f002526 ]
+
+The fsl_pamu_probe() returns directly when create_csd() failed, leaving
+irq and memories unreleased.
+Fix by jumping to error if create_csd() returns error.
+
+Fixes: 695093e38c3e ("iommu/fsl: Freescale PAMU driver and iommu implementation.")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221121082022.19091-1-yuancan@huawei.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/fsl_pamu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/fsl_pamu.c b/drivers/iommu/fsl_pamu.c
+index 0d03f837a5d4..7a1a413f75ab 100644
+--- a/drivers/iommu/fsl_pamu.c
++++ b/drivers/iommu/fsl_pamu.c
+@@ -868,7 +868,7 @@ static int fsl_pamu_probe(struct platform_device *pdev)
+ ret = create_csd(ppaact_phys, mem_size, csd_port_id);
+ if (ret) {
+ dev_err(dev, "could not create coherence subdomain\n");
+- return ret;
++ goto error;
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 1d6cbddae1ae3a56d5f33ad85264fdd126ba61ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 10:42:55 +0800
+Subject: iommu/mediatek: Add error path for loop of mm_dts_parse
+
+From: Yong Wu <yong.wu@mediatek.com>
+
+[ Upstream commit 26593928564cf5b576ff05d3cbd958f57c9534bb ]
+
+The mtk_iommu_mm_dts_parse will parse the smi larbs nodes. if the i+1
+larb is parsed fail, we should put_device for the i..0 larbs.
+
+There are two places need to comment:
+1) The larbid may be not linear mapping, we should loop whole
+ the array in the error path.
+2) I move this line position: "data->larb_imu[id].dev = &plarbdev->dev;"
+ before "if (!plarbdev->dev.driver)", That means set
+ data->larb_imu[id].dev before the error path. then we don't need
+ "platform_device_put(plarbdev)" again in probe_defer case. All depend
+ on "put_device" of the error path in error cases.
+
+Fixes: d2e9a1102cfc ("iommu/mediatek: Contain MM IOMMU flow with the MM TYPE")
+Signed-off-by: Yong Wu <yong.wu@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/r/20221018024258.19073-4-yong.wu@mediatek.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index ce9288695f9b..39f4c79e9c71 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1053,8 +1053,10 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ u32 id;
+
+ larbnode = of_parse_phandle(dev->of_node, "mediatek,larbs", i);
+- if (!larbnode)
+- return -EINVAL;
++ if (!larbnode) {
++ ret = -EINVAL;
++ goto err_larbdev_put;
++ }
+
+ if (!of_device_is_available(larbnode)) {
+ of_node_put(larbnode);
+@@ -1067,14 +1069,16 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+
+ plarbdev = of_find_device_by_node(larbnode);
+ of_node_put(larbnode);
+- if (!plarbdev)
+- return -ENODEV;
++ if (!plarbdev) {
++ ret = -ENODEV;
++ goto err_larbdev_put;
++ }
++ data->larb_imu[id].dev = &plarbdev->dev;
+
+ if (!plarbdev->dev.driver) {
+- platform_device_put(plarbdev);
+- return -EPROBE_DEFER;
++ ret = -EPROBE_DEFER;
++ goto err_larbdev_put;
+ }
+- data->larb_imu[id].dev = &plarbdev->dev;
+
+ component_match_add(dev, match, component_compare_dev, &plarbdev->dev);
+ platform_device_put(plarbdev);
+@@ -1109,6 +1113,15 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ return -EINVAL;
+ }
+ return 0;
++
++err_larbdev_put:
++ /* id may be not linear mapping, loop whole the array */
++ for (i = MTK_LARB_NR_MAX - 1; i >= 0; i++) {
++ if (!data->larb_imu[i].dev)
++ continue;
++ put_device(data->larb_imu[i].dev);
++ }
++ return ret;
+ }
+
+ static int mtk_iommu_probe(struct platform_device *pdev)
+--
+2.35.1
+
--- /dev/null
+From cb94ff01097778243a65b5456ec9f0dd31785507 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 10:42:53 +0800
+Subject: iommu/mediatek: Add platform_device_put for recovering the device
+ refcnt
+
+From: Yong Wu <yong.wu@mediatek.com>
+
+[ Upstream commit dcb40e9fcce9bd251eaff19f3724131db522846c ]
+
+Add platform_device_put to match with of_find_device_by_node.
+
+Meanwhile, I add a new variable "pcommdev" which is for smi common device.
+Otherwise, "platform_device_put(plarbdev)" for smi-common dev may be not
+readable. And add a checking for whether pcommdev is NULL.
+
+Fixes: d2e9a1102cfc ("iommu/mediatek: Contain MM IOMMU flow with the MM TYPE")
+Signed-off-by: Yong Wu <yong.wu@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/r/20221018024258.19073-2-yong.wu@mediatek.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index 0c1c0d8e4d06..93005e63fc7f 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1041,7 +1041,7 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ struct mtk_iommu_data *data)
+ {
+ struct device_node *larbnode, *smicomm_node, *smi_subcomm_node;
+- struct platform_device *plarbdev;
++ struct platform_device *plarbdev, *pcommdev;
+ struct device_link *link;
+ int i, larb_nr, ret;
+
+@@ -1072,12 +1072,14 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ }
+ if (!plarbdev->dev.driver) {
+ of_node_put(larbnode);
++ platform_device_put(plarbdev);
+ return -EPROBE_DEFER;
+ }
+ data->larb_imu[id].dev = &plarbdev->dev;
+
+ component_match_add_release(dev, match, component_release_of,
+ component_compare_of, larbnode);
++ platform_device_put(plarbdev);
+ }
+
+ /* Get smi-(sub)-common dev from the last larb. */
+@@ -1095,12 +1097,15 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ else
+ smicomm_node = smi_subcomm_node;
+
+- plarbdev = of_find_device_by_node(smicomm_node);
++ pcommdev = of_find_device_by_node(smicomm_node);
+ of_node_put(smicomm_node);
+- data->smicomm_dev = &plarbdev->dev;
++ if (!pcommdev)
++ return -ENODEV;
++ data->smicomm_dev = &pcommdev->dev;
+
+ link = device_link_add(data->smicomm_dev, dev,
+ DL_FLAG_STATELESS | DL_FLAG_PM_RUNTIME);
++ platform_device_put(pcommdev);
+ if (!link) {
+ dev_err(dev, "Unable to link %s.\n", dev_name(data->smicomm_dev));
+ return -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From cd925a93e27df5a5181f11b766397827e217b3f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 18:35:50 +0800
+Subject: iommu/mediatek: Check return value after calling
+ platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 73b6924cdebc899de9b719e1319aa86c6bed4acf ]
+
+platform_get_resource() may return NULL pointer, we need check its
+return value to avoid null-ptr-deref in resource_size().
+
+Fixes: 42d57fc58aeb ("iommu/mediatek: Initialise/Remove for multi bank dev")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/r/20221029103550.3774365-1-yangyingliang@huawei.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index 7e363b1f24df..0c1c0d8e4d06 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1170,6 +1170,8 @@ static int mtk_iommu_probe(struct platform_device *pdev)
+
+ banks_num = data->plat_data->banks_num;
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!res)
++ return -EINVAL;
+ if (resource_size(res) < banks_num * MTK_IOMMU_BANK_SZ) {
+ dev_err(dev, "banknr %d. res %pR is not enough.\n", banks_num, res);
+ return -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From 936cfd0d5dcf6eafd5741c8b399607e6fac379ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 18:56:09 +0300
+Subject: iommu/mediatek: Fix forever loop in error handling
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit 462e768b55a2331324ff72e74706261134369826 ]
+
+There is a typo so this loop does i++ where i-- was intended. It will
+result in looping until the kernel crashes.
+
+Fixes: 26593928564c ("iommu/mediatek: Add error path for loop of mm_dts_parse")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Yong Wu <yong.wu@mediatek.com>
+Link: https://lore.kernel.org/r/Y5C3mTam2nkbaz6o@kili
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index 213fc8f5b6c1..ec73720e239b 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1127,8 +1127,7 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ return 0;
+
+ err_larbdev_put:
+- /* id may be not linear mapping, loop whole the array */
+- for (i = MTK_LARB_NR_MAX - 1; i >= 0; i++) {
++ for (i = MTK_LARB_NR_MAX - 1; i >= 0; i--) {
+ if (!data->larb_imu[i].dev)
+ continue;
+ put_device(data->larb_imu[i].dev);
+--
+2.35.1
+
--- /dev/null
+From 24d0573601995905e332b77262f4057861154e4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 10:42:54 +0800
+Subject: iommu/mediatek: Use component_match_add
+
+From: Yong Wu <yong.wu@mediatek.com>
+
+[ Upstream commit b5765a1b44bea9dfcae69c53ffeb4c689d0922a7 ]
+
+In order to simplify the error patch(avoid call of_node_put), Use
+component_match_add instead component_match_add_release since we are only
+interested in the "device" here. Then we could always call of_node_put in
+normal path.
+
+Strictly this is not a fixes patch, but it is a prepare for adding the
+error path, thus I add a Fixes tag too.
+
+Fixes: d2e9a1102cfc ("iommu/mediatek: Contain MM IOMMU flow with the MM TYPE")
+Suggested-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Yong Wu <yong.wu@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/r/20221018024258.19073-3-yong.wu@mediatek.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index 93005e63fc7f..ce9288695f9b 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1066,19 +1066,17 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ id = i;
+
+ plarbdev = of_find_device_by_node(larbnode);
+- if (!plarbdev) {
+- of_node_put(larbnode);
++ of_node_put(larbnode);
++ if (!plarbdev)
+ return -ENODEV;
+- }
++
+ if (!plarbdev->dev.driver) {
+- of_node_put(larbnode);
+ platform_device_put(plarbdev);
+ return -EPROBE_DEFER;
+ }
+ data->larb_imu[id].dev = &plarbdev->dev;
+
+- component_match_add_release(dev, match, component_release_of,
+- component_compare_of, larbnode);
++ component_match_add(dev, match, component_compare_dev, &plarbdev->dev);
+ platform_device_put(plarbdev);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 8de358edd2bdb1aedf8733603ef67893b11c59a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 10:42:56 +0800
+Subject: iommu/mediatek: Validate number of phandles associated with
+ "mediatek,larbs"
+
+From: Guenter Roeck <groeck@chromium.org>
+
+[ Upstream commit ef693a8440926884bfd9cc3d6d36f65719513350 ]
+
+Fix the smatch warnings:
+drivers/iommu/mtk_iommu.c:878 mtk_iommu_mm_dts_parse() error: uninitialized
+symbol 'larbnode'.
+
+If someone abuse the dtsi node(Don't follow the definition of dt-binding),
+for example "mediatek,larbs" is provided as boolean property, "larb_nr"
+will be zero and cause abnormal.
+
+To fix this problem and improve the code safety, add some checking
+for the invalid input from dtsi, e.g. checking the larb_nr/larbid valid
+range, and avoid "mediatek,larb-id" property conflicts in the smi-larb
+nodes.
+
+Fixes: d2e9a1102cfc ("iommu/mediatek: Contain MM IOMMU flow with the MM TYPE")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Yong Wu <yong.wu@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/r/20221018024258.19073-5-yong.wu@mediatek.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index 39f4c79e9c71..213fc8f5b6c1 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1048,6 +1048,8 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ larb_nr = of_count_phandle_with_args(dev->of_node, "mediatek,larbs", NULL);
+ if (larb_nr < 0)
+ return larb_nr;
++ if (larb_nr == 0 || larb_nr > MTK_LARB_NR_MAX)
++ return -EINVAL;
+
+ for (i = 0; i < larb_nr; i++) {
+ u32 id;
+@@ -1066,6 +1068,11 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ ret = of_property_read_u32(larbnode, "mediatek,larb-id", &id);
+ if (ret)/* The id is consecutive if there is no this property */
+ id = i;
++ if (id >= MTK_LARB_NR_MAX) {
++ of_node_put(larbnode);
++ ret = -EINVAL;
++ goto err_larbdev_put;
++ }
+
+ plarbdev = of_find_device_by_node(larbnode);
+ of_node_put(larbnode);
+@@ -1073,6 +1080,11 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m
+ ret = -ENODEV;
+ goto err_larbdev_put;
+ }
++ if (data->larb_imu[id].dev) {
++ platform_device_put(plarbdev);
++ ret = -EEXIST;
++ goto err_larbdev_put;
++ }
+ data->larb_imu[id].dev = &plarbdev->dev;
+
+ if (!plarbdev->dev.driver) {
+--
+2.35.1
+
--- /dev/null
+From 39378c2ec2884c54e41f0b32098b5ab515434b65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 07:35:53 +0100
+Subject: iommu/rockchip: fix permission bits in page table entries v2
+
+From: Michael Riesch <michael.riesch@wolfvision.net>
+
+[ Upstream commit 7eb99841f340b80be0d0973b0deb592d75fb8928 ]
+
+As pointed out in the corresponding downstream fix [0], the permission bits
+of the page table entries are compatible between v1 and v2 of the IOMMU.
+This is in contrast to the current mainline code that incorrectly assumes
+that the read and write permission bits are switched. Fix the permission
+bits by reusing the v1 bit defines.
+
+[0] https://github.com/rockchip-linux/kernel/commit/e3bc123a2260145e34b57454da3db0edd117eb8e
+
+Fixes: c55356c534aa ("iommu: rockchip: Add support for iommu v2")
+Signed-off-by: Michael Riesch <michael.riesch@wolfvision.net>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20221102063553.2464161-1-michael.riesch@wolfvision.net
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/rockchip-iommu.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/rockchip-iommu.c b/drivers/iommu/rockchip-iommu.c
+index ab57c4b8fade..a0652e9a7db3 100644
+--- a/drivers/iommu/rockchip-iommu.c
++++ b/drivers/iommu/rockchip-iommu.c
+@@ -280,19 +280,17 @@ static u32 rk_mk_pte(phys_addr_t page, int prot)
+ * 11:9 - Page address bit 34:32
+ * 8:4 - Page address bit 39:35
+ * 3 - Security
+- * 2 - Readable
+- * 1 - Writable
++ * 2 - Writable
++ * 1 - Readable
+ * 0 - 1 if Page @ Page address is valid
+ */
+-#define RK_PTE_PAGE_READABLE_V2 BIT(2)
+-#define RK_PTE_PAGE_WRITABLE_V2 BIT(1)
+
+ static u32 rk_mk_pte_v2(phys_addr_t page, int prot)
+ {
+ u32 flags = 0;
+
+- flags |= (prot & IOMMU_READ) ? RK_PTE_PAGE_READABLE_V2 : 0;
+- flags |= (prot & IOMMU_WRITE) ? RK_PTE_PAGE_WRITABLE_V2 : 0;
++ flags |= (prot & IOMMU_READ) ? RK_PTE_PAGE_READABLE : 0;
++ flags |= (prot & IOMMU_WRITE) ? RK_PTE_PAGE_WRITABLE : 0;
+
+ return rk_mk_dte_v2(page) | flags;
+ }
+--
+2.35.1
+
--- /dev/null
+From 44530c8e04f89def9a19d1b7ece712c7c760c44d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 13:56:52 +0200
+Subject: iommu/s390: Fix duplicate domain attachments
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+[ Upstream commit bf8d2dd2ed0825a58f31cc510245a1eb46f8a87e ]
+
+Since commit fa7e9ecc5e1c ("iommu/s390: Tolerate repeat attach_dev
+calls") we can end up with duplicates in the list of devices attached to
+a domain. This is inefficient and confusing since only one domain can
+actually be in control of the IOMMU translations for a device. Fix this
+by detaching the device from the previous domain, if any, on attach.
+Add a WARN_ON() in case we still have attached devices on freeing the
+domain. While here remove the re-attach on failure dance as it was
+determined to be unlikely to help and may confuse debug and recovery.
+
+Fixes: fa7e9ecc5e1c ("iommu/s390: Tolerate repeat attach_dev calls")
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221025115657.1666860-2-schnelle@linux.ibm.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/s390-iommu.c | 106 ++++++++++++++++---------------------
+ 1 file changed, 45 insertions(+), 61 deletions(-)
+
+diff --git a/drivers/iommu/s390-iommu.c b/drivers/iommu/s390-iommu.c
+index c898bcbbce11..96173cfee324 100644
+--- a/drivers/iommu/s390-iommu.c
++++ b/drivers/iommu/s390-iommu.c
+@@ -79,10 +79,36 @@ static void s390_domain_free(struct iommu_domain *domain)
+ {
+ struct s390_domain *s390_domain = to_s390_domain(domain);
+
++ WARN_ON(!list_empty(&s390_domain->devices));
+ dma_cleanup_tables(s390_domain->dma_table);
+ kfree(s390_domain);
+ }
+
++static void __s390_iommu_detach_device(struct zpci_dev *zdev)
++{
++ struct s390_domain *s390_domain = zdev->s390_domain;
++ struct s390_domain_device *domain_device, *tmp;
++ unsigned long flags;
++
++ if (!s390_domain)
++ return;
++
++ spin_lock_irqsave(&s390_domain->list_lock, flags);
++ list_for_each_entry_safe(domain_device, tmp, &s390_domain->devices,
++ list) {
++ if (domain_device->zdev == zdev) {
++ list_del(&domain_device->list);
++ kfree(domain_device);
++ break;
++ }
++ }
++ spin_unlock_irqrestore(&s390_domain->list_lock, flags);
++
++ zpci_unregister_ioat(zdev, 0);
++ zdev->s390_domain = NULL;
++ zdev->dma_table = NULL;
++}
++
+ static int s390_iommu_attach_device(struct iommu_domain *domain,
+ struct device *dev)
+ {
+@@ -90,7 +116,7 @@ static int s390_iommu_attach_device(struct iommu_domain *domain,
+ struct zpci_dev *zdev = to_zpci_dev(dev);
+ struct s390_domain_device *domain_device;
+ unsigned long flags;
+- int cc, rc;
++ int cc, rc = 0;
+
+ if (!zdev)
+ return -ENODEV;
+@@ -99,24 +125,18 @@ static int s390_iommu_attach_device(struct iommu_domain *domain,
+ if (!domain_device)
+ return -ENOMEM;
+
+- if (zdev->dma_table && !zdev->s390_domain) {
+- cc = zpci_dma_exit_device(zdev);
+- if (cc) {
+- rc = -EIO;
+- goto out_free;
+- }
+- }
+-
+ if (zdev->s390_domain)
+- zpci_unregister_ioat(zdev, 0);
++ __s390_iommu_detach_device(zdev);
++ else if (zdev->dma_table)
++ zpci_dma_exit_device(zdev);
+
+- zdev->dma_table = s390_domain->dma_table;
+ cc = zpci_register_ioat(zdev, 0, zdev->start_dma, zdev->end_dma,
+- virt_to_phys(zdev->dma_table));
++ virt_to_phys(s390_domain->dma_table));
+ if (cc) {
+ rc = -EIO;
+- goto out_restore;
++ goto out_free;
+ }
++ zdev->dma_table = s390_domain->dma_table;
+
+ spin_lock_irqsave(&s390_domain->list_lock, flags);
+ /* First device defines the DMA range limits */
+@@ -127,9 +147,9 @@ static int s390_iommu_attach_device(struct iommu_domain *domain,
+ /* Allow only devices with identical DMA range limits */
+ } else if (domain->geometry.aperture_start != zdev->start_dma ||
+ domain->geometry.aperture_end != zdev->end_dma) {
+- rc = -EINVAL;
+ spin_unlock_irqrestore(&s390_domain->list_lock, flags);
+- goto out_restore;
++ rc = -EINVAL;
++ goto out_unregister;
+ }
+ domain_device->zdev = zdev;
+ zdev->s390_domain = s390_domain;
+@@ -138,14 +158,9 @@ static int s390_iommu_attach_device(struct iommu_domain *domain,
+
+ return 0;
+
+-out_restore:
+- if (!zdev->s390_domain) {
+- zpci_dma_init_device(zdev);
+- } else {
+- zdev->dma_table = zdev->s390_domain->dma_table;
+- zpci_register_ioat(zdev, 0, zdev->start_dma, zdev->end_dma,
+- virt_to_phys(zdev->dma_table));
+- }
++out_unregister:
++ zpci_unregister_ioat(zdev, 0);
++ zdev->dma_table = NULL;
+ out_free:
+ kfree(domain_device);
+
+@@ -155,32 +170,12 @@ static int s390_iommu_attach_device(struct iommu_domain *domain,
+ static void s390_iommu_detach_device(struct iommu_domain *domain,
+ struct device *dev)
+ {
+- struct s390_domain *s390_domain = to_s390_domain(domain);
+ struct zpci_dev *zdev = to_zpci_dev(dev);
+- struct s390_domain_device *domain_device, *tmp;
+- unsigned long flags;
+- int found = 0;
+
+- if (!zdev)
+- return;
++ WARN_ON(zdev->s390_domain != to_s390_domain(domain));
+
+- spin_lock_irqsave(&s390_domain->list_lock, flags);
+- list_for_each_entry_safe(domain_device, tmp, &s390_domain->devices,
+- list) {
+- if (domain_device->zdev == zdev) {
+- list_del(&domain_device->list);
+- kfree(domain_device);
+- found = 1;
+- break;
+- }
+- }
+- spin_unlock_irqrestore(&s390_domain->list_lock, flags);
+-
+- if (found && (zdev->s390_domain == s390_domain)) {
+- zdev->s390_domain = NULL;
+- zpci_unregister_ioat(zdev, 0);
+- zpci_dma_init_device(zdev);
+- }
++ __s390_iommu_detach_device(zdev);
++ zpci_dma_init_device(zdev);
+ }
+
+ static struct iommu_device *s390_iommu_probe_device(struct device *dev)
+@@ -193,24 +188,13 @@ static struct iommu_device *s390_iommu_probe_device(struct device *dev)
+ static void s390_iommu_release_device(struct device *dev)
+ {
+ struct zpci_dev *zdev = to_zpci_dev(dev);
+- struct iommu_domain *domain;
+
+ /*
+- * This is a workaround for a scenario where the IOMMU API common code
+- * "forgets" to call the detach_dev callback: After binding a device
+- * to vfio-pci and completing the VFIO_SET_IOMMU ioctl (which triggers
+- * the attach_dev), removing the device via
+- * "echo 1 > /sys/bus/pci/devices/.../remove" won't trigger detach_dev,
+- * only release_device will be called via the BUS_NOTIFY_REMOVED_DEVICE
+- * notifier.
+- *
+- * So let's call detach_dev from here if it hasn't been called before.
++ * release_device is expected to detach any domain currently attached
++ * to the device, but keep it attached to other devices in the group.
+ */
+- if (zdev && zdev->s390_domain) {
+- domain = iommu_get_domain_for_dev(dev);
+- if (domain)
+- s390_iommu_detach_device(domain, dev);
+- }
++ if (zdev)
++ __s390_iommu_detach_device(zdev);
+ }
+
+ static int s390_iommu_update_trans(struct s390_domain *s390_domain,
+--
+2.35.1
+
--- /dev/null
+From fb38428413dca3783e24ec5ee456e013c4addb40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 18:54:12 +0200
+Subject: iommu/sun50i: Consider all fault sources for reset
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit cef20703e2b2276aaa402ec5a65ec9a09963b83e ]
+
+We have to reset masters for all faults - permissions, L1 fault or L2
+fault. Currently it's done only for permissions. If other type of fault
+happens, master is in locked up state. Fix that by really considering
+all fault sources.
+
+Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221025165415.307591-3-jernej.skrabec@gmail.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/sun50i-iommu.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
+index c777882d0ec2..38d1069cf383 100644
+--- a/drivers/iommu/sun50i-iommu.c
++++ b/drivers/iommu/sun50i-iommu.c
+@@ -869,8 +869,8 @@ static phys_addr_t sun50i_iommu_handle_perm_irq(struct sun50i_iommu *iommu)
+
+ static irqreturn_t sun50i_iommu_irq(int irq, void *dev_id)
+ {
++ u32 status, l1_status, l2_status, resets;
+ struct sun50i_iommu *iommu = dev_id;
+- u32 status;
+
+ spin_lock(&iommu->iommu_lock);
+
+@@ -880,6 +880,9 @@ static irqreturn_t sun50i_iommu_irq(int irq, void *dev_id)
+ return IRQ_NONE;
+ }
+
++ l1_status = iommu_read(iommu, IOMMU_L1PG_INT_REG);
++ l2_status = iommu_read(iommu, IOMMU_L2PG_INT_REG);
++
+ if (status & IOMMU_INT_INVALID_L2PG)
+ sun50i_iommu_handle_pt_irq(iommu,
+ IOMMU_INT_ERR_ADDR_L2_REG,
+@@ -893,7 +896,8 @@ static irqreturn_t sun50i_iommu_irq(int irq, void *dev_id)
+
+ iommu_write(iommu, IOMMU_INT_CLR_REG, status);
+
+- iommu_write(iommu, IOMMU_RESET_REG, ~status);
++ resets = (status | l1_status | l2_status) & IOMMU_INT_MASTER_MASK;
++ iommu_write(iommu, IOMMU_RESET_REG, ~resets);
+ iommu_write(iommu, IOMMU_RESET_REG, IOMMU_RESET_RELEASE_ALL);
+
+ spin_unlock(&iommu->iommu_lock);
+--
+2.35.1
+
--- /dev/null
+From 2aafcdabe3b7a13335d2a214e6f26464d950dd50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 18:54:14 +0200
+Subject: iommu/sun50i: Fix flush size
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 67a8a67f9eceb72e4c73d1d09ed9ab04f4b8e12d ]
+
+Function sun50i_table_flush() takes number of entries as an argument,
+not number of bytes. Fix that mistake in sun50i_dte_get_page_table().
+
+Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221025165415.307591-5-jernej.skrabec@gmail.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/sun50i-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
+index 135df6934a9e..7c3b2ac552da 100644
+--- a/drivers/iommu/sun50i-iommu.c
++++ b/drivers/iommu/sun50i-iommu.c
+@@ -512,7 +512,7 @@ static u32 *sun50i_dte_get_page_table(struct sun50i_iommu_domain *sun50i_domain,
+ sun50i_iommu_free_page_table(iommu, drop_pt);
+ }
+
+- sun50i_table_flush(sun50i_domain, page_table, PT_SIZE);
++ sun50i_table_flush(sun50i_domain, page_table, NUM_PT_ENTRIES);
+ sun50i_table_flush(sun50i_domain, dte_addr, 1);
+
+ return page_table;
+--
+2.35.1
+
--- /dev/null
+From 734ce3afe2183683826a19bed0db6dd83cc7ba99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 18:54:13 +0200
+Subject: iommu/sun50i: Fix R/W permission check
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit eac0104dc69be50bed86926d6f32e82b44f8c921 ]
+
+Because driver has enum type permissions and iommu subsystem has bitmap
+type, we have to be careful how check for combined read and write
+permissions is done. In such case, we have to mask both permissions and
+check that both are set at the same time.
+
+Current code just masks both flags but doesn't check that both are set.
+In short, it always sets R/W permission, regardles if requested
+permissions were RO, WO or RW. Fix that.
+
+Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221025165415.307591-4-jernej.skrabec@gmail.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/sun50i-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
+index 38d1069cf383..135df6934a9e 100644
+--- a/drivers/iommu/sun50i-iommu.c
++++ b/drivers/iommu/sun50i-iommu.c
+@@ -271,7 +271,7 @@ static u32 sun50i_mk_pte(phys_addr_t page, int prot)
+ enum sun50i_iommu_aci aci;
+ u32 flags = 0;
+
+- if (prot & (IOMMU_READ | IOMMU_WRITE))
++ if ((prot & (IOMMU_READ | IOMMU_WRITE)) == (IOMMU_READ | IOMMU_WRITE))
+ aci = SUN50I_IOMMU_ACI_RD_WR;
+ else if (prot & IOMMU_READ)
+ aci = SUN50I_IOMMU_ACI_RD;
+--
+2.35.1
+
--- /dev/null
+From 38aaaa46707262c7c87eac5db62043b749713b47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 18:54:11 +0200
+Subject: iommu/sun50i: Fix reset release
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 9ad0c1252e84dbc664f0462707182245ed603237 ]
+
+Reset signal is asserted by writing 0 to the corresponding locations of
+masters we want to reset. So in order to deassert all reset signals, we
+should write 1's to all locations.
+
+Current code writes 1's to locations of masters which were just reset
+which is good. However, at the same time it also writes 0's to other
+locations and thus asserts reset signals of remaining masters. Fix code
+by writing all 1's when we want to deassert all reset signals.
+
+This bug was discovered when working with Cedrus (video decoder). When
+it faulted, display went blank due to reset signal assertion.
+
+Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221025165415.307591-2-jernej.skrabec@gmail.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/sun50i-iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
+index a84c63518773..c777882d0ec2 100644
+--- a/drivers/iommu/sun50i-iommu.c
++++ b/drivers/iommu/sun50i-iommu.c
+@@ -27,6 +27,7 @@
+ #include <linux/types.h>
+
+ #define IOMMU_RESET_REG 0x010
++#define IOMMU_RESET_RELEASE_ALL 0xffffffff
+ #define IOMMU_ENABLE_REG 0x020
+ #define IOMMU_ENABLE_ENABLE BIT(0)
+
+@@ -893,7 +894,7 @@ static irqreturn_t sun50i_iommu_irq(int irq, void *dev_id)
+ iommu_write(iommu, IOMMU_INT_CLR_REG, status);
+
+ iommu_write(iommu, IOMMU_RESET_REG, ~status);
+- iommu_write(iommu, IOMMU_RESET_REG, status);
++ iommu_write(iommu, IOMMU_RESET_REG, IOMMU_RESET_RELEASE_ALL);
+
+ spin_unlock(&iommu->iommu_lock);
+
+--
+2.35.1
+
--- /dev/null
+From dc9948fc96e955bf86f0e72273b065ac9af1a2e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 18:54:15 +0200
+Subject: iommu/sun50i: Implement .iotlb_sync_map
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit e563cc0c787c85a4d9def0a77078dc5d3f445e3d ]
+
+Allocated iova ranges need to be invalidated immediately or otherwise
+they might or might not work when used by master or CPU. This was
+discovered when running video decoder conformity test with Cedrus. Some
+videos were now and then decoded incorrectly and generated page faults.
+
+According to vendor driver, it's enough to invalidate just start and end
+TLB and PTW cache lines. Documentation says that neighbouring lines must
+be invalidated too. Finally, when page fault occurs, that iova must be
+invalidated the same way, according to documentation.
+
+Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221025165415.307591-6-jernej.skrabec@gmail.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/sun50i-iommu.c | 73 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 73 insertions(+)
+
+diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
+index 7c3b2ac552da..d7c5e9b1a087 100644
+--- a/drivers/iommu/sun50i-iommu.c
++++ b/drivers/iommu/sun50i-iommu.c
+@@ -93,6 +93,8 @@
+ #define NUM_PT_ENTRIES 256
+ #define PT_SIZE (NUM_PT_ENTRIES * PT_ENTRY_SIZE)
+
++#define SPAGE_SIZE 4096
++
+ struct sun50i_iommu {
+ struct iommu_device iommu;
+
+@@ -295,6 +297,62 @@ static void sun50i_table_flush(struct sun50i_iommu_domain *sun50i_domain,
+ dma_sync_single_for_device(iommu->dev, dma, size, DMA_TO_DEVICE);
+ }
+
++static void sun50i_iommu_zap_iova(struct sun50i_iommu *iommu,
++ unsigned long iova)
++{
++ u32 reg;
++ int ret;
++
++ iommu_write(iommu, IOMMU_TLB_IVLD_ADDR_REG, iova);
++ iommu_write(iommu, IOMMU_TLB_IVLD_ADDR_MASK_REG, GENMASK(31, 12));
++ iommu_write(iommu, IOMMU_TLB_IVLD_ENABLE_REG,
++ IOMMU_TLB_IVLD_ENABLE_ENABLE);
++
++ ret = readl_poll_timeout_atomic(iommu->base + IOMMU_TLB_IVLD_ENABLE_REG,
++ reg, !reg, 1, 2000);
++ if (ret)
++ dev_warn(iommu->dev, "TLB invalidation timed out!\n");
++}
++
++static void sun50i_iommu_zap_ptw_cache(struct sun50i_iommu *iommu,
++ unsigned long iova)
++{
++ u32 reg;
++ int ret;
++
++ iommu_write(iommu, IOMMU_PC_IVLD_ADDR_REG, iova);
++ iommu_write(iommu, IOMMU_PC_IVLD_ENABLE_REG,
++ IOMMU_PC_IVLD_ENABLE_ENABLE);
++
++ ret = readl_poll_timeout_atomic(iommu->base + IOMMU_PC_IVLD_ENABLE_REG,
++ reg, !reg, 1, 2000);
++ if (ret)
++ dev_warn(iommu->dev, "PTW cache invalidation timed out!\n");
++}
++
++static void sun50i_iommu_zap_range(struct sun50i_iommu *iommu,
++ unsigned long iova, size_t size)
++{
++ assert_spin_locked(&iommu->iommu_lock);
++
++ iommu_write(iommu, IOMMU_AUTO_GATING_REG, 0);
++
++ sun50i_iommu_zap_iova(iommu, iova);
++ sun50i_iommu_zap_iova(iommu, iova + SPAGE_SIZE);
++ if (size > SPAGE_SIZE) {
++ sun50i_iommu_zap_iova(iommu, iova + size);
++ sun50i_iommu_zap_iova(iommu, iova + size + SPAGE_SIZE);
++ }
++ sun50i_iommu_zap_ptw_cache(iommu, iova);
++ sun50i_iommu_zap_ptw_cache(iommu, iova + SZ_1M);
++ if (size > SZ_1M) {
++ sun50i_iommu_zap_ptw_cache(iommu, iova + size);
++ sun50i_iommu_zap_ptw_cache(iommu, iova + size + SZ_1M);
++ }
++
++ iommu_write(iommu, IOMMU_AUTO_GATING_REG, IOMMU_AUTO_GATING_ENABLE);
++}
++
+ static int sun50i_iommu_flush_all_tlb(struct sun50i_iommu *iommu)
+ {
+ u32 reg;
+@@ -344,6 +402,18 @@ static void sun50i_iommu_flush_iotlb_all(struct iommu_domain *domain)
+ spin_unlock_irqrestore(&iommu->iommu_lock, flags);
+ }
+
++static void sun50i_iommu_iotlb_sync_map(struct iommu_domain *domain,
++ unsigned long iova, size_t size)
++{
++ struct sun50i_iommu_domain *sun50i_domain = to_sun50i_domain(domain);
++ struct sun50i_iommu *iommu = sun50i_domain->iommu;
++ unsigned long flags;
++
++ spin_lock_irqsave(&iommu->iommu_lock, flags);
++ sun50i_iommu_zap_range(iommu, iova, size);
++ spin_unlock_irqrestore(&iommu->iommu_lock, flags);
++}
++
+ static void sun50i_iommu_iotlb_sync(struct iommu_domain *domain,
+ struct iommu_iotlb_gather *gather)
+ {
+@@ -767,6 +837,7 @@ static const struct iommu_ops sun50i_iommu_ops = {
+ .attach_dev = sun50i_iommu_attach_device,
+ .detach_dev = sun50i_iommu_detach_device,
+ .flush_iotlb_all = sun50i_iommu_flush_iotlb_all,
++ .iotlb_sync_map = sun50i_iommu_iotlb_sync_map,
+ .iotlb_sync = sun50i_iommu_iotlb_sync,
+ .iova_to_phys = sun50i_iommu_iova_to_phys,
+ .map = sun50i_iommu_map,
+@@ -786,6 +857,8 @@ static void sun50i_iommu_report_fault(struct sun50i_iommu *iommu,
+ report_iommu_fault(iommu->domain, iommu->dev, iova, prot);
+ else
+ dev_err(iommu->dev, "Page fault while iommu not attached to any domain?\n");
++
++ sun50i_iommu_zap_range(iommu, iova, SPAGE_SIZE);
+ }
+
+ static phys_addr_t sun50i_iommu_handle_pt_irq(struct sun50i_iommu *iommu,
+--
+2.35.1
+
--- /dev/null
+From 307eb92ce814c4f30d2716d5d6991f65c78d3394 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 10:06:28 -0400
+Subject: iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit ef5bb8e7a7127218f826b9ccdf7508e7a339f4c2 ]
+
+This driver treats IOMMU_DOMAIN_IDENTITY the same as UNMANAGED, which
+cannot possibly be correct.
+
+UNMANAGED domains are required to start out blocking all DMAs. This seems
+to be what this driver does as it allocates a first level 'dt' for the IO
+page table that is 0 filled.
+
+Thus UNMANAGED looks like a working IO page table, and so IDENTITY must be
+a mistake. Remove it.
+
+Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/0-v1-97f0adf27b5e+1f0-s50_identity_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/sun50i-iommu.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
+index d7c5e9b1a087..1d81a6aa939b 100644
+--- a/drivers/iommu/sun50i-iommu.c
++++ b/drivers/iommu/sun50i-iommu.c
+@@ -672,7 +672,6 @@ static struct iommu_domain *sun50i_iommu_domain_alloc(unsigned type)
+ struct sun50i_iommu_domain *sun50i_domain;
+
+ if (type != IOMMU_DOMAIN_DMA &&
+- type != IOMMU_DOMAIN_IDENTITY &&
+ type != IOMMU_DOMAIN_UNMANAGED)
+ return NULL;
+
+--
+2.35.1
+
--- /dev/null
+From b38cc62cb2374c57f7816fc3472510bfb051152b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 17:29:29 +0800
+Subject: ipc: fix memory leak in init_mqueue_fs()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 12b677f2c697d61e5ddbcb6c1650050a39392f54 ]
+
+When setup_mq_sysctls() failed in init_mqueue_fs(), mqueue_inode_cachep is
+not released. In order to fix this issue, the release path is reordered.
+
+Link: https://lkml.kernel.org/r/20221209092929.1978875-1-shaozhengchao@huawei.com
+Fixes: dc55e35f9e81 ("ipc: Store mqueue sysctls in the ipc namespace")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Cc: Alexey Gladkov <legion@kernel.org>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Jingyu Wang <jingyuwang_vip@163.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: Waiman Long <longman@redhat.com>
+Cc: Wei Yongjun <weiyongjun1@huawei.com>
+Cc: YueHaibing <yuehaibing@huawei.com>
+Cc: Yu Zhe <yuzhe@nfschina.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ ipc/mqueue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index 9cf314b3f079..b258f2455553 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -1727,7 +1727,8 @@ static int __init init_mqueue_fs(void)
+
+ if (!setup_mq_sysctls(&init_ipc_ns)) {
+ pr_warn("sysctl registration failed\n");
+- return -ENOMEM;
++ error = -ENOMEM;
++ goto out_kmem;
+ }
+
+ error = register_filesystem(&mqueue_fs_type);
+@@ -1745,8 +1746,9 @@ static int __init init_mqueue_fs(void)
+ out_filesystem:
+ unregister_filesystem(&mqueue_fs_type);
+ out_sysctl:
+- kmem_cache_destroy(mqueue_inode_cachep);
+ retire_mq_sysctls(&init_ipc_ns);
++out_kmem:
++ kmem_cache_destroy(mqueue_inode_cachep);
+ return error;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 770ad66659173f5e84b904cabc881565b0438825 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Oct 2022 17:26:17 +0800
+Subject: ipmi: fix memleak when unload ipmi driver
+
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+
+[ Upstream commit 36992eb6b9b83f7f9cdc8e74fb5799d7b52e83e9 ]
+
+After the IPMI disconnect problem, the memory kept rising and we tried
+to unload the driver to free the memory. However, only part of the
+free memory is recovered after the driver is uninstalled. Using
+ebpf to hook free functions, we find that neither ipmi_user nor
+ipmi_smi_msg is free, only ipmi_recv_msg is free.
+
+We find that the deliver_smi_err_response call in clean_smi_msgs does
+the destroy processing on each message from the xmit_msg queue without
+checking the return value and free ipmi_smi_msg.
+
+deliver_smi_err_response is called only at this location. Adding the
+free handling has no effect.
+
+To verify, try using ebpf to trace the free function.
+
+ $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc rcv
+ %p\n",retval);} kprobe:free_recv_msg {printf("free recv %p\n",
+ arg0)} kretprobe:ipmi_alloc_smi_msg {printf("alloc smi %p\n",
+ retval);} kprobe:free_smi_msg {printf("free smi %p\n",arg0)}'
+
+Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Message-Id: <20221007092617.87597-4-zhangyuchen.lcr@bytedance.com>
+[Fixed the comment above handle_one_recv_msg().]
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index 703433493c85..c9e32d100b7e 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -3710,12 +3710,16 @@ static void deliver_smi_err_response(struct ipmi_smi *intf,
+ struct ipmi_smi_msg *msg,
+ unsigned char err)
+ {
++ int rv;
+ msg->rsp[0] = msg->data[0] | 4;
+ msg->rsp[1] = msg->data[1];
+ msg->rsp[2] = err;
+ msg->rsp_size = 3;
+- /* It's an error, so it will never requeue, no need to check return. */
+- handle_one_recv_msg(intf, msg);
++
++ /* This will never requeue, but it may ask us to free the message. */
++ rv = handle_one_recv_msg(intf, msg);
++ if (rv == 0)
++ ipmi_free_smi_msg(msg);
+ }
+
+ static void cleanup_smi_msgs(struct ipmi_smi *intf)
+--
+2.35.1
+
--- /dev/null
+From 9828b84a62c2f6f9f39722b00333c42b16100a40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Aug 2022 00:17:41 +0930
+Subject: ipmi: kcs: Poll OBF briefly to reduce OBE latency
+
+From: Andrew Jeffery <andrew@aj.id.au>
+
+[ Upstream commit f90bc0f97f2b65af233a37b2e32fc81871a1e3cf ]
+
+The ASPEED KCS devices don't provide a BMC-side interrupt for the host
+reading the output data register (ODR). The act of the host reading ODR
+clears the output buffer full (OBF) flag in the status register (STR),
+informing the BMC it can transmit a subsequent byte.
+
+On the BMC side the KCS client must enable the OBE event *and* perform a
+subsequent read of STR anyway to avoid races - the polling provides a
+window for the host to read ODR if data was freshly written while
+minimising BMC-side latency.
+
+Fixes: 28651e6c4237 ("ipmi: kcs_bmc: Allow clients to control KCS IRQ state")
+Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Message-Id: <20220812144741.240315-1-andrew@aj.id.au>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/kcs_bmc_aspeed.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/char/ipmi/kcs_bmc_aspeed.c b/drivers/char/ipmi/kcs_bmc_aspeed.c
+index cdc88cde1e9a..417e5a3ccfae 100644
+--- a/drivers/char/ipmi/kcs_bmc_aspeed.c
++++ b/drivers/char/ipmi/kcs_bmc_aspeed.c
+@@ -399,13 +399,31 @@ static void aspeed_kcs_check_obe(struct timer_list *timer)
+ static void aspeed_kcs_irq_mask_update(struct kcs_bmc_device *kcs_bmc, u8 mask, u8 state)
+ {
+ struct aspeed_kcs_bmc *priv = to_aspeed_kcs_bmc(kcs_bmc);
++ int rc;
++ u8 str;
+
+ /* We don't have an OBE IRQ, emulate it */
+ if (mask & KCS_BMC_EVENT_TYPE_OBE) {
+- if (KCS_BMC_EVENT_TYPE_OBE & state)
+- mod_timer(&priv->obe.timer, jiffies + OBE_POLL_PERIOD);
+- else
++ if (KCS_BMC_EVENT_TYPE_OBE & state) {
++ /*
++ * Given we don't have an OBE IRQ, delay by polling briefly to see if we can
++ * observe such an event before returning to the caller. This is not
++ * incorrect because OBF may have already become clear before enabling the
++ * IRQ if we had one, under which circumstance no event will be propagated
++ * anyway.
++ *
++ * The onus is on the client to perform a race-free check that it hasn't
++ * missed the event.
++ */
++ rc = read_poll_timeout_atomic(aspeed_kcs_inb, str,
++ !(str & KCS_BMC_STR_OBF), 1, 100, false,
++ &priv->kcs_bmc, priv->kcs_bmc.ioreg.str);
++ /* Time for the slow path? */
++ if (rc == -ETIMEDOUT)
++ mod_timer(&priv->obe.timer, jiffies + OBE_POLL_PERIOD);
++ } else {
+ del_timer(&priv->obe.timer);
++ }
+ }
+
+ if (mask & KCS_BMC_EVENT_TYPE_IBF) {
+--
+2.35.1
+
--- /dev/null
+From 469a2dd595a06f1f06e58f903582a33ec7a20e68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 08:53:56 +0000
+Subject: ipv6/sit: use DEV_STATS_INC() to avoid data-races
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cb34b7cf17ecf33499c9298943f85af247abc1e9 ]
+
+syzbot/KCSAN reported that multiple cpus are updating dev->stats.tx_error
+concurrently.
+
+This is because sit tunnels are NETIF_F_LLTX, meaning their ndo_start_xmit()
+is not protected by a spinlock.
+
+While original KCSAN report was about tx path, rx path has the same issue.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/sit.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
+index 59b2d9a6210c..ccb39b1e730f 100644
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -694,7 +694,7 @@ static int ipip6_rcv(struct sk_buff *skb)
+ skb->dev = tunnel->dev;
+
+ if (packet_is_spoofed(skb, iph, tunnel)) {
+- tunnel->dev->stats.rx_errors++;
++ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto out;
+ }
+
+@@ -714,8 +714,8 @@ static int ipip6_rcv(struct sk_buff *skb)
+ net_info_ratelimited("non-ECT from %pI4 with TOS=%#x\n",
+ &iph->saddr, iph->tos);
+ if (err > 1) {
+- ++tunnel->dev->stats.rx_frame_errors;
+- ++tunnel->dev->stats.rx_errors;
++ DEV_STATS_INC(tunnel->dev, rx_frame_errors);
++ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto out;
+ }
+ }
+@@ -942,7 +942,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
+ if (!rt) {
+ rt = ip_route_output_flow(tunnel->net, &fl4, NULL);
+ if (IS_ERR(rt)) {
+- dev->stats.tx_carrier_errors++;
++ DEV_STATS_INC(dev, tx_carrier_errors);
+ goto tx_error_icmp;
+ }
+ dst_cache_set_ip4(&tunnel->dst_cache, &rt->dst, fl4.saddr);
+@@ -950,14 +950,14 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
+
+ if (rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL) {
+ ip_rt_put(rt);
+- dev->stats.tx_carrier_errors++;
++ DEV_STATS_INC(dev, tx_carrier_errors);
+ goto tx_error_icmp;
+ }
+ tdev = rt->dst.dev;
+
+ if (tdev == dev) {
+ ip_rt_put(rt);
+- dev->stats.collisions++;
++ DEV_STATS_INC(dev, collisions);
+ goto tx_error;
+ }
+
+@@ -970,7 +970,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
+ mtu = dst_mtu(&rt->dst) - t_hlen;
+
+ if (mtu < IPV4_MIN_MTU) {
+- dev->stats.collisions++;
++ DEV_STATS_INC(dev, collisions);
+ ip_rt_put(rt);
+ goto tx_error;
+ }
+@@ -1009,7 +1009,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
+ struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom);
+ if (!new_skb) {
+ ip_rt_put(rt);
+- dev->stats.tx_dropped++;
++ DEV_STATS_INC(dev, tx_dropped);
+ kfree_skb(skb);
+ return NETDEV_TX_OK;
+ }
+@@ -1039,7 +1039,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
+ dst_link_failure(skb);
+ tx_error:
+ kfree_skb(skb);
+- dev->stats.tx_errors++;
++ DEV_STATS_INC(dev, tx_errors);
+ return NETDEV_TX_OK;
+ }
+
+@@ -1058,7 +1058,7 @@ static netdev_tx_t sit_tunnel_xmit__(struct sk_buff *skb,
+ return NETDEV_TX_OK;
+ tx_error:
+ kfree_skb(skb);
+- dev->stats.tx_errors++;
++ DEV_STATS_INC(dev, tx_errors);
+ return NETDEV_TX_OK;
+ }
+
+@@ -1087,7 +1087,7 @@ static netdev_tx_t sit_tunnel_xmit(struct sk_buff *skb,
+ return NETDEV_TX_OK;
+
+ tx_err:
+- dev->stats.tx_errors++;
++ DEV_STATS_INC(dev, tx_errors);
+ kfree_skb(skb);
+ return NETDEV_TX_OK;
+
+--
+2.35.1
+
--- /dev/null
+From fc646860b98a21f4fd5cbe2fc9d93a8ba49d2fc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 18:46:01 +0200
+Subject: ipvs: use u64_stats_t for the per-cpu counters
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 1dbd8d9a82e3f26b9d063292d47ece673f48fce2 ]
+
+Use the provided u64_stats_t type to avoid
+load/store tearing.
+
+Fixes: 316580b69d0a ("u64_stats: provide u64_stats_t type")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Cc: yunhong-cgl jiang <xintian1976@gmail.com>
+Cc: "dust.li" <dust.li@linux.alibaba.com>
+Reviewed-by: Jiri Wiesner <jwiesner@suse.de>
+Tested-by: Jiri Wiesner <jwiesner@suse.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_vs.h | 10 +++++-----
+ net/netfilter/ipvs/ip_vs_core.c | 30 +++++++++++++++---------------
+ net/netfilter/ipvs/ip_vs_ctl.c | 10 +++++-----
+ net/netfilter/ipvs/ip_vs_est.c | 20 ++++++++++----------
+ 4 files changed, 35 insertions(+), 35 deletions(-)
+
+diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
+index ff1804a0c469..1fca6a88114a 100644
+--- a/include/net/ip_vs.h
++++ b/include/net/ip_vs.h
+@@ -351,11 +351,11 @@ struct ip_vs_seq {
+
+ /* counters per cpu */
+ struct ip_vs_counters {
+- __u64 conns; /* connections scheduled */
+- __u64 inpkts; /* incoming packets */
+- __u64 outpkts; /* outgoing packets */
+- __u64 inbytes; /* incoming bytes */
+- __u64 outbytes; /* outgoing bytes */
++ u64_stats_t conns; /* connections scheduled */
++ u64_stats_t inpkts; /* incoming packets */
++ u64_stats_t outpkts; /* outgoing packets */
++ u64_stats_t inbytes; /* incoming bytes */
++ u64_stats_t outbytes; /* outgoing bytes */
+ };
+ /* Stats per cpu */
+ struct ip_vs_cpu_stats {
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 51ad557a525b..b5ae419661b8 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -132,21 +132,21 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+
+ s = this_cpu_ptr(dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.inpkts++;
+- s->cnt.inbytes += skb->len;
++ u64_stats_inc(&s->cnt.inpkts);
++ u64_stats_add(&s->cnt.inbytes, skb->len);
+ u64_stats_update_end(&s->syncp);
+
+ svc = rcu_dereference(dest->svc);
+ s = this_cpu_ptr(svc->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.inpkts++;
+- s->cnt.inbytes += skb->len;
++ u64_stats_inc(&s->cnt.inpkts);
++ u64_stats_add(&s->cnt.inbytes, skb->len);
+ u64_stats_update_end(&s->syncp);
+
+ s = this_cpu_ptr(ipvs->tot_stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.inpkts++;
+- s->cnt.inbytes += skb->len;
++ u64_stats_inc(&s->cnt.inpkts);
++ u64_stats_add(&s->cnt.inbytes, skb->len);
+ u64_stats_update_end(&s->syncp);
+
+ local_bh_enable();
+@@ -168,21 +168,21 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+
+ s = this_cpu_ptr(dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.outpkts++;
+- s->cnt.outbytes += skb->len;
++ u64_stats_inc(&s->cnt.outpkts);
++ u64_stats_add(&s->cnt.outbytes, skb->len);
+ u64_stats_update_end(&s->syncp);
+
+ svc = rcu_dereference(dest->svc);
+ s = this_cpu_ptr(svc->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.outpkts++;
+- s->cnt.outbytes += skb->len;
++ u64_stats_inc(&s->cnt.outpkts);
++ u64_stats_add(&s->cnt.outbytes, skb->len);
+ u64_stats_update_end(&s->syncp);
+
+ s = this_cpu_ptr(ipvs->tot_stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.outpkts++;
+- s->cnt.outbytes += skb->len;
++ u64_stats_inc(&s->cnt.outpkts);
++ u64_stats_add(&s->cnt.outbytes, skb->len);
+ u64_stats_update_end(&s->syncp);
+
+ local_bh_enable();
+@@ -200,17 +200,17 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
+
+ s = this_cpu_ptr(cp->dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.conns++;
++ u64_stats_inc(&s->cnt.conns);
+ u64_stats_update_end(&s->syncp);
+
+ s = this_cpu_ptr(svc->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.conns++;
++ u64_stats_inc(&s->cnt.conns);
+ u64_stats_update_end(&s->syncp);
+
+ s = this_cpu_ptr(ipvs->tot_stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+- s->cnt.conns++;
++ u64_stats_inc(&s->cnt.conns);
+ u64_stats_update_end(&s->syncp);
+
+ local_bh_enable();
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 5a7349002508..65bda976845d 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2297,11 +2297,11 @@ static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
+
+ do {
+ start = u64_stats_fetch_begin(&u->syncp);
+- conns = u->cnt.conns;
+- inpkts = u->cnt.inpkts;
+- outpkts = u->cnt.outpkts;
+- inbytes = u->cnt.inbytes;
+- outbytes = u->cnt.outbytes;
++ conns = u64_stats_read(&u->cnt.conns);
++ inpkts = u64_stats_read(&u->cnt.inpkts);
++ outpkts = u64_stats_read(&u->cnt.outpkts);
++ inbytes = u64_stats_read(&u->cnt.inbytes);
++ outbytes = u64_stats_read(&u->cnt.outbytes);
+ } while (u64_stats_fetch_retry(&u->syncp, start));
+
+ seq_printf(seq, "%3X %8LX %8LX %8LX %16LX %16LX\n",
+diff --git a/net/netfilter/ipvs/ip_vs_est.c b/net/netfilter/ipvs/ip_vs_est.c
+index 9a1a7af6a186..f53150d82a92 100644
+--- a/net/netfilter/ipvs/ip_vs_est.c
++++ b/net/netfilter/ipvs/ip_vs_est.c
+@@ -67,11 +67,11 @@ static void ip_vs_read_cpu_stats(struct ip_vs_kstats *sum,
+ if (add) {
+ do {
+ start = u64_stats_fetch_begin(&s->syncp);
+- conns = s->cnt.conns;
+- inpkts = s->cnt.inpkts;
+- outpkts = s->cnt.outpkts;
+- inbytes = s->cnt.inbytes;
+- outbytes = s->cnt.outbytes;
++ conns = u64_stats_read(&s->cnt.conns);
++ inpkts = u64_stats_read(&s->cnt.inpkts);
++ outpkts = u64_stats_read(&s->cnt.outpkts);
++ inbytes = u64_stats_read(&s->cnt.inbytes);
++ outbytes = u64_stats_read(&s->cnt.outbytes);
+ } while (u64_stats_fetch_retry(&s->syncp, start));
+ sum->conns += conns;
+ sum->inpkts += inpkts;
+@@ -82,11 +82,11 @@ static void ip_vs_read_cpu_stats(struct ip_vs_kstats *sum,
+ add = true;
+ do {
+ start = u64_stats_fetch_begin(&s->syncp);
+- sum->conns = s->cnt.conns;
+- sum->inpkts = s->cnt.inpkts;
+- sum->outpkts = s->cnt.outpkts;
+- sum->inbytes = s->cnt.inbytes;
+- sum->outbytes = s->cnt.outbytes;
++ sum->conns = u64_stats_read(&s->cnt.conns);
++ sum->inpkts = u64_stats_read(&s->cnt.inpkts);
++ sum->outpkts = u64_stats_read(&s->cnt.outpkts);
++ sum->inbytes = u64_stats_read(&s->cnt.inbytes);
++ sum->outbytes = u64_stats_read(&s->cnt.outbytes);
+ } while (u64_stats_fetch_retry(&s->syncp, start));
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 10942347981a2b82c67544690ec82fa92e293a31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 14:51:50 +0800
+Subject: irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit f9ee20c85b3a3ba0afd3672630ec4f93d339f015 ]
+
+gic_probe() calls pm_runtime_get_sync() and added fail path as
+rpm_put to put usage_counter. However, pm_runtime_get_sync()
+will increment usage_counter even it failed. Fix it by replacing it with
+pm_runtime_resume_and_get() to keep usage counter balanced.
+
+Fixes: 9c8edddfc992 ("irqchip/gic: Add platform driver for non-root GICs that require RPM")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20221124065150.22809-1-shangxiaojing@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-pm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-pm.c b/drivers/irqchip/irq-gic-pm.c
+index b60e1853593f..3989d16f997b 100644
+--- a/drivers/irqchip/irq-gic-pm.c
++++ b/drivers/irqchip/irq-gic-pm.c
+@@ -102,7 +102,7 @@ static int gic_probe(struct platform_device *pdev)
+
+ pm_runtime_enable(dev);
+
+- ret = pm_runtime_get_sync(dev);
++ ret = pm_runtime_resume_and_get(dev);
+ if (ret < 0)
+ goto rpm_disable;
+
+--
+2.35.1
+
--- /dev/null
+From ac4c618e64b66cfcf9970effbd24062d6e7881ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 19:07:12 +0800
+Subject: irqchip/loongson-liointc: Fix improper error handling in
+ liointc_init()
+
+From: Liu Peibao <liupeibao@loongson.cn>
+
+[ Upstream commit 4a60a3cdcf1875c965095eb9e22c3d12bbc5a53d ]
+
+For cores less than 4, eg, loongson2k1000 with 2 cores, the
+of_property_match_string() may return with an error value,
+which causes that liointc could not work. At least isr0 is
+what should be checked like previous commit b2c4c3969fd7
+("irqchip/loongson-liointc: irqchip add 2.0 version") did.
+
+Fixes: 0858ed035a85 ("irqchip/loongson-liointc: Add ACPI init support")
+Signed-off-by: Liu Peibao <liupeibao@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20221104110712.23300-1-liupeibao@loongson.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-loongson-liointc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-loongson-liointc.c b/drivers/irqchip/irq-loongson-liointc.c
+index 0da8716f8f24..c4584e2f0ad3 100644
+--- a/drivers/irqchip/irq-loongson-liointc.c
++++ b/drivers/irqchip/irq-loongson-liointc.c
+@@ -207,10 +207,13 @@ static int liointc_init(phys_addr_t addr, unsigned long size, int revision,
+ "reg-names", core_reg_names[i]);
+
+ if (index < 0)
+- goto out_iounmap;
++ continue;
+
+ priv->core_isr[i] = of_iomap(node, index);
+ }
++
++ if (!priv->core_isr[0])
++ goto out_iounmap;
+ }
+
+ /* Setup IRQ domain */
+--
+2.35.1
+
--- /dev/null
+From 48448a92f61f42f23db06d6780567fff05fd0875 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Oct 2022 15:59:53 +0800
+Subject: irqchip/loongson-pch-pic: Fix translate callback for DT path
+
+From: Jianmin Lv <lvjianmin@loongson.cn>
+
+[ Upstream commit c7c00138015975c8f0e268564249cc47d8de632c ]
+
+In DT path of translate callback, if fwspec->param_count==1
+and of_node is non-null, fwspec->param[1] will be accessed,
+which is introduced from previous commit bcdd75c596c8
+(irqchip/loongson-pch-pic: Add ACPI init support).
+
+Before the patch, for non-null of_node, translate callback
+(use irq_domain_translate_twocell()) will return -EINVAL if
+fwspec->param_count < 2, so the check in the patch is added.
+
+Fixes: bcdd75c596c8 ("irqchip/loongson-pch-pic: Add ACPI init support")
+Signed-off-by: Jianmin Lv <lvjianmin@loongson.cn>
+Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20221022075955.11726-3-lvjianmin@loongson.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-loongson-pch-pic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/irqchip/irq-loongson-pch-pic.c b/drivers/irqchip/irq-loongson-pch-pic.c
+index c01b9c257005..03493cda65a3 100644
+--- a/drivers/irqchip/irq-loongson-pch-pic.c
++++ b/drivers/irqchip/irq-loongson-pch-pic.c
+@@ -159,6 +159,9 @@ static int pch_pic_domain_translate(struct irq_domain *d,
+ return -EINVAL;
+
+ if (of_node) {
++ if (fwspec->param_count < 2)
++ return -EINVAL;
++
+ *hwirq = fwspec->param[0] + priv->ht_vec_base;
+ *type = fwspec->param[1] & IRQ_TYPE_SENSE_MASK;
+ } else {
+--
+2.35.1
+
--- /dev/null
+From fb5541ca8243a5e3d5a5be8d376e95dbe3a7067d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 09:25:32 +0000
+Subject: irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 4208d4faf36573a507b5e5de17abe342e9276759 ]
+
+If of_iomap() failed, 'aic' should be freed before return. Otherwise
+there is a memory leak.
+
+Fixes: fead4dd49663 ("irqchip: Add driver for WPCM450 interrupt controller")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20221115092532.1704032-1-weiyongjun@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-wpcm450-aic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/irq-wpcm450-aic.c b/drivers/irqchip/irq-wpcm450-aic.c
+index 0dcbeb1a05a1..91df62a64cd9 100644
+--- a/drivers/irqchip/irq-wpcm450-aic.c
++++ b/drivers/irqchip/irq-wpcm450-aic.c
+@@ -146,6 +146,7 @@ static int __init wpcm450_aic_of_init(struct device_node *node,
+ aic->regs = of_iomap(node, 0);
+ if (!aic->regs) {
+ pr_err("Failed to map WPCM450 AIC registers\n");
++ kfree(aic);
+ return -ENOMEM;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 5c0cc762cc603ded5f6ae777ba8a07db94e9f092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Oct 2022 21:39:14 +0100
+Subject: jfs: Fix fortify moan in symlink
+
+From: Dr. David Alan Gilbert <linux@treblig.org>
+
+[ Upstream commit ebe060369f8d6e4588b115f252bebf5ba4d64350 ]
+
+JFS has in jfs_incore.h:
+
+ /* _inline may overflow into _inline_ea when needed */
+ /* _inline_ea may overlay the last part of
+ * file._xtroot if maxentry = XTROOTINITSLOT
+ */
+ union {
+ struct {
+ /* 128: inline symlink */
+ unchar _inline[128];
+ /* 128: inline extended attr */
+ unchar _inline_ea[128];
+ };
+ unchar _inline_all[256];
+
+and currently the symlink code copies into _inline;
+if this is larger than 128 bytes it triggers a fortify warning of the
+form:
+
+ memcpy: detected field-spanning write (size 132) of single field
+ "ip->i_link" at fs/jfs/namei.c:950 (size 18446744073709551615)
+
+when it's actually OK.
+
+Copy it into _inline_all instead.
+
+Reported-by: syzbot+5fc38b2ddbbca7f5c680@syzkaller.appspotmail.com
+Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
+index 9db4f5789c0e..4fbbf88435e6 100644
+--- a/fs/jfs/namei.c
++++ b/fs/jfs/namei.c
+@@ -946,7 +946,7 @@ static int jfs_symlink(struct user_namespace *mnt_userns, struct inode *dip,
+ if (ssize <= IDATASIZE) {
+ ip->i_op = &jfs_fast_symlink_inode_operations;
+
+- ip->i_link = JFS_IP(ip)->i_inline;
++ ip->i_link = JFS_IP(ip)->i_inline_all;
+ memcpy(ip->i_link, name, ssize);
+ ip->i_size = ssize - 1;
+
+--
+2.35.1
+
--- /dev/null
+From 616b15eb61bd68a4105f970a3b0af031638d22e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 19:43:16 +0800
+Subject: kprobes: Fix check for probe enabled in kill_kprobe()
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit 0c76ef3f26d5ef2ac2c21b47e7620cff35809fbb ]
+
+In kill_kprobe(), the check whether disarm_kprobe_ftrace() needs to be
+called always fails. This is because before that we set the
+KPROBE_FLAG_GONE flag for kprobe so that "!kprobe_disabled(p)" is always
+false.
+
+The disarm_kprobe_ftrace() call introduced by commit:
+
+ 0cb2f1372baa ("kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler")
+
+to fix the NULL pointer reference problem. When the probe is enabled, if
+we do not disarm it, this problem still exists.
+
+Fix it by putting the probe enabled check before setting the
+KPROBE_FLAG_GONE flag.
+
+Link: https://lore.kernel.org/all/20221126114316.201857-1-lihuafei1@huawei.com/
+
+Fixes: 3031313eb3d54 ("kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()")
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kprobes.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index 6d2a8623ec7b..771fcce54fac 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2360,6 +2360,14 @@ static void kill_kprobe(struct kprobe *p)
+
+ lockdep_assert_held(&kprobe_mutex);
+
++ /*
++ * The module is going away. We should disarm the kprobe which
++ * is using ftrace, because ftrace framework is still available at
++ * 'MODULE_STATE_GOING' notification.
++ */
++ if (kprobe_ftrace(p) && !kprobe_disabled(p) && !kprobes_all_disarmed)
++ disarm_kprobe_ftrace(p);
++
+ p->flags |= KPROBE_FLAG_GONE;
+ if (kprobe_aggrprobe(p)) {
+ /*
+@@ -2376,14 +2384,6 @@ static void kill_kprobe(struct kprobe *p)
+ * the original probed function (which will be freed soon) any more.
+ */
+ arch_remove_kprobe(p);
+-
+- /*
+- * The module is going away. We should disarm the kprobe which
+- * is using ftrace, because ftrace framework is still available at
+- * 'MODULE_STATE_GOING' notification.
+- */
+- if (kprobe_ftrace(p) && !kprobe_disabled(p) && !kprobes_all_disarmed)
+- disarm_kprobe_ftrace(p);
+ }
+
+ /* Disable one kprobe */
+--
+2.35.1
+
--- /dev/null
+From 23819bc2d7dc0dbd3cc0e1a7dd8db11d083337ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 20:22:37 +0800
+Subject: ksmbd: Fix resource leak in ksmbd_session_rpc_open()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit bc044414fa0326a4e5c3c509c00b1fcaf621b5f4 ]
+
+When ksmbd_rpc_open() fails then it must call ksmbd_rpc_id_free() to
+undo the result of ksmbd_ipc_id_alloc().
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/mgmt/user_session.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
+index 3fa2139a0b30..92b1603b5abe 100644
+--- a/fs/ksmbd/mgmt/user_session.c
++++ b/fs/ksmbd/mgmt/user_session.c
+@@ -108,15 +108,17 @@ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name)
+ entry->method = method;
+ entry->id = ksmbd_ipc_id_alloc();
+ if (entry->id < 0)
+- goto error;
++ goto free_entry;
+
+ resp = ksmbd_rpc_open(sess, entry->id);
+ if (!resp)
+- goto error;
++ goto free_id;
+
+ kvfree(resp);
+ return entry->id;
+-error:
++free_id:
++ ksmbd_rpc_id_free(entry->id);
++free_entry:
+ list_del(&entry->list);
+ kfree(entry);
+ return -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From 75db3cb70eae5f3ce8ccd11671d3179f0b43e379 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 22:19:40 +0300
+Subject: led: qcom-lpg: Fix sleeping in atomic
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 3031993b3474794ecb71b6f969a3e60e4bda9d8a ]
+
+lpg_brighness_set() function can sleep, while led's brightness_set()
+callback must be non-blocking. Change LPG driver to use
+brightness_set_blocking() instead.
+
+BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
+in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0
+preempt_count: 101, expected: 0
+INFO: lockdep is turned off.
+CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.1.0-rc1-00014-gbe99b089c6fc-dirty #85
+Hardware name: Qualcomm Technologies, Inc. DB820c (DT)
+Call trace:
+ dump_backtrace.part.0+0xe4/0xf0
+ show_stack+0x18/0x40
+ dump_stack_lvl+0x88/0xb4
+ dump_stack+0x18/0x34
+ __might_resched+0x170/0x254
+ __might_sleep+0x48/0x9c
+ __mutex_lock+0x4c/0x400
+ mutex_lock_nested+0x2c/0x40
+ lpg_brightness_single_set+0x40/0x90
+ led_set_brightness_nosleep+0x34/0x60
+ led_heartbeat_function+0x80/0x170
+ call_timer_fn+0xb8/0x340
+ __run_timers.part.0+0x20c/0x254
+ run_timer_softirq+0x3c/0x7c
+ _stext+0x14c/0x578
+ ____do_softirq+0x10/0x20
+ call_on_irq_stack+0x2c/0x5c
+ do_softirq_own_stack+0x1c/0x30
+ __irq_exit_rcu+0x164/0x170
+ irq_exit_rcu+0x10/0x40
+ el1_interrupt+0x38/0x50
+ el1h_64_irq_handler+0x18/0x2c
+ el1h_64_irq+0x64/0x68
+ cpuidle_enter_state+0xc8/0x380
+ cpuidle_enter+0x38/0x50
+ do_idle+0x244/0x2d0
+ cpu_startup_entry+0x24/0x30
+ rest_init+0x128/0x1a0
+ arch_post_acpi_subsys_init+0x0/0x18
+ start_kernel+0x6f4/0x734
+ __primary_switched+0xbc/0xc4
+
+Fixes: 24e2d05d1b68 ("leds: Add driver for Qualcomm LPG")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/rgb/leds-qcom-lpg.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/leds/rgb/leds-qcom-lpg.c b/drivers/leds/rgb/leds-qcom-lpg.c
+index 02f51cc61837..c1a56259226f 100644
+--- a/drivers/leds/rgb/leds-qcom-lpg.c
++++ b/drivers/leds/rgb/leds-qcom-lpg.c
+@@ -602,8 +602,8 @@ static void lpg_brightness_set(struct lpg_led *led, struct led_classdev *cdev,
+ lpg_lut_sync(lpg, lut_mask);
+ }
+
+-static void lpg_brightness_single_set(struct led_classdev *cdev,
+- enum led_brightness value)
++static int lpg_brightness_single_set(struct led_classdev *cdev,
++ enum led_brightness value)
+ {
+ struct lpg_led *led = container_of(cdev, struct lpg_led, cdev);
+ struct mc_subled info;
+@@ -614,10 +614,12 @@ static void lpg_brightness_single_set(struct led_classdev *cdev,
+ lpg_brightness_set(led, cdev, &info);
+
+ mutex_unlock(&led->lpg->lock);
++
++ return 0;
+ }
+
+-static void lpg_brightness_mc_set(struct led_classdev *cdev,
+- enum led_brightness value)
++static int lpg_brightness_mc_set(struct led_classdev *cdev,
++ enum led_brightness value)
+ {
+ struct led_classdev_mc *mc = lcdev_to_mccdev(cdev);
+ struct lpg_led *led = container_of(mc, struct lpg_led, mcdev);
+@@ -628,6 +630,8 @@ static void lpg_brightness_mc_set(struct led_classdev *cdev,
+ lpg_brightness_set(led, cdev, mc->subled_info);
+
+ mutex_unlock(&led->lpg->lock);
++
++ return 0;
+ }
+
+ static int lpg_blink_set(struct lpg_led *led,
+@@ -1118,7 +1122,7 @@ static int lpg_add_led(struct lpg *lpg, struct device_node *np)
+ led->mcdev.num_colors = num_channels;
+
+ cdev = &led->mcdev.led_cdev;
+- cdev->brightness_set = lpg_brightness_mc_set;
++ cdev->brightness_set_blocking = lpg_brightness_mc_set;
+ cdev->blink_set = lpg_blink_mc_set;
+
+ /* Register pattern accessors only if we have a LUT block */
+@@ -1132,7 +1136,7 @@ static int lpg_add_led(struct lpg *lpg, struct device_node *np)
+ return ret;
+
+ cdev = &led->cdev;
+- cdev->brightness_set = lpg_brightness_single_set;
++ cdev->brightness_set_blocking = lpg_brightness_single_set;
+ cdev->blink_set = lpg_blink_single_set;
+
+ /* Register pattern accessors only if we have a LUT block */
+@@ -1151,7 +1155,7 @@ static int lpg_add_led(struct lpg *lpg, struct device_node *np)
+ else
+ cdev->brightness = LED_OFF;
+
+- cdev->brightness_set(cdev, cdev->brightness);
++ cdev->brightness_set_blocking(cdev, cdev->brightness);
+
+ init_data.fwnode = of_fwnode_handle(np);
+
+--
+2.35.1
+
--- /dev/null
+From c40af7cf1aae7e8fa4808856720dd354def0fce0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 22:29:01 +0100
+Subject: leds: is31fl319x: Fix setting current limit for is31fl319{0,1,3}
+
+From: Luca Weiss <luca@z3ntu.xyz>
+
+[ Upstream commit 135780f1048b3f956f5b10bb23dec9c2d2c4ef6d ]
+
+The current setting lives in bits 4:2 (as also defined by the mask) but
+the current limit defines in the driver use bits 2:0 which should be
+shifted over so they don't get masked out completely (except for 17.5mA
+which became 10mA).
+
+Now checking /sys/kernel/debug/regmap/1-0068/registers shows that the
+current limit is applied correctly and doesn't take the default b000 =
+42mA.
+
+Fixes: fa877cf1abb9 ("leds: is31fl319x: Add support for is31fl319{0,1,3} chips")
+Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
+Reviewed-by: Vincent Knecht <vincent.knecht@mailoo.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-is31fl319x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/leds-is31fl319x.c b/drivers/leds/leds-is31fl319x.c
+index 52b59b62f437..b2f4c4ec7c56 100644
+--- a/drivers/leds/leds-is31fl319x.c
++++ b/drivers/leds/leds-is31fl319x.c
+@@ -38,6 +38,7 @@
+ #define IS31FL3190_CURRENT_uA_MIN 5000
+ #define IS31FL3190_CURRENT_uA_DEFAULT 42000
+ #define IS31FL3190_CURRENT_uA_MAX 42000
++#define IS31FL3190_CURRENT_SHIFT 2
+ #define IS31FL3190_CURRENT_MASK GENMASK(4, 2)
+ #define IS31FL3190_CURRENT_5_mA 0x02
+ #define IS31FL3190_CURRENT_10_mA 0x01
+@@ -553,7 +554,7 @@ static int is31fl319x_probe(struct i2c_client *client)
+ is31fl3196_db_to_gain(is31->audio_gain_db));
+ else
+ regmap_update_bits(is31->regmap, IS31FL3190_CURRENT, IS31FL3190_CURRENT_MASK,
+- is31fl3190_microamp_to_cs(dev, aggregated_led_microamp));
++ is31fl3190_microamp_to_cs(dev, aggregated_led_microamp) << IS31FL3190_CURRENT_SHIFT);
+
+ for (i = 0; i < is31->cdef->num_leds; i++) {
+ struct is31fl319x_led *led = &is31->leds[i];
+--
+2.35.1
+
--- /dev/null
+From 201467cf83b3a9bef6247c13b784e0242f282390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Jun 2022 21:06:34 +0800
+Subject: lib/debugobjects: fix stat count and optimize debug_objects_mem_init
+
+From: wuchi <wuchi.zero@gmail.com>
+
+[ Upstream commit eabb7f1ace53e127309407b2b5e74e8199e85270 ]
+
+1. Var debug_objects_allocated tracks valid kmem_cache_alloc calls, so
+ track it in debug_objects_replace_static_objects. Do similar things in
+ object_cpu_offline.
+
+2. In debug_objects_mem_init, there is no need to call function
+ cpuhp_setup_state_nocalls when debug_objects_enabled = 0 (out of
+ memory).
+
+Link: https://lkml.kernel.org/r/20220611130634.99741-1-wuchi.zero@gmail.com
+Fixes: 634d61f45d6f ("debugobjects: Percpu pool lookahead freeing/allocation")
+Fixes: c4b73aabd098 ("debugobjects: Track number of kmem_cache_alloc/kmem_cache_free done")
+Signed-off-by: wuchi <wuchi.zero@gmail.com>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/debugobjects.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/debugobjects.c b/lib/debugobjects.c
+index 337d797a7141..6f8e5dd1dcd0 100644
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -437,6 +437,7 @@ static int object_cpu_offline(unsigned int cpu)
+ struct debug_percpu_free *percpu_pool;
+ struct hlist_node *tmp;
+ struct debug_obj *obj;
++ unsigned long flags;
+
+ /* Remote access is safe as the CPU is dead already */
+ percpu_pool = per_cpu_ptr(&percpu_obj_pool, cpu);
+@@ -444,6 +445,12 @@ static int object_cpu_offline(unsigned int cpu)
+ hlist_del(&obj->node);
+ kmem_cache_free(obj_cache, obj);
+ }
++
++ raw_spin_lock_irqsave(&pool_lock, flags);
++ obj_pool_used -= percpu_pool->obj_free;
++ debug_objects_freed += percpu_pool->obj_free;
++ raw_spin_unlock_irqrestore(&pool_lock, flags);
++
+ percpu_pool->obj_free = 0;
+
+ return 0;
+@@ -1318,6 +1325,8 @@ static int __init debug_objects_replace_static_objects(void)
+ hlist_add_head(&obj->node, &objects);
+ }
+
++ debug_objects_allocated += i;
++
+ /*
+ * debug_objects_mem_init() is now called early that only one CPU is up
+ * and interrupts have been disabled, so it is safe to replace the
+@@ -1386,6 +1395,7 @@ void __init debug_objects_mem_init(void)
+ debug_objects_enabled = 0;
+ kmem_cache_destroy(obj_cache);
+ pr_warn("out of memory.\n");
++ return;
+ } else
+ debug_objects_selftest();
+
+--
+2.35.1
+
--- /dev/null
+From 726aac62ce89229faf57ed8c5bf31b81d4136b7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 19:38:29 +0800
+Subject: lib/fonts: fix undefined behavior in bit shift for get_default_font
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 6fe888c4d2fb174408e4540bb2d5602b9f507f90 ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20
+left shift of 1 by 31 places cannot be represented in type 'int'
+ <TASK>
+ dump_stack_lvl+0x7d/0xa5
+ dump_stack+0x15/0x1b
+ ubsan_epilogue+0xe/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
+ get_default_font+0x1c7/0x1f0
+ fbcon_startup+0x347/0x3a0
+ do_take_over_console+0xce/0x270
+ do_fbcon_takeover+0xa1/0x170
+ do_fb_registered+0x2a8/0x340
+ fbcon_fb_registered+0x47/0xe0
+ register_framebuffer+0x294/0x4a0
+ __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
+ drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
+ drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
+ drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
+ bochs_pci_probe+0x6ca/0x772 [bochs]
+ local_pci_probe+0x4d/0xb0
+ pci_device_probe+0x119/0x320
+ really_probe+0x181/0x550
+ __driver_probe_device+0xc6/0x220
+ driver_probe_device+0x32/0x100
+ __driver_attach+0x195/0x200
+ bus_for_each_dev+0xbb/0x120
+ driver_attach+0x27/0x30
+ bus_add_driver+0x22e/0x2f0
+ driver_register+0xa9/0x190
+ __pci_register_driver+0x90/0xa0
+ bochs_pci_driver_init+0x52/0x1000 [bochs]
+ do_one_initcall+0x76/0x430
+ do_init_module+0x61/0x28a
+ load_module+0x1f82/0x2e50
+ __do_sys_finit_module+0xf8/0x190
+ __x64_sys_finit_module+0x23/0x30
+ do_syscall_64+0x58/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ </TASK>
+
+Link: https://lkml.kernel.org/r/20221031113829.4183153-1-cuigaosheng1@huawei.com
+Fixes: c81f717cb9e0 ("fbcon: Fix typo and bogus logic in get_default_font")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/fonts/fonts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/fonts/fonts.c b/lib/fonts/fonts.c
+index 5f4b07b56cd9..973866438608 100644
+--- a/lib/fonts/fonts.c
++++ b/lib/fonts/fonts.c
+@@ -135,8 +135,8 @@ const struct font_desc *get_default_font(int xres, int yres, u32 font_w,
+ if (res > 20)
+ c += 20 - res;
+
+- if ((font_w & (1 << (f->width - 1))) &&
+- (font_h & (1 << (f->height - 1))))
++ if ((font_w & (1U << (f->width - 1))) &&
++ (font_h & (1U << (f->height - 1))))
+ c += 1000;
+
+ if (c > cc) {
+--
+2.35.1
+
--- /dev/null
+From a3833642b291802fb5a201bac10de03853475b0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 02:24:17 +0900
+Subject: lib/notifier-error-inject: fix error when writing -errno to debugfs
+ file
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit f883c3edd2c432a2931ec8773c70a570115a50fe ]
+
+The simple attribute files do not accept a negative value since the commit
+488dac0c9237 ("libfs: fix error cast of negative value in
+simple_attr_write()").
+
+This restores the previous behaviour by using newly introduced
+DEFINE_SIMPLE_ATTRIBUTE_SIGNED instead of DEFINE_SIMPLE_ATTRIBUTE.
+
+Link: https://lkml.kernel.org/r/20220919172418.45257-3-akinobu.mita@gmail.com
+Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Rafael J. Wysocki <rafael@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Wei Yongjun <weiyongjun1@huawei.com>
+Cc: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/notifier-error-inject.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/notifier-error-inject.c b/lib/notifier-error-inject.c
+index 21016b32d313..2b24ea6c9497 100644
+--- a/lib/notifier-error-inject.c
++++ b/lib/notifier-error-inject.c
+@@ -15,7 +15,7 @@ static int debugfs_errno_get(void *data, u64 *val)
+ return 0;
+ }
+
+-DEFINE_SIMPLE_ATTRIBUTE(fops_errno, debugfs_errno_get, debugfs_errno_set,
++DEFINE_SIMPLE_ATTRIBUTE_SIGNED(fops_errno, debugfs_errno_get, debugfs_errno_set,
+ "%lld\n");
+
+ static struct dentry *debugfs_create_errno(const char *name, umode_t mode,
+--
+2.35.1
+
--- /dev/null
+From fad977c5a173643a1384e970e4365e338bab9c92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 12:00:12 -0800
+Subject: libbpf: Avoid enum forward-declarations in public API in C++ mode
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit b42693415b86f608049cf1b4870adc1dc65e58b0 ]
+
+C++ enum forward declarations are fundamentally not compatible with pure
+C enum definitions, and so libbpf's use of `enum bpf_stats_type;`
+forward declaration in libbpf/bpf.h public API header is causing C++
+compilation issues.
+
+More details can be found in [0], but it comes down to C++ supporting
+enum forward declaration only with explicitly specified backing type:
+
+ enum bpf_stats_type: int;
+
+In C (and I believe it's a GCC extension also), such forward declaration
+is simply:
+
+ enum bpf_stats_type;
+
+Further, in Linux UAPI this enum is defined in pure C way:
+
+enum bpf_stats_type { BPF_STATS_RUN_TIME = 0; }
+
+And even though in both cases backing type is int, which can be
+confirmed by looking at DWARF information, for C++ compiler actual enum
+definition and forward declaration are incompatible.
+
+To eliminate this problem, for C++ mode define input argument as int,
+which makes enum unnecessary in libbpf public header. This solves the
+issue and as demonstrated by next patch doesn't cause any unwanted
+compiler warnings, at least with default warnings setting.
+
+ [0] https://stackoverflow.com/questions/42766839/c11-enum-forward-causes-underlying-type-mismatch
+ [1] Closes: https://github.com/libbpf/libbpf/issues/249
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20221130200013.2997831-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
+index 9c50beabdd14..fddc05c667b5 100644
+--- a/tools/lib/bpf/bpf.h
++++ b/tools/lib/bpf/bpf.h
+@@ -393,8 +393,15 @@ LIBBPF_API int bpf_task_fd_query(int pid, int fd, __u32 flags, char *buf,
+ __u32 *buf_len, __u32 *prog_id, __u32 *fd_type,
+ __u64 *probe_offset, __u64 *probe_addr);
+
++#ifdef __cplusplus
++/* forward-declaring enums in C++ isn't compatible with pure C enums, so
++ * instead define bpf_enable_stats() as accepting int as an input
++ */
++LIBBPF_API int bpf_enable_stats(int type);
++#else
+ enum bpf_stats_type; /* defined in up-to-date linux/bpf.h */
+ LIBBPF_API int bpf_enable_stats(enum bpf_stats_type type);
++#endif
+
+ struct bpf_prog_bind_opts {
+ size_t sz; /* size of this struct for forward/backward compatibility */
+--
+2.35.1
+
--- /dev/null
+From 9c7f143d24e94af4c2c43abb258c991376e97a31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 15:38:29 +0100
+Subject: libbpf: Btf dedup identical struct test needs check for nested
+ structs/arrays
+
+From: Alan Maguire <alan.maguire@oracle.com>
+
+[ Upstream commit f3c51fe02c55bd944662714e5b91b96dc271ad9f ]
+
+When examining module BTF, it is common to see core kernel structures
+such as sk_buff, net_device duplicated in the module. After adding
+debug messaging to BTF it turned out that much of the problem
+was down to the identical struct test failing during deduplication;
+sometimes the compiler adds identical structs. However
+it turns out sometimes that type ids of identical struct members
+can also differ, even when the containing structs are still identical.
+
+To take an example, for struct sk_buff, debug messaging revealed
+that the identical struct matching was failing for the anon
+struct "headers"; specifically for the first field:
+
+__u8 __pkt_type_offset[0]; /* 128 0 */
+
+Looking at the code in BTF deduplication, we have code that guards
+against the possibility of identical struct definitions, down to
+type ids, and identical array definitions. However in this case
+we have a struct which is being defined twice but does not have
+identical type ids since each duplicate struct has separate type
+ids for the above array member. A similar problem (though not
+observed) could occur for struct-in-struct.
+
+The solution is to make the "identical struct" test check members
+not just for matching ids, but to also check if they in turn are
+identical structs or arrays.
+
+The results of doing this are quite dramatic (for some modules
+at least); I see the number of type ids drop from around 10000
+to just over 1000 in one module for example.
+
+For testing use latest pahole or apply [1], otherwise dedups
+can fail for the reasons described there.
+
+Also fix return type of btf_dedup_identical_arrays() as
+suggested by Andrii to match boolean return type used
+elsewhere.
+
+Fixes: efdd3eb8015e ("libbpf: Accommodate DWARF/compiler bug with duplicated structs")
+Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/1666622309-22289-1-git-send-email-alan.maguire@oracle.com
+
+[1] https://lore.kernel.org/bpf/1666364523-9648-1-git-send-email-alan.maguire
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index 2d14f1a52d7a..9b18cf3128ac 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -3889,14 +3889,14 @@ static inline __u16 btf_fwd_kind(struct btf_type *t)
+ }
+
+ /* Check if given two types are identical ARRAY definitions */
+-static int btf_dedup_identical_arrays(struct btf_dedup *d, __u32 id1, __u32 id2)
++static bool btf_dedup_identical_arrays(struct btf_dedup *d, __u32 id1, __u32 id2)
+ {
+ struct btf_type *t1, *t2;
+
+ t1 = btf_type_by_id(d->btf, id1);
+ t2 = btf_type_by_id(d->btf, id2);
+ if (!btf_is_array(t1) || !btf_is_array(t2))
+- return 0;
++ return false;
+
+ return btf_equal_array(t1, t2);
+ }
+@@ -3920,7 +3920,9 @@ static bool btf_dedup_identical_structs(struct btf_dedup *d, __u32 id1, __u32 id
+ m1 = btf_members(t1);
+ m2 = btf_members(t2);
+ for (i = 0, n = btf_vlen(t1); i < n; i++, m1++, m2++) {
+- if (m1->type != m2->type)
++ if (m1->type != m2->type &&
++ !btf_dedup_identical_arrays(d, m1->type, m2->type) &&
++ !btf_dedup_identical_structs(d, m1->type, m2->type))
+ return false;
+ }
+ return true;
+--
+2.35.1
+
--- /dev/null
+From 42a4da1d7fb7db56c29ba8e51efd06fb65b79b00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 10:23:52 +0800
+Subject: libbpf: Deal with section with no data gracefully
+
+From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+
+[ Upstream commit 35a855509e6ee3442477c8ebc6827b5b5d32a7b5 ]
+
+ELF section data pointer returned by libelf may be NULL (if section has
+SHT_NOBITS), so null check section data pointer before attempting to
+copy license and kversion section.
+
+Fixes: cb1e5e961991 ("bpf tools: Collect version and license from ELF sections")
+Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20221012022353.7350-3-shung-hsi.yu@suse.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 7f3cec7e7349..5561b23338a7 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -1399,6 +1399,10 @@ static int bpf_object__check_endianness(struct bpf_object *obj)
+ static int
+ bpf_object__init_license(struct bpf_object *obj, void *data, size_t size)
+ {
++ if (!data) {
++ pr_warn("invalid license section in %s\n", obj->path);
++ return -LIBBPF_ERRNO__FORMAT;
++ }
+ /* libbpf_strlcpy() only copies first N - 1 bytes, so size + 1 won't
+ * go over allowed ELF data section buffer
+ */
+@@ -1412,7 +1416,7 @@ bpf_object__init_kversion(struct bpf_object *obj, void *data, size_t size)
+ {
+ __u32 kver;
+
+- if (size != sizeof(kver)) {
++ if (!data || size != sizeof(kver)) {
+ pr_warn("invalid kver section in %s\n", obj->path);
+ return -LIBBPF_ERRNO__FORMAT;
+ }
+--
+2.35.1
+
--- /dev/null
+From fb9b6631c5deed377c1f96a3bfc6ce074d7fa1ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 08:01:04 -0400
+Subject: libbpf: Fix memory leak in parse_usdt_arg()
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 0dc9254e03704c75f2ebc9cbef2ce4de83fba603 ]
+
+In the arm64 version of parse_usdt_arg(), when sscanf returns 2, reg_name
+is allocated but not freed. Fix it.
+
+Fixes: 0f8619929c57 ("libbpf: Usdt aarch64 arg parsing support")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/bpf/20221011120108.782373-3-xukuohai@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/usdt.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/tools/lib/bpf/usdt.c b/tools/lib/bpf/usdt.c
+index d18e37982344..2ade9c7969d7 100644
+--- a/tools/lib/bpf/usdt.c
++++ b/tools/lib/bpf/usdt.c
+@@ -1348,25 +1348,23 @@ static int calc_pt_regs_off(const char *reg_name)
+
+ static int parse_usdt_arg(const char *arg_str, int arg_num, struct usdt_arg_spec *arg)
+ {
+- char *reg_name = NULL;
++ char reg_name[16];
+ int arg_sz, len, reg_off;
+ long off;
+
+- if (sscanf(arg_str, " %d @ \[ %m[a-z0-9], %ld ] %n", &arg_sz, ®_name, &off, &len) == 3) {
++ if (sscanf(arg_str, " %d @ \[ %15[a-z0-9], %ld ] %n", &arg_sz, reg_name, &off, &len) == 3) {
+ /* Memory dereference case, e.g., -4@[sp, 96] */
+ arg->arg_type = USDT_ARG_REG_DEREF;
+ arg->val_off = off;
+ reg_off = calc_pt_regs_off(reg_name);
+- free(reg_name);
+ if (reg_off < 0)
+ return reg_off;
+ arg->reg_off = reg_off;
+- } else if (sscanf(arg_str, " %d @ \[ %m[a-z0-9] ] %n", &arg_sz, ®_name, &len) == 2) {
++ } else if (sscanf(arg_str, " %d @ \[ %15[a-z0-9] ] %n", &arg_sz, reg_name, &len) == 2) {
+ /* Memory dereference case, e.g., -4@[sp] */
+ arg->arg_type = USDT_ARG_REG_DEREF;
+ arg->val_off = 0;
+ reg_off = calc_pt_regs_off(reg_name);
+- free(reg_name);
+ if (reg_off < 0)
+ return reg_off;
+ arg->reg_off = reg_off;
+@@ -1375,12 +1373,11 @@ static int parse_usdt_arg(const char *arg_str, int arg_num, struct usdt_arg_spec
+ arg->arg_type = USDT_ARG_CONST;
+ arg->val_off = off;
+ arg->reg_off = 0;
+- } else if (sscanf(arg_str, " %d @ %m[a-z0-9] %n", &arg_sz, ®_name, &len) == 2) {
++ } else if (sscanf(arg_str, " %d @ %15[a-z0-9] %n", &arg_sz, reg_name, &len) == 2) {
+ /* Register read case, e.g., -8@x4 */
+ arg->arg_type = USDT_ARG_REG;
+ arg->val_off = 0;
+ reg_off = calc_pt_regs_off(reg_name);
+- free(reg_name);
+ if (reg_off < 0)
+ return reg_off;
+ arg->reg_off = reg_off;
+--
+2.35.1
+
--- /dev/null
+From dcdfe1dac5db2dbfca3d39a5fcfeda698e75070f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 10:23:53 +0800
+Subject: libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()
+
+From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+
+[ Upstream commit d0d382f95a9270dcf803539d6781d6bd67e3f5b2 ]
+
+When there are no program sections, obj->programs is left unallocated,
+and find_prog_by_sec_insn()'s search lands on &obj->programs[0] == NULL,
+and will cause null-pointer dereference in the following access to
+prog->sec_idx.
+
+Guard the search with obj->nr_programs similar to what's being done in
+__bpf_program__iter() to prevent null-pointer access from happening.
+
+Fixes: db2b8b06423c ("libbpf: Support CO-RE relocations for multi-prog sections")
+Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20221012022353.7350-4-shung-hsi.yu@suse.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 5561b23338a7..c01f57d31f89 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -4085,6 +4085,9 @@ static struct bpf_program *find_prog_by_sec_insn(const struct bpf_object *obj,
+ int l = 0, r = obj->nr_programs - 1, m;
+ struct bpf_program *prog;
+
++ if (!obj->nr_programs)
++ return NULL;
++
+ while (l < r) {
+ m = l + (r - l + 1) / 2;
+ prog = &obj->programs[m];
+--
+2.35.1
+
--- /dev/null
+From 9783a7a280444b54b3a84df32787ae0f0b52c1a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 08:01:03 -0400
+Subject: libbpf: Fix use-after-free in btf_dump_name_dups
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 93c660ca40b5d2f7c1b1626e955a8e9fa30e0749 ]
+
+ASAN reports an use-after-free in btf_dump_name_dups:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0xffff927006db at pc 0xaaaab5dfb618 bp 0xffffdd89b890 sp 0xffffdd89b928
+READ of size 2 at 0xffff927006db thread T0
+ #0 0xaaaab5dfb614 in __interceptor_strcmp.part.0 (test_progs+0x21b614)
+ #1 0xaaaab635f144 in str_equal_fn tools/lib/bpf/btf_dump.c:127
+ #2 0xaaaab635e3e0 in hashmap_find_entry tools/lib/bpf/hashmap.c:143
+ #3 0xaaaab635e72c in hashmap__find tools/lib/bpf/hashmap.c:212
+ #4 0xaaaab6362258 in btf_dump_name_dups tools/lib/bpf/btf_dump.c:1525
+ #5 0xaaaab636240c in btf_dump_resolve_name tools/lib/bpf/btf_dump.c:1552
+ #6 0xaaaab6362598 in btf_dump_type_name tools/lib/bpf/btf_dump.c:1567
+ #7 0xaaaab6360b48 in btf_dump_emit_struct_def tools/lib/bpf/btf_dump.c:912
+ #8 0xaaaab6360630 in btf_dump_emit_type tools/lib/bpf/btf_dump.c:798
+ #9 0xaaaab635f720 in btf_dump__dump_type tools/lib/bpf/btf_dump.c:282
+ #10 0xaaaab608523c in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:236
+ #11 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
+ #12 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
+ #13 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
+ #14 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
+ #15 0xaaaab5d65990 (test_progs+0x185990)
+
+0xffff927006db is located 11 bytes inside of 16-byte region [0xffff927006d0,0xffff927006e0)
+freed by thread T0 here:
+ #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4)
+ #1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191
+ #2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163
+ #3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106
+ #4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157
+ #5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519
+ #6 0xaaaab6353e10 in btf__add_field tools/lib/bpf/btf.c:2032
+ #7 0xaaaab6084fcc in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:232
+ #8 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
+ #9 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
+ #10 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
+ #11 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
+ #12 0xaaaab5d65990 (test_progs+0x185990)
+
+previously allocated by thread T0 here:
+ #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4)
+ #1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191
+ #2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163
+ #3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106
+ #4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157
+ #5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519
+ #6 0xaaaab6353ff0 in btf_add_enum_common tools/lib/bpf/btf.c:2070
+ #7 0xaaaab6354080 in btf__add_enum tools/lib/bpf/btf.c:2102
+ #8 0xaaaab6082f50 in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:162
+ #9 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
+ #10 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
+ #11 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
+ #12 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
+ #13 0xaaaab5d65990 (test_progs+0x185990)
+
+The reason is that the key stored in hash table name_map is a string
+address, and the string memory is allocated by realloc() function, when
+the memory is resized by realloc() later, the old memory may be freed,
+so the address stored in name_map references to a freed memory, causing
+use-after-free.
+
+Fix it by storing duplicated string address in name_map.
+
+Fixes: 919d2b1dbb07 ("libbpf: Allow modification of BTF and add btf__add_str API")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/bpf/20221011120108.782373-2-xukuohai@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_dump.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index 3937f66c7f8d..0b470169729e 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -219,6 +219,17 @@ static int btf_dump_resize(struct btf_dump *d)
+ return 0;
+ }
+
++static void btf_dump_free_names(struct hashmap *map)
++{
++ size_t bkt;
++ struct hashmap_entry *cur;
++
++ hashmap__for_each_entry(map, cur, bkt)
++ free((void *)cur->key);
++
++ hashmap__free(map);
++}
++
+ void btf_dump__free(struct btf_dump *d)
+ {
+ int i;
+@@ -237,8 +248,8 @@ void btf_dump__free(struct btf_dump *d)
+ free(d->cached_names);
+ free(d->emit_queue);
+ free(d->decl_stack);
+- hashmap__free(d->type_names);
+- hashmap__free(d->ident_names);
++ btf_dump_free_names(d->type_names);
++ btf_dump_free_names(d->ident_names);
+
+ free(d);
+ }
+@@ -1520,11 +1531,23 @@ static void btf_dump_emit_type_cast(struct btf_dump *d, __u32 id,
+ static size_t btf_dump_name_dups(struct btf_dump *d, struct hashmap *name_map,
+ const char *orig_name)
+ {
++ char *old_name, *new_name;
+ size_t dup_cnt = 0;
++ int err;
++
++ new_name = strdup(orig_name);
++ if (!new_name)
++ return 1;
+
+ hashmap__find(name_map, orig_name, (void **)&dup_cnt);
+ dup_cnt++;
+- hashmap__set(name_map, orig_name, (void *)dup_cnt, NULL, NULL);
++
++ err = hashmap__set(name_map, new_name, (void *)dup_cnt,
++ (const void **)&old_name, NULL);
++ if (err)
++ free(new_name);
++
++ free(old_name);
+
+ return dup_cnt;
+ }
+--
+2.35.1
+
--- /dev/null
+From 7af9408b768213ce5d05696117cacfad12ba2781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 14:42:02 -0700
+Subject: libbpf: Reject legacy 'maps' ELF section
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit e19db6762c18ab1ddf7a3ef4d0023780c24dc1e8 ]
+
+Add explicit error message if BPF object file is still using legacy BPF
+map definitions in SEC("maps"). Before this change, if BPF object file
+is still using legacy map definition user will see a bit confusing:
+
+ libbpf: elf: skipping unrecognized data section(4) maps
+ libbpf: prog 'handler': bad map relo against 'server_map' in section 'maps'
+
+Now libbpf will be explicit about rejecting "maps" ELF section:
+
+ libbpf: elf: legacy map definitions in 'maps' section are not supported by libbpf v1.0+
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20220803214202.23750-1-andrii@kernel.org
+Stable-dep-of: 51deedc9b868 ("libbpf: Use elf_getshdrnum() instead of e_shnum")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 79ea83be21ce..264790796001 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -591,7 +591,6 @@ struct elf_state {
+ size_t strtabidx;
+ struct elf_sec_desc *secs;
+ int sec_cnt;
+- int maps_shndx;
+ int btf_maps_shndx;
+ __u32 btf_maps_sec_btf_id;
+ int text_shndx;
+@@ -1272,7 +1271,6 @@ static struct bpf_object *bpf_object__new(const char *path,
+ */
+ obj->efile.obj_buf = obj_buf;
+ obj->efile.obj_buf_sz = obj_buf_sz;
+- obj->efile.maps_shndx = -1;
+ obj->efile.btf_maps_shndx = -1;
+ obj->efile.st_ops_shndx = -1;
+ obj->kconfig_map_idx = -1;
+@@ -3359,7 +3357,8 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
+ if (err)
+ return err;
+ } else if (strcmp(name, "maps") == 0) {
+- obj->efile.maps_shndx = idx;
++ pr_warn("elf: legacy map definitions in 'maps' section are not supported by libbpf v1.0+\n");
++ return -ENOTSUP;
+ } else if (strcmp(name, MAPS_ELF_SEC) == 0) {
+ obj->efile.btf_maps_shndx = idx;
+ } else if (strcmp(name, BTF_ELF_SEC) == 0) {
+@@ -3891,8 +3890,7 @@ static bool bpf_object__shndx_is_data(const struct bpf_object *obj,
+ static bool bpf_object__shndx_is_maps(const struct bpf_object *obj,
+ int shndx)
+ {
+- return shndx == obj->efile.maps_shndx ||
+- shndx == obj->efile.btf_maps_shndx;
++ return shndx == obj->efile.btf_maps_shndx;
+ }
+
+ static enum libbpf_map_type
+--
+2.35.1
+
--- /dev/null
+From 141f0dc1324ca4ff7f01aa7b89f51a31f7a81327 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 10:23:51 +0800
+Subject: libbpf: Use elf_getshdrnum() instead of e_shnum
+
+From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+
+[ Upstream commit 51deedc9b8680953437dfe359e5268120de10e30 ]
+
+This commit replace e_shnum with the elf_getshdrnum() helper to fix two
+oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both
+reports are incorrectly marked as fixed and while still being
+reproducible in the latest libbpf.
+
+ # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
+ libbpf: loading object 'fuzz-object' from buffer
+ libbpf: sec_cnt is 0
+ libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
+ libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
+ =================================================================
+ ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
+ WRITE of size 4 at 0x6020000000c0 thread T0
+ SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
+ #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
+ #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
+ #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
+ ...
+
+The issue lie in libbpf's direct use of e_shnum field in ELF header as
+the section header count. Where as libelf implemented an extra logic
+that, when e_shnum == 0 && e_shoff != 0, will use sh_size member of the
+initial section header as the real section header count (part of ELF
+spec to accommodate situation where section header counter is larger
+than SHN_LORESERVE).
+
+The above inconsistency lead to libbpf writing into a zero-entry calloc
+area. So intead of using e_shnum directly, use the elf_getshdrnum()
+helper provided by libelf to retrieve the section header counter into
+sec_cnt.
+
+Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic")
+Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
+Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
+Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
+Link: https://lore.kernel.org/bpf/20221012022353.7350-2-shung-hsi.yu@suse.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 264790796001..7f3cec7e7349 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -590,7 +590,7 @@ struct elf_state {
+ size_t shstrndx; /* section index for section name strings */
+ size_t strtabidx;
+ struct elf_sec_desc *secs;
+- int sec_cnt;
++ size_t sec_cnt;
+ int btf_maps_shndx;
+ __u32 btf_maps_sec_btf_id;
+ int text_shndx;
+@@ -3282,10 +3282,15 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
+ Elf64_Shdr *sh;
+
+ /* ELF section indices are 0-based, but sec #0 is special "invalid"
+- * section. e_shnum does include sec #0, so e_shnum is the necessary
+- * size of an array to keep all the sections.
++ * section. Since section count retrieved by elf_getshdrnum() does
++ * include sec #0, it is already the necessary size of an array to keep
++ * all the sections.
+ */
+- obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
++ if (elf_getshdrnum(obj->efile.elf, &obj->efile.sec_cnt)) {
++ pr_warn("elf: failed to get the number of sections for %s: %s\n",
++ obj->path, elf_errmsg(-1));
++ return -LIBBPF_ERRNO__FORMAT;
++ }
+ obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
+ if (!obj->efile.secs)
+ return -ENOMEM;
+--
+2.35.1
+
--- /dev/null
+From c994c0bc808a4a0bf732991e5d9d244ca68149aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 02:24:16 +0900
+Subject: libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+[ Upstream commit 2e41f274f9aa71cdcc69dc1f26a3f9304a651804 ]
+
+Patch series "fix error when writing negative value to simple attribute
+files".
+
+The simple attribute files do not accept a negative value since the commit
+488dac0c9237 ("libfs: fix error cast of negative value in
+simple_attr_write()"), but some attribute files want to accept a negative
+value.
+
+This patch (of 3):
+
+The simple attribute files do not accept a negative value since the commit
+488dac0c9237 ("libfs: fix error cast of negative value in
+simple_attr_write()"), so we have to use a 64-bit value to write a
+negative value.
+
+This adds DEFINE_SIMPLE_ATTRIBUTE_SIGNED for a signed value.
+
+Link: https://lkml.kernel.org/r/20220919172418.45257-1-akinobu.mita@gmail.com
+Link: https://lkml.kernel.org/r/20220919172418.45257-2-akinobu.mita@gmail.com
+Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Rafael J. Wysocki <rafael@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Wei Yongjun <weiyongjun1@huawei.com>
+Cc: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/libfs.c | 22 +++++++++++++++++++---
+ include/linux/fs.h | 12 ++++++++++--
+ 2 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/fs/libfs.c b/fs/libfs.c
+index 31b0ddf01c31..76fb29a103a2 100644
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -994,8 +994,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
+ EXPORT_SYMBOL_GPL(simple_attr_read);
+
+ /* interpret the buffer as a number to call the set function with */
+-ssize_t simple_attr_write(struct file *file, const char __user *buf,
+- size_t len, loff_t *ppos)
++static ssize_t simple_attr_write_xsigned(struct file *file, const char __user *buf,
++ size_t len, loff_t *ppos, bool is_signed)
+ {
+ struct simple_attr *attr;
+ unsigned long long val;
+@@ -1016,7 +1016,10 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf,
+ goto out;
+
+ attr->set_buf[size] = '\0';
+- ret = kstrtoull(attr->set_buf, 0, &val);
++ if (is_signed)
++ ret = kstrtoll(attr->set_buf, 0, &val);
++ else
++ ret = kstrtoull(attr->set_buf, 0, &val);
+ if (ret)
+ goto out;
+ ret = attr->set(attr->data, val);
+@@ -1026,8 +1029,21 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf,
+ mutex_unlock(&attr->mutex);
+ return ret;
+ }
++
++ssize_t simple_attr_write(struct file *file, const char __user *buf,
++ size_t len, loff_t *ppos)
++{
++ return simple_attr_write_xsigned(file, buf, len, ppos, false);
++}
+ EXPORT_SYMBOL_GPL(simple_attr_write);
+
++ssize_t simple_attr_write_signed(struct file *file, const char __user *buf,
++ size_t len, loff_t *ppos)
++{
++ return simple_attr_write_xsigned(file, buf, len, ppos, true);
++}
++EXPORT_SYMBOL_GPL(simple_attr_write_signed);
++
+ /**
+ * generic_fh_to_dentry - generic helper for the fh_to_dentry export operation
+ * @sb: filesystem to do the file handle conversion on
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index be074b6895b9..8e79a761c56c 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3480,7 +3480,7 @@ void simple_transaction_set(struct file *file, size_t n);
+ * All attributes contain a text representation of a numeric value
+ * that are accessed with the get() and set() functions.
+ */
+-#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt) \
++#define DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, __is_signed) \
+ static int __fops ## _open(struct inode *inode, struct file *file) \
+ { \
+ __simple_attr_check_format(__fmt, 0ull); \
+@@ -3491,10 +3491,16 @@ static const struct file_operations __fops = { \
+ .open = __fops ## _open, \
+ .release = simple_attr_release, \
+ .read = simple_attr_read, \
+- .write = simple_attr_write, \
++ .write = (__is_signed) ? simple_attr_write_signed : simple_attr_write, \
+ .llseek = generic_file_llseek, \
+ }
+
++#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt) \
++ DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, false)
++
++#define DEFINE_SIMPLE_ATTRIBUTE_SIGNED(__fops, __get, __set, __fmt) \
++ DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, true)
++
+ static inline __printf(1, 2)
+ void __simple_attr_check_format(const char *fmt, ...)
+ {
+@@ -3509,6 +3515,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
+ size_t len, loff_t *ppos);
+ ssize_t simple_attr_write(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos);
++ssize_t simple_attr_write_signed(struct file *file, const char __user *buf,
++ size_t len, loff_t *ppos);
+
+ struct ctl_table;
+ int __init list_bdev_fs_names(char *buf, size_t size);
+--
+2.35.1
+
--- /dev/null
+From 7d1a1c3b87a5c728fcc0696aa7ed97d655e1548f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Nov 2022 14:02:39 -0500
+Subject: lockd: set other missing fields when unlocking files
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 18ebd35b61b4693a0ddc270b6d4f18def232e770 ]
+
+vfs_lock_file() expects the struct file_lock to be fully initialised by
+the caller. Re-exported NFSv3 has been seen to Oops if the fl_file field
+is NULL.
+
+Fixes: aec158242b87 ("lockd: set fl_owner when unlocking files")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216582
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/lockd/svcsubs.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/fs/lockd/svcsubs.c b/fs/lockd/svcsubs.c
+index e1c4617de771..3515f17eaf3f 100644
+--- a/fs/lockd/svcsubs.c
++++ b/fs/lockd/svcsubs.c
+@@ -176,7 +176,7 @@ nlm_delete_file(struct nlm_file *file)
+ }
+ }
+
+-static int nlm_unlock_files(struct nlm_file *file, fl_owner_t owner)
++static int nlm_unlock_files(struct nlm_file *file, const struct file_lock *fl)
+ {
+ struct file_lock lock;
+
+@@ -184,12 +184,15 @@ static int nlm_unlock_files(struct nlm_file *file, fl_owner_t owner)
+ lock.fl_type = F_UNLCK;
+ lock.fl_start = 0;
+ lock.fl_end = OFFSET_MAX;
+- lock.fl_owner = owner;
+- if (file->f_file[O_RDONLY] &&
+- vfs_lock_file(file->f_file[O_RDONLY], F_SETLK, &lock, NULL))
++ lock.fl_owner = fl->fl_owner;
++ lock.fl_pid = fl->fl_pid;
++ lock.fl_flags = FL_POSIX;
++
++ lock.fl_file = file->f_file[O_RDONLY];
++ if (lock.fl_file && vfs_lock_file(lock.fl_file, F_SETLK, &lock, NULL))
+ goto out_err;
+- if (file->f_file[O_WRONLY] &&
+- vfs_lock_file(file->f_file[O_WRONLY], F_SETLK, &lock, NULL))
++ lock.fl_file = file->f_file[O_WRONLY];
++ if (lock.fl_file && vfs_lock_file(lock.fl_file, F_SETLK, &lock, NULL))
+ goto out_err;
+ return 0;
+ out_err:
+@@ -226,7 +229,7 @@ nlm_traverse_locks(struct nlm_host *host, struct nlm_file *file,
+ if (match(lockhost, host)) {
+
+ spin_unlock(&flctx->flc_lock);
+- if (nlm_unlock_files(file, fl->fl_owner))
++ if (nlm_unlock_files(file, fl))
+ return 1;
+ goto again;
+ }
+--
+2.35.1
+
--- /dev/null
+From 25970f58b90f0d2638bde02ef5f360f6c5aa7d99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 11:25:51 +0800
+Subject: macintosh: fix possible memory leak in macio_add_one_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 5ca86eae55a2f006e6c1edd2029b2cacb6979515 ]
+
+Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
+bus_id string array"), the name of device is allocated dynamically. It
+needs to be freed when of_device_register() fails. Call put_device() to
+give up the reference that's taken in device_initialize(), so that it
+can be freed in kobject_cleanup() when the refcount hits 0.
+
+macio device is freed in macio_release_dev(), so the kfree() can be
+removed.
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221104032551.1075335-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/macintosh/macio_asic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/macintosh/macio_asic.c b/drivers/macintosh/macio_asic.c
+index 1ec1e5984563..3bc1f374e657 100644
+--- a/drivers/macintosh/macio_asic.c
++++ b/drivers/macintosh/macio_asic.c
+@@ -424,7 +424,7 @@ static struct macio_dev * macio_add_one_device(struct macio_chip *chip,
+ if (of_device_register(&dev->ofdev) != 0) {
+ printk(KERN_DEBUG"macio: device registration error for %s!\n",
+ dev_name(&dev->ofdev.dev));
+- kfree(dev);
++ put_device(&dev->ofdev.dev);
+ return NULL;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 2edbd31799f2d96bdde094b505772e68241d0ab0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 15:41:48 +0800
+Subject: macintosh/macio-adb: check the return value of ioremap()
+
+From: Xie Shaowen <studentxswpy@163.com>
+
+[ Upstream commit dbaa3105736d4d73063ea0a3b01cd7fafce924e6 ]
+
+The function ioremap() in macio_init() can fail, so its return value
+should be checked.
+
+Fixes: 36874579dbf4c ("[PATCH] powerpc: macio-adb build fix")
+Reported-by: Hacash Robot <hacashRobot@santino.com>
+Signed-off-by: Xie Shaowen <studentxswpy@163.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220802074148.3213659-1-studentxswpy@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/macintosh/macio-adb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/macintosh/macio-adb.c b/drivers/macintosh/macio-adb.c
+index 9b63bd2551c6..cd4e34d15c26 100644
+--- a/drivers/macintosh/macio-adb.c
++++ b/drivers/macintosh/macio-adb.c
+@@ -108,6 +108,10 @@ int macio_init(void)
+ return -ENXIO;
+ }
+ adb = ioremap(r.start, sizeof(struct adb_regs));
++ if (!adb) {
++ of_node_put(adbs);
++ return -ENOMEM;
++ }
+
+ out_8(&adb->ctrl.r, 0);
+ out_8(&adb->intr.r, 0);
+--
+2.35.1
+
--- /dev/null
+From 26c513f38694ad3a6ec8f1355768979d5fd44e4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 14:35:48 +0800
+Subject: mailbox: arm_mhuv2: Fix return value check in mhuv2_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 165b7643f2df890066b1b4e8a387888a600ca9bf ]
+
+If devm_of_iomap() fails, it returns ERR_PTR() and never
+return NULL, so replace NULL pointer check with IS_ERR()
+to fix this problem.
+
+Fixes: 5a6338cce9f4 ("mailbox: arm_mhuv2: Add driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/arm_mhuv2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mailbox/arm_mhuv2.c b/drivers/mailbox/arm_mhuv2.c
+index a47aef8df52f..c6d4957c4da8 100644
+--- a/drivers/mailbox/arm_mhuv2.c
++++ b/drivers/mailbox/arm_mhuv2.c
+@@ -1062,8 +1062,8 @@ static int mhuv2_probe(struct amba_device *adev, const struct amba_id *id)
+ int ret = -EINVAL;
+
+ reg = devm_of_iomap(dev, dev->of_node, 0, NULL);
+- if (!reg)
+- return -ENOMEM;
++ if (IS_ERR(reg))
++ return PTR_ERR(reg);
+
+ mhu = devm_kzalloc(dev, sizeof(*mhu), GFP_KERNEL);
+ if (!mhu)
+--
+2.35.1
+
--- /dev/null
+From 05e4e022c1e24d1756b93b919c6ed9503ed5ab1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 17:56:52 +0000
+Subject: mailbox: mpfs: read the system controller's status
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+[ Upstream commit ab47d0bfdf88faac0eb02749e5bfaa306e004300 ]
+
+Some services explicitly return an error code in their response, but
+others rely on the system controller to set a status in its status
+register. The meaning of the bits varies based on what service is
+requested, so pass it back up to the driver that requested the service
+in the first place. The field in the message struct already existed, but
+was unused until now.
+
+If the system controller is busy, in which case we should never actually
+be in the interrupt handler, or if the service fails the mailbox itself
+should not be read. Callers should check the status before operating on
+the response.
+
+There's an existing, but unused, #define for the mailbox mask - but it
+was incorrect. It was doing a GENMASK_ULL(32, 16) which should've just
+been a GENMASK(31, 16), so fix that up and start using it.
+
+Fixes: 83d7b1560810 ("mbox: add polarfire soc system controller mailbox")
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Reviewed-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox-mpfs.c | 31 ++++++++++++++++++++++++++++---
+ 1 file changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mailbox/mailbox-mpfs.c b/drivers/mailbox/mailbox-mpfs.c
+index cfacb3f320a6..853901acaeec 100644
+--- a/drivers/mailbox/mailbox-mpfs.c
++++ b/drivers/mailbox/mailbox-mpfs.c
+@@ -2,7 +2,7 @@
+ /*
+ * Microchip PolarFire SoC (MPFS) system controller/mailbox controller driver
+ *
+- * Copyright (c) 2020 Microchip Corporation. All rights reserved.
++ * Copyright (c) 2020-2022 Microchip Corporation. All rights reserved.
+ *
+ * Author: Conor Dooley <conor.dooley@microchip.com>
+ *
+@@ -56,7 +56,7 @@
+ #define SCB_STATUS_NOTIFY_MASK BIT(SCB_STATUS_NOTIFY)
+
+ #define SCB_STATUS_POS (16)
+-#define SCB_STATUS_MASK GENMASK_ULL(SCB_STATUS_POS + SCB_MASK_WIDTH, SCB_STATUS_POS)
++#define SCB_STATUS_MASK GENMASK(SCB_STATUS_POS + SCB_MASK_WIDTH - 1, SCB_STATUS_POS)
+
+ struct mpfs_mbox {
+ struct mbox_controller controller;
+@@ -130,13 +130,38 @@ static void mpfs_mbox_rx_data(struct mbox_chan *chan)
+ struct mpfs_mbox *mbox = (struct mpfs_mbox *)chan->con_priv;
+ struct mpfs_mss_response *response = mbox->response;
+ u16 num_words = ALIGN((response->resp_size), (4)) / 4U;
+- u32 i;
++ u32 i, status;
+
+ if (!response->resp_msg) {
+ dev_err(mbox->dev, "failed to assign memory for response %d\n", -ENOMEM);
+ return;
+ }
+
++ /*
++ * The status is stored in bits 31:16 of the SERVICES_SR register.
++ * It is only valid when BUSY == 0.
++ * We should *never* get an interrupt while the controller is
++ * still in the busy state. If we do, something has gone badly
++ * wrong & the content of the mailbox would not be valid.
++ */
++ if (mpfs_mbox_busy(mbox)) {
++ dev_err(mbox->dev, "got an interrupt but system controller is busy\n");
++ response->resp_status = 0xDEAD;
++ return;
++ }
++
++ status = readl_relaxed(mbox->ctrl_base + SERVICES_SR_OFFSET);
++
++ /*
++ * If the status of the individual servers is non-zero, the service has
++ * failed. The contents of the mailbox at this point are not be valid,
++ * so don't bother reading them. Set the status so that the driver
++ * implementing the service can handle the result.
++ */
++ response->resp_status = (status & SCB_STATUS_MASK) >> SCB_STATUS_POS;
++ if (response->resp_status)
++ return;
++
+ if (!mpfs_mbox_busy(mbox)) {
+ for (i = 0; i < num_words; i++) {
+ response->resp_msg[i] =
+--
+2.35.1
+
--- /dev/null
+From ceb7a10cfd5003cb046367b86396e54179446494 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 10:05:28 +0800
+Subject: mailbox: pcc: Reset pcc_chan_count to zero in case of PCC probe
+ failure
+
+From: Huisong Li <lihuisong@huawei.com>
+
+[ Upstream commit 6d7d3c287410c0ad499e478e2338dc3d7e3392b1 ]
+
+Currently, 'pcc_chan_count' is remains set to a non-zero value if PCC
+subspaces are parsed successfully but something else fail later during
+the initial PCC probing phase. This will result in pcc_mbox_request_channel
+trying to access the resources that are not initialised or allocated and
+may end up in a system crash.
+
+Reset pcc_chan_count to 0 when the PCC probe fails in order to prevent
+the possible issue as described above.
+
+Fixes: ce028702ddbc ("mailbox: pcc: Move bulk of PCCT parsing into pcc_mbox_probe")
+Signed-off-by: Huisong Li <lihuisong@huawei.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/pcc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c
+index ebfa33a40fce..5e232b3fb72a 100644
+--- a/drivers/mailbox/pcc.c
++++ b/drivers/mailbox/pcc.c
+@@ -743,6 +743,7 @@ static int __init pcc_init(void)
+
+ if (IS_ERR(pcc_pdev)) {
+ pr_debug("Err creating PCC platform bundle\n");
++ pcc_chan_count = 0;
+ return PTR_ERR(pcc_pdev);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a712630cd406eaa8769c2b77a29e038adc77f840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 23:08:22 +0800
+Subject: mailbox: zynq-ipi: fix error handling while device_register() fails
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit a6792a0cdef0b1c2d77920246283a72537e60e94 ]
+
+If device_register() fails, it has two issues:
+1. The name allocated by dev_set_name() is leaked.
+2. The parent of device is not NULL, device_unregister() is called
+ in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because
+ of removing not added device.
+
+Call put_device() to give up the reference, so the name is freed in
+kobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes()
+to avoid null-ptr-deref.
+
+Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/zynqmp-ipi-mailbox.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
+index 31a0fa914274..12e004ff1a14 100644
+--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
++++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
+@@ -493,6 +493,7 @@ static int zynqmp_ipi_mbox_probe(struct zynqmp_ipi_mbox *ipi_mbox,
+ ret = device_register(&ipi_mbox->dev);
+ if (ret) {
+ dev_err(dev, "Failed to register ipi mbox dev.\n");
++ put_device(&ipi_mbox->dev);
+ return ret;
+ }
+ mdev = &ipi_mbox->dev;
+@@ -619,7 +620,8 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
+ ipi_mbox = &pdata->ipi_mboxes[i];
+ if (ipi_mbox->dev.parent) {
+ mbox_controller_unregister(&ipi_mbox->mbox);
+- device_unregister(&ipi_mbox->dev);
++ if (device_is_registered(&ipi_mbox->dev))
++ device_unregister(&ipi_mbox->dev);
+ }
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 50baff6259a0a7b5fa1e5b85b60c72952469d71c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 01:38:50 -0800
+Subject: mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 728ac3389296caf68638628c987aeae6c8851e2d ]
+
+If mcb_device_register() returns error in chameleon_parse_gdd(), the refcount
+of bus and device name are leaked. Fix this by calling put_device() to give up
+the reference, so they can be released in mcb_release_dev() and kobject_cleanup().
+
+Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
+Reviewed-by: Johannes Thumshirn <jth@kernel.org>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Johannes Thumshirn <jth@kernel.org>
+Link: https://lore.kernel.org/r/ebfb06e39b19272f0197fa9136b5e4b6f34ad732.1669624063.git.johannes.thumshirn@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mcb/mcb-parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mcb/mcb-parse.c b/drivers/mcb/mcb-parse.c
+index 0266bfddfbe2..aa6938da0db8 100644
+--- a/drivers/mcb/mcb-parse.c
++++ b/drivers/mcb/mcb-parse.c
+@@ -108,7 +108,7 @@ static int chameleon_parse_gdd(struct mcb_bus *bus,
+ return 0;
+
+ err:
+- mcb_free_dev(mdev);
++ put_device(&mdev->dev);
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From e17f34c557bc9517764426ac33363a70363e74a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 13:49:33 +0800
+Subject: mctp: Remove device type check at unregister
+
+From: Matt Johnston <matt@codeconstruct.com.au>
+
+[ Upstream commit b389a902dd5be4ece505a2e0463b9b034de04bf5 ]
+
+The unregister check could be incorrectly triggered if a netdev
+changes its type after register. That is possible for a tun device
+using TUNSETLINK ioctl, resulting in mctp unregister failing
+and the netdev unregister waiting forever.
+
+This was encountered by https://github.com/openthread/openthread/issues/8523
+
+Neither check at register or unregister is required. They were added in
+an attempt to track down mctp_ptr being set unexpectedly, which should
+not happen in normal operation.
+
+Fixes: 7b1871af75f3 ("mctp: Warn if pointer is set for a wrong dev type")
+Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
+Link: https://lore.kernel.org/r/20221215054933.2403401-1-matt@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/device.c | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/net/mctp/device.c b/net/mctp/device.c
+index 99a3bda8852f..acb97b257428 100644
+--- a/net/mctp/device.c
++++ b/net/mctp/device.c
+@@ -429,12 +429,6 @@ static void mctp_unregister(struct net_device *dev)
+ struct mctp_dev *mdev;
+
+ mdev = mctp_dev_get_rtnl(dev);
+- if (mdev && !mctp_known(dev)) {
+- // Sanity check, should match what was set in mctp_register
+- netdev_warn(dev, "%s: BUG mctp_ptr set for unknown type %d",
+- __func__, dev->type);
+- return;
+- }
+ if (!mdev)
+ return;
+
+@@ -451,14 +445,8 @@ static int mctp_register(struct net_device *dev)
+ struct mctp_dev *mdev;
+
+ /* Already registered? */
+- mdev = rtnl_dereference(dev->mctp_ptr);
+-
+- if (mdev) {
+- if (!mctp_known(dev))
+- netdev_warn(dev, "%s: BUG mctp_ptr set for unknown type %d",
+- __func__, dev->type);
++ if (rtnl_dereference(dev->mctp_ptr))
+ return 0;
+- }
+
+ /* only register specific types */
+ if (!mctp_known(dev))
+--
+2.35.1
+
--- /dev/null
+From 0dafca945210e9bb5d5257e2d31509c181b789b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Dec 2022 11:44:09 +0800
+Subject: mctp: serial: Fix starting value for frame check sequence
+
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+
+[ Upstream commit 2856a62762c8409e360d4fd452194c8e57ba1058 ]
+
+RFC1662 defines the start state for the crc16 FCS to be 0xffff, but
+we're currently starting at zero.
+
+This change uses the correct start state. We're only early in the
+adoption for the serial binding, so there aren't yet any other users to
+interface to.
+
+Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding")
+Reported-by: Harsh Tyagi <harshtya@google.com>
+Tested-by: Harsh Tyagi <harshtya@google.com>
+Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mctp/mctp-serial.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c
+index 7cd103fd34ef..9f9eaf896047 100644
+--- a/drivers/net/mctp/mctp-serial.c
++++ b/drivers/net/mctp/mctp-serial.c
+@@ -35,6 +35,8 @@
+ #define BYTE_FRAME 0x7e
+ #define BYTE_ESC 0x7d
+
++#define FCS_INIT 0xffff
++
+ static DEFINE_IDA(mctp_serial_ida);
+
+ enum mctp_serial_state {
+@@ -123,7 +125,7 @@ static void mctp_serial_tx_work(struct work_struct *work)
+ buf[2] = dev->txlen;
+
+ if (!dev->txpos)
+- dev->txfcs = crc_ccitt(0, buf + 1, 2);
++ dev->txfcs = crc_ccitt(FCS_INIT, buf + 1, 2);
+
+ txlen = write_chunk(dev, buf + dev->txpos, 3 - dev->txpos);
+ if (txlen <= 0) {
+@@ -303,7 +305,7 @@ static void mctp_serial_push_header(struct mctp_serial *dev, unsigned char c)
+ case 1:
+ if (c == MCTP_SERIAL_VERSION) {
+ dev->rxpos++;
+- dev->rxfcs = crc_ccitt_byte(0, c);
++ dev->rxfcs = crc_ccitt_byte(FCS_INIT, c);
+ } else {
+ dev->rxstate = STATE_ERR;
+ }
+--
+2.35.1
+
--- /dev/null
+From 7a748e9bf290de755e34289e30d354c2611590cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 10:07:30 +0800
+Subject: md/raid0, raid10: Don't set discard sectors for request queue
+
+From: Xiao Ni <xni@redhat.com>
+
+[ Upstream commit 8e1a2279ca2b0485cc379a153d02a9793f74a48f ]
+
+It should use disk_stack_limits to get a proper max_discard_sectors
+rather than setting a value by stack drivers.
+
+And there is a bug. If all member disks are rotational devices,
+raid0/raid10 set max_discard_sectors. So the member devices are
+not ssd/nvme, but raid0/raid10 export the wrong value. It reports
+warning messages in function __blkdev_issue_discard when mkfs.xfs
+like this:
+
+[ 4616.022599] ------------[ cut here ]------------
+[ 4616.027779] WARNING: CPU: 4 PID: 99634 at block/blk-lib.c:50 __blkdev_issue_discard+0x16a/0x1a0
+[ 4616.140663] RIP: 0010:__blkdev_issue_discard+0x16a/0x1a0
+[ 4616.146601] Code: 24 4c 89 20 31 c0 e9 fe fe ff ff c1 e8 09 8d 48 ff 4c 89 f0 4c 09 e8 48 85 c1 0f 84 55 ff ff ff b8 ea ff ff ff e9 df fe ff ff <0f> 0b 48 8d 74 24 08 e8 ea d6 00 00 48 c7 c6 20 1e 89 ab 48 c7 c7
+[ 4616.167567] RSP: 0018:ffffaab88cbffca8 EFLAGS: 00010246
+[ 4616.173406] RAX: ffff9ba1f9e44678 RBX: 0000000000000000 RCX: ffff9ba1c9792080
+[ 4616.181376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ba1c9792080
+[ 4616.189345] RBP: 0000000000000cc0 R08: ffffaab88cbffd10 R09: 0000000000000000
+[ 4616.197317] R10: 0000000000000012 R11: 0000000000000000 R12: 0000000000000000
+[ 4616.205288] R13: 0000000000400000 R14: 0000000000000cc0 R15: ffff9ba1c9792080
+[ 4616.213259] FS: 00007f9a5534e980(0000) GS:ffff9ba1b7c80000(0000) knlGS:0000000000000000
+[ 4616.222298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4616.228719] CR2: 000055a390a4c518 CR3: 0000000123e40006 CR4: 00000000001706e0
+[ 4616.236689] Call Trace:
+[ 4616.239428] blkdev_issue_discard+0x52/0xb0
+[ 4616.244108] blkdev_common_ioctl+0x43c/0xa00
+[ 4616.248883] blkdev_ioctl+0x116/0x280
+[ 4616.252977] __x64_sys_ioctl+0x8a/0xc0
+[ 4616.257163] do_syscall_64+0x5c/0x90
+[ 4616.261164] ? handle_mm_fault+0xc5/0x2a0
+[ 4616.265652] ? do_user_addr_fault+0x1d8/0x690
+[ 4616.270527] ? do_syscall_64+0x69/0x90
+[ 4616.274717] ? exc_page_fault+0x62/0x150
+[ 4616.279097] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 4616.284748] RIP: 0033:0x7f9a55398c6b
+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid0.c | 1 -
+ drivers/md/raid10.c | 2 --
+ 2 files changed, 3 deletions(-)
+
+diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c
+index 857c49399c28..b536befd8898 100644
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -398,7 +398,6 @@ static int raid0_run(struct mddev *mddev)
+
+ blk_queue_max_hw_sectors(mddev->queue, mddev->chunk_sectors);
+ blk_queue_max_write_zeroes_sectors(mddev->queue, mddev->chunk_sectors);
+- blk_queue_max_discard_sectors(mddev->queue, UINT_MAX);
+
+ blk_queue_io_min(mddev->queue, mddev->chunk_sectors << 9);
+ blk_queue_io_opt(mddev->queue,
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 64d6e4cd8a3a..b19c6ce89d5e 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -4104,8 +4104,6 @@ static int raid10_run(struct mddev *mddev)
+ conf->thread = NULL;
+
+ if (mddev->queue) {
+- blk_queue_max_discard_sectors(mddev->queue,
+- UINT_MAX);
+ blk_queue_max_write_zeroes_sectors(mddev->queue, 0);
+ blk_queue_io_min(mddev->queue, mddev->chunk_sectors << 9);
+ raid10_set_io_opt(conf);
+--
+2.35.1
+
--- /dev/null
+From 98a3399098ab0f7f1112854a327d1d3e87ab7d60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 22:16:59 +0800
+Subject: md/raid1: stop mdx_raid1 thread when raid1 array run failed
+
+From: Jiang Li <jiang.li@ugreen.com>
+
+[ Upstream commit b611ad14006e5be2170d9e8e611bf49dff288911 ]
+
+fail run raid1 array when we assemble array with the inactive disk only,
+but the mdx_raid1 thread were not stop, Even if the associated resources
+have been released. it will caused a NULL dereference when we do poweroff.
+
+This causes the following Oops:
+ [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070
+ [ 287.594762] #PF: supervisor read access in kernel mode
+ [ 287.599912] #PF: error_code(0x0000) - not-present page
+ [ 287.605061] PGD 0 P4D 0
+ [ 287.607612] Oops: 0000 [#1] SMP NOPTI
+ [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0
+ [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022
+ [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]
+ [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......
+ [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202
+ [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000
+ [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800
+ [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff
+ [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800
+ [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500
+ [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000
+ [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0
+ [ 287.713033] Call Trace:
+ [ 287.715498] raid1d+0x6c/0xbbb [raid1]
+ [ 287.719256] ? __schedule+0x1ff/0x760
+ [ 287.722930] ? schedule+0x3b/0xb0
+ [ 287.726260] ? schedule_timeout+0x1ed/0x290
+ [ 287.730456] ? __switch_to+0x11f/0x400
+ [ 287.734219] md_thread+0xe9/0x140 [md_mod]
+ [ 287.738328] ? md_thread+0xe9/0x140 [md_mod]
+ [ 287.742601] ? wait_woken+0x80/0x80
+ [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod]
+ [ 287.751064] kthread+0x11a/0x140
+ [ 287.754300] ? kthread_park+0x90/0x90
+ [ 287.757974] ret_from_fork+0x1f/0x30
+
+In fact, when raid1 array run fail, we need to do
+md_unregister_thread() before raid1_free().
+
+Signed-off-by: Jiang Li <jiang.li@ugreen.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 05d8438cfec8..58f705f42948 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -3159,6 +3159,7 @@ static int raid1_run(struct mddev *mddev)
+ * RAID1 needs at least one disk in active
+ */
+ if (conf->raid_disks - mddev->degraded < 1) {
++ md_unregister_thread(&conf->thread);
+ ret = -EINVAL;
+ goto abort;
+ }
+--
+2.35.1
+
--- /dev/null
+From 3d65c986fd59b5e2cf395703653d813b4a777739 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Oct 2022 16:41:46 +0200
+Subject: media: adv748x: afe: Select input port when initializing AFE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit 23ddb85dafefdace1ad79d1a30b0a4e7c4b5cd8d ]
+
+When moving the input selection to adv748x_reset() it was missed that
+during probe the device is reset _before_ the initialization and parsing
+of DT by the AFE subdevice. This can lead to the wrong input port (in
+case it's not port 0) being selected until the device is reset for the
+first time.
+
+Fix this by restoring the call to adv748x_afe_s_input() in the AFE
+initialization while also keeping it in the adv748x_reset().
+
+Fixes: c30ed81afe89 ("media: adv748x: afe: Select input port when device is reset")
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv748x/adv748x-afe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/i2c/adv748x/adv748x-afe.c b/drivers/media/i2c/adv748x/adv748x-afe.c
+index 02eabe10ab97..00095c7762c2 100644
+--- a/drivers/media/i2c/adv748x/adv748x-afe.c
++++ b/drivers/media/i2c/adv748x/adv748x-afe.c
+@@ -521,6 +521,10 @@ int adv748x_afe_init(struct adv748x_afe *afe)
+ }
+ }
+
++ adv748x_afe_s_input(afe, afe->input);
++
++ adv_dbg(state, "AFE Default input set to %d\n", afe->input);
++
+ /* Entity pads and sinks are 0-indexed to match the pads */
+ for (i = ADV748X_AFE_SINK_AIN0; i <= ADV748X_AFE_SINK_AIN7; i++)
+ afe->pads[i].flags = MEDIA_PAD_FL_SINK;
+--
+2.35.1
+
--- /dev/null
+From 63daa632a26c8cdd498e90b0a574b1b94e46ac84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 16:04:20 +0800
+Subject: media: amphion: add lock around vdec_g_fmt
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit 8480dd5fb3c82b5887d456b3fbe4201d99231814 ]
+
+the capture format may be changed when
+sequence header is parsed,
+it may be read and write in the same time,
+add lock around vdec_g_fmt to synchronize it
+
+Fixes: 6de8d628df6e ("media: amphion: add v4l2 m2m vpu decoder stateful driver")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vdec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/amphion/vdec.c b/drivers/media/platform/amphion/vdec.c
+index 84c90ce265f2..b27e6bed85f0 100644
+--- a/drivers/media/platform/amphion/vdec.c
++++ b/drivers/media/platform/amphion/vdec.c
+@@ -286,6 +286,7 @@ static int vdec_g_fmt(struct file *file, void *fh, struct v4l2_format *f)
+ struct vpu_format *cur_fmt;
+ int i;
+
++ vpu_inst_lock(inst);
+ cur_fmt = vpu_get_format(inst, f->type);
+
+ pixmp->pixelformat = cur_fmt->pixfmt;
+@@ -303,6 +304,7 @@ static int vdec_g_fmt(struct file *file, void *fh, struct v4l2_format *f)
+ f->fmt.pix_mp.xfer_func = vdec->codec_info.transfer_chars;
+ f->fmt.pix_mp.ycbcr_enc = vdec->codec_info.matrix_coeffs;
+ f->fmt.pix_mp.quantization = vdec->codec_info.full_range;
++ vpu_inst_unlock(inst);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From b78557376023c4725ffe770e786bb7087aa86c93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 16:04:53 +0800
+Subject: media: amphion: apply vb2_queue_error instead of setting manually
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit 9d175a81e28f260916a0a13f457dd8b940eafb4e ]
+
+vb2_queue_error is help to set the error of vb2_queue,
+don't need to set it manually
+
+Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vpu_v4l2.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/platform/amphion/vpu_v4l2.c b/drivers/media/platform/amphion/vpu_v4l2.c
+index b779e0ba916c..4b714fab4c6b 100644
+--- a/drivers/media/platform/amphion/vpu_v4l2.c
++++ b/drivers/media/platform/amphion/vpu_v4l2.c
+@@ -65,18 +65,11 @@ unsigned int vpu_get_buffer_state(struct vb2_v4l2_buffer *vbuf)
+
+ void vpu_v4l2_set_error(struct vpu_inst *inst)
+ {
+- struct vb2_queue *src_q;
+- struct vb2_queue *dst_q;
+-
+ vpu_inst_lock(inst);
+ dev_err(inst->dev, "some error occurs in codec\n");
+ if (inst->fh.m2m_ctx) {
+- src_q = v4l2_m2m_get_src_vq(inst->fh.m2m_ctx);
+- dst_q = v4l2_m2m_get_dst_vq(inst->fh.m2m_ctx);
+- src_q->error = 1;
+- dst_q->error = 1;
+- wake_up(&src_q->done_wq);
+- wake_up(&dst_q->done_wq);
++ vb2_queue_error(v4l2_m2m_get_src_vq(inst->fh.m2m_ctx));
++ vb2_queue_error(v4l2_m2m_get_dst_vq(inst->fh.m2m_ctx));
+ }
+ vpu_inst_unlock(inst);
+ }
+--
+2.35.1
+
--- /dev/null
+From 03d1ef667bc70759ad1b2d37ffedf051fbfc1b18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 06:34:07 +0000
+Subject: media: amphion: cancel vpu before release instance
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit b3dd974af9de342c733492565ad02d7e23372876 ]
+
+Revert "media: amphion: release m2m ctx when releasing vpu instance"
+This reverts commit d91d7bc85062309aae6d8064563ddf17947cb6bc.
+
+Call v4l2_m2m_ctx_release() to cancel vpu,
+afterwards release the vpu instance.
+
+Fixes: d91d7bc85062 ("media: amphion: release m2m ctx when releasing vpu instance")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vpu_v4l2.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/amphion/vpu_v4l2.c b/drivers/media/platform/amphion/vpu_v4l2.c
+index 4b714fab4c6b..a24e2d0e9542 100644
+--- a/drivers/media/platform/amphion/vpu_v4l2.c
++++ b/drivers/media/platform/amphion/vpu_v4l2.c
+@@ -596,10 +596,6 @@ static int vpu_v4l2_release(struct vpu_inst *inst)
+ inst->workqueue = NULL;
+ }
+
+- if (inst->fh.m2m_ctx) {
+- v4l2_m2m_ctx_release(inst->fh.m2m_ctx);
+- inst->fh.m2m_ctx = NULL;
+- }
+ v4l2_ctrl_handler_free(&inst->ctrl_handler);
+ mutex_destroy(&inst->lock);
+ v4l2_fh_del(&inst->fh);
+@@ -682,6 +678,13 @@ int vpu_v4l2_close(struct file *file)
+
+ vpu_trace(vpu->dev, "tgid = %d, pid = %d, inst = %p\n", inst->tgid, inst->pid, inst);
+
++ vpu_inst_lock(inst);
++ if (inst->fh.m2m_ctx) {
++ v4l2_m2m_ctx_release(inst->fh.m2m_ctx);
++ inst->fh.m2m_ctx = NULL;
++ }
++ vpu_inst_unlock(inst);
++
+ call_void_vop(inst, release);
+ vpu_inst_unregister(inst);
+ vpu_inst_put(inst);
+--
+2.35.1
+
--- /dev/null
+From 56a3f665ef6382bfe14f513f978db48c0b354d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 06:09:26 +0000
+Subject: media: amphion: Fix error handling in vpu_driver_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit a95cc6d11aae16a7b2d043b073a40de81bbea689 ]
+
+A problem about modprobe amphion-vpu failed is triggered with the
+following log given:
+
+ [ 2208.634841] Error: Driver 'amphion-vpu' is already registered, aborting...
+ modprobe: ERROR: could not insert 'amphion_vpu': Device or resource busy
+
+The reason is that vpu_driver_init() returns vpu_core_driver_init()
+directly without checking its return value, if vpu_core_driver_init()
+failed, it returns without unregister amphion_vpu_driver, resulting the
+amphion-vpu can never be installed later.
+A simple call graph is shown as below:
+
+ vpu_driver_init()
+ platform_driver_register() # register amphion_vpu_driver
+ vpu_core_driver_init()
+ platform_driver_register()
+ driver_register()
+ bus_add_driver()
+ dev = kzalloc(...) # OOM happened
+ # return without unregister amphion_vpu_driver
+
+Fix by unregister amphion_vpu_driver when vpu_core_driver_init() returns
+error.
+
+Fixes: b50a64fc54af ("media: amphion: add amphion vpu device driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: ming_qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vpu_drv.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/amphion/vpu_drv.c b/drivers/media/platform/amphion/vpu_drv.c
+index 9d5a5075343d..f01ce49d27e8 100644
+--- a/drivers/media/platform/amphion/vpu_drv.c
++++ b/drivers/media/platform/amphion/vpu_drv.c
+@@ -245,7 +245,11 @@ static int __init vpu_driver_init(void)
+ if (ret)
+ return ret;
+
+- return vpu_core_driver_init();
++ ret = vpu_core_driver_init();
++ if (ret)
++ platform_driver_unregister(&hion_vpu_driver);
++
++ return ret;
+ }
+
+ static void __exit vpu_driver_exit(void)
+--
+2.35.1
+
--- /dev/null
+From 2a457d49c2676da0937999e496b72a4f936d7052 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 06:34:42 +0000
+Subject: media: amphion: lock and check m2m_ctx in event handler
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit 1ade3f3f16986cd7c6fce02feede957f03eb8a42 ]
+
+driver needs to cancel vpu before releasing the vpu instance,
+so call v4l2_m2m_ctx_release() first,
+to handle the redundant event triggered after m2m_ctx is released.
+
+lock and check m2m_ctx in the event handler.
+
+Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vpu_msgs.c | 2 ++
+ drivers/media/platform/amphion/vpu_v4l2.c | 8 ++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/amphion/vpu_msgs.c b/drivers/media/platform/amphion/vpu_msgs.c
+index d8247f36d84b..92672a802b49 100644
+--- a/drivers/media/platform/amphion/vpu_msgs.c
++++ b/drivers/media/platform/amphion/vpu_msgs.c
+@@ -43,6 +43,7 @@ static void vpu_session_handle_mem_request(struct vpu_inst *inst, struct vpu_rpc
+ req_data.ref_frame_num,
+ req_data.act_buf_size,
+ req_data.act_buf_num);
++ vpu_inst_lock(inst);
+ call_void_vop(inst, mem_request,
+ req_data.enc_frame_size,
+ req_data.enc_frame_num,
+@@ -50,6 +51,7 @@ static void vpu_session_handle_mem_request(struct vpu_inst *inst, struct vpu_rpc
+ req_data.ref_frame_num,
+ req_data.act_buf_size,
+ req_data.act_buf_num);
++ vpu_inst_unlock(inst);
+ }
+
+ static void vpu_session_handle_stop_done(struct vpu_inst *inst, struct vpu_rpc_event *pkt)
+diff --git a/drivers/media/platform/amphion/vpu_v4l2.c b/drivers/media/platform/amphion/vpu_v4l2.c
+index a24e2d0e9542..590d1084e5a5 100644
+--- a/drivers/media/platform/amphion/vpu_v4l2.c
++++ b/drivers/media/platform/amphion/vpu_v4l2.c
+@@ -242,8 +242,12 @@ int vpu_process_capture_buffer(struct vpu_inst *inst)
+
+ struct vb2_v4l2_buffer *vpu_next_src_buf(struct vpu_inst *inst)
+ {
+- struct vb2_v4l2_buffer *src_buf = v4l2_m2m_next_src_buf(inst->fh.m2m_ctx);
++ struct vb2_v4l2_buffer *src_buf = NULL;
+
++ if (!inst->fh.m2m_ctx)
++ return NULL;
++
++ src_buf = v4l2_m2m_next_src_buf(inst->fh.m2m_ctx);
+ if (!src_buf || vpu_get_buffer_state(src_buf) == VPU_BUF_STATE_IDLE)
+ return NULL;
+
+@@ -266,7 +270,7 @@ void vpu_skip_frame(struct vpu_inst *inst, int count)
+ enum vb2_buffer_state state;
+ int i = 0;
+
+- if (count <= 0)
++ if (count <= 0 || !inst->fh.m2m_ctx)
+ return;
+
+ while (i < count) {
+--
+2.35.1
+
--- /dev/null
+From 8b58ab190bd902d912babe4e353b1372a820bcf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 14:40:47 +0800
+Subject: media: amphion: reset instance if it's aborted before codec header
+ parsed
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit 3984ea32e83bcad06b4b034ddd4b0a934c1b2f91 ]
+
+there is hardware limitation that if it's aborted before
+the first codec header parsed, the codec may be stalled
+unless we do reset codec.
+
+and drop the source change event if it's triggered after reset.
+
+Fixes: 6de8d628df6e ("media: amphion: add v4l2 m2m vpu decoder stateful driver")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vdec.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/amphion/vdec.c b/drivers/media/platform/amphion/vdec.c
+index feb75dc204de..84c90ce265f2 100644
+--- a/drivers/media/platform/amphion/vdec.c
++++ b/drivers/media/platform/amphion/vdec.c
+@@ -753,6 +753,9 @@ static bool vdec_check_source_change(struct vpu_inst *inst)
+ if (!inst->fh.m2m_ctx)
+ return false;
+
++ if (vdec->reset_codec)
++ return false;
++
+ if (!vb2_is_streaming(v4l2_m2m_get_dst_vq(inst->fh.m2m_ctx)))
+ return true;
+ fmt = vpu_helper_find_format(inst, inst->cap_format.type, vdec->codec_info.pixfmt);
+@@ -1088,7 +1091,8 @@ static void vdec_event_seq_hdr(struct vpu_inst *inst, struct vpu_dec_codec_info
+ vdec->seq_tag = vdec->codec_info.tag;
+ if (vdec->is_source_changed) {
+ vdec_update_state(inst, VPU_CODEC_STATE_DYAMIC_RESOLUTION_CHANGE, 0);
+- vpu_notify_source_change(inst);
++ vdec->source_change++;
++ vdec_handle_resolution_change(inst);
+ vdec->is_source_changed = false;
+ }
+ }
+@@ -1335,6 +1339,8 @@ static void vdec_abort(struct vpu_inst *inst)
+ vdec->decoded_frame_count,
+ vdec->display_frame_count,
+ vdec->sequence);
++ if (!vdec->seq_hdr_found)
++ vdec->reset_codec = true;
+ vdec->params.end_flag = 0;
+ vdec->drain = 0;
+ vdec->params.frame_count = 0;
+@@ -1342,6 +1348,7 @@ static void vdec_abort(struct vpu_inst *inst)
+ vdec->display_frame_count = 0;
+ vdec->sequence = 0;
+ vdec->aborting = false;
++ inst->extra_size = 0;
+ }
+
+ static void vdec_stop(struct vpu_inst *inst, bool free)
+@@ -1464,8 +1471,7 @@ static int vdec_start_session(struct vpu_inst *inst, u32 type)
+ }
+
+ if (V4L2_TYPE_IS_OUTPUT(type)) {
+- if (inst->state == VPU_CODEC_STATE_SEEK)
+- vdec_update_state(inst, vdec->state, 1);
++ vdec_update_state(inst, vdec->state, 1);
+ vdec->eos_received = 0;
+ vpu_process_output_buffer(inst);
+ } else {
+@@ -1629,6 +1635,7 @@ static int vdec_open(struct file *file)
+ return ret;
+
+ vdec->fixed_fmt = false;
++ vdec->state = VPU_CODEC_STATE_ACTIVE;
+ inst->min_buffer_cap = VDEC_MIN_BUFFER_CAP;
+ inst->min_buffer_out = VDEC_MIN_BUFFER_OUT;
+ vdec_init(file);
+--
+2.35.1
+
--- /dev/null
+From 0c743b443175f76e2fc4e561c6e1747caaafb28c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 08:51:29 +0000
+Subject: media: amphion: try to wakeup vpu core to avoid failure
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit 082744433f7b96db7214a98202ed96f367684693 ]
+
+firmware should be waked up by start or configure command,
+but there is a very small chance that firmware failed to wakeup.
+in such case, try to wakeup firmware again by sending a noop command
+
+Fixes: 6de8d628df6e ("media: amphion: add v4l2 m2m vpu decoder stateful driver")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vpu.h | 1 +
+ drivers/media/platform/amphion/vpu_cmds.c | 39 ++++++++++++++++++--
+ drivers/media/platform/amphion/vpu_malone.c | 1 +
+ drivers/media/platform/amphion/vpu_windsor.c | 1 +
+ 4 files changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/amphion/vpu.h b/drivers/media/platform/amphion/vpu.h
+index beac0309ca8d..048c23c2bf4d 100644
+--- a/drivers/media/platform/amphion/vpu.h
++++ b/drivers/media/platform/amphion/vpu.h
+@@ -13,6 +13,7 @@
+ #include <linux/mailbox_controller.h>
+ #include <linux/kfifo.h>
+
++#define VPU_TIMEOUT_WAKEUP msecs_to_jiffies(200)
+ #define VPU_TIMEOUT msecs_to_jiffies(1000)
+ #define VPU_INST_NULL_ID (-1L)
+ #define VPU_MSG_BUFFER_SIZE (8192)
+diff --git a/drivers/media/platform/amphion/vpu_cmds.c b/drivers/media/platform/amphion/vpu_cmds.c
+index f4d7ca78a621..fa581ba6bab2 100644
+--- a/drivers/media/platform/amphion/vpu_cmds.c
++++ b/drivers/media/platform/amphion/vpu_cmds.c
+@@ -269,7 +269,7 @@ static bool check_is_responsed(struct vpu_inst *inst, unsigned long key)
+ return flag;
+ }
+
+-static int sync_session_response(struct vpu_inst *inst, unsigned long key)
++static int sync_session_response(struct vpu_inst *inst, unsigned long key, long timeout, int try)
+ {
+ struct vpu_core *core;
+
+@@ -279,10 +279,12 @@ static int sync_session_response(struct vpu_inst *inst, unsigned long key)
+ core = inst->core;
+
+ call_void_vop(inst, wait_prepare);
+- wait_event_timeout(core->ack_wq, check_is_responsed(inst, key), VPU_TIMEOUT);
++ wait_event_timeout(core->ack_wq, check_is_responsed(inst, key), timeout);
+ call_void_vop(inst, wait_finish);
+
+ if (!check_is_responsed(inst, key)) {
++ if (try)
++ return -EINVAL;
+ dev_err(inst->dev, "[%d] sync session timeout\n", inst->id);
+ set_bit(inst->id, &core->hang_mask);
+ mutex_lock(&inst->core->cmd_lock);
+@@ -294,6 +296,19 @@ static int sync_session_response(struct vpu_inst *inst, unsigned long key)
+ return 0;
+ }
+
++static void vpu_core_keep_active(struct vpu_core *core)
++{
++ struct vpu_rpc_event pkt;
++
++ memset(&pkt, 0, sizeof(pkt));
++ vpu_iface_pack_cmd(core, &pkt, 0, VPU_CMD_ID_NOOP, NULL);
++
++ dev_dbg(core->dev, "try to wake up\n");
++ mutex_lock(&core->cmd_lock);
++ vpu_cmd_send(core, &pkt);
++ mutex_unlock(&core->cmd_lock);
++}
++
+ static int vpu_session_send_cmd(struct vpu_inst *inst, u32 id, void *data)
+ {
+ unsigned long key;
+@@ -304,9 +319,25 @@ static int vpu_session_send_cmd(struct vpu_inst *inst, u32 id, void *data)
+ return -EINVAL;
+
+ ret = vpu_request_cmd(inst, id, data, &key, &sync);
+- if (!ret && sync)
+- ret = sync_session_response(inst, key);
++ if (ret)
++ goto exit;
++
++ /* workaround for a firmware issue,
++ * firmware should be waked up by start or configure command,
++ * but there is a very small change that firmware failed to wakeup.
++ * in such case, try to wakeup firmware again by sending a noop command
++ */
++ if (sync && (id == VPU_CMD_ID_CONFIGURE_CODEC || id == VPU_CMD_ID_START)) {
++ if (sync_session_response(inst, key, VPU_TIMEOUT_WAKEUP, 1))
++ vpu_core_keep_active(inst->core);
++ else
++ goto exit;
++ }
++
++ if (sync)
++ ret = sync_session_response(inst, key, VPU_TIMEOUT, 0);
+
++exit:
+ if (ret)
+ dev_err(inst->dev, "[%d] send cmd(0x%x) fail\n", inst->id, id);
+
+diff --git a/drivers/media/platform/amphion/vpu_malone.c b/drivers/media/platform/amphion/vpu_malone.c
+index 51e0702f9ae1..9f2890730fd7 100644
+--- a/drivers/media/platform/amphion/vpu_malone.c
++++ b/drivers/media/platform/amphion/vpu_malone.c
+@@ -692,6 +692,7 @@ int vpu_malone_set_decode_params(struct vpu_shared_addr *shared,
+ }
+
+ static struct vpu_pair malone_cmds[] = {
++ {VPU_CMD_ID_NOOP, VID_API_CMD_NULL},
+ {VPU_CMD_ID_START, VID_API_CMD_START},
+ {VPU_CMD_ID_STOP, VID_API_CMD_STOP},
+ {VPU_CMD_ID_ABORT, VID_API_CMD_ABORT},
+diff --git a/drivers/media/platform/amphion/vpu_windsor.c b/drivers/media/platform/amphion/vpu_windsor.c
+index 1526af2ef9da..b93c8cfdee7f 100644
+--- a/drivers/media/platform/amphion/vpu_windsor.c
++++ b/drivers/media/platform/amphion/vpu_windsor.c
+@@ -658,6 +658,7 @@ int vpu_windsor_get_stream_buffer_size(struct vpu_shared_addr *shared)
+ }
+
+ static struct vpu_pair windsor_cmds[] = {
++ {VPU_CMD_ID_NOOP, GTB_ENC_CMD_NOOP},
+ {VPU_CMD_ID_CONFIGURE_CODEC, GTB_ENC_CMD_CONFIGURE_CODEC},
+ {VPU_CMD_ID_START, GTB_ENC_CMD_STREAM_START},
+ {VPU_CMD_ID_STOP, GTB_ENC_CMD_STREAM_STOP},
+--
+2.35.1
+
--- /dev/null
+From 02d0abe5802899959adf891cce481a53c60bf7aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 22:10:23 +0800
+Subject: media: c8sectpfe: Add of_node_put() when breaking out of loop
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 63ff05a1ad242a5a0f897921c87b70d601bda59c ]
+
+In configure_channels(), we should call of_node_put() when breaking
+out of for_each_child_of_node() which will automatically increase
+and decrease the refcount.
+
+Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c
+index cefe6b7bfdc4..1dbb89f0ddb8 100644
+--- a/drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c
++++ b/drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c
+@@ -925,6 +925,7 @@ static int configure_channels(struct c8sectpfei *fei)
+ if (ret) {
+ dev_err(fei->dev,
+ "configure_memdma_and_inputblock failed\n");
++ of_node_put(child);
+ goto err_unmap;
+ }
+ index++;
+--
+2.35.1
+
--- /dev/null
+From ff3e177207e1a39986ac1ba1b59ffc3c9e13a7e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Jul 2022 10:44:37 +0100
+Subject: media: camss: Clean up received buffers on failed start of streaming
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+[ Upstream commit c8f3582345e6a69da65ab588f7c4c2d1685b0e80 ]
+
+It is required to return the received buffers, if streaming can not be
+started. For instance media_pipeline_start() may fail with EPIPE, if
+a link validation between entities is not passed, and in such a case
+a user gets a kernel warning:
+
+ WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160
+ <snip>
+ Call trace:
+ vb2_start_streaming+0xec/0x160
+ vb2_core_streamon+0x9c/0x1a0
+ vb2_ioctl_streamon+0x68/0xbc
+ v4l_streamon+0x30/0x3c
+ __video_do_ioctl+0x184/0x3e0
+ video_usercopy+0x37c/0x7b0
+ video_ioctl2+0x24/0x40
+ v4l2_ioctl+0x4c/0x70
+
+The fix is to correct the error path in video_start_streaming() of camss.
+
+Fixes: 0ac2586c410f ("media: camss: Add files which handle the video device nodes")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss-video.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/camss/camss-video.c b/drivers/media/platform/qcom/camss/camss-video.c
+index 290df04c4d02..a25fffb0b8ec 100644
+--- a/drivers/media/platform/qcom/camss/camss-video.c
++++ b/drivers/media/platform/qcom/camss/camss-video.c
+@@ -495,7 +495,7 @@ static int video_start_streaming(struct vb2_queue *q, unsigned int count)
+
+ ret = media_pipeline_start(&vdev->entity, &video->pipe);
+ if (ret < 0)
+- return ret;
++ goto flush_buffers;
+
+ ret = video_check_format(video);
+ if (ret < 0)
+@@ -524,6 +524,7 @@ static int video_start_streaming(struct vb2_queue *q, unsigned int count)
+ error:
+ media_pipeline_stop(&vdev->entity);
+
++flush_buffers:
+ video->ops->flush_buffers(video, VB2_BUF_STATE_QUEUED);
+
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From d702fa05bf47b8244a177de7bcfb83aac70d97eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Jul 2022 23:08:14 +0100
+Subject: media: camss: Do not attach an already attached power domain on
+ MSM8916 platform
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+[ Upstream commit 3d658980e6dac2af6a024fdb6ded3d7bc44dc9ff ]
+
+The change to dynamically allocated power domains neglected a case of
+CAMSS on MSM8916 platform, where a single VFE power domain is neither
+attached, linked or managed in runtime in any way explicitly.
+
+This is a special case and it shall be kept as is, because the power
+domain management is done outside of the driver, and it's very different
+in comparison to all other platforms supported by CAMSS.
+
+Fixes: 6b1814e26989 ("media: camss: Allocate power domain resources dynamically")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c
+index 1118c40886d5..a157cac72e0a 100644
+--- a/drivers/media/platform/qcom/camss/camss.c
++++ b/drivers/media/platform/qcom/camss/camss.c
+@@ -1465,6 +1465,14 @@ static int camss_configure_pd(struct camss *camss)
+ return camss->genpd_num;
+ }
+
++ /*
++ * If a platform device has just one power domain, then it is attached
++ * at platform_probe() level, thus there shall be no need and even no
++ * option to attach it again, this is the case for CAMSS on MSM8916.
++ */
++ if (camss->genpd_num == 1)
++ return 0;
++
+ camss->genpd = devm_kmalloc_array(dev, camss->genpd_num,
+ sizeof(*camss->genpd), GFP_KERNEL);
+ if (!camss->genpd)
+@@ -1698,6 +1706,9 @@ void camss_delete(struct camss *camss)
+
+ pm_runtime_disable(camss->dev);
+
++ if (camss->genpd_num == 1)
++ return;
++
+ for (i = 0; i < camss->genpd_num; i++) {
+ device_link_del(camss->genpd_link[i]);
+ dev_pm_domain_detach(camss->genpd[i], true);
+--
+2.35.1
+
--- /dev/null
+From 9cafe26076e7915d7cf61a74d9f14e8a1e2ca5d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 21:44:13 +0200
+Subject: media: cedrus: hevc: Fix offset adjustments
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit e9120e76a6f7e19a8d26c03f2964937e4ce69784 ]
+
+As it turns out, current padding size check works fine in theory but it
+doesn't in practice. Most probable reason are caching issues.
+
+Let's rework reading data from bitstream using Cedrus engine instead of
+CPU. That way we avoid all cache issues and make sure that we're reading
+same data as Cedrus.
+
+Fixes: e7060d9a78c2 ("media: uapi: Change data_bit_offset definition")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../staging/media/sunxi/cedrus/cedrus_h265.c | 25 ++++++++++++++-----
+ .../staging/media/sunxi/cedrus/cedrus_regs.h | 2 ++
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_h265.c b/drivers/staging/media/sunxi/cedrus/cedrus_h265.c
+index 095b8464f37a..a07fd28e1fcf 100644
+--- a/drivers/staging/media/sunxi/cedrus/cedrus_h265.c
++++ b/drivers/staging/media/sunxi/cedrus/cedrus_h265.c
+@@ -242,6 +242,18 @@ static void cedrus_h265_skip_bits(struct cedrus_dev *dev, int num)
+ }
+ }
+
++static u32 cedrus_h265_show_bits(struct cedrus_dev *dev, int num)
++{
++ cedrus_write(dev, VE_DEC_H265_TRIGGER,
++ VE_DEC_H265_TRIGGER_SHOW_BITS |
++ VE_DEC_H265_TRIGGER_TYPE_N_BITS(num));
++
++ cedrus_wait_for(dev, VE_DEC_H265_STATUS,
++ VE_DEC_H265_STATUS_VLD_BUSY);
++
++ return cedrus_read(dev, VE_DEC_H265_BITS_READ);
++}
++
+ static void cedrus_h265_write_scaling_list(struct cedrus_ctx *ctx,
+ struct cedrus_run *run)
+ {
+@@ -406,7 +418,7 @@ static int cedrus_h265_setup(struct cedrus_ctx *ctx, struct cedrus_run *run)
+ u32 num_entry_point_offsets;
+ u32 output_pic_list_index;
+ u32 pic_order_cnt[2];
+- u8 *padding;
++ u8 padding;
+ int count;
+ u32 reg;
+
+@@ -520,21 +532,22 @@ static int cedrus_h265_setup(struct cedrus_ctx *ctx, struct cedrus_run *run)
+ if (slice_params->data_byte_offset == 0)
+ return -EOPNOTSUPP;
+
+- padding = (u8 *)vb2_plane_vaddr(&run->src->vb2_buf, 0) +
+- slice_params->data_byte_offset - 1;
++ cedrus_h265_skip_bits(dev, (slice_params->data_byte_offset - 1) * 8);
++
++ padding = cedrus_h265_show_bits(dev, 8);
+
+ /* at least one bit must be set in that byte */
+- if (*padding == 0)
++ if (padding == 0)
+ return -EINVAL;
+
+ for (count = 0; count < 8; count++)
+- if (*padding & (1 << count))
++ if (padding & (1 << count))
+ break;
+
+ /* Include the one bit. */
+ count++;
+
+- cedrus_h265_skip_bits(dev, slice_params->data_byte_offset * 8 - count);
++ cedrus_h265_skip_bits(dev, 8 - count);
+
+ /* Bitstream parameters. */
+
+diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_regs.h b/drivers/staging/media/sunxi/cedrus/cedrus_regs.h
+index d81f7513ade0..655c05b389cf 100644
+--- a/drivers/staging/media/sunxi/cedrus/cedrus_regs.h
++++ b/drivers/staging/media/sunxi/cedrus/cedrus_regs.h
+@@ -505,6 +505,8 @@
+ #define VE_DEC_H265_LOW_ADDR_ENTRY_POINTS_BUF(a) \
+ SHIFT_AND_MASK_BITS(a, 7, 0)
+
++#define VE_DEC_H265_BITS_READ (VE_ENGINE_DEC_H265 + 0xdc)
++
+ #define VE_DEC_H265_SRAM_OFFSET (VE_ENGINE_DEC_H265 + 0xe0)
+
+ #define VE_DEC_H265_SRAM_OFFSET_PRED_WEIGHT_LUMA_L0 0x00
+--
+2.35.1
+
--- /dev/null
+From 4f20c92dedd25320def6b79e10cedffe31092ecb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 14:56:52 +0800
+Subject: media: coda: Add check for dcoda_iram_alloc
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 6b8082238fb8bb20f67e46388123e67a5bbc558d ]
+
+As the coda_iram_alloc may return NULL pointer,
+it should be better to check the return value
+in order to avoid NULL poineter dereference,
+same as the others.
+
+Fixes: b313bcc9a467 ("[media] coda: simplify IRAM setup")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/chips-media/coda-bit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/chips-media/coda-bit.c b/drivers/media/platform/chips-media/coda-bit.c
+index 2736a902e3df..6d816fd69a17 100644
+--- a/drivers/media/platform/chips-media/coda-bit.c
++++ b/drivers/media/platform/chips-media/coda-bit.c
+@@ -854,7 +854,7 @@ static void coda_setup_iram(struct coda_ctx *ctx)
+ /* Only H.264BP and H.263P3 are considered */
+ iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w64);
+ iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w64);
+- if (!iram_info->buf_dbk_c_use)
++ if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use)
+ goto out;
+ iram_info->axi_sram_use |= dbk_bits;
+
+@@ -878,7 +878,7 @@ static void coda_setup_iram(struct coda_ctx *ctx)
+
+ iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w128);
+ iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w128);
+- if (!iram_info->buf_dbk_c_use)
++ if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use)
+ goto out;
+ iram_info->axi_sram_use |= dbk_bits;
+
+--
+2.35.1
+
--- /dev/null
+From 88374e9a3aca2555a769165915c920325f514bb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 15:02:36 +0800
+Subject: media: coda: Add check for kmalloc
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 6e5e5defdb8b0186312c2f855ace175aee6daf9b ]
+
+As the kmalloc may return NULL pointer,
+it should be better to check the return value
+in order to avoid NULL poineter dereference,
+same as the others.
+
+Fixes: cb1d3a336371 ("[media] coda: add CODA7541 JPEG support")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/chips-media/coda-bit.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/chips-media/coda-bit.c b/drivers/media/platform/chips-media/coda-bit.c
+index 6d816fd69a17..ed47d5bd8d61 100644
+--- a/drivers/media/platform/chips-media/coda-bit.c
++++ b/drivers/media/platform/chips-media/coda-bit.c
+@@ -1084,10 +1084,16 @@ static int coda_start_encoding(struct coda_ctx *ctx)
+ }
+
+ if (dst_fourcc == V4L2_PIX_FMT_JPEG) {
+- if (!ctx->params.jpeg_qmat_tab[0])
++ if (!ctx->params.jpeg_qmat_tab[0]) {
+ ctx->params.jpeg_qmat_tab[0] = kmalloc(64, GFP_KERNEL);
+- if (!ctx->params.jpeg_qmat_tab[1])
++ if (!ctx->params.jpeg_qmat_tab[0])
++ return -ENOMEM;
++ }
++ if (!ctx->params.jpeg_qmat_tab[1]) {
+ ctx->params.jpeg_qmat_tab[1] = kmalloc(64, GFP_KERNEL);
++ if (!ctx->params.jpeg_qmat_tab[1])
++ return -ENOMEM;
++ }
+ coda_set_jpeg_compression_quality(ctx, ctx->params.jpeg_quality);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 75770b65dbe40e852658d9aeefe92a84627ae18d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 09:28:13 +0800
+Subject: media: coda: jpeg: Add check for kmalloc
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit f30ce3d3760b22ee33c8d9c2e223764ad30bdc5f ]
+
+As kmalloc can return NULL pointer, it should be better to
+check the return value and return error, same as
+coda_jpeg_decode_header.
+
+Fixes: 96f6f62c4656 ("media: coda: jpeg: add CODA960 JPEG encoder support")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/chips-media/coda-jpeg.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/chips-media/coda-jpeg.c b/drivers/media/platform/chips-media/coda-jpeg.c
+index a0b22b07f69a..2284e0420934 100644
+--- a/drivers/media/platform/chips-media/coda-jpeg.c
++++ b/drivers/media/platform/chips-media/coda-jpeg.c
+@@ -1053,10 +1053,16 @@ static int coda9_jpeg_start_encoding(struct coda_ctx *ctx)
+ v4l2_err(&dev->v4l2_dev, "error loading Huffman tables\n");
+ return ret;
+ }
+- if (!ctx->params.jpeg_qmat_tab[0])
++ if (!ctx->params.jpeg_qmat_tab[0]) {
+ ctx->params.jpeg_qmat_tab[0] = kmalloc(64, GFP_KERNEL);
+- if (!ctx->params.jpeg_qmat_tab[1])
++ if (!ctx->params.jpeg_qmat_tab[0])
++ return -ENOMEM;
++ }
++ if (!ctx->params.jpeg_qmat_tab[1]) {
+ ctx->params.jpeg_qmat_tab[1] = kmalloc(64, GFP_KERNEL);
++ if (!ctx->params.jpeg_qmat_tab[1])
++ return -ENOMEM;
++ }
+ coda_set_jpeg_compression_quality(ctx, ctx->params.jpeg_quality);
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 14c8ac93a2e0d5e2e5141b622062e38944febd76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 03:30:05 +0000
+Subject: media: dvb-core: Fix ignored return value in dvb_register_frontend()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit a574359e2e71ce16be212df3a082ed60a4bd2c5f ]
+
+In dvb_register_frontend(), dvb_register_device() is possible to fail
+but its return value is ignored.
+
+It will cause use-after-free when module is removed, because in
+dvb_unregister_frontend() it tries to unregister a not registered
+device.
+
+BUG: KASAN: use-after-free in dvb_remove_device+0x18b/0x1f0 [dvb_core]
+Read of size 4 at addr ffff88800dff4824 by task rmmod/428
+CPU: 3 PID: 428 Comm: rmmod
+Call Trace:
+ <TASK>
+ ...
+ dvb_remove_device+0x18b/0x1f0 [dvb_core]
+ dvb_unregister_frontend+0x7b/0x130 [dvb_core]
+ vidtv_bridge_remove+0x6e/0x160 [dvb_vidtv_bridge]
+ ...
+
+Fix this by catching return value of dvb_register_device().
+However the fe->refcount can't be put to zero immediately, because
+there are still modules calling dvb_frontend_detach() when
+dvb_register_frontend() fails.
+
+Link: https://lore.kernel.org/linux-media/20221108033005.169095-1-chenzhongjin@huawei.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index 48e735cdbe6b..a7792ef4baf8 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -2986,6 +2986,7 @@ int dvb_register_frontend(struct dvb_adapter *dvb,
+ .name = fe->ops.info.name,
+ #endif
+ };
++ int ret;
+
+ dev_dbg(dvb->device, "%s:\n", __func__);
+
+@@ -3019,8 +3020,13 @@ int dvb_register_frontend(struct dvb_adapter *dvb,
+ "DVB: registering adapter %i frontend %i (%s)...\n",
+ fe->dvb->num, fe->id, fe->ops.info.name);
+
+- dvb_register_device(fe->dvb, &fepriv->dvbdev, &dvbdev_template,
++ ret = dvb_register_device(fe->dvb, &fepriv->dvbdev, &dvbdev_template,
+ fe, DVB_DEVICE_FRONTEND, 0);
++ if (ret) {
++ dvb_frontend_put(fe);
++ mutex_unlock(&frontend_mutex);
++ return ret;
++ }
+
+ /*
+ * Initialize the cache to the proper values according with the
+--
+2.35.1
+
--- /dev/null
+From 5ab6282c759af8e67c296bc9ca0d6411ebeaf66b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Apr 2022 07:19:25 +0100
+Subject: media: dvb-frontends: fix leak of memory fw
+
+From: Yan Lei <yan_lei@dahuatech.com>
+
+[ Upstream commit a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa ]
+
+Link: https://lore.kernel.org/linux-media/20220410061925.4107-1-chinayanlei2002@163.com
+Signed-off-by: Yan Lei <yan_lei@dahuatech.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/bcm3510.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/dvb-frontends/bcm3510.c b/drivers/media/dvb-frontends/bcm3510.c
+index da0ff7b44da4..68b92b4419cf 100644
+--- a/drivers/media/dvb-frontends/bcm3510.c
++++ b/drivers/media/dvb-frontends/bcm3510.c
+@@ -649,6 +649,7 @@ static int bcm3510_download_firmware(struct dvb_frontend* fe)
+ deb_info("firmware chunk, addr: 0x%04x, len: 0x%04x, total length: 0x%04zx\n",addr,len,fw->size);
+ if ((ret = bcm3510_write_ram(st,addr,&b[i+4],len)) < 0) {
+ err("firmware download failed: %d\n",ret);
++ release_firmware(fw);
+ return ret;
+ }
+ i += 4 + len;
+--
+2.35.1
+
--- /dev/null
+From 064ffc3469158b01a707c984768272c153cf92f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 06:59:18 +0000
+Subject: media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
+
+From: Baisong Zhong <zhongbaisong@huawei.com>
+
+[ Upstream commit 0ed554fd769a19ea8464bb83e9ac201002ef74ad ]
+
+Wei Chen reports a kernel bug as blew:
+
+general protection fault, probably for non-canonical address
+KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+...
+Call Trace:
+<TASK>
+__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109
+i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170
+i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297
+i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458
+vfs_ioctl fs/ioctl.c:51 [inline]
+__do_sys_ioctl fs/ioctl.c:870 [inline]
+__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7fd834a8bded
+
+In az6027_i2c_xfer(), if msg[i].addr is 0x99,
+a null-ptr-deref will caused when accessing msg[i].buf.
+For msg[i].len is 0 and msg[i].buf is null.
+
+Fix this by checking msg[i].len in az6027_i2c_xfer().
+
+Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/
+
+Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com
+Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver")
+Reported-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/az6027.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
+index cf15988dfb51..7d78ee09be5e 100644
+--- a/drivers/media/usb/dvb-usb/az6027.c
++++ b/drivers/media/usb/dvb-usb/az6027.c
+@@ -975,6 +975,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
+ if (msg[i].addr == 0x99) {
+ req = 0xBE;
+ index = 0;
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ value = msg[i].buf[0] & 0x00ff;
+ length = 1;
+ az6027_usb_out_op(d, req, value, index, data, length);
+--
+2.35.1
+
--- /dev/null
+From 018a9c17b7499a856f56d6798216693973bdf2f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 02:21:52 +0100
+Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
+
+From: Mazin Al Haddad <mazinalhaddad05@gmail.com>
+
+[ Upstream commit 94d90fb06b94a90c176270d38861bcba34ce377d ]
+
+Syzbot reports a memory leak in "dvb_usb_adapter_init()".
+The leak is due to not accounting for and freeing current iteration's
+adapter->priv in case of an error. Currently if an error occurs,
+it will exit before incrementing "num_adapters_initalized",
+which is used as a reference counter to free all adap->priv
+in "dvb_usb_adapter_exit()". There are multiple error paths that
+can exit from before incrementing the counter. Including the
+error handling paths for "dvb_usb_adapter_stream_init()",
+"dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()"
+within "dvb_usb_adapter_init()".
+
+This means that in case of an error in any of these functions the
+current iteration is not accounted for and the current iteration's
+adap->priv is not freed.
+
+Fix this by freeing the current iteration's adap->priv in the
+"stream_init_err:" label in the error path. The rest of the
+(accounted for) adap->priv objects are freed in dvb_usb_adapter_exit()
+as expected using the num_adapters_initalized variable.
+
+Syzbot report:
+
+BUG: memory leak
+unreferenced object 0xffff8881172f1a00 (size 512):
+ comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+ [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]
+ [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
+ [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
+ [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883
+ [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
+ [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
+ [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
+ [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
+ [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782
+ [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899
+ [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+ [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970
+ [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
+ [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405
+ [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170
+ [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
+ [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
+ [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
+ [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
+ [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
+ [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
+
+Link: https://syzkaller.appspot.com/bug?extid=f66dd31987e6740657be
+Reported-and-tested-by: syzbot+f66dd31987e6740657be@syzkaller.appspotmail.com
+
+Link: https://lore.kernel.org/linux-media/20220824012152.539788-1-mazinalhaddad05@gmail.com
+Signed-off-by: Mazin Al Haddad <mazinalhaddad05@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 61439c8f33ca..58eea8ab5477 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -81,7 +81,7 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+
+ ret = dvb_usb_adapter_stream_init(adap);
+ if (ret)
+- return ret;
++ goto stream_init_err;
+
+ ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
+ if (ret)
+@@ -114,6 +114,8 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+ dvb_usb_adapter_dvb_exit(adap);
+ dvb_init_err:
+ dvb_usb_adapter_stream_exit(adap);
++stream_init_err:
++ kfree(adap->priv);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From ec81f0cbc0afd7bb6319ac638cdf3a2e89981d91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Aug 2022 15:59:52 +0100
+Subject: media: dvbdev: adopts refcnt to avoid UAF
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ]
+
+dvb_unregister_device() is known that prone to use-after-free.
+That is, the cleanup from dvb_unregister_device() releases the dvb_device
+even if there are pointers stored in file->private_data still refer to it.
+
+This patch adds a reference counter into struct dvb_device and delays its
+deallocation until no pointer refers to the object.
+
+Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_ca_en50221.c | 2 +-
+ drivers/media/dvb-core/dvb_frontend.c | 2 +-
+ drivers/media/dvb-core/dvbdev.c | 32 +++++++++++++++++++------
+ include/media/dvbdev.h | 31 +++++++++++++-----------
+ 4 files changed, 44 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
+index 15a08d8c69ef..c2d2792227f8 100644
+--- a/drivers/media/dvb-core/dvb_ca_en50221.c
++++ b/drivers/media/dvb-core/dvb_ca_en50221.c
+@@ -157,7 +157,7 @@ static void dvb_ca_private_free(struct dvb_ca_private *ca)
+ {
+ unsigned int i;
+
+- dvb_free_device(ca->dvbdev);
++ dvb_device_put(ca->dvbdev);
+ for (i = 0; i < ca->slot_count; i++)
+ vfree(ca->slot_info[i].rx_buffer.data);
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index a7792ef4baf8..c41a7e5c2b92 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -136,7 +136,7 @@ static void __dvb_frontend_free(struct dvb_frontend *fe)
+ struct dvb_frontend_private *fepriv = fe->frontend_priv;
+
+ if (fepriv)
+- dvb_free_device(fepriv->dvbdev);
++ dvb_device_put(fepriv->dvbdev);
+
+ dvb_frontend_invoke_release(fe, fe->ops.release);
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 675d877a67b2..14f0e140d541 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -97,7 +97,7 @@ static int dvb_device_open(struct inode *inode, struct file *file)
+ new_fops = fops_get(dvbdev->fops);
+ if (!new_fops)
+ goto fail;
+- file->private_data = dvbdev;
++ file->private_data = dvb_device_get(dvbdev);
+ replace_fops(file, new_fops);
+ if (file->f_op->open)
+ err = file->f_op->open(inode, file);
+@@ -161,6 +161,9 @@ int dvb_generic_release(struct inode *inode, struct file *file)
+ }
+
+ dvbdev->users++;
++
++ dvb_device_put(dvbdev);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(dvb_generic_release);
+@@ -477,6 +480,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ return -ENOMEM;
+ }
+
++ kref_init(&dvbdev->ref);
+ memcpy(dvbdev, template, sizeof(struct dvb_device));
+ dvbdev->type = type;
+ dvbdev->id = id;
+@@ -508,7 +512,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ #endif
+
+ dvbdev->minor = minor;
+- dvb_minors[minor] = dvbdev;
++ dvb_minors[minor] = dvb_device_get(dvbdev);
+ up_write(&minor_rwsem);
+
+ ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads);
+@@ -553,6 +557,7 @@ void dvb_remove_device(struct dvb_device *dvbdev)
+
+ down_write(&minor_rwsem);
+ dvb_minors[dvbdev->minor] = NULL;
++ dvb_device_put(dvbdev);
+ up_write(&minor_rwsem);
+
+ dvb_media_device_free(dvbdev);
+@@ -564,21 +569,34 @@ void dvb_remove_device(struct dvb_device *dvbdev)
+ EXPORT_SYMBOL(dvb_remove_device);
+
+
+-void dvb_free_device(struct dvb_device *dvbdev)
++static void dvb_free_device(struct kref *ref)
+ {
+- if (!dvbdev)
+- return;
++ struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref);
+
+ kfree (dvbdev->fops);
+ kfree (dvbdev);
+ }
+-EXPORT_SYMBOL(dvb_free_device);
++
++
++struct dvb_device *dvb_device_get(struct dvb_device *dvbdev)
++{
++ kref_get(&dvbdev->ref);
++ return dvbdev;
++}
++EXPORT_SYMBOL(dvb_device_get);
++
++
++void dvb_device_put(struct dvb_device *dvbdev)
++{
++ if (dvbdev)
++ kref_put(&dvbdev->ref, dvb_free_device);
++}
+
+
+ void dvb_unregister_device(struct dvb_device *dvbdev)
+ {
+ dvb_remove_device(dvbdev);
+- dvb_free_device(dvbdev);
++ dvb_device_put(dvbdev);
+ }
+ EXPORT_SYMBOL(dvb_unregister_device);
+
+diff --git a/include/media/dvbdev.h b/include/media/dvbdev.h
+index 2f6b0861322a..149b3d33c24b 100644
+--- a/include/media/dvbdev.h
++++ b/include/media/dvbdev.h
+@@ -156,6 +156,7 @@ struct dvb_adapter {
+ */
+ struct dvb_device {
+ struct list_head list_head;
++ struct kref ref;
+ const struct file_operations *fops;
+ struct dvb_adapter *adapter;
+ enum dvb_device_type type;
+@@ -187,6 +188,20 @@ struct dvb_device {
+ void *priv;
+ };
+
++/**
++ * dvb_device_get - Increase dvb_device reference
++ *
++ * @dvbdev: pointer to struct dvb_device
++ */
++struct dvb_device *dvb_device_get(struct dvb_device *dvbdev);
++
++/**
++ * dvb_device_get - Decrease dvb_device reference
++ *
++ * @dvbdev: pointer to struct dvb_device
++ */
++void dvb_device_put(struct dvb_device *dvbdev);
++
+ /**
+ * dvb_register_adapter - Registers a new DVB adapter
+ *
+@@ -231,29 +246,17 @@ int dvb_register_device(struct dvb_adapter *adap,
+ /**
+ * dvb_remove_device - Remove a registered DVB device
+ *
+- * This does not free memory. To do that, call dvb_free_device().
++ * This does not free memory. dvb_free_device() will do that when
++ * reference counter is empty
+ *
+ * @dvbdev: pointer to struct dvb_device
+ */
+ void dvb_remove_device(struct dvb_device *dvbdev);
+
+-/**
+- * dvb_free_device - Free memory occupied by a DVB device.
+- *
+- * Call dvb_unregister_device() before calling this function.
+- *
+- * @dvbdev: pointer to struct dvb_device
+- */
+-void dvb_free_device(struct dvb_device *dvbdev);
+
+ /**
+ * dvb_unregister_device - Unregisters a DVB device
+ *
+- * This is a combination of dvb_remove_device() and dvb_free_device().
+- * Using this function is usually a mistake, and is often an indicator
+- * for a use-after-free bug (when a userspace process keeps a file
+- * handle to a detached device).
+- *
+ * @dvbdev: pointer to struct dvb_device
+ */
+ void dvb_unregister_device(struct dvb_device *dvbdev);
+--
+2.35.1
+
--- /dev/null
+From f951d54a8ac0b237803d45037e64c4fd4e868795 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 11:42:01 +0200
+Subject: media: exynos4-is: don't rely on the v4l2_async_subdev internals
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit f98a5c2e1c4396488c27274ba82afc11725a4bcc ]
+
+Commit 1f391df44607 ("media: v4l2-async: Use endpoints in
+__v4l2_async_nf_add_fwnode_remote()") changed the data that is stored in
+the v4l2_async_subdev internals from the fwnode pointer to the parent
+device to the fwnode pointer to the matched endpoint. This broke the
+sensor matching code, which relied on the particular fwnode data in the
+v4l2_async_subdev internals. Fix this by simply matching the
+v4l2_async_subdev pointer, which is already available there.
+
+Reported-by: Daniel Scally <djrscally@gmail.com>
+Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Daniel Scally <djrscally@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/samsung/exynos4-is/media-dev.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/samsung/exynos4-is/media-dev.c b/drivers/media/platform/samsung/exynos4-is/media-dev.c
+index 52b43ea04030..412213b0c384 100644
+--- a/drivers/media/platform/samsung/exynos4-is/media-dev.c
++++ b/drivers/media/platform/samsung/exynos4-is/media-dev.c
+@@ -1380,9 +1380,7 @@ static int subdev_notifier_bound(struct v4l2_async_notifier *notifier,
+
+ /* Find platform data for this sensor subdev */
+ for (i = 0; i < ARRAY_SIZE(fmd->sensor); i++)
+- if (fmd->sensor[i].asd &&
+- fmd->sensor[i].asd->match.fwnode ==
+- of_fwnode_handle(subdev->dev->of_node))
++ if (fmd->sensor[i].asd == asd)
+ si = &fmd->sensor[i];
+
+ if (si == NULL)
+--
+2.35.1
+
--- /dev/null
+From 3da831465070ec2f1001ca0edf3d1e800a01de47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 13:38:00 +0200
+Subject: media: i2c: ad5820: Fix error path
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 9fce241660f37d9e95e93c0ae6fba8cfefa5797b ]
+
+Error path seems to be swaped. Fix the order and provide some meaningful
+names.
+
+Fixes: bee3d5115611 ("[media] ad5820: Add driver for auto-focus coil")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ad5820.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/i2c/ad5820.c b/drivers/media/i2c/ad5820.c
+index 2958a4694461..07639ecc85aa 100644
+--- a/drivers/media/i2c/ad5820.c
++++ b/drivers/media/i2c/ad5820.c
+@@ -327,18 +327,18 @@ static int ad5820_probe(struct i2c_client *client,
+
+ ret = media_entity_pads_init(&coil->subdev.entity, 0, NULL);
+ if (ret < 0)
+- goto cleanup2;
++ goto clean_mutex;
+
+ ret = v4l2_async_register_subdev(&coil->subdev);
+ if (ret < 0)
+- goto cleanup;
++ goto clean_entity;
+
+ return ret;
+
+-cleanup2:
+- mutex_destroy(&coil->power_lock);
+-cleanup:
++clean_entity:
+ media_entity_cleanup(&coil->subdev.entity);
++clean_mutex:
++ mutex_destroy(&coil->power_lock);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 6fe3ad7848dc8bf7dd74af3cbc2452f5b0e2a9a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Sep 2022 23:12:51 -0300
+Subject: media: i2c: hi846: Fix memory leak in hi846_parse_dt()
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit 80113026d415e27483669db7a88b548d1ec3d3d1 ]
+
+If any of the checks related to the supported link frequencies fail, then
+the V4L2 fwnode resources don't get released before returning, which leads
+to a memleak. Fix this by properly freeing the V4L2 fwnode data in a
+designated label.
+
+Fixes: e8c0882685f9 ("media: i2c: add driver for the SK Hynix Hi-846 8M pixel camera")
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Reviewed-by: Tommaso Merciai <tommaso.merciai@amarulasolutions.com>
+Reviewed-by: Martin Kepplinger <martink@posteo.de>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/hi846.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/i2c/hi846.c b/drivers/media/i2c/hi846.c
+index ad35c3ff3611..254031503c72 100644
+--- a/drivers/media/i2c/hi846.c
++++ b/drivers/media/i2c/hi846.c
+@@ -2008,22 +2008,24 @@ static int hi846_parse_dt(struct hi846 *hi846, struct device *dev)
+ bus_cfg.bus.mipi_csi2.num_data_lanes != 4) {
+ dev_err(dev, "number of CSI2 data lanes %d is not supported",
+ bus_cfg.bus.mipi_csi2.num_data_lanes);
+- v4l2_fwnode_endpoint_free(&bus_cfg);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto check_hwcfg_error;
+ }
+
+ hi846->nr_lanes = bus_cfg.bus.mipi_csi2.num_data_lanes;
+
+ if (!bus_cfg.nr_of_link_frequencies) {
+ dev_err(dev, "link-frequency property not found in DT\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto check_hwcfg_error;
+ }
+
+ /* Check that link frequences for all the modes are in device tree */
+ fq = hi846_check_link_freqs(hi846, &bus_cfg);
+ if (fq) {
+ dev_err(dev, "Link frequency of %lld is not supported\n", fq);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto check_hwcfg_error;
+ }
+
+ v4l2_fwnode_endpoint_free(&bus_cfg);
+@@ -2044,6 +2046,10 @@ static int hi846_parse_dt(struct hi846 *hi846, struct device *dev)
+ }
+
+ return 0;
++
++check_hwcfg_error:
++ v4l2_fwnode_endpoint_free(&bus_cfg);
++ return ret;
+ }
+
+ static int hi846_probe(struct i2c_client *client)
+--
+2.35.1
+
--- /dev/null
+From d7d4605baea6a5c7b9954322e5655c939b34508d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 11:27:48 -0300
+Subject: media: i2c: ov5648: Free V4L2 fwnode data on unbind
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit c95770e4fc172696dcb1450893cda7d6324d96fc ]
+
+The V4L2 fwnode data structure doesn't get freed on unbind, which leads to
+a memleak.
+
+Fixes: e43ccb0a045f ("media: i2c: Add support for the OV5648 image sensor")
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Reviewed-by: Tommaso Merciai <tommaso.merciai@amarulasolutions.com>
+Reviewed-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov5648.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/i2c/ov5648.c b/drivers/media/i2c/ov5648.c
+index dfcd33e9ee13..220c53565b0a 100644
+--- a/drivers/media/i2c/ov5648.c
++++ b/drivers/media/i2c/ov5648.c
+@@ -2597,6 +2597,7 @@ static int ov5648_remove(struct i2c_client *client)
+ v4l2_ctrl_handler_free(&sensor->ctrls.handler);
+ mutex_destroy(&sensor->mutex);
+ media_entity_cleanup(&subdev->entity);
++ v4l2_fwnode_endpoint_free(&sensor->endpoint);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 229615f295322565f3b338f8016a7004800d9590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Oct 2022 06:02:14 +0100
+Subject: media: imon: fix a race condition in send_packet()
+
+From: Gautam Menghani <gautammenghani201@gmail.com>
+
+[ Upstream commit 813ceef062b53d68f296aa3cb944b21a091fabdb ]
+
+The function send_packet() has a race condition as follows:
+
+func send_packet()
+{
+ // do work
+ call usb_submit_urb()
+ mutex_unlock()
+ wait_for_event_interruptible() <-- lock gone
+ mutex_lock()
+}
+
+func vfd_write()
+{
+ mutex_lock()
+ call send_packet() <- prev call is not completed
+ mutex_unlock()
+}
+
+When the mutex is unlocked and the function send_packet() waits for the
+call to complete, vfd_write() can start another call, which leads to the
+"URB submitted while active" warning in usb_submit_urb().
+Fix this by removing the mutex_unlock() call in send_packet() and using
+mutex_lock_interruptible().
+
+Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e
+
+Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver")
+Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com
+Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/imon.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
+index 735b925da998..91d8056666ec 100644
+--- a/drivers/media/rc/imon.c
++++ b/drivers/media/rc/imon.c
+@@ -646,15 +646,14 @@ static int send_packet(struct imon_context *ictx)
+ pr_err_ratelimited("error submitting urb(%d)\n", retval);
+ } else {
+ /* Wait for transmission to complete (or abort) */
+- mutex_unlock(&ictx->lock);
+ retval = wait_for_completion_interruptible(
+ &ictx->tx.finished);
+ if (retval) {
+ usb_kill_urb(ictx->tx_urb);
+ pr_err_ratelimited("task interrupted\n");
+ }
+- mutex_lock(&ictx->lock);
+
++ ictx->tx.busy = false;
+ retval = ictx->tx.status;
+ if (retval)
+ pr_err_ratelimited("packet tx failed (%d)\n", retval);
+@@ -955,7 +954,8 @@ static ssize_t vfd_write(struct file *file, const char __user *buf,
+ if (ictx->disconnected)
+ return -ENODEV;
+
+- mutex_lock(&ictx->lock);
++ if (mutex_lock_interruptible(&ictx->lock))
++ return -ERESTARTSYS;
+
+ if (!ictx->dev_present_intf0) {
+ pr_err_ratelimited("no iMON device present\n");
+--
+2.35.1
+
--- /dev/null
+From a2b074c8ece7abf6ff4364fcf8d9671613de4541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 19:42:16 +0100
+Subject: media: imx: imx7-media-csi: Clear BIT_MIPI_DOUBLE_CMPNT for <16b
+ formats
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit cccc08a95ca57624563daafd47df5691e8c38995 ]
+
+Commit 9babbbaaeb87 ("media: imx: imx7-media-csi: Use dual sampling for
+YUV 1X16") set BIT_MIPI_DOUBLE_CMPNT in the CR18 register for 16-bit YUV
+formats in imx7_csi_configure(). The CR18 register is always updated
+with read-modify-write cycles, so if a 16-bit YUV format is selected,
+the bit will stay set forever, even if the format is changed. Fix it by
+clearing the bit at the beginning of the imx7_csi_configure() function.
