--- /dev/null
+From 26fb30cff9fc962bc4cf5192ed2c415a4c260532 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 15:24:05 +0300
+Subject: ALSA: hda: intel-nhlt: Correct the handling of fmt_config flexible
+ array
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+[ Upstream commit 2e6481a3f3ee6234ce577454e1d88aca55f51d47 ]
+
+The struct nhlt_format's fmt_config is a flexible array, it must not be
+used as normal array.
+When moving to the next nhlt_fmt_cfg we need to take into account the data
+behind the ->config.caps (indicated by ->config.size).
+
+Fixes: a864e8f159b13 ("ALSA: hda: intel-nhlt: verify config type")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Jaska Uimonen <jaska.uimonen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220823122405.18464-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/intel-nhlt.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/hda/intel-nhlt.c b/sound/hda/intel-nhlt.c
+index 9db5ccd9aa2db..13bb0ccfb36c0 100644
+--- a/sound/hda/intel-nhlt.c
++++ b/sound/hda/intel-nhlt.c
+@@ -55,16 +55,22 @@ int intel_nhlt_get_dmic_geo(struct device *dev, struct nhlt_acpi_table *nhlt)