+
+While at it, swap two of the bits being cleared to match the MSB to LSB
+order. This doesn't cause any functional change.
+
+Fixes: 9babbbaaeb87 ("media: imx: imx7-media-csi: Use dual sampling for YUV 1X16")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
+Acked-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx7-media-csi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx7-media-csi.c b/drivers/staging/media/imx/imx7-media-csi.c
+index a0553c24cce4..7eee2f8dca47 100644
+--- a/drivers/staging/media/imx/imx7-media-csi.c
++++ b/drivers/staging/media/imx/imx7-media-csi.c
+@@ -521,9 +521,9 @@ static void imx7_csi_configure(struct imx7_csi *csi)
+ cr18 = imx7_csi_reg_read(csi, CSI_CSICR18);
+
+ cr18 &= ~(BIT_CSI_HW_ENABLE | BIT_MIPI_DATA_FORMAT_MASK |
+- BIT_DATA_FROM_MIPI | BIT_BASEADDR_CHG_ERR_EN |
+- BIT_BASEADDR_SWITCH_EN | BIT_BASEADDR_SWITCH_SEL |
+- BIT_DEINTERLACE_EN);
++ BIT_DATA_FROM_MIPI | BIT_MIPI_DOUBLE_CMPNT |
++ BIT_BASEADDR_CHG_ERR_EN | BIT_BASEADDR_SWITCH_SEL |
++ BIT_BASEADDR_SWITCH_EN | BIT_DEINTERLACE_EN);
+
+ if (out_pix->field == V4L2_FIELD_INTERLACED) {
+ cr18 |= BIT_DEINTERLACE_EN;
+--
+2.35.1
+
--- /dev/null
+From 720aa66ffe2b1bb9282d7d8d351367ef5db74cb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 17:38:41 +0800
+Subject: media: imx-jpeg: Disable useless interrupt to avoid kernel panic
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit c3720e65c9013a7b2a5dbb63e6bf6d74a35dd894 ]
+
+There is a hardware bug that the interrupt STMBUF_HALF may be triggered
+after or when disable interrupt.
+It may led to unexpected kernel panic.
+And interrupt STMBUF_HALF and STMBUF_RTND have no other effect.
+So disable them and the unused interrupts.
+
+meanwhile clear the interrupt status when disable interrupt.
+
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Reviewed-by: Mirela Rabulea <mirela.rabulea@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.c
+index 9418fcf740a8..ef28122a5ed4 100644
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.c
+@@ -76,12 +76,14 @@ void print_wrapper_info(struct device *dev, void __iomem *reg)
+
+ void mxc_jpeg_enable_irq(void __iomem *reg, int slot)
+ {
+- writel(0xFFFFFFFF, reg + MXC_SLOT_OFFSET(slot, SLOT_IRQ_EN));
++ writel(0xFFFFFFFF, reg + MXC_SLOT_OFFSET(slot, SLOT_STATUS));
++ writel(0xF0C, reg + MXC_SLOT_OFFSET(slot, SLOT_IRQ_EN));
+ }
+
+ void mxc_jpeg_disable_irq(void __iomem *reg, int slot)
+ {
+ writel(0x0, reg + MXC_SLOT_OFFSET(slot, SLOT_IRQ_EN));
++ writel(0xFFFFFFFF, reg + MXC_SLOT_OFFSET(slot, SLOT_STATUS));
+ }
+
+ void mxc_jpeg_sw_reset(void __iomem *reg)
+--
+2.35.1
+
--- /dev/null
+From b6904a37d8bfdd86bae2d080c5e71b4ec5f968cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 09:24:50 +0000
+Subject: media: mediatek: vcodec: Can't set dst buffer to done when lat decode
+ error
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit 3568ecd3f3a6d133ab7feffbba34955c8c79bbc4 ]
+
+Core thread will call v4l2_m2m_buf_done to set dst buffer done for
+lat architecture. If lat call v4l2_m2m_buf_done_and_job_finish to
+free dst buffer when lat decode error, core thread will access kernel
+NULL pointer dereference, then crash.
+
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c
+index e86809052a9f..ffbcee04dc26 100644
+--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c
++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c
+@@ -253,7 +253,7 @@ static void mtk_vdec_worker(struct work_struct *work)
+
+ state = ret ? VB2_BUF_STATE_ERROR : VB2_BUF_STATE_DONE;
+ if (!IS_VDEC_LAT_ARCH(dev->vdec_pdata->hw_arch) ||
+- ctx->current_codec == V4L2_PIX_FMT_VP8_FRAME || ret) {
++ ctx->current_codec == V4L2_PIX_FMT_VP8_FRAME) {
+ v4l2_m2m_buf_done_and_job_finish(dev->m2m_dev_dec, ctx->m2m_ctx, state);
+ if (src_buf_req)
+ v4l2_ctrl_request_complete(src_buf_req, &ctx->ctrl_hdl);
+--
+2.35.1
+
--- /dev/null
+From fe07f8fb489e45508af2e68d79a83dc5686c075d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 09:24:53 +0000
+Subject: media: mediatek: vcodec: Core thread depends on core_list
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit 95bc23513c9188065a22194f9af870376fc38fdd ]
+
+Core thread will continue to work when core_list is not empty, not
+depends on lat_list.
+
+Fixes: 365e4ba01df4 ("media: mtk-vcodec: Add work queue for core hardware decode")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c b/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c
+index ae500980ad45..dc2004790a47 100644
+--- a/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c
++++ b/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c
+@@ -221,7 +221,7 @@ static void vdec_msg_queue_core_work(struct work_struct *work)
+ mtk_vcodec_dec_disable_hardware(ctx, MTK_VDEC_CORE);
+ vdec_msg_queue_qbuf(&ctx->msg_queue.lat_ctx, lat_buf);
+
+- if (!list_empty(&ctx->msg_queue.lat_ctx.ready_queue)) {
++ if (!list_empty(&dev->msg_queue_core_ctx.ready_queue)) {
+ mtk_v4l2_debug(3, "re-schedule to decode for core: %d",
+ dev->msg_queue_core_ctx.ready_num);
+ queue_work(dev->core_workqueue, &msg_queue->core_work);
+--
+2.35.1
+
--- /dev/null
+From 31f7b686681c2a9ba471648651d61596232fd101 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 09:24:49 +0000
+Subject: media: mediatek: vcodec: Fix getting NULL pointer for dst buffer
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit d879f770e4d1d5f0d9b692d3a2702f23ee441dbb ]
+
+The driver may can't get v4l2 buffer when lat or core decode timeout,
+will lead to crash when call v4l2_m2m_buf_done to set dst buffer
+(NULL pointer) done.
+
+Fixes: 7b182b8d9c85 ("media: mediatek: vcodec: Refactor get and put capture buffer flow")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mediatek/vcodec/mtk_vcodec_dec_stateless.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c
+index c45bd2599bb2..e86809052a9f 100644
+--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c
++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_stateless.c
+@@ -138,10 +138,13 @@ static void mtk_vdec_stateless_cap_to_disp(struct mtk_vcodec_ctx *ctx, int error
+ state = VB2_BUF_STATE_DONE;
+
+ vb2_dst = v4l2_m2m_dst_buf_remove(ctx->m2m_ctx);
+- v4l2_m2m_buf_done(vb2_dst, state);
+-
+- mtk_v4l2_debug(2, "free frame buffer id:%d to done list",
+- vb2_dst->vb2_buf.index);
++ if (vb2_dst) {
++ v4l2_m2m_buf_done(vb2_dst, state);
++ mtk_v4l2_debug(2, "free frame buffer id:%d to done list",
++ vb2_dst->vb2_buf.index);
++ } else {
++ mtk_v4l2_err("dst buffer is NULL");
++ }
+
+ if (src_buf_req)
+ v4l2_ctrl_request_complete(src_buf_req, &ctx->ctrl_hdl);
+--
+2.35.1
+
--- /dev/null
+From b936db0fdb1d9b7f55db15cb87c5134d5409f331 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 19:41:22 +0800
+Subject: media: mediatek: vcodec: fix h264 cavlc bitstream fail
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit d555409dd1b7cc9e7e5b9e2924c0ef4bf23f6c9b ]
+
+Some cavlc bistream will decode fail when the frame size is less than
+20 bytes. Need to add pending data at the end of the bitstream.
+
+For the minimum size of mapped memory is 256 bytes(16x16), adding four
+bytes data won't lead to access unknown virtual memory.
+
+Fixes: 59fba9eed5a7 ("media: mediatek: vcodec: support stateless H.264 decoding for mt8192")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vcodec/vdec/vdec_h264_req_multi_if.c | 32 +++++++++++++++++--
+ 1 file changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/vdec/vdec_h264_req_multi_if.c b/drivers/media/platform/mediatek/vcodec/vdec/vdec_h264_req_multi_if.c
+index 4cc92700692b..18e048755d11 100644
+--- a/drivers/media/platform/mediatek/vcodec/vdec/vdec_h264_req_multi_if.c
++++ b/drivers/media/platform/mediatek/vcodec/vdec/vdec_h264_req_multi_if.c
+@@ -539,6 +539,29 @@ static int vdec_h264_slice_core_decode(struct vdec_lat_buf *lat_buf)
+ return 0;
+ }
+
++static void vdec_h264_insert_startcode(struct mtk_vcodec_dev *vcodec_dev, unsigned char *buf,
++ size_t *bs_size, struct mtk_h264_pps_param *pps)
++{
++ struct device *dev = &vcodec_dev->plat_dev->dev;
++
++ /* Need to add pending data at the end of bitstream when bs_sz is small than
++ * 20 bytes for cavlc bitstream, or lat will decode fail. This pending data is
++ * useful for mt8192 and mt8195 platform.
++ *
++ * cavlc bitstream when entropy_coding_mode_flag is false.
++ */
++ if (pps->entropy_coding_mode_flag || *bs_size > 20 ||
++ !(of_device_is_compatible(dev->of_node, "mediatek,mt8192-vcodec-dec") ||
++ of_device_is_compatible(dev->of_node, "mediatek,mt8195-vcodec-dec")))
++ return;
++
++ buf[*bs_size] = 0;
++ buf[*bs_size + 1] = 0;
++ buf[*bs_size + 2] = 1;
++ buf[*bs_size + 3] = 0xff;
++ (*bs_size) += 4;
++}
++
+ static int vdec_h264_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ struct vdec_fb *fb, bool *res_chg)
+ {
+@@ -582,9 +605,6 @@ static int vdec_h264_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ }
+
+ inst->vsi->dec.nal_info = buf[nal_start_idx];
+- inst->vsi->dec.bs_buf_addr = (u64)bs->dma_addr;
+- inst->vsi->dec.bs_buf_size = bs->size;
+-
+ lat_buf->src_buf_req = src_buf_info->m2m_buf.vb.vb2_buf.req_obj.req;
+ v4l2_m2m_buf_copy_metadata(&src_buf_info->m2m_buf.vb, &lat_buf->ts_info, true);
+
+@@ -592,6 +612,12 @@ static int vdec_h264_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ if (err)
+ goto err_free_fb_out;
+
++ vdec_h264_insert_startcode(inst->ctx->dev, buf, &bs->size,
++ &share_info->h264_slice_params.pps);
++
++ inst->vsi->dec.bs_buf_addr = (uint64_t)bs->dma_addr;
++ inst->vsi->dec.bs_buf_size = bs->size;
++
+ *res_chg = inst->resolution_changed;
+ if (inst->resolution_changed) {
+ mtk_vcodec_debug(inst, "- resolution changed -");
+--
+2.35.1
+
--- /dev/null
+From a2f0ac533a4517aff392de825008abe09cb91424 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 09:24:51 +0000
+Subject: media: mediatek: vcodec: Fix h264 set lat buffer error
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit 23d677bd9cdd10323e6d290578bbb0a408f43499 ]
+
+Will set lat buffer to lat_list two times when lat decode timeout for
+inner racing mode.
+
+If core thread can't get frame buffer, need to return error value.
+
+Fixes: 59fba9eed5a7 ("media: mediatek: vcodec: support stateless H.264 decoding for mt8192")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vcodec/vdec/vdec_h264_req_multi_if.c | 28 +++++++++++--------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/vdec/vdec_h264_req_multi_if.c b/drivers/media/platform/mediatek/vcodec/vdec/vdec_h264_req_multi_if.c
+index 18e048755d11..955b2d0c8f53 100644
+--- a/drivers/media/platform/mediatek/vcodec/vdec/vdec_h264_req_multi_if.c
++++ b/drivers/media/platform/mediatek/vcodec/vdec/vdec_h264_req_multi_if.c
+@@ -471,14 +471,19 @@ static int vdec_h264_slice_core_decode(struct vdec_lat_buf *lat_buf)
+ sizeof(share_info->h264_slice_params));
+
+ fb = ctx->dev->vdec_pdata->get_cap_buffer(ctx);
+- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0;
+- vdec_fb_va = (unsigned long)fb;
++ if (!fb) {
++ err = -EBUSY;
++ mtk_vcodec_err(inst, "fb buffer is NULL");
++ goto vdec_dec_end;
++ }
+
++ vdec_fb_va = (unsigned long)fb;
++ y_fb_dma = (u64)fb->base_y.dma_addr;
+ if (ctx->q_data[MTK_Q_DATA_DST].fmt->num_planes == 1)
+ c_fb_dma =
+ y_fb_dma + inst->ctx->picinfo.buf_w * inst->ctx->picinfo.buf_h;
+ else
+- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0;
++ c_fb_dma = (u64)fb->base_c.dma_addr;
+
+ mtk_vcodec_debug(inst, "[h264-core] y/c addr = 0x%llx 0x%llx", y_fb_dma,
+ c_fb_dma);
+@@ -656,7 +661,7 @@ static int vdec_h264_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ err = vpu_dec_start(vpu, data, 2);
+ if (err) {
+ mtk_vcodec_debug(inst, "lat decode err: %d", err);
+- goto err_scp_decode;
++ goto err_free_fb_out;
+ }
+
+ share_info->trans_end = inst->ctx->msg_queue.wdma_addr.dma_addr +
+@@ -673,12 +678,17 @@ static int vdec_h264_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ /* wait decoder done interrupt */
+ timeout = mtk_vcodec_wait_for_done_ctx(inst->ctx, MTK_INST_IRQ_RECEIVED,
+ WAIT_INTR_TIMEOUT_MS, MTK_VDEC_LAT0);
++ if (timeout)
++ mtk_vcodec_err(inst, "lat decode timeout: pic_%d", inst->slice_dec_num);
+ inst->vsi->dec.timeout = !!timeout;
+
+ err = vpu_dec_end(vpu);
+- if (err == SLICE_HEADER_FULL || timeout || err == TRANS_BUFFER_FULL) {
+- err = -EINVAL;
+- goto err_scp_decode;
++ if (err == SLICE_HEADER_FULL || err == TRANS_BUFFER_FULL) {
++ if (!IS_VDEC_INNER_RACING(inst->ctx->dev->dec_capability))
++ vdec_msg_queue_qbuf(&inst->ctx->msg_queue.lat_ctx, lat_buf);
++ inst->slice_dec_num++;
++ mtk_vcodec_err(inst, "lat dec fail: pic_%d err:%d", inst->slice_dec_num, err);
++ return -EINVAL;
+ }
+
+ share_info->trans_end = inst->ctx->msg_queue.wdma_addr.dma_addr +
+@@ -695,10 +705,6 @@ static int vdec_h264_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+
+ inst->slice_dec_num++;
+ return 0;
+-
+-err_scp_decode:
+- if (!IS_VDEC_INNER_RACING(inst->ctx->dev->dec_capability))
+- vdec_msg_queue_qbuf(&inst->ctx->msg_queue.lat_ctx, lat_buf);
+ err_free_fb_out:
+ vdec_msg_queue_qbuf(&inst->ctx->msg_queue.lat_ctx, lat_buf);
+ mtk_vcodec_err(inst, "slice dec number: %d err: %d", inst->slice_dec_num, err);
+--
+2.35.1
+
--- /dev/null
+From f46fb647f0b84c7eab6a26e8476b375e09994393 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 09:24:52 +0000
+Subject: media: mediatek: vcodec: Setting lat buf to lat_list when lat decode
+ error
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit 12ac20d60213a439d1552382d04aabb905e0b784 ]
+
+Need to set lat buf to lat_list when lat decode error, or lat buffer will
+be lost.
+
+Fixes: 5d418351ca8f ("media: mediatek: vcodec: support stateless VP9 decoding")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c b/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c
+index fb1c36a3592d..cbb6728b8a40 100644
+--- a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c
++++ b/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c
+@@ -2073,21 +2073,23 @@ static int vdec_vp9_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ return -EBUSY;
+ }
+ pfc = (struct vdec_vp9_slice_pfc *)lat_buf->private_data;
+- if (!pfc)
+- return -EINVAL;
++ if (!pfc) {
++ ret = -EINVAL;
++ goto err_free_fb_out;
++ }
+ vsi = &pfc->vsi;
+
+ ret = vdec_vp9_slice_setup_lat(instance, bs, lat_buf, pfc);
+ if (ret) {
+ mtk_vcodec_err(instance, "Failed to setup VP9 lat ret %d\n", ret);
+- return ret;
++ goto err_free_fb_out;
+ }
+ vdec_vp9_slice_vsi_to_remote(vsi, instance->vsi);
+
+ ret = vpu_dec_start(&instance->vpu, NULL, 0);
+ if (ret) {
+ mtk_vcodec_err(instance, "Failed to dec VP9 ret %d\n", ret);
+- return ret;
++ goto err_free_fb_out;
+ }
+
+ if (instance->irq) {
+@@ -2107,7 +2109,7 @@ static int vdec_vp9_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ /* LAT trans full, no more UBE or decode timeout */
+ if (ret) {
+ mtk_vcodec_err(instance, "VP9 decode error: %d\n", ret);
+- return ret;
++ goto err_free_fb_out;
+ }
+
+ mtk_vcodec_debug(instance, "lat dma addr: 0x%lx 0x%lx\n",
+@@ -2120,6 +2122,9 @@ static int vdec_vp9_slice_lat_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ vdec_msg_queue_qbuf(&ctx->dev->msg_queue_core_ctx, lat_buf);
+
+ return 0;
++err_free_fb_out:
++ vdec_msg_queue_qbuf(&ctx->msg_queue.lat_ctx, lat_buf);
++ return ret;
+ }
+
+ static int vdec_vp9_slice_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+--
+2.35.1
+
--- /dev/null
+From b7b0331d14898f286ab994548b973bcad0a87a79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 14:13:04 +0000
+Subject: media: mt9p031: Drop bogus v4l2_subdev_get_try_crop() call from
+ mt9p031_init_cfg()
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit e208ad015f9310a87b4bb1ba1e4d3e347f391aa4 ]
+
+The mt9p031_init_cfg() already calls __mt9p031_get_pad_crop(), which
+correctly calls v4l2_subdev_get_try_crop() on V4L2_SUBDEV_FORMAT_TRY
+or returns &mt9p031->crop on V4L2_SUBDEV_FORMAT_ACTIVE. No need to
+call v4l2_subdev_get_try_crop() in mt9p031_init_cfg() again in case
+of both V4L2_SUBDEV_FORMAT_TRY and V4L2_SUBDEV_FORMAT_ACTIVE.
+
+This also fixes a splat generated by this call since commit
+2ba3e38517f5a ("media: v4l: subdev: Fail graciously when getting try data for NULL state")
+because v4l2_subdev_get_try_crop() is called with sd_state = NULL
+in mt9p031_init_cfg().
+
+Fixes: 69681cd041648 ("media: mt9p031: Move open subdev op init code into init_cfg")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/mt9p031.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c
+index 1fd4dc6e4726..92f4e184353f 100644
+--- a/drivers/media/i2c/mt9p031.c
++++ b/drivers/media/i2c/mt9p031.c
+@@ -702,7 +702,6 @@ static int mt9p031_init_cfg(struct v4l2_subdev *subdev,
+ V4L2_SUBDEV_FORMAT_TRY;
+
+ crop = __mt9p031_get_pad_crop(mt9p031, sd_state, 0, which);
+- v4l2_subdev_get_try_crop(subdev, sd_state, 0);
+ crop->left = MT9P031_COLUMN_START_DEF;
+ crop->top = MT9P031_ROW_START_DEF;
+ crop->width = MT9P031_WINDOW_WIDTH_DEF;
+--
+2.35.1
+
--- /dev/null
+From fbd4c55e38648c9ffdec09e6ea7db73b4bbe94de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 09:20:24 +0000
+Subject: media: ov5640: set correct default link frequency
+
+From: Guoniu.zhou <guoniu.zhou@nxp.com>
+
+[ Upstream commit d7b41196927ba2a2b5badad1a85f9087eb90b076 ]
+
+current_link_freq field in ov5640_dev structure is link frequency,
+not link frequency array index, so correct it.
+
+Fixes: 3c28588f35d3 ("media: ov5640: Update pixel_rate and link_freq")
+Signed-off-by: Guoniu.zhou <guoniu.zhou@nxp.com>
+Acked-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov5640.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
+index 502f0b62e950..7e72e7c7b0dd 100644
+--- a/drivers/media/i2c/ov5640.c
++++ b/drivers/media/i2c/ov5640.c
+@@ -3816,7 +3816,8 @@ static int ov5640_probe(struct i2c_client *client)
+ sensor->current_mode =
+ &ov5640_mode_data[OV5640_MODE_VGA_640_480];
+ sensor->last_mode = sensor->current_mode;
+- sensor->current_link_freq = OV5640_DEFAULT_LINK_FREQ;
++ sensor->current_link_freq =
++ ov5640_csi2_link_freqs[OV5640_DEFAULT_LINK_FREQ];
+
+ sensor->ae_target = 52;
+
+--
+2.35.1
+
--- /dev/null
+From 2a3eb23061a03f8d44ab18a3df1a194dd508fefc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 06:08:53 +0000
+Subject: media: platform: exynos4-is: Fix error handling in fimc_md_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit b434422c45282a0573d8123239abc41fa72665d4 ]
+
+A problem about modprobe s5p_fimc failed is triggered with the
+following log given:
+
+ [ 272.075275] Error: Driver 'exynos4-fimc' is already registered, aborting...
+ modprobe: ERROR: could not insert 's5p_fimc': Device or resource busy
+
+The reason is that fimc_md_init() returns platform_driver_register()
+directly without checking its return value, if platform_driver_register()
+failed, it returns without unregister fimc_driver, resulting the
+s5p_fimc can never be installed later.
+A simple call graph is shown as below:
+
+ fimc_md_init()
+ fimc_register_driver() # register fimc_driver
+ platform_driver_register()
+ platform_driver_register()
+ driver_register()
+ bus_add_driver()
+ dev = kzalloc(...) # OOM happened
+ # return without unregister fimc_driver
+
+Fix by unregister fimc_driver when platform_driver_register() returns
+error.
+
+Fixes: d3953223b090 ("[media] s5p-fimc: Add the media device driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/samsung/exynos4-is/fimc-core.c | 2 +-
+ drivers/media/platform/samsung/exynos4-is/media-dev.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/samsung/exynos4-is/fimc-core.c b/drivers/media/platform/samsung/exynos4-is/fimc-core.c
+index 91cc8d58a663..1791100b6935 100644
+--- a/drivers/media/platform/samsung/exynos4-is/fimc-core.c
++++ b/drivers/media/platform/samsung/exynos4-is/fimc-core.c
+@@ -1173,7 +1173,7 @@ int __init fimc_register_driver(void)
+ return platform_driver_register(&fimc_driver);
+ }
+
+-void __exit fimc_unregister_driver(void)
++void fimc_unregister_driver(void)
+ {
+ platform_driver_unregister(&fimc_driver);
+ }
+diff --git a/drivers/media/platform/samsung/exynos4-is/media-dev.c b/drivers/media/platform/samsung/exynos4-is/media-dev.c
+index 383a1e0ab912..2f3071acb9c9 100644
+--- a/drivers/media/platform/samsung/exynos4-is/media-dev.c
++++ b/drivers/media/platform/samsung/exynos4-is/media-dev.c
+@@ -1584,7 +1584,11 @@ static int __init fimc_md_init(void)
+ if (ret)
+ return ret;
+
+- return platform_driver_register(&fimc_md_driver);
++ ret = platform_driver_register(&fimc_md_driver);
++ if (ret)
++ fimc_unregister_driver();
++
++ return ret;
+ }
+
+ static void __exit fimc_md_exit(void)
+--
+2.35.1
+
--- /dev/null
+From 2d208262855d307b48824e0e8647629c32419160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 21:46:50 +0800
+Subject: media: platform: exynos4-is: fix return value check in
+ fimc_md_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e38e42c078da4af962d322b97e726dcb2f184e3f ]
+
+devm_pinctrl_get() may return ERR_PTR(-EPROBE_DEFER), add a minus sign
+to fix it.
+
+Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/samsung/exynos4-is/media-dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/samsung/exynos4-is/media-dev.c b/drivers/media/platform/samsung/exynos4-is/media-dev.c
+index 412213b0c384..383a1e0ab912 100644
+--- a/drivers/media/platform/samsung/exynos4-is/media-dev.c
++++ b/drivers/media/platform/samsung/exynos4-is/media-dev.c
+@@ -1472,7 +1472,7 @@ static int fimc_md_probe(struct platform_device *pdev)
+ pinctrl = devm_pinctrl_get(dev);
+ if (IS_ERR(pinctrl)) {
+ ret = PTR_ERR(pinctrl);
+- if (ret != EPROBE_DEFER)
++ if (ret != -EPROBE_DEFER)
+ dev_err(dev, "Failed to get pinctrl: %d\n", ret);
+ goto err_clk;
+ }
+--
+2.35.1
+
--- /dev/null
+From c4cc1bbc0deef49e892d0308f56be668706b9189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 10:02:17 +0200
+Subject: media: rkvdec: Add required padding
+
+From: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
+
+[ Upstream commit 00c47aa85bb26450edc6059c3d245de062e60b5d ]
+
+The addresses of two elements of the segmap[][] member are passed to the
+hardware which expects 128-bit aligned addresses. However, without this
+patch offsetof(struct rkvdec_vp9_priv_tbl, segmap[0]) is an odd number
+(2421) but the hardware just ignores the 5 least significant bits of the
+address. As a result, the hardware writes the segmentation map to incorrect
+locations.
+
+Inserting 11 bytes of padding corrects this situation by making the said
+addresses divisible by 16 (i.e. aligned on a 128-bit boundary).
+
+Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
+Fixes: f25709c4ff15 ("media: rkvdec: Add the VP9 backend")
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/media/rkvdec/rkvdec-vp9.c b/drivers/staging/media/rkvdec/rkvdec-vp9.c
+index d8c1c0db15c7..cfae99b40ccb 100644
+--- a/drivers/staging/media/rkvdec/rkvdec-vp9.c
++++ b/drivers/staging/media/rkvdec/rkvdec-vp9.c
+@@ -84,6 +84,8 @@ struct rkvdec_vp9_probs {
+ struct rkvdec_vp9_inter_frame_probs inter;
+ struct rkvdec_vp9_intra_only_frame_probs intra_only;
+ };
++ /* 128 bit alignment */
++ u8 padding1[11];
+ };
+
+ /* Data structure describing auxiliary buffer format. */
+@@ -1006,6 +1008,7 @@ static int rkvdec_vp9_start(struct rkvdec_ctx *ctx)
+
+ ctx->priv = vp9_ctx;
+
++ BUILD_BUG_ON(sizeof(priv_tbl->probs) % 16); /* ensure probs size is 128-bit aligned */
+ priv_tbl = dma_alloc_coherent(rkvdec->dev, sizeof(*priv_tbl),
+ &vp9_ctx->priv_tbl.dma, GFP_KERNEL);
+ if (!priv_tbl) {
+--
+2.35.1
+
--- /dev/null
+From 1e241e1d9467d65a168f908dbed5b1a946e88134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:50:23 +0000
+Subject: media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250
+ SoC
+
+From: Aakarsh Jain <aakarsh.jain@samsung.com>
+
+[ Upstream commit f50ebe10f5d8092c37e2bd430c78e03bf38b1e20 ]
+
+Commit 5441e9dafdfc6dc40 ("[media] s5p-mfc: Core support for MFC v7")
+which adds mfc v7 support for Exynos3250 and use the same compatible
+string as used by Exynos5240 but both the IPs are a bit different in
+terms of IP clock.
+Add variant driver data based on the new compatible string
+"samsung,exynos3250-mfc" for Exynos3250 SoC.
+
+Suggested-by: Alim Akhtar <alim.akhtar@samsung.com>
+Fixes: 5441e9dafdfc ("[media] s5p-mfc: Core support for MFC v7")
+Signed-off-by: Aakarsh Jain <aakarsh.jain@samsung.com>
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/platform/samsung/s5p-mfc/s5p_mfc.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c
+index f85d1eebafac..7bdbe767500e 100644
+--- a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c
+@@ -1576,8 +1576,18 @@ static struct s5p_mfc_variant mfc_drvdata_v7 = {
+ .port_num = MFC_NUM_PORTS_V7,
+ .buf_size = &buf_size_v7,
+ .fw_name[0] = "s5p-mfc-v7.fw",
+- .clk_names = {"mfc", "sclk_mfc"},
+- .num_clocks = 2,
++ .clk_names = {"mfc"},
++ .num_clocks = 1,
++};
++
++static struct s5p_mfc_variant mfc_drvdata_v7_3250 = {
++ .version = MFC_VERSION_V7,
++ .version_bit = MFC_V7_BIT,
++ .port_num = MFC_NUM_PORTS_V7,
++ .buf_size = &buf_size_v7,
++ .fw_name[0] = "s5p-mfc-v7.fw",
++ .clk_names = {"mfc", "sclk_mfc"},
++ .num_clocks = 2,
+ };
+
+ static struct s5p_mfc_buf_size_v6 mfc_buf_size_v8 = {
+@@ -1647,6 +1657,9 @@ static const struct of_device_id exynos_mfc_match[] = {
+ }, {
+ .compatible = "samsung,mfc-v7",
+ .data = &mfc_drvdata_v7,
++ }, {
++ .compatible = "samsung,exynos3250-mfc",
++ .data = &mfc_drvdata_v7_3250,
+ }, {
+ .compatible = "samsung,mfc-v8",
+ .data = &mfc_drvdata_v8,
+--
+2.35.1
+
--- /dev/null
+From a6dc96ade3795ed8bba3f7792ca47b58bd95ff3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 11:31:26 +0000
+Subject: media: saa7164: fix missing pci_disable_device()
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 57fb35d7542384cac8f198cd1c927540ad38b61a ]
+
+Add missing pci_disable_device() in the error path in saa7164_initdev().
+
+Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7164/saa7164-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-core.c b/drivers/media/pci/saa7164/saa7164-core.c
+index 7973ae42873a..c10997e2271d 100644
+--- a/drivers/media/pci/saa7164/saa7164-core.c
++++ b/drivers/media/pci/saa7164/saa7164-core.c
+@@ -1259,7 +1259,7 @@ static int saa7164_initdev(struct pci_dev *pci_dev,
+
+ if (saa7164_dev_setup(dev) < 0) {
+ err = -EINVAL;
+- goto fail_free;
++ goto fail_dev;
+ }
+
+ /* print pci info */
+@@ -1427,6 +1427,8 @@ static int saa7164_initdev(struct pci_dev *pci_dev,
+
+ fail_irq:
+ saa7164_dev_unregister(dev);
++fail_dev:
++ pci_disable_device(pci_dev);
+ fail_free:
+ v4l2_device_unregister(&dev->v4l2_dev);
+ kfree(dev);
+--
+2.35.1
+
--- /dev/null
+From 32bc32554b4c96854e6d9f46b2e282c028352fe5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 03:51:59 +0900
+Subject: media: si470x: Fix use-after-free in si470x_int_in_callback()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 7d21e0b1b41b21d628bf2afce777727bd4479aa5 ]
+
+syzbot reported use-after-free in si470x_int_in_callback() [1]. This
+indicates that urb->context, which contains struct si470x_device
+object, is freed when si470x_int_in_callback() is called.
+
+The cause of this issue is that si470x_int_in_callback() is called for
+freed urb.
+
+si470x_usb_driver_probe() calls si470x_start_usb(), which then calls
+usb_submit_urb() and si470x_start(). If si470x_start_usb() fails,
+si470x_usb_driver_probe() doesn't kill urb, but it just frees struct
+si470x_device object, as depicted below:
+
+si470x_usb_driver_probe()
+ ...
+ si470x_start_usb()
+ ...
+ usb_submit_urb()
+ retval = si470x_start()
+ return retval
+ if (retval < 0)
+ free struct si470x_device object, but don't kill urb
+
+This patch fixes this issue by killing urb when si470x_start_usb()
+fails and urb is submitted. If si470x_start_usb() fails and urb is
+not submitted, i.e. submitting usb fails, it just frees struct
+si470x_device object.
+
+Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=94ed6dddd5a55e90fd4bab942aa4bb297741d977 [1]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/si470x/radio-si470x-usb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
+index 6b2768623c88..aa7a580dbecc 100644
+--- a/drivers/media/radio/si470x/radio-si470x-usb.c
++++ b/drivers/media/radio/si470x/radio-si470x-usb.c
+@@ -727,8 +727,10 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
+
+ /* start radio */
+ retval = si470x_start_usb(radio);
+- if (retval < 0)
++ if (retval < 0 && !radio->int_in_running)
+ goto err_buf;
++ else if (retval < 0) /* in case of radio->int_in_running == 1 */
++ goto err_all;
+
+ /* set initial frequency */
+ si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
+--
+2.35.1
+
--- /dev/null
+From 714deb872a7b61d9b2bd48763b3f768bffc62cb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:24:23 +0800
+Subject: media: solo6x10: fix possible memory leak in solo_sysfs_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7f5866dd96d95b74e439f6ee17b8abd8195179fb ]
+
+If device_register() returns error in solo_sysfs_init(), the
+name allocated by dev_set_name() need be freed. As comment of
+device_register() says, it should use put_device() to give up
+the reference in the error path. So fix this by calling
+put_device(), then the name can be freed in kobject_cleanup().
+
+Fixes: dcae5dacbce5 ("[media] solo6x10: sync to latest code from Bluecherry's git repo")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/solo6x10/solo6x10-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/pci/solo6x10/solo6x10-core.c b/drivers/media/pci/solo6x10/solo6x10-core.c
+index 4a546eeefe38..6d87fbb0ee04 100644
+--- a/drivers/media/pci/solo6x10/solo6x10-core.c
++++ b/drivers/media/pci/solo6x10/solo6x10-core.c
+@@ -420,6 +420,7 @@ static int solo_sysfs_init(struct solo_dev *solo_dev)
+ solo_dev->nr_chans);
+
+ if (device_register(dev)) {
++ put_device(dev);
+ dev->parent = NULL;
+ return -ENOMEM;
+ }
+--
+2.35.1
+
--- /dev/null
+From 69ea540f5f0c52d2fb62fb51ab4ed33a4f0de9c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 16:58:33 +0100
+Subject: media: staging: stkwebcam: Restore MEDIA_{USB,CAMERA}_SUPPORT
+ dependencies
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit faaf901727eddcfbe889fe172ec9cdb5e63c8236 ]
+
+By moving support for the USB Syntek DC1125 Camera to staging, the
+dependencies on MEDIA_USB_SUPPORT and MEDIA_CAMERA_SUPPORT were lost.
+
+Fixes: 56280c64ecac ("media: stkwebcam: deprecate driver, move to staging")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/stkwebcam/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/stkwebcam/Kconfig b/drivers/staging/media/stkwebcam/Kconfig
+index 4450403dff41..7234498e634a 100644
+--- a/drivers/staging/media/stkwebcam/Kconfig
++++ b/drivers/staging/media/stkwebcam/Kconfig
+@@ -2,7 +2,7 @@
+ config VIDEO_STKWEBCAM
+ tristate "USB Syntek DC1125 Camera support (DEPRECATED)"
+ depends on VIDEO_DEV
+- depends on USB
++ depends on MEDIA_USB_SUPPORT && MEDIA_CAMERA_SUPPORT
+ help
+ Say Y here if you want to use this type of camera.
+ Supported devices are typically found in some Asus laptops,
+--
+2.35.1
+
--- /dev/null
+From 263aa63af54069660811eee24a068fb305beff96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 14:39:53 +0100
+Subject: media: sun6i-mipi-csi2: Register async subdev with no sensor attached
+
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+
+[ Upstream commit 67182951f1dde5a88479cf8befee5f32ea014a49 ]
+
+This allows the device to probe and register its async subdev without
+a sensor attached.
+
+The rationale is that the parent driver might otherwise wait for the
+subdev to be registered when it should be available (from the fwnode
+graph endpoint perspective). This is generally not problematic when
+the MIPI CSI-2 bridge is the only device attached to the parent, but
+in the case of a CSI controller that can feed from both MIPI CSI-2
+and parallel, it would prevent using the parallel sensor due to the
+parent waiting for the MIPI CSI-2 subdev to register.
+
+Fixes: af54b4f4c17f ("media: sunxi: Add support for the A31 MIPI CSI-2 controller")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c b/drivers/media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c
+index 340380a5f66f..484ac5f054d5 100644
+--- a/drivers/media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c
++++ b/drivers/media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c
+@@ -498,6 +498,7 @@ static int sun6i_mipi_csi2_bridge_setup(struct sun6i_mipi_csi2_device *csi2_dev)
+ struct v4l2_async_notifier *notifier = &bridge->notifier;
+ struct media_pad *pads = bridge->pads;
+ struct device *dev = csi2_dev->dev;
++ bool notifier_registered = false;
+ int ret;
+
+ mutex_init(&bridge->lock);
+@@ -535,12 +536,17 @@ static int sun6i_mipi_csi2_bridge_setup(struct sun6i_mipi_csi2_device *csi2_dev)
+ notifier->ops = &sun6i_mipi_csi2_notifier_ops;
+
+ ret = sun6i_mipi_csi2_bridge_source_setup(csi2_dev);
+- if (ret)
++ if (ret && ret != -ENODEV)
+ goto error_v4l2_notifier_cleanup;
+
+- ret = v4l2_async_subdev_nf_register(subdev, notifier);
+- if (ret < 0)
+- goto error_v4l2_notifier_cleanup;
++ /* Only register the notifier when a sensor is connected. */
++ if (ret != -ENODEV) {
++ ret = v4l2_async_subdev_nf_register(subdev, notifier);
++ if (ret < 0)
++ goto error_v4l2_notifier_cleanup;
++
++ notifier_registered = true;
++ }
+
+ /* V4L2 Subdev */
+
+@@ -551,7 +557,8 @@ static int sun6i_mipi_csi2_bridge_setup(struct sun6i_mipi_csi2_device *csi2_dev)
+ return 0;
+
+ error_v4l2_notifier_unregister:
+- v4l2_async_nf_unregister(notifier);
++ if (notifier_registered)
++ v4l2_async_nf_unregister(notifier);
+
+ error_v4l2_notifier_cleanup:
+ v4l2_async_nf_cleanup(notifier);
+--
+2.35.1
+
--- /dev/null
+From d69b480f7b1140ab847487709601dd63e6db4087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 14:39:51 +0100
+Subject: media: sun6i-mipi-csi2: Require both pads to be connected for
+ streaming
+
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+
+[ Upstream commit f042b08b833de3be810f8769d88ca44aeefd7eba ]
+
+The bridge needs both its pads connected to be able to stream data.
+Enforcing this is useful to produce an error when no sensor is
+connected.
+
+Fixes: af54b4f4c17f ("media: sunxi: Add support for the A31 MIPI CSI-2 controller")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c b/drivers/media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c
+index 30d6c0c5161f..340380a5f66f 100644
+--- a/drivers/media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c
++++ b/drivers/media/platform/sunxi/sun6i-mipi-csi2/sun6i_mipi_csi2.c
+@@ -519,8 +519,10 @@ static int sun6i_mipi_csi2_bridge_setup(struct sun6i_mipi_csi2_device *csi2_dev)
+
+ /* Media Pads */
+
+- pads[SUN6I_MIPI_CSI2_PAD_SINK].flags = MEDIA_PAD_FL_SINK;
+- pads[SUN6I_MIPI_CSI2_PAD_SOURCE].flags = MEDIA_PAD_FL_SOURCE;
++ pads[SUN6I_MIPI_CSI2_PAD_SINK].flags = MEDIA_PAD_FL_SINK |
++ MEDIA_PAD_FL_MUST_CONNECT;
++ pads[SUN6I_MIPI_CSI2_PAD_SOURCE].flags = MEDIA_PAD_FL_SOURCE |
++ MEDIA_PAD_FL_MUST_CONNECT;
+
+ ret = media_entity_pads_init(&subdev->entity, SUN6I_MIPI_CSI2_PAD_COUNT,
+ pads);
+--
+2.35.1
+
--- /dev/null
+From d782b9c3985719acc887d5639e2889da7bcee7fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 14:39:54 +0100
+Subject: media: sun8i-a83t-mipi-csi2: Register async subdev with no sensor
+ attached
+
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+
+[ Upstream commit 614f6e35a9e214c80270ab942bf58d85066a3e34 ]
+
+This allows the device to probe and register its async subdev without
+a sensor attached.
+
+The rationale is that the parent driver might otherwise wait for the
+subdev to be registered when it should be available (from the fwnode
+graph endpoint perspective). This is generally not problematic when
+the MIPI CSI-2 bridge is the only device attached to the parent, but
+in the case of a CSI controller that can feed from both MIPI CSI-2
+and parallel, it would prevent using the parallel sensor due to the
+parent waiting for the MIPI CSI-2 subdev to register.
+
+Fixes: 576d196c522b ("media: sunxi: Add support for the A83T MIPI CSI-2 controller")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/platform/sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c b/drivers/media/platform/sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c
+index 5e1c25db7bc4..d993c09a4820 100644
+--- a/drivers/media/platform/sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c
++++ b/drivers/media/platform/sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c
+@@ -536,6 +536,7 @@ sun8i_a83t_mipi_csi2_bridge_setup(struct sun8i_a83t_mipi_csi2_device *csi2_dev)
+ struct v4l2_async_notifier *notifier = &bridge->notifier;
+ struct media_pad *pads = bridge->pads;
+ struct device *dev = csi2_dev->dev;
++ bool notifier_registered = false;
+ int ret;
+
+ mutex_init(&bridge->lock);
+@@ -573,12 +574,17 @@ sun8i_a83t_mipi_csi2_bridge_setup(struct sun8i_a83t_mipi_csi2_device *csi2_dev)
+ notifier->ops = &sun8i_a83t_mipi_csi2_notifier_ops;
+
+ ret = sun8i_a83t_mipi_csi2_bridge_source_setup(csi2_dev);
+- if (ret)
++ if (ret && ret != -ENODEV)
+ goto error_v4l2_notifier_cleanup;
+
+- ret = v4l2_async_subdev_nf_register(subdev, notifier);
+- if (ret < 0)
+- goto error_v4l2_notifier_cleanup;
++ /* Only register the notifier when a sensor is connected. */
++ if (ret != -ENODEV) {
++ ret = v4l2_async_subdev_nf_register(subdev, notifier);
++ if (ret < 0)
++ goto error_v4l2_notifier_cleanup;
++
++ notifier_registered = true;
++ }
+
+ /* V4L2 Subdev */
+
+@@ -589,7 +595,8 @@ sun8i_a83t_mipi_csi2_bridge_setup(struct sun8i_a83t_mipi_csi2_device *csi2_dev)
+ return 0;
+
+ error_v4l2_notifier_unregister:
+- v4l2_async_nf_unregister(notifier);
++ if (notifier_registered)
++ v4l2_async_nf_unregister(notifier);
+
+ error_v4l2_notifier_cleanup:
+ v4l2_async_nf_cleanup(notifier);
+--
+2.35.1
+
--- /dev/null
+From bcb93aa67c93e0219a589c6a9312b0ea5596be6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 14:39:52 +0100
+Subject: media: sun8i-a83t-mipi-csi2: Require both pads to be connected for
+ streaming
+
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+
+[ Upstream commit 8985fc724ba89d9b00694304b3f9faf69f4073d0 ]
+
+The bridge needs both its pads connected to be able to stream data.
+Enforcing this is useful to produce an error when no sensor is
+connected.
+
+Fixes: 576d196c522b ("media: sunxi: Add support for the A83T MIPI CSI-2 controller")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c b/drivers/media/platform/sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c
+index b032ec13a683..5e1c25db7bc4 100644
+--- a/drivers/media/platform/sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c
++++ b/drivers/media/platform/sunxi/sun8i-a83t-mipi-csi2/sun8i_a83t_mipi_csi2.c
+@@ -557,8 +557,10 @@ sun8i_a83t_mipi_csi2_bridge_setup(struct sun8i_a83t_mipi_csi2_device *csi2_dev)
+
+ /* Media Pads */
+
+- pads[SUN8I_A83T_MIPI_CSI2_PAD_SINK].flags = MEDIA_PAD_FL_SINK;
+- pads[SUN8I_A83T_MIPI_CSI2_PAD_SOURCE].flags = MEDIA_PAD_FL_SOURCE;
++ pads[SUN8I_A83T_MIPI_CSI2_PAD_SINK].flags = MEDIA_PAD_FL_SINK |
++ MEDIA_PAD_FL_MUST_CONNECT;
++ pads[SUN8I_A83T_MIPI_CSI2_PAD_SOURCE].flags = MEDIA_PAD_FL_SOURCE |
++ MEDIA_PAD_FL_MUST_CONNECT;
+
+ ret = media_entity_pads_init(&subdev->entity,
+ SUN8I_A83T_MIPI_CSI2_PAD_COUNT, pads);
+--
+2.35.1
+
--- /dev/null
+From 6d82377c68473f3141290ec5bfc2690e5784fa36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 08:32:20 +0000
+Subject: media: v4l2-ctrls-api.c: add back dropped ctrl->is_new = 1
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 73278d483378cf850ade923a1107a70297b2602a ]
+
+The patch adding support for dynamically allocated arrays accidentally
+dropped the line setting ctrl->is_new to 1, thus new string values were
+always ignored.
+
+Fixes: fb582cba4492 ("media: v4l2-ctrls: add support for dynamically allocated arrays.")
+Reported-by: Alice Yuan <alice.yuan@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls-api.c b/drivers/media/v4l2-core/v4l2-ctrls-api.c
+index 50d012ba3c02..7781ebd7ee95 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c
+@@ -155,6 +155,7 @@ static int user_to_new(struct v4l2_ext_control *c, struct v4l2_ctrl *ctrl)
+ * then return an error.
+ */
+ if (strlen(ctrl->p_new.p_char) == ctrl->maximum && last)
++ ctrl->is_new = 1;
+ return -ERANGE;
+ }
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 017d166d7ce116b1df1a2d2d0a3fd4e124c622a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 19:31:51 +0300
+Subject: media: v4l2-ctrls: Fix off-by-one error in integer menu control check
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit b6bcdf763db1f5ea602bf876cfe91debfb3c7773 ]
+
+The V4L2 API defines the maximum value for an integer menu control as
+the number of elements minus one. The v4l2_ctrl_new_std_menu() validates
+this constraint with an off-by-one error. Fix it.
+
+Fixes: d1e9b7c12b74 ("[media] V4L: Add support for integer menu controls with standard menu items")
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+index 1f85828d6694..322f9f715b65 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+@@ -1762,7 +1762,7 @@ struct v4l2_ctrl *v4l2_ctrl_new_std_menu(struct v4l2_ctrl_handler *hdl,
+ else if (type == V4L2_CTRL_TYPE_INTEGER_MENU)
+ qmenu_int = v4l2_ctrl_get_int_menu(id, &qmenu_int_len);
+
+- if ((!qmenu && !qmenu_int) || (qmenu_int && max > qmenu_int_len)) {
++ if ((!qmenu && !qmenu_int) || (qmenu_int && max >= qmenu_int_len)) {
+ handler_set_err(hdl, -EINVAL);
+ return NULL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 2927e11717e68a3550ffc6dc58e80abce86ac0d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Oct 2022 11:11:05 +0200
+Subject: media: v4l2-ioctl.c: Unify YCbCr/YUV terms in format descriptions
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 6a394d563dffb60c150d87dc6678994ef8028c53 ]
+
+Format descriptions use YCbCr and YUV terms interchangeably. Let's unify
+them so they all use YUV. While YCbCr is actually correct term here, YUV
+is shorter and thus it also fixes too long description of P010 tiled
+format.
+
+Fixes: 3c8e19d3d3f9 ("media: Add P010 tiled format")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 34 ++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
+index e6fd355a2e92..de83714f0d40 100644
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -1347,23 +1347,23 @@ static void v4l_fill_fmtdesc(struct v4l2_fmtdesc *fmt)
+ case V4L2_PIX_FMT_YUV420: descr = "Planar YUV 4:2:0"; break;
+ case V4L2_PIX_FMT_HI240: descr = "8-bit Dithered RGB (BTTV)"; break;
+ case V4L2_PIX_FMT_M420: descr = "YUV 4:2:0 (M420)"; break;
+- case V4L2_PIX_FMT_NV12: descr = "Y/CbCr 4:2:0"; break;
+- case V4L2_PIX_FMT_NV21: descr = "Y/CrCb 4:2:0"; break;
+- case V4L2_PIX_FMT_NV16: descr = "Y/CbCr 4:2:2"; break;
+- case V4L2_PIX_FMT_NV61: descr = "Y/CrCb 4:2:2"; break;
+- case V4L2_PIX_FMT_NV24: descr = "Y/CbCr 4:4:4"; break;
+- case V4L2_PIX_FMT_NV42: descr = "Y/CrCb 4:4:4"; break;
+- case V4L2_PIX_FMT_P010: descr = "10-bit Y/CbCr 4:2:0"; break;
+- case V4L2_PIX_FMT_NV12_4L4: descr = "Y/CbCr 4:2:0 (4x4 Linear)"; break;
+- case V4L2_PIX_FMT_NV12_16L16: descr = "Y/CbCr 4:2:0 (16x16 Linear)"; break;
+- case V4L2_PIX_FMT_NV12_32L32: descr = "Y/CbCr 4:2:0 (32x32 Linear)"; break;
+- case V4L2_PIX_FMT_P010_4L4: descr = "10-bit Y/CbCr 4:2:0 (4x4 Linear)"; break;
+- case V4L2_PIX_FMT_NV12M: descr = "Y/CbCr 4:2:0 (N-C)"; break;
+- case V4L2_PIX_FMT_NV21M: descr = "Y/CrCb 4:2:0 (N-C)"; break;
+- case V4L2_PIX_FMT_NV16M: descr = "Y/CbCr 4:2:2 (N-C)"; break;
+- case V4L2_PIX_FMT_NV61M: descr = "Y/CrCb 4:2:2 (N-C)"; break;
+- case V4L2_PIX_FMT_NV12MT: descr = "Y/CbCr 4:2:0 (64x32 MB, N-C)"; break;
+- case V4L2_PIX_FMT_NV12MT_16X16: descr = "Y/CbCr 4:2:0 (16x16 MB, N-C)"; break;
++ case V4L2_PIX_FMT_NV12: descr = "Y/UV 4:2:0"; break;
++ case V4L2_PIX_FMT_NV21: descr = "Y/VU 4:2:0"; break;
++ case V4L2_PIX_FMT_NV16: descr = "Y/UV 4:2:2"; break;
++ case V4L2_PIX_FMT_NV61: descr = "Y/VU 4:2:2"; break;
++ case V4L2_PIX_FMT_NV24: descr = "Y/UV 4:4:4"; break;
++ case V4L2_PIX_FMT_NV42: descr = "Y/VU 4:4:4"; break;
++ case V4L2_PIX_FMT_P010: descr = "10-bit Y/UV 4:2:0"; break;
++ case V4L2_PIX_FMT_NV12_4L4: descr = "Y/UV 4:2:0 (4x4 Linear)"; break;
++ case V4L2_PIX_FMT_NV12_16L16: descr = "Y/UV 4:2:0 (16x16 Linear)"; break;
++ case V4L2_PIX_FMT_NV12_32L32: descr = "Y/UV 4:2:0 (32x32 Linear)"; break;
++ case V4L2_PIX_FMT_P010_4L4: descr = "10-bit Y/UV 4:2:0 (4x4 Linear)"; break;
++ case V4L2_PIX_FMT_NV12M: descr = "Y/UV 4:2:0 (N-C)"; break;
++ case V4L2_PIX_FMT_NV21M: descr = "Y/VU 4:2:0 (N-C)"; break;
++ case V4L2_PIX_FMT_NV16M: descr = "Y/UV 4:2:2 (N-C)"; break;
++ case V4L2_PIX_FMT_NV61M: descr = "Y/VU 4:2:2 (N-C)"; break;
++ case V4L2_PIX_FMT_NV12MT: descr = "Y/UV 4:2:0 (64x32 MB, N-C)"; break;
++ case V4L2_PIX_FMT_NV12MT_16X16: descr = "Y/UV 4:2:0 (16x16 MB, N-C)"; break;
+ case V4L2_PIX_FMT_YUV420M: descr = "Planar YUV 4:2:0 (N-C)"; break;
+ case V4L2_PIX_FMT_YVU420M: descr = "Planar YVU 4:2:0 (N-C)"; break;
+ case V4L2_PIX_FMT_YUV422M: descr = "Planar YUV 4:2:2 (N-C)"; break;
+--
+2.35.1
+
--- /dev/null
+From df3bd65782d5594777c05e2eefa09fcf71bdc70b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 11:39:07 +0100
+Subject: media: videobuf-dma-contig: use dma_mmap_coherent
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit b3dc3f8e49577840dc8ac8a365c5b3da4edb10b8 ]
+
+dma_alloc_coherent does not return a physical address, but a DMA address,
+which might be remapped or have an offset. Passing the DMA address to
+vm_iomap_memory is thus broken.
+
+Use the proper dma_mmap_coherent helper instead, and stop passing
+__GFP_COMP to dma_alloc_coherent, as the memory management inside the
+DMA allocator is hidden from the callers and does not require it.
+
+With this the gfp_t argument to __videobuf_dc_alloc can be removed and
+hard coded to GFP_KERNEL.
+
+Fixes: a8f3c203e19b ("[media] videobuf-dma-contig: add cache support")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/videobuf-dma-contig.c | 22 +++++++------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/videobuf-dma-contig.c b/drivers/media/v4l2-core/videobuf-dma-contig.c
+index 52312ce2ba05..f2c439359557 100644
+--- a/drivers/media/v4l2-core/videobuf-dma-contig.c
++++ b/drivers/media/v4l2-core/videobuf-dma-contig.c
+@@ -36,12 +36,11 @@ struct videobuf_dma_contig_memory {
+
+ static int __videobuf_dc_alloc(struct device *dev,
+ struct videobuf_dma_contig_memory *mem,
+- unsigned long size, gfp_t flags)
++ unsigned long size)
+ {
+ mem->size = size;
+- mem->vaddr = dma_alloc_coherent(dev, mem->size,
+- &mem->dma_handle, flags);
+-
++ mem->vaddr = dma_alloc_coherent(dev, mem->size, &mem->dma_handle,
++ GFP_KERNEL);
+ if (!mem->vaddr) {
+ dev_err(dev, "memory alloc size %ld failed\n", mem->size);
+ return -ENOMEM;
+@@ -258,8 +257,7 @@ static int __videobuf_iolock(struct videobuf_queue *q,
+ return videobuf_dma_contig_user_get(mem, vb);
+
+ /* allocate memory for the read() method */
+- if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(vb->size),
+- GFP_KERNEL))
++ if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(vb->size)))
+ return -ENOMEM;
+ break;
+ case V4L2_MEMORY_OVERLAY:
+@@ -295,22 +293,18 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q,
+ BUG_ON(!mem);
+ MAGIC_CHECK(mem->magic, MAGIC_DC_MEM);
+
+- if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(buf->bsize),
+- GFP_KERNEL | __GFP_COMP))
++ if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(buf->bsize)))
+ goto error;
+
+- /* Try to remap memory */
+- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+-
+ /* the "vm_pgoff" is just used in v4l2 to find the
+ * corresponding buffer data structure which is allocated
+ * earlier and it does not mean the offset from the physical
+ * buffer start address as usual. So set it to 0 to pass
+- * the sanity check in vm_iomap_memory().
++ * the sanity check in dma_mmap_coherent().
+ */
+ vma->vm_pgoff = 0;
+-
+- retval = vm_iomap_memory(vma, mem->dma_handle, mem->size);
++ retval = dma_mmap_coherent(q->dev, vma, mem->vaddr, mem->dma_handle,
++ mem->size);
+ if (retval) {
+ dev_err(q->dev, "mmap: remap failed with error %d. ",
+ retval);
+--
+2.35.1
+
--- /dev/null
+From 1c6af2e80f8014c4ae3854f3dcb63e3187cb4e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 15:06:30 +0800
+Subject: media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit ba8d9405935097e296bcf7a942c3a01df0edb865 ]
+
+KASAN reports a use-after-free:
+BUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core]
+Call Trace:
+ ...
+ dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core]
+ vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge]
+ platform_probe+0xb6/0x170
+ ...
+Allocated by task 1238:
+ ...
+ dvb_register_device+0x1a7/0xa70 [dvb_core]
+ dvb_dmxdev_init+0x2af/0x4a0 [dvb_core]
+ vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge]
+ ...
+Freed by task 1238:
+ dvb_register_device+0x6d2/0xa70 [dvb_core]
+ dvb_dmxdev_init+0x2af/0x4a0 [dvb_core]
+ vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge]
+ ...
+
+It is because the error handling in vidtv_bridge_dvb_init() is wrong.
+
+First, vidtv_bridge_dmx(dev)_init() will clean themselves when fail, but
+goto fail_dmx(_dev): calls release functions again, which causes
+use-after-free.
+
+Also, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause
+out-of-bound when i finished its loop (i == NUM_FE). And the loop
+releasing is wrong, although now NUM_FE is 1 so it won't cause problem.
+
+Fix this by correctly releasing everything.
+
+Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/test-drivers/vidtv/vidtv_bridge.c | 22 +++++++------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+index 82620613d56b..dff7265a42ca 100644
+--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+@@ -459,26 +459,20 @@ static int vidtv_bridge_dvb_init(struct vidtv_dvb *dvb)
+ for (j = j - 1; j >= 0; --j)
+ dvb->demux.dmx.remove_frontend(&dvb->demux.dmx,
+ &dvb->dmx_fe[j]);
+-fail_dmx_dev:
+ dvb_dmxdev_release(&dvb->dmx_dev);
+-fail_dmx:
++fail_dmx_dev:
+ dvb_dmx_release(&dvb->demux);
++fail_dmx:
++fail_demod_probe:
++ for (i = i - 1; i >= 0; --i) {
++ dvb_unregister_frontend(dvb->fe[i]);
+ fail_fe:
+- for (j = i; j >= 0; --j)
+- dvb_unregister_frontend(dvb->fe[j]);
++ dvb_module_release(dvb->i2c_client_tuner[i]);
+ fail_tuner_probe:
+- for (j = i; j >= 0; --j)
+- if (dvb->i2c_client_tuner[j])
+- dvb_module_release(dvb->i2c_client_tuner[j]);
+-
+-fail_demod_probe:
+- for (j = i; j >= 0; --j)
+- if (dvb->i2c_client_demod[j])
+- dvb_module_release(dvb->i2c_client_demod[j]);
+-
++ dvb_module_release(dvb->i2c_client_demod[i]);
++ }
+ fail_adapter:
+ dvb_unregister_adapter(&dvb->adapter);
+-
+ fail_i2c:
+ i2c_del_adapter(&dvb->i2c_adapter);
+
+--
+2.35.1
+
--- /dev/null
+From e5926b621d5b1d9e96ef2731999ffeb7b6c75432 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 07:26:33 +0000
+Subject: media: vimc: Fix wrong function called when vimc_init() fails
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit f74d3f326d1d5b8951ce263c59a121ecfa65e7c0 ]
+
+In vimc_init(), when platform_driver_register(&vimc_pdrv) fails,
+platform_driver_unregister(&vimc_pdrv) is wrongly called rather than
+platform_device_unregister(&vimc_pdev), which causes kernel warning:
+
+ Unexpected driver unregister!
+ WARNING: CPU: 1 PID: 14517 at drivers/base/driver.c:270 driver_unregister+0x8f/0xb0
+ RIP: 0010:driver_unregister+0x8f/0xb0
+ Call Trace:
+ <TASK>
+ vimc_init+0x7d/0x1000 [vimc]
+ do_one_initcall+0xd0/0x4e0
+ do_init_module+0x1cf/0x6b0
+ load_module+0x65c2/0x7820
+
+Fixes: 4a29b7090749 ("[media] vimc: Subdevices as modules")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/test-drivers/vimc/vimc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/test-drivers/vimc/vimc-core.c b/drivers/media/test-drivers/vimc/vimc-core.c
+index 2ae7a0f11ebf..e82cfa5ffbf4 100644
+--- a/drivers/media/test-drivers/vimc/vimc-core.c
++++ b/drivers/media/test-drivers/vimc/vimc-core.c
+@@ -433,7 +433,7 @@ static int __init vimc_init(void)
+ if (ret) {
+ dev_err(&vimc_pdev.dev,
+ "platform driver registration failed (err=%d)\n", ret);
+- platform_driver_unregister(&vimc_pdrv);
++ platform_device_unregister(&vimc_pdev);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 3c01dff74e7ee178cf08e90af1368291116080f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 20:38:55 +0800
+Subject: media: vivid: fix compose size exceed boundary
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 94a7ad9283464b75b12516c5512541d467cefcf8 ]
+
+syzkaller found a bug:
+
+ BUG: unable to handle page fault for address: ffffc9000a3b1000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0
+ Oops: 0002 [#1] PREEMPT SMP
+ CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ RIP: 0010:memcpy_erms+0x6/0x10
+[...]
+ Call Trace:
+ <TASK>
+ ? tpg_fill_plane_buffer+0x856/0x15b0
+ vivid_fillbuff+0x8ac/0x1110
+ vivid_thread_vid_cap_tick+0x361/0xc90
+ vivid_thread_vid_cap+0x21a/0x3a0
+ kthread+0x143/0x180
+ ret_from_fork+0x1f/0x30
+ </TASK>
+
+This is because we forget to check boundary after adjust compose->height
+int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem
+for this case.
+
+Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/test-drivers/vivid/vivid-vid-cap.c b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+index 99139a8cd4c4..331a3f4286d2 100644
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -961,6 +961,7 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection
+ if (dev->has_compose_cap) {
+ v4l2_rect_set_min_size(compose, &min_rect);
+ v4l2_rect_set_max_size(compose, &max_rect);
++ v4l2_rect_map_inside(compose, &fmt);
+ }
+ dev->fmt_cap_rect = fmt;
+ tpg_s_buf_height(&dev->tpg, fmt.height);
+--
+2.35.1
+
--- /dev/null
+From ca83b10bb455d5864fd2cb8ac24c3acfe84e5a80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 16:01:51 +0200
+Subject: memory: renesas-rpc-if: Clear HS bit during hardware initialization
+
+From: Cong Dang <cong.dang.xn@renesas.com>
+
+[ Upstream commit 5192481f908e576be42bd39ec12979b79e11f7e0 ]
+
+According to the datasheet, HS bit should be specified to 1 when using
+DMA transfer. As DMA transfer is not supported, it should be cleared to
+0.
+
+Previously, the driver relied on the HS bit being cleared by prior
+firmware but this is not always the case.
+
+Fix this by ensuring the bit is cleared during hardware initialization.
+
+Fixes: ca7d8b980b67 ("memory: add Renesas RPC-IF driver")
+Signed-off-by: Cong Dang <cong.dang.xn@renesas.com>
+Signed-off-by: Hai Pham <hai.pham.ud@renesas.com>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/08d9fb10b3051decebf871267a6e2e7cb2d4faf9.1665583089.git.geert+renesas@glider.be
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/renesas-rpc-if.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/memory/renesas-rpc-if.c b/drivers/memory/renesas-rpc-if.c
+index 4316988d791a..61c288d40375 100644
+--- a/drivers/memory/renesas-rpc-if.c
++++ b/drivers/memory/renesas-rpc-if.c
+@@ -317,6 +317,9 @@ int rpcif_hw_init(struct rpcif *rpc, bool hyperflash)
+ regmap_update_bits(rpc->regmap, RPCIF_PHYCNT, RPCIF_PHYCNT_PHYMEM_MASK,
+ RPCIF_PHYCNT_PHYMEM(hyperflash ? 3 : 0));
+
++ /* DMA Transfer is not supported */
++ regmap_update_bits(rpc->regmap, RPCIF_PHYCNT, RPCIF_PHYCNT_HS, 0);
++
+ if (rpc->type == RPCIF_RCAR_GEN3)
+ regmap_update_bits(rpc->regmap, RPCIF_PHYCNT,
+ RPCIF_PHYCNT_STRTIM(7), RPCIF_PHYCNT_STRTIM(7));
+--
+2.35.1
+
--- /dev/null
+From 6cb65b810e17a8cdb3be297f2d59b3728b1e08c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 09:25:58 +0800
+Subject: memstick/ms_block: Add check for alloc_ordered_workqueue
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 4f431a047a5c8698ed4b67e2760cfbeb5fffb69d ]
+
+As the alloc_ordered_workqueue may return NULL pointer, it should be better
+to add check for the return value. Moreover, the msb->io_queue should be
+freed if error occurs later.
+
+Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20221126012558.34374-1-jiasheng@iscas.ac.cn
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/core/ms_block.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c
+index ba8414519515..04115cd92433 100644
+--- a/drivers/memstick/core/ms_block.c
++++ b/drivers/memstick/core/ms_block.c
+@@ -2116,6 +2116,11 @@ static int msb_init_disk(struct memstick_dev *card)
+ dbg("Set total disk size to %lu sectors", capacity);
+
+ msb->io_queue = alloc_ordered_workqueue("ms_block", WQ_MEM_RECLAIM);
++ if (!msb->io_queue) {
++ rc = -ENOMEM;
++ goto out_cleanup_disk;
++ }
++
+ INIT_WORK(&msb->io_work, msb_io_work);
+ sg_init_table(msb->prealloc_sg, MS_BLOCK_MAX_SEGS+1);
+
+@@ -2125,10 +2130,12 @@ static int msb_init_disk(struct memstick_dev *card)
+ msb_start(card);
+ rc = device_add_disk(&card->dev, msb->disk, NULL);
+ if (rc)
+- goto out_cleanup_disk;
++ goto out_destroy_workqueue;
+ dbg("Disk added");
+ return 0;
+
++out_destroy_workqueue:
++ destroy_workqueue(msb->io_queue);
+ out_cleanup_disk:
+ put_disk(msb->disk);
+ out_free_tag_set:
+--
+2.35.1
+
--- /dev/null
+From 96c973a15f558f5aba992691fdcfe610b8476155 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Nov 2022 16:29:09 -0500
+Subject: mfd: axp20x: Do not sleep in the power off handler
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 3f37d4f695cff180033254b9ed5adc8ab927cba9 ]
+
+Since commit 856c288b0039 ("ARM: Use do_kernel_power_off()"), the
+function axp20x_power_off() now runs inside a RCU read-side critical
+section, so it is not allowed to call msleep(). Use mdelay() instead.
+
+Fixes: 856c288b0039 ("ARM: Use do_kernel_power_off()")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20221105212909.6526-1-samuel@sholland.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/axp20x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/axp20x.c b/drivers/mfd/axp20x.c
+index 88a212a8168c..880c41fa7021 100644
+--- a/drivers/mfd/axp20x.c
++++ b/drivers/mfd/axp20x.c
+@@ -842,7 +842,7 @@ static void axp20x_power_off(void)
+ AXP20X_OFF);
+
+ /* Give capacitors etc. time to drain to avoid kernel panic msg. */
+- msleep(500);
++ mdelay(500);
+ }
+
+ int axp20x_match_device(struct axp20x_dev *axp20x)
+--
+2.35.1
+
--- /dev/null
+From c455e1208637693c260922899f43d70b821ec475 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 10:19:21 +0200
+Subject: mfd: bd957x: Fix Kconfig dependency on REGMAP_IRQ
+
+From: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
+
+[ Upstream commit 85842c46fd47fa6bd78681c154223bed27d5fd19 ]
+
+The BD957x driver uses REGMAP_IRQ but does not 'select' to depend on
+it. This can cause build failures. Select REGMAP_IRQ for BD957X.
+
+Fixes: 0e9692607f94 ("mfd: bd9576: Add IRQ support")
+Signed-off-by: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/Y3SdCWkRr1L64SWK@dc75zzyyyyyyyyyyyyydt-3.rev.dnainternet.fi
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mfd/Kconfig b/drivers/mfd/Kconfig
+index abb58ab1a1a4..3e8becef3cb0 100644
+--- a/drivers/mfd/Kconfig
++++ b/drivers/mfd/Kconfig
+@@ -1968,6 +1968,7 @@ config MFD_ROHM_BD957XMUF
+ depends on I2C=y
+ depends on OF
+ select REGMAP_I2C
++ select REGMAP_IRQ
+ select MFD_CORE
+ help
+ Select this option to get support for the ROHM BD9576MUF and
+--
+2.35.1
+
--- /dev/null
+From ada8072a634cdefcb34a2c6f474f628e1ae67547 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 15:36:26 +0800
+Subject: mfd: pm8008: Fix return value check in pm8008_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 14f8c55d48e02157519fbcb3a5de557abd8a06e2 ]
+
+In case of error, the function devm_regmap_init_i2c() returns
+ERR_PTR() and never returns NULL. The NULL test in the return
+value check should be replaced with IS_ERR().
+
+Fixes: 6b149f3310a4 ("mfd: pm8008: Add driver for QCOM PM8008 PMIC")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Acked-by: Guru Das Srinagesh <gurus@codeaurora.org>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20221125073626.1868229-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/qcom-pm8008.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/qcom-pm8008.c b/drivers/mfd/qcom-pm8008.c
+index 4b8ff947762f..9f3c4a01b4c1 100644
+--- a/drivers/mfd/qcom-pm8008.c
++++ b/drivers/mfd/qcom-pm8008.c
+@@ -215,8 +215,8 @@ static int pm8008_probe(struct i2c_client *client)
+
+ dev = &client->dev;
+ regmap = devm_regmap_init_i2c(client, &qcom_mfd_regmap_cfg);
+- if (!regmap)
+- return -ENODEV;
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
+
+ i2c_set_clientdata(client, regmap);
+
+--
+2.35.1
+
--- /dev/null
+From ae3856dfdcf2d5c3468660a636e63d92c2200c3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 18:19:01 +0100
+Subject: mfd: qcom_rpm: Fix an error handling path in qcom_rpm_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 36579aca877a62f67ecd77eb3edefc4c86292406 ]
+
+If an error occurs after the clk_prepare_enable() call, a corresponding
+clk_disable_unprepare() should be called.
+
+Simplify code and switch to devm_clk_get_enabled() to fix it.
+
+Fixes: 3526403353c2 ("mfd: qcom_rpm: Handle message RAM clock")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/e39752476d02605b2be46cab7115f71255ce13a8.1668949256.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/qcom_rpm.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/mfd/qcom_rpm.c b/drivers/mfd/qcom_rpm.c
+index 71bc34b74bc9..ea5eb94427c4 100644
+--- a/drivers/mfd/qcom_rpm.c
++++ b/drivers/mfd/qcom_rpm.c
+@@ -547,7 +547,7 @@ static int qcom_rpm_probe(struct platform_device *pdev)
+ init_completion(&rpm->ack);
+
+ /* Enable message RAM clock */
+- rpm->ramclk = devm_clk_get(&pdev->dev, "ram");
++ rpm->ramclk = devm_clk_get_enabled(&pdev->dev, "ram");
+ if (IS_ERR(rpm->ramclk)) {
+ ret = PTR_ERR(rpm->ramclk);
+ if (ret == -EPROBE_DEFER)
+@@ -558,7 +558,6 @@ static int qcom_rpm_probe(struct platform_device *pdev)
+ */
+ rpm->ramclk = NULL;
+ }
+- clk_prepare_enable(rpm->ramclk); /* Accepts NULL */
+
+ irq_ack = platform_get_irq_byname(pdev, "ack");
+ if (irq_ack < 0)
+@@ -681,7 +680,6 @@ static int qcom_rpm_remove(struct platform_device *pdev)
+ struct qcom_rpm *rpm = dev_get_drvdata(&pdev->dev);
+
+ of_platform_depopulate(&pdev->dev);
+- clk_disable_unprepare(rpm->ramclk);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From c1a34c883d2fb4e8b5aeeb8e1788d3cf24338ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 13:05:50 +0300
+Subject: MIPS: BCM63xx: Add check for NULL for clk in clk_enable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+[ Upstream commit ee9ef11bd2a59c2fefaa0959e5efcdf040d7c654 ]
+
+Check clk for NULL before calling clk_enable_unlocked where clk
+is dereferenced. There is such check in other implementations
+of clk_enable.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs.")
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/bcm63xx/clk.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c
+index 6e6756e8fa0a..86a6e2590866 100644
+--- a/arch/mips/bcm63xx/clk.c
++++ b/arch/mips/bcm63xx/clk.c
+@@ -361,6 +361,8 @@ static struct clk clk_periph = {
+ */
+ int clk_enable(struct clk *clk)
+ {
++ if (!clk)
++ return 0;
+ mutex_lock(&clocks_mutex);
+ clk_enable_unlocked(clk);
+ mutex_unlock(&clocks_mutex);
+--
+2.35.1
+
--- /dev/null
+From 85d2598f4126619cc628c9e0a522ae537659d57b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 12:25:57 +0100
+Subject: MIPS: OCTEON: warn only once if deprecated link status is being used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+[ Upstream commit 4c587a982603d7e7e751b4925809a1512099a690 ]
+
+Avoid flooding kernel log with warnings.
+
+Fixes: 2c0756d306c2 ("MIPS: OCTEON: warn if deprecated link status is being used")
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/cavium-octeon/executive/cvmx-helper-board.c | 2 +-
+ arch/mips/cavium-octeon/executive/cvmx-helper.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper-board.c b/arch/mips/cavium-octeon/executive/cvmx-helper-board.c
+index d09d0769f549..0fd9ac76eb74 100644
+--- a/arch/mips/cavium-octeon/executive/cvmx-helper-board.c
++++ b/arch/mips/cavium-octeon/executive/cvmx-helper-board.c
+@@ -211,7 +211,7 @@ union cvmx_helper_link_info __cvmx_helper_board_link_get(int ipd_port)
+ {
+ union cvmx_helper_link_info result;
+
+- WARN(!octeon_is_simulation(),
++ WARN_ONCE(!octeon_is_simulation(),
+ "Using deprecated link status - please update your DT");
+
+ /* Unless we fix it later, all links are defaulted to down */
+diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper.c b/arch/mips/cavium-octeon/executive/cvmx-helper.c
+index 6f49fd9be1f3..9abfc4bf9bd8 100644
+--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
+@@ -1096,7 +1096,7 @@ union cvmx_helper_link_info cvmx_helper_link_get(int ipd_port)
+ if (index == 0)
+ result = __cvmx_helper_rgmii_link_get(ipd_port);
+ else {
+- WARN(1, "Using deprecated link status - please update your DT");
++ WARN_ONCE(1, "Using deprecated link status - please update your DT");
+ result.s.full_duplex = 1;
+ result.s.link_up = 1;
+ result.s.speed = 1000;
+--
+2.35.1
+
--- /dev/null
+From 07f470e7fba8121dc942712f6dc0eabf9474430c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:56:56 +1000
+Subject: mips: ralink: mt7621: define MT7621_SYSC_BASE with __iomem
+
+From: John Thomson <git@johnthomson.fastmail.com.au>
+
+[ Upstream commit a2cab953b4c077cc02878d424466d3a6eac32aaf ]
+
+So that MT7621_SYSC_BASE can be used later in multiple functions without
+needing to repeat this __iomem declaration each time
+
+Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Stable-dep-of: 7c18b64bba3b ("mips: ralink: mt7621: do not use kzalloc too early")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mach-ralink/mt7621.h | 4 +++-
+ arch/mips/ralink/mt7621.c | 7 +++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/mips/include/asm/mach-ralink/mt7621.h b/arch/mips/include/asm/mach-ralink/mt7621.h
+index 6bbf082dd149..79d5bb0e06d6 100644
+--- a/arch/mips/include/asm/mach-ralink/mt7621.h
++++ b/arch/mips/include/asm/mach-ralink/mt7621.h
+@@ -7,10 +7,12 @@
+ #ifndef _MT7621_REGS_H_
+ #define _MT7621_REGS_H_
+
++#define IOMEM(x) ((void __iomem *)(KSEG1ADDR(x)))
++
+ #define MT7621_PALMBUS_BASE 0x1C000000
+ #define MT7621_PALMBUS_SIZE 0x03FFFFFF
+
+-#define MT7621_SYSC_BASE 0x1E000000
++#define MT7621_SYSC_BASE IOMEM(0x1E000000)
+
+ #define SYSC_REG_CHIP_NAME0 0x00
+ #define SYSC_REG_CHIP_NAME1 0x04
+diff --git a/arch/mips/ralink/mt7621.c b/arch/mips/ralink/mt7621.c
+index fb0565bc34fd..17dbf28897e0 100644
+--- a/arch/mips/ralink/mt7621.c
++++ b/arch/mips/ralink/mt7621.c
+@@ -126,7 +126,6 @@ static void soc_dev_init(struct ralink_soc_info *soc_info, u32 rev)
+
+ void __init prom_soc_init(struct ralink_soc_info *soc_info)
+ {
+- void __iomem *sysc = (void __iomem *) KSEG1ADDR(MT7621_SYSC_BASE);
+ unsigned char *name = NULL;
+ u32 n0;
+ u32 n1;
+@@ -154,8 +153,8 @@ void __init prom_soc_init(struct ralink_soc_info *soc_info)
+ __sync();
+ }
+
+- n0 = __raw_readl(sysc + SYSC_REG_CHIP_NAME0);
+- n1 = __raw_readl(sysc + SYSC_REG_CHIP_NAME1);
++ n0 = __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_NAME0);
++ n1 = __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_NAME1);
+
+ if (n0 == MT7621_CHIP_NAME0 && n1 == MT7621_CHIP_NAME1) {
+ name = "MT7621";
+@@ -164,7 +163,7 @@ void __init prom_soc_init(struct ralink_soc_info *soc_info)
+ panic("mt7621: unknown SoC, n0:%08x n1:%08x\n", n0, n1);
+ }
+ ralink_soc = MT762X_SOC_MT7621AT;
+- rev = __raw_readl(sysc + SYSC_REG_CHIP_REV);
++ rev = __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_REV);
+
+ snprintf(soc_info->sys_type, RAMIPS_SYS_TYPE_LEN,
+ "MediaTek %s ver:%u eco:%u",
+--
+2.35.1
+
--- /dev/null
+From b53545c196d0a38af46828a7399f85c0ee6ea6d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:56:58 +1000
+Subject: mips: ralink: mt7621: do not use kzalloc too early
+
+From: John Thomson <git@johnthomson.fastmail.com.au>
+
+[ Upstream commit 7c18b64bba3bcad1be94b404f47b94a04b91ce79 ]
+
+With CONFIG_SLUB=y, following commit 6edf2576a6cc ("mm/slub: enable
+debugging memory wasting of kmalloc") mt7621 failed to boot very early,
+without showing any console messages.
+This exposed the pre-existing bug of mt7621.c using kzalloc before normal
+memory management was available.
+Prior to this slub change, there existed the unintended protection against
+"kmem_cache *s" being NULL as slab_pre_alloc_hook() happened to
+return NULL and bailed out of slab_alloc_node().
+This allowed mt7621 prom_soc_init to fail in the soc_dev_init kzalloc,
+but continue booting without the SOC_BUS driver device registered.
+
+Console output from a DEBUG_ZBOOT vmlinuz kernel loading,
+with mm/slub modified to warn on kmem_cache zero or null:
+
+zimage at: 80B842A0 810B4BC0
+Uncompressing Linux at load address 80001000
+Copy device tree to address 80B80EE0
+Now, booting the kernel...
+
+[ 0.000000] Linux version 6.1.0-rc3+ (john@john)
+(mipsel-buildroot-linux-gnu-gcc.br_real (Buildroot
+2021.11-4428-g6b6741b) 12.2.0, GNU ld (GNU Binutils) 2.39) #73 SMP Wed
+ Nov 2 05:10:01 AEST 2022
+[ 0.000000] ------------[ cut here ]------------
+[ 0.000000] WARNING: CPU: 0 PID: 0 at mm/slub.c:3416
+kmem_cache_alloc+0x5a4/0x5e8
+[ 0.000000] Modules linked in:
+[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.1.0-rc3+ #73
+[ 0.000000] Stack : 810fff78 80084d98 00000000 00000004 00000000
+00000000 80889d04 80c90000
+[ 0.000000] 80920000 807bd328 8089d368 80923bd3 00000000
+00000001 80889cb0 00000000
+[ 0.000000] 00000000 00000000 807bd328 8084bcb1 00000002
+00000002 00000001 6d6f4320
+[ 0.000000] 00000000 80c97d3d 80c97d68 fffffffc 807bd328
+00000000 00000000 00000000
+[ 0.000000] 00000000 a0000000 80910000 8110a0b4 00000000
+00000020 80010000 80010000
+[ 0.000000] ...
+[ 0.000000] Call Trace:
+[ 0.000000] [<80008260>] show_stack+0x28/0xf0
+[ 0.000000] [<8070c958>] dump_stack_lvl+0x60/0x80
+[ 0.000000] [<8002e184>] __warn+0xc4/0xf8
+[ 0.000000] [<8002e210>] warn_slowpath_fmt+0x58/0xa4
+[ 0.000000] [<801c0fac>] kmem_cache_alloc+0x5a4/0x5e8
+[ 0.000000] [<8092856c>] prom_soc_init+0x1fc/0x2b4
+[ 0.000000] [<80928060>] prom_init+0x44/0xf0
+[ 0.000000] [<80929214>] setup_arch+0x4c/0x6a8
+[ 0.000000] [<809257e0>] start_kernel+0x88/0x7c0
+[ 0.000000]
+[ 0.000000] ---[ end trace 0000000000000000 ]---
+[ 0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
+[ 0.000000] printk: bootconsole [early0] enabled
+
+Allowing soc_device_register to work exposed oops in the mt7621 phy pci,
+and pci controller drivers from soc_device_match_attr, due to missing
+sentinels in the quirks tables. These were fixed with:
+commit 819b885cd886 ("phy: ralink: mt7621-pci: add sentinel to quirks
+table")
+not yet applied ("PCI: mt7621: add sentinel to quirks table")
+
+Link: https://lore.kernel.org/linux-mm/becf2ac3-2a90-4f3a-96d9-a70f67c66e4a@app.fastmail.com/
+Fixes: 71b9b5e0130d ("MIPS: ralink: mt7621: introduce 'soc_device' initialization")
+Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/ralink/mt7621.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/arch/mips/ralink/mt7621.c b/arch/mips/ralink/mt7621.c
+index 6e126f570f0c..bbf5811afbf2 100644
+--- a/arch/mips/ralink/mt7621.c
++++ b/arch/mips/ralink/mt7621.c
+@@ -25,6 +25,7 @@
+ #define MT7621_MEM_TEST_PATTERN 0xaa5555aa
+
+ static u32 detect_magic __initdata;
++static struct ralink_soc_info *soc_info_ptr;
+
+ int pcibios_root_bridge_prepare(struct pci_host_bridge *bridge)
+ {
+@@ -147,27 +148,30 @@ static const char __init *mt7621_get_soc_revision(void)
+ return "E1";
+ }
+
+-static void soc_dev_init(struct ralink_soc_info *soc_info)
++static int __init mt7621_soc_dev_init(void)
+ {
+ struct soc_device *soc_dev;
+ struct soc_device_attribute *soc_dev_attr;
+
+ soc_dev_attr = kzalloc(sizeof(*soc_dev_attr), GFP_KERNEL);
+ if (!soc_dev_attr)
+- return;
++ return -ENOMEM;
+
+ soc_dev_attr->soc_id = "mt7621";
+ soc_dev_attr->family = "Ralink";
+ soc_dev_attr->revision = mt7621_get_soc_revision();
+
+- soc_dev_attr->data = soc_info;
++ soc_dev_attr->data = soc_info_ptr;
+
+ soc_dev = soc_device_register(soc_dev_attr);
+ if (IS_ERR(soc_dev)) {
+ kfree(soc_dev_attr);
+- return;
++ return PTR_ERR(soc_dev);
+ }
++
++ return 0;
+ }
++device_initcall(mt7621_soc_dev_init);
+
+ void __init prom_soc_init(struct ralink_soc_info *soc_info)
+ {
+@@ -209,7 +213,7 @@ void __init prom_soc_init(struct ralink_soc_info *soc_info)
+
+ soc_info->mem_detect = mt7621_memory_detect;
+
+- soc_dev_init(soc_info);
++ soc_info_ptr = soc_info;
+
+ if (!register_cps_smp_ops())
+ return;
+--
+2.35.1
+
--- /dev/null
+From ce113cd01e9961e01dbb0377b3adbc92db10567f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:56:57 +1000
+Subject: mips: ralink: mt7621: soc queries and tests as functions
+
+From: John Thomson <git@johnthomson.fastmail.com.au>
+
+[ Upstream commit b4767d4c072583dec987225b6fe3f5524a735f42 ]
+
+Move the SoC register value queries and tests to specific functions,
+to remove repetition of logic
+No functional changes intended
+
+Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Stable-dep-of: 7c18b64bba3b ("mips: ralink: mt7621: do not use kzalloc too early")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/ralink/mt7621.c | 86 +++++++++++++++++++++++++++------------
+ 1 file changed, 61 insertions(+), 25 deletions(-)
+
+diff --git a/arch/mips/ralink/mt7621.c b/arch/mips/ralink/mt7621.c
+index 17dbf28897e0..6e126f570f0c 100644
+--- a/arch/mips/ralink/mt7621.c
++++ b/arch/mips/ralink/mt7621.c
+@@ -97,7 +97,57 @@ void __init ralink_of_remap(void)
+ panic("Failed to remap core resources");
+ }
+
+-static void soc_dev_init(struct ralink_soc_info *soc_info, u32 rev)
++static unsigned int __init mt7621_get_soc_name0(void)
++{
++ return __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_NAME0);
++}
++
++static unsigned int __init mt7621_get_soc_name1(void)
++{
++ return __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_NAME1);
++}
++
++static bool __init mt7621_soc_valid(void)
++{
++ if (mt7621_get_soc_name0() == MT7621_CHIP_NAME0 &&
++ mt7621_get_soc_name1() == MT7621_CHIP_NAME1)
++ return true;
++ else
++ return false;
++}
++
++static const char __init *mt7621_get_soc_id(void)
++{
++ if (mt7621_soc_valid())
++ return "MT7621";
++ else
++ return "invalid";
++}
++
++static unsigned int __init mt7621_get_soc_rev(void)
++{
++ return __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_REV);
++}
++
++static unsigned int __init mt7621_get_soc_ver(void)
++{
++ return (mt7621_get_soc_rev() >> CHIP_REV_VER_SHIFT) & CHIP_REV_VER_MASK;
++}
++
++static unsigned int __init mt7621_get_soc_eco(void)
++{
++ return (mt7621_get_soc_rev() & CHIP_REV_ECO_MASK);
++}
++
++static const char __init *mt7621_get_soc_revision(void)
++{
++ if (mt7621_get_soc_rev() == 1 && mt7621_get_soc_eco() == 1)
++ return "E2";
++ else
++ return "E1";
++}
++
++static void soc_dev_init(struct ralink_soc_info *soc_info)
+ {
+ struct soc_device *soc_dev;
+ struct soc_device_attribute *soc_dev_attr;
+@@ -108,12 +158,7 @@ static void soc_dev_init(struct ralink_soc_info *soc_info, u32 rev)
+
+ soc_dev_attr->soc_id = "mt7621";
+ soc_dev_attr->family = "Ralink";
+-
+- if (((rev >> CHIP_REV_VER_SHIFT) & CHIP_REV_VER_MASK) == 1 &&
+- (rev & CHIP_REV_ECO_MASK) == 1)
+- soc_dev_attr->revision = "E2";
+- else
+- soc_dev_attr->revision = "E1";
++ soc_dev_attr->revision = mt7621_get_soc_revision();
+
+ soc_dev_attr->data = soc_info;
+
+@@ -126,11 +171,6 @@ static void soc_dev_init(struct ralink_soc_info *soc_info, u32 rev)
+
+ void __init prom_soc_init(struct ralink_soc_info *soc_info)
+ {
+- unsigned char *name = NULL;
+- u32 n0;
+- u32 n1;
+- u32 rev;
+-
+ /* Early detection of CMP support */
+ mips_cm_probe();
+ mips_cpc_probe();
+@@ -153,27 +193,23 @@ void __init prom_soc_init(struct ralink_soc_info *soc_info)
+ __sync();
+ }
+
+- n0 = __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_NAME0);
+- n1 = __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_NAME1);
+-
+- if (n0 == MT7621_CHIP_NAME0 && n1 == MT7621_CHIP_NAME1) {
+- name = "MT7621";
++ if (mt7621_soc_valid())
+ soc_info->compatible = "mediatek,mt7621-soc";
+- } else {
+- panic("mt7621: unknown SoC, n0:%08x n1:%08x\n", n0, n1);
+- }
++ else
++ panic("mt7621: unknown SoC, n0:%08x n1:%08x\n",
++ mt7621_get_soc_name0(),
++ mt7621_get_soc_name1());
+ ralink_soc = MT762X_SOC_MT7621AT;
+- rev = __raw_readl(MT7621_SYSC_BASE + SYSC_REG_CHIP_REV);
+
+ snprintf(soc_info->sys_type, RAMIPS_SYS_TYPE_LEN,
+ "MediaTek %s ver:%u eco:%u",
+- name,
+- (rev >> CHIP_REV_VER_SHIFT) & CHIP_REV_VER_MASK,
+- (rev & CHIP_REV_ECO_MASK));
++ mt7621_get_soc_id(),
++ mt7621_get_soc_ver(),
++ mt7621_get_soc_eco());
+
+ soc_info->mem_detect = mt7621_memory_detect;
+
+- soc_dev_init(soc_info, rev);
++ soc_dev_init(soc_info);
+
+ if (!register_cps_smp_ops())
+ return;
+--
+2.35.1
+
--- /dev/null
+From 6f9ff8bde2f52d6ff2e67406ad8b2290a8cd5c2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 11:39:45 +0800
+Subject: MIPS: vpe-cmp: fix possible memory leak while module exiting
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit c5ed1fe0801f0c66b0fbce2785239a5664629057 ]
+
+dev_set_name() allocates memory for name, it need be freed
+when module exiting, call put_device() to give up reference,
+so that it can be freed in kobject_cleanup() when the refcount
+hit to 0. The vpe_device is static, so remove kfree() from
+vpe_device_release().
+
+Fixes: 17a1d523aa58 ("MIPS: APRP: Add VPE loader support for CMP platforms.")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/vpe-cmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/kernel/vpe-cmp.c b/arch/mips/kernel/vpe-cmp.c
+index e673603e11e5..92140edb3ce3 100644
+--- a/arch/mips/kernel/vpe-cmp.c
++++ b/arch/mips/kernel/vpe-cmp.c
+@@ -75,7 +75,6 @@ ATTRIBUTE_GROUPS(vpe);
+
+ static void vpe_device_release(struct device *cd)
+ {
+- kfree(cd);
+ }
+
+ static struct class vpe_class = {
+@@ -157,6 +156,7 @@ int __init vpe_module_init(void)
+ device_del(&vpe_device);
+
+ out_class:
++ put_device(&vpe_device);
+ class_unregister(&vpe_class);
+
+ out_chrdev:
+@@ -169,7 +169,7 @@ void __exit vpe_module_exit(void)
+ {
+ struct vpe *v, *n;
+
+- device_del(&vpe_device);
++ device_unregister(&vpe_device);
+ class_unregister(&vpe_class);
+ unregister_chrdev(major, VPE_MODULE_NAME);
+
+--
+2.35.1
+
--- /dev/null
+From 5779dcf4d2c2b5e35434a6259e9cab4def6b8305 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 11:39:44 +0800
+Subject: MIPS: vpe-mt: fix possible memory leak while module exiting
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 5822e8cc84ee37338ab0bdc3124f6eec04dc232d ]
+
+Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
+bus_id string array"), the name of device is allocated dynamically,
+it need be freed when module exiting, call put_device() to give up
+reference, so that it can be freed in kobject_cleanup() when the
+refcount hit to 0. The vpe_device is static, so remove kfree() from
+vpe_device_release().
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/vpe-mt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c
+index bad6b0891b2b..84a82b551ec3 100644
+--- a/arch/mips/kernel/vpe-mt.c
++++ b/arch/mips/kernel/vpe-mt.c
+@@ -313,7 +313,6 @@ ATTRIBUTE_GROUPS(vpe);
+
+ static void vpe_device_release(struct device *cd)
+ {
+- kfree(cd);
+ }
+
+ static struct class vpe_class = {
+@@ -497,6 +496,7 @@ int __init vpe_module_init(void)
+ device_del(&vpe_device);
+
+ out_class:
++ put_device(&vpe_device);
+ class_unregister(&vpe_class);
+
+ out_chrdev:
+@@ -509,7 +509,7 @@ void __exit vpe_module_exit(void)
+ {
+ struct vpe *v, *n;
+
+- device_del(&vpe_device);
++ device_unregister(&vpe_device);
+ class_unregister(&vpe_class);
+ unregister_chrdev(major, VPE_MODULE_NAME);
+
+--
+2.35.1
+
--- /dev/null
+From 8c02317deaad943660938577808702e3f89367e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 22:59:29 +0800
+Subject: misc: ocxl: fix possible name leak in ocxl_file_register_afu()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit a4cb1004aeed2ab893a058fad00a5b41a12c4691 ]
+
+If device_register() returns error in ocxl_file_register_afu(),
+the name allocated by dev_set_name() need be freed. As comment
+of device_register() says, it should use put_device() to give
+up the reference in the error path. So fix this by calling
+put_device(), then the name can be freed in kobject_cleanup(),
+and info is freed in info_release().
+
+Fixes: 75ca758adbaf ("ocxl: Create a clear delineation between ocxl backend & frontend")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221111145929.2429271-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/ocxl/file.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/ocxl/file.c b/drivers/misc/ocxl/file.c
+index d46dba2df5a1..452d5777a0e4 100644
+--- a/drivers/misc/ocxl/file.c
++++ b/drivers/misc/ocxl/file.c
+@@ -541,8 +541,11 @@ int ocxl_file_register_afu(struct ocxl_afu *afu)
+ goto err_put;
+
+ rc = device_register(&info->dev);
+- if (rc)
+- goto err_put;
++ if (rc) {
++ free_minor(info);
++ put_device(&info->dev);
++ return rc;
++ }
+
+ rc = ocxl_sysfs_register_afu(info);
+ if (rc)
+--
+2.35.1
+
--- /dev/null
+From 69d9587517665a9a7b47151c100ee2668d577130 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 11:50:33 +0800
+Subject: misc: sgi-gru: fix use-after-free error in gru_set_context_option,
+ gru_fault and gru_handle_user_call_os
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc ]
+
+In some bad situation, the gts may be freed gru_check_chiplet_assignment.
+The call chain can be gru_unload_context->gru_free_gru_context->gts_drop
+and kfree finally. However, the caller didn't know if the gts is freed
+or not and use it afterwards. This will trigger a Use after Free bug.
+
+Fix it by introducing a return value to see if it's in error path or not.
+Free the gts in caller if gru_check_chiplet_assignment check failed.
+
+Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Acked-by: Dimitri Sivanich <sivanich@hpe.com>
+Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/sgi-gru/grufault.c | 13 +++++++++++--
+ drivers/misc/sgi-gru/grumain.c | 22 ++++++++++++++++++----
+ drivers/misc/sgi-gru/grutables.h | 2 +-
+ 3 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c
+index d7ef61e602ed..b836936e9747 100644
+--- a/drivers/misc/sgi-gru/grufault.c
++++ b/drivers/misc/sgi-gru/grufault.c
+@@ -648,6 +648,7 @@ int gru_handle_user_call_os(unsigned long cb)
+ if ((cb & (GRU_HANDLE_STRIDE - 1)) || ucbnum >= GRU_NUM_CB)
+ return -EINVAL;
+
++again:
+ gts = gru_find_lock_gts(cb);
+ if (!gts)
+ return -EINVAL;
+@@ -656,7 +657,11 @@ int gru_handle_user_call_os(unsigned long cb)
+ if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE)
+ goto exit;
+
+- gru_check_context_placement(gts);
++ if (gru_check_context_placement(gts)) {
++ gru_unlock_gts(gts);
++ gru_unload_context(gts, 1);
++ goto again;
++ }
+
+ /*
+ * CCH may contain stale data if ts_force_cch_reload is set.
+@@ -874,7 +879,11 @@ int gru_set_context_option(unsigned long arg)
+ } else {
+ gts->ts_user_blade_id = req.val1;
+ gts->ts_user_chiplet_id = req.val0;
+- gru_check_context_placement(gts);
++ if (gru_check_context_placement(gts)) {
++ gru_unlock_gts(gts);
++ gru_unload_context(gts, 1);
++ return ret;
++ }
+ }
+ break;
+ case sco_gseg_owner:
+diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c
+index 9afda47efbf2..3a16eb8e03f7 100644
+--- a/drivers/misc/sgi-gru/grumain.c
++++ b/drivers/misc/sgi-gru/grumain.c
+@@ -716,9 +716,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru,
+ * chiplet. Misassignment can occur if the process migrates to a different
+ * blade or if the user changes the selected blade/chiplet.
+ */
+-void gru_check_context_placement(struct gru_thread_state *gts)
++int gru_check_context_placement(struct gru_thread_state *gts)
+ {
+ struct gru_state *gru;
++ int ret = 0;
+
+ /*
+ * If the current task is the context owner, verify that the
+@@ -726,15 +727,23 @@ void gru_check_context_placement(struct gru_thread_state *gts)
+ * references. Pthread apps use non-owner references to the CBRs.
+ */
+ gru = gts->ts_gru;
++ /*
++ * If gru or gts->ts_tgid_owner isn't initialized properly, return
++ * success to indicate that the caller does not need to unload the
++ * gru context.The caller is responsible for their inspection and
++ * reinitialization if needed.
++ */
+ if (!gru || gts->ts_tgid_owner != current->tgid)
+- return;
++ return ret;
+
+ if (!gru_check_chiplet_assignment(gru, gts)) {
+ STAT(check_context_unload);
+- gru_unload_context(gts, 1);
++ ret = -EINVAL;
+ } else if (gru_retarget_intr(gts)) {
+ STAT(check_context_retarget_intr);
+ }
++
++ return ret;
+ }
+
+
+@@ -934,7 +943,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf)
+ mutex_lock(>s->ts_ctxlock);
+ preempt_disable();
+
+- gru_check_context_placement(gts);
++ if (gru_check_context_placement(gts)) {
++ preempt_enable();
++ mutex_unlock(>s->ts_ctxlock);
++ gru_unload_context(gts, 1);
++ return VM_FAULT_NOPAGE;
++ }
+
+ if (!gts->ts_gru) {
+ STAT(load_user_context);
+diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
+index 5efc869fe59a..f4a5a787685f 100644
+--- a/drivers/misc/sgi-gru/grutables.h
++++ b/drivers/misc/sgi-gru/grutables.h
+@@ -632,7 +632,7 @@ extern int gru_user_flush_tlb(unsigned long arg);
+ extern int gru_user_unload_context(unsigned long arg);
+ extern int gru_get_exception_detail(unsigned long arg);
+ extern int gru_set_context_option(unsigned long address);
+-extern void gru_check_context_placement(struct gru_thread_state *gts);
++extern int gru_check_context_placement(struct gru_thread_state *gts);
+ extern int gru_cpu_fault_map_id(void);
+ extern struct vm_area_struct *gru_find_vma(unsigned long vaddr);
+ extern void gru_flush_all_tlb(struct gru_state *gru);
+--
+2.35.1
+
--- /dev/null
+From 21d208c83a8575cbaa08a988c384aa3c30035229 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 14:47:25 +0800
+Subject: misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
+
+From: ruanjinjie <ruanjinjie@huawei.com>
+
+[ Upstream commit fd2c930cf6a5b9176382c15f9acb1996e76e25ad ]
+
+If device_register() returns error in tifm_7xx1_switch_media(),
+name of kobject which is allocated in dev_set_name() called in device_add()
+is leaked.
+
+Never directly free @dev after calling device_register(), even
+if it returned an error! Always use put_device() to give up the
+reference initialized.
+
+Fixes: 2428a8fe2261 ("tifm: move common device management tasks from tifm_7xx1 to tifm_core")
+Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20221117064725.3478402-1-ruanjinjie@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/tifm_7xx1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/tifm_7xx1.c b/drivers/misc/tifm_7xx1.c
+index 017c2f7d6287..7dd86a9858ab 100644
+--- a/drivers/misc/tifm_7xx1.c
++++ b/drivers/misc/tifm_7xx1.c
+@@ -190,7 +190,7 @@ static void tifm_7xx1_switch_media(struct work_struct *work)
+ spin_unlock_irqrestore(&fm->lock, flags);
+ }
+ if (sock)
+- tifm_free_device(&sock->dev);
++ put_device(&sock->dev);
+ }
+ spin_lock_irqsave(&fm->lock, flags);
+ }
+--
+2.35.1
+
--- /dev/null
+From 68174236feca283d69c3ab3e4a4ec805410cd071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 16:41:39 +0800
+Subject: mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under
+ spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1232946cf522b8de9e398828bde325d7c41f29dd ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+skb_queue_purge() is called under spin_lock_irqsave() in handle_dmsg()
+and hfcm_l1callback(), kfree_skb() is called in them, to fix this, use
+skb_queue_splice_init() to move the dch->squeue to a free queue, also
+enqueue the tx_skb and rx_skb, at last calling __skb_queue_purge() to
+free the SKBs afer unlock.
+
+Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcmulti.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
+index 4f7eaa17fb27..e840609c50eb 100644
+--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
+@@ -3217,6 +3217,7 @@ static int
+ hfcm_l1callback(struct dchannel *dch, u_int cmd)
+ {
+ struct hfc_multi *hc = dch->hw;
++ struct sk_buff_head free_queue;
+ u_long flags;
+
+ switch (cmd) {
+@@ -3245,6 +3246,7 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd)
+ l1_event(dch->l1, HW_POWERUP_IND);
+ break;
+ case HW_DEACT_REQ:
++ __skb_queue_head_init(&free_queue);
+ /* start deactivation */
+ spin_lock_irqsave(&hc->lock, flags);
+ if (hc->ctype == HFC_TYPE_E1) {
+@@ -3264,20 +3266,21 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd)
+ plxsd_checksync(hc, 0);
+ }
+ }
+- skb_queue_purge(&dch->squeue);
++ skb_queue_splice_init(&dch->squeue, &free_queue);
+ if (dch->tx_skb) {
+- dev_kfree_skb(dch->tx_skb);
++ __skb_queue_tail(&free_queue, dch->tx_skb);
+ dch->tx_skb = NULL;
+ }
+ dch->tx_idx = 0;
+ if (dch->rx_skb) {
+- dev_kfree_skb(dch->rx_skb);
++ __skb_queue_tail(&free_queue, dch->rx_skb);
+ dch->rx_skb = NULL;
+ }
+ test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
+ if (test_and_clear_bit(FLG_BUSY_TIMER, &dch->Flags))
+ del_timer(&dch->timer);
+ spin_unlock_irqrestore(&hc->lock, flags);
++ __skb_queue_purge(&free_queue);
+ break;
+ case HW_POWERUP_REQ:
+ spin_lock_irqsave(&hc->lock, flags);
+@@ -3384,6 +3387,9 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
+ case PH_DEACTIVATE_REQ:
+ test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
+ if (dch->dev.D.protocol != ISDN_P_TE_S0) {
++ struct sk_buff_head free_queue;
++
++ __skb_queue_head_init(&free_queue);
+ spin_lock_irqsave(&hc->lock, flags);
+ if (debug & DEBUG_HFCMULTI_MSG)
+ printk(KERN_DEBUG
+@@ -3405,14 +3411,14 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
+ /* deactivate */
+ dch->state = 1;
+ }
+- skb_queue_purge(&dch->squeue);
++ skb_queue_splice_init(&dch->squeue, &free_queue);
+ if (dch->tx_skb) {
+- dev_kfree_skb(dch->tx_skb);
++ __skb_queue_tail(&free_queue, dch->tx_skb);
+ dch->tx_skb = NULL;
+ }
+ dch->tx_idx = 0;
+ if (dch->rx_skb) {
+- dev_kfree_skb(dch->rx_skb);
++ __skb_queue_tail(&free_queue, dch->rx_skb);
+ dch->rx_skb = NULL;
+ }
+ test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
+@@ -3424,6 +3430,7 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
+ #endif
+ ret = 0;
+ spin_unlock_irqrestore(&hc->lock, flags);
++ __skb_queue_purge(&free_queue);
+ } else
+ ret = l1_event(dch->l1, hh->prim);
+ break;
+--
+2.35.1
+
--- /dev/null
+From 109d03a157287c1f52049df5ddc275284ad12b61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 16:41:38 +0800
+Subject: mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under
+ spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f0f596bd75a9d573ca9b587abb39cee0b916bb82 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+skb_queue_purge() is called under spin_lock_irqsave() in hfcpci_l2l1D(),
+kfree_skb() is called in it, to fix this, use skb_queue_splice_init()
+to move the dch->squeue to a free queue, also enqueue the tx_skb and
+rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock.
+
+Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcpci.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
+index af17459c1a5c..eba58b99cd29 100644
+--- a/drivers/isdn/hardware/mISDN/hfcpci.c
++++ b/drivers/isdn/hardware/mISDN/hfcpci.c
+@@ -1617,16 +1617,19 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
+ test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
+ spin_lock_irqsave(&hc->lock, flags);
+ if (hc->hw.protocol == ISDN_P_NT_S0) {
++ struct sk_buff_head free_queue;
++
++ __skb_queue_head_init(&free_queue);
+ /* prepare deactivation */
+ Write_hfc(hc, HFCPCI_STATES, 0x40);
+- skb_queue_purge(&dch->squeue);
++ skb_queue_splice_init(&dch->squeue, &free_queue);
+ if (dch->tx_skb) {
+- dev_kfree_skb(dch->tx_skb);
++ __skb_queue_tail(&free_queue, dch->tx_skb);
+ dch->tx_skb = NULL;
+ }
+ dch->tx_idx = 0;
+ if (dch->rx_skb) {
+- dev_kfree_skb(dch->rx_skb);
++ __skb_queue_tail(&free_queue, dch->rx_skb);
+ dch->rx_skb = NULL;
+ }
+ test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
+@@ -1639,10 +1642,12 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
+ hc->hw.mst_m &= ~HFCPCI_MASTER;
+ Write_hfc(hc, HFCPCI_MST_MODE, hc->hw.mst_m);
+ ret = 0;
++ spin_unlock_irqrestore(&hc->lock, flags);
++ __skb_queue_purge(&free_queue);
+ } else {
+ ret = l1_event(dch->l1, hh->prim);
++ spin_unlock_irqrestore(&hc->lock, flags);
+ }
+- spin_unlock_irqrestore(&hc->lock, flags);
+ break;
+ }
+ if (!ret)
+--
+2.35.1
+
--- /dev/null
+From 1666975f6411cbb0fe9e1a89c9d5adc976fc1546 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 16:41:37 +0800
+Subject: mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under
+ spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ddc9648db162eee556edd5222d2808fe33730203 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
+The difference between them is free reason, dev_kfree_skb_irq() means
+the SKB is dropped in error and dev_consume_skb_irq() means the SKB
+is consumed in normal.
+
+skb_queue_purge() is called under spin_lock_irqsave() in hfcusb_l2l1D(),
+kfree_skb() is called in it, to fix this, use skb_queue_splice_init()
+to move the dch->squeue to a free queue, also enqueue the tx_skb and
+rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock.
+
+In tx_iso_complete(), dev_kfree_skb() is called to consume the transmitted
+SKB, so replace it with dev_consume_skb_irq().
+
+Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index 651f2f8f685b..1efd17979f24 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -326,20 +326,24 @@ hfcusb_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
+ test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
+
+ if (hw->protocol == ISDN_P_NT_S0) {
++ struct sk_buff_head free_queue;
++
++ __skb_queue_head_init(&free_queue);
+ hfcsusb_ph_command(hw, HFC_L1_DEACTIVATE_NT);
+ spin_lock_irqsave(&hw->lock, flags);
+- skb_queue_purge(&dch->squeue);
++ skb_queue_splice_init(&dch->squeue, &free_queue);
+ if (dch->tx_skb) {
+- dev_kfree_skb(dch->tx_skb);
++ __skb_queue_tail(&free_queue, dch->tx_skb);
+ dch->tx_skb = NULL;
+ }
+ dch->tx_idx = 0;
+ if (dch->rx_skb) {
+- dev_kfree_skb(dch->rx_skb);
++ __skb_queue_tail(&free_queue, dch->rx_skb);
+ dch->rx_skb = NULL;
+ }
+ test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
+ spin_unlock_irqrestore(&hw->lock, flags);
++ __skb_queue_purge(&free_queue);
+ #ifdef FIXME
+ if (test_and_clear_bit(FLG_L1_BUSY, &dch->Flags))
+ dchannel_sched_event(&hc->dch, D_CLEARBUSY);
+@@ -1330,7 +1334,7 @@ tx_iso_complete(struct urb *urb)
+ printk("\n");
+ }
+
+- dev_kfree_skb(tx_skb);
++ dev_consume_skb_irq(tx_skb);
+ tx_skb = NULL;
+ if (fifo->dch && get_next_dframe(fifo->dch))
+ tx_skb = fifo->dch->tx_skb;
+--
+2.35.1
+
--- /dev/null
+From babf79a286025137cd297197b77314180720f581 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:15 +0800
+Subject: mmc: alcor: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e93d1468f429475a753d6baa79b853b7ee5ef8c0 ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and calling mmc_free_host() in the
+error path.
+
+Fixes: c5413ad815a6 ("mmc: add new Alcor Micro Cardreader SD/MMC driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-2-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/alcor.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/alcor.c b/drivers/mmc/host/alcor.c
+index bfb8efeb7eb8..d01df01d4b4d 100644
+--- a/drivers/mmc/host/alcor.c
++++ b/drivers/mmc/host/alcor.c
+@@ -1114,7 +1114,10 @@ static int alcor_pci_sdmmc_drv_probe(struct platform_device *pdev)
+ alcor_hw_init(host);
+
+ dev_set_drvdata(&pdev->dev, host);
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto free_host;
++
+ return 0;
+
+ free_host:
+--
+2.35.1
+
--- /dev/null
+From a908e5396533d66473dc3f638b90bf47a6135b81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 20:28:19 +0800
+Subject: mmc: atmel-mci: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 9e6e8c43726673ca2abcaac87640b9215fd72f4c ]
+
+mmc_add_host() may return error, if we ignore its return value,
+it will lead two issues:
+1. The memory that allocated in mmc_alloc_host() is leaked.
+2. In the remove() path, mmc_remove_host() will be called to
+ delete device, but it's not added yet, it will lead a kernel
+ crash because of null-ptr-deref in device_del().
+
+So fix this by checking the return value and calling mmc_free_host()
+in the error path.
+
+Fixes: 7d2be0749a59 ("atmel-mci: Driver for Atmel on-chip MMC controllers")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221108122819.429975-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/atmel-mci.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c
+index 91d52ba7a39f..bb9bbf1c927b 100644
+--- a/drivers/mmc/host/atmel-mci.c
++++ b/drivers/mmc/host/atmel-mci.c
+@@ -2222,6 +2222,7 @@ static int atmci_init_slot(struct atmel_mci *host,
+ {
+ struct mmc_host *mmc;
+ struct atmel_mci_slot *slot;
++ int ret;
+
+ mmc = mmc_alloc_host(sizeof(struct atmel_mci_slot), &host->pdev->dev);
+ if (!mmc)
+@@ -2305,11 +2306,13 @@ static int atmci_init_slot(struct atmel_mci *host,
+
+ host->slot[id] = slot;
+ mmc_regulator_get_supply(mmc);
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret) {
++ mmc_free_host(mmc);
++ return ret;
++ }
+
+ if (gpio_is_valid(slot->detect_pin)) {
+- int ret;
+-
+ timer_setup(&slot->detect_timer, atmci_detect_change, 0);
+
+ ret = request_irq(gpio_to_irq(slot->detect_pin),
+--
+2.35.1
+
--- /dev/null
+From 6e45dab975608898eeecfc564188687301e8cc30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 21:49:20 +0800
+Subject: mmc: core: Normalize the error handling branch in sd_read_ext_regs()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit fc02e2b52389c8fde02852b2f959c0b45f042bbd ]
+
+Let's use pr_err() to output the error messages and let's extend a comment
+to clarify why returning 0 (success) in one case make sense.
+
+Fixes: c784f92769ae ("mmc: core: Read the SD function extension registers for power management")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+[Ulf: Clarified the comment and the commit-msg]
+Link: https://lore.kernel.org/r/20221130134920.2109-1-thunder.leizhen@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/sd.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c
+index 3662bf5320ce..72b664ed90cf 100644
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -1259,7 +1259,7 @@ static int sd_read_ext_regs(struct mmc_card *card)
+ */
+ err = sd_read_ext_reg(card, 0, 0, 0, 512, gen_info_buf);
+ if (err) {
+- pr_warn("%s: error %d reading general info of SD ext reg\n",
++ pr_err("%s: error %d reading general info of SD ext reg\n",
+ mmc_hostname(card->host), err);
+ goto out;
+ }
+@@ -1273,7 +1273,12 @@ static int sd_read_ext_regs(struct mmc_card *card)
+ /* Number of extensions to be find. */
+ num_ext = gen_info_buf[4];
+
+- /* We support revision 0, but limit it to 512 bytes for simplicity. */
++ /*
++ * We only support revision 0 and limit it to 512 bytes for simplicity.
++ * No matter what, let's return zero to allow us to continue using the
++ * card, even if we can't support the features from the SD function
++ * extensions registers.
++ */
+ if (rev != 0 || len > 512) {
+ pr_warn("%s: non-supported SD ext reg layout\n",
+ mmc_hostname(card->host));
+@@ -1288,7 +1293,7 @@ static int sd_read_ext_regs(struct mmc_card *card)
+ for (i = 0; i < num_ext; i++) {
+ err = sd_parse_ext_reg(card, gen_info_buf, &next_ext_addr);
+ if (err) {
+- pr_warn("%s: error %d parsing SD ext reg\n",
++ pr_err("%s: error %d parsing SD ext reg\n",
+ mmc_hostname(card->host), err);
+ goto out;
+ }
+--
+2.35.1
+
--- /dev/null
+From 90cc047409db8f72faad7e4aa2f7021ef3a41857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 17:10:33 +0900
+Subject: mmc: f-sdh30: Add quirks for broken timeout clock capability
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit aae9d3a440736691b3c1cb09ae2c32c4f1ee2e67 ]
+
+There is a case where the timeout clock is not supplied to the capability.
+Add a quirk for that.
+
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Acked-by: Jassi Brar <jaswinder.singh@linaro.org>
+Link: https://lore.kernel.org/r/20221111081033.3813-7-hayashi.kunihiko@socionext.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci_f_sdh30.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci_f_sdh30.c b/drivers/mmc/host/sdhci_f_sdh30.c
+index 3f5977979cf2..6c4f43e11282 100644
+--- a/drivers/mmc/host/sdhci_f_sdh30.c
++++ b/drivers/mmc/host/sdhci_f_sdh30.c
+@@ -168,6 +168,9 @@ static int sdhci_f_sdh30_probe(struct platform_device *pdev)
+ if (reg & SDHCI_CAN_DO_8BIT)
+ priv->vendor_hs200 = F_SDH30_EMMC_HS200;
+
++ if (!(reg & SDHCI_TIMEOUT_CLK_MASK))
++ host->quirks |= SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK;
++
+ ret = sdhci_add_host(host);
+ if (ret)
+ goto err_add_host;
+--
+2.35.1
+
--- /dev/null
+From d4c8ac90a1e6a9243c54187c6b617c0decbd3f03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 10:55:16 -0500
+Subject: mmc: litex_mmc: ensure `host->irq == 0` if polling
+
+From: Gabriel Somlo <gsomlo@gmail.com>
+
+[ Upstream commit 5c1a2b77cd1b59112cf22b3e338f7e416797ad32 ]
+
+Ensure the flag is explicitly set to 0 if we determine that polling is
+needed during driver probe, to cover all possible cases.
+
+Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
+Signed-off-by: Gabriel Somlo <gsomlo@gmail.com>
+Link: https://lore.kernel.org/r/20221107155516.2535912-1-gsomlo@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/litex_mmc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/litex_mmc.c b/drivers/mmc/host/litex_mmc.c
+index 6ba0d63b8c07..39c6707fdfdb 100644
+--- a/drivers/mmc/host/litex_mmc.c
++++ b/drivers/mmc/host/litex_mmc.c
+@@ -502,6 +502,7 @@ static int litex_mmc_irq_init(struct platform_device *pdev,
+
+ use_polling:
+ host->mmc->caps |= MMC_CAP_NEEDS_POLL;
++ host->irq = 0;
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 471c4f4d21b59f773615484d702ed9da08169662 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 20:34:17 +0800
+Subject: mmc: meson-gx: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e ]
+
+mmc_add_host() may return error, if we ignore its return value,
+it will lead two issues:
+1. The memory that allocated in mmc_alloc_host() is leaked.
+2. In the remove() path, mmc_remove_host() will be called to
+ delete device, but it's not added yet, it will lead a kernel
+ crash because of null-ptr-deref in device_del().
+
+Fix this by checking the return value and goto error path which
+will call mmc_free_host().
+
+Fixes: 51c5d8447bd7 ("MMC: meson: initial support for GX platforms")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20221108123417.479045-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/meson-gx-mmc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/meson-gx-mmc.c b/drivers/mmc/host/meson-gx-mmc.c
+index fc462995cf94..4fd3d545e408 100644
+--- a/drivers/mmc/host/meson-gx-mmc.c
++++ b/drivers/mmc/host/meson-gx-mmc.c
+@@ -1291,7 +1291,9 @@ static int meson_mmc_probe(struct platform_device *pdev)
+ }
+
+ mmc->ops = &meson_mmc_ops;
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto err_free_irq;
+
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From 5cbcfee7aa18631bd92cc10a8421dfbea2298546 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 21:35:39 +0800
+Subject: mmc: mmci: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b38a20f29a49ae04d23750d104b25400b792b98c ]
+
+mmc_add_host() may return error, if we ignore its return value,
+it will lead two issues:
+1. The memory that allocated in mmc_alloc_host() is leaked.
+2. In the remove() path, mmc_remove_host() will be called to
+ delete device, but it's not added yet, it will lead a kernel
+ crash because of null-ptr-deref in device_del().
+
+So fix this by checking the return value and goto error path which
+will call mmc_free_host().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221109133539.3275664-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
+index 012aa85489d8..b9e5dfe74e5c 100644
+--- a/drivers/mmc/host/mmci.c
++++ b/drivers/mmc/host/mmci.c
+@@ -2256,7 +2256,9 @@ static int mmci_probe(struct amba_device *dev,
+ pm_runtime_set_autosuspend_delay(&dev->dev, 50);
+ pm_runtime_use_autosuspend(&dev->dev);
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto clk_disable;
+
+ pm_runtime_put(&dev->dev);
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 42c78dad3b58ff85207e2780a3fbb5dee6fcb358 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:16 +0800
+Subject: mmc: moxart: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0ca18d09c744fb030ae9bc5836c3e357e0237dea ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and goto error path which will call
+mmc_free_host().
+
+Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-3-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/moxart-mmc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
+index dfc3ffd5b1f8..52ed30f2d9f4 100644
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -665,7 +665,9 @@ static int moxart_probe(struct platform_device *pdev)
+ goto out;
+
+ dev_set_drvdata(dev, mmc);
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto out;
+
+ dev_dbg(dev, "IRQ=%d, FIFO is %d bytes\n", irq, host->fifo_width);
+
+--
+2.35.1
+
--- /dev/null
+From e2cd5bd3f88fb59e7a599b6d16494022c73825b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:17 +0800
+Subject: mmc: mxcmmc: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit cde600af7b413c9fe03e85c58c4279df90e91d13 ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and goto error path which will call
+mmc_free_host().
+
+Fixes: d96be879ff46 ("mmc: Add a MX2/MX3 specific SDHC driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-4-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mxcmmc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mxcmmc.c b/drivers/mmc/host/mxcmmc.c
+index 2cf0413407ea..668f865f3efb 100644
+--- a/drivers/mmc/host/mxcmmc.c
++++ b/drivers/mmc/host/mxcmmc.c
+@@ -1143,7 +1143,9 @@ static int mxcmci_probe(struct platform_device *pdev)
+
+ timer_setup(&host->watchdog, mxcmci_watchdog, 0);
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto out_free_dma;
+
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From dea3e7ec8a50561d43c681f0f6f2be18b49a7d38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 20:13:16 +0800
+Subject: mmc: omap_hsmmc: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit a525cad241c339ca00bf7ebf03c5180f2a9b767c ]
+
+mmc_add_host() may return error, if we ignore its return value,
+it will lead two issues:
+1. The memory that allocated in mmc_alloc_host() is leaked.
+2. In the remove() path, mmc_remove_host() will be called to
+ delete device, but it's not added yet, it will lead a kernel
+ crash because of null-ptr-deref in device_del().
+
+Fix this by checking the return value and goto error path wihch
+will call mmc_free_host().
+
+Fixes: a45c6cb81647 ("[ARM] 5369/1: omap mmc: Add new omap hsmmc controller for 2430 and 34xx, v3")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221108121316.340354-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/omap_hsmmc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
+index fca30add563e..4bd744755205 100644
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -1946,7 +1946,9 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
+ if (!ret)
+ mmc->caps |= MMC_CAP_SDIO_IRQ;
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto err_irq;
+
+ if (mmc_pdata(host)->name != NULL) {
+ ret = device_create_file(&mmc->class_dev, &dev_attr_slot_name);
+--
+2.35.1
+
--- /dev/null
+From 49e1c7f5e4f02f7f8bf1c05fc98703d8d745e290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:18 +0800
+Subject: mmc: pxamci: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 80e1ef3afb8bfbe768380b70ffe1b6cab87d1a3b ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and goto error path which will call
+mmc_free_host(), besides, ->exit() need be called to uninit the pdata.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-5-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/pxamci.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/pxamci.c b/drivers/mmc/host/pxamci.c
+index e4003f6058eb..2a988f942b6c 100644
+--- a/drivers/mmc/host/pxamci.c
++++ b/drivers/mmc/host/pxamci.c
+@@ -763,7 +763,12 @@ static int pxamci_probe(struct platform_device *pdev)
+ dev_warn(dev, "gpio_ro and get_ro() both defined\n");
+ }
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret) {
++ if (host->pdata && host->pdata->exit)
++ host->pdata->exit(dev, mmc);
++ goto out;
++ }
+
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From a01ebe414fe67a4da0f5a303173294a6ef81880c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Oct 2022 21:04:50 +0200
+Subject: mmc: renesas_sdhi: add quirk for broken register layout
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit ec9e80ae1719de541c719116a1ca0a0c70e9240c ]
+
+Some early Gen3 SoCs have the DTRANEND1 bit at a different location than
+all later SoCs. Because we need the bit soon, add a quirk so we know
+which bit to use.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20221006190452.5316-5-wsa+renesas@sang-engineering.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/renesas_sdhi.h | 1 +
+ drivers/mmc/host/renesas_sdhi_internal_dmac.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/renesas_sdhi.h b/drivers/mmc/host/renesas_sdhi.h
+index c4abfee1ebae..e4c490729c98 100644
+--- a/drivers/mmc/host/renesas_sdhi.h
++++ b/drivers/mmc/host/renesas_sdhi.h
+@@ -44,6 +44,7 @@ struct renesas_sdhi_quirks {
+ bool fixed_addr_mode;
+ bool dma_one_rx_only;
+ bool manual_tap_correction;
++ bool old_info1_layout;
+ u32 hs400_bad_taps;
+ const u8 (*hs400_calib_table)[SDHI_CALIB_TABLE_MAX];
+ };
+diff --git a/drivers/mmc/host/renesas_sdhi_internal_dmac.c b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+index 42937596c4c4..7c81c2680701 100644
+--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+@@ -49,7 +49,8 @@
+ /* DM_CM_INFO1 and DM_CM_INFO1_MASK */
+ #define INFO1_CLEAR 0
+ #define INFO1_MASK_CLEAR GENMASK_ULL(31, 0)
+-#define INFO1_DTRANEND1 BIT(17)
++#define INFO1_DTRANEND1 BIT(20)
++#define INFO1_DTRANEND1_OLD BIT(17)
+ #define INFO1_DTRANEND0 BIT(16)
+
+ /* DM_CM_INFO2 and DM_CM_INFO2_MASK */
+@@ -165,6 +166,7 @@ static const struct renesas_sdhi_quirks sdhi_quirks_4tap_nohs400_one_rx = {
+ .hs400_disabled = true,
+ .hs400_4taps = true,
+ .dma_one_rx_only = true,
++ .old_info1_layout = true,
+ };
+
+ static const struct renesas_sdhi_quirks sdhi_quirks_4tap = {
+--
+2.35.1
+
--- /dev/null
+From 8dc411ac531b77f6331ca132069cc4ba6c28143d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 12:34:54 +0100
+Subject: mmc: renesas_sdhi: alway populate SCC pointer
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 3d4f9898c1c74323dd61d6a8a0efca9401232ad4 ]
+
+We need the SCC pointer to reset the device, so populate it even when we
+don't need it for tuning.
+
+Fixes: 45bffc371fef ("mmc: renesas_sdhi: only reset SCC when its pointer is populated")
+Signed-off-by: Takeshi Saito <takeshi.saito.xv@renesas.com>
+Signed-off-by: Takeshi Kihara <takeshi.kihara.df@renesas.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20221120113457.42010-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/renesas_sdhi_core.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mmc/host/renesas_sdhi_core.c b/drivers/mmc/host/renesas_sdhi_core.c
+index b970699743e0..22ccef7085f7 100644
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -1068,11 +1068,14 @@ int renesas_sdhi_probe(struct platform_device *pdev,
+ if (ver >= SDHI_VER_GEN3_SD)
+ host->get_timeout_cycles = renesas_sdhi_gen3_get_cycles;
+
++ /* Check for SCC so we can reset it if needed */
++ if (of_data && of_data->scc_offset && ver >= SDHI_VER_GEN2_SDR104)
++ priv->scc_ctl = host->ctl + of_data->scc_offset;
++
+ /* Enable tuning iff we have an SCC and a supported mode */
+- if (of_data && of_data->scc_offset &&
+- (host->mmc->caps & MMC_CAP_UHS_SDR104 ||
+- host->mmc->caps2 & (MMC_CAP2_HS200_1_8V_SDR |
+- MMC_CAP2_HS400_1_8V))) {
++ if (priv->scc_ctl && (host->mmc->caps & MMC_CAP_UHS_SDR104 ||
++ host->mmc->caps2 & (MMC_CAP2_HS200_1_8V_SDR |
++ MMC_CAP2_HS400_1_8V))) {
+ const struct renesas_sdhi_scc *taps = of_data->taps;
+ bool use_4tap = quirks && quirks->hs400_4taps;
+ bool hit = false;
+@@ -1092,7 +1095,6 @@ int renesas_sdhi_probe(struct platform_device *pdev,
+ if (!hit)
+ dev_warn(&host->pdev->dev, "Unknown clock rate for tuning\n");
+
+- priv->scc_ctl = host->ctl + of_data->scc_offset;
+ host->check_retune = renesas_sdhi_check_scc_error;
+ host->ops.execute_tuning = renesas_sdhi_execute_tuning;
+ host->ops.prepare_hs400_tuning = renesas_sdhi_prepare_hs400_tuning;
+--
+2.35.1
+
--- /dev/null
+From 309515fc3e2c56feae2a56c645b50e877e473524 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 12:34:55 +0100
+Subject: mmc: renesas_sdhi: better reset from HS400 mode
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 0da69dd2155019ed4c444ede0e79ce7a4a6af627 ]
+
+Up to now, HS400 adjustment mode was only disabled on soft reset when a
+calibration table was in use. It is safer, though, to disable it as soon
+as the instance has an adjustment related quirk set, i.e. bad taps or a
+calibration table.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20221120113457.42010-3-wsa+renesas@sang-engineering.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/renesas_sdhi_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/renesas_sdhi_core.c b/drivers/mmc/host/renesas_sdhi_core.c
+index 22ccef7085f7..e38d0e8b8e0e 100644
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -546,7 +546,7 @@ static void renesas_sdhi_reset_hs400_mode(struct tmio_mmc_host *host,
+ SH_MOBILE_SDHI_SCC_TMPPORT2_HS400OSEL) &
+ sd_scc_read32(host, priv, SH_MOBILE_SDHI_SCC_TMPPORT2));
+
+- if (priv->adjust_hs400_calib_table)
++ if (priv->quirks && (priv->quirks->hs400_calib_table || priv->quirks->hs400_bad_taps))
+ renesas_sdhi_adjust_hs400_mode_disable(host);
+
+ sd_ctrl_write16(host, CTL_SD_CARD_CLK_CTL, CLK_CTL_SCLKEN |
+--
+2.35.1
+
--- /dev/null
+From 11847822ba910ed826e81dd1222ce02fe7593c66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:19 +0800
+Subject: mmc: rtsx_pci: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0c87db77423a282b3b38b8a6daf057b822680516 ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and calling mmc_free_host() in the
+error path, beside, runtime PM also needs be disabled.
+
+Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-6-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/rtsx_pci_sdmmc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/rtsx_pci_sdmmc.c b/drivers/mmc/host/rtsx_pci_sdmmc.c
+index e1580f78c6b2..8098726dcc0b 100644
+--- a/drivers/mmc/host/rtsx_pci_sdmmc.c
++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c
+@@ -1474,6 +1474,7 @@ static int rtsx_pci_sdmmc_drv_probe(struct platform_device *pdev)
+ struct realtek_pci_sdmmc *host;
+ struct rtsx_pcr *pcr;
+ struct pcr_handle *handle = pdev->dev.platform_data;
++ int ret;
+
+ if (!handle)
+ return -ENXIO;
+@@ -1511,7 +1512,13 @@ static int rtsx_pci_sdmmc_drv_probe(struct platform_device *pdev)
+ pm_runtime_mark_last_busy(&pdev->dev);
+ pm_runtime_use_autosuspend(&pdev->dev);
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret) {
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
++ pm_runtime_disable(&pdev->dev);
++ mmc_free_host(mmc);
++ return ret;
++ }
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 1a40dd2fb07e2e46caf1c9fc691b162858eb764f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:20 +0800
+Subject: mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit fc38a5a10e9e5a75eb9189854abeb8405b214cc9 ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and calling mmc_free_host() in the
+error path, besides, led_classdev_unregister() and pm_runtime_disable() also
+need be called.
+
+Fixes: c7f6558d84af ("mmc: Add realtek USB sdmmc host driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-7-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/rtsx_usb_sdmmc.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c
+index 5fe4528e296e..1be3a355f10d 100644
+--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
+@@ -1332,6 +1332,7 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev)
+ #ifdef RTSX_USB_USE_LEDS_CLASS
+ int err;
+ #endif
++ int ret;
+
+ ucr = usb_get_intfdata(to_usb_interface(pdev->dev.parent));
+ if (!ucr)
+@@ -1368,7 +1369,15 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev)
+ INIT_WORK(&host->led_work, rtsx_usb_update_led);
+
+ #endif
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret) {
++#ifdef RTSX_USB_USE_LEDS_CLASS
++ led_classdev_unregister(&host->led);
++#endif
++ mmc_free_host(mmc);
++ pm_runtime_disable(&pdev->dev);
++ return ret;
++ }
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 78ed719240109f6ac29efada98b47f41448b22b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:21 +0800
+Subject: mmc: toshsd: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f670744a316ea983113a65313dcd387b5a992444 ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and goto error path which will call
+mmc_free_host(), besides, free_irq() also needs be called.
+
+Fixes: a5eb8bbd66cc ("mmc: add Toshiba PCI SD controller driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-8-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/toshsd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/toshsd.c b/drivers/mmc/host/toshsd.c
+index 8d037c2071ab..497791ffada6 100644
+--- a/drivers/mmc/host/toshsd.c
++++ b/drivers/mmc/host/toshsd.c
+@@ -651,7 +651,9 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ret)
+ goto unmap;
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto free_irq;
+
+ base = pci_resource_start(pdev, 0);
+ dev_dbg(&pdev->dev, "MMIO %pa, IRQ %d\n", &base, pdev->irq);
+@@ -660,6 +662,8 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ return 0;
+
++free_irq:
++ free_irq(pdev->irq, host);
+ unmap:
+ pci_iounmap(pdev, host->ioaddr);
+ release:
+--
+2.35.1
+
--- /dev/null
+From 783c890c494e90d96539d9fb226532890b3c32e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 21:09:49 +0800
+Subject: mmc: via-sdmmc: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e4e46fb61e3bb4628170810d3f2b996b709b90d9 ]
+
+mmc_add_host() may return error, if we ignore its return value,
+it will lead two issues:
+1. The memory that allocated in mmc_alloc_host() is leaked.
+2. In the remove() path, mmc_remove_host() will be called to
+ delete device, but it's not added yet, it will lead a kernel
+ crash because of null-ptr-deref in device_del().
+
+Fix this by checking the return value and goto error path which
+will call mmc_free_host().
+
+Fixes: f0bf7f61b840 ("mmc: Add new via-sdmmc host controller driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221108130949.1067699-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/via-sdmmc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
+index 88662a90ed96..a2b0d9461665 100644
+--- a/drivers/mmc/host/via-sdmmc.c
++++ b/drivers/mmc/host/via-sdmmc.c
+@@ -1151,7 +1151,9 @@ static int via_sd_probe(struct pci_dev *pcidev,
+ pcidev->subsystem_device == 0x3891)
+ sdhost->quirks = VIA_CRDR_QUIRK_300MS_PWRDELAY;
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto unmap;
+
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From 4f76c16d93ca0218a72602556b01f0b8c1370654 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:22 +0800
+Subject: mmc: vub300: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0613ad2401f88bdeae5594c30afe318e93b14676 ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and goto error path which will call
+mmc_free_host(), besides, the timer added before mmc_add_host() needs be del.
+
+And this patch fixes another missing call mmc_free_host() if usb_control_msg()
+fails.
+
+Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-9-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/vub300.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c
+index 97beece62fec..ab36ec479747 100644
+--- a/drivers/mmc/host/vub300.c
++++ b/drivers/mmc/host/vub300.c
+@@ -2299,14 +2299,14 @@ static int vub300_probe(struct usb_interface *interface,
+ 0x0000, 0x0000, &vub300->system_port_status,
+ sizeof(vub300->system_port_status), 1000);
+ if (retval < 0) {
+- goto error4;
++ goto error5;
+ } else if (sizeof(vub300->system_port_status) == retval) {
+ vub300->card_present =
+ (0x0001 & vub300->system_port_status.port_flags) ? 1 : 0;
+ vub300->read_only =
+ (0x0010 & vub300->system_port_status.port_flags) ? 1 : 0;
+ } else {
+- goto error4;
++ goto error5;
+ }
+ usb_set_intfdata(interface, vub300);
+ INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread);
+@@ -2329,8 +2329,13 @@ static int vub300_probe(struct usb_interface *interface,
+ "USB vub300 remote SDIO host controller[%d]"
+ "connected with no SD/SDIO card inserted\n",
+ interface_to_InterfaceNumber(interface));
+- mmc_add_host(mmc);
++ retval = mmc_add_host(mmc);
++ if (retval)
++ goto error6;
++
+ return 0;
++error6:
++ del_timer_sync(&vub300->inactivity_timer);
+ error5:
+ mmc_free_host(mmc);
+ /*
+--
+2.35.1
+
--- /dev/null
+From 95d2e1901eed9322295b451b62402916083e38df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 21:32:37 +0800
+Subject: mmc: wbsd: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit dc5b9b50fc9d1334407e316e6e29a5097ef833bd ]
+
+mmc_add_host() may return error, if we ignore its return value,
+it will lead two issues:
+1. The memory that allocated in mmc_alloc_host() is leaked.
+2. In the remove() path, mmc_remove_host() will be called to
+ delete device, but it's not added yet, it will lead a kernel
+ crash because of null-ptr-deref in device_del().
+
+So fix this by checking the return value and goto error path which
+will call mmc_free_host(), besides, other resources also need be
+released.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221109133237.3273558-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/wbsd.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wbsd.c
+index 67ecd342fe5f..7c7ec8d10232 100644
+--- a/drivers/mmc/host/wbsd.c
++++ b/drivers/mmc/host/wbsd.c
+@@ -1698,7 +1698,17 @@ static int wbsd_init(struct device *dev, int base, int irq, int dma,
+ */
+ wbsd_init_device(host);
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret) {
++ if (!pnp)
++ wbsd_chip_poweroff(host);
++
++ wbsd_release_resources(host);
++ wbsd_free_mmc(dev);
++
++ mmc_free_host(mmc);
++ return ret;
++ }
+
+ pr_info("%s: W83L51xD", mmc_hostname(mmc));
+ if (host->chip_id != 0)
+--
+2.35.1
+
--- /dev/null
+From f6b592770a327eb966ed431f3ce9de829e14c4cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 14:30:23 +0800
+Subject: mmc: wmt-sdmmc: fix return value check of mmc_add_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 29276d56f6ed138db0f38cd31aedc0b725c8c76c ]
+
+mmc_add_host() may return error, if we ignore its return value, the memory
+that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
+crash because of deleting not added device in the remove path.
+
+So fix this by checking the return value and goto error path which will call
+mmc_free_host(), besides, clk_disable_unprepare() also needs be called.
+
+Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221101063023.1664968-10-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/wmt-sdmmc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c
+index 9b5c503e3a3f..9aa3027ca25e 100644
+--- a/drivers/mmc/host/wmt-sdmmc.c
++++ b/drivers/mmc/host/wmt-sdmmc.c
+@@ -856,11 +856,15 @@ static int wmt_mci_probe(struct platform_device *pdev)
+ /* configure the controller to a known 'ready' state */
+ wmt_reset_hardware(mmc);
+
+- mmc_add_host(mmc);
++ ret = mmc_add_host(mmc);
++ if (ret)
++ goto fail7;
+
+ dev_info(&pdev->dev, "WMT SDHC Controller initialized\n");
+
+ return 0;
++fail7:
++ clk_disable_unprepare(priv->clk_sdmmc);
+ fail6:
+ clk_put(priv->clk_sdmmc);
+ fail5_and_a_half:
+--
+2.35.1
+
--- /dev/null
+From 8a3e436261a25ff10c57daf19f3a6dc50a821217 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 06:58:34 +0400
+Subject: module: Fix NULL vs IS_ERR checking for module_get_next_page
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 45af1d7aae7d5520d2858f8517a1342646f015db ]
+
+The module_get_next_page() function return error pointers on error
+instead of NULL.
+Use IS_ERR() to check the return value to fix this.
+
+Fixes: b1ae6dc41eaa ("module: add in-kernel support for decompressing")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/module/decompress.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/module/decompress.c b/kernel/module/decompress.c
+index 4d0bcb3d9e44..82c07b1d9797 100644
+--- a/kernel/module/decompress.c
++++ b/kernel/module/decompress.c
+@@ -114,8 +114,8 @@ static ssize_t module_gzip_decompress(struct load_info *info,
+ do {
+ struct page *page = module_get_next_page(info);
+
+- if (!page) {
+- retval = -ENOMEM;
++ if (IS_ERR(page)) {
++ retval = PTR_ERR(page);
+ goto out_inflate_end;
+ }
+
+@@ -173,8 +173,8 @@ static ssize_t module_xz_decompress(struct load_info *info,
+ do {
+ struct page *page = module_get_next_page(info);
+
+- if (!page) {
+- retval = -ENOMEM;
++ if (IS_ERR(page)) {
++ retval = PTR_ERR(page);
+ goto out;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From c3f0ac48d1f78ab6c90f9375f9981351675098ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 19:45:11 +0800
+Subject: mrp: introduce active flags to prevent UAF when applicant uninit
+
+From: Schspa Shi <schspa@gmail.com>
+
+[ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ]
+
+The caller of del_timer_sync must prevent restarting of the timer, If
+we have no this synchronization, there is a small probability that the
+cancellation will not be successful.
+
+And syzbot report the fellowing crash:
+==================================================================
+BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
+BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
+Write at addr f9ff000024df6058 by task syz-fuzzer/2256
+Pointer tag: [f9], memory tag: [fe]
+
+CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-
+ge01d50cbd6ee #0
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+ dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
+ dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
+ show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:284 [inline]
+ print_report+0x1a8/0x4a0 mm/kasan/report.c:395
+ kasan_report+0x94/0xb4 mm/kasan/report.c:495
+ __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
+ do_bad_area arch/arm64/mm/fault.c:473 [inline]
+ do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
+ do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
+ el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
+ el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
+ el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
+ hlist_add_head include/linux/list.h:929 [inline]
+ enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
+ mod_timer+0x14/0x20 kernel/time/timer.c:1161
+ mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
+ mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
+ call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
+ expire_timers+0x98/0xc4 kernel/time/timer.c:1519
+
+To fix it, we can introduce a new active flags to make sure the timer will
+not restart.
+
+Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com
+
+Signed-off-by: Schspa Shi <schspa@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mrp.h | 1 +
+ net/802/mrp.c | 18 +++++++++++++-----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/mrp.h b/include/net/mrp.h
+index 92cd3fb6cf9d..b28915ffea28 100644
+--- a/include/net/mrp.h
++++ b/include/net/mrp.h
+@@ -124,6 +124,7 @@ struct mrp_applicant {
+ struct sk_buff *pdu;
+ struct rb_root mad;
+ struct rcu_head rcu;
++ bool active;
+ };
+
+ struct mrp_port {
+diff --git a/net/802/mrp.c b/net/802/mrp.c
+index 35e04cc5390c..c10a432a5b43 100644
+--- a/net/802/mrp.c
++++ b/net/802/mrp.c
+@@ -606,7 +606,10 @@ static void mrp_join_timer(struct timer_list *t)
+ spin_unlock(&app->lock);
+
+ mrp_queue_xmit(app);
+- mrp_join_timer_arm(app);
++ spin_lock(&app->lock);
++ if (likely(app->active))
++ mrp_join_timer_arm(app);
++ spin_unlock(&app->lock);
+ }
+
+ static void mrp_periodic_timer_arm(struct mrp_applicant *app)
+@@ -620,11 +623,12 @@ static void mrp_periodic_timer(struct timer_list *t)
+ struct mrp_applicant *app = from_timer(app, t, periodic_timer);
+
+ spin_lock(&app->lock);
+- mrp_mad_event(app, MRP_EVENT_PERIODIC);
+- mrp_pdu_queue(app);
++ if (likely(app->active)) {
++ mrp_mad_event(app, MRP_EVENT_PERIODIC);
++ mrp_pdu_queue(app);
++ mrp_periodic_timer_arm(app);
++ }
+ spin_unlock(&app->lock);
+-
+- mrp_periodic_timer_arm(app);
+ }
+
+ static int mrp_pdu_parse_end_mark(struct sk_buff *skb, int *offset)
+@@ -872,6 +876,7 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl)
+ app->dev = dev;
+ app->app = appl;
+ app->mad = RB_ROOT;
++ app->active = true;
+ spin_lock_init(&app->lock);
+ skb_queue_head_init(&app->queue);
+ rcu_assign_pointer(dev->mrp_port->applicants[appl->type], app);
+@@ -900,6 +905,9 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
+
+ RCU_INIT_POINTER(port->applicants[appl->type], NULL);
+
++ spin_lock_bh(&app->lock);
++ app->active = false;
++ spin_unlock_bh(&app->lock);
+ /* Delete timer and generate a final TX event to flush out
+ * all pending messages before the applicant is gone.
+ */
+--
+2.35.1
+
--- /dev/null
+From de29736107606f9b0c6197932a8728a0532e1558 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 10:58:31 +0800
+Subject: mt76: mt7915: Fix PCI device refcount leak in mt7915_pci_init_hif2()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 5938196cc188ba4323bc6357f5ac55127d715888 ]
+
+As comment of pci_get_device() says, it returns a pci_device with its
+refcount increased. We need to call pci_dev_put() to decrease the
+refcount. Save the return value of pci_get_device() and call
+pci_dev_put() to decrease the refcount.
+
+Fixes: 9093cfff72e3 ("mt76: mt7915: add support for using a secondary PCIe link for gen1")
+Fixes: 2e30db0dde61 ("mt76: mt7915: add device id for mt7916")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/pci.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/pci.c b/drivers/net/wireless/mediatek/mt76/mt7915/pci.c
+index d74f609775d3..7a44a4f88ccb 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/pci.c
+@@ -65,10 +65,17 @@ static void mt7915_put_hif2(struct mt7915_hif *hif)
+
+ static struct mt7915_hif *mt7915_pci_init_hif2(struct pci_dev *pdev)
+ {
++ struct pci_dev *tmp_pdev;
++
+ hif_idx++;
+- if (!pci_get_device(PCI_VENDOR_ID_MEDIATEK, 0x7916, NULL) &&
+- !pci_get_device(PCI_VENDOR_ID_MEDIATEK, 0x790a, NULL))
+- return NULL;
++
++ tmp_pdev = pci_get_device(PCI_VENDOR_ID_MEDIATEK, 0x7916, NULL);
++ if (!tmp_pdev) {
++ tmp_pdev = pci_get_device(PCI_VENDOR_ID_MEDIATEK, 0x790a, NULL);
++ if (!tmp_pdev)
++ return NULL;
++ }
++ pci_dev_put(tmp_pdev);
+
+ writel(hif_idx | MT_PCIE_RECOG_ID_SEM,
+ pcim_iomap_table(pdev)[0] + MT_PCIE_RECOG_ID);
+--
+2.35.1
+
--- /dev/null
+From 934d27ecf656fcebb3220de21e1037a8958a02b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 14:51:09 +0800
+Subject: mtd: core: fix possible resource leak in init_mtd()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 1aadf01e5076b9ab6bf294b9622335c651314895 ]
+
+I got the error report while inject fault in init_mtd():
+
+sysfs: cannot create duplicate filename '/devices/virtual/bdi/mtd-0'
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x67/0x83
+ sysfs_warn_dup+0x60/0x70
+ sysfs_create_dir_ns+0x109/0x120
+ kobject_add_internal+0xce/0x2f0
+ kobject_add+0x98/0x110
+ device_add+0x179/0xc00
+ device_create_groups_vargs+0xf4/0x100
+ device_create+0x7b/0xb0
+ bdi_register_va.part.13+0x58/0x2d0
+ bdi_register+0x9b/0xb0
+ init_mtd+0x62/0x171 [mtd]
+ do_one_initcall+0x6c/0x3c0
+ do_init_module+0x58/0x222
+ load_module+0x268e/0x27d0
+ __do_sys_finit_module+0xd5/0x140
+ do_syscall_64+0x37/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ </TASK>
+kobject_add_internal failed for mtd-0 with -EEXIST, don't try to register
+ things with the same name in the same directory.
+Error registering mtd class or bdi: -17
+
+If init_mtdchar() fails in init_mtd(), mtd_bdi will not be unregistered,
+as a result, we can't load the mtd module again, to fix this by calling
+bdi_unregister(mtd_bdi) after out_procfs label.
+
+Fixes: 445caaa20c4d ("mtd: Allocate bdi objects dynamically")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20221024065109.2050705-1-cuigaosheng1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdcore.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
+index cc7e1fd1ef10..37050c551880 100644
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -2452,6 +2452,7 @@ static int __init init_mtd(void)
+ out_procfs:
+ if (proc_mtd)
+ remove_proc_entry("mtd", NULL);
++ bdi_unregister(mtd_bdi);
+ bdi_put(mtd_bdi);
+ err_bdi:
+ class_unregister(&mtd_class);
+--
+2.35.1
+
--- /dev/null
+From b3d01dbd5f98619883bf946f9437d01531733e08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 14:39:15 +0800
+Subject: mtd: core: Fix refcount error in del_mtd_device()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 56570bdad5e31c5c538cd6efff5c4510256e1bb4 ]
+
+del_mtd_device() will call of_node_put() to mtd_get_of_node(mtd), which
+is mtd->dev.of_node. However, memset(&mtd->dev, 0) is called before
+of_node_put(). As the result, of_node_put() won't do anything in
+del_mtd_device(), and causes the refcount leak.
+
+del_mtd_device()
+ memset(&mtd->dev, 0, sizeof(mtd->dev) # clear mtd->dev
+ of_node_put()
+ mtd_get_of_node(mtd) # mtd->dev is cleared, can't locate of_node
+ # of_node_put(NULL) won't do anything
+
+Fix the error by caching the pointer of the device_node.
+
+OF: ERROR: memory leak, expected refcount 1 instead of 2,
+of_node_get()/of_node_put() unbalanced - destroy cset entry: attach
+overlay node /spi/spi-sram@0
+CPU: 3 PID: 275 Comm: python3 Tainted: G N 6.1.0-rc3+ #54
+ 0d8a1edddf51f172ff5226989a7565c6313b08e2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
+Call Trace:
+<TASK>
+ dump_stack_lvl+0x67/0x83
+ kobject_get+0x155/0x160
+ of_node_get+0x1f/0x30
+ of_fwnode_get+0x43/0x70
+ fwnode_handle_get+0x54/0x80
+ fwnode_get_nth_parent+0xc9/0xe0
+ fwnode_full_name_string+0x3f/0xa0
+ device_node_string+0x30f/0x750
+ pointer+0x598/0x7a0
+ vsnprintf+0x62d/0x9b0
+ ...
+ cfs_overlay_release+0x30/0x90
+ config_item_release+0xbe/0x1a0
+ config_item_put+0x5e/0x80
+ configfs_rmdir+0x3bd/0x540
+ vfs_rmdir+0x18c/0x320
+ do_rmdir+0x198/0x330
+ __x64_sys_rmdir+0x2c/0x40
+ do_syscall_64+0x37/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 00596576a051 ("mtd: core: clear out unregistered devices a bit more")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+[<miquel.raynal@bootlin.com>: Light reword of the commit log]
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20221119063915.11108-1-shangxiaojing@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdcore.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
+index 37050c551880..c14196bbf008 100644
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -776,6 +776,7 @@ int del_mtd_device(struct mtd_info *mtd)
+ {
+ int ret;
+ struct mtd_notifier *not;
++ struct device_node *mtd_of_node;
+
+ mutex_lock(&mtd_table_mutex);
+
+@@ -794,6 +795,7 @@ int del_mtd_device(struct mtd_info *mtd)
+ mtd->index, mtd->name, mtd->usecount);
+ ret = -EBUSY;
+ } else {
++ mtd_of_node = mtd_get_of_node(mtd);
+ debugfs_remove_recursive(mtd->dbg.dfs_dir);
+
+ /* Try to remove the NVMEM provider */
+@@ -805,7 +807,7 @@ int del_mtd_device(struct mtd_info *mtd)
+ memset(&mtd->dev, 0, sizeof(mtd->dev));
+
+ idr_remove(&mtd_idr, mtd->index);
+- of_node_put(mtd_get_of_node(mtd));
++ of_node_put(mtd_of_node);
+
+ module_put(THIS_MODULE);
+ ret = 0;
+--
+2.35.1
+
--- /dev/null
+From 3d82bb7de37bbe00bb172bfdf49920d77151520c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Oct 2022 20:13:52 +0800
+Subject: mtd: Fix device name leak when register device failed in
+ add_mtd_device()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 895d68a39481a75c680aa421546931fb11942fa6 ]
+
+There is a kmemleak when register device failed:
+ unreferenced object 0xffff888101aab550 (size 8):
+ comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s)
+ hex dump (first 8 bytes):
+ 6d 74 64 30 00 88 ff ff mtd0....
+ backtrace:
+ [<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150
+ [<000000003c32b416>] kvasprintf+0xb0/0x130
+ [<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0
+ [<000000006e781163>] dev_set_name+0xab/0xe0
+ [<00000000e30d0c78>] add_mtd_device+0x4bb/0x700
+ [<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0
+ [<00000000c0d88488>] 0xffffffffa0238457
+ [<00000000b40d0922>] 0xffffffffa02a008f
+ [<0000000023d17b9d>] do_one_initcall+0x87/0x2a0
+ [<00000000770f6ca6>] do_init_module+0xdf/0x320
+ [<000000007b6768fe>] load_module+0x2f98/0x3330
+ [<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000674c2290>] do_syscall_64+0x35/0x80
+ [<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+If register device failed, should call put_device() to give up the
+reference.
+
+Fixes: 1f24b5a8ecbb ("[MTD] driver model updates")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20221022121352.2534682-1-zhangxiaoxu5@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdcore.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
+index 477707bcad97..cc7e1fd1ef10 100644
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -723,8 +723,10 @@ int add_mtd_device(struct mtd_info *mtd)
+ mtd_check_of_node(mtd);
+ of_node_get(mtd_get_of_node(mtd));
+ error = device_register(&mtd->dev);
+- if (error)
++ if (error) {
++ put_device(&mtd->dev);
+ goto fail_added;
++ }
+
+ /* Add the nvmem provider */
+ error = mtd_nvmem_add(mtd);
+--
+2.35.1
+
--- /dev/null
+From 05b056c453e1ec84a99174063ff15b2809ae2b45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 17:02:40 +0800
+Subject: mtd: lpddr2_nvm: Fix possible null-ptr-deref
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hui Tang <tanghui20@huawei.com>
+
+[ Upstream commit 6bdd45d795adf9e73b38ced5e7f750cd199499ff ]
+
+It will cause null-ptr-deref when resource_size(add_range) invoked,
+if platform_get_resource() returns NULL.
+
+Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories")
+Signed-off-by: Hui Tang <tanghui20@huawei.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20221114090240.244172-1-tanghui20@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/lpddr/lpddr2_nvm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c
+index 367e2d906de0..e71af4c49096 100644
+--- a/drivers/mtd/lpddr/lpddr2_nvm.c
++++ b/drivers/mtd/lpddr/lpddr2_nvm.c
+@@ -433,6 +433,8 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
+
+ /* lpddr2_nvm address range */
+ add_range = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!add_range)
++ return -ENODEV;
+
+ /* Populate map_info data structure */
+ *map = (struct map_info) {
+--
+2.35.1
+
--- /dev/null
+From bef4175f513fe41e7697fc3e6d5a32059a1b40cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 07:33:07 +0000
+Subject: mtd: maps: pxa2xx-flash: fix memory leak in probe
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit 2399401feee27c639addc5b7e6ba519d3ca341bf ]
+
+Free 'info' upon remapping error to avoid a memory leak.
+
+Fixes: e644f7d62894 ("[MTD] MAPS: Merge Lubbock and Mainstone drivers into common PXA2xx driver")
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+[<miquel.raynal@bootlin.com>: Reword the commit log]
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20221119073307.22929-1-zhengyongjun3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/maps/pxa2xx-flash.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mtd/maps/pxa2xx-flash.c b/drivers/mtd/maps/pxa2xx-flash.c
+index 1749dbbacc13..62a5bf41a6d7 100644
+--- a/drivers/mtd/maps/pxa2xx-flash.c
++++ b/drivers/mtd/maps/pxa2xx-flash.c
+@@ -64,6 +64,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev)
+ if (!info->map.virt) {
+ printk(KERN_WARNING "Failed to ioremap %s\n",
+ info->map.name);
++ kfree(info);
+ return -ENOMEM;
+ }
+ info->map.cached = ioremap_cache(info->map.phys, info->map.size);
+@@ -85,6 +86,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev)
+ iounmap((void *)info->map.virt);
+ if (info->map.cached)
+ iounmap(info->map.cached);
++ kfree(info);
+ return -EIO;
+ }
+ info->mtd->dev.parent = &pdev->dev;
+--
+2.35.1
+
--- /dev/null
+From 76d3085aef4bd75729beab08274c228935861c11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 20:46:33 +0800
+Subject: mtd: spi-nor: Fix the number of bytes for the dummy cycles
+
+From: Allen-KH Cheng <allen-kh.cheng@mediatek.com>
+
+[ Upstream commit fdc20370d93e8c6d2f448a539d08c2c064af7694 ]
+
+The number of bytes used by spi_nor_spimem_check_readop() may be
+incorrect for the dummy cycles. Since nor->read_dummy is not initialized
+before spi_nor_spimem_adjust_hwcaps().
+
+We use both mode and wait state clock cycles instead of nor->read_dummy.
+
+Fixes: 0e30f47232ab ("mtd: spi-nor: add support for DTR protocol")
+Co-developed-by: Bayi Cheng <bayi.cheng@mediatek.com>
+Signed-off-by: Bayi Cheng <bayi.cheng@mediatek.com>
+Signed-off-by: Allen-KH Cheng <allen-kh.cheng@mediatek.com>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Tested-by: Dhruva Gole <d-gole@ti.com>
+Tested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Link: https://lore.kernel.org/r/20221031124633.13189-1-allen-kh.cheng@mediatek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/spi-nor/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
+index bee8fc4c9f07..0cf1a1797ea3 100644
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -1914,7 +1914,8 @@ static int spi_nor_spimem_check_readop(struct spi_nor *nor,
+ spi_nor_spimem_setup_op(nor, &op, read->proto);
+
+ /* convert the dummy cycles to the number of bytes */
+- op.dummy.nbytes = (nor->read_dummy * op.dummy.buswidth) / 8;
++ op.dummy.nbytes = (read->num_mode_clocks + read->num_wait_states) *
++ op.dummy.buswidth / 8;
+ if (spi_nor_protocol_is_dtr(nor->read_proto))
+ op.dummy.nbytes *= 2;
+
+--
+2.35.1
+
--- /dev/null
+From 894fd5b7e5e0b7ee2e16332fa09fdfbd852fefb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 00:06:48 +0200
+Subject: mtd: spi-nor: hide jedec_id sysfs attribute if not present
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 7d388551b6888f3725e6c957f472526b35161a5b ]
+
+Some non-jedec compliant flashes (like the Everspin flashes) don't have
+an ID at all. Hide the attribute in this case.
+
+Fixes: 36ac02286265 ("mtd: spi-nor: add initial sysfs support")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Reviewed-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Link: https://lore.kernel.org/r/20220810220654.1297699-2-michael@walle.cc
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ABI/testing/sysfs-bus-spi-devices-spi-nor | 3 +++
+ drivers/mtd/spi-nor/sysfs.c | 14 ++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-spi-devices-spi-nor b/Documentation/ABI/testing/sysfs-bus-spi-devices-spi-nor
+index d76cd3946434..e9ef69aef20b 100644
+--- a/Documentation/ABI/testing/sysfs-bus-spi-devices-spi-nor
++++ b/Documentation/ABI/testing/sysfs-bus-spi-devices-spi-nor
+@@ -5,6 +5,9 @@ Contact: linux-mtd@lists.infradead.org
+ Description: (RO) The JEDEC ID of the SPI NOR flash as reported by the
+ flash device.
+
++ The attribute is not present if the flash doesn't support
++ the "Read JEDEC ID" command (9Fh). This is the case for
++ non-JEDEC compliant flashes.
+
+ What: /sys/bus/spi/devices/.../spi-nor/manufacturer
+ Date: April 2021
+diff --git a/drivers/mtd/spi-nor/sysfs.c b/drivers/mtd/spi-nor/sysfs.c
+index 9aec9d8a98ad..4c3b351aef24 100644
+--- a/drivers/mtd/spi-nor/sysfs.c
++++ b/drivers/mtd/spi-nor/sysfs.c
+@@ -67,6 +67,19 @@ static struct bin_attribute *spi_nor_sysfs_bin_entries[] = {
+ NULL
+ };
+
++static umode_t spi_nor_sysfs_is_visible(struct kobject *kobj,
++ struct attribute *attr, int n)
++{
++ struct spi_device *spi = to_spi_device(kobj_to_dev(kobj));
++ struct spi_mem *spimem = spi_get_drvdata(spi);
++ struct spi_nor *nor = spi_mem_get_drvdata(spimem);
++
++ if (attr == &dev_attr_jedec_id.attr && !nor->info->id_len)
++ return 0;
++
++ return 0444;
++}
++
+ static umode_t spi_nor_sysfs_is_bin_visible(struct kobject *kobj,
+ struct bin_attribute *attr, int n)
+ {
+@@ -82,6 +95,7 @@ static umode_t spi_nor_sysfs_is_bin_visible(struct kobject *kobj,
+
+ static const struct attribute_group spi_nor_sysfs_group = {
+ .name = "spi-nor",
++ .is_visible = spi_nor_sysfs_is_visible,
+ .is_bin_visible = spi_nor_sysfs_is_bin_visible,
+ .attrs = spi_nor_sysfs_entries,
+ .bin_attrs = spi_nor_sysfs_bin_entries,
+--
+2.35.1
+
--- /dev/null
+From b6021e52c16fa8df1fcdac22b979876e76cf7ce6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Dec 2022 19:08:40 +0100
+Subject: myri10ge: Fix an error handling path in myri10ge_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d83b950d44d2982c0e62e3d81b0f35ab09431008 ]
+
+Some memory allocated in myri10ge_probe_slices() is not released in the
+error handling path of myri10ge_probe().
+
+Add the corresponding kfree(), as already done in the remove function.
+
+Fixes: 0dcffac1a329 ("myri10ge: add multislices support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+index 971dde8c3286..35410c9a3ecf 100644
+--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+@@ -3913,6 +3913,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ myri10ge_free_slices(mgp);
+
+ abort_with_firmware:
++ kfree(mgp->msix_vectors);
+ myri10ge_dummy_rdma(mgp, 0);
+
+ abort_with_ioremap:
+--
+2.35.1
+
--- /dev/null
+From a0e5a192545bedbb2c91722eafd5b853b720493c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 08:53:55 +0000
+Subject: net: add atomic_long_t to net_device_stats fields
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6c1c5097781f563b70a81683ea6fdac21637573b ]
+
+Long standing KCSAN issues are caused by data-race around
+some dev->stats changes.
+
+Most performance critical paths already use per-cpu
+variables, or per-queue ones.
+
+It is reasonable (and more correct) to use atomic operations
+for the slow paths.
+
+This patch adds an union for each field of net_device_stats,
+so that we can convert paths that are not yet protected
+by a spinlock or a mutex.
+
+netdev_stats_to_stats64() no longer has an #if BITS_PER_LONG==64
+
+Note that the memcpy() we were using on 64bit arches
+had no provision to avoid load-tearing,
+while atomic_long_read() is providing the needed protection
+at no cost.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdevice.h | 58 +++++++++++++++++++++++----------------
+ include/net/dst.h | 5 ++--
+ net/core/dev.c | 14 ++--------
+ 3 files changed, 40 insertions(+), 37 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 05d6f3facd5a..47b8b0ab7694 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -171,31 +171,38 @@ static inline bool dev_xmit_complete(int rc)
+ * (unsigned long) so they can be read and written atomically.
+ */
+
++#define NET_DEV_STAT(FIELD) \
++ union { \
++ unsigned long FIELD; \
++ atomic_long_t __##FIELD; \
++ }
++
+ struct net_device_stats {
+- unsigned long rx_packets;
+- unsigned long tx_packets;
+- unsigned long rx_bytes;
+- unsigned long tx_bytes;
+- unsigned long rx_errors;
+- unsigned long tx_errors;
+- unsigned long rx_dropped;
+- unsigned long tx_dropped;
+- unsigned long multicast;
+- unsigned long collisions;
+- unsigned long rx_length_errors;
+- unsigned long rx_over_errors;
+- unsigned long rx_crc_errors;
+- unsigned long rx_frame_errors;
+- unsigned long rx_fifo_errors;
+- unsigned long rx_missed_errors;
+- unsigned long tx_aborted_errors;
+- unsigned long tx_carrier_errors;
+- unsigned long tx_fifo_errors;
+- unsigned long tx_heartbeat_errors;
+- unsigned long tx_window_errors;
+- unsigned long rx_compressed;
+- unsigned long tx_compressed;
++ NET_DEV_STAT(rx_packets);
++ NET_DEV_STAT(tx_packets);
++ NET_DEV_STAT(rx_bytes);
++ NET_DEV_STAT(tx_bytes);
++ NET_DEV_STAT(rx_errors);
++ NET_DEV_STAT(tx_errors);
++ NET_DEV_STAT(rx_dropped);
++ NET_DEV_STAT(tx_dropped);
++ NET_DEV_STAT(multicast);
++ NET_DEV_STAT(collisions);
++ NET_DEV_STAT(rx_length_errors);
++ NET_DEV_STAT(rx_over_errors);
++ NET_DEV_STAT(rx_crc_errors);
++ NET_DEV_STAT(rx_frame_errors);
++ NET_DEV_STAT(rx_fifo_errors);
++ NET_DEV_STAT(rx_missed_errors);
++ NET_DEV_STAT(tx_aborted_errors);
++ NET_DEV_STAT(tx_carrier_errors);
++ NET_DEV_STAT(tx_fifo_errors);
++ NET_DEV_STAT(tx_heartbeat_errors);
++ NET_DEV_STAT(tx_window_errors);
++ NET_DEV_STAT(rx_compressed);
++ NET_DEV_STAT(tx_compressed);
+ };
++#undef NET_DEV_STAT
+
+ /* per-cpu stats, allocated on demand.
+ * Try to fit them in a single cache line, for dev_get_stats() sake.
+@@ -5143,4 +5150,9 @@ extern struct list_head ptype_base[PTYPE_HASH_SIZE] __read_mostly;
+
+ extern struct net_device *blackhole_netdev;
+
++/* Note: Avoid these macros in fast path, prefer per-cpu or per-queue counters. */
++#define DEV_STATS_INC(DEV, FIELD) atomic_long_inc(&(DEV)->stats.__##FIELD)
++#define DEV_STATS_ADD(DEV, FIELD, VAL) \
++ atomic_long_add((VAL), &(DEV)->stats.__##FIELD)
++
+ #endif /* _LINUX_NETDEVICE_H */
+diff --git a/include/net/dst.h b/include/net/dst.h
+index 6aa252c3fc55..19af7a2713cc 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -362,9 +362,8 @@ static inline void __skb_tunnel_rx(struct sk_buff *skb, struct net_device *dev,
+ static inline void skb_tunnel_rx(struct sk_buff *skb, struct net_device *dev,
+ struct net *net)
+ {
+- /* TODO : stats should be SMP safe */
+- dev->stats.rx_packets++;
+- dev->stats.rx_bytes += skb->len;
++ DEV_STATS_INC(dev, rx_packets);
++ DEV_STATS_ADD(dev, rx_bytes, skb->len);
+ __skb_tunnel_rx(skb, dev, net);
+ }
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index d2ab54c9c3ed..25c73f967761 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -10398,24 +10398,16 @@ void netdev_run_todo(void)
+ void netdev_stats_to_stats64(struct rtnl_link_stats64 *stats64,
+ const struct net_device_stats *netdev_stats)
+ {
+-#if BITS_PER_LONG == 64
+- BUILD_BUG_ON(sizeof(*stats64) < sizeof(*netdev_stats));
+- memcpy(stats64, netdev_stats, sizeof(*netdev_stats));
+- /* zero out counters that only exist in rtnl_link_stats64 */
+- memset((char *)stats64 + sizeof(*netdev_stats), 0,
+- sizeof(*stats64) - sizeof(*netdev_stats));
+-#else
+- size_t i, n = sizeof(*netdev_stats) / sizeof(unsigned long);
+- const unsigned long *src = (const unsigned long *)netdev_stats;
++ size_t i, n = sizeof(*netdev_stats) / sizeof(atomic_long_t);
++ const atomic_long_t *src = (atomic_long_t *)netdev_stats;
+ u64 *dst = (u64 *)stats64;
+
+ BUILD_BUG_ON(n > sizeof(*stats64) / sizeof(u64));
+ for (i = 0; i < n; i++)
+- dst[i] = src[i];
++ dst[i] = atomic_long_read(&src[i]);
+ /* zero out counters that only exist in rtnl_link_stats64 */
+ memset((char *)stats64 + n * sizeof(u64), 0,
+ sizeof(*stats64) - n * sizeof(u64));
+-#endif
+ }
+ EXPORT_SYMBOL(netdev_stats_to_stats64);
+
+--
+2.35.1
+
--- /dev/null
+From 0729f2ab011b82eb122d28b2c6432cfba4c65c26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 22:21:47 +0800
+Subject: net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6151d105dfce8c23edf30eed35e97f3d9b96a35c ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
+The difference between them is free reason, dev_kfree_skb_irq() means
+the SKB is dropped in error and dev_consume_skb_irq() means the SKB
+is consumed in normal.
+
+In these two cases, dev_kfree_skb() is called consume the xmited SKB,
+so replace it with dev_consume_skb_irq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/atarilance.c | 2 +-
+ drivers/net/ethernet/amd/lance.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/atarilance.c b/drivers/net/ethernet/amd/atarilance.c
+index 27869164c6e6..ca12f9f48839 100644
+--- a/drivers/net/ethernet/amd/atarilance.c
++++ b/drivers/net/ethernet/amd/atarilance.c
+@@ -824,7 +824,7 @@ lance_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ lp->memcpy_f( PKTBUF_ADDR(head), (void *)skb->data, skb->len );
+ head->flag = TMD1_OWN_CHIP | TMD1_ENP | TMD1_STP;
+ dev->stats.tx_bytes += skb->len;
+- dev_kfree_skb( skb );
++ dev_consume_skb_irq(skb);
+ lp->cur_tx++;
+ while( lp->cur_tx >= TX_RING_SIZE && lp->dirty_tx >= TX_RING_SIZE ) {
+ lp->cur_tx -= TX_RING_SIZE;
+diff --git a/drivers/net/ethernet/amd/lance.c b/drivers/net/ethernet/amd/lance.c
+index 462016666752..e3b8de9fc728 100644
+--- a/drivers/net/ethernet/amd/lance.c
++++ b/drivers/net/ethernet/amd/lance.c
+@@ -1001,7 +1001,7 @@ static netdev_tx_t lance_start_xmit(struct sk_buff *skb,
+ skb_copy_from_linear_data(skb, &lp->tx_bounce_buffs[entry], skb->len);
+ lp->tx_ring[entry].base =
+ ((u32)isa_virt_to_bus((lp->tx_bounce_buffs + entry)) & 0xffffff) | 0x83000000;
+- dev_kfree_skb(skb);
++ dev_consume_skb_irq(skb);
+ } else {
+ lp->tx_skbuff[entry] = skb;
+ lp->tx_ring[entry].base = ((u32)isa_virt_to_bus(skb->data) & 0xffffff) | 0x83000000;
+--
+2.35.1
+
--- /dev/null
+From 7c1d4f29b22f44d406d19dd823c42efa139a4db6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 10:22:25 -0600
+Subject: net: amd-xgbe: Check only the minimum speed for active/passive cables
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+[ Upstream commit f8ab263d4d48e6dab752029bf562f20a2ee630ed ]
+
+There are cables that exist that can support speeds in excess of 10GbE.
+The driver, however, restricts the EEPROM advertised nominal bitrate to
+a specific range, which can prevent usage of cables that can support,
+for example, up to 25GbE.
+
+Rather than checking that an active or passive cable supports a specific
+range, only check for a minimum supported speed.
+
+Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules")
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index c7b0d69ee62f..1ef04326a572 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -237,10 +237,7 @@ enum xgbe_sfp_speed {
+
+ #define XGBE_SFP_BASE_BR 12
+ #define XGBE_SFP_BASE_BR_1GBE_MIN 0x0a
+-#define XGBE_SFP_BASE_BR_1GBE_MAX 0x0d
+ #define XGBE_SFP_BASE_BR_10GBE_MIN 0x64
+-#define XGBE_SFP_BASE_BR_10GBE_MAX 0x68
+-#define XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX 0x78
+
+ #define XGBE_SFP_BASE_CU_CABLE_LEN 18
+
+@@ -827,29 +824,22 @@ static void xgbe_phy_sfp_phy_settings(struct xgbe_prv_data *pdata)
+ static bool xgbe_phy_sfp_bit_rate(struct xgbe_sfp_eeprom *sfp_eeprom,
+ enum xgbe_sfp_speed sfp_speed)
+ {
+- u8 *sfp_base, min, max;
++ u8 *sfp_base, min;
+
+ sfp_base = sfp_eeprom->base;
+
+ switch (sfp_speed) {
+ case XGBE_SFP_SPEED_1000:
+ min = XGBE_SFP_BASE_BR_1GBE_MIN;
+- max = XGBE_SFP_BASE_BR_1GBE_MAX;
+ break;
+ case XGBE_SFP_SPEED_10000:
+ min = XGBE_SFP_BASE_BR_10GBE_MIN;
+- if (memcmp(&sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_NAME],
+- XGBE_MOLEX_VENDOR, XGBE_SFP_BASE_VENDOR_NAME_LEN) == 0)
+- max = XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX;
+- else
+- max = XGBE_SFP_BASE_BR_10GBE_MAX;
+ break;
+ default:
+ return false;
+ }
+
+- return ((sfp_base[XGBE_SFP_BASE_BR] >= min) &&
+- (sfp_base[XGBE_SFP_BASE_BR] <= max));
++ return sfp_base[XGBE_SFP_BASE_BR] >= min;
+ }
+
+ static void xgbe_phy_free_phy_device(struct xgbe_prv_data *pdata)
+--
+2.35.1
+
--- /dev/null
+From 81bc0844644138bcd22e1128b785c2a4d95ea7b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 10:22:24 -0600
+Subject: net: amd-xgbe: Fix logic around active and passive cables
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+[ Upstream commit 4998006c73afe44e2f639d55bd331c6c26eb039f ]
+
+SFP+ active and passive cables are copper cables with fixed SFP+ end
+connectors. Due to a misinterpretation of this, SFP+ active cables could
+end up not being recognized, causing the driver to fail to establish a
+connection.
+
+Introduce a new enum in SFP+ cable types, XGBE_SFP_CABLE_FIBER, that is
+the default cable type, and handle active and passive cables when they are
+specifically detected.
+
+Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules")
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index 601a9f2fa9bf..c7b0d69ee62f 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -189,6 +189,7 @@ enum xgbe_sfp_cable {
+ XGBE_SFP_CABLE_UNKNOWN = 0,
+ XGBE_SFP_CABLE_ACTIVE,
+ XGBE_SFP_CABLE_PASSIVE,
++ XGBE_SFP_CABLE_FIBER,
+ };
+
+ enum xgbe_sfp_base {
+@@ -1149,16 +1150,18 @@ static void xgbe_phy_sfp_parse_eeprom(struct xgbe_prv_data *pdata)
+ phy_data->sfp_tx_fault = xgbe_phy_check_sfp_tx_fault(phy_data);
+ phy_data->sfp_rx_los = xgbe_phy_check_sfp_rx_los(phy_data);
+
+- /* Assume ACTIVE cable unless told it is PASSIVE */
++ /* Assume FIBER cable unless told otherwise */
+ if (sfp_base[XGBE_SFP_BASE_CABLE] & XGBE_SFP_BASE_CABLE_PASSIVE) {
+ phy_data->sfp_cable = XGBE_SFP_CABLE_PASSIVE;
+ phy_data->sfp_cable_len = sfp_base[XGBE_SFP_BASE_CU_CABLE_LEN];
+- } else {
++ } else if (sfp_base[XGBE_SFP_BASE_CABLE] & XGBE_SFP_BASE_CABLE_ACTIVE) {
+ phy_data->sfp_cable = XGBE_SFP_CABLE_ACTIVE;
++ } else {
++ phy_data->sfp_cable = XGBE_SFP_CABLE_FIBER;
+ }
+
+ /* Determine the type of SFP */
+- if (phy_data->sfp_cable == XGBE_SFP_CABLE_PASSIVE &&
++ if (phy_data->sfp_cable != XGBE_SFP_CABLE_FIBER &&
+ xgbe_phy_sfp_bit_rate(sfp_eeprom, XGBE_SFP_SPEED_10000))
+ phy_data->sfp_base = XGBE_SFP_BASE_10000_CR;
+ else if (sfp_base[XGBE_SFP_BASE_10GBE_CC] & XGBE_SFP_BASE_10GBE_CC_SR)
+--
+2.35.1
+
--- /dev/null
+From 1864b057876acc3065fd08fc4664341ad43a3f1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 21:37:35 +0800
+Subject: net: apple: bmac: don't call dev_kfree_skb() under
+ spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 5fe02e046e6422c4adfdbc50206ec7186077da24 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
+The difference between them is free reason, dev_kfree_skb_irq() means
+the SKB is dropped in error and dev_consume_skb_irq() means the SKB
+is consumed in normal.
+
+In this case, dev_kfree_skb() is called in bmac_tx_timeout() to drop
+the SKB, when tx timeout, so replace it with dev_kfree_skb_irq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/apple/bmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c
+index 334de0d93c89..9e653e2925f7 100644
+--- a/drivers/net/ethernet/apple/bmac.c
++++ b/drivers/net/ethernet/apple/bmac.c
+@@ -1510,7 +1510,7 @@ static void bmac_tx_timeout(struct timer_list *t)
+ i = bp->tx_empty;
+ ++dev->stats.tx_errors;
+ if (i != bp->tx_fill) {
+- dev_kfree_skb(bp->tx_bufs[i]);
++ dev_kfree_skb_irq(bp->tx_bufs[i]);
+ bp->tx_bufs[i] = NULL;
+ if (++i >= N_TX_RING) i = 0;
+ bp->tx_empty = i;
+--
+2.35.1
+
--- /dev/null
+From 31f5d11b72a0d35b80be24591438950624228d14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 21:37:34 +0800
+Subject: net: apple: mace: don't call dev_kfree_skb() under
+ spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3dfe3486c1cd4f82b466b7d307f23777137b8acc ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
+The difference between them is free reason, dev_kfree_skb_irq() means
+the SKB is dropped in error and dev_consume_skb_irq() means the SKB
+is consumed in normal.
+
+In this case, dev_kfree_skb() is called in mace_tx_timeout() to drop
+the SKB, when tx timeout, so replace it with dev_kfree_skb_irq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/apple/mace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/apple/mace.c b/drivers/net/ethernet/apple/mace.c
+index d0a771b65e88..fd1b008b7208 100644
+--- a/drivers/net/ethernet/apple/mace.c
++++ b/drivers/net/ethernet/apple/mace.c
+@@ -846,7 +846,7 @@ static void mace_tx_timeout(struct timer_list *t)
+ if (mp->tx_bad_runt) {
+ mp->tx_bad_runt = 0;
+ } else if (i != mp->tx_fill) {
+- dev_kfree_skb(mp->tx_bufs[i]);
++ dev_kfree_skb_irq(mp->tx_bufs[i]);
+ if (++i >= N_TX_RING)
+ i = 0;
+ mp->tx_empty = i;
+--
+2.35.1
+
--- /dev/null
+From e318cd221814db5256b168bfa82f3a83a4c49910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 07:20:45 +0000
+Subject: net: defxx: Fix missing err handling in dfx_init()
+
+From: Yongqiang Liu <liuyongqiang13@huawei.com>
+
+[ Upstream commit ae18dcdff0f8d7e84cd3fd9f496518b5e72d185d ]
+
+When eisa_driver_register() or tc_register_driver() failed,
+the modprobe defxx would fail with some err log as follows:
+
+ Error: Driver 'defxx' is already registered, aborting...
+
+Fix this issue by adding err hanling in dfx_init().
+
+Fixes: e89a2cfb7d7b5 ("[TC] defxx: TURBOchannel support")
+Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/fddi/defxx.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/fddi/defxx.c b/drivers/net/fddi/defxx.c
+index b584ffe38ad6..1fef8a9b1a0f 100644
+--- a/drivers/net/fddi/defxx.c
++++ b/drivers/net/fddi/defxx.c
+@@ -3831,10 +3831,24 @@ static int dfx_init(void)
+ int status;
+
+ status = pci_register_driver(&dfx_pci_driver);
+- if (!status)
+- status = eisa_driver_register(&dfx_eisa_driver);
+- if (!status)
+- status = tc_register_driver(&dfx_tc_driver);
++ if (status)
++ goto err_pci_register;
++
++ status = eisa_driver_register(&dfx_eisa_driver);
++ if (status)
++ goto err_eisa_register;
++
++ status = tc_register_driver(&dfx_tc_driver);
++ if (status)
++ goto err_tc_register;
++
++ return 0;
++
++err_tc_register:
++ eisa_driver_unregister(&dfx_eisa_driver);
++err_eisa_register:
++ pci_unregister_driver(&dfx_pci_driver);
++err_pci_register:
+ return status;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 003c7169a3d7ed7ba3c30bcf0c5e578634eea1c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 16:12:16 +0200
+Subject: net: dpaa2: publish MAC stringset to ethtool -S even if MAC is
+ missing
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 29811d6e19d795efcf26644b66c4152abbac35a6 ]
+
+DPNIs and DPSW objects can connect and disconnect at runtime from DPMAC
+objects on the same fsl-mc bus. The DPMAC object also holds "ethtool -S"
+unstructured counters. Those counters are only shown for the entity
+owning the netdev (DPNI, DPSW) if it's connected to a DPMAC.
+
+The ethtool stringset code path is split into multiple callbacks, but
+currently, connecting and disconnecting the DPMAC takes the rtnl_lock().
+This blocks the entire ethtool code path from running, see
+ethnl_default_doit() -> rtnl_lock() -> ops->prepare_data() ->
+strset_prepare_data().
+
+This is going to be a problem if we are going to no longer require
+rtnl_lock() when connecting/disconnecting the DPMAC, because the DPMAC
+could appear between ops->get_sset_count() and ops->get_strings().
+If it appears out of the blue, we will provide a stringset into an array
+that was dimensioned thinking the DPMAC wouldn't be there => array
+accessed out of bounds.
+
+There isn't really a good way to work around that, and I don't want to
+put too much pressure on the ethtool framework by playing locking games.
+Just make the DPMAC counters be always available. They'll be zeroes if
+the DPNI or DPSW isn't connected to a DPMAC.
+
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 12 +++---------
+ .../ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c | 11 ++---------
+ 2 files changed, 5 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c
+index eea7d7a07c00..8381cbdb9461 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c
+@@ -186,7 +186,6 @@ static int dpaa2_eth_set_pauseparam(struct net_device *net_dev,
+ static void dpaa2_eth_get_strings(struct net_device *netdev, u32 stringset,
+ u8 *data)
+ {
+- struct dpaa2_eth_priv *priv = netdev_priv(netdev);
+ u8 *p = data;
+ int i;
+
+@@ -200,22 +199,17 @@ static void dpaa2_eth_get_strings(struct net_device *netdev, u32 stringset,
+ strscpy(p, dpaa2_ethtool_extras[i], ETH_GSTRING_LEN);
+ p += ETH_GSTRING_LEN;
+ }
+- if (dpaa2_eth_has_mac(priv))
+- dpaa2_mac_get_strings(p);
++ dpaa2_mac_get_strings(p);
+ break;
+ }
+ }
+
+ static int dpaa2_eth_get_sset_count(struct net_device *net_dev, int sset)
+ {
+- int num_ss_stats = DPAA2_ETH_NUM_STATS + DPAA2_ETH_NUM_EXTRA_STATS;
+- struct dpaa2_eth_priv *priv = netdev_priv(net_dev);
+-
+ switch (sset) {
+ case ETH_SS_STATS: /* ethtool_get_stats(), ethtool_get_drvinfo() */
+- if (dpaa2_eth_has_mac(priv))
+- num_ss_stats += dpaa2_mac_get_sset_count();
+- return num_ss_stats;
++ return DPAA2_ETH_NUM_STATS + DPAA2_ETH_NUM_EXTRA_STATS +
++ dpaa2_mac_get_sset_count();
+ default:
+ return -EOPNOTSUPP;
+ }
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
+index 720c9230cab5..40ee57ef55be 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
+@@ -145,14 +145,9 @@ dpaa2_switch_set_link_ksettings(struct net_device *netdev,
+ static int
+ dpaa2_switch_ethtool_get_sset_count(struct net_device *netdev, int sset)
+ {
+- struct ethsw_port_priv *port_priv = netdev_priv(netdev);
+- int num_ss_stats = DPAA2_SWITCH_NUM_COUNTERS;
+-
+ switch (sset) {
+ case ETH_SS_STATS:
+- if (port_priv->mac)
+- num_ss_stats += dpaa2_mac_get_sset_count();
+- return num_ss_stats;
++ return DPAA2_SWITCH_NUM_COUNTERS + dpaa2_mac_get_sset_count();
+ default:
+ return -EOPNOTSUPP;
+ }
+@@ -161,7 +156,6 @@ dpaa2_switch_ethtool_get_sset_count(struct net_device *netdev, int sset)
+ static void dpaa2_switch_ethtool_get_strings(struct net_device *netdev,
+ u32 stringset, u8 *data)
+ {
+- struct ethsw_port_priv *port_priv = netdev_priv(netdev);
+ u8 *p = data;
+ int i;
+
+@@ -172,8 +166,7 @@ static void dpaa2_switch_ethtool_get_strings(struct net_device *netdev,
+ ETH_GSTRING_LEN);
+ p += ETH_GSTRING_LEN;
+ }
+- if (port_priv->mac)
+- dpaa2_mac_get_strings(p);
++ dpaa2_mac_get_strings(p);
+ break;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From b6e9552661c800a958eb1a494d2c2328f846e636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 13:01:20 +0200
+Subject: net: dsa: mv88e6xxx: avoid reg_lock deadlock in
+ mv88e6xxx_setup_port()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit a7d82367daa6baa5e8399e6327e7f2f463534505 ]
+
+In the blamed commit, it was not noticed that one implementation of
+chip->info->ops->phylink_get_caps(), called by mv88e6xxx_get_caps(),
+may access hardware registers, and in doing so, it takes the
+mv88e6xxx_reg_lock(). Namely, this is mv88e6352_phylink_get_caps().
+
+This is a problem because mv88e6xxx_get_caps(), apart from being
+a top-level function (method invoked by dsa_switch_ops), is now also
+directly called from mv88e6xxx_setup_port(), which runs under the
+mv88e6xxx_reg_lock() taken by mv88e6xxx_setup(). Therefore, when running
+on mv88e6352, the reg_lock would be acquired a second time and the
+system would deadlock on driver probe.
+
+The things that mv88e6xxx_setup() can compete with in terms of register
+access with are the IRQ handlers and MDIO bus operations registered by
+mv88e6xxx_probe(). So there is a real need to acquire the register lock.
+
+The register lock can, in principle, be dropped and re-acquired pretty
+much at will within the driver, as long as no operations that involve
+waiting for indirect access to complete (essentially, callers of
+mv88e6xxx_smi_direct_wait() and mv88e6xxx_wait_mask()) are interrupted
+with the lock released. However, I would guess that in mv88e6xxx_setup(),
+the critical section is kept open for such a long time just in order to
+optimize away multiple lock/unlock operations on the registers.
+
+We could, in principle, drop the reg_lock right before the
+mv88e6xxx_setup_port() -> mv88e6xxx_get_caps() call, and
+re-acquire it immediately afterwards. But this would look ugly, because
+mv88e6xxx_setup_port() would release a lock which it didn't acquire, but
+the caller did.
+
+A cleaner solution to this issue comes from the observation that struct
+mv88e6xxxx_ops methods generally assume they are called with the
+reg_lock already acquired. Whereas mv88e6352_phylink_get_caps() is more
+the exception rather than the norm, in that it acquires the lock itself.
+
+Let's enforce the same locking pattern/convention for
+chip->info->ops->phylink_get_caps() as well, and make
+mv88e6xxx_get_caps(), the top-level function, acquire the register lock
+explicitly, for this one implementation that will access registers for
+port 4 to work properly.
+
+This means that mv88e6xxx_setup_port() will no longer call the top-level
+function, but the low-level mv88e6xxx_ops method which expects the
+correct calling context (register lock held).
+
+Compared to chip->info->ops->phylink_get_caps(), mv88e6xxx_get_caps()
+also fixes up the supported_interfaces bitmap for internal ports, since
+that can be done generically and does not require per-switch knowledge.
+That's code which will no longer execute, however mv88e6xxx_setup_port()
+doesn't need that. It just needs to look at the mac_capabilities bitmap.
+
+Fixes: cc1049ccee20 ("net: dsa: mv88e6xxx: fix speed setting for CPU/DSA ports")
+Reported-by: Maksim Kiselev <bigunclemax@gmail.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Tested-by: Maksim Kiselev <bigunclemax@gmail.com>
+Link: https://lore.kernel.org/r/20221214110120.3368472-1-vladimir.oltean@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 546d90dae933..0fd978e3ce2d 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -689,13 +689,12 @@ static void mv88e6352_phylink_get_caps(struct mv88e6xxx_chip *chip, int port,
+
+ /* Port 4 supports automedia if the serdes is associated with it. */
+ if (port == 4) {
+- mv88e6xxx_reg_lock(chip);
+ err = mv88e6352_g2_scratch_port_has_serdes(chip, port);
+ if (err < 0)
+ dev_err(chip->dev, "p%d: failed to read scratch\n",
+ port);
+ if (err <= 0)
+- goto unlock;
++ return;
+
+ cmode = mv88e6352_get_port4_serdes_cmode(chip);
+ if (cmode < 0)
+@@ -703,8 +702,6 @@ static void mv88e6352_phylink_get_caps(struct mv88e6xxx_chip *chip, int port,
+ port);
+ else
+ mv88e6xxx_translate_cmode(cmode, supported);
+-unlock:
+- mv88e6xxx_reg_unlock(chip);
+ }
+ }
+
+@@ -823,7 +820,9 @@ static void mv88e6xxx_get_caps(struct dsa_switch *ds, int port,
+ {
+ struct mv88e6xxx_chip *chip = ds->priv;
+
++ mv88e6xxx_reg_lock(chip);
+ chip->info->ops->phylink_get_caps(chip, port, config);
++ mv88e6xxx_reg_unlock(chip);
+
+ if (mv88e6xxx_phy_is_internal(ds, port)) {
+ __set_bit(PHY_INTERFACE_MODE_INTERNAL,
+@@ -3299,7 +3298,7 @@ static int mv88e6xxx_setup_port(struct mv88e6xxx_chip *chip, int port)
+ struct phylink_config pl_config = {};
+ unsigned long caps;
+
+- mv88e6xxx_get_caps(ds, port, &pl_config);
++ chip->info->ops->phylink_get_caps(chip, port, &pl_config);
+
+ caps = pl_config.mac_capabilities;
+
+--
+2.35.1
+
--- /dev/null
+From 9a6d7fa55c79b824ac1016216d19e3ddb4ec5833 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Dec 2022 01:52:42 +0200
+Subject: net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register()
+ error path
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit e095493091e850d5292ad01d8fbf5cde1d89ac53 ]
+
+If dsa_tag_8021q_setup() fails, for example due to the inability of the
+device to install a VLAN, the tag_8021q context of the switch will leak.
+Make sure it is freed on the error path.
+
+Fixes: 328621f6131f ("net: dsa: tag_8021q: absorb dsa_8021q_setup into dsa_tag_8021q_{,un}register")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20221209235242.480344-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_8021q.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_8021q.c b/net/dsa/tag_8021q.c
+index 01a427800797..6de53f5b40a7 100644
+--- a/net/dsa/tag_8021q.c
++++ b/net/dsa/tag_8021q.c
+@@ -400,6 +400,7 @@ static void dsa_tag_8021q_teardown(struct dsa_switch *ds)
+ int dsa_tag_8021q_register(struct dsa_switch *ds, __be16 proto)
+ {
+ struct dsa_8021q_context *ctx;
++ int err;
+
+ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+ if (!ctx)
+@@ -412,7 +413,15 @@ int dsa_tag_8021q_register(struct dsa_switch *ds, __be16 proto)
+
+ ds->tag_8021q_ctx = ctx;
+
+- return dsa_tag_8021q_setup(ds);
++ err = dsa_tag_8021q_setup(ds);
++ if (err)
++ goto err_free;
++
++ return 0;
++
++err_free:
++ kfree(ctx);
++ return err;
+ }
+ EXPORT_SYMBOL_GPL(dsa_tag_8021q_register);
+
+--
+2.35.1
+
--- /dev/null
+From 5856834c2a04e259ce121a237785bcd074d19c83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 22:21:44 +0800
+Subject: net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit d1678bf45f21fa5ae4a456f821858679556ea5f8 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
+The difference between them is free reason, dev_kfree_skb_irq() means
+the SKB is dropped in error and dev_consume_skb_irq() means the SKB
+is consumed in normal.
+
+In this case, dev_kfree_skb() is called in xemaclite_tx_timeout() to
+drop the SKB, when tx timeout, so replace it with dev_kfree_skb_irq().
+
+Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+index 016a9c4f2c6c..ce0444b09664 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+@@ -536,7 +536,7 @@ static void xemaclite_tx_timeout(struct net_device *dev, unsigned int txqueue)
+ xemaclite_enable_interrupts(lp);
+
+ if (lp->deferred_skb) {
+- dev_kfree_skb(lp->deferred_skb);
++ dev_kfree_skb_irq(lp->deferred_skb);
+ lp->deferred_skb = NULL;
+ dev->stats.tx_errors++;
+ }
+--
+2.35.1
+
--- /dev/null
+From 3c6907f6227287932291b6cfdb73d7a6de44c7b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Dec 2022 02:19:08 +0200
+Subject: net: enetc: avoid buffer leaks on xdp_do_redirect() failure
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 628050ec952d2e2e46ec9fb6aa07e41139e030c8 ]
+
+Before enetc_clean_rx_ring_xdp() calls xdp_do_redirect(), each software
+BD in the RX ring between index orig_i and i can have one of 2 refcount
+values on its page.
+
+We are the owner of the current buffer that is being processed, so the
+refcount will be at least 1.
+
+If the current owner of the buffer at the diametrically opposed index
+in the RX ring (i.o.w, the other half of this page) has not yet called
+kfree(), this page's refcount could even be 2.
+
+enetc_page_reusable() in enetc_flip_rx_buff() tests for the page
+refcount against 1, and [ if it's 2 ] does not attempt to reuse it.
+
+But if enetc_flip_rx_buff() is put after the xdp_do_redirect() call,
+the page refcount can have one of 3 values. It can also be 0, if there
+is no owner of the other page half, and xdp_do_redirect() for this
+buffer ran so far that it triggered a flush of the devmap/cpumap bulk
+queue, and the consumers of those bulk queues also freed the buffer,
+all by the time xdp_do_redirect() returns the execution back to enetc.
+
+This is the reason why enetc_flip_rx_buff() is called before
+xdp_do_redirect(), but there is a big flaw with that reasoning:
+enetc_flip_rx_buff() will set rx_swbd->page = NULL on both sides of the
+enetc_page_reusable() branch, and if xdp_do_redirect() returns an error,
+we call enetc_xdp_free(), which does not deal gracefully with that.
+
+In fact, what happens is quite special. The page refcounts start as 1.
+enetc_flip_rx_buff() figures they're reusable, transfers these
+rx_swbd->page pointers to a different rx_swbd in enetc_reuse_page(), and
+bumps the refcount to 2. When xdp_do_redirect() later returns an error,
+we call the no-op enetc_xdp_free(), but we still haven't lost the
+reference to that page. A copy of it is still at rx_ring->next_to_alloc,
+but that has refcount 2 (and there are no concurrent owners of it in
+flight, to drop the refcount). What really kills the system is when
+we'll flip the rx_swbd->page the second time around. With an updated
+refcount of 2, the page will not be reusable and we'll really leak it.
+Then enetc_new_page() will have to allocate more pages, which will then
+eventually leak again on further errors from xdp_do_redirect().
+
+The problem, summarized, is that we zeroize rx_swbd->page before we're
+completely done with it, and this makes it impossible for the error path
+to do something with it.
+
+Since the packet is potentially multi-buffer and therefore the
+rx_swbd->page is potentially an array, manual passing of the old
+pointers between enetc_flip_rx_buff() and enetc_xdp_free() is a bit
+difficult.
+
+For the sake of going with a simple solution, we accept the possibility
+of racing with xdp_do_redirect(), and we move the flip procedure to
+execute only on the redirect success path. By racing, I mean that the
+page may be deemed as not reusable by enetc (having a refcount of 0),
+but there will be no leak in that case, either.
+
+Once we accept that, we have something better to do with buffers on
+XDP_REDIRECT failure. Since we haven't performed half-page flipping yet,
+we won't, either (and this way, we can avoid enetc_xdp_free()
+completely, which gives the entire page to the slab allocator).
+Instead, we'll call enetc_xdp_drop(), which will recycle this half of
+the buffer back to the RX ring.
+
+Fixes: 9d2b68cc108d ("net: enetc: add support for XDP_REDIRECT")
+Suggested-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20221213001908.2347046-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc.c | 35 +++++---------------
+ 1 file changed, 8 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
+index 1d8ec1b120a1..525d506797fc 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc.c
+@@ -1489,23 +1489,6 @@ static void enetc_xdp_drop(struct enetc_bdr *rx_ring, int rx_ring_first,
+ rx_ring->stats.xdp_drops++;
+ }
+
+-static void enetc_xdp_free(struct enetc_bdr *rx_ring, int rx_ring_first,
+- int rx_ring_last)
+-{
+- while (rx_ring_first != rx_ring_last) {
+- struct enetc_rx_swbd *rx_swbd = &rx_ring->rx_swbd[rx_ring_first];
+-
+- if (rx_swbd->page) {
+- dma_unmap_page(rx_ring->dev, rx_swbd->dma, PAGE_SIZE,
+- rx_swbd->dir);
+- __free_page(rx_swbd->page);
+- rx_swbd->page = NULL;
+- }
+- enetc_bdr_idx_inc(rx_ring, &rx_ring_first);
+- }
+- rx_ring->stats.xdp_redirect_failures++;
+-}
+-
+ static int enetc_clean_rx_ring_xdp(struct enetc_bdr *rx_ring,
+ struct napi_struct *napi, int work_limit,
+ struct bpf_prog *prog)
+@@ -1527,8 +1510,8 @@ static int enetc_clean_rx_ring_xdp(struct enetc_bdr *rx_ring,
+ int orig_i, orig_cleaned_cnt;
+ struct xdp_buff xdp_buff;
+ struct sk_buff *skb;
+- int tmp_orig_i, err;
+ u32 bd_status;
++ int err;
+
+ rxbd = enetc_rxbd(rx_ring, i);
+ bd_status = le32_to_cpu(rxbd->r.lstatus);
+@@ -1615,18 +1598,16 @@ static int enetc_clean_rx_ring_xdp(struct enetc_bdr *rx_ring,
+ break;
+ }
+
+- tmp_orig_i = orig_i;
+-
+- while (orig_i != i) {
+- enetc_flip_rx_buff(rx_ring,
+- &rx_ring->rx_swbd[orig_i]);
+- enetc_bdr_idx_inc(rx_ring, &orig_i);
+- }
+-
+ err = xdp_do_redirect(rx_ring->ndev, &xdp_buff, prog);
+ if (unlikely(err)) {
+- enetc_xdp_free(rx_ring, tmp_orig_i, i);
++ enetc_xdp_drop(rx_ring, orig_i, i);
++ rx_ring->stats.xdp_redirect_failures++;
+ } else {
++ while (orig_i != i) {
++ enetc_flip_rx_buff(rx_ring,
++ &rx_ring->rx_swbd[orig_i]);
++ enetc_bdr_idx_inc(rx_ring, &orig_i);
++ }
+ xdp_redirect_frm_cnt++;
+ rx_ring->stats.xdp_redirect++;
+ }
+--
+2.35.1
+
--- /dev/null
+From 91dcb53e547787f0067fd9616a450a365b87831e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 22:21:45 +0800
+Subject: net: ethernet: dnet: don't call dev_kfree_skb() under
+ spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f07fadcbee2a5e84caa67c7c445424200bffb60b ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+In this case, the lock is used to protected 'bp', so we can move
+dev_kfree_skb() after the spin_unlock_irqrestore().
+
+Fixes: 4796417417a6 ("dnet: Dave DNET ethernet controller driver (updated)")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/dnet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/dnet.c b/drivers/net/ethernet/dnet.c
+index 92462ed87bc4..d9f0c297ae2a 100644
+--- a/drivers/net/ethernet/dnet.c
++++ b/drivers/net/ethernet/dnet.c
+@@ -550,11 +550,11 @@ static netdev_tx_t dnet_start_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ skb_tx_timestamp(skb);
+
++ spin_unlock_irqrestore(&bp->lock, flags);
++
+ /* free the buffer */
+ dev_kfree_skb(skb);
+
+- spin_unlock_irqrestore(&bp->lock, flags);
+-
+ return NETDEV_TX_OK;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 705a6d7310357d6a79432dbf33d819fda4230374 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 00:35:04 +0100
+Subject: net: ethernet: mtk_eth_soc: do not overwrite mtu configuration
+ running reset routine
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit b677d6c7a695dad1b02d2e0e428c39b3b344f270 ]
+
+Restore user configured MTU running mtk_hw_init() during tx timeout routine
+since it will be overwritten after a hw reset.
+
+Reported-by: Felix Fietkau <nbd@nbd.name>
+Fixes: 9ea4d311509f ("net: ethernet: mediatek: add the whole ethernet reset into the reset process")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 53 +++++++++++++--------
+ 1 file changed, 34 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 5380caf0acc2..26e0a2af64cf 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -3209,6 +3209,30 @@ static void mtk_dim_tx(struct work_struct *work)
+ dim->state = DIM_START_MEASURE;
+ }
+
++static void mtk_set_mcr_max_rx(struct mtk_mac *mac, u32 val)
++{
++ struct mtk_eth *eth = mac->hw;
++ u32 mcr_cur, mcr_new;
++
++ if (MTK_HAS_CAPS(eth->soc->caps, MTK_SOC_MT7628))
++ return;
++
++ mcr_cur = mtk_r32(mac->hw, MTK_MAC_MCR(mac->id));
++ mcr_new = mcr_cur & ~MAC_MCR_MAX_RX_MASK;
++
++ if (val <= 1518)
++ mcr_new |= MAC_MCR_MAX_RX(MAC_MCR_MAX_RX_1518);
++ else if (val <= 1536)
++ mcr_new |= MAC_MCR_MAX_RX(MAC_MCR_MAX_RX_1536);
++ else if (val <= 1552)
++ mcr_new |= MAC_MCR_MAX_RX(MAC_MCR_MAX_RX_1552);
++ else
++ mcr_new |= MAC_MCR_MAX_RX(MAC_MCR_MAX_RX_2048);
++
++ if (mcr_new != mcr_cur)
++ mtk_w32(mac->hw, mcr_new, MTK_MAC_MCR(mac->id));
++}
++
+ static int mtk_hw_init(struct mtk_eth *eth)
+ {
+ u32 dma_mask = ETHSYS_DMA_AG_MAP_PDMA | ETHSYS_DMA_AG_MAP_QDMA |
+@@ -3283,8 +3307,16 @@ static int mtk_hw_init(struct mtk_eth *eth)
+ * up with the more appropriate value when mtk_mac_config call is being
+ * invoked.
+ */
+- for (i = 0; i < MTK_MAC_COUNT; i++)
++ for (i = 0; i < MTK_MAC_COUNT; i++) {
++ struct net_device *dev = eth->netdev[i];
++
+ mtk_w32(eth, MAC_MCR_FORCE_LINK_DOWN, MTK_MAC_MCR(i));
++ if (dev) {
++ struct mtk_mac *mac = netdev_priv(dev);
++
++ mtk_set_mcr_max_rx(mac, dev->mtu + MTK_RX_ETH_HLEN);
++ }
++ }
+
+ /* Indicates CDM to parse the MTK special tag from CPU
+ * which also is working out for untag packets.
+@@ -3400,7 +3432,6 @@ static int mtk_change_mtu(struct net_device *dev, int new_mtu)
+ int length = new_mtu + MTK_RX_ETH_HLEN;
+ struct mtk_mac *mac = netdev_priv(dev);
+ struct mtk_eth *eth = mac->hw;
+- u32 mcr_cur, mcr_new;
+
+ if (rcu_access_pointer(eth->prog) &&
+ length > MTK_PP_MAX_BUF_SIZE) {
+@@ -3408,23 +3439,7 @@ static int mtk_change_mtu(struct net_device *dev, int new_mtu)
+ return -EINVAL;
+ }
+
+- if (!MTK_HAS_CAPS(eth->soc->caps, MTK_SOC_MT7628)) {
+- mcr_cur = mtk_r32(mac->hw, MTK_MAC_MCR(mac->id));
+- mcr_new = mcr_cur & ~MAC_MCR_MAX_RX_MASK;
+-
+- if (length <= 1518)
+- mcr_new |= MAC_MCR_MAX_RX(MAC_MCR_MAX_RX_1518);
+- else if (length <= 1536)
+- mcr_new |= MAC_MCR_MAX_RX(MAC_MCR_MAX_RX_1536);
+- else if (length <= 1552)
+- mcr_new |= MAC_MCR_MAX_RX(MAC_MCR_MAX_RX_1552);
+- else
+- mcr_new |= MAC_MCR_MAX_RX(MAC_MCR_MAX_RX_2048);
+-
+- if (mcr_new != mcr_cur)
+- mtk_w32(mac->hw, mcr_new, MTK_MAC_MCR(mac->id));
+- }
+-
++ mtk_set_mcr_max_rx(mac, length);
+ dev->mtu = new_mtu;
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 023ad51fc383b662635404a0fe791bd1999ac0cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 09:07:30 +0100
+Subject: net: ethernet: mtk_eth_soc: drop packets to WDMA if the ring is full
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit f4b2fa2c25e1ade78f766aa82e733a0b5198d484 ]
+
+Improves handling of DMA ring overflow.
+Clarify other WDMA drop related comment.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20221116080734.44013-3-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 5 ++++-
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 +
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 4c16f2df566f..559c7a42c1c9 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -3344,9 +3344,12 @@ static int mtk_hw_init(struct mtk_eth *eth)
+ mtk_w32(eth, 0x21021000, MTK_FE_INT_GRP);
+
+ if (MTK_HAS_CAPS(eth->soc->caps, MTK_NETSYS_V2)) {
+- /* PSE should not drop port8 and port9 packets */
++ /* PSE should not drop port8 and port9 packets from WDMA Tx */
+ mtk_w32(eth, 0x00000300, PSE_DROP_CFG);
+
++ /* PSE should drop packets to port 8/9 on WDMA Rx ring full */
++ mtk_w32(eth, 0x00000300, PSE_PPE0_DROP);
++
+ /* PSE Free Queue Flow Control */
+ mtk_w32(eth, 0x01fa01f4, PSE_FQFC_CFG2);
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index da261dd49d6f..df8e6e95254e 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -121,6 +121,7 @@
+ #define PSE_FQFC_CFG1 0x100
+ #define PSE_FQFC_CFG2 0x104
+ #define PSE_DROP_CFG 0x108
++#define PSE_PPE0_DROP 0x110
+
+ /* PSE Input Queue Reservation Register*/
+ #define PSE_IQ_REV(x) (0x140 + (((x) - 1) << 2))
+--
+2.35.1
+
--- /dev/null
+From 5992635ae4d5f0e601b88239bff53954a7b16d84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 15:29:53 +0100
+Subject: net: ethernet: mtk_eth_soc: fix RSTCTRL_PPE{0,1} definitions
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit ef8c373bd91df3cf70596497da0955d218961ead ]
+
+Fix RSTCTRL_PPE0 and RSTCTRL_PPE1 register mask definitions for
+MTK_NETSYS_V2.
+Remove duplicated definitions.
+
+Fixes: 160d3a9b1929 ("net: ethernet: mtk_eth_soc: introduce MTK_NETSYS_V2 support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 13 +++++++------
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 10 +++-------
+ 2 files changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 26e0a2af64cf..4c16f2df566f 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -3272,16 +3272,17 @@ static int mtk_hw_init(struct mtk_eth *eth)
+ return 0;
+ }
+
+- val = RSTCTRL_FE | RSTCTRL_PPE;
+ if (MTK_HAS_CAPS(eth->soc->caps, MTK_NETSYS_V2)) {
+ regmap_write(eth->ethsys, ETHSYS_FE_RST_CHK_IDLE_EN, 0);
+-
+- val |= RSTCTRL_ETH;
+- if (MTK_HAS_CAPS(eth->soc->caps, MTK_RSTCTRL_PPE1))
+- val |= RSTCTRL_PPE1;
++ val = RSTCTRL_PPE0_V2;
++ } else {
++ val = RSTCTRL_PPE0;
+ }
+
+- ethsys_reset(eth, val);
++ if (MTK_HAS_CAPS(eth->soc->caps, MTK_RSTCTRL_PPE1))
++ val |= RSTCTRL_PPE1;
++
++ ethsys_reset(eth, RSTCTRL_ETH | RSTCTRL_FE | val);
+
+ if (MTK_HAS_CAPS(eth->soc->caps, MTK_NETSYS_V2)) {
+ regmap_write(eth->ethsys, ETHSYS_FE_RST_CHK_IDLE_EN,
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 0f9668a4079d..da261dd49d6f 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -451,18 +451,14 @@
+ /* ethernet reset control register */
+ #define ETHSYS_RSTCTRL 0x34
+ #define RSTCTRL_FE BIT(6)
+-#define RSTCTRL_PPE BIT(31)
+-#define RSTCTRL_PPE1 BIT(30)
++#define RSTCTRL_PPE0 BIT(31)
++#define RSTCTRL_PPE0_V2 BIT(30)
++#define RSTCTRL_PPE1 BIT(31)
+ #define RSTCTRL_ETH BIT(23)
+
+ /* ethernet reset check idle register */
+ #define ETHSYS_FE_RST_CHK_IDLE_EN 0x28
+
+-/* ethernet reset control register */
+-#define ETHSYS_RSTCTRL 0x34
+-#define RSTCTRL_FE BIT(6)
+-#define RSTCTRL_PPE BIT(31)
+-
+ /* ethernet dma channel agent map */
+ #define ETHSYS_DMA_AG_MAP 0x408
+ #define ETHSYS_DMA_AG_MAP_PDMA BIT(0)
+--
+2.35.1
+
--- /dev/null
+From 7d82db2d30c2c4cd5456827e698b60f70b10a94c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 12:55:34 +0200
+Subject: net: ethernet: ti: am65-cpsw: Fix PM runtime leakage in
+ am65_cpsw_nuss_ndo_slave_open()
+
+From: Roger Quadros <rogerq@kernel.org>
+
+[ Upstream commit 5821504f5073983733465b8bc430049c4343bbd7 ]
+
+Ensure pm_runtime_put() is issued in error path.
+
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver")
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Reviewed-by: Saeed Mahameed <saeed@kernel.org>
+Link: https://lore.kernel.org/r/20221208105534.63709-1-rogerq@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+index 47da11b9ac28..58678843d794 100644
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -562,13 +562,13 @@ static int am65_cpsw_nuss_ndo_slave_open(struct net_device *ndev)
+ ret = netif_set_real_num_tx_queues(ndev, common->tx_ch_num);
+ if (ret) {
+ dev_err(common->dev, "cannot set real number of tx queues\n");
+- return ret;
++ goto runtime_put;
+ }
+
+ ret = netif_set_real_num_rx_queues(ndev, AM65_CPSW_MAX_RX_QUEUES);
+ if (ret) {
+ dev_err(common->dev, "cannot set real number of rx queues\n");
+- return ret;
++ goto runtime_put;
+ }
+
+ for (i = 0; i < common->tx_ch_num; i++)
+@@ -576,7 +576,7 @@ static int am65_cpsw_nuss_ndo_slave_open(struct net_device *ndev)
+
+ ret = am65_cpsw_nuss_common_open(common, ndev->features);
+ if (ret)
+- return ret;
++ goto runtime_put;
+
+ common->usage_count++;
+
+@@ -609,6 +609,10 @@ static int am65_cpsw_nuss_ndo_slave_open(struct net_device *ndev)
+ error_cleanup:
+ am65_cpsw_nuss_ndo_slave_stop(ndev);
+ return ret;
++
++runtime_put:
++ pm_runtime_put(common->dev);
++ return ret;
+ }
+
+ static void am65_cpsw_nuss_rx_cleanup(void *data, dma_addr_t desc_dma)
+--
+2.35.1
+
--- /dev/null
+From aa4db831439dad5460be1c93fb2d59017713596e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 09:09:33 -0700
+Subject: net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 63fe6ff674a96cfcfc0fa8df1051a27aa31c70b4 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .ndo_start_xmit = netcp_ndo_start_xmit,
+ ^~~~~~~~~~~~~~~~~~~~
+ 1 error generated.
+
+->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
+'netdev_tx_t', not 'int'. Adjust the return type of
+netcp_ndo_start_xmit() to match the prototype's to resolve the warning
+and CFI failure.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221102160933.1601260-1-nathan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/netcp_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
+index b15d44261e76..267252560942 100644
+--- a/drivers/net/ethernet/ti/netcp_core.c
++++ b/drivers/net/ethernet/ti/netcp_core.c
+@@ -1261,7 +1261,7 @@ static int netcp_tx_submit_skb(struct netcp_intf *netcp,
+ }
+
+ /* Submit the packet */
+-static int netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev)
++static netdev_tx_t netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ {
+ struct netcp_intf *netcp = netdev_priv(ndev);
+ struct netcp_stats *tx_stats = &netcp->stats;
+--
+2.35.1
+
--- /dev/null
+From 4785f82d9fea0cc38c4b04165d89057653c37903 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 20:05:40 +0800
+Subject: net: farsync: Fix kmemleak when rmmods farsync
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 2f623aaf9f31de968dea6169849706a2f9be444c ]
+
+There are two memory leaks reported by kmemleak:
+
+ unreferenced object 0xffff888114b20200 (size 128):
+ comm "modprobe", pid 4846, jiffies 4295146524 (age 401.345s)
+ hex dump (first 32 bytes):
+ e0 62 57 09 81 88 ff ff e0 62 57 09 81 88 ff ff .bW......bW.....
+ 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
+ [<ffffffff83d35c78>] __hw_addr_add_ex+0x198/0x6c0
+ [<ffffffff83d3989d>] dev_addr_init+0x13d/0x230
+ [<ffffffff83d1063d>] alloc_netdev_mqs+0x10d/0xe50
+ [<ffffffff82b4a06e>] alloc_hdlcdev+0x2e/0x80
+ [<ffffffffa016a741>] fst_add_one+0x601/0x10e0 [farsync]
+ ...
+
+ unreferenced object 0xffff88810b85b000 (size 1024):
+ comm "modprobe", pid 4846, jiffies 4295146523 (age 401.346s)
+ hex dump (first 32 bytes):
+ 00 00 b0 02 00 c9 ff ff 00 70 0a 00 00 c9 ff ff .........p......
+ 00 00 00 f2 00 00 00 f3 0a 00 00 00 02 00 00 00 ................
+ backtrace:
+ [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
+ [<ffffffffa016a294>] fst_add_one+0x154/0x10e0 [farsync]
+ [<ffffffff82060e83>] local_pci_probe+0xd3/0x170
+ ...
+
+The root cause is traced to the netdev and fst_card_info are not freed
+when removes one fst in fst_remove_one(), which may trigger oom if
+repeated insmod and rmmod module.
+
+Fix it by adding free_netdev() and kfree() in fst_remove_one(), just as
+the operations on the error handling path in fst_add_one().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/farsync.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c
+index 6a212c085435..5b01642ca44e 100644
+--- a/drivers/net/wan/farsync.c
++++ b/drivers/net/wan/farsync.c
+@@ -2545,6 +2545,7 @@ fst_remove_one(struct pci_dev *pdev)
+ struct net_device *dev = port_to_dev(&card->ports[i]);
+
+ unregister_hdlc_device(dev);
++ free_netdev(dev);
+ }
+
+ fst_disable_intr(card);
+@@ -2564,6 +2565,7 @@ fst_remove_one(struct pci_dev *pdev)
+ card->tx_dma_handle_card);
+ }
+ fst_card_array[card->card_no] = NULL;
++ kfree(card);
+ }
+
+ static struct pci_driver fst_driver = {
+--
+2.35.1
+
--- /dev/null
+From e083a994dd590825534cc39edc0156bd79cac769 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 09:35:02 -0600
+Subject: net: lan9303: Fix read error execution path
+
+From: Jerry Ray <jerry.ray@microchip.com>
+
+[ Upstream commit 8964916d206071b058c6351f88b1966bd58cbde0 ]
+
+This patch fixes an issue where a read failure of a port statistic counter
+will return unknown results. While it is highly unlikely the read will
+ever fail, it is much cleaner to return a zero for the stat count.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Jerry Ray <jerry.ray@microchip.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20221209153502.7429-1-jerry.ray@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lan9303-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index 1de62604434d..2ed64fa19d02 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -1003,9 +1003,11 @@ static void lan9303_get_ethtool_stats(struct dsa_switch *ds, int port,
+ ret = lan9303_read_switch_port(
+ chip, port, lan9303_mib[u].offset, ®);
+
+- if (ret)
++ if (ret) {
+ dev_warn(chip->dev, "Reading status port %d reg %u failed\n",
+ port, lan9303_mib[u].offset);
++ reg = 0;
++ }
+ data[u] = reg;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 3bd17ec683a6178f656a454db0813b65e8886326 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Dec 2022 09:55:32 +0200
+Subject: net: macsec: fix net device access prior to holding a lock
+
+From: Emeel Hakim <ehakim@nvidia.com>
+
+[ Upstream commit f3b4a00f0f62da252c598310698dfc82ef2f2e2e ]
+
+Currently macsec offload selection update routine accesses
+the net device prior to holding the relevant lock.
+Fix by holding the lock prior to the device access.
+
+Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection")
+Reviewed-by: Raed Salem <raeds@nvidia.com>
+Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
+Link: https://lore.kernel.org/r/20221211075532.28099-1-ehakim@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 8dafc814282c..022b2daabd74 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2621,7 +2621,7 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
+ const struct macsec_ops *ops;
+ struct macsec_context ctx;
+ struct macsec_dev *macsec;
+- int ret;
++ int ret = 0;
+
+ if (!attrs[MACSEC_ATTR_IFINDEX])
+ return -EINVAL;
+@@ -2634,28 +2634,36 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
+ macsec_genl_offload_policy, NULL))
+ return -EINVAL;
+
++ rtnl_lock();
++
+ dev = get_dev_from_nl(genl_info_net(info), attrs);
+- if (IS_ERR(dev))
+- return PTR_ERR(dev);
++ if (IS_ERR(dev)) {
++ ret = PTR_ERR(dev);
++ goto out;
++ }
+ macsec = macsec_priv(dev);
+
+- if (!tb_offload[MACSEC_OFFLOAD_ATTR_TYPE])
+- return -EINVAL;
++ if (!tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]);
+ if (macsec->offload == offload)
+- return 0;
++ goto out;
+
+ /* Check if the offloading mode is supported by the underlying layers */
+ if (offload != MACSEC_OFFLOAD_OFF &&
+- !macsec_check_offload(offload, macsec))
+- return -EOPNOTSUPP;
++ !macsec_check_offload(offload, macsec)) {
++ ret = -EOPNOTSUPP;
++ goto out;
++ }
+
+ /* Check if the net device is busy. */
+- if (netif_running(dev))
+- return -EBUSY;
+-
+- rtnl_lock();
++ if (netif_running(dev)) {
++ ret = -EBUSY;
++ goto out;
++ }
+
+ prev_offload = macsec->offload;
+ macsec->offload = offload;
+@@ -2690,7 +2698,7 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
+
+ rollback:
+ macsec->offload = prev_offload;
+-
++out:
+ rtnl_unlock();
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 31e9f5392e629e5527cd49c17aacaf9bc95f6992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Oct 2022 07:34:21 +0100
+Subject: net, proc: Provide PROC_FS=n fallback for
+ proc_create_net_single_write()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit c3d96f690a790074b508fe183a41e36a00cd7ddd ]
+
+Provide a CONFIG_PROC_FS=n fallback for proc_create_net_single_write().
+
+Also provide a fallback for proc_create_net_data_write().
+
+Fixes: 564def71765c ("proc: Add a way to make network proc files writable")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+cc: netdev@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/proc_fs.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
+index 81d6e4ec2294..0260f5ea98fe 100644
+--- a/include/linux/proc_fs.h
++++ b/include/linux/proc_fs.h
+@@ -208,8 +208,10 @@ static inline void proc_remove(struct proc_dir_entry *de) {}
+ static inline int remove_proc_subtree(const char *name, struct proc_dir_entry *parent) { return 0; }
+
+ #define proc_create_net_data(name, mode, parent, ops, state_size, data) ({NULL;})
++#define proc_create_net_data_write(name, mode, parent, ops, write, state_size, data) ({NULL;})
+ #define proc_create_net(name, mode, parent, state_size, ops) ({NULL;})
+ #define proc_create_net_single(name, mode, parent, show, data) ({NULL;})
++#define proc_create_net_single_write(name, mode, parent, show, write, data) ({NULL;})
+
+ static inline struct pid *tgid_pidfd_to_pid(const struct file *file)
+ {
+--
+2.35.1
+
--- /dev/null
+From 1bfe5b62b04165baeb3e059ea7a611cf8c02b09a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 15:22:15 +0200
+Subject: net: Remove the obsolte u64_stats_fetch_*_irq() users (net).
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit d120d1a63b2c484d6175873d8ee736a633f74b70 ]
+
+Now that the 32bit UP oddity is gone and 32bit uses always a sequence
+count, there is no need for the fetch_irq() variants anymore.
+
+Convert to the regular interface.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 1dbd8d9a82e3 ("ipvs: use u64_stats_t for the per-cpu counters")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_dev.c | 4 ++--
+ net/bridge/br_multicast.c | 4 ++--
+ net/bridge/br_vlan.c | 4 ++--
+ net/core/dev.c | 4 ++--
+ net/core/devlink.c | 4 ++--
+ net/core/drop_monitor.c | 8 ++++----
+ net/core/gen_stats.c | 16 ++++++++--------
+ net/dsa/slave.c | 4 ++--
+ net/ipv4/af_inet.c | 4 ++--
+ net/ipv6/seg6_local.c | 4 ++--
+ net/mac80211/sta_info.c | 8 ++++----
+ net/mpls/af_mpls.c | 4 ++--
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 ++--
+ net/netfilter/nf_tables_api.c | 4 ++--
+ net/openvswitch/datapath.c | 4 ++--
+ net/openvswitch/flow_table.c | 9 ++++-----
+ 16 files changed, 44 insertions(+), 45 deletions(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index 035812b0461c..ecdb47712d95 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -712,13 +712,13 @@ static void vlan_dev_get_stats64(struct net_device *dev,
+
+ p = per_cpu_ptr(vlan_dev_priv(dev)->vlan_pcpu_stats, i);
+ do {
+- start = u64_stats_fetch_begin_irq(&p->syncp);
++ start = u64_stats_fetch_begin(&p->syncp);
+ rxpackets = u64_stats_read(&p->rx_packets);
+ rxbytes = u64_stats_read(&p->rx_bytes);
+ rxmulticast = u64_stats_read(&p->rx_multicast);
+ txpackets = u64_stats_read(&p->tx_packets);
+ txbytes = u64_stats_read(&p->tx_bytes);
+- } while (u64_stats_fetch_retry_irq(&p->syncp, start));
++ } while (u64_stats_fetch_retry(&p->syncp, start));
+
+ stats->rx_packets += rxpackets;
+ stats->rx_bytes += rxbytes;
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index db4f2641d1cd..7e2a9fb5786c 100644
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -4899,9 +4899,9 @@ void br_multicast_get_stats(const struct net_bridge *br,
+ unsigned int start;
+
+ do {
+- start = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
++ start = u64_stats_fetch_begin(&cpu_stats->syncp);
+ memcpy(&temp, &cpu_stats->mstats, sizeof(temp));
+- } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, start));
++ } while (u64_stats_fetch_retry(&cpu_stats->syncp, start));
+
+ mcast_stats_add_dir(tdst.igmp_v1queries, temp.igmp_v1queries);
+ mcast_stats_add_dir(tdst.igmp_v2queries, temp.igmp_v2queries);
+diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
+index 9ffd40b8270c..bc75fa1e4666 100644
+--- a/net/bridge/br_vlan.c
++++ b/net/bridge/br_vlan.c
+@@ -1389,12 +1389,12 @@ void br_vlan_get_stats(const struct net_bridge_vlan *v,
+
+ cpu_stats = per_cpu_ptr(v->stats, i);
+ do {
+- start = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
++ start = u64_stats_fetch_begin(&cpu_stats->syncp);
+ rxpackets = u64_stats_read(&cpu_stats->rx_packets);
+ rxbytes = u64_stats_read(&cpu_stats->rx_bytes);
+ txbytes = u64_stats_read(&cpu_stats->tx_bytes);
+ txpackets = u64_stats_read(&cpu_stats->tx_packets);
+- } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, start));
++ } while (u64_stats_fetch_retry(&cpu_stats->syncp, start));
+
+ u64_stats_add(&stats->rx_packets, rxpackets);
+ u64_stats_add(&stats->rx_bytes, rxbytes);
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 2c14f48d2457..d2ab54c9c3ed 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -10496,12 +10496,12 @@ void dev_fetch_sw_netstats(struct rtnl_link_stats64 *s,
+
+ stats = per_cpu_ptr(netstats, cpu);
+ do {
+- start = u64_stats_fetch_begin_irq(&stats->syncp);
++ start = u64_stats_fetch_begin(&stats->syncp);
+ rx_packets = u64_stats_read(&stats->rx_packets);
+ rx_bytes = u64_stats_read(&stats->rx_bytes);
+ tx_packets = u64_stats_read(&stats->tx_packets);
+ tx_bytes = u64_stats_read(&stats->tx_bytes);
+- } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
++ } while (u64_stats_fetch_retry(&stats->syncp, start));
+
+ s->rx_packets += rx_packets;
+ s->rx_bytes += rx_bytes;
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index b50bcc18b8d9..cfa6a099457a 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -8268,10 +8268,10 @@ static void devlink_trap_stats_read(struct devlink_stats __percpu *trap_stats,
+
+ cpu_stats = per_cpu_ptr(trap_stats, i);
+ do {
+- start = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
++ start = u64_stats_fetch_begin(&cpu_stats->syncp);
+ rx_packets = u64_stats_read(&cpu_stats->rx_packets);
+ rx_bytes = u64_stats_read(&cpu_stats->rx_bytes);
+- } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, start));
++ } while (u64_stats_fetch_retry(&cpu_stats->syncp, start));
+
+ u64_stats_add(&stats->rx_packets, rx_packets);
+ u64_stats_add(&stats->rx_bytes, rx_bytes);
+diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
+index 75501e1bdd25..dfcaf61d972c 100644
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -1432,9 +1432,9 @@ static void net_dm_stats_read(struct net_dm_stats *stats)
+ u64 dropped;
+
+ do {
+- start = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
++ start = u64_stats_fetch_begin(&cpu_stats->syncp);
+ dropped = u64_stats_read(&cpu_stats->dropped);
+- } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, start));
++ } while (u64_stats_fetch_retry(&cpu_stats->syncp, start));
+
+ u64_stats_add(&stats->dropped, dropped);
+ }
+@@ -1476,9 +1476,9 @@ static void net_dm_hw_stats_read(struct net_dm_stats *stats)
+ u64 dropped;
+
+ do {
+- start = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
++ start = u64_stats_fetch_begin(&cpu_stats->syncp);
+ dropped = u64_stats_read(&cpu_stats->dropped);
+- } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, start));
++ } while (u64_stats_fetch_retry(&cpu_stats->syncp, start));
+
+ u64_stats_add(&stats->dropped, dropped);
+ }
+diff --git a/net/core/gen_stats.c b/net/core/gen_stats.c
+index c8d137ef5980..b71ccaec0991 100644
+--- a/net/core/gen_stats.c
++++ b/net/core/gen_stats.c
+@@ -135,10 +135,10 @@ static void gnet_stats_add_basic_cpu(struct gnet_stats_basic_sync *bstats,
+ u64 bytes, packets;
+
+ do {
+- start = u64_stats_fetch_begin_irq(&bcpu->syncp);
++ start = u64_stats_fetch_begin(&bcpu->syncp);
+ bytes = u64_stats_read(&bcpu->bytes);
+ packets = u64_stats_read(&bcpu->packets);
+- } while (u64_stats_fetch_retry_irq(&bcpu->syncp, start));
++ } while (u64_stats_fetch_retry(&bcpu->syncp, start));
+
+ t_bytes += bytes;
+ t_packets += packets;
+@@ -162,10 +162,10 @@ void gnet_stats_add_basic(struct gnet_stats_basic_sync *bstats,
+ }
+ do {
+ if (running)
+- start = u64_stats_fetch_begin_irq(&b->syncp);
++ start = u64_stats_fetch_begin(&b->syncp);
+ bytes = u64_stats_read(&b->bytes);
+ packets = u64_stats_read(&b->packets);
+- } while (running && u64_stats_fetch_retry_irq(&b->syncp, start));
++ } while (running && u64_stats_fetch_retry(&b->syncp, start));
+
+ _bstats_update(bstats, bytes, packets);
+ }
+@@ -187,10 +187,10 @@ static void gnet_stats_read_basic(u64 *ret_bytes, u64 *ret_packets,
+ u64 bytes, packets;
+
+ do {
+- start = u64_stats_fetch_begin_irq(&bcpu->syncp);
++ start = u64_stats_fetch_begin(&bcpu->syncp);
+ bytes = u64_stats_read(&bcpu->bytes);
+ packets = u64_stats_read(&bcpu->packets);
+- } while (u64_stats_fetch_retry_irq(&bcpu->syncp, start));
++ } while (u64_stats_fetch_retry(&bcpu->syncp, start));
+
+ t_bytes += bytes;
+ t_packets += packets;
+@@ -201,10 +201,10 @@ static void gnet_stats_read_basic(u64 *ret_bytes, u64 *ret_packets,
+ }
+ do {
+ if (running)
+- start = u64_stats_fetch_begin_irq(&b->syncp);
++ start = u64_stats_fetch_begin(&b->syncp);
+ *ret_bytes = u64_stats_read(&b->bytes);
+ *ret_packets = u64_stats_read(&b->packets);
+- } while (running && u64_stats_fetch_retry_irq(&b->syncp, start));
++ } while (running && u64_stats_fetch_retry(&b->syncp, start));
+ }
+
+ static int
+diff --git a/net/dsa/slave.c b/net/dsa/slave.c
+index 1291c2431d44..dcc550b87162 100644
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -934,12 +934,12 @@ static void dsa_slave_get_ethtool_stats(struct net_device *dev,
+
+ s = per_cpu_ptr(dev->tstats, i);
+ do {
+- start = u64_stats_fetch_begin_irq(&s->syncp);
++ start = u64_stats_fetch_begin(&s->syncp);
+ tx_packets = u64_stats_read(&s->tx_packets);
+ tx_bytes = u64_stats_read(&s->tx_bytes);
+ rx_packets = u64_stats_read(&s->rx_packets);
+ rx_bytes = u64_stats_read(&s->rx_bytes);
+- } while (u64_stats_fetch_retry_irq(&s->syncp, start));
++ } while (u64_stats_fetch_retry(&s->syncp, start));
+ data[0] += tx_packets;
+ data[1] += tx_bytes;
+ data[2] += rx_packets;
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 4c8782df8eef..31f463f46f6e 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1686,9 +1686,9 @@ u64 snmp_get_cpu_field64(void __percpu *mib, int cpu, int offt,
+ bhptr = per_cpu_ptr(mib, cpu);
+ syncp = (struct u64_stats_sync *)(bhptr + syncp_offset);
+ do {
+- start = u64_stats_fetch_begin_irq(syncp);
++ start = u64_stats_fetch_begin(syncp);
+ v = *(((u64 *)bhptr) + offt);
+- } while (u64_stats_fetch_retry_irq(syncp, start));
++ } while (u64_stats_fetch_retry(syncp, start));
+
+ return v;
+ }
+diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
+index b7de5e46fdd8..f84da849819c 100644
+--- a/net/ipv6/seg6_local.c
++++ b/net/ipv6/seg6_local.c
+@@ -1508,13 +1508,13 @@ static int put_nla_counters(struct sk_buff *skb, struct seg6_local_lwt *slwt)
+
+ pcounters = per_cpu_ptr(slwt->pcpu_counters, i);
+ do {
+- start = u64_stats_fetch_begin_irq(&pcounters->syncp);
++ start = u64_stats_fetch_begin(&pcounters->syncp);
+
+ packets = u64_stats_read(&pcounters->packets);
+ bytes = u64_stats_read(&pcounters->bytes);
+ errors = u64_stats_read(&pcounters->errors);
+
+- } while (u64_stats_fetch_retry_irq(&pcounters->syncp, start));
++ } while (u64_stats_fetch_retry(&pcounters->syncp, start));
+
+ counters.packets += packets;
+ counters.bytes += bytes;
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index 9d7b238a6737..965b9cb2ef3f 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -2316,9 +2316,9 @@ static inline u64 sta_get_tidstats_msdu(struct ieee80211_sta_rx_stats *rxstats,
+ u64 value;
+
+ do {
+- start = u64_stats_fetch_begin_irq(&rxstats->syncp);
++ start = u64_stats_fetch_begin(&rxstats->syncp);
+ value = rxstats->msdu[tid];
+- } while (u64_stats_fetch_retry_irq(&rxstats->syncp, start));
++ } while (u64_stats_fetch_retry(&rxstats->syncp, start));
+
+ return value;
+ }
+@@ -2384,9 +2384,9 @@ static inline u64 sta_get_stats_bytes(struct ieee80211_sta_rx_stats *rxstats)
+ u64 value;
+
+ do {
+- start = u64_stats_fetch_begin_irq(&rxstats->syncp);
++ start = u64_stats_fetch_begin(&rxstats->syncp);
+ value = rxstats->bytes;
+- } while (u64_stats_fetch_retry_irq(&rxstats->syncp, start));
++ } while (u64_stats_fetch_retry(&rxstats->syncp, start));
+
+ return value;
+ }
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
+index b52afe316dc4..35b5f806fdda 100644
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -1079,9 +1079,9 @@ static void mpls_get_stats(struct mpls_dev *mdev,
+
+ p = per_cpu_ptr(mdev->stats, i);
+ do {
+- start = u64_stats_fetch_begin_irq(&p->syncp);
++ start = u64_stats_fetch_begin(&p->syncp);
+ local = p->stats;
+- } while (u64_stats_fetch_retry_irq(&p->syncp, start));
++ } while (u64_stats_fetch_retry(&p->syncp, start));
+
+ stats->rx_packets += local.rx_packets;
+ stats->rx_bytes += local.rx_bytes;
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index efab2b06d373..5a7349002508 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2296,13 +2296,13 @@ static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
+ u64 conns, inpkts, outpkts, inbytes, outbytes;
+
+ do {
+- start = u64_stats_fetch_begin_irq(&u->syncp);
++ start = u64_stats_fetch_begin(&u->syncp);
+ conns = u->cnt.conns;
+ inpkts = u->cnt.inpkts;
+ outpkts = u->cnt.outpkts;
+ inbytes = u->cnt.inbytes;
+ outbytes = u->cnt.outbytes;
+- } while (u64_stats_fetch_retry_irq(&u->syncp, start));
++ } while (u64_stats_fetch_retry(&u->syncp, start));
+
+ seq_printf(seq, "%3X %8LX %8LX %8LX %16LX %16LX\n",
+ i, (u64)conns, (u64)inpkts,
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0a6f3c1e9ab7..7977f0422ecf 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1534,10 +1534,10 @@ static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
+ for_each_possible_cpu(cpu) {
+ cpu_stats = per_cpu_ptr(stats, cpu);
+ do {
+- seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
++ seq = u64_stats_fetch_begin(&cpu_stats->syncp);
+ pkts = cpu_stats->pkts;
+ bytes = cpu_stats->bytes;
+- } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
++ } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
+ total.pkts += pkts;
+ total.bytes += bytes;
+ }
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index 8a22574ed7ad..ae7d4d03790c 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -715,9 +715,9 @@ static void get_dp_stats(const struct datapath *dp, struct ovs_dp_stats *stats,
+ percpu_stats = per_cpu_ptr(dp->stats_percpu, i);
+
+ do {
+- start = u64_stats_fetch_begin_irq(&percpu_stats->syncp);
++ start = u64_stats_fetch_begin(&percpu_stats->syncp);
+ local_stats = *percpu_stats;
+- } while (u64_stats_fetch_retry_irq(&percpu_stats->syncp, start));
++ } while (u64_stats_fetch_retry(&percpu_stats->syncp, start));
+
+ stats->n_hit += local_stats.n_hit;
+ stats->n_missed += local_stats.n_missed;
+diff --git a/net/openvswitch/flow_table.c b/net/openvswitch/flow_table.c
+index d4a2db0b2299..0a0e4c283f02 100644
+--- a/net/openvswitch/flow_table.c
++++ b/net/openvswitch/flow_table.c
+@@ -205,9 +205,9 @@ static void tbl_mask_array_reset_counters(struct mask_array *ma)
+
+ stats = per_cpu_ptr(ma->masks_usage_stats, cpu);
+ do {
+- start = u64_stats_fetch_begin_irq(&stats->syncp);
++ start = u64_stats_fetch_begin(&stats->syncp);
+ counter = stats->usage_cntrs[i];
+- } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
++ } while (u64_stats_fetch_retry(&stats->syncp, start));
+
+ ma->masks_usage_zero_cntr[i] += counter;
+ }
+@@ -1136,10 +1136,9 @@ void ovs_flow_masks_rebalance(struct flow_table *table)
+
+ stats = per_cpu_ptr(ma->masks_usage_stats, cpu);
+ do {
+- start = u64_stats_fetch_begin_irq(&stats->syncp);
++ start = u64_stats_fetch_begin(&stats->syncp);
+ counter = stats->usage_cntrs[i];
+- } while (u64_stats_fetch_retry_irq(&stats->syncp,
+- start));
++ } while (u64_stats_fetch_retry(&stats->syncp, start));
+
+ masks_and_count[i].counter += counter;
+ }
+--
+2.35.1
+
--- /dev/null
+From ff46a8c42f1796fb54f37f16060a9f662f669fc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 10:25:06 -0800
+Subject: net: Return errno in sk->sk_prot->get_port().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 7a7160edf1bfde25422262fb26851cef65f695d3 ]
+
+We assume the correct errno is -EADDRINUSE when sk->sk_prot->get_port()
+fails, so some ->get_port() functions return just 1 on failure and the
+callers return -EADDRINUSE instead.
+
+However, mptcp_get_port() can return -EINVAL. Let's not ignore the error.
+
+Note the only exception is inet_autobind(), all of whose callers return
+-EAGAIN instead.
+
+Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/af_inet.c | 4 ++--
+ net/ipv4/inet_connection_sock.c | 5 +++--
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/udp.c | 2 +-
+ net/ipv6/af_inet6.c | 4 ++--
+ 5 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 7f6d7c355e38..4c8782df8eef 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -522,9 +522,9 @@ int __inet_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
+ /* Make sure we are allowed to bind here. */
+ if (snum || !(inet->bind_address_no_port ||
+ (flags & BIND_FORCE_ADDRESS_NO_PORT))) {
+- if (sk->sk_prot->get_port(sk, snum)) {
++ err = sk->sk_prot->get_port(sk, snum);
++ if (err) {
+ inet->inet_saddr = inet->inet_rcv_saddr = 0;
+- err = -EADDRINUSE;
+ goto out_release_sock;
+ }
+ if (!(flags & BIND_FROM_BPF)) {
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index eb31c7158b39..971969cc7e17 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -1041,7 +1041,7 @@ int inet_csk_listen_start(struct sock *sk)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
+- int err = -EADDRINUSE;
++ int err;
+
+ reqsk_queue_alloc(&icsk->icsk_accept_queue);
+
+@@ -1057,7 +1057,8 @@ int inet_csk_listen_start(struct sock *sk)
+ * after validation is complete.
+ */
+ inet_sk_state_store(sk, TCP_LISTEN);
+- if (!sk->sk_prot->get_port(sk, inet->inet_num)) {
++ err = sk->sk_prot->get_port(sk, inet->inet_num);
++ if (!err) {
+ inet->inet_sport = htons(inet->inet_num);
+
+ sk_dst_reset(sk);
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 3b2420829c23..948f4801f993 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -142,7 +142,7 @@ int ping_get_port(struct sock *sk, unsigned short ident)
+
+ fail:
+ spin_unlock(&ping_table.lock);
+- return 1;
++ return -EADDRINUSE;
+ }
+ EXPORT_SYMBOL_GPL(ping_get_port);
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index c04a26339bd1..7fe0ba3f0933 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -235,7 +235,7 @@ int udp_lib_get_port(struct sock *sk, unsigned short snum,
+ struct udp_table *udptable = sk->sk_prot->h.udp_table;
+ struct udp_hslot *hslot, *hslot2;
+ struct net *net = sock_net(sk);
+- int error = 1;
++ int error = -EADDRINUSE;
+
+ if (!snum) {
+ DECLARE_BITMAP(bitmap, PORTS_PER_CHAIN);
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index dbb1430d6cc2..cceda5c83302 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -403,10 +403,10 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
+ /* Make sure we are allowed to bind here. */
+ if (snum || !(inet->bind_address_no_port ||
+ (flags & BIND_FORCE_ADDRESS_NO_PORT))) {
+- if (sk->sk_prot->get_port(sk, snum)) {
++ err = sk->sk_prot->get_port(sk, snum);
++ if (err) {
+ sk->sk_ipv6only = saved_ipv6only;
+ inet_reset_saddr(sk);
+- err = -EADDRINUSE;
+ goto out;
+ }
+ if (!(flags & BIND_FROM_BPF)) {
+--
+2.35.1
+
--- /dev/null
+From 54ade678fd7b5bc4604e848d82866a684065fd52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 15:54:46 +0100
+Subject: net: setsockopt: fix IPV6_UNICAST_IF option for connected sockets
+
+From: Richard Gobert <richardbgobert@gmail.com>
+
+[ Upstream commit 526682b458b1b56d2e0db027df535cb5cdcfde59 ]
+
+Change the behaviour of ip6_datagram_connect to consider the interface
+set by the IPV6_UNICAST_IF socket option, similarly to udpv6_sendmsg.
+
+This change is the IPv6 counterpart of the fix for IP_UNICAST_IF.
+The tests introduced by that patch showed that the incorrect
+behavior is present in IPv6 as well.
+This patch fixes the broken test.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Link: https://lore.kernel.org/r/202210062117.c7eef1a3-oliver.sang@intel.com
+Fixes: 0e4d354762ce ("net-next: Fix IP_UNICAST_IF option behavior for connected sockets")
+
+Signed-off-by: Richard Gobert <richardbgobert@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/datagram.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index 5ecb56522f9d..ba28aeb7cade 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -42,24 +42,29 @@ static void ip6_datagram_flow_key_init(struct flowi6 *fl6, struct sock *sk)
+ {
+ struct inet_sock *inet = inet_sk(sk);
+ struct ipv6_pinfo *np = inet6_sk(sk);
++ int oif = sk->sk_bound_dev_if;
+
+ memset(fl6, 0, sizeof(*fl6));
+ fl6->flowi6_proto = sk->sk_protocol;
+ fl6->daddr = sk->sk_v6_daddr;
+ fl6->saddr = np->saddr;
+- fl6->flowi6_oif = sk->sk_bound_dev_if;
+ fl6->flowi6_mark = sk->sk_mark;
+ fl6->fl6_dport = inet->inet_dport;
+ fl6->fl6_sport = inet->inet_sport;
+ fl6->flowlabel = np->flow_label;
+ fl6->flowi6_uid = sk->sk_uid;
+
+- if (!fl6->flowi6_oif)
+- fl6->flowi6_oif = np->sticky_pktinfo.ipi6_ifindex;
++ if (!oif)
++ oif = np->sticky_pktinfo.ipi6_ifindex;
+
+- if (!fl6->flowi6_oif && ipv6_addr_is_multicast(&fl6->daddr))
+- fl6->flowi6_oif = np->mcast_oif;
++ if (!oif) {
++ if (ipv6_addr_is_multicast(&fl6->daddr))
++ oif = np->mcast_oif;
++ else
++ oif = np->ucast_oif;
++ }
+
++ fl6->flowi6_oif = oif;
+ security_sk_classify_flow(sk, flowi6_to_flowi_common(fl6));
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 1e4f02a03bc339e005caa6f5914ba96ada3fcdd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 16:34:13 +0800
+Subject: net: stmmac: fix possible memory leak in stmmac_dvr_probe()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit a137f3f27f9290933fe7e40e6dc8a445781c31a2 ]
+
+The bitmap_free() should be called to free priv->af_xdp_zc_qps
+when create_singlethread_workqueue() fails, otherwise there will
+be a memory leak, so we add the err path error_wq_init to fix it.
+
+Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 0f080bfe8b17..40bf30de8402 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -7115,7 +7115,7 @@ int stmmac_dvr_probe(struct device *device,
+ priv->wq = create_singlethread_workqueue("stmmac_wq");
+ if (!priv->wq) {
+ dev_err(priv->device, "failed to create workqueue\n");
+- return -ENOMEM;
++ goto error_wq_init;
+ }
+
+ INIT_WORK(&priv->service_task, stmmac_service_task);
+@@ -7343,6 +7343,7 @@ int stmmac_dvr_probe(struct device *device,
+ stmmac_napi_del(ndev);
+ error_hw_init:
+ destroy_workqueue(priv->wq);
++error_wq_init:
+ bitmap_free(priv->af_xdp_zc_qps);
+
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 4713c61676045f0ce7a7335e000b1066257dea7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 16:31:59 +0800
+Subject: net: stmmac: selftests: fix potential memleak in
+ stmmac_test_arpoffload()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit f150b63f3fa5fdd81e0dd6151e8850268e29438c ]
+
+The skb allocated by stmmac_test_get_arp_skb() hasn't been released in
+some error handling case, which will lead to a memory leak. Fix this up
+by adding kfree_skb() to release skb.
+
+Compile tested only.
+
+Fixes: 5e3fb0a6e2b3 ("net: stmmac: selftests: Implement the ARP Offload test")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
+index 49af7e78b7f5..687f43cd466c 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
+@@ -1654,12 +1654,16 @@ static int stmmac_test_arpoffload(struct stmmac_priv *priv)
+ }
+
+ ret = stmmac_set_arp_offload(priv, priv->hw, true, ip_addr);
+- if (ret)
++ if (ret) {
++ kfree_skb(skb);
+ goto cleanup;
++ }
+
+ ret = dev_set_promiscuity(priv->dev, 1);
+- if (ret)
++ if (ret) {
++ kfree_skb(skb);
+ goto cleanup;
++ }
+
+ ret = dev_direct_xmit(skb, 0);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 61dbac6c61d2bba7898893a6769c6c8553913c12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Dec 2022 16:29:17 +0000
+Subject: net: stream: purge sk_error_queue in sk_stream_kill_queues()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 ]
+
+Changheon Lee reported TCP socket leaks, with a nice repro.
+
+It seems we leak TCP sockets with the following sequence:
+
+1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket.
+
+ Each ACK will cook an skb put in error queue, from __skb_tstamp_tx().
+ __skb_tstamp_tx() is using skb_clone(), unless
+ SOF_TIMESTAMPING_OPT_TSONLY was also requested.
+
+2) If the application is also using MSG_ZEROCOPY, then we put in the
+ error queue cloned skbs that had a struct ubuf_info attached to them.
+
+ Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc()
+ does a sock_hold().
+
+ As long as the cloned skbs are still in sk_error_queue,
+ socket refcount is kept elevated.
+
+3) Application closes the socket, while error queue is not empty.
+
+Since tcp_close() no longer purges the socket error queue,
+we might end up with a TCP socket with at least one skb in
+error queue keeping the socket alive forever.
+
+This bug can be (ab)used to consume all kernel memory
+and freeze the host.
+
+We need to purge the error queue, with proper synchronization
+against concurrent writers.
+
+Fixes: 24bcbe1cc69f ("net: stream: don't purge sk_error_queue in sk_stream_kill_queues()")
+Reported-by: Changheon Lee <darklight2357@icloud.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/stream.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/core/stream.c b/net/core/stream.c
+index 1105057ce00a..2d03810841cb 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -196,6 +196,12 @@ void sk_stream_kill_queues(struct sock *sk)
+ /* First the read buffer. */
+ __skb_queue_purge(&sk->sk_receive_queue);
+
++ /* Next, the error queue.
++ * We need to use queue lock, because other threads might
++ * add packets to the queue without socket lock being held.
++ */
++ skb_queue_purge(&sk->sk_error_queue);
++
+ /* Next, the write queue. */
+ WARN_ON_ONCE(!skb_queue_empty(&sk->sk_write_queue));
+
+--
+2.35.1
+
--- /dev/null
+From f395d1727478b29764f4430b783ece2eb6b23040 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 20:04:52 +0800
+Subject: net/tunnel: wait until all sk_user_data reader finish before
+ releasing the sock
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 3cf7203ca620682165706f70a1b12b5194607dce ]
+
+There is a race condition in vxlan that when deleting a vxlan device
+during receiving packets, there is a possibility that the sock is
+released after getting vxlan_sock vs from sk_user_data. Then in
+later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got
+NULL pointer dereference. e.g.
+
+ #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757
+ #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d
+ #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48
+ #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b
+ #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb
+ #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542
+ #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62
+ [exception RIP: vxlan_ecn_decapsulate+0x3b]
+ RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246
+ RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000
+ RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700
+ RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae
+ R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700
+ R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]
+ #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507
+ #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45
+ #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807
+ #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951
+ #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde
+ #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b
+ #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139
+ #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a
+ #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3
+ #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca
+ #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3
+
+Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh
+
+Fix this by waiting for all sk_user_data reader to finish before
+releasing the sock.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Fixes: 6a93cc905274 ("udp-tunnel: Add a few more UDP tunnel APIs")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp_tunnel_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/udp_tunnel_core.c b/net/ipv4/udp_tunnel_core.c
+index 8242c8947340..5f8104cf082d 100644
+--- a/net/ipv4/udp_tunnel_core.c
++++ b/net/ipv4/udp_tunnel_core.c
+@@ -176,6 +176,7 @@ EXPORT_SYMBOL_GPL(udp_tunnel_xmit_skb);
+ void udp_tunnel_sock_release(struct socket *sock)
+ {
+ rcu_assign_sk_user_data(sock->sk, NULL);
++ synchronize_rcu();
+ kernel_sock_shutdown(sock, SHUT_RDWR);
+ sock_release(sock);
+ }
+--
+2.35.1
+
--- /dev/null
+From d5d7d4c0494d146a1ab2a0f3a70a5360bfafbf1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 09:58:34 +0300
+Subject: net: vmw_vsock: vmci: Check memcpy_from_msg()
+
+From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+
+[ Upstream commit 44aa5a6dba8283bfda28b1517af4de711c5652a4 ]
+
+vmci_transport_dgram_enqueue() does not check the return value
+of memcpy_from_msg(). If memcpy_from_msg() fails, it is possible that
+uninitialized memory contents are sent unintentionally instead of user's
+message in the datagram to the destination. Return with an error if
+memcpy_from_msg() fails.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
+Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/vmci_transport.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
+index b14f0ed7427b..a794e8b01136 100644
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -1711,7 +1711,11 @@ static int vmci_transport_dgram_enqueue(
+ if (!dg)
+ return -ENOMEM;
+
+- memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
++ err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
++ if (err) {
++ kfree(dg);
++ return err;
++ }
+
+ dg->dst = vmci_make_handle(remote_addr->svm_cid,
+ remote_addr->svm_port);
+--
+2.35.1
+
--- /dev/null
+From 66245188947393daeac408ee77b21c336a06ea6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Dec 2022 14:17:07 -0800
+Subject: net_sched: reject TCF_EM_SIMPLE case for complex ematch module
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit 9cd3fd2054c3b3055163accbf2f31a4426f10317 ]
+
+When TCF_EM_SIMPLE was introduced, it is supposed to be convenient
+for ematch implementation:
+
+https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/
+
+"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE
+set will simply result in allocating & copy. It's an optimization,
+nothing more."
+
+So if an ematch module provides ops->datalen that means it wants a
+complex data structure (saved in its em->data) instead of a simple u32
+value. We should simply reject such a combination, otherwise this u32
+could be misinterpreted as a pointer.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com
+Reported-by: Jun Nie <jun.nie@linaro.org>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/ematch.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sched/ematch.c b/net/sched/ematch.c
+index 4ce681361851..5c1235e6076a 100644
+--- a/net/sched/ematch.c
++++ b/net/sched/ematch.c
+@@ -255,6 +255,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
+ * the value carried.
+ */
+ if (em_hdr->flags & TCF_EM_SIMPLE) {
++ if (em->ops->datalen > 0)
++ goto errout;
+ if (data_len < sizeof(u32))
+ goto errout;
+ em->data = *(u32 *) data;
+--
+2.35.1
+
--- /dev/null
+From be184a5ebd46257e147f497c9dbacfd09dc4f275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 16:00:09 +0100
+Subject: netfilter: conntrack: set icmpv6 redirects as RELATED
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 7d7cfb48d81353e826493d24c7cec7360950968f ]
+
+icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not
+do this.
+
+For icmpv6, only icmp errors (code <= 128) are examined for RELATED state.
+ICMPV6 Redirects are part of neighbour discovery mechanism, those are
+handled by marking a selected subset (e.g. neighbour solicitations) as
+UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID.
+
+Add minimal support for REDIRECTs. No parsing of neighbour options is
+added for simplicity, so this will only check that we have the embeeded
+original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow
+lookup for this tuple.
+
+Also extend the existing test case to cover redirects.
+
+Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
+Reported-by: Eric Garver <eric@garver.life>
+Link: https://github.com/firewalld/firewalld/issues/1046
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Eric Garver <eric@garver.life>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto_icmpv6.c | 53 +++++++++++++++++++
+ .../netfilter/conntrack_icmp_related.sh | 36 ++++++++++++-
+ 2 files changed, 87 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
+index 61e3b05cf02c..1020d67600a9 100644
+--- a/net/netfilter/nf_conntrack_proto_icmpv6.c
++++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
+@@ -129,6 +129,56 @@ static void icmpv6_error_log(const struct sk_buff *skb,
+ nf_l4proto_log_invalid(skb, state, IPPROTO_ICMPV6, "%s", msg);
+ }
+
++static noinline_for_stack int
++nf_conntrack_icmpv6_redirect(struct nf_conn *tmpl, struct sk_buff *skb,
++ unsigned int dataoff,
++ const struct nf_hook_state *state)
++{
++ u8 hl = ipv6_hdr(skb)->hop_limit;
++ union nf_inet_addr outer_daddr;
++ union {
++ struct nd_opt_hdr nd_opt;
++ struct rd_msg rd_msg;
++ } tmp;
++ const struct nd_opt_hdr *nd_opt;
++ const struct rd_msg *rd_msg;
++
++ rd_msg = skb_header_pointer(skb, dataoff, sizeof(*rd_msg), &tmp.rd_msg);
++ if (!rd_msg) {
++ icmpv6_error_log(skb, state, "short redirect");
++ return -NF_ACCEPT;
++ }
++
++ if (rd_msg->icmph.icmp6_code != 0)
++ return NF_ACCEPT;
++
++ if (hl != 255 || !(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
++ icmpv6_error_log(skb, state, "invalid saddr or hoplimit for redirect");
++ return -NF_ACCEPT;
++ }
++
++ dataoff += sizeof(*rd_msg);
++
++ /* warning: rd_msg no longer usable after this call */
++ nd_opt = skb_header_pointer(skb, dataoff, sizeof(*nd_opt), &tmp.nd_opt);
++ if (!nd_opt || nd_opt->nd_opt_len == 0) {
++ icmpv6_error_log(skb, state, "redirect without options");
++ return -NF_ACCEPT;
++ }
++
++ /* We could call ndisc_parse_options(), but it would need
++ * skb_linearize() and a bit more work.
++ */
++ if (nd_opt->nd_opt_type != ND_OPT_REDIRECT_HDR)
++ return NF_ACCEPT;
++
++ memcpy(&outer_daddr.ip6, &ipv6_hdr(skb)->daddr,
++ sizeof(outer_daddr.ip6));
++ dataoff += 8;
++ return nf_conntrack_inet_error(tmpl, skb, dataoff, state,
++ IPPROTO_ICMPV6, &outer_daddr);
++}
++
+ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
+ struct sk_buff *skb,
+ unsigned int dataoff,
+@@ -159,6 +209,9 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
+ return NF_ACCEPT;
+ }
+
++ if (icmp6h->icmp6_type == NDISC_REDIRECT)
++ return nf_conntrack_icmpv6_redirect(tmpl, skb, dataoff, state);
++
+ /* is not error message ? */
+ if (icmp6h->icmp6_type >= 128)
+ return NF_ACCEPT;
+diff --git a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
+index b48e1833bc89..76645aaf2b58 100755
+--- a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
++++ b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
+@@ -35,6 +35,8 @@ cleanup() {
+ for i in 1 2;do ip netns del nsrouter$i;done
+ }
+
++trap cleanup EXIT
++
+ ipv4() {
+ echo -n 192.168.$1.2
+ }
+@@ -146,11 +148,17 @@ ip netns exec nsclient1 nft -f - <<EOF
+ table inet filter {
+ counter unknown { }
+ counter related { }
++ counter redir4 { }
++ counter redir6 { }
+ chain input {
+ type filter hook input priority 0; policy accept;
+- meta l4proto { icmp, icmpv6 } ct state established,untracked accept
+
++ icmp type "redirect" ct state "related" counter name "redir4" accept
++ icmpv6 type "nd-redirect" ct state "related" counter name "redir6" accept
++
++ meta l4proto { icmp, icmpv6 } ct state established,untracked accept
+ meta l4proto { icmp, icmpv6 } ct state "related" counter name "related" accept
++
+ counter name "unknown" drop
+ }
+ }
+@@ -279,5 +287,29 @@ else
+ echo "ERROR: icmp error RELATED state test has failed"
+ fi
+
+-cleanup
++# add 'bad' route, expect icmp REDIRECT to be generated
++ip netns exec nsclient1 ip route add 192.168.1.42 via 192.168.1.1
++ip netns exec nsclient1 ip route add dead:1::42 via dead:1::1
++
++ip netns exec "nsclient1" ping -q -c 2 192.168.1.42 > /dev/null
++
++expect="packets 1 bytes 112"
++check_counter nsclient1 "redir4" "$expect"
++if [ $? -ne 0 ];then
++ ret=1
++fi
++
++ip netns exec "nsclient1" ping -c 1 dead:1::42 > /dev/null
++expect="packets 1 bytes 192"
++check_counter nsclient1 "redir6" "$expect"
++if [ $? -ne 0 ];then
++ ret=1
++fi
++
++if [ $ret -eq 0 ];then
++ echo "PASS: icmp redirects had RELATED state"
++else
++ echo "ERROR: icmp redirect RELATED state test has failed"
++fi
++
+ exit $ret
+--
+2.35.1
+
--- /dev/null
+From 86455596c0f0ec085509822a996392ba511e38f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 20:35:29 +0800
+Subject: netfilter: flowtable: really fix NAT IPv6 offload
+
+From: Qingfang DENG <dqfext@gmail.com>
+
+[ Upstream commit 5fb45f95eec682621748b7cb012c6a8f0f981e6a ]
+
+The for-loop was broken from the start. It translates to:
+
+ for (i = 0; i < 4; i += 4)
+
+which means the loop statement is run only once, so only the highest
+32-bit of the IPv6 address gets mangled.
+
+Fix the loop increment.
+
+Fixes: 0e07e25b481a ("netfilter: flowtable: fix NAT IPv6 offload mangling")
+Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support")
+Signed-off-by: Qingfang DENG <dqfext@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_flow_table_offload.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
+index 0fdcdb2c9ae4..4d9b99abe37d 100644
+--- a/net/netfilter/nf_flow_table_offload.c
++++ b/net/netfilter/nf_flow_table_offload.c
+@@ -383,12 +383,12 @@ static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule,
+ const __be32 *addr, const __be32 *mask)
+ {
+ struct flow_action_entry *entry;
+- int i, j;
++ int i;
+
+- for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) {
++ for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i++) {
+ entry = flow_action_entry_next(flow_rule);
+ flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6,
+- offset + i, &addr[j], mask);
++ offset + i * sizeof(u32), &addr[i], mask);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 8af9b425b7315978cf34bed0841c6643e92d1bd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 10:51:39 +0900
+Subject: nfc: pn533: Clear nfc_target before being used
+
+From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
+
+[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ]
+
+Fix a slab-out-of-bounds read that occurs in nla_put() called from
+nfc_genl_send_target() when target->sensb_res_len, which is duplicated
+from an nfc_target in pn533, is too large as the nfc_target is not
+properly initialized and retains garbage values. Clear nfc_targets with
+memset() before they are used.
+
+Found by a modified version of syzkaller.
+
+BUG: KASAN: slab-out-of-bounds in nla_put
+Call Trace:
+ memcpy
+ nla_put
+ nfc_genl_dump_targets
+ genl_lock_dumpit
+ netlink_dump
+ __netlink_dump_start
+ genl_family_rcv_msg_dumpit
+ genl_rcv_msg
+ netlink_rcv_skb
+ genl_rcv
+ netlink_unicast
+ netlink_sendmsg
+ sock_sendmsg
+ ____sys_sendmsg
+ ___sys_sendmsg
+ __sys_sendmsg
+ do_syscall_64
+
+Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
+Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
+Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/pn533/pn533.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
+index d9f6367b9993..f0cac1900552 100644
+--- a/drivers/nfc/pn533/pn533.c
++++ b/drivers/nfc/pn533/pn533.c
+@@ -1295,6 +1295,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
+ if (IS_ERR(resp))
+ return PTR_ERR(resp);
+
++ memset(&nfc_target, 0, sizeof(struct nfc_target));
++
+ rsp = (struct pn533_cmd_jump_dep_response *)resp->data;
+
+ rc = rsp->status & PN533_CMD_RET_MASK;
+@@ -1926,6 +1928,8 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
+
+ dev_dbg(dev->dev, "Creating new target\n");
+
++ memset(&nfc_target, 0, sizeof(struct nfc_target));
++
+ nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK;
+ nfc_target.nfcid1_len = 10;
+ memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);
+--
+2.35.1
+
--- /dev/null
+From f3805ae8ac3b5bcc01c426f8c5f9adb3bfdc623a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 15:30:47 -0500
+Subject: NFS: Allow very small rsize & wsize again
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+[ Upstream commit a60214c2465493aac0b014d87ee19327b6204c42 ]
+
+940261a19508 introduced nfs_io_size() to clamp the iosize to a multiple
+of PAGE_SIZE. This had the unintended side effect of no longer allowing
+iosizes less than a page, which could be useful in some situations.
+
+UDP already has an exception that causes it to fall back on the
+power-of-two style sizes instead. This patch adds an additional
+exception for very small iosizes.
+
+Reported-by: Jeff Layton <jlayton@kernel.org>
+Fixes: 940261a19508 ("NFS: Allow setting rsize / wsize to a multiple of PAGE_SIZE")
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/internal.h | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
+index 898dd95bc7a7..c194a1e50f0b 100644
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -741,12 +741,10 @@ unsigned long nfs_io_size(unsigned long iosize, enum xprt_transports proto)
+ iosize = NFS_DEF_FILE_IO_SIZE;
+ else if (iosize >= NFS_MAX_FILE_IO_SIZE)
+ iosize = NFS_MAX_FILE_IO_SIZE;
+- else
+- iosize = iosize & PAGE_MASK;
+
+- if (proto == XPRT_TRANSPORT_UDP)
++ if (proto == XPRT_TRANSPORT_UDP || iosize < PAGE_SIZE)
+ return nfs_block_bits(iosize, NULL);
+- return iosize;
++ return iosize & PAGE_MASK;
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 7ddc58a95a3440dc7855e1c6e5c265fa1c5cb13f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 17:30:39 -0500
+Subject: NFS: Fix an Oops in nfs_d_automount()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 35e3b6ae84935d0d7ff76cbdaa83411b0ad5e471 ]
+
+When mounting from a NFSv4 referral, path->dentry can end up being a
+negative dentry, so derive the struct nfs_server from the dentry
+itself instead.
+
+Fixes: 2b0143b5c986 ("VFS: normal filesystems (and lustre): d_inode() annotations")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
+index 3295af4110f1..c7363d9e11bf 100644
+--- a/fs/nfs/namespace.c
++++ b/fs/nfs/namespace.c
+@@ -147,7 +147,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
+ struct nfs_fs_context *ctx;
+ struct fs_context *fc;
+ struct vfsmount *mnt = ERR_PTR(-ENOMEM);
+- struct nfs_server *server = NFS_SERVER(d_inode(path->dentry));
++ struct nfs_server *server = NFS_SB(path->dentry->d_sb);
+ struct nfs_client *client = server->nfs_client;
+ int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout);
+ int ret;
+--
+2.35.1
+
--- /dev/null
+From a90182232e9778cb586a38d4d2b02be2c0722b4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 00:39:45 +0800
+Subject: nfs: fix possible null-ptr-deref when parsing param
+
+From: Hawkins Jiawei <yin31149@gmail.com>
+
+[ Upstream commit 5559405df652008e56eee88872126fe4c451da67 ]
+
+According to commit "vfs: parse: deal with zero length string value",
+kernel will set the param->string to null pointer in vfs_parse_fs_string()
+if fs string has zero length.
+
+Yet the problem is that, nfs_fs_context_parse_param() will dereferences the
+param->string, without checking whether it is a null pointer, which may
+trigger a null-ptr-deref bug.
+
+This patch solves it by adding sanity check on param->string
+in nfs_fs_context_parse_param().
+
+Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/fs_context.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c
+index 4da701fd1424..0c330bc13ef2 100644
+--- a/fs/nfs/fs_context.c
++++ b/fs/nfs/fs_context.c
+@@ -684,6 +684,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc,
+ return ret;
+ break;
+ case Opt_vers:
++ if (!param->string)
++ goto out_invalid_value;
+ trace_nfs_mount_assign(param->key, param->string);
+ ret = nfs_parse_version_string(fc, param->string);
+ if (ret < 0)
+@@ -696,6 +698,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc,
+ break;
+
+ case Opt_proto:
++ if (!param->string)
++ goto out_invalid_value;
+ trace_nfs_mount_assign(param->key, param->string);
+ protofamily = AF_INET;
+ switch (lookup_constant(nfs_xprt_protocol_tokens, param->string, -1)) {
+@@ -732,6 +736,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc,
+ break;
+
+ case Opt_mountproto:
++ if (!param->string)
++ goto out_invalid_value;
+ trace_nfs_mount_assign(param->key, param->string);
+ mountfamily = AF_INET;
+ switch (lookup_constant(nfs_xprt_protocol_tokens, param->string, -1)) {
+--
+2.35.1
+
--- /dev/null
+From 7f2498945494fa8ffa8b6dd6def4ab3aa1d8ec1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 08:13:53 -0400
+Subject: nfsd: don't call nfsd_file_put from client states seqfile display
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit e0aa651068bfd520afcd357af8ecd2de005fc83d ]
+
+We had a report of this:
+
+ BUG: sleeping function called from invalid context at fs/nfsd/filecache.c:440
+
+...with a stack trace showing nfsd_file_put being called from
+nfs4_show_open. This code has always tried to call fput while holding a
+spinlock, but we recently changed this to use the filecache, and that
+started triggering the might_sleep() in nfsd_file_put.
+
+states_start takes and holds the cl_lock while iterating over the
+client's states, and we can't sleep with that held.
+
+Have the various nfs4_show_* functions instead hold the fi_lock instead
+of taking a nfsd_file reference.
+
+Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens")
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2138357
+Reported-by: Zhi Li <yieli@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 51 +++++++++++++++++++++++++++++----------------
+ 1 file changed, 33 insertions(+), 18 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index ddb2bf078fda..94420fad4c41 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -664,15 +664,26 @@ find_any_file(struct nfs4_file *f)
+ return ret;
+ }
+
+-static struct nfsd_file *find_deleg_file(struct nfs4_file *f)
++static struct nfsd_file *find_any_file_locked(struct nfs4_file *f)
+ {
+- struct nfsd_file *ret = NULL;
++ lockdep_assert_held(&f->fi_lock);
++
++ if (f->fi_fds[O_RDWR])
++ return f->fi_fds[O_RDWR];
++ if (f->fi_fds[O_WRONLY])
++ return f->fi_fds[O_WRONLY];
++ if (f->fi_fds[O_RDONLY])
++ return f->fi_fds[O_RDONLY];
++ return NULL;
++}
++
++static struct nfsd_file *find_deleg_file_locked(struct nfs4_file *f)
++{
++ lockdep_assert_held(&f->fi_lock);
+
+- spin_lock(&f->fi_lock);
+ if (f->fi_deleg_file)
+- ret = nfsd_file_get(f->fi_deleg_file);
+- spin_unlock(&f->fi_lock);
+- return ret;
++ return f->fi_deleg_file;
++ return NULL;
+ }
+
+ static atomic_long_t num_delegations;
+@@ -2606,9 +2617,11 @@ static int nfs4_show_open(struct seq_file *s, struct nfs4_stid *st)
+ ols = openlockstateid(st);
+ oo = ols->st_stateowner;
+ nf = st->sc_file;
+- file = find_any_file(nf);
++
++ spin_lock(&nf->fi_lock);
++ file = find_any_file_locked(nf);
+ if (!file)
+- return 0;
++ goto out;
+
+ seq_printf(s, "- ");
+ nfs4_show_stateid(s, &st->sc_stateid);
+@@ -2630,8 +2643,8 @@ static int nfs4_show_open(struct seq_file *s, struct nfs4_stid *st)
+ seq_printf(s, ", ");
+ nfs4_show_owner(s, oo);
+ seq_printf(s, " }\n");
+- nfsd_file_put(file);
+-
++out:
++ spin_unlock(&nf->fi_lock);
+ return 0;
+ }
+
+@@ -2645,9 +2658,10 @@ static int nfs4_show_lock(struct seq_file *s, struct nfs4_stid *st)
+ ols = openlockstateid(st);
+ oo = ols->st_stateowner;
+ nf = st->sc_file;
+- file = find_any_file(nf);
++ spin_lock(&nf->fi_lock);
++ file = find_any_file_locked(nf);
+ if (!file)
+- return 0;
++ goto out;
+
+ seq_printf(s, "- ");
+ nfs4_show_stateid(s, &st->sc_stateid);
+@@ -2667,8 +2681,8 @@ static int nfs4_show_lock(struct seq_file *s, struct nfs4_stid *st)
+ seq_printf(s, ", ");
+ nfs4_show_owner(s, oo);
+ seq_printf(s, " }\n");
+- nfsd_file_put(file);
+-
++out:
++ spin_unlock(&nf->fi_lock);
+ return 0;
+ }
+
+@@ -2680,9 +2694,10 @@ static int nfs4_show_deleg(struct seq_file *s, struct nfs4_stid *st)
+
+ ds = delegstateid(st);
+ nf = st->sc_file;
+- file = find_deleg_file(nf);
++ spin_lock(&nf->fi_lock);
++ file = find_deleg_file_locked(nf);
+ if (!file)
+- return 0;
++ goto out;
+
+ seq_printf(s, "- ");
+ nfs4_show_stateid(s, &st->sc_stateid);
+@@ -2698,8 +2713,8 @@ static int nfs4_show_deleg(struct seq_file *s, struct nfs4_stid *st)
+ seq_printf(s, ", ");
+ nfs4_show_fname(s, file);
+ seq_printf(s, " }\n");
+- nfsd_file_put(file);
+-
++out:
++ spin_unlock(&nf->fi_lock);
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 20da791cef46a123550c94e11fcf4d22239d112e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Oct 2022 11:47:02 -0400
+Subject: NFSD: Finish converting the NFSv2 GETACL result encoder
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit ea5021e911d3479346a75ac9b7d9dcd751b0fb99 ]
+
+The xdr_stream conversion inadvertently left some code that set the
+page_len of the send buffer. The XDR stream encoders should handle
+this automatically now.
+
+This oversight adds garbage past the end of the Reply message.
+Clients typically ignore the garbage, but NFSD does not need to send
+it, as it leaks stale memory contents onto the wire.
+
+Fixes: f8cba47344f7 ("NFSD: Update the NFSv2 GETACL result encoder to use struct xdr_stream")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs2acl.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c
+index 9edd3c1a30fb..87f224cd30a8 100644
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -246,7 +246,6 @@ nfsaclsvc_encode_getaclres(struct svc_rqst *rqstp, struct xdr_stream *xdr)
+ struct nfsd3_getaclres *resp = rqstp->rq_resp;
+ struct dentry *dentry = resp->fh.fh_dentry;
+ struct inode *inode;
+- int w;
+
+ if (!svcxdr_encode_stat(xdr, resp->status))
+ return false;
+@@ -260,15 +259,6 @@ nfsaclsvc_encode_getaclres(struct svc_rqst *rqstp, struct xdr_stream *xdr)
+ if (xdr_stream_encode_u32(xdr, resp->mask) < 0)
+ return false;
+
+- rqstp->rq_res.page_len = w = nfsacl_size(
+- (resp->mask & NFS_ACL) ? resp->acl_access : NULL,
+- (resp->mask & NFS_DFACL) ? resp->acl_default : NULL);
+- while (w > 0) {
+- if (!*(rqstp->rq_next_page++))
+- return true;
+- w -= PAGE_SIZE;
+- }
+-
+ if (!nfs_stream_encode_acl(xdr, inode, resp->acl_access,
+ resp->mask & NFS_ACL, 0))
+ return false;
+--
+2.35.1
+
--- /dev/null
+From 2fa7bf1db8c2cda65bbf289d0d2fc4f5e3d04526 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Oct 2022 11:47:08 -0400
+Subject: NFSD: Finish converting the NFSv3 GETACL result encoder
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 841fd0a3cb490eae5dfd262eccb8c8b11d57f8b8 ]
+
+For some reason, the NFSv2 GETACL result encoder was fully converted
+to use the new nfs_stream_encode_acl(), but the NFSv3 equivalent was
+not similarly converted.
+
+Fixes: 20798dfe249a ("NFSD: Update the NFSv3 GETACL result encoder to use struct xdr_stream")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs3acl.c | 30 ++++++------------------------
+ 1 file changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/fs/nfsd/nfs3acl.c b/fs/nfsd/nfs3acl.c
+index 9446c6743664..7c798b5f4ec6 100644
+--- a/fs/nfsd/nfs3acl.c
++++ b/fs/nfsd/nfs3acl.c
+@@ -171,11 +171,7 @@ nfs3svc_encode_getaclres(struct svc_rqst *rqstp, struct xdr_stream *xdr)
+ {
+ struct nfsd3_getaclres *resp = rqstp->rq_resp;
+ struct dentry *dentry = resp->fh.fh_dentry;
+- struct kvec *head = rqstp->rq_res.head;
+ struct inode *inode;
+- unsigned int base;
+- int n;
+- int w;
+
+ if (!svcxdr_encode_nfsstat3(xdr, resp->status))
+ return false;
+@@ -187,26 +183,12 @@ nfs3svc_encode_getaclres(struct svc_rqst *rqstp, struct xdr_stream *xdr)
+ if (xdr_stream_encode_u32(xdr, resp->mask) < 0)
+ return false;
+
+- base = (char *)xdr->p - (char *)head->iov_base;
+-
+- rqstp->rq_res.page_len = w = nfsacl_size(
+- (resp->mask & NFS_ACL) ? resp->acl_access : NULL,
+- (resp->mask & NFS_DFACL) ? resp->acl_default : NULL);
+- while (w > 0) {
+- if (!*(rqstp->rq_next_page++))
+- return false;
+- w -= PAGE_SIZE;
+- }
+-
+- n = nfsacl_encode(&rqstp->rq_res, base, inode,
+- resp->acl_access,
+- resp->mask & NFS_ACL, 0);
+- if (n > 0)
+- n = nfsacl_encode(&rqstp->rq_res, base + n, inode,
+- resp->acl_default,
+- resp->mask & NFS_DFACL,
+- NFS_ACL_DEFAULT);
+- if (n <= 0)
++ if (!nfs_stream_encode_acl(xdr, inode, resp->acl_access,
++ resp->mask & NFS_ACL, 0))
++ return false;
++ if (!nfs_stream_encode_acl(xdr, inode, resp->acl_default,
++ resp->mask & NFS_DFACL,
++ NFS_ACL_DEFAULT))
+ return false;
+ break;
+ default:
+--
+2.35.1
+
--- /dev/null
+From 549bfd0d3a6b77159c2e85bcac3771846227a04b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 10:28:36 -0500
+Subject: NFSD: pass range end to vfs_fsync_range() instead of count
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 79a1d88a36f77374c77fd41a4386d8c2736b8704 ]
+
+_nfsd_copy_file_range() calls vfs_fsync_range() with an offset and
+count (bytes written), but the former wants the start and end bytes
+of the range to sync. Fix it up.
+
+Fixes: eac0b17a77fb ("NFSD add vfs_fsync after async copy is done")
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Tested-by: Dai Ngo <dai.ngo@oracle.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index b71a3c2d9409..cfc2da445658 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1650,6 +1650,7 @@ static ssize_t _nfsd_copy_file_range(struct nfsd4_copy *copy,
+ u64 src_pos = copy->cp_src_pos;
+ u64 dst_pos = copy->cp_dst_pos;
+ int status;
++ loff_t end;
+
+ /* See RFC 7862 p.67: */
+ if (bytes_total == 0)
+@@ -1669,8 +1670,8 @@ static ssize_t _nfsd_copy_file_range(struct nfsd4_copy *copy,
+ /* for a non-zero asynchronous copy do a commit of data */
+ if (nfsd4_copy_is_async(copy) && copy->cp_res.wr_bytes_written > 0) {
+ since = READ_ONCE(dst->f_wb_err);
+- status = vfs_fsync_range(dst, copy->cp_dst_pos,
+- copy->cp_res.wr_bytes_written, 0);
++ end = copy->cp_dst_pos + copy->cp_res.wr_bytes_written - 1;
++ status = vfs_fsync_range(dst, copy->cp_dst_pos, end, 0);
+ if (!status)
+ status = filemap_check_wb_err(dst->f_mapping, since);
+ if (!status)
+--
+2.35.1
+
--- /dev/null
+From d9513b5c13a01372e2ead3283c122de995f65c10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 06:58:41 -0500
+Subject: nfsd: return error if nfs4_setacl fails
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 01d53a88c08951f88f2a42f1f1e6568928e0590e ]
+
+With the addition of POSIX ACLs to struct nfsd_attrs, we no longer
+return an error if setting the ACL fails. Ensure we return the na_aclerr
+error on SETATTR if there is one.
+
+Fixes: c0cbe70742f4 ("NFSD: add posix ACLs to struct nfsd_attrs")
+Cc: Neil Brown <neilb@suse.de>
+Reported-by: Yongcheng Yang <yoyang@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index 6ba25a5b76e1..b71a3c2d9409 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1141,6 +1141,8 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ 0, (time64_t)0);
+ if (!status)
+ status = nfserrno(attrs.na_labelerr);
++ if (!status)
++ status = nfserrno(attrs.na_aclerr);
+ out:
+ nfsd_attrs_free(&attrs);
+ fh_drop_write(&cstate->current_fh);
+--
+2.35.1
+
--- /dev/null
+From aec8f5b0d78194be279e899cedb8334b6762fe33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 13:11:06 +0200
+Subject: nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
+
+From: Dan Aloni <dan.aloni@vastdata.com>
+
+[ Upstream commit 3bc8edc98bd43540dbe648e4ef91f443d6d20a24 ]
+
+On error situation `clp->cl_cb_conn.cb_xprt` should not be given
+a reference to the xprt otherwise both client cleanup and the
+error handling path of the caller call to put it. Better to
+delay handing over the reference to a later branch.
+
+[ 72.530665] refcount_t: underflow; use-after-free.
+[ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120
+[ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]
+[ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1
+[ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014
+[ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]
+[ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120
+[ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48
+[ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286
+[ 72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000
+[ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0
+[ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff
+[ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180
+[ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0
+[ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000
+[ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0
+[ 72.554874] Call Trace:
+[ 72.555278] <TASK>
+[ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc]
+[ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]
+[ 72.557087] ? update_load_avg+0x82/0x610
+[ 72.557652] ? cpuacct_charge+0x60/0x70
+[ 72.558212] ? dequeue_entity+0xdb/0x3e0
+[ 72.558765] ? queued_spin_unlock+0x9/0x20
+[ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd]
+[ 72.560031] process_one_work+0x1df/0x390
+[ 72.560600] worker_thread+0x37/0x3b0
+[ 72.561644] ? process_one_work+0x390/0x390
+[ 72.562247] kthread+0x12f/0x150
+[ 72.562710] ? set_kthread_struct+0x50/0x50
+[ 72.563309] ret_from_fork+0x22/0x30
+[ 72.563818] </TASK>
+[ 72.564189] ---[ end trace 031117b1c72ec616 ]---
+[ 72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).
+[ 72.567647] ------------[ cut here ]------------
+
+Fixes: a4abc6b12eb1 ("nfsd: Fix svc_xprt refcnt leak when setup callback client failed")
+Cc: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Cc: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Dan Aloni <dan.aloni@vastdata.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4callback.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
+index 4ce328209f61..775d38dc00fe 100644
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -916,7 +916,6 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
+ } else {
+ if (!conn->cb_xprt)
+ return -EINVAL;
+- clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
+ clp->cl_cb_session = ses;
+ args.bc_xprt = conn->cb_xprt;
+ args.prognumber = clp->cl_cb_session->se_cb_prog;
+@@ -936,6 +935,9 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
+ rpc_shutdown_client(client);
+ return -ENOMEM;
+ }
++
++ if (clp->cl_minorversion != 0)
++ clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
+ clp->cl_cb_client = client;
+ clp->cl_cb_cred = cred;
+ rcu_read_lock();
+--
+2.35.1
+
--- /dev/null
+From 52b8440c48478976fdf311ec5f0c617305163062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 16:50:12 -0400
+Subject: NFSv4: Fix a credential leak in _nfs4_discover_trunking()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit e83458fce080dc23c25353a1af90bfecf79c7369 ]
+
+Fixes: 4f40a5b55446 ("NFSv4: Add an fattr allocation to _nfs4_discover_trunking()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 0500da4dab57..f85559bbb422 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4017,7 +4017,7 @@ static int _nfs4_discover_trunking(struct nfs_server *server,
+
+ page = alloc_page(GFP_KERNEL);
+ if (!page)
+- return -ENOMEM;
++ goto out_put_cred;
+ locations = kmalloc(sizeof(struct nfs4_fs_locations), GFP_KERNEL);
+ if (!locations)
+ goto out_free;
+@@ -4039,6 +4039,8 @@ static int _nfs4_discover_trunking(struct nfs_server *server,
+ kfree(locations);
+ out_free:
+ __free_page(page);
++out_put_cred:
++ put_cred(cred);
+ return status;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b06fde29d67dfb0831157ef9a2289ce92006cb50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 13:20:01 -0400
+Subject: NFSv4: Fix a deadlock between nfs4_open_recover_helper() and
+ delegreturn
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 51069e4aef6257b0454057359faed0ab0c9af083 ]
+
+If we're asked to recover open state while a delegation return is
+outstanding, then the state manager thread cannot use a cached open, so
+if the server returns a delegation, we can end up deadlocked behind the
+pending delegreturn.
+To avoid this problem, let's just ask the server not to give us a
+delegation unless we're explicitly reclaiming one.
+
+Fixes: be36e185bd26 ("NFSv4: nfs4_open_recover_helper() must set share access")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index f85559bbb422..6e247647a5fb 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2130,18 +2130,18 @@ static struct nfs4_opendata *nfs4_open_recoverdata_alloc(struct nfs_open_context
+ }
+
+ static int nfs4_open_recover_helper(struct nfs4_opendata *opendata,
+- fmode_t fmode)
++ fmode_t fmode)
+ {
+ struct nfs4_state *newstate;
++ struct nfs_server *server = NFS_SB(opendata->dentry->d_sb);
++ int openflags = opendata->o_arg.open_flags;
+ int ret;
+
+ if (!nfs4_mode_match_open_stateid(opendata->state, fmode))
+ return 0;
+- opendata->o_arg.open_flags = 0;
+ opendata->o_arg.fmode = fmode;
+- opendata->o_arg.share_access = nfs4_map_atomic_open_share(
+- NFS_SB(opendata->dentry->d_sb),
+- fmode, 0);
++ opendata->o_arg.share_access =
++ nfs4_map_atomic_open_share(server, fmode, openflags);
+ memset(&opendata->o_res, 0, sizeof(opendata->o_res));
+ memset(&opendata->c_res, 0, sizeof(opendata->c_res));
+ nfs4_init_opendata_res(opendata);
+@@ -2723,10 +2723,15 @@ static int _nfs4_open_expired(struct nfs_open_context *ctx, struct nfs4_state *s
+ struct nfs4_opendata *opendata;
+ int ret;
+
+- opendata = nfs4_open_recoverdata_alloc(ctx, state,
+- NFS4_OPEN_CLAIM_FH);
++ opendata = nfs4_open_recoverdata_alloc(ctx, state, NFS4_OPEN_CLAIM_FH);
+ if (IS_ERR(opendata))
+ return PTR_ERR(opendata);
++ /*
++ * We're not recovering a delegation, so ask for no delegation.
++ * Otherwise the recovery thread could deadlock with an outstanding
++ * delegation return.
++ */
++ opendata->o_arg.open_flags = O_DIRECT;
+ ret = nfs4_open_recover(opendata, state);
+ if (ret == -ESTALE)
+ d_drop(ctx->dentry);
+--
+2.35.1
+
--- /dev/null
+From 3bdb62fdef677ab122686057a6efb5f1b0d648f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 17:41:30 -0400
+Subject: NFSv4.2: Always decode the security label
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit c8a62f440229ae7a10874776344dfcc17d860336 ]
+
+If the server returns a reply that includes a security label, then we
+must decode it whether or not we can store the results.
+
+Fixes: 1e2f67da8931 ("NFS: Remove the nfs4_label argument from decode_getattr_*() functions")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4xdr.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index 8c5298e37f0f..9103e022376a 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4755,12 +4755,10 @@ static int decode_getfattr_attrs(struct xdr_stream *xdr, uint32_t *bitmap,
+ if (status < 0)
+ goto xdr_error;
+
+- if (fattr->label) {
+- status = decode_attr_security_label(xdr, bitmap, fattr->label);
+- if (status < 0)
+- goto xdr_error;
+- fattr->valid |= status;
+- }
++ status = decode_attr_security_label(xdr, bitmap, fattr->label);
++ if (status < 0)
++ goto xdr_error;
++ fattr->valid |= status;
+
+ xdr_error:
+ dprintk("%s: xdr returned %d\n", __func__, -status);
+--
+2.35.1
+
--- /dev/null
+From 052bfd36a897b21ee3b1b4e9d69dcb49a2e8b390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 16:44:47 -0400
+Subject: NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit eef7314caf2d73a94b68ba293cd105154d3a664e ]
+
+We need to clear the FATTR4_WORD2_SECURITY_LABEL bitmap flag
+irrespective of whether or not the label is too long.
+
+Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index acfe5f4bda48..8c5298e37f0f 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4234,6 +4234,7 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
+ p = xdr_inline_decode(xdr, len);
+ if (unlikely(!p))
+ return -EIO;
++ bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+ if (len < NFS4_MAXLABELLEN) {
+ if (label) {
+ if (label->len) {
+@@ -4246,7 +4247,6 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
+ label->lfs = lfs;
+ status = NFS_ATTR_FATTR_V4_SECURITY_LABEL;
+ }
+- bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+ } else
+ printk(KERN_WARNING "%s: label too long (%u)!\n",
+ __func__, len);
+--
+2.35.1
+
--- /dev/null
+From 2077e96ab6d875f9d609300f20a5a19de0f4a386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 18:21:14 -0400
+Subject: NFSv4.2: Fix a memory stomp in decode_attr_security_label
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 43c1031f7110967c240cb6e922adcfc4b8899183 ]
+
+We must not change the value of label->len if it is zero, since that
+indicates we stored a label.
+
+Fixes: b4487b935452 ("nfs: Fix getxattr kernel panic and memory overflow")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4xdr.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index 9103e022376a..deec76cf5afe 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4236,12 +4236,10 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
+ return -EIO;
+ bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+ if (len < NFS4_MAXLABELLEN) {
+- if (label) {
+- if (label->len) {
+- if (label->len < len)
+- return -ERANGE;
+- memcpy(label->label, p, len);
+- }
++ if (label && label->len) {
++ if (label->len < len)
++ return -ERANGE;
++ memcpy(label->label, p, len);
+ label->len = len;
+ label->pi = pi;
+ label->lfs = lfs;
+--
+2.35.1
+
--- /dev/null
+From b8c5964786449635cd5f062aef9c3e9c41beb79e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Oct 2022 13:12:11 -0400
+Subject: NFSv4.2: Fix initialisation of struct nfs4_label
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit c528f70f504434eaff993a5ddd52203a2010d51f ]
+
+The call to nfs4_label_init_security() should return a fully initialised
+label.
+
+Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 313e9145b6c9..0500da4dab57 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -122,6 +122,11 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
+ if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL) == 0)
+ return NULL;
+
++ label->lfs = 0;
++ label->pi = 0;
++ label->len = 0;
++ label->label = NULL;
++
+ err = security_dentry_init_security(dentry, sattr->ia_mode,
+ &dentry->d_name, NULL,
+ (void **)&label->label, &label->len);
+@@ -3795,7 +3800,7 @@ nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx,
+ int open_flags, struct iattr *attr, int *opened)
+ {
+ struct nfs4_state *state;
+- struct nfs4_label l = {0, 0, 0, NULL}, *label = NULL;
++ struct nfs4_label l, *label;
+
+ label = nfs4_label_init_security(dir, ctx->dentry, attr, &l);
+
+@@ -4681,7 +4686,7 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
+ int flags)
+ {
+ struct nfs_server *server = NFS_SERVER(dir);
+- struct nfs4_label l, *ilabel = NULL;
++ struct nfs4_label l, *ilabel;
+ struct nfs_open_context *ctx;
+ struct nfs4_state *state;
+ int status = 0;
+@@ -5032,7 +5037,7 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
+ struct nfs4_exception exception = {
+ .interruptible = true,
+ };
+- struct nfs4_label l, *label = NULL;
++ struct nfs4_label l, *label;
+ int err;
+
+ label = nfs4_label_init_security(dir, dentry, sattr, &l);
+@@ -5073,7 +5078,7 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
+ struct nfs4_exception exception = {
+ .interruptible = true,
+ };
+- struct nfs4_label l, *label = NULL;
++ struct nfs4_label l, *label;
+ int err;
+
+ label = nfs4_label_init_security(dir, dentry, sattr, &l);
+@@ -5192,7 +5197,7 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
+ struct nfs4_exception exception = {
+ .interruptible = true,
+ };
+- struct nfs4_label l, *label = NULL;
++ struct nfs4_label l, *label;
+ int err;
+
+ label = nfs4_label_init_security(dir, dentry, sattr, &l);
+--
+2.35.1
+
--- /dev/null
+From f741a2e39cf5ddd6f333cede4703dee930aeda73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 13:15:25 -0500
+Subject: NFSv4.2: Set the correct size scratch buffer for decoding READ_PLUS
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+[ Upstream commit 36357fe74ef736524a29fbd3952948768510a8b9 ]
+
+The scratch_buf array is 16 bytes, but I was passing 32 to the
+xdr_set_scratch_buffer() function. Fix this by using sizeof(), which is
+what I probably should have been doing this whole time.
+
+Fixes: d3b00a802c84 ("NFS: Replace the READ_PLUS decoding code")
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs42xdr.c b/fs/nfs/nfs42xdr.c
+index b56f05113d36..f742c7a5745e 100644
+--- a/fs/nfs/nfs42xdr.c
++++ b/fs/nfs/nfs42xdr.c
+@@ -1134,7 +1134,7 @@ static int decode_read_plus(struct xdr_stream *xdr, struct nfs_pgio_res *res)
+ if (!segs)
+ return -ENOMEM;
+
+- xdr_set_scratch_buffer(xdr, &scratch_buf, 32);
++ xdr_set_scratch_buffer(xdr, &scratch_buf, sizeof(scratch_buf));
+ status = -EIO;
+ for (i = 0; i < segments; i++) {
+ status = decode_read_plus_segment(xdr, &segs[i]);
+--
+2.35.1
+
--- /dev/null
+From dcad0e55b0b6bded73787087e70e6908e4f04bfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 12:42:59 -0500
+Subject: NFSv4.x: Fail client initialisation if state manager thread can't run
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit b4e4f66901658fae0614dea5bf91062a5387eda7 ]
+
+If the state manager thread fails to start, then we should just mark the
+client initialisation as failed so that other processes or threads don't
+get stuck in nfs_wait_client_init_complete().
+
+Reported-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Fixes: 4697bd5e9419 ("NFSv4: Fix a race in the net namespace mount notification")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4state.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index a629d7db9420..0774355249c9 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1232,6 +1232,8 @@ void nfs4_schedule_state_manager(struct nfs_client *clp)
+ if (IS_ERR(task)) {
+ printk(KERN_ERR "%s: kthread_run: %ld\n",
+ __func__, PTR_ERR(task));
++ if (!nfs_client_init_is_complete(clp))
++ nfs_mark_client_ready(clp, PTR_ERR(task));
+ nfs4_clear_state_manager_bit(clp);
+ clear_bit(NFS4CLNT_MANAGER_AVAILABLE, &clp->cl_state);
+ nfs_put_client(clp);
+--
+2.35.1
+
--- /dev/null
+From d2e65ec4694ec5c16990501cc42b442f468a619d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 13:43:06 +0900
+Subject: nilfs2: fix shift-out-of-bounds due to too large exponent of block
+ size
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit ebeccaaef67a4895d2496ab8d9c2fb8d89201211 ]
+
+If field s_log_block_size of superblock data is corrupted and too large,
+init_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds
+warning followed by a kernel panic (if panic_on_warn is set):
+
+ shift exponent 38973 is too large for 32-bit type 'int'
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0xcd/0x134
+ ubsan_epilogue+0xb/0x50
+ __ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5
+ init_nilfs.cold.11+0x18/0x1d [nilfs2]
+ nilfs_mount+0x9b5/0x12b0 [nilfs2]
+ ...
+
+This fixes the issue by adding and using a new helper function for getting
+block size with sanity check.
+
+Link: https://lkml.kernel.org/r/20221027044306.42774-3-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/the_nilfs.c | 42 ++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
+index a7c829a7d4f1..2064e6473d30 100644
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -193,6 +193,34 @@ static int nilfs_store_log_cursor(struct the_nilfs *nilfs,
+ return ret;
+ }
+
++/**
++ * nilfs_get_blocksize - get block size from raw superblock data
++ * @sb: super block instance
++ * @sbp: superblock raw data buffer
++ * @blocksize: place to store block size
++ *
++ * nilfs_get_blocksize() calculates the block size from the block size
++ * exponent information written in @sbp and stores it in @blocksize,
++ * or aborts with an error message if it's too large.
++ *
++ * Return Value: On success, 0 is returned. If the block size is too
++ * large, -EINVAL is returned.
++ */
++static int nilfs_get_blocksize(struct super_block *sb,
++ struct nilfs_super_block *sbp, int *blocksize)
++{
++ unsigned int shift_bits = le32_to_cpu(sbp->s_log_block_size);
++
++ if (unlikely(shift_bits >
++ ilog2(NILFS_MAX_BLOCK_SIZE) - BLOCK_SIZE_BITS)) {
++ nilfs_err(sb, "too large filesystem blocksize: 2 ^ %u KiB",
++ shift_bits);
++ return -EINVAL;
++ }
++ *blocksize = BLOCK_SIZE << shift_bits;
++ return 0;
++}
++
+ /**
+ * load_nilfs - load and recover the nilfs
+ * @nilfs: the_nilfs structure to be released
+@@ -246,11 +274,15 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
+ nilfs->ns_sbwtime = le64_to_cpu(sbp[0]->s_wtime);
+
+ /* verify consistency between two super blocks */
+- blocksize = BLOCK_SIZE << le32_to_cpu(sbp[0]->s_log_block_size);
++ err = nilfs_get_blocksize(sb, sbp[0], &blocksize);
++ if (err)
++ goto scan_error;
++
+ if (blocksize != nilfs->ns_blocksize) {
+ nilfs_warn(sb,
+ "blocksize differs between two super blocks (%d != %d)",
+ blocksize, nilfs->ns_blocksize);
++ err = -EINVAL;
+ goto scan_error;
+ }
+
+@@ -609,9 +641,11 @@ int init_nilfs(struct the_nilfs *nilfs, struct super_block *sb, char *data)
+ if (err)
+ goto failed_sbh;
+
+- blocksize = BLOCK_SIZE << le32_to_cpu(sbp->s_log_block_size);
+- if (blocksize < NILFS_MIN_BLOCK_SIZE ||
+- blocksize > NILFS_MAX_BLOCK_SIZE) {
++ err = nilfs_get_blocksize(sb, sbp, &blocksize);
++ if (err)
++ goto failed_sbh;
++
++ if (blocksize < NILFS_MIN_BLOCK_SIZE) {
+ nilfs_err(sb,
+ "couldn't mount because of unsupported filesystem blocksize %d",
+ blocksize);
+--
+2.35.1
+
--- /dev/null
+From 781638a401d18a7d3b7e8cc12b169360da4ea6f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 13:43:05 +0900
+Subject: nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 610a2a3d7d8be3537458a378ec69396a76c385b6 ]
+
+Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount
+time".
+
+The first patch fixes a bug reported by syzbot, and the second one fixes
+the remaining bug of the same kind. Although they are triggered by the
+same super block data anomaly, I divided it into the above two because the
+details of the issues and how to fix it are different.
+
+Both are required to eliminate the shift-out-of-bounds issues at mount
+time.
+
+This patch (of 2):
+
+If the block size exponent information written in an on-disk superblock is
+corrupted, nilfs_sb2_bad_offset helper function can trigger
+shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn
+is set):
+
+ shift exponent 38983 is too large for 64-bit type 'unsigned long long'
+ Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:151 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322
+ nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline]
+ nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523
+ init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577
+ nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047
+ nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317
+ ...
+
+In addition, since nilfs_sb2_bad_offset() performs multiplication without
+considering the upper bound, the computation may overflow if the disk
+layout parameters are not normal.
+
+This fixes these issues by inserting preliminary sanity checks for those
+parameters and by converting the comparison from one involving
+multiplication and left bit-shifting to one using division and right
+bit-shifting.
+
+Link: https://lkml.kernel.org/r/20221027044306.42774-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20221027044306.42774-2-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+e91619dd4c11c4960706@syzkaller.appspotmail.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/the_nilfs.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
+index c8b89b4f94e0..a7c829a7d4f1 100644
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -13,6 +13,7 @@
+ #include <linux/blkdev.h>
+ #include <linux/backing-dev.h>
+ #include <linux/random.h>
++#include <linux/log2.h>
+ #include <linux/crc32.h>
+ #include "nilfs.h"
+ #include "segment.h"
+@@ -443,11 +444,33 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp)
+ return crc == le32_to_cpu(sbp->s_sum);
+ }
+
+-static int nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset)
++/**
++ * nilfs_sb2_bad_offset - check the location of the second superblock
++ * @sbp: superblock raw data buffer
++ * @offset: byte offset of second superblock calculated from device size
++ *
++ * nilfs_sb2_bad_offset() checks if the position on the second
++ * superblock is valid or not based on the filesystem parameters
++ * stored in @sbp. If @offset points to a location within the segment
++ * area, or if the parameters themselves are not normal, it is
++ * determined to be invalid.
++ *
++ * Return Value: true if invalid, false if valid.
++ */
++static bool nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset)
+ {
+- return offset < ((le64_to_cpu(sbp->s_nsegments) *
+- le32_to_cpu(sbp->s_blocks_per_segment)) <<
+- (le32_to_cpu(sbp->s_log_block_size) + 10));
++ unsigned int shift_bits = le32_to_cpu(sbp->s_log_block_size);
++ u32 blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment);
++ u64 nsegments = le64_to_cpu(sbp->s_nsegments);
++ u64 index;
++
++ if (blocks_per_segment < NILFS_SEG_MIN_BLOCKS ||
++ shift_bits > ilog2(NILFS_MAX_BLOCK_SIZE) - BLOCK_SIZE_BITS)
++ return true;
++
++ index = offset >> (shift_bits + BLOCK_SIZE_BITS);
++ do_div(index, blocks_per_segment);
++ return index < nsegments;
+ }
+
+ static void nilfs_release_super_block(struct the_nilfs *nilfs)
+--
+2.35.1
+
--- /dev/null
+From fa1a8c0123b792b4600794e041121d0cf2123dfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 16:06:59 -0800
+Subject: ntb_netdev: Use dev_kfree_skb_any() in interrupt context
+
+From: Eric Pilmore <epilmore@gigaio.com>
+
+[ Upstream commit 5f7d78b2b12a9d561f48fa00bab29b40f4616dad ]
+
+TX/RX callback handlers (ntb_netdev_tx_handler(),
+ntb_netdev_rx_handler()) can be called in interrupt
+context via the DMA framework when the respective
+DMA operations have completed. As such, any calls
+by these routines to free skb's, should use the
+interrupt context safe dev_kfree_skb_any() function.
+
+Previously, these callback handlers would call the
+interrupt unsafe version of dev_kfree_skb(). This has
+not presented an issue on Intel IOAT DMA engines as
+that driver utilizes tasklets rather than a hard
+interrupt handler, like the AMD PTDMA DMA driver.
+On AMD systems, a kernel WARNING message is
+encountered, which is being issued from
+skb_release_head_state() due to in_hardirq()
+being true.
+
+Besides the user visible WARNING from the kernel,
+the other symptom of this bug was that TCP/IP performance
+across the ntb_netdev interface was very poor, i.e.
+approximately an order of magnitude below what was
+expected. With the repair to use dev_kfree_skb_any(),
+kernel WARNINGs from skb_release_head_state() ceased
+and TCP/IP performance, as measured by iperf, was on
+par with expected results, approximately 20 Gb/s on
+AMD Milan based server. Note that this performance
+is comparable with Intel based servers.
+
+Fixes: 765ccc7bc3d91 ("ntb_netdev: correct skb leak")
+Fixes: 548c237c0a997 ("net: Add support for NTB virtual ethernet device")
+Signed-off-by: Eric Pilmore <epilmore@gigaio.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/20221209000659.8318-1-epilmore@gigaio.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ntb_netdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
+index dd7e273c90cb..29b198472a2c 100644
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -137,7 +137,7 @@ static void ntb_netdev_rx_handler(struct ntb_transport_qp *qp, void *qp_data,
+ enqueue_again:
+ rc = ntb_transport_rx_enqueue(qp, skb, skb->data, ndev->mtu + ETH_HLEN);
+ if (rc) {
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ ndev->stats.rx_errors++;
+ ndev->stats.rx_fifo_errors++;
+ }
+@@ -192,7 +192,7 @@ static void ntb_netdev_tx_handler(struct ntb_transport_qp *qp, void *qp_data,
+ ndev->stats.tx_aborted_errors++;
+ }
+
+- dev_kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+
+ if (ntb_transport_tx_free_entry(dev->qp) >= tx_start) {
+ /* Make sure anybody stopping the queue after this sees the new
+--
+2.35.1
+
--- /dev/null
+From 8f860cf082871ce2c5ad98ddaf754616775a7575 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 13:24:11 +0200
+Subject: nvme-auth: don't override ctrl keys before validation
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 01604350e14560d4d69323eb1ba12a257a643ea8 ]
+
+Replace ctrl ctrl_key/host_key only after nvme_auth_generate_key is successful.
+Also, this fixes a bug where the keys are leaked.
+
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index cd2e2bfeae82..3582a28a1dce 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3739,13 +3739,17 @@ static ssize_t nvme_ctrl_dhchap_secret_store(struct device *dev,
+ memcpy(dhchap_secret, buf, count);
+ nvme_auth_stop(ctrl);
+ if (strcmp(dhchap_secret, opts->dhchap_secret)) {
++ struct nvme_dhchap_key *key, *host_key;
+ int ret;
+
+- ret = nvme_auth_generate_key(dhchap_secret, &ctrl->host_key);
++ ret = nvme_auth_generate_key(dhchap_secret, &key);
+ if (ret)
+ return ret;
+ kfree(opts->dhchap_secret);
+ opts->dhchap_secret = dhchap_secret;
++ host_key = ctrl->host_key;
++ ctrl->host_key = key;
++ nvme_auth_free_key(host_key);
+ /* Key has changed; re-authentication with new key */
+ nvme_auth_reset(ctrl);
+ }
+@@ -3789,13 +3793,17 @@ static ssize_t nvme_ctrl_dhchap_ctrl_secret_store(struct device *dev,
+ memcpy(dhchap_secret, buf, count);
+ nvme_auth_stop(ctrl);
+ if (strcmp(dhchap_secret, opts->dhchap_ctrl_secret)) {
++ struct nvme_dhchap_key *key, *ctrl_key;
+ int ret;
+
+- ret = nvme_auth_generate_key(dhchap_secret, &ctrl->ctrl_key);
++ ret = nvme_auth_generate_key(dhchap_secret, &key);
+ if (ret)
+ return ret;
+ kfree(opts->dhchap_ctrl_secret);
+ opts->dhchap_ctrl_secret = dhchap_secret;
++ ctrl_key = ctrl->ctrl_key;
++ ctrl->ctrl_key = key;
++ nvme_auth_free_key(ctrl_key);
+ /* Key has changed; re-authentication with new key */
+ nvme_auth_reset(ctrl);
+ }
+--
+2.35.1
+
--- /dev/null
+From 6e1ba318a5fa5efd80e6a1ce6ea60a6e7b830fb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 18:17:08 +0100
+Subject: nvme: return err on nvme_init_non_mdts_limits fail
+
+From: Joel Granados <j.granados@samsung.com>
+
+[ Upstream commit bcaf434b8f04e1ee82a8b1e1bce0de99fbff67fa ]
+
+In nvme_init_non_mdts_limits function we were returning 0 when kzalloc
+failed; it now returns -ENOMEM.
+
+Fixes: 5befc7c26e5a ("nvme: implement non-mdts command limits")
+Signed-off-by: Joel Granados <j.granados@samsung.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index aca50bb93750..cd2e2bfeae82 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3043,7 +3043,7 @@ static int nvme_init_non_mdts_limits(struct nvme_ctrl *ctrl)
+
+ id = kzalloc(sizeof(*id), GFP_KERNEL);
+ if (!id)
+- return 0;
++ return -ENOMEM;
+
+ c.identify.opcode = nvme_admin_identify;
+ c.identify.cns = NVME_ID_CNS_CS_CTRL;
+--
+2.35.1
+
--- /dev/null
+From 90c74b5f4cbd0d72125643fd7118575f187eb8d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 14:01:24 +0100
+Subject: nvmet: only allocate a single slab for bvecs
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit fa8f9ac42350edd3ce82d0d148a60f0fa088f995 ]
+
+There is no need to have a separate slab cache for each namespace,
+and having separate ones creates duplicate debugs file names as well.
+
+Fixes: d5eff33ee6f8 ("nvmet: add simple file backed ns support")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 22 ++++++++++++++--------
+ drivers/nvme/target/io-cmd-file.c | 16 +++-------------
+ drivers/nvme/target/nvmet.h | 3 ++-
+ 3 files changed, 19 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index aecb5853f8da..683b75a992b3 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -15,6 +15,7 @@
+
+ #include "nvmet.h"
+
++struct kmem_cache *nvmet_bvec_cache;
+ struct workqueue_struct *buffered_io_wq;
+ struct workqueue_struct *zbd_wq;
+ static const struct nvmet_fabrics_ops *nvmet_transports[NVMF_TRTYPE_MAX];
+@@ -1631,26 +1632,28 @@ void nvmet_subsys_put(struct nvmet_subsys *subsys)
+
+ static int __init nvmet_init(void)
+ {
+- int error;
++ int error = -ENOMEM;
+
+ nvmet_ana_group_enabled[NVMET_DEFAULT_ANA_GRPID] = 1;
+
++ nvmet_bvec_cache = kmem_cache_create("nvmet-bvec",
++ NVMET_MAX_MPOOL_BVEC * sizeof(struct bio_vec), 0,
++ SLAB_HWCACHE_ALIGN, NULL);
++ if (!nvmet_bvec_cache)
++ return -ENOMEM;
++
+ zbd_wq = alloc_workqueue("nvmet-zbd-wq", WQ_MEM_RECLAIM, 0);
+ if (!zbd_wq)
+- return -ENOMEM;
++ goto out_destroy_bvec_cache;
+
+ buffered_io_wq = alloc_workqueue("nvmet-buffered-io-wq",
+ WQ_MEM_RECLAIM, 0);
+- if (!buffered_io_wq) {
+- error = -ENOMEM;
++ if (!buffered_io_wq)
+ goto out_free_zbd_work_queue;
+- }
+
+ nvmet_wq = alloc_workqueue("nvmet-wq", WQ_MEM_RECLAIM, 0);
+- if (!nvmet_wq) {
+- error = -ENOMEM;
++ if (!nvmet_wq)
+ goto out_free_buffered_work_queue;
+- }
+
+ error = nvmet_init_discovery();
+ if (error)
+@@ -1669,6 +1672,8 @@ static int __init nvmet_init(void)
+ destroy_workqueue(buffered_io_wq);
+ out_free_zbd_work_queue:
+ destroy_workqueue(zbd_wq);
++out_destroy_bvec_cache:
++ kmem_cache_destroy(nvmet_bvec_cache);
+ return error;
+ }
+
+@@ -1680,6 +1685,7 @@ static void __exit nvmet_exit(void)
+ destroy_workqueue(nvmet_wq);
+ destroy_workqueue(buffered_io_wq);
+ destroy_workqueue(zbd_wq);
++ kmem_cache_destroy(nvmet_bvec_cache);
+
+ BUILD_BUG_ON(sizeof(struct nvmf_disc_rsp_page_entry) != 1024);
+ BUILD_BUG_ON(sizeof(struct nvmf_disc_rsp_page_hdr) != 1024);
+diff --git a/drivers/nvme/target/io-cmd-file.c b/drivers/nvme/target/io-cmd-file.c
+index 64b47e2a4633..e55ec6fefd7f 100644
+--- a/drivers/nvme/target/io-cmd-file.c
++++ b/drivers/nvme/target/io-cmd-file.c
+@@ -11,7 +11,6 @@
+ #include <linux/fs.h>
+ #include "nvmet.h"
+
+-#define NVMET_MAX_MPOOL_BVEC 16
+ #define NVMET_MIN_MPOOL_OBJ 16
+
+ void nvmet_file_ns_revalidate(struct nvmet_ns *ns)
+@@ -26,8 +25,6 @@ void nvmet_file_ns_disable(struct nvmet_ns *ns)
+ flush_workqueue(buffered_io_wq);
+ mempool_destroy(ns->bvec_pool);
+ ns->bvec_pool = NULL;
+- kmem_cache_destroy(ns->bvec_cache);
+- ns->bvec_cache = NULL;
+ fput(ns->file);
+ ns->file = NULL;
+ }
+@@ -59,16 +56,8 @@ int nvmet_file_ns_enable(struct nvmet_ns *ns)
+ ns->blksize_shift = min_t(u8,
+ file_inode(ns->file)->i_blkbits, 12);
+
+- ns->bvec_cache = kmem_cache_create("nvmet-bvec",
+- NVMET_MAX_MPOOL_BVEC * sizeof(struct bio_vec),
+- 0, SLAB_HWCACHE_ALIGN, NULL);
+- if (!ns->bvec_cache) {
+- ret = -ENOMEM;
+- goto err;
+- }
+-
+ ns->bvec_pool = mempool_create(NVMET_MIN_MPOOL_OBJ, mempool_alloc_slab,
+- mempool_free_slab, ns->bvec_cache);
++ mempool_free_slab, nvmet_bvec_cache);
+
+ if (!ns->bvec_pool) {
+ ret = -ENOMEM;
+@@ -77,9 +66,10 @@ int nvmet_file_ns_enable(struct nvmet_ns *ns)
+
+ return ret;
+ err:
++ fput(ns->file);
++ ns->file = NULL;
+ ns->size = 0;
+ ns->blksize_shift = 0;
+- nvmet_file_ns_disable(ns);
+ return ret;
+ }
+
+diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
+index dfe3894205aa..bda1c1f71f39 100644
+--- a/drivers/nvme/target/nvmet.h
++++ b/drivers/nvme/target/nvmet.h
+@@ -77,7 +77,6 @@ struct nvmet_ns {
+
+ struct completion disable_done;
+ mempool_t *bvec_pool;
+- struct kmem_cache *bvec_cache;
+
+ int use_p2pmem;
+ struct pci_dev *p2p_dev;
+@@ -393,6 +392,8 @@ struct nvmet_req {
+ u64 error_slba;
+ };
+
++#define NVMET_MAX_MPOOL_BVEC 16
++extern struct kmem_cache *nvmet_bvec_cache;
+ extern struct workqueue_struct *buffered_io_wq;
+ extern struct workqueue_struct *zbd_wq;
+ extern struct workqueue_struct *nvmet_wq;
+--
+2.35.1
+
--- /dev/null
+From 0cc870bcd4e92ade0f85e44381affaa1c747c464 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 11:45:41 +0200
+Subject: objtool, kcsan: Add volatile read/write instrumentation to whitelist
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 63646fcba5bb4b59a19031c21913f94e46a3d0d4 ]
+
+Adds KCSAN's volatile instrumentation to objtool's uaccess whitelist.
+
+Recent kernel change have shown that this was missing from the uaccess
+whitelist (since the first upstreamed version of KCSAN):
+
+ mm/gup.o: warning: objtool: fault_in_readable+0x101: call to __tsan_volatile_write1() with UACCESS enabled
+
+Fixes: 75d75b7a4d54 ("kcsan: Support distinguishing volatile accesses")
+Signed-off-by: Marco Elver <elver@google.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index e55fdf952a3a..67afdce3421f 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -999,6 +999,16 @@ static const char *uaccess_safe_builtin[] = {
+ "__tsan_read_write4",
+ "__tsan_read_write8",
+ "__tsan_read_write16",
++ "__tsan_volatile_read1",
++ "__tsan_volatile_read2",
++ "__tsan_volatile_read4",
++ "__tsan_volatile_read8",
++ "__tsan_volatile_read16",
++ "__tsan_volatile_write1",
++ "__tsan_volatile_write2",
++ "__tsan_volatile_write4",
++ "__tsan_volatile_write8",
++ "__tsan_volatile_write16",
+ "__tsan_atomic8_load",
+ "__tsan_atomic16_load",
+ "__tsan_atomic32_load",
+--
+2.35.1
+
--- /dev/null
+From 9e0b8249d0f7a37755ba170d7ea5769f5e2d869b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 15:46:27 +0800
+Subject: ocfs2: fix memory leak in ocfs2_mount_volume()
+
+From: Li Zetao <ocfs2-devel@oss.oracle.com>
+
+[ Upstream commit ce2fcf1516d674a174d9b34d1e1024d64de9fba3 ]
+
+There is a memory leak reported by kmemleak:
+
+ unreferenced object 0xffff88810cc65e60 (size 32):
+ comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s)
+ hex dump (first 32 bytes):
+ 10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................
+ 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8170f73d>] __kmalloc+0x4d/0x150
+ [<ffffffffa0ac3f51>] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2]
+ [<ffffffffa0b65165>] ocfs2_check_volume+0x485/0x900 [ocfs2]
+ [<ffffffffa0b68129>] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2]
+ [<ffffffffa0b7160b>] ocfs2_fill_super+0xe0b/0x1740 [ocfs2]
+ [<ffffffff818e1fe2>] mount_bdev+0x312/0x400
+ [<ffffffff819a086d>] legacy_get_tree+0xed/0x1d0
+ [<ffffffff818de82d>] vfs_get_tree+0x7d/0x230
+ [<ffffffff81957f92>] path_mount+0xd62/0x1760
+ [<ffffffff81958a5a>] do_mount+0xca/0xe0
+ [<ffffffff81958d3c>] __x64_sys_mount+0x12c/0x1a0
+ [<ffffffff82f26f15>] do_syscall_64+0x35/0x80
+ [<ffffffff8300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+This call stack is related to two problems. Firstly, the ocfs2 super uses
+"replay_map" to trace online/offline slots, in order to recover offline
+slots during recovery and mount. But when ocfs2_truncate_log_init()
+returns an error in ocfs2_mount_volume(), the memory of "replay_map" will
+not be freed in error handling path. Secondly, the memory of "replay_map"
+will not be freed if d_make_root() returns an error in ocfs2_fill_super().
+But the memory of "replay_map" will be freed normally when completing
+recovery and mount in ocfs2_complete_mount_recovery().
+
+Fix the first problem by adding error handling path to free "replay_map"
+when ocfs2_truncate_log_init() fails. And fix the second problem by
+calling ocfs2_free_replay_slots(osb) in the error handling path
+"out_dismount". In addition, since ocfs2_free_replay_slots() is static,
+it is necessary to remove its static attribute and declare it in header
+file.
+
+Link: https://lkml.kernel.org/r/20221109074627.2303950-1-lizetao1@huawei.com
+Fixes: 9140db04ef18 ("ocfs2: recover orphans in offline slots during recovery and mount")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/journal.c | 2 +-
+ fs/ocfs2/journal.h | 1 +
+ fs/ocfs2/super.c | 5 ++++-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c
+index fa87d89cf754..1be7d440eff3 100644
+--- a/fs/ocfs2/journal.c
++++ b/fs/ocfs2/journal.c
+@@ -157,7 +157,7 @@ static void ocfs2_queue_replay_slots(struct ocfs2_super *osb,
+ replay_map->rm_state = REPLAY_DONE;
+ }
+
+-static void ocfs2_free_replay_slots(struct ocfs2_super *osb)
++void ocfs2_free_replay_slots(struct ocfs2_super *osb)
+ {
+ struct ocfs2_replay_map *replay_map = osb->replay_map;
+
+diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
+index 969d0aa28718..41c382f68529 100644
+--- a/fs/ocfs2/journal.h
++++ b/fs/ocfs2/journal.h
+@@ -150,6 +150,7 @@ int ocfs2_recovery_init(struct ocfs2_super *osb);
+ void ocfs2_recovery_exit(struct ocfs2_super *osb);
+
+ int ocfs2_compute_replay_slots(struct ocfs2_super *osb);
++void ocfs2_free_replay_slots(struct ocfs2_super *osb);
+ /*
+ * Journal Control:
+ * Initialize, Load, Shutdown, Wipe a journal.
+diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
+index e2cc9eec287c..78441e466e6f 100644
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -1159,6 +1159,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
+ out_dismount:
+ atomic_set(&osb->vol_state, VOLUME_DISABLED);
+ wake_up(&osb->osb_mount_event);
++ ocfs2_free_replay_slots(osb);
+ ocfs2_dismount_volume(sb, 1);
+ goto out;
+
+@@ -1824,12 +1825,14 @@ static int ocfs2_mount_volume(struct super_block *sb)
+ status = ocfs2_truncate_log_init(osb);
+ if (status < 0) {
+ mlog_errno(status);
+- goto out_system_inodes;
++ goto out_check_volume;
+ }
+
+ ocfs2_super_unlock(osb, 1);
+ return 0;
+
++out_check_volume:
++ ocfs2_free_replay_slots(osb);
+ out_system_inodes:
+ if (osb->local_alloc_state == OCFS2_LA_ENABLED)
+ ocfs2_shutdown_local_alloc(osb);
+--
+2.35.1
+
--- /dev/null
+From 2e75b3036446698b56b53cf3a34c0a8f22a65e73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 19:15:33 +0800
+Subject: ocfs2: fix memory leak in ocfs2_stack_glue_init()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 13b6269dd022aaa69ca8d1df374ab327504121cf ]
+
+ocfs2_table_header should be free in ocfs2_stack_glue_init() if
+ocfs2_sysfs_init() failed, otherwise kmemleak will report memleak.
+
+BUG: memory leak
+unreferenced object 0xffff88810eeb5800 (size 128):
+ comm "modprobe", pid 4507, jiffies 4296182506 (age 55.888s)
+ hex dump (first 32 bytes):
+ c0 40 14 a0 ff ff ff ff 00 00 00 00 01 00 00 00 .@..............
+ 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000001e59e1cd>] __register_sysctl_table+0xca/0xef0
+ [<00000000c04f70f7>] 0xffffffffa0050037
+ [<000000001bd12912>] do_one_initcall+0xdb/0x480
+ [<0000000064f766c9>] do_init_module+0x1cf/0x680
+ [<000000002ba52db0>] load_module+0x6441/0x6f20
+ [<000000009772580d>] __do_sys_finit_module+0x12f/0x1c0
+ [<00000000380c1f22>] do_syscall_64+0x3f/0x90
+ [<000000004cf473bc>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Link: https://lkml.kernel.org/r/41651ca1-432a-db34-eb97-d35744559de1@linux.alibaba.com
+Fixes: 3878f110f71a ("ocfs2: Move the hb_ctl_path sysctl into the stack glue.")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/stackglue.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c
+index dd77b7aaabf5..3633da5f7117 100644
+--- a/fs/ocfs2/stackglue.c
++++ b/fs/ocfs2/stackglue.c
+@@ -669,6 +669,8 @@ static struct ctl_table_header *ocfs2_table_header;
+
+ static int __init ocfs2_stack_glue_init(void)
+ {
++ int ret;
++
+ strcpy(cluster_stack_name, OCFS2_STACK_PLUGIN_O2CB);
+
+ ocfs2_table_header = register_sysctl("fs/ocfs2/nm", ocfs2_nm_table);
+@@ -678,7 +680,11 @@ static int __init ocfs2_stack_glue_init(void)
+ return -ENOMEM; /* or something. */
+ }
+
+- return ocfs2_sysfs_init();
++ ret = ocfs2_sysfs_init();
++ if (ret)
++ unregister_sysctl_table(ocfs2_table_header);
++
++ return ret;
+ }
+
+ static void __exit ocfs2_stack_glue_exit(void)
+--
+2.35.1
+
--- /dev/null
+From bafe2b0417f40a1bf6fcd529716adbd78e44c408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 23:43:39 +0800
+Subject: ocxl: fix pci device refcount leak when calling get_function_0()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 27158c72678b39ee01cc01de1aba6b51c71abe2f ]
+
+get_function_0() calls pci_get_domain_bus_and_slot(), as comment
+says, it returns a pci device with refcount increment, so after
+using it, pci_dev_put() needs be called.
+
+Get the device reference when get_function_0() is not called, so
+pci_dev_put() can be called in the error path and callers
+unconditionally. And add comment above get_dvsec_vendor0() to tell
+callers to call pci_dev_put().
+
+Fixes: 87db7579ebd5 ("ocxl: control via sysfs whether the FPGA is reloaded on a link reset")
+Suggested-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221121154339.4088935-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/ocxl/config.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/misc/ocxl/config.c b/drivers/misc/ocxl/config.c
+index e401a51596b9..92ab49705f64 100644
+--- a/drivers/misc/ocxl/config.c
++++ b/drivers/misc/ocxl/config.c
+@@ -193,6 +193,18 @@ static int read_dvsec_vendor(struct pci_dev *dev)
+ return 0;
+ }
+
++/**
++ * get_dvsec_vendor0() - Find a related PCI device (function 0)
++ * @dev: PCI device to match
++ * @dev0: The PCI device (function 0) found
++ * @out_pos: The position of PCI device (function 0)
++ *
++ * Returns 0 on success, negative on failure.
++ *
++ * NOTE: If it's successful, the reference of dev0 is increased,
++ * so after using it, the callers must call pci_dev_put() to give
++ * up the reference.
++ */
+ static int get_dvsec_vendor0(struct pci_dev *dev, struct pci_dev **dev0,
+ int *out_pos)
+ {
+@@ -202,10 +214,14 @@ static int get_dvsec_vendor0(struct pci_dev *dev, struct pci_dev **dev0,
+ dev = get_function_0(dev);
+ if (!dev)
+ return -1;
++ } else {
++ dev = pci_dev_get(dev);
+ }
+ pos = find_dvsec(dev, OCXL_DVSEC_VENDOR_ID);
+- if (!pos)
++ if (!pos) {
++ pci_dev_put(dev);
+ return -1;
++ }
+ *dev0 = dev;
+ *out_pos = pos;
+ return 0;
+@@ -222,6 +238,7 @@ int ocxl_config_get_reset_reload(struct pci_dev *dev, int *val)
+
+ pci_read_config_dword(dev0, pos + OCXL_DVSEC_VENDOR_RESET_RELOAD,
+ &reset_reload);
++ pci_dev_put(dev0);
+ *val = !!(reset_reload & BIT(0));
+ return 0;
+ }
+@@ -243,6 +260,7 @@ int ocxl_config_set_reset_reload(struct pci_dev *dev, int val)
+ reset_reload &= ~BIT(0);
+ pci_write_config_dword(dev0, pos + OCXL_DVSEC_VENDOR_RESET_RELOAD,
+ reset_reload);
++ pci_dev_put(dev0);
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 517e86db9c6129e5fab22fff44c9b422b15b807e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Dec 2022 10:33:37 +0800
+Subject: of: overlay: fix null pointer dereferencing in
+ find_dup_cset_node_entry() and find_dup_cset_prop()
+
+From: ruanjinjie <ruanjinjie@huawei.com>
+
+[ Upstream commit ee9d7a0e754568180a2f8ebc4aad226278a9116f ]
+
+When kmalloc() fail to allocate memory in kasprintf(), fn_1 or fn_2 will
+be NULL, and strcmp() will cause null pointer dereference.
+
+Fixes: 2fe0e8769df9 ("of: overlay: check prevents multiple fragments touching same property")
+Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20221211023337.592266-1-ruanjinjie@huawei.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/overlay.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
+index bd8ff4df723d..ed4e6c144a68 100644
+--- a/drivers/of/overlay.c
++++ b/drivers/of/overlay.c
+@@ -545,7 +545,7 @@ static int find_dup_cset_node_entry(struct overlay_changeset *ovcs,
+
+ fn_1 = kasprintf(GFP_KERNEL, "%pOF", ce_1->np);
+ fn_2 = kasprintf(GFP_KERNEL, "%pOF", ce_2->np);
+- node_path_match = !strcmp(fn_1, fn_2);
++ node_path_match = !fn_1 || !fn_2 || !strcmp(fn_1, fn_2);
+ kfree(fn_1);
+ kfree(fn_2);
+ if (node_path_match) {
+@@ -580,7 +580,7 @@ static int find_dup_cset_prop(struct overlay_changeset *ovcs,
+
+ fn_1 = kasprintf(GFP_KERNEL, "%pOF", ce_1->np);
+ fn_2 = kasprintf(GFP_KERNEL, "%pOF", ce_2->np);
+- node_path_match = !strcmp(fn_1, fn_2);
++ node_path_match = !fn_1 || !fn_2 || !strcmp(fn_1, fn_2);
+ kfree(fn_1);
+ kfree(fn_2);
+ if (node_path_match &&
+--
+2.35.1
+
--- /dev/null
+From c89fd269a1699fa4aee488b2d47836fb464c6a90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 15:46:33 +0100
+Subject: openvswitch: Fix flow lookup to use unmasked key
+
+From: Eelco Chaudron <echaudro@redhat.com>
+
+[ Upstream commit 68bb10101e6b0a6bb44e9c908ef795fc4af99eae ]
+
+The commit mentioned below causes the ovs_flow_tbl_lookup() function
+to be called with the masked key. However, it's supposed to be called
+with the unmasked key. This due to the fact that the datapath supports
+installing wider flows, and OVS relies on this behavior. For example
+if ipv4(src=1.1.1.1/192.0.0.0, dst=1.1.1.2/192.0.0.0) exists, a wider
+flow (smaller mask) of ipv4(src=192.1.1.1/128.0.0.0,dst=192.1.1.2/
+128.0.0.0) is allowed to be added.
+
+However, if we try to add a wildcard rule, the installation fails:
+
+$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \
+ ipv4(src=1.1.1.1/192.0.0.0,dst=1.1.1.2/192.0.0.0,frag=no)" 2
+$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \
+ ipv4(src=192.1.1.1/0.0.0.0,dst=49.1.1.2/0.0.0.0,frag=no)" 2
+ovs-vswitchd: updating flow table (File exists)
+
+The reason is that the key used to determine if the flow is already
+present in the system uses the original key ANDed with the mask.
+This results in the IP address not being part of the (miniflow) key,
+i.e., being substituted with an all-zero value. When doing the actual
+lookup, this results in the key wrongfully matching the first flow,
+and therefore the flow does not get installed.
+
+This change reverses the commit below, but rather than having the key
+on the stack, it's allocated.
+
+Fixes: 190aa3e77880 ("openvswitch: Fix Frame-size larger than 1024 bytes warning.")
+
+Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index ae7d4d03790c..ac66cdc7b67b 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -947,6 +947,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ struct sw_flow_mask mask;
+ struct sk_buff *reply;
+ struct datapath *dp;
++ struct sw_flow_key *key;
+ struct sw_flow_actions *acts;
+ struct sw_flow_match match;
+ u32 ufid_flags = ovs_nla_get_ufid_flags(a[OVS_FLOW_ATTR_UFID_FLAGS]);
+@@ -974,24 +975,26 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ }
+
+ /* Extract key. */
+- ovs_match_init(&match, &new_flow->key, false, &mask);
++ key = kzalloc(sizeof(*key), GFP_KERNEL);
++ if (!key) {
++ error = -ENOMEM;
++ goto err_kfree_key;
++ }
++
++ ovs_match_init(&match, key, false, &mask);
+ error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY],
+ a[OVS_FLOW_ATTR_MASK], log);
+ if (error)
+ goto err_kfree_flow;
+
++ ovs_flow_mask_key(&new_flow->key, key, true, &mask);
++
+ /* Extract flow identifier. */
+ error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID],
+- &new_flow->key, log);
++ key, log);
+ if (error)
+ goto err_kfree_flow;
+
+- /* unmasked key is needed to match when ufid is not used. */
+- if (ovs_identifier_is_key(&new_flow->id))
+- match.key = new_flow->id.unmasked_key;
+-
+- ovs_flow_mask_key(&new_flow->key, &new_flow->key, true, &mask);
+-
+ /* Validate actions. */
+ error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS],
+ &new_flow->key, &acts, log);
+@@ -1018,7 +1021,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ if (ovs_identifier_is_ufid(&new_flow->id))
+ flow = ovs_flow_tbl_lookup_ufid(&dp->table, &new_flow->id);
+ if (!flow)
+- flow = ovs_flow_tbl_lookup(&dp->table, &new_flow->key);
++ flow = ovs_flow_tbl_lookup(&dp->table, key);
+ if (likely(!flow)) {
+ rcu_assign_pointer(new_flow->sf_acts, acts);
+
+@@ -1088,6 +1091,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+
+ if (reply)
+ ovs_notify(&dp_flow_genl_family, reply, info);
++
++ kfree(key);
+ return 0;
+
+ err_unlock_ovs:
+@@ -1097,6 +1102,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ ovs_nla_free_flow_actions(acts);
+ err_kfree_flow:
+ ovs_flow_free(new_flow, false);
++err_kfree_key:
++ kfree(key);
+ error:
+ return error;
+ }
+--
+2.35.1
+
--- /dev/null
+From 302f71dd9883572c81771cc4ebae0542d0eab29c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 12:40:07 +0800
+Subject: orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 31720a2b109b3080eb77e97b8f6f50a27b4ae599 ]
+
+When insert and remove the orangefs module, there are memory leaked
+as below:
+
+unreferenced object 0xffff88816b0cc000 (size 2048):
+ comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)
+ hex dump (first 32 bytes):
+ 6e 6f 6e 65 0a 00 00 00 00 00 00 00 00 00 00 00 none............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000031ab7788>] kmalloc_trace+0x27/0xa0
+ [<000000005b405fee>] orangefs_debugfs_init.cold+0xaf/0x17f
+ [<00000000e5a0085b>] 0xffffffffa02780f9
+ [<000000004232d9f7>] do_one_initcall+0x87/0x2a0
+ [<0000000054f22384>] do_init_module+0xdf/0x320
+ [<000000003263bdea>] load_module+0x2f98/0x3330
+ [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000250ae02b>] do_syscall_64+0x35/0x80
+ [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Use the golbal variable as the buffer rather than dynamic allocate to
+slove the problem.
+
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 26 +++-----------------------
+ 1 file changed, 3 insertions(+), 23 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index a848b6ef9599..1b508f543384 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -194,15 +194,10 @@ void orangefs_debugfs_init(int debug_mask)
+ */
+ static void orangefs_kernel_debug_init(void)
+ {
+- int rc = -ENOMEM;
+- char *k_buffer = NULL;
++ static char k_buffer[ORANGEFS_MAX_DEBUG_STRING_LEN] = { };
+
+ gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: start\n", __func__);
+
+- k_buffer = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
+- if (!k_buffer)
+- goto out;
+-
+ if (strlen(kernel_debug_string) + 1 < ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ strcpy(k_buffer, kernel_debug_string);
+ strcat(k_buffer, "\n");
+@@ -213,9 +208,6 @@ static void orangefs_kernel_debug_init(void)
+
+ debugfs_create_file(ORANGEFS_KMOD_DEBUG_FILE, 0444, debug_dir, k_buffer,
+ &kernel_debug_fops);
+-
+-out:
+- gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: rc:%d:\n", __func__, rc);
+ }
+
+
+@@ -299,18 +291,13 @@ static int help_show(struct seq_file *m, void *v)
+ /*
+ * initialize the client-debug file.
+ */
+-static int orangefs_client_debug_init(void)
++static void orangefs_client_debug_init(void)
+ {
+
+- int rc = -ENOMEM;
+- char *c_buffer = NULL;
++ static char c_buffer[ORANGEFS_MAX_DEBUG_STRING_LEN] = { };
+
+ gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: start\n", __func__);
+
+- c_buffer = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
+- if (!c_buffer)
+- goto out;
+-
+ if (strlen(client_debug_string) + 1 < ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ strcpy(c_buffer, client_debug_string);
+ strcat(c_buffer, "\n");
+@@ -324,13 +311,6 @@ static int orangefs_client_debug_init(void)
+ debug_dir,
+ c_buffer,
+ &kernel_debug_fops);
+-
+- rc = 0;
+-
+-out:
+-
+- gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: rc:%d:\n", __func__, rc);
+- return rc;
+ }
+
+ /* open ORANGEFS_KMOD_DEBUG_FILE or ORANGEFS_CLIENT_DEBUG_FILE.*/
+--
+2.35.1
+
--- /dev/null
+From b784f30bef5f9c9788aa00b0fe9b48aedd5af925 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 12:40:05 +0800
+Subject: orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit d23417a5bf3a3afc55de5442eb46e1e60458b0a1 ]
+
+When insert and remove the orangefs module, then debug_help_string will
+be leaked:
+
+ unreferenced object 0xffff8881652ba000 (size 4096):
+ comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s)
+ hex dump (first 32 bytes):
+ 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key
+ 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow
+ backtrace:
+ [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0
+ [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs]
+ [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t]
+ [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0
+ [<000000001d0614ae>] do_init_module+0xdf/0x320
+ [<00000000efef068c>] load_module+0x2f98/0x3330
+ [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000a0da6f99>] do_syscall_64+0x35/0x80
+ [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+When remove the module, should always free debug_help_string. Should
+always free the allocated buffer when change the free_debug_help_string.
+
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index 29eaa4544372..a848b6ef9599 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -222,6 +222,8 @@ static void orangefs_kernel_debug_init(void)
+ void orangefs_debugfs_cleanup(void)
+ {
+ debugfs_remove_recursive(debug_dir);
++ kfree(debug_help_string);
++ debug_help_string = NULL;
+ }
+
+ /* open ORANGEFS_KMOD_DEBUG_HELP_FILE */
+@@ -671,6 +673,7 @@ int orangefs_prepare_debugfs_help_string(int at_boot)
+ memset(debug_help_string, 0, DEBUG_HELP_STRING_SIZE);
+ strlcat(debug_help_string, new, string_size);
+ mutex_unlock(&orangefs_help_file_lock);
++ kfree(new);
+ }
+
+ rc = 0;
+--
+2.35.1
+
--- /dev/null
+From 6a7c27e7d2fe9238103433632c70d811b6b33d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 12:40:06 +0800
+Subject: orangefs: Fix kmemleak in orangefs_sysfs_init()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 1f2c0e8a587bcafad85019a2d80f158d8d41a868 ]
+
+When insert and remove the orangefs module, there are kobjects memory
+leaked as below:
+
+unreferenced object 0xffff88810f95af00 (size 64):
+ comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)
+ hex dump (first 32 bytes):
+ a0 83 af 01 81 88 ff ff 08 af 95 0f 81 88 ff ff ................
+ 08 af 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000031ab7788>] kmalloc_trace+0x27/0xa0
+ [<000000005a6e4dfe>] orangefs_sysfs_init+0x42/0x3a0
+ [<00000000722645ca>] 0xffffffffa02780fe
+ [<000000004232d9f7>] do_one_initcall+0x87/0x2a0
+ [<0000000054f22384>] do_init_module+0xdf/0x320
+ [<000000003263bdea>] load_module+0x2f98/0x3330
+ [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000250ae02b>] do_syscall_64+0x35/0x80
+ [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+unreferenced object 0xffff88810f95ae80 (size 64):
+ comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)
+ hex dump (first 32 bytes):
+ c8 90 0f 02 81 88 ff ff 88 ae 95 0f 81 88 ff ff ................
+ 88 ae 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000031ab7788>] kmalloc_trace+0x27/0xa0
+ [<000000001a4841fa>] orangefs_sysfs_init+0xc7/0x3a0
+ [<00000000722645ca>] 0xffffffffa02780fe
+ [<000000004232d9f7>] do_one_initcall+0x87/0x2a0
+ [<0000000054f22384>] do_init_module+0xdf/0x320
+ [<000000003263bdea>] load_module+0x2f98/0x3330
+ [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000250ae02b>] do_syscall_64+0x35/0x80
+ [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+unreferenced object 0xffff88810f95ae00 (size 64):
+ comm "insmod", pid 783, jiffies 4294813440 (age 65.511s)
+ hex dump (first 32 bytes):
+ 60 87 a1 00 81 88 ff ff 08 ae 95 0f 81 88 ff ff `...............
+ 08 ae 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000031ab7788>] kmalloc_trace+0x27/0xa0
+ [<000000005915e797>] orangefs_sysfs_init+0x12b/0x3a0
+ [<00000000722645ca>] 0xffffffffa02780fe
+ [<000000004232d9f7>] do_one_initcall+0x87/0x2a0
+ [<0000000054f22384>] do_init_module+0xdf/0x320
+ [<000000003263bdea>] load_module+0x2f98/0x3330
+ [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000250ae02b>] do_syscall_64+0x35/0x80
+ [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+unreferenced object 0xffff88810f95ad80 (size 64):
+ comm "insmod", pid 783, jiffies 4294813440 (age 65.511s)
+ hex dump (first 32 bytes):
+ 78 90 0f 02 81 88 ff ff 88 ad 95 0f 81 88 ff ff x...............
+ 88 ad 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000031ab7788>] kmalloc_trace+0x27/0xa0
+ [<000000007a14eb35>] orangefs_sysfs_init+0x1ac/0x3a0
+ [<00000000722645ca>] 0xffffffffa02780fe
+ [<000000004232d9f7>] do_one_initcall+0x87/0x2a0
+ [<0000000054f22384>] do_init_module+0xdf/0x320
+ [<000000003263bdea>] load_module+0x2f98/0x3330
+ [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000250ae02b>] do_syscall_64+0x35/0x80
+ [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+unreferenced object 0xffff88810f95ac00 (size 64):
+ comm "insmod", pid 783, jiffies 4294813440 (age 65.531s)
+ hex dump (first 32 bytes):
+ e0 ff 67 02 81 88 ff ff 08 ac 95 0f 81 88 ff ff ..g.............
+ 08 ac 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000031ab7788>] kmalloc_trace+0x27/0xa0
+ [<000000001f38adcb>] orangefs_sysfs_init+0x291/0x3a0
+ [<00000000722645ca>] 0xffffffffa02780fe
+ [<000000004232d9f7>] do_one_initcall+0x87/0x2a0
+ [<0000000054f22384>] do_init_module+0xdf/0x320
+ [<000000003263bdea>] load_module+0x2f98/0x3330
+ [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000250ae02b>] do_syscall_64+0x35/0x80
+ [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+unreferenced object 0xffff88810f95ab80 (size 64):
+ comm "insmod", pid 783, jiffies 4294813441 (age 65.530s)
+ hex dump (first 32 bytes):
+ 50 bf 2f 02 81 88 ff ff 88 ab 95 0f 81 88 ff ff P./.............
+ 88 ab 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000031ab7788>] kmalloc_trace+0x27/0xa0
+ [<000000009cc7d95b>] orangefs_sysfs_init+0x2f5/0x3a0
+ [<00000000722645ca>] 0xffffffffa02780fe
+ [<000000004232d9f7>] do_one_initcall+0x87/0x2a0
+ [<0000000054f22384>] do_init_module+0xdf/0x320
+ [<000000003263bdea>] load_module+0x2f98/0x3330
+ [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
+ [<00000000250ae02b>] do_syscall_64+0x35/0x80
+ [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Should add release function for each kobject_type to free the memory.
+
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-sysfs.c | 71 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 63 insertions(+), 8 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-sysfs.c b/fs/orangefs/orangefs-sysfs.c
+index de80b62553bb..be4ba03a01a0 100644
+--- a/fs/orangefs/orangefs-sysfs.c
++++ b/fs/orangefs/orangefs-sysfs.c
+@@ -896,9 +896,18 @@ static struct attribute *orangefs_default_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(orangefs_default);
+
++static struct kobject *orangefs_obj;
++
++static void orangefs_obj_release(struct kobject *kobj)
++{
++ kfree(orangefs_obj);
++ orangefs_obj = NULL;
++}
++
+ static struct kobj_type orangefs_ktype = {
+ .sysfs_ops = &orangefs_sysfs_ops,
+ .default_groups = orangefs_default_groups,
++ .release = orangefs_obj_release,
+ };
+
+ static struct orangefs_attribute acache_hard_limit_attribute =
+@@ -934,9 +943,18 @@ static struct attribute *acache_orangefs_default_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(acache_orangefs_default);
+
++static struct kobject *acache_orangefs_obj;
++
++static void acache_orangefs_obj_release(struct kobject *kobj)
++{
++ kfree(acache_orangefs_obj);
++ acache_orangefs_obj = NULL;
++}
++
+ static struct kobj_type acache_orangefs_ktype = {
+ .sysfs_ops = &orangefs_sysfs_ops,
+ .default_groups = acache_orangefs_default_groups,
++ .release = acache_orangefs_obj_release,
+ };
+
+ static struct orangefs_attribute capcache_hard_limit_attribute =
+@@ -972,9 +990,18 @@ static struct attribute *capcache_orangefs_default_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(capcache_orangefs_default);
+
++static struct kobject *capcache_orangefs_obj;
++
++static void capcache_orangefs_obj_release(struct kobject *kobj)
++{
++ kfree(capcache_orangefs_obj);
++ capcache_orangefs_obj = NULL;
++}
++
+ static struct kobj_type capcache_orangefs_ktype = {
+ .sysfs_ops = &orangefs_sysfs_ops,
+ .default_groups = capcache_orangefs_default_groups,
++ .release = capcache_orangefs_obj_release,
+ };
+
+ static struct orangefs_attribute ccache_hard_limit_attribute =
+@@ -1010,9 +1037,18 @@ static struct attribute *ccache_orangefs_default_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(ccache_orangefs_default);
+
++static struct kobject *ccache_orangefs_obj;
++
++static void ccache_orangefs_obj_release(struct kobject *kobj)
++{
++ kfree(ccache_orangefs_obj);
++ ccache_orangefs_obj = NULL;
++}
++
+ static struct kobj_type ccache_orangefs_ktype = {
+ .sysfs_ops = &orangefs_sysfs_ops,
+ .default_groups = ccache_orangefs_default_groups,
++ .release = ccache_orangefs_obj_release,
+ };
+
+ static struct orangefs_attribute ncache_hard_limit_attribute =
+@@ -1048,9 +1084,18 @@ static struct attribute *ncache_orangefs_default_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(ncache_orangefs_default);
+
++static struct kobject *ncache_orangefs_obj;
++
++static void ncache_orangefs_obj_release(struct kobject *kobj)
++{
++ kfree(ncache_orangefs_obj);
++ ncache_orangefs_obj = NULL;
++}
++
+ static struct kobj_type ncache_orangefs_ktype = {
+ .sysfs_ops = &orangefs_sysfs_ops,
+ .default_groups = ncache_orangefs_default_groups,
++ .release = ncache_orangefs_obj_release,
+ };
+
+ static struct orangefs_attribute pc_acache_attribute =
+@@ -1079,9 +1124,18 @@ static struct attribute *pc_orangefs_default_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(pc_orangefs_default);
+
++static struct kobject *pc_orangefs_obj;
++
++static void pc_orangefs_obj_release(struct kobject *kobj)
++{
++ kfree(pc_orangefs_obj);
++ pc_orangefs_obj = NULL;
++}
++
+ static struct kobj_type pc_orangefs_ktype = {
+ .sysfs_ops = &orangefs_sysfs_ops,
+ .default_groups = pc_orangefs_default_groups,
++ .release = pc_orangefs_obj_release,
+ };
+
+ static struct orangefs_attribute stats_reads_attribute =
+@@ -1103,19 +1157,20 @@ static struct attribute *stats_orangefs_default_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(stats_orangefs_default);
+
++static struct kobject *stats_orangefs_obj;
++
++static void stats_orangefs_obj_release(struct kobject *kobj)
++{
++ kfree(stats_orangefs_obj);
++ stats_orangefs_obj = NULL;
++}
++
+ static struct kobj_type stats_orangefs_ktype = {
+ .sysfs_ops = &orangefs_sysfs_ops,
+ .default_groups = stats_orangefs_default_groups,
++ .release = stats_orangefs_obj_release,
+ };
+
+-static struct kobject *orangefs_obj;
+-static struct kobject *acache_orangefs_obj;
+-static struct kobject *capcache_orangefs_obj;
+-static struct kobject *ccache_orangefs_obj;
+-static struct kobject *ncache_orangefs_obj;
+-static struct kobject *pc_orangefs_obj;
+-static struct kobject *stats_orangefs_obj;
+-
+ int orangefs_sysfs_init(void)
+ {
+ int rc = -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From d3048bab1ad348d81ea716000ca05dd83a18af66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 12:40:04 +0800
+Subject: orangefs: Fix sysfs not cleanup when dev init failed
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit ea60a4ad0cf88b411cde6888b8c890935686ecd7 ]
+
+When the dev init failed, should cleanup the sysfs, otherwise, the
+module will never be loaded since can not create duplicate sysfs
+directory:
+
+ sysfs: cannot create duplicate filename '/fs/orangefs'
+
+ CPU: 1 PID: 6549 Comm: insmod Tainted: G W 6.0.0+ #44
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x34/0x44
+ sysfs_warn_dup.cold+0x17/0x24
+ sysfs_create_dir_ns+0x16d/0x180
+ kobject_add_internal+0x156/0x3a0
+ kobject_init_and_add+0xcf/0x120
+ orangefs_sysfs_init+0x7e/0x3a0 [orangefs]
+ orangefs_init+0xfe/0x1000 [orangefs]
+ do_one_initcall+0x87/0x2a0
+ do_init_module+0xdf/0x320
+ load_module+0x2f98/0x3330
+ __do_sys_finit_module+0x113/0x1b0
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+ kobject_add_internal failed for orangefs with -EEXIST, don't try to register things with the same name in the same directory.
+
+Fixes: 2f83ace37181 ("orangefs: put register_chrdev immediately before register_filesystem")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-mod.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-mod.c b/fs/orangefs/orangefs-mod.c
+index cd7297815f91..5ab741c60b7e 100644
+--- a/fs/orangefs/orangefs-mod.c
++++ b/fs/orangefs/orangefs-mod.c
+@@ -141,7 +141,7 @@ static int __init orangefs_init(void)
+ gossip_err("%s: could not initialize device subsystem %d!\n",
+ __func__,
+ ret);
+- goto cleanup_device;
++ goto cleanup_sysfs;
+ }
+
+ ret = register_filesystem(&orangefs_fs_type);
+@@ -152,11 +152,11 @@ static int __init orangefs_init(void)
+ goto out;
+ }
+
+- orangefs_sysfs_exit();
+-
+-cleanup_device:
+ orangefs_dev_cleanup();
+
++cleanup_sysfs:
++ orangefs_sysfs_exit();
++
+ sysfs_init_failed:
+ orangefs_debugfs_cleanup();
+
+--
+2.35.1
+
--- /dev/null
+From c50800a9b2d5726534b7b30e8d85d49c781bc287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 17:06:38 +0200
+Subject: ovl: remove privs in ovl_copyfile()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 ]
+
+Underlying fs doesn't remove privs because copy_range/remap_range are
+called with privileged mounter credentials.
+
+This fixes some failures in fstest generic/673.
+
+Fixes: 8ede205541ff ("ovl: add reflink/copyfile/dedup support")
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/file.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
+index daff601b5c41..362a4eed92b5 100644
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -567,14 +567,23 @@ static loff_t ovl_copyfile(struct file *file_in, loff_t pos_in,
+ const struct cred *old_cred;
+ loff_t ret;
+
++ inode_lock(inode_out);
++ if (op != OVL_DEDUPE) {
++ /* Update mode */
++ ovl_copyattr(inode_out);
++ ret = file_remove_privs(file_out);
++ if (ret)
++ goto out_unlock;
++ }
++
+ ret = ovl_real_fdget(file_out, &real_out);
+ if (ret)
+- return ret;
++ goto out_unlock;
+
+ ret = ovl_real_fdget(file_in, &real_in);
+ if (ret) {
+ fdput(real_out);
+- return ret;
++ goto out_unlock;
+ }
+
+ old_cred = ovl_override_creds(file_inode(file_out)->i_sb);
+@@ -603,6 +612,9 @@ static loff_t ovl_copyfile(struct file *file_in, loff_t pos_in,
+ fdput(real_in);
+ fdput(real_out);
+
++out_unlock:
++ inode_unlock(inode_out);
++
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 7f85ed7a18545c4a48fbc327bd376bbf4208e142 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 17:06:39 +0200
+Subject: ovl: remove privs in ovl_fallocate()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit 23a8ce16419a3066829ad4a8b7032a75817af65b ]
+
+Underlying fs doesn't remove privs because fallocate is called with
+privileged mounter credentials.
+
+This fixes some failure in fstests generic/683..687.
+
+Fixes: aab8848cee5e ("ovl: add ovl_fallocate()")
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/file.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
+index 362a4eed92b5..a34f8042724c 100644
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -517,9 +517,16 @@ static long ovl_fallocate(struct file *file, int mode, loff_t offset, loff_t len
+ const struct cred *old_cred;
+ int ret;
+
++ inode_lock(inode);
++ /* Update mode */
++ ovl_copyattr(inode);
++ ret = file_remove_privs(file);
++ if (ret)
++ goto out_unlock;
++
+ ret = ovl_real_fdget(file, &real);
+ if (ret)
+- return ret;
++ goto out_unlock;
+
+ old_cred = ovl_override_creds(file_inode(file)->i_sb);
+ ret = vfs_fallocate(real.file, mode, offset, len);
+@@ -530,6 +537,9 @@ static long ovl_fallocate(struct file *file, int mode, loff_t offset, loff_t len
+
+ fdput(real);
+
++out_unlock:
++ inode_unlock(inode);
++
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 1683ce2726a7a6537de04cab79777a80a081ec6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 20:28:02 -0500
+Subject: padata: Always leave BHs disabled when running ->parallel()
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit 34c3a47d20ae55b3600fed733bf96eafe9c500d5 ]
+
+A deadlock can happen when an overloaded system runs ->parallel() in the
+context of the current task:
+
+ padata_do_parallel
+ ->parallel()
+ pcrypt_aead_enc/dec
+ padata_do_serial
+ spin_lock(&reorder->lock) // BHs still enabled
+ <interrupt>
+ ...
+ __do_softirq
+ ...
+ padata_do_serial
+ spin_lock(&reorder->lock)
+
+It's a bug for BHs to be on in _do_serial as Steffen points out, so
+ensure they're off in the "current task" case like they are in
+padata_parallel_worker to avoid this situation.
+
+Reported-by: syzbot+bc05445bc14148d51915@syzkaller.appspotmail.com
+Fixes: 4611ce224688 ("padata: allocate work structures for parallel jobs from a pool")
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index e5819bb8bd1d..97f51e0c1776 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -207,14 +207,16 @@ int padata_do_parallel(struct padata_shell *ps,
+ pw = padata_work_alloc();
+ spin_unlock(&padata_works_lock);
+
++ if (!pw) {
++ /* Maximum works limit exceeded, run in the current task. */
++ padata->parallel(padata);
++ }
++
+ rcu_read_unlock_bh();
+
+ if (pw) {
+ padata_work_init(pw, padata_parallel_worker, padata, 0);
+ queue_work(pinst->parallel_wq, &pw->pw_work);
+- } else {
+- /* Maximum works limit exceeded, run in the current task. */
+- padata->parallel(padata);
+ }
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 522dea0bf2eea942f71d410bd598beabfc55c572 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 20:28:04 -0500
+Subject: padata: Fix list iterator in padata_do_serial()
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit 57ddfecc72a6c9941d159543e1c0c0a74fe9afdd ]
+
+list_for_each_entry_reverse() assumes that the iterated list is nonempty
+and that every list_head is embedded in the same type, but its use in
+padata_do_serial() breaks both rules.
+
+This doesn't cause any issues now because padata_priv and padata_list
+happen to have their list fields at the same offset, but we really
+shouldn't be relying on that.
+
+Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs")
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 97f51e0c1776..de90af5fcbe6 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -390,13 +390,16 @@ void padata_do_serial(struct padata_priv *padata)
+ int hashed_cpu = padata_cpu_hash(pd, padata->seq_nr);
+ struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu);
+ struct padata_priv *cur;
++ struct list_head *pos;
+
+ spin_lock(&reorder->lock);
+ /* Sort in ascending order of sequence number. */
+- list_for_each_entry_reverse(cur, &reorder->list, list)
++ list_for_each_prev(pos, &reorder->list) {
++ cur = list_entry(pos, struct padata_priv, list);
+ if (cur->seq_nr < padata->seq_nr)
+ break;
+- list_add(&padata->list, &cur->list);
++ }
++ list_add(&padata->list, pos);
+ spin_unlock(&reorder->lock);
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From c2134b9ee27d1becdec0ef68a2de39b3c8014516 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 10:00:29 +0800
+Subject: PCI: Check for alloc failure in pci_request_irq()
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit 2d9cd957d40c3ac491b358e7cff0515bb07a3a9c ]
+
+When kvasprintf() fails to allocate memory, it returns a NULL pointer.
+Return error from pci_request_irq() so we don't dereference it.
+
+[bhelgaas: commit log]
+Fixes: 704e8953d3e9 ("PCI/irq: Add pci_request_irq() and pci_free_irq() helpers")
+Link: https://lore.kernel.org/r/20221121020029.3759444-1-zengheng4@huawei.com
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/irq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pci/irq.c b/drivers/pci/irq.c
+index 12ecd0aaa28d..0050e8f6814e 100644
+--- a/drivers/pci/irq.c
++++ b/drivers/pci/irq.c
+@@ -44,6 +44,8 @@ int pci_request_irq(struct pci_dev *dev, unsigned int nr, irq_handler_t handler,
+ va_start(ap, fmt);
+ devname = kvasprintf(GFP_KERNEL, fmt, ap);
+ va_end(ap);
++ if (!devname)
++ return -ENOMEM;
+
+ ret = request_threaded_irq(pci_irq_vector(dev, nr), handler, thread_fn,
+ irqflags, devname, dev_id);
+--
+2.35.1
+
--- /dev/null
+From 02b173b6f2bb6d80ca3fb7361bcdc7957dee1ae0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 16:49:23 +0530
+Subject: PCI: dwc: Fix n_fts[] array overrun
+
+From: Vidya Sagar <vidyas@nvidia.com>
+
+[ Upstream commit 66110361281b2f7da0c8bd51eaf1f152f4236035 ]
+
+commit aeaa0bfe89654 ("PCI: dwc: Move N_FTS setup to common setup")
+incorrectly uses pci->link_gen in deriving the index to the
+n_fts[] array also introducing the issue of accessing beyond the
+boundaries of array for greater than Gen-2 speeds. This change fixes
+that issue.
+
+Link: https://lore.kernel.org/r/20220926111923.22487-1-vidyas@nvidia.com
+Fixes: aeaa0bfe8965 ("PCI: dwc: Move N_FTS setup to common setup")
+Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Acked-by: Jingoo Han <jingoohan1@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-designware.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
+index c6725c519a47..9e4d96e5a3f5 100644
+--- a/drivers/pci/controller/dwc/pcie-designware.c
++++ b/drivers/pci/controller/dwc/pcie-designware.c
+@@ -641,7 +641,7 @@ void dw_pcie_setup(struct dw_pcie *pci)
+ if (pci->n_fts[1]) {
+ val = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
+ val &= ~PORT_LOGIC_N_FTS_MASK;
+- val |= pci->n_fts[pci->link_gen - 1];
++ val |= pci->n_fts[1];
+ dw_pcie_writel_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL, val);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a51e28b24b05dffb576037a4365ac44743d939f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 10:10:10 -0400
+Subject: PCI: endpoint: pci-epf-vntb: Fix call pci_epc_mem_free_addr() in
+ error path
+
+From: Frank Li <frank.li@nxp.com>
+
+[ Upstream commit 0c031262d2ddfb938f9668d620d7ed674771646c ]
+
+Replace pci_epc_mem_free_addr() with pci_epf_free_space() in the
+error handle path to match pci_epf_alloc_space().
+
+Link: https://lore.kernel.org/r/20221102141014.1025893-4-Frank.Li@nxp.com
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Frank Li <frank.li@nxp.com>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+index 0ea85e1d292e..fba0179939b8 100644
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -557,7 +557,7 @@ static int epf_ntb_db_bar_init(struct epf_ntb *ntb)
+ return ret;
+
+ err_alloc_peer_mem:
+- pci_epc_mem_free_addr(ntb->epf->epc, epf_bar->phys_addr, mw_addr, epf_bar->size);
++ pci_epf_free_space(ntb->epf, mw_addr, barno, 0);
+ return -1;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From fa95d9da9a2d777df5d0766ea4e42171860e8e23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 10:57:14 +0100
+Subject: PCI: imx6: Initialize PHY before deasserting core reset
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+[ Upstream commit ae6b9a65af480144da323436d90e149501ea8937 ]
+
+When the PHY is the reference clock provider then it must be initialized
+and powered on before the reset on the client is deasserted, otherwise
+the link will never come up. The order was changed in cf236e0c0d59.
+Restore the correct order to make the driver work again on boards where
+the PHY provides the reference clock. This also changes the order for
+boards where the Soc is the PHY reference clock divider, but this
+shouldn't do any harm.
+
+Link: https://lore.kernel.org/r/20221101095714.440001-1-s.hauer@pengutronix.de
+Fixes: cf236e0c0d59 ("PCI: imx6: Do not hide PHY driver callbacks and refine the error handling")
+Tested-by: Richard Zhu <hongxing.zhu@nxp.com>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c
+index 6e5debdbc55b..6ffe95d68ae7 100644
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -942,12 +942,6 @@ static int imx6_pcie_host_init(struct dw_pcie_rp *pp)
+ }
+ }
+
+- ret = imx6_pcie_deassert_core_reset(imx6_pcie);
+- if (ret < 0) {
+- dev_err(dev, "pcie deassert core reset failed: %d\n", ret);
+- goto err_phy_off;
+- }
+-
+ if (imx6_pcie->phy) {
+ ret = phy_init(imx6_pcie->phy);
+ if (ret) {
+@@ -955,6 +949,13 @@ static int imx6_pcie_host_init(struct dw_pcie_rp *pp)
+ goto err_phy_off;
+ }
+ }
++
++ ret = imx6_pcie_deassert_core_reset(imx6_pcie);
++ if (ret < 0) {
++ dev_err(dev, "pcie deassert core reset failed: %d\n", ret);
++ goto err_phy_off;
++ }
++
+ imx6_setup_phy_mpll(imx6_pcie);
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From b3a1981fb543ad4450c1b8d51efe4b7ff03f8670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 18:01:01 +0900
+Subject: PCI: pci-epf-test: Register notifier if only core_init_notifier is
+ enabled
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit 6acd25cc98ce0c9ee4fefdaf44fc8bca534b26e5 ]
+
+The pci_epf_test_notifier function should be installed also if only
+core_init_notifier is enabled. Fix the current logic.
+
+Link: https://lore.kernel.org/r/20220825090101.20474-1-hayashi.kunihiko@socionext.com
+Fixes: 5e50ee27d4a5 ("PCI: pci-epf-test: Add support to defer core initialization")
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Acked-by: Om Prakash Singh <omp@nvidia.com>
+Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
+index 36b1801a061b..55283d2379a6 100644
+--- a/drivers/pci/endpoint/functions/pci-epf-test.c
++++ b/drivers/pci/endpoint/functions/pci-epf-test.c
+@@ -979,7 +979,7 @@ static int pci_epf_test_bind(struct pci_epf *epf)
+ if (ret)
+ epf_test->dma_supported = false;
+
+- if (linkup_notifier) {
++ if (linkup_notifier || core_init_notifier) {
+ epf->nb.notifier_call = pci_epf_test_notifier;
+ pci_epc_register_notifier(epc, &epf->nb);
+ } else {
+--
+2.35.1
+
--- /dev/null
+From a52a2f3d5001ef8a3c37145acc46a7ac97ec4434 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 07:26:52 -0700
+Subject: PCI: vmd: Disable MSI remapping after suspend
+
+From: Nirmal Patel <nirmal.patel@linux.intel.com>
+
+[ Upstream commit d899aa668498c07ff217b666ae9712990306e682 ]
+
+MSI remapping is disabled by VMD driver for Intel's Icelake and
+newer systems in order to improve performance by setting
+VMCONFIG_MSI_REMAP. By design VMCONFIG_MSI_REMAP register is cleared
+by firmware during boot. The same register gets cleared when system
+is put in S3 power state. VMD driver needs to set this register again
+in order to avoid interrupt issues with devices behind VMD if MSI
+remapping was disabled before.
+
+Link: https://lore.kernel.org/r/20221109142652.450998-1-nirmal.patel@linux.intel.com
+Fixes: ee81ee84f873 ("PCI: vmd: Disable MSI-X remapping when possible")
+Signed-off-by: Nirmal Patel <nirmal.patel@linux.intel.com>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Reviewed-by: Francisco Munoz <francisco.munoz.ruiz@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/vmd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c
+index e06e9f4fc50f..98e0746e681c 100644
+--- a/drivers/pci/controller/vmd.c
++++ b/drivers/pci/controller/vmd.c
+@@ -980,6 +980,11 @@ static int vmd_resume(struct device *dev)
+ struct vmd_dev *vmd = pci_get_drvdata(pdev);
+ int err, i;
+
++ if (vmd->irq_domain)
++ vmd_set_msi_remapping(vmd, true);
++ else
++ vmd_set_msi_remapping(vmd, false);
++
+ for (i = 0; i < vmd->msix_count; i++) {
+ err = devm_request_irq(dev, vmd->irqs[i].virq,
+ vmd_irq, IRQF_NO_THREAD,
+--
+2.35.1
+
--- /dev/null
+From a55ff0c4e7a60692df127d5d1e0d59b55b9a808d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 17:16:37 -0700
+Subject: PCI: vmd: Fix secondary bus reset for Intel bridges
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Francisco Munoz <francisco.munoz.ruiz@linux.intel.com>
+
+[ Upstream commit 0a584655ef89541dae4d48d2c523b1480ae80284 ]
+
+The reset was never applied in the current implementation because Intel
+Bridges owned by VMD are parentless. Internally, pci_reset_bus() applies
+a reset to the parent of the PCI device supplied as argument, but in this
+case it failed because there wasn't a parent.
+
+In more detail, this change allows the VMD driver to enumerate NVMe devices
+in pass-through configurations when guest reboots are performed. There was
+an attempted to fix this, but later we discovered that the code inside
+pci_reset_bus() wasn’t triggering secondary bus resets. Therefore, we
+updated the parameters passed to it, and now NVMe SSDs attached to VMD
+bridges are properly enumerated in VT-d pass-through scenarios.
+
+Link: https://lore.kernel.org/r/20221206001637.4744-1-francisco.munoz.ruiz@linux.intel.com
+Fixes: 6aab5622296b ("PCI: vmd: Clean up domain before enumeration")
+Signed-off-by: Francisco Munoz <francisco.munoz.ruiz@linux.intel.com>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Reviewed-by: Nirmal Patel <nirmal.patel@linux.intel.com>
+Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/vmd.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c
+index 98e0746e681c..769eedeb8802 100644
+--- a/drivers/pci/controller/vmd.c
++++ b/drivers/pci/controller/vmd.c
+@@ -719,6 +719,7 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features)
+ resource_size_t offset[2] = {0};
+ resource_size_t membar2_offset = 0x2000;
+ struct pci_bus *child;
++ struct pci_dev *dev;
+ int ret;
+
+ /*
+@@ -859,8 +860,25 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features)
+
+ pci_scan_child_bus(vmd->bus);
+ vmd_domain_reset(vmd);
+- list_for_each_entry(child, &vmd->bus->children, node)
+- pci_reset_bus(child->self);
++
++ /* When Intel VMD is enabled, the OS does not discover the Root Ports
++ * owned by Intel VMD within the MMCFG space. pci_reset_bus() applies
++ * a reset to the parent of the PCI device supplied as argument. This
++ * is why we pass a child device, so the reset can be triggered at
++ * the Intel bridge level and propagated to all the children in the
++ * hierarchy.
++ */
++ list_for_each_entry(child, &vmd->bus->children, node) {
++ if (!list_empty(&child->devices)) {
++ dev = list_first_entry(&child->devices,
++ struct pci_dev, bus_list);
++ if (pci_reset_bus(dev))
++ pci_warn(dev, "can't reset device: %d\n", ret);
++
++ break;
++ }
++ }
++
+ pci_assign_unassigned_bus_resources(vmd->bus);
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 40997405138c814bcc745c7735adf9aefabc338d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 19:55:39 +0800
+Subject: perf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit d9f564c966e63925aac4ba273a9319d7fb6f4b4e ]
+
+dmc620_pmu_init() won't remove the callback added by
+cpuhp_setup_state_multi() when platform_driver_register() failed. Remove
+the callback by cpuhp_remove_multi_state() in fail path.
+
+Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus:
+arm-ccn: Prevent hotplug callback leak")
+
+Fixes: 53c218da220c ("driver/perf: Add PMU driver for the ARM DMC-620 memory controller")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Punit Agrawal <punit.agrawal@bytedance.com>
+Link: https://lore.kernel.org/r/20221115115540.6245-2-shangxiaojing@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_dmc620_pmu.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm_dmc620_pmu.c b/drivers/perf/arm_dmc620_pmu.c
+index 280a6ae3e27c..54aa4658fb36 100644
+--- a/drivers/perf/arm_dmc620_pmu.c
++++ b/drivers/perf/arm_dmc620_pmu.c
+@@ -725,6 +725,8 @@ static struct platform_driver dmc620_pmu_driver = {
+
+ static int __init dmc620_pmu_init(void)
+ {
++ int ret;
++
+ cpuhp_state_num = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN,
+ DMC620_DRVNAME,
+ NULL,
+@@ -732,7 +734,11 @@ static int __init dmc620_pmu_init(void)
+ if (cpuhp_state_num < 0)
+ return cpuhp_state_num;
+
+- return platform_driver_register(&dmc620_pmu_driver);
++ ret = platform_driver_register(&dmc620_pmu_driver);
++ if (ret)
++ cpuhp_remove_multi_state(cpuhp_state_num);
++
++ return ret;
+ }
+
+ static void __exit dmc620_pmu_exit(void)
+--
+2.35.1
+
--- /dev/null
+From b75525e285e2f92080d1662acce1fcb647b24436 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 07:02:06 +0000
+Subject: perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit facafab7611f7b872c6b9eeaff53461ef11f482e ]
+
+dsu_pmu_init() won't remove the callback added by cpuhp_setup_state_multi()
+when platform_driver_register() failed. Remove the callback by
+cpuhp_remove_multi_state() in fail path.
+
+Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus:
+arm-ccn: Prevent hotplug callback leak")
+
+Fixes: 7520fa99246d ("perf: ARM DynamIQ Shared Unit PMU support")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20221115070207.32634-2-yuancan@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_dsu_pmu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm_dsu_pmu.c b/drivers/perf/arm_dsu_pmu.c
+index a36698a90d2f..54b8ba032c78 100644
+--- a/drivers/perf/arm_dsu_pmu.c
++++ b/drivers/perf/arm_dsu_pmu.c
+@@ -858,7 +858,11 @@ static int __init dsu_pmu_init(void)
+ if (ret < 0)
+ return ret;
+ dsu_pmu_cpuhp_state = ret;
+- return platform_driver_register(&dsu_pmu_driver);
++ ret = platform_driver_register(&dsu_pmu_driver);
++ if (ret)
++ cpuhp_remove_multi_state(dsu_pmu_cpuhp_state);
++
++ return ret;
+ }
+
+ static void __exit dsu_pmu_exit(void)
+--
+2.35.1
+
--- /dev/null
+From 1d142f5e92dfd0691f48fa98e39a88d433f0cbd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 18:36:53 +0800
+Subject: perf: Fix possible memleak in pmu_dev_alloc()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit e8d7a90c08ce963c592fb49845f2ccc606a2ac21 ]
+
+In pmu_dev_alloc(), when dev_set_name() failed, it will goto free_dev
+and call put_device(pmu->dev) to release it.
+However pmu->dev->release is assigned after this, which makes warning
+and memleak.
+Call dev_set_name() after pmu->dev->release = pmu_dev_release to fix it.
+
+ Device '(null)' does not have a release() function...
+ WARNING: CPU: 2 PID: 441 at drivers/base/core.c:2332 device_release+0x1b9/0x240
+ ...
+ Call Trace:
+ <TASK>
+ kobject_put+0x17f/0x460
+ put_device+0x20/0x30
+ pmu_dev_alloc+0x152/0x400
+ perf_pmu_register+0x96b/0xee0
+ ...
+ kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+ unreferenced object 0xffff888014759000 (size 2048):
+ comm "modprobe", pid 441, jiffies 4294931444 (age 38.332s)
+ backtrace:
+ [<0000000005aed3b4>] kmalloc_trace+0x27/0x110
+ [<000000006b38f9b8>] pmu_dev_alloc+0x50/0x400
+ [<00000000735f17be>] perf_pmu_register+0x96b/0xee0
+ [<00000000e38477f1>] 0xffffffffc0ad8603
+ [<000000004e162216>] do_one_initcall+0xd0/0x4e0
+ ...
+
+Fixes: abe43400579d ("perf: Sysfs enumeration")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20221111103653.91058-1-chenzhongjin@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 91473e9f88cd..a636fab5e381 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -11136,13 +11136,15 @@ static int pmu_dev_alloc(struct pmu *pmu)
+
+ pmu->dev->groups = pmu->attr_groups;
+ device_initialize(pmu->dev);
+- ret = dev_set_name(pmu->dev, "%s", pmu->name);
+- if (ret)
+- goto free_dev;
+
+ dev_set_drvdata(pmu->dev, pmu);
+ pmu->dev->bus = &pmu_bus;
+ pmu->dev->release = pmu_dev_release;
++
++ ret = dev_set_name(pmu->dev, "%s", pmu->name);
++ if (ret)
++ goto free_dev;
++
+ ret = device_add(pmu->dev);
+ if (ret)
+ goto free_dev;
+--
+2.35.1
+
--- /dev/null
+From b8c1d050a0f2833deba71481fcdea769e1558b3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 10:26:36 -0800
+Subject: perf off_cpu: Fix a typo in BTF tracepoint name, it should be
+ 'btf_trace_sched_switch'
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 167b266bf66c5b93171011ef9d1f09b070c2c537 ]
+
+In BTF, tracepoint definitions have the "btf_trace_" prefix. The
+off-cpu profiler needs to check the signature of the sched_switch event
+using that definition. But there's a typo (s/bpf/btf/) so it failed
+always.
+
+Fixes: b36888f71c8542cd ("perf record: Handle argument change in sched_switch")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: bpf@vger.kernel.org
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20221208182636.524139-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/bpf_off_cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/bpf_off_cpu.c b/tools/perf/util/bpf_off_cpu.c
+index c257813e674e..01f70b8e705a 100644
+--- a/tools/perf/util/bpf_off_cpu.c
++++ b/tools/perf/util/bpf_off_cpu.c
+@@ -102,7 +102,7 @@ static void check_sched_switch_args(void)
+ const struct btf_type *t1, *t2, *t3;
+ u32 type_id;
+
+- type_id = btf__find_by_name_kind(btf, "bpf_trace_sched_switch",
++ type_id = btf__find_by_name_kind(btf, "btf_trace_sched_switch",
+ BTF_KIND_TYPEDEF);
+ if ((s32)type_id < 0)
+ return;
+--
+2.35.1
+
--- /dev/null
+From 80441f10d75fd07f656589b0b10d53549c2f1cb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 19:55:40 +0800
+Subject: perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 6f2d566b46436a50a80d6445e82879686b89588c ]
+
+arm_smmu_pmu_init() won't remove the callback added by
+cpuhp_setup_state_multi() when platform_driver_register() failed. Remove
+the callback by cpuhp_remove_multi_state() in fail path.
+
+Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus:
+arm-ccn: Prevent hotplug callback leak")
+
+Fixes: 7d839b4b9e00 ("perf/smmuv3: Add arm64 smmuv3 pmu driver")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Punit Agrawal <punit.agrawal@bytedance.com>
+Link: https://lore.kernel.org/r/20221115115540.6245-3-shangxiaojing@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_smmuv3_pmu.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm_smmuv3_pmu.c b/drivers/perf/arm_smmuv3_pmu.c
+index 00d4c45a8017..25a269d431e4 100644
+--- a/drivers/perf/arm_smmuv3_pmu.c
++++ b/drivers/perf/arm_smmuv3_pmu.c
+@@ -959,6 +959,8 @@ static struct platform_driver smmu_pmu_driver = {
+
+ static int __init arm_smmu_pmu_init(void)
+ {
++ int ret;
++
+ cpuhp_state_num = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN,
+ "perf/arm/pmcg:online",
+ NULL,
+@@ -966,7 +968,11 @@ static int __init arm_smmu_pmu_init(void)
+ if (cpuhp_state_num < 0)
+ return cpuhp_state_num;
+
+- return platform_driver_register(&smmu_pmu_driver);
++ ret = platform_driver_register(&smmu_pmu_driver);
++ if (ret)
++ cpuhp_remove_multi_state(cpuhp_state_num);
++
++ return ret;
+ }
+ module_init(arm_smmu_pmu_init);
+
+--
+2.35.1
+
--- /dev/null
+From 44e9a0d6af9819b423b53bd977b833f929713928 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 15:08:20 -0800
+Subject: perf stat: Do not delay the workload with --delay
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit c587e77e100fa40eb6af10e00497c67acf493f33 ]
+
+The -D/--delay option is to delay the measure after the program starts.
+But the current code goes to sleep before starting the program so the
+program is delayed too. This is not the intention, let's fix it.
+
+Before:
+
+ $ time sudo ./perf stat -a -e cycles -D 3000 sleep 4
+ Events disabled
+ Events enabled
+
+ Performance counter stats for 'system wide':
+
+ 4,326,949,337 cycles
+
+ 4.007494118 seconds time elapsed
+
+ real 0m7.474s
+ user 0m0.356s
+ sys 0m0.120s
+
+It ran the workload for 4 seconds and gave the 3 second delay. So it
+should skip the first 3 second and measure the last 1 second only. But
+as you can see, it delays 3 seconds and ran the workload after that for
+4 seconds. So the total time (real) was 7 seconds.
+
+After:
+
+ $ time sudo ./perf stat -a -e cycles -D 3000 sleep 4
+ Events disabled
+ Events enabled
+
+ Performance counter stats for 'system wide':
+
+ 1,063,551,013 cycles
+
+ 1.002769510 seconds time elapsed
+
+ real 0m4.484s
+ user 0m0.385s
+ sys 0m0.086s
+
+The bug was introduced when it changed enablement of system-wide events
+with a command line workload. But it should've considered the initial
+delay case. The code was reworked since then (in bb8bc52e7578) so I'm
+afraid it won't be applied cleanly.
+
+Fixes: d0a0a511493d2695 ("perf stat: Fix forked applications enablement of counters")
+Reported-by: Kevin Nomura <nomurak@google.com>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Tested-by: Thomas Richter <tmricht@linux.ibm.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221212230820.901382-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-stat.c | 33 +++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
+index 0b4a62e4ff67..cab6b70e95e2 100644
+--- a/tools/perf/builtin-stat.c
++++ b/tools/perf/builtin-stat.c
+@@ -573,26 +573,14 @@ static int enable_counters(void)
+ return err;
+ }
+
+- if (stat_config.initial_delay < 0) {
+- pr_info(EVLIST_DISABLED_MSG);
+- return 0;
+- }
+-
+- if (stat_config.initial_delay > 0) {
+- pr_info(EVLIST_DISABLED_MSG);
+- usleep(stat_config.initial_delay * USEC_PER_MSEC);
+- }
+-
+ /*
+ * We need to enable counters only if:
+ * - we don't have tracee (attaching to task or cpu)
+ * - we have initial delay configured
+ */
+- if (!target__none(&target) || stat_config.initial_delay) {
++ if (!target__none(&target)) {
+ if (!all_counters_use_bpf)
+ evlist__enable(evsel_list);
+- if (stat_config.initial_delay > 0)
+- pr_info(EVLIST_ENABLED_MSG);
+ }
+ return 0;
+ }
+@@ -967,14 +955,27 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ return err;
+ }
+
+- err = enable_counters();
+- if (err)
+- return -1;
++ if (stat_config.initial_delay) {
++ pr_info(EVLIST_DISABLED_MSG);
++ } else {
++ err = enable_counters();
++ if (err)
++ return -1;
++ }
+
+ /* Exec the command, if any */
+ if (forks)
+ evlist__start_workload(evsel_list);
+
++ if (stat_config.initial_delay > 0) {
++ usleep(stat_config.initial_delay * USEC_PER_MSEC);
++ err = enable_counters();
++ if (err)
++ return -1;
++
++ pr_info(EVLIST_ENABLED_MSG);
++ }
++
+ t0 = rdclock();
+ clock_gettime(CLOCK_MONOTONIC, &ref_time);
+
+--
+2.35.1
+
--- /dev/null
+From 4d2d4ac978d4e06e03a2a4946f28934cc034646f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 15:48:16 +0530
+Subject: perf symbol: correction while adjusting symbol
+
+From: Ajay Kaher <akaher@vmware.com>
+
+[ Upstream commit 6f520ce17920b3cdfbd2479b3ccf27f9706219d0 ]
+
+perf doesn't provide proper symbol information for specially crafted
+.debug files.
+
+Sometimes .debug file may not have similar program header as runtime
+ELF file. For example if we generate .debug file using objcopy
+--only-keep-debug resulting file will not contain .text, .data and
+other runtime sections. That means corresponding program headers will
+have zero FileSiz and modified Offset.
+
+Example: program header of text section of libxxx.so:
+
+Type Offset VirtAddr PhysAddr
+ FileSiz MemSiz Flags Align
+LOAD 0x00000000003d3000 0x00000000003d3000 0x00000000003d3000
+ 0x000000000055ae80 0x000000000055ae80 R E 0x1000
+
+Same program header after executing:
+objcopy --only-keep-debug libxxx.so libxxx.so.debug
+
+LOAD 0x0000000000001000 0x00000000003d3000 0x00000000003d3000
+ 0x0000000000000000 0x000000000055ae80 R E 0x1000
+
+Offset and FileSiz have been changed.
+
+Following formula will not provide correct value, if program header
+taken from .debug file (syms_ss):
+
+ sym.st_value -= phdr.p_vaddr - phdr.p_offset;
+
+Correct program header information is located inside runtime ELF
+file (runtime_ss).
+
+Fixes: 2d86612aacb7805f ("perf symbol: Correct address for bss symbols")
+Signed-off-by: Ajay Kaher <akaher@vmware.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexey Makhalov <amakhalov@vmware.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Leo Yan <leo.yan@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Srivatsa S. Bhat <srivatsab@vmware.com>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Vasavi Sirnapalli <vsirnapalli@vmware.com>
+Link: http://lore.kernel.org/lkml/1669198696-50547-1-git-send-email-akaher@vmware.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/symbol-elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
+index 647b7dff8ef3..80345695b136 100644
+--- a/tools/perf/util/symbol-elf.c
++++ b/tools/perf/util/symbol-elf.c
+@@ -1303,7 +1303,7 @@ dso__load_sym_internal(struct dso *dso, struct map *map, struct symsrc *syms_ss,
+ (!used_opd && syms_ss->adjust_symbols)) {
+ GElf_Phdr phdr;
+
+- if (elf_read_program_header(syms_ss->elf,
++ if (elf_read_program_header(runtime_ss->elf,
+ (u64)sym.st_value, &phdr)) {
+ pr_debug4("%s: failed to find program header for "
+ "symbol: %s st_value: %#" PRIx64 "\n",
+--
+2.35.1
+
--- /dev/null
+From e8754044c53fb732ac39de056487457de202ddb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 07:52:35 +0000
+Subject: perf trace: Handle failure when trace point folder is missed
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit 03e9a5d8eb552a1bf692a9c8a5ecd50f4e428006 ]
+
+On Arm64 a case is perf tools fails to find the corresponding trace
+point folder for system calls listed in the table 'syscalltbl_arm64',
+e.g. the generated system call table contains "lookup_dcookie" but we
+cannot find out the matched trace point folder for it.
+
+We need to figure out if there have any issue for the generated system
+call table, on the other hand, we need to handle the case when trace
+point folder is missed under sysfs, this patch sets the flag
+syscall::nonexistent as true and returns the error from
+trace__read_syscall_info().
+
+Another problem is for trace__syscall_info(), it returns two different
+values if a system call doesn't exist: at the first time calling
+trace__syscall_info() it returns NULL when the system call doesn't exist,
+later if call trace__syscall_info() again for the same missed system
+call, it returns pointer of syscall. trace__syscall_info() checks the
+condition 'syscalls.table[id].name == NULL', but the name will be
+assigned in the first invoking even the system call is not found.
+
+So checking system call's name in trace__syscall_info() is not the right
+thing to do, this patch simply checks flag syscall::nonexistent to make
+decision if a system call exists or not, finally trace__syscall_info()
+returns the consistent result (NULL) if a system call doesn't existed.
+
+Fixes: b8b1033fcaa091d8 ("perf trace: Mark syscall ids that are not allocated to avoid unnecessary error messages")
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Acked-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: bpf@vger.kernel.org
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20221121075237.127706-4-leo.yan@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index cde14dfad200..73f4a83edc44 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -1814,13 +1814,19 @@ static int trace__read_syscall_info(struct trace *trace, int id)
+ sc->tp_format = trace_event__tp_format("syscalls", tp_name);
+ }
+
++ /*
++ * Fails to read trace point format via sysfs node, so the trace point
++ * doesn't exist. Set the 'nonexistent' flag as true.
++ */
++ if (IS_ERR(sc->tp_format)) {
++ sc->nonexistent = true;
++ return PTR_ERR(sc->tp_format);
++ }
++
+ if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ?
+ RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields))
+ return -ENOMEM;
+
+- if (IS_ERR(sc->tp_format))
+- return PTR_ERR(sc->tp_format);
+-
+ sc->args = sc->tp_format->format.fields;
+ /*
+ * We need to check and discard the first variable '__syscall_nr'
+@@ -2137,11 +2143,8 @@ static struct syscall *trace__syscall_info(struct trace *trace,
+ (err = trace__read_syscall_info(trace, id)) != 0)
+ goto out_cant_read;
+
+- if (trace->syscalls.table[id].name == NULL) {
+- if (trace->syscalls.table[id].nonexistent)
+- return NULL;
++ if (trace->syscalls.table && trace->syscalls.table[id].nonexistent)
+ goto out_cant_read;
+- }
+
+ return &trace->syscalls.table[id];
+
+--
+2.35.1
+
--- /dev/null
+From 38bfe327afe46609250c154bc9b55519dc7d117a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 07:52:34 +0000
+Subject: perf trace: Return error if a system call doesn't exist
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit d4223e1776c30b2ce8d0e6eaadcbf696e60fca3c ]
+
+When a system call is not detected, the reason is either because the
+system call ID is out of scope or failure to find the corresponding path
+in the sysfs, trace__read_syscall_info() returns zero. Finally, without
+returning an error value it introduces confusion for the caller.
+
+This patch lets the function trace__read_syscall_info() to return
+-EEXIST when a system call doesn't exist.
+
+Fixes: b8b1033fcaa091d8 ("perf trace: Mark syscall ids that are not allocated to avoid unnecessary error messages")
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Acked-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: bpf@vger.kernel.org
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20221121075237.127706-3-leo.yan@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 0bd9d01c0df9..cf3b6ca4af96 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -1794,11 +1794,11 @@ static int trace__read_syscall_info(struct trace *trace, int id)
+ #endif
+ sc = trace->syscalls.table + id;
+ if (sc->nonexistent)
+- return 0;
++ return -EEXIST;
+
+ if (name == NULL) {
+ sc->nonexistent = true;
+- return 0;
++ return -EEXIST;
+ }
+
+ sc->name = name;
+--
+2.35.1
+
--- /dev/null
+From 25910ad43dd95e0ada2b8aa5fa0cf9d22b544076 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 07:52:33 +0000
+Subject: perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit eadcab4c7a66e1df03d32da0db55d89fd9343fcc ]
+
+This patch defines a macro RAW_SYSCALL_ARGS_NUM to replace the open
+coded number '6'.
+
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Acked-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: bpf@vger.kernel.org
+Link: https://lore.kernel.org/r/20221121075237.127706-2-leo.yan@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index cf3b6ca4af96..cde14dfad200 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -88,6 +88,8 @@
+ # define F_LINUX_SPECIFIC_BASE 1024
+ #endif
+
++#define RAW_SYSCALL_ARGS_NUM 6
++
+ /*
+ * strtoul: Go from a string to a value, i.e. for msr: MSR_FS_BASE to 0xc0000100
+ */
+@@ -108,7 +110,7 @@ struct syscall_fmt {
+ const char *sys_enter,
+ *sys_exit;
+ } bpf_prog_name;
+- struct syscall_arg_fmt arg[6];
++ struct syscall_arg_fmt arg[RAW_SYSCALL_ARGS_NUM];
+ u8 nr_args;
+ bool errpid;
+ bool timeout;
+@@ -1229,7 +1231,7 @@ struct syscall {
+ */
+ struct bpf_map_syscall_entry {
+ bool enabled;
+- u16 string_args_len[6];
++ u16 string_args_len[RAW_SYSCALL_ARGS_NUM];
+ };
+
+ /*
+@@ -1661,7 +1663,7 @@ static int syscall__alloc_arg_fmts(struct syscall *sc, int nr_args)
+ {
+ int idx;
+
+- if (nr_args == 6 && sc->fmt && sc->fmt->nr_args != 0)
++ if (nr_args == RAW_SYSCALL_ARGS_NUM && sc->fmt && sc->fmt->nr_args != 0)
+ nr_args = sc->fmt->nr_args;
+
+ sc->arg_fmt = calloc(nr_args, sizeof(*sc->arg_fmt));
+@@ -1812,7 +1814,8 @@ static int trace__read_syscall_info(struct trace *trace, int id)
+ sc->tp_format = trace_event__tp_format("syscalls", tp_name);
+ }
+
+- if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ? 6 : sc->tp_format->format.nr_fields))
++ if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ?
++ RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields))
+ return -ENOMEM;
+
+ if (IS_ERR(sc->tp_format))
+--
+2.35.1
+
--- /dev/null
+From 81792c3fa0f2ff83b964ef429184f32d757b793d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 14:31:37 +0800
+Subject: perf/x86/intel/uncore: Fix reference count leak in
+ __uncore_imc_init_box()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 17b8d847b92d815d1638f0de154654081d66b281 ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev, so tgl_uncore_get_mc_dev() will return a pci_dev with its
+reference count increased. We need to call pci_dev_put() to decrease the
+reference count before exiting from __uncore_imc_init_box(). Add
+pci_dev_put() for both normal and error path.
+
+Fixes: fdb64822443e ("perf/x86: Add Intel Tiger Lake uncore support")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Link: https://lore.kernel.org/r/20221118063137.121512-5-wangxiongfeng2@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
+index 1ef4f7861e2e..1f4869227efb 100644
+--- a/arch/x86/events/intel/uncore_snb.c
++++ b/arch/x86/events/intel/uncore_snb.c
+@@ -1338,6 +1338,7 @@ static void __uncore_imc_init_box(struct intel_uncore_box *box,
+ /* MCHBAR is disabled */
+ if (!(mch_bar & BIT(0))) {
+ pr_warn("perf uncore: MCHBAR is disabled. Failed to map IMC free-running counters.\n");
++ pci_dev_put(pdev);
+ return;
+ }
+ mch_bar &= ~BIT(0);
+@@ -1352,6 +1353,8 @@ static void __uncore_imc_init_box(struct intel_uncore_box *box,
+ box->io_addr = ioremap(addr, type->mmio_map_size);
+ if (!box->io_addr)
+ pr_warn("perf uncore: Failed to ioremap for %s.\n", type->name);
++
++ pci_dev_put(pdev);
+ }
+
+ static void tgl_uncore_imc_freerunning_init_box(struct intel_uncore_box *box)
+--
+2.35.1
+
--- /dev/null
+From bd9cb89b3aa90016b1bab587b4bfe8a0acf019ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 14:31:35 +0800
+Subject: perf/x86/intel/uncore: Fix reference count leak in
+ hswep_has_limit_sbox()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 1ff9dd6e7071a561f803135c1d684b13c7a7d01d ]
+
+pci_get_device() will increase the reference count for the returned
+'dev'. We need to call pci_dev_put() to decrease the reference count.
+Since 'dev' is only used in pci_read_config_dword(), let's add
+pci_dev_put() right after it.
+
+Fixes: 9d480158ee86 ("perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Link: https://lore.kernel.org/r/20221118063137.121512-3-wangxiongfeng2@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index 76fedc8e12dd..f5d89d06c66a 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -2891,6 +2891,7 @@ static bool hswep_has_limit_sbox(unsigned int device)
+ return false;
+
+ pci_read_config_dword(dev, HSWEP_PCU_CAPID4_OFFET, &capid4);
++ pci_dev_put(dev);
+ if (!hswep_get_chop(capid4))
+ return true;
+
+--
+2.35.1
+
--- /dev/null
+From ac3f9d977b1f36368d3d5d1993a9eb090d7a5b6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 14:31:34 +0800
+Subject: perf/x86/intel/uncore: Fix reference count leak in
+ sad_cfg_iio_topology()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit c508eb042d9739bf9473526f53303721b70e9100 ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev, and also decrease the reference count for the input parameter
+*from* if it is not NULL.
+
+If we break the loop in sad_cfg_iio_topology() with 'dev' not NULL. We
+need to call pci_dev_put() to decrease the reference count. Since
+pci_dev_put() can handle the NULL input parameter, we can just add one
+pci_dev_put() right before 'return ret'.
+
+Fixes: c1777be3646b ("perf/x86/intel/uncore: Enable I/O stacks to IIO PMON mapping on SNR")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Link: https://lore.kernel.org/r/20221118063137.121512-2-wangxiongfeng2@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index ed869443efb2..76fedc8e12dd 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -4492,6 +4492,8 @@ static int sad_cfg_iio_topology(struct intel_uncore_type *type, u8 *sad_pmon_map
+ type->topology = NULL;
+ }
+
++ pci_dev_put(dev);
++
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 84129c850fa78aecf7e191dd02da49360317b590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 14:31:36 +0800
+Subject: perf/x86/intel/uncore: Fix reference count leak in
+ snr_uncore_mmio_map()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 8ebd16c11c346751b3944d708e6c181ed4746c39 ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its
+reference count increased. We need to call pci_dev_put() to decrease the
+reference count. Let's add the missing pci_dev_put().
+
+Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Link: https://lore.kernel.org/r/20221118063137.121512-4-wangxiongfeng2@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index f5d89d06c66a..fcd95e93f479 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -4860,6 +4860,8 @@ static int snr_uncore_mmio_map(struct intel_uncore_box *box,
+
+ addr += box_ctl;
+
++ pci_dev_put(pdev);
++
+ box->io_addr = ioremap(addr, type->mmio_map_size);
+ if (!box->io_addr) {
+ pr_warn("perf uncore: Failed to ioremap for %s.\n", type->name);
+--
+2.35.1
+
--- /dev/null
+From dfaa1a27ac8d58c43cd507df86c93233208c631d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 14:11:54 +0200
+Subject: phy: marvell: phy-mvebu-a3700-comphy: Reset COMPHY registers before
+ USB 3.0 power on
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit b01d622d76134e9401970ffd3fbbb9a7051f976a ]
+
+Turris MOX board with older ARM Trusted Firmware version v1.5 is not able
+to detect any USB 3.0 device connected to USB-A port on Mox-A module after
+commit 0a6fc70d76bd ("phy: marvell: phy-mvebu-a3700-comphy: Remove broken
+reset support"). On the other hand USB 2.0 devices connected to the same
+USB-A port are working fine.
+
+It looks as if the older firmware configures COMPHY registers for USB 3.0
+somehow incompatibly for kernel driver. Experiments show that resetting
+COMPHY registers via setting SFT_RST auto-clearing bit in COMPHY_SFT_RESET
+register fixes this issue.
+
+Reset the COMPHY in mvebu_a3700_comphy_usb3_power_on() function as a first
+step after selecting COMPHY lane and USB 3.0 function. With this change
+Turris MOX board can successfully detect USB 3.0 devices again.
+
+Before the above mentioned commit this reset was implemented in PHY reset
+method, so this is the reason why there was no issue with older firmware
+version then.
+
+Fixes: 0a6fc70d76bd ("phy: marvell: phy-mvebu-a3700-comphy: Remove broken reset support")
+Reported-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20220920121154.30115-1-pali@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/marvell/phy-mvebu-a3700-comphy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/phy/marvell/phy-mvebu-a3700-comphy.c b/drivers/phy/marvell/phy-mvebu-a3700-comphy.c
+index 67712c77d806..d641b345afa3 100644
+--- a/drivers/phy/marvell/phy-mvebu-a3700-comphy.c
++++ b/drivers/phy/marvell/phy-mvebu-a3700-comphy.c
+@@ -826,6 +826,9 @@ mvebu_a3700_comphy_usb3_power_on(struct mvebu_a3700_comphy_lane *lane)
+ if (ret)
+ return ret;
+
++ /* COMPHY register reset (cleared automatically) */
++ comphy_lane_reg_set(lane, COMPHY_SFT_RESET, SFT_RST, SFT_RST);
++
+ /*
+ * 0. Set PHY OTG Control(0x5d034), bit 4, Power up OTG module The
+ * register belong to UTMI module, so it is set in UTMI phy driver.
+--
+2.35.1
+
--- /dev/null
+From 98840539aa9eb1dce39c3f494f91b5852473d41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 08:50:13 +0200
+Subject: phy: qcom-qmp-pcie: drop bogus register update
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 2d93887cb4bac0a36ce9e146956f631ab7994680 ]
+
+Since commit 0d58280cf1e6 ("phy: Update PHY power control sequence") the
+PHY is powered on before configuring the registers and only the MSM8996
+PCIe PHY, which includes the POWER_DOWN_CONTROL register in its PCS
+initialisation table, may possibly require a second update afterwards.
+
+To make things worse, the POWER_DOWN_CONTROL register lies at a
+different offset on more recent SoCs so that the second update, which
+still used a hard-coded offset, would write to an unrelated register
+(e.g. a revision-id register on SC8280XP).
+
+As the MSM8996 PCIe PHY is now handled by a separate driver, simply drop
+the bogus register update.
+
+Fixes: e4d8b05ad5f9 ("phy: qcom-qmp: Use proper PWRDOWN offset for sm8150 USB") added support
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> #RB3
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20221017065013.19647-12-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+index 2d65e1f56bfc..6d790f2107f5 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+@@ -2077,12 +2077,6 @@ static int qcom_qmp_phy_pcie_power_on(struct phy *phy)
+ qcom_qmp_phy_pcie_configure(pcs_misc, cfg->regs, cfg->pcs_misc_tbl_sec,
+ cfg->pcs_misc_tbl_num_sec);
+
+- /*
+- * Pull out PHY from POWER DOWN state.
+- * This is active low enable signal to power-down PHY.
+- */
+- qphy_setbits(pcs, QPHY_V2_PCS_POWER_DOWN_CONTROL, cfg->pwrdn_ctrl);
+-
+ if (cfg->has_pwrdn_delay)
+ usleep_range(cfg->pwrdn_delay_min, cfg->pwrdn_delay_max);
+
+--
+2.35.1
+
--- /dev/null
+From dbeca26bd16217701ca64875e57703dbb4e3578c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 10:49:44 +0200
+Subject: phy: qcom-qmp-pcie: fix ipq8074-gen3 initialisation
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 94b7288eadf6e2c09e6280c65a9d07cca01bf434 ]
+
+The phy_status mask was never set for IPQ8074 (gen3) which meant that
+the driver would not wait for the PHY to be initialised during power-on
+and would never detect PHY initialisation timeouts.
+
+Fixes: 334fad185415 ("phy: qcom-qmp-pcie: add IPQ8074 PCIe Gen3 QMP PHY support")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20221012085002.24099-2-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+index 6d790f2107f5..b17248506fe8 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+@@ -1564,6 +1564,7 @@ static const struct qmp_phy_cfg ipq8074_pciephy_gen3_cfg = {
+
+ .start_ctrl = SERDES_START | PCS_START,
+ .pwrdn_ctrl = SW_PWRDN | REFCLK_DRV_DSBL,
++ .phy_status = PHYSTATUS,
+
+ .has_pwrdn_delay = true,
+ .pwrdn_delay_min = 995, /* us */
+--
+2.35.1
+
--- /dev/null
+From 2cc32243fe845ec9c7a5040b4fa042b1475eed88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 13:48:35 +0530
+Subject: phy: qcom-qmp-pcie: Fix sm8450_qmp_gen4x2_pcie_pcs_tbl[] register
+ names
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 883aebf6e1ea88145d64dcf940dbcb5181313338 ]
+
+sm8450_qmp_gen4x2_pcie_pcs_tbl[] contains the init sequence for PCS
+registers of QMP PHY v5.20. So use the v5.20 specific register names.
+Only major change is the rename of PCS_EQ_CONFIG{2/3} registers to
+PCS_EQ_CONFIG{4/5}.
+
+Fixes: 2c91bf6bf290 ("phy: qcom-qmp: Add SM8450 PCIe1 PHY support")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20221102081835.41892-2-manivannan.sadhasivam@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 8 ++++----
+ drivers/phy/qualcomm/phy-qcom-qmp-pcs-v5_20.h | 14 ++++++++++++++
+ drivers/phy/qualcomm/phy-qcom-qmp.h | 1 +
+ 3 files changed, 19 insertions(+), 4 deletions(-)
+ create mode 100644 drivers/phy/qualcomm/phy-qcom-qmp-pcs-v5_20.h
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+index b17248506fe8..51dc4f2de106 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+@@ -1329,10 +1329,10 @@ static const struct qmp_phy_init_tbl sm8450_qmp_gen4x2_pcie_rx_tbl[] = {
+ };
+
+ static const struct qmp_phy_init_tbl sm8450_qmp_gen4x2_pcie_pcs_tbl[] = {
+- QMP_PHY_INIT_CFG(QPHY_V5_PCS_EQ_CONFIG2, 0x16),
+- QMP_PHY_INIT_CFG(QPHY_V5_PCS_EQ_CONFIG3, 0x22),
+- QMP_PHY_INIT_CFG(QPHY_V5_PCS_G3S2_PRE_GAIN, 0x2e),
+- QMP_PHY_INIT_CFG(QPHY_V5_PCS_RX_SIGDET_LVL, 0x99),
++ QMP_PHY_INIT_CFG(QPHY_V5_20_PCS_EQ_CONFIG4, 0x16),
++ QMP_PHY_INIT_CFG(QPHY_V5_20_PCS_EQ_CONFIG5, 0x22),
++ QMP_PHY_INIT_CFG(QPHY_V5_20_PCS_G3S2_PRE_GAIN, 0x2e),
++ QMP_PHY_INIT_CFG(QPHY_V5_20_PCS_RX_SIGDET_LVL, 0x99),
+ };
+
+ static const struct qmp_phy_init_tbl sm8450_qmp_gen4x2_pcie_pcs_misc_tbl[] = {
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcs-v5_20.h b/drivers/phy/qualcomm/phy-qcom-qmp-pcs-v5_20.h
+new file mode 100644
+index 000000000000..9a5a20daf62c
+--- /dev/null
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcs-v5_20.h
+@@ -0,0 +1,14 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * Copyright (c) 2022, Linaro Ltd.
++ */
++
++#ifndef QCOM_PHY_QMP_PCS_V5_20_H_
++#define QCOM_PHY_QMP_PCS_V5_20_H_
++
++#define QPHY_V5_20_PCS_G3S2_PRE_GAIN 0x170
++#define QPHY_V5_20_PCS_RX_SIGDET_LVL 0x188
++#define QPHY_V5_20_PCS_EQ_CONFIG4 0x1e0
++#define QPHY_V5_20_PCS_EQ_CONFIG5 0x1e4
++
++#endif
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp.h b/drivers/phy/qualcomm/phy-qcom-qmp.h
+index b139c8af5e8b..1a0c6c3026e3 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp.h
++++ b/drivers/phy/qualcomm/phy-qcom-qmp.h
+@@ -37,6 +37,7 @@
+ #include "phy-qcom-qmp-pcs-pcie-v4_20.h"
+
+ #include "phy-qcom-qmp-pcs-v5.h"
++#include "phy-qcom-qmp-pcs-v5_20.h"
+ #include "phy-qcom-qmp-pcs-pcie-v5.h"
+ #include "phy-qcom-qmp-pcs-usb-v5.h"
+ #include "phy-qcom-qmp-pcs-ufs-v5.h"
+--
+2.35.1
+
--- /dev/null
+From fdf6ddc1ad5fd4af4adde451cc5e6468310ebbe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Oct 2022 14:30:18 -0700
+Subject: phy: usb: Fix clock imbalance for suspend/resume
+
+From: Justin Chen <justinpopo6@gmail.com>
+
+[ Upstream commit 8484199c09347bdd5d81ee8a2bc530850f900797 ]
+
+We should be disabling clocks when wake from USB is not needed. Since
+this wasn't done, we had a clock imbalance since clocks were always
+being enabled on resume.
+
+Fixes: ae532b2b7aa5 ("phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers")
+Fixes: b0c0b66c0b43 ("phy: usb: Add support for wake and USB low power mode for 7211 S2/S5")
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/1665005418-15807-7-git-send-email-justinpopo6@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 2 --
+ drivers/phy/broadcom/phy-brcm-usb-init.h | 1 -
+ drivers/phy/broadcom/phy-brcm-usb.c | 8 +++++---
+ 3 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
+index b3386e458dd4..3b374b37b965 100644
+--- a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
++++ b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
+@@ -424,7 +424,6 @@ void brcm_usb_dvr_init_7216(struct brcm_usb_init_params *params)
+
+ params->family_name = "7216";
+ params->ops = &bcm7216_ops;
+- params->suspend_with_clocks = true;
+ }
+
+ void brcm_usb_dvr_init_7211b0(struct brcm_usb_init_params *params)
+@@ -434,5 +433,4 @@ void brcm_usb_dvr_init_7211b0(struct brcm_usb_init_params *params)
+
+ params->family_name = "7211";
+ params->ops = &bcm7211b0_ops;
+- params->suspend_with_clocks = true;
+ }
+diff --git a/drivers/phy/broadcom/phy-brcm-usb-init.h b/drivers/phy/broadcom/phy-brcm-usb-init.h
+index 1ccb5ddab865..3236e9498842 100644
+--- a/drivers/phy/broadcom/phy-brcm-usb-init.h
++++ b/drivers/phy/broadcom/phy-brcm-usb-init.h
+@@ -61,7 +61,6 @@ struct brcm_usb_init_params {
+ const struct brcm_usb_init_ops *ops;
+ struct regmap *syscon_piarbctl;
+ bool wake_enabled;
+- bool suspend_with_clocks;
+ };
+
+ void brcm_usb_dvr_init_4908(struct brcm_usb_init_params *params);
+diff --git a/drivers/phy/broadcom/phy-brcm-usb.c b/drivers/phy/broadcom/phy-brcm-usb.c
+index c0c3ab9b2a15..2bfd78e2d8fd 100644
+--- a/drivers/phy/broadcom/phy-brcm-usb.c
++++ b/drivers/phy/broadcom/phy-brcm-usb.c
+@@ -598,7 +598,7 @@ static int brcm_usb_phy_suspend(struct device *dev)
+ * and newer XHCI->2.0-clks/3.0-clks.
+ */
+
+- if (!priv->ini.suspend_with_clocks) {
++ if (!priv->ini.wake_enabled) {
+ if (priv->phys[BRCM_USB_PHY_3_0].inited)
+ clk_disable_unprepare(priv->usb_30_clk);
+ if (priv->phys[BRCM_USB_PHY_2_0].inited ||
+@@ -615,8 +615,10 @@ static int brcm_usb_phy_resume(struct device *dev)
+ {
+ struct brcm_usb_phy_data *priv = dev_get_drvdata(dev);
+
+- clk_prepare_enable(priv->usb_20_clk);
+- clk_prepare_enable(priv->usb_30_clk);
++ if (!priv->ini.wake_enabled) {
++ clk_prepare_enable(priv->usb_20_clk);
++ clk_prepare_enable(priv->usb_30_clk);
++ }
+ brcm_usb_init_ipp(&priv->ini);
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 0c00bab02de9f2adc40cd00b18c137c589e21249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Oct 2022 14:30:14 -0700
+Subject: phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices
+
+From: Al Cooper <alcooperx@gmail.com>
+
+[ Upstream commit f7fc5b7090372fc4dd7798c874635ca41b8ba733 ]
+
+The PHY's "wakeup_count" is not incrementing when waking from
+WoL. The wakeup count can be found in sysfs at:
+/sys/bus/platform/devices/rdb/*.usb-phy/power/wakeup_count.
+The problem is that the system wakup event handler was being passed
+the wrong "device" by the PHY driver.
+
+Fixes: f1c0db40a3ad ("phy: usb: Add "wake on" functionality")
+Signed-off-by: Al Cooper <alcooperx@gmail.com>
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/1665005418-15807-3-git-send-email-justinpopo6@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-brcm-usb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/phy/broadcom/phy-brcm-usb.c b/drivers/phy/broadcom/phy-brcm-usb.c
+index 2cb3779fcdf8..c0c3ab9b2a15 100644
+--- a/drivers/phy/broadcom/phy-brcm-usb.c
++++ b/drivers/phy/broadcom/phy-brcm-usb.c
+@@ -102,9 +102,9 @@ static int brcm_pm_notifier(struct notifier_block *notifier,
+
+ static irqreturn_t brcm_usb_phy_wake_isr(int irq, void *dev_id)
+ {
+- struct phy *gphy = dev_id;
++ struct device *dev = dev_id;
+
+- pm_wakeup_event(&gphy->dev, 0);
++ pm_wakeup_event(dev, 0);
+
+ return IRQ_HANDLED;
+ }
+@@ -451,7 +451,7 @@ static int brcm_usb_phy_dvr_init(struct platform_device *pdev,
+ if (priv->wake_irq >= 0) {
+ err = devm_request_irq(dev, priv->wake_irq,
+ brcm_usb_phy_wake_isr, 0,
+- dev_name(dev), gphy);
++ dev_name(dev), dev);
+ if (err < 0)
+ return err;
+ device_set_wakeup_capable(dev, 1);
+--
+2.35.1
+
--- /dev/null
+From 15e2c1154c30e4ee704046b40544d441e31f3b72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Oct 2022 14:30:17 -0700
+Subject: phy: usb: Use slow clock for wake enabled suspend
+
+From: Justin Chen <justinpopo6@gmail.com>
+
+[ Upstream commit 700c44b508020a3ea29d297c677f8d4ab14b7e6a ]
+
+The logic was incorrect when switching to slow clock. We want the slow
+clock if wake_enabled is set.
+
+Fixes: ae532b2b7aa5 ("phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers")
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/1665005418-15807-6-git-send-email-justinpopo6@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
+index d2524b70ea16..b3386e458dd4 100644
+--- a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
++++ b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
+@@ -331,13 +331,12 @@ static void usb_uninit_common_7216(struct brcm_usb_init_params *params)
+
+ pr_debug("%s\n", __func__);
+
+- if (!params->wake_enabled) {
+- USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN);
+-
++ if (params->wake_enabled) {
+ /* Switch to using slower clock during suspend to save power */
+ USB_CTRL_SET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN);
+- } else {
+ usb_wake_enable_7216(params, true);
++ } else {
++ USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 198ac0ddaa92161a85673a1f68e189d4b369f77b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 07:58:53 +0000
+Subject: pinctrl: k210: call of_node_put()
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+[ Upstream commit a8acc11643082a706de86a19f1f824712d971984 ]
+
+Since for_each_available_child_of_node() will increase the refcount of
+node, we need to call of_node_put() manually when breaking out of the
+iteration.
+
+Fixes: d4c34d09ab03 ("pinctrl: Add RISC-V Canaan Kendryte K210 FPIOA driver")
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Link: https://lore.kernel.org/r/20221122075853.2496680-1-zhangpeng362@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-k210.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-k210.c b/drivers/pinctrl/pinctrl-k210.c
+index ecab6bf63dc6..ad4db99094a7 100644
+--- a/drivers/pinctrl/pinctrl-k210.c
++++ b/drivers/pinctrl/pinctrl-k210.c
+@@ -862,8 +862,10 @@ static int k210_pinctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
+ for_each_available_child_of_node(np_config, np) {
+ ret = k210_pinctrl_dt_subnode_to_map(pctldev, np, map,
+ &reserved_maps, num_maps);
+- if (ret < 0)
++ if (ret < 0) {
++ of_node_put(np);
+ goto err;
++ }
+ }
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From 9af8974a756385f9155025f58d19141270b4ac50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Nov 2022 09:01:11 +0100
+Subject: pinctrl: mediatek: fix the pinconf register offset of some pins
+
+From: Sam Shih <sam.shih@mediatek.com>
+
+[ Upstream commit 3476b354c65db442580ef355885c69e60c546ef0 ]
+
+Correct the bias-pull-up, bias-pull-down and bias-disable register
+offset of mt7986 pin-42 to pin-49, in the original driver, the
+relative offset value was erroneously decremented by 1.
+
+Fixes: 360de6728064 ("pinctrl: mediatek: add support for MT7986 SoC")
+Signed-off-by: Sam Shih <sam.shih@mediatek.com>
+Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221106080114.7426-5-linux@fw-web.de
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mt7986.c | 24 +++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mt7986.c b/drivers/pinctrl/mediatek/pinctrl-mt7986.c
+index f26869f1a367..5cb255455a54 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mt7986.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mt7986.c
+@@ -316,10 +316,10 @@ static const struct mtk_pin_field_calc mt7986_pin_pupd_range[] = {
+ PIN_FIELD_BASE(38, 38, IOCFG_LT_BASE, 0x30, 0x10, 9, 1),
+ PIN_FIELD_BASE(39, 40, IOCFG_RB_BASE, 0x60, 0x10, 18, 1),
+ PIN_FIELD_BASE(41, 41, IOCFG_RB_BASE, 0x60, 0x10, 12, 1),
+- PIN_FIELD_BASE(42, 43, IOCFG_RB_BASE, 0x60, 0x10, 22, 1),
+- PIN_FIELD_BASE(44, 45, IOCFG_RB_BASE, 0x60, 0x10, 20, 1),
+- PIN_FIELD_BASE(46, 47, IOCFG_RB_BASE, 0x60, 0x10, 26, 1),
+- PIN_FIELD_BASE(48, 49, IOCFG_RB_BASE, 0x60, 0x10, 24, 1),
++ PIN_FIELD_BASE(42, 43, IOCFG_RB_BASE, 0x60, 0x10, 23, 1),
++ PIN_FIELD_BASE(44, 45, IOCFG_RB_BASE, 0x60, 0x10, 21, 1),
++ PIN_FIELD_BASE(46, 47, IOCFG_RB_BASE, 0x60, 0x10, 27, 1),
++ PIN_FIELD_BASE(48, 49, IOCFG_RB_BASE, 0x60, 0x10, 25, 1),
+ PIN_FIELD_BASE(50, 57, IOCFG_RT_BASE, 0x40, 0x10, 2, 1),
+ PIN_FIELD_BASE(58, 58, IOCFG_RT_BASE, 0x40, 0x10, 1, 1),
+ PIN_FIELD_BASE(59, 59, IOCFG_RT_BASE, 0x40, 0x10, 0, 1),
+@@ -354,10 +354,10 @@ static const struct mtk_pin_field_calc mt7986_pin_r0_range[] = {
+ PIN_FIELD_BASE(38, 38, IOCFG_LT_BASE, 0x40, 0x10, 9, 1),
+ PIN_FIELD_BASE(39, 40, IOCFG_RB_BASE, 0x70, 0x10, 18, 1),
+ PIN_FIELD_BASE(41, 41, IOCFG_RB_BASE, 0x70, 0x10, 12, 1),
+- PIN_FIELD_BASE(42, 43, IOCFG_RB_BASE, 0x70, 0x10, 22, 1),
+- PIN_FIELD_BASE(44, 45, IOCFG_RB_BASE, 0x70, 0x10, 20, 1),
+- PIN_FIELD_BASE(46, 47, IOCFG_RB_BASE, 0x70, 0x10, 26, 1),
+- PIN_FIELD_BASE(48, 49, IOCFG_RB_BASE, 0x70, 0x10, 24, 1),
++ PIN_FIELD_BASE(42, 43, IOCFG_RB_BASE, 0x70, 0x10, 23, 1),
++ PIN_FIELD_BASE(44, 45, IOCFG_RB_BASE, 0x70, 0x10, 21, 1),
++ PIN_FIELD_BASE(46, 47, IOCFG_RB_BASE, 0x70, 0x10, 27, 1),
++ PIN_FIELD_BASE(48, 49, IOCFG_RB_BASE, 0x70, 0x10, 25, 1),
+ PIN_FIELD_BASE(50, 57, IOCFG_RT_BASE, 0x50, 0x10, 2, 1),
+ PIN_FIELD_BASE(58, 58, IOCFG_RT_BASE, 0x50, 0x10, 1, 1),
+ PIN_FIELD_BASE(59, 59, IOCFG_RT_BASE, 0x50, 0x10, 0, 1),
+@@ -392,10 +392,10 @@ static const struct mtk_pin_field_calc mt7986_pin_r1_range[] = {
+ PIN_FIELD_BASE(38, 38, IOCFG_LT_BASE, 0x50, 0x10, 9, 1),
+ PIN_FIELD_BASE(39, 40, IOCFG_RB_BASE, 0x80, 0x10, 18, 1),
+ PIN_FIELD_BASE(41, 41, IOCFG_RB_BASE, 0x80, 0x10, 12, 1),
+- PIN_FIELD_BASE(42, 43, IOCFG_RB_BASE, 0x80, 0x10, 22, 1),
+- PIN_FIELD_BASE(44, 45, IOCFG_RB_BASE, 0x80, 0x10, 20, 1),
+- PIN_FIELD_BASE(46, 47, IOCFG_RB_BASE, 0x80, 0x10, 26, 1),
+- PIN_FIELD_BASE(48, 49, IOCFG_RB_BASE, 0x80, 0x10, 24, 1),
++ PIN_FIELD_BASE(42, 43, IOCFG_RB_BASE, 0x80, 0x10, 23, 1),
++ PIN_FIELD_BASE(44, 45, IOCFG_RB_BASE, 0x80, 0x10, 21, 1),
++ PIN_FIELD_BASE(46, 47, IOCFG_RB_BASE, 0x80, 0x10, 27, 1),
++ PIN_FIELD_BASE(48, 49, IOCFG_RB_BASE, 0x80, 0x10, 25, 1),
+ PIN_FIELD_BASE(50, 57, IOCFG_RT_BASE, 0x60, 0x10, 2, 1),
+ PIN_FIELD_BASE(58, 58, IOCFG_RT_BASE, 0x60, 0x10, 1, 1),
+ PIN_FIELD_BASE(59, 59, IOCFG_RT_BASE, 0x60, 0x10, 0, 1),
+--
+2.35.1
+
--- /dev/null
+From f9e0579a886668564856a802cff23a95ccc958a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Sep 2022 10:12:58 +0800
+Subject: pinctrl: ocelot: add missing destroy_workqueue() in error path in
+ ocelot_pinctrl_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8ada020ade3bc4125b639a1dca50a6df687dd986 ]
+
+Using devm_add_action_or_reset() to make workqueue device-managed, so it can be
+destroy whenever the driver is unbound.
+
+Fixes: c297561bc98a ("pinctrl: ocelot: Fix interrupt controller")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://lore.kernel.org/r/20220925021258.1492905-1-yangyingliang@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-ocelot.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-ocelot.c b/drivers/pinctrl/pinctrl-ocelot.c
+index 105771ff82e6..19a61f697e99 100644
+--- a/drivers/pinctrl/pinctrl-ocelot.c
++++ b/drivers/pinctrl/pinctrl-ocelot.c
+@@ -2046,6 +2046,11 @@ static struct regmap *ocelot_pinctrl_create_pincfg(struct platform_device *pdev,
+ return devm_regmap_init_mmio(&pdev->dev, base, ®map_config);
+ }
+
++static void ocelot_destroy_workqueue(void *data)
++{
++ destroy_workqueue(data);
++}
++
+ static int ocelot_pinctrl_probe(struct platform_device *pdev)
+ {
+ const struct ocelot_match_data *data;
+@@ -2078,6 +2083,11 @@ static int ocelot_pinctrl_probe(struct platform_device *pdev)
+ if (!info->wq)
+ return -ENOMEM;
+
++ ret = devm_add_action_or_reset(dev, ocelot_destroy_workqueue,
++ info->wq);
++ if (ret)
++ return ret;
++
+ info->pincfg_data = &data->pincfg_data;
+
+ reset = devm_reset_control_get_optional_shared(dev, "switch");
+@@ -2125,15 +2135,6 @@ static int ocelot_pinctrl_probe(struct platform_device *pdev)
+ return 0;
+ }
+
+-static int ocelot_pinctrl_remove(struct platform_device *pdev)
+-{
+- struct ocelot_pinctrl *info = platform_get_drvdata(pdev);
+-
+- destroy_workqueue(info->wq);
+-
+- return 0;
+-}
+-
+ static struct platform_driver ocelot_pinctrl_driver = {
+ .driver = {
+ .name = "pinctrl-ocelot",
+@@ -2141,7 +2142,6 @@ static struct platform_driver ocelot_pinctrl_driver = {
+ .suppress_bind_attrs = true,
+ },
+ .probe = ocelot_pinctrl_probe,
+- .remove = ocelot_pinctrl_remove,
+ };
+ module_platform_driver(ocelot_pinctrl_driver);
+ MODULE_LICENSE("Dual MIT/GPL");
+--
+2.35.1
+
--- /dev/null
+From 093ef53d05afe4b9bb8b16040e3c03dc4647b905 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 07:01:56 +0000
+Subject: pinctrl: pinconf-generic: add missing of_node_put()
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+[ Upstream commit 5ead93289815a075d43c415e35c8beafafb801c9 ]
+
+of_node_put() needs to be called when jumping out of the loop, since
+for_each_available_child_of_node() will increase the refcount of node.
+
+Fixes: c7289500e29d ("pinctrl: pinconf-generic: scan also referenced phandle node")
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Link: https://lore.kernel.org/r/20221125070156.3535855-1-zhangpeng362@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinconf-generic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinconf-generic.c b/drivers/pinctrl/pinconf-generic.c
+index 415d1df8f46a..365c4b0ca465 100644
+--- a/drivers/pinctrl/pinconf-generic.c
++++ b/drivers/pinctrl/pinconf-generic.c
+@@ -395,8 +395,10 @@ int pinconf_generic_dt_node_to_map(struct pinctrl_dev *pctldev,
+ for_each_available_child_of_node(np_config, np) {
+ ret = pinconf_generic_dt_subnode_to_map(pctldev, np, map,
+ &reserved_maps, num_maps, type);
+- if (ret < 0)
++ if (ret < 0) {
++ of_node_put(np);
+ goto exit;
++ }
+ }
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From dd73048a5ceff3aa70d33f821974aa50fce9ead1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 20:01:26 +0800
+Subject: pinctrl: thunderbay: fix possible memory leak in
+ thunderbay_build_functions()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 83e1bcaf8cef26edaaf2a6098ef760f563683483 ]
+
+The thunderbay_add_functions() will free memory of thunderbay_funcs
+when everything is ok, but thunderbay_funcs will not be freed when
+thunderbay_add_functions() fails, then there will be a memory leak,
+so we need to add kfree() when thunderbay_add_functions() fails to
+fix it.
+
+In addition, doing some cleaner works, moving kfree(funcs) from
+thunderbay_add_functions() to thunderbay_build_functions().
+
+Fixes: 12422af8194d ("pinctrl: Add Intel Thunder Bay pinctrl driver")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Rafał Miłecki <rafal@milecki.pl>
+Link: https://lore.kernel.org/r/20221129120126.1567338-1-cuigaosheng1@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-thunderbay.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-thunderbay.c b/drivers/pinctrl/pinctrl-thunderbay.c
+index 9328b17485cf..590bbbf619af 100644
+--- a/drivers/pinctrl/pinctrl-thunderbay.c
++++ b/drivers/pinctrl/pinctrl-thunderbay.c
+@@ -808,7 +808,7 @@ static int thunderbay_add_functions(struct thunderbay_pinctrl *tpc, struct funct
+ funcs[i].num_group_names,
+ funcs[i].data);
+ }
+- kfree(funcs);
++
+ return 0;
+ }
+
+@@ -817,6 +817,7 @@ static int thunderbay_build_functions(struct thunderbay_pinctrl *tpc)
+ struct function_desc *thunderbay_funcs;
+ void *ptr;
+ int pin;
++ int ret;
+
+ /*
+ * Allocate maximum possible number of functions. Assume every pin
+@@ -860,7 +861,10 @@ static int thunderbay_build_functions(struct thunderbay_pinctrl *tpc)
+ return -ENOMEM;
+
+ thunderbay_funcs = ptr;
+- return thunderbay_add_functions(tpc, thunderbay_funcs);
++ ret = thunderbay_add_functions(tpc, thunderbay_funcs);
++
++ kfree(thunderbay_funcs);
++ return ret;
+ }
+
+ static int thunderbay_pinconf_set_tristate(struct thunderbay_pinctrl *tpc,
+--
+2.35.1
+
--- /dev/null
+From 24f72e5ebe08ec7e306882a00f3e32b21fe2eb72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 21:48:34 +0000
+Subject: platform/chrome: cros_ec_typec: Cleanup switch handle return paths
+
+From: Prashant Malani <pmalani@chromium.org>
+
+[ Upstream commit d5f66527db9e0e6a871d9005200b3394156cf16f ]
+
+Some of the return paths for the cros_typec_get_switch_handles()
+aren't necessary. Clean up the return paths to only undo the handle
+get's which succeeded.
+
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20220816214857.2088914-7-pmalani@chromium.org
+Stable-dep-of: 9a8aadcf0b45 ("platform/chrome: cros_ec_typec: zero out stale pointers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
+index dc5722db2066..fcfb98992920 100644
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -159,12 +159,10 @@ static int cros_typec_get_switch_handles(struct cros_typec_port *port,
+ return 0;
+
+ role_sw_err:
+- usb_role_switch_put(port->role_sw);
+-ori_sw_err:
+ typec_switch_put(port->ori_sw);
+-mux_err:
++ori_sw_err:
+ typec_mux_put(port->mux);
+-
++mux_err:
+ return -ENODEV;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 8c17dc39b5cf2997a2714467532bbdd7a21bc798 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 21:48:35 +0000
+Subject: platform/chrome: cros_ec_typec: Get retimer handle
+
+From: Prashant Malani <pmalani@chromium.org>
+
+[ Upstream commit 1a8912caba02522f612d465a4849ce98915b96ad ]
+
+Where available, obtain the handle to retimer switch specified via
+firmware, and update the mux configuration callsites to add retimer
+support for supported modes.
+
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20220816214857.2088914-8-pmalani@chromium.org
+Stable-dep-of: 9a8aadcf0b45 ("platform/chrome: cros_ec_typec: zero out stale pointers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c | 44 +++++++++++++++++++++++--
+ 1 file changed, 41 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
+index fcfb98992920..00208ffbe2e7 100644
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -20,6 +20,7 @@
+ #include <linux/usb/typec_altmode.h>
+ #include <linux/usb/typec_dp.h>
+ #include <linux/usb/typec_mux.h>
++#include <linux/usb/typec_retimer.h>
+ #include <linux/usb/typec_tbt.h>
+ #include <linux/usb/role.h>
+
+@@ -56,6 +57,7 @@ struct cros_typec_port {
+ struct usb_pd_identity c_identity;
+ struct typec_switch *ori_sw;
+ struct typec_mux *mux;
++ struct typec_retimer *retimer;
+ struct usb_role_switch *role_sw;
+
+ /* Variables keeping track of switch state. */
+@@ -144,6 +146,12 @@ static int cros_typec_get_switch_handles(struct cros_typec_port *port,
+ goto mux_err;
+ }
+
++ port->retimer = fwnode_typec_retimer_get(fwnode);
++ if (IS_ERR(port->retimer)) {
++ dev_dbg(dev, "Retimer handle not found.\n");
++ goto retimer_sw_err;
++ }
++
+ port->ori_sw = fwnode_typec_switch_get(fwnode);
+ if (IS_ERR(port->ori_sw)) {
+ dev_dbg(dev, "Orientation switch handle not found.\n");
+@@ -161,6 +169,8 @@ static int cros_typec_get_switch_handles(struct cros_typec_port *port,
+ role_sw_err:
+ typec_switch_put(port->ori_sw);
+ ori_sw_err:
++ typec_retimer_put(port->retimer);
++retimer_sw_err:
+ typec_mux_put(port->mux);
+ mux_err:
+ return -ENODEV;
+@@ -205,6 +215,21 @@ static void cros_typec_unregister_altmodes(struct cros_typec_data *typec, int po
+ }
+ }
+
++/*
++ * Map the Type-C Mux state to retimer state and call the retimer set function. We need this
++ * because we re-use the Type-C mux state for retimers.
++ */
++static int cros_typec_retimer_set(struct typec_retimer *retimer, struct typec_mux_state state)
++{
++ struct typec_retimer_state rstate = {
++ .alt = state.alt,
++ .mode = state.mode,
++ .data = state.data,
++ };
++
++ return typec_retimer_set(retimer, &rstate);
++}
++
+ static int cros_typec_usb_disconnect_state(struct cros_typec_port *port)
+ {
+ port->state.alt = NULL;
+@@ -213,6 +238,7 @@ static int cros_typec_usb_disconnect_state(struct cros_typec_port *port)
+
+ usb_role_switch_set_role(port->role_sw, USB_ROLE_NONE);
+ typec_switch_set(port->ori_sw, TYPEC_ORIENTATION_NONE);
++ cros_typec_retimer_set(port->retimer, port->state);
+
+ return typec_mux_set(port->mux, &port->state);
+ }
+@@ -410,9 +436,14 @@ static int cros_typec_init_ports(struct cros_typec_data *typec)
+
+ static int cros_typec_usb_safe_state(struct cros_typec_port *port)
+ {
++ int ret;
+ port->state.mode = TYPEC_STATE_SAFE;
+
+- return typec_mux_set(port->mux, &port->state);
++ ret = cros_typec_retimer_set(port->retimer, port->state);
++ if (!ret)
++ ret = typec_mux_set(port->mux, &port->state);
++
++ return ret;
+ }
+
+ /*
+@@ -509,7 +540,11 @@ static int cros_typec_enable_dp(struct cros_typec_data *typec,
+ port->state.data = &dp_data;
+ port->state.mode = TYPEC_MODAL_STATE(ffs(pd_ctrl->dp_mode));
+
+- return typec_mux_set(port->mux, &port->state);
++ ret = cros_typec_retimer_set(port->retimer, port->state);
++ if (!ret)
++ ret = typec_mux_set(port->mux, &port->state);
++
++ return ret;
+ }
+
+ static int cros_typec_enable_usb4(struct cros_typec_data *typec,
+@@ -598,7 +633,10 @@ static int cros_typec_configure_mux(struct cros_typec_data *typec, int port_num,
+ } else if (port->mux_flags & USB_PD_MUX_USB_ENABLED) {
+ port->state.alt = NULL;
+ port->state.mode = TYPEC_STATE_USB;
+- ret = typec_mux_set(port->mux, &port->state);
++
++ ret = cros_typec_retimer_set(port->retimer, port->state);
++ if (!ret)
++ ret = typec_mux_set(port->mux, &port->state);
+ } else {
+ dev_dbg(typec->dev,
+ "Unrecognized mode requested, mux flags: %x\n",
+--
+2.35.1
+
--- /dev/null
+From 72b8ab2d95945833ccb17e65f1a9dc19783601d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 09:39:40 +0000
+Subject: platform/chrome: cros_ec_typec: zero out stale pointers
+
+From: Victor Ding <victording@chromium.org>
+
+[ Upstream commit 9a8aadcf0b459c1257b9477fd6402e1d5952ae07 ]
+
+`cros_typec_get_switch_handles` allocates four pointers when obtaining
+type-c switch handles. These pointers are all freed if failing to obtain
+any of them; therefore, pointers in `port` become stale. The stale
+pointers eventually cause use-after-free or double free in later code
+paths. Zeroing out all pointer fields after freeing to eliminate these
+stale pointers.
+
+Fixes: f28adb41dab4 ("platform/chrome: cros_ec_typec: Register Type C switches")
+Fixes: 1a8912caba02 ("platform/chrome: cros_ec_typec: Get retimer handle")
+Signed-off-by: Victor Ding <victording@chromium.org>
+Acked-by: Prashant Malani <pmalani@chromium.org>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20221207093924.v2.1.I1864b6a7ee98824118b93677868d22d3750f439b@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
+index 00208ffbe2e7..a54bf964521f 100644
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -168,10 +168,13 @@ static int cros_typec_get_switch_handles(struct cros_typec_port *port,
+
+ role_sw_err:
+ typec_switch_put(port->ori_sw);
++ port->ori_sw = NULL;
+ ori_sw_err:
+ typec_retimer_put(port->retimer);
++ port->retimer = NULL;
+ retimer_sw_err:
+ typec_mux_put(port->mux);
++ port->mux = NULL;
+ mux_err:
+ return -ENODEV;
+ }
+--
+2.35.1
+
--- /dev/null
+From 22d8cdbc143d350c7440093c93fe4a012b62c2ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 08:08:23 +0000
+Subject: platform/chrome: cros_usbpd_notify: Fix error handling in
+ cros_usbpd_notify_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 5a2d96623670155d94aca72c320c0ac27bdc6bd2 ]
+
+The following WARNING message was given when rmmod cros_usbpd_notify:
+
+ Unexpected driver unregister!
+ WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0
+ Modules linked in: cros_usbpd_notify(-)
+ CPU: 0 PID: 253 Comm: rmmod Not tainted 6.1.0-rc3 #24
+ ...
+ Call Trace:
+ <TASK>
+ cros_usbpd_notify_exit+0x11/0x1e [cros_usbpd_notify]
+ __x64_sys_delete_module+0x3c7/0x570
+ ? __ia32_sys_delete_module+0x570/0x570
+ ? lock_is_held_type+0xe3/0x140
+ ? syscall_enter_from_user_mode+0x17/0x50
+ ? rcu_read_lock_sched_held+0xa0/0xd0
+ ? syscall_enter_from_user_mode+0x1c/0x50
+ do_syscall_64+0x37/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0033:0x7f333fe9b1b7
+
+The reason is that the cros_usbpd_notify_init() does not check the return
+value of platform_driver_register(), and the cros_usbpd_notify can
+install successfully even if platform_driver_register() failed.
+
+Fix by checking the return value of platform_driver_register() and
+unregister cros_usbpd_notify_plat_driver when it failed.
+
+Fixes: ec2daf6e33f9 ("platform: chrome: Add cros-usbpd-notify driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20221117080823.77549-1-yuancan@huawei.com
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_usbpd_notify.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/chrome/cros_usbpd_notify.c b/drivers/platform/chrome/cros_usbpd_notify.c
+index 4b5a81c9dc6d..10670b6588e3 100644
+--- a/drivers/platform/chrome/cros_usbpd_notify.c
++++ b/drivers/platform/chrome/cros_usbpd_notify.c
+@@ -239,7 +239,11 @@ static int __init cros_usbpd_notify_init(void)
+ return ret;
+
+ #ifdef CONFIG_ACPI
+- platform_driver_register(&cros_usbpd_notify_acpi_driver);
++ ret = platform_driver_register(&cros_usbpd_notify_acpi_driver);
++ if (ret) {
++ platform_driver_unregister(&cros_usbpd_notify_plat_driver);
++ return ret;
++ }
+ #endif
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 1a954a01d1cc9dc0ce9194a3a31f30af0469760c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 09:35:19 -0500
+Subject: platform/mellanox: mlxbf-pmc: Fix event typo
+
+From: James Hurley <jahurley@nvidia.com>
+
+[ Upstream commit b0b698b80c56b0712f0d4346d51bf0363ba03068 ]
+
+Had a duplicate event typo, so just fixed the 1 character typo.
+
+Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver")
+Signed-off-by: James Hurley <jahurley@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Reviewed-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Link: https://lore.kernel.org/r/aadacdbbd3186c55e74ea9456fe011b77938eb6c.1670535330.git.jahurley@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index 65b4a819f1bd..c2c9b0d3244c 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -358,7 +358,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_hnfnet_events[] = {
+ { 0x32, "DDN_DIAG_W_INGRESS" },
+ { 0x33, "DDN_DIAG_C_INGRESS" },
+ { 0x34, "DDN_DIAG_CORE_SENT" },
+- { 0x35, "NDN_DIAG_S_OUT_OF_CRED" },
++ { 0x35, "NDN_DIAG_N_OUT_OF_CRED" },
+ { 0x36, "NDN_DIAG_S_OUT_OF_CRED" },
+ { 0x37, "NDN_DIAG_E_OUT_OF_CRED" },
+ { 0x38, "NDN_DIAG_W_OUT_OF_CRED" },
+--
+2.35.1
+
--- /dev/null
+From e111c2793c2d557c11d8db31ca17651d588c28a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Oct 2022 15:00:45 +0000
+Subject: platform/x86: huawei-wmi: fix return value calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Pőcze <pobrn@protonmail.com>
+
+[ Upstream commit 0b9a1dcdb6a2c841899389bf2dd7a3e0e2aa0e99 ]
+
+Previously, `huawei_wmi_input_setup()` returned the result of
+logical or-ing the return values of two functions that return negative
+errno-style error codes and one that returns `acpi_status`. If this
+returned value was non-zero, then it was propagated from the platform
+driver's probe function. That function should return a negative
+errno-style error code, so the result of the logical or that
+`huawei_wmi_input_setup()` returned was not appropriate.
+
+Fix that by checking each function separately and returning the
+error code unmodified.
+
+Fixes: 1ac9abeb2e5b ("platform/x86: huawei-wmi: Move to platform driver")
+Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
+Link: https://lore.kernel.org/r/20221005150032.173198-2-pobrn@protonmail.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/huawei-wmi.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c
+index eac3e6b4ea11..935562c870c3 100644
+--- a/drivers/platform/x86/huawei-wmi.c
++++ b/drivers/platform/x86/huawei-wmi.c
+@@ -760,6 +760,9 @@ static int huawei_wmi_input_setup(struct device *dev,
+ const char *guid,
+ struct input_dev **idev)
+ {
++ acpi_status status;
++ int err;
++
+ *idev = devm_input_allocate_device(dev);
+ if (!*idev)
+ return -ENOMEM;
+@@ -769,10 +772,19 @@ static int huawei_wmi_input_setup(struct device *dev,
+ (*idev)->id.bustype = BUS_HOST;
+ (*idev)->dev.parent = dev;
+
+- return sparse_keymap_setup(*idev, huawei_wmi_keymap, NULL) ||
+- input_register_device(*idev) ||
+- wmi_install_notify_handler(guid, huawei_wmi_input_notify,
+- *idev);
++ err = sparse_keymap_setup(*idev, huawei_wmi_keymap, NULL);
++ if (err)
++ return err;
++
++ err = input_register_device(*idev);
++ if (err)
++ return err;
++
++ status = wmi_install_notify_handler(guid, huawei_wmi_input_notify, *idev);
++ if (ACPI_FAILURE(status))
++ return -EIO;
++
++ return 0;
+ }
+
+ static void huawei_wmi_input_exit(struct device *dev, const char *guid)
+--
+2.35.1
+
--- /dev/null
+From 89472cb6ae5d65f54886028570a5ee1ba211d982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 23:19:16 +0800
+Subject: platform/x86: intel_scu_ipc: fix possible name leak in
+ __intel_scu_ipc_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0b3d0cb7c0bed2fd6454f77ed75e7a662c6efd12 ]
+
+In some error paths before device_register(), the names allocated
+by dev_set_name() are not freed. Move dev_set_name() front to
+device_register(), so the name can be freed while calling
+put_device().
+
+Fixes: 54b34aa0a729 ("platform/x86: intel_scu_ipc: Split out SCU IPC functionality from the SCU driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221208151916.2404977-1-yangyingliang@huawei.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index 7cc9089d1e14..e7a3e3402817 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -583,7 +583,6 @@ __intel_scu_ipc_register(struct device *parent,
+ scu->dev.parent = parent;
+ scu->dev.class = &intel_scu_ipc_class;
+ scu->dev.release = intel_scu_ipc_release;
+- dev_set_name(&scu->dev, "intel_scu_ipc");
+
+ if (!request_mem_region(scu_data->mem.start, resource_size(&scu_data->mem),
+ "intel_scu_ipc")) {
+@@ -612,6 +611,7 @@ __intel_scu_ipc_register(struct device *parent,
+ * After this point intel_scu_ipc_release() takes care of
+ * releasing the SCU IPC resources once refcount drops to zero.
+ */
++ dev_set_name(&scu->dev, "intel_scu_ipc");
+ err = device_register(&scu->dev);
+ if (err) {
+ put_device(&scu->dev);
+--
+2.35.1
+
--- /dev/null
+From d911fab40d69e4b56a3dd8a7bd2fe6cc9dacb115 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 09:11:01 +0800
+Subject: platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
+
+From: Yu Liao <liaoyu15@huawei.com>
+
+[ Upstream commit 727cc0147f5066e359aca65cc6cc5e6d64cc15d8 ]
+
+The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method()
+is not freed after the call, so it leads to memory leak.
+
+The method results in ACPI buffer is not used, so just pass NULL to
+wmi_evaluate_method() which fixes the memory leak.
+
+Fixes: 99b38b4acc0d ("platform/x86: add MXM WMI driver.")
+Signed-off-by: Yu Liao <liaoyu15@huawei.com>
+Link: https://lore.kernel.org/r/20221129011101.2042315-1-liaoyu15@huawei.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/mxm-wmi.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/platform/x86/mxm-wmi.c b/drivers/platform/x86/mxm-wmi.c
+index 9a19fbd2f734..9a457956025a 100644
+--- a/drivers/platform/x86/mxm-wmi.c
++++ b/drivers/platform/x86/mxm-wmi.c
+@@ -35,13 +35,11 @@ int mxm_wmi_call_mxds(int adapter)
+ .xarg = 1,
+ };
+ struct acpi_buffer input = { (acpi_size)sizeof(args), &args };
+- struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
+ acpi_status status;
+
+ printk("calling mux switch %d\n", adapter);
+
+- status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input,
+- &output);
++ status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, NULL);
+
+ if (ACPI_FAILURE(status))
+ return status;
+@@ -60,13 +58,11 @@ int mxm_wmi_call_mxmx(int adapter)
+ .xarg = 1,
+ };
+ struct acpi_buffer input = { (acpi_size)sizeof(args), &args };
+- struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
+ acpi_status status;
+
+ printk("calling mux switch %d\n", adapter);
+
+- status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input,
+- &output);
++ status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, NULL);
+
+ if (ACPI_FAILURE(status))
+ return status;
+--
+2.35.1
+
--- /dev/null
+From acefbfc5f083358d10946212b40f5fbd4c04549b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 10:28:39 +0800
+Subject: PM: hibernate: Fix mistake in kerneldoc comment
+
+From: xiongxin <xiongxin@kylinos.cn>
+
+[ Upstream commit 6e5d7300cbe7c3541bc31f16db3e9266e6027b4b ]
+
+The actual maximum image size formula in hibernate_preallocate_memory()
+is as follows:
+
+max_size = (count - (size + PAGES_FOR_IO)) / 2
+ - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE);
+
+but the one in the kerneldoc comment of the function is different and
+incorrect.
+
+Fixes: ddeb64870810 ("PM / Hibernate: Add sysfs knob to control size of memory for drivers")
+Signed-off-by: xiongxin <xiongxin@kylinos.cn>
+[ rjw: Subject and changelog rewrite ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/snapshot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
+index 2a406753af90..c20ca5fb9adc 100644
+--- a/kernel/power/snapshot.c
++++ b/kernel/power/snapshot.c
+@@ -1723,8 +1723,8 @@ static unsigned long minimum_image_size(unsigned long saveable)
+ * /sys/power/reserved_size, respectively). To make this happen, we compute the
+ * total number of available page frames and allocate at least
+ *
+- * ([page frames total] + PAGES_FOR_IO + [metadata pages]) / 2
+- * + 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE)
++ * ([page frames total] - PAGES_FOR_IO - [metadata pages]) / 2
++ * - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE)
+ *
+ * of them, which corresponds to the maximum size of a hibernation image.
+ *
+--
+2.35.1
+
--- /dev/null
+From ef087e7e8a88c482fcb30e55261345c667d91e39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 15:30:28 +0100
+Subject: PM: runtime: Do not call __rpm_callback() from rpm_idle()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit bc80c2e438dcbfcf748452ec0f7ad5b79ff3ad88 ]
+
+Calling __rpm_callback() from rpm_idle() after adding device links
+support to the former is a clear mistake.
+
+Not only it causes rpm_idle() to carry out unnecessary actions, but it
+is also against the assumption regarding the stability of PM-runtime
+status across __rpm_callback() invocations, because rpm_suspend() and
+rpm_resume() may run in parallel with __rpm_callback() when it is called
+by rpm_idle() and the device's PM-runtime status can be updated by any
+of them.
+
+Fixes: 21d5c57b3726 ("PM / runtime: Use device links")
+Link: https://lore.kernel.org/linux-pm/36aed941-a73e-d937-2721-4f0decd61ce0@quicinc.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index 997be3ac20a7..d36fb07190bf 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -484,7 +484,17 @@ static int rpm_idle(struct device *dev, int rpmflags)
+
+ dev->power.idle_notification = true;
+
+- retval = __rpm_callback(callback, dev);
++ if (dev->power.irq_safe)
++ spin_unlock(&dev->power.lock);
++ else
++ spin_unlock_irq(&dev->power.lock);
++
++ retval = callback(dev);
++
++ if (dev->power.irq_safe)
++ spin_lock(&dev->power.lock);
++ else
++ spin_lock_irq(&dev->power.lock);
+
+ dev->power.idle_notification = false;
+ wake_up_all(&dev->power.wait_queue);
+--
+2.35.1
+
--- /dev/null
+From 68a9dbd6f7d062761c7c6e874a5c7656d32d048b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 09:23:58 +0800
+Subject: PNP: fix name memory leak in pnp_alloc_dev()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 110d7b0325c55ff3620073ba4201845f59e22ebf ]
+
+After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
+bus_id string array"), the name of device is allocated dynamically,
+move dev_set_name() after pnp_add_id() to avoid memory leak.
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pnp/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pnp/core.c b/drivers/pnp/core.c
+index 4df5aa6a309c..6a60c5d83383 100644
+--- a/drivers/pnp/core.c
++++ b/drivers/pnp/core.c
+@@ -148,14 +148,14 @@ struct pnp_dev *pnp_alloc_dev(struct pnp_protocol *protocol, int id,
+ dev->dev.coherent_dma_mask = dev->dma_mask;
+ dev->dev.release = &pnp_release_device;
+
+- dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number);
+-
+ dev_id = pnp_add_id(dev, pnpid);
+ if (!dev_id) {
+ kfree(dev);
+ return NULL;
+ }
+
++ dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number);
++
+ return dev;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 93049d6a39af19874eddb9b4b0546606163f07f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 03:19:32 +0000
+Subject: power: supply: ab8500: Fix error handling in ab8500_charger_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit c4d33381b134da188ccd1084aef21e2b8c3c422e ]
+
+The ab8500_charger_init() returns the platform_driver_register() directly
+without checking its return value, if platform_driver_register() failed,
+all ab8500_charger_component_drivers are not unregistered.
+
+Fix by unregister ab8500_charger_component_drivers when
+platform_driver_register() failed.
+
+Fixes: 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/ab8500_charger.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/ab8500_charger.c b/drivers/power/supply/ab8500_charger.c
+index c19c50442761..58757a5799f8 100644
+--- a/drivers/power/supply/ab8500_charger.c
++++ b/drivers/power/supply/ab8500_charger.c
+@@ -3719,7 +3719,14 @@ static int __init ab8500_charger_init(void)
+ if (ret)
+ return ret;
+
+- return platform_driver_register(&ab8500_charger_driver);
++ ret = platform_driver_register(&ab8500_charger_driver);
++ if (ret) {
++ platform_unregister_drivers(ab8500_charger_component_drivers,
++ ARRAY_SIZE(ab8500_charger_component_drivers));
++ return ret;
++ }
++
++ return 0;
+ }
+
+ static void __exit ab8500_charger_exit(void)
+--
+2.35.1
+
--- /dev/null
+From fd3a16f8e0b392258d3b4f0f0b51d60d51604604 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 23:44:14 +0100
+Subject: power: supply: bq25890: Convert to i2c's .probe_new()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit c5cddca2351b291c8787b45cd046b1dfeb86979f ]
+
+The probe function doesn't make use of the i2c_device_id * parameter so it
+can be trivially converted.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Stable-dep-of: a7aaa80098d5 ("power: supply: bq25890: Ensure pump_express_work is cancelled on remove")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq25890_charger.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/power/supply/bq25890_charger.c b/drivers/power/supply/bq25890_charger.c
+index 86228753e804..b4c8481ea17b 100644
+--- a/drivers/power/supply/bq25890_charger.c
++++ b/drivers/power/supply/bq25890_charger.c
+@@ -1189,8 +1189,7 @@ static int bq25890_fw_probe(struct bq25890_device *bq)
+ return 0;
+ }
+
+-static int bq25890_probe(struct i2c_client *client,
+- const struct i2c_device_id *id)
++static int bq25890_probe(struct i2c_client *client)
+ {
+ struct device *dev = &client->dev;
+ struct bq25890_device *bq;
+@@ -1391,7 +1390,7 @@ static struct i2c_driver bq25890_driver = {
+ .acpi_match_table = ACPI_PTR(bq25890_acpi_match),
+ .pm = &bq25890_pm,
+ },
+- .probe = bq25890_probe,
++ .probe_new = bq25890_probe,
+ .remove = bq25890_remove,
+ .shutdown = bq25890_shutdown,
+ .id_table = bq25890_i2c_ids,
+--
+2.35.1
+
--- /dev/null
+From 5d181ac5ad7841e5f0063937efe3e445111f8632 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 10:28:48 +0100
+Subject: power: supply: bq25890: Ensure pump_express_work is cancelled on
+ remove
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit a7aaa80098d5b7608b2dc1e883e3c3f929415243 ]
+
+The pump_express_work which gets queued from an external_power_changed
+callback might be pending / running on remove() (or on probe failure).
+
+Add a devm action cancelling the work, to ensure that it is cancelled.
+
+Note the devm action is added before devm_power_supply_register(), making
+it run after devm unregisters the power_supply, so that the work cannot
+be queued anymore (this is also why a devm action is used for this).
+
+Fixes: 48f45b094dbb ("power: supply: bq25890: Support higher charging voltages through Pump Express+ protocol")
+Reviewed-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq25890_charger.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/power/supply/bq25890_charger.c b/drivers/power/supply/bq25890_charger.c
+index b4c8481ea17b..92fab662a51d 100644
+--- a/drivers/power/supply/bq25890_charger.c
++++ b/drivers/power/supply/bq25890_charger.c
+@@ -1189,6 +1189,13 @@ static int bq25890_fw_probe(struct bq25890_device *bq)
+ return 0;
+ }
+
++static void bq25890_non_devm_cleanup(void *data)
++{
++ struct bq25890_device *bq = data;
++
++ cancel_delayed_work_sync(&bq->pump_express_work);
++}
++
+ static int bq25890_probe(struct i2c_client *client)
+ {
+ struct device *dev = &client->dev;
+@@ -1244,6 +1251,14 @@ static int bq25890_probe(struct i2c_client *client)
+ /* OTG reporting */
+ bq->usb_phy = devm_usb_get_phy(dev, USB_PHY_TYPE_USB2);
+
++ /*
++ * This must be before bq25890_power_supply_init(), so that it runs
++ * after devm unregisters the power_supply.
++ */
++ ret = devm_add_action_or_reset(dev, bq25890_non_devm_cleanup, bq);
++ if (ret)
++ return ret;
++
+ ret = bq25890_register_regulator(bq);
+ if (ret)
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From e550bff10c6c62c4a02d816f420778ed44174f3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Oct 2022 19:24:25 +0200
+Subject: power: supply: bq25890: Factor out regulator registration code
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 5f5c10ecaf3fdeba9b2b0af5301977420c2c4df0 ]
+
+Pull the regulator registration code into separate function, so it can
+be extended to register more regulators later. Currently this is only
+moving ifdeffery into one place and other preparatory changes. The
+dev_err_probe() output string is changed to explicitly list vbus
+regulator failure, so that once more regulators are registered, it
+would be clear which one failed.
+
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Stable-dep-of: a7aaa80098d5 ("power: supply: bq25890: Ensure pump_express_work is cancelled on remove")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq25890_charger.c | 51 ++++++++++++++++++--------
+ 1 file changed, 35 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/power/supply/bq25890_charger.c b/drivers/power/supply/bq25890_charger.c
+index 852a6fec4339..86228753e804 100644
+--- a/drivers/power/supply/bq25890_charger.c
++++ b/drivers/power/supply/bq25890_charger.c
+@@ -1019,6 +1019,36 @@ static const struct regulator_desc bq25890_vbus_desc = {
+ .fixed_uV = 5000000,
+ .n_voltages = 1,
+ };
++
++static int bq25890_register_regulator(struct bq25890_device *bq)
++{
++ struct bq25890_platform_data *pdata = dev_get_platdata(bq->dev);
++ struct regulator_config cfg = {
++ .dev = bq->dev,
++ .driver_data = bq,
++ };
++ struct regulator_dev *reg;
++
++ if (!IS_ERR_OR_NULL(bq->usb_phy))
++ return 0;
++
++ if (pdata)
++ cfg.init_data = pdata->regulator_init_data;
++
++ reg = devm_regulator_register(bq->dev, &bq25890_vbus_desc, &cfg);
++ if (IS_ERR(reg)) {
++ return dev_err_probe(bq->dev, PTR_ERR(reg),
++ "registering vbus regulator");
++ }
++
++ return 0;
++}
++#else
++static inline int
++bq25890_register_regulator(struct bq25890_device *bq)
++{
++ return 0;
++}
+ #endif
+
+ static int bq25890_get_chip_version(struct bq25890_device *bq)
+@@ -1214,27 +1244,16 @@ static int bq25890_probe(struct i2c_client *client,
+
+ /* OTG reporting */
+ bq->usb_phy = devm_usb_get_phy(dev, USB_PHY_TYPE_USB2);
++
++ ret = bq25890_register_regulator(bq);
++ if (ret)
++ return ret;
++
+ if (!IS_ERR_OR_NULL(bq->usb_phy)) {
+ INIT_WORK(&bq->usb_work, bq25890_usb_work);
+ bq->usb_nb.notifier_call = bq25890_usb_notifier;
+ usb_register_notifier(bq->usb_phy, &bq->usb_nb);
+ }
+-#ifdef CONFIG_REGULATOR
+- else {
+- struct bq25890_platform_data *pdata = dev_get_platdata(dev);
+- struct regulator_config cfg = { };
+- struct regulator_dev *reg;
+-
+- cfg.dev = dev;
+- cfg.driver_data = bq;
+- if (pdata)
+- cfg.init_data = pdata->regulator_init_data;
+-
+- reg = devm_regulator_register(dev, &bq25890_vbus_desc, &cfg);
+- if (IS_ERR(reg))
+- return dev_err_probe(dev, PTR_ERR(reg), "registering regulator");
+- }
+-#endif
+
+ ret = bq25890_power_supply_init(bq);
+ if (ret < 0) {
+--
+2.35.1
+
--- /dev/null
+From 48df571f08b013391e9ed53cf55e6ae273f5e41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 10:45:58 +0800
+Subject: power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 97f2b4ddb0aa700d673691a7d5e44d226d22bab7 ]
+
+cw_bat_probe() calls create_singlethread_workqueue() and not checked the
+ret value, which may return NULL. And a null-ptr-deref may happen:
+
+cw_bat_probe()
+ create_singlethread_workqueue() # failed, cw_bat->wq is NULL
+ queue_delayed_work()
+ queue_delayed_work_on()
+ __queue_delayed_work() # warning here, but continue
+ __queue_work() # access wq->flags, null-ptr-deref
+
+Check the ret value and return -ENOMEM if it is NULL.
+
+Fixes: b4c7715c10c1 ("power: supply: add CellWise cw2015 fuel gauge driver")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/cw2015_battery.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/power/supply/cw2015_battery.c b/drivers/power/supply/cw2015_battery.c
+index 6d52641151d9..473522b4326a 100644
+--- a/drivers/power/supply/cw2015_battery.c
++++ b/drivers/power/supply/cw2015_battery.c
+@@ -699,6 +699,9 @@ static int cw_bat_probe(struct i2c_client *client)
+ }
+
+ cw_bat->battery_workqueue = create_singlethread_workqueue("rk_battery");
++ if (!cw_bat->battery_workqueue)
++ return -ENOMEM;
++
+ devm_delayed_work_autocancel(&client->dev,
+ &cw_bat->battery_delay_work, cw_bat_work);
+ queue_delayed_work(cw_bat->battery_workqueue,
+--
+2.35.1
+
--- /dev/null
+From 67aeee3111da558c8ae26e45aaf88aa0f9980722 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Jul 2022 10:58:20 +0800
+Subject: power: supply: cw2015: Use device managed API to simplify the code
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 0cb172a4918e0b180400c3e1b2894641703eab6d ]
+
+Use devm_delayed_work_autocancel() instead of the INIT_DELAYED_WORK() to
+remove the cw_bat_remove() function.
+
+And power_supply_put_battery_info() can also be removed because the
+power_supply_get_battery_info() uses device managed memory allocation.
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Stable-dep-of: 97f2b4ddb0aa ("power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/cw2015_battery.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/power/supply/cw2015_battery.c b/drivers/power/supply/cw2015_battery.c
+index 728e2a6cc9c3..6d52641151d9 100644
+--- a/drivers/power/supply/cw2015_battery.c
++++ b/drivers/power/supply/cw2015_battery.c
+@@ -21,6 +21,7 @@
+ #include <linux/regmap.h>
+ #include <linux/time.h>
+ #include <linux/workqueue.h>
++#include <linux/devm-helpers.h>
+
+ #define CW2015_SIZE_BATINFO 64
+
+@@ -698,7 +699,8 @@ static int cw_bat_probe(struct i2c_client *client)
+ }
+
+ cw_bat->battery_workqueue = create_singlethread_workqueue("rk_battery");
+- INIT_DELAYED_WORK(&cw_bat->battery_delay_work, cw_bat_work);
++ devm_delayed_work_autocancel(&client->dev,
++ &cw_bat->battery_delay_work, cw_bat_work);
+ queue_delayed_work(cw_bat->battery_workqueue,
+ &cw_bat->battery_delay_work, msecs_to_jiffies(10));
+ return 0;
+@@ -725,15 +727,6 @@ static int __maybe_unused cw_bat_resume(struct device *dev)
+
+ static SIMPLE_DEV_PM_OPS(cw_bat_pm_ops, cw_bat_suspend, cw_bat_resume);
+
+-static int cw_bat_remove(struct i2c_client *client)
+-{
+- struct cw_battery *cw_bat = i2c_get_clientdata(client);
+-
+- cancel_delayed_work_sync(&cw_bat->battery_delay_work);
+- power_supply_put_battery_info(cw_bat->rk_bat, cw_bat->battery);
+- return 0;
+-}
+-
+ static const struct i2c_device_id cw_bat_id_table[] = {
+ { "cw2015", 0 },
+ { }
+@@ -752,7 +745,6 @@ static struct i2c_driver cw_bat_driver = {
+ .pm = &cw_bat_pm_ops,
+ },
+ .probe_new = cw_bat_probe,
+- .remove = cw_bat_remove,
+ .id_table = cw_bat_id_table,
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 920c8978cb785e88e61b15b578d1a5df5d531343 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 15:51:53 +0800
+Subject: power: supply: fix null pointer dereferencing in
+ power_supply_get_battery_info
+
+From: ruanjinjie <ruanjinjie@huawei.com>
+
+[ Upstream commit 104bb8a663451404a26331263ce5b96c34504049 ]
+
+when kmalloc() fail to allocate memory in kasprintf(), propname
+will be NULL, strcmp() called by of_get_property() will cause
+null pointer dereference.
+
+So return ENOMEM if kasprintf() return NULL pointer.
+
+Fixes: 3afb50d7125b ("power: supply: core: Add some helpers to use the battery OCV capacity table")
+Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/power_supply_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c
+index 9bae94d2ea3a..01d1ac79d982 100644
+--- a/drivers/power/supply/power_supply_core.c
++++ b/drivers/power/supply/power_supply_core.c
+@@ -750,6 +750,11 @@ int power_supply_get_battery_info(struct power_supply *psy,
+ int i, tab_len, size;
+
+ propname = kasprintf(GFP_KERNEL, "ocv-capacity-table-%d", index);
++ if (!propname) {
++ power_supply_put_battery_info(psy, info);
++ err = -ENOMEM;
++ goto out_put_node;
++ }
+ list = of_get_property(battery_np, propname, &size);
+ if (!list || !size) {
+ dev_err(&psy->dev, "failed to get %s\n", propname);
+--
+2.35.1
+
--- /dev/null
+From 871ac26008c5d667b9826b60a48244cb1ac3c660 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 16:32:19 +0800
+Subject: power: supply: fix residue sysfs file in error handle route of
+ __power_supply_register()
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit 5b79480ce1978864ac3f06f2134dfa3b6691fe74 ]
+
+If device_add() succeeds, we should call device_del() when want to
+get rid of it, so move it into proper jump symbol.
+
+Otherwise, when __power_supply_register() returns fail and goto
+wakeup_init_failed to exit, there is still residue device file in sysfs.
+When attempt to probe device again, sysfs would complain as below:
+
+sysfs: cannot create duplicate filename '/devices/platform/i2c/i2c-0/0-001c/power_supply/adp5061'
+Call Trace:
+ dump_stack_lvl+0x68/0x85
+ sysfs_warn_dup.cold+0x1c/0x29
+ sysfs_create_dir_ns+0x1b1/0x1d0
+ kobject_add_internal+0x143/0x390
+ kobject_add+0x108/0x170
+
+Fixes: 80c6463e2fa3 ("power_supply: Fix Oops from NULL pointer dereference from wakeup_source_activate")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/power_supply_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c
+index 4b5fb172fa99..9bae94d2ea3a 100644
+--- a/drivers/power/supply/power_supply_core.c
++++ b/drivers/power/supply/power_supply_core.c
+@@ -1387,8 +1387,8 @@ __power_supply_register(struct device *parent,
+ register_cooler_failed:
+ psy_unregister_thermal(psy);
+ register_thermal_failed:
+- device_del(dev);
+ wakeup_init_failed:
++ device_del(dev);
+ device_add_failed:
+ check_supplies_failed:
+ dev_set_name_failed:
+--
+2.35.1
+
--- /dev/null
+From 763ce3d2f7b3e30433f480acb46d3a77e292ccf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 09:18:31 +0800
+Subject: power: supply: z2_battery: Fix possible memleak in z2_batt_probe()
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 955bee204f3dd307642c101b75e370662987e735 ]
+
+If devm_gpiod_get_optional() returns error, the charger should be
+freed before z2_batt_probe returns according to the context. We
+fix it by just gotoing to 'err' branch.
+
+Fixes: a3b4388ea19b ("power: supply: z2_battery: Convert to GPIO descriptors")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/z2_battery.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/z2_battery.c b/drivers/power/supply/z2_battery.c
+index 7ed4e4bb26ec..fd33cdf9cf12 100644
+--- a/drivers/power/supply/z2_battery.c
++++ b/drivers/power/supply/z2_battery.c
+@@ -206,10 +206,12 @@ static int z2_batt_probe(struct i2c_client *client,
+
+ charger->charge_gpiod = devm_gpiod_get_optional(&client->dev,
+ NULL, GPIOD_IN);
+- if (IS_ERR(charger->charge_gpiod))
+- return dev_err_probe(&client->dev,
++ if (IS_ERR(charger->charge_gpiod)) {
++ ret = dev_err_probe(&client->dev,
+ PTR_ERR(charger->charge_gpiod),
+ "failed to get charge GPIO\n");
++ goto err;
++ }
+
+ if (charger->charge_gpiod) {
+ gpiod_set_consumer_name(charger->charge_gpiod, "BATT CHRG");
+--
+2.35.1
+
--- /dev/null
+From 65e3fe3fbc1348191968c6c4f0502c20ec2f660d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Jan 2022 08:16:04 +0100
+Subject: powerpc/52xx: Fix a resource leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 5836947613ef33d311b4eff6a32d019580a214f5 ]
+
+The error handling path of mpc52xx_lpbfifo_probe() has a request_irq()
+that is not balanced by a corresponding free_irq().
+
+Add the missing call, as already done in the remove function.
+
+Fixes: 3c9059d79f5e ("powerpc/5200: add LocalPlus bus FIFO device driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/dec1496d46ccd5311d0f6e9f9ca4238be11bf6a6.1643440531.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
+index 48038aaedbd3..2875c206ac0f 100644
+--- a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
++++ b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
+@@ -531,6 +531,7 @@ static int mpc52xx_lpbfifo_probe(struct platform_device *op)
+ err_bcom_rx_irq:
+ bcom_gen_bd_rx_release(lpbfifo.bcom_rx_task);
+ err_bcom_rx:
++ free_irq(lpbfifo.irq, &lpbfifo);
+ err_irq:
+ iounmap(lpbfifo.regs);
+ lpbfifo.regs = NULL;
+--
+2.35.1
+
--- /dev/null
+From af589a0d7feaed2ee035026ebfa8ce186de0e2c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 19:16:26 +0800
+Subject: powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in
+ of_fsl_spi_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4d0eea415216fe3791da2f65eb41399e70c7bedf ]
+
+If platform_device_add() is not called or failed, it can not call
+platform_device_del() to clean up memory, it should call
+platform_device_put() in error case.
+
+Fixes: 26f6cb999366 ("[POWERPC] fsl_soc: add support for fsl_spi")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221029111626.429971-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/83xx/mpc832x_rdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/83xx/mpc832x_rdb.c b/arch/powerpc/platforms/83xx/mpc832x_rdb.c
+index bb8caa5071f8..dddb5c6f8120 100644
+--- a/arch/powerpc/platforms/83xx/mpc832x_rdb.c
++++ b/arch/powerpc/platforms/83xx/mpc832x_rdb.c
+@@ -107,7 +107,7 @@ static int __init of_fsl_spi_probe(char *type, char *compatible, u32 sysclk,
+
+ goto next;
+ unreg:
+- platform_device_del(pdev);
++ platform_device_put(pdev);
+ err:
+ pr_err("%pOF: registration failed\n", np);
+ next:
+--
+2.35.1
+
--- /dev/null
+From 663b528ff261d85d0f399a8307543ae0e2023740 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 16:22:39 -0400
+Subject: powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit 36926a7d70c2d462fca1ed85bfee000d17fd8662 ]
+
+On the T208X SoCs, MAC1 and MAC2 support XGMII. Add some new MAC dtsi
+fragments, and mark the QMAN ports as 10G.
+
+Fixes: da414bb923d9 ("powerpc/mpc85xx: Add FSL QorIQ DPAA FMan support to the SoC device tree(s)")
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi | 44 +++++++++++++++++++
+ .../boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi | 44 +++++++++++++++++++
+ arch/powerpc/boot/dts/fsl/t2081si-post.dtsi | 4 +-
+ 3 files changed, 90 insertions(+), 2 deletions(-)
+ create mode 100644 arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi
+ create mode 100644 arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi
+
+diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi
+new file mode 100644
+index 000000000000..437dab3fc017
+--- /dev/null
++++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi
+@@ -0,0 +1,44 @@
++// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
++/*
++ * QorIQ FMan v3 10g port #2 device tree stub [ controller @ offset 0x400000 ]
++ *
++ * Copyright 2022 Sean Anderson <sean.anderson@seco.com>
++ * Copyright 2012 - 2015 Freescale Semiconductor Inc.
++ */
++
++fman@400000 {
++ fman0_rx_0x08: port@88000 {
++ cell-index = <0x8>;
++ compatible = "fsl,fman-v3-port-rx";
++ reg = <0x88000 0x1000>;
++ fsl,fman-10g-port;
++ };
++
++ fman0_tx_0x28: port@a8000 {
++ cell-index = <0x28>;
++ compatible = "fsl,fman-v3-port-tx";
++ reg = <0xa8000 0x1000>;
++ fsl,fman-10g-port;
++ };
++
++ ethernet@e0000 {
++ cell-index = <0>;
++ compatible = "fsl,fman-memac";
++ reg = <0xe0000 0x1000>;
++ fsl,fman-ports = <&fman0_rx_0x08 &fman0_tx_0x28>;
++ ptp-timer = <&ptp_timer0>;
++ pcsphy-handle = <&pcsphy0>;
++ };
++
++ mdio@e1000 {
++ #address-cells = <1>;
++ #size-cells = <0>;
++ compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio";
++ reg = <0xe1000 0x1000>;
++ fsl,erratum-a011043; /* must ignore read errors */
++
++ pcsphy0: ethernet-phy@0 {
++ reg = <0x0>;
++ };
++ };
++};
+diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi
+new file mode 100644
+index 000000000000..ad116b17850a
+--- /dev/null
++++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi
+@@ -0,0 +1,44 @@
++// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
++/*
++ * QorIQ FMan v3 10g port #3 device tree stub [ controller @ offset 0x400000 ]
++ *
++ * Copyright 2022 Sean Anderson <sean.anderson@seco.com>
++ * Copyright 2012 - 2015 Freescale Semiconductor Inc.
++ */
++
++fman@400000 {
++ fman0_rx_0x09: port@89000 {
++ cell-index = <0x9>;
++ compatible = "fsl,fman-v3-port-rx";
++ reg = <0x89000 0x1000>;
++ fsl,fman-10g-port;
++ };
++
++ fman0_tx_0x29: port@a9000 {
++ cell-index = <0x29>;
++ compatible = "fsl,fman-v3-port-tx";
++ reg = <0xa9000 0x1000>;
++ fsl,fman-10g-port;
++ };
++
++ ethernet@e2000 {
++ cell-index = <1>;
++ compatible = "fsl,fman-memac";
++ reg = <0xe2000 0x1000>;
++ fsl,fman-ports = <&fman0_rx_0x09 &fman0_tx_0x29>;
++ ptp-timer = <&ptp_timer0>;
++ pcsphy-handle = <&pcsphy1>;
++ };
++
++ mdio@e3000 {
++ #address-cells = <1>;
++ #size-cells = <0>;
++ compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio";
++ reg = <0xe3000 0x1000>;
++ fsl,erratum-a011043; /* must ignore read errors */
++
++ pcsphy1: ethernet-phy@0 {
++ reg = <0x0>;
++ };
++ };
++};
+diff --git a/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi b/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi
+index ecbb447920bc..74e17e134387 100644
+--- a/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi
++++ b/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi
+@@ -609,8 +609,8 @@ usb1: usb@211000 {
+ /include/ "qoriq-bman1.dtsi"
+
+ /include/ "qoriq-fman3-0.dtsi"
+-/include/ "qoriq-fman3-0-1g-0.dtsi"
+-/include/ "qoriq-fman3-0-1g-1.dtsi"
++/include/ "qoriq-fman3-0-10g-2.dtsi"
++/include/ "qoriq-fman3-0-10g-3.dtsi"
+ /include/ "qoriq-fman3-0-1g-2.dtsi"
+ /include/ "qoriq-fman3-0-1g-3.dtsi"
+ /include/ "qoriq-fman3-0-1g-4.dtsi"
+--
+2.35.1
+
--- /dev/null
+From 90205bff702467f541161b3e37e2c07030645d9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 14:39:01 +0200
+Subject: powerpc: dts: turris1x.dts: Add channel labels for temperature sensor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 67bbb62f61e810734da0a1577a9802ddaed24140 ]
+
+Channel 0 of SA56004ED chip refers to internal SA56004ED chip sensor (chip
+itself is located on the board) and channel 1 of SA56004ED chip refers to
+external sensor which is connected to temperature diode of the P2020 CPU.
+
+Fixes: 54c15ec3b738 ("powerpc: dts: Add DTS file for CZ.NIC Turris 1.x routers")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220930123901.10251-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/dts/turris1x.dts | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/arch/powerpc/boot/dts/turris1x.dts b/arch/powerpc/boot/dts/turris1x.dts
+index 045af668e928..e9cda34a140e 100644
+--- a/arch/powerpc/boot/dts/turris1x.dts
++++ b/arch/powerpc/boot/dts/turris1x.dts
+@@ -69,6 +69,20 @@ temperature-sensor@4c {
+ interrupt-parent = <&gpio>;
+ interrupts = <12 IRQ_TYPE_LEVEL_LOW>, /* GPIO12 - ALERT pin */
+ <13 IRQ_TYPE_LEVEL_LOW>; /* GPIO13 - CRIT pin */
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ /* Local temperature sensor (SA56004ED internal) */
++ channel@0 {
++ reg = <0>;
++ label = "board";
++ };
++
++ /* Remote temperature sensor (D+/D- connected to P2020 CPU Temperature Diode) */
++ channel@1 {
++ reg = <1>;
++ label = "cpu";
++ };
+ };
+
+ /* DDR3 SPD/EEPROM */
+--
+2.35.1
+
--- /dev/null
+From 08613e400355b88146243d90ab533f5d8ed2b460 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 23:15:13 +0530
+Subject: powerpc/hv-gpci: Fix hv_gpci event list
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 03f7c1d2a49acd30e38789cd809d3300721e9b0e ]
+
+Based on getPerfCountInfo v1.018 documentation, some of the
+hv_gpci events were deprecated for platform firmware that
+supports counter_info_version 0x8 or above.
+
+Fix the hv_gpci event list by adding a new attribute group
+called "hv_gpci_event_attrs_v6" and a "ENABLE_EVENTS_COUNTERINFO_V6"
+macro to enable these events for platform firmware
+that supports counter_info_version 0x6 or below. And assigning
+the hv_gpci event list based on output counter info version
+of underlying plaform.
+
+Fixes: 97bf2640184f ("powerpc/perf/hv-gpci: add the remaining gpci requests")
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Reviewed-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Reviewed-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221130174513.87501-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/hv-gpci-requests.h | 4 ++++
+ arch/powerpc/perf/hv-gpci.c | 35 ++++++++++++++++++++++++++--
+ arch/powerpc/perf/hv-gpci.h | 1 +
+ arch/powerpc/perf/req-gen/perf.h | 20 ++++++++++++++++
+ 4 files changed, 58 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h
+index 8965b4463d43..5e86371a20c7 100644
+--- a/arch/powerpc/perf/hv-gpci-requests.h
++++ b/arch/powerpc/perf/hv-gpci-requests.h
+@@ -79,6 +79,7 @@ REQUEST(__field(0, 8, partition_id)
+ )
+ #include I(REQUEST_END)
+
++#ifdef ENABLE_EVENTS_COUNTERINFO_V6
+ /*
+ * Not available for counter_info_version >= 0x8, use
+ * run_instruction_cycles_by_partition(0x100) instead.
+@@ -92,6 +93,7 @@ REQUEST(__field(0, 8, partition_id)
+ __count(0x10, 8, cycles)
+ )
+ #include I(REQUEST_END)
++#endif
+
+ #define REQUEST_NAME system_performance_capabilities
+ #define REQUEST_NUM 0x40
+@@ -103,6 +105,7 @@ REQUEST(__field(0, 1, perf_collect_privileged)
+ )
+ #include I(REQUEST_END)
+
++#ifdef ENABLE_EVENTS_COUNTERINFO_V6
+ #define REQUEST_NAME processor_bus_utilization_abc_links
+ #define REQUEST_NUM 0x50
+ #define REQUEST_IDX_KIND "hw_chip_id=?"
+@@ -194,6 +197,7 @@ REQUEST(__field(0, 4, phys_processor_idx)
+ __count(0x28, 8, instructions_completed)
+ )
+ #include I(REQUEST_END)
++#endif
+
+ /* Processor_core_power_mode (0x95) skipped, no counters */
+ /* Affinity_domain_information_by_virtual_processor (0xA0) skipped,
+diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c
+index 5eb60ed5b5e8..7ff8ff3509f5 100644
+--- a/arch/powerpc/perf/hv-gpci.c
++++ b/arch/powerpc/perf/hv-gpci.c
+@@ -70,9 +70,9 @@ static const struct attribute_group format_group = {
+ .attrs = format_attrs,
+ };
+
+-static const struct attribute_group event_group = {
++static struct attribute_group event_group = {
+ .name = "events",
+- .attrs = hv_gpci_event_attrs,
++ /* .attrs is set in init */
+ };
+
+ #define HV_CAPS_ATTR(_name, _format) \
+@@ -330,6 +330,7 @@ static int hv_gpci_init(void)
+ int r;
+ unsigned long hret;
+ struct hv_perf_caps caps;
++ struct hv_gpci_request_buffer *arg;
+
+ hv_gpci_assert_offsets_correct();
+
+@@ -353,6 +354,36 @@ static int hv_gpci_init(void)
+ /* sampling not supported */
+ h_gpci_pmu.capabilities |= PERF_PMU_CAP_NO_INTERRUPT;
+
++ arg = (void *)get_cpu_var(hv_gpci_reqb);
++ memset(arg, 0, HGPCI_REQ_BUFFER_SIZE);
++
++ /*
++ * hcall H_GET_PERF_COUNTER_INFO populates the output
++ * counter_info_version value based on the system hypervisor.
++ * Pass the counter request 0x10 corresponds to request type
++ * 'Dispatch_timebase_by_processor', to get the supported
++ * counter_info_version.
++ */
++ arg->params.counter_request = cpu_to_be32(0x10);
++
++ r = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO,
++ virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE);
++ if (r) {
++ pr_devel("hcall failed, can't get supported counter_info_version: 0x%x\n", r);
++ arg->params.counter_info_version_out = 0x8;
++ }
++
++ /*
++ * Use counter_info_version_out value to assign
++ * required hv-gpci event list.
++ */
++ if (arg->params.counter_info_version_out >= 0x8)
++ event_group.attrs = hv_gpci_event_attrs;
++ else
++ event_group.attrs = hv_gpci_event_attrs_v6;
++
++ put_cpu_var(hv_gpci_reqb);
++
+ r = perf_pmu_register(&h_gpci_pmu, h_gpci_pmu.name, -1);
+ if (r)
+ return r;
+diff --git a/arch/powerpc/perf/hv-gpci.h b/arch/powerpc/perf/hv-gpci.h
+index 4d108262bed7..c72020912dea 100644
+--- a/arch/powerpc/perf/hv-gpci.h
++++ b/arch/powerpc/perf/hv-gpci.h
+@@ -26,6 +26,7 @@ enum {
+ #define REQUEST_FILE "../hv-gpci-requests.h"
+ #define NAME_LOWER hv_gpci
+ #define NAME_UPPER HV_GPCI
++#define ENABLE_EVENTS_COUNTERINFO_V6
+ #include "req-gen/perf.h"
+ #undef REQUEST_FILE
+ #undef NAME_LOWER
+diff --git a/arch/powerpc/perf/req-gen/perf.h b/arch/powerpc/perf/req-gen/perf.h
+index fa9bc804e67a..6b2a59fefffa 100644
+--- a/arch/powerpc/perf/req-gen/perf.h
++++ b/arch/powerpc/perf/req-gen/perf.h
+@@ -139,6 +139,26 @@ PMU_EVENT_ATTR_STRING( \
+ #define REQUEST_(r_name, r_value, r_idx_1, r_fields) \
+ r_fields
+
++/* Generate event list for platforms with counter_info_version 0x6 or below */
++static __maybe_unused struct attribute *hv_gpci_event_attrs_v6[] = {
++#include REQUEST_FILE
++ NULL
++};
++
++/*
++ * Based on getPerfCountInfo v1.018 documentation, some of the hv-gpci
++ * events were deprecated for platform firmware that supports
++ * counter_info_version 0x8 or above.
++ * Those deprecated events are still part of platform firmware that
++ * support counter_info_version 0x6 and below. As per the getPerfCountInfo
++ * v1.018 documentation there is no counter_info_version 0x7.
++ * Undefining macro ENABLE_EVENTS_COUNTERINFO_V6, to disable the addition of
++ * deprecated events in "hv_gpci_event_attrs" attribute group, for platforms
++ * that supports counter_info_version 0x8 or above.
++ */
++#undef ENABLE_EVENTS_COUNTERINFO_V6
++
++/* Generate event list for platforms with counter_info_version 0x8 or above*/
+ static __maybe_unused struct attribute *hv_gpci_event_attrs[] = {
+ #include REQUEST_FILE
+ NULL
+--
+2.35.1
+
--- /dev/null
+From e5db69d45bc051628c1c766701658f46ae317637 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Nov 2022 22:49:28 +1000
+Subject: powerpc/perf: callchain validate kernel stack pointer bounds
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 32c5209214bd8d4f8c4e9d9b630ef4c671f58e79 ]
+
+The interrupt frame detection and loads from the hypothetical pt_regs
+are not bounds-checked. The next-frame validation only bounds-checks
+STACK_FRAME_OVERHEAD, which does not include the pt_regs. Add another
+test for this.
+
+The user could set r1 to be equal to the address matching the first
+interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page
+due to the kernel redzone, and induce the kernel to load the marker from
+there. Possibly this could cause a crash at least. If the user could
+induce the previous page to contain a valid marker, then it might be
+able to direct perf to read specific memory addresses in a way that
+could be transmitted back to the user in the perf data.
+
+Fixes: 20002ded4d93 ("perf_counter: powerpc: Add callchain support")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221127124942.1665522-4-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/callchain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c
+index 082f6d0308a4..8718289c051d 100644
+--- a/arch/powerpc/perf/callchain.c
++++ b/arch/powerpc/perf/callchain.c
+@@ -61,6 +61,7 @@ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *re
+ next_sp = fp[0];
+
+ if (next_sp == sp + STACK_INT_FRAME_SIZE &&
++ validate_sp(sp, current, STACK_INT_FRAME_SIZE) &&
+ fp[STACK_FRAME_MARKER] == STACK_FRAME_REGS_MARKER) {
+ /*
+ * This looks like an interrupt frame for an
+--
+2.35.1
+
--- /dev/null
+From 57b4b360db1f22346b580819394a6622a291dcb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 09:07:43 -0600
+Subject: powerpc/pseries/eeh: use correct API for error log size
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit 9aafbfa5f57a4b75bafd3bed0191e8429c5fa618 ]
+
+rtas-error-log-max is not the name of an RTAS function, so rtas_token()
+is not the appropriate API for retrieving its value. We already have
+rtas_get_error_log_max() which returns a sensible value if the property
+is absent for any reason, so use that instead.
+
+Fixes: 8d633291b4fc ("powerpc/eeh: pseries platform EEH error log retrieval")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+[mpe: Drop no-longer possible error handling as noticed by ajd]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221118150751.469393-6-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/eeh_pseries.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c
+index 8e40ccac0f44..e5a58a9b2fe9 100644
+--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
+@@ -848,16 +848,7 @@ static int __init eeh_pseries_init(void)
+ }
+
+ /* Initialize error log size */
+- eeh_error_buf_size = rtas_token("rtas-error-log-max");
+- if (eeh_error_buf_size == RTAS_UNKNOWN_SERVICE) {
+- pr_info("%s: unknown EEH error log size\n",
+- __func__);
+- eeh_error_buf_size = 1024;
+- } else if (eeh_error_buf_size > RTAS_ERROR_LOG_MAX) {
+- pr_info("%s: EEH error log size %d exceeds the maximal %d\n",
+- __func__, eeh_error_buf_size, RTAS_ERROR_LOG_MAX);
+- eeh_error_buf_size = RTAS_ERROR_LOG_MAX;
+- }
++ eeh_error_buf_size = rtas_get_error_log_max();
+
+ /* Set EEH probe mode */
+ eeh_add_flag(EEH_PROBE_MODE_DEVTREE | EEH_ENABLE_IO_FOR_LOG);
+--
+2.35.1
+
--- /dev/null
+From de21473426e5353fc1817698bd7603f989467e36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Nov 2022 15:58:39 -0500
+Subject: powerpc/pseries: fix plpks_read_var() code for different consumers
+
+From: Nayna Jain <nayna@linux.ibm.com>
+
+[ Upstream commit 1f622f3f80cbf8999ff5955a2fcfbd801a1f32e0 ]
+
+Even though plpks_read_var() is currently called to read variables
+owned by different consumers, it internally supports only OS consumer.
+
+Fix plpks_read_var() to handle different consumers correctly.
+
+Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore")
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221106205839.600442-7-nayna@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/plpks.c | 28 +++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c
+index cbea447122ca..63a1e1fe0185 100644
+--- a/arch/powerpc/platforms/pseries/plpks.c
++++ b/arch/powerpc/platforms/pseries/plpks.c
+@@ -366,22 +366,24 @@ static int plpks_read_var(u8 consumer, struct plpks_var *var)
+ {
+ unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 };
+ struct plpks_auth *auth;
+- struct label *label;
++ struct label *label = NULL;
+ u8 *output;
+ int rc;
+
+ if (var->namelen > MAX_NAME_SIZE)
+ return -EINVAL;
+
+- auth = construct_auth(PKS_OS_OWNER);
++ auth = construct_auth(consumer);
+ if (IS_ERR(auth))
+ return PTR_ERR(auth);
+
+- label = construct_label(var->component, var->os, var->name,
+- var->namelen);
+- if (IS_ERR(label)) {
+- rc = PTR_ERR(label);
+- goto out_free_auth;
++ if (consumer == PKS_OS_OWNER) {
++ label = construct_label(var->component, var->os, var->name,
++ var->namelen);
++ if (IS_ERR(label)) {
++ rc = PTR_ERR(label);
++ goto out_free_auth;
++ }
+ }
+
+ output = kzalloc(maxobjsize, GFP_KERNEL);
+@@ -390,9 +392,15 @@ static int plpks_read_var(u8 consumer, struct plpks_var *var)
+ goto out_free_label;
+ }
+
+- rc = plpar_hcall(H_PKS_READ_OBJECT, retbuf, virt_to_phys(auth),
+- virt_to_phys(label), label->size, virt_to_phys(output),
+- maxobjsize);
++ if (consumer == PKS_OS_OWNER)
++ rc = plpar_hcall(H_PKS_READ_OBJECT, retbuf, virt_to_phys(auth),
++ virt_to_phys(label), label->size, virt_to_phys(output),
++ maxobjsize);
++ else
++ rc = plpar_hcall(H_PKS_READ_OBJECT, retbuf, virt_to_phys(auth),
++ virt_to_phys(var->name), var->namelen, virt_to_phys(output),
++ maxobjsize);
++
+
+ if (rc != H_SUCCESS) {
+ pr_err("Failed to read variable %s for component %s with error %d\n",
+--
+2.35.1
+
--- /dev/null
+From d3c669332781fd2818feb7b2683b27d46cbef1bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Nov 2022 15:58:35 -0500
+Subject: powerpc/pseries: Fix the H_CALL error code in PLPKS driver
+
+From: Nayna Jain <nayna@linux.ibm.com>
+
+[ Upstream commit af223e1728c448073d1e12fe464bf344310edeba ]
+
+PAPR Spec defines H_P1 actually as H_PARAMETER and maps H_ABORTED to
+a different numerical value.
+
+Fix the error codes as per PAPR Specification.
+
+Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore")
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221106205839.600442-3-nayna@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/hvcall.h | 3 +--
+ arch/powerpc/platforms/pseries/plpks.c | 2 +-
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
+index 8abae463f6c1..95fd7f9485d5 100644
+--- a/arch/powerpc/include/asm/hvcall.h
++++ b/arch/powerpc/include/asm/hvcall.h
+@@ -79,7 +79,7 @@
+ #define H_NOT_ENOUGH_RESOURCES -44
+ #define H_R_STATE -45
+ #define H_RESCINDED -46
+-#define H_P1 -54
++#define H_ABORTED -54
+ #define H_P2 -55
+ #define H_P3 -56
+ #define H_P4 -57
+@@ -100,7 +100,6 @@
+ #define H_COP_HW -74
+ #define H_STATE -75
+ #define H_IN_USE -77
+-#define H_ABORTED -78
+ #define H_UNSUPPORTED_FLAG_START -256
+ #define H_UNSUPPORTED_FLAG_END -511
+ #define H_MULTI_THREADS_ACTIVE -9005
+diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c
+index f4b5b5a64db3..32ce4d780d8f 100644
+--- a/arch/powerpc/platforms/pseries/plpks.c
++++ b/arch/powerpc/platforms/pseries/plpks.c
+@@ -75,7 +75,7 @@ static int pseries_status_to_err(int rc)
+ case H_FUNCTION:
+ err = -ENXIO;
+ break;
+- case H_P1:
++ case H_PARAMETER:
+ case H_P2:
+ case H_P3:
+ case H_P4:
+--
+2.35.1
+
--- /dev/null
+From 82ffd1b8167a5f4b4ae597b6bf4ddb65671d60f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Nov 2022 15:58:34 -0500
+Subject: powerpc/pseries: fix the object owners enum value in plpks driver
+
+From: Nayna Jain <nayna@linux.ibm.com>
+
+[ Upstream commit 2330757e0be0acad88852e211dcd6106390a729b ]
+
+OS_VAR_LINUX enum in PLPKS driver should be 0x02 instead of 0x01.
+
+Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore")
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221106205839.600442-2-nayna@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/plpks.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/plpks.h b/arch/powerpc/platforms/pseries/plpks.h
+index c6a291367bb1..275ccd86bfb5 100644
+--- a/arch/powerpc/platforms/pseries/plpks.h
++++ b/arch/powerpc/platforms/pseries/plpks.h
+@@ -17,7 +17,7 @@
+ #define WORLDREADABLE 0x08000000
+ #define SIGNEDUPDATE 0x01000000
+
+-#define PLPKS_VAR_LINUX 0x01
++#define PLPKS_VAR_LINUX 0x02
+ #define PLPKS_VAR_COMMON 0x04
+
+ struct plpks_var {
+--
+2.35.1
+
--- /dev/null
+From 3184595f5309ea188132a4b45169e88b528827e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Nov 2022 15:58:36 -0500
+Subject: powerpc/pseries: Return -EIO instead of -EINTR for H_ABORTED error
+
+From: Nayna Jain <nayna@linux.ibm.com>
+
+[ Upstream commit bb8e4c7cb759b90a04f2e94056b50288ff46a0ed ]
+
+Some commands for eg. "cat" might continue to retry on encountering
+EINTR. This is not expected for original error code H_ABORTED.
+
+Map H_ABORTED to more relevant Linux error code EIO.
+
+Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore")
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221106205839.600442-4-nayna@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/plpks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c
+index 32ce4d780d8f..cbea447122ca 100644
+--- a/arch/powerpc/platforms/pseries/plpks.c
++++ b/arch/powerpc/platforms/pseries/plpks.c
+@@ -111,7 +111,7 @@ static int pseries_status_to_err(int rc)
+ err = -EEXIST;
+ break;
+ case H_ABORTED:
+- err = -EINTR;
++ err = -EIO;
+ break;
+ default:
+ err = -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From e4a8bb3618819630c20745cba9c9c776c3e8de1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 11:23:33 +0800
+Subject: powerpc/xive: add missing iounmap() in error path in
+ xive_spapr_populate_irq_data()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8b49670f3bb3f10cd4d5a6dca17f5a31b173ecdc ]
+
+If remapping 'data->trig_page' fails, the 'data->eoi_mmio' need be unmapped
+before returning from xive_spapr_populate_irq_data().
+
+Fixes: eac1e731b59e ("powerpc/xive: guest exploitation of the XIVE interrupt controller")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221017032333.1852406-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xive/spapr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c
+index e2c8f93b535b..e45419264391 100644
+--- a/arch/powerpc/sysdev/xive/spapr.c
++++ b/arch/powerpc/sysdev/xive/spapr.c
+@@ -439,6 +439,7 @@ static int xive_spapr_populate_irq_data(u32 hw_irq, struct xive_irq_data *data)
+
+ data->trig_mmio = ioremap(data->trig_page, 1u << data->esb_shift);
+ if (!data->trig_mmio) {
++ iounmap(data->eoi_mmio);
+ pr_err("Failed to map trigger page for irq 0x%x\n", hw_irq);
+ return -ENOMEM;
+ }
+--
+2.35.1
+
--- /dev/null
+From 4886d4f8134f8676b06f969b2130ded2a7b790fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 15:15:04 +0100
+Subject: powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 1c4a4a4c8410be4a231a58b23e7a30923ff954ac ]
+
+When building with automatic stack variable initialization, GCC 12
+complains about variables defined outside of switch case statements.
+Move the variable into the case that uses it, which silences the warning:
+
+arch/powerpc/xmon/xmon.c: In function ‘bpt_cmds’:
+arch/powerpc/xmon/xmon.c:1529:13: warning: statement will never be executed [-Wswitch-unreachable]
+ 1529 | int mode;
+ | ^~~~
+
+Fixes: 09b6c1129f89 ("powerpc/xmon: Fix compile error with PPC_8xx=y")
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/YySE6FHiOcbWWR+9@work
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/xmon/xmon.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 26ef3388c24c..df91dfc7ff72 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -1525,9 +1525,9 @@ bpt_cmds(void)
+ cmd = inchar();
+
+ switch (cmd) {
+- static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
+- int mode;
+- case 'd': /* bd - hardware data breakpoint */
++ case 'd': { /* bd - hardware data breakpoint */
++ static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
++ int mode;
+ if (xmon_is_ro) {
+ printf(xmon_ro_msg);
+ break;
+@@ -1560,6 +1560,7 @@ bpt_cmds(void)
+
+ force_enable_xmon();
+ break;
++ }
+
+ case 'i': /* bi - hardware instr breakpoint */
+ if (xmon_is_ro) {
+--
+2.35.1
+
--- /dev/null
+From 0b6f5cc2a9913d0e042e032778ddac4fbd196d90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 10:29:13 -0800
+Subject: ppp: associate skb with a device at tx
+
+From: Stanislav Fomichev <sdf@google.com>
+
+[ Upstream commit 9f225444467b98579cf28d94f4ad053460dfdb84 ]
+
+Syzkaller triggered flow dissector warning with the following:
+
+r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0)
+ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0))
+ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]})
+pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0)
+
+[ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0
+[ 9.485929] skb_get_poff+0x53/0xa0
+[ 9.485937] bpf_skb_get_pay_offset+0xe/0x20
+[ 9.485944] ? ppp_send_frame+0xc2/0x5b0
+[ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60
+[ 9.485958] ? __ppp_xmit_process+0x7a/0xe0
+[ 9.485968] ? ppp_xmit_process+0x5b/0xb0
+[ 9.485974] ? ppp_write+0x12a/0x190
+[ 9.485981] ? do_iter_write+0x18e/0x2d0
+[ 9.485987] ? __import_iovec+0x30/0x130
+[ 9.485997] ? do_pwritev+0x1b6/0x240
+[ 9.486016] ? trace_hardirqs_on+0x47/0x50
+[ 9.486023] ? __x64_sys_pwritev+0x24/0x30
+[ 9.486026] ? do_syscall_64+0x3d/0x80
+[ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Flow dissector tries to find skb net namespace either via device
+or via socket. Neigher is set in ppp_send_frame, so let's manually
+use ppp->dev.
+
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: linux-ppp@vger.kernel.org
+Reported-by: syzbot+41cab52ab62ee99ed24a@syzkaller.appspotmail.com
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 9206c660a72e..d4c821c8cf57 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1743,6 +1743,8 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+ int len;
+ unsigned char *cp;
+
++ skb->dev = ppp->dev;
++
+ if (proto < 0x8000) {
+ #ifdef CONFIG_PPP_FILTER
+ /* check if we should pass this packet */
+--
+2.35.1
+
--- /dev/null
+From 0bde64d28d7c8731fcd5eb47aafd12952197737d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 21:08:09 +0300
+Subject: proc: fixup uptime selftest
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit 5cc81d5c81af0dee54da9a67a3ebe4be076a13db ]
+
+syscall(3) returns -1 and sets errno on error, unlike "syscall"
+instruction.
+
+Systems which have <= 32/64 CPUs are unaffected. Test won't bounce
+to all CPUs before completing if there are more of them.
+
+Link: https://lkml.kernel.org/r/Y1bUiT7VRXlXPQa1@p183
+Fixes: 1f5bd0547654 ("proc: selftests: test /proc/uptime")
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/proc/proc-uptime-002.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/proc/proc-uptime-002.c b/tools/testing/selftests/proc/proc-uptime-002.c
+index e7ceabed7f51..7d0aa22bdc12 100644
+--- a/tools/testing/selftests/proc/proc-uptime-002.c
++++ b/tools/testing/selftests/proc/proc-uptime-002.c
+@@ -17,6 +17,7 @@
+ // while shifting across CPUs.
+ #undef NDEBUG
+ #include <assert.h>
++#include <errno.h>
+ #include <unistd.h>
+ #include <sys/syscall.h>
+ #include <stdlib.h>
+@@ -54,7 +55,7 @@ int main(void)
+ len += sizeof(unsigned long);
+ free(m);
+ m = malloc(len);
+- } while (sys_sched_getaffinity(0, len, m) == -EINVAL);
++ } while (sys_sched_getaffinity(0, len, m) == -1 && errno == EINVAL);
+
+ fd = open("/proc/uptime", O_RDONLY);
+ assert(fd >= 0);
+--
+2.35.1
+
--- /dev/null
+From 07ec41ca279cdec9827a265d814dfe912f29efca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 15:31:36 -0800
+Subject: pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit e6b842741b4f39007215fd7e545cb55aa3d358a2 ]
+
+An oops can be induced by running 'cat /proc/kcore > /dev/null' on
+devices using pstore with the ram backend because kmap_atomic() assumes
+lowmem pages are accessible with __va().
+
+ Unable to handle kernel paging request at virtual address ffffff807ff2b000
+ Mem abort info:
+ ESR = 0x96000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x06: level 2 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+ swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000
+ [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000
+ Internal error: Oops: 96000006 [#1] PREEMPT SMP
+ Modules linked in: dm_integrity
+ CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba
+ Hardware name: Google Lazor (rev3 - 8) (DT)
+ pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : __memcpy+0x110/0x260
+ lr : vread+0x194/0x294
+ sp : ffffffc013ee39d0
+ x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000
+ x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000
+ x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000
+ x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60
+ x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001
+ x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b
+ x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000
+ x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78
+ x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000
+ Call trace:
+ __memcpy+0x110/0x260
+ read_kcore+0x584/0x778
+ proc_reg_read+0xb4/0xe4
+
+During early boot, memblock reserves the pages for the ramoops reserved
+memory node in DT that would otherwise be part of the direct lowmem
+mapping. Pstore's ram backend reuses those reserved pages to change the
+memory type (writeback or non-cached) by passing the pages to vmap()
+(see pfn_to_page() usage in persistent_ram_vmap() for more details) with
+specific flags. When read_kcore() starts iterating over the vmalloc
+region, it runs over the virtual address that vmap() returned for
+ramoops. In aligned_vread() the virtual address is passed to
+vmalloc_to_page() which returns the page struct for the reserved lowmem
+area. That lowmem page is passed to kmap_atomic(), which effectively
+calls page_to_virt() that assumes a lowmem page struct must be directly
+accessible with __va() and friends. These pages are mapped via vmap()
+though, and the lowmem mapping was never made, so accessing them via the
+lowmem virtual address oopses like above.
+
+Let's side-step this problem by passing VM_IOREMAP to vmap(). This will
+tell vread() to not include the ramoops region in the kcore. Instead the
+area will look like a bunch of zeros. The alternative is to teach kmap()
+about vmalloc areas that intersect with lowmem. Presumably such a change
+isn't a one-liner, and there isn't much interest in inspecting the
+ramoops region in kcore files anyway, so the most expedient route is
+taken for now.
+
+Cc: Brian Geffon <bgeffon@google.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221205233136.3420802-1-swboyd@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/ram_core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
+index a89e33719fcf..8bf09886e7e6 100644
+--- a/fs/pstore/ram_core.c
++++ b/fs/pstore/ram_core.c
+@@ -439,7 +439,11 @@ static void *persistent_ram_vmap(phys_addr_t start, size_t size,
+ phys_addr_t addr = page_start + i * PAGE_SIZE;
+ pages[i] = pfn_to_page(addr >> PAGE_SHIFT);
+ }
+- vaddr = vmap(pages, page_count, VM_MAP, prot);
++ /*
++ * VM_IOREMAP used here to bypass this region during vread()
++ * and kmap_atomic() (i.e. kcore) to avoid __va() failures.
++ */
++ vaddr = vmap(pages, page_count, VM_MAP | VM_IOREMAP, prot);
+ kfree(pages);
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 535432b7a3ad57d20f6f4483f4779113f5cd6c34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 16:22:54 +0800
+Subject: pstore/ram: Fix error return code in ramoops_probe()
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit e1fce564900f8734edf15b87f028c57e14f6e28d ]
+
+In the if (dev_of_node(dev) && !pdata) path, the "err" may be assigned a
+value of 0, so the error return code -EINVAL may be incorrectly set
+to 0. To fix set valid return code before calling to goto.
+
+Fixes: 35da60941e44 ("pstore/ram: add Device Tree bindings")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/1669969374-46582-1-git-send-email-wangyufen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/ram.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
+index fefe3d391d3a..74e4d93f3e08 100644
+--- a/fs/pstore/ram.c
++++ b/fs/pstore/ram.c
+@@ -735,6 +735,7 @@ static int ramoops_probe(struct platform_device *pdev)
+ /* Make sure we didn't get bogus platform data pointer. */
+ if (!pdata) {
+ pr_err("NULL platform data\n");
++ err = -EINVAL;
+ goto fail_out;
+ }
+
+@@ -742,6 +743,7 @@ static int ramoops_probe(struct platform_device *pdev)
+ !pdata->ftrace_size && !pdata->pmsg_size)) {
+ pr_err("The memory size and the record/console size must be "
+ "non-zero\n");
++ err = -EINVAL;
+ goto fail_out;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From dc937e5474bc7f813edcc32ebbacc3116db49928 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 19:35:08 +0100
+Subject: pwm: mediatek: always use bus clock for PWM on MT7622
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit aa3c668f2f98856af96e13f44da6ca4f26f0b98c ]
+
+According to MT7622 Reference Manual for Development Board v1.0 the PWM
+unit found in the MT7622 SoC also comes with the PWM_CK_26M_SEL register
+at offset 0x210 just like other modern MediaTek ARM64 SoCs.
+And also MT7622 sets that register to 0x00000001 on reset which is
+described as 'Select 26M fix CLK as BCLK' in the datasheet.
+Hence set has_ck_26m_sel to true also for MT7622 which results in the
+driver writing 0 to the PWM_CK_26M_SEL register which is described as
+'Select bus CLK as BCLK'.
+
+Fixes: 0c0ead76235db0 ("pwm: mediatek: Always use bus clock")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/Y1iF2slvSblf6bYK@makrotopia.org
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-mediatek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c
+index 6901a44dc428..a337b47dc2f7 100644
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -296,7 +296,7 @@ static const struct pwm_mediatek_of_data mt6795_pwm_data = {
+ static const struct pwm_mediatek_of_data mt7622_pwm_data = {
+ .num_pwms = 6,
+ .pwm45_fixup = false,
+- .has_ck_26m_sel = false,
++ .has_ck_26m_sel = true,
+ };
+
+ static const struct pwm_mediatek_of_data mt7623_pwm_data = {
+--
+2.35.1
+
--- /dev/null
+From a7f9e8ffffda77561a47af4de782c0ae448ac416 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 19:35:06 +0100
+Subject: pwm: mtk-disp: Fix the parameters calculated by the enabled flag of
+ disp_pwm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: xinlei lee <xinlei.lee@mediatek.com>
+
+[ Upstream commit 0b5ef3429d8f78427558ab0dcbfd862098ba2a63 ]
+
+In the original mtk_disp_pwm_get_state() function wrongly uses bit 0 of
+CON0 to judge if the PWM is enabled.
+However that is indicated by a bit (at a machine dependent position) in
+the DISP_PWM_EN register. Fix this accordingly.
+
+Fixes: 3f2b16734914 ("pwm: mtk-disp: Implement atomic API .get_state()")
+Signed-off-by: xinlei lee <xinlei.lee@mediatek.com>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/1666172538-11652-1-git-send-email-xinlei.lee@mediatek.com
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-mtk-disp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pwm/pwm-mtk-disp.c b/drivers/pwm/pwm-mtk-disp.c
+index c605013e4114..3fbb4bae93a4 100644
+--- a/drivers/pwm/pwm-mtk-disp.c
++++ b/drivers/pwm/pwm-mtk-disp.c
+@@ -178,7 +178,7 @@ static void mtk_disp_pwm_get_state(struct pwm_chip *chip,
+ {
+ struct mtk_disp_pwm *mdp = to_mtk_disp_pwm(chip);
+ u64 rate, period, high_width;
+- u32 clk_div, con0, con1;
++ u32 clk_div, pwm_en, con0, con1;
+ int err;
+
+ err = clk_prepare_enable(mdp->clk_main);
+@@ -197,7 +197,8 @@ static void mtk_disp_pwm_get_state(struct pwm_chip *chip,
+ rate = clk_get_rate(mdp->clk_main);
+ con0 = readl(mdp->base + mdp->data->con0);
+ con1 = readl(mdp->base + mdp->data->con1);
+- state->enabled = !!(con0 & BIT(0));
++ pwm_en = readl(mdp->base + DISP_PWM_EN);
++ state->enabled = !!(pwm_en & mdp->data->enable_mask);
+ clk_div = FIELD_GET(PWM_CLKDIV_MASK, con0);
+ period = FIELD_GET(PWM_PERIOD_MASK, con1);
+ /*
+--
+2.35.1
+
--- /dev/null
+From 81d04b405e40f32412d532d3923373935a12b457 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 19:35:05 +0100
+Subject: pwm: sifive: Call pwm_sifive_update_clock() while mutex is held
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 45558b3abb87eeb2cedb8a59cb2699c120b5102a ]
+
+As was documented in commit 0f02f491b786 ("pwm: sifive: Reduce time the
+controller lock is held") a caller of pwm_sifive_update_clock() must
+hold the mutex. So fix pwm_sifive_clock_notifier() to grab the lock.
+
+While this necessity was only documented later, the race exists since
+the driver was introduced.
+
+Fixes: 9e37a53eb051 ("pwm: sifive: Add a driver for SiFive SoC PWM")
+Reported-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Reviewed-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Link: https://lore.kernel.org/r/20221018061656.1428111-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-sifive.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-sifive.c b/drivers/pwm/pwm-sifive.c
+index 2d4fa5e5fdd4..bb7239313401 100644
+--- a/drivers/pwm/pwm-sifive.c
++++ b/drivers/pwm/pwm-sifive.c
+@@ -204,8 +204,11 @@ static int pwm_sifive_clock_notifier(struct notifier_block *nb,
+ struct pwm_sifive_ddata *ddata =
+ container_of(nb, struct pwm_sifive_ddata, notifier);
+
+- if (event == POST_RATE_CHANGE)
++ if (event == POST_RATE_CHANGE) {
++ mutex_lock(&ddata->lock);
+ pwm_sifive_update_clock(ddata, ndata->new_rate);
++ mutex_unlock(&ddata->lock);
++ }
+
+ return NOTIFY_OK;
+ }
+--
+2.35.1
+
--- /dev/null
+From 94f6afbf9482e48f0fdc29bcd18d98acbb5b3068 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 13:33:56 +0100
+Subject: pwm: tegra: Ensure the clock rate is not less than needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit 5eccd0d9fabc4d2ab8d2a0c056fb1d7e2ff892fc ]
+
+When dynamically scaling the PWM clock, the function
+dev_pm_opp_set_rate() may set the PWM clock to a rate that is lower than
+what is required. The clock rate requested when calling
+dev_pm_opp_set_rate() is the minimum clock rate that is needed to drive
+the PWM to achieve the required period. Hence, if the actual clock
+rate is less than the requested clock rate, then the required period
+cannot be achieved and configuring the PWM fails. Fix this by
+calling clk_round_rate() to check if the clock rate that will be provided
+is sufficient and if not, double the required clock rate to ensure the
+required period can be attained.
+
+Fixes: 8c193f4714df ("pwm: tegra: Optimize period calculation")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-tegra.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/pwm/pwm-tegra.c b/drivers/pwm/pwm-tegra.c
+index b05ea2e8accc..6fc4b69a3ba7 100644
+--- a/drivers/pwm/pwm-tegra.c
++++ b/drivers/pwm/pwm-tegra.c
+@@ -148,6 +148,17 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ required_clk_rate = DIV_ROUND_UP_ULL(NSEC_PER_SEC << PWM_DUTY_WIDTH,
+ period_ns);
+
++ if (required_clk_rate > clk_round_rate(pc->clk, required_clk_rate))
++ /*
++ * required_clk_rate is a lower bound for the input
++ * rate; for lower rates there is no value for PWM_SCALE
++ * that yields a period less than or equal to the
++ * requested period. Hence, for lower rates, double the
++ * required_clk_rate to get a clock rate that can meet
++ * the requested period.
++ */
++ required_clk_rate *= 2;
++
+ err = dev_pm_opp_set_rate(pc->dev, required_clk_rate);
+ if (err < 0)
+ return -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From 5b524e2a4148956e4fb5957a4dbb7b807abc4b5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 13:33:55 +0100
+Subject: pwm: tegra: Improve required rate calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit f271946117dde2ca8741b8138b347b2d68e6ad56 ]
+
+For the case where dev_pm_opp_set_rate() is called to set the PWM clock
+rate, the requested rate is calculated as ...
+
+ required_clk_rate = (NSEC_PER_SEC / period_ns) << PWM_DUTY_WIDTH;
+
+The above calculation may lead to rounding errors because the
+NSEC_PER_SEC is divided by 'period_ns' before applying the
+PWM_DUTY_WIDTH multiplication factor. For example, if the period is
+45334ns, the above calculation yields a rate of 5646848Hz instead of
+5646976Hz. Fix this by applying the multiplication factor before
+dividing and using the DIV_ROUND_UP macro which yields the expected
+result of 5646976Hz.
+
+Fixes: 1d7796bdb63a ("pwm: tegra: Support dynamic clock frequency configuration")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-tegra.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pwm/pwm-tegra.c b/drivers/pwm/pwm-tegra.c
+index dad9978c9186..b05ea2e8accc 100644
+--- a/drivers/pwm/pwm-tegra.c
++++ b/drivers/pwm/pwm-tegra.c
+@@ -145,8 +145,8 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ * source clock rate as required_clk_rate, PWM controller will
+ * be able to configure the requested period.
+ */
+- required_clk_rate =
+- (NSEC_PER_SEC / period_ns) << PWM_DUTY_WIDTH;
++ required_clk_rate = DIV_ROUND_UP_ULL(NSEC_PER_SEC << PWM_DUTY_WIDTH,
++ period_ns);
+
+ err = dev_pm_opp_set_rate(pc->dev, required_clk_rate);
+ if (err < 0)
+--
+2.35.1
+
--- /dev/null
+From 8157da162fcd683c8e41d69c0ee6f9ee6c2ed145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 12:43:54 +0100
+Subject: qed (gcc13): use u16 for fid to be big enough
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit 7d84118229bf7f7290438c85caa8e49de52d50c1 ]
+
+gcc 13 correctly reports overflow in qed_grc_dump_addr_range():
+In file included from drivers/net/ethernet/qlogic/qed/qed.h:23,
+ from drivers/net/ethernet/qlogic/qed/qed_debug.c:10:
+drivers/net/ethernet/qlogic/qed/qed_debug.c: In function 'qed_grc_dump_addr_range':
+include/linux/qed/qed_if.h:1217:9: error: overflow in conversion from 'int' to 'u8' {aka 'unsigned char'} changes value from '(int)vf_id << 8 | 128' to '128' [-Werror=overflow]
+
+We do:
+ u8 fid;
+ ...
+ fid = vf_id << 8 | 128;
+
+Since fid is 16bit (and the stored value above too), fid should be u16,
+not u8. Fix that.
+
+Cc: Martin Liska <mliska@suse.cz>
+Cc: Ariel Elior <aelior@marvell.com>
+Cc: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20221031114354.10398-1-jirislaby@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_debug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
+index 5250d1d1e49c..86ecb080b153 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
+@@ -1972,9 +1972,10 @@ static u32 qed_grc_dump_addr_range(struct qed_hwfn *p_hwfn,
+ u8 split_id)
+ {
+ struct dbg_tools_data *dev_data = &p_hwfn->dbg_info;
+- u8 port_id = 0, pf_id = 0, vf_id = 0, fid = 0;
++ u8 port_id = 0, pf_id = 0, vf_id = 0;
+ bool read_using_dmae = false;
+ u32 thresh;
++ u16 fid;
+
+ if (!dump)
+ return len;
+--
+2.35.1
+
--- /dev/null
+From 16b7fd34edb5fc06a51c3bbd8e776b95c04f7d62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Dec 2022 20:56:14 +0800
+Subject: r6040: Fix kmemleak in probe and remove
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 7e43039a49c2da45edc1d9d7c9ede4003ab45a5f ]
+
+There is a memory leaks reported by kmemleak:
+
+ unreferenced object 0xffff888116111000 (size 2048):
+ comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s)
+ hex dump (first 32 bytes):
+ 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................
+ 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
+ [<ffffffff827e20ee>] phy_device_create+0x4e/0x90
+ [<ffffffff827e6072>] get_phy_device+0xd2/0x220
+ [<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0
+ [<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0
+ [<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]
+ ...
+
+The problem occurs in probe process as follows:
+ r6040_init_one:
+ mdiobus_register
+ mdiobus_scan <- alloc and register phy_device,
+ the reference count of phy_device is 3
+ r6040_mii_probe
+ phy_connect <- connect to the first phy_device,
+ so the reference count of the first
+ phy_device is 4, others are 3
+ register_netdev <- fault inject succeeded, goto error handling path
+
+ // error handling path
+ err_out_mdio_unregister:
+ mdiobus_unregister(lp->mii_bus);
+ err_out_mdio:
+ mdiobus_free(lp->mii_bus); <- the reference count of the first
+ phy_device is 1, it is not released
+ and other phy_devices are released
+ // similarly, the remove process also has the same problem
+
+The root cause is traced to the phy_device is not disconnected when
+removes one r6040 device in r6040_remove_one() or on error handling path
+after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet
+device is connected to the first PHY device of mii_bus, in order to
+notify the connected driver when the link status changes, which is the
+default behavior of the PHY infrastructure to handle everything.
+Therefore the phy_device should be disconnected when removes one r6040
+device or on error handling path.
+
+Fix it by adding phy_disconnect() when removes one r6040 device or on
+error handling path after r6040_mii probed successfully.
+
+Fixes: 3831861b4ad8 ("r6040: implement phylib")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20221213125614.927754-1-lizetao1@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rdc/r6040.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/rdc/r6040.c b/drivers/net/ethernet/rdc/r6040.c
+index a6bf7d505178..322d4d72d2e0 100644
+--- a/drivers/net/ethernet/rdc/r6040.c
++++ b/drivers/net/ethernet/rdc/r6040.c
+@@ -1159,10 +1159,12 @@ static int r6040_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err = register_netdev(dev);
+ if (err) {
+ dev_err(&pdev->dev, "Failed to register net device\n");
+- goto err_out_mdio_unregister;
++ goto err_out_phy_disconnect;
+ }
+ return 0;
+
++err_out_phy_disconnect:
++ phy_disconnect(dev->phydev);
+ err_out_mdio_unregister:
+ mdiobus_unregister(lp->mii_bus);
+ err_out_mdio:
+@@ -1186,6 +1188,7 @@ static void r6040_remove_one(struct pci_dev *pdev)
+ struct r6040_private *lp = netdev_priv(dev);
+
+ unregister_netdev(dev);
++ phy_disconnect(dev->phydev);
+ mdiobus_unregister(lp->mii_bus);
+ mdiobus_free(lp->mii_bus);
+ netif_napi_del(&lp->napi);
+--
+2.35.1
+
--- /dev/null
+From 32c5bb52a9760e1e31b7a1fd89e81e28cd18e4c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 08:57:21 +0000
+Subject: rapidio: devices: fix missing put_device in mport_cdev_open
+
+From: Cai Xinchen <caixinchen1@huawei.com>
+
+[ Upstream commit d5b6e6eba3af11cb2a2791fa36a2524990fcde1a ]
+
+When kfifo_alloc fails, the refcount of chdev->dev is left incremental.
+We should use put_device(&chdev->dev) to decrease the ref count of
+chdev->dev to avoid refcount leak.
+
+Link: https://lkml.kernel.org/r/20221203085721.13146-1-caixinchen1@huawei.com
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Dan Carpenter <error27@gmail.com>
+Cc: Jakob Koschel <jakobkoschel@gmail.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Wang Weiyang <wangweiyang2@huawei.com>
+Cc: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index fecf523f36d8..43db495f1986 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1912,6 +1912,7 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
+ sizeof(struct rio_event) * MPORT_EVENT_DEPTH,
+ GFP_KERNEL);
+ if (ret < 0) {
++ put_device(&chdev->dev);
+ dev_err(&chdev->dev, DRV_NAME ": kfifo_alloc failed\n");
+ ret = -ENOMEM;
+ goto err_fifo;
+--
+2.35.1
+
--- /dev/null
+From 8430b9d2c0efb8554ee89cb54fc0af1e5aed8408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 23:26:35 +0800
+Subject: rapidio: fix possible name leaks when rio_add_device() fails
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f9574cd48679926e2a569e1957a5a1bcc8a719ac ]
+
+Patch series "rapidio: fix three possible memory leaks".
+
+This patchset fixes three name leaks in error handling.
+ - patch #1 fixes two name leaks while rio_add_device() fails.
+ - patch #2 fixes a name leak while rio_register_mport() fails.
+
+This patch (of 2):
+
+If rio_add_device() returns error, the name allocated by dev_set_name()
+need be freed. It should use put_device() to give up the reference in the
+error path, so that the name can be freed in kobject_cleanup(), and the
+'rdev' can be freed in rio_release_dev().
+
+Link: https://lkml.kernel.org/r/20221114152636.2939035-1-yangyingliang@huawei.com
+Link: https://lkml.kernel.org/r/20221114152636.2939035-2-yangyingliang@huawei.com
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 7 +++++--
+ drivers/rapidio/rio-scan.c | 8 ++++++--
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index 2cdc054e53a5..3cc83997a1f8 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1804,8 +1804,11 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
+ rio_init_dbell_res(&rdev->riores[RIO_DOORBELL_RESOURCE],
+ 0, 0xffff);
+ err = rio_add_device(rdev);
+- if (err)
+- goto cleanup;
++ if (err) {
++ put_device(&rdev->dev);
++ return err;
++ }
++
+ rio_dev_get(rdev);
+
+ return 0;
+diff --git a/drivers/rapidio/rio-scan.c b/drivers/rapidio/rio-scan.c
+index 19b0c33f4a62..fdcf742b2adb 100644
+--- a/drivers/rapidio/rio-scan.c
++++ b/drivers/rapidio/rio-scan.c
+@@ -454,8 +454,12 @@ static struct rio_dev *rio_setup_device(struct rio_net *net,
+ 0, 0xffff);
+
+ ret = rio_add_device(rdev);
+- if (ret)
+- goto cleanup;
++ if (ret) {
++ if (rswitch)
++ kfree(rswitch->route_table);
++ put_device(&rdev->dev);
++ return NULL;
++ }
+
+ rio_dev_get(rdev);
+
+--
+2.35.1
+
--- /dev/null
+From 73b309f24d6026ec747bc901a97671b8df77071f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 17:51:47 +0800
+Subject: rapidio: fix possible UAF when kfifo_alloc() fails
+
+From: Wang Weiyang <wangweiyang2@huawei.com>
+
+[ Upstream commit 02d7d89f816951e0862147d751b1150d67aaebdd ]
+
+If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free
+priv. But priv is still in the chdev->file_list, then list traversal
+may cause UAF. This fixes the following smatch warning:
+
+drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list
+
+Link: https://lkml.kernel.org/r/20221123095147.52408-1-wangweiyang2@huawei.com
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Dan Carpenter <error27@gmail.com>
+Cc: Jakob Koschel <jakobkoschel@gmail.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index 3cc83997a1f8..fecf523f36d8 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1904,10 +1904,6 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
+
+ priv->md = chdev;
+
+- mutex_lock(&chdev->file_mutex);
+- list_add_tail(&priv->list, &chdev->file_list);
+- mutex_unlock(&chdev->file_mutex);
+-
+ INIT_LIST_HEAD(&priv->db_filters);
+ INIT_LIST_HEAD(&priv->pw_filters);
+ spin_lock_init(&priv->fifo_lock);
+@@ -1926,6 +1922,9 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
+ spin_lock_init(&priv->req_lock);
+ mutex_init(&priv->dma_lock);
+ #endif
++ mutex_lock(&chdev->file_mutex);
++ list_add_tail(&priv->list, &chdev->file_list);
++ mutex_unlock(&chdev->file_mutex);
+
+ filp->private_data = priv;
+ goto out;
+--
+2.35.1
+
--- /dev/null
+From 6fd0734675c849ed05b2c2bacf88959f1fec817a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 23:26:36 +0800
+Subject: rapidio: rio: fix possible name leak in rio_register_mport()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e92a216d16bde65d21a3227e0fb2aa0794576525 ]
+
+If device_register() returns error, the name allocated by dev_set_name()
+need be freed. It should use put_device() to give up the reference in the
+error path, so that the name can be freed in kobject_cleanup(), and
+list_del() is called to delete the port from rio_mports.
+
+Link: https://lkml.kernel.org/r/20221114152636.2939035-3-yangyingliang@huawei.com
+Fixes: 2aaf308b95b2 ("rapidio: rework device hierarchy and introduce mport class of devices")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/rio.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
+index e74cf09eeff0..9544b8ee0c96 100644
+--- a/drivers/rapidio/rio.c
++++ b/drivers/rapidio/rio.c
+@@ -2186,11 +2186,16 @@ int rio_register_mport(struct rio_mport *port)
+ atomic_set(&port->state, RIO_DEVICE_RUNNING);
+
+ res = device_register(&port->dev);
+- if (res)
++ if (res) {
+ dev_err(&port->dev, "RIO: mport%d registration failed ERR=%d\n",
+ port->id, res);
+- else
++ mutex_lock(&rio_mport_list_lock);
++ list_del(&port->node);
++ mutex_unlock(&rio_mport_list_lock);
++ put_device(&port->dev);
++ } else {
+ dev_dbg(&port->dev, "RIO: registered mport%d\n", port->id);
++ }
+
+ return res;
+ }
+--
+2.35.1
+
--- /dev/null
+From f5653abd38062b07a8a55c522489f80ce3e89c07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 12:41:48 +0800
+Subject: rcu: Fix __this_cpu_read() lockdep warning in
+ rcu_force_quiescent_state()
+
+From: Zqiang <qiang1.zhang@intel.com>
+
+[ Upstream commit ceb1c8c9b8aa9199da46a0f29d2d5f08d9b44c15 ]
+
+Running rcutorture with non-zero fqs_duration module parameter in a
+kernel built with CONFIG_PREEMPTION=y results in the following splat:
+
+BUG: using __this_cpu_read() in preemptible [00000000]
+code: rcu_torture_fqs/398
+caller is __this_cpu_preempt_check+0x13/0x20
+CPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+
+Call Trace:
+<TASK>
+dump_stack_lvl+0x5b/0x86
+dump_stack+0x10/0x16
+check_preemption_disabled+0xe5/0xf0
+__this_cpu_preempt_check+0x13/0x20
+rcu_force_quiescent_state.part.0+0x1c/0x170
+rcu_force_quiescent_state+0x1e/0x30
+rcu_torture_fqs+0xca/0x160
+? rcu_torture_boost+0x430/0x430
+kthread+0x192/0x1d0
+? kthread_complete_and_exit+0x30/0x30
+ret_from_fork+0x22/0x30
+</TASK>
+
+The problem is that rcu_force_quiescent_state() uses __this_cpu_read()
+in preemptible code instead of the proper raw_cpu_read(). This commit
+therefore changes __this_cpu_read() to raw_cpu_read().
+
+Signed-off-by: Zqiang <qiang1.zhang@intel.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 5b52727dcc1c..aedd43e1f21c 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2415,7 +2415,7 @@ void rcu_force_quiescent_state(void)
+ struct rcu_node *rnp_old = NULL;
+
+ /* Funnel through hierarchy to reduce memory contention. */
+- rnp = __this_cpu_read(rcu_data.mynode);
++ rnp = raw_cpu_read(rcu_data.mynode);
+ for (; rnp != NULL; rnp = rnp->parent) {
+ ret = (READ_ONCE(rcu_state.gp_flags) & RCU_GP_FLAG_FQS) ||
+ !raw_spin_trylock(&rnp->fqslock);
+--
+2.35.1
+
--- /dev/null
+From 056862f9ff08ec27f66e4da67909a2b11af844f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 10:37:13 +0300
+Subject: RDMA/core: Fix order of nldev_exit call
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 4508d32ccced24c972bc4592104513e1ff8439b5 ]
+
+Create symmetrical exit flow by calling to nldev_exit() after
+call to rdma_nl_unregister(RDMA_NL_LS).
+
+Fixes: 6c80b41abe22 ("RDMA/netlink: Add nldev initialization flows")
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/64e676774a53a406f4cde265d5a4cfd6b8e97df9.1666683334.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index 4053a09b8d33..267d6e7fb18e 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -2851,8 +2851,8 @@ static int __init ib_core_init(void)
+ static void __exit ib_core_cleanup(void)
+ {
+ roce_gid_mgmt_cleanup();
+- nldev_exit();
+ rdma_nl_unregister(RDMA_NL_LS);
++ nldev_exit();
+ unregister_pernet_device(&rdma_dev_net_ops);
+ unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
+ ib_sa_cleanup();
+--
+2.35.1
+
--- /dev/null
+From 19a70cbef54d50e72154b4a2eeeb763e64c9e781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 10:51:35 +0200
+Subject: RDMA/core: Make sure "ib_port" is valid when access sysfs node
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 5e15ff29b156bbbdeadae230c8ecd5ecd8ca2477 ]
+
+The "ib_port" structure must be set before adding the sysfs kobject,
+and reset after removing it, otherwise it may crash when accessing
+the sysfs node:
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
+ Mem abort info:
+ ESR = 0x96000006
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5
+ [0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000
+ Internal error: Oops: 96000006 [#2] PREEMPT SMP
+ Modules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci]
+ Process grep (pid: 3372, stack limit = 0x0000000022055c92)
+ CPU: 5 PID: 3372 Comm: grep Tainted: G D OE 4.19.161-mlnx.47.gadcd9e3 #1
+ Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep 8 2022
+ pstate: 40000005 (nZcv daif -PAN -UAO)
+ pc : hw_stat_port_show+0x4c/0x80 [ib_core]
+ lr : port_attr_show+0x40/0x58 [ib_core]
+ sp : ffff000029f43b50
+ x29: ffff000029f43b50 x28: 0000000019375000
+ x27: ffff8007b821a540 x26: ffff000029f43e30
+ x25: 0000000000008000 x24: ffff000000eaa958
+ x23: 0000000000001000 x22: ffff8007a4ce3000
+ x21: ffff8007baff8000 x20: ffff8007b9066ac0
+ x19: ffff8007bae97578 x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000
+ x15: 0000000000000000 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000
+ x9 : 0000000000000000 x8 : ffff8007a4ce4000
+ x7 : 0000000000000000 x6 : 000000000000003f
+ x5 : ffff000000e6a280 x4 : ffff8007a4ce3000
+ x3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab
+ x1 : ffff8007b9066a10 x0 : ffff8007baff8000
+ Call trace:
+ hw_stat_port_show+0x4c/0x80 [ib_core]
+ port_attr_show+0x40/0x58 [ib_core]
+ sysfs_kf_seq_show+0x8c/0x150
+ kernfs_seq_show+0x44/0x50
+ seq_read+0x1b4/0x45c
+ kernfs_fop_read+0x148/0x1d8
+ __vfs_read+0x58/0x180
+ vfs_read+0x94/0x154
+ ksys_read+0x68/0xd8
+ __arm64_sys_read+0x28/0x34
+ el0_svc_common+0x88/0x18c
+ el0_svc_handler+0x78/0x94
+ el0_svc+0x8/0xe8
+ Code: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861)
+
+Fixes: d8a5883814b9 ("RDMA/core: Replace the ib_port_data hw_stats pointers with a ib_port pointer")
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://lore.kernel.org/r/88867e705c42c1cd2011e45201c25eecdb9fef94.1667810736.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/sysfs.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c
+index 84c53bd2a52d..ee59d7391568 100644
+--- a/drivers/infiniband/core/sysfs.c
++++ b/drivers/infiniband/core/sysfs.c
+@@ -1213,6 +1213,9 @@ static struct ib_port *setup_port(struct ib_core_device *coredev, int port_num,
+ p->port_num = port_num;
+ kobject_init(&p->kobj, &port_type);
+
++ if (device->port_data && is_full_dev)
++ device->port_data[port_num].sysfs = p;
++
+ cur_group = p->groups_list;
+ ret = alloc_port_table_group("gids", &p->groups[0], p->attrs_list,
+ attr->gid_tbl_len, show_port_gid);
+@@ -1258,9 +1261,6 @@ static struct ib_port *setup_port(struct ib_core_device *coredev, int port_num,
+ }
+
+ list_add_tail(&p->kobj.entry, &coredev->port_list);
+- if (device->port_data && is_full_dev)
+- device->port_data[port_num].sysfs = p;
+-
+ return p;
+
+ err_groups:
+@@ -1268,6 +1268,8 @@ static struct ib_port *setup_port(struct ib_core_device *coredev, int port_num,
+ err_del:
+ kobject_del(&p->kobj);
+ err_put:
++ if (device->port_data && is_full_dev)
++ device->port_data[port_num].sysfs = NULL;
+ kobject_put(&p->kobj);
+ return ERR_PTR(ret);
+ }
+@@ -1276,14 +1278,17 @@ static void destroy_port(struct ib_core_device *coredev, struct ib_port *port)
+ {
+ bool is_full_dev = &port->ibdev->coredev == coredev;
+
+- if (port->ibdev->port_data &&
+- port->ibdev->port_data[port->port_num].sysfs == port)
+- port->ibdev->port_data[port->port_num].sysfs = NULL;
+ list_del(&port->kobj.entry);
+ if (is_full_dev)
+ sysfs_remove_groups(&port->kobj, port->ibdev->ops.port_groups);
++
+ sysfs_remove_groups(&port->kobj, port->groups_list);
+ kobject_del(&port->kobj);
++
++ if (port->ibdev->port_data &&
++ port->ibdev->port_data[port->port_num].sysfs == port)
++ port->ibdev->port_data[port->port_num].sysfs = NULL;
++
+ kobject_put(&port->kobj);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 948c0e160ffc7ff5961ef6c8b6064926c9f31d20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 13:19:40 -0800
+Subject: RDMA: Disable IB HW for UML
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 323a74fc20f53c0d0e13a16aee703a30d9751235 ]
+
+Disable all of drivers/infiniband/hw/ and rdmavt for UML builds until
+someone needs it and provides patches to support it.
+
+This prevents build errors in hw/qib/qib_wc_x86_64.c.
+
+Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: linux-rdma@vger.kernel.org
+Cc: Jeff Dike <jdike@addtoit.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: linux-um@lists.infradead.org
+Link: https://lore.kernel.org/r/20221202211940.29111-1-rdunlap@infradead.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/Kconfig b/drivers/infiniband/Kconfig
+index aa36ac618e72..17a227415277 100644
+--- a/drivers/infiniband/Kconfig
++++ b/drivers/infiniband/Kconfig
+@@ -78,6 +78,7 @@ config INFINIBAND_VIRT_DMA
+ def_bool !HIGHMEM
+
+ if INFINIBAND_USER_ACCESS || !INFINIBAND_USER_ACCESS
++if !UML
+ source "drivers/infiniband/hw/bnxt_re/Kconfig"
+ source "drivers/infiniband/hw/cxgb4/Kconfig"
+ source "drivers/infiniband/hw/efa/Kconfig"
+@@ -94,6 +95,7 @@ source "drivers/infiniband/hw/qib/Kconfig"
+ source "drivers/infiniband/hw/usnic/Kconfig"
+ source "drivers/infiniband/hw/vmw_pvrdma/Kconfig"
+ source "drivers/infiniband/sw/rdmavt/Kconfig"
++endif # !UML
+ source "drivers/infiniband/sw/rxe/Kconfig"
+ source "drivers/infiniband/sw/siw/Kconfig"
+ endif
+--
+2.35.1
+
--- /dev/null
+From 8c7fa46b44875de2df0292c87287c0663a8bf95c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 21:15:46 +0800
+Subject: RDMA/hfi: Decrease PCI device reference count in error path
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 9b51d072da1d27e1193e84708201c48e385ad912 ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev, and also decrease the reference count for the input parameter
+*from* if it is not NULL.
+
+If we break out the loop in node_affinity_init() with 'dev' not NULL, we
+need to call pci_dev_put() to decrease the reference count. Add missing
+pci_dev_put() in error path.
+
+Fixes: c513de490f80 ("IB/hfi1: Invalid NUMA node information can cause a divide by zero")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Link: https://lore.kernel.org/r/20221117131546.113280-1-wangxiongfeng2@huawei.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/affinity.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c
+index 877f8e84a672..77ee77d4000f 100644
+--- a/drivers/infiniband/hw/hfi1/affinity.c
++++ b/drivers/infiniband/hw/hfi1/affinity.c
+@@ -177,6 +177,8 @@ int node_affinity_init(void)
+ for (node = 0; node < node_affinity.num_possible_nodes; node++)
+ hfi1_per_node_cntr[node] = 1;
+
++ pci_dev_put(dev);
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 633594f0d5892b6976dbbaffccf190e65c2712db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 12:00:37 +0800
+Subject: RDMA/hfi1: Fix error return code in parse_platform_config()
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 725349f8ba1e78a146c6ff8f3ee5e2712e517106 ]
+
+In the previous iteration of the while loop, the "ret" may have been
+assigned a value of 0, so the error return code -EINVAL may have been
+incorrectly set to 0. To fix set valid return code before calling to
+goto.
+
+Fixes: 97167e813415 ("staging/rdma/hfi1: Tune for unknown channel if configuration file is absent")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Link: https://lore.kernel.org/r/1669953638-11747-1-git-send-email-wangyufen@huawei.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/firmware.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/firmware.c b/drivers/infiniband/hw/hfi1/firmware.c
+index aa15a5cc7cf3..9705bd7ea064 100644
+--- a/drivers/infiniband/hw/hfi1/firmware.c
++++ b/drivers/infiniband/hw/hfi1/firmware.c
+@@ -1743,6 +1743,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
+
+ if (!dd->platform_config.data) {
+ dd_dev_err(dd, "%s: Missing config file\n", __func__);
++ ret = -EINVAL;
+ goto bail;
+ }
+ ptr = (u32 *)dd->platform_config.data;
+@@ -1751,6 +1752,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
+ ptr++;
+ if (magic_num != PLATFORM_CONFIG_MAGIC_NUM) {
+ dd_dev_err(dd, "%s: Bad config file\n", __func__);
++ ret = -EINVAL;
+ goto bail;
+ }
+
+@@ -1774,6 +1776,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
+ if (file_length > dd->platform_config.size) {
+ dd_dev_info(dd, "%s:File claims to be larger than read size\n",
+ __func__);
++ ret = -EINVAL;
+ goto bail;
+ } else if (file_length < dd->platform_config.size) {
+ dd_dev_info(dd,
+@@ -1794,6 +1797,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
+ dd_dev_err(dd, "%s: Failed validation at offset %ld\n",
+ __func__, (ptr - (u32 *)
+ dd->platform_config.data));
++ ret = -EINVAL;
+ goto bail;
+ }
+
+@@ -1837,6 +1841,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
+ __func__, table_type,
+ (ptr - (u32 *)
+ dd->platform_config.data));
++ ret = -EINVAL;
+ goto bail; /* We don't trust this file now */
+ }
+ pcfgcache->config_tables[table_type].table = ptr;
+@@ -1856,6 +1861,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
+ __func__, table_type,
+ (ptr -
+ (u32 *)dd->platform_config.data));
++ ret = -EINVAL;
+ goto bail; /* We don't trust this file now */
+ }
+ pcfgcache->config_tables[table_type].table_metadata =
+--
+2.35.1
+
--- /dev/null
+From e4e90157d178d88e481dea7eaf7a8ee305ea5b71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 18:29:07 +0800
+Subject: RDMA/hns: Fix AH attr queried by query_qp
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit bc34c04f7b97c3794dec5a6d6d27ffd5f0e4f5c8 ]
+
+The queried AH attr is invalid. This patch fix it.
+
+This problem is found by rdma-core test test_mr_rereg_pd
+
+ERROR: test_mr_rereg_pd (tests.test_mr.MRTest)
+Test that cover rereg MR's PD with this flow:
+----------------------------------------------------------------------
+Traceback (most recent call last):
+ File "./tests/test_mr.py", line 157, in test_mr_rereg_pd
+ self.restate_qps()
+ File "./tests/test_mr.py", line 113, in restate_qps
+ self.server.qp.to_rts(self.server_qp_attr)
+ File "qp.pyx", line 1137, in pyverbs.qp.QP.to_rts
+ File "qp.pyx", line 1123, in pyverbs.qp.QP.to_rtr
+pyverbs.pyverbs_error.PyverbsRDMAError: Failed to modify QP state to RTR.
+Errno: 22, Invalid argument
+
+Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC")
+Link: https://lore.kernel.org/r/20221126102911.2921820-3-xuhaoyue1@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index d242fa192f0d..ba60496c8f01 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -5470,6 +5470,8 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+
+ rdma_ah_set_sl(&qp_attr->ah_attr,
+ hr_reg_read(&context, QPC_SL));
++ rdma_ah_set_port_num(&qp_attr->ah_attr, hr_qp->port + 1);
++ rdma_ah_set_ah_flags(&qp_attr->ah_attr, IB_AH_GRH);
+ grh->flow_label = hr_reg_read(&context, QPC_FL);
+ grh->sgid_index = hr_reg_read(&context, QPC_GMV_IDX);
+ grh->hop_limit = hr_reg_read(&context, QPC_HOPLIMIT);
+--
+2.35.1
+
--- /dev/null
+From 72f7cea3ea79fcb9ca0af99c246aaae19856e1dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 18:29:10 +0800
+Subject: RDMA/hns: Fix error code of CMD
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 667d6164b84884c64de3fc18670cd5a98b0b10cf ]
+
+The error code is fixed to EIO when CMD fails to excute. This patch
+converts the error status reported by firmware to linux errno.
+
+Fixes: a04ff739f2a9 ("RDMA/hns: Add command queue support for hip08 RoCE driver")
+Link: https://lore.kernel.org/r/20221126102911.2921820-6-xuhaoyue1@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 26 +++++++++++++++++++++-
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 5 +++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 49c33baed69c..625e283f8d20 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -1273,6 +1273,30 @@ static void update_cmdq_status(struct hns_roce_dev *hr_dev)
+ hr_dev->cmd.state = HNS_ROCE_CMDQ_STATE_FATAL_ERR;
+ }
+
++static int hns_roce_cmd_err_convert_errno(u16 desc_ret)
++{
++ struct hns_roce_cmd_errcode errcode_table[] = {
++ {CMD_EXEC_SUCCESS, 0},
++ {CMD_NO_AUTH, -EPERM},
++ {CMD_NOT_EXIST, -EOPNOTSUPP},
++ {CMD_CRQ_FULL, -EXFULL},
++ {CMD_NEXT_ERR, -ENOSR},
++ {CMD_NOT_EXEC, -ENOTBLK},
++ {CMD_PARA_ERR, -EINVAL},
++ {CMD_RESULT_ERR, -ERANGE},
++ {CMD_TIMEOUT, -ETIME},
++ {CMD_HILINK_ERR, -ENOLINK},
++ {CMD_INFO_ILLEGAL, -ENXIO},
++ {CMD_INVALID, -EBADR},
++ };
++ u16 i;
++
++ for (i = 0; i < ARRAY_SIZE(errcode_table); i++)
++ if (desc_ret == errcode_table[i].return_status)
++ return errcode_table[i].errno;
++ return -EIO;
++}
++
+ static int __hns_roce_cmq_send(struct hns_roce_dev *hr_dev,
+ struct hns_roce_cmq_desc *desc, int num)
+ {
+@@ -1318,7 +1342,7 @@ static int __hns_roce_cmq_send(struct hns_roce_dev *hr_dev,
+ dev_err_ratelimited(hr_dev->dev,
+ "Cmdq IO error, opcode = 0x%x, return = 0x%x.\n",
+ desc->opcode, desc_ret);
+- ret = -EIO;
++ ret = hns_roce_cmd_err_convert_errno(desc_ret);
+ }
+ } else {
+ /* FW/HW reset or incorrect number of desc */
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index 5abea0416f5b..4bf89c1280dc 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -275,6 +275,11 @@ enum hns_roce_cmd_return_status {
+ CMD_OTHER_ERR = 0xff
+ };
+
++struct hns_roce_cmd_errcode {
++ enum hns_roce_cmd_return_status return_status;
++ int errno;
++};
++
+ enum hns_roce_sgid_type {
+ GID_TYPE_FLAG_ROCE_V1 = 0,
+ GID_TYPE_FLAG_ROCE_V2_IPV4,
+--
+2.35.1
+
--- /dev/null
+From ad7e9ec5993869a9e40514b1b0778c8f1d0f4170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 21:38:46 +0800
+Subject: RDMA/hns: Fix ext_sge num error when post send
+
+From: Luoyouming <luoyouming@huawei.com>
+
+[ Upstream commit 8eaa6f7d569b4a22bfc1b0a3fdfeeb401feb65a4 ]
+
+In the HNS ROCE driver, The sge is divided into standard sge and extended
+sge. There are 2 standard sge in RC/XRC, and the UD standard sge is 0.
+In the scenario of RC SQ inline, if the data does not exceed 32bytes, the
+standard sge will be used. If it exceeds, only the extended sge will be
+used to fill the data.
+
+Currently, when filling the extended sge, max_gs is directly used as the
+number of the extended sge, which did not subtract the number of standard
+sge. There is a logical error. The new algorithm subtracts the number of
+standard sge from max_gs to get the actual number of extended sge.
+
+Fixes: 30b707886aeb ("RDMA/hns: Support inline data in extented sge space for RC")
+Link: https://lore.kernel.org/r/20221108133847.2304539-2-xuhaoyue1@hisilicon.com
+Signed-off-by: Luoyouming <luoyouming@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index eb1601bd1255..ee05be2e3da6 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -187,20 +187,29 @@ static void set_atomic_seg(const struct ib_send_wr *wr,
+ hr_reg_write(rc_sq_wqe, RC_SEND_WQE_SGE_NUM, valid_num_sge);
+ }
+
++static unsigned int get_std_sge_num(struct hns_roce_qp *qp)
++{
++ if (qp->ibqp.qp_type == IB_QPT_GSI || qp->ibqp.qp_type == IB_QPT_UD)
++ return 0;
++
++ return HNS_ROCE_SGE_IN_WQE;
++}
++
+ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
+ const struct ib_send_wr *wr,
+ unsigned int *sge_idx, u32 msg_len)
+ {
+ struct ib_device *ibdev = &(to_hr_dev(qp->ibqp.device))->ib_dev;
+- unsigned int ext_sge_sz = qp->sq.max_gs * HNS_ROCE_SGE_SIZE;
+ unsigned int left_len_in_pg;
+ unsigned int idx = *sge_idx;
++ unsigned int std_sge_num;
+ unsigned int i = 0;
+ unsigned int len;
+ void *addr;
+ void *dseg;
+
+- if (msg_len > ext_sge_sz) {
++ std_sge_num = get_std_sge_num(qp);
++ if (msg_len > (qp->sq.max_gs - std_sge_num) * HNS_ROCE_SGE_SIZE) {
+ ibdev_err(ibdev,
+ "no enough extended sge space for inline data.\n");
+ return -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From 61da2794750a176619ce30216f8b183806330441 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 21:38:47 +0800
+Subject: RDMA/hns: Fix incorrect sge nums calculation
+
+From: Luoyouming <luoyouming@huawei.com>
+
+[ Upstream commit 0c5e259b06a8efc69f929ad777ea49281bb58e37 ]
+
+The user usually configures the number of sge through the max_send_sge
+parameter when creating qp, and configures the maximum size of inline data
+that can be sent through max_inline_data. Inline uses sge to fill data to
+send. Expect the following:
+
+1) When the sge space cannot hold inline data, the sge space needs to be
+ expanded to accommodate all inline data
+
+2) When the sge space is enough to accommodate inline data, the upper
+ limit of inline data can be increased so that users can send larger
+ inline data
+
+Currently case one is not implemented. When the inline data is larger than
+the sge space, an error of insufficient sge space occurs. This part of
+the code needs to be reimplemented according to the expected rules. The
+calculation method of sge num is modified to take the maximum value of
+max_send_sge and the sge for max_inline_data to solve this problem.
+
+Fixes: 05201e01be93 ("RDMA/hns: Refactor process of setting extended sge")
+Fixes: 30b707886aeb ("RDMA/hns: Support inline data in extented sge space for RC")
+Link: https://lore.kernel.org/r/20221108133847.2304539-3-xuhaoyue1@hisilicon.com
+Signed-off-by: Luoyouming <luoyouming@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_device.h | 3 +
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 12 +--
+ drivers/infiniband/hw/hns/hns_roce_main.c | 18 +++-
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 107 ++++++++++++++++----
+ include/uapi/rdma/hns-abi.h | 15 +++
+ 5 files changed, 125 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
+index d24996526c4d..4dc296d856d8 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_device.h
++++ b/drivers/infiniband/hw/hns/hns_roce_device.h
+@@ -202,6 +202,7 @@ struct hns_roce_ucontext {
+ struct list_head page_list;
+ struct mutex page_mutex;
+ struct hns_user_mmap_entry *db_mmap_entry;
++ u32 config;
+ };
+
+ struct hns_roce_pd {
+@@ -335,6 +336,7 @@ struct hns_roce_wq {
+ u32 head;
+ u32 tail;
+ void __iomem *db_reg;
++ u32 ext_sge_cnt;
+ };
+
+ struct hns_roce_sge {
+@@ -637,6 +639,7 @@ struct hns_roce_qp {
+ struct list_head rq_node; /* all recv qps are on a list */
+ struct list_head sq_node; /* all send qps are on a list */
+ struct hns_user_mmap_entry *dwqe_mmap_entry;
++ u32 config;
+ };
+
+ struct hns_roce_ib_iboe {
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index ee05be2e3da6..7e9853c6d412 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -187,14 +187,6 @@ static void set_atomic_seg(const struct ib_send_wr *wr,
+ hr_reg_write(rc_sq_wqe, RC_SEND_WQE_SGE_NUM, valid_num_sge);
+ }
+
+-static unsigned int get_std_sge_num(struct hns_roce_qp *qp)
+-{
+- if (qp->ibqp.qp_type == IB_QPT_GSI || qp->ibqp.qp_type == IB_QPT_UD)
+- return 0;
+-
+- return HNS_ROCE_SGE_IN_WQE;
+-}
+-
+ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
+ const struct ib_send_wr *wr,
+ unsigned int *sge_idx, u32 msg_len)
+@@ -202,14 +194,12 @@ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
+ struct ib_device *ibdev = &(to_hr_dev(qp->ibqp.device))->ib_dev;
+ unsigned int left_len_in_pg;
+ unsigned int idx = *sge_idx;
+- unsigned int std_sge_num;
+ unsigned int i = 0;
+ unsigned int len;
+ void *addr;
+ void *dseg;
+
+- std_sge_num = get_std_sge_num(qp);
+- if (msg_len > (qp->sq.max_gs - std_sge_num) * HNS_ROCE_SGE_SIZE) {
++ if (msg_len > qp->sq.ext_sge_cnt * HNS_ROCE_SGE_SIZE) {
+ ibdev_err(ibdev,
+ "no enough extended sge space for inline data.\n");
+ return -EINVAL;
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index 4ccb217b2841..a4e7bb5bb194 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -354,10 +354,11 @@ static int hns_roce_alloc_uar_entry(struct ib_ucontext *uctx)
+ static int hns_roce_alloc_ucontext(struct ib_ucontext *uctx,
+ struct ib_udata *udata)
+ {
+- int ret;
+ struct hns_roce_ucontext *context = to_hr_ucontext(uctx);
+- struct hns_roce_ib_alloc_ucontext_resp resp = {};
+ struct hns_roce_dev *hr_dev = to_hr_dev(uctx->device);
++ struct hns_roce_ib_alloc_ucontext_resp resp = {};
++ struct hns_roce_ib_alloc_ucontext ucmd = {};
++ int ret;
+
+ if (!hr_dev->active)
+ return -EAGAIN;
+@@ -365,6 +366,19 @@ static int hns_roce_alloc_ucontext(struct ib_ucontext *uctx,
+ resp.qp_tab_size = hr_dev->caps.num_qps;
+ resp.srq_tab_size = hr_dev->caps.num_srqs;
+
++ ret = ib_copy_from_udata(&ucmd, udata,
++ min(udata->inlen, sizeof(ucmd)));
++ if (ret)
++ return ret;
++
++ if (hr_dev->pci_dev->revision >= PCI_REVISION_ID_HIP09)
++ context->config = ucmd.config & HNS_ROCE_EXSGE_FLAGS;
++
++ if (context->config & HNS_ROCE_EXSGE_FLAGS) {
++ resp.config |= HNS_ROCE_RSP_EXSGE_FLAGS;
++ resp.max_inline_data = hr_dev->caps.max_sq_inline;
++ }
++
+ ret = hns_roce_uar_alloc(hr_dev, &context->uar);
+ if (ret)
+ goto error_fail_uar_alloc;
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index 7bee7f6c5e70..a0040096ddb1 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -479,38 +479,109 @@ static int set_rq_size(struct hns_roce_dev *hr_dev, struct ib_qp_cap *cap,
+ return 0;
+ }
+
+-static u32 get_wqe_ext_sge_cnt(struct hns_roce_qp *qp)
++static u32 get_max_inline_data(struct hns_roce_dev *hr_dev,
++ struct ib_qp_cap *cap)
+ {
+- /* GSI/UD QP only has extended sge */
+- if (qp->ibqp.qp_type == IB_QPT_GSI || qp->ibqp.qp_type == IB_QPT_UD)
+- return qp->sq.max_gs;
+-
+- if (qp->sq.max_gs > HNS_ROCE_SGE_IN_WQE)
+- return qp->sq.max_gs - HNS_ROCE_SGE_IN_WQE;
++ if (cap->max_inline_data) {
++ cap->max_inline_data = roundup_pow_of_two(cap->max_inline_data);
++ return min(cap->max_inline_data,
++ hr_dev->caps.max_sq_inline);
++ }
+
+ return 0;
+ }
+
++static void update_inline_data(struct hns_roce_qp *hr_qp,
++ struct ib_qp_cap *cap)
++{
++ u32 sge_num = hr_qp->sq.ext_sge_cnt;
++
++ if (hr_qp->config & HNS_ROCE_EXSGE_FLAGS) {
++ if (!(hr_qp->ibqp.qp_type == IB_QPT_GSI ||
++ hr_qp->ibqp.qp_type == IB_QPT_UD))
++ sge_num = max((u32)HNS_ROCE_SGE_IN_WQE, sge_num);
++
++ cap->max_inline_data = max(cap->max_inline_data,
++ sge_num * HNS_ROCE_SGE_SIZE);
++ }
++
++ hr_qp->max_inline_data = cap->max_inline_data;
++}
++
++static u32 get_sge_num_from_max_send_sge(bool is_ud_or_gsi,
++ u32 max_send_sge)
++{
++ unsigned int std_sge_num;
++ unsigned int min_sge;
++
++ std_sge_num = is_ud_or_gsi ? 0 : HNS_ROCE_SGE_IN_WQE;
++ min_sge = is_ud_or_gsi ? 1 : 0;
++ return max_send_sge > std_sge_num ? (max_send_sge - std_sge_num) :
++ min_sge;
++}
++
++static unsigned int get_sge_num_from_max_inl_data(bool is_ud_or_gsi,
++ u32 max_inline_data)
++{
++ unsigned int inline_sge;
++
++ inline_sge = roundup_pow_of_two(max_inline_data) / HNS_ROCE_SGE_SIZE;
++
++ /*
++ * if max_inline_data less than
++ * HNS_ROCE_SGE_IN_WQE * HNS_ROCE_SGE_SIZE,
++ * In addition to ud's mode, no need to extend sge.
++ */
++ if (!is_ud_or_gsi && inline_sge <= HNS_ROCE_SGE_IN_WQE)
++ inline_sge = 0;
++
++ return inline_sge;
++}
++
+ static void set_ext_sge_param(struct hns_roce_dev *hr_dev, u32 sq_wqe_cnt,
+ struct hns_roce_qp *hr_qp, struct ib_qp_cap *cap)
+ {
++ bool is_ud_or_gsi = (hr_qp->ibqp.qp_type == IB_QPT_GSI ||
++ hr_qp->ibqp.qp_type == IB_QPT_UD);
++ unsigned int std_sge_num;
++ u32 inline_ext_sge = 0;
++ u32 ext_wqe_sge_cnt;
+ u32 total_sge_cnt;
+- u32 wqe_sge_cnt;
++
++ cap->max_inline_data = get_max_inline_data(hr_dev, cap);
+
+ hr_qp->sge.sge_shift = HNS_ROCE_SGE_SHIFT;
++ std_sge_num = is_ud_or_gsi ? 0 : HNS_ROCE_SGE_IN_WQE;
++ ext_wqe_sge_cnt = get_sge_num_from_max_send_sge(is_ud_or_gsi,
++ cap->max_send_sge);
+
+- hr_qp->sq.max_gs = max(1U, cap->max_send_sge);
++ if (hr_qp->config & HNS_ROCE_EXSGE_FLAGS) {
++ inline_ext_sge = max(ext_wqe_sge_cnt,
++ get_sge_num_from_max_inl_data(is_ud_or_gsi,
++ cap->max_inline_data));
++ hr_qp->sq.ext_sge_cnt = inline_ext_sge ?
++ roundup_pow_of_two(inline_ext_sge) : 0;
+
+- wqe_sge_cnt = get_wqe_ext_sge_cnt(hr_qp);
++ hr_qp->sq.max_gs = max(1U, (hr_qp->sq.ext_sge_cnt + std_sge_num));
++ hr_qp->sq.max_gs = min(hr_qp->sq.max_gs, hr_dev->caps.max_sq_sg);
++
++ ext_wqe_sge_cnt = hr_qp->sq.ext_sge_cnt;
++ } else {
++ hr_qp->sq.max_gs = max(1U, cap->max_send_sge);
++ hr_qp->sq.max_gs = min(hr_qp->sq.max_gs, hr_dev->caps.max_sq_sg);
++ hr_qp->sq.ext_sge_cnt = hr_qp->sq.max_gs;
++ }
+
+ /* If the number of extended sge is not zero, they MUST use the
+ * space of HNS_HW_PAGE_SIZE at least.
+ */
+- if (wqe_sge_cnt) {
+- total_sge_cnt = roundup_pow_of_two(sq_wqe_cnt * wqe_sge_cnt);
++ if (ext_wqe_sge_cnt) {
++ total_sge_cnt = roundup_pow_of_two(sq_wqe_cnt * ext_wqe_sge_cnt);
+ hr_qp->sge.sge_cnt = max(total_sge_cnt,
+ (u32)HNS_HW_PAGE_SIZE / HNS_ROCE_SGE_SIZE);
+ }
++
++ update_inline_data(hr_qp, cap);
+ }
+
+ static int check_sq_size_with_integrity(struct hns_roce_dev *hr_dev,
+@@ -559,6 +630,7 @@ static int set_user_sq_size(struct hns_roce_dev *hr_dev,
+
+ hr_qp->sq.wqe_shift = ucmd->log_sq_stride;
+ hr_qp->sq.wqe_cnt = cnt;
++ cap->max_send_sge = hr_qp->sq.max_gs;
+
+ return 0;
+ }
+@@ -989,13 +1061,9 @@ static int set_qp_param(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp,
+ struct hns_roce_ib_create_qp *ucmd)
+ {
+ struct ib_device *ibdev = &hr_dev->ib_dev;
++ struct hns_roce_ucontext *uctx;
+ int ret;
+
+- if (init_attr->cap.max_inline_data > hr_dev->caps.max_sq_inline)
+- init_attr->cap.max_inline_data = hr_dev->caps.max_sq_inline;
+-
+- hr_qp->max_inline_data = init_attr->cap.max_inline_data;
+-
+ if (init_attr->sq_sig_type == IB_SIGNAL_ALL_WR)
+ hr_qp->sq_signal_bits = IB_SIGNAL_ALL_WR;
+ else
+@@ -1018,12 +1086,17 @@ static int set_qp_param(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp,
+ return ret;
+ }
+
++ uctx = rdma_udata_to_drv_context(udata, struct hns_roce_ucontext,
++ ibucontext);
++ hr_qp->config = uctx->config;
+ ret = set_user_sq_size(hr_dev, &init_attr->cap, hr_qp, ucmd);
+ if (ret)
+ ibdev_err(ibdev,
+ "failed to set user SQ size, ret = %d.\n",
+ ret);
+ } else {
++ if (hr_dev->pci_dev->revision >= PCI_REVISION_ID_HIP09)
++ hr_qp->config = HNS_ROCE_EXSGE_FLAGS;
+ ret = set_kernel_sq_size(hr_dev, &init_attr->cap, hr_qp);
+ if (ret)
+ ibdev_err(ibdev,
+diff --git a/include/uapi/rdma/hns-abi.h b/include/uapi/rdma/hns-abi.h
+index f6fde06db4b4..745790ce3c26 100644
+--- a/include/uapi/rdma/hns-abi.h
++++ b/include/uapi/rdma/hns-abi.h
+@@ -85,11 +85,26 @@ struct hns_roce_ib_create_qp_resp {
+ __aligned_u64 dwqe_mmap_key;
+ };
+
++enum {
++ HNS_ROCE_EXSGE_FLAGS = 1 << 0,
++};
++
++enum {
++ HNS_ROCE_RSP_EXSGE_FLAGS = 1 << 0,
++};
++
+ struct hns_roce_ib_alloc_ucontext_resp {
+ __u32 qp_tab_size;
+ __u32 cqe_size;
+ __u32 srq_tab_size;
+ __u32 reserved;
++ __u32 config;
++ __u32 max_inline_data;
++};
++
++struct hns_roce_ib_alloc_ucontext {
++ __u32 config;
++ __u32 reserved;
+ };
+
+ struct hns_roce_ib_alloc_pd_resp {
+--
+2.35.1
+
--- /dev/null
+From 02372d75cabd02c6ac561b3a52244656f37779f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 15:08:34 +0800
+Subject: RDMA/hns: fix memory leak in hns_roce_alloc_mr()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit a115aa00b18f7b8982b8f458149632caf64a862a ]
+
+When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not
+released. Compiled test only.
+
+Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221119070834.48502-1-shaozhengchao@huawei.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
+index dedfa56f5773..fb165069c8d9 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -392,10 +392,10 @@ struct ib_mr *hns_roce_alloc_mr(struct ib_pd *pd, enum ib_mr_type mr_type,
+
+ return &mr->ibmr;
+
+-err_key:
+- free_mr_key(hr_dev, mr);
+ err_pbl:
+ free_mr_pbl(hr_dev, mr);
++err_key:
++ free_mr_key(hr_dev, mr);
+ err_free:
+ kfree(mr);
+ return ERR_PTR(ret);
+--
+2.35.1
+
--- /dev/null
+From 2275cce71ec6c0db8bdf0225f7c29845f9ac2ac7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 18:29:09 +0800
+Subject: RDMA/hns: Fix page size cap from firmware
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 99dc5a0712883d5d13b620d25b3759d429577bc8 ]
+
+Add verification to make sure the roce page size cap is supported by the
+system page size.
+
+Fixes: ba6bb7e97421 ("RDMA/hns: Add interfaces to get pf capabilities from firmware")
+Link: https://lore.kernel.org/r/20221126102911.2921820-5-xuhaoyue1@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 5bd21e589565..49c33baed69c 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -2344,6 +2344,9 @@ static int hns_roce_query_pf_caps(struct hns_roce_dev *hr_dev)
+ caps->wqe_sge_hop_num = hr_reg_read(resp_d, PF_CAPS_D_EX_SGE_HOP_NUM);
+ caps->wqe_rq_hop_num = hr_reg_read(resp_d, PF_CAPS_D_RQWQE_HOP_NUM);
+
++ if (!(caps->page_size_cap & PAGE_SIZE))
++ caps->page_size_cap = HNS_ROCE_V2_PAGE_SIZE_SUPPORTED;
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 3b537fb27e8d4da13eee3f596fde5fe89fa826ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 18:29:08 +0800
+Subject: RDMA/hns: Fix PBL page MTR find
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 9fb39ef2ff3e18f1740625ba04093dfbef086d2b ]
+
+Now, The address of the first two pages in the MR will be searched, which
+use to speed up the lookup of the pbl table for hardware. An exception
+will occur when there is only one page in this MR. This patch fix the
+number of page to search.
+
+Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process")
+Link: https://lore.kernel.org/r/20221126102911.2921820-4-xuhaoyue1@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index ba60496c8f01..5bd21e589565 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -3277,7 +3277,8 @@ static int set_mtpt_pbl(struct hns_roce_dev *hr_dev,
+ int i, count;
+
+ count = hns_roce_mtr_find(hr_dev, &mr->pbl_mtr, 0, pages,
+- ARRAY_SIZE(pages), &pbl_ba);
++ min_t(int, ARRAY_SIZE(pages), mr->npages),
++ &pbl_ba);
+ if (count < 1) {
+ ibdev_err(ibdev, "failed to find PBL mtr, count = %d.\n",
+ count);
+--
+2.35.1
+
--- /dev/null
+From 87fc2c0a47231b4862f1418b61de5ce20099a99e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 18:29:06 +0800
+Subject: RDMA/hns: Fix the gid problem caused by free mr
+
+From: Yixing Liu <liuyixing1@huawei.com>
+
+[ Upstream commit 487d65090a3dce1ae54946aded55d0f8ac87cbab ]
+
+After the hns roce driver is loaded, if you modify the mac address of the
+network port, the following error will appear:
+
+ __ib_cache_gid_add: unable to add gid fe80:0000:0000:0000:4600:4dff:fe22:abb5 error=-28
+ hns3 0000:7d:00.0 hns_0: attr path_mtu(1) invalid while modify qp
+
+The reason for the error is that the gid being occupied will cause the
+failure to modify the gid. The gid is occupied by the loopback QP used by
+free mr. When the mac address is modified, the gid will change. If there
+is a busy QP at this time, the gid will not be released and the
+modification will fail. The QP of free mr is created using the ib
+interface. The ib interface will add a reference count to the gid,
+resulting in this error scenario.
+
+Considering that free mr is solving a bug in HIP08, not an actual
+business, it is not necessary to use ib interfaces.
+
+Fixes: 70f92521584f ("RDMA/hns: Use the reserved loopback QPs to free MR before destroying MPT")
+Link: https://lore.kernel.org/r/20221126102911.2921820-2-xuhaoyue1@hisilicon.com
+Signed-off-by: Yixing Liu <liuyixing1@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 175 ++++++++++++++++-----
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 8 +-
+ 2 files changed, 137 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index eb14df9fe70c..d242fa192f0d 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -2633,31 +2633,124 @@ static void free_dip_list(struct hns_roce_dev *hr_dev)
+ spin_unlock_irqrestore(&hr_dev->dip_list_lock, flags);
+ }
+
+-static void free_mr_exit(struct hns_roce_dev *hr_dev)
++static struct ib_pd *free_mr_init_pd(struct hns_roce_dev *hr_dev)
++{
++ struct hns_roce_v2_priv *priv = hr_dev->priv;
++ struct hns_roce_v2_free_mr *free_mr = &priv->free_mr;
++ struct ib_device *ibdev = &hr_dev->ib_dev;
++ struct hns_roce_pd *hr_pd;
++ struct ib_pd *pd;
++
++ hr_pd = kzalloc(sizeof(*hr_pd), GFP_KERNEL);
++ if (ZERO_OR_NULL_PTR(hr_pd))
++ return NULL;
++ pd = &hr_pd->ibpd;
++ pd->device = ibdev;
++
++ if (hns_roce_alloc_pd(pd, NULL)) {
++ ibdev_err(ibdev, "failed to create pd for free mr.\n");
++ kfree(hr_pd);
++ return NULL;
++ }
++ free_mr->rsv_pd = to_hr_pd(pd);
++ free_mr->rsv_pd->ibpd.device = &hr_dev->ib_dev;
++ free_mr->rsv_pd->ibpd.uobject = NULL;
++ free_mr->rsv_pd->ibpd.__internal_mr = NULL;
++ atomic_set(&free_mr->rsv_pd->ibpd.usecnt, 0);
++
++ return pd;
++}
++
++static struct ib_cq *free_mr_init_cq(struct hns_roce_dev *hr_dev)
++{
++ struct hns_roce_v2_priv *priv = hr_dev->priv;
++ struct hns_roce_v2_free_mr *free_mr = &priv->free_mr;
++ struct ib_device *ibdev = &hr_dev->ib_dev;
++ struct ib_cq_init_attr cq_init_attr = {};
++ struct hns_roce_cq *hr_cq;
++ struct ib_cq *cq;
++
++ cq_init_attr.cqe = HNS_ROCE_FREE_MR_USED_CQE_NUM;
++
++ hr_cq = kzalloc(sizeof(*hr_cq), GFP_KERNEL);
++ if (ZERO_OR_NULL_PTR(hr_cq))
++ return NULL;
++
++ cq = &hr_cq->ib_cq;
++ cq->device = ibdev;
++
++ if (hns_roce_create_cq(cq, &cq_init_attr, NULL)) {
++ ibdev_err(ibdev, "failed to create cq for free mr.\n");
++ kfree(hr_cq);
++ return NULL;
++ }
++ free_mr->rsv_cq = to_hr_cq(cq);
++ free_mr->rsv_cq->ib_cq.device = &hr_dev->ib_dev;
++ free_mr->rsv_cq->ib_cq.uobject = NULL;
++ free_mr->rsv_cq->ib_cq.comp_handler = NULL;
++ free_mr->rsv_cq->ib_cq.event_handler = NULL;
++ free_mr->rsv_cq->ib_cq.cq_context = NULL;
++ atomic_set(&free_mr->rsv_cq->ib_cq.usecnt, 0);
++
++ return cq;
++}
++
++static int free_mr_init_qp(struct hns_roce_dev *hr_dev, struct ib_cq *cq,
++ struct ib_qp_init_attr *init_attr, int i)
+ {
+ struct hns_roce_v2_priv *priv = hr_dev->priv;
+ struct hns_roce_v2_free_mr *free_mr = &priv->free_mr;
++ struct ib_device *ibdev = &hr_dev->ib_dev;
++ struct hns_roce_qp *hr_qp;
++ struct ib_qp *qp;
+ int ret;
++
++ hr_qp = kzalloc(sizeof(*hr_qp), GFP_KERNEL);
++ if (ZERO_OR_NULL_PTR(hr_qp))
++ return -ENOMEM;
++
++ qp = &hr_qp->ibqp;
++ qp->device = ibdev;
++
++ ret = hns_roce_create_qp(qp, init_attr, NULL);
++ if (ret) {
++ ibdev_err(ibdev, "failed to create qp for free mr.\n");
++ kfree(hr_qp);
++ return ret;
++ }
++
++ free_mr->rsv_qp[i] = hr_qp;
++ free_mr->rsv_qp[i]->ibqp.recv_cq = cq;
++ free_mr->rsv_qp[i]->ibqp.send_cq = cq;
++
++ return 0;
++}
++
++static void free_mr_exit(struct hns_roce_dev *hr_dev)
++{
++ struct hns_roce_v2_priv *priv = hr_dev->priv;
++ struct hns_roce_v2_free_mr *free_mr = &priv->free_mr;
++ struct ib_qp *qp;
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(free_mr->rsv_qp); i++) {
+ if (free_mr->rsv_qp[i]) {
+- ret = ib_destroy_qp(free_mr->rsv_qp[i]);
+- if (ret)
+- ibdev_err(&hr_dev->ib_dev,
+- "failed to destroy qp in free mr.\n");
+-
++ qp = &free_mr->rsv_qp[i]->ibqp;
++ hns_roce_v2_destroy_qp(qp, NULL);
++ kfree(free_mr->rsv_qp[i]);
+ free_mr->rsv_qp[i] = NULL;
+ }
+ }
+
+ if (free_mr->rsv_cq) {
+- ib_destroy_cq(free_mr->rsv_cq);
++ hns_roce_destroy_cq(&free_mr->rsv_cq->ib_cq, NULL);
++ kfree(free_mr->rsv_cq);
+ free_mr->rsv_cq = NULL;
+ }
+
+ if (free_mr->rsv_pd) {
+- ib_dealloc_pd(free_mr->rsv_pd);
++ hns_roce_dealloc_pd(&free_mr->rsv_pd->ibpd, NULL);
++ kfree(free_mr->rsv_pd);
+ free_mr->rsv_pd = NULL;
+ }
+ }
+@@ -2666,55 +2759,46 @@ static int free_mr_alloc_res(struct hns_roce_dev *hr_dev)
+ {
+ struct hns_roce_v2_priv *priv = hr_dev->priv;
+ struct hns_roce_v2_free_mr *free_mr = &priv->free_mr;
+- struct ib_device *ibdev = &hr_dev->ib_dev;
+- struct ib_cq_init_attr cq_init_attr = {};
+ struct ib_qp_init_attr qp_init_attr = {};
+ struct ib_pd *pd;
+ struct ib_cq *cq;
+- struct ib_qp *qp;
+ int ret;
+ int i;
+
+- pd = ib_alloc_pd(ibdev, 0);
+- if (IS_ERR(pd)) {
+- ibdev_err(ibdev, "failed to create pd for free mr.\n");
+- return PTR_ERR(pd);
+- }
+- free_mr->rsv_pd = pd;
++ pd = free_mr_init_pd(hr_dev);
++ if (!pd)
++ return -ENOMEM;
+
+- cq_init_attr.cqe = HNS_ROCE_FREE_MR_USED_CQE_NUM;
+- cq = ib_create_cq(ibdev, NULL, NULL, NULL, &cq_init_attr);
+- if (IS_ERR(cq)) {
+- ibdev_err(ibdev, "failed to create cq for free mr.\n");
+- ret = PTR_ERR(cq);
+- goto create_failed;
++ cq = free_mr_init_cq(hr_dev);
++ if (!cq) {
++ ret = -ENOMEM;
++ goto create_failed_cq;
+ }
+- free_mr->rsv_cq = cq;
+
+ qp_init_attr.qp_type = IB_QPT_RC;
+ qp_init_attr.sq_sig_type = IB_SIGNAL_ALL_WR;
+- qp_init_attr.send_cq = free_mr->rsv_cq;
+- qp_init_attr.recv_cq = free_mr->rsv_cq;
++ qp_init_attr.send_cq = cq;
++ qp_init_attr.recv_cq = cq;
+ for (i = 0; i < ARRAY_SIZE(free_mr->rsv_qp); i++) {
+ qp_init_attr.cap.max_send_wr = HNS_ROCE_FREE_MR_USED_SQWQE_NUM;
+ qp_init_attr.cap.max_send_sge = HNS_ROCE_FREE_MR_USED_SQSGE_NUM;
+ qp_init_attr.cap.max_recv_wr = HNS_ROCE_FREE_MR_USED_RQWQE_NUM;
+ qp_init_attr.cap.max_recv_sge = HNS_ROCE_FREE_MR_USED_RQSGE_NUM;
+
+- qp = ib_create_qp(free_mr->rsv_pd, &qp_init_attr);
+- if (IS_ERR(qp)) {
+- ibdev_err(ibdev, "failed to create qp for free mr.\n");
+- ret = PTR_ERR(qp);
+- goto create_failed;
+- }
+-
+- free_mr->rsv_qp[i] = qp;
++ ret = free_mr_init_qp(hr_dev, cq, &qp_init_attr, i);
++ if (ret)
++ goto create_failed_qp;
+ }
+
+ return 0;
+
+-create_failed:
+- free_mr_exit(hr_dev);
++create_failed_qp:
++ hns_roce_destroy_cq(cq, NULL);
++ kfree(cq);
++
++create_failed_cq:
++ hns_roce_dealloc_pd(pd, NULL);
++ kfree(pd);
+
+ return ret;
+ }
+@@ -2730,14 +2814,17 @@ static int free_mr_modify_rsv_qp(struct hns_roce_dev *hr_dev,
+ int mask;
+ int ret;
+
+- hr_qp = to_hr_qp(free_mr->rsv_qp[sl_num]);
++ hr_qp = to_hr_qp(&free_mr->rsv_qp[sl_num]->ibqp);
+ hr_qp->free_mr_en = 1;
++ hr_qp->ibqp.device = ibdev;
++ hr_qp->ibqp.qp_type = IB_QPT_RC;
+
+ mask = IB_QP_STATE | IB_QP_PKEY_INDEX | IB_QP_PORT | IB_QP_ACCESS_FLAGS;
+ attr->qp_state = IB_QPS_INIT;
+ attr->port_num = 1;
+ attr->qp_access_flags = IB_ACCESS_REMOTE_WRITE;
+- ret = ib_modify_qp(&hr_qp->ibqp, attr, mask);
++ ret = hr_dev->hw->modify_qp(&hr_qp->ibqp, attr, mask, IB_QPS_INIT,
++ IB_QPS_INIT);
+ if (ret) {
+ ibdev_err(ibdev, "failed to modify qp to init, ret = %d.\n",
+ ret);
+@@ -2758,7 +2845,8 @@ static int free_mr_modify_rsv_qp(struct hns_roce_dev *hr_dev,
+
+ rdma_ah_set_sl(&attr->ah_attr, (u8)sl_num);
+
+- ret = ib_modify_qp(&hr_qp->ibqp, attr, mask);
++ ret = hr_dev->hw->modify_qp(&hr_qp->ibqp, attr, mask, IB_QPS_INIT,
++ IB_QPS_RTR);
+ hr_dev->loop_idc = loopback;
+ if (ret) {
+ ibdev_err(ibdev, "failed to modify qp to rtr, ret = %d.\n",
+@@ -2772,7 +2860,8 @@ static int free_mr_modify_rsv_qp(struct hns_roce_dev *hr_dev,
+ attr->sq_psn = HNS_ROCE_FREE_MR_USED_PSN;
+ attr->retry_cnt = HNS_ROCE_FREE_MR_USED_QP_RETRY_CNT;
+ attr->timeout = HNS_ROCE_FREE_MR_USED_QP_TIMEOUT;
+- ret = ib_modify_qp(&hr_qp->ibqp, attr, mask);
++ ret = hr_dev->hw->modify_qp(&hr_qp->ibqp, attr, mask, IB_QPS_RTR,
++ IB_QPS_RTS);
+ if (ret)
+ ibdev_err(ibdev, "failed to modify qp to rts, ret = %d.\n",
+ ret);
+@@ -3416,7 +3505,7 @@ static void free_mr_send_cmd_to_hw(struct hns_roce_dev *hr_dev)
+ mutex_lock(&free_mr->mutex);
+
+ for (i = 0; i < ARRAY_SIZE(free_mr->rsv_qp); i++) {
+- hr_qp = to_hr_qp(free_mr->rsv_qp[i]);
++ hr_qp = free_mr->rsv_qp[i];
+
+ ret = free_mr_post_send_lp_wqe(hr_qp);
+ if (ret) {
+@@ -3431,7 +3520,7 @@ static void free_mr_send_cmd_to_hw(struct hns_roce_dev *hr_dev)
+
+ end = msecs_to_jiffies(HNS_ROCE_V2_FREE_MR_TIMEOUT) + jiffies;
+ while (cqe_cnt) {
+- npolled = hns_roce_v2_poll_cq(free_mr->rsv_cq, cqe_cnt, wc);
++ npolled = hns_roce_v2_poll_cq(&free_mr->rsv_cq->ib_cq, cqe_cnt, wc);
+ if (npolled < 0) {
+ ibdev_err(ibdev,
+ "failed to poll cqe for free mr, remain %d cqe.\n",
+@@ -5474,7 +5563,7 @@ static int hns_roce_v2_destroy_qp_common(struct hns_roce_dev *hr_dev,
+ return ret;
+ }
+
+-static int hns_roce_v2_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
++int hns_roce_v2_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
+ {
+ struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device);
+ struct hns_roce_qp *hr_qp = to_hr_qp(ibqp);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index 12d54bf6d954..5abea0416f5b 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -1328,9 +1328,9 @@ struct hns_roce_link_table {
+ #define HNS_ROCE_EXT_LLM_MIN_PAGES(que_num) ((que_num) * 4 + 2)
+
+ struct hns_roce_v2_free_mr {
+- struct ib_qp *rsv_qp[HNS_ROCE_FREE_MR_USED_QP_NUM];
+- struct ib_cq *rsv_cq;
+- struct ib_pd *rsv_pd;
++ struct hns_roce_qp *rsv_qp[HNS_ROCE_FREE_MR_USED_QP_NUM];
++ struct hns_roce_cq *rsv_cq;
++ struct hns_roce_pd *rsv_pd;
+ struct mutex mutex;
+ };
+
+@@ -1460,6 +1460,8 @@ struct hns_roce_sccc_clr_done {
+ __le32 rsv[5];
+ };
+
++int hns_roce_v2_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata);
++
+ static inline void hns_roce_write64(struct hns_roce_dev *hr_dev, __le32 val[2],
+ void __iomem *dest)
+ {
+--
+2.35.1
+
--- /dev/null
+From 3b9bdeb22d2af072ce71039337dde859204a1905 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 18:29:11 +0800
+Subject: RDMA/hns: Fix XRC caps on HIP08
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 682c0722addae4b4a1440c9db9d8c86cb8e09ce5 ]
+
+XRC caps has been set by default. But in fact, XRC is not supported in
+HIP08.
+
+Fixes: 32548870d438 ("RDMA/hns: Add support for XRC on HIP09")
+Link: https://lore.kernel.org/r/20221126102911.2921820-7-xuhaoyue1@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 625e283f8d20..b55a96863d1a 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -2049,13 +2049,14 @@ static void set_default_caps(struct hns_roce_dev *hr_dev)
+
+ caps->flags |= HNS_ROCE_CAP_FLAG_ATOMIC | HNS_ROCE_CAP_FLAG_MW |
+ HNS_ROCE_CAP_FLAG_SRQ | HNS_ROCE_CAP_FLAG_FRMR |
+- HNS_ROCE_CAP_FLAG_QP_FLOW_CTRL | HNS_ROCE_CAP_FLAG_XRC;
++ HNS_ROCE_CAP_FLAG_QP_FLOW_CTRL;
+
+ caps->gid_table_len[0] = HNS_ROCE_V2_GID_INDEX_NUM;
+
+ if (hr_dev->pci_dev->revision >= PCI_REVISION_ID_HIP09) {
+ caps->flags |= HNS_ROCE_CAP_FLAG_STASH |
+- HNS_ROCE_CAP_FLAG_DIRECT_WQE;
++ HNS_ROCE_CAP_FLAG_DIRECT_WQE |
++ HNS_ROCE_CAP_FLAG_XRC;
+ caps->max_sq_inline = HNS_ROCE_V3_MAX_SQ_INLINE;
+ } else {
+ caps->max_sq_inline = HNS_ROCE_V2_MAX_SQ_INLINE;
+--
+2.35.1
+
--- /dev/null
+From 751d5013e26f82fd2a805df7ab4334ecc642f736 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 18:44:49 +0800
+Subject: RDMA/hns: Remove redundant DFX file and DFX ops structure
+
+From: Wenpeng Liang <liangwenpeng@huawei.com>
+
+[ Upstream commit 40b4b79c866ffc1414a3989cc480263e76f28589 ]
+
+There is no need to use a dedicated DXF file and DFX structure to manage
+the interface of the query queue context.
+
+Link: https://lore.kernel.org/r/20220822104455.2311053-2-liangwenpeng@huawei.com
+Signed-off-by: Wenpeng Liang <liangwenpeng@huawei.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: 487d65090a3d ("RDMA/hns: Fix the gid problem caused by free mr")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/Makefile | 2 +-
+ drivers/infiniband/hw/hns/hns_roce_device.h | 10 ++----
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 35 ++++++++++++++++---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 3 --
+ .../infiniband/hw/hns/hns_roce_hw_v2_dfx.c | 34 ------------------
+ drivers/infiniband/hw/hns/hns_roce_main.c | 6 +++-
+ drivers/infiniband/hw/hns/hns_roce_restrack.c | 35 +++++++------------
+ 7 files changed, 50 insertions(+), 75 deletions(-)
+ delete mode 100644 drivers/infiniband/hw/hns/hns_roce_hw_v2_dfx.c
+
+diff --git a/drivers/infiniband/hw/hns/Makefile b/drivers/infiniband/hw/hns/Makefile
+index 9f04f25d9631..a7d259238305 100644
+--- a/drivers/infiniband/hw/hns/Makefile
++++ b/drivers/infiniband/hw/hns/Makefile
+@@ -10,6 +10,6 @@ hns-roce-objs := hns_roce_main.o hns_roce_cmd.o hns_roce_pd.o \
+ hns_roce_cq.o hns_roce_alloc.o hns_roce_db.o hns_roce_srq.o hns_roce_restrack.o
+
+ ifdef CONFIG_INFINIBAND_HNS_HIP08
+-hns-roce-hw-v2-objs := hns_roce_hw_v2.o hns_roce_hw_v2_dfx.o $(hns-roce-objs)
++hns-roce-hw-v2-objs := hns_roce_hw_v2.o $(hns-roce-objs)
+ obj-$(CONFIG_INFINIBAND_HNS) += hns-roce-hw-v2.o
+ endif
+diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
+index 4dc296d856d8..48db4a42b7d3 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_device.h
++++ b/drivers/infiniband/hw/hns/hns_roce_device.h
+@@ -851,11 +851,6 @@ struct hns_roce_caps {
+ enum cong_type cong_type;
+ };
+
+-struct hns_roce_dfx_hw {
+- int (*query_cqc_info)(struct hns_roce_dev *hr_dev, u32 cqn,
+- int *buffer);
+-};
+-
+ enum hns_roce_device_state {
+ HNS_ROCE_DEVICE_STATE_INITED,
+ HNS_ROCE_DEVICE_STATE_RST_DOWN,
+@@ -901,6 +896,7 @@ struct hns_roce_hw {
+ int (*init_eq)(struct hns_roce_dev *hr_dev);
+ void (*cleanup_eq)(struct hns_roce_dev *hr_dev);
+ int (*write_srqc)(struct hns_roce_srq *srq, void *mb_buf);
++ int (*query_cqc)(struct hns_roce_dev *hr_dev, u32 cqn, void *buffer);
+ const struct ib_device_ops *hns_roce_dev_ops;
+ const struct ib_device_ops *hns_roce_dev_srq_ops;
+ };
+@@ -962,7 +958,6 @@ struct hns_roce_dev {
+ void *priv;
+ struct workqueue_struct *irq_workq;
+ struct work_struct ecc_work;
+- const struct hns_roce_dfx_hw *dfx;
+ u32 func_num;
+ u32 is_vf;
+ u32 cong_algo_tmpl_id;
+@@ -1230,8 +1225,7 @@ u8 hns_get_gid_index(struct hns_roce_dev *hr_dev, u32 port, int gid_index);
+ void hns_roce_handle_device_err(struct hns_roce_dev *hr_dev);
+ int hns_roce_init(struct hns_roce_dev *hr_dev);
+ void hns_roce_exit(struct hns_roce_dev *hr_dev);
+-int hns_roce_fill_res_cq_entry(struct sk_buff *msg,
+- struct ib_cq *ib_cq);
++int hns_roce_fill_res_cq_entry(struct sk_buff *msg, struct ib_cq *ib_cq);
+ struct hns_user_mmap_entry *
+ hns_roce_user_mmap_entry_insert(struct ib_ucontext *ucontext, u64 address,
+ size_t length,
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 7e9853c6d412..eb14df9fe70c 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -5764,6 +5764,35 @@ static int hns_roce_v2_modify_cq(struct ib_cq *cq, u16 cq_count, u16 cq_period)
+ return ret;
+ }
+
++static int hns_roce_v2_query_cqc(struct hns_roce_dev *hr_dev, u32 cqn,
++ void *buffer)
++{
++ struct hns_roce_v2_cq_context *context;
++ struct hns_roce_cmd_mailbox *mailbox;
++ int ret;
++
++ mailbox = hns_roce_alloc_cmd_mailbox(hr_dev);
++ if (IS_ERR(mailbox))
++ return PTR_ERR(mailbox);
++
++ context = mailbox->buf;
++ ret = hns_roce_cmd_mbox(hr_dev, 0, mailbox->dma,
++ HNS_ROCE_CMD_QUERY_CQC, cqn);
++ if (ret) {
++ ibdev_err(&hr_dev->ib_dev,
++ "failed to process cmd when querying CQ, ret = %d.\n",
++ ret);
++ goto err_mailbox;
++ }
++
++ memcpy(buffer, context, sizeof(*context));
++
++err_mailbox:
++ hns_roce_free_cmd_mailbox(hr_dev, mailbox);
++
++ return ret;
++}
++
+ static void hns_roce_irq_work_handle(struct work_struct *work)
+ {
+ struct hns_roce_work *irq_work =
+@@ -6565,10 +6594,6 @@ static void hns_roce_v2_cleanup_eq_table(struct hns_roce_dev *hr_dev)
+ kfree(eq_table->eq);
+ }
+
+-static const struct hns_roce_dfx_hw hns_roce_dfx_hw_v2 = {
+- .query_cqc_info = hns_roce_v2_query_cqc_info,
+-};
+-
+ static const struct ib_device_ops hns_roce_v2_dev_ops = {
+ .destroy_qp = hns_roce_v2_destroy_qp,
+ .modify_cq = hns_roce_v2_modify_cq,
+@@ -6609,6 +6634,7 @@ static const struct hns_roce_hw hns_roce_hw_v2 = {
+ .init_eq = hns_roce_v2_init_eq_table,
+ .cleanup_eq = hns_roce_v2_cleanup_eq_table,
+ .write_srqc = hns_roce_v2_write_srqc,
++ .query_cqc = hns_roce_v2_query_cqc,
+ .hns_roce_dev_ops = &hns_roce_v2_dev_ops,
+ .hns_roce_dev_srq_ops = &hns_roce_v2_dev_srq_ops,
+ };
+@@ -6640,7 +6666,6 @@ static void hns_roce_hw_v2_get_cfg(struct hns_roce_dev *hr_dev,
+ hr_dev->is_vf = id->driver_data;
+ hr_dev->dev = &handle->pdev->dev;
+ hr_dev->hw = &hns_roce_hw_v2;
+- hr_dev->dfx = &hns_roce_dfx_hw_v2;
+ hr_dev->sdb_offset = ROCEE_DB_SQ_L_0_REG;
+ hr_dev->odb_offset = hr_dev->sdb_offset;
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index 4544a8775ce5..12d54bf6d954 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -1460,9 +1460,6 @@ struct hns_roce_sccc_clr_done {
+ __le32 rsv[5];
+ };
+
+-int hns_roce_v2_query_cqc_info(struct hns_roce_dev *hr_dev, u32 cqn,
+- int *buffer);
+-
+ static inline void hns_roce_write64(struct hns_roce_dev *hr_dev, __le32 val[2],
+ void __iomem *dest)
+ {
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2_dfx.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2_dfx.c
+deleted file mode 100644
+index f7a75a7cda74..000000000000
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2_dfx.c
++++ /dev/null
+@@ -1,34 +0,0 @@
+-// SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+-// Copyright (c) 2019 Hisilicon Limited.
+-
+-#include "hnae3.h"
+-#include "hns_roce_device.h"
+-#include "hns_roce_cmd.h"
+-#include "hns_roce_hw_v2.h"
+-
+-int hns_roce_v2_query_cqc_info(struct hns_roce_dev *hr_dev, u32 cqn,
+- int *buffer)
+-{
+- struct hns_roce_v2_cq_context *cq_context;
+- struct hns_roce_cmd_mailbox *mailbox;
+- int ret;
+-
+- mailbox = hns_roce_alloc_cmd_mailbox(hr_dev);
+- if (IS_ERR(mailbox))
+- return PTR_ERR(mailbox);
+-
+- cq_context = mailbox->buf;
+- ret = hns_roce_cmd_mbox(hr_dev, 0, mailbox->dma, HNS_ROCE_CMD_QUERY_CQC,
+- cqn);
+- if (ret) {
+- dev_err(hr_dev->dev, "QUERY cqc cmd process error\n");
+- goto err_mailbox;
+- }
+-
+- memcpy(buffer, cq_context, sizeof(*cq_context));
+-
+-err_mailbox:
+- hns_roce_free_cmd_mailbox(hr_dev, mailbox);
+-
+- return ret;
+-}
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index a4e7bb5bb194..bf5c7729d7e8 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -529,7 +529,6 @@ static const struct ib_device_ops hns_roce_dev_ops = {
+ .destroy_ah = hns_roce_destroy_ah,
+ .destroy_cq = hns_roce_destroy_cq,
+ .disassociate_ucontext = hns_roce_disassociate_ucontext,
+- .fill_res_cq_entry = hns_roce_fill_res_cq_entry,
+ .get_dma_mr = hns_roce_get_dma_mr,
+ .get_link_layer = hns_roce_get_link_layer,
+ .get_port_immutable = hns_roce_port_immutable,
+@@ -580,6 +579,10 @@ static const struct ib_device_ops hns_roce_dev_xrcd_ops = {
+ INIT_RDMA_OBJ_SIZE(ib_xrcd, hns_roce_xrcd, ibxrcd),
+ };
+
++static const struct ib_device_ops hns_roce_dev_restrack_ops = {
++ .fill_res_cq_entry = hns_roce_fill_res_cq_entry,
++};
++
+ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
+ {
+ int ret;
+@@ -619,6 +622,7 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
+
+ ib_set_device_ops(ib_dev, hr_dev->hw->hns_roce_dev_ops);
+ ib_set_device_ops(ib_dev, &hns_roce_dev_ops);
++ ib_set_device_ops(ib_dev, &hns_roce_dev_restrack_ops);
+ for (i = 0; i < hr_dev->caps.num_ports; i++) {
+ if (!hr_dev->iboe.netdevs[i])
+ continue;
+diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c
+index 24a154d64630..83417be15d3f 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c
++++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c
+@@ -55,45 +55,34 @@ static int hns_roce_fill_cq(struct sk_buff *msg,
+ return -EMSGSIZE;
+ }
+
+-int hns_roce_fill_res_cq_entry(struct sk_buff *msg,
+- struct ib_cq *ib_cq)
++int hns_roce_fill_res_cq_entry(struct sk_buff *msg, struct ib_cq *ib_cq)
+ {
+ struct hns_roce_dev *hr_dev = to_hr_dev(ib_cq->device);
+ struct hns_roce_cq *hr_cq = to_hr_cq(ib_cq);
+- struct hns_roce_v2_cq_context *context;
++ struct hns_roce_v2_cq_context context;
+ struct nlattr *table_attr;
+ int ret;
+
+- if (!hr_dev->dfx->query_cqc_info)
++ if (!hr_dev->hw->query_cqc)
+ return -EINVAL;
+
+- context = kzalloc(sizeof(struct hns_roce_v2_cq_context), GFP_KERNEL);
+- if (!context)
+- return -ENOMEM;
+-
+- ret = hr_dev->dfx->query_cqc_info(hr_dev, hr_cq->cqn, (int *)context);
++ ret = hr_dev->hw->query_cqc(hr_dev, hr_cq->cqn, &context);
+ if (ret)
+- goto err;
++ return -EINVAL;
+
+ table_attr = nla_nest_start(msg, RDMA_NLDEV_ATTR_DRIVER);
+- if (!table_attr) {
+- ret = -EMSGSIZE;
+- goto err;
+- }
++ if (!table_attr)
++ return -EMSGSIZE;
+
+- if (hns_roce_fill_cq(msg, context)) {
+- ret = -EMSGSIZE;
+- goto err_cancel_table;
+- }
++ if (hns_roce_fill_cq(msg, &context))
++ goto err;
+
+ nla_nest_end(msg, table_attr);
+- kfree(context);
+
+ return 0;
+
+-err_cancel_table:
+- nla_nest_cancel(msg, table_attr);
+ err:
+- kfree(context);
+- return ret;
++ nla_nest_cancel(msg, table_attr);
++
++ return -EMSGSIZE;
+ }
+--
+2.35.1
+
--- /dev/null
+From ae194f1a6c68dc92ea2cda7cbd1ffe2b2b45ab60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 20:33:13 +0800
+Subject: RDMA/hns: Repacing 'dseg_len' by macros in fill_ext_sge_inl_data()
+
+From: Luoyouming <luoyouming@huawei.com>
+
+[ Upstream commit 3b1f864c904915b3baebffb31ea05ee704b0df3c ]
+
+The sge size is known to be constant, so it's unnecessary to use sizeof to
+calculate.
+
+Link: https://lore.kernel.org/r/20220922123315.3732205-11-xuhaoyue1@hisilicon.com
+Signed-off-by: Luoyouming <luoyouming@huawei.com>
+Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Stable-dep-of: 8eaa6f7d569b ("RDMA/hns: Fix ext_sge num error when post send")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 105888c6ccb7..eb1601bd1255 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -192,8 +192,7 @@ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
+ unsigned int *sge_idx, u32 msg_len)
+ {
+ struct ib_device *ibdev = &(to_hr_dev(qp->ibqp.device))->ib_dev;
+- unsigned int dseg_len = sizeof(struct hns_roce_v2_wqe_data_seg);
+- unsigned int ext_sge_sz = qp->sq.max_gs * dseg_len;
++ unsigned int ext_sge_sz = qp->sq.max_gs * HNS_ROCE_SGE_SIZE;
+ unsigned int left_len_in_pg;
+ unsigned int idx = *sge_idx;
+ unsigned int i = 0;
+@@ -221,7 +220,7 @@ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
+ if (len <= left_len_in_pg) {
+ memcpy(dseg, addr, len);
+
+- idx += len / dseg_len;
++ idx += len / HNS_ROCE_SGE_SIZE;
+
+ i++;
+ if (i >= wr->num_sge)
+@@ -236,7 +235,7 @@ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
+
+ len -= left_len_in_pg;
+ addr += left_len_in_pg;
+- idx += left_len_in_pg / dseg_len;
++ idx += left_len_in_pg / HNS_ROCE_SGE_SIZE;
+ dseg = hns_roce_get_extend_sge(qp,
+ idx & (qp->sge.sge_cnt - 1));
+ left_len_in_pg = 1 << HNS_HW_PAGE_SHIFT;
+--
+2.35.1
+
--- /dev/null
+From 140d004e33b8d23641fa40d43699e4f8509d5c96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 19:17:01 -0600
+Subject: RDMA/irdma: Do not request 2-level PBLEs for CQ alloc
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 8f7e2daa6336f9f4b6f8a4715a809674606df16b ]
+
+When allocating PBLE's for a large CQ, it is possible
+that a 2-level PBLE is returned which would cause the
+CQ allocation to fail since 1-level is assumed and checked for.
+Fix this by requesting a level one PBLE only.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20221115011701.1379-4-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index 01d0dc4b5649..dc3f5f3fee90 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -2329,9 +2329,10 @@ static bool irdma_check_mr_contiguous(struct irdma_pble_alloc *palloc,
+ * @rf: RDMA PCI function
+ * @iwmr: mr pointer for this memory registration
+ * @use_pbles: flag if to use pble's
++ * @lvl_1_only: request only level 1 pble if true
+ */
+ static int irdma_setup_pbles(struct irdma_pci_f *rf, struct irdma_mr *iwmr,
+- bool use_pbles)
++ bool use_pbles, bool lvl_1_only)
+ {
+ struct irdma_pbl *iwpbl = &iwmr->iwpbl;
+ struct irdma_pble_alloc *palloc = &iwpbl->pble_alloc;
+@@ -2342,7 +2343,7 @@ static int irdma_setup_pbles(struct irdma_pci_f *rf, struct irdma_mr *iwmr,
+
+ if (use_pbles) {
+ status = irdma_get_pble(rf->pble_rsrc, palloc, iwmr->page_cnt,
+- false);
++ lvl_1_only);
+ if (status)
+ return status;
+
+@@ -2385,16 +2386,10 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
+ bool ret = true;
+
+ pg_size = iwmr->page_size;
+- err = irdma_setup_pbles(iwdev->rf, iwmr, use_pbles);
++ err = irdma_setup_pbles(iwdev->rf, iwmr, use_pbles, true);
+ if (err)
+ return err;
+
+- if (use_pbles && palloc->level != PBLE_LEVEL_1) {
+- irdma_free_pble(iwdev->rf->pble_rsrc, palloc);
+- iwpbl->pbl_allocated = false;
+- return -ENOMEM;
+- }
+-
+ if (use_pbles)
+ arr = palloc->level1.addr;
+
+@@ -2870,7 +2865,7 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
+ case IRDMA_MEMREG_TYPE_MEM:
+ use_pbles = (iwmr->page_cnt != 1);
+
+- err = irdma_setup_pbles(iwdev->rf, iwmr, use_pbles);
++ err = irdma_setup_pbles(iwdev->rf, iwmr, use_pbles, false);
+ if (err)
+ goto error;
+
+--
+2.35.1
+
--- /dev/null
+From f54084ced1bb1328d6a6544ca0ed381783fec2db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 19:16:59 -0600
+Subject: RDMA/irdma: Fix inline for multiple SGE's
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 4f44e519b6a945068755708119cca5b74d01d1f6 ]
+
+Currently, inline send and inline write assume a single
+SGE and only copy data from the first one. Add support
+for multiple SGE's.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20221115011701.1379-2-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/uk.c | 149 ++++++++++++++++++----------
+ drivers/infiniband/hw/irdma/user.h | 19 +---
+ drivers/infiniband/hw/irdma/verbs.c | 55 ++++------
+ 3 files changed, 119 insertions(+), 104 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/uk.c b/drivers/infiniband/hw/irdma/uk.c
+index a6e5d350a94c..1a57ed9d77ff 100644
+--- a/drivers/infiniband/hw/irdma/uk.c
++++ b/drivers/infiniband/hw/irdma/uk.c
+@@ -566,21 +566,37 @@ static void irdma_set_mw_bind_wqe_gen_1(__le64 *wqe,
+
+ /**
+ * irdma_copy_inline_data_gen_1 - Copy inline data to wqe
+- * @dest: pointer to wqe
+- * @src: pointer to inline data
+- * @len: length of inline data to copy
++ * @wqe: pointer to wqe
++ * @sge_list: table of pointers to inline data
++ * @num_sges: Total inline data length
+ * @polarity: compatibility parameter
+ */
+-static void irdma_copy_inline_data_gen_1(u8 *dest, u8 *src, u32 len,
+- u8 polarity)
++static void irdma_copy_inline_data_gen_1(u8 *wqe, struct ib_sge *sge_list,
++ u32 num_sges, u8 polarity)
+ {
+- if (len <= 16) {
+- memcpy(dest, src, len);
+- } else {
+- memcpy(dest, src, 16);
+- src += 16;
+- dest = dest + 32;
+- memcpy(dest, src, len - 16);
++ u32 quanta_bytes_remaining = 16;
++ int i;
++
++ for (i = 0; i < num_sges; i++) {
++ u8 *cur_sge = (u8 *)(uintptr_t)sge_list[i].addr;
++ u32 sge_len = sge_list[i].length;
++
++ while (sge_len) {
++ u32 bytes_copied;
++
++ bytes_copied = min(sge_len, quanta_bytes_remaining);
++ memcpy(wqe, cur_sge, bytes_copied);
++ wqe += bytes_copied;
++ cur_sge += bytes_copied;
++ quanta_bytes_remaining -= bytes_copied;
++ sge_len -= bytes_copied;
++
++ if (!quanta_bytes_remaining) {
++ /* Remaining inline bytes reside after hdr */
++ wqe += 16;
++ quanta_bytes_remaining = 32;
++ }
++ }
+ }
+ }
+
+@@ -612,35 +628,51 @@ static void irdma_set_mw_bind_wqe(__le64 *wqe,
+
+ /**
+ * irdma_copy_inline_data - Copy inline data to wqe
+- * @dest: pointer to wqe
+- * @src: pointer to inline data
+- * @len: length of inline data to copy
++ * @wqe: pointer to wqe
++ * @sge_list: table of pointers to inline data
++ * @num_sges: number of SGE's
+ * @polarity: polarity of wqe valid bit
+ */
+-static void irdma_copy_inline_data(u8 *dest, u8 *src, u32 len, u8 polarity)
++static void irdma_copy_inline_data(u8 *wqe, struct ib_sge *sge_list,
++ u32 num_sges, u8 polarity)
+ {
+ u8 inline_valid = polarity << IRDMA_INLINE_VALID_S;
+- u32 copy_size;
+-
+- dest += 8;
+- if (len <= 8) {
+- memcpy(dest, src, len);
+- return;
+- }
+-
+- *((u64 *)dest) = *((u64 *)src);
+- len -= 8;
+- src += 8;
+- dest += 24; /* point to additional 32 byte quanta */
+-
+- while (len) {
+- copy_size = len < 31 ? len : 31;
+- memcpy(dest, src, copy_size);
+- *(dest + 31) = inline_valid;
+- len -= copy_size;
+- dest += 32;
+- src += copy_size;
++ u32 quanta_bytes_remaining = 8;
++ bool first_quanta = true;
++ int i;
++
++ wqe += 8;
++
++ for (i = 0; i < num_sges; i++) {
++ u8 *cur_sge = (u8 *)(uintptr_t)sge_list[i].addr;
++ u32 sge_len = sge_list[i].length;
++
++ while (sge_len) {
++ u32 bytes_copied;
++
++ bytes_copied = min(sge_len, quanta_bytes_remaining);
++ memcpy(wqe, cur_sge, bytes_copied);
++ wqe += bytes_copied;
++ cur_sge += bytes_copied;
++ quanta_bytes_remaining -= bytes_copied;
++ sge_len -= bytes_copied;
++
++ if (!quanta_bytes_remaining) {
++ quanta_bytes_remaining = 31;
++
++ /* Remaining inline bytes reside after hdr */
++ if (first_quanta) {
++ first_quanta = false;
++ wqe += 16;
++ } else {
++ *wqe = inline_valid;
++ wqe++;
++ }
++ }
++ }
+ }
++ if (!first_quanta && quanta_bytes_remaining < 31)
++ *(wqe + quanta_bytes_remaining) = inline_valid;
+ }
+
+ /**
+@@ -679,20 +711,27 @@ int irdma_uk_inline_rdma_write(struct irdma_qp_uk *qp,
+ struct irdma_post_sq_info *info, bool post_sq)
+ {
+ __le64 *wqe;
+- struct irdma_inline_rdma_write *op_info;
++ struct irdma_rdma_write *op_info;
+ u64 hdr = 0;
+ u32 wqe_idx;
+ bool read_fence = false;
++ u32 i, total_size = 0;
+ u16 quanta;
+
+ info->push_wqe = qp->push_db ? true : false;
+- op_info = &info->op.inline_rdma_write;
++ op_info = &info->op.rdma_write;
++
++ if (unlikely(qp->max_sq_frag_cnt < op_info->num_lo_sges))
++ return -EINVAL;
+
+- if (op_info->len > qp->max_inline_data)
++ for (i = 0; i < op_info->num_lo_sges; i++)
++ total_size += op_info->lo_sg_list[i].length;
++
++ if (unlikely(total_size > qp->max_inline_data))
+ return -EINVAL;
+
+- quanta = qp->wqe_ops.iw_inline_data_size_to_quanta(op_info->len);
+- wqe = irdma_qp_get_next_send_wqe(qp, &wqe_idx, quanta, op_info->len,
++ quanta = qp->wqe_ops.iw_inline_data_size_to_quanta(total_size);
++ wqe = irdma_qp_get_next_send_wqe(qp, &wqe_idx, quanta, total_size,
+ info);
+ if (!wqe)
+ return -ENOMEM;
+@@ -705,7 +744,7 @@ int irdma_uk_inline_rdma_write(struct irdma_qp_uk *qp,
+
+ hdr = FIELD_PREP(IRDMAQPSQ_REMSTAG, op_info->rem_addr.lkey) |
+ FIELD_PREP(IRDMAQPSQ_OPCODE, info->op_type) |
+- FIELD_PREP(IRDMAQPSQ_INLINEDATALEN, op_info->len) |
++ FIELD_PREP(IRDMAQPSQ_INLINEDATALEN, total_size) |
+ FIELD_PREP(IRDMAQPSQ_REPORTRTT, info->report_rtt ? 1 : 0) |
+ FIELD_PREP(IRDMAQPSQ_INLINEDATAFLAG, 1) |
+ FIELD_PREP(IRDMAQPSQ_IMMDATAFLAG, info->imm_data_valid ? 1 : 0) |
+@@ -719,7 +758,8 @@ int irdma_uk_inline_rdma_write(struct irdma_qp_uk *qp,
+ set_64bit_val(wqe, 0,
+ FIELD_PREP(IRDMAQPSQ_IMMDATA, info->imm_data));
+
+- qp->wqe_ops.iw_copy_inline_data((u8 *)wqe, op_info->data, op_info->len,
++ qp->wqe_ops.iw_copy_inline_data((u8 *)wqe, op_info->lo_sg_list,
++ op_info->num_lo_sges,
+ qp->swqe_polarity);
+ dma_wmb(); /* make sure WQE is populated before valid bit is set */
+
+@@ -745,20 +785,27 @@ int irdma_uk_inline_send(struct irdma_qp_uk *qp,
+ struct irdma_post_sq_info *info, bool post_sq)
+ {
+ __le64 *wqe;
+- struct irdma_post_inline_send *op_info;
++ struct irdma_post_send *op_info;
+ u64 hdr;
+ u32 wqe_idx;
+ bool read_fence = false;
++ u32 i, total_size = 0;
+ u16 quanta;
+
+ info->push_wqe = qp->push_db ? true : false;
+- op_info = &info->op.inline_send;
++ op_info = &info->op.send;
+
+- if (op_info->len > qp->max_inline_data)
++ if (unlikely(qp->max_sq_frag_cnt < op_info->num_sges))
+ return -EINVAL;
+
+- quanta = qp->wqe_ops.iw_inline_data_size_to_quanta(op_info->len);
+- wqe = irdma_qp_get_next_send_wqe(qp, &wqe_idx, quanta, op_info->len,
++ for (i = 0; i < op_info->num_sges; i++)
++ total_size += op_info->sg_list[i].length;
++
++ if (unlikely(total_size > qp->max_inline_data))
++ return -EINVAL;
++
++ quanta = qp->wqe_ops.iw_inline_data_size_to_quanta(total_size);
++ wqe = irdma_qp_get_next_send_wqe(qp, &wqe_idx, quanta, total_size,
+ info);
+ if (!wqe)
+ return -ENOMEM;
+@@ -773,7 +820,7 @@ int irdma_uk_inline_send(struct irdma_qp_uk *qp,
+ hdr = FIELD_PREP(IRDMAQPSQ_REMSTAG, info->stag_to_inv) |
+ FIELD_PREP(IRDMAQPSQ_AHID, op_info->ah_id) |
+ FIELD_PREP(IRDMAQPSQ_OPCODE, info->op_type) |
+- FIELD_PREP(IRDMAQPSQ_INLINEDATALEN, op_info->len) |
++ FIELD_PREP(IRDMAQPSQ_INLINEDATALEN, total_size) |
+ FIELD_PREP(IRDMAQPSQ_IMMDATAFLAG,
+ (info->imm_data_valid ? 1 : 0)) |
+ FIELD_PREP(IRDMAQPSQ_REPORTRTT, (info->report_rtt ? 1 : 0)) |
+@@ -789,8 +836,8 @@ int irdma_uk_inline_send(struct irdma_qp_uk *qp,
+ if (info->imm_data_valid)
+ set_64bit_val(wqe, 0,
+ FIELD_PREP(IRDMAQPSQ_IMMDATA, info->imm_data));
+- qp->wqe_ops.iw_copy_inline_data((u8 *)wqe, op_info->data, op_info->len,
+- qp->swqe_polarity);
++ qp->wqe_ops.iw_copy_inline_data((u8 *)wqe, op_info->sg_list,
++ op_info->num_sges, qp->swqe_polarity);
+
+ dma_wmb(); /* make sure WQE is populated before valid bit is set */
+
+diff --git a/drivers/infiniband/hw/irdma/user.h b/drivers/infiniband/hw/irdma/user.h
+index 2ef61923c926..424d4aa8cdcd 100644
+--- a/drivers/infiniband/hw/irdma/user.h
++++ b/drivers/infiniband/hw/irdma/user.h
+@@ -173,14 +173,6 @@ struct irdma_post_send {
+ u32 ah_id;
+ };
+
+-struct irdma_post_inline_send {
+- void *data;
+- u32 len;
+- u32 qkey;
+- u32 dest_qp;
+- u32 ah_id;
+-};
+-
+ struct irdma_post_rq_info {
+ u64 wr_id;
+ struct ib_sge *sg_list;
+@@ -193,12 +185,6 @@ struct irdma_rdma_write {
+ struct ib_sge rem_addr;
+ };
+
+-struct irdma_inline_rdma_write {
+- void *data;
+- u32 len;
+- struct ib_sge rem_addr;
+-};
+-
+ struct irdma_rdma_read {
+ struct ib_sge *lo_sg_list;
+ u32 num_lo_sges;
+@@ -241,8 +227,6 @@ struct irdma_post_sq_info {
+ struct irdma_rdma_read rdma_read;
+ struct irdma_bind_window bind_window;
+ struct irdma_inv_local_stag inv_local_stag;
+- struct irdma_inline_rdma_write inline_rdma_write;
+- struct irdma_post_inline_send inline_send;
+ } op;
+ };
+
+@@ -291,7 +275,8 @@ int irdma_uk_stag_local_invalidate(struct irdma_qp_uk *qp,
+ bool post_sq);
+
+ struct irdma_wqe_uk_ops {
+- void (*iw_copy_inline_data)(u8 *dest, u8 *src, u32 len, u8 polarity);
++ void (*iw_copy_inline_data)(u8 *dest, struct ib_sge *sge_list,
++ u32 num_sges, u8 polarity);
+ u16 (*iw_inline_data_size_to_quanta)(u32 data_size);
+ void (*iw_set_fragment)(__le64 *wqe, u32 offset, struct ib_sge *sge,
+ u8 valid);
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index 434241789f12..e252f431e2ac 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3136,30 +3136,20 @@ static int irdma_post_send(struct ib_qp *ibqp,
+ info.stag_to_inv = ib_wr->ex.invalidate_rkey;
+ }
+
+- if (ib_wr->send_flags & IB_SEND_INLINE) {
+- info.op.inline_send.data = (void *)(unsigned long)
+- ib_wr->sg_list[0].addr;
+- info.op.inline_send.len = ib_wr->sg_list[0].length;
+- if (iwqp->ibqp.qp_type == IB_QPT_UD ||
+- iwqp->ibqp.qp_type == IB_QPT_GSI) {
+- ah = to_iwah(ud_wr(ib_wr)->ah);
+- info.op.inline_send.ah_id = ah->sc_ah.ah_info.ah_idx;
+- info.op.inline_send.qkey = ud_wr(ib_wr)->remote_qkey;
+- info.op.inline_send.dest_qp = ud_wr(ib_wr)->remote_qpn;
+- }
++ info.op.send.num_sges = ib_wr->num_sge;
++ info.op.send.sg_list = ib_wr->sg_list;
++ if (iwqp->ibqp.qp_type == IB_QPT_UD ||
++ iwqp->ibqp.qp_type == IB_QPT_GSI) {
++ ah = to_iwah(ud_wr(ib_wr)->ah);
++ info.op.send.ah_id = ah->sc_ah.ah_info.ah_idx;
++ info.op.send.qkey = ud_wr(ib_wr)->remote_qkey;
++ info.op.send.dest_qp = ud_wr(ib_wr)->remote_qpn;
++ }
++
++ if (ib_wr->send_flags & IB_SEND_INLINE)
+ err = irdma_uk_inline_send(ukqp, &info, false);
+- } else {
+- info.op.send.num_sges = ib_wr->num_sge;
+- info.op.send.sg_list = ib_wr->sg_list;
+- if (iwqp->ibqp.qp_type == IB_QPT_UD ||
+- iwqp->ibqp.qp_type == IB_QPT_GSI) {
+- ah = to_iwah(ud_wr(ib_wr)->ah);
+- info.op.send.ah_id = ah->sc_ah.ah_info.ah_idx;
+- info.op.send.qkey = ud_wr(ib_wr)->remote_qkey;
+- info.op.send.dest_qp = ud_wr(ib_wr)->remote_qpn;
+- }
++ else
+ err = irdma_uk_send(ukqp, &info, false);
+- }
+ break;
+ case IB_WR_RDMA_WRITE_WITH_IMM:
+ if (ukqp->qp_caps & IRDMA_WRITE_WITH_IMM) {
+@@ -3176,22 +3166,15 @@ static int irdma_post_send(struct ib_qp *ibqp,
+ else
+ info.op_type = IRDMA_OP_TYPE_RDMA_WRITE;
+
+- if (ib_wr->send_flags & IB_SEND_INLINE) {
+- info.op.inline_rdma_write.data = (void *)(uintptr_t)ib_wr->sg_list[0].addr;
+- info.op.inline_rdma_write.len =
+- ib_wr->sg_list[0].length;
+- info.op.inline_rdma_write.rem_addr.addr =
+- rdma_wr(ib_wr)->remote_addr;
+- info.op.inline_rdma_write.rem_addr.lkey =
+- rdma_wr(ib_wr)->rkey;
++ info.op.rdma_write.num_lo_sges = ib_wr->num_sge;
++ info.op.rdma_write.lo_sg_list = ib_wr->sg_list;
++ info.op.rdma_write.rem_addr.addr =
++ rdma_wr(ib_wr)->remote_addr;
++ info.op.rdma_write.rem_addr.lkey = rdma_wr(ib_wr)->rkey;
++ if (ib_wr->send_flags & IB_SEND_INLINE)
+ err = irdma_uk_inline_rdma_write(ukqp, &info, false);
+- } else {
+- info.op.rdma_write.lo_sg_list = (void *)ib_wr->sg_list;
+- info.op.rdma_write.num_lo_sges = ib_wr->num_sge;
+- info.op.rdma_write.rem_addr.addr = rdma_wr(ib_wr)->remote_addr;
+- info.op.rdma_write.rem_addr.lkey = rdma_wr(ib_wr)->rkey;
++ else
+ err = irdma_uk_rdma_write(ukqp, &info, false);
+- }
+ break;
+ case IB_WR_RDMA_READ_WITH_INV:
+ inv_stag = true;
+--
+2.35.1
+
--- /dev/null
+From c43be8db35ee0e476724ded570ef68d74f70b8ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 19:17:00 -0600
+Subject: RDMA/irdma: Fix RQ completion opcode
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 24419777e9431137d5923a747f546facb1e49b1f ]
+
+The opcode written by HW, in the RQ CQE, is the
+RoCEv2/iWARP protocol opcode from the received
+packet and not the SW opcode as currently assumed.
+Fix this by returning the raw operation type and
+queue type in the CQE to irdma_process_cqe and add
+2 helpers set_ib_wc_op_sq set_ib_wc_op_rq to map
+IRDMA HW op types to IB op types.
+
+Note that for iWARP, only Write with Immediate is
+supported so the opcode can only be IB_WC_RECV_RDMA_WITH_IMM
+when there is immediate data present.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20221115011701.1379-3-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/uk.c | 21 +++++-------
+ drivers/infiniband/hw/irdma/user.h | 1 +
+ drivers/infiniband/hw/irdma/utils.c | 2 ++
+ drivers/infiniband/hw/irdma/verbs.c | 39 ++++-----------------
+ drivers/infiniband/hw/irdma/verbs.h | 53 +++++++++++++++++++++++++++++
+ 5 files changed, 71 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/uk.c b/drivers/infiniband/hw/irdma/uk.c
+index 1a57ed9d77ff..16183e894da7 100644
+--- a/drivers/infiniband/hw/irdma/uk.c
++++ b/drivers/infiniband/hw/irdma/uk.c
+@@ -1049,11 +1049,10 @@ int irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
+ __le64 *cqe;
+ struct irdma_qp_uk *qp;
+ struct irdma_ring *pring = NULL;
+- u32 wqe_idx, q_type;
++ u32 wqe_idx;
+ int ret_code;
+ bool move_cq_head = true;
+ u8 polarity;
+- u8 op_type;
+ bool ext_valid;
+ __le64 *ext_cqe;
+
+@@ -1121,7 +1120,7 @@ int irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
+ info->ud_vlan_valid = false;
+ }
+
+- q_type = (u8)FIELD_GET(IRDMA_CQ_SQ, qword3);
++ info->q_type = (u8)FIELD_GET(IRDMA_CQ_SQ, qword3);
+ info->error = (bool)FIELD_GET(IRDMA_CQ_ERROR, qword3);
+ info->push_dropped = (bool)FIELD_GET(IRDMACQ_PSHDROP, qword3);
+ info->ipv4 = (bool)FIELD_GET(IRDMACQ_IPV4, qword3);
+@@ -1160,8 +1159,9 @@ int irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
+ }
+ wqe_idx = (u32)FIELD_GET(IRDMA_CQ_WQEIDX, qword3);
+ info->qp_handle = (irdma_qp_handle)(unsigned long)qp;
++ info->op_type = (u8)FIELD_GET(IRDMA_CQ_SQ, qword3);
+
+- if (q_type == IRDMA_CQE_QTYPE_RQ) {
++ if (info->q_type == IRDMA_CQE_QTYPE_RQ) {
+ u32 array_idx;
+
+ array_idx = wqe_idx / qp->rq_wqe_size_multiplier;
+@@ -1181,10 +1181,6 @@ int irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
+
+ info->bytes_xfered = (u32)FIELD_GET(IRDMACQ_PAYLDLEN, qword0);
+
+- if (info->imm_valid)
+- info->op_type = IRDMA_OP_TYPE_REC_IMM;
+- else
+- info->op_type = IRDMA_OP_TYPE_REC;
+ if (qword3 & IRDMACQ_STAG) {
+ info->stag_invalid_set = true;
+ info->inv_stag = (u32)FIELD_GET(IRDMACQ_INVSTAG, qword2);
+@@ -1242,17 +1238,18 @@ int irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
+ sw_wqe = qp->sq_base[tail].elem;
+ get_64bit_val(sw_wqe, 24,
+ &wqe_qword);
+- op_type = (u8)FIELD_GET(IRDMAQPSQ_OPCODE, wqe_qword);
+- info->op_type = op_type;
++ info->op_type = (u8)FIELD_GET(IRDMAQPSQ_OPCODE,
++ wqe_qword);
+ IRDMA_RING_SET_TAIL(qp->sq_ring,
+ tail + qp->sq_wrtrk_array[tail].quanta);
+- if (op_type != IRDMAQP_OP_NOP) {
++ if (info->op_type != IRDMAQP_OP_NOP) {
+ info->wr_id = qp->sq_wrtrk_array[tail].wrid;
+ info->bytes_xfered = qp->sq_wrtrk_array[tail].wr_len;
+ break;
+ }
+ } while (1);
+- if (op_type == IRDMA_OP_TYPE_BIND_MW && info->minor_err == FLUSH_PROT_ERR)
++ if (info->op_type == IRDMA_OP_TYPE_BIND_MW &&
++ info->minor_err == FLUSH_PROT_ERR)
+ info->minor_err = FLUSH_MW_BIND_ERR;
+ qp->sq_flush_seen = true;
+ if (!IRDMA_RING_MORE_WORK(qp->sq_ring))
+diff --git a/drivers/infiniband/hw/irdma/user.h b/drivers/infiniband/hw/irdma/user.h
+index 424d4aa8cdcd..d0cdf609f5e0 100644
+--- a/drivers/infiniband/hw/irdma/user.h
++++ b/drivers/infiniband/hw/irdma/user.h
+@@ -245,6 +245,7 @@ struct irdma_cq_poll_info {
+ u16 ud_vlan;
+ u8 ud_smac[6];
+ u8 op_type;
++ u8 q_type;
+ bool stag_invalid_set:1; /* or L_R_Key set */
+ bool push_dropped:1;
+ bool error:1;
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 8dfc9e154d73..445e69e86409 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -2591,6 +2591,7 @@ void irdma_generate_flush_completions(struct irdma_qp *iwqp)
+ sw_wqe = qp->sq_base[wqe_idx].elem;
+ get_64bit_val(sw_wqe, 24, &wqe_qword);
+ cmpl->cpi.op_type = (u8)FIELD_GET(IRDMAQPSQ_OPCODE, IRDMAQPSQ_OPCODE);
++ cmpl->cpi.q_type = IRDMA_CQE_QTYPE_SQ;
+ /* remove the SQ WR by moving SQ tail*/
+ IRDMA_RING_SET_TAIL(*sq_ring,
+ sq_ring->tail + qp->sq_wrtrk_array[sq_ring->tail].quanta);
+@@ -2629,6 +2630,7 @@ void irdma_generate_flush_completions(struct irdma_qp *iwqp)
+
+ cmpl->cpi.wr_id = qp->rq_wrid_array[wqe_idx];
+ cmpl->cpi.op_type = IRDMA_OP_TYPE_REC;
++ cmpl->cpi.q_type = IRDMA_CQE_QTYPE_RQ;
+ /* remove the RQ WR by moving RQ tail */
+ IRDMA_RING_SET_TAIL(*rq_ring, rq_ring->tail + 1);
+ ibdev_dbg(iwqp->iwrcq->ibcq.device,
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index e252f431e2ac..01d0dc4b5649 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3334,7 +3334,6 @@ static enum ib_wc_status irdma_flush_err_to_ib_wc_status(enum irdma_flush_opcode
+ static void irdma_process_cqe(struct ib_wc *entry,
+ struct irdma_cq_poll_info *cq_poll_info)
+ {
+- struct irdma_qp *iwqp;
+ struct irdma_sc_qp *qp;
+
+ entry->wc_flags = 0;
+@@ -3342,7 +3341,6 @@ static void irdma_process_cqe(struct ib_wc *entry,
+ entry->wr_id = cq_poll_info->wr_id;
+
+ qp = cq_poll_info->qp_handle;
+- iwqp = qp->qp_uk.back_qp;
+ entry->qp = qp->qp_uk.back_qp;
+
+ if (cq_poll_info->error) {
+@@ -3375,42 +3373,17 @@ static void irdma_process_cqe(struct ib_wc *entry,
+ }
+ }
+
+- switch (cq_poll_info->op_type) {
+- case IRDMA_OP_TYPE_RDMA_WRITE:
+- case IRDMA_OP_TYPE_RDMA_WRITE_SOL:
+- entry->opcode = IB_WC_RDMA_WRITE;
+- break;
+- case IRDMA_OP_TYPE_RDMA_READ_INV_STAG:
+- case IRDMA_OP_TYPE_RDMA_READ:
+- entry->opcode = IB_WC_RDMA_READ;
+- break;
+- case IRDMA_OP_TYPE_SEND_INV:
+- case IRDMA_OP_TYPE_SEND_SOL:
+- case IRDMA_OP_TYPE_SEND_SOL_INV:
+- case IRDMA_OP_TYPE_SEND:
+- entry->opcode = IB_WC_SEND;
+- break;
+- case IRDMA_OP_TYPE_FAST_REG_NSMR:
+- entry->opcode = IB_WC_REG_MR;
+- break;
+- case IRDMA_OP_TYPE_INV_STAG:
+- entry->opcode = IB_WC_LOCAL_INV;
+- break;
+- case IRDMA_OP_TYPE_REC_IMM:
+- case IRDMA_OP_TYPE_REC:
+- entry->opcode = cq_poll_info->op_type == IRDMA_OP_TYPE_REC_IMM ?
+- IB_WC_RECV_RDMA_WITH_IMM : IB_WC_RECV;
++ if (cq_poll_info->q_type == IRDMA_CQE_QTYPE_SQ) {
++ set_ib_wc_op_sq(cq_poll_info, entry);
++ } else {
++ set_ib_wc_op_rq(cq_poll_info, entry,
++ qp->qp_uk.qp_caps & IRDMA_SEND_WITH_IMM ?
++ true : false);
+ if (qp->qp_uk.qp_type != IRDMA_QP_TYPE_ROCE_UD &&
+ cq_poll_info->stag_invalid_set) {
+ entry->ex.invalidate_rkey = cq_poll_info->inv_stag;
+ entry->wc_flags |= IB_WC_WITH_INVALIDATE;
+ }
+- break;
+- default:
+- ibdev_err(&iwqp->iwdev->ibdev,
+- "Invalid opcode = %d in CQE\n", cq_poll_info->op_type);
+- entry->status = IB_WC_GENERAL_ERR;
+- return;
+ }
+
+ if (qp->qp_uk.qp_type == IRDMA_QP_TYPE_ROCE_UD) {
+diff --git a/drivers/infiniband/hw/irdma/verbs.h b/drivers/infiniband/hw/irdma/verbs.h
+index 4309b7159f42..a536e9fa85eb 100644
+--- a/drivers/infiniband/hw/irdma/verbs.h
++++ b/drivers/infiniband/hw/irdma/verbs.h
+@@ -232,6 +232,59 @@ static inline u16 irdma_fw_minor_ver(struct irdma_sc_dev *dev)
+ return (u16)FIELD_GET(IRDMA_FW_VER_MINOR, dev->feature_info[IRDMA_FEATURE_FW_INFO]);
+ }
+
++static inline void set_ib_wc_op_sq(struct irdma_cq_poll_info *cq_poll_info,
++ struct ib_wc *entry)
++{
++ switch (cq_poll_info->op_type) {
++ case IRDMA_OP_TYPE_RDMA_WRITE:
++ case IRDMA_OP_TYPE_RDMA_WRITE_SOL:
++ entry->opcode = IB_WC_RDMA_WRITE;
++ break;
++ case IRDMA_OP_TYPE_RDMA_READ_INV_STAG:
++ case IRDMA_OP_TYPE_RDMA_READ:
++ entry->opcode = IB_WC_RDMA_READ;
++ break;
++ case IRDMA_OP_TYPE_SEND_SOL:
++ case IRDMA_OP_TYPE_SEND_SOL_INV:
++ case IRDMA_OP_TYPE_SEND_INV:
++ case IRDMA_OP_TYPE_SEND:
++ entry->opcode = IB_WC_SEND;
++ break;
++ case IRDMA_OP_TYPE_FAST_REG_NSMR:
++ entry->opcode = IB_WC_REG_MR;
++ break;
++ case IRDMA_OP_TYPE_INV_STAG:
++ entry->opcode = IB_WC_LOCAL_INV;
++ break;
++ default:
++ entry->status = IB_WC_GENERAL_ERR;
++ }
++}
++
++static inline void set_ib_wc_op_rq(struct irdma_cq_poll_info *cq_poll_info,
++ struct ib_wc *entry, bool send_imm_support)
++{
++ /**
++ * iWARP does not support sendImm, so the presence of Imm data
++ * must be WriteImm.
++ */
++ if (!send_imm_support) {
++ entry->opcode = cq_poll_info->imm_valid ?
++ IB_WC_RECV_RDMA_WITH_IMM :
++ IB_WC_RECV;
++ return;
++ }
++
++ switch (cq_poll_info->op_type) {
++ case IB_OPCODE_RDMA_WRITE_ONLY_WITH_IMMEDIATE:
++ case IB_OPCODE_RDMA_WRITE_LAST_WITH_IMMEDIATE:
++ entry->opcode = IB_WC_RECV_RDMA_WITH_IMM;
++ break;
++ default:
++ entry->opcode = IB_WC_RECV;
++ }
++}
++
+ void irdma_mcast_mac(u32 *ip_addr, u8 *mac, bool ipv4);
+ int irdma_ib_register_device(struct irdma_device *iwdev);
+ void irdma_ib_unregister_device(struct irdma_device *iwdev);
+--
+2.35.1
+
--- /dev/null
+From 05f0664922d675b2685b7279eefe25fe8ad62633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 18:44:10 -0600
+Subject: RDMA/irdma: Initialize net_type before checking it
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 9907526d25c4ad8a6e3006487a544140776ba005 ]
+
+The av->net_type is not initialized before it is checked in
+irdma_modify_qp_roce. This leads to an incorrect update to the ARP cache
+and QP context. RoCEv2 connections might fail as result.
+
+Set the net_type using rdma_gid_attr_network_type.
+
+Fixes: 80005c43d4c8 ("RDMA/irdma: Use net_type to check network type")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20221122004410.1471-1-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index dc3f5f3fee90..f6973ea55eda 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -1213,6 +1213,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ av->attrs = attr->ah_attr;
+ rdma_gid2ip((struct sockaddr *)&av->sgid_addr, &sgid_attr->gid);
+ rdma_gid2ip((struct sockaddr *)&av->dgid_addr, &attr->ah_attr.grh.dgid);
++ av->net_type = rdma_gid_attr_network_type(sgid_attr);
+ if (av->net_type == RDMA_NETWORK_IPV6) {
+ __be32 *daddr =
+ av->dgid_addr.saddr_in6.sin6_addr.in6_u.u6_addr32;
+--
+2.35.1
+
--- /dev/null
+From 1e61e2a8b6c9d887964c0e864f33d0821b8917b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 18:49:57 -0500
+Subject: RDMA/irdma: Report the correct link speed
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+[ Upstream commit 4eace75e0853273755b878ffa9cce6de84df975a ]
+
+The active link speed is currently hard-coded in irdma_query_port due
+to which the port rate in ibstatus does reflect the active link speed.
+
+Call ib_get_eth_speed in irdma_query_port to get the active link speed.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Reported-by: Kamal Heib <kamalheib1@gmail.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20221104234957.1135-1-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 35 +++--------------------------
+ 1 file changed, 3 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index a22afbb25bc5..434241789f12 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -63,36 +63,6 @@ static int irdma_query_device(struct ib_device *ibdev,
+ return 0;
+ }
+
+-/**
+- * irdma_get_eth_speed_and_width - Get IB port speed and width from netdev speed
+- * @link_speed: netdev phy link speed
+- * @active_speed: IB port speed
+- * @active_width: IB port width
+- */
+-static void irdma_get_eth_speed_and_width(u32 link_speed, u16 *active_speed,
+- u8 *active_width)
+-{
+- if (link_speed <= SPEED_1000) {
+- *active_width = IB_WIDTH_1X;
+- *active_speed = IB_SPEED_SDR;
+- } else if (link_speed <= SPEED_10000) {
+- *active_width = IB_WIDTH_1X;
+- *active_speed = IB_SPEED_FDR10;
+- } else if (link_speed <= SPEED_20000) {
+- *active_width = IB_WIDTH_4X;
+- *active_speed = IB_SPEED_DDR;
+- } else if (link_speed <= SPEED_25000) {
+- *active_width = IB_WIDTH_1X;
+- *active_speed = IB_SPEED_EDR;
+- } else if (link_speed <= SPEED_40000) {
+- *active_width = IB_WIDTH_4X;
+- *active_speed = IB_SPEED_FDR10;
+- } else {
+- *active_width = IB_WIDTH_4X;
+- *active_speed = IB_SPEED_EDR;
+- }
+-}
+-
+ /**
+ * irdma_query_port - get port attributes
+ * @ibdev: device pointer from stack
+@@ -120,8 +90,9 @@ static int irdma_query_port(struct ib_device *ibdev, u32 port,
+ props->state = IB_PORT_DOWN;
+ props->phys_state = IB_PORT_PHYS_STATE_DISABLED;
+ }
+- irdma_get_eth_speed_and_width(SPEED_100000, &props->active_speed,
+- &props->active_width);
++
++ ib_get_eth_speed(ibdev, port, &props->active_speed,
++ &props->active_width);
+
+ if (rdma_protocol_roce(ibdev, 1)) {
+ props->gid_tbl_len = 32;
+--
+2.35.1
+
--- /dev/null
+From 5f7ca0d5301d760199475c842e4164d64eb6140a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 04:34:10 +0000
+Subject: RDMA/nldev: Add checks for nla_nest_start() in
+ fill_stat_counter_qps()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit ea5ef136e215fdef35f14010bc51fcd6686e6922 ]
+
+As the nla_nest_start() may fail with NULL returned, the return value needs
+to be checked.
+
+Fixes: c4ffee7c9bdb ("RDMA/netlink: Implement counter dumpit calback")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221126043410.85632-1-yuancan@huawei.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/nldev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index f1e0755cd56e..54d4e693e03b 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -894,6 +894,8 @@ static int fill_stat_counter_qps(struct sk_buff *msg,
+ int ret = 0;
+
+ table_attr = nla_nest_start(msg, RDMA_NLDEV_ATTR_RES_QP);
++ if (!table_attr)
++ return -EMSGSIZE;
+
+ rt = &counter->device->res[RDMA_RESTRACK_QP];
+ xa_lock(&rt->xa);
+--
+2.35.1
+
--- /dev/null
+From a779b15773e1ba88464ce861437fd2f8a204044c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 13:52:46 +0200
+Subject: RDMA/nldev: Fix failure to send large messages
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit fc8f93ad3e5485d45c992233c96acd902992dfc4 ]
+
+Return "-EMSGSIZE" instead of "-EINVAL" when filling a QP entry, so that
+new SKBs will be allocated if there's not enough room in current SKB.
+
+Fixes: 65959522f806 ("RDMA: Add support to dump resource tracker in RAW format")
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
+Link: https://lore.kernel.org/r/b5e9c62f6b8369acab5648b661bf539cbceeffdc.1669636336.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/nldev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index 54d4e693e03b..222733a83ddb 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -513,7 +513,7 @@ static int fill_res_qp_entry(struct sk_buff *msg, bool has_cap_net_admin,
+
+ /* In create_qp() port is not set yet */
+ if (qp->port && nla_put_u32(msg, RDMA_NLDEV_ATTR_PORT_INDEX, qp->port))
+- return -EINVAL;
++ return -EMSGSIZE;
+
+ ret = nla_put_u32(msg, RDMA_NLDEV_ATTR_RES_LQPN, qp->qp_num);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 316558e5010728ccc6351b2fa62c72a9a1a37932 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 10:51:36 +0200
+Subject: RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit ecacb3751f254572af0009b9501e2cdc83a30b6a ]
+
+When filling a cm_id entry, return "-EAGAIN" instead of 0 if the cm_id
+doesn'the have the same port as requested, otherwise an incomplete entry
+may be returned, which causes "rdam res show cm_id" to return an error.
+
+For example on a machine with two rdma devices with "rping -C 1 -v -s"
+running background, the "rdma" command fails:
+ $ rdma -V
+ rdma utility, iproute2-5.19.0
+ $ rdma res show cm_id
+ link mlx5_0/- cm-idn 0 state LISTEN ps TCP pid 28056 comm rping src-addr 0.0.0.0:7174
+ error: Protocol not available
+
+While with this fix it succeeds:
+ $ rdma res show cm_id
+ link mlx5_0/- cm-idn 0 state LISTEN ps TCP pid 26395 comm rping src-addr 0.0.0.0:7174
+ link mlx5_1/- cm-idn 0 state LISTEN ps TCP pid 26395 comm rping src-addr 0.0.0.0:7174
+
+Fixes: 00313983cda6 ("RDMA/nldev: provide detailed CM_ID information")
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Link: https://lore.kernel.org/r/a08e898cdac5e28428eb749a99d9d981571b8ea7.1667810736.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/nldev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index 12dc97067ed2..f1e0755cd56e 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -552,7 +552,7 @@ static int fill_res_cm_id_entry(struct sk_buff *msg, bool has_cap_net_admin,
+ struct rdma_cm_id *cm_id = &id_priv->id;
+
+ if (port && port != cm_id->port_num)
+- return 0;
++ return -EAGAIN;
+
+ if (cm_id->port_num &&
+ nla_put_u32(msg, RDMA_NLDEV_ATTR_PORT_INDEX, cm_id->port_num))
+--
+2.35.1
+
--- /dev/null
+From 7cea0359b77e110edfa9ddabdf8497168a4c4cc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 10:51:34 +0200
+Subject: RDMA/restrack: Release MR restrack when delete
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit dac153f2802db1ad46207283cb9b2aae3d707a45 ]
+
+The MR restrack also needs to be released when delete it, otherwise it
+cause memory leak as the task struct won't be released.
+
+Fixes: 13ef5539def7 ("RDMA/restrack: Count references to the verbs objects")
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://lore.kernel.org/r/703db18e8d4ef628691fb93980a709be673e62e3.1667810736.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/restrack.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/restrack.c
+index 1f935d9f6178..01a499a8b88d 100644
+--- a/drivers/infiniband/core/restrack.c
++++ b/drivers/infiniband/core/restrack.c
+@@ -343,8 +343,6 @@ void rdma_restrack_del(struct rdma_restrack_entry *res)
+ rt = &dev->res[res->type];
+
+ old = xa_erase(&rt->xa, res->id);
+- if (res->type == RDMA_RESTRACK_MR)
+- return;
+ WARN_ON(old != res);
+
+ out:
+--
+2.35.1
+
--- /dev/null
+From b4c0451e4d775d28eeb8d13bb095ff6420820be0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 03:04:33 +0000
+Subject: RDMA/rxe: Fix mr->map double free
+
+From: Li Zhijian <lizhijian@fujitsu.com>
+
+[ Upstream commit 7d984dac8f6bf4ebd3398af82b357e1d181ecaac ]
+
+rxe_mr_cleanup() which tries to free mr->map again will be called when
+rxe_mr_init_user() fails:
+
+ CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x45/0x5d
+ panic+0x19e/0x349
+ end_report.part.0+0x54/0x7c
+ kasan_report.cold+0xa/0xf
+ rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]
+ __rxe_cleanup+0x10a/0x1e0 [rdma_rxe]
+ rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]
+ ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]
+ ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]
+
+This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix
+memory leak in error path code") and then we fixed it in commit
+8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this
+fix was reverted together at last by commit 1e75550648da (Revert
+"RDMA/rxe: Create duplicate mapping tables for FMRs")
+
+Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is
+successfully allocated.
+
+Fixes: 1e75550648da ("Revert "RDMA/rxe: Create duplicate mapping tables for FMRs"")
+Link: https://lore.kernel.org/r/1667099073-2-1-git-send-email-lizhijian@fujitsu.com
+Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
+index af34f198e645..8cd6f1b165d5 100644
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -99,6 +99,7 @@ static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf)
+ kfree(mr->map[i]);
+
+ kfree(mr->map);
++ mr->map = NULL;
+ err1:
+ return -ENOMEM;
+ }
+@@ -122,7 +123,6 @@ int rxe_mr_init_user(struct rxe_dev *rxe, u64 start, u64 length, u64 iova,
+ int num_buf;
+ void *vaddr;
+ int err;
+- int i;
+
+ umem = ib_umem_get(&rxe->ib_dev, start, length, access);
+ if (IS_ERR(umem)) {
+@@ -163,9 +163,8 @@ int rxe_mr_init_user(struct rxe_dev *rxe, u64 start, u64 length, u64 iova,
+ pr_warn("%s: Unable to get virtual address\n",
+ __func__);
+ err = -ENOMEM;
+- goto err_cleanup_map;
++ goto err_release_umem;
+ }
+-
+ buf->addr = (uintptr_t)vaddr;
+ buf->size = PAGE_SIZE;
+ num_buf++;
+@@ -185,10 +184,6 @@ int rxe_mr_init_user(struct rxe_dev *rxe, u64 start, u64 length, u64 iova,
+
+ return 0;
+
+-err_cleanup_map:
+- for (i = 0; i < mr->num_map; i++)
+- kfree(mr->map[i]);
+- kfree(mr->map);
+ err_release_umem:
+ ib_umem_release(umem);
+ err_out:
+--
+2.35.1
+
--- /dev/null
+From e1d65c9123fda42f3c43d39f8f3137dcac2c6203 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 23:14:37 +0800
+Subject: RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket
+ create failed
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit f67376d801499f4fa0838c18c1efcad8840e550d ]
+
+There is a null-ptr-deref when mount.cifs over rdma:
+
+ BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
+ Read of size 8 at addr 0000000000000018 by task mount.cifs/3046
+
+ CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x34/0x44
+ kasan_report+0xad/0x130
+ rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
+ execute_in_process_context+0x25/0x90
+ __rxe_cleanup+0x101/0x1d0 [rdma_rxe]
+ rxe_create_qp+0x16a/0x180 [rdma_rxe]
+ create_qp.part.0+0x27d/0x340
+ ib_create_qp_kernel+0x73/0x160
+ rdma_create_qp+0x100/0x230
+ _smbd_get_connection+0x752/0x20f0
+ smbd_get_connection+0x21/0x40
+ cifs_get_tcp_session+0x8ef/0xda0
+ mount_get_conns+0x60/0x750
+ cifs_mount+0x103/0xd00
+ cifs_smb3_do_mount+0x1dd/0xcb0
+ smb3_get_tree+0x1d5/0x300
+ vfs_get_tree+0x41/0xf0
+ path_mount+0x9b3/0xdd0
+ __x64_sys_mount+0x190/0x1d0
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+The root cause of the issue is the socket create failed in
+rxe_qp_init_req().
+
+So move the reset rxe_qp_do_cleanup() after the NULL ptr check.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20221122151437.1057671-1-zhangxiaoxu5@huawei.com
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index d776dfda43b1..e9c573fe7155 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -830,12 +830,12 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
+ if (qp->resp.mr)
+ rxe_put(qp->resp.mr);
+
+- if (qp_type(qp) == IB_QPT_RC)
+- sk_dst_reset(qp->sk->sk);
+-
+ free_rd_atomic_resources(qp);
+
+ if (qp->sk) {
++ if (qp_type(qp) == IB_QPT_RC)
++ sk_dst_reset(qp->sk->sk);
++
+ kernel_sock_shutdown(qp->sk, SHUT_RDWR);
+ sock_release(qp->sk);
+ }
+--
+2.35.1
+
--- /dev/null
+From 25c23c1246902fef480be8e7a67f3417f64c74f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:50:57 +0100
+Subject: RDMA/siw: Fix immediate work request flush to completion queue
+
+From: Bernard Metzler <bmt@zurich.ibm.com>
+
+[ Upstream commit bdf1da5df9da680589a7f74448dd0a94dd3e1446 ]
+
+Correctly set send queue element opcode during immediate work request
+flushing in post sendqueue operation, if the QP is in ERROR state.
+An undefined ocode value results in out-of-bounds access to an array
+for mapping the opcode between siw internal and RDMA core representation
+in work completion generation. It resulted in a KASAN BUG report
+of type 'global-out-of-bounds' during NFSoRDMA testing.
+
+This patch further fixes a potential case of a malicious user which may
+write undefined values for completion queue elements status or opcode,
+if the CQ is memory mapped to user land. It avoids the same out-of-bounds
+access to arrays for status and opcode mapping as described above.
+
+Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
+Fixes: b0fff7317bb4 ("rdma/siw: completion queue methods")
+Reported-by: Olga Kornievskaia <kolga@netapp.com>
+Reviewed-by: Tom Talpey <tom@talpey.com>
+Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
+Link: https://lore.kernel.org/r/20221107145057.895747-1-bmt@zurich.ibm.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/siw/siw_cq.c | 24 ++++++++++++++--
+ drivers/infiniband/sw/siw/siw_verbs.c | 40 ++++++++++++++++++++++++---
+ 2 files changed, 58 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c
+index d68e37859e73..acc7bcd538b5 100644
+--- a/drivers/infiniband/sw/siw/siw_cq.c
++++ b/drivers/infiniband/sw/siw/siw_cq.c
+@@ -56,8 +56,6 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc)
+ if (READ_ONCE(cqe->flags) & SIW_WQE_VALID) {
+ memset(wc, 0, sizeof(*wc));
+ wc->wr_id = cqe->id;
+- wc->status = map_cqe_status[cqe->status].ib;
+- wc->opcode = map_wc_opcode[cqe->opcode];
+ wc->byte_len = cqe->bytes;
+
+ /*
+@@ -71,10 +69,32 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc)
+ wc->wc_flags = IB_WC_WITH_INVALIDATE;
+ }
+ wc->qp = cqe->base_qp;
++ wc->opcode = map_wc_opcode[cqe->opcode];
++ wc->status = map_cqe_status[cqe->status].ib;
+ siw_dbg_cq(cq,
+ "idx %u, type %d, flags %2x, id 0x%pK\n",
+ cq->cq_get % cq->num_cqe, cqe->opcode,
+ cqe->flags, (void *)(uintptr_t)cqe->id);
++ } else {
++ /*
++ * A malicious user may set invalid opcode or
++ * status in the user mmapped CQE array.
++ * Sanity check and correct values in that case
++ * to avoid out-of-bounds access to global arrays
++ * for opcode and status mapping.
++ */
++ u8 opcode = cqe->opcode;
++ u16 status = cqe->status;
++
++ if (opcode >= SIW_NUM_OPCODES) {
++ opcode = 0;
++ status = IB_WC_GENERAL_ERR;
++ } else if (status >= SIW_NUM_WC_STATUS) {
++ status = IB_WC_GENERAL_ERR;
++ }
++ wc->opcode = map_wc_opcode[opcode];
++ wc->status = map_cqe_status[status].ib;
++
+ }
+ WRITE_ONCE(cqe->flags, 0);
+ cq->cq_get++;
+diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c
+index 3e814cfb298c..906fde1a2a0d 100644
+--- a/drivers/infiniband/sw/siw/siw_verbs.c
++++ b/drivers/infiniband/sw/siw/siw_verbs.c
+@@ -676,13 +676,45 @@ static int siw_copy_inline_sgl(const struct ib_send_wr *core_wr,
+ static int siw_sq_flush_wr(struct siw_qp *qp, const struct ib_send_wr *wr,
+ const struct ib_send_wr **bad_wr)
+ {
+- struct siw_sqe sqe = {};
+ int rv = 0;
+
+ while (wr) {
+- sqe.id = wr->wr_id;
+- sqe.opcode = wr->opcode;
+- rv = siw_sqe_complete(qp, &sqe, 0, SIW_WC_WR_FLUSH_ERR);
++ struct siw_sqe sqe = {};
++
++ switch (wr->opcode) {
++ case IB_WR_RDMA_WRITE:
++ sqe.opcode = SIW_OP_WRITE;
++ break;
++ case IB_WR_RDMA_READ:
++ sqe.opcode = SIW_OP_READ;
++ break;
++ case IB_WR_RDMA_READ_WITH_INV:
++ sqe.opcode = SIW_OP_READ_LOCAL_INV;
++ break;
++ case IB_WR_SEND:
++ sqe.opcode = SIW_OP_SEND;
++ break;
++ case IB_WR_SEND_WITH_IMM:
++ sqe.opcode = SIW_OP_SEND_WITH_IMM;
++ break;
++ case IB_WR_SEND_WITH_INV:
++ sqe.opcode = SIW_OP_SEND_REMOTE_INV;
++ break;
++ case IB_WR_LOCAL_INV:
++ sqe.opcode = SIW_OP_INVAL_STAG;
++ break;
++ case IB_WR_REG_MR:
++ sqe.opcode = SIW_OP_REG_MR;
++ break;
++ default:
++ rv = -EINVAL;
++ break;
++ }
++ if (!rv) {
++ sqe.id = wr->wr_id;
++ rv = siw_sqe_complete(qp, &sqe, 0,
++ SIW_WC_WR_FLUSH_ERR);
++ }
+ if (rv) {
+ if (bad_wr)
+ *bad_wr = wr;
+--
+2.35.1
+
--- /dev/null
+From 3741e7fac1de5187906dbd3ee70cfadb3c26a8f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 18:03:43 +0100
+Subject: RDMA/siw: Fix pointer cast warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 5244ca88671a1981ceec09c5c8809f003e6a62aa ]
+
+The previous build fix left a remaining issue in configurations with
+64-bit dma_addr_t on 32-bit architectures:
+
+drivers/infiniband/sw/siw/siw_qp_tx.c: In function 'siw_get_pblpage':
+drivers/infiniband/sw/siw/siw_qp_tx.c:32:37: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
+ 32 | return virt_to_page((void *)paddr);
+ | ^
+
+Use the same double cast here that the driver uses elsewhere to convert
+between dma_addr_t and void*.
+
+Fixes: 0d1b756acf60 ("RDMA/siw: Pass a pointer to virt_to_page()")
+Link: https://lore.kernel.org/r/20221215170347.2612403-1-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Bernard Metzler <bmt@zurich.ibm.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c
+index 7d47b521070b..05052b49107f 100644
+--- a/drivers/infiniband/sw/siw/siw_qp_tx.c
++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
+@@ -29,7 +29,7 @@ static struct page *siw_get_pblpage(struct siw_mem *mem, u64 addr, int *idx)
+ dma_addr_t paddr = siw_pbl_get_buffer(pbl, offset, NULL, idx);
+
+ if (paddr)
+- return virt_to_page((void *)paddr);
++ return virt_to_page((void *)(uintptr_t)paddr);
+
+ return NULL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 96a522332fad898f076bff03499ef4d95757ae37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 18:07:47 +0100
+Subject: RDMA/siw: Set defined status for work completion with undefined
+ status
+
+From: Bernard Metzler <bmt@zurich.ibm.com>
+
+[ Upstream commit 60da2d11fcbc043304910e4d2ca82f9bab953e63 ]
+
+A malicious user may write undefined values into memory mapped completion
+queue elements status or opcode. Undefined status or opcode values will
+result in out-of-bounds access to an array mapping siw internal
+representation of opcode and status to RDMA core representation when
+reaping CQ elements. While siw detects those undefined values, it did not
+correctly set completion status to a defined value, thus defeating the
+whole purpose of the check.
+
+This bug leads to the following Smatch static checker warning:
+
+ drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe()
+ error: buffer overflow 'map_cqe_status' 10 <= 21
+
+Fixes: bdf1da5df9da ("RDMA/siw: Fix immediate work request flush to completion queue")
+Link: https://lore.kernel.org/r/20221115170747.1263298-1-bmt@zurich.ibm.com
+Reported-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/siw/siw_cq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c
+index acc7bcd538b5..403029de6b92 100644
+--- a/drivers/infiniband/sw/siw/siw_cq.c
++++ b/drivers/infiniband/sw/siw/siw_cq.c
+@@ -88,9 +88,9 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc)
+
+ if (opcode >= SIW_NUM_OPCODES) {
+ opcode = 0;
+- status = IB_WC_GENERAL_ERR;
++ status = SIW_WC_GENERAL_ERR;
+ } else if (status >= SIW_NUM_WC_STATUS) {
+- status = IB_WC_GENERAL_ERR;
++ status = SIW_WC_GENERAL_ERR;
+ }
+ wc->opcode = map_wc_opcode[opcode];
+ wc->status = map_cqe_status[status].ib;
+--
+2.35.1
+
--- /dev/null
+From 3e0d1ad7fe14f37ab3d5fc0ca940b9813081c8fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 12:00:38 +0800
+Subject: RDMA/srp: Fix error return code in srp_parse_options()
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit ed461b30b22c8fa85c25189c14cb89f29595cd14 ]
+
+In the previous iteration of the while loop, the "ret" may have been
+assigned a value of 0, so the error return code -EINVAL may have been
+incorrectly set to 0. To fix set valid return code before calling to
+goto. Also investigate each case separately as Andy suggessted.
+
+Fixes: e711f968c49c ("IB/srp: replace custom implementation of hex2bin()")
+Fixes: 2a174df0c602 ("IB/srp: Use kstrtoull() instead of simple_strtoull()")
+Fixes: 19f313438c77 ("IB/srp: Add RDMA/CM support")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Link: https://lore.kernel.org/r/1669953638-11747-2-git-send-email-wangyufen@huawei.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 96 ++++++++++++++++++++++++-----
+ 1 file changed, 82 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index 9c9872868aee..4f5e49393c85 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -3405,7 +3405,8 @@ static int srp_parse_options(struct net *net, const char *buf,
+ break;
+
+ case SRP_OPT_PKEY:
+- if (match_hex(args, &token)) {
++ ret = match_hex(args, &token);
++ if (ret) {
+ pr_warn("bad P_Key parameter '%s'\n", p);
+ goto out;
+ }
+@@ -3465,7 +3466,8 @@ static int srp_parse_options(struct net *net, const char *buf,
+ break;
+
+ case SRP_OPT_MAX_SECT:
+- if (match_int(args, &token)) {
++ ret = match_int(args, &token);
++ if (ret) {
+ pr_warn("bad max sect parameter '%s'\n", p);
+ goto out;
+ }
+@@ -3473,8 +3475,15 @@ static int srp_parse_options(struct net *net, const char *buf,
+ break;
+
+ case SRP_OPT_QUEUE_SIZE:
+- if (match_int(args, &token) || token < 1) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for queue_size parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 1) {
+ pr_warn("bad queue_size parameter '%s'\n", p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->scsi_host->can_queue = token;
+@@ -3485,25 +3494,40 @@ static int srp_parse_options(struct net *net, const char *buf,
+ break;
+
+ case SRP_OPT_MAX_CMD_PER_LUN:
+- if (match_int(args, &token) || token < 1) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for max cmd_per_lun parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 1) {
+ pr_warn("bad max cmd_per_lun parameter '%s'\n",
+ p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->scsi_host->cmd_per_lun = token;
+ break;
+
+ case SRP_OPT_TARGET_CAN_QUEUE:
+- if (match_int(args, &token) || token < 1) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for max target_can_queue parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 1) {
+ pr_warn("bad max target_can_queue parameter '%s'\n",
+ p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->target_can_queue = token;
+ break;
+
+ case SRP_OPT_IO_CLASS:
+- if (match_hex(args, &token)) {
++ ret = match_hex(args, &token);
++ if (ret) {
+ pr_warn("bad IO class parameter '%s'\n", p);
+ goto out;
+ }
+@@ -3512,6 +3536,7 @@ static int srp_parse_options(struct net *net, const char *buf,
+ pr_warn("unknown IO class parameter value %x specified (use %x or %x).\n",
+ token, SRP_REV10_IB_IO_CLASS,
+ SRP_REV16A_IB_IO_CLASS);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->io_class = token;
+@@ -3534,16 +3559,24 @@ static int srp_parse_options(struct net *net, const char *buf,
+ break;
+
+ case SRP_OPT_CMD_SG_ENTRIES:
+- if (match_int(args, &token) || token < 1 || token > 255) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for max cmd_sg_entries parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 1 || token > 255) {
+ pr_warn("bad max cmd_sg_entries parameter '%s'\n",
+ p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->cmd_sg_cnt = token;
+ break;
+
+ case SRP_OPT_ALLOW_EXT_SG:
+- if (match_int(args, &token)) {
++ ret = match_int(args, &token);
++ if (ret) {
+ pr_warn("bad allow_ext_sg parameter '%s'\n", p);
+ goto out;
+ }
+@@ -3551,43 +3584,77 @@ static int srp_parse_options(struct net *net, const char *buf,
+ break;
+
+ case SRP_OPT_SG_TABLESIZE:
+- if (match_int(args, &token) || token < 1 ||
+- token > SG_MAX_SEGMENTS) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for max sg_tablesize parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 1 || token > SG_MAX_SEGMENTS) {
+ pr_warn("bad max sg_tablesize parameter '%s'\n",
+ p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->sg_tablesize = token;
+ break;
+
+ case SRP_OPT_COMP_VECTOR:
+- if (match_int(args, &token) || token < 0) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for comp_vector parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 0) {
+ pr_warn("bad comp_vector parameter '%s'\n", p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->comp_vector = token;
+ break;
+
+ case SRP_OPT_TL_RETRY_COUNT:
+- if (match_int(args, &token) || token < 2 || token > 7) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for tl_retry_count parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 2 || token > 7) {
+ pr_warn("bad tl_retry_count parameter '%s' (must be a number between 2 and 7)\n",
+ p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->tl_retry_count = token;
+ break;
+
+ case SRP_OPT_MAX_IT_IU_SIZE:
+- if (match_int(args, &token) || token < 0) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for max it_iu_size parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 0) {
+ pr_warn("bad maximum initiator to target IU size '%s'\n", p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->max_it_iu_size = token;
+ break;
+
+ case SRP_OPT_CH_COUNT:
+- if (match_int(args, &token) || token < 1) {
++ ret = match_int(args, &token);
++ if (ret) {
++ pr_warn("match_int() failed for channel count parameter '%s', Error %d\n",
++ p, ret);
++ goto out;
++ }
++ if (token < 1) {
+ pr_warn("bad channel count %s\n", p);
++ ret = -EINVAL;
+ goto out;
+ }
+ target->ch_count = token;
+@@ -3596,6 +3663,7 @@ static int srp_parse_options(struct net *net, const char *buf,
+ default:
+ pr_warn("unknown parameter or missing value '%s' in target creation request\n",
+ p);
++ ret = -EINVAL;
+ goto out;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From fa74e6f343dfd9cc58c2859ae52549aa902d6ecf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 23:21:14 +0300
+Subject: regmap-irq: Use the new num_config_regs property in
+ regmap_add_irq_chip_fwnode
+
+From: Yassine Oudjana <y.oudjana@protonmail.com>
+
+[ Upstream commit 84498d1fb35de6ab71bdfdb6270a464fb4a0951b ]
+
+Commit faa87ce9196d ("regmap-irq: Introduce config registers for irq
+types") added the num_config_regs, then commit 9edd4f5aee84 ("regmap-irq:
+Deprecate type registers and virtual registers") suggested to replace
+num_type_reg with it. However, regmap_add_irq_chip_fwnode wasn't modified
+to use the new property. Later on, commit 255a03bb1bb3 ("ASoC: wcd9335:
+Convert irq chip to config regs") removed the old num_type_reg property
+from the WCD9335 driver's struct regmap_irq_chip, causing a null pointer
+dereference in regmap_irq_set_type when it tried to index d->type_buf as
+it was never allocated in regmap_add_irq_chip_fwnode:
+
+[ 39.199374] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+
+[ 39.200006] Call trace:
+[ 39.200014] regmap_irq_set_type+0x84/0x1c0
+[ 39.200026] __irq_set_trigger+0x60/0x1c0
+[ 39.200040] __setup_irq+0x2f4/0x78c
+[ 39.200051] request_threaded_irq+0xe8/0x1a0
+
+Use num_config_regs in regmap_add_irq_chip_fwnode instead of num_type_reg,
+and fall back to it if num_config_regs isn't defined to maintain backward
+compatibility.
+
+Fixes: faa87ce9196d ("regmap-irq: Introduce config registers for irq types")
+Signed-off-by: Yassine Oudjana <y.oudjana@protonmail.com>
+Link: https://lore.kernel.org/r/20221107202114.823975-1-y.oudjana@protonmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-irq.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c
+index 4ef9488d05cd..3de89795f584 100644
+--- a/drivers/base/regmap/regmap-irq.c
++++ b/drivers/base/regmap/regmap-irq.c
+@@ -722,6 +722,7 @@ int regmap_add_irq_chip_fwnode(struct fwnode_handle *fwnode,
+ int i;
+ int ret = -ENOMEM;
+ int num_type_reg;
++ int num_regs;
+ u32 reg;
+
+ if (chip->num_regs <= 0)
+@@ -796,14 +797,20 @@ int regmap_add_irq_chip_fwnode(struct fwnode_handle *fwnode,
+ goto err_alloc;
+ }
+
+- num_type_reg = chip->type_in_mask ? chip->num_regs : chip->num_type_reg;
+- if (num_type_reg) {
+- d->type_buf_def = kcalloc(num_type_reg,
++ /*
++ * Use num_config_regs if defined, otherwise fall back to num_type_reg
++ * to maintain backward compatibility.
++ */
++ num_type_reg = chip->num_config_regs ? chip->num_config_regs
++ : chip->num_type_reg;
++ num_regs = chip->type_in_mask ? chip->num_regs : num_type_reg;
++ if (num_regs) {
++ d->type_buf_def = kcalloc(num_regs,
+ sizeof(*d->type_buf_def), GFP_KERNEL);
+ if (!d->type_buf_def)
+ goto err_alloc;
+
+- d->type_buf = kcalloc(num_type_reg, sizeof(*d->type_buf),
++ d->type_buf = kcalloc(num_regs, sizeof(*d->type_buf),
+ GFP_KERNEL);
+ if (!d->type_buf)
+ goto err_alloc;
+--
+2.35.1
+
--- /dev/null
+From e36070c5440c5eed112fb2e98dd4f9e5c085801b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 20:27:05 +0800
+Subject: regulator: core: fix module refcount leak in set_supply()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit da46ee19cbd8344d6860816b4827a7ce95764867 ]
+
+If create_regulator() fails in set_supply(), the module refcount
+needs be put to keep refcount balanced.
+
+Fixes: e2c09ae7a74d ("regulator: core: Increase refcount for regulator supply's module")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221201122706.4055992-2-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index b7e7eec1084e..9b839dced470 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1622,6 +1622,7 @@ static int set_supply(struct regulator_dev *rdev,
+
+ rdev->supply = create_regulator(supply_rdev, &rdev->dev, "SUPPLY");
+ if (rdev->supply == NULL) {
++ module_put(supply_rdev->owner);
+ err = -ENOMEM;
+ return err;
+ }
+--
+2.35.1
+
--- /dev/null
+From 79e8ff7e38970b9790dc5121374c5a3ace285900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 09:37:11 +0800
+Subject: regulator: core: Fix resolve supply lookup issue
+
+From: ChiYuan Huang <cy_huang@richtek.com>
+
+[ Upstream commit 0debed5b117d11e33cba52870c4dcb64f5911891 ]
+
+From Marek's log, the previous change modify the parent of rdev.
+https://lore.kernel.org/all/58b92e75-f373-dae7-7031-8abd465bb874@samsung.com/
+
+In 'regulator_resolve_supply', it uses the parent DT node of rdev as the
+DT-lookup starting node. But the parent DT node may not exist. This will
+cause the NULL supply issue.
+
+This patch modify the parent of rdev back to the device that provides
+from 'regulator_config' in 'regulator_register'.
+
+Fixes: 8f3cbcd6b440 ("regulator: core: Use different devices for resource allocation and DT lookup")
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
+Link: https://lore.kernel.org/r/1670981831-12583-1-git-send-email-u0084500@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index c095ca9f01e8..93da2b4cbc72 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5531,7 +5531,7 @@ regulator_register(struct device *dev,
+
+ /* register with sysfs */
+ rdev->dev.class = ®ulator_class;
+- rdev->dev.parent = dev;
++ rdev->dev.parent = config->dev;
+ dev_set_name(&rdev->dev, "regulator.%lu",
+ (unsigned long) atomic_inc_return(®ulator_no));
+ dev_set_drvdata(&rdev->dev, rdev);
+--
+2.35.1
+
--- /dev/null
+From d4730700c7c0acadac1335442c5a4deb887b5150 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 10:51:11 +0800
+Subject: regulator: core: fix resource leak in regulator_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ba62319a42c50e6254e98b3f316464fac8e77968 ]
+
+I got some resource leak reports while doing fault injection test:
+
+ OF: ERROR: memory leak, expected refcount 1 instead of 100,
+ of_node_get()/of_node_put() unbalanced - destroy cset entry:
+ attach overlay node /i2c/pmic@64/regulators/buck1
+
+unreferenced object 0xffff88810deea000 (size 512):
+ comm "490-i2c-rt5190a", pid 253, jiffies 4294859840 (age 5061.046s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................
+ backtrace:
+ [<00000000d78541e2>] kmalloc_trace+0x21/0x110
+ [<00000000b343d153>] device_private_init+0x32/0xd0
+ [<00000000be1f0c70>] device_add+0xb2d/0x1030
+ [<00000000e3e6344d>] regulator_register+0xaf2/0x12a0
+ [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0
+ [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]
+
+unreferenced object 0xffff88810b617b80 (size 32):
+ comm "490-i2c-rt5190a", pid 253, jiffies 4294859904 (age 5060.983s)
+ hex dump (first 32 bytes):
+ 72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S
+ 55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+...
+ backtrace:
+ [<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0
+ [<0000000025c6a4e5>] kstrdup+0x3a/0x70
+ [<00000000790efb69>] create_regulator+0xc0/0x4e0
+ [<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440
+ [<0000000045796214>] regulator_register+0x10b3/0x12a0
+ [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0
+ [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]
+
+After calling regulator_resolve_supply(), the 'rdev->supply' is set
+by set_supply(), after this set, in the error path, the resources
+need be released, so call regulator_put() to avoid the leaks.
+
+Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator")
+Fixes: 8a866d527ac0 ("regulator: core: Resolve supply name earlier to prevent double-init")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221202025111.496402-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 9b839dced470..4a93154bb574 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5615,6 +5615,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ regulator_remove_coupling(rdev);
+ mutex_unlock(®ulator_list_mutex);
+ wash:
++ regulator_put(rdev->supply);
+ kfree(rdev->coupling_desc.coupled_rdevs);
+ mutex_lock(®ulator_list_mutex);
+ regulator_ena_gpio_free(rdev);
+--
+2.35.1
+
--- /dev/null
+From 1ac685c9017711c54018fbf15f13f8d923f8c4b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 17:15:08 +0800
+Subject: regulator: core: fix unbalanced of node refcount in
+ regulator_dev_lookup()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 ]
+
+I got the the following report:
+
+ OF: ERROR: memory leak, expected refcount 1 instead of 2,
+ of_node_get()/of_node_put() unbalanced - destroy cset entry:
+ attach overlay node /i2c/pmic@62/regulators/exten
+
+In of_get_regulator(), the node is returned from of_parse_phandle()
+with refcount incremented, after using it, of_node_put() need be called.
+
+Fixes: 69511a452e6d ("regulator: map consumer regulator based on device tree")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221115091508.900752-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index c0f368f1b49f..afd17b13de7c 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1925,6 +1925,7 @@ static struct regulator_dev *regulator_dev_lookup(struct device *dev,
+ node = of_get_regulator(dev, supply);
+ if (node) {
+ r = of_find_regulator_by_node(node);
++ of_node_put(node);
+ if (r)
+ return r;
+
+--
+2.35.1
+
--- /dev/null
+From 4f46b6ad2e890af01059925f9b8eacc355a093cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 11:38:06 +0800
+Subject: regulator: core: fix use_count leakage when handling boot-on
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rui Zhang <zr.zhang@vivo.com>
+
+[ Upstream commit 0591b14ce0398125439c759f889647369aa616a0 ]
+
+I found a use_count leakage towards supply regulator of rdev with
+boot-on option.
+
+┌───────────────────┐ ┌───────────────────┐
+│ regulator_dev A │ │ regulator_dev B │
+│ (boot-on) │ │ (boot-on) │
+│ use_count=0 │◀──supply──│ use_count=1 │
+│ │ │ │
+└───────────────────┘ └───────────────────┘
+
+In case of rdev(A) configured with `regulator-boot-on', the use_count
+of supplying regulator(B) will increment inside
+regulator_enable(rdev->supply).
+
+Thus, B will acts like always-on, and further balanced
+regulator_enable/disable cannot actually disable it anymore.
+
+However, B was also configured with `regulator-boot-on', we wish it
+could be disabled afterwards.
+
+Signed-off-by: Rui Zhang <zr.zhang@vivo.com>
+Link: https://lore.kernel.org/r/20221201033806.2567812-1-zr.zhang@vivo.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 4a93154bb574..1c1710d367d3 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1578,7 +1578,13 @@ static int set_machine_constraints(struct regulator_dev *rdev)
+ if (rdev->supply_name && !rdev->supply)
+ return -EPROBE_DEFER;
+
+- if (rdev->supply) {
++ /* If supplying regulator has already been enabled,
++ * it's not intended to have use_count increment
++ * when rdev is only boot-on.
++ */
++ if (rdev->supply &&
++ (rdev->constraints->always_on ||
++ !regulator_is_enabled(rdev->supply))) {
+ ret = regulator_enable(rdev->supply);
+ if (ret < 0) {
+ _regulator_put(rdev->supply);
+--
+2.35.1
+
--- /dev/null
+From 2e175aab4ab4415d677e73de4d7065547b88bc4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 15:22:21 +0800
+Subject: regulator: core: Use different devices for resource allocation and DT
+ lookup
+
+From: ChiYuan Huang <cy_huang@richtek.com>
+
+[ Upstream commit 8f3cbcd6b440032ebc7f7d48a1689dcc70a4eb98 ]
+
+Following by the below discussion, there's the potential UAF issue
+between regulator and mfd.
+https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.com/
+
+From the analysis of Yingliang
+
+CPU A |CPU B
+mt6370_probe() |
+ devm_mfd_add_devices() |
+ |mt6370_regulator_probe()
+ | regulator_register()
+ | //allocate init_data and add it to devres
+ | regulator_of_get_init_data()
+i2c_unregister_device() |
+ device_del() |
+ devres_release_all() |
+ // init_data is freed |
+ release_nodes() |
+ | // using init_data causes UAF
+ | regulator_register()
+
+It's common to use mfd core to create child device for the regulator.
+In order to do the DT lookup for init data, the child that registered
+the regulator would pass its parent as the parameter. And this causes
+init data resource allocated to its parent, not itself. The issue happen
+when parent device is going to release and regulator core is still doing
+some operation of init data constraint for the regulator of child device.
+
+To fix it, this patch expand 'regulator_register' API to use the
+different devices for init data allocation and DT lookup.
+
+Reported-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
+Link: https://lore.kernel.org/r/1670311341-32664-1-git-send-email-u0084500@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/int3472/clk_and_regulator.c | 3 ++-
+ drivers/regulator/core.c | 8 ++++----
+ drivers/regulator/devres.c | 2 +-
+ drivers/regulator/of_regulator.c | 2 +-
+ drivers/regulator/stm32-vrefbuf.c | 2 +-
+ include/linux/regulator/driver.h | 3 ++-
+ 6 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/int3472/clk_and_regulator.c b/drivers/platform/x86/intel/int3472/clk_and_regulator.c
+index 1cf958983e86..b2342b3d78c7 100644
+--- a/drivers/platform/x86/intel/int3472/clk_and_regulator.c
++++ b/drivers/platform/x86/intel/int3472/clk_and_regulator.c
+@@ -185,7 +185,8 @@ int skl_int3472_register_regulator(struct int3472_discrete_device *int3472,
+ cfg.init_data = &init_data;
+ cfg.ena_gpiod = int3472->regulator.gpio;
+
+- int3472->regulator.rdev = regulator_register(&int3472->regulator.rdesc,
++ int3472->regulator.rdev = regulator_register(int3472->dev,
++ &int3472->regulator.rdesc,
+ &cfg);
+ if (IS_ERR(int3472->regulator.rdev)) {
+ ret = PTR_ERR(int3472->regulator.rdev);
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 1c1710d367d3..c095ca9f01e8 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5388,6 +5388,7 @@ static struct regulator_coupler generic_regulator_coupler = {
+
+ /**
+ * regulator_register - register regulator
++ * @dev: the device that drive the regulator
+ * @regulator_desc: regulator to register
+ * @cfg: runtime configuration for regulator
+ *
+@@ -5396,7 +5397,8 @@ static struct regulator_coupler generic_regulator_coupler = {
+ * or an ERR_PTR() on error.
+ */
+ struct regulator_dev *
+-regulator_register(const struct regulator_desc *regulator_desc,
++regulator_register(struct device *dev,
++ const struct regulator_desc *regulator_desc,
+ const struct regulator_config *cfg)
+ {
+ const struct regulator_init_data *init_data;
+@@ -5405,7 +5407,6 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ struct regulator_dev *rdev;
+ bool dangling_cfg_gpiod = false;
+ bool dangling_of_gpiod = false;
+- struct device *dev;
+ int ret, i;
+
+ if (cfg == NULL)
+@@ -5417,8 +5418,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ goto rinse;
+ }
+
+- dev = cfg->dev;
+- WARN_ON(!dev);
++ WARN_ON(!dev || !cfg->dev);
+
+ if (regulator_desc->name == NULL || regulator_desc->ops == NULL) {
+ ret = -EINVAL;
+diff --git a/drivers/regulator/devres.c b/drivers/regulator/devres.c
+index 32823a87fd40..d94db64cd490 100644
+--- a/drivers/regulator/devres.c
++++ b/drivers/regulator/devres.c
+@@ -221,7 +221,7 @@ struct regulator_dev *devm_regulator_register(struct device *dev,
+ if (!ptr)
+ return ERR_PTR(-ENOMEM);
+
+- rdev = regulator_register(regulator_desc, config);
++ rdev = regulator_register(dev, regulator_desc, config);
+ if (!IS_ERR(rdev)) {
+ *ptr = rdev;
+ devres_add(dev, ptr);
+diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c
+index e12b681c72e5..bd0c5d1fd647 100644
+--- a/drivers/regulator/of_regulator.c
++++ b/drivers/regulator/of_regulator.c
+@@ -505,7 +505,7 @@ struct regulator_init_data *regulator_of_get_init_data(struct device *dev,
+ struct device_node *child;
+ struct regulator_init_data *init_data = NULL;
+
+- child = regulator_of_get_init_node(dev, desc);
++ child = regulator_of_get_init_node(config->dev, desc);
+ if (!child)
+ return NULL;
+
+diff --git a/drivers/regulator/stm32-vrefbuf.c b/drivers/regulator/stm32-vrefbuf.c
+index 30ea3bc8ca19..7a454b7b6eab 100644
+--- a/drivers/regulator/stm32-vrefbuf.c
++++ b/drivers/regulator/stm32-vrefbuf.c
+@@ -210,7 +210,7 @@ static int stm32_vrefbuf_probe(struct platform_device *pdev)
+ pdev->dev.of_node,
+ &stm32_vrefbuf_regu);
+
+- rdev = regulator_register(&stm32_vrefbuf_regu, &config);
++ rdev = regulator_register(&pdev->dev, &stm32_vrefbuf_regu, &config);
+ if (IS_ERR(rdev)) {
+ ret = PTR_ERR(rdev);
+ dev_err(&pdev->dev, "register failed with error %d\n", ret);
+diff --git a/include/linux/regulator/driver.h b/include/linux/regulator/driver.h
+index f9a7461e72b8..d3b4a3d4514a 100644
+--- a/include/linux/regulator/driver.h
++++ b/include/linux/regulator/driver.h
+@@ -687,7 +687,8 @@ static inline int regulator_err2notif(int err)
+
+
+ struct regulator_dev *
+-regulator_register(const struct regulator_desc *regulator_desc,
++regulator_register(struct device *dev,
++ const struct regulator_desc *regulator_desc,
+ const struct regulator_config *config);
+ struct regulator_dev *
+ devm_regulator_register(struct device *dev,
+--
+2.35.1
+
--- /dev/null
+From d2db90322b2d8f7336837ca7cc0e30fbec9c57a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 11:46:16 +0800
+Subject: regulator: core: use kfree_const() to free space conditionally
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit dc8d006d15b623c1d80b90b45d6dcb6e890dad09 ]
+
+Use kfree_const() to free supply_name conditionally in create_regulator()
+as supply_name may be allocated from kmalloc() or directly from .rodata
+section.
+
+Fixes: 87fe29b61f95 ("regulator: push allocations in create_regulator() outside of lock")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lore.kernel.org/r/20221123034616.3609537-1-bobo.shaobowang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index afd17b13de7c..b7e7eec1084e 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1795,7 +1795,7 @@ static struct regulator *create_regulator(struct regulator_dev *rdev,
+
+ regulator = kzalloc(sizeof(*regulator), GFP_KERNEL);
+ if (regulator == NULL) {
+- kfree(supply_name);
++ kfree_const(supply_name);
+ return NULL;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From d4ee0aabfb8fef0f1648ad43c3e4af84f83a4ec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 06:21:09 +0000
+Subject: regulator: qcom-labibb: Fix missing of_node_put() in
+ qcom_labibb_regulator_probe()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit cf34ac6aa2b12fb0c3aacfdcae8acd7904b949ec ]
+
+The reg_node needs to be released through of_node_put() in the error
+handling path when of_irq_get_byname() failed.
+
+Fixes: 390af53e0411 ("regulator: qcom-labibb: Implement short-circuit and over-current IRQs")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221203062109.115043-1-yuancan@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/qcom-labibb-regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/qcom-labibb-regulator.c b/drivers/regulator/qcom-labibb-regulator.c
+index 639b71eb41ff..bcf7140f3bc9 100644
+--- a/drivers/regulator/qcom-labibb-regulator.c
++++ b/drivers/regulator/qcom-labibb-regulator.c
+@@ -822,6 +822,7 @@ static int qcom_labibb_regulator_probe(struct platform_device *pdev)
+ if (irq == 0)
+ irq = -EINVAL;
+
++ of_node_put(reg_node);
+ return dev_err_probe(vreg->dev, irq,
+ "Short-circuit irq not found.\n");
+ }
+--
+2.35.1
+
--- /dev/null
+From 4e14e84a451e23a4537618e681f3e967fb9e5904 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 22:07:05 +0100
+Subject: regulator: qcom-rpmh: Fix PMR735a S3 regulator spec
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+[ Upstream commit dd801b2265c81bf0c8b0b4b8f7c1e7bfed078403 ]
+
+PMR735a has a wider range than previously defined. Fix it.
+
+Fixes: c4e5aa3dbee5 ("regulator: qcom-rpmh: Add PM7325/PMR735A regulator support")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20221110210706.80301-1-konrad.dybcio@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/qcom-rpmh-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/qcom-rpmh-regulator.c b/drivers/regulator/qcom-rpmh-regulator.c
+index 561de6b2e6e3..5839e4732336 100644
+--- a/drivers/regulator/qcom-rpmh-regulator.c
++++ b/drivers/regulator/qcom-rpmh-regulator.c
+@@ -1188,7 +1188,7 @@ static const struct rpmh_vreg_init_data pm7325_vreg_data[] = {
+ static const struct rpmh_vreg_init_data pmr735a_vreg_data[] = {
+ RPMH_VREG("smps1", "smp%s1", &pmic5_ftsmps520, "vdd-s1"),
+ RPMH_VREG("smps2", "smp%s2", &pmic5_ftsmps520, "vdd-s2"),
+- RPMH_VREG("smps3", "smp%s3", &pmic5_hfsmps510, "vdd-s3"),
++ RPMH_VREG("smps3", "smp%s3", &pmic5_hfsmps515, "vdd-s3"),
+ RPMH_VREG("ldo1", "ldo%s1", &pmic5_nldo, "vdd-l1-l2"),
+ RPMH_VREG("ldo2", "ldo%s2", &pmic5_nldo, "vdd-l1-l2"),
+ RPMH_VREG("ldo3", "ldo%s3", &pmic5_nldo, "vdd-l3"),
+--
+2.35.1
+
--- /dev/null
+From 5f1cfb6d098b4f8ef73ed594d4600aeb51204756 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 09:23:38 +0000
+Subject: relay: fix type mismatch when allocating memory in relay_create_buf()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 4d8586e04602fe42f0a782d2005956f8b6302678 ]
+
+The 'padding' field of the 'rchan_buf' structure is an array of 'size_t'
+elements, but the memory is allocated for an array of 'size_t *' elements.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Link: https://lkml.kernel.org/r/20221129092002.3538384-1-Ilia.Gavrilov@infotecs.ru
+Fixes: b86ff981a825 ("[PATCH] relay: migrate from relayfs to a generic relay API")
+Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Cc: Colin Ian King <colin.i.king@gmail.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: wuchi <wuchi.zero@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/relay.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/relay.c b/kernel/relay.c
+index 6a611e779e95..fd1d196e04d4 100644
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -151,13 +151,13 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan)
+ {
+ struct rchan_buf *buf;
+
+- if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
++ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t))
+ return NULL;
+
+ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
+ if (!buf)
+ return NULL;
+- buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t *),
++ buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t),
+ GFP_KERNEL);
+ if (!buf->padding)
+ goto free_buf;
+--
+2.35.1
+
--- /dev/null
+From 7c08fd7d553078b3e4785079d500885fe70cfbb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Dec 2022 16:27:57 +0800
+Subject: remoteproc: qcom: q6v5: Fix missing clk_disable_unprepare() in
+ q6v5_wcss_qcs404_power_on()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 7ff5d60f18bba5cbaf17b2926aa9da44d5beca01 ]
+
+q6v5_wcss_qcs404_power_on() have no fail path for readl_poll_timeout().
+Add fail path for readl_poll_timeout().
+
+Fixes: 0af65b9b915e ("remoteproc: qcom: wcss: Add non pas wcss Q6 support for QCS404")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221204082757.18850-1-shangxiaojing@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_wcss.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_wcss.c b/drivers/remoteproc/qcom_q6v5_wcss.c
+index de232337e082..ba24d745b2d6 100644
+--- a/drivers/remoteproc/qcom_q6v5_wcss.c
++++ b/drivers/remoteproc/qcom_q6v5_wcss.c
+@@ -351,7 +351,7 @@ static int q6v5_wcss_qcs404_power_on(struct q6v5_wcss *wcss)
+ if (ret) {
+ dev_err(wcss->dev,
+ "xo cbcr enabling timed out (rc:%d)\n", ret);
+- return ret;
++ goto disable_xo_cbcr_clk;
+ }
+
+ writel(0, wcss->reg_base + Q6SS_CGC_OVERRIDE);
+@@ -417,6 +417,7 @@ static int q6v5_wcss_qcs404_power_on(struct q6v5_wcss *wcss)
+ val = readl(wcss->reg_base + Q6SS_SLEEP_CBCR);
+ val &= ~Q6SS_CLK_ENABLE;
+ writel(val, wcss->reg_base + Q6SS_SLEEP_CBCR);
++disable_xo_cbcr_clk:
+ val = readl(wcss->reg_base + Q6SS_XO_CBCR);
+ val &= ~Q6SS_CLK_ENABLE;
+ writel(val, wcss->reg_base + Q6SS_XO_CBCR);
+--
+2.35.1
+
--- /dev/null
+From a536f3fd75f40574e06260d924a3e0b7b9371e62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 10:16:41 +0800
+Subject: remoteproc: qcom: q6v5: Fix potential null-ptr-deref in
+ q6v5_wcss_init_mmio()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit f360e2b275efbb745ba0af8b47d9ef44221be586 ]
+
+q6v5_wcss_init_mmio() will call platform_get_resource_byname() that may
+fail and return NULL. devm_ioremap() will use res->start as input, which
+may causes null-ptr-deref. Check the ret value of
+platform_get_resource_byname() to avoid the null-ptr-deref.
+
+Fixes: 0af65b9b915e ("remoteproc: qcom: wcss: Add non pas wcss Q6 support for QCS404")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221125021641.29392-1-shangxiaojing@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_wcss.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_wcss.c b/drivers/remoteproc/qcom_q6v5_wcss.c
+index bb0947f7770e..de232337e082 100644
+--- a/drivers/remoteproc/qcom_q6v5_wcss.c
++++ b/drivers/remoteproc/qcom_q6v5_wcss.c
+@@ -827,6 +827,9 @@ static int q6v5_wcss_init_mmio(struct q6v5_wcss *wcss,
+ int ret;
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "qdsp6");
++ if (!res)
++ return -EINVAL;
++
+ wcss->reg_base = devm_ioremap(&pdev->dev, res->start,
+ resource_size(res));
+ if (!wcss->reg_base)
+--
+2.35.1
+
--- /dev/null
+From ee41ec4588474185c7dcfaf4a474a7f92848d7ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 10:08:16 +0100
+Subject: remoteproc: qcom_q6v5_pas: detach power domains on remove
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 34d01df00b84127be04c914fc9f8e8be1fcdf851 ]
+
+We need to detach from the power domains also on remove, not just on
+probe fail so a subsequent probe works as expected.
+
+Otherwise the following error appears on re-probe:
+
+[ 29.452005] sysfs: cannot create duplicate filename '/devices/genpd:0:3000000.remoteproc'
+[ 29.477121] CPU: 1 PID: 483 Comm: sh Tainted: G W 6.1.0-rc4-00075-g71a113770bda #78
+[ 29.510319] Hardware name: Fairphone 4 (DT)
+[ 29.538335] Call trace:
+[ 29.564470] dump_backtrace.part.0+0xe0/0xf0
+[ 29.592602] show_stack+0x18/0x30
+[ 29.619616] dump_stack_lvl+0x64/0x80
+[ 29.646834] dump_stack+0x18/0x34
+[ 29.673541] sysfs_warn_dup+0x60/0x7c
+[ 29.700592] sysfs_create_dir_ns+0xec/0x110
+[ 29.728057] kobject_add_internal+0xb8/0x374
+[ 29.755530] kobject_add+0x9c/0x104
+[ 29.782072] device_add+0xbc/0x8a0
+[ 29.808445] device_register+0x20/0x30
+[ 29.835175] genpd_dev_pm_attach_by_id+0xa4/0x190
+[ 29.862851] genpd_dev_pm_attach_by_name+0x3c/0xb0
+[ 29.890472] dev_pm_domain_attach_by_name+0x20/0x30
+[ 29.918212] adsp_probe+0x278/0x580
+[ 29.944384] platform_probe+0x68/0xc0
+[ 29.970603] really_probe+0xbc/0x2dc
+[ 29.996662] __driver_probe_device+0x78/0xe0
+[ 30.023491] device_driver_attach+0x48/0xac
+[ 30.050215] bind_store+0xb8/0x114
+[ 30.075957] drv_attr_store+0x24/0x3c
+[ 30.101874] sysfs_kf_write+0x44/0x54
+[ 30.127751] kernfs_fop_write_iter+0x120/0x1f0
+[ 30.154448] vfs_write+0x1ac/0x380
+[ 30.179937] ksys_write+0x70/0x104
+[ 30.205274] __arm64_sys_write+0x1c/0x2c
+[ 30.231060] invoke_syscall+0x48/0x114
+[ 30.256594] el0_svc_common.constprop.0+0x44/0xec
+[ 30.283183] do_el0_svc+0x2c/0xd0
+[ 30.308320] el0_svc+0x2c/0x84
+[ 30.333059] el0t_64_sync_handler+0xf4/0x120
+[ 30.359001] el0t_64_sync+0x18c/0x190
+[ 30.384385] kobject_add_internal failed for genpd:0:3000000.remoteproc with -EEXIST, don't try to register things with the same name in the same directory.
+[ 30.406029] remoteproc remoteproc0: releasing 3000000.remoteproc
+[ 30.416064] qcom_q6v5_pas: probe of 3000000.remoteproc failed with error -17
+
+Fixes: 17ee2fb4e856 ("remoteproc: qcom: pas: Vote for active/proxy power domains")
+Reviewed-by: Sibi Sankar <quic_sibis@quicinc.com>
+Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221118090816.100012-2-luca.weiss@fairphone.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_pas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
+index 67f5152e2398..a14ff1142e76 100644
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -573,6 +573,7 @@ static int adsp_remove(struct platform_device *pdev)
+ qcom_remove_sysmon_subdev(adsp->sysmon);
+ qcom_remove_smd_subdev(adsp->rproc, &adsp->smd_subdev);
+ qcom_remove_ssr_subdev(adsp->rproc, &adsp->ssr_subdev);
++ adsp_pds_detach(adsp, adsp->proxy_pds, adsp->proxy_pd_count);
+ device_init_wakeup(adsp->dev, false);
+ rproc_free(adsp->rproc);
+
+--
+2.35.1
+
--- /dev/null
+From 10f228cd3e1d049d457bfaabd9fa21fca0f98908 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 10:08:15 +0100
+Subject: remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 9a70551996e699fda262e8d54bbd41739d7aad6d ]
+
+Leaving wakeup enabled during probe fail (-EPROBE_DEFER) or remove makes
+the subsequent probe fail.
+
+[ 3.749454] remoteproc remoteproc0: releasing 3000000.remoteproc
+[ 3.752949] qcom_q6v5_pas: probe of 3000000.remoteproc failed with error -17
+[ 3.878935] remoteproc remoteproc0: releasing 4080000.remoteproc
+[ 3.887602] qcom_q6v5_pas: probe of 4080000.remoteproc failed with error -17
+[ 4.319552] remoteproc remoteproc0: releasing 8300000.remoteproc
+[ 4.332716] qcom_q6v5_pas: probe of 8300000.remoteproc failed with error -17
+
+Fix this by disabling wakeup in both cases so the driver can properly
+probe on the next try.
+
+Fixes: a781e5aa5911 ("remoteproc: core: Prevent system suspend during remoteproc recovery")
+Fixes: dc86c129b4fb ("remoteproc: qcom: pas: Mark devices as wakeup capable")
+Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
+Reviewed-by: Sibi Sankar <quic_sibis@quicinc.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221118090816.100012-1-luca.weiss@fairphone.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_pas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
+index 6afd0941e552..67f5152e2398 100644
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -556,6 +556,7 @@ static int adsp_probe(struct platform_device *pdev)
+ detach_proxy_pds:
+ adsp_pds_detach(adsp, adsp->proxy_pds, adsp->proxy_pd_count);
+ free_rproc:
++ device_init_wakeup(adsp->dev, false);
+ rproc_free(rproc);
+
+ return ret;
+@@ -572,6 +573,7 @@ static int adsp_remove(struct platform_device *pdev)
+ qcom_remove_sysmon_subdev(adsp->sysmon);
+ qcom_remove_smd_subdev(adsp->rproc, &adsp->smd_subdev);
+ qcom_remove_ssr_subdev(adsp->rproc, &adsp->ssr_subdev);
++ device_init_wakeup(adsp->dev, false);
+ rproc_free(adsp->rproc);
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 9e8534156b89a10c6e3604c335d48dd123b75681 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 07:06:39 +0000
+Subject: remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in
+ adsp_alloc_memory_region()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 38e7d9c19276832ebb0277f415b9214bf7baeb37 ]
+
+The pointer node is returned by of_parse_phandle() with refcount
+incremented. We should use of_node_put() on it when done.
+
+Fixes: b9e718e950c3 ("remoteproc: Introduce Qualcomm ADSP PIL")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221203070639.15128-1-yuancan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_pas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
+index a14ff1142e76..dc6f07ca8341 100644
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -449,6 +449,7 @@ static int adsp_alloc_memory_region(struct qcom_adsp *adsp)
+ }
+
+ ret = of_address_to_resource(node, 0, &r);
++ of_node_put(node);
+ if (ret)
+ return ret;
+
+--
+2.35.1
+
--- /dev/null
+From e5de5eb221f58cfdeb8de7c593802b3ccf6b1052 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 18:56:50 +0800
+Subject: remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit e01ce676aaef3b13d02343d7e70f9637d93a3367 ]
+
+The kfree() should be called when of_irq_get_byname() fails or
+devm_request_threaded_irq() fails in qcom_add_sysmon_subdev(),
+otherwise there will be a memory leak, so add kfree() to fix it.
+
+Fixes: 027045a6e2b7 ("remoteproc: qcom: Add shutdown-ack irq")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221129105650.1539187-1-cuigaosheng1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_sysmon.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/remoteproc/qcom_sysmon.c b/drivers/remoteproc/qcom_sysmon.c
+index 57dde2a69b9d..15af52f8499e 100644
+--- a/drivers/remoteproc/qcom_sysmon.c
++++ b/drivers/remoteproc/qcom_sysmon.c
+@@ -652,7 +652,9 @@ struct qcom_sysmon *qcom_add_sysmon_subdev(struct rproc *rproc,
+ if (sysmon->shutdown_irq != -ENODATA) {
+ dev_err(sysmon->dev,
+ "failed to retrieve shutdown-ack IRQ\n");
+- return ERR_PTR(sysmon->shutdown_irq);
++ ret = sysmon->shutdown_irq;
++ kfree(sysmon);
++ return ERR_PTR(ret);
+ }
+ } else {
+ ret = devm_request_threaded_irq(sysmon->dev,
+@@ -663,6 +665,7 @@ struct qcom_sysmon *qcom_add_sysmon_subdev(struct rproc *rproc,
+ if (ret) {
+ dev_err(sysmon->dev,
+ "failed to acquire shutdown-ack IRQ\n");
++ kfree(sysmon);
+ return ERR_PTR(ret);
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From ef5250518888e35369ef4aece0c6474801be28b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 15:04:36 -0400
+Subject: Revert "drm/amd/display: Limit max DSC target bpp for specific
+ monitors"
+
+From: Hamza Mahfooz <hamza.mahfooz@amd.com>
+
+[ Upstream commit 6803dfd3a69ccb318772463a86e40929fd4fbac7 ]
+
+This reverts commit 55eea8ef98641f6e1e1c202bd3a49a57c1dd4059.
+
+This quirk is now handled in the DRM core, so we can drop all of
+the internal code that was added to handle it.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 35 -------------------
+ 1 file changed, 35 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+index a0154a5f7183..e2d3027c3993 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+@@ -41,39 +41,6 @@
+ #include "dm_helpers.h"
+ #include "ddc_service_types.h"
+
+-struct monitor_patch_info {
+- unsigned int manufacturer_id;
+- unsigned int product_id;
+- void (*patch_func)(struct dc_edid_caps *edid_caps, unsigned int param);
+- unsigned int patch_param;
+-};
+-static void set_max_dsc_bpp_limit(struct dc_edid_caps *edid_caps, unsigned int param);
+-
+-static const struct monitor_patch_info monitor_patch_table[] = {
+-{0x6D1E, 0x5BBF, set_max_dsc_bpp_limit, 15},
+-{0x6D1E, 0x5B9A, set_max_dsc_bpp_limit, 15},
+-};
+-
+-static void set_max_dsc_bpp_limit(struct dc_edid_caps *edid_caps, unsigned int param)
+-{
+- if (edid_caps)
+- edid_caps->panel_patch.max_dsc_target_bpp_limit = param;
+-}
+-
+-static int amdgpu_dm_patch_edid_caps(struct dc_edid_caps *edid_caps)
+-{
+- int i, ret = 0;
+-
+- for (i = 0; i < ARRAY_SIZE(monitor_patch_table); i++)
+- if ((edid_caps->manufacturer_id == monitor_patch_table[i].manufacturer_id)
+- && (edid_caps->product_id == monitor_patch_table[i].product_id)) {
+- monitor_patch_table[i].patch_func(edid_caps, monitor_patch_table[i].patch_param);
+- ret++;
+- }
+-
+- return ret;
+-}
+-
+ /* dm_helpers_parse_edid_caps
+ *
+ * Parse edid caps
+@@ -148,8 +115,6 @@ enum dc_edid_status dm_helpers_parse_edid_caps(
+ kfree(sads);
+ kfree(sadb);
+
+- amdgpu_dm_patch_edid_caps(edid_caps);
+-
+ return result;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e6b57ea689c5960afac8bd3cf70281d78ff7bee6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:48:08 +0100
+Subject: Revert "net: hsr: use hlist_head instead of list_head for mac
+ addresses"
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit e012764cebf6e33097f6833ff15a936fbe7b846c ]
+
+The hlist optimisation (which not only uses hlist_head instead of
+list_head but also splits hsr_priv::node_db into an array of 256 slots)
+does not consider the "node merge":
+Upon starting the hsr network (with three nodes) a packet that is
+sent from node1 to node3 will also be sent from node1 to node2 and then
+forwarded to node3.
+As a result node3 will receive 2 packets because it is not able
+to filter out the duplicate. Each packet received will create a new
+struct hsr_node with macaddress_A only set the MAC address it received
+from (the two MAC addesses from node1).
+At some point (early in the process) two supervision frames will be
+received from node1. They will be processed by hsr_handle_sup_frame()
+and one frame will leave early ("Node has already been merged") and does
+nothing. The other frame will be merged as portB and have its MAC
+address written to macaddress_B and the hsr_node (that was created for
+it as macaddress_A) will be removed.
+From now on HSR is able to identify a duplicate because both packets
+sent from one node will result in the same struct hsr_node because
+hsr_get_node() will find the MAC address either on macaddress_A or
+macaddress_B.
+
+Things get tricky with the optimisation: If sender's MAC address is
+saved as macaddress_A then the lookup will work as usual. If the MAC
+address has been merged into macaddress_B of another hsr_node then the
+lookup won't work because it is likely that the data structure is in
+another bucket. This results in creating a new struct hsr_node and not
+recognising a possible duplicate.
+
+A way around it would be to add another hsr_node::mac_list_B and attach
+it to the other bucket to ensure that this hsr_node will be looked up
+either via macaddress_A _or_ macaddress_B.
+
+I however prefer to revert it because it sounds like an academic problem
+rather than real life workload plus it adds complexity. I'm not an HSR
+expert with what is usual size of a network but I would guess 40 to 60
+nodes. With 10.000 nodes and assuming 60us for pass-through (from node
+to node) then it would take almost 600ms for a packet to almost wrap
+around which sounds a lot.
+
+Revert the hash MAC addresses optimisation.
+
+Fixes: 4acc45db71158 ("net: hsr: use hlist_head instead of list_head for mac addresses")
+Cc: Juhee Kang <claudiajkang@gmail.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_debugfs.c | 40 ++++----
+ net/hsr/hsr_device.c | 10 +-
+ net/hsr/hsr_forward.c | 7 +-
+ net/hsr/hsr_framereg.c | 209 ++++++++++++++++-------------------------
+ net/hsr/hsr_framereg.h | 14 +--
+ net/hsr/hsr_main.h | 9 +-
+ net/hsr/hsr_netlink.c | 4 +-
+ 7 files changed, 106 insertions(+), 187 deletions(-)
+
+diff --git a/net/hsr/hsr_debugfs.c b/net/hsr/hsr_debugfs.c
+index de476a417631..1a195efc79cd 100644
+--- a/net/hsr/hsr_debugfs.c
++++ b/net/hsr/hsr_debugfs.c
+@@ -9,7 +9,6 @@
+ #include <linux/module.h>
+ #include <linux/errno.h>
+ #include <linux/debugfs.h>
+-#include <linux/jhash.h>
+ #include "hsr_main.h"
+ #include "hsr_framereg.h"
+
+@@ -21,7 +20,6 @@ hsr_node_table_show(struct seq_file *sfp, void *data)
+ {
+ struct hsr_priv *priv = (struct hsr_priv *)sfp->private;
+ struct hsr_node *node;
+- int i;
+
+ seq_printf(sfp, "Node Table entries for (%s) device\n",
+ (priv->prot_version == PRP_V1 ? "PRP" : "HSR"));
+@@ -33,28 +31,22 @@ hsr_node_table_show(struct seq_file *sfp, void *data)
+ seq_puts(sfp, "DAN-H\n");
+
+ rcu_read_lock();
+-
+- for (i = 0 ; i < priv->hash_buckets; i++) {
+- hlist_for_each_entry_rcu(node, &priv->node_db[i], mac_list) {
+- /* skip self node */
+- if (hsr_addr_is_self(priv, node->macaddress_A))
+- continue;
+- seq_printf(sfp, "%pM ", &node->macaddress_A[0]);
+- seq_printf(sfp, "%pM ", &node->macaddress_B[0]);
+- seq_printf(sfp, "%10lx, ",
+- node->time_in[HSR_PT_SLAVE_A]);
+- seq_printf(sfp, "%10lx, ",
+- node->time_in[HSR_PT_SLAVE_B]);
+- seq_printf(sfp, "%14x, ", node->addr_B_port);
+-
+- if (priv->prot_version == PRP_V1)
+- seq_printf(sfp, "%5x, %5x, %5x\n",
+- node->san_a, node->san_b,
+- (node->san_a == 0 &&
+- node->san_b == 0));
+- else
+- seq_printf(sfp, "%5x\n", 1);
+- }
++ list_for_each_entry_rcu(node, &priv->node_db, mac_list) {
++ /* skip self node */
++ if (hsr_addr_is_self(priv, node->macaddress_A))
++ continue;
++ seq_printf(sfp, "%pM ", &node->macaddress_A[0]);
++ seq_printf(sfp, "%pM ", &node->macaddress_B[0]);
++ seq_printf(sfp, "%10lx, ", node->time_in[HSR_PT_SLAVE_A]);
++ seq_printf(sfp, "%10lx, ", node->time_in[HSR_PT_SLAVE_B]);
++ seq_printf(sfp, "%14x, ", node->addr_B_port);
++
++ if (priv->prot_version == PRP_V1)
++ seq_printf(sfp, "%5x, %5x, %5x\n",
++ node->san_a, node->san_b,
++ (node->san_a == 0 && node->san_b == 0));
++ else
++ seq_printf(sfp, "%5x\n", 1);
+ }
+ rcu_read_unlock();
+ return 0;
+diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
+index 6ffef47e9be5..7518f7e93043 100644
+--- a/net/hsr/hsr_device.c
++++ b/net/hsr/hsr_device.c
+@@ -485,16 +485,12 @@ int hsr_dev_finalize(struct net_device *hsr_dev, struct net_device *slave[2],
+ {
+ bool unregister = false;
+ struct hsr_priv *hsr;
+- int res, i;
++ int res;
+
+ hsr = netdev_priv(hsr_dev);
+ INIT_LIST_HEAD(&hsr->ports);
+- INIT_HLIST_HEAD(&hsr->self_node_db);
+- hsr->hash_buckets = HSR_HSIZE;
+- get_random_bytes(&hsr->hash_seed, sizeof(hsr->hash_seed));
+- for (i = 0; i < hsr->hash_buckets; i++)
+- INIT_HLIST_HEAD(&hsr->node_db[i]);
+-
++ INIT_LIST_HEAD(&hsr->node_db);
++ INIT_LIST_HEAD(&hsr->self_node_db);
+ spin_lock_init(&hsr->list_lock);
+
+ eth_hw_addr_set(hsr_dev, slave[0]->dev_addr);
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index 56bb27d67a2e..3e58d310b4d4 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -571,23 +571,20 @@ static int fill_frame_info(struct hsr_frame_info *frame,
+ struct ethhdr *ethhdr;
+ __be16 proto;
+ int ret;
+- u32 hash;
+
+ /* Check if skb contains ethhdr */
+ if (skb->mac_len < sizeof(struct ethhdr))
+ return -EINVAL;
+
+ memset(frame, 0, sizeof(*frame));
+-
+- ethhdr = (struct ethhdr *)skb_mac_header(skb);
+- hash = hsr_mac_hash(port->hsr, ethhdr->h_source);
+ frame->is_supervision = is_supervision_frame(port->hsr, skb);
+- frame->node_src = hsr_get_node(port, &hsr->node_db[hash], skb,
++ frame->node_src = hsr_get_node(port, &hsr->node_db, skb,
+ frame->is_supervision,
+ port->type);
+ if (!frame->node_src)
+ return -1; /* Unknown node and !is_supervision, or no mem */
+
++ ethhdr = (struct ethhdr *)skb_mac_header(skb);
+ frame->is_vlan = false;
+ proto = ethhdr->h_proto;
+
+diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
+index 584e21788799..9b8eaebce254 100644
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -15,37 +15,10 @@
+ #include <linux/etherdevice.h>
+ #include <linux/slab.h>
+ #include <linux/rculist.h>
+-#include <linux/jhash.h>
+ #include "hsr_main.h"
+ #include "hsr_framereg.h"
+ #include "hsr_netlink.h"
+
+-#ifdef CONFIG_LOCKDEP
+-int lockdep_hsr_is_held(spinlock_t *lock)
+-{
+- return lockdep_is_held(lock);
+-}
+-#endif
+-
+-u32 hsr_mac_hash(struct hsr_priv *hsr, const unsigned char *addr)
+-{
+- u32 hash = jhash(addr, ETH_ALEN, hsr->hash_seed);
+-
+- return reciprocal_scale(hash, hsr->hash_buckets);
+-}
+-
+-struct hsr_node *hsr_node_get_first(struct hlist_head *head, spinlock_t *lock)
+-{
+- struct hlist_node *first;
+-
+- first = rcu_dereference_bh_check(hlist_first_rcu(head),
+- lockdep_hsr_is_held(lock));
+- if (first)
+- return hlist_entry(first, struct hsr_node, mac_list);
+-
+- return NULL;
+-}
+-
+ /* seq_nr_after(a, b) - return true if a is after (higher in sequence than) b,
+ * false otherwise.
+ */
+@@ -67,7 +40,8 @@ bool hsr_addr_is_self(struct hsr_priv *hsr, unsigned char *addr)
+ {
+ struct hsr_node *node;
+
+- node = hsr_node_get_first(&hsr->self_node_db, &hsr->list_lock);
++ node = list_first_or_null_rcu(&hsr->self_node_db, struct hsr_node,
++ mac_list);
+ if (!node) {
+ WARN_ONCE(1, "HSR: No self node\n");
+ return false;
+@@ -83,12 +57,12 @@ bool hsr_addr_is_self(struct hsr_priv *hsr, unsigned char *addr)
+
+ /* Search for mac entry. Caller must hold rcu read lock.
+ */
+-static struct hsr_node *find_node_by_addr_A(struct hlist_head *node_db,
++static struct hsr_node *find_node_by_addr_A(struct list_head *node_db,
+ const unsigned char addr[ETH_ALEN])
+ {
+ struct hsr_node *node;
+
+- hlist_for_each_entry_rcu(node, node_db, mac_list) {
++ list_for_each_entry_rcu(node, node_db, mac_list) {
+ if (ether_addr_equal(node->macaddress_A, addr))
+ return node;
+ }
+@@ -103,7 +77,7 @@ int hsr_create_self_node(struct hsr_priv *hsr,
+ const unsigned char addr_a[ETH_ALEN],
+ const unsigned char addr_b[ETH_ALEN])
+ {
+- struct hlist_head *self_node_db = &hsr->self_node_db;
++ struct list_head *self_node_db = &hsr->self_node_db;
+ struct hsr_node *node, *oldnode;
+
+ node = kmalloc(sizeof(*node), GFP_KERNEL);
+@@ -114,13 +88,14 @@ int hsr_create_self_node(struct hsr_priv *hsr,
+ ether_addr_copy(node->macaddress_B, addr_b);
+
+ spin_lock_bh(&hsr->list_lock);
+- oldnode = hsr_node_get_first(self_node_db, &hsr->list_lock);
++ oldnode = list_first_or_null_rcu(self_node_db,
++ struct hsr_node, mac_list);
+ if (oldnode) {
+- hlist_replace_rcu(&oldnode->mac_list, &node->mac_list);
++ list_replace_rcu(&oldnode->mac_list, &node->mac_list);
+ spin_unlock_bh(&hsr->list_lock);
+ kfree_rcu(oldnode, rcu_head);
+ } else {
+- hlist_add_tail_rcu(&node->mac_list, self_node_db);
++ list_add_tail_rcu(&node->mac_list, self_node_db);
+ spin_unlock_bh(&hsr->list_lock);
+ }
+
+@@ -129,25 +104,25 @@ int hsr_create_self_node(struct hsr_priv *hsr,
+
+ void hsr_del_self_node(struct hsr_priv *hsr)
+ {
+- struct hlist_head *self_node_db = &hsr->self_node_db;
++ struct list_head *self_node_db = &hsr->self_node_db;
+ struct hsr_node *node;
+
+ spin_lock_bh(&hsr->list_lock);
+- node = hsr_node_get_first(self_node_db, &hsr->list_lock);
++ node = list_first_or_null_rcu(self_node_db, struct hsr_node, mac_list);
+ if (node) {
+- hlist_del_rcu(&node->mac_list);
++ list_del_rcu(&node->mac_list);
+ kfree_rcu(node, rcu_head);
+ }
+ spin_unlock_bh(&hsr->list_lock);
+ }
+
+-void hsr_del_nodes(struct hlist_head *node_db)
++void hsr_del_nodes(struct list_head *node_db)
+ {
+ struct hsr_node *node;
+- struct hlist_node *tmp;
++ struct hsr_node *tmp;
+
+- hlist_for_each_entry_safe(node, tmp, node_db, mac_list)
+- kfree_rcu(node, rcu_head);
++ list_for_each_entry_safe(node, tmp, node_db, mac_list)
++ kfree(node);
+ }
+
+ void prp_handle_san_frame(bool san, enum hsr_port_type port,
+@@ -168,7 +143,7 @@ void prp_handle_san_frame(bool san, enum hsr_port_type port,
+ * originating from the newly added node.
+ */
+ static struct hsr_node *hsr_add_node(struct hsr_priv *hsr,
+- struct hlist_head *node_db,
++ struct list_head *node_db,
+ unsigned char addr[],
+ u16 seq_out, bool san,
+ enum hsr_port_type rx_port)
+@@ -198,14 +173,14 @@ static struct hsr_node *hsr_add_node(struct hsr_priv *hsr,
+ hsr->proto_ops->handle_san_frame(san, rx_port, new_node);
+
+ spin_lock_bh(&hsr->list_lock);
+- hlist_for_each_entry_rcu(node, node_db, mac_list,
+- lockdep_hsr_is_held(&hsr->list_lock)) {
++ list_for_each_entry_rcu(node, node_db, mac_list,
++ lockdep_is_held(&hsr->list_lock)) {
+ if (ether_addr_equal(node->macaddress_A, addr))
+ goto out;
+ if (ether_addr_equal(node->macaddress_B, addr))
+ goto out;
+ }
+- hlist_add_tail_rcu(&new_node->mac_list, node_db);
++ list_add_tail_rcu(&new_node->mac_list, node_db);
+ spin_unlock_bh(&hsr->list_lock);
+ return new_node;
+ out:
+@@ -225,7 +200,7 @@ void prp_update_san_info(struct hsr_node *node, bool is_sup)
+
+ /* Get the hsr_node from which 'skb' was sent.
+ */
+-struct hsr_node *hsr_get_node(struct hsr_port *port, struct hlist_head *node_db,
++struct hsr_node *hsr_get_node(struct hsr_port *port, struct list_head *node_db,
+ struct sk_buff *skb, bool is_sup,
+ enum hsr_port_type rx_port)
+ {
+@@ -241,7 +216,7 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct hlist_head *node_db,
+
+ ethhdr = (struct ethhdr *)skb_mac_header(skb);
+
+- hlist_for_each_entry_rcu(node, node_db, mac_list) {
++ list_for_each_entry_rcu(node, node_db, mac_list) {
+ if (ether_addr_equal(node->macaddress_A, ethhdr->h_source)) {
+ if (hsr->proto_ops->update_san_info)
+ hsr->proto_ops->update_san_info(node, is_sup);
+@@ -291,12 +266,11 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
+ struct hsr_sup_tlv *hsr_sup_tlv;
+ struct hsr_node *node_real;
+ struct sk_buff *skb = NULL;
+- struct hlist_head *node_db;
++ struct list_head *node_db;
+ struct ethhdr *ethhdr;
+ int i;
+ unsigned int pull_size = 0;
+ unsigned int total_pull_size = 0;
+- u32 hash;
+
+ /* Here either frame->skb_hsr or frame->skb_prp should be
+ * valid as supervision frame always will have protocol
+@@ -334,13 +308,11 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
+ hsr_sp = (struct hsr_sup_payload *)skb->data;
+
+ /* Merge node_curr (registered on macaddress_B) into node_real */
+- node_db = port_rcv->hsr->node_db;
+- hash = hsr_mac_hash(hsr, hsr_sp->macaddress_A);
+- node_real = find_node_by_addr_A(&node_db[hash], hsr_sp->macaddress_A);
++ node_db = &port_rcv->hsr->node_db;
++ node_real = find_node_by_addr_A(node_db, hsr_sp->macaddress_A);
+ if (!node_real)
+ /* No frame received from AddrA of this node yet */
+- node_real = hsr_add_node(hsr, &node_db[hash],
+- hsr_sp->macaddress_A,
++ node_real = hsr_add_node(hsr, node_db, hsr_sp->macaddress_A,
+ HSR_SEQNR_START - 1, true,
+ port_rcv->type);
+ if (!node_real)
+@@ -374,8 +346,7 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
+ hsr_sp = (struct hsr_sup_payload *)skb->data;
+
+ /* Check if redbox mac and node mac are equal. */
+- if (!ether_addr_equal(node_real->macaddress_A,
+- hsr_sp->macaddress_A)) {
++ if (!ether_addr_equal(node_real->macaddress_A, hsr_sp->macaddress_A)) {
+ /* This is a redbox supervision frame for a VDAN! */
+ goto done;
+ }
+@@ -395,7 +366,7 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
+ node_real->addr_B_port = port_rcv->type;
+
+ spin_lock_bh(&hsr->list_lock);
+- hlist_del_rcu(&node_curr->mac_list);
++ list_del_rcu(&node_curr->mac_list);
+ spin_unlock_bh(&hsr->list_lock);
+ kfree_rcu(node_curr, rcu_head);
+
+@@ -433,7 +404,6 @@ void hsr_addr_subst_dest(struct hsr_node *node_src, struct sk_buff *skb,
+ struct hsr_port *port)
+ {
+ struct hsr_node *node_dst;
+- u32 hash;
+
+ if (!skb_mac_header_was_set(skb)) {
+ WARN_ONCE(1, "%s: Mac header not set\n", __func__);
+@@ -443,8 +413,7 @@ void hsr_addr_subst_dest(struct hsr_node *node_src, struct sk_buff *skb,
+ if (!is_unicast_ether_addr(eth_hdr(skb)->h_dest))
+ return;
+
+- hash = hsr_mac_hash(port->hsr, eth_hdr(skb)->h_dest);
+- node_dst = find_node_by_addr_A(&port->hsr->node_db[hash],
++ node_dst = find_node_by_addr_A(&port->hsr->node_db,
+ eth_hdr(skb)->h_dest);
+ if (!node_dst) {
+ if (net_ratelimit())
+@@ -520,73 +489,59 @@ static struct hsr_port *get_late_port(struct hsr_priv *hsr,
+ void hsr_prune_nodes(struct timer_list *t)
+ {
+ struct hsr_priv *hsr = from_timer(hsr, t, prune_timer);
+- struct hlist_node *tmp;
+ struct hsr_node *node;
++ struct hsr_node *tmp;
+ struct hsr_port *port;
+ unsigned long timestamp;
+ unsigned long time_a, time_b;
+- int i;
+
+ spin_lock_bh(&hsr->list_lock);
++ list_for_each_entry_safe(node, tmp, &hsr->node_db, mac_list) {
++ /* Don't prune own node. Neither time_in[HSR_PT_SLAVE_A]
++ * nor time_in[HSR_PT_SLAVE_B], will ever be updated for
++ * the master port. Thus the master node will be repeatedly
++ * pruned leading to packet loss.
++ */
++ if (hsr_addr_is_self(hsr, node->macaddress_A))
++ continue;
++
++ /* Shorthand */
++ time_a = node->time_in[HSR_PT_SLAVE_A];
++ time_b = node->time_in[HSR_PT_SLAVE_B];
++
++ /* Check for timestamps old enough to risk wrap-around */
++ if (time_after(jiffies, time_a + MAX_JIFFY_OFFSET / 2))
++ node->time_in_stale[HSR_PT_SLAVE_A] = true;
++ if (time_after(jiffies, time_b + MAX_JIFFY_OFFSET / 2))
++ node->time_in_stale[HSR_PT_SLAVE_B] = true;
++
++ /* Get age of newest frame from node.
++ * At least one time_in is OK here; nodes get pruned long
++ * before both time_ins can get stale
++ */
++ timestamp = time_a;
++ if (node->time_in_stale[HSR_PT_SLAVE_A] ||
++ (!node->time_in_stale[HSR_PT_SLAVE_B] &&
++ time_after(time_b, time_a)))
++ timestamp = time_b;
++
++ /* Warn of ring error only as long as we get frames at all */
++ if (time_is_after_jiffies(timestamp +
++ msecs_to_jiffies(1.5 * MAX_SLAVE_DIFF))) {
++ rcu_read_lock();
++ port = get_late_port(hsr, node);
++ if (port)
++ hsr_nl_ringerror(hsr, node->macaddress_A, port);
++ rcu_read_unlock();
++ }
+
+- for (i = 0; i < hsr->hash_buckets; i++) {
+- hlist_for_each_entry_safe(node, tmp, &hsr->node_db[i],
+- mac_list) {
+- /* Don't prune own node.
+- * Neither time_in[HSR_PT_SLAVE_A]
+- * nor time_in[HSR_PT_SLAVE_B], will ever be updated
+- * for the master port. Thus the master node will be
+- * repeatedly pruned leading to packet loss.
+- */
+- if (hsr_addr_is_self(hsr, node->macaddress_A))
+- continue;
+-
+- /* Shorthand */
+- time_a = node->time_in[HSR_PT_SLAVE_A];
+- time_b = node->time_in[HSR_PT_SLAVE_B];
+-
+- /* Check for timestamps old enough to
+- * risk wrap-around
+- */
+- if (time_after(jiffies, time_a + MAX_JIFFY_OFFSET / 2))
+- node->time_in_stale[HSR_PT_SLAVE_A] = true;
+- if (time_after(jiffies, time_b + MAX_JIFFY_OFFSET / 2))
+- node->time_in_stale[HSR_PT_SLAVE_B] = true;
+-
+- /* Get age of newest frame from node.
+- * At least one time_in is OK here; nodes get pruned
+- * long before both time_ins can get stale
+- */
+- timestamp = time_a;
+- if (node->time_in_stale[HSR_PT_SLAVE_A] ||
+- (!node->time_in_stale[HSR_PT_SLAVE_B] &&
+- time_after(time_b, time_a)))
+- timestamp = time_b;
+-
+- /* Warn of ring error only as long as we get
+- * frames at all
+- */
+- if (time_is_after_jiffies(timestamp +
+- msecs_to_jiffies(1.5 * MAX_SLAVE_DIFF))) {
+- rcu_read_lock();
+- port = get_late_port(hsr, node);
+- if (port)
+- hsr_nl_ringerror(hsr,
+- node->macaddress_A,
+- port);
+- rcu_read_unlock();
+- }
+-
+- /* Prune old entries */
+- if (time_is_before_jiffies(timestamp +
+- msecs_to_jiffies(HSR_NODE_FORGET_TIME))) {
+- hsr_nl_nodedown(hsr, node->macaddress_A);
+- hlist_del_rcu(&node->mac_list);
+- /* Note that we need to free this
+- * entry later:
+- */
+- kfree_rcu(node, rcu_head);
+- }
++ /* Prune old entries */
++ if (time_is_before_jiffies(timestamp +
++ msecs_to_jiffies(HSR_NODE_FORGET_TIME))) {
++ hsr_nl_nodedown(hsr, node->macaddress_A);
++ list_del_rcu(&node->mac_list);
++ /* Note that we need to free this entry later: */
++ kfree_rcu(node, rcu_head);
+ }
+ }
+ spin_unlock_bh(&hsr->list_lock);
+@@ -600,20 +555,17 @@ void *hsr_get_next_node(struct hsr_priv *hsr, void *_pos,
+ unsigned char addr[ETH_ALEN])
+ {
+ struct hsr_node *node;
+- u32 hash;
+-
+- hash = hsr_mac_hash(hsr, addr);
+
+ if (!_pos) {
+- node = hsr_node_get_first(&hsr->node_db[hash],
+- &hsr->list_lock);
++ node = list_first_or_null_rcu(&hsr->node_db,
++ struct hsr_node, mac_list);
+ if (node)
+ ether_addr_copy(addr, node->macaddress_A);
+ return node;
+ }
+
+ node = _pos;
+- hlist_for_each_entry_continue_rcu(node, mac_list) {
++ list_for_each_entry_continue_rcu(node, &hsr->node_db, mac_list) {
+ ether_addr_copy(addr, node->macaddress_A);
+ return node;
+ }
+@@ -633,11 +585,8 @@ int hsr_get_node_data(struct hsr_priv *hsr,
+ struct hsr_node *node;
+ struct hsr_port *port;
+ unsigned long tdiff;
+- u32 hash;
+-
+- hash = hsr_mac_hash(hsr, addr);
+
+- node = find_node_by_addr_A(&hsr->node_db[hash], addr);
++ node = find_node_by_addr_A(&hsr->node_db, addr);
+ if (!node)
+ return -ENOENT;
+
+diff --git a/net/hsr/hsr_framereg.h b/net/hsr/hsr_framereg.h
+index f3762e9e42b5..bdbb8c822ba1 100644
+--- a/net/hsr/hsr_framereg.h
++++ b/net/hsr/hsr_framereg.h
+@@ -28,17 +28,9 @@ struct hsr_frame_info {
+ bool is_from_san;
+ };
+
+-#ifdef CONFIG_LOCKDEP
+-int lockdep_hsr_is_held(spinlock_t *lock);
+-#else
+-#define lockdep_hsr_is_held(lock) 1
+-#endif
+-
+-u32 hsr_mac_hash(struct hsr_priv *hsr, const unsigned char *addr);
+-struct hsr_node *hsr_node_get_first(struct hlist_head *head, spinlock_t *lock);
+ void hsr_del_self_node(struct hsr_priv *hsr);
+-void hsr_del_nodes(struct hlist_head *node_db);
+-struct hsr_node *hsr_get_node(struct hsr_port *port, struct hlist_head *node_db,
++void hsr_del_nodes(struct list_head *node_db);
++struct hsr_node *hsr_get_node(struct hsr_port *port, struct list_head *node_db,
+ struct sk_buff *skb, bool is_sup,
+ enum hsr_port_type rx_port);
+ void hsr_handle_sup_frame(struct hsr_frame_info *frame);
+@@ -76,7 +68,7 @@ void prp_handle_san_frame(bool san, enum hsr_port_type port,
+ void prp_update_san_info(struct hsr_node *node, bool is_sup);
+
+ struct hsr_node {
+- struct hlist_node mac_list;
++ struct list_head mac_list;
+ unsigned char macaddress_A[ETH_ALEN];
+ unsigned char macaddress_B[ETH_ALEN];
+ /* Local slave through which AddrB frames are received from this node */
+diff --git a/net/hsr/hsr_main.h b/net/hsr/hsr_main.h
+index b158ba409f9a..16ae9fb09ccd 100644
+--- a/net/hsr/hsr_main.h
++++ b/net/hsr/hsr_main.h
+@@ -47,9 +47,6 @@
+
+ #define HSR_V1_SUP_LSDUSIZE 52
+
+-#define HSR_HSIZE_SHIFT 8
+-#define HSR_HSIZE BIT(HSR_HSIZE_SHIFT)
+-
+ /* The helper functions below assumes that 'path' occupies the 4 most
+ * significant bits of the 16-bit field shared by 'path' and 'LSDU_size' (or
+ * equivalently, the 4 most significant bits of HSR tag byte 14).
+@@ -188,8 +185,8 @@ struct hsr_proto_ops {
+ struct hsr_priv {
+ struct rcu_head rcu_head;
+ struct list_head ports;
+- struct hlist_head node_db[HSR_HSIZE]; /* Known HSR nodes */
+- struct hlist_head self_node_db; /* MACs of slaves */
++ struct list_head node_db; /* Known HSR nodes */
++ struct list_head self_node_db; /* MACs of slaves */
+ struct timer_list announce_timer; /* Supervision frame dispatch */
+ struct timer_list prune_timer;
+ int announce_count;
+@@ -199,8 +196,6 @@ struct hsr_priv {
+ spinlock_t seqnr_lock; /* locking for sequence_nr */
+ spinlock_t list_lock; /* locking for node list */
+ struct hsr_proto_ops *proto_ops;
+- u32 hash_buckets;
+- u32 hash_seed;
+ #define PRP_LAN_ID 0x5 /* 0x1010 for A and 0x1011 for B. Bit 0 is set
+ * based on SLAVE_A or SLAVE_B
+ */
+diff --git a/net/hsr/hsr_netlink.c b/net/hsr/hsr_netlink.c
+index 1405c037cf7a..f3c8f91dbe2c 100644
+--- a/net/hsr/hsr_netlink.c
++++ b/net/hsr/hsr_netlink.c
+@@ -105,7 +105,6 @@ static int hsr_newlink(struct net *src_net, struct net_device *dev,
+ static void hsr_dellink(struct net_device *dev, struct list_head *head)
+ {
+ struct hsr_priv *hsr = netdev_priv(dev);
+- int i;
+
+ del_timer_sync(&hsr->prune_timer);
+ del_timer_sync(&hsr->announce_timer);
+@@ -114,8 +113,7 @@ static void hsr_dellink(struct net_device *dev, struct list_head *head)
+ hsr_del_ports(hsr);
+
+ hsr_del_self_node(hsr);
+- for (i = 0; i < hsr->hash_buckets; i++)
+- hsr_del_nodes(&hsr->node_db[i]);
++ hsr_del_nodes(&hsr->node_db);
+
+ unregister_netdevice_queue(dev, head);
+ }
+--
+2.35.1
+
--- /dev/null
+From 6fe5c42f1c69abd07610fb34f280e1d8dd88de5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:31:08 -0600
+Subject: Revert "PCI: Clear PCI_STATUS when setting up device"
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit 44e985938e85503d0a69ec538e15fd33c1a4df05 ]
+
+This reverts commit 6cd514e58f12b211d638dbf6f791fa18d854f09c.
+
+Christophe Fergeau reported that 6cd514e58f12 ("PCI: Clear PCI_STATUS when
+setting up device") causes boot failures when trying to start linux guests
+with Apple's virtualization framework (for example using
+https://developer.apple.com/documentation/virtualization/running_linux_in_a_virtual_machine?language=objc)
+
+6cd514e58f12 only solved a cosmetic problem, so revert it to fix the boot
+failures.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2137803
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index c5286b027f00..bdcad5e0f057 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1890,9 +1890,6 @@ int pci_setup_device(struct pci_dev *dev)
+
+ dev->broken_intx_masking = pci_intx_mask_broken(dev);
+
+- /* Clear errors left from system firmware */
+- pci_write_config_word(dev, PCI_STATUS, 0xffff);
+-
+ switch (dev->hdr_type) { /* header type */
+ case PCI_HEADER_TYPE_NORMAL: /* standard header */
+ if (class == PCI_CLASS_BRIDGE_PCI)
+--
+2.35.1
+
--- /dev/null
+From 5996b113deb6b1307f1da1746f2ae18a5a724e7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 18:35:14 -0800
+Subject: RISC-V: Align the shadow stack
+
+From: Palmer Dabbelt <palmer@rivosinc.com>
+
+[ Upstream commit b003b3b77d65133a0011ae3b7b255347438c12f6 ]
+
+The standard RISC-V ABIs all require 16-byte stack alignment. We're
+only calling that one function on the shadow stack so I doubt it'd
+result in a real issue, but might as well keep this lined up.
+
+Fixes: 31da94c25aea ("riscv: add VMAP_STACK overflow detection")
+Reviewed-by: Jisheng Zhang <jszhang@kernel.org>
+Link: https://lore.kernel.org/r/20221130023515.20217-1-palmer@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
+index 6e8822446069..026b45833158 100644
+--- a/arch/riscv/kernel/traps.c
++++ b/arch/riscv/kernel/traps.c
+@@ -211,7 +211,7 @@ static DEFINE_PER_CPU(unsigned long [OVERFLOW_STACK_SIZE/sizeof(long)],
+ * shadow stack, handled_ kernel_ stack_ overflow(in kernel/entry.S) is used
+ * to get per-cpu overflow stack(get_overflow_stack).
+ */
+-long shadow_stack[SHADOW_OVERFLOW_STACK_SIZE/sizeof(long)];
++long shadow_stack[SHADOW_OVERFLOW_STACK_SIZE/sizeof(long)] __aligned(16);
+ asmlinkage unsigned long get_overflow_stack(void)
+ {
+ return (unsigned long)this_cpu_ptr(overflow_stack) +
+--
+2.35.1
+
--- /dev/null
+From 709e5012264be30bb6e3491efbbd19de49cfad11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 14:35:34 +0530
+Subject: RISC-V: Fix MEMREMAP_WB for systems with Svpbmt
+
+From: Anup Patel <apatel@ventanamicro.com>
+
+[ Upstream commit b91676fc16cd384a81e3af52c641aa61985cc231 ]
+
+Currently, the memremap() called with MEMREMAP_WB maps memory using
+the generic ioremap() function which breaks on system with Svpbmt
+because memory mapped using _PAGE_IOREMAP page attributes is treated
+as strongly-ordered non-cacheable IO memory.
+
+To address this, we implement RISC-V specific arch_memremap_wb()
+which maps memory using _PAGE_KERNEL page attributes resulting in
+write-back cacheable mapping on systems with Svpbmt.
+
+Fixes: ff689fd21cb1 ("riscv: add RISC-V Svpbmt extension support")
+Co-developed-by: Mayuresh Chitale <mchitale@ventanamicro.com>
+Signed-off-by: Mayuresh Chitale <mchitale@ventanamicro.com>
+Signed-off-by: Anup Patel <apatel@ventanamicro.com>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20221114090536.1662624-2-apatel@ventanamicro.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/io.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/riscv/include/asm/io.h b/arch/riscv/include/asm/io.h
+index 92080a227937..42497d487a17 100644
+--- a/arch/riscv/include/asm/io.h
++++ b/arch/riscv/include/asm/io.h
+@@ -135,4 +135,9 @@ __io_writes_outs(outs, u64, q, __io_pbr(), __io_paw())
+
+ #include <asm-generic/io.h>
+
++#ifdef CONFIG_MMU
++#define arch_memremap_wb(addr, size) \
++ ((__force void *)ioremap_prot((addr), (size), _PAGE_KERNEL))
++#endif
++
+ #endif /* _ASM_RISCV_IO_H */
+--
+2.35.1
+
--- /dev/null
+From b6922da4bcb141bf2fcb420106816926ed6e6fc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 17:31:08 -0500
+Subject: RISC-V: Fix unannoted hardirqs-on in return to userspace slow-path
+
+From: Andrew Bresticker <abrestic@rivosinc.com>
+
+[ Upstream commit b0f4c74eadbf69a3298f38566bfaa2e202541f2f ]
+
+The return to userspace path in entry.S may enable interrupts without the
+corresponding lockdep annotation, producing a splat[0] when DEBUG_LOCKDEP
+is enabled. Simply calling __trace_hardirqs_on() here gets a bit messy
+due to the use of RA to point back to ret_from_exception, so just move
+the whole slow-path loop into C. It's more readable and it lets us use
+local_irq_{enable,disable}(), avoiding the need for manual annotations
+altogether.
+
+[0]:
+ ------------[ cut here ]------------
+ DEBUG_LOCKS_WARN_ON(!lockdep_hardirqs_enabled())
+ WARNING: CPU: 2 PID: 1 at kernel/locking/lockdep.c:5512 check_flags+0x10a/0x1e0
+ Modules linked in:
+ CPU: 2 PID: 1 Comm: init Not tainted 6.1.0-rc4-00160-gb56b6e2b4f31 #53
+ Hardware name: riscv-virtio,qemu (DT)
+ epc : check_flags+0x10a/0x1e0
+ ra : check_flags+0x10a/0x1e0
+ <snip>
+ status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003
+ [<ffffffff808edb90>] lock_is_held_type+0x78/0x14e
+ [<ffffffff8003dae2>] __might_resched+0x26/0x22c
+ [<ffffffff8003dd24>] __might_sleep+0x3c/0x66
+ [<ffffffff80022c60>] get_signal+0x9e/0xa70
+ [<ffffffff800054a2>] do_notify_resume+0x6e/0x422
+ [<ffffffff80003c68>] ret_from_exception+0x0/0x10
+ irq event stamp: 44512
+ hardirqs last enabled at (44511): [<ffffffff808f901c>] _raw_spin_unlock_irqrestore+0x54/0x62
+ hardirqs last disabled at (44512): [<ffffffff80008200>] __trace_hardirqs_off+0xc/0x14
+ softirqs last enabled at (44472): [<ffffffff808f9fbe>] __do_softirq+0x3de/0x51e
+ softirqs last disabled at (44467): [<ffffffff80017760>] irq_exit+0xd6/0x104
+ ---[ end trace 0000000000000000 ]---
+ possible reason: unannotated irqs-on.
+
+Signed-off-by: Andrew Bresticker <abrestic@rivosinc.com>
+Fixes: 3c4697982982 ("riscv: Enable LOCKDEP_SUPPORT & fixup TRACE_IRQFLAGS_SUPPORT")
+Link: https://lore.kernel.org/r/20221111223108.1976562-1-abrestic@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/entry.S | 18 +++++-------------
+ arch/riscv/kernel/signal.c | 34 +++++++++++++++++++++-------------
+ 2 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
+index 186abd146eaf..3221a9e5f372 100644
+--- a/arch/riscv/kernel/entry.S
++++ b/arch/riscv/kernel/entry.S
+@@ -263,12 +263,11 @@ ret_from_exception:
+ #endif
+ bnez s0, resume_kernel
+
+-resume_userspace:
+ /* Interrupts must be disabled here so flags are checked atomically */
+ REG_L s0, TASK_TI_FLAGS(tp) /* current_thread_info->flags */
+ andi s1, s0, _TIF_WORK_MASK
+- bnez s1, work_pending
+-
++ bnez s1, resume_userspace_slow
++resume_userspace:
+ #ifdef CONFIG_CONTEXT_TRACKING_USER
+ call user_enter_callable
+ #endif
+@@ -368,19 +367,12 @@ resume_kernel:
+ j restore_all
+ #endif
+
+-work_pending:
++resume_userspace_slow:
+ /* Enter slow path for supplementary processing */
+- la ra, ret_from_exception
+- andi s1, s0, _TIF_NEED_RESCHED
+- bnez s1, work_resched
+-work_notifysig:
+- /* Handle pending signals and notify-resume requests */
+- csrs CSR_STATUS, SR_IE /* Enable interrupts for do_notify_resume() */
+ move a0, sp /* pt_regs */
+ move a1, s0 /* current_thread_info->flags */
+- tail do_notify_resume
+-work_resched:
+- tail schedule
++ call do_work_pending
++ j resume_userspace
+
+ /* Slow paths for ptrace. */
+ handle_syscall_trace_enter:
+diff --git a/arch/riscv/kernel/signal.c b/arch/riscv/kernel/signal.c
+index 5c591123c440..bfb2afa4135f 100644
+--- a/arch/riscv/kernel/signal.c
++++ b/arch/riscv/kernel/signal.c
+@@ -313,19 +313,27 @@ static void do_signal(struct pt_regs *regs)
+ }
+
+ /*
+- * notification of userspace execution resumption
+- * - triggered by the _TIF_WORK_MASK flags
++ * Handle any pending work on the resume-to-userspace path, as indicated by
++ * _TIF_WORK_MASK. Entered from assembly with IRQs off.
+ */
+-asmlinkage __visible void do_notify_resume(struct pt_regs *regs,
+- unsigned long thread_info_flags)
++asmlinkage __visible void do_work_pending(struct pt_regs *regs,
++ unsigned long thread_info_flags)
+ {
+- if (thread_info_flags & _TIF_UPROBE)
+- uprobe_notify_resume(regs);
+-
+- /* Handle pending signal delivery */
+- if (thread_info_flags & (_TIF_SIGPENDING | _TIF_NOTIFY_SIGNAL))
+- do_signal(regs);
+-
+- if (thread_info_flags & _TIF_NOTIFY_RESUME)
+- resume_user_mode_work(regs);
++ do {
++ if (thread_info_flags & _TIF_NEED_RESCHED) {
++ schedule();
++ } else {
++ local_irq_enable();
++ if (thread_info_flags & _TIF_UPROBE)
++ uprobe_notify_resume(regs);
++ /* Handle pending signal delivery */
++ if (thread_info_flags & (_TIF_SIGPENDING |
++ _TIF_NOTIFY_SIGNAL))
++ do_signal(regs);
++ if (thread_info_flags & _TIF_NOTIFY_RESUME)
++ resume_user_mode_work(regs);
++ }
++ local_irq_disable();
++ thread_info_flags = read_thread_flags();
++ } while (thread_info_flags & _TIF_WORK_MASK);
+ }
+--
+2.35.1
+
--- /dev/null
+From df5ac5424bef988baca627faa6075213eea5c278 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 09:16:51 +0530
+Subject: RISC-V: KVM: Fix reg_val check in kvm_riscv_vcpu_set_reg_config()
+
+From: Anup Patel <apatel@ventanamicro.com>
+
+[ Upstream commit e482d9e33d5b0f222cbef7341dcd52cead6b9edc ]
+
+The reg_val check in kvm_riscv_vcpu_set_reg_config() should only
+be done for isa config register.
+
+Fixes: 9bfd900beeec ("RISC-V: KVM: Improve ISA extension by using a bitmap")
+Signed-off-by: Anup Patel <apatel@ventanamicro.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Reviewed-by: Atish Patra <atishp@rivosinc.com>
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/riscv/kvm/vcpu.c b/arch/riscv/kvm/vcpu.c
+index f692c0716aa7..aa7ae6327044 100644
+--- a/arch/riscv/kvm/vcpu.c
++++ b/arch/riscv/kvm/vcpu.c
+@@ -286,12 +286,15 @@ static int kvm_riscv_vcpu_set_reg_config(struct kvm_vcpu *vcpu,
+ if (copy_from_user(®_val, uaddr, KVM_REG_SIZE(reg->id)))
+ return -EFAULT;
+
+- /* This ONE REG interface is only defined for single letter extensions */
+- if (fls(reg_val) >= RISCV_ISA_EXT_BASE)
+- return -EINVAL;
+-
+ switch (reg_num) {
+ case KVM_REG_RISCV_CONFIG_REG(isa):
++ /*
++ * This ONE REG interface is only defined for
++ * single letter extensions.
++ */
++ if (fls(reg_val) >= RISCV_ISA_EXT_BASE)
++ return -EINVAL;
++
+ if (!vcpu->arch.ran_atleast_once) {
+ /* Ignore the enable/disable request for certain extensions */
+ for (i = 0; i < RISCV_ISA_EXT_BASE; i++) {
+--
+2.35.1
+
--- /dev/null
+From 40b8a241d7c3693b806bbca3bc2ec42a225138d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 17:14:10 +0800
+Subject: riscv, bpf: Emit fixed-length instructions for BPF_PSEUDO_FUNC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pu Lehui <pulehui@huawei.com>
+
+[ Upstream commit b54b6003612a376e7be32cbc5c1af3754bbbbb3d ]
+
+For BPF_PSEUDO_FUNC instruction, verifier will refill imm with
+correct addresses of bpf_calls and then run last pass of JIT.
+Since the emit_imm of RV64 is variable-length, which will emit
+appropriate length instructions accorroding to the imm, it may
+broke ctx->offset, and lead to unpredictable problem, such as
+inaccurate jump. So let's fix it with fixed-length instructions.
+
+Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper")
+Suggested-by: Björn Töpel <bjorn@rivosinc.com>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Björn Töpel <bjorn@kernel.org>
+Link: https://lore.kernel.org/bpf/20221206091410.1584784-1-pulehui@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp64.c | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
+index 00df3a8f92ac..f2417ac54edd 100644
+--- a/arch/riscv/net/bpf_jit_comp64.c
++++ b/arch/riscv/net/bpf_jit_comp64.c
+@@ -136,6 +136,25 @@ static bool in_auipc_jalr_range(s64 val)
+ val < ((1L << 31) - (1L << 11));
+ }
+
++/* Emit fixed-length instructions for address */
++static int emit_addr(u8 rd, u64 addr, bool extra_pass, struct rv_jit_context *ctx)
++{
++ u64 ip = (u64)(ctx->insns + ctx->ninsns);
++ s64 off = addr - ip;
++ s64 upper = (off + (1 << 11)) >> 12;
++ s64 lower = off & 0xfff;
++
++ if (extra_pass && !in_auipc_jalr_range(off)) {
++ pr_err("bpf-jit: target offset 0x%llx is out of range\n", off);
++ return -ERANGE;
++ }
++
++ emit(rv_auipc(rd, upper), ctx);
++ emit(rv_addi(rd, rd, lower), ctx);
++ return 0;
++}
++
++/* Emit variable-length instructions for 32-bit and 64-bit imm */
+ static void emit_imm(u8 rd, s64 val, struct rv_jit_context *ctx)
+ {
+ /* Note that the immediate from the add is sign-extended,
+@@ -1050,7 +1069,15 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ u64 imm64;
+
+ imm64 = (u64)insn1.imm << 32 | (u32)imm;
+- emit_imm(rd, imm64, ctx);
++ if (bpf_pseudo_func(insn)) {
++ /* fixed-length insns for extra jit pass */
++ ret = emit_addr(rd, imm64, extra_pass, ctx);
++ if (ret)
++ return ret;
++ } else {
++ emit_imm(rd, imm64, ctx);
++ }
++
+ return 1;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f989742c2e31eb23d68143ca32794e76611a59fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 00:09:19 -0600
+Subject: riscv: Fix crash during early errata patching
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 0c49688174f5347c3f8012e84c0ffa0d2b2890c8 ]
+
+The patch function for the T-Head PBMT errata calls __pa_symbol() before
+relocation. This crashes when CONFIG_DEBUG_VIRTUAL is enabled, because
+__pa_symbol() forwards to __phys_addr_symbol(), and __phys_addr_symbol()
+checks against the absolute kernel start/end address.
+
+Fix this by checking against the kernel map instead of a symbol address.
+
+Fixes: a35707c3d850 ("riscv: add memory-type errata for T-Head")
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Tested-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Link: https://lore.kernel.org/r/20221126060920.65009-1-samuel@sholland.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/physaddr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/mm/physaddr.c b/arch/riscv/mm/physaddr.c
+index 19cf25a74ee2..9b18bda74154 100644
+--- a/arch/riscv/mm/physaddr.c
++++ b/arch/riscv/mm/physaddr.c
+@@ -22,7 +22,7 @@ EXPORT_SYMBOL(__virt_to_phys);
+ phys_addr_t __phys_addr_symbol(unsigned long x)
+ {
+ unsigned long kernel_start = kernel_map.virt_addr;
+- unsigned long kernel_end = (unsigned long)_end;
++ unsigned long kernel_end = kernel_start + kernel_map.size;
+
+ /*
+ * Boundary checking aginst the kernel image mapping.
+--
+2.35.1
+
--- /dev/null
+From 261d9e1c722c9407e9342a44c27abedf9bc9f462 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 14:51:28 +0100
+Subject: riscv: Fix P4D_SHIFT definition for 3-level page table mode
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+[ Upstream commit 71fc3621efc38ace9640ee6a0db3300900689592 ]
+
+RISC-V kernels support 3,4,5-level page tables at runtime by folding
+upper levels.
+
+In case of a 3-level page table, PGDIR is folded into P4D which in turn
+is folded into PUD: PGDIR_SHIFT value is correctly set to the same value
+as PUD_SHIFT, but P4D_SHIFT is not, then any use of P4D_SHIFT will access
+invalid address bits (all set to 1).
+
+Fix this by dynamically defining P4D_SHIFT value, like we already do for
+PGDIR_SHIFT.
+
+Fixes: d10efa21a937 ("riscv: mm: Control p4d's folding by pgtable_l5_enabled")
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Palmer Dabbelt <palmer@rivosinc.com>
+Link: https://lore.kernel.org/r/20221201135128.1482189-2-alexghiti@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/pgtable-64.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/pgtable-64.h b/arch/riscv/include/asm/pgtable-64.h
+index dc42375c2357..42a042c0e13e 100644
+--- a/arch/riscv/include/asm/pgtable-64.h
++++ b/arch/riscv/include/asm/pgtable-64.h
+@@ -25,7 +25,11 @@ extern bool pgtable_l5_enabled;
+ #define PGDIR_MASK (~(PGDIR_SIZE - 1))
+
+ /* p4d is folded into pgd in case of 4-level page table */
+-#define P4D_SHIFT 39
++#define P4D_SHIFT_L3 30
++#define P4D_SHIFT_L4 39
++#define P4D_SHIFT_L5 39
++#define P4D_SHIFT (pgtable_l5_enabled ? P4D_SHIFT_L5 : \
++ (pgtable_l4_enabled ? P4D_SHIFT_L4 : P4D_SHIFT_L3))
+ #define P4D_SIZE (_AC(1, UL) << P4D_SHIFT)
+ #define P4D_MASK (~(P4D_SIZE - 1))
+
+--
+2.35.1
+
--- /dev/null
+From 97ea2b18f6365b71a8d5b512410f6fd3f2e98deb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 09:47:25 +0000
+Subject: riscv/mm: add arch hook arch_clear_hugepage_flags
+
+From: Tong Tiangen <tongtiangen@huawei.com>
+
+[ Upstream commit d8bf77a1dc3079692f54be3087a5fd16d90027b0 ]
+
+With the PG_arch_1 we keep track if the page's data cache is clean,
+architecture rely on this property to treat new pages as dirty with
+respect to the data cache and perform the flushing before mapping the pages
+into userspace.
+
+This patch adds a new architecture hook, arch_clear_hugepage_flags,so that
+architectures which rely on the page flags being in a particular state for
+fresh allocations can adjust the flags accordingly when a page is freed
+into the pool.
+
+Fixes: 9e953cda5cdf ("riscv: Introduce huge page support for 32/64bit kernel")
+Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>
+Link: https://lore.kernel.org/r/20221024094725.3054311-3-tongtiangen@huawei.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/hugetlb.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/riscv/include/asm/hugetlb.h b/arch/riscv/include/asm/hugetlb.h
+index a5c2ca1d1cd8..ec19d6afc896 100644
+--- a/arch/riscv/include/asm/hugetlb.h
++++ b/arch/riscv/include/asm/hugetlb.h
+@@ -5,4 +5,10 @@
+ #include <asm-generic/hugetlb.h>
+ #include <asm/page.h>
+
++static inline void arch_clear_hugepage_flags(struct page *page)
++{
++ clear_bit(PG_dcache_clean, &page->flags);
++}
++#define arch_clear_hugepage_flags arch_clear_hugepage_flags
++
+ #endif /* _ASM_RISCV_HUGETLB_H */
+--
+2.35.1
+
--- /dev/null
+From 8d7fda7c077fc0e98d76e887e7f1572641bb365d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 17:08:10 +0800
+Subject: rtc: class: Fix potential memleak in devm_rtc_allocate_device()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 60da73808298ff2cfa9f165d55eb3d7aa7078601 ]
+
+devm_rtc_allocate_device() will alloc a rtc_device first, and then run
+dev_set_name(). If dev_set_name() failed, the rtc_device will memleak.
+Move devm_add_action_or_reset() in front of dev_set_name() to prevent
+memleak.
+
+unreferenced object 0xffff888110a53000 (size 2048):
+ comm "python3", pid 470, jiffies 4296078308 (age 58.882s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 08 30 a5 10 81 88 ff ff .........0......
+ 08 30 a5 10 81 88 ff ff 00 00 00 00 00 00 00 00 .0..............
+ backtrace:
+ [<000000004aac0364>] kmalloc_trace+0x21/0x110
+ [<000000000ff02202>] devm_rtc_allocate_device+0xd4/0x400
+ [<000000001bdf5639>] devm_rtc_device_register+0x1a/0x80
+ [<00000000351bf81c>] rx4581_probe+0xdd/0x110 [rtc_rx4581]
+ [<00000000f0eba0ae>] spi_probe+0xde/0x130
+ [<00000000bff89ee8>] really_probe+0x175/0x3f0
+ [<00000000128e8d84>] __driver_probe_device+0xe6/0x170
+ [<00000000ee5bf913>] device_driver_attach+0x32/0x80
+ [<00000000f3f28f92>] bind_store+0x10b/0x1a0
+ [<000000009ff812d8>] drv_attr_store+0x49/0x70
+ [<000000008139c323>] sysfs_kf_write+0x8d/0xb0
+ [<00000000b6146e01>] kernfs_fop_write_iter+0x214/0x2d0
+ [<00000000ecbe3895>] vfs_write+0x61a/0x7d0
+ [<00000000aa2196ea>] ksys_write+0xc8/0x190
+ [<0000000046a600f5>] do_syscall_64+0x37/0x90
+ [<00000000541a336f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 24d23181e43d ("rtc: class: check return value when calling dev_set_name()")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221110090810.11225-1-shangxiaojing@huawei.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/class.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
+index e48223c00c67..e5b7b48cffac 100644
+--- a/drivers/rtc/class.c
++++ b/drivers/rtc/class.c
+@@ -374,11 +374,11 @@ struct rtc_device *devm_rtc_allocate_device(struct device *dev)
+
+ rtc->id = id;
+ rtc->dev.parent = dev;
+- err = dev_set_name(&rtc->dev, "rtc%d", id);
++ err = devm_add_action_or_reset(dev, devm_rtc_release_device, rtc);
+ if (err)
+ return ERR_PTR(err);
+
+- err = devm_add_action_or_reset(dev, devm_rtc_release_device, rtc);
++ err = dev_set_name(&rtc->dev, "rtc%d", id);
+ if (err)
+ return ERR_PTR(err);
+
+--
+2.35.1
+
--- /dev/null
+From db8ae7fe0fefb998e1d279615d69b1e4a4e9852f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 13:07:08 +0100
+Subject: rtc: cmos: Call cmos_wake_setup() from cmos_do_probe()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 508ccdfb86b21da37ad091003a4d4567709d5dfb ]
+
+Notice that cmos_wake_setup() is the only user of acpi_rtc_info and it
+can operate on the cmos_rtc variable directly, so it need not set the
+platform_data pointer before cmos_do_probe() is called. Instead, it
+can be called by cmos_do_probe() in the case when the platform_data
+pointer is not set to implement the default behavior (which is to use
+the FADT information as long as ACPI support is enabled).
+
+Modify the code accordingly.
+
+While at it, drop a comment that doesn't really match the code it is
+supposed to be describing.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/4803444.31r3eYUQgx@kreacher
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-cmos.c | 47 ++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
+index 58cc2bae2f8a..a84262265d6d 100644
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -744,6 +744,8 @@ static irqreturn_t cmos_interrupt(int irq, void *p)
+ return IRQ_NONE;
+ }
+
++static void cmos_wake_setup(struct device *dev);
++
+ #ifdef CONFIG_PNP
+ #define INITSECTION
+
+@@ -827,19 +829,27 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
+ if (info->address_space)
+ address_space = info->address_space;
+
+- if (info->rtc_day_alarm && info->rtc_day_alarm < 128)
+- cmos_rtc.day_alrm = info->rtc_day_alarm;
+- if (info->rtc_mon_alarm && info->rtc_mon_alarm < 128)
+- cmos_rtc.mon_alrm = info->rtc_mon_alarm;
+- if (info->rtc_century && info->rtc_century < 128)
+- cmos_rtc.century = info->rtc_century;
++ cmos_rtc.day_alrm = info->rtc_day_alarm;
++ cmos_rtc.mon_alrm = info->rtc_mon_alarm;
++ cmos_rtc.century = info->rtc_century;
+
+ if (info->wake_on && info->wake_off) {
+ cmos_rtc.wake_on = info->wake_on;
+ cmos_rtc.wake_off = info->wake_off;
+ }
++ } else {
++ cmos_wake_setup(dev);
+ }
+
++ if (cmos_rtc.day_alrm >= 128)
++ cmos_rtc.day_alrm = 0;
++
++ if (cmos_rtc.mon_alrm >= 128)
++ cmos_rtc.mon_alrm = 0;
++
++ if (cmos_rtc.century >= 128)
++ cmos_rtc.century = 0;
++
+ cmos_rtc.dev = dev;
+ dev_set_drvdata(dev, &cmos_rtc);
+
+@@ -1275,13 +1285,6 @@ static void use_acpi_alarm_quirks(void)
+ static inline void use_acpi_alarm_quirks(void) { }
+ #endif
+
+-/* Every ACPI platform has a mc146818 compatible "cmos rtc". Here we find
+- * its device node and pass extra config data. This helps its driver use
+- * capabilities that the now-obsolete mc146818 didn't have, and informs it
+- * that this board's RTC is wakeup-capable (per ACPI spec).
+- */
+-static struct cmos_rtc_board_info acpi_rtc_info;
+-
+ static void cmos_wake_setup(struct device *dev)
+ {
+ if (acpi_disabled)
+@@ -1289,26 +1292,23 @@ static void cmos_wake_setup(struct device *dev)
+
+ use_acpi_alarm_quirks();
+
+- acpi_rtc_info.wake_on = rtc_wake_on;
+- acpi_rtc_info.wake_off = rtc_wake_off;
++ cmos_rtc.wake_on = rtc_wake_on;
++ cmos_rtc.wake_off = rtc_wake_off;
+
+- /* workaround bug in some ACPI tables */
++ /* ACPI tables bug workaround. */
+ if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) {
+ dev_dbg(dev, "bogus FADT month_alarm (%d)\n",
+ acpi_gbl_FADT.month_alarm);
+ acpi_gbl_FADT.month_alarm = 0;
+ }
+
+- acpi_rtc_info.rtc_day_alarm = acpi_gbl_FADT.day_alarm;
+- acpi_rtc_info.rtc_mon_alarm = acpi_gbl_FADT.month_alarm;
+- acpi_rtc_info.rtc_century = acpi_gbl_FADT.century;
++ cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm;
++ cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm;
++ cmos_rtc.century = acpi_gbl_FADT.century;
+
+- /* NOTE: S4_RTC_WAKE is NOT currently useful to Linux */
+ if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE)
+ dev_info(dev, "RTC can wake from S4\n");
+
+- dev->platform_data = &acpi_rtc_info;
+-
+ /* RTC always wakes from S1/S2/S3, and often S4/STD */
+ device_init_wakeup(dev, 1);
+ }
+@@ -1359,8 +1359,6 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
+ {
+ int irq, ret;
+
+- cmos_wake_setup(&pnp->dev);
+-
+ if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
+ irq = 0;
+ #ifdef CONFIG_X86
+@@ -1468,7 +1466,6 @@ static int __init cmos_platform_probe(struct platform_device *pdev)
+ int irq, ret;
+
+ cmos_of_init(pdev);
+- cmos_wake_setup(&pdev->dev);
+
+ if (RTC_IOMAPPED)
+ resource = platform_get_resource(pdev, IORESOURCE_IO, 0);
+--
+2.35.1
+
--- /dev/null
+From 4ddf5fb66cddf658c0540f904335d602f3f51f95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 13:09:07 +0100
+Subject: rtc: cmos: Call rtc_wake_setup() from cmos_do_probe()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 375bbba09692fe4c5218eddee8e312dd733fa846 ]
+
+To reduce code duplication, move the invocation of rtc_wake_setup()
+into cmos_do_probe() and simplify the callers of the latter.
+
+No intentional functional impact.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/2143522.irdbgypaU6@kreacher
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-cmos.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
+index a84262265d6d..583116994a37 100644
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -744,6 +744,7 @@ static irqreturn_t cmos_interrupt(int irq, void *p)
+ return IRQ_NONE;
+ }
+
++static inline void rtc_wake_setup(struct device *dev);
+ static void cmos_wake_setup(struct device *dev);
+
+ #ifdef CONFIG_PNP
+@@ -938,6 +939,13 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
+ nvmem_cfg.size = address_space - NVRAM_OFFSET;
+ devm_rtc_nvmem_register(cmos_rtc.rtc, &nvmem_cfg);
+
++ /*
++ * Everything has gone well so far, so by default register a handler for
++ * the ACPI RTC fixed event.
++ */
++ if (!info)
++ rtc_wake_setup(dev);
++
+ dev_info(dev, "%s%s, %d bytes nvram%s\n",
+ !is_valid_irq(rtc_irq) ? "no alarms" :
+ cmos_rtc.mon_alrm ? "alarms up to one year" :
+@@ -1357,7 +1365,7 @@ static void rtc_wake_setup(struct device *dev)
+
+ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
+ {
+- int irq, ret;
++ int irq;
+
+ if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
+ irq = 0;
+@@ -1373,13 +1381,7 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
+ irq = pnp_irq(pnp, 0);
+ }
+
+- ret = cmos_do_probe(&pnp->dev, pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
+- if (ret)
+- return ret;
+-
+- rtc_wake_setup(&pnp->dev);
+-
+- return 0;
++ return cmos_do_probe(&pnp->dev, pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
+ }
+
+ static void cmos_pnp_remove(struct pnp_dev *pnp)
+@@ -1463,7 +1465,7 @@ static inline void cmos_of_init(struct platform_device *pdev) {}
+ static int __init cmos_platform_probe(struct platform_device *pdev)
+ {
+ struct resource *resource;
+- int irq, ret;
++ int irq;
+
+ cmos_of_init(pdev);
+
+@@ -1475,13 +1477,7 @@ static int __init cmos_platform_probe(struct platform_device *pdev)
+ if (irq < 0)
+ irq = -1;
+
+- ret = cmos_do_probe(&pdev->dev, resource, irq);
+- if (ret)
+- return ret;
+-
+- rtc_wake_setup(&pdev->dev);
+-
+- return 0;
++ return cmos_do_probe(&pdev->dev, resource, irq);
+ }
+
+ static int cmos_platform_remove(struct platform_device *pdev)
+--
+2.35.1
+
--- /dev/null
+From 581c4f7d4033b9dfac38a75c8b02885fb44ba70e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 13:15:36 +0100
+Subject: rtc: cmos: Disable ACPI RTC event on removal
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 83ebb7b3036d151ee39a4a752018665648fc3bd4 ]
+
+Make cmos_do_remove() drop the ACPI RTC fixed event handler so as to
+prevent it from operating on stale data in case the event triggers
+after driver removal.
+
+Fixes: 311ee9c151ad ("rtc: cmos: allow using ACPI for RTC alarm instead of HPET")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/2224609.iZASKD2KPV@kreacher
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-cmos.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
+index 039486bfedf4..00e2ca7374ec 100644
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -798,6 +798,14 @@ static void acpi_rtc_event_setup(struct device *dev)
+ acpi_disable_event(ACPI_EVENT_RTC, 0);
+ }
+
++static void acpi_rtc_event_cleanup(void)
++{
++ if (acpi_disabled)
++ return;
++
++ acpi_remove_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler);
++}
++
+ static void rtc_wake_on(struct device *dev)
+ {
+ acpi_clear_event(ACPI_EVENT_RTC);
+@@ -884,6 +892,10 @@ static inline void acpi_rtc_event_setup(struct device *dev)
+ {
+ }
+
++static inline void acpi_rtc_event_cleanup(void)
++{
++}
++
+ static inline void acpi_cmos_wake_setup(struct device *dev)
+ {
+ }
+@@ -1138,6 +1150,9 @@ static void cmos_do_remove(struct device *dev)
+ hpet_unregister_irq_handler(cmos_interrupt);
+ }
+
++ if (!dev_get_platdata(dev))
++ acpi_rtc_event_cleanup();
++
+ cmos->rtc = NULL;
+
+ ports = cmos->iomem;
+--
+2.35.1
+
--- /dev/null
+From 22fa74c5f392adf63e6ff69d9d8588554211aa7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 13:09:32 +0100
+Subject: rtc: cmos: Eliminate forward declarations of some functions
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit dca4d3b71c8a09a16951add656711fbd6f5bfbb0 ]
+
+Reorder the ACPI-related code before cmos_do_probe() so as to eliminate
+excessive forward declarations of some functions.
+
+While at it, for consistency, add the inline modifier to the
+definitions of empty stub static funtions and remove it from the
+corresponding definitions of functions with non-empty bodies.
+
+No intentional functional impact.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/13157911.uLZWGnKmhe@kreacher
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-cmos.c | 304 ++++++++++++++++++++---------------------
+ 1 file changed, 149 insertions(+), 155 deletions(-)
+
+diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
+index 583116994a37..2a21d8281aa6 100644
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -744,8 +744,155 @@ static irqreturn_t cmos_interrupt(int irq, void *p)
+ return IRQ_NONE;
+ }
+
+-static inline void rtc_wake_setup(struct device *dev);
+-static void cmos_wake_setup(struct device *dev);
++#ifdef CONFIG_ACPI
++
++#include <linux/acpi.h>
++
++static u32 rtc_handler(void *context)
++{
++ struct device *dev = context;
++ struct cmos_rtc *cmos = dev_get_drvdata(dev);
++ unsigned char rtc_control = 0;
++ unsigned char rtc_intr;
++ unsigned long flags;
++
++
++ /*
++ * Always update rtc irq when ACPI is used as RTC Alarm.
++ * Or else, ACPI SCI is enabled during suspend/resume only,
++ * update rtc irq in that case.
++ */
++ if (cmos_use_acpi_alarm())
++ cmos_interrupt(0, (void *)cmos->rtc);
++ else {
++ /* Fix me: can we use cmos_interrupt() here as well? */
++ spin_lock_irqsave(&rtc_lock, flags);
++ if (cmos_rtc.suspend_ctrl)
++ rtc_control = CMOS_READ(RTC_CONTROL);
++ if (rtc_control & RTC_AIE) {
++ cmos_rtc.suspend_ctrl &= ~RTC_AIE;
++ CMOS_WRITE(rtc_control, RTC_CONTROL);
++ rtc_intr = CMOS_READ(RTC_INTR_FLAGS);
++ rtc_update_irq(cmos->rtc, 1, rtc_intr);
++ }
++ spin_unlock_irqrestore(&rtc_lock, flags);
++ }
++
++ pm_wakeup_hard_event(dev);
++ acpi_clear_event(ACPI_EVENT_RTC);
++ acpi_disable_event(ACPI_EVENT_RTC, 0);
++ return ACPI_INTERRUPT_HANDLED;
++}
++
++static void rtc_wake_setup(struct device *dev)
++{
++ if (acpi_disabled)
++ return;
++
++ acpi_install_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler, dev);
++ /*
++ * After the RTC handler is installed, the Fixed_RTC event should
++ * be disabled. Only when the RTC alarm is set will it be enabled.
++ */
++ acpi_clear_event(ACPI_EVENT_RTC);
++ acpi_disable_event(ACPI_EVENT_RTC, 0);
++}
++
++static void rtc_wake_on(struct device *dev)
++{
++ acpi_clear_event(ACPI_EVENT_RTC);
++ acpi_enable_event(ACPI_EVENT_RTC, 0);
++}
++
++static void rtc_wake_off(struct device *dev)
++{
++ acpi_disable_event(ACPI_EVENT_RTC, 0);
++}
++
++#ifdef CONFIG_X86
++/* Enable use_acpi_alarm mode for Intel platforms no earlier than 2015 */
++static void use_acpi_alarm_quirks(void)
++{
++ if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
++ return;
++
++ if (!is_hpet_enabled())
++ return;
++
++ if (dmi_get_bios_year() < 2015)
++ return;
++
++ use_acpi_alarm = true;
++}
++#else
++static inline void use_acpi_alarm_quirks(void) { }
++#endif
++
++static void cmos_wake_setup(struct device *dev)
++{
++ if (acpi_disabled)
++ return;
++
++ use_acpi_alarm_quirks();
++
++ cmos_rtc.wake_on = rtc_wake_on;
++ cmos_rtc.wake_off = rtc_wake_off;
++
++ /* ACPI tables bug workaround. */
++ if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) {
++ dev_dbg(dev, "bogus FADT month_alarm (%d)\n",
++ acpi_gbl_FADT.month_alarm);
++ acpi_gbl_FADT.month_alarm = 0;
++ }
++
++ cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm;
++ cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm;
++ cmos_rtc.century = acpi_gbl_FADT.century;
++
++ if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE)
++ dev_info(dev, "RTC can wake from S4\n");
++
++ /* RTC always wakes from S1/S2/S3, and often S4/STD */
++ device_init_wakeup(dev, 1);
++}
++
++static void cmos_check_acpi_rtc_status(struct device *dev,
++ unsigned char *rtc_control)
++{
++ struct cmos_rtc *cmos = dev_get_drvdata(dev);
++ acpi_event_status rtc_status;
++ acpi_status status;
++
++ if (acpi_gbl_FADT.flags & ACPI_FADT_FIXED_RTC)
++ return;
++
++ status = acpi_get_event_status(ACPI_EVENT_RTC, &rtc_status);
++ if (ACPI_FAILURE(status)) {
++ dev_err(dev, "Could not get RTC status\n");
++ } else if (rtc_status & ACPI_EVENT_FLAG_SET) {
++ unsigned char mask;
++ *rtc_control &= ~RTC_AIE;
++ CMOS_WRITE(*rtc_control, RTC_CONTROL);
++ mask = CMOS_READ(RTC_INTR_FLAGS);
++ rtc_update_irq(cmos->rtc, 1, mask);
++ }
++}
++
++#else /* !CONFIG_ACPI */
++
++static inline void rtc_wake_setup(struct device *dev)
++{
++}
++
++static inline void cmos_wake_setup(struct device *dev)
++{
++}
++
++static inline void cmos_check_acpi_rtc_status(struct device *dev,
++ unsigned char *rtc_control)
++{
++}
++#endif /* CONFIG_ACPI */
+
+ #ifdef CONFIG_PNP
+ #define INITSECTION
+@@ -1140,9 +1287,6 @@ static void cmos_check_wkalrm(struct device *dev)
+ }
+ }
+
+-static void cmos_check_acpi_rtc_status(struct device *dev,
+- unsigned char *rtc_control);
+-
+ static int __maybe_unused cmos_resume(struct device *dev)
+ {
+ struct cmos_rtc *cmos = dev_get_drvdata(dev);
+@@ -1209,156 +1353,6 @@ static SIMPLE_DEV_PM_OPS(cmos_pm_ops, cmos_suspend, cmos_resume);
+ * predate even PNPBIOS should set up platform_bus devices.
+ */
+
+-#ifdef CONFIG_ACPI
+-
+-#include <linux/acpi.h>
+-
+-static u32 rtc_handler(void *context)
+-{
+- struct device *dev = context;
+- struct cmos_rtc *cmos = dev_get_drvdata(dev);
+- unsigned char rtc_control = 0;
+- unsigned char rtc_intr;
+- unsigned long flags;
+-
+-
+- /*
+- * Always update rtc irq when ACPI is used as RTC Alarm.
+- * Or else, ACPI SCI is enabled during suspend/resume only,
+- * update rtc irq in that case.
+- */
+- if (cmos_use_acpi_alarm())
+- cmos_interrupt(0, (void *)cmos->rtc);
+- else {
+- /* Fix me: can we use cmos_interrupt() here as well? */
+- spin_lock_irqsave(&rtc_lock, flags);
+- if (cmos_rtc.suspend_ctrl)
+- rtc_control = CMOS_READ(RTC_CONTROL);
+- if (rtc_control & RTC_AIE) {
+- cmos_rtc.suspend_ctrl &= ~RTC_AIE;
+- CMOS_WRITE(rtc_control, RTC_CONTROL);
+- rtc_intr = CMOS_READ(RTC_INTR_FLAGS);
+- rtc_update_irq(cmos->rtc, 1, rtc_intr);
+- }
+- spin_unlock_irqrestore(&rtc_lock, flags);
+- }
+-
+- pm_wakeup_hard_event(dev);
+- acpi_clear_event(ACPI_EVENT_RTC);
+- acpi_disable_event(ACPI_EVENT_RTC, 0);
+- return ACPI_INTERRUPT_HANDLED;
+-}
+-
+-static inline void rtc_wake_setup(struct device *dev)
+-{
+- if (acpi_disabled)
+- return;
+-
+- acpi_install_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler, dev);
+- /*
+- * After the RTC handler is installed, the Fixed_RTC event should
+- * be disabled. Only when the RTC alarm is set will it be enabled.
+- */
+- acpi_clear_event(ACPI_EVENT_RTC);
+- acpi_disable_event(ACPI_EVENT_RTC, 0);
+-}
+-
+-static void rtc_wake_on(struct device *dev)
+-{
+- acpi_clear_event(ACPI_EVENT_RTC);
+- acpi_enable_event(ACPI_EVENT_RTC, 0);
+-}
+-
+-static void rtc_wake_off(struct device *dev)
+-{
+- acpi_disable_event(ACPI_EVENT_RTC, 0);
+-}
+-
+-#ifdef CONFIG_X86
+-/* Enable use_acpi_alarm mode for Intel platforms no earlier than 2015 */
+-static void use_acpi_alarm_quirks(void)
+-{
+- if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
+- return;
+-
+- if (!is_hpet_enabled())
+- return;
+-
+- if (dmi_get_bios_year() < 2015)
+- return;
+-
+- use_acpi_alarm = true;
+-}
+-#else
+-static inline void use_acpi_alarm_quirks(void) { }
+-#endif
+-
+-static void cmos_wake_setup(struct device *dev)
+-{
+- if (acpi_disabled)
+- return;
+-
+- use_acpi_alarm_quirks();
+-
+- cmos_rtc.wake_on = rtc_wake_on;
+- cmos_rtc.wake_off = rtc_wake_off;
+-
+- /* ACPI tables bug workaround. */
+- if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) {
+- dev_dbg(dev, "bogus FADT month_alarm (%d)\n",
+- acpi_gbl_FADT.month_alarm);
+- acpi_gbl_FADT.month_alarm = 0;
+- }
+-
+- cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm;
+- cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm;
+- cmos_rtc.century = acpi_gbl_FADT.century;
+-
+- if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE)
+- dev_info(dev, "RTC can wake from S4\n");
+-
+- /* RTC always wakes from S1/S2/S3, and often S4/STD */
+- device_init_wakeup(dev, 1);
+-}
+-
+-static void cmos_check_acpi_rtc_status(struct device *dev,
+- unsigned char *rtc_control)
+-{
+- struct cmos_rtc *cmos = dev_get_drvdata(dev);
+- acpi_event_status rtc_status;
+- acpi_status status;
+-
+- if (acpi_gbl_FADT.flags & ACPI_FADT_FIXED_RTC)
+- return;
+-
+- status = acpi_get_event_status(ACPI_EVENT_RTC, &rtc_status);
+- if (ACPI_FAILURE(status)) {
+- dev_err(dev, "Could not get RTC status\n");
+- } else if (rtc_status & ACPI_EVENT_FLAG_SET) {
+- unsigned char mask;
+- *rtc_control &= ~RTC_AIE;
+- CMOS_WRITE(*rtc_control, RTC_CONTROL);
+- mask = CMOS_READ(RTC_INTR_FLAGS);
+- rtc_update_irq(cmos->rtc, 1, mask);
+- }
+-}
+-
+-#else
+-
+-static void cmos_wake_setup(struct device *dev)
+-{
+-}
+-
+-static void cmos_check_acpi_rtc_status(struct device *dev,
+- unsigned char *rtc_control)
+-{
+-}
+-
+-static void rtc_wake_setup(struct device *dev)
+-{
+-}
+-#endif
+-
+ #ifdef CONFIG_PNP
+
+ #include <linux/pnp.h>
+--
+2.35.1
+
--- /dev/null
+From 7365a54b7b65afa21e1ba569f810ccc972d6d059 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 13:12:00 +0100
+Subject: rtc: cmos: Rename ACPI-related functions
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit d13e9ad9f5146f066a5c5a1cc993d09e4fb21ead ]
+
+The names of rtc_wake_setup() and cmos_wake_setup() don't indicate
+that these functions are ACPI-related, which is the case, and the
+former doesn't really reflect the role of the function.
+
+Rename them to acpi_rtc_event_setup() and acpi_cmos_wake_setup(),
+respectively, to address this shortcoming.
+
+No intentional functional impact.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/3225614.44csPzL39Z@kreacher
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-cmos.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
+index 2a21d8281aa6..039486bfedf4 100644
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -784,7 +784,7 @@ static u32 rtc_handler(void *context)
+ return ACPI_INTERRUPT_HANDLED;
+ }
+
+-static void rtc_wake_setup(struct device *dev)
++static void acpi_rtc_event_setup(struct device *dev)
+ {
+ if (acpi_disabled)
+ return;
+@@ -828,7 +828,7 @@ static void use_acpi_alarm_quirks(void)
+ static inline void use_acpi_alarm_quirks(void) { }
+ #endif
+
+-static void cmos_wake_setup(struct device *dev)
++static void acpi_cmos_wake_setup(struct device *dev)
+ {
+ if (acpi_disabled)
+ return;
+@@ -880,11 +880,11 @@ static void cmos_check_acpi_rtc_status(struct device *dev,
+
+ #else /* !CONFIG_ACPI */
+
+-static inline void rtc_wake_setup(struct device *dev)
++static inline void acpi_rtc_event_setup(struct device *dev)
+ {
+ }
+
+-static inline void cmos_wake_setup(struct device *dev)
++static inline void acpi_cmos_wake_setup(struct device *dev)
+ {
+ }
+
+@@ -986,7 +986,7 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
+ cmos_rtc.wake_off = info->wake_off;
+ }
+ } else {
+- cmos_wake_setup(dev);
++ acpi_cmos_wake_setup(dev);
+ }
+
+ if (cmos_rtc.day_alrm >= 128)
+@@ -1091,7 +1091,7 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
+ * the ACPI RTC fixed event.
+ */
+ if (!info)
+- rtc_wake_setup(dev);
++ acpi_rtc_event_setup(dev);
+
+ dev_info(dev, "%s%s, %d bytes nvram%s\n",
+ !is_valid_irq(rtc_irq) ? "no alarms" :
+--
+2.35.1
+
--- /dev/null
+From 83199ef3802c0c1aba2adbb54350bb90b6d0091d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 16:50:46 +0800
+Subject: rtc: mxc_v2: Add missing clk_disable_unprepare()
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit 55d5a86618d3b1a768bce01882b74cbbd2651975 ]
+
+The call to clk_disable_unprepare() is left out in the error handling of
+devm_rtc_allocate_device. Add it back.
+
+Fixes: 5490a1e018a4 ("rtc: mxc_v2: fix possible race condition")
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Link: https://lore.kernel.org/r/20221122085046.21689-1-guozihua@huawei.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-mxc_v2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-mxc_v2.c b/drivers/rtc/rtc-mxc_v2.c
+index 5e0383401629..f6d2ad91ff7a 100644
+--- a/drivers/rtc/rtc-mxc_v2.c
++++ b/drivers/rtc/rtc-mxc_v2.c
+@@ -336,8 +336,10 @@ static int mxc_rtc_probe(struct platform_device *pdev)
+ }
+
+ pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
+- if (IS_ERR(pdata->rtc))
++ if (IS_ERR(pdata->rtc)) {
++ clk_disable_unprepare(pdata->clk);
+ return PTR_ERR(pdata->rtc);
++ }
+
+ pdata->rtc->ops = &mxc_rtc_ops;
+ pdata->rtc->range_max = U32_MAX;
+--
+2.35.1
+
--- /dev/null
+From 6e994e5aee6134e3525b76345bb612c2bba077bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Dec 2022 23:35:53 +0100
+Subject: rtc: pcf85063: fix pcf85063_clkout_control
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit c2d12e85336f6d4172fb2bab5935027c446d7343 ]
+
+pcf85063_clkout_control reads the wrong register but then update the
+correct one.
+
+Reported-by: Janne Terho <janne.terho@ouman.fi>
+Fixes: 8c229ab6048b ("rtc: pcf85063: Add pcf85063 clkout control to common clock framework")
+Link: https://lore.kernel.org/r/20221211223553.59955-1-alexandre.belloni@bootlin.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf85063.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
+index 99f9cc57c7b3..754e03984f98 100644
+--- a/drivers/rtc/rtc-pcf85063.c
++++ b/drivers/rtc/rtc-pcf85063.c
+@@ -424,7 +424,7 @@ static int pcf85063_clkout_control(struct clk_hw *hw, bool enable)
+ unsigned int buf;
+ int ret;
+
+- ret = regmap_read(pcf85063->regmap, PCF85063_REG_OFFSET, &buf);
++ ret = regmap_read(pcf85063->regmap, PCF85063_REG_CTRL2, &buf);
+ if (ret < 0)
+ return ret;
+ buf &= PCF85063_REG_CLKO_F_MASK;
+--
+2.35.1
+
--- /dev/null
+From bdd770092dcefd46b1991232722de9acd9bc15f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 09:41:41 +0200
+Subject: rtc: pcf85063: Fix reading alarm
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit a6ceee26fd5ed9b5bd37322b1ca88e4548cee4a3 ]
+
+If the alarms are disabled the topmost bit (AEN_*) is set in the alarm
+registers. This is also interpreted in BCD number leading to this warning:
+rtc rtc0: invalid alarm value: 2022-09-21T80:80:80
+
+Fix this by masking alarm enabling and reserved bits.
+
+Fixes: 05cb3a56ee8c ("rtc: pcf85063: add alarm support")
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20220921074141.3903104-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf85063.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
+index 095891999da1..99f9cc57c7b3 100644
+--- a/drivers/rtc/rtc-pcf85063.c
++++ b/drivers/rtc/rtc-pcf85063.c
+@@ -169,10 +169,10 @@ static int pcf85063_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
+ if (ret)
+ return ret;
+
+- alrm->time.tm_sec = bcd2bin(buf[0]);
+- alrm->time.tm_min = bcd2bin(buf[1]);
+- alrm->time.tm_hour = bcd2bin(buf[2]);
+- alrm->time.tm_mday = bcd2bin(buf[3]);
++ alrm->time.tm_sec = bcd2bin(buf[0] & 0x7f);
++ alrm->time.tm_min = bcd2bin(buf[1] & 0x7f);
++ alrm->time.tm_hour = bcd2bin(buf[2] & 0x3f);
++ alrm->time.tm_mday = bcd2bin(buf[3] & 0x3f);
+
+ ret = regmap_read(pcf85063->regmap, PCF85063_REG_CTRL2, &val);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From ba70959d19ea0fc8eff4a1897e619576bd85f955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 09:59:53 +0800
+Subject: rtc: pic32: Move devm_rtc_allocate_device earlier in
+ pic32_rtc_probe()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 90cd5c88830140c9fade92a8027e0fb2c6e4cc49 ]
+
+The pic32_rtc_enable(pdata, 0) and clk_disable_unprepare(pdata->clk)
+should be called in the error handling of devm_rtc_allocate_device(),
+so we should move devm_rtc_allocate_device earlier in pic32_rtc_probe()
+to fix it.
+
+Fixes: 6515e23b9fde ("rtc: pic32: convert to devm_rtc_allocate_device")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221123015953.1998521-1-cuigaosheng1@huawei.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pic32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/rtc/rtc-pic32.c b/drivers/rtc/rtc-pic32.c
+index 7fb9145c43bd..fa351ac20158 100644
+--- a/drivers/rtc/rtc-pic32.c
++++ b/drivers/rtc/rtc-pic32.c
+@@ -324,16 +324,16 @@ static int pic32_rtc_probe(struct platform_device *pdev)
+
+ spin_lock_init(&pdata->alarm_lock);
+
++ pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
++ if (IS_ERR(pdata->rtc))
++ return PTR_ERR(pdata->rtc);
++
+ clk_prepare_enable(pdata->clk);
+
+ pic32_rtc_enable(pdata, 1);
+
+ device_init_wakeup(&pdev->dev, 1);
+
+- pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
+- if (IS_ERR(pdata->rtc))
+- return PTR_ERR(pdata->rtc);
+-
+ pdata->rtc->ops = &pic32_rtcops;
+ pdata->rtc->range_min = RTC_TIMESTAMP_BEGIN_2000;
+ pdata->rtc->range_max = RTC_TIMESTAMP_END_2099;
+--
+2.35.1
+
--- /dev/null
+From c5e071679a641e4a913a4923ee3a082b070a8df2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 17:25:44 +0800
+Subject: rtc: rzn1: Check return value in rzn1_rtc_probe
+
+From: Yushan Zhou <katrinzhou@tencent.com>
+
+[ Upstream commit 9800f24f7bd5b99fb4fc4ce981427102e2e15a1c ]
+
+The rzn1_rtc_probe() function utilizes devm_pm_runtime_enable()
+but wasn't checking the return value. Fix it by adding missing
+check.
+
+Fixes: deeb4b5393e1 ("rtc: rzn1: Add new RTC driver")
+
+Signed-off-by: Yushan Zhou <katrinzhou@tencent.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20221107092544.3721053-1-zys.zljxml@gmail.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-rzn1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-rzn1.c b/drivers/rtc/rtc-rzn1.c
+index ac788799c8e3..0d36bc50197c 100644
+--- a/drivers/rtc/rtc-rzn1.c
++++ b/drivers/rtc/rtc-rzn1.c
+@@ -355,7 +355,9 @@ static int rzn1_rtc_probe(struct platform_device *pdev)
+ set_bit(RTC_FEATURE_ALARM_RES_MINUTE, rtc->rtcdev->features);
+ clear_bit(RTC_FEATURE_UPDATE_INTERRUPT, rtc->rtcdev->features);
+
+- devm_pm_runtime_enable(&pdev->dev);
++ ret = devm_pm_runtime_enable(&pdev->dev);
++ if (ret < 0)
++ return ret;
+ ret = pm_runtime_resume_and_get(&pdev->dev);
+ if (ret < 0)
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 5702194b3191c90db0e52c1f9014673b47f3dc7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Nov 2022 12:59:15 +0100
+Subject: rtc: snvs: Allow a time difference on clock register read
+
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+
+[ Upstream commit 0462681e207ccc44778a77b3297af728b1cf5b9f ]
+
+On an iMX6ULL the following message appears when a wakealarm is set:
+
+echo 0 > /sys/class/rtc/rtc1/wakealarm
+rtc rtc1: Timeout trying to get valid LPSRT Counter read
+
+This does not always happen but is reproducible quite often (7 out of 10
+times). The problem appears because the iMX6ULL is not able to read the
+registers within one 32kHz clock cycle which is the base clock of the
+RTC. Therefore, this patch allows a difference of up to 320 cycles
+(10ms). 10ms was chosen to be big enough even on systems with less cpu
+power (e.g. iMX6ULL). According to the reference manual a difference is
+fine:
+- If the two consecutive reads are similar, the value is correct.
+The values have to be similar, not equal.
+
+Fixes: cd7f3a249dbe ("rtc: snvs: Add timeouts to avoid kernel lockups")
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco@dolcini.it>
+Link: https://lore.kernel.org/r/20221106115915.7930-1-francesco@dolcini.it
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-snvs.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c
+index bd929b0e7d7d..d82acf1af1fa 100644
+--- a/drivers/rtc/rtc-snvs.c
++++ b/drivers/rtc/rtc-snvs.c
+@@ -32,6 +32,14 @@
+ #define SNVS_LPPGDR_INIT 0x41736166
+ #define CNTR_TO_SECS_SH 15
+
++/* The maximum RTC clock cycles that are allowed to pass between two
++ * consecutive clock counter register reads. If the values are corrupted a
++ * bigger difference is expected. The RTC frequency is 32kHz. With 320 cycles
++ * we end at 10ms which should be enough for most cases. If it once takes
++ * longer than expected we do a retry.
++ */
++#define MAX_RTC_READ_DIFF_CYCLES 320
++
+ struct snvs_rtc_data {
+ struct rtc_device *rtc;
+ struct regmap *regmap;
+@@ -56,6 +64,7 @@ static u64 rtc_read_lpsrt(struct snvs_rtc_data *data)
+ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
+ {
+ u64 read1, read2;
++ s64 diff;
+ unsigned int timeout = 100;
+
+ /* As expected, the registers might update between the read of the LSB
+@@ -66,7 +75,8 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
+ do {
+ read2 = read1;
+ read1 = rtc_read_lpsrt(data);
+- } while (read1 != read2 && --timeout);
++ diff = read1 - read2;
++ } while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout);
+ if (!timeout)
+ dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n");
+
+@@ -78,13 +88,15 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
+ static int rtc_read_lp_counter_lsb(struct snvs_rtc_data *data, u32 *lsb)
+ {
+ u32 count1, count2;
++ s32 diff;
+ unsigned int timeout = 100;
+
+ regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1);
+ do {
+ count2 = count1;
+ regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1);
+- } while (count1 != count2 && --timeout);
++ diff = count1 - count2;
++ } while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout);
+ if (!timeout) {
+ dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n");
+ return -ETIMEDOUT;
+--
+2.35.1
+
--- /dev/null
+From b816ee9b4e7ef841ef283db638a2e48ae87a99e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 09:48:05 +0800
+Subject: rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 5fb733d7bd6949e90028efdce8bd528c6ab7cf1e ]
+
+The clk_disable_unprepare() should be called in the error handling
+of clk_get_rate(), fix it.
+
+Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221123014805.1993052-1-cuigaosheng1@huawei.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-st-lpc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c
+index bdb20f63254e..0f8e4231098e 100644
+--- a/drivers/rtc/rtc-st-lpc.c
++++ b/drivers/rtc/rtc-st-lpc.c
+@@ -238,6 +238,7 @@ static int st_rtc_probe(struct platform_device *pdev)
+
+ rtc->clkrate = clk_get_rate(rtc->clk);
+ if (!rtc->clkrate) {
++ clk_disable_unprepare(rtc->clk);
+ dev_err(&pdev->dev, "Unable to fetch clock rate\n");
+ return -EINVAL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 8b71315448c759d717ca5223e6114afe3dc9a2d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 19:17:29 +0100
+Subject: rxrpc: Fix ack.bufferSize to be 0 when generating an ack
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 8889a711f9b4dcf4dd1330fa493081beebd118c9 ]
+
+ack.bufferSize should be set to 0 when generating an ack.
+
+Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs")
+Reported-by: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
+index 9683617db704..08c117bc083e 100644
+--- a/net/rxrpc/output.c
++++ b/net/rxrpc/output.c
+@@ -93,7 +93,7 @@ static size_t rxrpc_fill_out_ack(struct rxrpc_connection *conn,
+ *_hard_ack = hard_ack;
+ *_top = top;
+
+- pkt->ack.bufferSpace = htons(8);
++ pkt->ack.bufferSpace = htons(0);
+ pkt->ack.maxSkew = htons(0);
+ pkt->ack.firstPacket = htonl(hard_ack + 1);
+ pkt->ack.previousPacket = htonl(call->ackr_highest_seq);
+--
+2.35.1
+
--- /dev/null
+From 3e1a19274c1c2aad4d16adcb56797ec33f4f6ee8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 16:19:47 +0000
+Subject: rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 4feb2c44629e6f9b459b41a5a60491069d346a95 ]
+
+One of the error paths in rxrpc_do_sendmsg() doesn't unlock the call mutex
+before returning. Fix it to do this.
+
+Note that this still doesn't get rid of the checker warning:
+
+ ../net/rxrpc/sendmsg.c:617:5: warning: context imbalance in 'rxrpc_do_sendmsg' - wrong count at exit
+
+I think the interplay between the socket lock and the call's user_mutex may
+be too complicated for checker to analyse, especially as
+rxrpc_new_client_call_for_sendmsg(), which it calls, returns with the
+call's user_mutex if successful but unconditionally drops the socket lock.
+
+Fixes: e754eba685aa ("rxrpc: Provide a cmsg to specify the amount of Tx data for a call")
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/sendmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
+index 3c3a626459de..d4e4e94f4f98 100644
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -716,7 +716,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
+ if (call->tx_total_len != -1 ||
+ call->tx_pending ||
+ call->tx_top != 0)
+- goto error_put;
++ goto out_put_unlock;
+ call->tx_total_len = p.call.tx_total_len;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 9bffe5ce1080c96ca819a045339cca1df6448bee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 10:01:28 -0700
+Subject: s390/ctcm: Fix return type of ctc{mp,}m_tx()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit aa5bf80c3c067b82b4362cd6e8e2194623bcaca6 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .ndo_start_xmit = ctcm_tx,
+ ^~~~~~~
+ drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .ndo_start_xmit = ctcmpc_tx,
+ ^~~~~~~~~
+
+->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
+'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to
+match the prototype's to resolve the warning and potential CFI failure,
+should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
+
+Additionally, while in the area, remove a comment block that is no
+longer relevant.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/ctcm_main.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
+index e0fdd54bfeb7..f672c610cb24 100644
+--- a/drivers/s390/net/ctcm_main.c
++++ b/drivers/s390/net/ctcm_main.c
+@@ -825,16 +825,9 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb)
+ /*
+ * Start transmission of a packet.
+ * Called from generic network device layer.
+- *
+- * skb Pointer to buffer containing the packet.
+- * dev Pointer to interface struct.
+- *
+- * returns 0 if packet consumed, !0 if packet rejected.
+- * Note: If we return !0, then the packet is free'd by
+- * the generic network layer.
+ */
+ /* first merge version - leaving both functions separated */
+-static int ctcm_tx(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t ctcm_tx(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ctcm_priv *priv = dev->ml_priv;
+
+@@ -877,7 +870,7 @@ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev)
+ }
+
+ /* unmerged MPC variant of ctcm_tx */
+-static int ctcmpc_tx(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t ctcmpc_tx(struct sk_buff *skb, struct net_device *dev)
+ {
+ int len = 0;
+ struct ctcm_priv *priv = dev->ml_priv;
+--
+2.35.1
+
--- /dev/null
+From d872c40b1c8995dbb6f617be00e36c82be97c33d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 10:01:30 -0700
+Subject: s390/lcs: Fix return type of lcs_start_xmit()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit bb16db8393658e0978c3f0d30ae069e878264fa3 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .ndo_start_xmit = lcs_start_xmit,
+ ^~~~~~~~~~~~~~
+ drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .ndo_start_xmit = lcs_start_xmit,
+ ^~~~~~~~~~~~~~
+
+->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
+'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to
+match the prototype's to resolve the warning and potential CFI failure,
+should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/lcs.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/s390/net/lcs.c b/drivers/s390/net/lcs.c
+index 84c8981317b4..38f312664ce7 100644
+--- a/drivers/s390/net/lcs.c
++++ b/drivers/s390/net/lcs.c
+@@ -1519,9 +1519,8 @@ lcs_txbuffer_cb(struct lcs_channel *channel, struct lcs_buffer *buffer)
+ /*
+ * Packet transmit function called by network stack
+ */
+-static int
+-__lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
+- struct net_device *dev)
++static netdev_tx_t __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
++ struct net_device *dev)
+ {
+ struct lcs_header *header;
+ int rc = NETDEV_TX_OK;
+@@ -1582,8 +1581,7 @@ __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
+ return rc;
+ }
+
+-static int
+-lcs_start_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t lcs_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct lcs_card *card;
+ int rc;
+--
+2.35.1
+
--- /dev/null
+From d8a261af3db50a466c6a4c09efed0907dfd9f6e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 10:01:29 -0700
+Subject: s390/netiucv: Fix return type of netiucv_tx()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 88d86d18d7cf7e9137c95f9d212bb9fff8a1b4be ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function
+pointer prototype to make sure the call target is valid to help mitigate
+ROP attacks. If they are not identical, there is a failure at run time,
+which manifests as either a kernel panic or thread getting killed. A
+proposed warning in clang aims to catch these at compile time, which
+reveals:
+
+ drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ .ndo_start_xmit = netiucv_tx,
+ ^~~~~~~~~~
+
+->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
+'netdev_tx_t', not 'int'. Adjust the return type of netiucv_tx() to
+match the prototype's to resolve the warning and potential CFI failure,
+should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
+
+Additionally, while in the area, remove a comment block that is no
+longer relevant.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/netiucv.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/s390/net/netiucv.c b/drivers/s390/net/netiucv.c
+index 65aa0a96c21d..66076cada8ae 100644
+--- a/drivers/s390/net/netiucv.c
++++ b/drivers/s390/net/netiucv.c
+@@ -1248,15 +1248,8 @@ static int netiucv_close(struct net_device *dev)
+ /*
+ * Start transmission of a packet.
+ * Called from generic network device layer.
+- *
+- * @param skb Pointer to buffer containing the packet.
+- * @param dev Pointer to interface struct.
+- *
+- * @return 0 if packet consumed, !0 if packet rejected.
+- * Note: If we return !0, then the packet is free'd by
+- * the generic network layer.
+ */
+-static int netiucv_tx(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t netiucv_tx(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct netiucv_priv *privptr = netdev_priv(dev);
+ int rc;
+--
+2.35.1
+
--- /dev/null
+From 3c9b9bb042dfa2ed85e080b38469271bd37b3318 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Oct 2022 23:30:50 +0200
+Subject: samples/bpf: Fix MAC address swapping in xdp2_kern
+
+From: Gerhard Engleder <gerhard@engleder-embedded.com>
+
+[ Upstream commit 7a698edf954cb3f8b6e8dacdb77615355170420c ]
+
+xdp2_kern rewrites and forwards packets out on the same interface.
+Forwarding still works but rewrite got broken when xdp multibuffer
+support has been added.
+
+With xdp multibuffer a local copy of the packet has been introduced. The
+MAC address is now swapped in the local copy, but the local copy in not
+written back.
+
+Fix MAC address swapping be adding write back of modified packet.
+
+Fixes: 772251742262 ("samples/bpf: fixup some tools to be able to support xdp multibuffer")
+Signed-off-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
+Link: https://lore.kernel.org/r/20221015213050.65222-1-gerhard@engleder-embedded.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdp2_kern.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/samples/bpf/xdp2_kern.c b/samples/bpf/xdp2_kern.c
+index 3332ba6bb95f..67804ecf7ce3 100644
+--- a/samples/bpf/xdp2_kern.c
++++ b/samples/bpf/xdp2_kern.c
+@@ -112,6 +112,10 @@ int xdp_prog1(struct xdp_md *ctx)
+
+ if (ipproto == IPPROTO_UDP) {
+ swap_src_dst_mac(data);
++
++ if (bpf_xdp_store_bytes(ctx, 0, pkt, sizeof(pkt)))
++ return rc;
++
+ rc = XDP_TX;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 9a5b67429990e0e5746cb67f538218e84bf59693 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 22:09:22 +0200
+Subject: samples/bpf: Fix map iteration in xdp1_user
+
+From: Gerhard Engleder <gerhard@engleder-embedded.com>
+
+[ Upstream commit 05ee658c654bacda03f7fecef367e62aaf8e1cfe ]
+
+BPF map iteration in xdp1_user results in endless loop without any
+output, because the return value of bpf_map_get_next_key() is checked
+against the wrong value.
+
+Other call locations of bpf_map_get_next_key() check for equal 0 for
+continuing the iteration. xdp1_user checks against unequal -1. This is
+wrong for a function which can return arbitrary negative errno values,
+because a return value of e.g. -2 results in an endless loop.
+
+With this fix xdp1_user is printing statistics again:
+proto 0: 1 pkt/s
+proto 0: 1 pkt/s
+proto 17: 107383 pkt/s
+proto 17: 881655 pkt/s
+proto 17: 882083 pkt/s
+proto 17: 881758 pkt/s
+
+Fixes: bd054102a8c7 ("libbpf: enforce strict libbpf 1.0 behaviors")
+Signed-off-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Acked-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20221013200922.17167-1-gerhard@engleder-embedded.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdp1_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/xdp1_user.c b/samples/bpf/xdp1_user.c
+index ac370e638fa3..281dc964de8d 100644
+--- a/samples/bpf/xdp1_user.c
++++ b/samples/bpf/xdp1_user.c
+@@ -51,7 +51,7 @@ static void poll_stats(int map_fd, int interval)
+
+ sleep(interval);
+
+- while (bpf_map_get_next_key(map_fd, &key, &key) != -1) {
++ while (bpf_map_get_next_key(map_fd, &key, &key) == 0) {
+ __u64 sum = 0;
+
+ assert(bpf_map_lookup_elem(map_fd, &key, values) == 0);
+--
+2.35.1
+
--- /dev/null
+From 951410666795f072f474f99c10eb6966a17b893a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 09:33:41 +0800
+Subject: samples: vfio-mdev: Fix missing pci_disable_device() in
+ mdpy_fb_probe()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit d1f0f50fbbbbca1e3e8157e51934613bf88f6d44 ]
+
+Add missing pci_disable_device() in fail path of mdpy_fb_probe().
+Besides, fix missing release functions in mdpy_fb_remove().
+
+Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Link: https://lore.kernel.org/r/20221208013341.3999-1-shangxiaojing@huawei.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/vfio-mdev/mdpy-fb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/samples/vfio-mdev/mdpy-fb.c b/samples/vfio-mdev/mdpy-fb.c
+index 9ec93d90e8a5..4eb7aa11cfbb 100644
+--- a/samples/vfio-mdev/mdpy-fb.c
++++ b/samples/vfio-mdev/mdpy-fb.c
+@@ -109,7 +109,7 @@ static int mdpy_fb_probe(struct pci_dev *pdev,
+
+ ret = pci_request_regions(pdev, "mdpy-fb");
+ if (ret < 0)
+- return ret;
++ goto err_disable_dev;
+
+ pci_read_config_dword(pdev, MDPY_FORMAT_OFFSET, &format);
+ pci_read_config_dword(pdev, MDPY_WIDTH_OFFSET, &width);
+@@ -191,6 +191,9 @@ static int mdpy_fb_probe(struct pci_dev *pdev,
+ err_release_regions:
+ pci_release_regions(pdev);
+
++err_disable_dev:
++ pci_disable_device(pdev);
++
+ return ret;
+ }
+
+@@ -199,7 +202,10 @@ static void mdpy_fb_remove(struct pci_dev *pdev)
+ struct fb_info *info = pci_get_drvdata(pdev);
+
+ unregister_framebuffer(info);
++ iounmap(info->screen_base);
+ framebuffer_release(info);
++ pci_release_regions(pdev);
++ pci_disable_device(pdev);
+ }
+
+ static struct pci_device_id mdpy_fb_pci_table[] = {
+--
+2.35.1
+
--- /dev/null
+From af7fff64c6278fb2167ebaad6b2c831b8c4af587 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 13:13:03 +0200
+Subject: sched/core: Introduce sched_asym_cpucap_active()
+
+From: Dietmar Eggemann <dietmar.eggemann@arm.com>
+
+[ Upstream commit 740cf8a760b73e8375bfb4bedcbe9746183350f9 ]
+
+Create an inline helper for conditional code to be only executed on
+asymmetric CPU capacity systems. This makes these (currently ~10 and
+future) conditions a lot more readable.
+
+Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20220729111305.1275158-2-dietmar.eggemann@arm.com
+Stable-dep-of: a2e7f03ed28f ("sched/uclamp: Make asym_fits_capacity() use util_fits_cpu()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cpudeadline.c | 2 +-
+ kernel/sched/deadline.c | 4 ++--
+ kernel/sched/fair.c | 8 ++++----
+ kernel/sched/rt.c | 4 ++--
+ kernel/sched/sched.h | 5 +++++
+ 5 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/cpudeadline.c b/kernel/sched/cpudeadline.c
+index 02d970a879ed..57c92d751bcd 100644
+--- a/kernel/sched/cpudeadline.c
++++ b/kernel/sched/cpudeadline.c
+@@ -123,7 +123,7 @@ int cpudl_find(struct cpudl *cp, struct task_struct *p,
+ unsigned long cap, max_cap = 0;
+ int cpu, max_cpu = -1;
+
+- if (!static_branch_unlikely(&sched_asym_cpucapacity))
++ if (!sched_asym_cpucap_active())
+ return 1;
+
+ /* Ensure the capacity of the CPUs fits the task. */
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 0ab79d819a0d..8bebc36a1b71 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -144,7 +144,7 @@ static inline unsigned long __dl_bw_capacity(int i)
+ */
+ static inline unsigned long dl_bw_capacity(int i)
+ {
+- if (!static_branch_unlikely(&sched_asym_cpucapacity) &&
++ if (!sched_asym_cpucap_active() &&
+ capacity_orig_of(i) == SCHED_CAPACITY_SCALE) {
+ return dl_bw_cpus(i) << SCHED_CAPACITY_SHIFT;
+ } else {
+@@ -1849,7 +1849,7 @@ select_task_rq_dl(struct task_struct *p, int cpu, int flags)
+ * Take the capacity of the CPU into account to
+ * ensure it fits the requirement of the task.
+ */
+- if (static_branch_unlikely(&sched_asym_cpucapacity))
++ if (sched_asym_cpucap_active())
+ select_rq |= !dl_task_fits_capacity(p, cpu);
+
+ if (select_rq) {
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 892ea83864a7..1fe3f3b96251 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4387,7 +4387,7 @@ static inline int task_fits_cpu(struct task_struct *p, int cpu)
+
+ static inline void update_misfit_status(struct task_struct *p, struct rq *rq)
+ {
+- if (!static_branch_unlikely(&sched_asym_cpucapacity))
++ if (!sched_asym_cpucap_active())
+ return;
+
+ if (!p || p->nr_cpus_allowed == 1) {
+@@ -6633,7 +6633,7 @@ select_idle_capacity(struct task_struct *p, struct sched_domain *sd, int target)
+
+ static inline bool asym_fits_capacity(unsigned long task_util, int cpu)
+ {
+- if (static_branch_unlikely(&sched_asym_cpucapacity))
++ if (sched_asym_cpucap_active())
+ return fits_capacity(task_util, capacity_of(cpu));
+
+ return true;
+@@ -6653,7 +6653,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ * On asymmetric system, update task utilization because we will check
+ * that the task fits with cpu's capacity.
+ */
+- if (static_branch_unlikely(&sched_asym_cpucapacity)) {
++ if (sched_asym_cpucap_active()) {
+ sync_entity_load_avg(&p->se);
+ task_util = uclamp_task_util(p);
+ }
+@@ -6707,7 +6707,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ * For asymmetric CPU capacity systems, our domain of interest is
+ * sd_asym_cpucapacity rather than sd_llc.
+ */
+- if (static_branch_unlikely(&sched_asym_cpucapacity)) {
++ if (sched_asym_cpucap_active()) {
+ sd = rcu_dereference(per_cpu(sd_asym_cpucapacity, target));
+ /*
+ * On an asymmetric CPU capacity system where an exclusive
+diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
+index 55f39c8f4203..054b6711e961 100644
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -509,7 +509,7 @@ static inline bool rt_task_fits_capacity(struct task_struct *p, int cpu)
+ unsigned int cpu_cap;
+
+ /* Only heterogeneous systems can benefit from this check */
+- if (!static_branch_unlikely(&sched_asym_cpucapacity))
++ if (!sched_asym_cpucap_active())
+ return true;
+
+ min_cap = uclamp_eff_value(p, UCLAMP_MIN);
+@@ -1897,7 +1897,7 @@ static int find_lowest_rq(struct task_struct *task)
+ * If we're on asym system ensure we consider the different capacities
+ * of the CPUs when searching for the lowest_mask.
+ */
+- if (static_branch_unlikely(&sched_asym_cpucapacity)) {
++ if (sched_asym_cpucap_active()) {
+
+ ret = cpupri_find_fitness(&task_rq(task)->rd->cpupri,
+ task, lowest_mask,
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index 0dfcd12e184a..2fcb7eb56c01 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -1815,6 +1815,11 @@ DECLARE_PER_CPU(struct sched_domain __rcu *, sd_asym_packing);
+ DECLARE_PER_CPU(struct sched_domain __rcu *, sd_asym_cpucapacity);
+ extern struct static_key_false sched_asym_cpucapacity;
+
++static __always_inline bool sched_asym_cpucap_active(void)
++{
++ return static_branch_unlikely(&sched_asym_cpucapacity);
++}
++
+ struct sched_group_capacity {
+ atomic_t ref;
+ /*
+--
+2.35.1
+
--- /dev/null
+From 2edf35859c58e5cb34ac63eac152912be79e0389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 07:23:56 +0000
+Subject: sched/psi: Fix possible missing or delayed pending event
+
+From: Hao Lee <haolee.swjtu@gmail.com>
+
+[ Upstream commit e38f89af6a13e895805febd3a329a13ab7e66fa4 ]
+
+When a pending event exists and growth is less than the threshold, the
+current logic is to skip this trigger without generating event. However,
+from e6df4ead85d9 ("psi: fix possible trigger missing in the window"),
+our purpose is to generate event as long as pending event exists and the
+rate meets the limit, no matter what growth is.
+This patch handles this case properly.
+
+Fixes: e6df4ead85d9 ("psi: fix possible trigger missing in the window")
+Signed-off-by: Hao Lee <haolee.swjtu@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Suren Baghdasaryan <surenb@google.com>
+Link: https://lore.kernel.org/r/20220919072356.GA29069@haolee.io
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/psi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
+index ecb4b4ff4ce0..559416a27c0e 100644
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -537,10 +537,12 @@ static u64 update_triggers(struct psi_group *group, u64 now)
+
+ /* Calculate growth since last update */
+ growth = window_update(&t->win, now, total[t->state]);
+- if (growth < t->threshold)
+- continue;
++ if (!t->pending_event) {
++ if (growth < t->threshold)
++ continue;
+
+- t->pending_event = true;
++ t->pending_event = true;
++ }
+ }
+ /* Limit event signaling to once per window */
+ if (now < t->last_event_time + t->win.size)
+--
+2.35.1
+
--- /dev/null
+From 700e30bf88cc442b6115310d89fcd749082fadd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 15:36:07 +0100
+Subject: sched/uclamp: Cater for uclamp in find_energy_efficient_cpu()'s early
+ exit condition
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit d81304bc6193554014d4372a01debdf65e1e9a4d ]
+
+If the utilization of the woken up task is 0, we skip the energy
+calculation because it has no impact.
+
+But if the task is boosted (uclamp_min != 0) will have an impact on task
+placement and frequency selection. Only skip if the util is truly
+0 after applying uclamp values.
+
+Change uclamp_task_cpu() signature to avoid unnecessary additional calls
+to uclamp_eff_get(). feec() is the only user now.
+
+Fixes: 732cd75b8c920 ("sched/fair: Select an energy-efficient CPU on task wake-up")
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20220804143609.515789-8-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 2e782d79e80f..532e6cdf706d 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4108,14 +4108,16 @@ static inline unsigned long task_util_est(struct task_struct *p)
+ }
+
+ #ifdef CONFIG_UCLAMP_TASK
+-static inline unsigned long uclamp_task_util(struct task_struct *p)
++static inline unsigned long uclamp_task_util(struct task_struct *p,
++ unsigned long uclamp_min,
++ unsigned long uclamp_max)
+ {
+- return clamp(task_util_est(p),
+- uclamp_eff_value(p, UCLAMP_MIN),
+- uclamp_eff_value(p, UCLAMP_MAX));
++ return clamp(task_util_est(p), uclamp_min, uclamp_max);
+ }
+ #else
+-static inline unsigned long uclamp_task_util(struct task_struct *p)
++static inline unsigned long uclamp_task_util(struct task_struct *p,
++ unsigned long uclamp_min,
++ unsigned long uclamp_max)
+ {
+ return task_util_est(p);
+ }
+@@ -7029,7 +7031,7 @@ static int find_energy_efficient_cpu(struct task_struct *p, int prev_cpu)
+ target = prev_cpu;
+
+ sync_entity_load_avg(&p->se);
+- if (!task_util_est(p))
++ if (!uclamp_task_util(p, p_util_min, p_util_max))
+ goto unlock;
+
+ eenv_task_busy_time(&eenv, p, prev_cpu);
+--
+2.35.1
+
--- /dev/null
+From 02c7310c580c69714ee6a76d3b95b25f5de49fa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 15:36:03 +0100
+Subject: sched/uclamp: Fix fits_capacity() check in feec()
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit 244226035a1f9b2b6c326e55ae5188fab4f428cb ]
+
+As reported by Yun Hsiang [1], if a task has its uclamp_min >= 0.8 * 1024,
+it'll always pick the previous CPU because fits_capacity() will always
+return false in this case.
+
+The new util_fits_cpu() logic should handle this correctly for us beside
+more corner cases where similar failures could occur, like when using
+UCLAMP_MAX.
+
+We open code uclamp_rq_util_with() except for the clamp() part,
+util_fits_cpu() needs the 'raw' values to be passed to it.
+
+Also introduce uclamp_rq_{set, get}() shorthand accessors to get uclamp
+value for the rq. Makes the code more readable and ensures the right
+rules (use READ_ONCE/WRITE_ONCE) are respected transparently.
+
+[1] https://lists.linaro.org/pipermail/eas-dev/2020-July/001488.html
+
+Fixes: 1d42509e475c ("sched/fair: Make EAS wakeup placement consider uclamp restrictions")
+Reported-by: Yun Hsiang <hsiang023167@gmail.com>
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20220804143609.515789-4-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 10 +++++-----
+ kernel/sched/fair.c | 26 ++++++++++++++++++++++++--
+ kernel/sched/sched.h | 42 +++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 68 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index ee28253c9ac0..cb9d8ae7c4db 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1398,7 +1398,7 @@ static inline void uclamp_idle_reset(struct rq *rq, enum uclamp_id clamp_id,
+ if (!(rq->uclamp_flags & UCLAMP_FLAG_IDLE))
+ return;
+
+- WRITE_ONCE(rq->uclamp[clamp_id].value, clamp_value);
++ uclamp_rq_set(rq, clamp_id, clamp_value);
+ }
+
+ static inline
+@@ -1549,8 +1549,8 @@ static inline void uclamp_rq_inc_id(struct rq *rq, struct task_struct *p,
+ if (bucket->tasks == 1 || uc_se->value > bucket->value)
+ bucket->value = uc_se->value;
+
+- if (uc_se->value > READ_ONCE(uc_rq->value))
+- WRITE_ONCE(uc_rq->value, uc_se->value);
++ if (uc_se->value > uclamp_rq_get(rq, clamp_id))
++ uclamp_rq_set(rq, clamp_id, uc_se->value);
+ }
+
+ /*
+@@ -1616,7 +1616,7 @@ static inline void uclamp_rq_dec_id(struct rq *rq, struct task_struct *p,
+ if (likely(bucket->tasks))
+ return;
+
+- rq_clamp = READ_ONCE(uc_rq->value);
++ rq_clamp = uclamp_rq_get(rq, clamp_id);
+ /*
+ * Defensive programming: this should never happen. If it happens,
+ * e.g. due to future modification, warn and fixup the expected value.
+@@ -1624,7 +1624,7 @@ static inline void uclamp_rq_dec_id(struct rq *rq, struct task_struct *p,
+ SCHED_WARN_ON(bucket->value > rq_clamp);
+ if (bucket->value >= rq_clamp) {
+ bkt_clamp = uclamp_rq_max_value(rq, clamp_id, uc_se->value);
+- WRITE_ONCE(uc_rq->value, bkt_clamp);
++ uclamp_rq_set(rq, clamp_id, bkt_clamp);
+ }
+ }
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index fd0eb93e1bbb..abe0e6baaa2e 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -6993,6 +6993,8 @@ static int find_energy_efficient_cpu(struct task_struct *p, int prev_cpu)
+ {
+ struct cpumask *cpus = this_cpu_cpumask_var_ptr(select_rq_mask);
+ unsigned long prev_delta = ULONG_MAX, best_delta = ULONG_MAX;
++ unsigned long p_util_min = uclamp_is_used() ? uclamp_eff_value(p, UCLAMP_MIN) : 0;
++ unsigned long p_util_max = uclamp_is_used() ? uclamp_eff_value(p, UCLAMP_MAX) : 1024;
+ struct root_domain *rd = this_rq()->rd;
+ int cpu, best_energy_cpu, target = -1;
+ struct sched_domain *sd;
+@@ -7025,6 +7027,8 @@ static int find_energy_efficient_cpu(struct task_struct *p, int prev_cpu)
+ for (; pd; pd = pd->next) {
+ unsigned long cpu_cap, cpu_thermal_cap, util;
+ unsigned long cur_delta, max_spare_cap = 0;
++ unsigned long rq_util_min, rq_util_max;
++ unsigned long util_min, util_max;
+ bool compute_prev_delta = false;
+ int max_spare_cap_cpu = -1;
+ unsigned long base_energy;
+@@ -7061,8 +7065,26 @@ static int find_energy_efficient_cpu(struct task_struct *p, int prev_cpu)
+ * much capacity we can get out of the CPU; this is
+ * aligned with sched_cpu_util().
+ */
+- util = uclamp_rq_util_with(cpu_rq(cpu), util, p);
+- if (!fits_capacity(util, cpu_cap))
++ if (uclamp_is_used()) {
++ if (uclamp_rq_is_idle(cpu_rq(cpu))) {
++ util_min = p_util_min;
++ util_max = p_util_max;
++ } else {
++ /*
++ * Open code uclamp_rq_util_with() except for
++ * the clamp() part. Ie: apply max aggregation
++ * only. util_fits_cpu() logic requires to
++ * operate on non clamped util but must use the
++ * max-aggregated uclamp_{min, max}.
++ */
++ rq_util_min = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MIN);
++ rq_util_max = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MAX);
++
++ util_min = max(rq_util_min, p_util_min);
++ util_max = max(rq_util_max, p_util_max);
++ }
++ }
++ if (!util_fits_cpu(util, util_min, util_max, cpu))
+ continue;
+
+ lsub_positive(&cpu_cap, util);
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index 1b8a5d791907..0dfcd12e184a 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -2963,6 +2963,23 @@ static inline unsigned long cpu_util_rt(struct rq *rq)
+ #ifdef CONFIG_UCLAMP_TASK
+ unsigned long uclamp_eff_value(struct task_struct *p, enum uclamp_id clamp_id);
+
++static inline unsigned long uclamp_rq_get(struct rq *rq,
++ enum uclamp_id clamp_id)
++{
++ return READ_ONCE(rq->uclamp[clamp_id].value);
++}
++
++static inline void uclamp_rq_set(struct rq *rq, enum uclamp_id clamp_id,
++ unsigned int value)
++{
++ WRITE_ONCE(rq->uclamp[clamp_id].value, value);
++}
++
++static inline bool uclamp_rq_is_idle(struct rq *rq)
++{
++ return rq->uclamp_flags & UCLAMP_FLAG_IDLE;
++}
++
+ /**
+ * uclamp_rq_util_with - clamp @util with @rq and @p effective uclamp values.
+ * @rq: The rq to clamp against. Must not be NULL.
+@@ -2998,12 +3015,12 @@ unsigned long uclamp_rq_util_with(struct rq *rq, unsigned long util,
+ * Ignore last runnable task's max clamp, as this task will
+ * reset it. Similarly, no need to read the rq's min clamp.
+ */
+- if (rq->uclamp_flags & UCLAMP_FLAG_IDLE)
++ if (uclamp_rq_is_idle(rq))
+ goto out;
+ }
+
+- min_util = max_t(unsigned long, min_util, READ_ONCE(rq->uclamp[UCLAMP_MIN].value));
+- max_util = max_t(unsigned long, max_util, READ_ONCE(rq->uclamp[UCLAMP_MAX].value));
++ min_util = max_t(unsigned long, min_util, uclamp_rq_get(rq, UCLAMP_MIN));
++ max_util = max_t(unsigned long, max_util, uclamp_rq_get(rq, UCLAMP_MAX));
+ out:
+ /*
+ * Since CPU's {min,max}_util clamps are MAX aggregated considering
+@@ -3066,6 +3083,25 @@ static inline bool uclamp_is_used(void)
+ {
+ return false;
+ }
++
++static inline unsigned long uclamp_rq_get(struct rq *rq,
++ enum uclamp_id clamp_id)
++{
++ if (clamp_id == UCLAMP_MIN)
++ return 0;
++
++ return SCHED_CAPACITY_SCALE;
++}
++
++static inline void uclamp_rq_set(struct rq *rq, enum uclamp_id clamp_id,
++ unsigned int value)
++{
++}
++
++static inline bool uclamp_rq_is_idle(struct rq *rq)
++{
++ return false;
++}
+ #endif /* CONFIG_UCLAMP_TASK */
+
+ #ifdef CONFIG_HAVE_SCHED_AVG_IRQ
+--
+2.35.1
+
--- /dev/null
+From 4e9253ac386a7eddd1741670ca9dc6a473248424 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 15:36:01 +0100
+Subject: sched/uclamp: Fix relationship between uclamp and migration margin
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit 48d5e9daa8b767e75ed9421665b037a49ce4bc04 ]
+
+fits_capacity() verifies that a util is within 20% margin of the
+capacity of a CPU, which is an attempt to speed up upmigration.
+
+But when uclamp is used, this 20% margin is problematic because for
+example if a task is boosted to 1024, then it will not fit on any CPU
+according to fits_capacity() logic.
+
+Or if a task is boosted to capacity_orig_of(medium_cpu). The task will
+end up on big instead on the desired medium CPU.
+
+Similar corner cases exist for uclamp and usage of capacity_of().
+Slightest irq pressure on biggest CPU for example will make a 1024
+boosted task look like it can't fit.
+
+What we really want is for uclamp comparisons to ignore the migration
+margin and capacity pressure, yet retain them for when checking the
+_actual_ util signal.
+
+For example, task p:
+
+ p->util_avg = 300
+ p->uclamp[UCLAMP_MIN] = 1024
+
+Will fit a big CPU. But
+
+ p->util_avg = 900
+ p->uclamp[UCLAMP_MIN] = 1024
+
+will not, this should trigger overutilized state because the big CPU is
+now *actually* being saturated.
+
+Similar reasoning applies to capping tasks with UCLAMP_MAX. For example:
+
+ p->util_avg = 1024
+ p->uclamp[UCLAMP_MAX] = capacity_orig_of(medium_cpu)
+
+Should fit the task on medium cpus without triggering overutilized
+state.
+
+Inlined comments expand more on desired behavior in more scenarios.
+
+Introduce new util_fits_cpu() function which encapsulates the new logic.
+The new function is not used anywhere yet, but will be used to update
+various users of fits_capacity() in later patches.
+
+Fixes: af24bde8df202 ("sched/uclamp: Add uclamp support to energy_compute()")
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20220804143609.515789-2-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 123 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 123 insertions(+)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 914096c5b1ae..4ccd21e9a29f 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4254,6 +4254,129 @@ static inline void util_est_update(struct cfs_rq *cfs_rq,
+ trace_sched_util_est_se_tp(&p->se);
+ }
+
++static inline int util_fits_cpu(unsigned long util,
++ unsigned long uclamp_min,
++ unsigned long uclamp_max,
++ int cpu)
++{
++ unsigned long capacity_orig, capacity_orig_thermal;
++ unsigned long capacity = capacity_of(cpu);
++ bool fits, uclamp_max_fits;
++
++ /*
++ * Check if the real util fits without any uclamp boost/cap applied.
++ */
++ fits = fits_capacity(util, capacity);
++
++ if (!uclamp_is_used())
++ return fits;
++
++ /*
++ * We must use capacity_orig_of() for comparing against uclamp_min and
++ * uclamp_max. We only care about capacity pressure (by using
++ * capacity_of()) for comparing against the real util.
++ *
++ * If a task is boosted to 1024 for example, we don't want a tiny
++ * pressure to skew the check whether it fits a CPU or not.
++ *
++ * Similarly if a task is capped to capacity_orig_of(little_cpu), it
++ * should fit a little cpu even if there's some pressure.
++ *
++ * Only exception is for thermal pressure since it has a direct impact
++ * on available OPP of the system.
++ *
++ * We honour it for uclamp_min only as a drop in performance level
++ * could result in not getting the requested minimum performance level.
++ *
++ * For uclamp_max, we can tolerate a drop in performance level as the
++ * goal is to cap the task. So it's okay if it's getting less.
++ *
++ * In case of capacity inversion, which is not handled yet, we should
++ * honour the inverted capacity for both uclamp_min and uclamp_max all
++ * the time.
++ */
++ capacity_orig = capacity_orig_of(cpu);
++ capacity_orig_thermal = capacity_orig - arch_scale_thermal_pressure(cpu);
++
++ /*
++ * We want to force a task to fit a cpu as implied by uclamp_max.
++ * But we do have some corner cases to cater for..
++ *
++ *
++ * C=z
++ * | ___
++ * | C=y | |
++ * |_ _ _ _ _ _ _ _ _ ___ _ _ _ | _ | _ _ _ _ _ uclamp_max
++ * | C=x | | | |
++ * | ___ | | | |
++ * | | | | | | | (util somewhere in this region)
++ * | | | | | | |
++ * | | | | | | |
++ * +----------------------------------------
++ * cpu0 cpu1 cpu2
++ *
++ * In the above example if a task is capped to a specific performance
++ * point, y, then when:
++ *
++ * * util = 80% of x then it does not fit on cpu0 and should migrate
++ * to cpu1
++ * * util = 80% of y then it is forced to fit on cpu1 to honour
++ * uclamp_max request.
++ *
++ * which is what we're enforcing here. A task always fits if
++ * uclamp_max <= capacity_orig. But when uclamp_max > capacity_orig,
++ * the normal upmigration rules should withhold still.
++ *
++ * Only exception is when we are on max capacity, then we need to be
++ * careful not to block overutilized state. This is so because:
++ *
++ * 1. There's no concept of capping at max_capacity! We can't go
++ * beyond this performance level anyway.
++ * 2. The system is being saturated when we're operating near
++ * max capacity, it doesn't make sense to block overutilized.
++ */
++ uclamp_max_fits = (capacity_orig == SCHED_CAPACITY_SCALE) && (uclamp_max == SCHED_CAPACITY_SCALE);
++ uclamp_max_fits = !uclamp_max_fits && (uclamp_max <= capacity_orig);
++ fits = fits || uclamp_max_fits;
++
++ /*
++ *
++ * C=z
++ * | ___ (region a, capped, util >= uclamp_max)
++ * | C=y | |
++ * |_ _ _ _ _ _ _ _ _ ___ _ _ _ | _ | _ _ _ _ _ uclamp_max
++ * | C=x | | | |
++ * | ___ | | | | (region b, uclamp_min <= util <= uclamp_max)
++ * |_ _ _|_ _|_ _ _ _| _ | _ _ _| _ | _ _ _ _ _ uclamp_min
++ * | | | | | | |
++ * | | | | | | | (region c, boosted, util < uclamp_min)
++ * +----------------------------------------
++ * cpu0 cpu1 cpu2
++ *
++ * a) If util > uclamp_max, then we're capped, we don't care about
++ * actual fitness value here. We only care if uclamp_max fits
++ * capacity without taking margin/pressure into account.
++ * See comment above.
++ *
++ * b) If uclamp_min <= util <= uclamp_max, then the normal
++ * fits_capacity() rules apply. Except we need to ensure that we
++ * enforce we remain within uclamp_max, see comment above.
++ *
++ * c) If util < uclamp_min, then we are boosted. Same as (b) but we
++ * need to take into account the boosted value fits the CPU without
++ * taking margin/pressure into account.
++ *
++ * Cases (a) and (b) are handled in the 'fits' variable already. We
++ * just need to consider an extra check for case (c) after ensuring we
++ * handle the case uclamp_min > uclamp_max.
++ */
++ uclamp_min = min(uclamp_min, uclamp_max);
++ if (util < uclamp_min && capacity_orig != SCHED_CAPACITY_SCALE)
++ fits = fits && (uclamp_min <= capacity_orig_thermal);
++
++ return fits;
++}
++
+ static inline int task_fits_capacity(struct task_struct *p,
+ unsigned long capacity)
+ {
+--
+2.35.1
+
--- /dev/null
+From c36960427772cf9d121fdb687b3e0de8e928f0fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 15:36:05 +0100
+Subject: sched/uclamp: Make asym_fits_capacity() use util_fits_cpu()
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit a2e7f03ed28fce26c78b985f87913b6ce3accf9d ]
+
+Use the new util_fits_cpu() to ensure migration margin and capacity
+pressure are taken into account correctly when uclamp is being used
+otherwise we will fail to consider CPUs as fitting in scenarios where
+they should.
+
+s/asym_fits_capacity/asym_fits_cpu/ to better reflect what it does now.
+
+Fixes: b4c9c9f15649 ("sched/fair: Prefer prev cpu in asymmetric wakeup path")
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20220804143609.515789-6-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 1fe3f3b96251..cb4d47441a41 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -6631,10 +6631,13 @@ select_idle_capacity(struct task_struct *p, struct sched_domain *sd, int target)
+ return best_cpu;
+ }
+
+-static inline bool asym_fits_capacity(unsigned long task_util, int cpu)
++static inline bool asym_fits_cpu(unsigned long util,
++ unsigned long util_min,
++ unsigned long util_max,
++ int cpu)
+ {
+ if (sched_asym_cpucap_active())
+- return fits_capacity(task_util, capacity_of(cpu));
++ return util_fits_cpu(util, util_min, util_max, cpu);
+
+ return true;
+ }
+@@ -6646,7 +6649,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ {
+ bool has_idle_core = false;
+ struct sched_domain *sd;
+- unsigned long task_util;
++ unsigned long task_util, util_min, util_max;
+ int i, recent_used_cpu;
+
+ /*
+@@ -6655,7 +6658,9 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ */
+ if (sched_asym_cpucap_active()) {
+ sync_entity_load_avg(&p->se);
+- task_util = uclamp_task_util(p);
++ task_util = task_util_est(p);
++ util_min = uclamp_eff_value(p, UCLAMP_MIN);
++ util_max = uclamp_eff_value(p, UCLAMP_MAX);
+ }
+
+ /*
+@@ -6664,7 +6669,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ lockdep_assert_irqs_disabled();
+
+ if ((available_idle_cpu(target) || sched_idle_cpu(target)) &&
+- asym_fits_capacity(task_util, target))
++ asym_fits_cpu(task_util, util_min, util_max, target))
+ return target;
+
+ /*
+@@ -6672,7 +6677,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ */
+ if (prev != target && cpus_share_cache(prev, target) &&
+ (available_idle_cpu(prev) || sched_idle_cpu(prev)) &&
+- asym_fits_capacity(task_util, prev))
++ asym_fits_cpu(task_util, util_min, util_max, prev))
+ return prev;
+
+ /*
+@@ -6687,7 +6692,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ in_task() &&
+ prev == smp_processor_id() &&
+ this_rq()->nr_running <= 1 &&
+- asym_fits_capacity(task_util, prev)) {
++ asym_fits_cpu(task_util, util_min, util_max, prev)) {
+ return prev;
+ }
+
+@@ -6699,7 +6704,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ cpus_share_cache(recent_used_cpu, target) &&
+ (available_idle_cpu(recent_used_cpu) || sched_idle_cpu(recent_used_cpu)) &&
+ cpumask_test_cpu(p->recent_used_cpu, p->cpus_ptr) &&
+- asym_fits_capacity(task_util, recent_used_cpu)) {
++ asym_fits_cpu(task_util, util_min, util_max, recent_used_cpu)) {
+ return recent_used_cpu;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 0f4475214a64d3eec5fa8d8cdc9db8bdb10705b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 15:36:06 +0100
+Subject: sched/uclamp: Make cpu_overutilized() use util_fits_cpu()
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit c56ab1b3506ba0e7a872509964b100912bde165d ]
+
+So that it is now uclamp aware.
+
+This fixes a major problem of busy tasks capped with UCLAMP_MAX keeping
+the system in overutilized state which disables EAS and leads to wasting
+energy in the long run.
+
+Without this patch running a busy background activity like JIT
+compilation on Pixel 6 causes the system to be in overutilized state
+74.5% of the time.
+
+With this patch this goes down to 9.79%.
+
+It also fixes another problem when long running tasks that have their
+UCLAMP_MIN changed while running such that they need to upmigrate to
+honour the new UCLAMP_MIN value. The upmigration doesn't get triggered
+because overutilized state never gets set in this state, hence misfit
+migration never happens at tick in this case until the task wakes up
+again.
+
+Fixes: af24bde8df202 ("sched/uclamp: Add uclamp support to energy_compute()")
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20220804143609.515789-7-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index cb4d47441a41..2e782d79e80f 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -5807,7 +5807,10 @@ static inline void hrtick_update(struct rq *rq)
+ #ifdef CONFIG_SMP
+ static inline bool cpu_overutilized(int cpu)
+ {
+- return !fits_capacity(cpu_util_cfs(cpu), capacity_of(cpu));
++ unsigned long rq_util_min = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MIN);
++ unsigned long rq_util_max = uclamp_rq_get(cpu_rq(cpu), UCLAMP_MAX);
++
++ return !util_fits_cpu(cpu_util_cfs(cpu), rq_util_min, rq_util_max, cpu);
+ }
+
+ static inline void update_overutilized_status(struct rq *rq)
+--
+2.35.1
+
--- /dev/null
+From dcc34320f58af8c952af3ed21925ef1e62d8ab45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 15:36:04 +0100
+Subject: sched/uclamp: Make select_idle_capacity() use util_fits_cpu()
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit b759caa1d9f667b94727b2ad12589cbc4ce13a82 ]
+
+Use the new util_fits_cpu() to ensure migration margin and capacity
+pressure are taken into account correctly when uclamp is being used
+otherwise we will fail to consider CPUs as fitting in scenarios where
+they should.
+
+Fixes: b4c9c9f15649 ("sched/fair: Prefer prev cpu in asymmetric wakeup path")
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20220804143609.515789-5-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index abe0e6baaa2e..892ea83864a7 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -6603,21 +6603,23 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, bool
+ static int
+ select_idle_capacity(struct task_struct *p, struct sched_domain *sd, int target)
+ {
+- unsigned long task_util, best_cap = 0;
++ unsigned long task_util, util_min, util_max, best_cap = 0;
+ int cpu, best_cpu = -1;
+ struct cpumask *cpus;
+
+ cpus = this_cpu_cpumask_var_ptr(select_rq_mask);
+ cpumask_and(cpus, sched_domain_span(sd), p->cpus_ptr);
+
+- task_util = uclamp_task_util(p);
++ task_util = task_util_est(p);
++ util_min = uclamp_eff_value(p, UCLAMP_MIN);
++ util_max = uclamp_eff_value(p, UCLAMP_MAX);
+
+ for_each_cpu_wrap(cpu, cpus, target) {
+ unsigned long cpu_cap = capacity_of(cpu);
+
+ if (!available_idle_cpu(cpu) && !sched_idle_cpu(cpu))
+ continue;
+- if (fits_capacity(task_util, cpu_cap))
++ if (util_fits_cpu(task_util, util_min, util_max, cpu))
+ return cpu;
+
+ if (cpu_cap > best_cap) {
+--
+2.35.1
+
--- /dev/null
+From a136d13e9ccaf8f3e4e2cb85a83716c776ef3ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 15:36:02 +0100
+Subject: sched/uclamp: Make task_fits_capacity() use util_fits_cpu()
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit b48e16a69792b5dc4a09d6807369d11b2970cc36 ]
+
+So that the new uclamp rules in regard to migration margin and capacity
+pressure are taken into account correctly.
+
+Fixes: a7008c07a568 ("sched/fair: Make task_fits_capacity() consider uclamp restrictions")
+Co-developed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20220804143609.515789-3-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 26 ++++++++++++++++----------
+ kernel/sched/sched.h | 9 +++++++++
+ 2 files changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 4ccd21e9a29f..fd0eb93e1bbb 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4377,10 +4377,12 @@ static inline int util_fits_cpu(unsigned long util,
+ return fits;
+ }
+
+-static inline int task_fits_capacity(struct task_struct *p,
+- unsigned long capacity)
++static inline int task_fits_cpu(struct task_struct *p, int cpu)
+ {
+- return fits_capacity(uclamp_task_util(p), capacity);
++ unsigned long uclamp_min = uclamp_eff_value(p, UCLAMP_MIN);
++ unsigned long uclamp_max = uclamp_eff_value(p, UCLAMP_MAX);
++ unsigned long util = task_util_est(p);
++ return util_fits_cpu(util, uclamp_min, uclamp_max, cpu);
+ }
+
+ static inline void update_misfit_status(struct task_struct *p, struct rq *rq)
+@@ -4393,7 +4395,7 @@ static inline void update_misfit_status(struct task_struct *p, struct rq *rq)
+ return;
+ }
+
+- if (task_fits_capacity(p, capacity_of(cpu_of(rq)))) {
++ if (task_fits_cpu(p, cpu_of(rq))) {
+ rq->misfit_task_load = 0;
+ return;
+ }
+@@ -8231,7 +8233,7 @@ static int detach_tasks(struct lb_env *env)
+
+ case migrate_misfit:
+ /* This is not a misfit task */
+- if (task_fits_capacity(p, capacity_of(env->src_cpu)))
++ if (task_fits_cpu(p, env->src_cpu))
+ goto next;
+
+ env->imbalance = 0;
+@@ -9236,6 +9238,10 @@ static inline void update_sg_wakeup_stats(struct sched_domain *sd,
+
+ memset(sgs, 0, sizeof(*sgs));
+
++ /* Assume that task can't fit any CPU of the group */
++ if (sd->flags & SD_ASYM_CPUCAPACITY)
++ sgs->group_misfit_task_load = 1;
++
+ for_each_cpu(i, sched_group_span(group)) {
+ struct rq *rq = cpu_rq(i);
+ unsigned int local;
+@@ -9255,12 +9261,12 @@ static inline void update_sg_wakeup_stats(struct sched_domain *sd,
+ if (!nr_running && idle_cpu_without(i, p))
+ sgs->idle_cpus++;
+
+- }
++ /* Check if task fits in the CPU */
++ if (sd->flags & SD_ASYM_CPUCAPACITY &&
++ sgs->group_misfit_task_load &&
++ task_fits_cpu(p, i))
++ sgs->group_misfit_task_load = 0;
+
+- /* Check if task fits in the group */
+- if (sd->flags & SD_ASYM_CPUCAPACITY &&
+- !task_fits_capacity(p, group->sgc->max_capacity)) {
+- sgs->group_misfit_task_load = 1;
+ }
+
+ sgs->group_capacity = group->sgc->capacity;
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index f34b489636ff..1b8a5d791907 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -3044,6 +3044,15 @@ static inline bool uclamp_is_used(void)
+ return static_branch_likely(&sched_uclamp_used);
+ }
+ #else /* CONFIG_UCLAMP_TASK */
++static inline unsigned long uclamp_eff_value(struct task_struct *p,
++ enum uclamp_id clamp_id)
++{
++ if (clamp_id == UCLAMP_MIN)
++ return 0;
++
++ return SCHED_CAPACITY_SCALE;
++}
++
+ static inline
+ unsigned long uclamp_rq_util_with(struct rq *rq, unsigned long util,
+ struct task_struct *p)
+--
+2.35.1
+
--- /dev/null
+From 6066b817225078422c680f9f77f93152abf3e029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 13:29:49 -0700
+Subject: scsi: core: Fix a race between scsi_done() and scsi_timeout()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 978b7922d3dca672b41bb4b8ce6c06ab77112741 ]
+
+If there is a race between scsi_done() and scsi_timeout() and if
+scsi_timeout() loses the race, scsi_timeout() should not reset the request
+timer. Hence change the return value for this case from BLK_EH_RESET_TIMER
+into BLK_EH_DONE.
+
+Although the block layer holds a reference on a request (req->ref) while
+calling a timeout handler, restarting the timer (blk_add_timer()) while a
+request is being completed is racy.
+
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Cc: Keith Busch <kbusch@kernel.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: John Garry <john.garry@huawei.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Reported-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20221018202958.1902564-2-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_error.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index 448748e3fba5..f00212777f82 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -342,19 +342,11 @@ enum blk_eh_timer_return scsi_timeout(struct request *req)
+
+ if (rtn == BLK_EH_DONE) {
+ /*
+- * Set the command to complete first in order to prevent a real
+- * completion from releasing the command while error handling
+- * is using it. If the command was already completed, then the
+- * lower level driver beat the timeout handler, and it is safe
+- * to return without escalating error recovery.
+- *
+- * If timeout handling lost the race to a real completion, the
+- * block layer may ignore that due to a fake timeout injection,
+- * so return RESET_TIMER to allow error handling another shot
+- * at this command.
++ * If scsi_done() has already set SCMD_STATE_COMPLETE, do not
++ * modify *scmd.
+ */
+ if (test_and_set_bit(SCMD_STATE_COMPLETE, &scmd->state))
+- return BLK_EH_RESET_TIMER;
++ return BLK_EH_DONE;
+ if (scsi_abort_command(scmd) != SUCCESS) {
+ set_host_byte(scmd, DID_TIME_OUT);
+ scsi_eh_scmd_add(scmd);
+--
+2.35.1
+
--- /dev/null
+From 9cba95a82ce3236288632598849bc0f3189196e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 15:40:46 +0800
+Subject: scsi: efct: Fix possible memleak in efct_device_init()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit bb0cd225dd37df1f4a22e36dad59ff33178ecdfc ]
+
+In efct_device_init(), when efct_scsi_reg_fc_transport() fails,
+efct_scsi_tgt_driver_exit() is not called to release memory for
+efct_scsi_tgt_driver_init() and causes memleak:
+
+unreferenced object 0xffff8881020ce000 (size 2048):
+ comm "modprobe", pid 465, jiffies 4294928222 (age 55.872s)
+ backtrace:
+ [<0000000021a1ef1b>] kmalloc_trace+0x27/0x110
+ [<000000004c3ed51c>] target_register_template+0x4fd/0x7b0 [target_core_mod]
+ [<00000000f3393296>] efct_scsi_tgt_driver_init+0x18/0x50 [efct]
+ [<00000000115de533>] 0xffffffffc0d90011
+ [<00000000d608f646>] do_one_initcall+0xd0/0x4e0
+ [<0000000067828cf1>] do_init_module+0x1cc/0x6a0
+ ...
+
+Fixes: 4df84e846624 ("scsi: elx: efct: Driver initialization routines")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221111074046.57061-1-chenzhongjin@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/elx/efct/efct_driver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/elx/efct/efct_driver.c b/drivers/scsi/elx/efct/efct_driver.c
+index b08fc8839808..49fd2cfed70c 100644
+--- a/drivers/scsi/elx/efct/efct_driver.c
++++ b/drivers/scsi/elx/efct/efct_driver.c
+@@ -42,6 +42,7 @@ efct_device_init(void)
+
+ rc = efct_scsi_reg_fc_transport();
+ if (rc) {
++ efct_scsi_tgt_driver_exit();
+ pr_err("failed to register to FC host\n");
+ return rc;
+ }
+--
+2.35.1
+
--- /dev/null
+From b67fc730b8cd163cf9e3eaf60fd61e868598d2f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 09:19:06 -0700
+Subject: scsi: elx: libefc: Fix second parameter type in state callbacks
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 3d75e766b58a7410d4e835c534e1b4664a8f62d0 ]
+
+With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
+indirect call targets are validated against the expected function pointer
+prototype to make sure the call target is valid to help mitigate ROP
+attacks. If they are not identical, there is a failure at run time, which
+manifests as either a kernel panic or thread getting killed. A proposed
+warning in clang aims to catch these at compile time, which reveals:
+
+ drivers/scsi/elx/libefc/efc_node.c:811:22: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') from 'void (*)(struct efc_sm_ctx *, enum efc_sm_event, void *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ ctx->current_state = state;
+ ^ ~~~~~
+ drivers/scsi/elx/libefc/efc_node.c:878:21: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') from 'void (*)(struct efc_sm_ctx *, enum efc_sm_event, void *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ node->nodedb_state = state;
+ ^ ~~~~~
+ drivers/scsi/elx/libefc/efc_node.c:905:6: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, enum efc_sm_event, void *)' from 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') [-Werror,-Wincompatible-function-pointer-types-strict]
+ pf = node->nodedb_state;
+ ^ ~~~~~~~~~~~~~~~~~~
+
+ drivers/scsi/elx/libefc/efc_device.c:455:22: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') from 'void (struct efc_sm_ctx *, enum efc_sm_event, void *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ node->nodedb_state = __efc_d_init;
+ ^ ~~~~~~~~~~~~
+
+ drivers/scsi/elx/libefc/efc_sm.c:41:22: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') from 'void (*)(struct efc_sm_ctx *, enum efc_sm_event, void *)' [-Werror,-Wincompatible-function-pointer-types-strict]
+ ctx->current_state = state;
+ ^ ~~~~~
+
+The type of the second parameter in the prototypes of ->current_state() and
+->nodedb_state() ('u32') does not match the implementations, which have a
+second parameter type of 'enum efc_sm_event'. Update the prototypes to have
+the correct second parameter type, clearing up all the warnings and CFI
+failures.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1750
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20221102161906.2781508-1-nathan@kernel.org
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/elx/libefc/efclib.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/elx/libefc/efclib.h b/drivers/scsi/elx/libefc/efclib.h
+index dde20891c2dd..57e338612812 100644
+--- a/drivers/scsi/elx/libefc/efclib.h
++++ b/drivers/scsi/elx/libefc/efclib.h
+@@ -58,10 +58,12 @@ enum efc_node_send_ls_acc {
+ #define EFC_LINK_STATUS_UP 0
+ #define EFC_LINK_STATUS_DOWN 1
+
++enum efc_sm_event;
++
+ /* State machine context header */
+ struct efc_sm_ctx {
+ void (*current_state)(struct efc_sm_ctx *ctx,
+- u32 evt, void *arg);
++ enum efc_sm_event evt, void *arg);
+
+ const char *description;
+ void *app;
+@@ -365,7 +367,7 @@ struct efc_node {
+ int prev_evt;
+
+ void (*nodedb_state)(struct efc_sm_ctx *ctx,
+- u32 evt, void *arg);
++ enum efc_sm_event evt, void *arg);
+ struct timer_list gidpt_delay_timer;
+ u64 time_last_gidpt_msec;
+
+--
+2.35.1
+
--- /dev/null
+From 3316062ee91dac060948b28155139723a7402324 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 17:43:10 +0800
+Subject: scsi: fcoe: Fix possible name leak when device_register() fails
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 47b6a122c7b69a876c7ee2fc064a26b09627de9d ]
+
+If device_register() returns an error, the name allocated by dev_set_name()
+needs to be freed. As the comment of device_register() says, one should use
+put_device() to give up the reference in the error path. Fix this by
+calling put_device(), then the name can be freed in kobject_cleanup().
+
+The 'fcf' is freed in fcoe_fcf_device_release(), so the kfree() in the
+error path can be removed.
+
+The 'ctlr' is freed in fcoe_ctlr_device_release(), so don't use the error
+label, just return NULL after calling put_device().
+
+Fixes: 9a74e884ee71 ("[SCSI] libfcoe: Add fcoe_sysfs")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221112094310.3633291-1-yangyingliang@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/fcoe/fcoe_sysfs.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c
+index af658aa38fed..6260aa5ea6af 100644
+--- a/drivers/scsi/fcoe/fcoe_sysfs.c
++++ b/drivers/scsi/fcoe/fcoe_sysfs.c
+@@ -830,14 +830,15 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent,
+
+ dev_set_name(&ctlr->dev, "ctlr_%d", ctlr->id);
+ error = device_register(&ctlr->dev);
+- if (error)
+- goto out_del_q2;
++ if (error) {
++ destroy_workqueue(ctlr->devloss_work_q);
++ destroy_workqueue(ctlr->work_q);
++ put_device(&ctlr->dev);
++ return NULL;
++ }
+
+ return ctlr;
+
+-out_del_q2:
+- destroy_workqueue(ctlr->devloss_work_q);
+- ctlr->devloss_work_q = NULL;
+ out_del_q:
+ destroy_workqueue(ctlr->work_q);
+ ctlr->work_q = NULL;
+@@ -1036,16 +1037,16 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr,
+ fcf->selected = new_fcf->selected;
+
+ error = device_register(&fcf->dev);
+- if (error)
+- goto out_del;
++ if (error) {
++ put_device(&fcf->dev);
++ goto out;
++ }
+
+ fcf->state = FCOE_FCF_STATE_CONNECTED;
+ list_add_tail(&fcf->peers, &ctlr->fcfs);
+
+ return fcf;
+
+-out_del:
+- kfree(fcf);
+ out:
+ return NULL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 28d08b2951c6359ff825e67c0908a9ae486e6788 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 17:24:42 +0800
+Subject: scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 4155658cee394b22b24c6d64e49247bf26d95b92 ]
+
+fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when
+fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed
+&fcoe_sw_transport on fcoe_transports list. This causes panic when
+reinserting module.
+
+ BUG: unable to handle page fault for address: fffffbfff82e2213
+ RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe]
+ Call Trace:
+ <TASK>
+ do_one_initcall+0xd0/0x4e0
+ load_module+0x5eee/0x7210
+ ...
+
+Fixes: 78a582463c1e ("[SCSI] fcoe: convert fcoe.ko to become an fcoe transport provider driver")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221115092442.133088-1-chenzhongjin@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/fcoe/fcoe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c
+index 6ec296321ffc..38774a272e62 100644
+--- a/drivers/scsi/fcoe/fcoe.c
++++ b/drivers/scsi/fcoe/fcoe.c
+@@ -2491,6 +2491,7 @@ static int __init fcoe_init(void)
+
+ out_free:
+ mutex_unlock(&fcoe_config_mutex);
++ fcoe_transport_detach(&fcoe_sw_transport);
+ out_destroy:
+ destroy_workqueue(fcoe_wq);
+ return rc;
+--
+2.35.1
+
--- /dev/null
+From 5055db880d50e258a8c28860b1a76c62f34283dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 16:37:13 +0800
+Subject: scsi: hisi_sas: Fix SATA devices missing issue during I_T nexus reset
+
+From: Jie Zhan <zhanjie9@hisilicon.com>
+
+[ Upstream commit 3c2673a09cf1181318c07b7dbc1bc532ba3d33e3 ]
+
+SATA devices on an expander may be removed and not be found again when I_T
+nexus reset and revalidation are processed simultaneously.
+
+The issue comes from:
+
+ - Revalidation can remove SATA devices in link reset, e.g. in
+ hisi_sas_clear_nexus_ha().
+
+ - However, hisi_sas_debug_I_T_nexus_reset() polls the state of a SATA
+ device on an expander after sending link_reset, where it calls:
+ hisi_sas_debug_I_T_nexus_reset
+ sas_ata_wait_after_reset
+ ata_wait_after_reset
+ ata_wait_ready
+ smp_ata_check_ready
+ sas_ex_phy_discover
+ sas_ex_phy_discover_helper
+ sas_set_ex_phy
+
+ The ex_phy's change count is updated in sas_set_ex_phy(), so SATA
+ devices after a link reset may not be found later through revalidation.
+
+A similar issue was reported in:
+commit 0f3fce5cc77e ("[SCSI] libsas: fix ata_eh clobbering ex_phys via
+smp_ata_check_ready")
+commit 87c8331fcf72 ("[SCSI] libsas: prevent domain rediscovery competing
+with ata error handling").
+
+To address this issue, in hisi_sas_debug_I_T_nexus_reset(), we now call
+smp_ata_check_ready_type() that only polls the device type while not
+updating the ex_phy's data of libsas.
+
+Fixes: 71453bd9d1bf ("scsi: hisi_sas: Use sas_ata_wait_after_reset() in IT nexus reset")
+Signed-off-by: Jie Zhan <zhanjie9@hisilicon.com>
+Link: https://lore.kernel.org/r/20221118083714.4034612-5-zhanjie9@hisilicon.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index 33af5b8dede2..f4f9e5abee76 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -1701,13 +1701,15 @@ static int hisi_sas_debug_I_T_nexus_reset(struct domain_device *device)
+ return rc;
+ }
+
++ /* Remote phy */
+ if (rc)
+ return rc;
+
+- /* Remote phy */
+ if (dev_is_sata(device)) {
+- rc = sas_ata_wait_after_reset(device,
+- HISI_SAS_WAIT_PHYUP_TIMEOUT);
++ struct ata_link *link = &device->sata_dev.ap->link;
++
++ rc = ata_wait_after_reset(link, HISI_SAS_WAIT_PHYUP_TIMEOUT,
++ smp_ata_check_ready_type);
+ } else {
+ msleep(2000);
+ }
+--
+2.35.1
+
--- /dev/null
+From 514f361ec0c4f874bdd42459daf38f8a5d1c2569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 23:11:29 +0800
+Subject: scsi: hpsa: Fix error handling in hpsa_add_sas_host()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4ef174a3ad9b5d73c1b6573e244ebba2b0d86eac ]
+
+hpsa_sas_port_add_phy() does:
+ ...
+ sas_phy_add() -> may return error here
+ sas_port_add_phy()
+ ...
+
+Whereas hpsa_free_sas_phy() does:
+ ...
+ sas_port_delete_phy()
+ sas_phy_delete()
+ ...
+
+If hpsa_sas_port_add_phy() returns an error, hpsa_free_sas_phy() can not be
+called to free the memory because the port and the phy have not been added
+yet.
+
+Replace hpsa_free_sas_phy() with sas_phy_free() and kfree() to avoid kernel
+crash in this case.
+
+Fixes: d04e62b9d63a ("hpsa: add in sas transport class")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221110151129.394389-1-yangyingliang@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hpsa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 99dbb48fc94f..0feb58fe73d2 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -9790,7 +9790,8 @@ static int hpsa_add_sas_host(struct ctlr_info *h)
+ return 0;
+
+ free_sas_phy:
+- hpsa_free_sas_phy(hpsa_sas_phy);
++ sas_phy_free(hpsa_sas_phy->phy);
++ kfree(hpsa_sas_phy);
+ free_sas_port:
+ hpsa_free_sas_port(hpsa_sas_port);
+ free_sas_node:
+--
+2.35.1
+
--- /dev/null
+From 76a08bf806863d7f1fc2cdba85bb9c1e285e61c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 12:30:12 +0800
+Subject: scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit fda34a5d304d0b98cc967e8763b52221b66dc202 ]
+
+If hpsa_sas_port_add_rphy() returns an error, the 'rphy' allocated in
+sas_end_device_alloc() needs to be freed. Address this by calling
+sas_rphy_free() in the error path.
+
+Fixes: d04e62b9d63a ("hpsa: add in sas transport class")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221111043012.1074466-1-yangyingliang@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hpsa.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 0feb58fe73d2..796bc7aa6c8e 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -9827,10 +9827,12 @@ static int hpsa_add_sas_device(struct hpsa_sas_node *hpsa_sas_node,
+
+ rc = hpsa_sas_port_add_rphy(hpsa_sas_port, rphy);
+ if (rc)
+- goto free_sas_port;
++ goto free_sas_rphy;
+
+ return 0;
+
++free_sas_rphy:
++ sas_rphy_free(rphy);
+ free_sas_port:
+ hpsa_free_sas_port(hpsa_sas_port);
+ device->sas_port = NULL;
+--
+2.35.1
+
--- /dev/null
+From 71eab0c4de2c725b3a3da4ec2bff924494053f39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 01:57:51 +0000
+Subject: scsi: hpsa: Fix possible memory leak in hpsa_init_one()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 9c9ff300e0de07475796495d86f449340d454a0c ]
+
+The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in
+hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to
+clean1 directly, which frees h and leaks the h->reply_map.
+
+Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead
+free h directly.
+
+Fixes: 8b834bff1b73 ("scsi: hpsa: fix selection of reply queue")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221122015751.87284-1-yuancan@huawei.com
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index a47bcce3c9c7..99dbb48fc94f 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -8929,7 +8929,7 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ destroy_workqueue(h->monitor_ctlr_wq);
+ h->monitor_ctlr_wq = NULL;
+ }
+- kfree(h);
++ hpda_free_ctlr_info(h);
+ return rc;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 7152d31bbf21778828fdea4f55f51d70c8fbb6a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 14:45:13 +0800
+Subject: scsi: ipr: Fix WARNING in ipr_init()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit e6f108bffc3708ddcff72324f7d40dfcd0204894 ]
+
+ipr_init() will not call unregister_reboot_notifier() when
+pci_register_driver() fails, which causes a WARNING. Call
+unregister_reboot_notifier() when pci_register_driver() fails.
+
+notifier callback ipr_halt [ipr] already registered
+WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29
+notifier_chain_register+0x16d/0x230
+Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore
+led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm
+drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks
+agpgart cfbft
+CPU: 3 PID: 299 Comm: modprobe Tainted: G W
+6.1.0-rc1-00190-g39508d23b672-dirty #332
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
+RIP: 0010:notifier_chain_register+0x16d/0x230
+Call Trace:
+ <TASK>
+ __blocking_notifier_chain_register+0x73/0xb0
+ ipr_init+0x30/0x1000 [ipr]
+ do_one_initcall+0xdb/0x480
+ do_init_module+0x1cf/0x680
+ load_module+0x6a50/0x70a0
+ __do_sys_finit_module+0x12f/0x1c0
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: f72919ec2bbb ("[SCSI] ipr: implement shutdown changes and remove obsolete write cache parameter")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Link: https://lore.kernel.org/r/20221113064513.14028-1-shangxiaojing@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ipr.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index 9d01a3e3c26a..2022ffb45041 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -10872,11 +10872,19 @@ static struct notifier_block ipr_notifier = {
+ **/
+ static int __init ipr_init(void)
+ {
++ int rc;
++
+ ipr_info("IBM Power RAID SCSI Device Driver version: %s %s\n",
+ IPR_DRIVER_VERSION, IPR_DRIVER_DATE);
+
+ register_reboot_notifier(&ipr_notifier);
+- return pci_register_driver(&ipr_driver);
++ rc = pci_register_driver(&ipr_driver);
++ if (rc) {
++ unregister_reboot_notifier(&ipr_notifier);
++ return rc;
++ }
++
++ return 0;
+ }
+
+ /**
+--
+2.35.1
+
--- /dev/null
+From cb85f78d1c4dc44e0494bf472ba294db6f42a5bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 16:37:12 +0800
+Subject: scsi: libsas: Add smp_ata_check_ready_type()
+
+From: Jie Zhan <zhanjie9@hisilicon.com>
+
+[ Upstream commit 9181ce3cb5d96f0ee28246a857ca651830fa3746 ]
+
+Create function smp_ata_check_ready_type() for LLDDs to wait for SATA
+devices to come up after a link reset.
+
+Signed-off-by: Jie Zhan <zhanjie9@hisilicon.com>
+Link: https://lore.kernel.org/r/20221118083714.4034612-4-zhanjie9@hisilicon.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 3c2673a09cf1 ("scsi: hisi_sas: Fix SATA devices missing issue during I_T nexus reset")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_ata.c | 25 +++++++++++++++++++++++++
+ drivers/scsi/libsas/sas_expander.c | 4 ++--
+ drivers/scsi/libsas/sas_internal.h | 2 ++
+ include/scsi/sas_ata.h | 6 ++++++
+ 4 files changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
+index d35c9296f738..2fd55ef9ffca 100644
+--- a/drivers/scsi/libsas/sas_ata.c
++++ b/drivers/scsi/libsas/sas_ata.c
+@@ -287,6 +287,31 @@ static int sas_ata_clear_pending(struct domain_device *dev, struct ex_phy *phy)
+ return 1;
+ }
+
++int smp_ata_check_ready_type(struct ata_link *link)
++{
++ struct domain_device *dev = link->ap->private_data;
++ struct sas_phy *phy = sas_get_local_phy(dev);
++ struct domain_device *ex_dev = dev->parent;
++ enum sas_device_type type = SAS_PHY_UNUSED;
++ u8 sas_addr[SAS_ADDR_SIZE];
++ int res;
++
++ res = sas_get_phy_attached_dev(ex_dev, phy->number, sas_addr, &type);
++ sas_put_local_phy(phy);
++ if (res)
++ return res;
++
++ switch (type) {
++ case SAS_SATA_PENDING:
++ return 0;
++ case SAS_END_DEVICE:
++ return 1;
++ default:
++ return -ENODEV;
++ }
++}
++EXPORT_SYMBOL_GPL(smp_ata_check_ready_type);
++
+ static int smp_ata_check_ready(struct ata_link *link)
+ {
+ int res;
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 5ce251830104..63a23251fb1d 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -1693,8 +1693,8 @@ static int sas_get_phy_change_count(struct domain_device *dev,
+ return res;
+ }
+
+-static int sas_get_phy_attached_dev(struct domain_device *dev, int phy_id,
+- u8 *sas_addr, enum sas_device_type *type)
++int sas_get_phy_attached_dev(struct domain_device *dev, int phy_id,
++ u8 *sas_addr, enum sas_device_type *type)
+ {
+ int res;
+ struct smp_disc_resp *disc_resp;
+diff --git a/drivers/scsi/libsas/sas_internal.h b/drivers/scsi/libsas/sas_internal.h
+index 8d0ad3abc7b5..a94bd0790b05 100644
+--- a/drivers/scsi/libsas/sas_internal.h
++++ b/drivers/scsi/libsas/sas_internal.h
+@@ -84,6 +84,8 @@ struct domain_device *sas_ex_to_ata(struct domain_device *ex_dev, int phy_id);
+ int sas_ex_phy_discover(struct domain_device *dev, int single);
+ int sas_get_report_phy_sata(struct domain_device *dev, int phy_id,
+ struct smp_rps_resp *rps_resp);
++int sas_get_phy_attached_dev(struct domain_device *dev, int phy_id,
++ u8 *sas_addr, enum sas_device_type *type);
+ int sas_try_ata_reset(struct asd_sas_phy *phy);
+ void sas_hae_reset(struct work_struct *work);
+
+diff --git a/include/scsi/sas_ata.h b/include/scsi/sas_ata.h
+index a1df4f9d57a3..ec646217e7f6 100644
+--- a/include/scsi/sas_ata.h
++++ b/include/scsi/sas_ata.h
+@@ -35,6 +35,7 @@ void sas_ata_end_eh(struct ata_port *ap);
+ int sas_execute_ata_cmd(struct domain_device *device, u8 *fis,
+ int force_phy_id);
+ int sas_ata_wait_after_reset(struct domain_device *dev, unsigned long deadline);
++int smp_ata_check_ready_type(struct ata_link *link);
+ #else
+
+
+@@ -98,6 +99,11 @@ static inline int sas_ata_wait_after_reset(struct domain_device *dev,
+ {
+ return -ETIMEDOUT;
+ }
++
++static inline int smp_ata_check_ready_type(struct ata_link *link)
++{
++ return 0;
++}
+ #endif
+
+ #endif /* _SAS_ATA_H_ */
+--
+2.35.1
+
--- /dev/null
+From b19c314c5776bbd982fe09a5a07ecefbc5d4d384 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 09:43:20 -0700
+Subject: scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e ]
+
+During I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a
+hard lockup similar to the call trace below may occur.
+
+The spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer
+interrupts as expected, so change the strength of the spin lock to _irq.
+
+Kernel panic - not syncing: Hard LOCKUP
+CPU: 3 PID: 110402 Comm: cat Kdump: loaded
+
+exception RIP: native_queued_spin_lock_slowpath+91
+
+[IRQ stack]
+ native_queued_spin_lock_slowpath at ffffffffb814e30b
+ _raw_spin_lock at ffffffffb89a667a
+ lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc]
+ lpfc_cmf_timer at ffffffffc0abbc67 [lpfc]
+ __hrtimer_run_queues at ffffffffb8184250
+ hrtimer_interrupt at ffffffffb8184ab0
+ smp_apic_timer_interrupt at ffffffffb8a026ba
+ apic_timer_interrupt at ffffffffb8a01c4f
+[End of IRQ stack]
+
+ apic_timer_interrupt at ffffffffb8a01c4f
+ lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc]
+ lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc]
+ full_proxy_read at ffffffffb83e7fc3
+ vfs_read at ffffffffb833fe71
+ ksys_read at ffffffffb83402af
+ do_syscall_64 at ffffffffb800430b
+ entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20221017164323.14536-2-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 03c21167fc85..c4960da4c1c4 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -8076,10 +8076,10 @@ u32 lpfc_rx_monitor_report(struct lpfc_hba *phba,
+ "IO_cnt", "Info", "BWutil(ms)");
+ }
+
+- /* Needs to be _bh because record is called from timer interrupt
++ /* Needs to be _irq because record is called from timer interrupt
+ * context
+ */
+- spin_lock_bh(ring_lock);
++ spin_lock_irq(ring_lock);
+ while (*head_idx != *tail_idx) {
+ entry = &ring[*head_idx];
+
+@@ -8123,7 +8123,7 @@ u32 lpfc_rx_monitor_report(struct lpfc_hba *phba,
+ if (cnt >= max_read_entries)
+ break;
+ }
+- spin_unlock_bh(ring_lock);
++ spin_unlock_irq(ring_lock);
+
+ return cnt;
+ }
+--
+2.35.1
+
--- /dev/null
+From 04219da5e1d625681267614abaacdfb529d4a8b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 11:24:03 +0800
+Subject: scsi: mpt3sas: Fix possible resource leaks in
+ mpt3sas_transport_port_add()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 78316e9dfc24906dd474630928ed1d3c562b568e ]
+
+In mpt3sas_transport_port_add(), if sas_rphy_add() returns error,
+sas_rphy_free() needs be called to free the resource allocated in
+sas_end_device_alloc(). Otherwise a kernel crash will happen:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
+CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
+pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : device_del+0x54/0x3d0
+lr : device_del+0x37c/0x3d0
+Call trace:
+ device_del+0x54/0x3d0
+ attribute_container_class_device_del+0x28/0x38
+ transport_remove_classdev+0x6c/0x80
+ attribute_container_device_trigger+0x108/0x110
+ transport_remove_device+0x28/0x38
+ sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
+ sas_port_delete+0x30/0x148 [scsi_transport_sas]
+ do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
+ device_for_each_child+0x68/0xb0
+ sas_remove_children+0x30/0x50 [scsi_transport_sas]
+ sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
+ sas_port_delete+0x30/0x148 [scsi_transport_sas]
+ do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
+ device_for_each_child+0x68/0xb0
+ sas_remove_children+0x30/0x50 [scsi_transport_sas]
+ sas_remove_host+0x20/0x38 [scsi_transport_sas]
+ scsih_remove+0xd8/0x420 [mpt3sas]
+
+Because transport_add_device() is not called when sas_rphy_add() fails, the
+device is not added. When sas_rphy_remove() is subsequently called to
+remove the device in the remove() path, a NULL pointer dereference happens.
+
+Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221109032403.1636422-1-yangyingliang@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_transport.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+index 0681daee6c14..e5ecd6ada6cd 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+@@ -829,6 +829,8 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ if ((sas_rphy_add(rphy))) {
+ ioc_err(ioc, "failure at %s:%d/%s()!\n",
+ __FILE__, __LINE__, __func__);
++ sas_rphy_free(rphy);
++ rphy = NULL;
+ }
+
+ if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
+--
+2.35.1
+
--- /dev/null
+From 1a0ab4cdc96e111f969064d20db0050080983a6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 15:48:18 -0700
+Subject: scsi: qla2xxx: Fix set-but-not-used variable warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 4fb2169d66b837a2986f569f5d5b81f79e6e4a4c ]
+
+Fix the following two compiler warnings:
+
+drivers/scsi/qla2xxx/qla_init.c: In function ‘qla24xx_async_abort_cmd’:
+drivers/scsi/qla2xxx/qla_init.c:171:17: warning: variable ‘bail’ set but not used [-Wunused-but-set-variable]
+ 171 | uint8_t bail;
+ | ^~~~
+drivers/scsi/qla2xxx/qla_init.c: In function ‘qla2x00_async_tm_cmd’:
+drivers/scsi/qla2xxx/qla_init.c:2023:17: warning: variable ‘bail’ set but not used [-Wunused-but-set-variable]
+ 2023 | uint8_t bail;
+ | ^~~~
+
+Cc: Arun Easi <arun.easi@qlogic.com>
+Cc: Giridhar Malavali <giridhar.malavali@qlogic.com>
+Fixes: feafb7b1714c ("[SCSI] qla2xxx: Fix vport delete issues")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20221031224818.2607882-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h | 22 +++++++++++-----------
+ drivers/scsi/qla2xxx/qla_init.c | 6 ++----
+ drivers/scsi/qla2xxx/qla_inline.h | 4 +---
+ drivers/scsi/qla2xxx/qla_os.c | 4 +---
+ 4 files changed, 15 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
+index 3ec6a200942e..01ca440ce620 100644
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -5129,17 +5129,17 @@ struct secure_flash_update_block_pk {
+ (test_bit(ISP_ABORT_NEEDED, &ha->dpc_flags) || \
+ test_bit(LOOP_RESYNC_NEEDED, &ha->dpc_flags))
+
+-#define QLA_VHA_MARK_BUSY(__vha, __bail) do { \
+- atomic_inc(&__vha->vref_count); \
+- mb(); \
+- if (__vha->flags.delete_progress) { \
+- atomic_dec(&__vha->vref_count); \
+- wake_up(&__vha->vref_waitq); \
+- __bail = 1; \
+- } else { \
+- __bail = 0; \
+- } \
+-} while (0)
++static inline bool qla_vha_mark_busy(scsi_qla_host_t *vha)
++{
++ atomic_inc(&vha->vref_count);
++ mb();
++ if (vha->flags.delete_progress) {
++ atomic_dec(&vha->vref_count);
++ wake_up(&vha->vref_waitq);
++ return true;
++ }
++ return false;
++}
+
+ #define QLA_VHA_MARK_NOT_BUSY(__vha) do { \
+ atomic_dec(&__vha->vref_count); \
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index e7fe0e52c11d..11598edfb39b 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -168,7 +168,6 @@ int qla24xx_async_abort_cmd(srb_t *cmd_sp, bool wait)
+ struct srb_iocb *abt_iocb;
+ srb_t *sp;
+ int rval = QLA_FUNCTION_FAILED;
+- uint8_t bail;
+
+ /* ref: INIT for ABTS command */
+ sp = qla2xxx_get_qpair_sp(cmd_sp->vha, cmd_sp->qpair, cmd_sp->fcport,
+@@ -176,7 +175,7 @@ int qla24xx_async_abort_cmd(srb_t *cmd_sp, bool wait)
+ if (!sp)
+ return QLA_MEMORY_ALLOC_FAILED;
+
+- QLA_VHA_MARK_BUSY(vha, bail);
++ qla_vha_mark_busy(vha);
+ abt_iocb = &sp->u.iocb_cmd;
+ sp->type = SRB_ABT_CMD;
+ sp->name = "abort";
+@@ -2020,14 +2019,13 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun,
+ struct srb_iocb *tm_iocb;
+ srb_t *sp;
+ int rval = QLA_FUNCTION_FAILED;
+- uint8_t bail;
+
+ /* ref: INIT */
+ sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL);
+ if (!sp)
+ goto done;
+
+- QLA_VHA_MARK_BUSY(vha, bail);
++ qla_vha_mark_busy(vha);
+ sp->type = SRB_TM_CMD;
+ sp->name = "tmf";
+ qla2x00_init_async_sp(sp, qla2x00_get_async_timeout(vha),
+diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h
+index db17f7f410cd..5185dc5daf80 100644
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -225,11 +225,9 @@ static inline srb_t *
+ qla2x00_get_sp(scsi_qla_host_t *vha, fc_port_t *fcport, gfp_t flag)
+ {
+ srb_t *sp = NULL;
+- uint8_t bail;
+ struct qla_qpair *qpair;
+
+- QLA_VHA_MARK_BUSY(vha, bail);
+- if (unlikely(bail))
++ if (unlikely(qla_vha_mark_busy(vha)))
+ return NULL;
+
+ qpair = vha->hw->base_qpair;
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 1c7fb6484db2..5e5d1a6c51d5 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -5039,13 +5039,11 @@ struct qla_work_evt *
+ qla2x00_alloc_work(struct scsi_qla_host *vha, enum qla_work_type type)
+ {
+ struct qla_work_evt *e;
+- uint8_t bail;
+
+ if (test_bit(UNLOADING, &vha->dpc_flags))
+ return NULL;
+
+- QLA_VHA_MARK_BUSY(vha, bail);
+- if (bail)
++ if (qla_vha_mark_busy(vha))
+ return NULL;
+
+ e = kzalloc(sizeof(struct qla_work_evt), GFP_ATOMIC);
+--
+2.35.1
+
--- /dev/null
+From a254789cd2e10d6e5d6a01c8262b954a67572893 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 23:06:12 -0800
+Subject: scsi: scsi_debug: Fix a warning in resp_report_zones()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 07f2ca139d9a7a1ba71c4c03997c8de161db2346 ]
+
+As 'alloc_len' is user controlled data, if user tries to allocate memory
+larger than(>=) MAX_ORDER, then kcalloc() will fail, it creates a stack
+trace and messes up dmesg with a warning.
+
+Add __GFP_NOWARN in order to avoid too large allocation warning. This is
+detected by static analysis using smatch.
+
+Fixes: 7db0e0c8190a ("scsi: scsi_debug: Fix buffer size of REPORT ZONES command")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20221112070612.2121535-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 077782eb55e7..3452fef3f749 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -4504,7 +4504,7 @@ static int resp_report_zones(struct scsi_cmnd *scp,
+
+ rep_max_zones = (alloc_len - 64) >> ilog2(RZONES_DESC_HD);
+
+- arr = kzalloc(alloc_len, GFP_ATOMIC);
++ arr = kzalloc(alloc_len, GFP_ATOMIC | __GFP_NOWARN);
+ if (!arr) {
+ mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
+ INSUFF_RES_ASCQ);
+--
+2.35.1
+
--- /dev/null
+From ca1cae46e6a427dede9475011003c379f3a55ab3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 23:00:31 -0800
+Subject: scsi: scsi_debug: Fix a warning in resp_verify()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit ed0f17b748b20271cb568c7ca0b23b120316a47d ]
+
+As 'vnum' is controlled by user, so if user tries to allocate memory larger
+than(>=) MAX_ORDER, then kcalloc() will fail, it creates a stack trace and
+messes up dmesg with a warning.
+
+Add __GFP_NOWARN in order to avoid too large allocation warning. This is
+detected by static analysis using smatch.
+
+Fixes: c3e2fe9222d4 ("scsi: scsi_debug: Implement VERIFY(10), add VERIFY(16)")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20221112070031.2121068-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 1355820b9733..077782eb55e7 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -4436,7 +4436,7 @@ static int resp_verify(struct scsi_cmnd *scp, struct sdebug_dev_info *devip)
+ if (ret)
+ return ret;
+
+- arr = kcalloc(lb_size, vnum, GFP_ATOMIC);
++ arr = kcalloc(lb_size, vnum, GFP_ATOMIC | __GFP_NOWARN);
+ if (!arr) {
+ mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
+ INSUFF_RES_ASCQ);
+--
+2.35.1
+
--- /dev/null
+From 855ffae1997fdc0d03179b45ba22f6ba2344ce3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 02:05:25 -0800
+Subject: scsi: scsi_debug: Fix a warning in resp_write_scat()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 216e179724c1d9f57a8ababf8bd7aaabef67f01b ]
+
+As 'lbdof_blen' is coming from user, if the size in kzalloc() is >=
+MAX_ORDER then we hit a warning.
+
+Call trace:
+
+sg_ioctl
+ sg_ioctl_common
+ scsi_ioctl
+ sg_scsi_ioctl
+ blk_execute_rq
+ blk_mq_sched_insert_request
+ blk_mq_run_hw_queue
+ __blk_mq_delay_run_hw_queue
+ __blk_mq_run_hw_queue
+ blk_mq_sched_dispatch_requests
+ __blk_mq_sched_dispatch_requests
+ blk_mq_dispatch_rq_list
+ scsi_queue_rq
+ scsi_dispatch_cmd
+ scsi_debug_queuecommand
+ schedule_resp
+ resp_write_scat
+
+If you try to allocate a memory larger than(>=) MAX_ORDER, then kmalloc()
+will definitely fail. It creates a stack trace and messes up dmesg. The
+user controls the size here so if they specify a too large size it will
+fail.
+
+Add __GFP_NOWARN in order to avoid too large allocation warning. This is
+detected by static analysis using smatch.
+
+Fixes: 481b5e5c7949 ("scsi: scsi_debug: add resp_write_scat function")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20221111100526.1790533-1-harshit.m.mogalapalli@oracle.com
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 7346098c1c68..1355820b9733 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -3785,7 +3785,7 @@ static int resp_write_scat(struct scsi_cmnd *scp,
+ mk_sense_buffer(scp, ILLEGAL_REQUEST, INVALID_FIELD_IN_CDB, 0);
+ return illegal_condition_result;
+ }
+- lrdp = kzalloc(lbdof_blen, GFP_ATOMIC);
++ lrdp = kzalloc(lbdof_blen, GFP_ATOMIC | __GFP_NOWARN);
+ if (lrdp == NULL)
+ return SCSI_MLQUEUE_HOST_BUSY;
+ if (sdebug_verbose)
+--
+2.35.1
+
--- /dev/null
+From 4255f2a862aec01e33953837adb7782cac12e126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 21:10:10 +0800
+Subject: scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e6d773f93a49e0eda88a903a2a6542ca83380eb1 ]
+
+Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id
+string array"), the name of device is allocated dynamically, it needs be
+freed when device_register() returns error.
+
+As comment of device_register() says, one should use put_device() to give
+up the reference in the error path. Fix this by calling put_device(), then
+the name can be freed in kobject_cleanup(), and sdbg_host is freed in
+sdebug_release_adapter().
+
+When the device release is not set, it means the device is not initialized.
+We can not call put_device() in this case. Use kfree() to free memory.
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221112131010.3757845-1-yangyingliang@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 3452fef3f749..34eb0a9355bc 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -7340,7 +7340,10 @@ static int sdebug_add_host_helper(int per_host_idx)
+ kfree(sdbg_devinfo->zstate);
+ kfree(sdbg_devinfo);
+ }
+- kfree(sdbg_host);
++ if (sdbg_host->dev.release)
++ put_device(&sdbg_host->dev);
++ else
++ kfree(sdbg_host);
+ pr_warn("%s: failed, errno=%d\n", __func__, -error);
+ return error;
+ }
+--
+2.35.1
+
--- /dev/null
+From 8704a55e8f24656b94d9e0c74317f7b1e7c191c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 13:21:43 -0600
+Subject: scsi: smartpqi: Add new controller PCI IDs
+
+From: Mike McGowen <mike.mcgowen@microchip.com>
+
+[ Upstream commit 0b93cf2a9097b1c3d75642ef878ba87f15f03043 ]
+
+All PCI ID entries in Hex.
+Add PCI IDs for ByteDance controllers:
+ VID / DID / SVID / SDID
+ ---- ---- ---- ----
+ ByteHBA JGH43024-8 9005 / 028f / 1e93 / 1000
+ ByteHBA JGH43034-8 9005 / 028f / 1e93 / 1001
+ ByteHBA JGH44014-8 9005 / 028f / 1e93 / 1002
+
+Add PCI IDs for new Inspur controllers:
+ VID / DID / SVID / SDID
+ ---- ---- ---- ----
+ INSPUR RT0800M7E 9005 / 028f / 1bd4 / 0086
+ INSPUR RT0800M7H 9005 / 028f / 1bd4 / 0087
+ INSPUR RT0804M7R 9005 / 028f / 1bd4 / 0088
+ INSPUR RT0808M7R 9005 / 028f / 1bd4 / 0089
+
+Add PCI IDs for new FAB A controllers:
+ VID / DID / SVID / SDID
+ ---- ---- ---- ----
+ Adaptec SmartRAID 3254-16e /e 9005 / 028f / 9005 / 1475
+ Adaptec HBA 1200-16e 9005 / 028f / 9005 / 14c3
+ Adaptec HBA 1200-8e 9005 / 028f / 9005 / 14c4
+
+Add H3C controller PCI IDs:
+ VID / DID / SVID / SDID
+ ---- ---- ---- ----
+ H3C H4508-Mf-8i 9005 / 028f / 193d / 110b
+
+Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
+Reviewed-by: Scott Teel <scott.teel@microchip.com>
+Signed-off-by: Mike McGowen <mike.mcgowen@microchip.com>
+Signed-off-by: Don Brace <don.brace@microchip.com>
+Link: https://lore.kernel.org/r/166793530327.322537.6056884426657539311.stgit@brunhilda
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 44 +++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 7a8c2c75acba..898b0054cfa1 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -9302,6 +9302,10 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ 0x193d, 0x1109)
+ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ 0x193d, 0x110b)
++ },
+ {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ 0x193d, 0x8460)
+@@ -9402,6 +9406,22 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ 0x1bd4, 0x0072)
+ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ 0x1bd4, 0x0086)
++ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ 0x1bd4, 0x0087)
++ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ 0x1bd4, 0x0088)
++ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ 0x1bd4, 0x0089)
++ },
+ {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ 0x19e5, 0xd227)
+@@ -9650,6 +9670,10 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ PCI_VENDOR_ID_ADAPTEC2, 0x1474)
+ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ PCI_VENDOR_ID_ADAPTEC2, 0x1475)
++ },
+ {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ PCI_VENDOR_ID_ADAPTEC2, 0x1480)
+@@ -9706,6 +9730,14 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ PCI_VENDOR_ID_ADAPTEC2, 0x14c2)
+ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ PCI_VENDOR_ID_ADAPTEC2, 0x14c3)
++ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ PCI_VENDOR_ID_ADAPTEC2, 0x14c4)
++ },
+ {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ PCI_VENDOR_ID_ADAPTEC2, 0x14d0)
+@@ -9942,6 +9974,18 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ PCI_VENDOR_ID_LENOVO, 0x0623)
+ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ 0x1e93, 0x1000)
++ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ 0x1e93, 0x1001)
++ },
++ {
++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++ 0x1e93, 0x1002)
++ },
+ {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ PCI_ANY_ID, PCI_ANY_ID)
+--
+2.35.1
+
--- /dev/null
+From 69521cb457a616d9b14a70649bce394b1b72435a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 13:21:58 -0600
+Subject: scsi: smartpqi: Correct device removal for multi-actuator devices
+
+From: Kumar Meiyappan <Kumar.Meiyappan@microchip.com>
+
+[ Upstream commit cc9befcbbb5ebce77726f938508700d913530035 ]
+
+Correct device count for multi-actuator drives which can cause kernel
+panics.
+
+Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
+Reviewed-by: Scott Teel <scott.teel@microchip.com>
+Reviewed-by: Mike Mcgowan <mike.mcgowan@microchip.com>
+Reviewed-by: Kevin Barnett <kevin.barnett@microchip.com>
+Signed-off-by: Kumar Meiyappan <Kumar.Meiyappan@microchip.com>
+Signed-off-by: Don Brace <don.brace@microchip.com>
+Link: https://lore.kernel.org/r/166793531872.322537.9003385780343419275.stgit@brunhilda
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi.h | 2 +-
+ drivers/scsi/smartpqi/smartpqi_init.c | 33 +++++++++++++++++++--------
+ 2 files changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi.h b/drivers/scsi/smartpqi/smartpqi.h
+index e550b12e525a..c8235f15728b 100644
+--- a/drivers/scsi/smartpqi/smartpqi.h
++++ b/drivers/scsi/smartpqi/smartpqi.h
+@@ -1130,7 +1130,7 @@ struct pqi_scsi_dev {
+ u8 phy_id;
+ u8 ncq_prio_enable;
+ u8 ncq_prio_support;
+- u8 multi_lun_device_lun_count;
++ u8 lun_count;
+ bool raid_bypass_configured; /* RAID bypass configured */
+ bool raid_bypass_enabled; /* RAID bypass enabled */
+ u32 next_bypass_group[RAID_MAP_MAX_DATA_DISKS_PER_ROW];
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 898b0054cfa1..e011d82172d5 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -1610,9 +1610,7 @@ static int pqi_get_physical_device_info(struct pqi_ctrl_info *ctrl_info,
+ &id_phys->alternate_paths_phys_connector,
+ sizeof(device->phys_connector));
+ device->bay = id_phys->phys_bay_in_box;
+- device->multi_lun_device_lun_count = id_phys->multi_lun_device_lun_count;
+- if (!device->multi_lun_device_lun_count)
+- device->multi_lun_device_lun_count = 1;
++ device->lun_count = id_phys->multi_lun_device_lun_count;
+ if ((id_phys->even_more_flags & PQI_DEVICE_PHY_MAP_SUPPORTED) &&
+ id_phys->phy_count)
+ device->phy_id =
+@@ -1746,7 +1744,7 @@ static bool pqi_keep_device_offline(struct pqi_ctrl_info *ctrl_info,
+ return offline;
+ }
+
+-static int pqi_get_device_info(struct pqi_ctrl_info *ctrl_info,
++static int pqi_get_device_info_phys_logical(struct pqi_ctrl_info *ctrl_info,
+ struct pqi_scsi_dev *device,
+ struct bmic_identify_physical_device *id_phys)
+ {
+@@ -1763,6 +1761,20 @@ static int pqi_get_device_info(struct pqi_ctrl_info *ctrl_info,
+ return rc;
+ }
+
++static int pqi_get_device_info(struct pqi_ctrl_info *ctrl_info,
++ struct pqi_scsi_dev *device,
++ struct bmic_identify_physical_device *id_phys)
++{
++ int rc;
++
++ rc = pqi_get_device_info_phys_logical(ctrl_info, device, id_phys);
++
++ if (rc == 0 && device->lun_count == 0)
++ device->lun_count = 1;
++
++ return rc;
++}
++
+ static void pqi_show_volume_status(struct pqi_ctrl_info *ctrl_info,
+ struct pqi_scsi_dev *device)
+ {
+@@ -1897,7 +1909,7 @@ static inline void pqi_remove_device(struct pqi_ctrl_info *ctrl_info, struct pqi
+ int rc;
+ int lun;
+
+- for (lun = 0; lun < device->multi_lun_device_lun_count; lun++) {
++ for (lun = 0; lun < device->lun_count; lun++) {
+ rc = pqi_device_wait_for_pending_io(ctrl_info, device, lun,
+ PQI_REMOVE_DEVICE_PENDING_IO_TIMEOUT_MSECS);
+ if (rc)
+@@ -2076,6 +2088,7 @@ static void pqi_scsi_update_device(struct pqi_ctrl_info *ctrl_info,
+ existing_device->sas_address = new_device->sas_address;
+ existing_device->queue_depth = new_device->queue_depth;
+ existing_device->device_offline = false;
++ existing_device->lun_count = new_device->lun_count;
+
+ if (pqi_is_logical_device(existing_device)) {
+ existing_device->is_external_raid_device = new_device->is_external_raid_device;
+@@ -2108,10 +2121,6 @@ static void pqi_scsi_update_device(struct pqi_ctrl_info *ctrl_info,
+ existing_device->phy_connected_dev_type = new_device->phy_connected_dev_type;
+ memcpy(existing_device->box, new_device->box, sizeof(existing_device->box));
+ memcpy(existing_device->phys_connector, new_device->phys_connector, sizeof(existing_device->phys_connector));
+-
+- existing_device->multi_lun_device_lun_count = new_device->multi_lun_device_lun_count;
+- if (existing_device->multi_lun_device_lun_count == 0)
+- existing_device->multi_lun_device_lun_count = 1;
+ }
+ }
+
+@@ -6484,6 +6493,12 @@ static void pqi_slave_destroy(struct scsi_device *sdev)
+ return;
+ }
+
++ device->lun_count--;
++ if (device->lun_count > 0) {
++ mutex_unlock(&ctrl_info->scan_mutex);
++ return;
++ }
++
+ spin_lock_irqsave(&ctrl_info->scsi_device_list_lock, flags);
+ list_del(&device->scsi_device_list_entry);
+ spin_unlock_irqrestore(&ctrl_info->scsi_device_list_lock, flags);
+--
+2.35.1
+
--- /dev/null
+From 0d2f90611bb8be773c97db4d183b156938ff6495 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:51:00 +0800
+Subject: scsi: snic: Fix possible UAF in snic_tgt_create()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit e118df492320176af94deec000ae034cc92be754 ]
+
+Smatch reports a warning as follows:
+
+drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:
+ '&tgt->list' not removed from list
+
+If device_add() fails in snic_tgt_create(), tgt will be freed, but
+tgt->list will not be removed from snic->disc.tgt_list, then list traversal
+may cause UAF.
+
+Remove from snic->disc.tgt_list before free().
+
+Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221117035100.2944812-1-cuigaosheng1@huawei.com
+Acked-by: Narsimhulu Musini <nmusini@cisco.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/snic/snic_disc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c
+index 9b2b5f8c23b9..8fbf3c1b1311 100644
+--- a/drivers/scsi/snic/snic_disc.c
++++ b/drivers/scsi/snic/snic_disc.c
+@@ -304,6 +304,9 @@ snic_tgt_create(struct snic *snic, struct snic_tgt_id *tgtid)
+ ret);
+
+ put_device(&snic->shost->shost_gendev);
++ spin_lock_irqsave(snic->shost->host_lock, flags);
++ list_del(&tgt->list);
++ spin_unlock_irqrestore(snic->shost->host_lock, flags);
+ kfree(tgt);
+ tgt = NULL;
+
+--
+2.35.1
+
--- /dev/null
+From 5209e626d5f2411c820e4d6aa152452c8abfe9f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 13:56:38 +0100
+Subject: scsi: target: iscsi: Fix a race condition between login_work and the
+ login thread
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit fec1b2fa62c162d03f5dcd7b03e3c89d3116d49f ]
+
+In case a malicious initiator sends some random data immediately after a
+login PDU; the iscsi_target_sk_data_ready() callback will schedule the
+login_work and, at the same time, the negotiation may end without clearing
+the LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are
+required to complete the login).
+
+The login has been completed but the login_work function will find the
+LOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling
+itself; at this point, if the initiator drops the connection, the
+iscsit_conn structure will be freed, login_work will dereference a released
+socket structure and the kernel crashes.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000230
+PF: supervisor write access in kernel mode
+PF: error_code(0x0002) - not-present page
+Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
+RIP: 0010:_raw_read_lock_bh+0x15/0x30
+Call trace:
+ iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod]
+ process_one_work+0x1e8/0x3c0
+
+Fix this bug by forcing login_work to stop after the login has been
+completed and the socket callbacks have been restored.
+
+Add a comment to clearify the return values of iscsi_target_do_login()
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20221115125638.102517-1-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_nego.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
+index f2919319ad38..ff49c8f3fe24 100644
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -1018,6 +1018,13 @@ static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_lo
+ return 0;
+ }
+
++/*
++ * RETURN VALUE:
++ *
++ * 1 = Login successful
++ * -1 = Login failed
++ * 0 = More PDU exchanges required
++ */
+ static int iscsi_target_do_login(struct iscsit_conn *conn, struct iscsi_login *login)
+ {
+ int pdu_count = 0;
+@@ -1363,12 +1370,13 @@ int iscsi_target_start_negotiation(
+ ret = -1;
+
+ if (ret < 0) {
+- cancel_delayed_work_sync(&conn->login_work);
+ iscsi_target_restore_sock_callbacks(conn);
+ iscsi_remove_failed_auth_entry(conn);
+ }
+- if (ret != 0)
++ if (ret != 0) {
++ cancel_delayed_work_sync(&conn->login_work);
+ iscsi_target_nego_release(conn);
++ }
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From b0d314e68cc5c8bc92fe01ce8112358405d0f39d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 15:37:03 -0800
+Subject: scsi: ufs: core: Fix the polling implementation
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit ee8c88cab4afbd5ee10a127d6cbecd6b200185a5 ]
+
+Fix the following issues in ufshcd_poll():
+
+ - If polling succeeds, return a positive value.
+
+ - Do not complete polling requests from interrupt context because the
+ block layer expects these requests to be completed from thread
+ context. From block/bio.c:
+
+ If REQ_ALLOC_CACHE is set, the final put of the bio MUST be done from
+ process context, not hard/soft IRQ.
+
+Fixes: eaab9b573054 ("scsi: ufs: Implement polling support")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20221118233717.441298-1-bvanassche@acm.org
+Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 28 ++++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index a202d7d5240d..9a7eae79d32d 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -5378,6 +5378,26 @@ static void __ufshcd_transfer_req_compl(struct ufs_hba *hba,
+ }
+ }
+
++/* Any value that is not an existing queue number is fine for this constant. */
++enum {
++ UFSHCD_POLL_FROM_INTERRUPT_CONTEXT = -1
++};
++
++static void ufshcd_clear_polled(struct ufs_hba *hba,
++ unsigned long *completed_reqs)
++{
++ int tag;
++
++ for_each_set_bit(tag, completed_reqs, hba->nutrs) {
++ struct scsi_cmnd *cmd = hba->lrb[tag].cmd;
++
++ if (!cmd)
++ continue;
++ if (scsi_cmd_to_rq(cmd)->cmd_flags & REQ_POLLED)
++ __clear_bit(tag, completed_reqs);
++ }
++}
++
+ /*
+ * Returns > 0 if one or more commands have been completed or 0 if no
+ * requests have been completed.
+@@ -5394,13 +5414,17 @@ static int ufshcd_poll(struct Scsi_Host *shost, unsigned int queue_num)
+ WARN_ONCE(completed_reqs & ~hba->outstanding_reqs,
+ "completed: %#lx; outstanding: %#lx\n", completed_reqs,
+ hba->outstanding_reqs);
++ if (queue_num == UFSHCD_POLL_FROM_INTERRUPT_CONTEXT) {
++ /* Do not complete polled requests from interrupt context. */
++ ufshcd_clear_polled(hba, &completed_reqs);
++ }
+ hba->outstanding_reqs &= ~completed_reqs;
+ spin_unlock_irqrestore(&hba->outstanding_lock, flags);
+
+ if (completed_reqs)
+ __ufshcd_transfer_req_compl(hba, completed_reqs);
+
+- return completed_reqs;
++ return completed_reqs != 0;
+ }
+
+ /**
+@@ -5431,7 +5455,7 @@ static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba)
+ * Ignore the ufshcd_poll() return value and return IRQ_HANDLED since we
+ * do not want polling to trigger spurious interrupt complaints.
+ */
+- ufshcd_poll(hba->host, 0);
++ ufshcd_poll(hba->host, UFSHCD_POLL_FROM_INTERRUPT_CONTEXT);
+
+ return IRQ_HANDLED;
+ }
+--
+2.35.1
+
--- /dev/null
+From 310a6c3f6f88f63b79d9e9329fac08e08b53c69e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 13:29:54 -0700
+Subject: scsi: ufs: Reduce the START STOP UNIT timeout
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit dcd5b7637c6d442d957f73780a03047413ed3a10 ]
+
+Reduce the START STOP UNIT command timeout to one second since on Android
+devices a kernel panic is triggered if an attempt to suspend the system
+takes more than 20 seconds. One second should be enough for the START STOP
+UNIT command since this command completes in less than a millisecond for
+the UFS devices I have access to.
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20221018202958.1902564-7-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 9a7eae79d32d..bda89f988859 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -8765,8 +8765,6 @@ static int ufshcd_set_dev_pwr_mode(struct ufs_hba *hba,
+ struct scsi_device *sdp;
+ unsigned long flags;
+ int ret, retries;
+- unsigned long deadline;
+- int32_t remaining;
+
+ spin_lock_irqsave(hba->host->host_lock, flags);
+ sdp = hba->ufs_device_wlun;
+@@ -8799,14 +8797,9 @@ static int ufshcd_set_dev_pwr_mode(struct ufs_hba *hba,
+ * callbacks hence set the RQF_PM flag so that it doesn't resume the
+ * already suspended childs.
+ */
+- deadline = jiffies + 10 * HZ;
+ for (retries = 3; retries > 0; --retries) {
+- ret = -ETIMEDOUT;
+- remaining = deadline - jiffies;
+- if (remaining <= 0)
+- break;
+ ret = scsi_execute(sdp, cmd, DMA_NONE, NULL, 0, NULL, &sshdr,
+- remaining / HZ, 0, 0, RQF_PM, NULL);
++ HZ, 0, 0, RQF_PM, NULL);
+ if (!scsi_status_is_check_condition(ret) ||
+ !scsi_sense_valid(&sshdr) ||
+ sshdr.sense_key != UNIT_ATTENTION)
+--
+2.35.1
+
--- /dev/null
+From 84481a9e69fdb13284335256844c4472dbd37a73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 13:48:54 +0800
+Subject: sctp: sysctl: make extra pointers netns aware
+
+From: Firo Yang <firo.yang@suse.com>
+
+[ Upstream commit da05cecc4939c0410d56c29e252998b192756318 ]
+
+Recently, a customer reported that from their container whose
+net namespace is different to the host's init_net, they can't set
+the container's net.sctp.rto_max to any value smaller than
+init_net.sctp.rto_min.
+
+For instance,
+Host:
+sudo sysctl net.sctp.rto_min
+net.sctp.rto_min = 1000
+
+Container:
+echo 100 > /mnt/proc-net/sctp/rto_min
+echo 400 > /mnt/proc-net/sctp/rto_max
+echo: write error: Invalid argument
+
+This is caused by the check made from this'commit 4f3fdf3bc59c
+("sctp: add check rto_min and rto_max in sysctl")'
+When validating the input value, it's always referring the boundary
+value set for the init_net namespace.
+
+Having container's rto_max smaller than host's init_net.sctp.rto_min
+does make sense. Consider that the rto between two containers on the
+same host is very likely smaller than it for two hosts.
+
+So to fix this problem, as suggested by Marcelo, this patch makes the
+extra pointers of rto_min, rto_max, pf_retrans, and ps_retrans point
+to the corresponding variables from the newly created net namespace while
+the new net namespace is being registered in sctp_sysctl_net_register.
+
+Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl")
+Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+Link: https://lore.kernel.org/r/20221209054854.23889-1-firo.yang@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sysctl.c | 73 ++++++++++++++++++++++++++++-------------------
+ 1 file changed, 44 insertions(+), 29 deletions(-)
+
+diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
+index b46a416787ec..43ebf090029d 100644
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -84,17 +84,18 @@ static struct ctl_table sctp_table[] = {
+ { /* sentinel */ }
+ };
+
++/* The following index defines are used in sctp_sysctl_net_register().
++ * If you add new items to the sctp_net_table, please ensure that
++ * the index values of these defines hold the same meaning indicated by
++ * their macro names when they appear in sctp_net_table.
++ */
++#define SCTP_RTO_MIN_IDX 0
++#define SCTP_RTO_MAX_IDX 1
++#define SCTP_PF_RETRANS_IDX 2
++#define SCTP_PS_RETRANS_IDX 3
++
+ static struct ctl_table sctp_net_table[] = {
+- {
+- .procname = "rto_initial",
+- .data = &init_net.sctp.rto_initial,
+- .maxlen = sizeof(unsigned int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
+- .extra1 = SYSCTL_ONE,
+- .extra2 = &timer_max
+- },
+- {
++ [SCTP_RTO_MIN_IDX] = {
+ .procname = "rto_min",
+ .data = &init_net.sctp.rto_min,
+ .maxlen = sizeof(unsigned int),
+@@ -103,7 +104,7 @@ static struct ctl_table sctp_net_table[] = {
+ .extra1 = SYSCTL_ONE,
+ .extra2 = &init_net.sctp.rto_max
+ },
+- {
++ [SCTP_RTO_MAX_IDX] = {
+ .procname = "rto_max",
+ .data = &init_net.sctp.rto_max,
+ .maxlen = sizeof(unsigned int),
+@@ -112,6 +113,33 @@ static struct ctl_table sctp_net_table[] = {
+ .extra1 = &init_net.sctp.rto_min,
+ .extra2 = &timer_max
+ },
++ [SCTP_PF_RETRANS_IDX] = {
++ .procname = "pf_retrans",
++ .data = &init_net.sctp.pf_retrans,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = &init_net.sctp.ps_retrans,
++ },
++ [SCTP_PS_RETRANS_IDX] = {
++ .procname = "ps_retrans",
++ .data = &init_net.sctp.ps_retrans,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = &init_net.sctp.pf_retrans,
++ .extra2 = &ps_retrans_max,
++ },
++ {
++ .procname = "rto_initial",
++ .data = &init_net.sctp.rto_initial,
++ .maxlen = sizeof(unsigned int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ONE,
++ .extra2 = &timer_max
++ },
+ {
+ .procname = "rto_alpha_exp_divisor",
+ .data = &init_net.sctp.rto_alpha,
+@@ -207,24 +235,6 @@ static struct ctl_table sctp_net_table[] = {
+ .extra1 = SYSCTL_ONE,
+ .extra2 = SYSCTL_INT_MAX,
+ },
+- {
+- .procname = "pf_retrans",
+- .data = &init_net.sctp.pf_retrans,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
+- .extra1 = SYSCTL_ZERO,
+- .extra2 = &init_net.sctp.ps_retrans,
+- },
+- {
+- .procname = "ps_retrans",
+- .data = &init_net.sctp.ps_retrans,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
+- .extra1 = &init_net.sctp.pf_retrans,
+- .extra2 = &ps_retrans_max,
+- },
+ {
+ .procname = "sndbuf_policy",
+ .data = &init_net.sctp.sndbuf_policy,
+@@ -586,6 +596,11 @@ int sctp_sysctl_net_register(struct net *net)
+ for (i = 0; table[i].data; i++)
+ table[i].data += (char *)(&net->sctp) - (char *)&init_net.sctp;
+
++ table[SCTP_RTO_MIN_IDX].extra2 = &net->sctp.rto_max;
++ table[SCTP_RTO_MAX_IDX].extra1 = &net->sctp.rto_min;
++ table[SCTP_PF_RETRANS_IDX].extra2 = &net->sctp.ps_retrans;
++ table[SCTP_PS_RETRANS_IDX].extra1 = &net->sctp.pf_retrans;
++
+ net->sctp.sysctl_header = register_net_sysctl(net, "net/sctp", table);
+ if (net->sctp.sysctl_header == NULL) {
+ kfree(table);
+--
+2.35.1
+
--- /dev/null
+From 7a50ed5633473deb565ca7ea4e15c03395156941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 08:45:32 -0700
+Subject: seccomp: Move copy_seccomp() to no failure path.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit a1140cb215fa13dcec06d12ba0c3ee105633b7c4 ]
+
+Our syzbot instance reported memory leaks in do_seccomp() [0], similar
+to the report [1]. It shows that we miss freeing struct seccomp_filter
+and some objects included in it.
+
+We can reproduce the issue with the program below [2] which calls one
+seccomp() and two clone() syscalls.
+
+The first clone()d child exits earlier than its parent and sends a
+signal to kill it during the second clone(), more precisely before the
+fatal_signal_pending() test in copy_process(). When the parent receives
+the signal, it has to destroy the embryonic process and return -EINTR to
+user space. In the failure path, we have to call seccomp_filter_release()
+to decrement the filter's refcount.
+
+Initially, we called it in free_task() called from the failure path, but
+the commit 3a15fb6ed92c ("seccomp: release filter after task is fully
+dead") moved it to release_task() to notify user space as early as possible
+that the filter is no longer used.
+
+To keep the change and current seccomp refcount semantics, let's move
+copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in
+free_task() for future debugging.
+
+[0]:
+unreferenced object 0xffff8880063add00 (size 256):
+ comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.914s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
+ backtrace:
+ do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
+ do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+unreferenced object 0xffffc90000035000 (size 4096):
+ comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ __vmalloc_node_range (mm/vmalloc.c:3226)
+ __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))
+ bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)
+ bpf_prog_alloc (kernel/bpf/core.c:129)
+ bpf_prog_create_from_user (net/core/filter.c:1414)
+ do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
+ do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+unreferenced object 0xffff888003fa1000 (size 1024):
+ comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)
+ bpf_prog_alloc (kernel/bpf/core.c:129)
+ bpf_prog_create_from_user (net/core/filter.c:1414)
+ do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
+ do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+unreferenced object 0xffff888006360240 (size 16):
+ comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
+ hex dump (first 16 bytes):
+ 01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........
+ backtrace:
+ bpf_prog_store_orig_filter (net/core/filter.c:1137)
+ bpf_prog_create_from_user (net/core/filter.c:1428)
+ do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
+ do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+unreferenced object 0xffff8880060183e0 (size 8):
+ comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
+ hex dump (first 8 bytes):
+ 06 00 00 00 00 00 ff 7f ........
+ backtrace:
+ kmemdup (mm/util.c:129)
+ bpf_prog_store_orig_filter (net/core/filter.c:1144)
+ bpf_prog_create_from_user (net/core/filter.c:1428)
+ do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
+ do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+
+[1]: https://syzkaller.appspot.com/bug?id=2809bb0ac77ad9aa3f4afe42d6a610aba594a987
+
+[2]:
+#define _GNU_SOURCE
+#include <sched.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+
+void main(void)
+{
+ struct sock_filter filter[] = {
+ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+ };
+ struct sock_fprog fprog = {
+ .len = sizeof(filter) / sizeof(filter[0]),
+ .filter = filter,
+ };
+ long i, pid;
+
+ syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &fprog);
+
+ for (i = 0; i < 2; i++) {
+ pid = syscall(__NR_clone, CLONE_NEWNET | SIGKILL, NULL, NULL, 0);
+ if (pid == 0)
+ return;
+ }
+}
+
+Fixes: 3a15fb6ed92c ("seccomp: release filter after task is fully dead")
+Reported-by: syzbot+ab17848fe269b573eb71@syzkaller.appspotmail.com
+Reported-by: Ayushman Dutta <ayudutta@amazon.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20220823154532.82913-1-kuniyu@amazon.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/fork.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 2b6bd511c6ed..f925d2b96e0a 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -537,6 +537,9 @@ void put_task_stack(struct task_struct *tsk)
+
+ void free_task(struct task_struct *tsk)
+ {
++#ifdef CONFIG_SECCOMP
++ WARN_ON_ONCE(tsk->seccomp.filter);
++#endif
+ release_user_cpus_ptr(tsk);
+ scs_release(tsk);
+
+@@ -2407,12 +2410,6 @@ static __latent_entropy struct task_struct *copy_process(
+
+ spin_lock(¤t->sighand->siglock);
+
+- /*
+- * Copy seccomp details explicitly here, in case they were changed
+- * before holding sighand lock.
+- */
+- copy_seccomp(p);
+-
+ rv_task_fork(p);
+
+ rseq_fork(p, clone_flags);
+@@ -2429,6 +2426,14 @@ static __latent_entropy struct task_struct *copy_process(
+ goto bad_fork_cancel_cgroup;
+ }
+
++ /* No more failure paths after this point. */
++
++ /*
++ * Copy seccomp details explicitly here, in case they were changed
++ * before holding sighand lock.
++ */
++ copy_seccomp(p);
++
+ init_task_pid_links(p);
+ if (likely(p->pid)) {
+ ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
+--
+2.35.1
+
--- /dev/null
+From 1ce5b4b8b81b489974f603359902652bed150290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 08:01:08 -0400
+Subject: selftest/bpf: Fix error usage of ASSERT_OK in xdp_adjust_tail.c
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit cbc1c998da59687e8bbc4667154a72eead2daf2d ]
+
+xdp_adjust_tail.c calls ASSERT_OK() to check the return value of
+bpf_prog_test_load(), but the condition is not correct. Fix it.
+
+Fixes: 791cad025051 ("bpf: selftests: Get rid of CHECK macro in xdp_adjust_tail.c")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/bpf/20221011120108.782373-7-xukuohai@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c b/tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c
+index 7efee9b047d9..8f2613267be2 100644
+--- a/tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c
++++ b/tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c
+@@ -18,7 +18,7 @@ static void test_xdp_adjust_tail_shrink(void)
+ );
+
+ err = bpf_prog_test_load(file, BPF_PROG_TYPE_XDP, &obj, &prog_fd);
+- if (ASSERT_OK(err, "test_xdp_adjust_tail_shrink"))
++ if (!ASSERT_OK(err, "test_xdp_adjust_tail_shrink"))
+ return;
+
+ err = bpf_prog_test_run_opts(prog_fd, &topts);
+@@ -53,7 +53,7 @@ static void test_xdp_adjust_tail_grow(void)
+ );
+
+ err = bpf_prog_test_load(file, BPF_PROG_TYPE_XDP, &obj, &prog_fd);
+- if (ASSERT_OK(err, "test_xdp_adjust_tail_grow"))
++ if (!ASSERT_OK(err, "test_xdp_adjust_tail_grow"))
+ return;
+
+ err = bpf_prog_test_run_opts(prog_fd, &topts);
+@@ -90,7 +90,7 @@ static void test_xdp_adjust_tail_grow2(void)
+ );
+
+ err = bpf_prog_test_load(file, BPF_PROG_TYPE_XDP, &obj, &prog_fd);
+- if (ASSERT_OK(err, "test_xdp_adjust_tail_grow"))
++ if (!ASSERT_OK(err, "test_xdp_adjust_tail_grow"))
+ return;
+
+ /* Test case-64 */
+--
+2.35.1
+
--- /dev/null
+From c6bbbde791dec2df0ae02e63e74d628cb42ce27c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 08:01:06 -0400
+Subject: selftest/bpf: Fix memory leak in kprobe_multi_test
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 6d2e21dc4db3933db65293552ecc1ede26febeca ]
+
+The get_syms() function in kprobe_multi_test.c does not free the string
+memory allocated by sscanf correctly. Fix it.
+
+Fixes: 5b6c7e5c4434 ("selftests/bpf: Add attach bench test")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/bpf/20221011120108.782373-5-xukuohai@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bpf/prog_tests/kprobe_multi_test.c | 26 ++++++++++---------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
+index d457a55ff408..287b3ac40227 100644
+--- a/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
++++ b/tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c
+@@ -325,7 +325,7 @@ static bool symbol_equal(const void *key1, const void *key2, void *ctx __maybe_u
+ static int get_syms(char ***symsp, size_t *cntp)
+ {
+ size_t cap = 0, cnt = 0, i;
+- char *name, **syms = NULL;
++ char *name = NULL, **syms = NULL;
+ struct hashmap *map;
+ char buf[256];
+ FILE *f;
+@@ -352,6 +352,8 @@ static int get_syms(char ***symsp, size_t *cntp)
+ /* skip modules */
+ if (strchr(buf, '['))
+ continue;
++
++ free(name);
+ if (sscanf(buf, "%ms$*[^\n]\n", &name) != 1)
+ continue;
+ /*
+@@ -369,32 +371,32 @@ static int get_syms(char ***symsp, size_t *cntp)
+ if (!strncmp(name, "__ftrace_invalid_address__",
+ sizeof("__ftrace_invalid_address__") - 1))
+ continue;
++
+ err = hashmap__add(map, name, NULL);
+- if (err) {
+- free(name);
+- if (err == -EEXIST)
+- continue;
++ if (err == -EEXIST)
++ continue;
++ if (err)
+ goto error;
+- }
++
+ err = libbpf_ensure_mem((void **) &syms, &cap,
+ sizeof(*syms), cnt + 1);
+- if (err) {
+- free(name);
++ if (err)
+ goto error;
+- }
+- syms[cnt] = name;
+- cnt++;
++
++ syms[cnt++] = name;
++ name = NULL;
+ }
+
+ *symsp = syms;
+ *cntp = cnt;
+
+ error:
++ free(name);
+ fclose(f);
+ hashmap__free(map);
+ if (err) {
+ for (i = 0; i < cnt; i++)
+- free(syms[cnt]);
++ free(syms[i]);
+ free(syms);
+ }
+ return err;
+--
+2.35.1
+
--- /dev/null
+From 24f684e6cd4fae0751478180006003770487aa00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 08:27:13 -0700
+Subject: selftests/bpf: Add struct argument tests with fentry/fexit programs.
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit 1642a3945e223a922312fab2401ecdf58b3825b9 ]
+
+Add various struct argument tests with fentry/fexit programs.
+Also add one test with a kernel func which does not have any
+argument to test BPF_PROG2 macro in such situation.
+
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20220831152713.2080039-1-yhs@fb.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 6e8280b958c5 ("selftests/bpf: Fix memory leak caused by not destroying skeleton")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/bpf_testmod/bpf_testmod.c | 48 +++++++
+ .../selftests/bpf/prog_tests/tracing_struct.c | 63 +++++++++
+ .../selftests/bpf/progs/tracing_struct.c | 120 ++++++++++++++++++
+ 3 files changed, 231 insertions(+)
+ create mode 100644 tools/testing/selftests/bpf/prog_tests/tracing_struct.c
+ create mode 100644 tools/testing/selftests/bpf/progs/tracing_struct.c
+
+diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
+index ac5d7c1396fb..5085fea3cac5 100644
+--- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
++++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
+@@ -18,6 +18,46 @@ typedef int (*func_proto_typedef_nested1)(func_proto_typedef);
+ typedef int (*func_proto_typedef_nested2)(func_proto_typedef_nested1);
+
+ DEFINE_PER_CPU(int, bpf_testmod_ksym_percpu) = 123;
++long bpf_testmod_test_struct_arg_result;
++
++struct bpf_testmod_struct_arg_1 {
++ int a;
++};
++struct bpf_testmod_struct_arg_2 {
++ long a;
++ long b;
++};
++
++noinline int
++bpf_testmod_test_struct_arg_1(struct bpf_testmod_struct_arg_2 a, int b, int c) {
++ bpf_testmod_test_struct_arg_result = a.a + a.b + b + c;
++ return bpf_testmod_test_struct_arg_result;
++}
++
++noinline int
++bpf_testmod_test_struct_arg_2(int a, struct bpf_testmod_struct_arg_2 b, int c) {
++ bpf_testmod_test_struct_arg_result = a + b.a + b.b + c;
++ return bpf_testmod_test_struct_arg_result;
++}
++
++noinline int
++bpf_testmod_test_struct_arg_3(int a, int b, struct bpf_testmod_struct_arg_2 c) {
++ bpf_testmod_test_struct_arg_result = a + b + c.a + c.b;
++ return bpf_testmod_test_struct_arg_result;
++}
++
++noinline int
++bpf_testmod_test_struct_arg_4(struct bpf_testmod_struct_arg_1 a, int b,
++ int c, int d, struct bpf_testmod_struct_arg_2 e) {
++ bpf_testmod_test_struct_arg_result = a.a + b + c + d + e.a + e.b;
++ return bpf_testmod_test_struct_arg_result;
++}
++
++noinline int
++bpf_testmod_test_struct_arg_5(void) {
++ bpf_testmod_test_struct_arg_result = 1;
++ return bpf_testmod_test_struct_arg_result;
++}
+
+ noinline void
+ bpf_testmod_test_mod_kfunc(int i)
+@@ -115,11 +155,19 @@ bpf_testmod_test_read(struct file *file, struct kobject *kobj,
+ .off = off,
+ .len = len,
+ };
++ struct bpf_testmod_struct_arg_1 struct_arg1 = {10};
++ struct bpf_testmod_struct_arg_2 struct_arg2 = {2, 3};
+ int i = 1;
+
+ while (bpf_testmod_return_ptr(i))
+ i++;
+
++ (void)bpf_testmod_test_struct_arg_1(struct_arg2, 1, 4);
++ (void)bpf_testmod_test_struct_arg_2(1, struct_arg2, 4);
++ (void)bpf_testmod_test_struct_arg_3(1, 4, struct_arg2);
++ (void)bpf_testmod_test_struct_arg_4(struct_arg1, 1, 2, 3, struct_arg2);
++ (void)bpf_testmod_test_struct_arg_5();
++
+ /* This is always true. Use the check to make sure the compiler
+ * doesn't remove bpf_testmod_loop_test.
+ */
+diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_struct.c b/tools/testing/selftests/bpf/prog_tests/tracing_struct.c
+new file mode 100644
+index 000000000000..d5022b91d1e4
+--- /dev/null
++++ b/tools/testing/selftests/bpf/prog_tests/tracing_struct.c
+@@ -0,0 +1,63 @@
++// SPDX-License-Identifier: GPL-2.0
++/* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */
++
++#include <test_progs.h>
++#include "tracing_struct.skel.h"
++
++static void test_fentry(void)
++{
++ struct tracing_struct *skel;
++ int err;
++
++ skel = tracing_struct__open_and_load();
++ if (!ASSERT_OK_PTR(skel, "tracing_struct__open_and_load"))
++ return;
++
++ err = tracing_struct__attach(skel);
++ if (!ASSERT_OK(err, "tracing_struct__attach"))
++ return;
++
++ ASSERT_OK(trigger_module_test_read(256), "trigger_read");
++
++ ASSERT_EQ(skel->bss->t1_a_a, 2, "t1:a.a");
++ ASSERT_EQ(skel->bss->t1_a_b, 3, "t1:a.b");
++ ASSERT_EQ(skel->bss->t1_b, 1, "t1:b");
++ ASSERT_EQ(skel->bss->t1_c, 4, "t1:c");
++
++ ASSERT_EQ(skel->bss->t1_nregs, 4, "t1 nregs");
++ ASSERT_EQ(skel->bss->t1_reg0, 2, "t1 reg0");
++ ASSERT_EQ(skel->bss->t1_reg1, 3, "t1 reg1");
++ ASSERT_EQ(skel->bss->t1_reg2, 1, "t1 reg2");
++ ASSERT_EQ(skel->bss->t1_reg3, 4, "t1 reg3");
++ ASSERT_EQ(skel->bss->t1_ret, 10, "t1 ret");
++
++ ASSERT_EQ(skel->bss->t2_a, 1, "t2:a");
++ ASSERT_EQ(skel->bss->t2_b_a, 2, "t2:b.a");
++ ASSERT_EQ(skel->bss->t2_b_b, 3, "t2:b.b");
++ ASSERT_EQ(skel->bss->t2_c, 4, "t2:c");
++ ASSERT_EQ(skel->bss->t2_ret, 10, "t2 ret");
++
++ ASSERT_EQ(skel->bss->t3_a, 1, "t3:a");
++ ASSERT_EQ(skel->bss->t3_b, 4, "t3:b");
++ ASSERT_EQ(skel->bss->t3_c_a, 2, "t3:c.a");
++ ASSERT_EQ(skel->bss->t3_c_b, 3, "t3:c.b");
++ ASSERT_EQ(skel->bss->t3_ret, 10, "t3 ret");
++
++ ASSERT_EQ(skel->bss->t4_a_a, 10, "t4:a.a");
++ ASSERT_EQ(skel->bss->t4_b, 1, "t4:b");
++ ASSERT_EQ(skel->bss->t4_c, 2, "t4:c");
++ ASSERT_EQ(skel->bss->t4_d, 3, "t4:d");
++ ASSERT_EQ(skel->bss->t4_e_a, 2, "t4:e.a");
++ ASSERT_EQ(skel->bss->t4_e_b, 3, "t4:e.b");
++ ASSERT_EQ(skel->bss->t4_ret, 21, "t4 ret");
++
++ ASSERT_EQ(skel->bss->t5_ret, 1, "t5 ret");
++
++ tracing_struct__detach(skel);
++ tracing_struct__destroy(skel);
++}
++
++void test_tracing_struct(void)
++{
++ test_fentry();
++}
+diff --git a/tools/testing/selftests/bpf/progs/tracing_struct.c b/tools/testing/selftests/bpf/progs/tracing_struct.c
+new file mode 100644
+index 000000000000..e718f0ebee7d
+--- /dev/null
++++ b/tools/testing/selftests/bpf/progs/tracing_struct.c
+@@ -0,0 +1,120 @@
++// SPDX-License-Identifier: GPL-2.0
++/* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */
++
++#include <vmlinux.h>
++#include <bpf/bpf_tracing.h>
++#include <bpf/bpf_helpers.h>
++
++struct bpf_testmod_struct_arg_1 {
++ int a;
++};
++struct bpf_testmod_struct_arg_2 {
++ long a;
++ long b;
++};
++
++long t1_a_a, t1_a_b, t1_b, t1_c, t1_ret, t1_nregs;
++__u64 t1_reg0, t1_reg1, t1_reg2, t1_reg3;
++long t2_a, t2_b_a, t2_b_b, t2_c, t2_ret;
++long t3_a, t3_b, t3_c_a, t3_c_b, t3_ret;
++long t4_a_a, t4_b, t4_c, t4_d, t4_e_a, t4_e_b, t4_ret;
++long t5_ret;
++
++SEC("fentry/bpf_testmod_test_struct_arg_1")
++int BPF_PROG2(test_struct_arg_1, struct bpf_testmod_struct_arg_2, a, int, b, int, c)
++{
++ t1_a_a = a.a;
++ t1_a_b = a.b;
++ t1_b = b;
++ t1_c = c;
++ return 0;
++}
++
++SEC("fexit/bpf_testmod_test_struct_arg_1")
++int BPF_PROG2(test_struct_arg_2, struct bpf_testmod_struct_arg_2, a, int, b, int, c, int, ret)
++{
++ t1_nregs = bpf_get_func_arg_cnt(ctx);
++ /* a.a */
++ bpf_get_func_arg(ctx, 0, &t1_reg0);
++ /* a.b */
++ bpf_get_func_arg(ctx, 1, &t1_reg1);
++ /* b */
++ bpf_get_func_arg(ctx, 2, &t1_reg2);
++ t1_reg2 = (int)t1_reg2;
++ /* c */
++ bpf_get_func_arg(ctx, 3, &t1_reg3);
++ t1_reg3 = (int)t1_reg3;
++
++ t1_ret = ret;
++ return 0;
++}
++
++SEC("fentry/bpf_testmod_test_struct_arg_2")
++int BPF_PROG2(test_struct_arg_3, int, a, struct bpf_testmod_struct_arg_2, b, int, c)
++{
++ t2_a = a;
++ t2_b_a = b.a;
++ t2_b_b = b.b;
++ t2_c = c;
++ return 0;
++}
++
++SEC("fexit/bpf_testmod_test_struct_arg_2")
++int BPF_PROG2(test_struct_arg_4, int, a, struct bpf_testmod_struct_arg_2, b, int, c, int, ret)
++{
++ t2_ret = ret;
++ return 0;
++}
++
++SEC("fentry/bpf_testmod_test_struct_arg_3")
++int BPF_PROG2(test_struct_arg_5, int, a, int, b, struct bpf_testmod_struct_arg_2, c)
++{
++ t3_a = a;
++ t3_b = b;
++ t3_c_a = c.a;
++ t3_c_b = c.b;
++ return 0;
++}
++
++SEC("fexit/bpf_testmod_test_struct_arg_3")
++int BPF_PROG2(test_struct_arg_6, int, a, int, b, struct bpf_testmod_struct_arg_2, c, int, ret)
++{
++ t3_ret = ret;
++ return 0;
++}
++
++SEC("fentry/bpf_testmod_test_struct_arg_4")
++int BPF_PROG2(test_struct_arg_7, struct bpf_testmod_struct_arg_1, a, int, b,
++ int, c, int, d, struct bpf_testmod_struct_arg_2, e)
++{
++ t4_a_a = a.a;
++ t4_b = b;
++ t4_c = c;
++ t4_d = d;
++ t4_e_a = e.a;
++ t4_e_b = e.b;
++ return 0;
++}
++
++SEC("fexit/bpf_testmod_test_struct_arg_4")
++int BPF_PROG2(test_struct_arg_8, struct bpf_testmod_struct_arg_1, a, int, b,
++ int, c, int, d, struct bpf_testmod_struct_arg_2, e, int, ret)
++{
++ t4_ret = ret;
++ return 0;
++}
++
++SEC("fentry/bpf_testmod_test_struct_arg_5")
++int BPF_PROG2(test_struct_arg_9)
++{
++ return 0;
++}
++
++SEC("fexit/bpf_testmod_test_struct_arg_5")
++int BPF_PROG2(test_struct_arg_10, int, ret)
++{
++ t5_ret = ret;
++ return 0;
++}
++
++char _license[] SEC("license") = "GPL";
+--
+2.35.1
+
--- /dev/null
+From fa4df82e7288d959054de6ad61997f90f4b5e010 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 18:08:44 -0700
+Subject: selftests/bpf: Fix conflicts with built-in functions in bpf_iter_ksym
+
+From: James Hilliard <james.hilliard1@gmail.com>
+
+[ Upstream commit ab0350c743d5c93fd88742f02b3dff12168ab435 ]
+
+Both tolower and toupper are built in c functions, we should not
+redefine them as this can result in a build error.
+
+Fixes the following errors:
+progs/bpf_iter_ksym.c:10:20: error: conflicting types for built-in function 'tolower'; expected 'int(int)' [-Werror=builtin-declaration-mismatch]
+ 10 | static inline char tolower(char c)
+ | ^~~~~~~
+progs/bpf_iter_ksym.c:5:1: note: 'tolower' is declared in header '<ctype.h>'
+ 4 | #include <bpf/bpf_helpers.h>
+ +++ |+#include <ctype.h>
+ 5 |
+progs/bpf_iter_ksym.c:17:20: error: conflicting types for built-in function 'toupper'; expected 'int(int)' [-Werror=builtin-declaration-mismatch]
+ 17 | static inline char toupper(char c)
+ | ^~~~~~~
+progs/bpf_iter_ksym.c:17:20: note: 'toupper' is declared in header '<ctype.h>'
+
+See background on this sort of issue:
+https://stackoverflow.com/a/20582607
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=12213
+
+(C99, 7.1.3p1) "All identifiers with external linkage in any of the
+following subclauses (including the future library directions) are
+always reserved for use as identifiers with external linkage."
+
+This is documented behavior in GCC:
+https://gcc.gnu.org/onlinedocs/gcc/Other-Builtins.html#index-std-2
+
+Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20221203010847.2191265-1-james.hilliard1@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/bpf_iter_ksym.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/bpf_iter_ksym.c b/tools/testing/selftests/bpf/progs/bpf_iter_ksym.c
+index 285c008cbf9c..9ba14c37bbcc 100644
+--- a/tools/testing/selftests/bpf/progs/bpf_iter_ksym.c
++++ b/tools/testing/selftests/bpf/progs/bpf_iter_ksym.c
+@@ -7,14 +7,14 @@ char _license[] SEC("license") = "GPL";
+
+ unsigned long last_sym_value = 0;
+
+-static inline char tolower(char c)
++static inline char to_lower(char c)
+ {
+ if (c >= 'A' && c <= 'Z')
+ c += ('a' - 'A');
+ return c;
+ }
+
+-static inline char toupper(char c)
++static inline char to_upper(char c)
+ {
+ if (c >= 'a' && c <= 'z')
+ c -= ('a' - 'A');
+@@ -54,7 +54,7 @@ int dump_ksym(struct bpf_iter__ksym *ctx)
+ type = iter->type;
+
+ if (iter->module_name[0]) {
+- type = iter->exported ? toupper(type) : tolower(type);
++ type = iter->exported ? to_upper(type) : to_lower(type);
+ BPF_SEQ_PRINTF(seq, "0x%llx %c %s [ %s ] ",
+ value, type, iter->name, iter->module_name);
+ } else {
+--
+2.35.1
+
--- /dev/null
+From b62a5d2869eba79d99b9e98ebe6c88fbf625ccaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 08:01:07 -0400
+Subject: selftests/bpf: Fix error failure of case test_xdp_adjust_tail_grow
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 4abdb1d5b250df4b5b3afd394d5e2fa516064c04 ]
+
+test_xdp_adjust_tail_grow failed with ipv6:
+ test_xdp_adjust_tail_grow:FAIL:ipv6 unexpected error: -28 (errno 28)
+
+The reason is that this test case tests ipv4 before ipv6, and when ipv4
+test finished, topts.data_size_out was set to 54, which is smaller than the
+ipv6 output data size 114, so ipv6 test fails with NOSPC error.
+
+Fix it by reset topts.data_size_out to sizeof(buf) before testing ipv6.
+
+Fixes: 04fcb5f9a104 ("selftests/bpf: Migrate from bpf_prog_test_run")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/bpf/20221011120108.782373-6-xukuohai@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c b/tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c
+index 21ceac24e174..7efee9b047d9 100644
+--- a/tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c
++++ b/tools/testing/selftests/bpf/prog_tests/xdp_adjust_tail.c
+@@ -63,6 +63,7 @@ static void test_xdp_adjust_tail_grow(void)
+ expect_sz = sizeof(pkt_v6) + 40; /* Test grow with 40 bytes */
+ topts.data_in = &pkt_v6;
+ topts.data_size_in = sizeof(pkt_v6);
++ topts.data_size_out = sizeof(buf);
+ err = bpf_prog_test_run_opts(prog_fd, &topts);
+ ASSERT_OK(err, "ipv6");
+ ASSERT_EQ(topts.retval, XDP_TX, "ipv6 retval");
+--
+2.35.1
+
--- /dev/null
+From da77ee0ec2eccd7a358b05314340feeec126abb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 08:01:05 -0400
+Subject: selftests/bpf: Fix memory leak caused by not destroying skeleton
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 6e8280b958c5d7edc514cf347a800b23b7732b2b ]
+
+Some test cases does not destroy skeleton object correctly, causing ASAN
+to report memory leak warning. Fix it.
+
+Fixes: 0ef6740e9777 ("selftests/bpf: Add tests for kptr_ref refcounting")
+Fixes: 1642a3945e22 ("selftests/bpf: Add struct argument tests with fentry/fexit programs.")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/bpf/20221011120108.782373-4-xukuohai@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/map_kptr.c | 3 ++-
+ tools/testing/selftests/bpf/prog_tests/tracing_struct.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/map_kptr.c b/tools/testing/selftests/bpf/prog_tests/map_kptr.c
+index fdcea7a61491..0d66b1524208 100644
+--- a/tools/testing/selftests/bpf/prog_tests/map_kptr.c
++++ b/tools/testing/selftests/bpf/prog_tests/map_kptr.c
+@@ -105,7 +105,7 @@ static void test_map_kptr_success(bool test_run)
+ ASSERT_OK(opts.retval, "test_map_kptr_ref2 retval");
+
+ if (test_run)
+- return;
++ goto exit;
+
+ ret = bpf_map__update_elem(skel->maps.array_map,
+ &key, sizeof(key), buf, sizeof(buf), 0);
+@@ -132,6 +132,7 @@ static void test_map_kptr_success(bool test_run)
+ ret = bpf_map__delete_elem(skel->maps.lru_hash_map, &key, sizeof(key), 0);
+ ASSERT_OK(ret, "lru_hash_map delete");
+
++exit:
+ map_kptr__destroy(skel);
+ }
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_struct.c b/tools/testing/selftests/bpf/prog_tests/tracing_struct.c
+index d5022b91d1e4..48dc9472e160 100644
+--- a/tools/testing/selftests/bpf/prog_tests/tracing_struct.c
++++ b/tools/testing/selftests/bpf/prog_tests/tracing_struct.c
+@@ -15,7 +15,7 @@ static void test_fentry(void)
+
+ err = tracing_struct__attach(skel);
+ if (!ASSERT_OK(err, "tracing_struct__attach"))
+- return;
++ goto destroy_skel;
+
+ ASSERT_OK(trigger_module_test_read(256), "trigger_read");
+
+@@ -54,6 +54,7 @@ static void test_fentry(void)
+ ASSERT_EQ(skel->bss->t5_ret, 1, "t5 ret");
+
+ tracing_struct__detach(skel);
++destroy_skel:
+ tracing_struct__destroy(skel);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From eb6c5b473abb786ffc02d42c06668fb4c1a760e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 11:29:40 +0800
+Subject: selftests/bpf: fix memory leak of lsm_cgroup
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit c453e64cbc9532c0c2edfa999c35d29dad16b8bb ]
+
+kmemleak reports this issue:
+
+unreferenced object 0xffff88810b7835c0 (size 32):
+ comm "test_progs", pid 270, jiffies 4294969007 (age 1621.315s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 03 00 00 00 03 00 00 00 0f 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000376cdeab>] kmalloc_trace+0x27/0x110
+ [<000000003bcdb3b6>] selinux_sk_alloc_security+0x66/0x110
+ [<000000003959008f>] security_sk_alloc+0x47/0x80
+ [<00000000e7bc6668>] sk_prot_alloc+0xbd/0x1a0
+ [<0000000002d6343a>] sk_alloc+0x3b/0x940
+ [<000000009812a46d>] unix_create1+0x8f/0x3d0
+ [<000000005ed0976b>] unix_create+0xa1/0x150
+ [<0000000086a1d27f>] __sock_create+0x233/0x4a0
+ [<00000000cffe3a73>] __sys_socket_create.part.0+0xaa/0x110
+ [<0000000007c63f20>] __sys_socket+0x49/0xf0
+ [<00000000b08753c8>] __x64_sys_socket+0x42/0x50
+ [<00000000b56e26b3>] do_syscall_64+0x3b/0x90
+ [<000000009b4871b8>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The issue occurs in the following scenarios:
+
+unix_create1()
+ sk_alloc()
+ sk_prot_alloc()
+ security_sk_alloc()
+ call_int_hook()
+ hlist_for_each_entry()
+ entry1->hook.sk_alloc_security
+ <-- selinux_sk_alloc_security() succeeded,
+ <-- sk->security alloced here.
+ entry2->hook.sk_alloc_security
+ <-- bpf_lsm_sk_alloc_security() failed
+ goto out_free;
+ ... <-- the sk->security not freed, memleak
+
+The core problem is that the LSM is not yet fully stacked (work is
+actively going on in this space) which means that some LSM hooks do
+not support multiple LSMs at the same time. To fix, skip the
+"EPERM" test when it runs in the environments that already have
+non-bpf lsms installed
+
+Fixes: dca85aac8895 ("selftests/bpf: lsm_cgroup functional test")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Cc: Stanislav Fomichev <sdf@google.com>
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Link: https://lore.kernel.org/r/1668482980-16163-1-git-send-email-wangyufen@huawei.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/prog_tests/lsm_cgroup.c | 17 +++++++++++++----
+ tools/testing/selftests/bpf/progs/lsm_cgroup.c | 8 ++++++++
+ 2 files changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/lsm_cgroup.c b/tools/testing/selftests/bpf/prog_tests/lsm_cgroup.c
+index 1102e4f42d2d..f117bfef68a1 100644
+--- a/tools/testing/selftests/bpf/prog_tests/lsm_cgroup.c
++++ b/tools/testing/selftests/bpf/prog_tests/lsm_cgroup.c
+@@ -173,10 +173,12 @@ static void test_lsm_cgroup_functional(void)
+ ASSERT_EQ(query_prog_cnt(cgroup_fd, NULL), 4, "total prog count");
+ ASSERT_EQ(query_prog_cnt(cgroup_fd2, NULL), 1, "total prog count");
+
+- /* AF_UNIX is prohibited. */
+-
+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
+- ASSERT_LT(fd, 0, "socket(AF_UNIX)");
++ if (!(skel->kconfig->CONFIG_SECURITY_APPARMOR
++ || skel->kconfig->CONFIG_SECURITY_SELINUX
++ || skel->kconfig->CONFIG_SECURITY_SMACK))
++ /* AF_UNIX is prohibited. */
++ ASSERT_LT(fd, 0, "socket(AF_UNIX)");
+ close(fd);
+
+ /* AF_INET6 gets default policy (sk_priority). */
+@@ -233,11 +235,18 @@ static void test_lsm_cgroup_functional(void)
+
+ /* AF_INET6+SOCK_STREAM
+ * AF_PACKET+SOCK_RAW
++ * AF_UNIX+SOCK_RAW if already have non-bpf lsms installed
+ * listen_fd
+ * client_fd
+ * accepted_fd
+ */
+- ASSERT_EQ(skel->bss->called_socket_post_create2, 5, "called_create2");
++ if (skel->kconfig->CONFIG_SECURITY_APPARMOR
++ || skel->kconfig->CONFIG_SECURITY_SELINUX
++ || skel->kconfig->CONFIG_SECURITY_SMACK)
++ /* AF_UNIX+SOCK_RAW if already have non-bpf lsms installed */
++ ASSERT_EQ(skel->bss->called_socket_post_create2, 6, "called_create2");
++ else
++ ASSERT_EQ(skel->bss->called_socket_post_create2, 5, "called_create2");
+
+ /* start_server
+ * bind(ETH_P_ALL)
+diff --git a/tools/testing/selftests/bpf/progs/lsm_cgroup.c b/tools/testing/selftests/bpf/progs/lsm_cgroup.c
+index 4f2d60b87b75..02c11d16b692 100644
+--- a/tools/testing/selftests/bpf/progs/lsm_cgroup.c
++++ b/tools/testing/selftests/bpf/progs/lsm_cgroup.c
+@@ -7,6 +7,10 @@
+
+ char _license[] SEC("license") = "GPL";
+
++extern bool CONFIG_SECURITY_SELINUX __kconfig __weak;
++extern bool CONFIG_SECURITY_SMACK __kconfig __weak;
++extern bool CONFIG_SECURITY_APPARMOR __kconfig __weak;
++
+ #ifndef AF_PACKET
+ #define AF_PACKET 17
+ #endif
+@@ -140,6 +144,10 @@ SEC("lsm_cgroup/sk_alloc_security")
+ int BPF_PROG(socket_alloc, struct sock *sk, int family, gfp_t priority)
+ {
+ called_socket_alloc++;
++ /* if already have non-bpf lsms installed, EPERM will cause memory leak of non-bpf lsms */
++ if (CONFIG_SECURITY_SELINUX || CONFIG_SECURITY_SMACK || CONFIG_SECURITY_APPARMOR)
++ return 1;
++
+ if (family == AF_UNIX)
+ return 0; /* EPERM */
+
+--
+2.35.1
+
--- /dev/null
+From bcad832f32a05e1eb4a0eb2b21344cc46b03b2ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 11:08:36 +0800
+Subject: selftests/bpf: Fix xdp_synproxy compilation failure in 32-bit arch
+
+From: Yang Jihong <yangjihong1@huawei.com>
+
+[ Upstream commit e4c9cf0ce8c413c2030e8fb215551d7e0582ee7b ]
+
+xdp_synproxy fails to be compiled in the 32-bit arch, log is as follows:
+
+ xdp_synproxy.c: In function 'parse_options':
+ xdp_synproxy.c:175:36: error: left shift count >= width of type [-Werror=shift-count-overflow]
+ 175 | *tcpipopts = (mss6 << 32) | (ttl << 24) | (wscale << 16) | mss4;
+ | ^~
+ xdp_synproxy.c: In function 'syncookie_open_bpf_maps':
+ xdp_synproxy.c:289:28: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
+ 289 | .map_ids = (__u64)map_ids,
+ | ^
+
+Fix it.
+
+Fixes: fb5cd0ce70d4 ("selftests/bpf: Add selftests for raw syncookie helpers")
+Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20221111030836.37632-1-yangjihong1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/xdp_synproxy.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/xdp_synproxy.c b/tools/testing/selftests/bpf/xdp_synproxy.c
+index d874ddfb39c4..8432836f3be2 100644
+--- a/tools/testing/selftests/bpf/xdp_synproxy.c
++++ b/tools/testing/selftests/bpf/xdp_synproxy.c
+@@ -104,7 +104,8 @@ static void parse_options(int argc, char *argv[], unsigned int *ifindex, __u32 *
+ { "tc", no_argument, NULL, 'c' },
+ { NULL, 0, NULL, 0 },
+ };
+- unsigned long mss4, mss6, wscale, ttl;
++ unsigned long mss4, wscale, ttl;
++ unsigned long long mss6;
+ unsigned int tcpipopts_mask = 0;
+
+ if (argc < 2)
+@@ -286,7 +287,7 @@ static int syncookie_open_bpf_maps(__u32 prog_id, int *values_map_fd, int *ports
+
+ prog_info = (struct bpf_prog_info) {
+ .nr_map_ids = 8,
+- .map_ids = (__u64)map_ids,
++ .map_ids = (__u64)(unsigned long)map_ids,
+ };
+ info_len = sizeof(prog_info);
+
+--
+2.35.1
+
--- /dev/null
+From 149ad3445ae80e425e449d9c61810abedf938e58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 10:03:40 -0800
+Subject: selftests/bpf: Make sure zero-len skbs aren't redirectable
+
+From: Stanislav Fomichev <sdf@google.com>
+
+[ Upstream commit 68f8e3d4b916531ea3bb8b83e35138cf78f2fce5 ]
+
+LWT_XMIT to test L3 case, TC to test L2 case.
+
+v2:
+- s/veth_ifindex/ipip_ifindex/ in two places (Martin)
+- add comment about which condition triggers the rejection (Martin)
+
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Link: https://lore.kernel.org/r/20221121180340.1983627-2-sdf@google.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Stable-dep-of: 8ac88eece800 ("selftests/bpf: Mount debugfs in setns_by_fd")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/prog_tests/empty_skb.c | 146 ++++++++++++++++++
+ tools/testing/selftests/bpf/progs/empty_skb.c | 37 +++++
+ 2 files changed, 183 insertions(+)
+ create mode 100644 tools/testing/selftests/bpf/prog_tests/empty_skb.c
+ create mode 100644 tools/testing/selftests/bpf/progs/empty_skb.c
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/empty_skb.c b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
+new file mode 100644
+index 000000000000..32dd731e9070
+--- /dev/null
++++ b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
+@@ -0,0 +1,146 @@
++// SPDX-License-Identifier: GPL-2.0
++#include <test_progs.h>
++#include <network_helpers.h>
++#include <net/if.h>
++#include "empty_skb.skel.h"
++
++#define SYS(cmd) ({ \
++ if (!ASSERT_OK(system(cmd), (cmd))) \
++ goto out; \
++})
++
++void test_empty_skb(void)
++{
++ LIBBPF_OPTS(bpf_test_run_opts, tattr);
++ struct empty_skb *bpf_obj = NULL;
++ struct nstoken *tok = NULL;
++ struct bpf_program *prog;
++ char eth_hlen_pp[15];
++ char eth_hlen[14];
++ int veth_ifindex;
++ int ipip_ifindex;
++ int err;
++ int i;
++
++ struct {
++ const char *msg;
++ const void *data_in;
++ __u32 data_size_in;
++ int *ifindex;
++ int err;
++ int ret;
++ bool success_on_tc;
++ } tests[] = {
++ /* Empty packets are always rejected. */
++
++ {
++ /* BPF_PROG_RUN ETH_HLEN size check */
++ .msg = "veth empty ingress packet",
++ .data_in = NULL,
++ .data_size_in = 0,
++ .ifindex = &veth_ifindex,
++ .err = -EINVAL,
++ },
++ {
++ /* BPF_PROG_RUN ETH_HLEN size check */
++ .msg = "ipip empty ingress packet",
++ .data_in = NULL,
++ .data_size_in = 0,
++ .ifindex = &ipip_ifindex,
++ .err = -EINVAL,
++ },
++
++ /* ETH_HLEN-sized packets:
++ * - can not be redirected at LWT_XMIT
++ * - can be redirected at TC to non-tunneling dest
++ */
++
++ {
++ /* __bpf_redirect_common */
++ .msg = "veth ETH_HLEN packet ingress",
++ .data_in = eth_hlen,
++ .data_size_in = sizeof(eth_hlen),
++ .ifindex = &veth_ifindex,
++ .ret = -ERANGE,
++ .success_on_tc = true,
++ },
++ {
++ /* __bpf_redirect_no_mac
++ *
++ * lwt: skb->len=0 <= skb_network_offset=0
++ * tc: skb->len=14 <= skb_network_offset=14
++ */
++ .msg = "ipip ETH_HLEN packet ingress",
++ .data_in = eth_hlen,
++ .data_size_in = sizeof(eth_hlen),
++ .ifindex = &ipip_ifindex,
++ .ret = -ERANGE,
++ },
++
++ /* ETH_HLEN+1-sized packet should be redirected. */
++
++ {
++ .msg = "veth ETH_HLEN+1 packet ingress",
++ .data_in = eth_hlen_pp,
++ .data_size_in = sizeof(eth_hlen_pp),
++ .ifindex = &veth_ifindex,
++ },
++ {
++ .msg = "ipip ETH_HLEN+1 packet ingress",
++ .data_in = eth_hlen_pp,
++ .data_size_in = sizeof(eth_hlen_pp),
++ .ifindex = &ipip_ifindex,
++ },
++ };
++
++ SYS("ip netns add empty_skb");
++ tok = open_netns("empty_skb");
++ SYS("ip link add veth0 type veth peer veth1");
++ SYS("ip link set dev veth0 up");
++ SYS("ip link set dev veth1 up");
++ SYS("ip addr add 10.0.0.1/8 dev veth0");
++ SYS("ip addr add 10.0.0.2/8 dev veth1");
++ veth_ifindex = if_nametoindex("veth0");
++
++ SYS("ip link add ipip0 type ipip local 10.0.0.1 remote 10.0.0.2");
++ SYS("ip link set ipip0 up");
++ SYS("ip addr add 192.168.1.1/16 dev ipip0");
++ ipip_ifindex = if_nametoindex("ipip0");
++
++ bpf_obj = empty_skb__open_and_load();
++ if (!ASSERT_OK_PTR(bpf_obj, "open skeleton"))
++ goto out;
++
++ for (i = 0; i < ARRAY_SIZE(tests); i++) {
++ bpf_object__for_each_program(prog, bpf_obj->obj) {
++ char buf[128];
++ bool at_tc = !strncmp(bpf_program__section_name(prog), "tc", 2);
++
++ tattr.data_in = tests[i].data_in;
++ tattr.data_size_in = tests[i].data_size_in;
++
++ tattr.data_size_out = 0;
++ bpf_obj->bss->ifindex = *tests[i].ifindex;
++ bpf_obj->bss->ret = 0;
++ err = bpf_prog_test_run_opts(bpf_program__fd(prog), &tattr);
++ sprintf(buf, "err: %s [%s]", tests[i].msg, bpf_program__name(prog));
++
++ if (at_tc && tests[i].success_on_tc)
++ ASSERT_GE(err, 0, buf);
++ else
++ ASSERT_EQ(err, tests[i].err, buf);
++ sprintf(buf, "ret: %s [%s]", tests[i].msg, bpf_program__name(prog));
++ if (at_tc && tests[i].success_on_tc)
++ ASSERT_GE(bpf_obj->bss->ret, 0, buf);
++ else
++ ASSERT_EQ(bpf_obj->bss->ret, tests[i].ret, buf);
++ }
++ }
++
++out:
++ if (bpf_obj)
++ empty_skb__destroy(bpf_obj);
++ if (tok)
++ close_netns(tok);
++ system("ip netns del empty_skb");
++}
+diff --git a/tools/testing/selftests/bpf/progs/empty_skb.c b/tools/testing/selftests/bpf/progs/empty_skb.c
+new file mode 100644
+index 000000000000..4b0cd6753251
+--- /dev/null
++++ b/tools/testing/selftests/bpf/progs/empty_skb.c
+@@ -0,0 +1,37 @@
++// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
++#include <linux/bpf.h>
++#include <bpf/bpf_helpers.h>
++#include <bpf/bpf_endian.h>
++
++char _license[] SEC("license") = "GPL";
++
++int ifindex;
++int ret;
++
++SEC("lwt_xmit")
++int redirect_ingress(struct __sk_buff *skb)
++{
++ ret = bpf_clone_redirect(skb, ifindex, BPF_F_INGRESS);
++ return 0;
++}
++
++SEC("lwt_xmit")
++int redirect_egress(struct __sk_buff *skb)
++{
++ ret = bpf_clone_redirect(skb, ifindex, 0);
++ return 0;
++}
++
++SEC("tc")
++int tc_redirect_ingress(struct __sk_buff *skb)
++{
++ ret = bpf_clone_redirect(skb, ifindex, BPF_F_INGRESS);
++ return 0;
++}
++
++SEC("tc")
++int tc_redirect_egress(struct __sk_buff *skb)
++{
++ ret = bpf_clone_redirect(skb, ifindex, 0);
++ return 0;
++}
+--
+2.35.1
+
--- /dev/null
+From 63caf45babaf433f66389264df0207e528cc4411 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 12:08:29 -0800
+Subject: selftests/bpf: Mount debugfs in setns_by_fd
+
+From: Stanislav Fomichev <sdf@google.com>
+
+[ Upstream commit 8ac88eece8009428e2577c345080a458e4507e2f ]
+
+Jiri reports broken test_progs after recent commit 68f8e3d4b916
+("selftests/bpf: Make sure zero-len skbs aren't redirectable").
+Apparently we don't remount debugfs when we switch back networking namespace.
+Let's explicitly mount /sys/kernel/debug.
+
+0: https://lore.kernel.org/bpf/63b85917-a2ea-8e35-620c-808560910819@meta.com/T/#ma66ca9c92e99eee0a25e40f422489b26ee0171c1
+
+Fixes: a30338840fa5 ("selftests/bpf: Move open_netns() and close_netns() into network_helpers.c")
+Reported-by: Jiri Olsa <olsajiri@gmail.com>
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Link: https://lore.kernel.org/r/20221123200829.2226254-1-sdf@google.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/network_helpers.c | 4 ++++
+ tools/testing/selftests/bpf/prog_tests/empty_skb.c | 2 +-
+ tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c | 2 +-
+ tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c | 2 +-
+ 4 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/network_helpers.c b/tools/testing/selftests/bpf/network_helpers.c
+index bec15558fd93..1f37adff7632 100644
+--- a/tools/testing/selftests/bpf/network_helpers.c
++++ b/tools/testing/selftests/bpf/network_helpers.c
+@@ -426,6 +426,10 @@ static int setns_by_fd(int nsfd)
+ if (!ASSERT_OK(err, "mount /sys/fs/bpf"))
+ return err;
+
++ err = mount("debugfs", "/sys/kernel/debug", "debugfs", 0, NULL);
++ if (!ASSERT_OK(err, "mount /sys/kernel/debug"))
++ return err;
++
+ return 0;
+ }
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/empty_skb.c b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
+index 32dd731e9070..0613f3bb8b5e 100644
+--- a/tools/testing/selftests/bpf/prog_tests/empty_skb.c
++++ b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
+@@ -9,7 +9,7 @@
+ goto out; \
+ })
+
+-void test_empty_skb(void)
++void serial_test_empty_skb(void)
+ {
+ LIBBPF_OPTS(bpf_test_run_opts, tattr);
+ struct empty_skb *bpf_obj = NULL;
+diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
+index a50971c6cf4a..9ac6f6a268db 100644
+--- a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
++++ b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
+@@ -85,7 +85,7 @@ static void test_max_pkt_size(int fd)
+ }
+
+ #define NUM_PKTS 10000
+-void test_xdp_do_redirect(void)
++void serial_test_xdp_do_redirect(void)
+ {
+ int err, xdp_prog_fd, tc_prog_fd, ifindex_src, ifindex_dst;
+ char data[sizeof(pkt_udp) + sizeof(__u32)];
+diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c b/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
+index 874a846e298c..b49d14580e51 100644
+--- a/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
++++ b/tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
+@@ -174,7 +174,7 @@ static void test_synproxy(bool xdp)
+ system("ip netns del synproxy");
+ }
+
+-void test_xdp_synproxy(void)
++void serial_test_xdp_synproxy(void)
+ {
+ if (test__start_subtest("xdp"))
+ test_synproxy(true);
+--
+2.35.1
+
--- /dev/null
+From 2a4677a3709c36c8acb729d6526a4bdacb9c92c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Dec 2022 14:05:00 -0800
+Subject: selftests/bpf: Select CONFIG_FUNCTION_ERROR_INJECTION
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Song Liu <song@kernel.org>
+
+[ Upstream commit a8dfde09c90109e3a98af54847e91bde7dc2d5c2 ]
+
+BPF selftests require CONFIG_FUNCTION_ERROR_INJECTION to work. However,
+CONFIG_FUNCTION_ERROR_INJECTION is no longer 'y' by default after recent
+changes. As a result, we are seeing errors like the following from BPF CI:
+
+ bpf_testmod_test_read() is not modifiable
+ __x64_sys_setdomainname is not sleepable
+ __x64_sys_getpgid is not sleepable
+
+Fix this by explicitly selecting CONFIG_FUNCTION_ERROR_INJECTION in the
+selftest config.
+
+Fixes: a4412fdd49dc ("error-injection: Add prompt for function error injection")
+Reported-by: Daniel Müller <deso@posteo.net>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Müller <deso@posteo.net>
+Link: https://lore.kernel.org/bpf/20221213220500.3427947-1-song@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
+index fabf0c014349..c5c5fc2a3ce7 100644
+--- a/tools/testing/selftests/bpf/config
++++ b/tools/testing/selftests/bpf/config
+@@ -13,6 +13,7 @@ CONFIG_CRYPTO_USER_API_HASH=m
+ CONFIG_DYNAMIC_FTRACE=y
+ CONFIG_FPROBE=y
+ CONFIG_FTRACE_SYSCALLS=y
++CONFIG_FUNCTION_ERROR_INJECTION=y
+ CONFIG_FUNCTION_TRACER=y
+ CONFIG_GENEVE=y
+ CONFIG_IKCONFIG=y
+--
+2.35.1
+
--- /dev/null
+From 7f388b1dbba6c70bab3ccedf1b5cbd9b5789f083 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Nov 2022 19:06:11 +0800
+Subject: selftests: cgroup: fix unsigned comparison with less than zero
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 333d073dee3a6865171d43e3b0a9ff688bff5891 ]
+
+'size' is unsigned, it never less than zero.
+
+Link: https://lkml.kernel.org/r/20221105110611.28920-1-yuehaibing@huawei.com
+Fixes: 6c26df84e1f2 ("selftests: cgroup: return -errno from cg_read()/cg_write() on failure")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Yosry Ahmed <yosryahmed@google.com>
+Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
+Reviewed-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: zefan li <lizefan.x@bytedance.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/cgroup/cgroup_util.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/cgroup/cgroup_util.c b/tools/testing/selftests/cgroup/cgroup_util.c
+index 4c52cc6f2f9c..e8bbbdb77e0d 100644
+--- a/tools/testing/selftests/cgroup/cgroup_util.c
++++ b/tools/testing/selftests/cgroup/cgroup_util.c
+@@ -555,6 +555,7 @@ int proc_mount_contains(const char *option)
+ ssize_t proc_read_text(int pid, bool thread, const char *item, char *buf, size_t size)
+ {
+ char path[PATH_MAX];
++ ssize_t ret;
+
+ if (!pid)
+ snprintf(path, sizeof(path), "/proc/%s/%s",
+@@ -562,8 +563,8 @@ ssize_t proc_read_text(int pid, bool thread, const char *item, char *buf, size_t
+ else
+ snprintf(path, sizeof(path), "/proc/%d/%s", pid, item);
+
+- size = read_text(path, buf, size);
+- return size < 0 ? -1 : size;
++ ret = read_text(path, buf, size);
++ return ret < 0 ? -1 : ret;
+ }
+
+ int proc_read_strstr(int pid, bool thread, const char *item, const char *needle)
+--
+2.35.1
+
--- /dev/null
+From 1b8fad1aef0121c0fa67e574ffc582ddf1f72e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 18:01:01 -0800
+Subject: selftests: devlink: fix the fd redirect in dummy_reporter_test
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 2fc60e2ff972d3dca836bff0b08cbe503c4ca1ce ]
+
+$number + > bash means redirect FD $number, e.g. commonly
+used 2> redirects stderr (fd 2). The test uses 8192> to
+write the number 8192 to a file, this results in:
+
+ ./devlink.sh: line 499: 8192: Bad file descriptor
+
+Oddly the test also papers over this issue by checking
+for failure (expecting an error rather than success)
+so it passes, anyway.
+
+Fixes: ff18176ad806 ("selftests: Add a test of large binary to devlink health test")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/netdevsim/devlink.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/netdevsim/devlink.sh b/tools/testing/selftests/drivers/net/netdevsim/devlink.sh
+index 9de1d123f4f5..a08c02abde12 100755
+--- a/tools/testing/selftests/drivers/net/netdevsim/devlink.sh
++++ b/tools/testing/selftests/drivers/net/netdevsim/devlink.sh
+@@ -496,8 +496,8 @@ dummy_reporter_test()
+
+ check_reporter_info dummy healthy 3 3 10 true
+
+- echo 8192> $DEBUGFS_DIR/health/binary_len
+- check_fail $? "Failed set dummy reporter binary len to 8192"
++ echo 8192 > $DEBUGFS_DIR/health/binary_len
++ check_err $? "Failed set dummy reporter binary len to 8192"
+
+ local dump=$(devlink health dump show $DL_HANDLE reporter dummy -j)
+ check_err $? "Failed show dump of dummy reporter"
+--
+2.35.1
+
--- /dev/null
+From 21288429b9387cda22d347b12191f37d86f057fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 19:26:26 +0800
+Subject: selftests/efivarfs: Add checking of the test return value
+
+From: Zhao Gongyi <zhaogongyi@huawei.com>
+
+[ Upstream commit c93924267fe6f2b44af1849f714ae9cd8117a9cd ]
+
+Add checking of the test return value, otherwise it will report success
+forever for test_create_read().
+
+Fixes: dff6d2ae56d0 ("selftests/efivarfs: clean up test files from test_create*()")
+Signed-off-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/efivarfs/efivarfs.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/testing/selftests/efivarfs/efivarfs.sh b/tools/testing/selftests/efivarfs/efivarfs.sh
+index a90f394f9aa9..d374878cc0ba 100755
+--- a/tools/testing/selftests/efivarfs/efivarfs.sh
++++ b/tools/testing/selftests/efivarfs/efivarfs.sh
+@@ -87,6 +87,11 @@ test_create_read()
+ {
+ local file=$efivarfs_mount/$FUNCNAME-$test_guid
+ ./create-read $file
++ if [ $? -ne 0 ]; then
++ echo "create and read $file failed"
++ file_cleanup $file
++ exit 1
++ fi
+ file_cleanup $file
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a6263b0b97e49101c1028b69c4d6c5cf4a1be228 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 10:09:31 +0800
+Subject: selftests/ftrace: event_triggers: wait longer for test_event_enable
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit a1d6cd88c8973cfb08ee85722488b1d6d5d16327 ]
+
+In some platform, the schedule event may came slowly, delay 100ms can't
+cover it.
+
+I was notice that on my board which running in low cpu_freq,and this
+selftests allways gose fail.
+
+So maybe we can check more times here to wait longer.
+
+Fixes: 43bb45da82f9 ("selftests: ftrace: Add a selftest to test event enable/disable func trigger")
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_event_triggers.tc | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc
+index 3145b0f1835c..27a68bbe778b 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc
+@@ -38,11 +38,18 @@ cnt_trace() {
+
+ test_event_enabled() {
+ val=$1
++ check_times=10 # wait for 10 * SLEEP_TIME at most
+
+- e=`cat $EVENT_ENABLE`
+- if [ "$e" != $val ]; then
+- fail "Expected $val but found $e"
+- fi
++ while [ $check_times -ne 0 ]; do
++ e=`cat $EVENT_ENABLE`
++ if [ "$e" == $val ]; then
++ return 0
++ fi
++ sleep $SLEEP_TIME
++ check_times=$((check_times - 1))
++ done
++
++ fail "Expected $val but found $e"
+ }
+
+ run_enable_disable() {
+--
+2.35.1
+
--- /dev/null
+From e5f091a968a95403a4c7e215d425c324c50f4ca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 12:44:27 +0400
+Subject: selftests/powerpc: Fix resource leaks
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 8f4ab7da904ab7027ccd43ddb4f0094e932a5877 ]
+
+In check_all_cpu_dscr_defaults, opendir() opens the directory stream.
+Add missing closedir() in the error path to release it.
+
+In check_cpu_dscr_default, open() creates an open file descriptor.
+Add missing close() in the error path to release it.
+
+Fixes: ebd5858c904b ("selftests/powerpc: Add test for all DSCR sysfs interfaces")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20221205084429.570654-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
+index fbbdffdb2e5d..f20d1c166d1e 100644
+--- a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
++++ b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
+@@ -24,6 +24,7 @@ static int check_cpu_dscr_default(char *file, unsigned long val)
+ rc = read(fd, buf, sizeof(buf));
+ if (rc == -1) {
+ perror("read() failed");
++ close(fd);
+ return 1;
+ }
+ close(fd);
+@@ -65,8 +66,10 @@ static int check_all_cpu_dscr_defaults(unsigned long val)
+ if (access(file, F_OK))
+ continue;
+
+- if (check_cpu_dscr_default(file, val))
++ if (check_cpu_dscr_default(file, val)) {
++ closedir(sysfs);
+ return 1;
++ }
+ }
+ closedir(sysfs);
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 1dcf33a7096e6b2ec7db6f23558fceeaea731dca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 07:21:10 +0000
+Subject: serial: 8250_bcm7271: Fix error handling in brcmuart_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 6a3ff858915fa8ca36c7eb02c87c9181ae2fc333 ]
+
+A problem about 8250_bcm7271 create debugfs failed is triggered with the
+following log given:
+
+ [ 324.516635] debugfs: Directory 'bcm7271-uart' with parent '/' already present!
+
+The reason is that brcmuart_init() returns platform_driver_register()
+directly without checking its return value, if platform_driver_register()
+failed, it returns without destroy the newly created debugfs, resulting
+the debugfs of 8250_bcm7271 can never be created later.
+
+ brcmuart_init()
+ debugfs_create_dir() # create debugfs directory
+ platform_driver_register()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without destroy debugfs directory
+
+Fix by removing debugfs when platform_driver_register() returns error.
+
+Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221109072110.117291-2-yuancan@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_bcm7271.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c
+index 8efdc271eb75..5e0ffd6c4789 100644
+--- a/drivers/tty/serial/8250/8250_bcm7271.c
++++ b/drivers/tty/serial/8250/8250_bcm7271.c
+@@ -1212,9 +1212,17 @@ static struct platform_driver brcmuart_platform_driver = {
+
+ static int __init brcmuart_init(void)
+ {
++ int ret;
++
+ brcmuart_debugfs_root = debugfs_create_dir(
+ brcmuart_platform_driver.driver.name, NULL);
+- return platform_driver_register(&brcmuart_platform_driver);
++ ret = platform_driver_register(&brcmuart_platform_driver);
++ if (ret) {
++ debugfs_remove_recursive(brcmuart_debugfs_root);
++ return ret;
++ }
++
++ return 0;
+ }
+ module_init(brcmuart_init);
+
+--
+2.35.1
+
--- /dev/null
+From ff1729b44476c030a1e9a87a6830991004b62f65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 15:04:26 -0500
+Subject: serial: altera_uart: fix locking in polling mode
+
+From: Gabriel Somlo <gsomlo@gmail.com>
+
+[ Upstream commit 1307c5d33cce8a41dd77c2571e4df65a5b627feb ]
+
+Since altera_uart_interrupt() may also be called from
+a poll timer in "serving_softirq" context, use
+spin_[lock_irqsave|unlock_irqrestore] variants, which
+are appropriate for both softirq and hardware interrupt
+contexts.
+
+Fixes: 2f8b9c15cd88 ("altera_uart: Add support for polling mode (IRQ-less)")
+Signed-off-by: Gabriel Somlo <gsomlo@gmail.com>
+Link: https://lore.kernel.org/r/20221122200426.888349-1-gsomlo@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/altera_uart.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c
+index ab08c4050a84..191d737ea563 100644
+--- a/drivers/tty/serial/altera_uart.c
++++ b/drivers/tty/serial/altera_uart.c
+@@ -278,16 +278,17 @@ static irqreturn_t altera_uart_interrupt(int irq, void *data)
+ {
+ struct uart_port *port = data;
+ struct altera_uart *pp = container_of(port, struct altera_uart, port);
++ unsigned long flags;
+ unsigned int isr;
+
+ isr = altera_uart_readl(port, ALTERA_UART_STATUS_REG) & pp->imr;
+
+- spin_lock(&port->lock);
++ spin_lock_irqsave(&port->lock, flags);
+ if (isr & ALTERA_UART_STATUS_RRDY_MSK)
+ altera_uart_rx_chars(port);
+ if (isr & ALTERA_UART_STATUS_TRDY_MSK)
+ altera_uart_tx_chars(port);
+- spin_unlock(&port->lock);
++ spin_unlock_irqrestore(&port->lock, flags);
+
+ return IRQ_RETVAL(isr);
+ }
+--
+2.35.1
+
--- /dev/null
+From bffa41f185ab920b9d4286742b90715c2ba54bf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 18:32:37 +0800
+Subject: serial: amba-pl011: avoid SBSA UART accessing DMACR register
+
+From: Jiamei Xie <jiamei.xie@arm.com>
+
+[ Upstream commit 94cdb9f33698478b0e7062586633c42c6158a786 ]
+
+Chapter "B Generic UART" in "ARM Server Base System Architecture" [1]
+documentation describes a generic UART interface. Such generic UART
+does not support DMA. In current code, sbsa_uart_pops and
+amba_pl011_pops share the same stop_rx operation, which will invoke
+pl011_dma_rx_stop, leading to an access of the DMACR register. This
+commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the
+access to DMACR register for SBSA UARTs which does not support DMA.
+
+When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux
+SBSA PL011 driver will access PL011 DMACR register in some functions.
+For most real SBSA Pl011 hardware implementations, the DMACR write
+behaviour will be ignored. So these DMACR operations will not cause
+obvious problems. But for some virtual SBSA PL011 hardware, like Xen
+virtual SBSA PL011 (vpl011) device, the behaviour might be different.
+Xen vpl011 emulation will inject a data abort to guest, when guest is
+accessing an unimplemented UART register. As Xen VPL011 is SBSA
+compatible, it will not implement DMACR register. So when Linux SBSA
+PL011 driver access DMACR register, it will get an unhandled data abort
+fault and the application will get a segmentation fault:
+Unhandled fault at 0xffffffc00944d048
+Mem abort info:
+ ESR = 0x96000000
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x00: ttbr address size fault
+Data abort info:
+ ISV = 0, ISS = 0x00000000
+ CM = 0, WnR = 0
+swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000
+[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13
+Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP
+...
+Call trace:
+ pl011_stop_rx+0x70/0x80
+ tty_port_shutdown+0x7c/0xb4
+ tty_port_close+0x60/0xcc
+ uart_close+0x34/0x8c
+ tty_release+0x144/0x4c0
+ __fput+0x78/0x220
+ ____fput+0x1c/0x30
+ task_work_run+0x88/0xc0
+ do_notify_resume+0x8d0/0x123c
+ el0_svc+0xa8/0xc0
+ el0t_64_sync_handler+0xa4/0x130
+ el0t_64_sync+0x1a0/0x1a4
+Code: b9000083 b901f001 794038a0 8b000042 (b9000041)
+---[ end trace 83dd93df15c3216f ]---
+note: bootlogd[132] exited with preempt_count 1
+/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon
+
+This has been discussed in the Xen community, and we think it should fix
+this in Linux. See [2] for more information.
+
+[1] https://developer.arm.com/documentation/den0094/c/?lang=en
+[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html
+
+Fixes: 0dd1e247fd39 (drivers: PL011: add support for the ARM SBSA generic UART)
+Signed-off-by: Jiamei Xie <jiamei.xie@arm.com>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Link: https://lore.kernel.org/r/20221117103237.86856-1-jiamei.xie@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/amba-pl011.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
+index 15f0e4d88c5a..72c2a978cf61 100644
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -1045,6 +1045,9 @@ static void pl011_dma_rx_callback(void *data)
+ */
+ static inline void pl011_dma_rx_stop(struct uart_amba_port *uap)
+ {
++ if (!uap->using_rx_dma)
++ return;
++
+ /* FIXME. Just disable the DMA enable */
+ uap->dmacr &= ~UART011_RXDMAE;
+ pl011_write(uap->dmacr, uap, REG_DMACR);
+--
+2.35.1
+
--- /dev/null
+From 0125f79b3faa8ce17f35a4ebf814e813b522e4fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 19:45:59 +0800
+Subject: serial: pch: Fix PCI device refcount leak in pch_request_dma()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 8be3a7bf773700534a6e8f87f6ed2ed111254be5 ]
+
+As comment of pci_get_slot() says, it returns a pci_device with its
+refcount increased. The caller must decrement the reference count by
+calling pci_dev_put().
+
+Since 'dma_dev' is only used to filter the channel in filter(), we can
+call pci_dev_put() before exiting from pch_request_dma(). Add the
+missing pci_dev_put() for the normal and error path.
+
+Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Link: https://lore.kernel.org/r/20221122114559.27692-1-wangxiongfeng2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/pch_uart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
+index 8a9065e4a903..ec501c3ce033 100644
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -694,6 +694,7 @@ static void pch_request_dma(struct uart_port *port)
+ if (!chan) {
+ dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
+ __func__);
++ pci_dev_put(dma_dev);
+ return;
+ }
+ priv->chan_tx = chan;
+@@ -710,6 +711,7 @@ static void pch_request_dma(struct uart_port *port)
+ __func__);
+ dma_release_channel(priv->chan_tx);
+ priv->chan_tx = NULL;
++ pci_dev_put(dma_dev);
+ return;
+ }
+
+@@ -717,6 +719,8 @@ static void pch_request_dma(struct uart_port *port)
+ priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
+ &priv->rx_buf_dma, GFP_KERNEL);
+ priv->chan_rx = chan;
++
++ pci_dev_put(dma_dev);
+ }
+
+ static void pch_dma_rx_complete(void *arg)
+--
+2.35.1
+
--- /dev/null
+From 32814ba5886fefcef2b086f1b17cefc986902fb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 10:01:08 +0800
+Subject: serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: delisun <delisun@pateo.com.cn>
+
+[ Upstream commit 032d5a71ed378ffc6a2d41a187d8488a4f9fe415 ]
+
+Clearing the RX FIFO will cause data loss.
+Copy the pl011_enabl_interrupts implementation, and remove the clear
+interrupt and FIFO part of the code.
+
+Fixes: 211565b10099 ("serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle")
+Signed-off-by: delisun <delisun@pateo.com.cn>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20221110020108.7700-1-delisun@pateo.com.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/amba-pl011.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
+index 72c2a978cf61..c211a1e92db7 100644
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -1831,8 +1831,17 @@ static void pl011_enable_interrupts(struct uart_amba_port *uap)
+ static void pl011_unthrottle_rx(struct uart_port *port)
+ {
+ struct uart_amba_port *uap = container_of(port, struct uart_amba_port, port);
++ unsigned long flags;
+
+- pl011_enable_interrupts(uap);
++ spin_lock_irqsave(&uap->port.lock, flags);
++
++ uap->im = UART011_RTIM;
++ if (!pl011_dma_rx_running(uap))
++ uap->im |= UART011_RXIM;
++
++ pl011_write(uap->im, uap, REG_IMSC);
++
++ spin_unlock_irqrestore(&uap->port.lock, flags);
+ }
+
+ static int pl011_startup(struct uart_port *port)
+--
+2.35.1
+
--- /dev/null
+From 58c6e48725a9e7154d8cdc85c0fd3dc260275c4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 18:06:02 +0100
+Subject: serial: stm32: move dma_request_chan() before clk_prepare_enable()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Valentin Caron <valentin.caron@foss.st.com>
+
+[ Upstream commit 0d114e9ff940ebad8e88267013bf96c605a6b336 ]
+
+If dma_request_chan() returns a PROBE_DEFER error, clk_disable_unprepare()
+will be called and USART clock will be disabled. But early console can be
+still active on the same USART.
+
+While moving dma_request_chan() before clk_prepare_enable(), the clock
+won't be taken in case of a DMA PROBE_DEFER error, and so it doesn't need
+to be disabled. Then USART is still clocked for early console.
+
+Fixes: a7770a4bfcf4 ("serial: stm32: defer probe for dma devices")
+Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Valentin Caron <valentin.caron@foss.st.com>
+Link: https://lore.kernel.org/r/20221118170602.1057863-1-valentin.caron@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 47 ++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index 9a875558f5ef..1f8aad186908 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -1681,22 +1681,10 @@ static int stm32_usart_serial_probe(struct platform_device *pdev)
+ if (!stm32port->info)
+ return -EINVAL;
+
+- ret = stm32_usart_init_port(stm32port, pdev);
+- if (ret)
+- return ret;
+-
+- if (stm32port->wakeup_src) {
+- device_set_wakeup_capable(&pdev->dev, true);
+- ret = dev_pm_set_wake_irq(&pdev->dev, stm32port->port.irq);
+- if (ret)
+- goto err_deinit_port;
+- }
+-
+ stm32port->rx_ch = dma_request_chan(&pdev->dev, "rx");
+- if (PTR_ERR(stm32port->rx_ch) == -EPROBE_DEFER) {
+- ret = -EPROBE_DEFER;
+- goto err_wakeirq;
+- }
++ if (PTR_ERR(stm32port->rx_ch) == -EPROBE_DEFER)
++ return -EPROBE_DEFER;
++
+ /* Fall back in interrupt mode for any non-deferral error */
+ if (IS_ERR(stm32port->rx_ch))
+ stm32port->rx_ch = NULL;
+@@ -1710,6 +1698,17 @@ static int stm32_usart_serial_probe(struct platform_device *pdev)
+ if (IS_ERR(stm32port->tx_ch))
+ stm32port->tx_ch = NULL;
+
++ ret = stm32_usart_init_port(stm32port, pdev);
++ if (ret)
++ goto err_dma_tx;
++
++ if (stm32port->wakeup_src) {
++ device_set_wakeup_capable(&pdev->dev, true);
++ ret = dev_pm_set_wake_irq(&pdev->dev, stm32port->port.irq);
++ if (ret)
++ goto err_deinit_port;
++ }
++
+ if (stm32port->rx_ch && stm32_usart_of_dma_rx_probe(stm32port, pdev)) {
+ /* Fall back in interrupt mode */
+ dma_release_channel(stm32port->rx_ch);
+@@ -1746,19 +1745,11 @@ static int stm32_usart_serial_probe(struct platform_device *pdev)
+ pm_runtime_set_suspended(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+
+- if (stm32port->tx_ch) {
++ if (stm32port->tx_ch)
+ stm32_usart_of_dma_tx_remove(stm32port, pdev);
+- dma_release_channel(stm32port->tx_ch);
+- }
+-
+ if (stm32port->rx_ch)
+ stm32_usart_of_dma_rx_remove(stm32port, pdev);
+
+-err_dma_rx:
+- if (stm32port->rx_ch)
+- dma_release_channel(stm32port->rx_ch);
+-
+-err_wakeirq:
+ if (stm32port->wakeup_src)
+ dev_pm_clear_wake_irq(&pdev->dev);
+
+@@ -1768,6 +1759,14 @@ static int stm32_usart_serial_probe(struct platform_device *pdev)
+
+ stm32_usart_deinit_port(stm32port);
+
++err_dma_tx:
++ if (stm32port->tx_ch)
++ dma_release_channel(stm32port->tx_ch);
++
++err_dma_rx:
++ if (stm32port->rx_ch)
++ dma_release_channel(stm32port->rx_ch);
++
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From fecb3b4305934d56db29696f306066093a4a0ddd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 06:12:12 +0000
+Subject: serial: sunsab: Fix error handling in sunsab_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 1a6ec673fb627c26e2267ca0a03849f91dbd9b40 ]
+
+The sunsab_init() returns the platform_driver_register() directly without
+checking its return value, if platform_driver_register() failed, the
+allocated sunsab_ports is leaked.
+Fix by free sunsab_ports and set it to NULL when platform_driver_register()
+failed.
+
+Fixes: c4d37215a824 ("[SERIAL] sunsab: Convert to of_driver framework.")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221123061212.52593-1-yuancan@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sunsab.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/sunsab.c b/drivers/tty/serial/sunsab.c
+index 6ea52293d9f3..7c10715dace8 100644
+--- a/drivers/tty/serial/sunsab.c
++++ b/drivers/tty/serial/sunsab.c
+@@ -1137,7 +1137,13 @@ static int __init sunsab_init(void)
+ }
+ }
+
+- return platform_driver_register(&sab_driver);
++ err = platform_driver_register(&sab_driver);
++ if (err) {
++ kfree(sunsab_ports);
++ sunsab_ports = NULL;
++ }
++
++ return err;
+ }
+
+ static void __exit sunsab_exit(void)
+--
+2.35.1
+
--- /dev/null
+From 1c45abf00f8322922bcc9a3c593873f45b4963f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 20:28:06 +0530
+Subject: serial: tegra: Read DMA status before terminating
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kartik <kkartik@nvidia.com>
+
+[ Upstream commit 109a951a9f1fd8a34ebd1896cbbd5d5cede880a7 ]
+
+Read the DMA status before terminating the DMA, as doing so deletes
+the DMA desc.
+
+Also, to get the correct transfer status information, pause the DMA
+using dmaengine_pause() before reading the DMA status.
+
+Fixes: e9ea096dd225 ("serial: tegra: add serial driver")
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
+Signed-off-by: Kartik <kkartik@nvidia.com>
+Link: https://lore.kernel.org/r/1666105086-17326-1-git-send-email-kkartik@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/serial-tegra.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/serial-tegra.c b/drivers/tty/serial/serial-tegra.c
+index a5748e41483b..ab549b79fde9 100644
+--- a/drivers/tty/serial/serial-tegra.c
++++ b/drivers/tty/serial/serial-tegra.c
+@@ -619,8 +619,9 @@ static void tegra_uart_stop_tx(struct uart_port *u)
+ if (tup->tx_in_progress != TEGRA_UART_TX_DMA)
+ return;
+
+- dmaengine_terminate_all(tup->tx_dma_chan);
++ dmaengine_pause(tup->tx_dma_chan);
+ dmaengine_tx_status(tup->tx_dma_chan, tup->tx_cookie, &state);
++ dmaengine_terminate_all(tup->tx_dma_chan);
+ count = tup->tx_bytes_requested - state.residue;
+ async_tx_ack(tup->tx_dma_desc);
+ uart_xmit_advance(&tup->uport, count);
+@@ -763,8 +764,9 @@ static void tegra_uart_terminate_rx_dma(struct tegra_uart_port *tup)
+ return;
+ }
+
+- dmaengine_terminate_all(tup->rx_dma_chan);
++ dmaengine_pause(tup->rx_dma_chan);
+ dmaengine_tx_status(tup->rx_dma_chan, tup->rx_cookie, &state);
++ dmaengine_terminate_all(tup->rx_dma_chan);
+
+ tegra_uart_rx_buffer_push(tup, state.residue);
+ tup->rx_dma_active = false;
+--
+2.35.1
+
--- /dev/null
+staging-r8188eu-remove-duplicate-bsurpriseremoved-ch.patch
+staging-r8188eu-don-t-check-bsurpriseremoved-in-swle.patch
+staging-r8188eu-fix-led-register-settings.patch
+usb-musb-remove-extra-check-in-musb_gadget_vbus_draw.patch
+cifs-replace-kfree-with-kfree_sensitive-for-sensitiv.patch
+cifs-improve-symlink-handling-for-smb2.patch
+cifs-fix-oops-during-encryption.patch
+arm64-dts-renesas-r8a779g0-fix-hscif0-brg_int-clock.patch
+arm64-dts-qcom-ipq6018-cp01-c1-use-blspi1-pins.patch
+arm64-dts-qcom-sm8250-sony-xperia-edo-fix-touchscree.patch
+arm64-dts-qcom-sdm845-xiaomi-polaris-fix-codec-pin-c.patch
+arm64-dts-qcom-msm8996-add-msm8996-pro-support.patch
+arm64-dts-qcom-msm8996-fix-supported-hw-in-cpufreq-o.patch
+arm64-dts-qcom-msm8996-fix-gpu-opp-table.patch
+arm-dts-qcom-apq8064-fix-coresight-compatible.patch
+arm64-dts-qcom-sdm630-fix-uart1-pin-bias.patch
+arm64-dts-qcom-sdm845-cheza-fix-ap-suspend-pin-bias.patch
+arm64-dts-qcom-msm8916-drop-mss-fallback-compatible.patch
+arm64-dts-fsd-fix-drive-strength-macros-as-per-fsd-h.patch
+arm64-dts-fsd-fix-drive-strength-values-as-per-fsd-h.patch
+memory-renesas-rpc-if-clear-hs-bit-during-hardware-i.patch
+objtool-kcsan-add-volatile-read-write-instrumentatio.patch
+arm-dts-stm32-drop-stm32mp15xc.dtsi-from-avenger96.patch
+arm-dts-stm32-fix-av96-wlan-regulator-gpio-property.patch
+drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch
+firmware-ti_sci-fix-polled-mode-during-system-suspen.patch
+arm64-dts-qcom-pm660-use-unique-adc5_vcoin-address-i.patch
+arm64-dts-qcom-sm8250-correct-lpass-pin-pull-down.patch
+arm64-dts-qcom-sc7180-trogdor-homestar-fully-configu.patch
+soc-qcom-llcc-make-irq-truly-optional.patch
+arm64-dts-qcom-sm8150-fix-ufs-phy-registers.patch
+arm64-dts-qcom-sm8250-fix-ufs-phy-registers.patch
+arm64-dts-qcom-sm8350-fix-ufs-phy-registers.patch
+arm64-dts-qcom-sm8450-fix-ufs-phy-registers.patch
+arm64-dts-qcom-use-gpio-flags-for-tlmm.patch
+arm64-dts-qcom-msm8996-fix-sound-card-reset-line-pol.patch
+arm64-dts-qcom-sm8250-mtp-fix-reset-line-polarity.patch
+arm64-dts-qcom-sm8250-drop-bogus-dp-phy-clock.patch
+arm64-dts-qcom-sm6350-drop-bogus-dp-phy-clock.patch
+soc-qcom-apr-add-check-for-idr_alloc-and-of_property.patch
+arm64-dts-qcom-pm6350-include-header-for-key_power.patch
+arm64-dts-qcom-sm6125-fix-sdhci-cqe-reg-names.patch
+arm64-dts-renesas-r8a779f0-fix-hscif-brg_int-clock.patch
+arm64-dts-renesas-r8a779f0-fix-scif-brg_int-clock.patch
+arm64-dts-renesas-r9a09g011-fix-unit-address-format-.patch
+dt-bindings-pwm-fix-microchip-corepwm-s-pwm-cells.patch
+arm64-dts-mt7986-fix-trng-node-name.patch
+arm-dts-spear600-fix-clcd-interrupt.patch
+soc-ti-knav_qmss_queue-fix-pm-disable-depth-imbalanc.patch
+soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch
+arm64-mm-kfence-only-handle-translation-faults.patch
+perf-arm_dsu-fix-hotplug-callback-leak-in-dsu_pmu_in.patch
+drivers-perf-marvell_cn10k-fix-hotplug-callback-leak.patch
+perf-arm_dmc620-fix-hotplug-callback-leak-in-dmc620_.patch
+perf-smmuv3-fix-hotplug-callback-leak-in-arm_smmu_pm.patch
+arm64-dts-ti-k3-am65-main-drop-dma-coherent-in-crypt.patch
+arm64-dts-ti-k3-j721e-main-drop-dma-coherent-in-cryp.patch
+arm64-dts-ti-k3-j721s2-fix-the-interrupt-ranges-prop.patch
+arm-dts-nuvoton-remove-bogus-unit-addresses-from-fix.patch
+arm64-dts-mediatek-mt8195-fix-cpus-capacity-dmips-mh.patch
+arm64-dts-mt7896a-fix-unit_address_vs_reg-warning-fo.patch
+arm64-dts-mt6779-fix-devicetree-build-warnings.patch
+arm64-dts-mt2712e-fix-unit_address_vs_reg-warning-fo.patch
+arm64-dts-mt2712e-fix-unit-address-for-pinctrl-node.patch
+arm64-dts-mt2712-evb-fix-vproc-fixed-regulators-unit.patch
+arm64-dts-mt2712-evb-fix-usb-vbus-regulators-unit-na.patch
+arm64-dts-mediatek-pumpkin-common-fix-devicetree-war.patch
+arm64-dts-mediatek-mt6797-fix-26m-oscillator-unit-na.patch
+arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch
+arm-dts-armada-370-fix-assigned-addresses-for-every-.patch
+arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch
+arm-dts-armada-375-fix-assigned-addresses-for-every-.patch
+arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch
+arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch
+arm-dts-turris-omnia-add-ethernet-aliases.patch
+arm-dts-turris-omnia-add-switch-port-6-node.patch
+arm-dts-armada-38x-fix-compatible-string-for-gpios.patch
+arm-dts-armada-39x-fix-compatible-string-for-gpios.patch
+arm64-dts-armada-3720-turris-mox-add-missing-interru.patch
+soc-apple-sart-stop-casting-function-pointer-signatu.patch
+soc-apple-rtkit-stop-casting-function-pointer-signat.patch
+drivers-perf-hisi-fix-some-event-id-for-hisi-pcie-pm.patch
+seccomp-move-copy_seccomp-to-no-failure-path.patch
+pstore-ram-fix-error-return-code-in-ramoops_probe.patch
+arm-mmp-fix-timer_read-delay.patch
+pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch
+arch-arm64-apple-t8103-use-standard-iommu-node-name.patch
+tpm-tis_i2c-fix-sanity-check-interrupt-enable-mask.patch
+tpm-add-flag-to-use-default-cancellation-policy.patch
+tpm-tpm_ftpm_tee-fix-error-handling-in-ftpm_mod_init.patch
+tpm-tpm_crb-fix-error-message-in-__crb_relinquish_lo.patch
+ovl-remove-privs-in-ovl_copyfile.patch
+ovl-remove-privs-in-ovl_fallocate.patch
+sched-uclamp-fix-relationship-between-uclamp-and-mig.patch
+sched-uclamp-make-task_fits_capacity-use-util_fits_c.patch
+sched-uclamp-fix-fits_capacity-check-in-feec.patch
+sched-uclamp-make-select_idle_capacity-use-util_fits.patch
+sched-core-introduce-sched_asym_cpucap_active.patch
+sched-uclamp-make-asym_fits_capacity-use-util_fits_c.patch
+sched-uclamp-make-cpu_overutilized-use-util_fits_cpu.patch
+sched-uclamp-cater-for-uclamp-in-find_energy_efficie.patch
+cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch
+alpha-fix-tif_notify_signal-handling.patch
+alpha-fix-syscall-entry-in-audut_syscall-case.patch
+sched-psi-fix-possible-missing-or-delayed-pending-ev.patch
+x86-sgx-reduce-delay-and-interference-of-enclave-rel.patch
+pm-hibernate-fix-mistake-in-kerneldoc-comment.patch
+fs-don-t-audit-the-capability-check-in-simple_xattr_.patch
+cpufreq-qcom-hw-fix-memory-leak-in-qcom_cpufreq_hw_r.patch
+x86-split_lock-add-sysctl-to-control-the-misery-mode.patch
+acpi-irq-fix-some-kernel-doc-issues.patch
+selftests-ftrace-event_triggers-wait-longer-for-test.patch
+perf-fix-possible-memleak-in-pmu_dev_alloc.patch
+lib-debugobjects-fix-stat-count-and-optimize-debug_o.patch
+platform-x86-huawei-wmi-fix-return-value-calculation.patch
+timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch
+proc-fixup-uptime-selftest.patch
+lib-fonts-fix-undefined-behavior-in-bit-shift-for-ge.patch
+ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch
+selftests-cgroup-fix-unsigned-comparison-with-less-t.patch
+cpufreq-qcom-hw-fix-the-frequency-returned-by-cpufre.patch
+mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch
+mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch
+selftests-efivarfs-add-checking-of-the-test-return-v.patch
+pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch
+mailbox-pcc-reset-pcc_chan_count-to-zero-in-case-of-.patch
+acpi-pfr_telemetry-use-acpi_free-to-free-acpi_object.patch
+acpi-pfr_update-use-acpi_free-to-free-acpi_object.patch
+perf-x86-intel-uncore-fix-reference-count-leak-in-sa.patch
+perf-x86-intel-uncore-fix-reference-count-leak-in-hs.patch
+perf-x86-intel-uncore-fix-reference-count-leak-in-sn.patch
+perf-x86-intel-uncore-fix-reference-count-leak-in-__.patch
+platform-chrome-cros_usbpd_notify-fix-error-handling.patch
+thermal-core-fix-some-possible-name-leaks-in-error-p.patch
+irqchip-loongson-pch-pic-fix-translate-callback-for-.patch
+irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch
+irqchip-wpcm450-fix-memory-leak-in-wpcm450_aic_of_in.patch
+irqchip-loongson-liointc-fix-improper-error-handling.patch
+edac-i10nm-fix-refcount-leak-in-pci_get_dev_wrapper.patch
+nfsd-finish-converting-the-nfsv2-getacl-result-encod.patch
+nfsd-finish-converting-the-nfsv3-getacl-result-encod.patch
+nfsd-don-t-call-nfsd_file_put-from-client-states-seq.patch
+genirq-irqdesc-don-t-try-to-remove-non-existing-sysf.patch
+cpufreq-amd_freq_sensitivity-add-missing-pci_dev_put.patch
+libfs-add-define_simple_attribute_signed-for-signed-.patch
+lib-notifier-error-inject-fix-error-when-writing-err.patch
+debugfs-fix-error-when-writing-negative-value-to-ato.patch
+ocfs2-fix-memory-leak-in-ocfs2_mount_volume.patch
+rapidio-fix-possible-name-leaks-when-rio_add_device-.patch
+rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch
+clocksource-drivers-sh_cmt-access-registers-accordin.patch
+mips-ralink-mt7621-define-mt7621_sysc_base-with-__io.patch
+mips-ralink-mt7621-soc-queries-and-tests-as-function.patch
+mips-ralink-mt7621-do-not-use-kzalloc-too-early.patch
+futex-resend-potentially-swallowed-owner-death-notif.patch
+cpu-hotplug-make-target_store-a-nop-when-target-stat.patch
+cpu-hotplug-do-not-bail-out-in-dying-starting-sectio.patch
+clocksource-drivers-timer-ti-dm-fix-warning-for-omap.patch
+clocksource-drivers-timer-ti-dm-fix-missing-clk_disa.patch
+acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch
+uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch
+x86-xen-fix-memory-leak-in-xen_smp_intr_init-_pv.patch
+x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch
+xen-privcmd-fix-a-possible-warning-in-privcmd_ioctl_.patch
+pm-runtime-do-not-call-__rpm_callback-from-rpm_idle.patch
+erofs-fix-pcluster-memleak-when-its-block-address-is.patch
+erofs-fix-missing-unmap-if-z_erofs_get_extent_compre.patch
+erofs-support-interlaced-uncompressed-data-for-compr.patch
+erofs-validate-the-extent-length-for-uncompressed-pc.patch
+platform-chrome-cros_ec_typec-cleanup-switch-handle-.patch
+platform-chrome-cros_ec_typec-get-retimer-handle.patch
+platform-chrome-cros_ec_typec-zero-out-stale-pointer.patch
+platform-x86-mxm-wmi-fix-memleak-in-mxm_wmi_call_mx-.patch
+platform-x86-intel_scu_ipc-fix-possible-name-leak-in.patch
+mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch
+mips-octeon-warn-only-once-if-deprecated-link-status.patch
+lockd-set-other-missing-fields-when-unlocking-files.patch
+nfsd-return-error-if-nfs4_setacl-fails.patch
+nfsd-pass-range-end-to-vfs_fsync_range-instead-of-co.patch
+fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch
+rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch
+eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch
+relay-fix-type-mismatch-when-allocating-memory-in-re.patch
+hfs-fix-oob-write-in-hfs_asc2mac.patch
+rapidio-devices-fix-missing-put_device-in-mport_cdev.patch
+ipc-fix-memory-leak-in-init_mqueue_fs.patch
+platform-mellanox-mlxbf-pmc-fix-event-typo.patch
+wifi-fix-multi-link-element-subelement-iteration.patch
+wifi-mac80211-mlme-fix-null-ptr-deref-on-failed-asso.patch
+wifi-mac80211-check-link-id-in-auth-assoc-continuati.patch
+wifi-mac80211-fix-ifdef-symbol-name.patch
+drm-atomic-helper-don-t-allocate-new-plane-state-in-.patch
+wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch
+wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch
+wifi-rtl8xxxu-fix-reading-the-vendor-of-combo-chips.patch
+wifi-ath11k-move-firmware-stats-out-of-debugfs.patch
+wifi-ath11k-fix-firmware-assert-during-bandwidth-cha.patch
+drm-bridge-adv7533-remove-dynamic-lane-switching-fro.patch
+libbpf-fix-use-after-free-in-btf_dump_name_dups.patch
+libbpf-fix-memory-leak-in-parse_usdt_arg.patch
+selftests-bpf-add-struct-argument-tests-with-fentry-.patch
+selftests-bpf-fix-memory-leak-caused-by-not-destroyi.patch
+selftest-bpf-fix-memory-leak-in-kprobe_multi_test.patch
+selftests-bpf-fix-error-failure-of-case-test_xdp_adj.patch
+selftest-bpf-fix-error-usage-of-assert_ok-in-xdp_adj.patch
+libbpf-reject-legacy-maps-elf-section.patch
+libbpf-use-elf_getshdrnum-instead-of-e_shnum.patch
+libbpf-deal-with-section-with-no-data-gracefully.patch
+libbpf-fix-null-pointer-dereference-in-find_prog_by_.patch
+drm-lcdif-switch-to-limited-range-for-rgb-to-yuv-con.patch
+ata-libata-fix-ncq-autosense-logic.patch
+pinctrl-ocelot-add-missing-destroy_workqueue-in-erro.patch
+asoc-intel-avs-fix-dma-mask-assignment.patch
+asoc-intel-avs-fix-potential-rx-buffer-overflow.patch
+ipmi-kcs-poll-obf-briefly-to-reduce-obe-latency.patch
+drm-amdgpu-powerplay-psm-fix-memory-leak-in-power-st.patch
+powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch
+samples-bpf-fix-map-iteration-in-xdp1_user.patch
+samples-bpf-fix-mac-address-swapping-in-xdp2_kern.patch
+drm-bridge-it6505-initialize-aux-channel-in-it6505_i.patch
+input-iqs7222-set-all-ulp-entry-masks-by-default.patch
+input-iqs7222-drop-unused-device-node-references.patch
+input-iqs7222-report-malformed-properties.patch
+input-iqs7222-protect-against-undefined-slider-size.patch
+media-v4l2-ctrls-fix-off-by-one-error-in-integer-men.patch
+media-coda-jpeg-add-check-for-kmalloc.patch
+media-amphion-reset-instance-if-it-s-aborted-before-.patch
+media-adv748x-afe-select-input-port-when-initializin.patch
+media-v4l2-ioctl.c-unify-ycbcr-yuv-terms-in-format-d.patch
+media-cedrus-hevc-fix-offset-adjustments.patch
+media-mediatek-vcodec-fix-h264-cavlc-bitstream-fail.patch
+drm-i915-guc-limit-scheduling-properties-to-avoid-ov.patch
+drm-i915-fix-compute-pre-emption-w-a-to-apply-to-com.patch
+media-i2c-hi846-fix-memory-leak-in-hi846_parse_dt.patch
+media-i2c-ad5820-fix-error-path.patch
+venus-pm_helpers-fix-error-check-in-vcodec_domains_g.patch
+soreuseport-fix-socket-selection-for-so_incoming_cpu.patch
+media-i2c-ov5648-free-v4l2-fwnode-data-on-unbind.patch
+media-exynos4-is-don-t-rely-on-the-v4l2_async_subdev.patch
+libbpf-btf-dedup-identical-struct-test-needs-check-f.patch
+can-kvaser_usb-kvaser_usb_leaf-get-capabilities-from.patch
+can-kvaser_usb-kvaser_usb_leaf-rename-leaf-usbcan-_c.patch
+can-kvaser_usb-kvaser_usb_leaf-handle-cmd_error_even.patch
+can-kvaser_usb_leaf-set-warning-state-even-without-b.patch
+can-kvaser_usb_leaf-fix-improved-state-not-being-rep.patch
+can-kvaser_usb_leaf-fix-wrong-can-state-after-stoppi.patch
+can-kvaser_usb_leaf-fix-bogus-restart-events.patch
+can-kvaser_usb-add-struct-kvaser_usb_busparams.patch
+can-kvaser_usb-compare-requested-bittiming-parameter.patch
+clk-renesas-r8a779a0-fix-sd0h-clock-name.patch
+asoc-dt-bindings-rt5682-set-sound-dai-cells-to-1.patch
+drm-i915-guc-add-a-helper-for-log-buffer-size.patch
+drm-i915-guc-fix-capture-size-warning-and-bump-the-s.patch
+drm-i915-guc-make-guc-log-sizes-runtime-configurable.patch
+drm-i915-guc-add-error-capture-init-warnings-when-ne.patch
+drm-i915-guc-fix-guc-error-capture-sizing-estimation.patch
+dw9768-enable-low-power-probe-on-acpi.patch
+drm-amd-display-wait-for-vblank-during-pipe-programm.patch
+drm-rockchip-lvds-fix-pm-usage-counter-unbalance-in-.patch
+clk-renesas-r9a06g032-repair-grave-increment-error.patch
+drm-lcdif-change-burst-size-to-256b.patch
+spi-update-reference-to-struct-spi_controller.patch
+drm-panel-panel-sitronix-st7701-remove-panel-on-dsi-.patch
+drm-ttm-fix-undefined-behavior-in-bit-shift-for-ttm_.patch
+drm-msm-mdp5-stop-overriding-drvdata.patch
+ima-handle-estale-returned-by-ima_filter_rule_match.patch
+drm-msm-hdmi-use-devres-helper-for-runtime-pm-manage.patch
+bpf-clobber-stack-slot-when-writing-over-spilled-ptr.patch
+bpf-fix-slot-type-check-in-check_stack_write_var_off.patch
+drm-msm-dpu-use-drm_dsc_config-instead-of-msm_displa.patch
+drm-msm-dpu1-account-for-dsc-s-bits_per_pixel-having.patch
+drm-msm-dsi-use-drm_dsc_config-instead-of-msm_displa.patch
+drm-msm-dsi-remove-useless-math-in-dsc-calculations.patch
+drm-msm-dsi-remove-repeated-calculation-of-slice_per.patch
+drm-msm-dsi-use-div_round_up-instead-of-conditional-.patch
+drm-msm-dsi-reuse-earlier-computed-dsc-slice_chunk_s.patch
+drm-msm-dsi-appropriately-set-dsc-mux_word_size-base.patch
+drm-msm-dsi-migrate-to-drm_dsc_compute_rc_parameters.patch
+drm-msm-dsi-account-for-dsc-s-bits_per_pixel-having-.patch
+drm-msm-dsi-disallow-8-bpc-dsc-configuration-for-alt.patch
+drm-msm-dsi-prevent-signed-bpg-offsets-from-bleeding.patch
+media-rkvdec-add-required-padding.patch
+media-vivid-fix-compose-size-exceed-boundary.patch
+media-platform-exynos4-is-fix-return-value-check-in-.patch
+bpf-propagate-precision-in-alu-alu64-operations.patch
+bpf-propagate-precision-across-all-frames-not-just-t.patch
+clk-qcom-gcc-ipq806x-use-parent_data-for-the-last-re.patch
+clk-qcom-dispcc-sm6350-add-clk_ops_parent_enable-to-.patch
+clk-qcom-gcc-sm8250-use-retention-mode-for-usb-gdscs.patch
+mtd-fix-device-name-leak-when-register-device-failed.patch
+mtd-core-fix-possible-resource-leak-in-init_mtd.patch
+input-joystick-fix-kconfig-warning-for-joystick_adc.patch
+wifi-rsi-fix-handling-of-802.3-eapol-frames-sent-via.patch
+media-camss-clean-up-received-buffers-on-failed-star.patch
+media-camss-do-not-attach-an-already-attached-power-.patch
+clk-renesas-r8a779f0-fix-hscif-parent-clocks.patch
+clk-renesas-r8a779f0-fix-scif-parent-clocks.patch
+virt-sev-guest-add-a-module_alias.patch
+net-proc-provide-proc_fs-n-fallback-for-proc_create_.patch
+rxrpc-fix-ack.buffersize-to-be-0-when-generating-an-.patch
+drm-lcdif-set-and-enable-fifo-panic-threshold.patch
+wifi-rtw89-use-u32_encode_bits-to-fill-mac-quota-val.patch
+drm-rcar-du-drop-leftovers-dependencies-from-kconfig.patch
+regmap-irq-use-the-new-num_config_regs-property-in-r.patch
+drbd-use-blk_queue_max_discard_sectors-helper.patch
+bfq-fix-waker_bfqq-inconsistency-crash.patch
+drm-radeon-add-the-missed-acpi_put_table-to-fix-memo.patch
+dt-bindings-pinctrl-update-uart-mmc-bindings-for-mt7.patch
+pinctrl-mediatek-fix-the-pinconf-register-offset-of-.patch
+wifi-iwlwifi-mei-make-sure-ownership-confirmed-messa.patch
+wifi-iwlwifi-mei-don-t-send-sap-commands-if-amt-is-d.patch
+wifi-iwlwifi-mei-fix-tx-dhcp-packet-for-devices-with.patch
+wifi-iwlwifi-mei-avoid-blocking-sap-messages-handlin.patch
+wifi-iwlwifi-mei-fix-potential-null-ptr-deref-after-.patch
+module-fix-null-vs-is_err-checking-for-module_get_ne.patch
+asoc-codecs-wsa883x-use-proper-shutdown-gpio-polarit.patch
+asoc-codecs-wsa883x-use-correct-header-file.patch
+selftests-bpf-fix-xdp_synproxy-compilation-failure-i.patch
+drm-mediatek-modify-dpi-power-on-off-sequence.patch
+asoc-pxa-fix-null-pointer-dereference-in-filter.patch
+nvmet-only-allocate-a-single-slab-for-bvecs.patch
+regulator-core-fix-unbalanced-of-node-refcount-in-re.patch
+amdgpu-pm-prevent-array-underflow-in-vega20_odn_edit.patch
+nvme-return-err-on-nvme_init_non_mdts_limits-fail.patch
+wifi-rtw89-fix-some-error-handling-path-in-rtw89_cor.patch
+regulator-qcom-rpmh-fix-pmr735a-s3-regulator-spec.patch
+drm-fourcc-fix-vsub-hsub-for-q410-and-q401.patch
+integrity-fix-memory-leakage-in-keyring-allocation-e.patch
+ima-fix-misuse-of-dereference-of-pointer-in-template.patch
+block-clear-slave_dir-when-dropping-the-main-slave_d.patch
+dm-cleanup-open_table_device.patch
+dm-cleanup-close_table_device.patch
+dm-make-sure-create-and-remove-dm-device-won-t-race-.patch
+dm-track-per-add_disk-holder-relations-in-dm.patch
+selftests-bpf-fix-memory-leak-of-lsm_cgroup.patch
+wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch
+drm-msm-a6xx-fix-speed-bin-detection-vs-probe-defer.patch
+mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch
+input-elants_i2c-properly-handle-the-reset-gpio-when.patch
+net-ethernet-mtk_eth_soc-do-not-overwrite-mtu-config.patch
+media-amphion-add-lock-around-vdec_g_fmt.patch
+media-amphion-apply-vb2_queue_error-instead-of-setti.patch
+media-vidtv-fix-use-after-free-in-vidtv_bridge_dvb_i.patch
+media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch
+media-platform-exynos4-is-fix-error-handling-in-fimc.patch
+media-amphion-fix-error-handling-in-vpu_driver_init.patch
+media-videobuf-dma-contig-use-dma_mmap_coherent.patch
+net-ethernet-mtk_eth_soc-fix-rstctrl_ppe-0-1-definit.patch
+udp-clean-up-some-functions.patch
+net-return-errno-in-sk-sk_prot-get_port.patch
+mtd-spi-nor-hide-jedec_id-sysfs-attribute-if-not-pre.patch
+mtd-spi-nor-fix-the-number-of-bytes-for-the-dummy-cy.patch
+clk-imx93-correct-the-flexspi1-clock-setting.patch
+hid-i2c-let-rmi-devices-decide-what-constitutes-wake.patch
+clk-imx93-unmap-anatop-base-in-error-handling-path.patch
+clk-imx93-correct-enet-clock.patch
+bpf-move-skb-len-0-checks-into-__bpf_redirect.patch
+hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch
+clk-imx-imxrt1050-fix-imxrt1050_clk_lcdif_apb-offset.patch
+pinctrl-k210-call-of_node_put.patch
+wifi-rtw89-fix-physts-ie-page-check.patch
+asoc-intel-avs-lock-substream-before-snd_pcm_stop.patch
+alsa-pcm-fix-undefined-behavior-in-bit-shift-for-snd.patch
+alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch
+regulator-core-use-kfree_const-to-free-space-conditi.patch
+clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch
+drm-amdgpu-fix-pci-device-refcount-leak.patch
+drm-i915-guc-make-default_lists-const-data.patch
+selftests-bpf-make-sure-zero-len-skbs-aren-t-redirec.patch
+selftests-bpf-mount-debugfs-in-setns_by_fd.patch
+bonding-fix-link-recovery-in-mode-2-when-updelay-is-.patch
+mtd-core-fix-refcount-error-in-del_mtd_device.patch
+mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch
+drbd-remove-call-to-memset-before-free-device-resour.patch
+drbd-destroy-workqueue-when-drbd-device-was-freed.patch
+asoc-qcom-add-checks-for-devm_kcalloc.patch
+media-vimc-fix-wrong-function-called-when-vimc_init-.patch
+media-imon-fix-a-race-condition-in-send_packet.patch
+media-imx-imx7-media-csi-clear-bit_mipi_double_cmpnt.patch
+media-mt9p031-drop-bogus-v4l2_subdev_get_try_crop-ca.patch
+clk-imx8mn-rename-vpu_pll-to-m7_alt_pll.patch
+clk-imx-replace-osc_hdmi-with-dummy.patch
+clk-imx-rename-video_pll1-to-video_pll.patch
+clk-imx8mn-fix-imx8mn_sai2_sels-clocks-list.patch
+clk-imx8mn-fix-imx8mn_enet_phy_sels-clocks-list.patch
+pinctrl-pinconf-generic-add-missing-of_node_put.patch
+media-dvb-core-fix-ignored-return-value-in-dvb_regis.patch
+media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch
+x86-boot-skip-realmode-init-code-when-running-as-xen.patch
+media-sun6i-mipi-csi2-require-both-pads-to-be-connec.patch
+media-sun8i-a83t-mipi-csi2-require-both-pads-to-be-c.patch
+media-sun6i-mipi-csi2-register-async-subdev-with-no-.patch
+media-sun8i-a83t-mipi-csi2-register-async-subdev-wit.patch
+media-amphion-try-to-wakeup-vpu-core-to-avoid-failur.patch
+media-amphion-cancel-vpu-before-release-instance.patch
+media-amphion-lock-and-check-m2m_ctx-in-event-handle.patch
+media-mediatek-vcodec-fix-getting-null-pointer-for-d.patch
+media-mediatek-vcodec-fix-h264-set-lat-buffer-error.patch
+media-mediatek-vcodec-setting-lat-buf-to-lat_list-wh.patch
+media-mediatek-vcodec-core-thread-depends-on-core_li.patch
+media-s5p-mfc-add-variant-data-for-mfc-v7-hardware-f.patch
+drm-tegra-add-missing-clk_disable_unprepare-in-tegra.patch
+asoc-dt-bindings-wcd9335-fix-reset-line-polarity-in-.patch
+asoc-mediatek-mtk-btcvsd-add-checks-for-write-and-re.patch
+drm-msm-mdp5-fix-reading-hw-revision-on-db410c-platf.patch
+nfsv4.2-clear-fattr4_word2_security_label-when-done-.patch
+nfsv4.2-always-decode-the-security-label.patch
+nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch
+nfsv4.2-fix-initialisation-of-struct-nfs4_label.patch
+nfsv4-fix-a-credential-leak-in-_nfs4_discover_trunki.patch
+nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch
+nfs-fix-an-oops-in-nfs_d_automount.patch
+alsa-asihpi-fix-missing-pci_disable_device.patch
+wifi-plfxlc-fix-potential-memory-leak-in-__lf_x_usb_.patch
+wifi-rtl8xxxu-fix-use-after-rcu_read_unlock-in-rtl8x.patch
+wifi-iwlwifi-mvm-fix-double-free-on-tx-path.patch
+spi-mt65xx-add-dma-max-segment-size-declaration.patch
+spi-mediatek-enable-irq-when-pdata-is-ready.patch
+asoc-mediatek-mt8173-enable-irq-when-pdata-is-ready.patch
+clk-mediatek-fix-dependency-of-mt7986-adc-clocks.patch
+drm-amd-pm-smu11-baco-is-supported-when-it-s-in-baco.patch
+amdgpu-nv.c-corrected-typo-in-the-video-capabilities.patch
+drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch
+drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch
+drm-amdkfd-fix-memory-leakage.patch
+drm-i915-bios-fix-a-memory-leak-in-generate_lfp_data.patch
+asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch
+clk-visconti-fix-memory-leak-in-visconti_register_pl.patch
+netfilter-conntrack-set-icmpv6-redirects-as-related.patch
+input-wistron_btns-disable-on-uml.patch
+bpf-sockmap-fix-repeated-calls-to-sock_put-when-msg-.patch
+bpf-sockmap-fix-missing-bpf_f_ingress-flag-when-usin.patch
+bpf-sockmap-fix-data-loss-caused-by-using-apply_byte.patch
+bonding-uninitialized-variable-in-bond_miimon_inspec.patch
+spi-spidev-mask-spi_cs_high-in-spi_ioc_rd_mode.patch
+wifi-nl80211-add-checks-for-nla_nest_start-in-nl8021.patch
+wifi-mac80211-fix-memory-leak-in-ieee80211_if_add.patch
+wifi-mac80211-fix-maybe-unused-warning.patch
+wifi-cfg80211-fix-not-unregister-reg_pdev-when-load_.patch
+wifi-mt76-mt7921-fix-antenna-signal-are-way-off-in-m.patch
+wifi-mt76-mt7915-fix-mt7915_mac_set_timing.patch
+wifi-mt76-mt7915-fix-reporting-of-tx-aggr-histogram.patch
+wifi-mt76-mt7921-fix-reporting-of-tx-aggr-histogram.patch
+wifi-mt76-mt7915-rework-eeprom-tx-paths-and-streams-.patch
+wifi-mt76-mt7915-fix-chainmask-calculation-on-mt7915.patch
+wifi-mt76-fix-coverity-overrun-call-in-mt76_get_txpo.patch
+mt76-mt7915-fix-pci-device-refcount-leak-in-mt7915_p.patch
+regulator-core-fix-module-refcount-leak-in-set_suppl.patch
+dt-bindings-clock-add-resets-for-lpass-audio-clock-c.patch
+dt-bindings-clock-add-support-for-external-mclks-for.patch
+clk-qcom-lpass-handle-the-regmap-overlap-of-lpasscc-.patch
+clk-qcom-lpass-add-support-for-resets-external-mclk-.patch
+clk-qcom-lpass-sc7280-fix-pm_runtime-usage.patch
+clk-qcom-lpass-sc7180-fix-pm_runtime-usage.patch
+clk-qcom-clk-krait-fix-wrong-div2-functions.patch
+revert-net-hsr-use-hlist_head-instead-of-list_head-f.patch
+hsr-add-a-rcu-read-lock-to-hsr_forward_skb.patch
+hsr-avoid-double-remove-of-a-node.patch
+hsr-disable-netpoll.patch
+hsr-synchronize-sending-frames-to-have-always-increm.patch
+hsr-synchronize-sequence-number-updates.patch
+configfs-fix-possible-memory-leak-in-configfs_create.patch
+regulator-core-fix-resource-leak-in-regulator_regist.patch
+hwmon-jc42-convert-register-access-and-caching-to-re.patch
+hwmon-jc42-restore-the-min-max-critical-temperatures.patch
+bpf-sockmap-fix-race-in-sock_map_free.patch
+alsa-pcm-set-missing-stop_operating-flag-at-undoing-.patch
+media-saa7164-fix-missing-pci_disable_device.patch
+media-ov5640-set-correct-default-link-frequency.patch
+alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch
+pinctrl-thunderbay-fix-possible-memory-leak-in-thund.patch
+xprtrdma-fix-regbuf-data-not-freed-in-rpcrdma_req_cr.patch
+sunrpc-fix-missing-release-socket-in-rpc_sockname.patch
+nfsv4.2-set-the-correct-size-scratch-buffer-for-deco.patch
+nfs-allow-very-small-rsize-wsize-again.patch
+nfsv4.x-fail-client-initialisation-if-state-manager-.patch
+riscv-bpf-emit-fixed-length-instructions-for-bpf_pse.patch
+bpftool-fix-memory-leak-in-do_build_table_cb.patch
+mmc-alcor-fix-return-value-check-of-mmc_add_host.patch
+mmc-moxart-fix-return-value-check-of-mmc_add_host.patch
+mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch
+mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch
+mmc-rtsx_pci-fix-return-value-check-of-mmc_add_host.patch
+mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch
+mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch
+mmc-vub300-fix-return-value-check-of-mmc_add_host.patch
+mmc-wmt-sdmmc-fix-return-value-check-of-mmc_add_host.patch
+mmc-litex_mmc-ensure-host-irq-0-if-polling.patch
+mmc-atmel-mci-fix-return-value-check-of-mmc_add_host.patch
+mmc-omap_hsmmc-fix-return-value-check-of-mmc_add_hos.patch
+mmc-meson-gx-fix-return-value-check-of-mmc_add_host.patch
+mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch
+mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch
+mmc-mmci-fix-return-value-check-of-mmc_add_host.patch
+mmc-renesas_sdhi-alway-populate-scc-pointer.patch
+memstick-ms_block-add-check-for-alloc_ordered_workqu.patch
+mmc-core-normalize-the-error-handling-branch-in-sd_r.patch
+regulator-qcom-labibb-fix-missing-of_node_put-in-qco.patch
+media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch
+media-coda-add-check-for-dcoda_iram_alloc.patch
+media-coda-add-check-for-kmalloc.patch
+media-staging-stkwebcam-restore-media_-usb-camera-_s.patch
+clk-samsung-fix-memory-leak-in-_samsung_clk_register.patch
+spi-spi-gpio-don-t-set-mosi-as-an-input-if-not-3wire.patch
+wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch
+wifi-rtl8xxxu-fix-the-channel-width-reporting.patch
+wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch
+blktrace-fix-output-non-blktrace-event-when-blk_clas.patch
+bpf-do-not-zero-extend-kfunc-return-values.patch
+clk-socfpga-fix-memory-leak-in-socfpga_gate_init.patch
+net-vmw_vsock-vmci-check-memcpy_from_msg.patch
+net-defxx-fix-missing-err-handling-in-dfx_init.patch
+net-stmmac-selftests-fix-potential-memleak-in-stmmac.patch
+net-stmmac-fix-possible-memory-leak-in-stmmac_dvr_pr.patch
+drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch
+net-remove-the-obsolte-u64_stats_fetch_-_irq-users-n.patch
+ipvs-use-u64_stats_t-for-the-per-cpu-counters.patch
+of-overlay-fix-null-pointer-dereferencing-in-find_du.patch
+ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch
+net-farsync-fix-kmemleak-when-rmmods-farsync.patch
+net-tunnel-wait-until-all-sk_user_data-reader-finish.patch
+net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch
+net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch
+net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch
+net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch
+hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch
+net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch
+net-setsockopt-fix-ipv6_unicast_if-option-for-connec.patch
+af_unix-call-proto_unregister-in-the-error-path-in-a.patch
+net-amd-xgbe-fix-logic-around-active-and-passive-cab.patch
+net-amd-xgbe-check-only-the-minimum-speed-for-active.patch
+can-tcan4x5x-remove-invalid-write-in-clear_interrupt.patch
+can-m_can-call-the-ram-init-directly-from-m_can_chip.patch
+can-tcan4x5x-fix-use-of-register-error-status-mask.patch
+net-ethernet-ti-am65-cpsw-fix-pm-runtime-leakage-in-.patch
+net-lan9303-fix-read-error-execution-path.patch
+ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch
+sctp-sysctl-make-extra-pointers-netns-aware.patch
+bluetooth-hci_core-fix-error-handling-in-hci_registe.patch
+bluetooth-mgmt-fix-error-report-for-add_ext_adv_para.patch
+bluetooth-fix-ealready-and-eloop-cases-in-bt_status.patch
+bluetooth-hci_conn-fix-crash-on-hci_create_cis_sync.patch
+bluetooth-btintel-fix-missing-free-skb-in-btintel_se.patch
+bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch
+bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch
+bluetooth-hci_ll-don-t-call-kfree_skb-under-spin_loc.patch
+bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch
+bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch
+bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch
+bluetooth-rfcomm-don-t-call-kfree_skb-under-spin_loc.patch
+stmmac-fix-potential-division-by-0.patch
+i40e-fix-the-inability-to-attach-xdp-program-on-down.patch
+net-dsa-tag_8021q-avoid-leaking-ctx-on-dsa_tag_8021q.patch
+apparmor-fix-a-memleak-in-multi_transaction_new.patch
+apparmor-fix-lockdep-warning-when-removing-a-namespa.patch
+apparmor-fix-abi-check-to-include-v8-abi.patch
+apparmor-fix-regression-in-stacking-due-to-label-fla.patch
+crypto-hisilicon-qm-fix-missing-destroy-qp_idr.patch
+crypto-hisilicon-qm-get-hardware-features-from-hardw.patch
+crypto-hisilicon-qm-re-enable-communicate-interrupt-.patch
+crypto-sun8i-ss-use-dma_addr-instead-u32.patch
+crypto-nitrox-avoid-double-free-on-error-path-in-nit.patch
+crypto-tcrypt-fix-return-value-for-multiple-subtests.patch
+scsi-core-fix-a-race-between-scsi_done-and-scsi_time.patch
+apparmor-use-pointer-to-struct-aa_label-for-lbs_cred.patch
+pci-dwc-fix-n_fts-array-overrun.patch
+rdma-core-fix-order-of-nldev_exit-call.patch
+pci-pci-epf-test-register-notifier-if-only-core_init.patch
+f2fs-fix-the-race-condition-of-resize-flag-between-r.patch
+crypto-rockchip-do-not-do-custom-power-management.patch
+crypto-rockchip-do-not-store-mode-globally.patch
+crypto-rockchip-add-fallback-for-cipher.patch
+crypto-rockchip-add-fallback-for-ahash.patch
+crypto-rockchip-better-handle-cipher-key.patch
+crypto-rockchip-remove-non-aligned-handling.patch
+crypto-rockchip-rework-by-using-crypto_engine.patch
+apparmor-fix-memleak-in-alloc_ns.patch
+fortify-use-size_max-instead-of-size_t-1.patch
+fortify-do-not-cast-to-unsigned-char.patch
+f2fs-fix-to-invalidate-dcc-f2fs_issue_discard-in-err.patch
+f2fs-fix-normal-discard-process.patch
+f2fs-allow-to-set-compression-for-inlined-file.patch
+f2fs-fix-the-assign-logic-of-iocb.patch
+f2fs-fix-to-destroy-sbi-post_read_wq-in-error-path-o.patch
+rdma-irdma-report-the-correct-link-speed.patch
+scsi-qla2xxx-fix-set-but-not-used-variable-warnings.patch
+rdma-siw-fix-immediate-work-request-flush-to-complet.patch
+ib-mad-don-t-call-to-function-that-might-sleep-while.patch
+pci-vmd-disable-msi-remapping-after-suspend.patch
+pci-imx6-initialize-phy-before-deasserting-core-rese.patch
+rdma-restrack-release-mr-restrack-when-delete.patch
+rdma-core-make-sure-ib_port-is-valid-when-access-sys.patch
+rdma-nldev-return-eagain-if-the-cm_id-isn-t-from-exp.patch
+rdma-siw-set-defined-status-for-work-completion-with.patch
+rdma-irdma-fix-inline-for-multiple-sge-s.patch
+rdma-irdma-fix-rq-completion-opcode.patch
+rdma-irdma-do-not-request-2-level-pbles-for-cq-alloc.patch
+scsi-scsi_debug-fix-a-warning-in-resp_write_scat.patch
+crypto-ccree-remove-debugfs-when-platform_driver_reg.patch
+crypto-cryptd-use-request-context-instead-of-stack-f.patch
+crypto-hisilicon-qm-add-missing-pci_dev_put-in-q_num.patch
+rdma-rxe-fix-mr-map-double-free.patch
+rdma-hns-repacing-dseg_len-by-macros-in-fill_ext_sge.patch
+rdma-hns-fix-ext_sge-num-error-when-post-send.patch
+rdma-hns-fix-incorrect-sge-nums-calculation.patch
+pci-check-for-alloc-failure-in-pci_request_irq.patch
+rdma-hfi-decrease-pci-device-reference-count-in-erro.patch
+crypto-ccree-make-cc_debugfs_global_fini-available-f.patch
+rdma-irdma-initialize-net_type-before-checking-it.patch
+rdma-hns-fix-memory-leak-in-hns_roce_alloc_mr.patch
+rdma-rxe-fix-null-ptr-deref-in-rxe_qp_do_cleanup-whe.patch
+dt-bindings-imx6q-pcie-fix-clock-names-for-imx6sx-an.patch
+dt-bindings-visconti-pcie-fix-interrupts-array-max-c.patch
+pci-endpoint-pci-epf-vntb-fix-call-pci_epc_mem_free_.patch
+scsi-hpsa-fix-possible-memory-leak-in-hpsa_init_one.patch
+crypto-tcrypt-fix-multibuffer-skcipher-speed-test-me.patch
+padata-always-leave-bhs-disabled-when-running-parall.patch
+padata-fix-list-iterator-in-padata_do_serial.patch
+scsi-mpt3sas-fix-possible-resource-leaks-in-mpt3sas_.patch
+scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch
+scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch
+scsi-efct-fix-possible-memleak-in-efct_device_init.patch
+scsi-scsi_debug-fix-a-warning-in-resp_verify.patch
+scsi-scsi_debug-fix-a-warning-in-resp_report_zones.patch
+scsi-fcoe-fix-possible-name-leak-when-device_registe.patch
+scsi-scsi_debug-fix-possible-name-leak-in-sdebug_add.patch
+scsi-ipr-fix-warning-in-ipr_init.patch
+scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch
+scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch
+scsi-libsas-add-smp_ata_check_ready_type.patch
+scsi-hisi_sas-fix-sata-devices-missing-issue-during-.patch
+scsi-ufs-core-fix-the-polling-implementation.patch
+rdma-nldev-add-checks-for-nla_nest_start-in-fill_sta.patch
+f2fs-set-zstd-compress-level-correctly.patch
+f2fs-fix-to-enable-compress-for-newly-created-file-i.patch
+f2fs-avoid-victim-selection-from-previous-victim-sec.patch
+rdma-nldev-fix-failure-to-send-large-messages.patch
+crypto-qat-fix-error-return-code-in-adf_probe.patch
+crypto-amlogic-remove-kcalloc-without-check.patch
+crypto-omap-sham-use-pm_runtime_resume_and_get-in-om.patch
+riscv-mm-add-arch-hook-arch_clear_hugepage_flags.patch
+rdma-disable-ib-hw-for-uml.patch
+rdma-hfi1-fix-error-return-code-in-parse_platform_co.patch
+rdma-srp-fix-error-return-code-in-srp_parse_options.patch
+pci-vmd-fix-secondary-bus-reset-for-intel-bridges.patch
+orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch
+rdma-hns-remove-redundant-dfx-file-and-dfx-ops-struc.patch
+rdma-hns-fix-the-gid-problem-caused-by-free-mr.patch
+rdma-hns-fix-ah-attr-queried-by-query_qp.patch
+rdma-hns-fix-pbl-page-mtr-find.patch
+rdma-hns-fix-page-size-cap-from-firmware.patch
+rdma-hns-fix-error-code-of-cmd.patch
+rdma-hns-fix-xrc-caps-on-hip08.patch
+risc-v-fix-unannoted-hardirqs-on-in-return-to-usersp.patch
+risc-v-fix-memremap_wb-for-systems-with-svpbmt.patch
+riscv-fix-crash-during-early-errata-patching.patch
+crypto-img-hash-fix-variable-dereferenced-before-che.patch
+hwrng-amd-fix-pci-device-refcount-leak.patch
+hwrng-geode-fix-pci-device-refcount-leak.patch
+ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch
+risc-v-align-the-shadow-stack.patch
+f2fs-fix-iostat-parameter-for-discard.patch
+riscv-fix-p4d_shift-definition-for-3-level-page-tabl.patch
+drivers-dio-fix-possible-memory-leak-in-dio_init.patch
+serial-tegra-read-dma-status-before-terminating.patch
+serial-8250_bcm7271-fix-error-handling-in-brcmuart_i.patch
+drivers-staging-r8188eu-fix-sleep-in-atomic-context-.patch
+class-fix-possible-memory-leak-in-__class_register.patch
+vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch
+uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch
+uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch
+usb-fotg210-udc-fix-ages-old-endianness-issues.patch
+interconnect-qcom-sc7180-fix-dropped-const-of-qcom_i.patch
+staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch
+usb-typec-check-for-ops-exit-instead-of-ops-enter-in.patch
+usb-typec-tcpci-fix-of-node-refcount-leak-in-tcpci_r.patch
+usb-typec-tipd-cleanup-resources-if-devm_tps6598_psy.patch
+usb-typec-tipd-fix-spurious-fwnode_handle_put-in-err.patch
+usb-typec-tipd-fix-typec_unregister_port-error-paths.patch
+usb-musb-omap2430-fix-probe-regression-for-missing-r.patch
+extcon-usbc-tusb320-factor-out-extcon-into-dedicated.patch
+extcon-usbc-tusb320-add-usb-type-c-support.patch
+extcon-usbc-tusb320-update-state-on-probe-even-if-no.patch
+usb-gadget-fix-use-after-free-during-usb-config-swit.patch
+serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch
+serial-pl011-do-not-clear-rx-fifo-rx-interrupt-in-un.patch
+serial-stm32-move-dma_request_chan-before-clk_prepar.patch
+serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch
+tty-serial-clean-up-stop-tx-part-in-altera_uart_tx_c.patch
+tty-serial-altera_uart_-r-t-x_chars-need-only-uart_p.patch
+serial-altera_uart-fix-locking-in-polling-mode.patch
+serial-sunsab-fix-error-handling-in-sunsab_init.patch
+test_firmware-fix-memory-leak-in-test_firmware_init.patch
+misc-ocxl-fix-possible-name-leak-in-ocxl_file_regist.patch
+ocxl-fix-pci-device-refcount-leak-when-calling-get_f.patch
+misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch
+misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch
+firmware-raspberrypi-fix-possible-memory-leak-in-rpi.patch
+cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch
+cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch
+iio-temperature-ltc2983-make-bulk-write-buffer-dma-s.patch
+iio-adis-add-__adis_enable_irq-implementation.patch
+counter-stm32-lptimer-cnt-fix-the-check-on-arr-and-c.patch
+coresight-trbe-remove-cpuhp-instance-node-before-rem.patch
+tracing-user_events-fix-call-print_fmt-leak.patch
+usb-roles-fix-of-node-refcount-leak-in-usb_role_swit.patch
+usb-core-hcd-fix-return-value-check-in-usb_hcd_setup.patch
+usb-gadget-f_hid-fix-f_hidg-lifetime-vs-cdev.patch
+usb-gadget-f_hid-fix-refcount-leak-on-error-path.patch
+drivers-mcb-fix-resource-leak-in-mcb_probe.patch
+mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch
+chardev-fix-error-handling-in-cdev_device_add.patch
+i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch
+staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch
+staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch
+vme-fix-error-not-catched-in-fake_init.patch
+gpiolib-cdev-fix-null-pointer-dereferences.patch
+gpiolib-protect-the-gpio-device-against-being-droppe.patch
+i2c-mux-reg-check-return-value-after-calling-platfor.patch
+i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch
+usb-storage-add-check-for-kcalloc.patch
+usb-typec-wusb3801-fix-fwnode-refcount-leak-in-wusb3.patch
+tracing-hist-fix-issue-of-losting-command-info-in-er.patch
+ksmbd-fix-resource-leak-in-ksmbd_session_rpc_open.patch
+samples-vfio-mdev-fix-missing-pci_disable_device-in-.patch
+thermal-drivers-imx8mm_thermal-validate-temperature-.patch
+thermal-drivers-k3_j72xx_bandgap-fix-the-debug-print.patch
+thermal-drivers-qcom-temp-alarm-fix-inaccurate-warni.patch
+thermal-drivers-qcom-lmh-fix-irq-handler-return-valu.patch
+fbdev-ssd1307fb-drop-optional-dependency.patch
+fbdev-pm2fb-fix-missing-pci_disable_device.patch
+fbdev-via-fix-error-in-via_core_init.patch
+fbdev-vermilion-decrease-reference-count-in-error-pa.patch
+fbdev-ep93xx-fb-add-missing-clk_disable_unprepare-in.patch
+fbdev-geode-don-t-build-on-uml.patch
+fbdev-uvesafb-don-t-build-on-uml.patch
+fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch
+led-qcom-lpg-fix-sleeping-in-atomic.patch
+hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch
+hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch
+power-supply-fix-residue-sysfs-file-in-error-handle-.patch
+watchdog-itco_wdt-set-no_reboot-if-the-watchdog-is-n.patch
+perf-trace-return-error-if-a-system-call-doesn-t-exi.patch
+perf-trace-use-macro-raw_syscall_args_num-to-replace.patch
+perf-trace-handle-failure-when-trace-point-folder-is.patch
+perf-symbol-correction-while-adjusting-symbol.patch
+power-supply-z2_battery-fix-possible-memleak-in-z2_b.patch
+power-supply-cw2015-use-device-managed-api-to-simpli.patch
+power-supply-cw2015-fix-potential-null-ptr-deref-in-.patch
+hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch
+power-supply-ab8500-fix-error-handling-in-ab8500_cha.patch
+power-supply-bq25890-factor-out-regulator-registrati.patch
+power-supply-bq25890-convert-to-i2c-s-.probe_new.patch
+power-supply-bq25890-ensure-pump_express_work-is-can.patch
+power-supply-fix-null-pointer-dereferencing-in-power.patch
+leds-is31fl319x-fix-setting-current-limit-for-is31fl.patch
+perf-off_cpu-fix-a-typo-in-btf-tracepoint-name-it-sh.patch
+ftrace-allow-with_args-flavour-of-graph-tracer-with-.patch
+perf-stat-do-not-delay-the-workload-with-delay.patch
+rdma-siw-fix-pointer-cast-warning.patch
+fs-ntfs3-avoid-ubsan-error-on-true_sectors_per_clst.patch
+fs-ntfs3-harden-against-integer-overflows.patch
+phy-marvell-phy-mvebu-a3700-comphy-reset-comphy-regi.patch
+phy-qcom-qmp-pcie-drop-bogus-register-update.patch
+dmaengine-apple-admac-do-not-use-devres-for-irqs.patch
+dmaengine-apple-admac-allocate-cache-sram-to-channel.patch
+phy-qcom-qmp-pcie-fix-ipq8074-gen3-initialisation.patch
+iommu-s390-fix-duplicate-domain-attachments.patch
+iommu-sun50i-fix-reset-release.patch
+iommu-sun50i-consider-all-fault-sources-for-reset.patch
+iommu-sun50i-fix-r-w-permission-check.patch
+iommu-sun50i-fix-flush-size.patch
+iommu-sun50i-implement-.iotlb_sync_map.patch
+iommu-rockchip-fix-permission-bits-in-page-table-ent.patch
+phy-usb-s2-wol-wakeup_count-not-incremented-for-usb-.patch
+phy-usb-use-slow-clock-for-wake-enabled-suspend.patch
+phy-usb-fix-clock-imbalance-for-suspend-resume.patch
+include-uapi-linux-swab-fix-potentially-missing-__al.patch
+pwm-tegra-improve-required-rate-calculation.patch
+pwm-tegra-ensure-the-clock-rate-is-not-less-than-nee.patch
+phy-qcom-qmp-pcie-fix-sm8450_qmp_gen4x2_pcie_pcs_tbl.patch
+fs-ntfs3-fix-slab-out-of-bounds-read-in-ntfs_trim_fs.patch
+dmaengine-idxd-fix-crc_val-field-for-completion-reco.patch
+rtc-rzn1-check-return-value-in-rzn1_rtc_probe.patch
+rtc-class-fix-potential-memleak-in-devm_rtc_allocate.patch
+rtc-cmos-call-cmos_wake_setup-from-cmos_do_probe.patch
+rtc-cmos-call-rtc_wake_setup-from-cmos_do_probe.patch
+rtc-cmos-eliminate-forward-declarations-of-some-func.patch
+rtc-cmos-rename-acpi-related-functions.patch
+rtc-cmos-disable-acpi-rtc-event-on-removal.patch
+rtc-snvs-allow-a-time-difference-on-clock-register-r.patch
+rtc-pcf85063-fix-reading-alarm.patch
+iommu-mediatek-check-return-value-after-calling-plat.patch
+iommu-amd-fix-pci-device-refcount-leak-in-ppr_notifi.patch
+iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch
+macintosh-fix-possible-memory-leak-in-macio_add_one_.patch
+macintosh-macio-adb-check-the-return-value-of-iorema.patch
+powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch
+cxl-fix-refcount-leak-in-cxl_calc_capp_routing.patch
+powerpc-xmon-fix-wswitch-unreachable-warning-in-bpt_.patch
+powerpc-xive-add-missing-iounmap-in-error-path-in-xi.patch
+powerpc-pseries-fix-the-object-owners-enum-value-in-.patch
+powerpc-pseries-fix-the-h_call-error-code-in-plpks-d.patch
+powerpc-pseries-return-eio-instead-of-eintr-for-h_ab.patch
+powerpc-pseries-fix-plpks_read_var-code-for-differen.patch
+kprobes-fix-check-for-probe-enabled-in-kill_kprobe.patch
+powerpc-dts-turris1x.dts-add-channel-labels-for-temp.patch
+powerpc-perf-callchain-validate-kernel-stack-pointer.patch
+powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch
+powerpc-hv-gpci-fix-hv_gpci-event-list.patch
+selftests-powerpc-fix-resource-leaks.patch
+iommu-mediatek-add-platform_device_put-for-recoverin.patch
+iommu-mediatek-use-component_match_add.patch
+iommu-mediatek-add-error-path-for-loop-of-mm_dts_par.patch
+iommu-mediatek-validate-number-of-phandles-associate.patch
+iommu-sun50i-remove-iommu_domain_identity.patch
+pwm-sifive-call-pwm_sifive_update_clock-while-mutex-.patch
+pwm-mtk-disp-fix-the-parameters-calculated-by-the-en.patch
+pwm-mediatek-always-use-bus-clock-for-pwm-on-mt7622.patch
+risc-v-kvm-fix-reg_val-check-in-kvm_riscv_vcpu_set_r.patch
+remoteproc-sysmon-fix-memory-leak-in-qcom_add_sysmon.patch
+remoteproc-qcom-q6v5-fix-potential-null-ptr-deref-in.patch
+remoteproc-qcom_q6v5_pas-disable-wakeup-on-probe-fai.patch
+remoteproc-qcom_q6v5_pas-detach-power-domains-on-rem.patch
+remoteproc-qcom_q6v5_pas-fix-missing-of_node_put-in-.patch
+remoteproc-qcom-q6v5-fix-missing-clk_disable_unprepa.patch
+powerpc-pseries-eeh-use-correct-api-for-error-log-si.patch
+dt-bindings-mfd-qcom-spmi-pmic-drop-pwm-reg-dependen.patch
+mfd-axp20x-do-not-sleep-in-the-power-off-handler.patch
+mfd-bd957x-fix-kconfig-dependency-on-regmap_irq.patch
+mfd-qcom_rpm-fix-an-error-handling-path-in-qcom_rpm_.patch
+mfd-pm8008-fix-return-value-check-in-pm8008_probe.patch
+netfilter-flowtable-really-fix-nat-ipv6-offload.patch
+rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch
+rtc-pic32-move-devm_rtc_allocate_device-earlier-in-p.patch
+rtc-pcf85063-fix-pcf85063_clkout_control.patch
+iommu-mediatek-fix-forever-loop-in-error-handling.patch
+nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch
+net-macsec-fix-net-device-access-prior-to-holding-a-.patch
+bonding-add-missed-__rcu-annotation-for-curr_active_.patch
+bonding-do-failover-when-high-prio-link-up.patch
+misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch
+misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch
+misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch
+block-bfq-fix-possible-uaf-for-bfqq-bic.patch
+selftests-bpf-select-config_function_error_injection.patch
+bpf-prevent-leak-of-lsm-program-after-failed-attach.patch
+media-v4l2-ctrls-api.c-add-back-dropped-ctrl-is_new-.patch
+net-enetc-avoid-buffer-leaks-on-xdp_do_redirect-fail.patch
+nfc-pn533-clear-nfc_target-before-being-used.patch
+bpf-resolve-fext-program-type-when-checking-map-comp.patch
+unix-fix-race-in-sock_seqpacket-s-unix_dgram_sendmsg.patch
+r6040-fix-kmemleak-in-probe-and-remove.patch
+blk-iocost-simplify-ioc_name.patch
+blk-mq-move-the-srcu_struct-used-for-quiescing-to-th.patch
+blk-crypto-pass-a-gendisk-to-blk_crypto_sysfs_-un-re.patch
+block-factor-out-a-blk_debugfs_remove-helper.patch
+block-fix-error-unwinding-in-blk_register_queue.patch
+block-untangle-request_queue-refcounting-from-sysfs.patch
+block-mark-blk_put_queue-as-potentially-blocking.patch
+block-fix-use-after-free-of-q-q_usage_counter.patch
+net-dsa-mv88e6xxx-avoid-reg_lock-deadlock-in-mv88e6x.patch
+igc-enhance-qbv-scheduling-by-using-first-flag-bit.patch
+igc-use-strict-cycles-for-qbv-scheduling.patch
+igc-add-checking-for-basetime-less-than-zero.patch
+igc-allow-basetime-0-enrollment-for-qbv.patch
+igc-recalculate-qbv-end_time-by-considering-cycle-ti.patch
+igc-set-qbv-start_time-and-end_time-to-end_time-if-n.patch
+rtc-mxc_v2-add-missing-clk_disable_unprepare.patch
+devlink-hold-region-lock-when-flushing-snapshots.patch
+selftests-devlink-fix-the-fd-redirect-in-dummy_repor.patch
+openvswitch-fix-flow-lookup-to-use-unmasked-key.patch
+soc-mediatek-pm-domains-fix-the-power-glitch-issue.patch
+arm64-dts-mt8183-fix-mali-gpu-clock.patch
+devlink-protect-devlink-dump-by-the-instance-lock.patch
+skbuff-account-for-tail-adjustment-during-pull-opera.patch
+mailbox-mpfs-read-the-system-controller-s-status.patch
+mailbox-arm_mhuv2-fix-return-value-check-in-mhuv2_pr.patch
+mailbox-zynq-ipi-fix-error-handling-while-device_reg.patch
+net_sched-reject-tcf_em_simple-case-for-complex-emat.patch
+rxrpc-fix-missing-unlock-in-rxrpc_do_sendmsg.patch
+myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch
+net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch
+mctp-serial-fix-starting-value-for-frame-check-seque.patch
+mctp-remove-device-type-check-at-unregister.patch
+hid-amd_sfh-add-missing-check-for-dma_alloc_coherent.patch
+rcu-fix-__this_cpu_read-lockdep-warning-in-rcu_force.patch
+arm64-make-is_ttbrx_addr-noinstr-safe.patch
+arm-dts-aspeed-rainier-everest-move-reserved-memory-.patch
+video-hyperv_fb-avoid-taking-busy-spinlock-on-panic-.patch
+x86-hyperv-remove-unregister-syscore-call-from-hyper.patch
+binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch
+arm64-dts-qcom-sm6350-add-apps_smmu-with-streamid-to.patch
+fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch
+udf-avoid-double-brelse-in-udf_rename.patch
+jfs-fix-fortify-moan-in-symlink.patch
+fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch
+acpi-processor-idle-check-acpi_fetch_acpi_dev-return.patch
+acpi-ec-add-quirk-for-the-hp-pavilion-gaming-15-cx00.patch
+acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch
+nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch
+nilfs2-fix-shift-out-of-bounds-due-to-too-large-expo.patch
+acct-fix-potential-integer-overflow-in-encode_comp_t.patch
+x86-apic-handle-no-config_x86_x2apic-on-systems-with.patch
+acpi-x86-add-skip-i2c-clients-quirk-for-lenovo-yoga-.patch
+acpi-x86-add-skip-i2c-clients-quirk-for-medion-lifet.patch
+hfs-fix-oob-read-in-__hfs_brec_find.patch
+drm-etnaviv-add-missing-quirks-for-gc300.patch
+media-imx-jpeg-disable-useless-interrupt-to-avoid-ke.patch
+brcmfmac-return-error-when-getting-invalid-max_flowr.patch
+wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch
+wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch
+asoc-codecs-rt298-add-quirk-for-kbl-r-rvp-platform.patch
+asoc-intel-avs-add-quirk-for-kbl-r-rvp-platform.patch
+ipmi-fix-memleak-when-unload-ipmi-driver.patch
+wifi-ath10k-delay-the-unmapping-of-the-buffer.patch
+drm-amd-display-prevent-memory-leak.patch
+drm-edid-add-a-quirk-for-two-lg-monitors-to-get-them.patch
+revert-drm-amd-display-limit-max-dsc-target-bpp-for-.patch
+drm-rockchip-use-pm_runtime_resume_and_get-instead-o.patch
+blk-mq-avoid-double-queue_rq-because-of-early-timeou.patch
+hid-apple-fix-key-translations-where-multiple-quirks.patch
+hid-apple-enable-apple_iso_tilde_quirk-for-the-keybo.patch
+wifi-ath11k-fix-qmi_msg_handler-data-structure-initi.patch
+qed-gcc13-use-u16-for-fid-to-be-big-enough.patch
+drm-meson-fix-return-type-of-meson_encoder_cvbs_mode.patch
+bpf-make-sure-skb-len-0-when-redirecting-to-a-tunnel.patch
+net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch
+hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch
+wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch
+hid-input-do-not-query-xp-pen-deco-lw-battery.patch
+igb-do-not-free-q_vector-unless-new-one-was-allocate.patch
+drm-amdgpu-fix-type-of-second-parameter-in-trans_msg.patch
+drm-amdgpu-fix-type-of-second-parameter-in-odn_edit_.patch
+s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch
+s390-netiucv-fix-return-type-of-netiucv_tx.patch
+s390-lcs-fix-return-type-of-lcs_start_xmit.patch
+drm-amd-display-disable-drr-actions-during-state-com.patch
+drm-msm-use-drm_mode_copy.patch
+drm-rockchip-use-drm_mode_copy.patch
+drm-sti-use-drm_mode_copy.patch
+drm-mediatek-fix-return-type-of-mtk_hdmi_bridge_mode.patch
+drivers-md-md-bitmap-check-the-return-value-of-md_bi.patch
+md-raid0-raid10-don-t-set-discard-sectors-for-reques.patch
+md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch
+drm-amd-display-workaround-to-increase-phantom-pipe-.patch
+drm-amd-display-fix-array-index-out-of-bound-error-i.patch
+nvme-auth-don-t-override-ctrl-keys-before-validation.patch
+net-add-atomic_long_t-to-net_device_stats-fields.patch
+ipv6-sit-use-dev_stats_inc-to-avoid-data-races.patch
+mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch
+net-ethernet-mtk_eth_soc-drop-packets-to-wdma-if-the.patch
+ppp-associate-skb-with-a-device-at-tx.patch
+bpf-fix-a-btf_id_list-bug-with-config_debug_info_btf.patch
+bpf-prevent-decl_tag-from-being-referenced-in-func_p.patch
+ethtool-avoiding-integer-overflow-in-ethtool_phys_id.patch
+media-dvb-frontends-fix-leak-of-memory-fw.patch
+media-dvbdev-adopts-refcnt-to-avoid-uaf.patch
+media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
+media-mediatek-vcodec-can-t-set-dst-buffer-to-done-w.patch
+blk-mq-fix-possible-memleak-when-register-hctx-faile.patch
+drm-amd-display-use-the-largest-vready_offset-in-pip.patch
+drm-amd-display-fix-dtbclk-disable-requests-and-src_.patch
+asoc-amd-yc-add-xiaomi-redmi-book-pro-14-2022-into-d.patch
+libbpf-avoid-enum-forward-declarations-in-public-api.patch
+regulator-core-fix-use_count-leakage-when-handling-b.patch
+net-dpaa2-publish-mac-stringset-to-ethtool-s-even-if.patch
+wifi-mt76-do-not-run-mt76u_status_worker-if-the-devi.patch
+hwmon-nct6775-add-asus-crosshair-viii-tuf-proart-b55.patch
+selftests-bpf-fix-conflicts-with-built-in-functions-.patch
+nfs-fix-possible-null-ptr-deref-when-parsing-param.patch
+mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch
+mmc-renesas_sdhi-add-quirk-for-broken-register-layou.patch
+mmc-renesas_sdhi-better-reset-from-hs400-mode.patch
+media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch
+clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch
+regulator-core-use-different-devices-for-resource-al.patch
+bluetooth-hci_bcm-add-cyw4373a0-support.patch
+bluetooth-add-quirk-to-disable-extended-scanning.patch
+bluetooth-add-quirk-to-disable-mws-transport-configu.patch
+regulator-core-fix-resolve-supply-lookup-issue.patch
+crypto-hisilicon-hpre-fix-resource-leak-in-remove-pr.patch
+scsi-lpfc-fix-hard-lockup-when-reading-the-rx_monito.patch
+scsi-ufs-reduce-the-start-stop-unit-timeout.patch
+crypto-hisilicon-qm-increase-the-memory-of-local-var.patch
+revert-pci-clear-pci_status-when-setting-up-device.patch
+scsi-elx-libefc-fix-second-parameter-type-in-state-c.patch
+hugetlbfs-fix-null-ptr-deref-in-hugetlbfs_parse_para.patch
+scsi-smartpqi-add-new-controller-pci-ids.patch
+scsi-smartpqi-correct-device-removal-for-multi-actua.patch
+drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch
+drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch
+scsi-target-iscsi-fix-a-race-condition-between-login.patch
+orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch
+orangefs-fix-kmemleak-in-orangefs_sysfs_init.patch
+orangefs-fix-kmemleak-in-orangefs_-kernel-client-_de.patch
--- /dev/null
+From 675a2318508081976fac73be0c7989124f96efa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 23:11:58 -0700
+Subject: skbuff: Account for tail adjustment during pull operations
+
+From: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
+
+[ Upstream commit 2d7afdcbc9d32423f177ee12b7c93783aea338fb ]
+
+Extending the tail can have some unexpected side effects if a program uses
+a helper like BPF_FUNC_skb_pull_data to read partial content beyond the
+head skb headlen when all the skbs in the gso frag_list are linear with no
+head_frag -
+
+ kernel BUG at net/core/skbuff.c:4219!
+ pc : skb_segment+0xcf4/0xd2c
+ lr : skb_segment+0x63c/0xd2c
+ Call trace:
+ skb_segment+0xcf4/0xd2c
+ __udp_gso_segment+0xa4/0x544
+ udp4_ufo_fragment+0x184/0x1c0
+ inet_gso_segment+0x16c/0x3a4
+ skb_mac_gso_segment+0xd4/0x1b0
+ __skb_gso_segment+0xcc/0x12c
+ udp_rcv_segment+0x54/0x16c
+ udp_queue_rcv_skb+0x78/0x144
+ udp_unicast_rcv_skb+0x8c/0xa4
+ __udp4_lib_rcv+0x490/0x68c
+ udp_rcv+0x20/0x30
+ ip_protocol_deliver_rcu+0x1b0/0x33c
+ ip_local_deliver+0xd8/0x1f0
+ ip_rcv+0x98/0x1a4
+ deliver_ptype_list_skb+0x98/0x1ec
+ __netif_receive_skb_core+0x978/0xc60
+
+Fix this by marking these skbs as GSO_DODGY so segmentation can handle
+the tail updates accordingly.
+
+Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
+Signed-off-by: Sean Tranchetti <quic_stranche@quicinc.com>
+Signed-off-by: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Link: https://lore.kernel.org/r/1671084718-24796-1-git-send-email-quic_subashab@quicinc.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index d9c19ae05fe6..9460998ac6d1 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2313,6 +2313,9 @@ void *__pskb_pull_tail(struct sk_buff *skb, int delta)
+ insp = list;
+ } else {
+ /* Eaten partially. */
++ if (skb_is_gso(skb) && !list->head_frag &&
++ skb_headlen(list))
++ skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+
+ if (skb_shared(list)) {
+ /* Sucks! We need to fork list. :-( */
+--
+2.35.1
+
--- /dev/null
+From bb99eb5dde7735c13445233d084a48bc629ce9fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 16:41:53 +0100
+Subject: soc: apple: rtkit: Stop casting function pointer signatures
+
+From: Sven Peter <sven@svenpeter.dev>
+
+[ Upstream commit 5acf07ff25f0c1c44105e6b8ebf88c55a0a04d2f ]
+
+Fixes: 9bd1d9a0d8bb ("soc: apple: Add RTKit IPC library")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Sven Peter <sven@svenpeter.dev>
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/apple/rtkit.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soc/apple/rtkit.c b/drivers/soc/apple/rtkit.c
+index cf1129e9f76b..d9329b4d8e1b 100644
+--- a/drivers/soc/apple/rtkit.c
++++ b/drivers/soc/apple/rtkit.c
+@@ -920,8 +920,10 @@ int apple_rtkit_wake(struct apple_rtkit *rtk)
+ }
+ EXPORT_SYMBOL_GPL(apple_rtkit_wake);
+
+-static void apple_rtkit_free(struct apple_rtkit *rtk)
++static void apple_rtkit_free(void *data)
+ {
++ struct apple_rtkit *rtk = data;
++
+ mbox_free_channel(rtk->mbox_chan);
+ destroy_workqueue(rtk->wq);
+
+@@ -944,8 +946,7 @@ struct apple_rtkit *devm_apple_rtkit_init(struct device *dev, void *cookie,
+ if (IS_ERR(rtk))
+ return rtk;
+
+- ret = devm_add_action_or_reset(dev, (void (*)(void *))apple_rtkit_free,
+- rtk);
++ ret = devm_add_action_or_reset(dev, apple_rtkit_free, rtk);
+ if (ret)
+ return ERR_PTR(ret);
+
+--
+2.35.1
+
--- /dev/null
+From 2314fee696e7d1986e09517b1d7486edb22bf0bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 16:39:02 +0100
+Subject: soc: apple: sart: Stop casting function pointer signatures
+
+From: Sven Peter <sven@svenpeter.dev>
+
+[ Upstream commit 422d0b860dc223b5dfc6d083697cae258bb5a4a1 ]
+
+Fixes: b170143ae111 ("soc: apple: Add SART driver")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Sven Peter <sven@svenpeter.dev>
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/apple/sart.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/apple/sart.c b/drivers/soc/apple/sart.c
+index 83804b16ad03..afa111736899 100644
+--- a/drivers/soc/apple/sart.c
++++ b/drivers/soc/apple/sart.c
+@@ -164,6 +164,11 @@ static int apple_sart_probe(struct platform_device *pdev)
+ return 0;
+ }
+
++static void apple_sart_put_device(void *dev)
++{
++ put_device(dev);
++}
++
+ struct apple_sart *devm_apple_sart_get(struct device *dev)
+ {
+ struct device_node *sart_node;
+@@ -187,7 +192,7 @@ struct apple_sart *devm_apple_sart_get(struct device *dev)
+ return ERR_PTR(-EPROBE_DEFER);
+ }
+
+- ret = devm_add_action_or_reset(dev, (void (*)(void *))put_device,
++ ret = devm_add_action_or_reset(dev, apple_sart_put_device,
+ &sart_pdev->dev);
+ if (ret)
+ return ERR_PTR(ret);
+--
+2.35.1
+
--- /dev/null
+From 99f257a07f1a8366469f0f884f59a8cbf273de90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Oct 2022 18:20:29 +0800
+Subject: soc: mediatek: pm-domains: Fix the power glitch issue
+
+From: Chun-Jie Chen <chun-jie.chen@mediatek.com>
+
+[ Upstream commit dba8eb83af9dd757ef645b52200775e86883d858 ]
+
+Power reset maybe generate unexpected signal. In order to avoid
+the glitch issue, we need to enable isolation first to guarantee the
+stable signal when power reset is triggered.
+
+Fixes: 59b644b01cf4 ("soc: mediatek: Add MediaTek SCPSYS power domains")
+Signed-off-by: Chun-Jie Chen <chun-jie.chen@mediatek.com>
+Signed-off-by: Allen-KH Cheng <allen-kh.cheng@mediatek.com>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Miles Chen <miles.chen@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221014102029.1162-1-allen-kh.cheng@mediatek.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/mediatek/mtk-pm-domains.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/mediatek/mtk-pm-domains.c b/drivers/soc/mediatek/mtk-pm-domains.c
+index 9734f1091c69..4b2046c37e6f 100644
+--- a/drivers/soc/mediatek/mtk-pm-domains.c
++++ b/drivers/soc/mediatek/mtk-pm-domains.c
+@@ -275,9 +275,9 @@ static int scpsys_power_off(struct generic_pm_domain *genpd)
+ clk_bulk_disable_unprepare(pd->num_subsys_clks, pd->subsys_clks);
+
+ /* subsys power off */
+- regmap_clear_bits(scpsys->base, pd->data->ctl_offs, PWR_RST_B_BIT);
+ regmap_set_bits(scpsys->base, pd->data->ctl_offs, PWR_ISO_BIT);
+ regmap_set_bits(scpsys->base, pd->data->ctl_offs, PWR_CLK_DIS_BIT);
++ regmap_clear_bits(scpsys->base, pd->data->ctl_offs, PWR_RST_B_BIT);
+ regmap_clear_bits(scpsys->base, pd->data->ctl_offs, PWR_ON_2ND_BIT);
+ regmap_clear_bits(scpsys->base, pd->data->ctl_offs, PWR_ON_BIT);
+
+--
+2.35.1
+
--- /dev/null
+From 4e6d177eda2e751407d283b71b794bfacedf3ff4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 09:44:03 +0800
+Subject: soc: qcom: apr: Add check for idr_alloc and
+ of_property_read_string_index
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 6d7860f5750d73da2fa1a1f6c9405058a593fa32 ]
+
+As idr_alloc() and of_property_read_string_index() can return negative
+numbers, it should be better to check the return value and deal with
+the exception.
+Therefore, it should be better to use goto statement to stop and return
+error.
+
+Fixes: 6adba21eb434 ("soc: qcom: Add APR bus driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221107014403.3606-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/apr.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
+index b4046f393575..cd44f17dad3d 100644
+--- a/drivers/soc/qcom/apr.c
++++ b/drivers/soc/qcom/apr.c
+@@ -454,11 +454,19 @@ static int apr_add_device(struct device *dev, struct device_node *np,
+ adev->dev.driver = NULL;
+
+ spin_lock(&apr->svcs_lock);
+- idr_alloc(&apr->svcs_idr, svc, svc_id, svc_id + 1, GFP_ATOMIC);
++ ret = idr_alloc(&apr->svcs_idr, svc, svc_id, svc_id + 1, GFP_ATOMIC);
+ spin_unlock(&apr->svcs_lock);
++ if (ret < 0) {
++ dev_err(dev, "idr_alloc failed: %d\n", ret);
++ goto out;
++ }
+
+- of_property_read_string_index(np, "qcom,protection-domain",
+- 1, &adev->service_path);
++ ret = of_property_read_string_index(np, "qcom,protection-domain",
++ 1, &adev->service_path);
++ if (ret < 0) {
++ dev_err(dev, "Failed to read second value of qcom,protection-domain\n");
++ goto out;
++ }
+
+ dev_info(dev, "Adding APR/GPR dev: %s\n", dev_name(&adev->dev));
+
+@@ -468,6 +476,7 @@ static int apr_add_device(struct device *dev, struct device_node *np,
+ put_device(&adev->dev);
+ }
+
++out:
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 5a77d42e33530a25c7f1ff0b5c1cc1afed960278 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 16:30:41 +0100
+Subject: soc: qcom: llcc: make irq truly optional
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit c882c899ead3545102a4d71b5fbe73b9e4bc2657 ]
+
+The function platform_get_irq prints an error message into the kernel
+log when the irq isn't found.
+
+Since the interrupt is actually optional and not provided by some SoCs,
+use platform_get_irq_optional which does not print an error message.
+
+Fixes: c081f3060fab ("soc: qcom: Add support to register LLCC EDAC driver")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20221104153041.412020-1-luca.weiss@fairphone.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/llcc-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c
+index 38d7296315a2..5942417c7c20 100644
+--- a/drivers/soc/qcom/llcc-qcom.c
++++ b/drivers/soc/qcom/llcc-qcom.c
+@@ -781,7 +781,7 @@ static int qcom_llcc_probe(struct platform_device *pdev)
+ if (ret)
+ goto err;
+
+- drv_data->ecc_irq = platform_get_irq(pdev, 0);
++ drv_data->ecc_irq = platform_get_irq_optional(pdev, 0);
+ if (drv_data->ecc_irq >= 0) {
+ llcc_edac = platform_device_register_data(&pdev->dev,
+ "qcom_llcc_edac", -1, drv_data,
+--
+2.35.1
+
--- /dev/null
+From 0080e56b0cf85203af858315c49a66e5c97e7a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 16:03:21 +0800
+Subject: soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in
+ knav_queue_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit e961c0f19450fd4a26bd043dd2979990bf12caf6 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context.
+
+Fixes: 41f93af900a2 ("soc: ti: add Keystone Navigator QMSS driver")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Link: https://lore.kernel.org/r/20221108080322.52268-2-zhangqilong3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/ti/knav_qmss_queue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c
+index 16a6d530a0d4..8fb76908be70 100644
+--- a/drivers/soc/ti/knav_qmss_queue.c
++++ b/drivers/soc/ti/knav_qmss_queue.c
+@@ -1785,6 +1785,7 @@ static int knav_queue_probe(struct platform_device *pdev)
+ pm_runtime_enable(&pdev->dev);
+ ret = pm_runtime_resume_and_get(&pdev->dev);
+ if (ret < 0) {
++ pm_runtime_disable(&pdev->dev);
+ dev_err(dev, "Failed to enable QMSS\n");
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 6de94265195fffbbdd838ca1b805eac5b052f790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 16:03:22 +0800
+Subject: soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 69460e68eb662064ab4188d4e129ff31c1f23ed9 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context.
+
+Fixes: 984aa6dbf4ca ("OMAP3: PM: Adding smartreflex driver support.")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Link: https://lore.kernel.org/r/20221108080322.52268-3-zhangqilong3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/ti/smartreflex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/ti/smartreflex.c b/drivers/soc/ti/smartreflex.c
+index ad2bb72e640c..6a389a6444f3 100644
+--- a/drivers/soc/ti/smartreflex.c
++++ b/drivers/soc/ti/smartreflex.c
+@@ -932,6 +932,7 @@ static int omap_sr_probe(struct platform_device *pdev)
+ err_debugfs:
+ debugfs_remove_recursive(sr_info->dbg_dir);
+ err_list_del:
++ pm_runtime_disable(&pdev->dev);
+ list_del(&sr_info->node);
+ clk_unprepare(sr_info->fck);
+
+--
+2.35.1
+
--- /dev/null
+From 9b2b05c1a02b95558df2a616242cb0890c1bcb80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 13:44:34 -0700
+Subject: soreuseport: Fix socket selection for SO_INCOMING_CPU.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit b261eda84ec136240a9ca753389853a3a1bccca2 ]
+
+Kazuho Oku reported that setsockopt(SO_INCOMING_CPU) does not work
+with setsockopt(SO_REUSEPORT) since v4.6.
+
+With the combination of SO_REUSEPORT and SO_INCOMING_CPU, we could
+build a highly efficient server application.
+
+setsockopt(SO_INCOMING_CPU) associates a CPU with a TCP listener
+or UDP socket, and then incoming packets processed on the CPU will
+likely be distributed to the socket. Technically, a socket could
+even receive packets handled on another CPU if no sockets in the
+reuseport group have the same CPU receiving the flow.
+
+The logic exists in compute_score() so that a socket will get a higher
+score if it has the same CPU with the flow. However, the score gets
+ignored after the blamed two commits, which introduced a faster socket
+selection algorithm for SO_REUSEPORT.
+
+This patch introduces a counter of sockets with SO_INCOMING_CPU in
+a reuseport group to check if we should iterate all sockets to find
+a proper one. We increment the counter when
+
+ * calling listen() if the socket has SO_INCOMING_CPU and SO_REUSEPORT
+
+ * enabling SO_INCOMING_CPU if the socket is in a reuseport group
+
+Also, we decrement it when
+
+ * detaching a socket out of the group to apply SO_INCOMING_CPU to
+ migrated TCP requests
+
+ * disabling SO_INCOMING_CPU if the socket is in a reuseport group
+
+When the counter reaches 0, we can get back to the O(1) selection
+algorithm.
+
+The overall changes are negligible for the non-SO_INCOMING_CPU case,
+and the only notable thing is that we have to update sk_incomnig_cpu
+under reuseport_lock. Otherwise, the race prevents transitioning to
+the O(n) algorithm and results in the wrong socket selection.
+
+ cpu1 (setsockopt) cpu2 (listen)
++-----------------+ +-------------+
+
+lock_sock(sk1) lock_sock(sk2)
+
+reuseport_update_incoming_cpu(sk1, val)
+.
+| /* set CPU as 0 */
+|- WRITE_ONCE(sk1->incoming_cpu, val)
+|
+| spin_lock_bh(&reuseport_lock)
+| reuseport_grow(sk2, reuse)
+| .
+| |- more_socks_size = reuse->max_socks * 2U;
+| |- if (more_socks_size > U16_MAX &&
+| | reuse->num_closed_socks)
+| | .
+| | |- RCU_INIT_POINTER(sk1->sk_reuseport_cb, NULL);
+| | `- __reuseport_detach_closed_sock(sk1, reuse)
+| | .
+| | `- reuseport_put_incoming_cpu(sk1, reuse)
+| | .
+| | | /* Read shutdown()ed sk1's sk_incoming_cpu
+| | | * without lock_sock().
+| | | */
+| | `- if (sk1->sk_incoming_cpu >= 0)
+| | .
+| | | /* decrement not-yet-incremented
+| | | * count, which is never incremented.
+| | | */
+| | `- __reuseport_put_incoming_cpu(reuse);
+| |
+| `- spin_lock_bh(&reuseport_lock)
+|
+|- spin_lock_bh(&reuseport_lock)
+|
+|- reuse = rcu_dereference_protected(sk1->sk_reuseport_cb, ...)
+|- if (!reuse)
+| .
+| | /* Cannot increment reuse->incoming_cpu. */
+| `- goto out;
+|
+`- spin_unlock_bh(&reuseport_lock)
+
+Fixes: e32ea7e74727 ("soreuseport: fast reuseport UDP socket selection")
+Fixes: c125e80b8868 ("soreuseport: fast reuseport TCP socket selection")
+Reported-by: Kazuho Oku <kazuhooku@gmail.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock_reuseport.h | 2 +
+ net/core/sock.c | 2 +-
+ net/core/sock_reuseport.c | 94 ++++++++++++++++++++++++++++++++++--
+ 3 files changed, 92 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sock_reuseport.h b/include/net/sock_reuseport.h
+index efc9085c6892..6ec140b0a61b 100644
+--- a/include/net/sock_reuseport.h
++++ b/include/net/sock_reuseport.h
+@@ -16,6 +16,7 @@ struct sock_reuseport {
+ u16 max_socks; /* length of socks */
+ u16 num_socks; /* elements in socks */
+ u16 num_closed_socks; /* closed elements in socks */
++ u16 incoming_cpu;
+ /* The last synq overflow event timestamp of this
+ * reuse->socks[] group.
+ */
+@@ -58,5 +59,6 @@ static inline bool reuseport_has_conns(struct sock *sk)
+ }
+
+ void reuseport_has_conns_set(struct sock *sk);
++void reuseport_update_incoming_cpu(struct sock *sk, int val);
+
+ #endif /* _SOCK_REUSEPORT_H */
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 788c1372663c..f0eaa5d406b3 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1400,7 +1400,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+ case SO_INCOMING_CPU:
+- WRITE_ONCE(sk->sk_incoming_cpu, val);
++ reuseport_update_incoming_cpu(sk, val);
+ break;
+
+ case SO_CNX_ADVICE:
+diff --git a/net/core/sock_reuseport.c b/net/core/sock_reuseport.c
+index fb90e1e00773..5a165286e4d8 100644
+--- a/net/core/sock_reuseport.c
++++ b/net/core/sock_reuseport.c
+@@ -37,6 +37,70 @@ void reuseport_has_conns_set(struct sock *sk)
+ }
+ EXPORT_SYMBOL(reuseport_has_conns_set);
+
++static void __reuseport_get_incoming_cpu(struct sock_reuseport *reuse)
++{
++ /* Paired with READ_ONCE() in reuseport_select_sock_by_hash(). */
++ WRITE_ONCE(reuse->incoming_cpu, reuse->incoming_cpu + 1);
++}
++
++static void __reuseport_put_incoming_cpu(struct sock_reuseport *reuse)
++{
++ /* Paired with READ_ONCE() in reuseport_select_sock_by_hash(). */
++ WRITE_ONCE(reuse->incoming_cpu, reuse->incoming_cpu - 1);
++}
++
++static void reuseport_get_incoming_cpu(struct sock *sk, struct sock_reuseport *reuse)
++{
++ if (sk->sk_incoming_cpu >= 0)
++ __reuseport_get_incoming_cpu(reuse);
++}
++
++static void reuseport_put_incoming_cpu(struct sock *sk, struct sock_reuseport *reuse)
++{
++ if (sk->sk_incoming_cpu >= 0)
++ __reuseport_put_incoming_cpu(reuse);
++}
++
++void reuseport_update_incoming_cpu(struct sock *sk, int val)
++{
++ struct sock_reuseport *reuse;
++ int old_sk_incoming_cpu;
++
++ if (unlikely(!rcu_access_pointer(sk->sk_reuseport_cb))) {
++ /* Paired with REAE_ONCE() in sk_incoming_cpu_update()
++ * and compute_score().
++ */
++ WRITE_ONCE(sk->sk_incoming_cpu, val);
++ return;
++ }
++
++ spin_lock_bh(&reuseport_lock);
++
++ /* This must be done under reuseport_lock to avoid a race with
++ * reuseport_grow(), which accesses sk->sk_incoming_cpu without
++ * lock_sock() when detaching a shutdown()ed sk.
++ *
++ * Paired with READ_ONCE() in reuseport_select_sock_by_hash().
++ */
++ old_sk_incoming_cpu = sk->sk_incoming_cpu;
++ WRITE_ONCE(sk->sk_incoming_cpu, val);
++
++ reuse = rcu_dereference_protected(sk->sk_reuseport_cb,
++ lockdep_is_held(&reuseport_lock));
++
++ /* reuseport_grow() has detached a closed sk. */
++ if (!reuse)
++ goto out;
++
++ if (old_sk_incoming_cpu < 0 && val >= 0)
++ __reuseport_get_incoming_cpu(reuse);
++ else if (old_sk_incoming_cpu >= 0 && val < 0)
++ __reuseport_put_incoming_cpu(reuse);
++
++out:
++ spin_unlock_bh(&reuseport_lock);
++}
++
+ static int reuseport_sock_index(struct sock *sk,
+ const struct sock_reuseport *reuse,
+ bool closed)
+@@ -64,6 +128,7 @@ static void __reuseport_add_sock(struct sock *sk,
+ /* paired with smp_rmb() in reuseport_(select|migrate)_sock() */
+ smp_wmb();
+ reuse->num_socks++;
++ reuseport_get_incoming_cpu(sk, reuse);
+ }
+
+ static bool __reuseport_detach_sock(struct sock *sk,
+@@ -76,6 +141,7 @@ static bool __reuseport_detach_sock(struct sock *sk,
+
+ reuse->socks[i] = reuse->socks[reuse->num_socks - 1];
+ reuse->num_socks--;
++ reuseport_put_incoming_cpu(sk, reuse);
+
+ return true;
+ }
+@@ -86,6 +152,7 @@ static void __reuseport_add_closed_sock(struct sock *sk,
+ reuse->socks[reuse->max_socks - reuse->num_closed_socks - 1] = sk;
+ /* paired with READ_ONCE() in inet_csk_bind_conflict() */
+ WRITE_ONCE(reuse->num_closed_socks, reuse->num_closed_socks + 1);
++ reuseport_get_incoming_cpu(sk, reuse);
+ }
+
+ static bool __reuseport_detach_closed_sock(struct sock *sk,
+@@ -99,6 +166,7 @@ static bool __reuseport_detach_closed_sock(struct sock *sk,
+ reuse->socks[i] = reuse->socks[reuse->max_socks - reuse->num_closed_socks];
+ /* paired with READ_ONCE() in inet_csk_bind_conflict() */
+ WRITE_ONCE(reuse->num_closed_socks, reuse->num_closed_socks - 1);
++ reuseport_put_incoming_cpu(sk, reuse);
+
+ return true;
+ }
+@@ -166,6 +234,7 @@ int reuseport_alloc(struct sock *sk, bool bind_inany)
+ reuse->bind_inany = bind_inany;
+ reuse->socks[0] = sk;
+ reuse->num_socks = 1;
++ reuseport_get_incoming_cpu(sk, reuse);
+ rcu_assign_pointer(sk->sk_reuseport_cb, reuse);
+
+ out:
+@@ -209,6 +278,7 @@ static struct sock_reuseport *reuseport_grow(struct sock_reuseport *reuse)
+ more_reuse->reuseport_id = reuse->reuseport_id;
+ more_reuse->bind_inany = reuse->bind_inany;
+ more_reuse->has_conns = reuse->has_conns;
++ more_reuse->incoming_cpu = reuse->incoming_cpu;
+
+ memcpy(more_reuse->socks, reuse->socks,
+ reuse->num_socks * sizeof(struct sock *));
+@@ -458,18 +528,32 @@ static struct sock *run_bpf_filter(struct sock_reuseport *reuse, u16 socks,
+ static struct sock *reuseport_select_sock_by_hash(struct sock_reuseport *reuse,
+ u32 hash, u16 num_socks)
+ {
++ struct sock *first_valid_sk = NULL;
+ int i, j;
+
+ i = j = reciprocal_scale(hash, num_socks);
+- while (reuse->socks[i]->sk_state == TCP_ESTABLISHED) {
++ do {
++ struct sock *sk = reuse->socks[i];
++
++ if (sk->sk_state != TCP_ESTABLISHED) {
++ /* Paired with WRITE_ONCE() in __reuseport_(get|put)_incoming_cpu(). */
++ if (!READ_ONCE(reuse->incoming_cpu))
++ return sk;
++
++ /* Paired with WRITE_ONCE() in reuseport_update_incoming_cpu(). */
++ if (READ_ONCE(sk->sk_incoming_cpu) == raw_smp_processor_id())
++ return sk;
++
++ if (!first_valid_sk)
++ first_valid_sk = sk;
++ }
++
+ i++;
+ if (i >= num_socks)
+ i = 0;
+- if (i == j)
+- return NULL;
+- }
++ } while (i != j);
+
+- return reuse->socks[i];
++ return first_valid_sk;
+ }
+
+ /**
+--
+2.35.1
+
--- /dev/null
+From a1fa8e2ce87195e5d8d8941eecda98ab5ea0af10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 12:00:01 +0100
+Subject: spi: mediatek: Enable irq when pdata is ready
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit c6f7874687f7027d7c4b2f53ff6e4d22850f915d ]
+
+If the device does not come straight from reset, we might receive an IRQ
+before we are ready to handle it.
+
+Fixes:
+
+[ 0.832328] Unable to handle kernel read from unreadable memory at virtual address 0000000000000010
+[ 1.040343] Call trace:
+[ 1.040347] mtk_spi_can_dma+0xc/0x40
+...
+[ 1.262265] start_kernel+0x338/0x42c
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20221128-spi-mt65xx-v1-0-509266830665@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mt65xx.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
+index d6aff909fc36..6de8360e5c2a 100644
+--- a/drivers/spi/spi-mt65xx.c
++++ b/drivers/spi/spi-mt65xx.c
+@@ -1192,11 +1192,6 @@ static int mtk_spi_probe(struct platform_device *pdev)
+ else
+ dma_set_max_seg_size(dev, SZ_256K);
+
+- ret = devm_request_irq(dev, irq, mtk_spi_interrupt,
+- IRQF_TRIGGER_NONE, dev_name(dev), master);
+- if (ret)
+- return dev_err_probe(dev, ret, "failed to register irq\n");
+-
+ mdata->parent_clk = devm_clk_get(dev, "parent-clk");
+ if (IS_ERR(mdata->parent_clk))
+ return dev_err_probe(dev, PTR_ERR(mdata->parent_clk),
+@@ -1266,6 +1261,13 @@ static int mtk_spi_probe(struct platform_device *pdev)
+ return dev_err_probe(dev, ret, "failed to register master\n");
+ }
+
++ ret = devm_request_irq(dev, irq, mtk_spi_interrupt,
++ IRQF_TRIGGER_NONE, dev_name(dev), master);
++ if (ret) {
++ pm_runtime_disable(dev);
++ return dev_err_probe(dev, ret, "failed to register irq\n");
++ }
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f94f99e49ab4259af47e84ec9f348bff4003c7fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 16:32:48 +0800
+Subject: spi: mt65xx: Add dma max segment size declaration
+
+From: zhichao.liu <zhichao.liu@mediatek.com>
+
+[ Upstream commit 309e98548c2b144512d0a212f2d786ae9694f5e4 ]
+
+Add spi dma max segment size declaration according to spi
+hardware capability, instead of 64KB by system default
+setting, to improve bus bandwidth for mass data transmission.
+
+Signed-off-by: zhichao.liu <zhichao.liu@mediatek.com>
+Link: https://lore.kernel.org/r/20220927083248.25404-1-zhichao.liu@mediatek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: c6f7874687f7 ("spi: mediatek: Enable irq when pdata is ready")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mt65xx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
+index a7cc96aeb590..d6aff909fc36 100644
+--- a/drivers/spi/spi-mt65xx.c
++++ b/drivers/spi/spi-mt65xx.c
+@@ -1187,6 +1187,11 @@ static int mtk_spi_probe(struct platform_device *pdev)
+ if (!dev->dma_mask)
+ dev->dma_mask = &dev->coherent_dma_mask;
+
++ if (mdata->dev_comp->ipm_design)
++ dma_set_max_seg_size(dev, SZ_16M);
++ else
++ dma_set_max_seg_size(dev, SZ_256K);
++
+ ret = devm_request_irq(dev, irq, mtk_spi_interrupt,
+ IRQF_TRIGGER_NONE, dev_name(dev), master);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 3d5ab60a0470d6dd89cd73e6094422aa995b1784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 15:08:53 -0800
+Subject: spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode
+
+From: Kris Bahnsen <kris@embeddedTS.com>
+
+[ Upstream commit 3a6f994f848a69deb2bf3cd9d130dd0c09730e55 ]
+
+The addition of 3WIRE support would affect MOSI direction even
+when still in standard (4 wire) mode. This can lead to MOSI being
+at an invalid logic level when a device driver sets an SPI
+message with a NULL tx_buf.
+
+spi.h states that if tx_buf is NULL then "zeros will be shifted
+out ... " If MOSI is tristated then the data shifted out is subject
+to pull resistors, keepers, or in the absence of those, noise.
+
+This issue came to light when using spi-gpio connected to an
+ADS7843 touchscreen controller. MOSI pulled high when clocking
+MISO data in caused the SPI device to interpret this as a command
+which would put the device in an unexpected and non-functional
+state.
+
+Fixes: 4b859db2c606 ("spi: spi-gpio: add SPI_3WIRE support")
+Fixes: 5132b3d28371 ("spi: gpio: Support 3WIRE high-impedance turn-around")
+Signed-off-by: Kris Bahnsen <kris@embeddedTS.com>
+Link: https://lore.kernel.org/r/20221207230853.6174-1-kris@embeddedTS.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-gpio.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-gpio.c b/drivers/spi/spi-gpio.c
+index 4b12c4964a66..9c8c7948044e 100644
+--- a/drivers/spi/spi-gpio.c
++++ b/drivers/spi/spi-gpio.c
+@@ -268,9 +268,19 @@ static int spi_gpio_set_direction(struct spi_device *spi, bool output)
+ if (output)
+ return gpiod_direction_output(spi_gpio->mosi, 1);
+
+- ret = gpiod_direction_input(spi_gpio->mosi);
+- if (ret)
+- return ret;
++ /*
++ * Only change MOSI to an input if using 3WIRE mode.
++ * Otherwise, MOSI could be left floating if there is
++ * no pull resistor connected to the I/O pin, or could
++ * be left logic high if there is a pull-up. Transmitting
++ * logic high when only clocking MISO data in can put some
++ * SPI devices in to a bad state.
++ */
++ if (spi->mode & SPI_3WIRE) {
++ ret = gpiod_direction_input(spi_gpio->mosi);
++ if (ret)
++ return ret;
++ }
+ /*
+ * Send a turnaround high impedance cycle when switching
+ * from output to input. Theoretically there should be
+--
+2.35.1
+
--- /dev/null
+From 3b1b724c62a67594004d34460ab3e0dcf18d8131 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 17:29:27 +0100
+Subject: spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+[ Upstream commit 7dbfa445ff7393d1c4c066c1727c9e0af1251958 ]
+
+Commit f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs")
+has changed the user-space interface so that bogus SPI_CS_HIGH started
+to appear in the mask returned by SPI_IOC_RD_MODE even for active-low CS
+pins. Commit 138c9c32f090
+("spi: spidev: Fix CS polarity if GPIO descriptors are used") fixed only
+SPI_IOC_WR_MODE part of the problem. Let's fix SPI_IOC_RD_MODE
+symmetrically.
+
+Test case:
+
+ #include <sys/ioctl.h>
+ #include <fcntl.h>
+ #include <linux/spi/spidev.h>
+
+ int main(int argc, char **argv)
+ {
+ char modew = SPI_CPHA;
+ char moder;
+ int f = open("/dev/spidev0.0", O_RDWR);
+
+ if (f < 0)
+ return 1;
+
+ ioctl(f, SPI_IOC_WR_MODE, &modew);
+ ioctl(f, SPI_IOC_RD_MODE, &moder);
+
+ return moder == modew ? 0 : 2;
+ }
+
+Fixes: f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://lore.kernel.org/r/20221130162927.539512-1-alexander.sverdlin@siemens.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spidev.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index b2775d82d2d7..6313e7d0cdf8 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -377,12 +377,23 @@ spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ switch (cmd) {
+ /* read requests */
+ case SPI_IOC_RD_MODE:
+- retval = put_user(spi->mode & SPI_MODE_MASK,
+- (__u8 __user *)arg);
+- break;
+ case SPI_IOC_RD_MODE32:
+- retval = put_user(spi->mode & SPI_MODE_MASK,
+- (__u32 __user *)arg);
++ tmp = spi->mode;
++
++ {
++ struct spi_controller *ctlr = spi->controller;
++
++ if (ctlr->use_gpio_descriptors && ctlr->cs_gpiods &&
++ ctlr->cs_gpiods[spi->chip_select])
++ tmp &= ~SPI_CS_HIGH;
++ }
++
++ if (cmd == SPI_IOC_RD_MODE)
++ retval = put_user(tmp & SPI_MODE_MASK,
++ (__u8 __user *)arg);
++ else
++ retval = put_user(tmp & SPI_MODE_MASK,
++ (__u32 __user *)arg);
+ break;
+ case SPI_IOC_RD_LSB_FIRST:
+ retval = put_user((spi->mode & SPI_LSB_FIRST) ? 1 : 0,
+--
+2.35.1
+
--- /dev/null
+From 8fe034be15a301a1d82713e5fccb0d21f442803d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 18:32:51 +0100
+Subject: spi: Update reference to struct spi_controller
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+
+[ Upstream commit bf585ccee22faf469d82727cf375868105b362f7 ]
+
+struct spi_master has been renamed to struct spi_controller. Update the
+reference in spi.rst to make it clickable again.
+
+Fixes: 8caab75fd2c2 ("spi: Generalize SPI "master" to "controller"")
+Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Link: https://lore.kernel.org/r/20221101173252.1069294-1-j.neuschaefer@gmx.net
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/driver-api/spi.rst | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/driver-api/spi.rst b/Documentation/driver-api/spi.rst
+index f64cb666498a..f28887045049 100644
+--- a/Documentation/driver-api/spi.rst
++++ b/Documentation/driver-api/spi.rst
+@@ -25,8 +25,8 @@ hardware, which may be as simple as a set of GPIO pins or as complex as
+ a pair of FIFOs connected to dual DMA engines on the other side of the
+ SPI shift register (maximizing throughput). Such drivers bridge between
+ whatever bus they sit on (often the platform bus) and SPI, and expose
+-the SPI side of their device as a :c:type:`struct spi_master
+-<spi_master>`. SPI devices are children of that master,
++the SPI side of their device as a :c:type:`struct spi_controller
++<spi_controller>`. SPI devices are children of that master,
+ represented as a :c:type:`struct spi_device <spi_device>` and
+ manufactured from :c:type:`struct spi_board_info
+ <spi_board_info>` descriptors which are usually provided by
+--
+2.35.1
+
--- /dev/null
+From 492d755ea3d13e5ff318957e039b7a3cdd44df86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Sep 2022 16:04:05 +0200
+Subject: staging: r8188eu: don't check bSurpriseRemoved in SwLedOff
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit 647085006beb2cc41bef27a24f249f4dec3c1e15 ]
+
+The SwLedOff function calls rtw_read8 which in turn calls usb_read.
+
+bSurpriseRemoved is checked in usb_read. We don't have to check it again
+in SwLedOff.
+
+Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com> # Edimax N150
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Link: https://lore.kernel.org/r/20220925140406.112991-2-martin@kaiser.cx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 12c6223fc180 ("staging: r8188eu: fix led register settings")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/r8188eu/core/rtw_led.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/r8188eu/core/rtw_led.c b/drivers/staging/r8188eu/core/rtw_led.c
+index e889e7861706..42e35953fd7b 100644
+--- a/drivers/staging/r8188eu/core/rtw_led.c
++++ b/drivers/staging/r8188eu/core/rtw_led.c
+@@ -53,7 +53,7 @@ static void SwLedOff(struct adapter *padapter, struct led_priv *pLed)
+ u8 LedCfg;
+ int res;
+
+- if (padapter->bSurpriseRemoved || padapter->bDriverStopped)
++ if (padapter->bDriverStopped)
+ goto exit;
+
+ res = rtw_read8(padapter, REG_LEDCFG2, &LedCfg);/* 0x4E */
+--
+2.35.1
+
--- /dev/null
+From 6790995f2913d059f09e2abda5fb8540402b4407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Oct 2022 17:11:06 +0200
+Subject: staging: r8188eu: fix led register settings
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit 12c6223fc1804fd9295dc50d358294539b4a4184 ]
+
+Using an InterTech DMG-02 dongle, the led remains on when the system goes
+into standby mode. After wakeup, it's no longer possible to control the
+led.
+
+It turned out that the register settings to enable or disable the led were
+not correct. They worked for some dongles like the Edimax V2 but not for
+others like the InterTech DMG-02.
+
+This patch fixes the register settings. Bit 3 in the led_cfg2 register
+controls the led status, bit 5 must always be set to be able to control
+the led, bit 6 has no influence on the led. Setting the mac_pinmux_cfg
+register is not necessary.
+
+These settings were tested with Edimax V2 and InterTech DMG-02.
+
+Cc: stable@vger.kernel.org
+Fixes: 8cd574e6af54 ("staging: r8188eu: introduce new hal dir for RTL8188eu driver")
+Suggested-by: Michael Straube <straube.linux@gmail.com>
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Tested-by: Michael Straube <straube.linux@gmail.com> # InterTech DMG-02,
+Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com> # Edimax N150
+Link: https://lore.kernel.org/r/20221015151115.232095-2-martin@kaiser.cx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/r8188eu/core/rtw_led.c | 25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/staging/r8188eu/core/rtw_led.c b/drivers/staging/r8188eu/core/rtw_led.c
+index 42e35953fd7b..1993c3993b3d 100644
+--- a/drivers/staging/r8188eu/core/rtw_led.c
++++ b/drivers/staging/r8188eu/core/rtw_led.c
+@@ -34,40 +34,19 @@ static void ResetLedStatus(struct led_priv *pLed)
+
+ static void SwLedOn(struct adapter *padapter, struct led_priv *pLed)
+ {
+- u8 LedCfg;
+- int res;
+-
+ if (padapter->bDriverStopped)
+ return;
+
+- res = rtw_read8(padapter, REG_LEDCFG2, &LedCfg);
+- if (res)
+- return;
+-
+- rtw_write8(padapter, REG_LEDCFG2, (LedCfg & 0xf0) | BIT(5) | BIT(6)); /* SW control led0 on. */
++ rtw_write8(padapter, REG_LEDCFG2, BIT(5)); /* SW control led0 on. */
+ pLed->bLedOn = true;
+ }
+
+ static void SwLedOff(struct adapter *padapter, struct led_priv *pLed)
+ {
+- u8 LedCfg;
+- int res;
+-
+ if (padapter->bDriverStopped)
+ goto exit;
+
+- res = rtw_read8(padapter, REG_LEDCFG2, &LedCfg);/* 0x4E */
+- if (res)
+- goto exit;
+-
+- LedCfg &= 0x90; /* Set to software control. */
+- rtw_write8(padapter, REG_LEDCFG2, (LedCfg | BIT(3)));
+- res = rtw_read8(padapter, REG_MAC_PINMUX_CFG, &LedCfg);
+- if (res)
+- goto exit;
+-
+- LedCfg &= 0xFE;
+- rtw_write8(padapter, REG_MAC_PINMUX_CFG, LedCfg);
++ rtw_write8(padapter, REG_LEDCFG2, BIT(5) | BIT(3));
+ exit:
+ pLed->bLedOn = false;
+ }
+--
+2.35.1
+
--- /dev/null
+From a6a3d1be20741f50cb4ef684efa44f8695c9b147 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Sep 2022 19:56:59 +0200
+Subject: staging: r8188eu: remove duplicate bSurpriseRemoved check
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit 8f60cb9534e459d66f6888038951ffd74351ef25 ]
+
+We don't have to check bSurpriseRemoved in the SwLedOn function.
+
+SwLedOn calls rtw_read8 which in turn calls usb_read. This function checks
+bSurpriseRemoved for us.
+
+Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com> # Edimax N150
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Link: https://lore.kernel.org/r/20220918175700.215170-6-martin@kaiser.cx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 12c6223fc180 ("staging: r8188eu: fix led register settings")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/r8188eu/core/rtw_led.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/r8188eu/core/rtw_led.c b/drivers/staging/r8188eu/core/rtw_led.c
+index d5c6c5e29621..e889e7861706 100644
+--- a/drivers/staging/r8188eu/core/rtw_led.c
++++ b/drivers/staging/r8188eu/core/rtw_led.c
+@@ -37,7 +37,7 @@ static void SwLedOn(struct adapter *padapter, struct led_priv *pLed)
+ u8 LedCfg;
+ int res;
+
+- if (padapter->bSurpriseRemoved || padapter->bDriverStopped)
++ if (padapter->bDriverStopped)
+ return;
+
+ res = rtw_read8(padapter, REG_LEDCFG2, &LedCfg);
+--
+2.35.1
+
--- /dev/null
+From b944f5481fcd2ee31c7cccf55670a733847eb561 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 16:12:53 +0800
+Subject: staging: rtl8192e: Fix potential use-after-free in
+ rtllib_rx_Monitor()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit d30f4436f364b4ad915ca2c09be07cd0f93ceb44 ]
+
+The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it,
+after calling this, dereferencing skb may trigger use-after-free.
+Found by Smatch.
+
+Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192e/rtllib_rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8192e/rtllib_rx.c b/drivers/staging/rtl8192e/rtllib_rx.c
+index abe5c153f74e..b0ef9da43bc4 100644
+--- a/drivers/staging/rtl8192e/rtllib_rx.c
++++ b/drivers/staging/rtl8192e/rtllib_rx.c
+@@ -1489,9 +1489,9 @@ static int rtllib_rx_Monitor(struct rtllib_device *ieee, struct sk_buff *skb,
+ hdrlen += 4;
+ }
+
+- rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen);
+ ieee->stats.rx_packets++;
+ ieee->stats.rx_bytes += skb->len;
++ rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen);
+
+ return 1;
+ }
+--
+2.35.1
+
--- /dev/null
+From 2d097c75dee0531c12047d483cc2468a57d3fbf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 09:43:14 +0300
+Subject: staging: rtl8192u: Fix use after free in ieee80211_rx()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac ]
+
+We cannot dereference the "skb" pointer after calling
+ieee80211_monitor_rx(), because it is a use after free.
+
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+index b58e75932ecd..3686b3c599ce 100644
+--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+@@ -951,9 +951,11 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
+ #endif
+
+ if (ieee->iw_mode == IW_MODE_MONITOR) {
++ unsigned int len = skb->len;
++
+ ieee80211_monitor_rx(ieee, skb, rx_stats);
+ stats->rx_packets++;
+- stats->rx_bytes += skb->len;
++ stats->rx_bytes += len;
+ return 1;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From ca8b9ab83ca57dbddcf952dd9147c190317cd3cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:59:14 +0800
+Subject: staging: vme_user: Fix possible UAF in tsi148_dma_list_add
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ]
+
+Smatch report warning as follows:
+
+drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
+ '&entry->list' not removed from list
+
+In tsi148_dma_list_add(), the error path "goto err_dma" will not
+remove entry->list from list->entries, but entry will be freed,
+then list traversal may cause UAF.
+
+Fix by removeing it from list->entries before free().
+
+Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vme_user/vme_tsi148.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/vme_user/vme_tsi148.c b/drivers/staging/vme_user/vme_tsi148.c
+index 956476213241..b741514e938b 100644
+--- a/drivers/staging/vme_user/vme_tsi148.c
++++ b/drivers/staging/vme_user/vme_tsi148.c
+@@ -1765,6 +1765,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list,
+ return 0;
+
+ err_dma:
++ list_del(&entry->list);
+ err_dest:
+ err_source:
+ err_align:
+--
+2.35.1
+
--- /dev/null
+From 87d905b39f68fa80d65b65226d4907647eb33f4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Dec 2022 23:37:22 +0100
+Subject: stmmac: fix potential division by 0
+
+From: Piergiorgio Beruto <piergiorgio.beruto@gmail.com>
+
+[ Upstream commit ede5a389852d3640a28e7187fb32b7f204380901 ]
+
+When the MAC is connected to a 10 Mb/s PHY and the PTP clock is derived
+from the MAC reference clock (default), the clk_ptp_rate becomes too
+small and the calculated sub second increment becomes 0 when computed by
+the stmmac_config_sub_second_increment() function within
+stmmac_init_tstamp_counter().
+
+Therefore, the subsequent div_u64 in stmmac_init_tstamp_counter()
+operation triggers a divide by 0 exception as shown below.
+
+[ 95.062067] socfpga-dwmac ff700000.ethernet eth0: Register MEM_TYPE_PAGE_POOL RxQ-0
+[ 95.076440] socfpga-dwmac ff700000.ethernet eth0: PHY [stmmac-0:08] driver [NCN26000] (irq=49)
+[ 95.095964] dwmac1000: Master AXI performs any burst length
+[ 95.101588] socfpga-dwmac ff700000.ethernet eth0: No Safety Features support found
+[ 95.109428] Division by zero in kernel.
+[ 95.113447] CPU: 0 PID: 239 Comm: ifconfig Not tainted 6.1.0-rc7-centurion3-1.0.3.0-01574-gb624218205b7-dirty #77
+[ 95.123686] Hardware name: Altera SOCFPGA
+[ 95.127695] unwind_backtrace from show_stack+0x10/0x14
+[ 95.132938] show_stack from dump_stack_lvl+0x40/0x4c
+[ 95.137992] dump_stack_lvl from Ldiv0+0x8/0x10
+[ 95.142527] Ldiv0 from __aeabi_uidivmod+0x8/0x18
+[ 95.147232] __aeabi_uidivmod from div_u64_rem+0x1c/0x40
+[ 95.152552] div_u64_rem from stmmac_init_tstamp_counter+0xd0/0x164
+[ 95.158826] stmmac_init_tstamp_counter from stmmac_hw_setup+0x430/0xf00
+[ 95.165533] stmmac_hw_setup from __stmmac_open+0x214/0x2d4
+[ 95.171117] __stmmac_open from stmmac_open+0x30/0x44
+[ 95.176182] stmmac_open from __dev_open+0x11c/0x134
+[ 95.181172] __dev_open from __dev_change_flags+0x168/0x17c
+[ 95.186750] __dev_change_flags from dev_change_flags+0x14/0x50
+[ 95.192662] dev_change_flags from devinet_ioctl+0x2b4/0x604
+[ 95.198321] devinet_ioctl from inet_ioctl+0x1ec/0x214
+[ 95.203462] inet_ioctl from sock_ioctl+0x14c/0x3c4
+[ 95.208354] sock_ioctl from vfs_ioctl+0x20/0x38
+[ 95.212984] vfs_ioctl from sys_ioctl+0x250/0x844
+[ 95.217691] sys_ioctl from ret_fast_syscall+0x0/0x4c
+[ 95.222743] Exception stack(0xd0ee1fa8 to 0xd0ee1ff0)
+[ 95.227790] 1fa0: 00574c4f be9aeca4 00000003 00008914 be9aeca4 be9aec50
+[ 95.235945] 1fc0: 00574c4f be9aeca4 0059f078 00000036 be9aee8c be9aef7a 00000015 00000000
+[ 95.244096] 1fe0: 005a01f0 be9aec38 004d7484 b6e67d74
+
+Signed-off-by: Piergiorgio Beruto <piergiorgio.beruto@gmail.com>
+Fixes: 91a2559c1dc5 ("net: stmmac: Fix sub-second increment")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/de4c64ccac9084952c56a06a8171d738604c4770.1670678513.git.piergiorgio.beruto@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 3 ++-
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+index 764832f4dae1..8b50f03056b7 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+@@ -47,7 +47,8 @@ static void config_sub_second_increment(void __iomem *ioaddr,
+ if (!(value & PTP_TCR_TSCTRLSSR))
+ data = (data * 1000) / 465;
+
+- data &= PTP_SSIR_SSINC_MASK;
++ if (data > PTP_SSIR_SSINC_MAX)
++ data = PTP_SSIR_SSINC_MAX;
+
+ reg_value = data;
+ if (gmac4)
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
+index 53172a439810..bf619295d079 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
+@@ -64,7 +64,7 @@
+ #define PTP_TCR_TSENMACADDR BIT(18)
+
+ /* SSIR defines */
+-#define PTP_SSIR_SSINC_MASK 0xff
++#define PTP_SSIR_SSINC_MAX 0xff
+ #define GMAC4_PTP_SSIR_SSINC_SHIFT 16
+
+ /* Auxiliary Control defines */
+--
+2.35.1
+
--- /dev/null
+From 84cd3d3006200a7b9acb95b83c2aff4b819138dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 17:23:42 +0800
+Subject: SUNRPC: Fix missing release socket in rpc_sockname()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 50fa355bc0d75911fe9d5072a5ba52cdb803aff7 ]
+
+socket dynamically created is not released when getting an unintended
+address family type in rpc_sockname(), direct to out_release for calling
+sock_release().
+
+Fixes: 2e738fdce22f ("SUNRPC: Add API to acquire source address")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/clnt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index c284efa3d1ef..0918fa4cc933 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1391,7 +1391,7 @@ static int rpc_sockname(struct net *net, struct sockaddr *sap, size_t salen,
+ break;
+ default:
+ err = -EAFNOSUPPORT;
+- goto out;
++ goto out_release;
+ }
+ if (err < 0) {
+ dprintk("RPC: can't bind UDP socket (%d)\n", err);
+--
+2.35.1
+
--- /dev/null
+From 3fecd3f6d3551d9f8aba38474b6f98f114985509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 11:57:21 +0800
+Subject: test_firmware: fix memory leak in test_firmware_init()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e ]
+
+When misc_register() failed in test_firmware_init(), the memory pointed
+by test_fw_config->name is not released. The memory leak information is
+as follows:
+unreferenced object 0xffff88810a34cb00 (size 32):
+ comm "insmod", pid 7952, jiffies 4294948236 (age 49.060s)
+ hex dump (first 32 bytes):
+ 74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi
+ 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............
+ backtrace:
+ [<ffffffff81b21fcb>] __kmalloc_node_track_caller+0x4b/0xc0
+ [<ffffffff81affb96>] kstrndup+0x46/0xc0
+ [<ffffffffa0403a49>] __test_firmware_config_init+0x29/0x380 [test_firmware]
+ [<ffffffffa040f068>] 0xffffffffa040f068
+ [<ffffffff81002c41>] do_one_initcall+0x141/0x780
+ [<ffffffff816a72c3>] do_init_module+0x1c3/0x630
+ [<ffffffff816adb9e>] load_module+0x623e/0x76a0
+ [<ffffffff816af471>] __do_sys_finit_module+0x181/0x240
+ [<ffffffff89978f99>] do_syscall_64+0x39/0xb0
+ [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Acked-by: Luis Chamberlain <mcgrof@kernel.org>
+Link: https://lore.kernel.org/r/20221119035721.18268-1-shaozhengchao@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_firmware.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/test_firmware.c b/lib/test_firmware.c
+index c82b65947ce6..1c5a2adb16ef 100644
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -1491,6 +1491,7 @@ static int __init test_firmware_init(void)
+
+ rc = misc_register(&test_fw_misc_device);
+ if (rc) {
++ __test_firmware_config_free();
+ kfree(test_fw_config);
+ pr_err("could not register misc device: %d\n", rc);
+ return rc;
+--
+2.35.1
+
--- /dev/null
+From aca6f585ff4d93cb9df4464d0c0da1106427fd3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 17:19:45 +0800
+Subject: thermal: core: fix some possible name leaks in error paths
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4748f9687caaeefab8578285b97b2f30789fc4b4 ]
+
+In some error paths before device_register(), the names allocated
+by dev_set_name() are not freed. Move dev_set_name() front to
+device_register(), so the name can be freed while calling
+put_device().
+
+Fixes: 1dd7128b839f ("thermal/core: Fix null pointer dereference in thermal_release()")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index 50d50cec7774..15fb5fa1b0f2 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -903,10 +903,6 @@ __thermal_cooling_device_register(struct device_node *np,
+ cdev->id = ret;
+ id = ret;
+
+- ret = dev_set_name(&cdev->device, "cooling_device%d", cdev->id);
+- if (ret)
+- goto out_ida_remove;
+-
+ cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
+ if (!cdev->type) {
+ ret = -ENOMEM;
+@@ -921,6 +917,11 @@ __thermal_cooling_device_register(struct device_node *np,
+ cdev->device.class = &thermal_class;
+ cdev->devdata = devdata;
+ thermal_cooling_device_setup_sysfs(cdev);
++ ret = dev_set_name(&cdev->device, "cooling_device%d", cdev->id);
++ if (ret) {
++ thermal_cooling_device_destroy_sysfs(cdev);
++ goto out_kfree_type;
++ }
+ ret = device_register(&cdev->device);
+ if (ret)
+ goto out_kfree_type;
+@@ -1241,10 +1242,6 @@ thermal_zone_device_register_with_trips(const char *type, struct thermal_trip *t
+ tz->id = id;
+ strlcpy(tz->type, type, sizeof(tz->type));
+
+- result = dev_set_name(&tz->device, "thermal_zone%d", tz->id);
+- if (result)
+- goto remove_id;
+-
+ if (!ops->critical)
+ ops->critical = thermal_zone_device_critical;
+
+@@ -1267,6 +1264,11 @@ thermal_zone_device_register_with_trips(const char *type, struct thermal_trip *t
+ /* A new thermal zone needs to be updated anyway. */
+ atomic_set(&tz->need_update, 1);
+
++ result = dev_set_name(&tz->device, "thermal_zone%d", tz->id);
++ if (result) {
++ thermal_zone_destroy_device_groups(tz);
++ goto remove_id;
++ }
+ result = device_register(&tz->device);
+ if (result)
+ goto release_device;
+--
+2.35.1
+
--- /dev/null
+From 82f78ee3c4a51430f4e452d18f05801b49e336c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Oct 2022 09:35:07 +0200
+Subject: thermal/drivers/imx8mm_thermal: Validate temperature range
+
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+
+[ Upstream commit d37edc7370273306d8747097fafa62436c1cfe16 ]
+
+Check against the upper temperature limit (125 degrees C) before
+consider the temperature valid.
+
+Fixes: 5eed800a6811 ("thermal: imx8mm: Add support for i.MX8MM thermal monitoring unit")
+Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
+Reviewed-by: Jacky Bai <ping.bai@nxp.com>
+Link: https://lore.kernel.org/r/20221014073507.1594844-1-marcus.folkesson@gmail.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/imx8mm_thermal.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/imx8mm_thermal.c b/drivers/thermal/imx8mm_thermal.c
+index af666bd9e8d4..c5cd873c6e01 100644
+--- a/drivers/thermal/imx8mm_thermal.c
++++ b/drivers/thermal/imx8mm_thermal.c
+@@ -65,8 +65,14 @@ static int imx8mm_tmu_get_temp(void *data, int *temp)
+ u32 val;
+
+ val = readl_relaxed(tmu->base + TRITSR) & TRITSR_TEMP0_VAL_MASK;
++
++ /*
++ * Do not validate against the V bit (bit 31) due to errata
++ * ERR051272: TMU: Bit 31 of registers TMU_TSCR/TMU_TRITSR/TMU_TRATSR invalid
++ */
++
+ *temp = val * 1000;
+- if (*temp < VER1_TEMP_LOW_LIMIT)
++ if (*temp < VER1_TEMP_LOW_LIMIT || *temp > VER2_TEMP_HIGH_LIMIT)
+ return -EAGAIN;
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 5de818cb713a0c1766a5dc2845798471e5cda9c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 09:11:26 +0530
+Subject: thermal/drivers/k3_j72xx_bandgap: Fix the debug print message
+
+From: Keerthy <j-keerthy@ti.com>
+
+[ Upstream commit a7c42af78b19a11e98a5555a664c343e3a672632 ]
+
+The debug print message to check the workaround applicability is inverted.
+Fix the same.
+
+Fixes: ffcb2fc86eb7 ("thermal: k3_j72xx_bandgap: Add the bandgap driver support")
+Reported-by: Bryan Brattlof <bb@ti.com>
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Link: https://lore.kernel.org/r/20221010034126.3550-1-j-keerthy@ti.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/k3_j72xx_bandgap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/k3_j72xx_bandgap.c b/drivers/thermal/k3_j72xx_bandgap.c
+index 115a44eb4fbf..4eb4926bbdc7 100644
+--- a/drivers/thermal/k3_j72xx_bandgap.c
++++ b/drivers/thermal/k3_j72xx_bandgap.c
+@@ -439,7 +439,7 @@ static int k3_j72xx_bandgap_probe(struct platform_device *pdev)
+ workaround_needed = false;
+
+ dev_dbg(bgp->dev, "Work around %sneeded\n",
+- workaround_needed ? "not " : "");
++ workaround_needed ? "" : "not ");
+
+ if (!workaround_needed)
+ init_table(5, ref_table, golden_factors);
+--
+2.35.1
+
--- /dev/null
+From a4f38dcd238b2c3e3a584c2b03ee3ef1a8b723a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Mar 2022 11:03:22 -0700
+Subject: thermal/drivers/qcom/lmh: Fix irq handler return value
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 46a891e45be97c6781ac34f5ec777d69370e252b ]
+
+After enough invocations the LMh irq is eventually reported as bad, because the
+handler doesn't return IRQ_HANDLED, fix this.
+
+Fixes: 53bca371cdf7 ("thermal/drivers/qcom: Add support for LMh driver")
+Reported-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20220316180322.88132-1-bjorn.andersson@linaro.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/qcom/lmh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/qcom/lmh.c b/drivers/thermal/qcom/lmh.c
+index d3d9b9fa49e8..4122a51e9874 100644
+--- a/drivers/thermal/qcom/lmh.c
++++ b/drivers/thermal/qcom/lmh.c
+@@ -45,7 +45,7 @@ static irqreturn_t lmh_handle_irq(int hw_irq, void *data)
+ if (irq)
+ generic_handle_irq(irq);
+
+- return 0;
++ return IRQ_HANDLED;
+ }
+
+ static void lmh_enable_interrupt(struct irq_data *d)
+--
+2.35.1
+
--- /dev/null
+From ee64c4c946b888363d9dd4b3e61605eac5aceb44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 16:52:37 +0200
+Subject: thermal/drivers/qcom/temp-alarm: Fix inaccurate warning for gen2
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 8763f8acbf8aef22a2321d4c978cd078aa3b8f64 ]
+
+On gen2 chips the stage2 threshold is not 140 degC but 125 degC.
+
+Make the warning message clearer by using this variable and also by
+including the temperature that was checked for.
+
+Fixes: aa92b3310c55 ("thermal/drivers/qcom-spmi-temp-alarm: Add support for GEN2 rev 1 PMIC peripherals")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Amit Kucheria <amitk@kernel.org>
+Link: https://lore.kernel.org/r/20221020145237.942146-1-luca.weiss@fairphone.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+index 770f82cc9bca..247b39d57fa7 100644
+--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
++++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+@@ -252,7 +252,8 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
+ disable_s2_shutdown = true;
+ else
+ dev_warn(chip->dev,
+- "No ADC is configured and critical temperature is above the maximum stage 2 threshold of 140 C! Configuring stage 2 shutdown at 140 C.\n");
++ "No ADC is configured and critical temperature %d mC is above the maximum stage 2 threshold of %ld mC! Configuring stage 2 shutdown at %ld mC.\n",
++ temp, stage2_threshold_max, stage2_threshold_max);
+ }
+
+ skip:
+--
+2.35.1
+
--- /dev/null
+From 22a623ce88b4c467473f083fc922f4ad16c31058 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 19:54:23 +0000
+Subject: timerqueue: Use rb_entry_safe() in timerqueue_getnext()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Pőcze <pobrn@protonmail.com>
+
+[ Upstream commit 2f117484329b233455ee278f2d9b0a4356835060 ]
+
+When `timerqueue_getnext()` is called on an empty timer queue, it will
+use `rb_entry()` on a NULL pointer, which is invalid. Fix that by using
+`rb_entry_safe()` which handles NULL pointers.
+
+This has not caused any issues so far because the offset of the `rb_node`
+member in `timerqueue_node` is 0, so `rb_entry()` is essentially a no-op.
+
+Fixes: 511885d7061e ("lib/timerqueue: Rely on rbtree semantics for next timer")
+Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20221114195421.342929-1-pobrn@protonmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/timerqueue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
+index 93884086f392..adc80e29168e 100644
+--- a/include/linux/timerqueue.h
++++ b/include/linux/timerqueue.h
+@@ -35,7 +35,7 @@ struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
+ {
+ struct rb_node *leftmost = rb_first_cached(&head->rb_root);
+
+- return rb_entry(leftmost, struct timerqueue_node, node);
++ return rb_entry_safe(leftmost, struct timerqueue_node, node);
+ }
+
+ static inline void timerqueue_init(struct timerqueue_node *node)
+--
+2.35.1
+
--- /dev/null
+From 78be4b4b0b42e38bdd54199ec18383c6b9dfdd57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 11:14:23 -0600
+Subject: tpm: Add flag to use default cancellation policy
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit 7bfda9c73fa9710a842a7d6f89b024351c80c19c ]
+
+The check for cancelled request depends on the VID of the chip, but
+some chips share VID which shouldn't share their cancellation
+behavior. This is the case for the Nuvoton NPCT75X, which should use
+the default cancellation check, not the Winbond one.
+To avoid changing the existing behavior, add a new flag to indicate
+that the chip should use the default cancellation check and set it
+for the I2C TPM2 TIS driver.
+
+Fixes: bbc23a07b072 ("tpm: Add tpm_tis_i2c backend for tpm_tis_core")
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Tested-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 20 ++++++++++++--------
+ drivers/char/tpm/tpm_tis_core.h | 1 +
+ drivers/char/tpm/tpm_tis_i2c.c | 1 +
+ 3 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
+index 757623bacfd5..3f98e587b3e8 100644
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -682,15 +682,19 @@ static bool tpm_tis_req_canceled(struct tpm_chip *chip, u8 status)
+ {
+ struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
+
+- switch (priv->manufacturer_id) {
+- case TPM_VID_WINBOND:
+- return ((status == TPM_STS_VALID) ||
+- (status == (TPM_STS_VALID | TPM_STS_COMMAND_READY)));
+- case TPM_VID_STM:
+- return (status == (TPM_STS_VALID | TPM_STS_COMMAND_READY));
+- default:
+- return (status == TPM_STS_COMMAND_READY);
++ if (!test_bit(TPM_TIS_DEFAULT_CANCELLATION, &priv->flags)) {
++ switch (priv->manufacturer_id) {
++ case TPM_VID_WINBOND:
++ return ((status == TPM_STS_VALID) ||
++ (status == (TPM_STS_VALID | TPM_STS_COMMAND_READY)));
++ case TPM_VID_STM:
++ return (status == (TPM_STS_VALID | TPM_STS_COMMAND_READY));
++ default:
++ break;
++ }
+ }
++
++ return status == TPM_STS_COMMAND_READY;
+ }
+
+ static irqreturn_t tis_int_handler(int dummy, void *dev_id)
+diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h
+index 66a5a13cd1df..b68479e0de10 100644
+--- a/drivers/char/tpm/tpm_tis_core.h
++++ b/drivers/char/tpm/tpm_tis_core.h
+@@ -86,6 +86,7 @@ enum tis_defaults {
+ enum tpm_tis_flags {
+ TPM_TIS_ITPM_WORKAROUND = BIT(0),
+ TPM_TIS_INVALID_STATUS = BIT(1),
++ TPM_TIS_DEFAULT_CANCELLATION = BIT(2),
+ };
+
+ struct tpm_tis_data {
+diff --git a/drivers/char/tpm/tpm_tis_i2c.c b/drivers/char/tpm/tpm_tis_i2c.c
+index 29f0db41c0b7..e728a61659f8 100644
+--- a/drivers/char/tpm/tpm_tis_i2c.c
++++ b/drivers/char/tpm/tpm_tis_i2c.c
+@@ -329,6 +329,7 @@ static int tpm_tis_i2c_probe(struct i2c_client *dev,
+ if (!phy->io_buf)
+ return -ENOMEM;
+
++ set_bit(TPM_TIS_DEFAULT_CANCELLATION, &phy->priv.flags);
+ phy->i2c_client = dev;
+
+ /* must precede all communication with the tpm */
+--
+2.35.1
+
--- /dev/null
+From 090246397b529bbcb68589b71a5eea13d140d014 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 15:03:33 -0500
+Subject: tpm: tis_i2c: Fix sanity check interrupt enable mask
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit 561d6ef75628db9cce433e573aa3cdb6b3bba903 ]
+
+The sanity check mask for TPM_INT_ENABLE register was off by 8 bits,
+resulting in failure to probe if the TPM_INT_ENABLE register was a
+valid value.
+
+Fixes: bbc23a07b072 ("tpm: Add tpm_tis_i2c backend for tpm_tis_core")
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Tested-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_i2c.c b/drivers/char/tpm/tpm_tis_i2c.c
+index ba0911b1d1ff..29f0db41c0b7 100644
+--- a/drivers/char/tpm/tpm_tis_i2c.c
++++ b/drivers/char/tpm/tpm_tis_i2c.c
+@@ -49,7 +49,7 @@
+
+ /* Masks with bits that must be read zero */
+ #define TPM_ACCESS_READ_ZERO 0x48
+-#define TPM_INT_ENABLE_ZERO 0x7FFFFF6
++#define TPM_INT_ENABLE_ZERO 0x7FFFFF60
+ #define TPM_STS_READ_ZERO 0x23
+ #define TPM_INTF_CAPABILITY_ZERO 0x0FFFF000
+ #define TPM_I2C_INTERFACE_CAPABILITY_ZERO 0x80000000
+--
+2.35.1
+
--- /dev/null
+From 95a551937eb1a4755350c4258d1b3a976b7fb549 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 11:38:53 -0800
+Subject: tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit f5264068071964b56dc02c9dab3d11574aaca6ff ]
+
+The error message in __crb_relinquish_locality() mentions requestAccess
+instead of Relinquish. Fix it.
+
+Fixes: 888d867df441 ("tpm: cmd_ready command can be issued only after granting locality")
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Acked-by: Tomas Winkler <tomas.winkler@intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_crb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
+index 18606651d1aa..65f8f179a27f 100644
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -252,7 +252,7 @@ static int __crb_relinquish_locality(struct device *dev,
+ iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl);
+ if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, mask, value,
+ TPM2_TIMEOUT_C)) {
+- dev_warn(dev, "TPM_LOC_STATE_x.requestAccess timed out\n");
++ dev_warn(dev, "TPM_LOC_STATE_x.Relinquish timed out\n");
+ return -ETIME;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f0956639e1ade7de078eb0f505fa4e0c43b6b6fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 03:19:26 +0000
+Subject: tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 2b7d07f7acaac2c7750e420dcf4414588ede6d03 ]
+
+The ftpm_mod_init() returns the driver_register() directly without checking
+its return value, if driver_register() failed, the ftpm_tee_plat_driver is
+not unregistered.
+
+Fix by unregister ftpm_tee_plat_driver when driver_register() failed.
+
+Fixes: 9f1944c23c8c ("tpm_ftpm_tee: register driver on TEE bus")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_ftpm_tee.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/tpm_ftpm_tee.c b/drivers/char/tpm/tpm_ftpm_tee.c
+index 5c233423c56f..deff23bb54bf 100644
+--- a/drivers/char/tpm/tpm_ftpm_tee.c
++++ b/drivers/char/tpm/tpm_ftpm_tee.c
+@@ -397,7 +397,13 @@ static int __init ftpm_mod_init(void)
+ if (rc)
+ return rc;
+
+- return driver_register(&ftpm_tee_driver.driver);
++ rc = driver_register(&ftpm_tee_driver.driver);
++ if (rc) {
++ platform_driver_unregister(&ftpm_tee_plat_driver);
++ return rc;
++ }
++
++ return 0;
+ }
+
+ static void __exit ftpm_mod_exit(void)
+--
+2.35.1
+
--- /dev/null
+From d270e2024a48254ab9dd6c9740114292679bacb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 21:53:26 +0800
+Subject: tracing/hist: Fix issue of losting command info in error_log
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit 608c6ed3337850c767ab0dd6c583477922233e29 ]
+
+When input some constructed invalid 'trigger' command, command info
+in 'error_log' are lost [1].
+
+The root cause is that there is a path that event_hist_trigger_parse()
+is recursely called once and 'last_cmd' which save origin command is
+cleared, then later calling of hist_err() will no longer record origin
+command info:
+
+ event_hist_trigger_parse() {
+ last_cmd_set() // <1> 'last_cmd' save origin command here at first
+ create_actions() {
+ onmatch_create() {
+ action_create() {
+ trace_action_create() {
+ trace_action_create_field_var() {
+ create_field_var_hist() {
+ event_hist_trigger_parse() { // <2> recursely called once
+ hist_err_clear() // <3> 'last_cmd' is cleared here
+ }
+ hist_err() // <4> No longer find origin command!!!
+
+Since 'glob' is empty string while running into the recurse call, we
+can trickly check it and bypass the call of hist_err_clear() to solve it.
+
+[1]
+ # cd /sys/kernel/tracing
+ # echo "my_synth_event int v1; int v2; int v3;" >> synthetic_events
+ # echo 'hist:keys=pid' >> events/sched/sched_waking/trigger
+ # echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\
+pid,pid1)" >> events/sched/sched_switch/trigger
+ # cat error_log
+[ 8.405018] hist:sched:sched_switch: error: Couldn't find synthetic event
+ Command:
+hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
+ ^
+[ 8.816902] hist:sched:sched_switch: error: Couldn't find field
+ Command:
+hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
+ ^
+[ 8.816902] hist:sched:sched_switch: error: Couldn't parse field variable
+ Command:
+hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
+ ^
+[ 8.999880] : error: Couldn't find field
+ Command:
+ ^
+[ 8.999880] : error: Couldn't parse field variable
+ Command:
+ ^
+[ 8.999880] : error: Couldn't find field
+ Command:
+ ^
+[ 8.999880] : error: Couldn't create histogram for field
+ Command:
+ ^
+
+Link: https://lore.kernel.org/linux-trace-kernel/20221207135326.3483216-1-zhengyejian1@huawei.com
+
+Cc: <mhiramat@kernel.org>
+Cc: <zanussi@kernel.org>
+Fixes: f404da6e1d46 ("tracing: Add 'last error' error facility for hist triggers")
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_hist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
+index 49243e861714..d8406f6f5d39 100644
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -6346,7 +6346,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops,
+ if (se)
+ se->ref++;
+ out:
+- if (ret == 0)
++ if (ret == 0 && glob[0])
+ hist_err_clear();
+
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 695b6fcbd9565c8dd4221c9b8c370b438f6561eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 10:32:48 -0800
+Subject: tracing/user_events: Fix call print_fmt leak
+
+From: Beau Belgrave <beaub@linux.microsoft.com>
+
+[ Upstream commit 4bded7af8b9af6e97514b0521004f90267905aef ]
+
+If user_event_trace_register() fails within user_event_parse() the
+call's print_fmt member is not freed. Add kfree call to fix this.
+
+Link: https://lkml.kernel.org/r/20221123183248.554-1-beaub@linux.microsoft.com
+
+Fixes: aa3b2b4c6692 ("user_events: Add print_fmt generation support for basic types")
+Signed-off-by: Beau Belgrave <beaub@linux.microsoft.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/trace/trace_events_user.c b/kernel/trace/trace_events_user.c
+index a6621c52ce45..b885b6934893 100644
+--- a/kernel/trace/trace_events_user.c
++++ b/kernel/trace/trace_events_user.c
+@@ -1127,6 +1127,7 @@ static int user_event_parse(char *name, char *args, char *flags,
+ put_user:
+ user_event_destroy_fields(user);
+ user_event_destroy_validators(user);
++ kfree(user->call.print_fmt);
+ kfree(user);
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From dffac2693a76a0c2fef8f7e87b2daa6a136610a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 07:20:43 +0200
+Subject: tty: serial: altera_uart_{r,t}x_chars() need only uart_port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit 3af44d9bb0539d5fa27d6159d696fda5f3747bff ]
+
+Both altera_uart_{r,t}x_chars() need only uart_port, not altera_uart. So
+pass the former from altera_uart_interrupt() directly.
+
+Apart it maybe saves a dereference, this makes the transition of
+altera_uart_tx_chars() easier to follow in the next patch.
+
+Cc: Tobias Klauser <tklauser@distanz.ch>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Acked-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20220920052049.20507-4-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 1307c5d33cce ("serial: altera_uart: fix locking in polling mode")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/altera_uart.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c
+index 71478d098c13..ab08c4050a84 100644
+--- a/drivers/tty/serial/altera_uart.c
++++ b/drivers/tty/serial/altera_uart.c
+@@ -199,9 +199,8 @@ static void altera_uart_set_termios(struct uart_port *port,
+ */
+ }
+
+-static void altera_uart_rx_chars(struct altera_uart *pp)
++static void altera_uart_rx_chars(struct uart_port *port)
+ {
+- struct uart_port *port = &pp->port;
+ unsigned char ch, flag;
+ unsigned short status;
+
+@@ -246,9 +245,8 @@ static void altera_uart_rx_chars(struct altera_uart *pp)
+ tty_flip_buffer_push(&port->state->port);
+ }
+
+-static void altera_uart_tx_chars(struct altera_uart *pp)
++static void altera_uart_tx_chars(struct uart_port *port)
+ {
+- struct uart_port *port = &pp->port;
+ struct circ_buf *xmit = &port->state->xmit;
+
+ if (port->x_char) {
+@@ -286,9 +284,9 @@ static irqreturn_t altera_uart_interrupt(int irq, void *data)
+
+ spin_lock(&port->lock);
+ if (isr & ALTERA_UART_STATUS_RRDY_MSK)
+- altera_uart_rx_chars(pp);
++ altera_uart_rx_chars(port);
+ if (isr & ALTERA_UART_STATUS_TRDY_MSK)
+- altera_uart_tx_chars(pp);
++ altera_uart_tx_chars(port);
+ spin_unlock(&port->lock);
+
+ return IRQ_RETVAL(isr);
+--
+2.35.1
+
--- /dev/null
+From ce4770b800e1af49ce5697ea3f3fbb302a98994b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 07:20:42 +0200
+Subject: tty: serial: clean up stop-tx part in altera_uart_tx_chars()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit d9c128117da41cf4cb0e80ae565b5d3ac79dffac ]
+
+The "stop TX" path in altera_uart_tx_chars() is open-coded, so:
+* use uart_circ_empty() to check if the buffer is empty, and
+* when true, call altera_uart_stop_tx().
+
+Cc: Tobias Klauser <tklauser@distanz.ch>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Acked-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20220920052049.20507-3-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 1307c5d33cce ("serial: altera_uart: fix locking in polling mode")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/altera_uart.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c
+index 8b749ed557c6..71478d098c13 100644
+--- a/drivers/tty/serial/altera_uart.c
++++ b/drivers/tty/serial/altera_uart.c
+@@ -272,10 +272,8 @@ static void altera_uart_tx_chars(struct altera_uart *pp)
+ if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+ uart_write_wakeup(port);
+
+- if (xmit->head == xmit->tail) {
+- pp->imr &= ~ALTERA_UART_CONTROL_TRDY_MSK;
+- altera_uart_update_ctrl_reg(pp);
+- }
++ if (uart_circ_empty(xmit))
++ altera_uart_stop_tx(port);
+ }
+
+ static irqreturn_t altera_uart_interrupt(int irq, void *data)
+--
+2.35.1
+
--- /dev/null
+From 50376aa160ccce7bec97ef2687684f7418375471 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Oct 2022 18:57:41 +0900
+Subject: udf: Avoid double brelse() in udf_rename()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit c791730f2554a9ebb8f18df9368dc27d4ebc38c2 ]
+
+syzbot reported a warning like below [1]:
+
+VFS: brelse: Trying to free free buffer
+WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0
+...
+Call Trace:
+ <TASK>
+ invalidate_bh_lru+0x99/0x150
+ smp_call_function_many_cond+0xe2a/0x10c0
+ ? generic_remap_file_range_prep+0x50/0x50
+ ? __brelse+0xa0/0xa0
+ ? __mutex_lock+0x21c/0x12d0
+ ? smp_call_on_cpu+0x250/0x250
+ ? rcu_read_lock_sched_held+0xb/0x60
+ ? lock_release+0x587/0x810
+ ? __brelse+0xa0/0xa0
+ ? generic_remap_file_range_prep+0x50/0x50
+ on_each_cpu_cond_mask+0x3c/0x80
+ blkdev_flush_mapping+0x13a/0x2f0
+ blkdev_put_whole+0xd3/0xf0
+ blkdev_put+0x222/0x760
+ deactivate_locked_super+0x96/0x160
+ deactivate_super+0xda/0x100
+ cleanup_mnt+0x222/0x3d0
+ task_work_run+0x149/0x240
+ ? task_work_cancel+0x30/0x30
+ do_exit+0xb29/0x2a40
+ ? reacquire_held_locks+0x4a0/0x4a0
+ ? do_raw_spin_lock+0x12a/0x2b0
+ ? mm_update_next_owner+0x7c0/0x7c0
+ ? rwlock_bug.part.0+0x90/0x90
+ ? zap_other_threads+0x234/0x2d0
+ do_group_exit+0xd0/0x2a0
+ __x64_sys_exit_group+0x3a/0x50
+ do_syscall_64+0x34/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The cause of the issue is that brelse() is called on both ofibh.sbh
+and ofibh.ebh by udf_find_entry() when it returns NULL. However,
+brelse() is called by udf_rename(), too. So, b_count on buffer_head
+becomes unbalanced.
+
+This patch fixes the issue by not calling brelse() by udf_rename()
+when udf_find_entry() returns NULL.
+
+Link: https://syzkaller.appspot.com/bug?id=8297f45698159c6bca8a1f87dc983667c1a1c851 [1]
+Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20221023095741.271430-1-syoshida@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/namei.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 865e658535b1..0e30a50060d9 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1091,8 +1091,9 @@ static int udf_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+ return -EINVAL;
+
+ ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi);
+- if (IS_ERR(ofi)) {
+- retval = PTR_ERR(ofi);
++ if (!ofi || IS_ERR(ofi)) {
++ if (IS_ERR(ofi))
++ retval = PTR_ERR(ofi);
+ goto end_rename;
+ }
+
+@@ -1101,8 +1102,7 @@ static int udf_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+
+ brelse(ofibh.sbh);
+ tloc = lelb_to_cpu(ocfi.icb.extLocation);
+- if (!ofi || udf_get_lb_pblock(old_dir->i_sb, &tloc, 0)
+- != old_inode->i_ino)
++ if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino)
+ goto end_rename;
+
+ nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi);
+--
+2.35.1
+
--- /dev/null
+From 18a801e9c75d6d856c32018b74e30cedf23b3ee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 13:57:53 -0800
+Subject: udp: Clean up some functions.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 919dfa0b20ae56060dce0436eb710717f8987d18 ]
+
+This patch adds no functional change and cleans up some functions
+that the following patches touch around so that we make them tidy
+and easy to review/revert. The change is mainly to keep reverse
+christmas tree order.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 7a7160edf1bf ("net: Return errno in sk->sk_prot->get_port().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp.c | 39 +++++++++++++++++++++++----------------
+ net/ipv6/udp.c | 12 ++++++++----
+ 2 files changed, 31 insertions(+), 20 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index d9099754ac69..c04a26339bd1 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -232,16 +232,16 @@ static int udp_reuseport_add_sock(struct sock *sk, struct udp_hslot *hslot)
+ int udp_lib_get_port(struct sock *sk, unsigned short snum,
+ unsigned int hash2_nulladdr)
+ {
+- struct udp_hslot *hslot, *hslot2;
+ struct udp_table *udptable = sk->sk_prot->h.udp_table;
+- int error = 1;
++ struct udp_hslot *hslot, *hslot2;
+ struct net *net = sock_net(sk);
++ int error = 1;
+
+ if (!snum) {
++ DECLARE_BITMAP(bitmap, PORTS_PER_CHAIN);
++ unsigned short first, last;
+ int low, high, remaining;
+ unsigned int rand;
+- unsigned short first, last;
+- DECLARE_BITMAP(bitmap, PORTS_PER_CHAIN);
+
+ inet_get_local_port_range(net, &low, &high);
+ remaining = (high - low) + 1;
+@@ -2527,10 +2527,13 @@ static struct sock *__udp4_lib_mcast_demux_lookup(struct net *net,
+ __be16 rmt_port, __be32 rmt_addr,
+ int dif, int sdif)
+ {
+- struct sock *sk, *result;
+ unsigned short hnum = ntohs(loc_port);
+- unsigned int slot = udp_hashfn(net, hnum, udp_table.mask);
+- struct udp_hslot *hslot = &udp_table.hash[slot];
++ struct sock *sk, *result;
++ struct udp_hslot *hslot;
++ unsigned int slot;
++
++ slot = udp_hashfn(net, hnum, udp_table.mask);
++ hslot = &udp_table.hash[slot];
+
+ /* Do not bother scanning a too big list */
+ if (hslot->count > 10)
+@@ -2558,14 +2561,18 @@ static struct sock *__udp4_lib_demux_lookup(struct net *net,
+ __be16 rmt_port, __be32 rmt_addr,
+ int dif, int sdif)
+ {
+- unsigned short hnum = ntohs(loc_port);
+- unsigned int hash2 = ipv4_portaddr_hash(net, loc_addr, hnum);
+- unsigned int slot2 = hash2 & udp_table.mask;
+- struct udp_hslot *hslot2 = &udp_table.hash2[slot2];
+ INET_ADDR_COOKIE(acookie, rmt_addr, loc_addr);
+- const __portpair ports = INET_COMBINED_PORTS(rmt_port, hnum);
++ unsigned short hnum = ntohs(loc_port);
++ unsigned int hash2, slot2;
++ struct udp_hslot *hslot2;
++ __portpair ports;
+ struct sock *sk;
+
++ hash2 = ipv4_portaddr_hash(net, loc_addr, hnum);
++ slot2 = hash2 & udp_table.mask;
++ hslot2 = &udp_table.hash2[slot2];
++ ports = INET_COMBINED_PORTS(rmt_port, hnum);
++
+ udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) {
+ if (inet_match(net, sk, acookie, ports, dif, sdif))
+ return sk;
+@@ -2966,10 +2973,10 @@ EXPORT_SYMBOL(udp_prot);
+
+ static struct sock *udp_get_first(struct seq_file *seq, int start)
+ {
+- struct sock *sk;
+- struct udp_seq_afinfo *afinfo;
+ struct udp_iter_state *state = seq->private;
+ struct net *net = seq_file_net(seq);
++ struct udp_seq_afinfo *afinfo;
++ struct sock *sk;
+
+ if (state->bpf_seq_afinfo)
+ afinfo = state->bpf_seq_afinfo;
+@@ -3000,9 +3007,9 @@ static struct sock *udp_get_first(struct seq_file *seq, int start)
+
+ static struct sock *udp_get_next(struct seq_file *seq, struct sock *sk)
+ {
+- struct udp_seq_afinfo *afinfo;
+ struct udp_iter_state *state = seq->private;
+ struct net *net = seq_file_net(seq);
++ struct udp_seq_afinfo *afinfo;
+
+ if (state->bpf_seq_afinfo)
+ afinfo = state->bpf_seq_afinfo;
+@@ -3058,8 +3065,8 @@ EXPORT_SYMBOL(udp_seq_next);
+
+ void udp_seq_stop(struct seq_file *seq, void *v)
+ {
+- struct udp_seq_afinfo *afinfo;
+ struct udp_iter_state *state = seq->private;
++ struct udp_seq_afinfo *afinfo;
+
+ if (state->bpf_seq_afinfo)
+ afinfo = state->bpf_seq_afinfo;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index fb667e02e976..d917d62e662d 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1039,12 +1039,16 @@ static struct sock *__udp6_lib_demux_lookup(struct net *net,
+ int dif, int sdif)
+ {
+ unsigned short hnum = ntohs(loc_port);
+- unsigned int hash2 = ipv6_portaddr_hash(net, loc_addr, hnum);
+- unsigned int slot2 = hash2 & udp_table.mask;
+- struct udp_hslot *hslot2 = &udp_table.hash2[slot2];
+- const __portpair ports = INET_COMBINED_PORTS(rmt_port, hnum);
++ unsigned int hash2, slot2;
++ struct udp_hslot *hslot2;
++ __portpair ports;
+ struct sock *sk;
+
++ hash2 = ipv6_portaddr_hash(net, loc_addr, hnum);
++ slot2 = hash2 & udp_table.mask;
++ hslot2 = &udp_table.hash2[slot2];
++ ports = INET_COMBINED_PORTS(rmt_port, hnum);
++
+ udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) {
+ if (sk->sk_state == TCP_ESTABLISHED &&
+ inet6_match(net, sk, rmt_addr, loc_addr, ports, dif, sdif))
+--
+2.35.1
+
--- /dev/null
+From 39173686a6209f15c123a17011345c02ca29722f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 19:40:58 -0300
+Subject: uio: uio_dmem_genirq: Fix deadlock between irq config and handling
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit 118b918018175d9fcd8db667f905012e986cc2c9 ]
+
+This fixes a concurrency issue addressed in commit 34cb27528398 ("UIO: Fix
+concurrency issue"):
+
+ "In a SMP case there was a race condition issue between
+ Uio_pdrv_genirq_irqcontrol() running on one CPU and irq handler on
+ another CPU. Fix it by spin_locking shared resources access inside irq
+ handler."
+
+The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and
+it is used in a similar manner to the "uio_pdrv_genirq" driver with respect
+to interrupt configuration and handling. At the time "uio_dmem_genirq" was
+merged, both had the same implementation of the 'uio_info' handlers
+irqcontrol() and handler(), thus, both had the same concurrency issue
+mentioned by the above commit. However, the above patch was only applied to
+the "uio_pdrv_genirq" driver.
+
+Split out from commit 34cb27528398 ("UIO: Fix concurrency issue").
+
+Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation")
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Link: https://lore.kernel.org/r/20220930224100.816175-3-rafaelmendsr@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/uio/uio_dmem_genirq.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
+index cb283ee36eaa..792c3e9c9ce5 100644
+--- a/drivers/uio/uio_dmem_genirq.c
++++ b/drivers/uio/uio_dmem_genirq.c
+@@ -110,8 +110,10 @@ static irqreturn_t uio_dmem_genirq_handler(int irq, struct uio_info *dev_info)
+ * remember the state so we can allow user space to enable it later.
+ */
+
++ spin_lock(&priv->lock);
+ if (!test_and_set_bit(0, &priv->flags))
+ disable_irq_nosync(irq);
++ spin_unlock(&priv->lock);
+
+ return IRQ_HANDLED;
+ }
+@@ -125,7 +127,8 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on)
+ * in the interrupt controller, but keep track of the
+ * state to prevent per-irq depth damage.
+ *
+- * Serialize this operation to support multiple tasks.
++ * Serialize this operation to support multiple tasks and concurrency
++ * with irq handler on SMP systems.
+ */
+
+ spin_lock_irqsave(&priv->lock, flags);
+--
+2.35.1
+
--- /dev/null
+From 8392dd04ef340fc705b3981df2ea06302a7fcfcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 19:40:57 -0300
+Subject: uio: uio_dmem_genirq: Fix missing unlock in irq configuration
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit 9de255c461d1b3f0242b3ad1450c3323a3e00b34 ]
+
+Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in
+uio_dmem_genirq_irqcontrol()") started calling disable_irq() without
+holding the spinlock because it can sleep. However, that fix introduced
+another bug: if interrupt is already disabled and a new disable request
+comes in, then the spinlock is not unlocked:
+
+root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
+root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
+root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002
+[ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]
+[ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21
+[ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 14.855664] Call Trace:
+[ 14.855861] <TASK>
+[ 14.856025] dump_stack_lvl+0x4d/0x67
+[ 14.856325] dump_stack+0x14/0x1a
+[ 14.856583] __schedule_bug.cold+0x4b/0x5c
+[ 14.856915] __schedule+0xe81/0x13d0
+[ 14.857199] ? idr_find+0x13/0x20
+[ 14.857456] ? get_work_pool+0x2d/0x50
+[ 14.857756] ? __flush_work+0x233/0x280
+[ 14.858068] ? __schedule+0xa95/0x13d0
+[ 14.858307] ? idr_find+0x13/0x20
+[ 14.858519] ? get_work_pool+0x2d/0x50
+[ 14.858798] schedule+0x6c/0x100
+[ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110
+[ 14.859335] ? tty_write_room+0x1f/0x30
+[ 14.859598] ? n_tty_poll+0x1ec/0x220
+[ 14.859830] ? tty_ldisc_deref+0x1a/0x20
+[ 14.860090] schedule_hrtimeout_range+0x17/0x20
+[ 14.860373] do_select+0x596/0x840
+[ 14.860627] ? __kernel_text_address+0x16/0x50
+[ 14.860954] ? poll_freewait+0xb0/0xb0
+[ 14.861235] ? poll_freewait+0xb0/0xb0
+[ 14.861517] ? rpm_resume+0x49d/0x780
+[ 14.861798] ? common_interrupt+0x59/0xa0
+[ 14.862127] ? asm_common_interrupt+0x2b/0x40
+[ 14.862511] ? __uart_start.isra.0+0x61/0x70
+[ 14.862902] ? __check_object_size+0x61/0x280
+[ 14.863255] core_sys_select+0x1c6/0x400
+[ 14.863575] ? vfs_write+0x1c9/0x3d0
+[ 14.863853] ? vfs_write+0x1c9/0x3d0
+[ 14.864121] ? _copy_from_user+0x45/0x70
+[ 14.864526] do_pselect.constprop.0+0xb3/0xf0
+[ 14.864893] ? do_syscall_64+0x6d/0x90
+[ 14.865228] ? do_syscall_64+0x6d/0x90
+[ 14.865556] __x64_sys_pselect6+0x76/0xa0
+[ 14.865906] do_syscall_64+0x60/0x90
+[ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50
+[ 14.866640] ? do_syscall_64+0x6d/0x90
+[ 14.866972] ? do_syscall_64+0x6d/0x90
+[ 14.867286] ? do_syscall_64+0x6d/0x90
+[ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[...] stripped
+[ 14.872959] </TASK>
+
+('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this)
+
+The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and
+it is used in a similar manner to the "uio_pdrv_genirq" driver with respect
+to interrupt configuration and handling. At the time "uio_dmem_genirq" was
+introduced, both had the same implementation of the 'uio_info' handlers
+irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency
+issue"), which was only applied to "uio_pdrv_genirq", ended up making them
+a little different. That commit, among other things, changed disable_irq()
+to disable_irq_nosync() in the implementation of irqcontrol(). The
+motivation there was to avoid a deadlock between irqcontrol() and
+handler(), since it added a spinlock in the irq handler, and disable_irq()
+waits for the completion of the irq handler.
+
+By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also
+avoid the sleeping-while-atomic bug that commit b74351287d4b ("uio: fix a
+sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") was trying to
+fix. Thus, this fixes the missing unlock in irqcontrol() by importing the
+implementation of irqcontrol() handler from the "uio_pdrv_genirq" driver.
+In the end, it reverts commit b74351287d4b ("uio: fix a
+sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") and change
+disable_irq() to disable_irq_nosync().
+
+It is worth noting that this still does not address the concurrency issue
+fixed by commit 34cb27528398 ("UIO: Fix concurrency issue"). It will be
+addressed separately in the next commits.
+
+Split out from commit 34cb27528398 ("UIO: Fix concurrency issue").
+
+Fixes: b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()")
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Link: https://lore.kernel.org/r/20220930224100.816175-2-rafaelmendsr@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/uio/uio_dmem_genirq.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
+index 1106f3376404..cb283ee36eaa 100644
+--- a/drivers/uio/uio_dmem_genirq.c
++++ b/drivers/uio/uio_dmem_genirq.c
+@@ -132,13 +132,11 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on)
+ if (irq_on) {
+ if (test_and_clear_bit(0, &priv->flags))
+ enable_irq(dev_info->irq);
+- spin_unlock_irqrestore(&priv->lock, flags);
+ } else {
+- if (!test_and_set_bit(0, &priv->flags)) {
+- spin_unlock_irqrestore(&priv->lock, flags);
+- disable_irq(dev_info->irq);
+- }
++ if (!test_and_set_bit(0, &priv->flags))
++ disable_irq_nosync(dev_info->irq);
+ }
++ spin_unlock_irqrestore(&priv->lock, flags);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From f0a3198e8160bccec7acfe4b0e665bd9db878797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Dec 2022 00:05:53 +0300
+Subject: unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg()
+
+From: Kirill Tkhai <tkhai@ya.ru>
+
+[ Upstream commit 3ff8bff704f4de125dca2262e5b5b963a3da1d87 ]
+
+There is a race resulting in alive SOCK_SEQPACKET socket
+may change its state from TCP_ESTABLISHED to TCP_CLOSE:
+
+unix_release_sock(peer) unix_dgram_sendmsg(sk)
+ sock_orphan(peer)
+ sock_set_flag(peer, SOCK_DEAD)
+ sock_alloc_send_pskb()
+ if !(sk->sk_shutdown & SEND_SHUTDOWN)
+ OK
+ if sock_flag(peer, SOCK_DEAD)
+ sk->sk_state = TCP_CLOSE
+ sk->sk_shutdown = SHUTDOWN_MASK
+
+After that socket sk remains almost normal: it is able to connect, listen, accept
+and recvmsg, while it can't sendmsg.
+
+Since this is the only possibility for alive SOCK_SEQPACKET to change
+the state in such way, we should better fix this strange and potentially
+danger corner case.
+
+Note, that we will return EPIPE here like this is normally done in sock_alloc_send_pskb().
+Originally used ECONNREFUSED looks strange, since it's strange to return
+a specific retval in dependence of race in kernel, when user can't affect on this.
+
+Also, move TCP_CLOSE assignment for SOCK_DGRAM sockets under state lock
+to fix race with unix_dgram_connect():
+
+unix_dgram_connect(other) unix_dgram_sendmsg(sk)
+ unix_peer(sk) = NULL
+ unix_state_unlock(sk)
+ unix_state_double_lock(sk, other)
+ sk->sk_state = TCP_ESTABLISHED
+ unix_peer(sk) = other
+ unix_state_double_unlock(sk, other)
+ sk->sk_state = TCP_CLOSED
+
+This patch fixes both of these races.
+
+Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
+Signed-off-by: Kirill Tkhai <tkhai@ya.ru>
+Link: https://lore.kernel.org/r/135fda25-22d5-837a-782b-ceee50e19844@ya.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 02fad8e8f4cd..48cc8223b06b 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1969,13 +1969,20 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ unix_state_lock(sk);
+
+ err = 0;
+- if (unix_peer(sk) == other) {
++ if (sk->sk_type == SOCK_SEQPACKET) {
++ /* We are here only when racing with unix_release_sock()
++ * is clearing @other. Never change state to TCP_CLOSE
++ * unlike SOCK_DGRAM wants.
++ */
++ unix_state_unlock(sk);
++ err = -EPIPE;
++ } else if (unix_peer(sk) == other) {
+ unix_peer(sk) = NULL;
+ unix_dgram_peer_wake_disconnect_wakeup(sk, other);
+
++ sk->sk_state = TCP_CLOSE;
+ unix_state_unlock(sk);
+
+- sk->sk_state = TCP_CLOSE;
+ unix_dgram_disconnected(sk, other);
+ sock_put(other);
+ err = -ECONNREFUSED;
+--
+2.35.1
+
--- /dev/null
+From 53bdfb692635d038e8bbebde95914efb4f310907 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Dec 2022 18:39:33 +0100
+Subject: uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+[ Upstream commit cefa72129e45313655d53a065b8055aaeb01a0c9 ]
+
+Intel ICC -hotpatch inserts 2-byte "0x66 0x90" NOP at the start of each
+function to reserve extra space for hot-patching, and currently it is not
+possible to probe these functions because branch_setup_xol_ops() wrongly
+rejects NOP with REP prefix as it treats them like word-sized branch
+instructions.
+
+Fixes: 250bbd12c2fe ("uprobes/x86: Refuse to attach uprobe to "word-sized" branch insns")
+Reported-by: Seiji Nishikawa <snishika@redhat.com>
+Suggested-by: Denys Vlasenko <dvlasenk@redhat.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://lore.kernel.org/r/20221204173933.GA31544@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/uprobes.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
+index b63cf8f7745e..6c07f6daaa22 100644
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -722,8 +722,9 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
+ switch (opc1) {
+ case 0xeb: /* jmp 8 */
+ case 0xe9: /* jmp 32 */
+- case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */
+ break;
++ case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */
++ goto setup;
+
+ case 0xe8: /* call relative */
+ branch_clear_offset(auprobe, insn);
+@@ -753,6 +754,7 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
+ return -ENOTSUPP;
+ }
+
++setup:
+ auprobe->branch.opc1 = opc1;
+ auprobe->branch.ilen = insn->length;
+ auprobe->branch.offs = insn->immediate.value;
+--
+2.35.1
+
--- /dev/null
+From 648629df7cbfe8fe19d59d04f59e8c6ff065a5b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 14:41:20 +0800
+Subject: usb: core: hcd: Fix return value check in usb_hcd_setup_local_mem()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3c347cdafa3db43337870006e5c2d7b78a8dae20 ]
+
+If dmam_alloc_attrs() fails, it returns NULL pointer and never
+return ERR_PTR(), so repleace IS_ERR() with IS_ERR_OR_NULL()
+and if it's NULL, returns -ENOMEM.
+
+Fixes: 9ba26f5cecd8 ("ARM: sa1100/assabet: move dmabounce hack to ohci driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221125064120.2842452-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hcd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 94b305bbd621..4bd9d799f1b9 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -3140,8 +3140,12 @@ int usb_hcd_setup_local_mem(struct usb_hcd *hcd, phys_addr_t phys_addr,
+ GFP_KERNEL,
+ DMA_ATTR_WRITE_COMBINE);
+
+- if (IS_ERR(local_mem))
++ if (IS_ERR_OR_NULL(local_mem)) {
++ if (!local_mem)
++ return -ENOMEM;
++
+ return PTR_ERR(local_mem);
++ }
+
+ /*
+ * Here we pass a dma_addr_t but the arg type is a phys_addr_t.
+--
+2.35.1
+
--- /dev/null
+From 3d002b2e1396c20288752cbb20a70528ea448115 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 10:03:17 +0100
+Subject: usb: fotg210-udc: Fix ages old endianness issues
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 46ed6026ca2181c917c8334a82e3eaf40a6234dd ]
+
+The code in the FOTG210 driver isn't entirely endianness-agnostic
+as reported by the kernel robot sparse testing. This came to
+the surface while moving the files around.
+
+The driver is only used on little-endian systems, so this causes
+no real-world regression, but it is nice to be strict and have
+some compile coverage also on big endian machines, so fix it
+up with the right LE accessors.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/linux-usb/202211110910.0dJ7nZCn-lkp@intel.com/
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20221111090317.94228-1-linus.walleij@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index fdca28e72a3b..d0e051beb3af 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -629,10 +629,10 @@ static void fotg210_request_error(struct fotg210_udc *fotg210)
+ static void fotg210_set_address(struct fotg210_udc *fotg210,
+ struct usb_ctrlrequest *ctrl)
+ {
+- if (ctrl->wValue >= 0x0100) {
++ if (le16_to_cpu(ctrl->wValue) >= 0x0100) {
+ fotg210_request_error(fotg210);
+ } else {
+- fotg210_set_dev_addr(fotg210, ctrl->wValue);
++ fotg210_set_dev_addr(fotg210, le16_to_cpu(ctrl->wValue));
+ fotg210_set_cxdone(fotg210);
+ }
+ }
+@@ -713,17 +713,17 @@ static void fotg210_get_status(struct fotg210_udc *fotg210,
+
+ switch (ctrl->bRequestType & USB_RECIP_MASK) {
+ case USB_RECIP_DEVICE:
+- fotg210->ep0_data = 1 << USB_DEVICE_SELF_POWERED;
++ fotg210->ep0_data = cpu_to_le16(1 << USB_DEVICE_SELF_POWERED);
+ break;
+ case USB_RECIP_INTERFACE:
+- fotg210->ep0_data = 0;
++ fotg210->ep0_data = cpu_to_le16(0);
+ break;
+ case USB_RECIP_ENDPOINT:
+ epnum = ctrl->wIndex & USB_ENDPOINT_NUMBER_MASK;
+ if (epnum)
+ fotg210->ep0_data =
+- fotg210_is_epnstall(fotg210->ep[epnum])
+- << USB_ENDPOINT_HALT;
++ cpu_to_le16(fotg210_is_epnstall(fotg210->ep[epnum])
++ << USB_ENDPOINT_HALT);
+ else
+ fotg210_request_error(fotg210);
+ break;
+--
+2.35.1
+
--- /dev/null
+From 495207cf85aeaa531ccd1583881e0c5cafcedee7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 12:35:21 +0000
+Subject: usb: gadget: f_hid: fix f_hidg lifetime vs cdev
+
+From: John Keeping <john@metanate.com>
+
+[ Upstream commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b ]
+
+The embedded struct cdev does not have its lifetime correctly tied to
+the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN
+is held open while the gadget is deleted.
+
+This can readily be replicated with libusbgx's example programs (for
+conciseness - operating directly via configfs is equivalent):
+
+ gadget-hid
+ exec 3<> /dev/hidg0
+ gadget-vid-pid-remove
+ exec 3<&-
+
+Pull the existing device up in to struct f_hidg and make use of the
+cdev_device_{add,del}() helpers. This changes the lifetime of the
+device object to match struct f_hidg, but note that it is still added
+and deleted at the same time.
+
+Fixes: 71adf1189469 ("USB: gadget: add HID gadget driver")
+Tested-by: Lee Jones <lee@kernel.org>
+Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
+Reviewed-by: Lee Jones <lee@kernel.org>
+Signed-off-by: John Keeping <john@metanate.com>
+Link: https://lore.kernel.org/r/20221122123523.3068034-2-john@metanate.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_hid.c | 52 ++++++++++++++++-------------
+ 1 file changed, 28 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
+index ca0a7d9eaa34..8b8bbeaa27cb 100644
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -71,7 +71,7 @@ struct f_hidg {
+ wait_queue_head_t write_queue;
+ struct usb_request *req;
+
+- int minor;
++ struct device dev;
+ struct cdev cdev;
+ struct usb_function func;
+
+@@ -84,6 +84,14 @@ static inline struct f_hidg *func_to_hidg(struct usb_function *f)
+ return container_of(f, struct f_hidg, func);
+ }
+
++static void hidg_release(struct device *dev)
++{
++ struct f_hidg *hidg = container_of(dev, struct f_hidg, dev);
++
++ kfree(hidg->set_report_buf);
++ kfree(hidg);
++}
++
+ /*-------------------------------------------------------------------------*/
+ /* Static descriptors */
+
+@@ -904,9 +912,7 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
+ struct usb_ep *ep;
+ struct f_hidg *hidg = func_to_hidg(f);
+ struct usb_string *us;
+- struct device *device;
+ int status;
+- dev_t dev;
+
+ /* maybe allocate device-global string IDs, and patch descriptors */
+ us = usb_gstrings_attach(c->cdev, ct_func_strings,
+@@ -999,21 +1005,11 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
+
+ /* create char device */
+ cdev_init(&hidg->cdev, &f_hidg_fops);
+- dev = MKDEV(major, hidg->minor);
+- status = cdev_add(&hidg->cdev, dev, 1);
++ status = cdev_device_add(&hidg->cdev, &hidg->dev);
+ if (status)
+ goto fail_free_descs;
+
+- device = device_create(hidg_class, NULL, dev, NULL,
+- "%s%d", "hidg", hidg->minor);
+- if (IS_ERR(device)) {
+- status = PTR_ERR(device);
+- goto del;
+- }
+-
+ return 0;
+-del:
+- cdev_del(&hidg->cdev);
+ fail_free_descs:
+ usb_free_all_descriptors(f);
+ fail:
+@@ -1244,9 +1240,7 @@ static void hidg_free(struct usb_function *f)
+
+ hidg = func_to_hidg(f);
+ opts = container_of(f->fi, struct f_hid_opts, func_inst);
+- kfree(hidg->report_desc);
+- kfree(hidg->set_report_buf);
+- kfree(hidg);
++ put_device(&hidg->dev);
+ mutex_lock(&opts->lock);
+ --opts->refcnt;
+ mutex_unlock(&opts->lock);
+@@ -1256,8 +1250,7 @@ static void hidg_unbind(struct usb_configuration *c, struct usb_function *f)
+ {
+ struct f_hidg *hidg = func_to_hidg(f);
+
+- device_destroy(hidg_class, MKDEV(major, hidg->minor));
+- cdev_del(&hidg->cdev);
++ cdev_device_del(&hidg->cdev, &hidg->dev);
+
+ usb_free_all_descriptors(f);
+ }
+@@ -1266,6 +1259,7 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi)
+ {
+ struct f_hidg *hidg;
+ struct f_hid_opts *opts;
++ int ret;
+
+ /* allocate and initialize one new instance */
+ hidg = kzalloc(sizeof(*hidg), GFP_KERNEL);
+@@ -1277,17 +1271,27 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi)
+ mutex_lock(&opts->lock);
+ ++opts->refcnt;
+
+- hidg->minor = opts->minor;
++ device_initialize(&hidg->dev);
++ hidg->dev.release = hidg_release;
++ hidg->dev.class = hidg_class;
++ hidg->dev.devt = MKDEV(major, opts->minor);
++ ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
++ if (ret) {
++ --opts->refcnt;
++ mutex_unlock(&opts->lock);
++ return ERR_PTR(ret);
++ }
++
+ hidg->bInterfaceSubClass = opts->subclass;
+ hidg->bInterfaceProtocol = opts->protocol;
+ hidg->report_length = opts->report_length;
+ hidg->report_desc_length = opts->report_desc_length;
+ if (opts->report_desc) {
+- hidg->report_desc = kmemdup(opts->report_desc,
+- opts->report_desc_length,
+- GFP_KERNEL);
++ hidg->report_desc = devm_kmemdup(&hidg->dev, opts->report_desc,
++ opts->report_desc_length,
++ GFP_KERNEL);
+ if (!hidg->report_desc) {
+- kfree(hidg);
++ put_device(&hidg->dev);
+ mutex_unlock(&opts->lock);
+ return ERR_PTR(-ENOMEM);
+ }
+--
+2.35.1
+
--- /dev/null
+From 4463a36f1e4d070b15955a994be24a8c4d78180e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 12:35:22 +0000
+Subject: usb: gadget: f_hid: fix refcount leak on error path
+
+From: John Keeping <john@metanate.com>
+
+[ Upstream commit 70a3288a7586526315105c699b687d78cd32559a ]
+
+When failing to allocate report_desc, opts->refcnt has already been
+incremented so it needs to be decremented to avoid leaving the options
+structure permanently locked.
+
+Fixes: 21a9476a7ba8 ("usb: gadget: hid: add configfs support")
+Tested-by: Lee Jones <lee@kernel.org>
+Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
+Reviewed-by: Lee Jones <lee@kernel.org>
+Signed-off-by: John Keeping <john@metanate.com>
+Link: https://lore.kernel.org/r/20221122123523.3068034-3-john@metanate.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_hid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
+index 8b8bbeaa27cb..6be6009f911e 100644
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -1292,6 +1292,7 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi)
+ GFP_KERNEL);
+ if (!hidg->report_desc) {
+ put_device(&hidg->dev);
++ --opts->refcnt;
+ mutex_unlock(&opts->lock);
+ return ERR_PTR(-ENOMEM);
+ }
+--
+2.35.1
+
--- /dev/null
+From 8a22a0454c5da4f9012d25903e461605c36f7ad1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 13:08:05 +0000
+Subject: USB: gadget: Fix use-after-free during usb config switch
+
+From: Jiantao Zhang <water.zhangjiantao@huawei.com>
+
+[ Upstream commit afdc12887f2b2ecf20d065a7d81ad29824155083 ]
+
+In the process of switching USB config from rndis to other config,
+if the hardware does not support the ->pullup callback, or the
+hardware encounters a low probability fault, both of them may cause
+the ->pullup callback to fail, which will then cause a system panic
+(use after free).
+
+The gadget drivers sometimes need to be unloaded regardless of the
+hardware's behavior.
+
+Analysis as follows:
+=======================================================================
+(1) write /config/usb_gadget/g1/UDC "none"
+
+gether_disconnect+0x2c/0x1f8
+rndis_disable+0x4c/0x74
+composite_disconnect+0x74/0xb0
+configfs_composite_disconnect+0x60/0x7c
+usb_gadget_disconnect+0x70/0x124
+usb_gadget_unregister_driver+0xc8/0x1d8
+gadget_dev_desc_UDC_store+0xec/0x1e4
+
+(2) rm /config/usb_gadget/g1/configs/b.1/f1
+
+rndis_deregister+0x28/0x54
+rndis_free+0x44/0x7c
+usb_put_function+0x14/0x1c
+config_usb_cfg_unlink+0xc4/0xe0
+configfs_unlink+0x124/0x1c8
+vfs_unlink+0x114/0x1dc
+
+(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4
+
+panic+0x1fc/0x3d0
+do_page_fault+0xa8/0x46c
+do_mem_abort+0x3c/0xac
+el1_sync_handler+0x40/0x78
+0xffffff801138f880
+rndis_close+0x28/0x34
+eth_stop+0x74/0x110
+dev_close_many+0x48/0x194
+rollback_registered_many+0x118/0x814
+unregister_netdev+0x20/0x30
+gether_cleanup+0x1c/0x38
+rndis_attr_release+0xc/0x14
+kref_put+0x74/0xb8
+configfs_rmdir+0x314/0x374
+
+If gadget->ops->pullup() return an error, function rndis_close() will be
+called, then it will causes a use-after-free problem.
+=======================================================================
+
+Fixes: 0a55187a1ec8 ("USB: gadget core: Issue ->disconnect() callback from usb_gadget_disconnect()")
+Signed-off-by: Jiantao Zhang <water.zhangjiantao@huawei.com>
+Signed-off-by: TaoXue <xuetao09@huawei.com>
+Link: https://lore.kernel.org/r/20221121130805.10735-1-water.zhangjiantao@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
+index c63c0c2cf649..bf9878e1a72a 100644
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -734,13 +734,13 @@ int usb_gadget_disconnect(struct usb_gadget *gadget)
+ }
+
+ ret = gadget->ops->pullup(gadget, 0);
+- if (!ret) {
++ if (!ret)
+ gadget->connected = 0;
+- mutex_lock(&udc_lock);
+- if (gadget->udc->driver)
+- gadget->udc->driver->disconnect(gadget);
+- mutex_unlock(&udc_lock);
+- }
++
++ mutex_lock(&udc_lock);
++ if (gadget->udc->driver)
++ gadget->udc->driver->disconnect(gadget);
++ mutex_unlock(&udc_lock);
+
+ out:
+ trace_usb_gadget_disconnect(gadget, ret);
+--
+2.35.1
+
--- /dev/null
+From f9c5809142ba6f48171fe5d55108f90f2e6aa528 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 12:25:32 +0200
+Subject: usb: musb: omap2430: Fix probe regression for missing resources
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit ffbe2feac59b37c8dc536727552b4f375e1b9aec ]
+
+Probe for omap2430 glue layer is now broken for interrupt resources in
+all cases.
+
+Commit 239071064732 ("partially Revert "usb: musb: Set the DT node on the
+child device"") broke probing for SoCs using ti-sysc interconnect target
+module as the dt node is not found.
+
+Commit a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource from
+DT core") caused omap3 to fail with error "-ENXIO: IRQ mc not found" as
+the IRQ resources are no longer automatically populated from devicetree.
+
+Let's fix the issues by calling device_set_of_node_from_dev() only if the
+SoC has been updated to probe with ti-sysc. And for legacy SoCs, let's
+populate the resources manually as needed.
+
+Note that once we have updated the SoCs to probe with proper devicetree
+data in all cases, this is no longer needed. But doing that requires
+patching both devicetree and SoC code, so let's fix the probe issues first.
+
+Fixes: a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource from DT core")
+Fixes: 239071064732 ("partially Revert "usb: musb: Set the DT node on the child device"")
+Cc: H. Nikolaus Schaller <hns@goldelico.com>
+Reported-by: Sicelo Mhlongo <absicsz@gmail.com>
+Tested-by: Sicelo Mhlongo <absicsz@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20221118102532.34458-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/omap2430.c | 54 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c
+index f571a65ae6ee..476f55d1fec3 100644
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -15,6 +15,7 @@
+ #include <linux/list.h>
+ #include <linux/io.h>
+ #include <linux/of.h>
++#include <linux/of_irq.h>
+ #include <linux/platform_device.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/pm_runtime.h>
+@@ -310,6 +311,7 @@ static int omap2430_probe(struct platform_device *pdev)
+ struct device_node *control_node;
+ struct platform_device *control_pdev;
+ int ret = -ENOMEM, val;
++ bool populate_irqs = false;
+
+ if (!np)
+ return -ENODEV;
+@@ -328,6 +330,18 @@ static int omap2430_probe(struct platform_device *pdev)
+ musb->dev.dma_mask = &omap2430_dmamask;
+ musb->dev.coherent_dma_mask = omap2430_dmamask;
+
++ /*
++ * Legacy SoCs using omap_device get confused if node is moved
++ * because of interconnect properties mixed into the node.
++ */
++ if (of_get_property(np, "ti,hwmods", NULL)) {
++ dev_warn(&pdev->dev, "please update to probe with ti-sysc\n");
++ populate_irqs = true;
++ } else {
++ device_set_of_node_from_dev(&musb->dev, &pdev->dev);
++ }
++ of_node_put(np);
++
+ glue->dev = &pdev->dev;
+ glue->musb = musb;
+ glue->status = MUSB_UNKNOWN;
+@@ -389,6 +403,46 @@ static int omap2430_probe(struct platform_device *pdev)
+ goto err2;
+ }
+
++ if (populate_irqs) {
++ struct resource musb_res[3];
++ struct resource *res;
++ int i = 0;
++
++ memset(musb_res, 0, sizeof(*musb_res) * ARRAY_SIZE(musb_res));
++
++ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!res)
++ goto err2;
++
++ musb_res[i].start = res->start;
++ musb_res[i].end = res->end;
++ musb_res[i].flags = res->flags;
++ musb_res[i].name = res->name;
++ i++;
++
++ ret = of_irq_get_byname(np, "mc");
++ if (ret > 0) {
++ musb_res[i].start = ret;
++ musb_res[i].flags = IORESOURCE_IRQ;
++ musb_res[i].name = "mc";
++ i++;
++ }
++
++ ret = of_irq_get_byname(np, "dma");
++ if (ret > 0) {
++ musb_res[i].start = ret;
++ musb_res[i].flags = IORESOURCE_IRQ;
++ musb_res[i].name = "dma";
++ i++;
++ }
++
++ ret = platform_device_add_resources(musb, musb_res, i);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to add IRQ resources\n");
++ goto err2;
++ }
++ }
++
+ ret = platform_device_add_data(musb, pdata, sizeof(*pdata));
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add platform_data\n");
+--
+2.35.1
+
--- /dev/null
+From 44ec80c72fcabbc2060541838f8bbf1f9a01c0b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 20:21:15 +0200
+Subject: usb: musb: remove extra check in musb_gadget_vbus_draw
+
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+
+[ Upstream commit ecec4b20d29c3d6922dafe7d2555254a454272d2 ]
+
+The checks for musb->xceiv and musb->xceiv->set_power duplicate those in
+usb_phy_set_power(), so there is no need of them. Moreover, not calling
+usb_phy_set_power() results in usb_phy_set_charger_current() not being
+called, so current USB config max current is not propagated through USB
+charger framework and charger drivers may try to draw more current than
+allowed or possible.
+
+Fix that by removing those extra checks and calling usb_phy_set_power()
+directly.
+
+Tested on Motorola Droid4 and Nokia N900
+
+Fixes: a9081a008f84 ("usb: phy: Add USB charger support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Link: https://lore.kernel.org/r/1669400475-4762-1-git-send-email-ivo.g.dimitrov.75@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/musb_gadget.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
+index 6704a62a1665..ba20272d2221 100644
+--- a/drivers/usb/musb/musb_gadget.c
++++ b/drivers/usb/musb/musb_gadget.c
+@@ -1628,8 +1628,6 @@ static int musb_gadget_vbus_draw(struct usb_gadget *gadget, unsigned mA)
+ {
+ struct musb *musb = gadget_to_musb(gadget);
+
+- if (!musb->xceiv->set_power)
+- return -EOPNOTSUPP;
+ return usb_phy_set_power(musb->xceiv, mA);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 5d0bc4a7791832022d9986d734495fa1c748f8f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 19:12:26 +0800
+Subject: usb: roles: fix of node refcount leak in usb_role_switch_is_parent()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1ab30c610630da5391a373cddb8a065bf4c4bc01 ]
+
+I got the following report while doing device(mt6370-tcpc) load
+test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
+
+ OF: ERROR: memory leak, expected refcount 1 instead of 2,
+ of_node_get()/of_node_put() unbalanced - destroy cset entry:
+ attach overlay node /i2c/pmic@34
+
+The 'parent' returned by fwnode_get_parent() with refcount incremented.
+it needs be put after using.
+
+Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent")
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221122111226.251588-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/roles/class.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c
+index dfaed7eee94f..32e6d19f7011 100644
+--- a/drivers/usb/roles/class.c
++++ b/drivers/usb/roles/class.c
+@@ -106,10 +106,13 @@ usb_role_switch_is_parent(struct fwnode_handle *fwnode)
+ struct fwnode_handle *parent = fwnode_get_parent(fwnode);
+ struct device *dev;
+
+- if (!parent || !fwnode_property_present(parent, "usb-role-switch"))
++ if (!fwnode_property_present(parent, "usb-role-switch")) {
++ fwnode_handle_put(parent);
+ return NULL;
++ }
+
+ dev = class_find_device_by_fwnode(role_class, parent);
++ fwnode_handle_put(parent);
+ return dev ? to_role_switch(dev) : ERR_PTR(-EPROBE_DEFER);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b28c0e87396dc63de447933cf14df398ee772c74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 19:00:58 +0800
+Subject: usb: storage: Add check for kcalloc
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit c35ca10f53c51eeb610d3f8fbc6dd6d511b58a58 ]
+
+As kcalloc may return NULL pointer, the return value should
+be checked and return error if fails as same as the ones in
+alauda_read_map.
+
+Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20221208110058.12983-1-jiasheng@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/alauda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c
+index 747be69e5e69..5e912dd29b4c 100644
+--- a/drivers/usb/storage/alauda.c
++++ b/drivers/usb/storage/alauda.c
+@@ -438,6 +438,8 @@ static int alauda_init_media(struct us_data *us)
+ + MEDIA_INFO(us).blockshift + MEDIA_INFO(us).pageshift);
+ MEDIA_INFO(us).pba_to_lba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO);
+ MEDIA_INFO(us).lba_to_pba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO);
++ if (MEDIA_INFO(us).pba_to_lba == NULL || MEDIA_INFO(us).lba_to_pba == NULL)
++ return USB_STOR_TRANSPORT_ERROR;
+
+ if (alauda_reset_media(us) != USB_STOR_XFER_GOOD)
+ return USB_STOR_TRANSPORT_ERROR;
+--
+2.35.1
+
--- /dev/null
+From 4c3b64f2640f03c8120afbcf06a95b2bea258668 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 17:59:24 +0100
+Subject: usb: typec: Check for ops->exit instead of ops->enter in altmode_exit
+
+From: Sven Peter <sven@svenpeter.dev>
+
+[ Upstream commit b6ddd180e3d9f92c1e482b3cdeec7dda086b1341 ]
+
+typec_altmode_exit checks if ops->enter is not NULL but then calls
+ops->exit a few lines below. Fix that and check for the function
+pointer it's about to call instead.
+
+Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
+Signed-off-by: Sven Peter <sven@svenpeter.dev>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20221114165924.33487-1-sven@svenpeter.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/bus.c b/drivers/usb/typec/bus.c
+index 26ea2fdec17d..31c2a3130cad 100644
+--- a/drivers/usb/typec/bus.c
++++ b/drivers/usb/typec/bus.c
+@@ -134,7 +134,7 @@ int typec_altmode_exit(struct typec_altmode *adev)
+ if (!adev || !adev->active)
+ return 0;
+
+- if (!pdev->ops || !pdev->ops->enter)
++ if (!pdev->ops || !pdev->ops->exit)
+ return -EOPNOTSUPP;
+
+ /* Moving to USB Safe State */
+--
+2.35.1
+
--- /dev/null
+From 4be3276e64032485bd3594dafe6b279b6d2a842c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 14:24:16 +0800
+Subject: usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0384e87e3fec735e47f1c133c796f32ef7a72a9b ]
+
+I got the following report while doing device(mt6370-tcpc) load
+test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
+
+ OF: ERROR: memory leak, expected refcount 1 instead of 2,
+ of_node_get()/of_node_put() unbalanced - destroy cset entry:
+ attach overlay node /i2c/pmic@34/tcpc/connector
+
+The 'fwnode' set in tcpci_parse_config() which is called
+in tcpci_register_port(), its node refcount is increased
+in device_get_named_child_node(). It needs be put while
+exiting, so call fwnode_handle_put() in the error path of
+tcpci_register_port() and in tcpci_unregister_port() to
+avoid leak.
+
+Fixes: 5e85a04c8c0d ("usb: typec: add fwnode to tcpc")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20221121062416.1026192-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tcpm/tcpci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tcpm/tcpci.c b/drivers/usb/typec/tcpm/tcpci.c
+index 812784702d53..592bd4c85482 100644
+--- a/drivers/usb/typec/tcpm/tcpci.c
++++ b/drivers/usb/typec/tcpm/tcpci.c
+@@ -816,8 +816,10 @@ struct tcpci *tcpci_register_port(struct device *dev, struct tcpci_data *data)
+ return ERR_PTR(err);
+
+ tcpci->port = tcpm_register_port(tcpci->dev, &tcpci->tcpc);
+- if (IS_ERR(tcpci->port))
++ if (IS_ERR(tcpci->port)) {
++ fwnode_handle_put(tcpci->tcpc.fwnode);
+ return ERR_CAST(tcpci->port);
++ }
+
+ return tcpci;
+ }
+@@ -826,6 +828,7 @@ EXPORT_SYMBOL_GPL(tcpci_register_port);
+ void tcpci_unregister_port(struct tcpci *tcpci)
+ {
+ tcpm_unregister_port(tcpci->port);
++ fwnode_handle_put(tcpci->tcpc.fwnode);
+ }
+ EXPORT_SYMBOL_GPL(tcpci_unregister_port);
+
+--
+2.35.1
+
--- /dev/null
+From 3e3a359113c7d6eab4552489652007d8de4118d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 18:44:46 +0100
+Subject: usb: typec: tipd: Cleanup resources if devm_tps6598_psy_register
+ fails
+
+From: Sven Peter <sven@svenpeter.dev>
+
+[ Upstream commit 19c220e9ab00f50edefb9667e3101e84a5112df2 ]
+
+We can't just return if devm_tps6598_psy_register fails since previous
+resources are not devres managed and have yet to be cleaned up.
+
+Fixes: 10eb0b6ac63a ("usb: typec: tps6598x: Export some power supply properties")
+Signed-off-by: Sven Peter <sven@svenpeter.dev>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20221114174449.34634-1-sven@svenpeter.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tipd/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
+index 92e35e62e78c..28dd5c3b175b 100644
+--- a/drivers/usb/typec/tipd/core.c
++++ b/drivers/usb/typec/tipd/core.c
+@@ -814,7 +814,7 @@ static int tps6598x_probe(struct i2c_client *client)
+
+ ret = devm_tps6598_psy_register(tps);
+ if (ret)
+- return ret;
++ goto err_role_put;
+
+ tps->port = typec_register_port(&client->dev, &typec_cap);
+ if (IS_ERR(tps->port)) {
+--
+2.35.1
+
--- /dev/null
+From 3848e5fde77b424dc2d8653e86f6dfa4b5ff8ad6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 18:44:47 +0100
+Subject: usb: typec: tipd: Fix spurious fwnode_handle_put in error path
+
+From: Sven Peter <sven@svenpeter.dev>
+
+[ Upstream commit 782c70edc4852a5d39be12377a85501546236212 ]
+
+The err_role_put error path always calls fwnode_handle_put to release
+the fwnode. This path can be reached after probe itself has already
+released that fwnode though. Fix that by moving fwnode_handle_put in the
+happy path to the very end.
+
+Fixes: 18a6c866bb19 ("usb: typec: tps6598x: Add USB role switching logic")
+Signed-off-by: Sven Peter <sven@svenpeter.dev>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20221114174449.34634-2-sven@svenpeter.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tipd/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
+index 28dd5c3b175b..a5fbbae52525 100644
+--- a/drivers/usb/typec/tipd/core.c
++++ b/drivers/usb/typec/tipd/core.c
+@@ -821,7 +821,6 @@ static int tps6598x_probe(struct i2c_client *client)
+ ret = PTR_ERR(tps->port);
+ goto err_role_put;
+ }
+- fwnode_handle_put(fwnode);
+
+ if (status & TPS_STATUS_PLUG_PRESENT) {
+ ret = tps6598x_read16(tps, TPS_REG_POWER_STATUS, &tps->pwr_status);
+@@ -845,6 +844,7 @@ static int tps6598x_probe(struct i2c_client *client)
+ }
+
+ i2c_set_clientdata(client, tps);
++ fwnode_handle_put(fwnode);
+
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From 3981bf7a4e6f3cb2f6fe157269bf580f8cabf748 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 18:44:48 +0100
+Subject: usb: typec: tipd: Fix typec_unregister_port error paths
+
+From: Sven Peter <sven@svenpeter.dev>
+
+[ Upstream commit 4c8f27ba9ede0118cac9d775204f9b0ecdb877b0 ]
+
+typec_unregister_port is only called for some error paths after
+typec_register_port was successful. Ensure it's called in all
+cases.
+
+Fixes: 92440202a880 ("usb: typec: tipd: Only update power status on IRQ")
+Signed-off-by: Sven Peter <sven@svenpeter.dev>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20221114174449.34634-3-sven@svenpeter.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tipd/core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
+index a5fbbae52525..513ac7e141a4 100644
+--- a/drivers/usb/typec/tipd/core.c
++++ b/drivers/usb/typec/tipd/core.c
+@@ -826,7 +826,7 @@ static int tps6598x_probe(struct i2c_client *client)
+ ret = tps6598x_read16(tps, TPS_REG_POWER_STATUS, &tps->pwr_status);
+ if (ret < 0) {
+ dev_err(tps->dev, "failed to read power status: %d\n", ret);
+- goto err_role_put;
++ goto err_unregister_port;
+ }
+ ret = tps6598x_connect(tps, status);
+ if (ret)
+@@ -839,8 +839,7 @@ static int tps6598x_probe(struct i2c_client *client)
+ dev_name(&client->dev), tps);
+ if (ret) {
+ tps6598x_disconnect(tps, 0);
+- typec_unregister_port(tps->port);
+- goto err_role_put;
++ goto err_unregister_port;
+ }
+
+ i2c_set_clientdata(client, tps);
+@@ -848,6 +847,8 @@ static int tps6598x_probe(struct i2c_client *client)
+
+ return 0;
+
++err_unregister_port:
++ typec_unregister_port(tps->port);
+ err_role_put:
+ usb_role_switch_put(tps->role_sw);
+ err_fwnode_put:
+--
+2.35.1
+
--- /dev/null
+From bf4459b5ae001b14fccf9dba133994aef4f6c465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 15:10:27 +0800
+Subject: usb: typec: wusb3801: fix fwnode refcount leak in wusb3801_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit dc18a4c7b3bd447cef2395deeb1f6ac16dfaca0e ]
+
+I got the following report while doing fault injection test:
+
+ OF: ERROR: memory leak, expected refcount 1 instead of 4,
+ of_node_get()/of_node_put() unbalanced - destroy cset entry:
+ attach overlay node /i2c/tcpc@60/connector
+
+If wusb3801_hw_init() fails, fwnode_handle_put() needs be called to
+avoid refcount leak.
+
+Fixes: d016cbe4d7ac ("usb: typec: Support the WUSB3801 port controller")
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221203071027.3808308-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/wusb3801.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/wusb3801.c b/drivers/usb/typec/wusb3801.c
+index e63509f8b01e..8e38f5d2ec89 100644
+--- a/drivers/usb/typec/wusb3801.c
++++ b/drivers/usb/typec/wusb3801.c
+@@ -364,7 +364,7 @@ static int wusb3801_probe(struct i2c_client *client)
+ /* Initialize the hardware with the devicetree settings. */
+ ret = wusb3801_hw_init(wusb3801);
+ if (ret)
+- return ret;
++ goto err_put_connector;
+
+ wusb3801->cap.revision = USB_TYPEC_REV_1_2;
+ wusb3801->cap.accessory[0] = TYPEC_ACCESSORY_AUDIO;
+--
+2.35.1
+
--- /dev/null
+From b897305573dd156919bd98e05307a10958588f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 14:37:00 +0800
+Subject: venus: pm_helpers: Fix error check in vcodec_domains_get()
+
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+
+[ Upstream commit 0f6e8d8c94a82e85e1b9b62a7671990740dc6f70 ]
+
+In the function vcodec_domains_get(), dev_pm_domain_attach_by_name()
+may return NULL in some cases, so IS_ERR() doesn't meet the
+requirements. Thus fix it.
+
+Fixes: 7482a983dea3 ("media: venus: redesign clocks and pm domains control")
+Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/pm_helpers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c
+index c93d2906e4c7..48c9084bb4db 100644
+--- a/drivers/media/platform/qcom/venus/pm_helpers.c
++++ b/drivers/media/platform/qcom/venus/pm_helpers.c
+@@ -869,8 +869,8 @@ static int vcodec_domains_get(struct venus_core *core)
+ for (i = 0; i < res->vcodec_pmdomains_num; i++) {
+ pd = dev_pm_domain_attach_by_name(dev,
+ res->vcodec_pmdomains[i]);
+- if (IS_ERR(pd))
+- return PTR_ERR(pd);
++ if (IS_ERR_OR_NULL(pd))
++ return PTR_ERR(pd) ? : -ENODATA;
+ core->pmdomains[i] = pd;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 41897f08142e36334b86e13f9d776c862668fcbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 12:28:25 -0300
+Subject: vfio: platform: Do not pass return buffer to ACPI _RST method
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit e67e070632a665c932d534b8b800477bb3111449 ]
+
+The ACPI _RST method has no return value, there's no need to pass a return
+buffer to acpi_evaluate_object().
+
+Fixes: d30daa33ec1d ("vfio: platform: call _RST method when using ACPI")
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Link: https://lore.kernel.org/r/20221018152825.891032-1-rafaelmendsr@gmail.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/platform/vfio_platform_common.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c
+index 256f55b84e70..a8d374205a0e 100644
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -72,12 +72,11 @@ static int vfio_platform_acpi_call_reset(struct vfio_platform_device *vdev,
+ const char **extra_dbg)
+ {
+ #ifdef CONFIG_ACPI
+- struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
+ struct device *dev = vdev->device;
+ acpi_handle handle = ACPI_HANDLE(dev);
+ acpi_status acpi_ret;
+
+- acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, &buffer);
++ acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, NULL);
+ if (ACPI_FAILURE(acpi_ret)) {
+ if (extra_dbg)
+ *extra_dbg = acpi_format_exception(acpi_ret);
+--
+2.35.1
+
--- /dev/null
+From 7190b11e50fc210063b48c6be37ae085a6554cee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 19:17:29 -0300
+Subject: video: hyperv_fb: Avoid taking busy spinlock on panic path
+
+From: Guilherme G. Piccoli <gpiccoli@igalia.com>
+
+[ Upstream commit 1d044ca035dc22df0d3b39e56f2881071d9118bd ]
+
+The Hyper-V framebuffer code registers a panic notifier in order
+to try updating its fbdev if the kernel crashed. The notifier
+callback is straightforward, but it calls the vmbus_sendpacket()
+routine eventually, and such function takes a spinlock for the
+ring buffer operations.
+
+Panic path runs in atomic context, with local interrupts and
+preemption disabled, and all secondary CPUs shutdown. That said,
+taking a spinlock might cause a lockup if a secondary CPU was
+disabled with such lock taken. Fix it here by checking if the
+ring buffer spinlock is busy on Hyper-V framebuffer panic notifier;
+if so, bail-out avoiding the potential lockup scenario.
+
+Cc: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
+Cc: Dexuan Cui <decui@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Michael Kelley <mikelley@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Tianyu Lan <Tianyu.Lan@microsoft.com>
+Cc: Wei Liu <wei.liu@kernel.org>
+Tested-by: Fabio A M Martins <fabiomirmar@gmail.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20220819221731.480795-10-gpiccoli@igalia.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/ring_buffer.c | 13 +++++++++++++
+ drivers/video/fbdev/hyperv_fb.c | 8 +++++++-
+ include/linux/hyperv.h | 2 ++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
+index 59a4aa86d1f3..c6692fd5ab15 100644
+--- a/drivers/hv/ring_buffer.c
++++ b/drivers/hv/ring_buffer.c
+@@ -280,6 +280,19 @@ void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info)
+ ring_info->pkt_buffer_size = 0;
+ }
+
++/*
++ * Check if the ring buffer spinlock is available to take or not; used on
++ * atomic contexts, like panic path (see the Hyper-V framebuffer driver).
++ */
++
++bool hv_ringbuffer_spinlock_busy(struct vmbus_channel *channel)
++{
++ struct hv_ring_buffer_info *rinfo = &channel->outbound;
++
++ return spin_is_locked(&rinfo->ring_lock);
++}
++EXPORT_SYMBOL_GPL(hv_ringbuffer_spinlock_busy);
++
+ /* Write to the ring buffer. */
+ int hv_ringbuffer_write(struct vmbus_channel *channel,
+ const struct kvec *kv_list, u32 kv_count,
+diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
+index b58b445bb529..0839ba7d3a34 100644
+--- a/drivers/video/fbdev/hyperv_fb.c
++++ b/drivers/video/fbdev/hyperv_fb.c
+@@ -779,12 +779,18 @@ static void hvfb_ondemand_refresh_throttle(struct hvfb_par *par,
+ static int hvfb_on_panic(struct notifier_block *nb,
+ unsigned long e, void *p)
+ {
++ struct hv_device *hdev;
+ struct hvfb_par *par;
+ struct fb_info *info;
+
+ par = container_of(nb, struct hvfb_par, hvfb_panic_nb);
+- par->synchronous_fb = true;
+ info = par->info;
++ hdev = device_to_hv_device(info->device);
++
++ if (hv_ringbuffer_spinlock_busy(hdev->channel))
++ return NOTIFY_DONE;
++
++ par->synchronous_fb = true;
+ if (par->need_docopy)
+ hvfb_docopy(par, 0, dio_fb_size);
+ synthvid_update(info, 0, 0, INT_MAX, INT_MAX);
+diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
+index 3b42264333ef..646f1da9f27e 100644
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -1341,6 +1341,8 @@ struct hv_ring_buffer_debug_info {
+ int hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
+ struct hv_ring_buffer_debug_info *debug_info);
+
++bool hv_ringbuffer_spinlock_busy(struct vmbus_channel *channel);
++
+ /* Vmbus interface */
+ #define vmbus_driver_register(driver) \
+ __vmbus_driver_register(driver, THIS_MODULE, KBUILD_MODNAME)
+--
+2.35.1
+
--- /dev/null
+From 0c1787e5c2e94539445bc0a7beb8e6ee67f37552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 16:42:45 -0400
+Subject: virt/sev-guest: Add a MODULE_ALIAS
+
+From: Cole Robinson <crobinso@redhat.com>
+
+[ Upstream commit 2874529b3513bdc90299c90f40713602da685e35 ]
+
+Autoload the driver when, for example, SNP init code creates the
+corresponding platform device.
+
+ [ bp: Rewrite commit message. ]
+
+Fixes: fce96cf04430 ("virt: Add SEV-SNP guest driver")
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Link: https://lore.kernel.org/r/ff480c5e688eb0a72a4db0a29c7b1bb54c45bfd4.1667594253.git.crobinso@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virt/coco/sev-guest/sev-guest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
+index 1ea6d2e5b218..99d6062afe72 100644
+--- a/drivers/virt/coco/sev-guest/sev-guest.c
++++ b/drivers/virt/coco/sev-guest/sev-guest.c
+@@ -800,3 +800,4 @@ MODULE_AUTHOR("Brijesh Singh <brijesh.singh@amd.com>");
+ MODULE_LICENSE("GPL");
+ MODULE_VERSION("1.0.0");
+ MODULE_DESCRIPTION("AMD SEV Guest Driver");
++MODULE_ALIAS("platform:sev-guest");
+--
+2.35.1
+
--- /dev/null
+From 0787d6f742943b96a80bc62cd01482830c00b66b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 16:48:05 +0800
+Subject: vme: Fix error not catched in fake_init()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ]
+
+In fake_init(), __root_device_register() is possible to fail but it's
+ignored, which can cause unregistering vme_root fail when exit.
+
+ general protection fault,
+ probably for non-canonical address 0xdffffc000000008c
+ KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467]
+ RIP: 0010:root_device_unregister+0x26/0x60
+ Call Trace:
+ <TASK>
+ __x64_sys_delete_module+0x34f/0x540
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Return error when __root_device_register() fails.
+
+Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vme_user/vme_fake.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/vme_user/vme_fake.c b/drivers/staging/vme_user/vme_fake.c
+index dd646b0c531d..1ee432c223e2 100644
+--- a/drivers/staging/vme_user/vme_fake.c
++++ b/drivers/staging/vme_user/vme_fake.c
+@@ -1073,6 +1073,8 @@ static int __init fake_init(void)
+
+ /* We need a fake parent device */
+ vme_root = __root_device_register("vme", THIS_MODULE);
++ if (IS_ERR(vme_root))
++ return PTR_ERR(vme_root);
+
+ /* If we want to support more than one bridge at some point, we need to
+ * dynamically allocate this so we get one per device.
+--
+2.35.1
+
--- /dev/null
+From 24be16517819d69b9f991a3baef15c85187928d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 09:27:50 +0300
+Subject: watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already
+ running
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit ef9b7bf52c2f47f0a9bf988543c577b92c92d15e ]
+
+Daniel reported that the commit 1ae3e78c0820 ("watchdog: iTCO_wdt: No
+need to stop the timer in probe") makes QEMU implementation of the iTCO
+watchdog not to trigger reboot anymore when NO_REBOOT flag is initially
+cleared using this option (in QEMU command line):
+
+ -global ICH9-LPC.noreboot=false
+
+The problem with the commit is that it left the unconditional setting of
+NO_REBOOT that is not cleared anymore when the kernel keeps pinging the
+watchdog (as opposed to the previous code that called iTCO_wdt_stop()
+that cleared it).
+
+Fix this so that we only set NO_REBOOT if the watchdog was not initially
+running.
+
+Fixes: 1ae3e78c0820 ("watchdog: iTCO_wdt: No need to stop the timer in probe")
+Reported-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Tested-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221028062750.45451-1-mika.westerberg@linux.intel.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/iTCO_wdt.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/watchdog/iTCO_wdt.c b/drivers/watchdog/iTCO_wdt.c
+index 34693f11385f..e937b4dd28be 100644
+--- a/drivers/watchdog/iTCO_wdt.c
++++ b/drivers/watchdog/iTCO_wdt.c
+@@ -423,14 +423,18 @@ static unsigned int iTCO_wdt_get_timeleft(struct watchdog_device *wd_dev)
+ return time_left;
+ }
+
+-static void iTCO_wdt_set_running(struct iTCO_wdt_private *p)
++/* Returns true if the watchdog was running */
++static bool iTCO_wdt_set_running(struct iTCO_wdt_private *p)
+ {
+ u16 val;
+
+- /* Bit 11: TCO Timer Halt -> 0 = The TCO timer is * enabled */
++ /* Bit 11: TCO Timer Halt -> 0 = The TCO timer is enabled */
+ val = inw(TCO1_CNT(p));
+- if (!(val & BIT(11)))
++ if (!(val & BIT(11))) {
+ set_bit(WDOG_HW_RUNNING, &p->wddev.status);
++ return true;
++ }
++ return false;
+ }
+
+ /*
+@@ -518,9 +522,6 @@ static int iTCO_wdt_probe(struct platform_device *pdev)
+ return -ENODEV; /* Cannot reset NO_REBOOT bit */
+ }
+
+- /* Set the NO_REBOOT bit to prevent later reboots, just for sure */
+- p->update_no_reboot_bit(p->no_reboot_priv, true);
+-
+ if (turn_SMI_watchdog_clear_off >= p->iTCO_version) {
+ /*
+ * Bit 13: TCO_EN -> 0
+@@ -572,7 +573,13 @@ static int iTCO_wdt_probe(struct platform_device *pdev)
+ watchdog_set_drvdata(&p->wddev, p);
+ platform_set_drvdata(pdev, p);
+
+- iTCO_wdt_set_running(p);
++ if (!iTCO_wdt_set_running(p)) {
++ /*
++ * If the watchdog was not running set NO_REBOOT now to
++ * prevent later reboots.
++ */
++ p->update_no_reboot_bit(p->no_reboot_priv, true);
++ }
+
+ /* Check that the heartbeat value is within it's range;
+ if not reset to the default */
+--
+2.35.1
+
--- /dev/null
+From a6dfd66ca9fc8dbdad1affe44802cfcd135ed125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Oct 2022 03:32:23 +0900
+Subject: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit b6702a942a069c2a975478d719e98d83cdae1797 ]
+
+syzkaller reported use-after-free with the stack trace like below [1]:
+
+[ 38.960489][ C3] ==================================================================
+[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
+[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
+[ 38.966363][ C3]
+[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
+[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
+[ 38.969959][ C3] Call Trace:
+[ 38.970841][ C3] <IRQ>
+[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174
+[ 38.972620][ C3] print_report.cold+0x2c3/0x752
+[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
+[ 38.974644][ C3] kasan_report+0xb1/0x1d0
+[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
+[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240
+[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0
+[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430
+[ 38.981266][ C3] dummy_timer+0x140c/0x34e0
+[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0
+[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60
+[ 38.986242][ C3] ? lock_release+0x51c/0x790
+[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70
+[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130
+[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0
+[ 38.990777][ C3] ? lock_acquire+0x472/0x550
+[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60
+[ 38.993138][ C3] ? lock_acquire+0x472/0x550
+[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860
+[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230
+[ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860
+[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0
+[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0
+[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0
+[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0
+[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0
+[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860
+[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0
+[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10
+[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40
+[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0
+[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0
+[ 39.016196][ C3] __do_softirq+0x1d2/0x9be
+[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190
+[ 39.019004][ C3] irq_exit_rcu+0x5/0x20
+[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0
+[ 39.021965][ C3] </IRQ>
+[ 39.023237][ C3] <TASK>
+
+In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below
+(there are other functions which finally call ar5523_cmd()):
+
+ar5523_probe()
+-> ar5523_host_available()
+ -> ar5523_cmd_read()
+ -> ar5523_cmd()
+
+If ar5523_cmd() timed out, then ar5523_host_available() failed and
+ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb()
+might touch the freed structure.
+
+This patch fixes this issue by canceling in-flight tx cmd if submitted
+urb timed out.
+
+Link: https://syzkaller.appspot.com/bug?id=9e12b2d54300842b71bdd18b54971385ff0d0d3a [1]
+Reported-by: syzbot+95001b1fd6dfcc716c29@syzkaller.appspotmail.com
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20221009183223.420015-1-syoshida@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
+index 6f937d2cc126..ce3d613fa36c 100644
+--- a/drivers/net/wireless/ath/ar5523/ar5523.c
++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
+@@ -241,6 +241,11 @@ static void ar5523_cmd_tx_cb(struct urb *urb)
+ }
+ }
+
++static void ar5523_cancel_tx_cmd(struct ar5523 *ar)
++{
++ usb_kill_urb(ar->tx_cmd.urb_tx);
++}
++
+ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,
+ int ilen, void *odata, int olen, int flags)
+ {
+@@ -280,6 +285,7 @@ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,
+ }
+
+ if (!wait_for_completion_timeout(&cmd->done, 2 * HZ)) {
++ ar5523_cancel_tx_cmd(ar);
+ cmd->odata = NULL;
+ ar5523_err(ar, "timeout waiting for command %02x reply\n",
+ code);
+--
+2.35.1
+
--- /dev/null
+From 35781b1dc847269fbb1c34adab6c2c597dc2b058 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 09:34:59 +0300
+Subject: wifi: ath10k: Delay the unmapping of the buffer
+
+From: Youghandhar Chintala <quic_youghand@quicinc.com>
+
+[ Upstream commit acd4324e5f1f11351630234297f95076f0ac9a2f ]
+
+On WCN3990, we are seeing a rare scenario where copy engine hardware is
+sending a copy complete interrupt to the host driver while still
+processing the buffer that the driver has sent, this is leading into an
+SMMU fault triggering kernel panic. This is happening on copy engine
+channel 3 (CE3) where the driver normally enqueues WMI commands to the
+firmware. Upon receiving a copy complete interrupt, host driver will
+immediately unmap and frees the buffer presuming that hardware has
+processed the buffer. In the issue case, upon receiving copy complete
+interrupt, host driver will unmap and free the buffer but since hardware
+is still accessing the buffer (which in this case got unmapped in
+parallel), SMMU hardware will trigger an SMMU fault resulting in a
+kernel panic.
+
+In order to avoid this, as a work around, add a delay before unmapping
+the copy engine source DMA buffer. This is conditionally done for
+WCN3990 and only for the CE3 channel where issue is seen.
+
+Below is the crash signature:
+
+wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled
+context fault: fsr=0x402, iova=0x7fdfd8ac0,
+fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled
+context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,
+cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error
+received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:
+cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149
+remoteproc remoteproc0: crash detected in
+4080000.remoteproc: type fatal error <3> remoteproc remoteproc0:
+handling crash #1 in 4080000.remoteproc
+
+pc : __arm_lpae_unmap+0x500/0x514
+lr : __arm_lpae_unmap+0x4bc/0x514
+sp : ffffffc011ffb530
+x29: ffffffc011ffb590 x28: 0000000000000000
+x27: 0000000000000000 x26: 0000000000000004
+x25: 0000000000000003 x24: ffffffc011ffb890
+x23: ffffffa762ef9be0 x22: ffffffa77244ef00
+x21: 0000000000000009 x20: 00000007fff7c000
+x19: 0000000000000003 x18: 0000000000000000
+x17: 0000000000000004 x16: ffffffd7a357d9f0
+x15: 0000000000000000 x14: 00fd5d4fa7ffffff
+x13: 000000000000000e x12: 0000000000000000
+x11: 00000000ffffffff x10: 00000000fffffe00
+x9 : 000000000000017c x8 : 000000000000000c
+x7 : 0000000000000000 x6 : ffffffa762ef9000
+x5 : 0000000000000003 x4 : 0000000000000004
+x3 : 0000000000001000 x2 : 00000007fff7c000
+x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:
+__arm_lpae_unmap+0x500/0x514
+__arm_lpae_unmap+0x4bc/0x514
+__arm_lpae_unmap+0x4bc/0x514
+arm_lpae_unmap_pages+0x78/0xa4
+arm_smmu_unmap_pages+0x78/0x104
+__iommu_unmap+0xc8/0x1e4
+iommu_unmap_fast+0x38/0x48
+__iommu_dma_unmap+0x84/0x104
+iommu_dma_free+0x34/0x50
+dma_free_attrs+0xa4/0xd0
+ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c
+[ath10k_core]
+ath10k_halt+0x11c/0x180 [ath10k_core]
+ath10k_stop+0x54/0x94 [ath10k_core]
+drv_stop+0x48/0x1c8 [mac80211]
+ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c
+[mac80211]
+__dev_open+0xb4/0x174
+__dev_change_flags+0xc4/0x1dc
+dev_change_flags+0x3c/0x7c
+devinet_ioctl+0x2b4/0x580
+inet_ioctl+0xb0/0x1b4
+sock_do_ioctl+0x4c/0x16c
+compat_ifreq_ioctl+0x1cc/0x35c
+compat_sock_ioctl+0x110/0x2ac
+__arm64_compat_sys_ioctl+0xf4/0x3e0
+el0_svc_common+0xb4/0x17c
+el0_svc_compat_handler+0x2c/0x58
+el0_svc_compat+0x8/0x2c
+
+Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
+
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Youghandhar Chintala <quic_youghand@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20221012142733.32420-1-quic_youghand@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/core.c | 16 ++++++++++++++++
+ drivers/net/wireless/ath/ath10k/htc.c | 9 +++++++++
+ drivers/net/wireless/ath/ath10k/hw.h | 2 ++
+ 3 files changed, 27 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
+index d1ac64026cb3..9a8ea7231a9e 100644
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -99,6 +99,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA988X_HW_2_0_VERSION,
+@@ -138,6 +139,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA9887_HW_1_0_VERSION,
+@@ -178,6 +180,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA6174_HW_3_2_VERSION,
+@@ -213,6 +216,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = true,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA6174_HW_2_1_VERSION,
+@@ -252,6 +256,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA6174_HW_2_1_VERSION,
+@@ -291,6 +296,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA6174_HW_3_0_VERSION,
+@@ -330,6 +336,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA6174_HW_3_2_VERSION,
+@@ -373,6 +380,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = true,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA99X0_HW_2_0_DEV_VERSION,
+@@ -418,6 +426,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA9984_HW_1_0_DEV_VERSION,
+@@ -470,6 +479,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA9888_HW_2_0_DEV_VERSION,
+@@ -519,6 +529,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA9377_HW_1_0_DEV_VERSION,
+@@ -558,6 +569,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA9377_HW_1_1_DEV_VERSION,
+@@ -599,6 +611,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA9377_HW_1_1_DEV_VERSION,
+@@ -631,6 +644,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = QCA4019_HW_1_0_DEV_VERSION,
+@@ -677,6 +691,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
+ .use_fw_tx_credits = true,
++ .delay_unmap_buffer = false,
+ },
+ {
+ .id = WCN3990_HW_1_0_DEV_VERSION,
+@@ -709,6 +724,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .dynamic_sar_support = true,
+ .hw_restart_disconnect = true,
+ .use_fw_tx_credits = false,
++ .delay_unmap_buffer = true,
+ },
+ };
+
+diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
+index 6d1784f74bea..5bfeecb95fca 100644
+--- a/drivers/net/wireless/ath/ath10k/htc.c
++++ b/drivers/net/wireless/ath/ath10k/htc.c
+@@ -56,6 +56,15 @@ void ath10k_htc_notify_tx_completion(struct ath10k_htc_ep *ep,
+ ath10k_dbg(ar, ATH10K_DBG_HTC, "%s: ep %d skb %pK\n", __func__,
+ ep->eid, skb);
+
++ /* A corner case where the copy completion is reaching to host but still
++ * copy engine is processing it due to which host unmaps corresponding
++ * memory and causes SMMU fault, hence as workaround adding delay
++ * the unmapping memory to avoid SMMU faults.
++ */
++ if (ar->hw_params.delay_unmap_buffer &&
++ ep->ul_pipe_id == 3)
++ mdelay(2);
++
+ hdr = (struct ath10k_htc_hdr *)skb->data;
+ ath10k_htc_restore_tx_skb(ep->htc, skb);
+
+diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h
+index 1b99f3a39a11..9643031a4427 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.h
++++ b/drivers/net/wireless/ath/ath10k/hw.h
+@@ -637,6 +637,8 @@ struct ath10k_hw_params {
+ bool hw_restart_disconnect;
+
+ bool use_fw_tx_credits;
++
++ bool delay_unmap_buffer;
+ };
+
+ struct htt_resp;
+--
+2.35.1
+
--- /dev/null
+From c208232872401ee84e0b40d001831c455013b025 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 14:19:26 +0800
+Subject: wifi: ath10k: Fix return value in ath10k_pci_init()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 2af7749047d8d6ad43feff69f555a13a6a6c2831 ]
+
+This driver is attempting to register to support two different buses.
+if either of these is successful then ath10k_pci_init() should return 0
+so that hardware attached to the successful bus can be probed and
+supported. only if both of these are unsuccessful should ath10k_pci_init()
+return an errno.
+
+Fixes: 0b523ced9a3c ("ath10k: add basic skeleton to support ahb")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20221110061926.18163-1-xiujianfeng@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index bf1c938be7d0..8015b457a870 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -3793,18 +3793,22 @@ static struct pci_driver ath10k_pci_driver = {
+
+ static int __init ath10k_pci_init(void)
+ {
+- int ret;
++ int ret1, ret2;
+
+- ret = pci_register_driver(&ath10k_pci_driver);
+- if (ret)
++ ret1 = pci_register_driver(&ath10k_pci_driver);
++ if (ret1)
+ printk(KERN_ERR "failed to register ath10k pci driver: %d\n",
+- ret);
++ ret1);
+
+- ret = ath10k_ahb_init();
+- if (ret)
+- printk(KERN_ERR "ahb init failed: %d\n", ret);
++ ret2 = ath10k_ahb_init();
++ if (ret2)
++ printk(KERN_ERR "ahb init failed: %d\n", ret2);
+
+- return ret;
++ if (ret1 && ret2)
++ return ret1;
++
++ /* registered to at least one bus */
++ return 0;
+ }
+ module_init(ath10k_pci_init);
+
+--
+2.35.1
+
--- /dev/null
+From 0f505a756fad2dbb3a4c05defc2e830e8ca46f6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Oct 2022 15:24:30 +0530
+Subject: wifi: ath11k: fix firmware assert during bandwidth change for peer
+ sta
+
+From: Aditya Kumar Singh <quic_adisi@quicinc.com>
+
+[ Upstream commit 3ff51d7416ee1ea2d771051a0ffa1ec8be054768 ]
+
+Currently, ath11k sends peer assoc command for each peer to
+firmware when bandwidth changes. Peer assoc command is a
+bulky command and if many clients are connected, this could
+lead to firmware buffer getting overflowed leading to a firmware
+assert.
+
+However, during bandwidth change, only phymode and bandwidth
+also can be updated by WMI set peer param command. This makes
+the overall command light when compared to peer assoc and for
+multi-client cases, firmware buffer overflow also does not
+occur.
+
+Remove sending peer assoc command during sta bandwidth change
+and instead add sending WMI set peer param command for phymode
+and bandwidth.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+
+Fixes: f187fe8e3bc65 ("ath11k: fix firmware crash during channel switch")
+Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20221005095430.19890-1-quic_adisi@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h | 2 +
+ drivers/net/wireless/ath/ath11k/mac.c | 122 +++++++++++++++++--------
+ 2 files changed, 87 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index b4aac98497cb..8edc1f4e5694 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -498,6 +498,8 @@ struct ath11k_sta {
+
+ bool use_4addr_set;
+ u16 tcl_metadata;
++
++ u32 bw_prev;
+ };
+
+ #define ATH11K_MIN_5G_FREQ 4150
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 7f6521314b2d..475ed20b495d 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -4209,10 +4209,11 @@ static void ath11k_sta_rc_update_wk(struct work_struct *wk)
+ const u8 *ht_mcs_mask;
+ const u16 *vht_mcs_mask;
+ const u16 *he_mcs_mask;
+- u32 changed, bw, nss, smps;
++ u32 changed, bw, nss, smps, bw_prev;
+ int err, num_vht_rates, num_he_rates;
+ const struct cfg80211_bitrate_mask *mask;
+ struct peer_assoc_params peer_arg;
++ enum wmi_phy_mode peer_phymode;
+
+ arsta = container_of(wk, struct ath11k_sta, update_wk);
+ sta = container_of((void *)arsta, struct ieee80211_sta, drv_priv);
+@@ -4233,6 +4234,7 @@ static void ath11k_sta_rc_update_wk(struct work_struct *wk)
+ arsta->changed = 0;
+
+ bw = arsta->bw;
++ bw_prev = arsta->bw_prev;
+ nss = arsta->nss;
+ smps = arsta->smps;
+
+@@ -4246,26 +4248,57 @@ static void ath11k_sta_rc_update_wk(struct work_struct *wk)
+ ath11k_mac_max_he_nss(he_mcs_mask)));
+
+ if (changed & IEEE80211_RC_BW_CHANGED) {
+- /* Send peer assoc command before set peer bandwidth param to
+- * avoid the mismatch between the peer phymode and the peer
+- * bandwidth.
+- */
+- ath11k_peer_assoc_prepare(ar, arvif->vif, sta, &peer_arg, true);
+-
+- peer_arg.is_assoc = false;
+- err = ath11k_wmi_send_peer_assoc_cmd(ar, &peer_arg);
+- if (err) {
+- ath11k_warn(ar->ab, "failed to send peer assoc for STA %pM vdev %i: %d\n",
+- sta->addr, arvif->vdev_id, err);
+- } else if (wait_for_completion_timeout(&ar->peer_assoc_done, 1 * HZ)) {
++ /* Get the peer phymode */
++ ath11k_peer_assoc_h_phymode(ar, arvif->vif, sta, &peer_arg);
++ peer_phymode = peer_arg.peer_phymode;
++
++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC, "mac update sta %pM peer bw %d phymode %d\n",
++ sta->addr, bw, peer_phymode);
++
++ if (bw > bw_prev) {
++ /* BW is upgraded. In this case we send WMI_PEER_PHYMODE
++ * followed by WMI_PEER_CHWIDTH
++ */
++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC, "mac BW upgrade for sta %pM new BW %d, old BW %d\n",
++ sta->addr, bw, bw_prev);
++
++ err = ath11k_wmi_set_peer_param(ar, sta->addr, arvif->vdev_id,
++ WMI_PEER_PHYMODE, peer_phymode);
++
++ if (err) {
++ ath11k_warn(ar->ab, "failed to update STA %pM peer phymode %d: %d\n",
++ sta->addr, peer_phymode, err);
++ goto err_rc_bw_changed;
++ }
++
+ err = ath11k_wmi_set_peer_param(ar, sta->addr, arvif->vdev_id,
+ WMI_PEER_CHWIDTH, bw);
++
+ if (err)
+ ath11k_warn(ar->ab, "failed to update STA %pM peer bw %d: %d\n",
+ sta->addr, bw, err);
+ } else {
+- ath11k_warn(ar->ab, "failed to get peer assoc conf event for %pM vdev %i\n",
+- sta->addr, arvif->vdev_id);
++ /* BW is downgraded. In this case we send WMI_PEER_CHWIDTH
++ * followed by WMI_PEER_PHYMODE
++ */
++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC, "mac BW downgrade for sta %pM new BW %d,old BW %d\n",
++ sta->addr, bw, bw_prev);
++
++ err = ath11k_wmi_set_peer_param(ar, sta->addr, arvif->vdev_id,
++ WMI_PEER_CHWIDTH, bw);
++
++ if (err) {
++ ath11k_warn(ar->ab, "failed to update STA %pM peer bw %d: %d\n",
++ sta->addr, bw, err);
++ goto err_rc_bw_changed;
++ }
++
++ err = ath11k_wmi_set_peer_param(ar, sta->addr, arvif->vdev_id,
++ WMI_PEER_PHYMODE, peer_phymode);
++
++ if (err)
++ ath11k_warn(ar->ab, "failed to update STA %pM peer phymode %d: %d\n",
++ sta->addr, peer_phymode, err);
+ }
+ }
+
+@@ -4346,6 +4379,7 @@ static void ath11k_sta_rc_update_wk(struct work_struct *wk)
+ }
+ }
+
++err_rc_bw_changed:
+ mutex_unlock(&ar->conf_mutex);
+ }
+
+@@ -4499,6 +4533,34 @@ static int ath11k_mac_station_add(struct ath11k *ar,
+ return ret;
+ }
+
++static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar,
++ struct ieee80211_sta *sta)
++{
++ u32 bw = WMI_PEER_CHWIDTH_20MHZ;
++
++ switch (sta->deflink.bandwidth) {
++ case IEEE80211_STA_RX_BW_20:
++ bw = WMI_PEER_CHWIDTH_20MHZ;
++ break;
++ case IEEE80211_STA_RX_BW_40:
++ bw = WMI_PEER_CHWIDTH_40MHZ;
++ break;
++ case IEEE80211_STA_RX_BW_80:
++ bw = WMI_PEER_CHWIDTH_80MHZ;
++ break;
++ case IEEE80211_STA_RX_BW_160:
++ bw = WMI_PEER_CHWIDTH_160MHZ;
++ break;
++ default:
++ ath11k_warn(ar->ab, "Invalid bandwidth %d for %pM\n",
++ sta->deflink.bandwidth, sta->addr);
++ bw = WMI_PEER_CHWIDTH_20MHZ;
++ break;
++ }
++
++ return bw;
++}
++
+ static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif,
+ struct ieee80211_sta *sta,
+@@ -4583,6 +4645,12 @@ static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
+ if (ret)
+ ath11k_warn(ar->ab, "Failed to associate station: %pM\n",
+ sta->addr);
++
++ spin_lock_bh(&ar->data_lock);
++ /* Set arsta bw and prev bw */
++ arsta->bw = ath11k_mac_ieee80211_sta_bw_to_wmi(ar, sta);
++ arsta->bw_prev = arsta->bw;
++ spin_unlock_bh(&ar->data_lock);
+ } else if (old_state == IEEE80211_STA_ASSOC &&
+ new_state == IEEE80211_STA_AUTHORIZED) {
+ spin_lock_bh(&ar->ab->base_lock);
+@@ -4706,28 +4774,8 @@ static void ath11k_mac_op_sta_rc_update(struct ieee80211_hw *hw,
+ spin_lock_bh(&ar->data_lock);
+
+ if (changed & IEEE80211_RC_BW_CHANGED) {
+- bw = WMI_PEER_CHWIDTH_20MHZ;
+-
+- switch (sta->deflink.bandwidth) {
+- case IEEE80211_STA_RX_BW_20:
+- bw = WMI_PEER_CHWIDTH_20MHZ;
+- break;
+- case IEEE80211_STA_RX_BW_40:
+- bw = WMI_PEER_CHWIDTH_40MHZ;
+- break;
+- case IEEE80211_STA_RX_BW_80:
+- bw = WMI_PEER_CHWIDTH_80MHZ;
+- break;
+- case IEEE80211_STA_RX_BW_160:
+- bw = WMI_PEER_CHWIDTH_160MHZ;
+- break;
+- default:
+- ath11k_warn(ar->ab, "Invalid bandwidth %d in rc update for %pM\n",
+- sta->deflink.bandwidth, sta->addr);
+- bw = WMI_PEER_CHWIDTH_20MHZ;
+- break;
+- }
+-
++ bw = ath11k_mac_ieee80211_sta_bw_to_wmi(ar, sta);
++ arsta->bw_prev = arsta->bw;
+ arsta->bw = bw;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From bc388c183e60b6b0165b60556b7ce3cddb575332 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 14:31:26 +0530
+Subject: wifi: ath11k: Fix qmi_msg_handler data structure initialization
+
+From: Rahul Bhattacharjee <quic_rbhattac@quicinc.com>
+
+[ Upstream commit ed3725e15a154ebebf44e0c34806c57525483f92 ]
+
+qmi_msg_handler is required to be null terminated by QMI module.
+There might be a case where a handler for a msg id is not present in the
+handlers array which can lead to infinite loop while searching the handler
+and therefore out of bound access in qmi_invoke_handler().
+Hence update the initialization in qmi_msg_handler data structure.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Rahul Bhattacharjee <quic_rbhattac@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20221021090126.28626-1-quic_rbhattac@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/qmi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c
+index e6ced8597e1d..539134a6e9d9 100644
+--- a/drivers/net/wireless/ath/ath11k/qmi.c
++++ b/drivers/net/wireless/ath/ath11k/qmi.c
+@@ -3083,6 +3083,9 @@ static const struct qmi_msg_handler ath11k_qmi_msg_handlers[] = {
+ sizeof(struct qmi_wlfw_fw_init_done_ind_msg_v01),
+ .fn = ath11k_qmi_msg_fw_init_done_cb,
+ },
++
++ /* end of list */
++ {},
+ };
+
+ static int ath11k_qmi_ops_new_server(struct qmi_handle *qmi_hdl,
+--
+2.35.1
+
--- /dev/null
+From 0188fa6d5b7617c6ae24a3c79d61e3cea4d969b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 18:24:12 +0300
+Subject: wifi: ath11k: move firmware stats out of debugfs
+
+From: Aditya Kumar Singh <quic_adisi@quicinc.com>
+
+[ Upstream commit ec8918f922b8a40a12cb86793245026f08b79812 ]
+
+Currently, firmware stats, comprising pdev, vdev and beacon stats are
+part of debugfs. In firmware pdev stats, firmware reports the final
+Tx power used to transmit each packet. If driver wants to know the
+final Tx power being used at firmware level, it can leverage from
+firmware pdev stats.
+
+Move firmware stats out of debugfs context in order to leverage
+the final Tx power reported in it even when debugfs is disabled.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
+
+Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220603082814.31466-2-quic_adisi@quicinc.com
+Stable-dep-of: 3ff51d7416ee ("wifi: ath11k: fix firmware assert during bandwidth change for peer sta")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 46 +++++++
+ drivers/net/wireless/ath/ath11k/core.h | 12 +-
+ drivers/net/wireless/ath/ath11k/debugfs.c | 139 +++++-----------------
+ drivers/net/wireless/ath/ath11k/debugfs.h | 6 +-
+ drivers/net/wireless/ath/ath11k/wmi.c | 48 +++++++-
+ 5 files changed, 137 insertions(+), 114 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 9df6aaae8a44..1e9e4eae7a1e 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -535,6 +535,52 @@ static inline struct ath11k_pdev *ath11k_core_get_single_pdev(struct ath11k_base
+ return &ab->pdevs[0];
+ }
+
++void ath11k_fw_stats_pdevs_free(struct list_head *head)
++{
++ struct ath11k_fw_stats_pdev *i, *tmp;
++
++ list_for_each_entry_safe(i, tmp, head, list) {
++ list_del(&i->list);
++ kfree(i);
++ }
++}
++
++void ath11k_fw_stats_vdevs_free(struct list_head *head)
++{
++ struct ath11k_fw_stats_vdev *i, *tmp;
++
++ list_for_each_entry_safe(i, tmp, head, list) {
++ list_del(&i->list);
++ kfree(i);
++ }
++}
++
++void ath11k_fw_stats_bcn_free(struct list_head *head)
++{
++ struct ath11k_fw_stats_bcn *i, *tmp;
++
++ list_for_each_entry_safe(i, tmp, head, list) {
++ list_del(&i->list);
++ kfree(i);
++ }
++}
++
++void ath11k_fw_stats_init(struct ath11k *ar)
++{
++ INIT_LIST_HEAD(&ar->fw_stats.pdevs);
++ INIT_LIST_HEAD(&ar->fw_stats.vdevs);
++ INIT_LIST_HEAD(&ar->fw_stats.bcn);
++
++ init_completion(&ar->fw_stats_complete);
++}
++
++void ath11k_fw_stats_free(struct ath11k_fw_stats *stats)
++{
++ ath11k_fw_stats_pdevs_free(&stats->pdevs);
++ ath11k_fw_stats_vdevs_free(&stats->vdevs);
++ ath11k_fw_stats_bcn_free(&stats->bcn);
++}
++
+ int ath11k_core_suspend(struct ath11k_base *ab)
+ {
+ int ret;
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index afad8f55e433..b4aac98497cb 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -545,9 +545,6 @@ struct ath11k_debug {
+ struct dentry *debugfs_pdev;
+ struct ath11k_dbg_htt_stats htt_stats;
+ u32 extd_tx_stats;
+- struct ath11k_fw_stats fw_stats;
+- struct completion fw_stats_complete;
+- bool fw_stats_done;
+ u32 extd_rx_stats;
+ u32 pktlog_filter;
+ u32 pktlog_mode;
+@@ -710,6 +707,9 @@ struct ath11k {
+ u8 twt_enabled;
+ bool nlo_enabled;
+ u8 alpha2[REG_ALPHA2_LEN + 1];
++ struct ath11k_fw_stats fw_stats;
++ struct completion fw_stats_complete;
++ bool fw_stats_done;
+ };
+
+ struct ath11k_band_cap {
+@@ -1112,6 +1112,12 @@ struct ath11k_fw_stats_bcn {
+ u32 tx_bcn_outage_cnt;
+ };
+
++void ath11k_fw_stats_init(struct ath11k *ar);
++void ath11k_fw_stats_pdevs_free(struct list_head *head);
++void ath11k_fw_stats_vdevs_free(struct list_head *head);
++void ath11k_fw_stats_bcn_free(struct list_head *head);
++void ath11k_fw_stats_free(struct ath11k_fw_stats *stats);
++
+ extern const struct ce_pipe_config ath11k_target_ce_config_wlan_ipq8074[];
+ extern const struct service_to_pipe ath11k_target_service_to_ce_map_wlan_ipq8074[];
+ extern const struct service_to_pipe ath11k_target_service_to_ce_map_wlan_ipq6018[];
+diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
+index 9648e0017393..649bf4495e4a 100644
+--- a/drivers/net/wireless/ath/ath11k/debugfs.c
++++ b/drivers/net/wireless/ath/ath11k/debugfs.c
+@@ -91,91 +91,35 @@ void ath11k_debugfs_add_dbring_entry(struct ath11k *ar,
+ spin_unlock_bh(&dbr_data->lock);
+ }
+
+-static void ath11k_fw_stats_pdevs_free(struct list_head *head)
+-{
+- struct ath11k_fw_stats_pdev *i, *tmp;
+-
+- list_for_each_entry_safe(i, tmp, head, list) {
+- list_del(&i->list);
+- kfree(i);
+- }
+-}
+-
+-static void ath11k_fw_stats_vdevs_free(struct list_head *head)
+-{
+- struct ath11k_fw_stats_vdev *i, *tmp;
+-
+- list_for_each_entry_safe(i, tmp, head, list) {
+- list_del(&i->list);
+- kfree(i);
+- }
+-}
+-
+-static void ath11k_fw_stats_bcn_free(struct list_head *head)
+-{
+- struct ath11k_fw_stats_bcn *i, *tmp;
+-
+- list_for_each_entry_safe(i, tmp, head, list) {
+- list_del(&i->list);
+- kfree(i);
+- }
+-}
+-
+ static void ath11k_debugfs_fw_stats_reset(struct ath11k *ar)
+ {
+ spin_lock_bh(&ar->data_lock);
+- ar->debug.fw_stats_done = false;
+- ath11k_fw_stats_pdevs_free(&ar->debug.fw_stats.pdevs);
+- ath11k_fw_stats_vdevs_free(&ar->debug.fw_stats.vdevs);
++ ar->fw_stats_done = false;
++ ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
++ ath11k_fw_stats_vdevs_free(&ar->fw_stats.vdevs);
+ spin_unlock_bh(&ar->data_lock);
+ }
+
+-void ath11k_debugfs_fw_stats_process(struct ath11k_base *ab, struct sk_buff *skb)
++void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *stats)
+ {
+- struct ath11k_fw_stats stats = {};
+- struct ath11k *ar;
++ struct ath11k_base *ab = ar->ab;
+ struct ath11k_pdev *pdev;
+ bool is_end;
+ static unsigned int num_vdev, num_bcn;
+ size_t total_vdevs_started = 0;
+- int i, ret;
+-
+- INIT_LIST_HEAD(&stats.pdevs);
+- INIT_LIST_HEAD(&stats.vdevs);
+- INIT_LIST_HEAD(&stats.bcn);
+-
+- ret = ath11k_wmi_pull_fw_stats(ab, skb, &stats);
+- if (ret) {
+- ath11k_warn(ab, "failed to pull fw stats: %d\n", ret);
+- goto free;
+- }
+-
+- rcu_read_lock();
+- ar = ath11k_mac_get_ar_by_pdev_id(ab, stats.pdev_id);
+- if (!ar) {
+- rcu_read_unlock();
+- ath11k_warn(ab, "failed to get ar for pdev_id %d: %d\n",
+- stats.pdev_id, ret);
+- goto free;
+- }
++ int i;
+
+- spin_lock_bh(&ar->data_lock);
++ /* WMI_REQUEST_PDEV_STAT request has been already processed */
+
+- if (stats.stats_id == WMI_REQUEST_PDEV_STAT) {
+- list_splice_tail_init(&stats.pdevs, &ar->debug.fw_stats.pdevs);
+- ar->debug.fw_stats_done = true;
+- goto complete;
+- }
+-
+- if (stats.stats_id == WMI_REQUEST_RSSI_PER_CHAIN_STAT) {
+- ar->debug.fw_stats_done = true;
+- goto complete;
++ if (stats->stats_id == WMI_REQUEST_RSSI_PER_CHAIN_STAT) {
++ ar->fw_stats_done = true;
++ return;
+ }
+
+- if (stats.stats_id == WMI_REQUEST_VDEV_STAT) {
+- if (list_empty(&stats.vdevs)) {
++ if (stats->stats_id == WMI_REQUEST_VDEV_STAT) {
++ if (list_empty(&stats->vdevs)) {
+ ath11k_warn(ab, "empty vdev stats");
+- goto complete;
++ return;
+ }
+ /* FW sends all the active VDEV stats irrespective of PDEV,
+ * hence limit until the count of all VDEVs started
+@@ -188,43 +132,34 @@ void ath11k_debugfs_fw_stats_process(struct ath11k_base *ab, struct sk_buff *skb
+
+ is_end = ((++num_vdev) == total_vdevs_started);
+
+- list_splice_tail_init(&stats.vdevs,
+- &ar->debug.fw_stats.vdevs);
++ list_splice_tail_init(&stats->vdevs,
++ &ar->fw_stats.vdevs);
+
+ if (is_end) {
+- ar->debug.fw_stats_done = true;
++ ar->fw_stats_done = true;
+ num_vdev = 0;
+ }
+- goto complete;
++ return;
+ }
+
+- if (stats.stats_id == WMI_REQUEST_BCN_STAT) {
+- if (list_empty(&stats.bcn)) {
++ if (stats->stats_id == WMI_REQUEST_BCN_STAT) {
++ if (list_empty(&stats->bcn)) {
+ ath11k_warn(ab, "empty bcn stats");
+- goto complete;
++ return;
+ }
+ /* Mark end until we reached the count of all started VDEVs
+ * within the PDEV
+ */
+ is_end = ((++num_bcn) == ar->num_started_vdevs);
+
+- list_splice_tail_init(&stats.bcn,
+- &ar->debug.fw_stats.bcn);
++ list_splice_tail_init(&stats->bcn,
++ &ar->fw_stats.bcn);
+
+ if (is_end) {
+- ar->debug.fw_stats_done = true;
++ ar->fw_stats_done = true;
+ num_bcn = 0;
+ }
+ }
+-complete:
+- complete(&ar->debug.fw_stats_complete);
+- rcu_read_unlock();
+- spin_unlock_bh(&ar->data_lock);
+-
+-free:
+- ath11k_fw_stats_pdevs_free(&stats.pdevs);
+- ath11k_fw_stats_vdevs_free(&stats.vdevs);
+- ath11k_fw_stats_bcn_free(&stats.bcn);
+ }
+
+ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
+@@ -245,7 +180,7 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
+
+ ath11k_debugfs_fw_stats_reset(ar);
+
+- reinit_completion(&ar->debug.fw_stats_complete);
++ reinit_completion(&ar->fw_stats_complete);
+
+ ret = ath11k_wmi_send_stats_request_cmd(ar, req_param);
+
+@@ -255,9 +190,8 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
+ return ret;
+ }
+
+- time_left =
+- wait_for_completion_timeout(&ar->debug.fw_stats_complete,
+- 1 * HZ);
++ time_left = wait_for_completion_timeout(&ar->fw_stats_complete, 1 * HZ);
++
+ if (!time_left)
+ return -ETIMEDOUT;
+
+@@ -266,7 +200,7 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
+ break;
+
+ spin_lock_bh(&ar->data_lock);
+- if (ar->debug.fw_stats_done) {
++ if (ar->fw_stats_done) {
+ spin_unlock_bh(&ar->data_lock);
+ break;
+ }
+@@ -338,8 +272,7 @@ static int ath11k_open_pdev_stats(struct inode *inode, struct file *file)
+ goto err_free;
+ }
+
+- ath11k_wmi_fw_stats_fill(ar, &ar->debug.fw_stats, req_param.stats_id,
+- buf);
++ ath11k_wmi_fw_stats_fill(ar, &ar->fw_stats, req_param.stats_id, buf);
+
+ file->private_data = buf;
+
+@@ -410,8 +343,7 @@ static int ath11k_open_vdev_stats(struct inode *inode, struct file *file)
+ goto err_free;
+ }
+
+- ath11k_wmi_fw_stats_fill(ar, &ar->debug.fw_stats, req_param.stats_id,
+- buf);
++ ath11k_wmi_fw_stats_fill(ar, &ar->fw_stats, req_param.stats_id, buf);
+
+ file->private_data = buf;
+
+@@ -488,14 +420,13 @@ static int ath11k_open_bcn_stats(struct inode *inode, struct file *file)
+ }
+ }
+
+- ath11k_wmi_fw_stats_fill(ar, &ar->debug.fw_stats, req_param.stats_id,
+- buf);
++ ath11k_wmi_fw_stats_fill(ar, &ar->fw_stats, req_param.stats_id, buf);
+
+ /* since beacon stats request is looped for all active VDEVs, saved fw
+ * stats is not freed for each request until done for all active VDEVs
+ */
+ spin_lock_bh(&ar->data_lock);
+- ath11k_fw_stats_bcn_free(&ar->debug.fw_stats.bcn);
++ ath11k_fw_stats_bcn_free(&ar->fw_stats.bcn);
+ spin_unlock_bh(&ar->data_lock);
+
+ file->private_data = buf;
+@@ -1025,7 +956,7 @@ void ath11k_debugfs_fw_stats_init(struct ath11k *ar)
+ struct dentry *fwstats_dir = debugfs_create_dir("fw_stats",
+ ar->debug.debugfs_pdev);
+
+- ar->debug.fw_stats.debugfs_fwstats = fwstats_dir;
++ ar->fw_stats.debugfs_fwstats = fwstats_dir;
+
+ /* all stats debugfs files created are under "fw_stats" directory
+ * created per PDEV
+@@ -1036,12 +967,6 @@ void ath11k_debugfs_fw_stats_init(struct ath11k *ar)
+ &fops_vdev_stats);
+ debugfs_create_file("beacon_stats", 0600, fwstats_dir, ar,
+ &fops_bcn_stats);
+-
+- INIT_LIST_HEAD(&ar->debug.fw_stats.pdevs);
+- INIT_LIST_HEAD(&ar->debug.fw_stats.vdevs);
+- INIT_LIST_HEAD(&ar->debug.fw_stats.bcn);
+-
+- init_completion(&ar->debug.fw_stats_complete);
+ }
+
+ static ssize_t ath11k_write_pktlog_filter(struct file *file,
+diff --git a/drivers/net/wireless/ath/ath11k/debugfs.h b/drivers/net/wireless/ath/ath11k/debugfs.h
+index 30c00cb28311..0a84645e2e06 100644
+--- a/drivers/net/wireless/ath/ath11k/debugfs.h
++++ b/drivers/net/wireless/ath/ath11k/debugfs.h
+@@ -269,7 +269,7 @@ int ath11k_debugfs_pdev_create(struct ath11k_base *ab);
+ void ath11k_debugfs_pdev_destroy(struct ath11k_base *ab);
+ int ath11k_debugfs_register(struct ath11k *ar);
+ void ath11k_debugfs_unregister(struct ath11k *ar);
+-void ath11k_debugfs_fw_stats_process(struct ath11k_base *ab, struct sk_buff *skb);
++void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *stats);
+
+ void ath11k_debugfs_fw_stats_init(struct ath11k *ar);
+ int ath11k_debugfs_get_fw_stats(struct ath11k *ar, u32 pdev_id,
+@@ -341,8 +341,8 @@ static inline void ath11k_debugfs_unregister(struct ath11k *ar)
+ {
+ }
+
+-static inline void ath11k_debugfs_fw_stats_process(struct ath11k_base *ab,
+- struct sk_buff *skb)
++static inline void ath11k_debugfs_fw_stats_process(struct ath11k *ar,
++ struct ath11k_fw_stats *stats)
+ {
+ }
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index b658ea60dcf7..ec9b7e954dfc 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -7409,7 +7409,53 @@ static void ath11k_peer_assoc_conf_event(struct ath11k_base *ab, struct sk_buff
+
+ static void ath11k_update_stats_event(struct ath11k_base *ab, struct sk_buff *skb)
+ {
+- ath11k_debugfs_fw_stats_process(ab, skb);
++ struct ath11k_fw_stats stats = {};
++ struct ath11k *ar;
++ int ret;
++
++ INIT_LIST_HEAD(&stats.pdevs);
++ INIT_LIST_HEAD(&stats.vdevs);
++ INIT_LIST_HEAD(&stats.bcn);
++
++ ret = ath11k_wmi_pull_fw_stats(ab, skb, &stats);
++ if (ret) {
++ ath11k_warn(ab, "failed to pull fw stats: %d\n", ret);
++ goto free;
++ }
++
++ rcu_read_lock();
++ ar = ath11k_mac_get_ar_by_pdev_id(ab, stats.pdev_id);
++ if (!ar) {
++ rcu_read_unlock();
++ ath11k_warn(ab, "failed to get ar for pdev_id %d: %d\n",
++ stats.pdev_id, ret);
++ goto free;
++ }
++
++ spin_lock_bh(&ar->data_lock);
++
++ /* WMI_REQUEST_PDEV_STAT can be requested via .get_txpower mac ops or via
++ * debugfs fw stats. Therefore, processing it separately.
++ */
++ if (stats.stats_id == WMI_REQUEST_PDEV_STAT) {
++ list_splice_tail_init(&stats.pdevs, &ar->fw_stats.pdevs);
++ ar->fw_stats_done = true;
++ goto complete;
++ }
++
++ /* WMI_REQUEST_VDEV_STAT, WMI_REQUEST_BCN_STAT and WMI_REQUEST_RSSI_PER_CHAIN_STAT
++ * are currently requested only via debugfs fw stats. Hence, processing these
++ * in debugfs context
++ */
++ ath11k_debugfs_fw_stats_process(ar, &stats);
++
++complete:
++ complete(&ar->fw_stats_complete);
++ rcu_read_unlock();
++ spin_unlock_bh(&ar->data_lock);
++
++free:
++ ath11k_fw_stats_free(&stats);
+ }
+
+ /* PDEV_CTL_FAILSAFE_CHECK_EVENT is received from FW when the frequency scanned
+--
+2.35.1
+
--- /dev/null
+From 52ea78ce9462b81cb63696a160f645b0343fff32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 18:13:59 +0300
+Subject: wifi: ath9k: hif_usb: fix memory leak of urbs in
+ ath9k_hif_usb_dealloc_tx_urbs()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit c2a94de38c74e86f49124ac14f093d6a5c377a90 ]
+
+Syzkaller reports a long-known leak of urbs in
+ath9k_hif_usb_dealloc_tx_urbs().
+
+The cause of the leak is that usb_get_urb() is called but usb_free_urb()
+(or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or
+urb->ep fields have not been initialized and usb_kill_urb() returns
+immediately.
+
+The patch removes trying to kill urbs located in hif_dev->tx.tx_buf
+because hif_dev->tx.tx_buf is not supposed to contain urbs which are in
+pending state (the pending urbs are stored in hif_dev->tx.tx_pending).
+The tx.tx_lock is acquired so there should not be any changes in the list.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220725151359.283704-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
+index 4d9002a9d082..b6b5ce9b9b68 100644
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -780,14 +780,10 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ list_for_each_entry_safe(tx_buf, tx_buf_tmp,
+ &hif_dev->tx.tx_buf, list) {
+- usb_get_urb(tx_buf->urb);
+- spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+- usb_kill_urb(tx_buf->urb);
+ list_del(&tx_buf->list);
+ usb_free_urb(tx_buf->urb);
+ kfree(tx_buf->buf);
+ kfree(tx_buf);
+- spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ }
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+--
+2.35.1
+
--- /dev/null
+From f3f274873b53b8aa959c6f102fd4b8156fd8f3be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Oct 2022 14:49:17 +0300
+Subject: wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit dd95f2239fc846795fc926787c3ae0ca701c9840 ]
+
+It is possible that skb is freed in ath9k_htc_rx_msg(), then
+usb_submit_urb() fails and we try to free skb again. It causes
+use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes
+NULL but rx_buf is not freed and there can be a memory leak.
+
+The patch removes unnecessary nskb and makes skb processing more clear: it
+is supposed that ath9k_htc_rx_msg() either frees old skb or passes its
+managing to another callback function.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 3deff76095c4 ("ath9k_htc: Increase URB count for REG_IN pipe")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20221008114917.21404-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 28 +++++++++++++-----------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
+index b6b5ce9b9b68..6c653d46136e 100644
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -708,14 +708,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
+ struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
+ struct hif_device_usb *hif_dev = rx_buf->hif_dev;
+ struct sk_buff *skb = rx_buf->skb;
+- struct sk_buff *nskb;
+ int ret;
+
+ if (!skb)
+ return;
+
+ if (!hif_dev)
+- goto free;
++ goto free_skb;
+
+ switch (urb->status) {
+ case 0:
+@@ -724,7 +723,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
+ case -ECONNRESET:
+ case -ENODEV:
+ case -ESHUTDOWN:
+- goto free;
++ goto free_skb;
+ default:
+ skb_reset_tail_pointer(skb);
+ skb_trim(skb, 0);
+@@ -735,25 +734,27 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
+ if (likely(urb->actual_length != 0)) {
+ skb_put(skb, urb->actual_length);
+
+- /* Process the command first */
++ /*
++ * Process the command first.
++ * skb is either freed here or passed to be
++ * managed to another callback function.
++ */
+ ath9k_htc_rx_msg(hif_dev->htc_handle, skb,
+ skb->len, USB_REG_IN_PIPE);
+
+-
+- nskb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC);
+- if (!nskb) {
++ skb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC);
++ if (!skb) {
+ dev_err(&hif_dev->udev->dev,
+ "ath9k_htc: REG_IN memory allocation failure\n");
+- urb->context = NULL;
+- return;
++ goto free_rx_buf;
+ }
+
+- rx_buf->skb = nskb;
++ rx_buf->skb = skb;
+
+ usb_fill_int_urb(urb, hif_dev->udev,
+ usb_rcvintpipe(hif_dev->udev,
+ USB_REG_IN_PIPE),
+- nskb->data, MAX_REG_IN_BUF_SIZE,
++ skb->data, MAX_REG_IN_BUF_SIZE,
+ ath9k_hif_usb_reg_in_cb, rx_buf, 1);
+ }
+
+@@ -762,12 +763,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
+ ret = usb_submit_urb(urb, GFP_ATOMIC);
+ if (ret) {
+ usb_unanchor_urb(urb);
+- goto free;
++ goto free_skb;
+ }
+
+ return;
+-free:
++free_skb:
+ kfree_skb(skb);
++free_rx_buf:
+ kfree(rx_buf);
+ urb->context = NULL;
+ }
+--
+2.35.1
+
--- /dev/null
+From f11d13d89f936fad993ab6db3c250edfdb06c885 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Oct 2022 00:15:32 +0300
+Subject: wifi: ath9k: verify the expected usb_endpoints are present
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 16ef02bad239f11f322df8425d302be62f0443ce ]
+
+The bug arises when a USB device claims to be an ATH9K but doesn't
+have the expected endpoints. (In this case there was an interrupt
+endpoint where the driver expected a bulk endpoint.) The kernel
+needs to be able to handle such devices without getting an internal error.
+
+usb 1-1: BOGUS urb xfer, pipe 3 != type 1
+WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493
+Modules linked in:
+CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+Workqueue: events request_firmware_work_func
+RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493
+Call Trace:
+ ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline]
+ ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019
+ ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline]
+ ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242
+ request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097
+ process_one_work+0x9af/0x1600 kernel/workqueue.c:2279
+ worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425
+ kthread+0x3b4/0x4a0 kernel/kthread.c:313
+ ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20221008211532.74583-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
+index 6c653d46136e..1a2e0c7eeb02 100644
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -1327,10 +1327,24 @@ static int send_eject_command(struct usb_interface *interface)
+ static int ath9k_hif_usb_probe(struct usb_interface *interface,
+ const struct usb_device_id *id)
+ {
++ struct usb_endpoint_descriptor *bulk_in, *bulk_out, *int_in, *int_out;
+ struct usb_device *udev = interface_to_usbdev(interface);
++ struct usb_host_interface *alt;
+ struct hif_device_usb *hif_dev;
+ int ret = 0;
+
++ /* Verify the expected endpoints are present */
++ alt = interface->cur_altsetting;
++ if (usb_find_common_endpoints(alt, &bulk_in, &bulk_out, &int_in, &int_out) < 0 ||
++ usb_endpoint_num(bulk_in) != USB_WLAN_RX_PIPE ||
++ usb_endpoint_num(bulk_out) != USB_WLAN_TX_PIPE ||
++ usb_endpoint_num(int_in) != USB_REG_IN_PIPE ||
++ usb_endpoint_num(int_out) != USB_REG_OUT_PIPE) {
++ dev_err(&udev->dev,
++ "ath9k_htc: Device endpoint numbers are not the expected ones\n");
++ return -ENODEV;
++ }
++
+ if (id->driver_info == STORAGE_DEVICE)
+ return send_eject_command(interface);
+
+--
+2.35.1
+
--- /dev/null
+From 9ae40e72e5489df42f8ff6a9b419e5981880aadc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 13:35:42 +0800
+Subject: wifi: brcmfmac: Fix error return code in
+ brcmf_sdio_download_firmware()
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit c2f2924bc7f9ea75ef8d95863e710168f8196256 ]
+
+Fix to return a negative error code instead of 0 when
+brcmf_chip_set_active() fails. In addition, change the return
+value for brcmf_pcie_exit_download_state() to keep consistent.
+
+Fixes: d380ebc9b6fb ("brcmfmac: rename chip download functions")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/1669959342-27144-1-git-send-email-wangyufen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 +-
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+index 97f0f13dfe50..7fc8d47f2281 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -626,7 +626,7 @@ static int brcmf_pcie_exit_download_state(struct brcmf_pciedev_info *devinfo,
+ }
+
+ if (!brcmf_chip_set_active(devinfo->ci, resetintr))
+- return -EINVAL;
++ return -EIO;
+ return 0;
+ }
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index 8968809399c7..2e4cd8096f03 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -3412,6 +3412,7 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus,
+ /* Take arm out of reset */
+ if (!brcmf_chip_set_active(bus->ci, rstvec)) {
+ brcmf_err("error getting out of ARM core reset\n");
++ bcmerror = -EIO;
+ goto err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a6e0382ad664b201199c78b34e63b952a42dc36f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 16:13:29 +0900
+Subject: wifi: brcmfmac: Fix potential shift-out-of-bounds in
+ brcmf_fw_alloc_request()
+
+From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
+
+[ Upstream commit 81d17f6f3331f03c8eafdacea68ab773426c1e3c ]
+
+This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
+BIT(chiprev) when a 'chiprev' provided by the device is too large.
+It should also not be equal to or greater than BITS_PER_TYPE(u32)
+as we do bitwise AND with a u32 variable and BIT(chiprev). The patch
+adds a check that makes the function return NULL if that is the case.
+Note that the NULL case is later handled by the bus-specific caller,
+brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.
+
+Found by a modified version of syzkaller.
+
+UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
+CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ dump_stack_lvl+0x57/0x7d
+ ubsan_epilogue+0x5/0x40
+ __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb
+ ? lock_chain_count+0x20/0x20
+ brcmf_fw_alloc_request.cold+0x19/0x3ea
+ ? brcmf_fw_get_firmwares+0x250/0x250
+ ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0
+ brcmf_usb_get_fwname+0x114/0x1a0
+ ? brcmf_usb_reset_resume+0x120/0x120
+ ? number+0x6c4/0x9a0
+ brcmf_c_process_clm_blob+0x168/0x590
+ ? put_dec+0x90/0x90
+ ? enable_ptr_key_workfn+0x20/0x20
+ ? brcmf_common_pd_remove+0x50/0x50
+ ? rcu_read_lock_sched_held+0xa1/0xd0
+ brcmf_c_preinit_dcmds+0x673/0xc40
+ ? brcmf_c_set_joinpref_default+0x100/0x100
+ ? rcu_read_lock_sched_held+0xa1/0xd0
+ ? rcu_read_lock_bh_held+0xb0/0xb0
+ ? lock_acquire+0x19d/0x4e0
+ ? find_held_lock+0x2d/0x110
+ ? brcmf_usb_deq+0x1cc/0x260
+ ? mark_held_locks+0x9f/0xe0
+ ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+ ? _raw_spin_unlock_irqrestore+0x47/0x50
+ ? trace_hardirqs_on+0x1c/0x120
+ ? brcmf_usb_deq+0x1a7/0x260
+ ? brcmf_usb_rx_fill_all+0x5a/0xf0
+ brcmf_attach+0x246/0xd40
+ ? wiphy_new_nm+0x1476/0x1d50
+ ? kmemdup+0x30/0x40
+ brcmf_usb_probe+0x12de/0x1690
+ ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
+ usb_probe_interface+0x25f/0x710
+ really_probe+0x1be/0xa90
+ __driver_probe_device+0x2ab/0x460
+ ? usb_match_id.part.0+0x88/0xc0
+ driver_probe_device+0x49/0x120
+ __device_attach_driver+0x18a/0x250
+ ? driver_allows_async_probing+0x120/0x120
+ bus_for_each_drv+0x123/0x1a0
+ ? bus_rescan_devices+0x20/0x20
+ ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+ ? trace_hardirqs_on+0x1c/0x120
+ __device_attach+0x207/0x330
+ ? device_bind_driver+0xb0/0xb0
+ ? kobject_uevent_env+0x230/0x12c0
+ bus_probe_device+0x1a2/0x260
+ device_add+0xa61/0x1ce0
+ ? __mutex_unlock_slowpath+0xe7/0x660
+ ? __fw_devlink_link_to_suppliers+0x550/0x550
+ usb_set_configuration+0x984/0x1770
+ ? kernfs_create_link+0x175/0x230
+ usb_generic_driver_probe+0x69/0x90
+ usb_probe_device+0x9c/0x220
+ really_probe+0x1be/0xa90
+ __driver_probe_device+0x2ab/0x460
+ driver_probe_device+0x49/0x120
+ __device_attach_driver+0x18a/0x250
+ ? driver_allows_async_probing+0x120/0x120
+ bus_for_each_drv+0x123/0x1a0
+ ? bus_rescan_devices+0x20/0x20
+ ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+ ? trace_hardirqs_on+0x1c/0x120
+ __device_attach+0x207/0x330
+ ? device_bind_driver+0xb0/0xb0
+ ? kobject_uevent_env+0x230/0x12c0
+ bus_probe_device+0x1a2/0x260
+ device_add+0xa61/0x1ce0
+ ? __fw_devlink_link_to_suppliers+0x550/0x550
+ usb_new_device.cold+0x463/0xf66
+ ? hub_disconnect+0x400/0x400
+ ? _raw_spin_unlock_irq+0x24/0x30
+ hub_event+0x10d5/0x3330
+ ? hub_port_debounce+0x280/0x280
+ ? __lock_acquire+0x1671/0x5790
+ ? wq_calc_node_cpumask+0x170/0x2a0
+ ? lock_release+0x640/0x640
+ ? rcu_read_lock_sched_held+0xa1/0xd0
+ ? rcu_read_lock_bh_held+0xb0/0xb0
+ ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+ process_one_work+0x873/0x13e0
+ ? lock_release+0x640/0x640
+ ? pwq_dec_nr_in_flight+0x320/0x320
+ ? rwlock_bug.part.0+0x90/0x90
+ worker_thread+0x8b/0xd10
+ ? __kthread_parkme+0xd9/0x1d0
+ ? process_one_work+0x13e0/0x13e0
+ kthread+0x379/0x450
+ ? _raw_spin_unlock_irq+0x24/0x30
+ ? set_kthread_struct+0x100/0x100
+ ret_from_fork+0x1f/0x30
+
+Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
+Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
+Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221024071329.504277-1-linuxlovemin@yonsei.ac.kr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+index b8379e4034a4..55d538978e9c 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -737,6 +737,11 @@ brcmf_fw_alloc_request(u32 chip, u32 chiprev,
+ u32 i, j;
+ char end = '\0';
+
++ if (chiprev >= BITS_PER_TYPE(u32)) {
++ brcmf_err("Invalid chip revision %u\n", chiprev);
++ return NULL;
++ }
++
+ for (i = 0; i < table_size; i++) {
+ if (mapping_table[i].chipid == chip &&
+ mapping_table[i].revmask & BIT(chiprev))
+--
+2.35.1
+
--- /dev/null
+From 92c2e26ff93e7eaababa4eeaeadf638d122872b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 17:02:37 +0800
+Subject: wifi: cfg80211: Fix not unregister reg_pdev when
+ load_builtin_regdb_keys() fails
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 833a9fd28c9b7ccb39a334721379e992dc1c0c89 ]
+
+In regulatory_init_db(), when it's going to return a error, reg_pdev
+should be unregistered. When load_builtin_regdb_keys() fails it doesn't
+do it and makes cfg80211 can't be reload with report:
+
+sysfs: cannot create duplicate filename '/devices/platform/regulatory.0'
+ ...
+ <TASK>
+ dump_stack_lvl+0x79/0x9b
+ sysfs_warn_dup.cold+0x1c/0x29
+ sysfs_create_dir_ns+0x22d/0x290
+ kobject_add_internal+0x247/0x800
+ kobject_add+0x135/0x1b0
+ device_add+0x389/0x1be0
+ platform_device_add+0x28f/0x790
+ platform_device_register_full+0x376/0x4b0
+ regulatory_init+0x9a/0x4b2 [cfg80211]
+ cfg80211_init+0x84/0x113 [cfg80211]
+ ...
+
+Fixes: 90a53e4432b1 ("cfg80211: implement regdb signature checking")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221109090237.214127-1-chenzhongjin@huawei.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index c3d950d29432..4f3f31244e8b 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -4311,8 +4311,10 @@ static int __init regulatory_init_db(void)
+ return -EINVAL;
+
+ err = load_builtin_regdb_keys();
+- if (err)
++ if (err) {
++ platform_device_unregister(reg_pdev);
+ return err;
++ }
+
+ /* We always try to get an update for the static regdomain */
+ err = regulatory_hint_core(cfg80211_world_regdom->alpha2);
+--
+2.35.1
+
--- /dev/null
+From c10d8920d5f4e990003262202eec13e72d37178c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 03:14:53 +0200
+Subject: wifi: fix multi-link element subelement iteration
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 1177aaa7fe9373c762cd5bf5f5de8517bac989d5 ]
+
+The subelements obviously start after the common data, including
+the common multi-link element structure definition itself. This
+bug was possibly just hidden by the higher bits of the control
+being set to 0, so the iteration just found one bogus element
+and most of the code could continue anyway.
+
+Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ieee80211.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
+index b6e6d5b40774..181e758c70c1 100644
+--- a/include/linux/ieee80211.h
++++ b/include/linux/ieee80211.h
+@@ -4588,7 +4588,7 @@ static inline u8 ieee80211_mle_common_size(const u8 *data)
+ return 0;
+ }
+
+- return common + mle->variable[0];
++ return sizeof(*mle) + common + mle->variable[0];
+ }
+
+ /**
+--
+2.35.1
+
--- /dev/null
+From 9dff66aa1ff371c9cb0763edfbc5f405807c9f44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 19:17:44 +0200
+Subject: wifi: iwlwifi: mei: avoid blocking sap messages handling due to rtnl
+ lock
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit d288067ede4b375e72daf7f9a98d937ede11a311 ]
+
+The AMT_STATE sap message handler tries to take the rtnl lock.
+This means that in case the rtnl lock is already taken, sap messages
+will not be processed.
+When an interface is brought up, the host requests ownership from
+csme. However, since the rtnl lock is already held, if there is a
+pending amt state message, the host will not be able to read the
+ownership confirm message because the amt state message handler
+is pending. As a result, the host fails to get ownership although
+csme granted it.
+Fix it by moving the part that needs the rtnl lock into a dedicated
+worker, so handling sap messages can continue.
+
+Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME")
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20221030191011.8599f2b4e9dd.I518f79e9099bf815c5f8d90235b4ce3250f59970@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mei/main.c | 57 ++++++++++++-------
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mei/main.c b/drivers/net/wireless/intel/iwlwifi/mei/main.c
+index 64a637ef199c..c0142093c768 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mei/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/mei/main.c
+@@ -152,6 +152,8 @@ struct iwl_mei_filters {
+ * @csa_throttle_end_wk: used when &csa_throttled is true
+ * @data_q_lock: protects the access to the data queues which are
+ * accessed without the mutex.
++ * @netdev_work: used to defer registering and unregistering of the netdev to
++ * avoid taking the rtnl lock in the SAP messages handlers.
+ * @sap_seq_no: the sequence number for the SAP messages
+ * @seq_no: the sequence number for the SAP messages
+ * @dbgfs_dir: the debugfs dir entry
+@@ -172,6 +174,7 @@ struct iwl_mei {
+ bool device_down;
+ struct delayed_work csa_throttle_end_wk;
+ spinlock_t data_q_lock;
++ struct work_struct netdev_work;
+
+ atomic_t sap_seq_no;
+ atomic_t seq_no;
+@@ -591,6 +594,33 @@ static rx_handler_result_t iwl_mei_rx_handler(struct sk_buff **pskb)
+ return res;
+ }
+
++static void iwl_mei_netdev_work(struct work_struct *wk)
++{
++ struct iwl_mei *mei =
++ container_of(wk, struct iwl_mei, netdev_work);
++ struct net_device *netdev;
++
++ /*
++ * First take rtnl and only then the mutex to avoid an ABBA
++ * with iwl_mei_set_netdev()
++ */
++ rtnl_lock();
++ mutex_lock(&iwl_mei_mutex);
++
++ netdev = rcu_dereference_protected(iwl_mei_cache.netdev,
++ lockdep_is_held(&iwl_mei_mutex));
++ if (netdev) {
++ if (mei->amt_enabled)
++ netdev_rx_handler_register(netdev, iwl_mei_rx_handler,
++ mei);
++ else
++ netdev_rx_handler_unregister(netdev);
++ }
++
++ mutex_unlock(&iwl_mei_mutex);
++ rtnl_unlock();
++}
++
+ static void
+ iwl_mei_handle_rx_start_ok(struct mei_cl_device *cldev,
+ const struct iwl_sap_me_msg_start_ok *rsp,
+@@ -743,38 +773,23 @@ static void iwl_mei_handle_amt_state(struct mei_cl_device *cldev,
+ const struct iwl_sap_msg_dw *dw)
+ {
+ struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
+- struct net_device *netdev;
+
+- /*
+- * First take rtnl and only then the mutex to avoid an ABBA
+- * with iwl_mei_set_netdev()
+- */
+- rtnl_lock();
+ mutex_lock(&iwl_mei_mutex);
+
+- netdev = rcu_dereference_protected(iwl_mei_cache.netdev,
+- lockdep_is_held(&iwl_mei_mutex));
+-
+ if (mei->amt_enabled == !!le32_to_cpu(dw->val))
+ goto out;
+
+ mei->amt_enabled = dw->val;
+
+- if (mei->amt_enabled) {
+- if (netdev)
+- netdev_rx_handler_register(netdev, iwl_mei_rx_handler, mei);
+-
++ if (mei->amt_enabled)
+ iwl_mei_set_init_conf(mei);
+- } else {
+- if (iwl_mei_cache.ops)
+- iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false);
+- if (netdev)
+- netdev_rx_handler_unregister(netdev);
+- }
++ else if (iwl_mei_cache.ops)
++ iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
++
++ schedule_work(&mei->netdev_work);
+
+ out:
+ mutex_unlock(&iwl_mei_mutex);
+- rtnl_unlock();
+ }
+
+ static void iwl_mei_handle_nic_owner(struct mei_cl_device *cldev,
+@@ -1827,6 +1842,7 @@ static int iwl_mei_probe(struct mei_cl_device *cldev,
+ iwl_mei_csa_throttle_end_wk);
+ init_waitqueue_head(&mei->get_ownership_wq);
+ spin_lock_init(&mei->data_q_lock);
++ INIT_WORK(&mei->netdev_work, iwl_mei_netdev_work);
+
+ mei_cldev_set_drvdata(cldev, mei);
+ mei->cldev = cldev;
+@@ -1989,6 +2005,7 @@ static void iwl_mei_remove(struct mei_cl_device *cldev)
+ */
+ cancel_work_sync(&mei->send_csa_msg_wk);
+ cancel_delayed_work_sync(&mei->csa_throttle_end_wk);
++ cancel_work_sync(&mei->netdev_work);
+
+ /*
+ * If someone waits for the ownership, let him know that we are going
+--
+2.35.1
+
--- /dev/null
+From 6bba252b1d8f7a31befcf798d2091a12da01ae87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 19:17:42 +0200
+Subject: wifi: iwlwifi: mei: don't send SAP commands if AMT is disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 95170a46b7dddbc3ac31b20ef2e8fa9d556d783d ]
+
+We should not send any SAP command to CSME if AMT is disabled.
+
+Reported-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20221030191011.ea222d41c781.Ifc90ddc3e35187683ff7f59371d792b61c8854c8@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mei/main.c | 85 ++++++++++---------
+ 1 file changed, 44 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mei/main.c b/drivers/net/wireless/intel/iwlwifi/mei/main.c
+index 90646c54a3c5..64a637ef199c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mei/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/mei/main.c
+@@ -596,8 +596,6 @@ iwl_mei_handle_rx_start_ok(struct mei_cl_device *cldev,
+ const struct iwl_sap_me_msg_start_ok *rsp,
+ ssize_t len)
+ {
+- struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
+-
+ if (len != sizeof(*rsp)) {
+ dev_err(&cldev->dev,
+ "got invalid SAP_ME_MSG_START_OK from CSME firmware\n");
+@@ -616,13 +614,10 @@ iwl_mei_handle_rx_start_ok(struct mei_cl_device *cldev,
+
+ mutex_lock(&iwl_mei_mutex);
+ set_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
+- /* wifi driver has registered already */
+- if (iwl_mei_cache.ops) {
+- iwl_mei_send_sap_msg(mei->cldev,
+- SAP_MSG_NOTIF_WIFIDR_UP);
+- iwl_mei_cache.ops->sap_connected(iwl_mei_cache.priv);
+- }
+-
++ /*
++ * We'll receive AMT_STATE SAP message in a bit and
++ * that will continue the flow
++ */
+ mutex_unlock(&iwl_mei_mutex);
+ }
+
+@@ -715,6 +710,13 @@ static void iwl_mei_set_init_conf(struct iwl_mei *mei)
+ .val = cpu_to_le32(iwl_mei_cache.rf_kill),
+ };
+
++ /* wifi driver has registered already */
++ if (iwl_mei_cache.ops) {
++ iwl_mei_send_sap_msg(mei->cldev,
++ SAP_MSG_NOTIF_WIFIDR_UP);
++ iwl_mei_cache.ops->sap_connected(iwl_mei_cache.priv);
++ }
++
+ iwl_mei_send_sap_msg(mei->cldev, SAP_MSG_NOTIF_WHO_OWNS_NIC);
+
+ if (iwl_mei_cache.conn_info) {
+@@ -1420,10 +1422,7 @@ void iwl_mei_host_associated(const struct iwl_mei_conn_info *conn_info,
+
+ mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
+
+- if (!mei)
+- goto out;
+-
+- if (!mei->amt_enabled)
++ if (!mei && !mei->amt_enabled)
+ goto out;
+
+ iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
+@@ -1452,7 +1451,7 @@ void iwl_mei_host_disassociated(void)
+
+ mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
+
+- if (!mei)
++ if (!mei && !mei->amt_enabled)
+ goto out;
+
+ iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
+@@ -1488,7 +1487,7 @@ void iwl_mei_set_rfkill_state(bool hw_rfkill, bool sw_rfkill)
+
+ mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
+
+- if (!mei)
++ if (!mei && !mei->amt_enabled)
+ goto out;
+
+ iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
+@@ -1517,7 +1516,7 @@ void iwl_mei_set_nic_info(const u8 *mac_address, const u8 *nvm_address)
+
+ mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
+
+- if (!mei)
++ if (!mei && !mei->amt_enabled)
+ goto out;
+
+ iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
+@@ -1545,7 +1544,7 @@ void iwl_mei_set_country_code(u16 mcc)
+
+ mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
+
+- if (!mei)
++ if (!mei && !mei->amt_enabled)
+ goto out;
+
+ iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
+@@ -1571,7 +1570,7 @@ void iwl_mei_set_power_limit(const __le16 *power_limit)
+
+ mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
+
+- if (!mei)
++ if (!mei && !mei->amt_enabled)
+ goto out;
+
+ memcpy(msg.sar_chain_info_table, power_limit, sizeof(msg.sar_chain_info_table));
+@@ -1678,9 +1677,10 @@ int iwl_mei_register(void *priv, const struct iwl_mei_ops *ops)
+
+ /* we have already a SAP connection */
+ if (iwl_mei_is_connected()) {
+- iwl_mei_send_sap_msg(mei->cldev,
+- SAP_MSG_NOTIF_WIFIDR_UP);
+- ops->rfkill(priv, mei->link_prot_state);
++ if (mei->amt_enabled)
++ iwl_mei_send_sap_msg(mei->cldev,
++ SAP_MSG_NOTIF_WIFIDR_UP);
++ ops->rfkill(priv, mei->link_prot_state, false);
+ }
+ }
+ ret = 0;
+@@ -1931,29 +1931,32 @@ static void iwl_mei_remove(struct mei_cl_device *cldev)
+
+ mutex_lock(&iwl_mei_mutex);
+
+- /*
+- * Tell CSME that we are going down so that it won't access the
+- * memory anymore, make sure this message goes through immediately.
+- */
+- mei->csa_throttled = false;
+- iwl_mei_send_sap_msg(mei->cldev,
+- SAP_MSG_NOTIF_HOST_GOES_DOWN);
++ if (mei->amt_enabled) {
++ /*
++ * Tell CSME that we are going down so that it won't access the
++ * memory anymore, make sure this message goes through immediately.
++ */
++ mei->csa_throttled = false;
++ iwl_mei_send_sap_msg(mei->cldev,
++ SAP_MSG_NOTIF_HOST_GOES_DOWN);
+
+- for (i = 0; i < SEND_SAP_MAX_WAIT_ITERATION; i++) {
+- if (!iwl_mei_host_to_me_data_pending(mei))
+- break;
++ for (i = 0; i < SEND_SAP_MAX_WAIT_ITERATION; i++) {
++ if (!iwl_mei_host_to_me_data_pending(mei))
++ break;
+
+- msleep(5);
+- }
++ msleep(20);
++ }
+
+- /*
+- * If we couldn't make sure that CSME saw the HOST_GOES_DOWN message,
+- * it means that it will probably keep reading memory that we are going
+- * to unmap and free, expect IOMMU error messages.
+- */
+- if (i == SEND_SAP_MAX_WAIT_ITERATION)
+- dev_err(&mei->cldev->dev,
+- "Couldn't get ACK from CSME on HOST_GOES_DOWN message\n");
++ /*
++ * If we couldn't make sure that CSME saw the HOST_GOES_DOWN
++ * message, it means that it will probably keep reading memory
++ * that we are going to unmap and free, expect IOMMU error
++ * messages.
++ */
++ if (i == SEND_SAP_MAX_WAIT_ITERATION)
++ dev_err(&mei->cldev->dev,
++ "Couldn't get ACK from CSME on HOST_GOES_DOWN message\n");
++ }
+
+ mutex_unlock(&iwl_mei_mutex);
+
+--
+2.35.1
+
--- /dev/null
+From a59931f4b33b18381f3486590e19b91d02cdee3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 19:17:45 +0200
+Subject: wifi: iwlwifi: mei: fix potential NULL-ptr deref after clone
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d3df49dda431f7ae4132a9a0ac25a5134c04e812 ]
+
+If cloning the SKB fails, don't try to use it, but rather return
+as if we should pass it.
+
+Coverity CID: 1503456
+
+Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20221030191011.0ce03ba99601.I87960b7cb0a3d16b9fd8d9144027e7e2587f5a58@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mei/net.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mei/net.c b/drivers/net/wireless/intel/iwlwifi/mei/net.c
+index 3472167c8370..eac46d1a397a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mei/net.c
++++ b/drivers/net/wireless/intel/iwlwifi/mei/net.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+- * Copyright (C) 2021 Intel Corporation
++ * Copyright (C) 2021-2022 Intel Corporation
+ */
+
+ #include <uapi/linux/if_ether.h>
+@@ -337,10 +337,14 @@ rx_handler_result_t iwl_mei_rx_filter(struct sk_buff *orig_skb,
+ if (!*pass_to_csme)
+ return RX_HANDLER_PASS;
+
+- if (ret == RX_HANDLER_PASS)
++ if (ret == RX_HANDLER_PASS) {
+ skb = skb_copy(orig_skb, GFP_ATOMIC);
+- else
++
++ if (!skb)
++ return RX_HANDLER_PASS;
++ } else {
+ skb = orig_skb;
++ }
+
+ /* CSME wants the MAC header as well, push it back */
+ skb_push(skb, skb->data - skb_mac_header(skb));
+--
+2.35.1
+
--- /dev/null
+From d022e8bc1135753375484ce7459d7a9234f51aa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 19:17:43 +0200
+Subject: wifi: iwlwifi: mei: fix tx DHCP packet for devices with new Tx API
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit bcd68b3dbe78b7b0f7b6b55162cf1eff1e7fff9e ]
+
+Devices with new Tx API have the IV introduced by the HW and it is not
+present in the skb at all. Hence we don't need to tell
+iwl_mvm_mei_tx_copy_to_csme to jump over 8 bytes to get to the ethernet
+header.
+
+Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20221030191011.12dc42133502.Idd744ffeeb84b880eb497963ee02563cbb959a42@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index f9e08b339e0c..6fa8d9e6b186 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -1171,9 +1171,15 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
+ /* From now on, we cannot access info->control */
+ iwl_mvm_skb_prepare_status(skb, dev_cmd);
+
++ /*
++ * The IV is introduced by the HW for new tx api, and it is not present
++ * in the skb, hence, don't tell iwl_mvm_mei_tx_copy_to_csme about the
++ * IV for those devices.
++ */
+ if (ieee80211_is_data(fc))
+ iwl_mvm_mei_tx_copy_to_csme(mvm, skb,
+- info->control.hw_key ?
++ info->control.hw_key &&
++ !iwl_mvm_has_new_tx_api(mvm) ?
+ info->control.hw_key->iv_len : 0);
+
+ if (iwl_trans_tx(mvm->trans, skb, dev_cmd, txq_id))
+--
+2.35.1
+
--- /dev/null
+From d31d97d6256a4640262be843c918926e7d426211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 19:17:41 +0200
+Subject: wifi: iwlwifi: mei: make sure ownership confirmed message is sent
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 5aa7ce31bd84c2f4f059200f06c537c920cbb458 ]
+
+It is possible that CSME will try to take ownership while the driver
+is stopping. In this case, if the CSME takes ownership message arrives
+after the driver started unregistering, the iwl_mei_cache->ops is
+already invalid, so the host will not answer with the ownership
+confirmed message.
+Similarly, if the take ownership message arrived after the mac was
+stopped or when iwl_mvm_up() failed, setting rfkill will not trigger
+sending the confirm message. As a result, CSME will not take
+ownership, which will result in a disconnection.
+
+Fix it by sending the ownership confirmed message immediately in such
+cases.
+
+Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME")
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20221030191011.b2a4c009e3e6.I7f931b7ee8b168e8ac88b11f23bff98b7ed3cb19@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mei/iwl-mei.h | 7 +++--
+ drivers/net/wireless/intel/iwlwifi/mei/main.c | 30 ++++++++++++-------
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 ++
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 4 +--
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 2 +-
+ 5 files changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mei/iwl-mei.h b/drivers/net/wireless/intel/iwlwifi/mei/iwl-mei.h
+index 67122cfa2292..5409699c9a1f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mei/iwl-mei.h
++++ b/drivers/net/wireless/intel/iwlwifi/mei/iwl-mei.h
+@@ -446,9 +446,10 @@ void iwl_mei_host_associated(const struct iwl_mei_conn_info *conn_info,
+ void iwl_mei_host_disassociated(void);
+
+ /**
+- * iwl_mei_device_down() - must be called when the device is down
++ * iwl_mei_device_state() - must be called when the device changes up/down state
++ * @up: true if the device is up, false otherwise.
+ */
+-void iwl_mei_device_down(void);
++void iwl_mei_device_state(bool up);
+
+ #else
+
+@@ -497,7 +498,7 @@ static inline void iwl_mei_host_associated(const struct iwl_mei_conn_info *conn_
+ static inline void iwl_mei_host_disassociated(void)
+ {}
+
+-static inline void iwl_mei_device_down(void)
++static inline void iwl_mei_device_state(bool up)
+ {}
+
+ #endif /* CONFIG_IWLMEI */
+diff --git a/drivers/net/wireless/intel/iwlwifi/mei/main.c b/drivers/net/wireless/intel/iwlwifi/mei/main.c
+index 357f14626cf4..90646c54a3c5 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mei/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/mei/main.c
+@@ -147,6 +147,8 @@ struct iwl_mei_filters {
+ * to send CSME_OWNERSHIP_CONFIRMED when the driver completes its down
+ * flow.
+ * @link_prot_state: true when we are in link protection PASSIVE
++ * @device_down: true if the device is down. Used to remember to send
++ * CSME_OWNERSHIP_CONFIRMED when the driver is already down.
+ * @csa_throttle_end_wk: used when &csa_throttled is true
+ * @data_q_lock: protects the access to the data queues which are
+ * accessed without the mutex.
+@@ -167,6 +169,7 @@ struct iwl_mei {
+ bool csa_throttled;
+ bool csme_taking_ownership;
+ bool link_prot_state;
++ bool device_down;
+ struct delayed_work csa_throttle_end_wk;
+ spinlock_t data_q_lock;
+
+@@ -798,14 +801,18 @@ static void iwl_mei_handle_csme_taking_ownership(struct mei_cl_device *cldev,
+
+ mei->got_ownership = false;
+
+- /*
+- * Remember to send CSME_OWNERSHIP_CONFIRMED when the wifi driver
+- * is finished taking the device down.
+- */
+- mei->csme_taking_ownership = true;
++ if (iwl_mei_cache.ops && !mei->device_down) {
++ /*
++ * Remember to send CSME_OWNERSHIP_CONFIRMED when the wifi
++ * driver is finished taking the device down.
++ */
++ mei->csme_taking_ownership = true;
+
+- if (iwl_mei_cache.ops)
+- iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, true);
++ iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, true, true);
++ } else {
++ iwl_mei_send_sap_msg(cldev,
++ SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED);
++ }
+ }
+
+ static void iwl_mei_handle_nvm(struct mei_cl_device *cldev,
+@@ -1616,7 +1623,7 @@ void iwl_mei_set_netdev(struct net_device *netdev)
+ }
+ EXPORT_SYMBOL_GPL(iwl_mei_set_netdev);
+
+-void iwl_mei_device_down(void)
++void iwl_mei_device_state(bool up)
+ {
+ struct iwl_mei *mei;
+
+@@ -1630,7 +1637,9 @@ void iwl_mei_device_down(void)
+ if (!mei)
+ goto out;
+
+- if (!mei->csme_taking_ownership)
++ mei->device_down = !up;
++
++ if (up || !mei->csme_taking_ownership)
+ goto out;
+
+ iwl_mei_send_sap_msg(mei->cldev,
+@@ -1639,7 +1648,7 @@ void iwl_mei_device_down(void)
+ out:
+ mutex_unlock(&iwl_mei_mutex);
+ }
+-EXPORT_SYMBOL_GPL(iwl_mei_device_down);
++EXPORT_SYMBOL_GPL(iwl_mei_device_state);
+
+ int iwl_mei_register(void *priv, const struct iwl_mei_ops *ops)
+ {
+@@ -1821,6 +1830,7 @@ static int iwl_mei_probe(struct mei_cl_device *cldev,
+
+ mei_cldev_set_drvdata(cldev, mei);
+ mei->cldev = cldev;
++ mei->device_down = true;
+
+ do {
+ ret = iwl_mei_alloc_shared_mem(cldev);
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index f041e77af059..5de34edc51fe 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1665,6 +1665,8 @@ int iwl_mvm_up(struct iwl_mvm *mvm)
+ iwl_rfi_send_config_cmd(mvm, NULL);
+ }
+
++ iwl_mvm_mei_device_state(mvm, true);
++
+ IWL_DEBUG_INFO(mvm, "RT uCode started.\n");
+ return 0;
+ error:
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+index bf35e130c876..cc71049bd9b3 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -2201,10 +2201,10 @@ static inline void iwl_mvm_mei_host_disassociated(struct iwl_mvm *mvm)
+ iwl_mei_host_disassociated();
+ }
+
+-static inline void iwl_mvm_mei_device_down(struct iwl_mvm *mvm)
++static inline void iwl_mvm_mei_device_state(struct iwl_mvm *mvm, bool up)
+ {
+ if (mvm->mei_registered)
+- iwl_mei_device_down();
++ iwl_mei_device_state(up);
+ }
+
+ static inline void iwl_mvm_mei_set_sw_rfkill_state(struct iwl_mvm *mvm)
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index db43c8a83a31..3fec87fb6b7b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1370,7 +1370,7 @@ void iwl_mvm_stop_device(struct iwl_mvm *mvm)
+ iwl_trans_stop_device(mvm->trans);
+ iwl_free_fw_paging(&mvm->fwrt);
+ iwl_fw_dump_conf_clear(&mvm->fwrt);
+- iwl_mvm_mei_device_down(mvm);
++ iwl_mvm_mei_device_state(mvm, false);
+ }
+
+ static void iwl_op_mode_mvm_stop(struct iwl_op_mode *op_mode)
+--
+2.35.1
+
--- /dev/null
+From bad6a7d7d9a1e91595b03d20f6fe755c23bfee33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 23:02:06 +0200
+Subject: wifi: iwlwifi: mvm: fix double free on tx path.
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit 0473cbae2137b963bd0eaa74336131cb1d3bc6c3 ]
+
+We see kernel crashes and lockups and KASAN errors related to ax210
+firmware crashes. One of the KASAN dumps pointed at the tx path,
+and it appears there is indeed a way to double-free an skb.
+
+If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the
+method will be freed. But, in case where we build TSO skb buffer,
+the skb may also be freed in error case. So, return 0 in that particular
+error case and do cleanup manually.
+
+BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90
+iwlwifi 0000:06:00.0: 0x00000000 | tsf hi
+Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650
+
+CPU: 4 PID: 9650 Comm: btserver Tainted: G W 5.19.8+ #5
+iwlwifi 0000:06:00.0: 0x00000000 | time gp1
+Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x55/0x6d
+ print_report.cold.12+0xf2/0x684
+iwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2
+ ? __list_del_entry_valid+0x12/0x90
+ kasan_report+0x8b/0x180
+iwlwifi 0000:06:00.0: 0x00000001 | uCode revision type
+ ? __list_del_entry_valid+0x12/0x90
+ __list_del_entry_valid+0x12/0x90
+iwlwifi 0000:06:00.0: 0x00000048 | uCode version major
+ tcp_update_skb_after_send+0x5d/0x170
+ __tcp_transmit_skb+0xb61/0x15c0
+iwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor
+ ? __tcp_select_window+0x490/0x490
+iwlwifi 0000:06:00.0: 0x00000420 | hw version
+ ? trace_kmalloc_node+0x29/0xd0
+ ? __kmalloc_node_track_caller+0x12a/0x260
+ ? memset+0x1f/0x40
+ ? __build_skb_around+0x125/0x150
+ ? __alloc_skb+0x1d4/0x220
+ ? skb_zerocopy_clone+0x55/0x230
+iwlwifi 0000:06:00.0: 0x00489002 | board version
+ ? kmalloc_reserve+0x80/0x80
+ ? rcu_read_lock_bh_held+0x60/0xb0
+ tcp_write_xmit+0x3f1/0x24d0
+iwlwifi 0000:06:00.0: 0x034E001C | hcmd
+ ? __check_object_size+0x180/0x350
+iwlwifi 0000:06:00.0: 0x24020000 | isr0
+ tcp_sendmsg_locked+0x8a9/0x1520
+iwlwifi 0000:06:00.0: 0x01400000 | isr1
+ ? tcp_sendpage+0x50/0x50
+iwlwifi 0000:06:00.0: 0x48F0000A | isr2
+ ? lock_release+0xb9/0x400
+ ? tcp_sendmsg+0x14/0x40
+iwlwifi 0000:06:00.0: 0x00C3080C | isr3
+ ? lock_downgrade+0x390/0x390
+ ? do_raw_spin_lock+0x114/0x1d0
+iwlwifi 0000:06:00.0: 0x00200000 | isr4
+ ? rwlock_bug.part.2+0x50/0x50
+iwlwifi 0000:06:00.0: 0x034A001C | last cmd Id
+ ? rwlock_bug.part.2+0x50/0x50
+ ? lockdep_hardirqs_on_prepare+0xe/0x200
+iwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event
+ ? __local_bh_enable_ip+0x87/0xe0
+ ? inet_send_prepare+0x220/0x220
+iwlwifi 0000:06:00.0: 0x000000C4 | l2p_control
+ tcp_sendmsg+0x22/0x40
+ sock_sendmsg+0x5f/0x70
+iwlwifi 0000:06:00.0: 0x00010034 | l2p_duration
+ __sys_sendto+0x19d/0x250
+iwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid
+ ? __ia32_sys_getpeername+0x40/0x40
+iwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match
+ ? rcu_read_lock_held_common+0x12/0x50
+ ? rcu_read_lock_sched_held+0x5a/0xd0
+ ? rcu_read_lock_bh_held+0xb0/0xb0
+ ? rcu_read_lock_sched_held+0x5a/0xd0
+ ? rcu_read_lock_sched_held+0x5a/0xd0
+ ? lock_release+0xb9/0x400
+ ? lock_downgrade+0x390/0x390
+ ? ktime_get+0x64/0x130
+ ? ktime_get+0x8d/0x130
+ ? rcu_read_lock_held_common+0x12/0x50
+ ? rcu_read_lock_sched_held+0x5a/0xd0
+ ? rcu_read_lock_held_common+0x12/0x50
+ ? rcu_read_lock_sched_held+0x5a/0xd0
+ ? rcu_read_lock_bh_held+0xb0/0xb0
+ ? rcu_read_lock_bh_held+0xb0/0xb0
+ __x64_sys_sendto+0x6f/0x80
+ do_syscall_64+0x34/0xb0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+RIP: 0033:0x7f1d126e4531
+Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89
+RSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531
+RDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014
+RBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000010
+R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 9650:
+ kasan_save_stack+0x1c/0x40
+ __kasan_slab_alloc+0x6d/0x90
+ kmem_cache_alloc_node+0xf3/0x2b0
+ __alloc_skb+0x191/0x220
+ tcp_stream_alloc_skb+0x3f/0x330
+ tcp_sendmsg_locked+0x67c/0x1520
+ tcp_sendmsg+0x22/0x40
+ sock_sendmsg+0x5f/0x70
+ __sys_sendto+0x19d/0x250
+ __x64_sys_sendto+0x6f/0x80
+ do_syscall_64+0x34/0xb0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Freed by task 9650:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ kasan_set_free_info+0x20/0x30
+ __kasan_slab_free+0x102/0x170
+ kmem_cache_free+0xc8/0x3e0
+ iwl_mvm_mac_itxq_xmit+0x124/0x270 [iwlmvm]
+ ieee80211_queue_skb+0x874/0xd10 [mac80211]
+ ieee80211_xmit_fast+0xf80/0x1180 [mac80211]
+ __ieee80211_subif_start_xmit+0x287/0x680 [mac80211]
+ ieee80211_subif_start_xmit+0xcd/0x730 [mac80211]
+ dev_hard_start_xmit+0xf6/0x420
+ __dev_queue_xmit+0x165b/0x1b50
+ ip_finish_output2+0x66e/0xfb0
+ __ip_finish_output+0x487/0x6d0
+ ip_output+0x11c/0x350
+ __ip_queue_xmit+0x36b/0x9d0
+ __tcp_transmit_skb+0xb35/0x15c0
+ tcp_write_xmit+0x3f1/0x24d0
+ tcp_sendmsg_locked+0x8a9/0x1520
+ tcp_sendmsg+0x22/0x40
+ sock_sendmsg+0x5f/0x70
+ __sys_sendto+0x19d/0x250
+ __x64_sys_sendto+0x6f/0x80
+ do_syscall_64+0x34/0xb0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+The buggy address belongs to the object at ffff88813cfa4b40
+ which belongs to the cache skbuff_fclone_cache of size 472
+The buggy address is located 96 bytes inside of
+ 472-byte region [ffff88813cfa4b40, ffff88813cfa4d18)
+
+The buggy address belongs to the physical page:
+page:ffffea0004f3e900 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813cfa6c40 pfn:0x13cfa4
+head:ffffea0004f3e900 order:2 compound_mapcount:0 compound_pincount:0
+flags: 0x5fff8000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff)
+raw: 005fff8000010200 ffffea0004656b08 ffffea0008e8cf08 ffff8881081a5240
+raw: ffff88813cfa6c40 0000000000170015 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88813cfa4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88813cfa4b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+>ffff88813cfa4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88813cfa4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88813cfa4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code")
+Link: https://lore.kernel.org/linux-wireless/20220928193057.16132-1-greearb@candelatech.com/
+Tested-by: Amol Jawale <amol.jawale@candelatech.com>
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Link: https://lore.kernel.org/r/20221123225313.21b1ee31d666.I3b3ba184433dd2a544d91eeeda29b467021824ae@changeid
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index 6fa8d9e6b186..0dd35344e64a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -1212,6 +1212,7 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
+ struct sk_buff_head mpdus_skbs;
+ unsigned int payload_len;
+ int ret;
++ struct sk_buff *orig_skb = skb;
+
+ if (WARN_ON_ONCE(!mvmsta))
+ return -1;
+@@ -1244,8 +1245,17 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
+
+ ret = iwl_mvm_tx_mpdu(mvm, skb, &info, sta);
+ if (ret) {
++ /* Free skbs created as part of TSO logic that have not yet been dequeued */
+ __skb_queue_purge(&mpdus_skbs);
+- return ret;
++ /* skb here is not necessarily same as skb that entered this method,
++ * so free it explicitly.
++ */
++ if (skb == orig_skb)
++ ieee80211_free_txskb(mvm->hw, skb);
++ else
++ kfree_skb(skb);
++ /* there was error, but we consumed skb one way or another, so return 0 */
++ return 0;
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 3a0dfed6f1370485e14c1a925aecde2917d5a8f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 23:01:46 +0200
+Subject: wifi: mac80211: check link ID in auth/assoc continuation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 85176a3fcd9748558cff72d4cdff5465b8732282 ]
+
+Ensure that the link ID matches in auth/assoc continuation,
+otherwise we need to reset all the data.
+
+Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/mlme.c | 7 +++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 9583643b7033..c7dd1f49bb35 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -389,6 +389,7 @@ struct ieee80211_mgd_auth_data {
+ bool done, waiting;
+ bool peer_confirmed;
+ bool timeout_started;
++ int link_id;
+
+ u8 ap_addr[ETH_ALEN] __aligned(2);
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index a21571eb02ec..0a9710747b80 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -6582,6 +6582,7 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
+ req->ap_mld_addr ?: req->bss->bssid,
+ ETH_ALEN);
+ auth_data->bss = req->bss;
++ auth_data->link_id = req->link_id;
+
+ if (req->auth_data_len >= 4) {
+ if (req->auth_type == NL80211_AUTHTYPE_SAE) {
+@@ -6600,7 +6601,8 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
+ * removal and re-addition of the STA entry in
+ * ieee80211_prep_connection().
+ */
+- cont_auth = ifmgd->auth_data && req->bss == ifmgd->auth_data->bss;
++ cont_auth = ifmgd->auth_data && req->bss == ifmgd->auth_data->bss &&
++ ifmgd->auth_data->link_id == req->link_id;
+
+ if (req->ie && req->ie_len) {
+ memcpy(&auth_data->data[auth_data->data_len],
+@@ -6937,7 +6939,8 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
+
+ /* keep sta info, bssid if matching */
+ match = ether_addr_equal(ifmgd->auth_data->ap_addr,
+- assoc_data->ap_addr);
++ assoc_data->ap_addr) &&
++ ifmgd->auth_data->link_id == req->link_id;
+ ieee80211_destroy_auth_data(sdata, match);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a5301aa4dae50e5bbe0309940f22091cc0ca6669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Oct 2022 14:08:41 +0200
+Subject: wifi: mac80211: fix ifdef symbol name
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 9d13aff91ecd3f077b432df35291c945bde585be ]
+
+This should of course be CONFIG_, not CPTCFG_, which is an
+artifact from working with backports.
+
+Fixes: 9dd1953846c7 ("wifi: nl80211/mac80211: clarify link ID in control port TX")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index d2c4f9226f94..dafd3a480f02 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -2934,7 +2934,7 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
+
+ if (pre_conf_link_id != link_id &&
+ link_id != IEEE80211_LINK_UNSPECIFIED) {
+-#ifdef CPTCFG_MAC80211_VERBOSE_DEBUG
++#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
+ net_info_ratelimited("%s: dropped frame to %pM with bad link ID request (%d vs. %d)\n",
+ sdata->name, hdr.addr1,
+ pre_conf_link_id, link_id);
+--
+2.35.1
+
--- /dev/null
+From 34c55b3e0f1eeffc51eb4c130dd5c9c702b87f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 16:36:22 +0100
+Subject: wifi: mac80211: fix maybe-unused warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 09d838a457a89883a926b8b0104d575158fd4b92 ]
+
+In ieee80211_lookup_key, the variable named `local` is unused if
+compiled without lockdep, getting this warning:
+
+net/mac80211/cfg.c: In function ‘ieee80211_lookup_key’:
+net/mac80211/cfg.c:542:26: error: unused variable ‘local’ [-Werror=unused-variable]
+ struct ieee80211_local *local = sdata->local;
+ ^~~~~
+
+Fix it with __maybe_unused.
+
+Fixes: 8cbf0c2ab6df ("wifi: mac80211: refactor some key code")
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Link: https://lore.kernel.org/r/20221111153622.29016-1-ihuguet@redhat.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 65f34945a767..538f8c0dbb2b 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -539,7 +539,7 @@ static struct ieee80211_key *
+ ieee80211_lookup_key(struct ieee80211_sub_if_data *sdata,
+ u8 key_idx, bool pairwise, const u8 *mac_addr)
+ {
+- struct ieee80211_local *local = sdata->local;
++ struct ieee80211_local *local __maybe_unused = sdata->local;
+ struct ieee80211_key *key;
+ struct sta_info *sta;
+
+--
+2.35.1
+
--- /dev/null
+From 9a62848fd01184303389e8a81ddaeef8e82c1780 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 14:45:00 +0800
+Subject: wifi: mac80211: fix memory leak in ieee80211_if_add()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293 ]
+
+When register_netdevice() failed in ieee80211_if_add(), ndev->tstats
+isn't released. Fix it.
+
+Fixes: 5a490510ba5f ("mac80211: use per-CPU TX/RX statistics")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221117064500.319983-1-shaozhengchao@huawei.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/iface.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 95b58c5cac07..c3eb08b5a47e 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -2414,6 +2414,7 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
+
+ ret = cfg80211_register_netdevice(ndev);
+ if (ret) {
++ ieee80211_if_free(ndev);
+ free_netdev(ndev);
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From c7f8032a812f28e98c69c367306e7e8f91d6fb23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 02:44:58 +0200
+Subject: wifi: mac80211: mlme: fix null-ptr deref on failed assoc
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 78a6a43aaf87180ec7425a2a90468e1b4d09a1ec ]
+
+If association to an AP without a link 0 fails, then we crash in
+tracing because it assumes that either ap_mld_addr or link 0 BSS
+is valid, since we clear sdata->vif.valid_links and then don't
+add the ap_mld_addr to the struct.
+
+Since we clear also sdata->vif.cfg.ap_addr, keep a local copy of
+it and assign it earlier, before clearing valid_links, to fix
+this.
+
+Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 654414caeb71..a21571eb02ec 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4955,6 +4955,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
+ struct cfg80211_rx_assoc_resp resp = {
+ .uapsd_queues = -1,
+ };
++ u8 ap_mld_addr[ETH_ALEN] __aligned(2);
+ unsigned int link_id;
+
+ sdata_assert_lock(sdata);
+@@ -5119,6 +5120,11 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
+ resp.uapsd_queues |= ieee80211_ac_to_qos_mask[ac];
+ }
+
++ if (sdata->vif.valid_links) {
++ ether_addr_copy(ap_mld_addr, sdata->vif.cfg.ap_addr);
++ resp.ap_mld_addr = ap_mld_addr;
++ }
++
+ ieee80211_destroy_assoc_data(sdata,
+ status_code == WLAN_STATUS_SUCCESS ?
+ ASSOC_SUCCESS :
+@@ -5128,8 +5134,6 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
+ resp.len = len;
+ resp.req_ies = ifmgd->assoc_req_ies;
+ resp.req_ies_len = ifmgd->assoc_req_ies_len;
+- if (sdata->vif.valid_links)
+- resp.ap_mld_addr = sdata->vif.cfg.ap_addr;
+ cfg80211_rx_assoc_resp(sdata->dev, &resp);
+ notify_driver:
+ drv_mgd_complete_tx(sdata->local, sdata, &info);
+--
+2.35.1
+
--- /dev/null
+From d4bb52f7da5e817ad7d083ea3b4a8007c868672d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 21:07:37 +0200
+Subject: wifi: mt76: do not run mt76u_status_worker if the device is not
+ running
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit bd5dac7ced5a7c9faa4dc468ac9560c3256df845 ]
+
+Fix the following NULL pointer dereference avoiding to run
+mt76u_status_worker thread if the device is not running yet.
+
+KASAN: null-ptr-deref in range
+[0x0000000000000000-0x0000000000000007]
+CPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware
+name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Workqueue: mt76 mt76u_tx_status_data
+RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0
+Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00
+48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f>
+b6
+04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7
+RSP: 0018:ffffc900005af988 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a
+RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c
+R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8
+R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28
+FS: 0000000000000000(0000) GS:ffff88811aa00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ mt76x02_send_tx_status+0x1d2/0xeb0
+ mt76x02_tx_status_data+0x8e/0xd0
+ mt76u_tx_status_data+0xe1/0x240
+ process_one_work+0x92b/0x1460
+ worker_thread+0x95/0xe00
+ kthread+0x3a1/0x480
+ ret_from_fork+0x1f/0x30
+Modules linked in:
+--[ end trace 8df5d20fc5040f65 ]--
+RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0
+Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00
+48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f>
+b6
+04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7
+RSP: 0018:ffffc900005af988 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a
+RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c
+R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8
+R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28
+FS: 0000000000000000(0000) GS:ffff88811aa00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0
+PKRU: 55555554
+
+Moreover move stat_work schedule out of the for loop.
+
+Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
+Co-developed-by: Deren Wu <deren.wu@mediatek.com>
+Signed-off-by: Deren Wu <deren.wu@mediatek.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/usb.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
+index 6b8964c19f50..446429f4d944 100644
+--- a/drivers/net/wireless/mediatek/mt76/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/usb.c
+@@ -761,6 +761,9 @@ static void mt76u_status_worker(struct mt76_worker *w)
+ struct mt76_queue *q;
+ int i;
+
++ if (!test_bit(MT76_STATE_RUNNING, &dev->phy.state))
++ return;
++
+ for (i = 0; i < IEEE80211_NUM_ACS; i++) {
+ q = dev->phy.q_tx[i];
+ if (!q)
+@@ -780,11 +783,11 @@ static void mt76u_status_worker(struct mt76_worker *w)
+ wake_up(&dev->tx_wait);
+
+ mt76_worker_schedule(&dev->tx_worker);
+-
+- if (dev->drv->tx_status_data &&
+- !test_and_set_bit(MT76_READING_STATS, &dev->phy.state))
+- queue_work(dev->wq, &dev->usb.stat_work);
+ }
++
++ if (dev->drv->tx_status_data &&
++ !test_and_set_bit(MT76_READING_STATS, &dev->phy.state))
++ queue_work(dev->wq, &dev->usb.stat_work);
+ }
+
+ static void mt76u_tx_status_data(struct work_struct *work)
+--
+2.35.1
+
--- /dev/null
+From a60848adf00a684d1fcabea0d8a4b1263a615b5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Nov 2022 10:35:37 +0800
+Subject: wifi: mt76: fix coverity overrun-call in mt76_get_txpower()
+
+From: Deren Wu <deren.wu@mediatek.com>
+
+[ Upstream commit 03dd0d49de7db680a856fa566963bb8421f46368 ]
+
+Make sure the nss is valid for nss_delta array. Return zero
+if the index is invalid.
+
+Coverity message:
+Event overrun-call: Overrunning callee's array of size 4 by passing
+argument "n_chains" (which evaluates to 15) in call to
+"mt76_tx_power_nss_delta".
+int delta = mt76_tx_power_nss_delta(n_chains);
+
+Fixes: 07cda406308b ("mt76: fix rounding issues on converting per-chain and combined txpower")
+Signed-off-by: Deren Wu <deren.wu@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
+index 4da77d47b0a6..1f8da524a305 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76.h
+@@ -1101,8 +1101,9 @@ static inline bool mt76_is_skb_pktid(u8 pktid)
+ static inline u8 mt76_tx_power_nss_delta(u8 nss)
+ {
+ static const u8 nss_delta[4] = { 0, 6, 9, 12 };
++ u8 idx = nss - 1;
+
+- return nss_delta[nss - 1];
++ return (idx < ARRAY_SIZE(nss_delta)) ? nss_delta[idx] : 0;
+ }
+
+ static inline bool mt76_testmode_enabled(struct mt76_phy *phy)
+--
+2.35.1
+
--- /dev/null
+From 551f9039cfb50a892e15495a286b2b5cc76e76db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:39:51 +0100
+Subject: wifi: mt76: mt7915: Fix chainmask calculation on mt7915 DBDC
+
+From: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
+
+[ Upstream commit de147cc28985a2a09e5d6d179fc5ef59b22fc058 ]
+
+mt7915 does not have a per-band number of chains unlike the other chips,
+it only has a total number of chains. Yet the current code would
+consider the total number as a per-band number.
+
+For example, it would report that a 2x2 + 2x2 DBDC card have 4 chains on
+each band and set chainmask to 0b1111 for the first interface and
+0b11110000 for the second.
+
+Fixes: 99ad32a4ca3a ("mt76: mt7915: add support for MT7986")
+Co-developed-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
+index 83bced0c0785..0bce0ce51be0 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
+@@ -194,6 +194,7 @@ void mt7915_eeprom_parse_hw_cap(struct mt7915_dev *dev,
+ nss = path;
+ if (dev->dbdc_support) {
+ if (is_mt7915(&dev->mt76)) {
++ path = min_t(u8, path, 2);
+ nss = FIELD_GET(MT_EE_WIFI_CONF3_TX_PATH_B0,
+ eeprom[MT_EE_WIFI_CONF + 3]);
+ if (phy->band_idx)
+--
+2.35.1
+
--- /dev/null
+From 6d81927fd5f6c556825930266afc8bbf817bbc7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 09:42:44 +0800
+Subject: wifi: mt76: mt7915: fix mt7915_mac_set_timing()
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+[ Upstream commit 0c881dc08fd71ca2673f31a64989fbb28eac26f4 ]
+
+Correct mac timiing settings for different hardware generations.
+This improves 40-60Mbps performance.
+
+Fixes: 9aac2969fe5f ("mt76: mt7915: update mac timing settings")
+Reported-By: Carson Vandegriffe <carson.vandegriffe@candelatech.com>
+Tested-by: Chad Monroe <chad.monroe@smartrg.com>
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7915/mac.c | 21 +++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+index 49aa5c056063..68e1cf5a1044 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+@@ -1146,7 +1146,7 @@ void mt7915_mac_set_timing(struct mt7915_phy *phy)
+ FIELD_PREP(MT_TIMEOUT_VAL_CCA, 48);
+ u32 ofdm = FIELD_PREP(MT_TIMEOUT_VAL_PLCP, 60) |
+ FIELD_PREP(MT_TIMEOUT_VAL_CCA, 28);
+- int offset;
++ int eifs_ofdm = 360, sifs = 10, offset;
+ bool a_band = !(phy->mt76->chandef.chan->band == NL80211_BAND_2GHZ);
+
+ if (!test_bit(MT76_STATE_RUNNING, &phy->mt76->state))
+@@ -1164,17 +1164,26 @@ void mt7915_mac_set_timing(struct mt7915_phy *phy)
+ reg_offset = FIELD_PREP(MT_TIMEOUT_VAL_PLCP, offset) |
+ FIELD_PREP(MT_TIMEOUT_VAL_CCA, offset);
+
++ if (!is_mt7915(&dev->mt76)) {
++ if (!a_band) {
++ mt76_wr(dev, MT_TMAC_ICR1(phy->band_idx),
++ FIELD_PREP(MT_IFS_EIFS_CCK, 314));
++ eifs_ofdm = 78;
++ } else {
++ eifs_ofdm = 84;
++ }
++ } else if (a_band) {
++ sifs = 16;
++ }
++
+ mt76_wr(dev, MT_TMAC_CDTR(phy->band_idx), cck + reg_offset);
+ mt76_wr(dev, MT_TMAC_ODTR(phy->band_idx), ofdm + reg_offset);
+ mt76_wr(dev, MT_TMAC_ICR0(phy->band_idx),
+- FIELD_PREP(MT_IFS_EIFS_OFDM, a_band ? 84 : 78) |
++ FIELD_PREP(MT_IFS_EIFS_OFDM, eifs_ofdm) |
+ FIELD_PREP(MT_IFS_RIFS, 2) |
+- FIELD_PREP(MT_IFS_SIFS, 10) |
++ FIELD_PREP(MT_IFS_SIFS, sifs) |
+ FIELD_PREP(MT_IFS_SLOT, phy->slottime));
+
+- mt76_wr(dev, MT_TMAC_ICR1(phy->band_idx),
+- FIELD_PREP(MT_IFS_EIFS_CCK, 314));
+-
+ if (phy->slottime < 20 || a_band)
+ val = MT7915_CFEND_RATE_DEFAULT;
+ else
+--
+2.35.1
+
--- /dev/null
+From e6124a086ccbd2bab0ba55810415d0cad58e1238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 13:35:01 +0100
+Subject: wifi: mt76: mt7915: fix reporting of TX AGGR histogram
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 528d13e7f033b54d50e0077922dd52f005d648cf ]
+
+Fix stats clash between bins [4-7] in 802.11 tx aggregation histogram.
+
+Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+index 68e1cf5a1044..853d857b1757 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+@@ -1604,7 +1604,7 @@ void mt7915_mac_update_stats(struct mt7915_phy *phy)
+
+ aggr0 = phy->band_idx ? ARRAY_SIZE(dev->mt76.aggr_stats) / 2 : 0;
+ if (is_mt7915(&dev->mt76)) {
+- for (i = 0, aggr1 = aggr0 + 4; i < 4; i++) {
++ for (i = 0, aggr1 = aggr0 + 8; i < 4; i++) {
+ val = mt76_rr(dev, MT_MIB_MB_SDR1(phy->band_idx, (i << 4)));
+ mib->ba_miss_cnt +=
+ FIELD_GET(MT_MIB_BA_MISS_COUNT_MASK, val);
+--
+2.35.1
+
--- /dev/null
+From ae247e1c90e6dc47f7c58be2d7daaefe818e3b2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 23:13:10 +0800
+Subject: wifi: mt76: mt7915: rework eeprom tx paths and streams init
+
+From: Shayne Chen <shayne.chen@mediatek.com>
+
+[ Upstream commit a7ec8bcf00034ce84d4c9a15dffd7577fbed4db2 ]
+
+Rework tx paths and streams init part to improve readability, and make
+sure that the available tx streams should be smaller than or equal to
+the available tx paths.
+
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Stable-dep-of: de147cc28985 ("wifi: mt76: mt7915: Fix chainmask calculation on mt7915 DBDC")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/mediatek/mt76/mt7915/eeprom.c | 57 ++++++++-----------
+ .../wireless/mediatek/mt76/mt7915/eeprom.h | 5 --
+ 2 files changed, 23 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
+index 4b1a9811646f..83bced0c0785 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
+@@ -173,60 +173,49 @@ static void mt7915_eeprom_parse_band_config(struct mt7915_phy *phy)
+ void mt7915_eeprom_parse_hw_cap(struct mt7915_dev *dev,
+ struct mt7915_phy *phy)
+ {
+- u8 nss, nss_band, nss_band_max, *eeprom = dev->mt76.eeprom.data;
++ u8 path, nss, nss_max = 4, *eeprom = dev->mt76.eeprom.data;
+ struct mt76_phy *mphy = phy->mt76;
+- bool ext_phy = phy != &dev->phy;
+
+ mt7915_eeprom_parse_band_config(phy);
+
+- /* read tx/rx mask from eeprom */
++ /* read tx/rx path from eeprom */
+ if (is_mt7915(&dev->mt76)) {
+- nss = FIELD_GET(MT_EE_WIFI_CONF0_TX_PATH,
+- eeprom[MT_EE_WIFI_CONF]);
++ path = FIELD_GET(MT_EE_WIFI_CONF0_TX_PATH,
++ eeprom[MT_EE_WIFI_CONF]);
+ } else {
+- nss = FIELD_GET(MT_EE_WIFI_CONF0_TX_PATH,
+- eeprom[MT_EE_WIFI_CONF + phy->band_idx]);
++ path = FIELD_GET(MT_EE_WIFI_CONF0_TX_PATH,
++ eeprom[MT_EE_WIFI_CONF + phy->band_idx]);
+ }
+
+- if (!nss || nss > 4)
+- nss = 4;
++ if (!path || path > 4)
++ path = 4;
+
+ /* read tx/rx stream */
+- nss_band = nss;
+-
++ nss = path;
+ if (dev->dbdc_support) {
+ if (is_mt7915(&dev->mt76)) {
+- nss_band = FIELD_GET(MT_EE_WIFI_CONF3_TX_PATH_B0,
+- eeprom[MT_EE_WIFI_CONF + 3]);
++ nss = FIELD_GET(MT_EE_WIFI_CONF3_TX_PATH_B0,
++ eeprom[MT_EE_WIFI_CONF + 3]);
+ if (phy->band_idx)
+- nss_band = FIELD_GET(MT_EE_WIFI_CONF3_TX_PATH_B1,
+- eeprom[MT_EE_WIFI_CONF + 3]);
++ nss = FIELD_GET(MT_EE_WIFI_CONF3_TX_PATH_B1,
++ eeprom[MT_EE_WIFI_CONF + 3]);
+ } else {
+- nss_band = FIELD_GET(MT_EE_WIFI_CONF_STREAM_NUM,
+- eeprom[MT_EE_WIFI_CONF + 2 + phy->band_idx]);
++ nss = FIELD_GET(MT_EE_WIFI_CONF_STREAM_NUM,
++ eeprom[MT_EE_WIFI_CONF + 2 + phy->band_idx]);
+ }
+
+- nss_band_max = is_mt7986(&dev->mt76) ?
+- MT_EE_NSS_MAX_DBDC_MA7986 : MT_EE_NSS_MAX_DBDC_MA7915;
+- } else {
+- nss_band_max = is_mt7986(&dev->mt76) ?
+- MT_EE_NSS_MAX_MA7986 : MT_EE_NSS_MAX_MA7915;
++ if (!is_mt7986(&dev->mt76))
++ nss_max = 2;
+ }
+
+- if (!nss_band || nss_band > nss_band_max)
+- nss_band = nss_band_max;
+-
+- if (nss_band > nss) {
+- dev_warn(dev->mt76.dev,
+- "nss mismatch, nss(%d) nss_band(%d) band(%d) ext_phy(%d)\n",
+- nss, nss_band, phy->band_idx, ext_phy);
+- nss = nss_band;
+- }
++ if (!nss)
++ nss = nss_max;
++ nss = min_t(u8, min_t(u8, nss_max, nss), path);
+
+- mphy->chainmask = BIT(nss) - 1;
+- if (ext_phy)
++ mphy->chainmask = BIT(path) - 1;
++ if (phy->band_idx)
+ mphy->chainmask <<= dev->chainshift;
+- mphy->antenna_mask = BIT(nss_band) - 1;
++ mphy->antenna_mask = BIT(nss) - 1;
+ dev->chainmask |= mphy->chainmask;
+ dev->chainshift = hweight8(dev->mphy.chainmask);
+ }
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.h b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.h
+index 7578ac6d0be6..f3e56817d36e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.h
+@@ -58,11 +58,6 @@ enum mt7915_eeprom_field {
+ #define MT_EE_RATE_DELTA_SIGN BIT(6)
+ #define MT_EE_RATE_DELTA_EN BIT(7)
+
+-#define MT_EE_NSS_MAX_MA7915 4
+-#define MT_EE_NSS_MAX_DBDC_MA7915 2
+-#define MT_EE_NSS_MAX_MA7986 4
+-#define MT_EE_NSS_MAX_DBDC_MA7986 4
+-
+ enum mt7915_adie_sku {
+ MT7976_ONE_ADIE_DBDC = 0x7,
+ MT7975_ONE_ADIE = 0x8,
+--
+2.35.1
+
--- /dev/null
+From 76cae6f44783ba32900ff1fb33c7b06a19d28b47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 06:46:45 +0800
+Subject: wifi: mt76: mt7921: fix antenna signal are way off in monitor mode
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit c256ba6b1909f28b517274282b6845567e974143 ]
+
+Group 3 in RxD is disabled in monitor mode. We should use the group 5 in
+RxD instead to fix antenna signal way off issue, e.g we would see the
+incorrect antenna signal value in wireshark. On the other hand, Group 5
+wouldn't be used in STA or AP mode, so the patch shouldn't cause any
+harm to those modes.
+
+Fixes: cbaa0a404f8d ("mt76: mt7921: fix up the monitor mode")
+Reported-by: Adrian Granados <agranados@gmail.com>
+Co-developed-by: Deren Wu <deren.wu@mediatek.com>
+Signed-off-by: Deren Wu <deren.wu@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7921/mac.c | 32 ++++++++++++-------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+index e8a7a5831782..dd8479adbcc9 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+@@ -394,6 +394,27 @@ mt7921_mac_fill_rx(struct mt7921_dev *dev, struct sk_buff *skb)
+ if (v0 & MT_PRXV_HT_AD_CODE)
+ status->enc_flags |= RX_ENC_FLAG_LDPC;
+
++ ret = mt76_connac2_mac_fill_rx_rate(&dev->mt76, status, sband,
++ rxv, &mode);
++ if (ret < 0)
++ return ret;
++
++ if (rxd1 & MT_RXD1_NORMAL_GROUP_5) {
++ rxd += 6;
++ if ((u8 *)rxd - skb->data >= skb->len)
++ return -EINVAL;
++
++ rxv = rxd;
++ /* Monitor mode would use RCPI described in GROUP 5
++ * instead.
++ */
++ v1 = le32_to_cpu(rxv[0]);
++
++ rxd += 12;
++ if ((u8 *)rxd - skb->data >= skb->len)
++ return -EINVAL;
++ }
++
+ status->chains = mphy->antenna_mask;
+ status->chain_signal[0] = to_rssi(MT_PRXV_RCPI0, v1);
+ status->chain_signal[1] = to_rssi(MT_PRXV_RCPI1, v1);
+@@ -408,17 +429,6 @@ mt7921_mac_fill_rx(struct mt7921_dev *dev, struct sk_buff *skb)
+ status->signal = max(status->signal,
+ status->chain_signal[i]);
+ }
+-
+- ret = mt76_connac2_mac_fill_rx_rate(&dev->mt76, status, sband,
+- rxv, &mode);
+- if (ret < 0)
+- return ret;
+-
+- if (rxd1 & MT_RXD1_NORMAL_GROUP_5) {
+- rxd += 18;
+- if ((u8 *)rxd - skb->data >= skb->len)
+- return -EINVAL;
+- }
+ }
+
+ amsdu_info = FIELD_GET(MT_RXD4_NORMAL_PAYLOAD_FORMAT, rxd4);
+--
+2.35.1
+
--- /dev/null
+From 20e246209676aedbba31af438ff332cecb263f18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 13:46:50 +0100
+Subject: wifi: mt76: mt7921: fix reporting of TX AGGR histogram
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 028b4f22b37b88821fd87b56ce47b180583c774e ]
+
+Similar to mt7915, fix stats clash between bins [4-7] in 802.11 tx
+aggregation histogram.
+
+Fixes: 163f4d22c118d ("mt76: mt7921: add MAC support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+index dd8479adbcc9..5b0eba4cb421 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+@@ -852,7 +852,7 @@ void mt7921_mac_update_mib_stats(struct mt7921_phy *phy)
+ mib->tx_amsdu_cnt += val;
+ }
+
+- for (i = 0, aggr1 = aggr0 + 4; i < 4; i++) {
++ for (i = 0, aggr1 = aggr0 + 8; i < 4; i++) {
+ u32 val2;
+
+ val = mt76_rr(dev, MT_TX_AGG_CNT(0, i));
+--
+2.35.1
+
--- /dev/null
+From 2f8c0a800b3195f7799d6256f02dcfccac882c8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 01:42:11 +0000
+Subject: wifi: nl80211: Add checks for nla_nest_start() in
+ nl80211_send_iface()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 5cc58b376675981386c6192405fe887cd29c527a ]
+
+As the nla_nest_start() may fail with NULL returned, the return value needs
+to be checked.
+
+Fixes: ce08cd344a00 ("wifi: nl80211: expose link information for interfaces")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221129014211.56558-1-yuancan@huawei.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 2705e3ee8fc4..3e41edace1ba 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3849,6 +3849,9 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
+ for_each_valid_link(wdev, link_id) {
+ struct nlattr *link = nla_nest_start(msg, link_id + 1);
+
++ if (!link)
++ goto nla_put_failure;
++
+ if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
+ goto nla_put_failure;
+ if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
+--
+2.35.1
+
--- /dev/null
+From f9938aaaa6c9594d53037b072c08f3f2efe414c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 13:19:00 +0800
+Subject: wifi: plfxlc: fix potential memory leak in __lf_x_usb_enable_rx()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 895b3b06efc285c1245242e9638b9ae251dc13ec ]
+
+urbs does not be freed in exception paths in __lf_x_usb_enable_rx().
+That will trigger memory leak. To fix it, add kfree() for urbs within
+"error" label. Compile tested only.
+
+Fixes: 68d57a07bfe5 ("wireless: add plfxlc driver for pureLiFi X, XL, XC devices")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221119051900.1192401-1-william.xuanziyang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/purelifi/plfxlc/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/purelifi/plfxlc/usb.c b/drivers/net/wireless/purelifi/plfxlc/usb.c
+index 39e54b3787d6..76d0a778636a 100644
+--- a/drivers/net/wireless/purelifi/plfxlc/usb.c
++++ b/drivers/net/wireless/purelifi/plfxlc/usb.c
+@@ -247,6 +247,7 @@ static int __lf_x_usb_enable_rx(struct plfxlc_usb *usb)
+ for (i = 0; i < RX_URBS_COUNT; i++)
+ free_rx_urb(urbs[i]);
+ }
++ kfree(urbs);
+ return r;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 925058d6c389d75275aa51d73233719f9311fc86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 17:33:39 +0100
+Subject: wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit b8f6efccbb9dc0ff5dee7e20d69a4747298ee603 ]
+
+When using wpa_supplicant v2.10, this driver is no longer able to
+associate with any AP and fails in the EAPOL 4-way handshake while
+sending the 2/4 message to the AP. The problem is not present in
+wpa_supplicant v2.9 or older. The problem stems from HostAP commit
+144314eaa ("wpa_supplicant: Send EAPOL frames over nl80211 where available")
+which changes the way EAPOL frames are sent, from them being send
+at L2 frames to them being sent via nl80211 control port.
+
+An EAPOL frame sent as L2 frame is passed to the WiFi driver with
+skb->protocol ETH_P_PAE, while EAPOL frame sent via nl80211 control
+port has skb->protocol set to ETH_P_802_3 . The later happens in
+ieee80211_tx_control_port(), where the EAPOL frame is encapsulated
+into 802.3 frame.
+
+The rsi_91x driver handles ETH_P_PAE EAPOL frames as high-priority
+frames and sends them via highest-priority transmit queue, while
+the ETH_P_802_3 frames are sent as regular frames. The EAPOL 4-way
+handshake frames must be sent as highest-priority, otherwise the
+4-way handshake times out.
+
+Therefore, to fix this problem, inspect the skb control flags and
+if flag IEEE80211_TX_CTRL_PORT_CTRL_PROTO is set, assume this is
+an EAPOL frame and transmit the frame via high-priority queue just
+like other ETH_P_PAE frames.
+
+Fixes: 0eb42586cf87 ("rsi: data packet descriptor enhancements")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221104163339.227432-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_core.c | 4 +++-
+ drivers/net/wireless/rsi/rsi_91x_hal.c | 6 +++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_core.c b/drivers/net/wireless/rsi/rsi_91x_core.c
+index 0f3a80f66b61..ead4d4e04328 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_core.c
++++ b/drivers/net/wireless/rsi/rsi_91x_core.c
+@@ -466,7 +466,9 @@ void rsi_core_xmit(struct rsi_common *common, struct sk_buff *skb)
+ tid, 0);
+ }
+ }
+- if (skb->protocol == cpu_to_be16(ETH_P_PAE)) {
++
++ if (IEEE80211_SKB_CB(skb)->control.flags &
++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) {
+ q_num = MGMT_SOFT_Q;
+ skb->priority = q_num;
+ }
+diff --git a/drivers/net/wireless/rsi/rsi_91x_hal.c b/drivers/net/wireless/rsi/rsi_91x_hal.c
+index c61f83a7333b..c7460fbba014 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
+@@ -162,12 +162,16 @@ int rsi_prepare_data_desc(struct rsi_common *common, struct sk_buff *skb)
+ u8 header_size;
+ u8 vap_id = 0;
+ u8 dword_align_bytes;
++ bool tx_eapol;
+ u16 seq_num;
+
+ info = IEEE80211_SKB_CB(skb);
+ vif = info->control.vif;
+ tx_params = (struct skb_info *)info->driver_data;
+
++ tx_eapol = IEEE80211_SKB_CB(skb)->control.flags &
++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO;
++
+ header_size = FRAME_DESC_SZ + sizeof(struct rsi_xtended_desc);
+ if (header_size > skb_headroom(skb)) {
+ rsi_dbg(ERR_ZONE, "%s: Unable to send pkt\n", __func__);
+@@ -231,7 +235,7 @@ int rsi_prepare_data_desc(struct rsi_common *common, struct sk_buff *skb)
+ }
+ }
+
+- if (skb->protocol == cpu_to_be16(ETH_P_PAE)) {
++ if (tx_eapol) {
+ rsi_dbg(INFO_ZONE, "*** Tx EAPOL ***\n");
+
+ data_desc->frame_info = cpu_to_le16(RATE_INFO_ENABLE);
+--
+2.35.1
+
--- /dev/null
+From 8c7ec074d85d07ede5d35b601b2d94c0675079bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 16:13:57 +0200
+Subject: wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit dd469a754afdb782ba3033cee102147493dc39f4 ]
+
+This struct is used to access a sequence of bytes received from the
+wifi chip. It must not have any padding bytes between the members.
+
+This doesn't change anything on my system, possibly because currently
+none of the members need more than byte alignment.
+
+Fixes: b2b43b7837ba ("rtl8xxxu: Initial functionality to handle C2H events for 8723bu")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/1a270918-da22-ff5f-29fc-7855f740c5ba@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+index 782b089a2e1b..1ba66b8f70c9 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+@@ -1190,7 +1190,7 @@ struct rtl8723bu_c2h {
+ u8 bw;
+ } __packed ra_report;
+ };
+-};
++} __packed;
+
+ struct rtl8xxxu_fileops;
+
+--
+2.35.1
+
--- /dev/null
+From d7140ee93ed85b25f94f18d478e46ae9cf6824da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Oct 2022 13:56:09 +0300
+Subject: wifi: rtl8xxxu: Fix reading the vendor of combo chips
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit 6f103aeb5e985ac08f3a4a049a2c17294f40cff9 ]
+
+The wifi + bluetooth combo chips (RTL8723AU and RTL8723BU) read the
+chip vendor from the wrong register because the val32 variable gets
+overwritten. Add one more variable to avoid this.
+
+This had no real effect on RTL8723BU. It may have had an effect on
+RTL8723AU.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/24af8024-2f07-552b-93d8-38823d8e3cb0@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 08f9d17dce12..2286119ba3d5 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -1608,18 +1608,18 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv)
+ {
+ struct device *dev = &priv->udev->dev;
+ struct ieee80211_hw *hw = priv->hw;
+- u32 val32, bonding;
++ u32 val32, bonding, sys_cfg;
+ u16 val16;
+
+- val32 = rtl8xxxu_read32(priv, REG_SYS_CFG);
+- priv->chip_cut = (val32 & SYS_CFG_CHIP_VERSION_MASK) >>
++ sys_cfg = rtl8xxxu_read32(priv, REG_SYS_CFG);
++ priv->chip_cut = (sys_cfg & SYS_CFG_CHIP_VERSION_MASK) >>
+ SYS_CFG_CHIP_VERSION_SHIFT;
+- if (val32 & SYS_CFG_TRP_VAUX_EN) {
++ if (sys_cfg & SYS_CFG_TRP_VAUX_EN) {
+ dev_info(dev, "Unsupported test chip\n");
+ return -ENOTSUPP;
+ }
+
+- if (val32 & SYS_CFG_BT_FUNC) {
++ if (sys_cfg & SYS_CFG_BT_FUNC) {
+ if (priv->chip_cut >= 3) {
+ sprintf(priv->chip_name, "8723BU");
+ priv->rtl_chip = RTL8723B;
+@@ -1641,7 +1641,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv)
+ if (val32 & MULTI_GPS_FUNC_EN)
+ priv->has_gps = 1;
+ priv->is_multi_func = 1;
+- } else if (val32 & SYS_CFG_TYPE_ID) {
++ } else if (sys_cfg & SYS_CFG_TYPE_ID) {
+ bonding = rtl8xxxu_read32(priv, REG_HPON_FSM);
+ bonding &= HPON_FSM_BONDING_MASK;
+ if (priv->fops->tx_desc_size ==
+@@ -1692,7 +1692,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv)
+ case RTL8188E:
+ case RTL8192E:
+ case RTL8723B:
+- switch (val32 & SYS_CFG_VENDOR_EXT_MASK) {
++ switch (sys_cfg & SYS_CFG_VENDOR_EXT_MASK) {
+ case SYS_CFG_VENDOR_ID_TSMC:
+ sprintf(priv->chip_vendor, "TSMC");
+ break;
+@@ -1709,7 +1709,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv)
+ }
+ break;
+ default:
+- if (val32 & SYS_CFG_VENDOR_ID) {
++ if (sys_cfg & SYS_CFG_VENDOR_ID) {
+ sprintf(priv->chip_vendor, "UMC");
+ priv->vendor_umc = 1;
+ } else {
+--
+2.35.1
+
--- /dev/null
+From e0bc04611f08541333c6a587c1619f185c058b16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 16:15:08 +0200
+Subject: wifi: rtl8xxxu: Fix the channel width reporting
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit 76c16af2cb10282274596e21add2c9f0b95c941b ]
+
+The gen 2 chips RTL8192EU and RTL8188FU periodically send the driver
+reports about the TX rate, and the driver passes these reports to
+sta_statistics. The reports from RTL8192EU may or may not include the
+channel width. The reports from RTL8188FU do not include it.
+
+Only access the c2h->ra_report.bw field if the report (skb) is big
+enough.
+
+The other problem fixed here is that the code was actually never
+changing the channel width initially reported by
+rtl8xxxu_bss_info_changed because the value of RATE_INFO_BW_20 is 0.
+
+Fixes: 0985d3a410ac ("rtl8xxxu: Feed current txrate information for mac80211")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/5b41f1ae-72e7-6b7a-2459-b736399a1c40@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index e85c6325199b..955fcf97b9dc 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5575,7 +5575,6 @@ static void rtl8xxxu_c2hcmd_callback(struct work_struct *work)
+ rarpt->txrate.flags = 0;
+ rate = c2h->ra_report.rate;
+ sgi = c2h->ra_report.sgi;
+- bw = c2h->ra_report.bw;
+
+ if (rate < DESC_RATE_MCS0) {
+ rarpt->txrate.legacy =
+@@ -5592,8 +5591,13 @@ static void rtl8xxxu_c2hcmd_callback(struct work_struct *work)
+ RATE_INFO_FLAGS_SHORT_GI;
+ }
+
+- if (bw == RATE_INFO_BW_20)
+- rarpt->txrate.bw |= RATE_INFO_BW_20;
++ if (skb->len >= offsetofend(typeof(*c2h), ra_report.bw)) {
++ if (c2h->ra_report.bw == RTL8XXXU_CHANNEL_WIDTH_40)
++ bw = RATE_INFO_BW_40;
++ else
++ bw = RATE_INFO_BW_20;
++ rarpt->txrate.bw = bw;
++ }
+ }
+ bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
+ rarpt->bit_rate = bit_rate;
+--
+2.35.1
+
--- /dev/null
+From b1cda16e13c012ab3a3acf6a96a544d6d8b19a1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 22:56:58 +0200
+Subject: wifi: rtl8xxxu: Fix use after rcu_read_unlock in
+ rtl8xxxu_bss_info_changed
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit 7927afb5e27baac694f585b59c436ba323528dc2 ]
+
+Commit a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width")
+introduced a line where the pointer returned by ieee80211_find_sta() is
+used after rcu_read_unlock().
+
+Move rcu_read_unlock() a bit lower to fix this.
+
+Fixes: a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/3c82ad09-7593-3be1-1d2c-e58505fb43cb@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 2286119ba3d5..e85c6325199b 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -4654,7 +4654,6 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ if (sta->deflink.ht_cap.cap &
+ (IEEE80211_HT_CAP_SGI_40 | IEEE80211_HT_CAP_SGI_20))
+ sgi = 1;
+- rcu_read_unlock();
+
+ highest_rate = fls(ramask) - 1;
+ if (highest_rate < DESC_RATE_MCS0) {
+@@ -4679,6 +4678,7 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ else
+ rarpt->txrate.bw = RATE_INFO_BW_20;
+ }
++ rcu_read_unlock();
+ bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
+ rarpt->bit_rate = bit_rate;
+ rarpt->desc_rate = highest_rate;
+--
+2.35.1
+
--- /dev/null
+From eec1ce81adcb14f7253f8a94a62fd798a3e1c5bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 12:23:22 +0800
+Subject: wifi: rtw89: fix physts IE page check
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit 9e2f177de1bfb7d891bf38140bda54831ecef30d ]
+
+The index RTW89_PHYSTS_BITMAP_NUM is not a valid physts IE page.
+So, fix the check condition.
+
+Fixes: eb4e52b3f38d ("rtw89: fix incorrect channel info during scan")
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221118042322.26794-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/phy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c
+index 1532c0a6bbc4..2925179f508c 100644
+--- a/drivers/net/wireless/realtek/rtw89/phy.c
++++ b/drivers/net/wireless/realtek/rtw89/phy.c
+@@ -3045,7 +3045,7 @@ void rtw89_phy_env_monitor_track(struct rtw89_dev *rtwdev)
+
+ static bool rtw89_physts_ie_page_valid(enum rtw89_phy_status_bitmap *ie_page)
+ {
+- if (*ie_page > RTW89_PHYSTS_BITMAP_NUM ||
++ if (*ie_page >= RTW89_PHYSTS_BITMAP_NUM ||
+ *ie_page == RTW89_RSVD_9)
+ return false;
+ else if (*ie_page > RTW89_RSVD_9)
+--
+2.35.1
+
--- /dev/null
+From 48af2252465d592512943129d6eee5baec300a4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 16:49:18 +0100
+Subject: wifi: rtw89: Fix some error handling path in rtw89_core_sta_assoc()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 81c0b8928437ddfe87b0024c5bd817bc331d8524 ]
+
+'ret' is not updated after a function call in rtw89_core_sta_assoc().
+This prevent error handling from working.
+
+Add the missing assignment.
+
+Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/7b1d82594635e4406d3438f33d8da29eaa056c5a.1668354547.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
+index 8b338e5ce364..732015228bd3 100644
+--- a/drivers/net/wireless/realtek/rtw89/core.c
++++ b/drivers/net/wireless/realtek/rtw89/core.c
+@@ -2500,7 +2500,7 @@ int rtw89_core_sta_assoc(struct rtw89_dev *rtwdev,
+ }
+
+ /* update cam aid mac_id net_type */
+- rtw89_fw_h2c_cam(rtwdev, rtwvif, rtwsta, NULL);
++ ret = rtw89_fw_h2c_cam(rtwdev, rtwvif, rtwsta, NULL);
+ if (ret) {
+ rtw89_warn(rtwdev, "failed to send h2c cam\n");
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 5010aae393c50a28dc6d80ae4e24013e047c25bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 09:38:58 +0800
+Subject: wifi: rtw89: use u32_encode_bits() to fill MAC quota value
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 525c06c81d75690a9b795cc62a758838c1a6b6fe ]
+
+Coverity reported shift 16 bits could cause sign extension and might get
+an unexpected value. Since the input values are predefined and no this
+kind of case, original code is safe so far. But, still changing them to
+use u32_encode_bits() will be more clear and prevent mistakes in the
+future.
+
+The original message of Coverity is:
+ Suspicious implicit sign extension: "max_cfg->cma0_dma" with type "u16"
+ (16 bits, unsigned) is promoted in "max_cfg->cma0_dma << 16" to type
+ "int" (32 bits, signed), then sign-extended to type "unsigned long"
+ (64 bits, unsigned). If "max_cfg->cma0_dma << 16" is greater than
+ 0x7FFFFFFF, the upper bits of the result will all be 1."
+
+Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
+Addresses-Coverity-ID: 1527095 ("Integer handling issues")
+Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221108013858.10806-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/mac.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/mac.c b/drivers/net/wireless/realtek/rtw89/mac.c
+index 93124b815825..1afc14531194 100644
+--- a/drivers/net/wireless/realtek/rtw89/mac.c
++++ b/drivers/net/wireless/realtek/rtw89/mac.c
+@@ -1387,10 +1387,8 @@ static int dle_mix_cfg(struct rtw89_dev *rtwdev, const struct rtw89_dle_mem *cfg
+ #define INVALID_QT_WCPU U16_MAX
+ #define SET_QUOTA_VAL(_min_x, _max_x, _module, _idx) \
+ do { \
+- val = ((_min_x) & \
+- B_AX_ ## _module ## _MIN_SIZE_MASK) | \
+- (((_max_x) << 16) & \
+- B_AX_ ## _module ## _MAX_SIZE_MASK); \
++ val = u32_encode_bits(_min_x, B_AX_ ## _module ## _MIN_SIZE_MASK) | \
++ u32_encode_bits(_max_x, B_AX_ ## _module ## _MAX_SIZE_MASK); \
+ rtw89_write32(rtwdev, \
+ R_AX_ ## _module ## _QTA ## _idx ## _CFG, \
+ val); \
+--
+2.35.1
+
--- /dev/null
+From 34c48e8f66b1a8e26a485f6f2bb0cd8d0b75fbb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 22:50:08 +0100
+Subject: x86/apic: Handle no CONFIG_X86_X2APIC on systems with x2APIC enabled
+ by BIOS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Jończyk <mat.jonczyk@o2.pl>
+
+[ Upstream commit e3998434da4f5b1f57f8d6a8a9f8502ee3723bae ]
+
+A kernel that was compiled without CONFIG_X86_X2APIC was unable to boot on
+platforms that have x2APIC already enabled in the BIOS before starting the
+kernel.
+
+The kernel was supposed to panic with an approprite error message in
+validate_x2apic() due to the missing X2APIC support.
+
+However, validate_x2apic() was run too late in the boot cycle, and the
+kernel tried to initialize the APIC nonetheless. This resulted in an
+earlier panic in setup_local_APIC() because the APIC was not registered.
+
+In my experiments, a panic message in setup_local_APIC() was not visible
+in the graphical console, which resulted in a hang with no indication
+what has gone wrong.
+
+Instead of calling panic(), disable the APIC, which results in a somewhat
+working system with the PIC only (and no SMP). This way the user is able to
+diagnose the problem more easily.
+
+Disabling X2APIC mode is not an option because it's impossible on systems
+with locked x2APIC.
+
+The proper place to disable the APIC in this case is in check_x2apic(),
+which is called early from setup_arch(). Doing this in
+__apic_intr_mode_select() is too late.
+
+Make check_x2apic() unconditionally available and remove the empty stub.
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reported-by: Robert Elliott (Servers) <elliott@hpe.com>
+Signed-off-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/lkml/d573ba1c-0dc4-3016-712a-cc23a8a33d42@molgen.mpg.de
+Link: https://lore.kernel.org/lkml/20220911084711.13694-3-mat.jonczyk@o2.pl
+Link: https://lore.kernel.org/all/20221129215008.7247-1-mat.jonczyk@o2.pl
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Kconfig | 4 ++--
+ arch/x86/include/asm/apic.h | 3 +--
+ arch/x86/kernel/apic/apic.c | 13 ++++++++-----
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 4728d3f5d5c4..3fec0e9d9241 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -450,8 +450,8 @@ config X86_X2APIC
+
+ Some Intel systems circa 2022 and later are locked into x2APIC mode
+ and can not fall back to the legacy APIC modes if SGX or TDX are
+- enabled in the BIOS. They will be unable to boot without enabling
+- this option.
++ enabled in the BIOS. They will boot with very reduced functionality
++ without enabling this option.
+
+ If you don't know what to do here, say N.
+
+diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
+index 3415321c8240..3216da7074ba 100644
+--- a/arch/x86/include/asm/apic.h
++++ b/arch/x86/include/asm/apic.h
+@@ -249,7 +249,6 @@ static inline u64 native_x2apic_icr_read(void)
+ extern int x2apic_mode;
+ extern int x2apic_phys;
+ extern void __init x2apic_set_max_apicid(u32 apicid);
+-extern void __init check_x2apic(void);
+ extern void x2apic_setup(void);
+ static inline int x2apic_enabled(void)
+ {
+@@ -258,13 +257,13 @@ static inline int x2apic_enabled(void)
+
+ #define x2apic_supported() (boot_cpu_has(X86_FEATURE_X2APIC))
+ #else /* !CONFIG_X86_X2APIC */
+-static inline void check_x2apic(void) { }
+ static inline void x2apic_setup(void) { }
+ static inline int x2apic_enabled(void) { return 0; }
+
+ #define x2apic_mode (0)
+ #define x2apic_supported() (0)
+ #endif /* !CONFIG_X86_X2APIC */
++extern void __init check_x2apic(void);
+
+ struct irq_data;
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index c6876d3ea4b1..20d9a604da7c 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1931,16 +1931,19 @@ void __init check_x2apic(void)
+ }
+ }
+ #else /* CONFIG_X86_X2APIC */
+-static int __init validate_x2apic(void)
++void __init check_x2apic(void)
+ {
+ if (!apic_is_x2apic_enabled())
+- return 0;
++ return;
+ /*
+- * Checkme: Can we simply turn off x2apic here instead of panic?
++ * Checkme: Can we simply turn off x2APIC here instead of disabling the APIC?
+ */
+- panic("BIOS has enabled x2apic but kernel doesn't support x2apic, please disable x2apic in BIOS.\n");
++ pr_err("Kernel does not support x2APIC, please recompile with CONFIG_X86_X2APIC.\n");
++ pr_err("Disabling APIC, expect reduced performance and functionality.\n");
++
++ disable_apic = 1;
++ setup_clear_cpu_cap(X86_FEATURE_APIC);
+ }
+-early_initcall(validate_x2apic);
+
+ static inline void try_to_enable_x2apic(int remap_mode) { }
+ static inline void __x2apic_enable(void) { }
+--
+2.35.1
+
--- /dev/null
+From 650d84cb718af6845a3d7fe214ced81776fdbcbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 12:45:23 +0100
+Subject: x86/boot: Skip realmode init code when running as Xen PV guest
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit f1e525009493cbd569e7c8dd7d58157855f8658d ]
+
+When running as a Xen PV guest there is no need for setting up the
+realmode trampoline, as realmode isn't supported in this environment.
+
+Trying to setup the trampoline has been proven to be problematic in
+some cases, especially when trying to debug early boot problems with
+Xen requiring to keep the EFI boot-services memory mapped (some
+firmware variants seem to claim basically all memory below 1Mb for boot
+services).
+
+Introduce new x86_platform_ops operations for that purpose, which can
+be set to a NOP by the Xen PV specific kernel boot code.
+
+ [ bp: s/call_init_real_mode/do_init_real_mode/ ]
+
+Fixes: 084ee1c641a0 ("x86, realmode: Relocator for realmode code")
+Suggested-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20221123114523.3467-1-jgross@suse.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/realmode.h | 1 +
+ arch/x86/include/asm/x86_init.h | 4 ++++
+ arch/x86/kernel/setup.c | 2 +-
+ arch/x86/kernel/x86_init.c | 3 +++
+ arch/x86/realmode/init.c | 8 ++++++--
+ arch/x86/xen/enlighten_pv.c | 2 ++
+ 6 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h
+index fd6f6e5b755a..a336feef0af1 100644
+--- a/arch/x86/include/asm/realmode.h
++++ b/arch/x86/include/asm/realmode.h
+@@ -91,6 +91,7 @@ static inline void set_real_mode_mem(phys_addr_t mem)
+
+ void reserve_real_mode(void);
+ void load_trampoline_pgtable(void);
++void init_real_mode(void);
+
+ #endif /* __ASSEMBLY__ */
+
+diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
+index e9170457697e..c1c8c581759d 100644
+--- a/arch/x86/include/asm/x86_init.h
++++ b/arch/x86/include/asm/x86_init.h
+@@ -285,6 +285,8 @@ struct x86_hyper_runtime {
+ * possible in x86_early_init_platform_quirks() by
+ * only using the current x86_hardware_subarch
+ * semantics.
++ * @realmode_reserve: reserve memory for realmode trampoline
++ * @realmode_init: initialize realmode trampoline
+ * @hyper: x86 hypervisor specific runtime callbacks
+ */
+ struct x86_platform_ops {
+@@ -301,6 +303,8 @@ struct x86_platform_ops {
+ void (*apic_post_init)(void);
+ struct x86_legacy_features legacy;
+ void (*set_legacy_features)(void);
++ void (*realmode_reserve)(void);
++ void (*realmode_init)(void);
+ struct x86_hyper_runtime hyper;
+ struct x86_guest guest;
+ };
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 216fee7144ee..892609cde4a2 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1175,7 +1175,7 @@ void __init setup_arch(char **cmdline_p)
+ * Moreover, on machines with SandyBridge graphics or in setups that use
+ * crashkernel the entire 1M is reserved anyway.
+ */
+- reserve_real_mode();
++ x86_platform.realmode_reserve();
+
+ init_mem_mapping();
+
+diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
+index e84ee5cdbd8c..3a164fb0d4c3 100644
+--- a/arch/x86/kernel/x86_init.c
++++ b/arch/x86/kernel/x86_init.c
+@@ -25,6 +25,7 @@
+ #include <asm/iommu.h>
+ #include <asm/mach_traps.h>
+ #include <asm/irqdomain.h>
++#include <asm/realmode.h>
+
+ void x86_init_noop(void) { }
+ void __init x86_init_uint_noop(unsigned int unused) { }
+@@ -145,6 +146,8 @@ struct x86_platform_ops x86_platform __ro_after_init = {
+ .get_nmi_reason = default_get_nmi_reason,
+ .save_sched_clock_state = tsc_save_sched_clock_state,
+ .restore_sched_clock_state = tsc_restore_sched_clock_state,
++ .realmode_reserve = reserve_real_mode,
++ .realmode_init = init_real_mode,
+ .hyper.pin_vcpu = x86_op_int_noop,
+
+ .guest = {
+diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
+index 41d7669a97ad..af565816d2ba 100644
+--- a/arch/x86/realmode/init.c
++++ b/arch/x86/realmode/init.c
+@@ -200,14 +200,18 @@ static void __init set_real_mode_permissions(void)
+ set_memory_x((unsigned long) text_start, text_size >> PAGE_SHIFT);
+ }
+
+-static int __init init_real_mode(void)
++void __init init_real_mode(void)
+ {
+ if (!real_mode_header)
+ panic("Real mode trampoline was not allocated");
+
+ setup_real_mode();
+ set_real_mode_permissions();
++}
+
++static int __init do_init_real_mode(void)
++{
++ x86_platform.realmode_init();
+ return 0;
+ }
+-early_initcall(init_real_mode);
++early_initcall(do_init_real_mode);
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 9b1a58dda935..807ab4fbe2c4 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -1224,6 +1224,8 @@ asmlinkage __visible void __init xen_start_kernel(struct start_info *si)
+ xen_vcpu_info_reset(0);
+
+ x86_platform.get_nmi_reason = xen_get_nmi_reason;
++ x86_platform.realmode_reserve = x86_init_noop;
++ x86_platform.realmode_init = x86_init_noop;
+
+ x86_init.resources.memory_setup = xen_memory_setup;
+ x86_init.irqs.intr_mode_select = x86_init_noop;
+--
+2.35.1
+
--- /dev/null
+From 4c3298611582de925329c7f971efae9f957d2fa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 22:14:51 -0800
+Subject: x86/hyperv: Remove unregister syscore call from Hyper-V cleanup
+
+From: Gaurav Kohli <gauravkohli@linux.microsoft.com>
+
+[ Upstream commit 32c97d980e2eef25465d453f2956a9ca68926a3c ]
+
+Hyper-V cleanup code comes under panic path where preemption and irq
+is already disabled. So calling of unregister_syscore_ops might schedule
+out the thread even for the case where mutex lock is free.
+hyperv_cleanup
+ unregister_syscore_ops
+ mutex_lock(&syscore_ops_lock)
+ might_sleep
+Here might_sleep might schedule out this thread, where voluntary preemption
+config is on and this thread will never comes back. And also this was added
+earlier to maintain the symmetry which is not required as this can comes
+during crash shutdown path only.
+
+To prevent the same, removing unregister_syscore_ops function call.
+
+Signed-off-by: Gaurav Kohli <gauravkohli@linux.microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/1669443291-2575-1-git-send-email-gauravkohli@linux.microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/hyperv/hv_init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
+index a0165df3c4d8..d03561b2fffe 100644
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -536,8 +536,6 @@ void hyperv_cleanup(void)
+ {
+ union hv_x64_msr_hypercall_contents hypercall_msr;
+
+- unregister_syscore_ops(&hv_syscore_ops);
+-
+ /* Reset our OS id */
+ wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0);
+ hv_ghcb_msr_write(HV_X64_MSR_GUEST_OS_ID, 0);
+--
+2.35.1
+
--- /dev/null
+From 52641adb239e02247b2492ff8377b079efae9ce0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 10:29:58 -0700
+Subject: x86/sgx: Reduce delay and interference of enclave release
+
+From: Reinette Chatre <reinette.chatre@intel.com>
+
+[ Upstream commit 7b72c823ddf8aaaec4e9fb28e6fbe4d511e7dad1 ]
+
+commit 8795359e35bc ("x86/sgx: Silence softlockup detection when
+releasing large enclaves") introduced a cond_resched() during enclave
+release where the EREMOVE instruction is applied to every 4k enclave
+page. Giving other tasks an opportunity to run while tearing down a
+large enclave placates the soft lockup detector but Iqbal found
+that the fix causes a 25% performance degradation of a workload
+run using Gramine.
+
+Gramine maintains a 1:1 mapping between processes and SGX enclaves.
+That means if a workload in an enclave creates a subprocess then
+Gramine creates a duplicate enclave for that subprocess to run in.
+The consequence is that the release of the enclave used to run
+the subprocess can impact the performance of the workload that is
+run in the original enclave, especially in large enclaves when
+SGX2 is not in use.
+
+The workload run by Iqbal behaves as follows:
+Create enclave (enclave "A")
+/* Initialize workload in enclave "A" */
+Create enclave (enclave "B")
+/* Run subprocess in enclave "B" and send result to enclave "A" */
+Release enclave (enclave "B")
+/* Run workload in enclave "A" */
+Release enclave (enclave "A")
+
+The performance impact of releasing enclave "B" in the above scenario
+is amplified when there is a lot of SGX memory and the enclave size
+matches the SGX memory. When there is 128GB SGX memory and an enclave
+size of 128GB, from the time enclave "B" starts the 128GB SGX memory
+is oversubscribed with a combined demand for 256GB from the two
+enclaves.
+
+Before commit 8795359e35bc ("x86/sgx: Silence softlockup detection when
+releasing large enclaves") enclave release was done in a tight loop
+without giving other tasks a chance to run. Even though the system
+experienced soft lockups the workload (run in enclave "A") obtained
+good performance numbers because when the workload started running
+there was no interference.
+
+Commit 8795359e35bc ("x86/sgx: Silence softlockup detection when
+releasing large enclaves") gave other tasks opportunity to run while an
+enclave is released. The impact of this in this scenario is that while
+enclave "B" is released and needing to access each page that belongs
+to it in order to run the SGX EREMOVE instruction on it, enclave "A"
+is attempting to run the workload needing to access the enclave
+pages that belong to it. This causes a lot of swapping due to the
+demand for the oversubscribed SGX memory. Longer latencies are
+experienced by the workload in enclave "A" while enclave "B" is
+released.
+
+Improve the performance of enclave release while still avoiding the
+soft lockup detector with two enhancements:
+- Only call cond_resched() after XA_CHECK_SCHED iterations.
+- Use the xarray advanced API to keep the xarray locked for
+ XA_CHECK_SCHED iterations instead of locking and unlocking
+ at every iteration.
+
+This batching solution is copied from sgx_encl_may_map() that
+also iterates through all enclave pages using this technique.
+
+With this enhancement the workload experiences a 5%
+performance degradation when compared to a kernel without
+commit 8795359e35bc ("x86/sgx: Silence softlockup detection when
+releasing large enclaves"), an improvement to the reported 25%
+degradation, while still placating the soft lockup detector.
+
+Scenarios with poor performance are still possible even with these
+enhancements. For example, short workloads creating sub processes
+while running in large enclaves. Further performance improvements
+are pursued in user space through avoiding to create duplicate enclaves
+for certain sub processes, and using SGX2 that will do lazy allocation
+of pages as needed so enclaves created for sub processes start quickly
+and release quickly.
+
+Fixes: 8795359e35bc ("x86/sgx: Silence softlockup detection when releasing large enclaves")
+Reported-by: Md Iqbal Hossain <md.iqbal.hossain@intel.com>
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Tested-by: Md Iqbal Hossain <md.iqbal.hossain@intel.com>
+Link: https://lore.kernel.org/all/00efa80dd9e35dc85753e1c5edb0344ac07bb1f0.1667236485.git.reinette.chatre%40intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/sgx/encl.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
+index 8bdeae2fc309..6942a3d8b578 100644
+--- a/arch/x86/kernel/cpu/sgx/encl.c
++++ b/arch/x86/kernel/cpu/sgx/encl.c
+@@ -677,11 +677,15 @@ const struct vm_operations_struct sgx_vm_ops = {
+ void sgx_encl_release(struct kref *ref)
+ {
+ struct sgx_encl *encl = container_of(ref, struct sgx_encl, refcount);
++ unsigned long max_page_index = PFN_DOWN(encl->base + encl->size - 1);
+ struct sgx_va_page *va_page;
+ struct sgx_encl_page *entry;
+- unsigned long index;
++ unsigned long count = 0;
++
++ XA_STATE(xas, &encl->page_array, PFN_DOWN(encl->base));
+
+- xa_for_each(&encl->page_array, index, entry) {
++ xas_lock(&xas);
++ xas_for_each(&xas, entry, max_page_index) {
+ if (entry->epc_page) {
+ /*
+ * The page and its radix tree entry cannot be freed
+@@ -696,9 +700,20 @@ void sgx_encl_release(struct kref *ref)
+ }
+
+ kfree(entry);
+- /* Invoke scheduler to prevent soft lockups. */
+- cond_resched();
++ /*
++ * Invoke scheduler on every XA_CHECK_SCHED iteration
++ * to prevent soft lockups.
++ */
++ if (!(++count % XA_CHECK_SCHED)) {
++ xas_pause(&xas);
++ xas_unlock(&xas);
++
++ cond_resched();
++
++ xas_lock(&xas);
++ }
+ }
++ xas_unlock(&xas);
+
+ xa_destroy(&encl->page_array);
+
+--
+2.35.1
+
--- /dev/null
+From 242ea5bd5a29f3969db64884e9d71ae51a6810da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 17:02:54 -0300
+Subject: x86/split_lock: Add sysctl to control the misery mode
+
+From: Guilherme G. Piccoli <gpiccoli@igalia.com>
+
+[ Upstream commit 727209376f4998bc84db1d5d8af15afea846a92b ]
+
+Commit b041b525dab9 ("x86/split_lock: Make life miserable for split lockers")
+changed the way the split lock detector works when in "warn" mode;
+basically, it not only shows the warn message, but also intentionally
+introduces a slowdown through sleeping plus serialization mechanism
+on such task. Based on discussions in [0], seems the warning alone
+wasn't enough motivation for userspace developers to fix their
+applications.
+
+This slowdown is enough to totally break some proprietary (aka.
+unfixable) userspace[1].
+
+Happens that originally the proposal in [0] was to add a new mode
+which would warns + slowdown the "split locking" task, keeping the
+old warn mode untouched. In the end, that idea was discarded and
+the regular/default "warn" mode now slows down the applications. This
+is quite aggressive with regards proprietary/legacy programs that
+basically are unable to properly run in kernel with this change.
+While it is understandable that a malicious application could DoS
+by split locking, it seems unacceptable to regress old/proprietary
+userspace programs through a default configuration that previously
+worked. An example of such breakage was reported in [1].
+
+Add a sysctl to allow controlling the "misery mode" behavior, as per
+Thomas suggestion on [2]. This way, users running legacy and/or
+proprietary software are allowed to still execute them with a decent
+performance while still observing the warning messages on kernel log.
+
+[0] https://lore.kernel.org/lkml/20220217012721.9694-1-tony.luck@intel.com/
+[1] https://github.com/doitsujin/dxvk/issues/2938
+[2] https://lore.kernel.org/lkml/87pmf4bter.ffs@tglx/
+
+[ dhansen: minor changelog tweaks, including clarifying the actual
+ problem ]
+
+Fixes: b041b525dab9 ("x86/split_lock: Make life miserable for split lockers")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Andre Almeida <andrealmeid@igalia.com>
+Link: https://lore.kernel.org/all/20221024200254.635256-1-gpiccoli%40igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 23 ++++++++
+ arch/x86/kernel/cpu/intel.c | 63 +++++++++++++++++----
+ 2 files changed, 76 insertions(+), 10 deletions(-)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index ee6572b1edad..66d1b23ca64f 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -1298,6 +1298,29 @@ watchdog work to be queued by the watchdog timer function, otherwise the NMI
+ watchdog — if enabled — can detect a hard lockup condition.
+
+
++split_lock_mitigate (x86 only)
++==============================
++
++On x86, each "split lock" imposes a system-wide performance penalty. On larger
++systems, large numbers of split locks from unprivileged users can result in
++denials of service to well-behaved and potentially more important users.
++
++The kernel mitigates these bad users by detecting split locks and imposing
++penalties: forcing them to wait and only allowing one core to execute split
++locks at a time.
++
++These mitigations can make those bad applications unbearably slow. Setting
++split_lock_mitigate=0 may restore some application performance, but will also
++increase system exposure to denial of service attacks from split lock users.
++
++= ===================================================================
++0 Disable the mitigation mode - just warns the split lock on kernel log
++ and exposes the system to denials of service from the split lockers.
++1 Enable the mitigation mode (this is the default) - penalizes the split
++ lockers with intentional performance degradation.
++= ===================================================================
++
++
+ stack_erasing
+ =============
+
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
+index 2d7ea5480ec3..427899650483 100644
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -1034,8 +1034,32 @@ static const struct {
+
+ static struct ratelimit_state bld_ratelimit;
+
++static unsigned int sysctl_sld_mitigate = 1;
+ static DEFINE_SEMAPHORE(buslock_sem);
+
++#ifdef CONFIG_PROC_SYSCTL
++static struct ctl_table sld_sysctls[] = {
++ {
++ .procname = "split_lock_mitigate",
++ .data = &sysctl_sld_mitigate,
++ .maxlen = sizeof(unsigned int),
++ .mode = 0644,
++ .proc_handler = proc_douintvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++ {}
++};
++
++static int __init sld_mitigate_sysctl_init(void)
++{
++ register_sysctl_init("kernel", sld_sysctls);
++ return 0;
++}
++
++late_initcall(sld_mitigate_sysctl_init);
++#endif
++
+ static inline bool match_option(const char *arg, int arglen, const char *opt)
+ {
+ int len = strlen(opt), ratelimit;
+@@ -1146,12 +1170,20 @@ static void split_lock_init(void)
+ split_lock_verify_msr(sld_state != sld_off);
+ }
+
+-static void __split_lock_reenable(struct work_struct *work)
++static void __split_lock_reenable_unlock(struct work_struct *work)
+ {
+ sld_update_msr(true);
+ up(&buslock_sem);
+ }
+
++static DECLARE_DELAYED_WORK(sl_reenable_unlock, __split_lock_reenable_unlock);
++
++static void __split_lock_reenable(struct work_struct *work)
++{
++ sld_update_msr(true);
++}
++static DECLARE_DELAYED_WORK(sl_reenable, __split_lock_reenable);
++
+ /*
+ * If a CPU goes offline with pending delayed work to re-enable split lock
+ * detection then the delayed work will be executed on some other CPU. That
+@@ -1169,10 +1201,9 @@ static int splitlock_cpu_offline(unsigned int cpu)
+ return 0;
+ }
+
+-static DECLARE_DELAYED_WORK(split_lock_reenable, __split_lock_reenable);
+-
+ static void split_lock_warn(unsigned long ip)
+ {
++ struct delayed_work *work;
+ int cpu;
+
+ if (!current->reported_split_lock)
+@@ -1180,14 +1211,26 @@ static void split_lock_warn(unsigned long ip)
+ current->comm, current->pid, ip);
+ current->reported_split_lock = 1;
+
+- /* misery factor #1, sleep 10ms before trying to execute split lock */
+- if (msleep_interruptible(10) > 0)
+- return;
+- /* Misery factor #2, only allow one buslocked disabled core at a time */
+- if (down_interruptible(&buslock_sem) == -EINTR)
+- return;
++ if (sysctl_sld_mitigate) {
++ /*
++ * misery factor #1:
++ * sleep 10ms before trying to execute split lock.
++ */
++ if (msleep_interruptible(10) > 0)
++ return;
++ /*
++ * Misery factor #2:
++ * only allow one buslocked disabled core at a time.
++ */
++ if (down_interruptible(&buslock_sem) == -EINTR)
++ return;
++ work = &sl_reenable_unlock;
++ } else {
++ work = &sl_reenable;
++ }
++
+ cpu = get_cpu();
+- schedule_delayed_work_on(cpu, &split_lock_reenable, 2);
++ schedule_delayed_work_on(cpu, work, 2);
+
+ /* Disable split lock detection on this CPU to make progress */
+ sld_update_msr(false);
+--
+2.35.1
+
--- /dev/null
+From 335b4661e056c461bb77df701a5e441599b1b421 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 23:58:58 +0800
+Subject: x86/xen: Fix memory leak in xen_init_lock_cpu()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit ca84ce153d887b1dc8b118029976cc9faf2a9b40 ]
+
+In xen_init_lock_cpu(), the @name has allocated new string by kasprintf(),
+if bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead
+to a memory leak issue, fix it.
+
+Fixes: 2d9e1e2f58b5 ("xen: implement Xen-specific spinlocks")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20221123155858.11382-3-xiujianfeng@huawei.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/spinlock.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
+index 043c73dfd2c9..5c6fc16e4b92 100644
+--- a/arch/x86/xen/spinlock.c
++++ b/arch/x86/xen/spinlock.c
+@@ -75,6 +75,7 @@ void xen_init_lock_cpu(int cpu)
+ cpu, per_cpu(lock_kicker_irq, cpu));
+
+ name = kasprintf(GFP_KERNEL, "spinlock%d", cpu);
++ per_cpu(irq_name, cpu) = name;
+ irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR,
+ cpu,
+ dummy_handler,
+@@ -85,7 +86,6 @@ void xen_init_lock_cpu(int cpu)
+ if (irq >= 0) {
+ disable_irq(irq); /* make sure it's never delivered */
+ per_cpu(lock_kicker_irq, cpu) = irq;
+- per_cpu(irq_name, cpu) = name;
+ }
+
+ printk("cpu %d spinlock event irq %d\n", cpu, irq);
+@@ -98,6 +98,8 @@ void xen_uninit_lock_cpu(int cpu)
+ if (!xen_pvspin)
+ return;
+
++ kfree(per_cpu(irq_name, cpu));
++ per_cpu(irq_name, cpu) = NULL;
+ /*
+ * When booting the kernel with 'mitigations=auto,nosmt', the secondary
+ * CPUs are not activated, and lock_kicker_irq is not initialized.
+@@ -108,8 +110,6 @@ void xen_uninit_lock_cpu(int cpu)
+
+ unbind_from_irqhandler(irq, NULL);
+ per_cpu(lock_kicker_irq, cpu) = -1;
+- kfree(per_cpu(irq_name, cpu));
+- per_cpu(irq_name, cpu) = NULL;
+ }
+
+ PV_CALLEE_SAVE_REGS_THUNK(xen_vcpu_stolen);
+--
+2.35.1
+
--- /dev/null
+From 3614ac26ce3619833cc97bb8fa033a188c2eddc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 23:58:57 +0800
+Subject: x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 69143f60868b3939ddc89289b29db593b647295e ]
+
+These local variables @{resched|pmu|callfunc...}_name saves the new
+string allocated by kasprintf(), and when bind_{v}ipi_to_irqhandler()
+fails, it goes to the @fail tag, and calls xen_smp_intr_free{_pv}() to
+free resource, however the new string is not saved, which cause a memory
+leak issue. fix it.
+
+Fixes: 9702785a747a ("i386: move xen")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20221123155858.11382-2-xiujianfeng@huawei.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/smp.c | 24 ++++++++++++------------
+ arch/x86/xen/smp_pv.c | 12 ++++++------
+ 2 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
+index c3e1f9a7d43a..4b0d6fff88de 100644
+--- a/arch/x86/xen/smp.c
++++ b/arch/x86/xen/smp.c
+@@ -32,30 +32,30 @@ static irqreturn_t xen_reschedule_interrupt(int irq, void *dev_id)
+
+ void xen_smp_intr_free(unsigned int cpu)
+ {
++ kfree(per_cpu(xen_resched_irq, cpu).name);
++ per_cpu(xen_resched_irq, cpu).name = NULL;
+ if (per_cpu(xen_resched_irq, cpu).irq >= 0) {
+ unbind_from_irqhandler(per_cpu(xen_resched_irq, cpu).irq, NULL);
+ per_cpu(xen_resched_irq, cpu).irq = -1;
+- kfree(per_cpu(xen_resched_irq, cpu).name);
+- per_cpu(xen_resched_irq, cpu).name = NULL;
+ }
++ kfree(per_cpu(xen_callfunc_irq, cpu).name);
++ per_cpu(xen_callfunc_irq, cpu).name = NULL;
+ if (per_cpu(xen_callfunc_irq, cpu).irq >= 0) {
+ unbind_from_irqhandler(per_cpu(xen_callfunc_irq, cpu).irq, NULL);
+ per_cpu(xen_callfunc_irq, cpu).irq = -1;
+- kfree(per_cpu(xen_callfunc_irq, cpu).name);
+- per_cpu(xen_callfunc_irq, cpu).name = NULL;
+ }
++ kfree(per_cpu(xen_debug_irq, cpu).name);
++ per_cpu(xen_debug_irq, cpu).name = NULL;
+ if (per_cpu(xen_debug_irq, cpu).irq >= 0) {
+ unbind_from_irqhandler(per_cpu(xen_debug_irq, cpu).irq, NULL);
+ per_cpu(xen_debug_irq, cpu).irq = -1;
+- kfree(per_cpu(xen_debug_irq, cpu).name);
+- per_cpu(xen_debug_irq, cpu).name = NULL;
+ }
++ kfree(per_cpu(xen_callfuncsingle_irq, cpu).name);
++ per_cpu(xen_callfuncsingle_irq, cpu).name = NULL;
+ if (per_cpu(xen_callfuncsingle_irq, cpu).irq >= 0) {
+ unbind_from_irqhandler(per_cpu(xen_callfuncsingle_irq, cpu).irq,
+ NULL);
+ per_cpu(xen_callfuncsingle_irq, cpu).irq = -1;
+- kfree(per_cpu(xen_callfuncsingle_irq, cpu).name);
+- per_cpu(xen_callfuncsingle_irq, cpu).name = NULL;
+ }
+ }
+
+@@ -65,6 +65,7 @@ int xen_smp_intr_init(unsigned int cpu)
+ char *resched_name, *callfunc_name, *debug_name;
+
+ resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);
++ per_cpu(xen_resched_irq, cpu).name = resched_name;
+ rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,
+ cpu,
+ xen_reschedule_interrupt,
+@@ -74,9 +75,9 @@ int xen_smp_intr_init(unsigned int cpu)
+ if (rc < 0)
+ goto fail;
+ per_cpu(xen_resched_irq, cpu).irq = rc;
+- per_cpu(xen_resched_irq, cpu).name = resched_name;
+
+ callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu);
++ per_cpu(xen_callfunc_irq, cpu).name = callfunc_name;
+ rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR,
+ cpu,
+ xen_call_function_interrupt,
+@@ -86,10 +87,10 @@ int xen_smp_intr_init(unsigned int cpu)
+ if (rc < 0)
+ goto fail;
+ per_cpu(xen_callfunc_irq, cpu).irq = rc;
+- per_cpu(xen_callfunc_irq, cpu).name = callfunc_name;
+
+ if (!xen_fifo_events) {
+ debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu);
++ per_cpu(xen_debug_irq, cpu).name = debug_name;
+ rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu,
+ xen_debug_interrupt,
+ IRQF_PERCPU | IRQF_NOBALANCING,
+@@ -97,10 +98,10 @@ int xen_smp_intr_init(unsigned int cpu)
+ if (rc < 0)
+ goto fail;
+ per_cpu(xen_debug_irq, cpu).irq = rc;
+- per_cpu(xen_debug_irq, cpu).name = debug_name;
+ }
+
+ callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu);
++ per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name;
+ rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR,
+ cpu,
+ xen_call_function_single_interrupt,
+@@ -110,7 +111,6 @@ int xen_smp_intr_init(unsigned int cpu)
+ if (rc < 0)
+ goto fail;
+ per_cpu(xen_callfuncsingle_irq, cpu).irq = rc;
+- per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name;
+
+ return 0;
+
+diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
+index ba7af2eca755..cd80f8422e17 100644
+--- a/arch/x86/xen/smp_pv.c
++++ b/arch/x86/xen/smp_pv.c
+@@ -97,18 +97,18 @@ asmlinkage __visible void cpu_bringup_and_idle(void)
+
+ void xen_smp_intr_free_pv(unsigned int cpu)
+ {
++ kfree(per_cpu(xen_irq_work, cpu).name);
++ per_cpu(xen_irq_work, cpu).name = NULL;
+ if (per_cpu(xen_irq_work, cpu).irq >= 0) {
+ unbind_from_irqhandler(per_cpu(xen_irq_work, cpu).irq, NULL);
+ per_cpu(xen_irq_work, cpu).irq = -1;
+- kfree(per_cpu(xen_irq_work, cpu).name);
+- per_cpu(xen_irq_work, cpu).name = NULL;
+ }
+
++ kfree(per_cpu(xen_pmu_irq, cpu).name);
++ per_cpu(xen_pmu_irq, cpu).name = NULL;
+ if (per_cpu(xen_pmu_irq, cpu).irq >= 0) {
+ unbind_from_irqhandler(per_cpu(xen_pmu_irq, cpu).irq, NULL);
+ per_cpu(xen_pmu_irq, cpu).irq = -1;
+- kfree(per_cpu(xen_pmu_irq, cpu).name);
+- per_cpu(xen_pmu_irq, cpu).name = NULL;
+ }
+ }
+
+@@ -118,6 +118,7 @@ int xen_smp_intr_init_pv(unsigned int cpu)
+ char *callfunc_name, *pmu_name;
+
+ callfunc_name = kasprintf(GFP_KERNEL, "irqwork%d", cpu);
++ per_cpu(xen_irq_work, cpu).name = callfunc_name;
+ rc = bind_ipi_to_irqhandler(XEN_IRQ_WORK_VECTOR,
+ cpu,
+ xen_irq_work_interrupt,
+@@ -127,10 +128,10 @@ int xen_smp_intr_init_pv(unsigned int cpu)
+ if (rc < 0)
+ goto fail;
+ per_cpu(xen_irq_work, cpu).irq = rc;
+- per_cpu(xen_irq_work, cpu).name = callfunc_name;
+
+ if (is_xen_pmu) {
+ pmu_name = kasprintf(GFP_KERNEL, "pmu%d", cpu);
++ per_cpu(xen_pmu_irq, cpu).name = pmu_name;
+ rc = bind_virq_to_irqhandler(VIRQ_XENPMU, cpu,
+ xen_pmu_irq_handler,
+ IRQF_PERCPU|IRQF_NOBALANCING,
+@@ -138,7 +139,6 @@ int xen_smp_intr_init_pv(unsigned int cpu)
+ if (rc < 0)
+ goto fail;
+ per_cpu(xen_pmu_irq, cpu).irq = rc;
+- per_cpu(xen_pmu_irq, cpu).name = pmu_name;
+ }
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From f20a3f0c0f978cad252e28601ec7d80b457aad3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 21:07:45 -0800
+Subject: xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 8b997b2bb2c53b76a6db6c195930e9ab8e4b0c79 ]
+
+As 'kdata.num' is user-controlled data, if user tries to allocate
+memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it
+creates a stack trace and messes up dmesg with a warning.
+
+Call trace:
+-> privcmd_ioctl
+--> privcmd_ioctl_mmap_resource
+
+Add __GFP_NOWARN in order to avoid too large allocation warning.
+This is detected by static analysis using smatch.
+
+Fixes: 3ad0876554ca ("xen/privcmd: add IOCTL_PRIVCMD_MMAP_RESOURCE")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20221126050745.778967-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/privcmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
+index e88e8f6f0a33..719c5d1dda27 100644
+--- a/drivers/xen/privcmd.c
++++ b/drivers/xen/privcmd.c
+@@ -760,7 +760,7 @@ static long privcmd_ioctl_mmap_resource(struct file *file,
+ goto out;
+ }
+
+- pfns = kcalloc(kdata.num, sizeof(*pfns), GFP_KERNEL);
++ pfns = kcalloc(kdata.num, sizeof(*pfns), GFP_KERNEL | __GFP_NOWARN);
+ if (!pfns) {
+ rc = -ENOMEM;
+ goto out;
+--
+2.35.1
+
--- /dev/null
+From 78eac0efe67e6f4207d67051ae1541ee83a9b34d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 15:34:29 +0800
+Subject: xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 9181f40fb2952fd59ecb75e7158620c9c669eee3 ]
+
+If rdma receive buffer allocate failed, should call rpcrdma_regbuf_free()
+to free the send buffer, otherwise, the buffer data will be leaked.
+
+Fixes: bb93a1ae2bf4 ("xprtrdma: Allocate req's regbufs at xprt create time")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtrdma/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
+index 2fbe9aaeec34..efa7bcdf6b28 100644
+--- a/net/sunrpc/xprtrdma/verbs.c
++++ b/net/sunrpc/xprtrdma/verbs.c
+@@ -834,7 +834,7 @@ struct rpcrdma_req *rpcrdma_req_create(struct rpcrdma_xprt *r_xprt, size_t size,
+ return req;
+
+ out3:
+- kfree(req->rl_sendbuf);
++ rpcrdma_regbuf_free(req->rl_sendbuf);
+ out2:
+ kfree(req);
+ out1:
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
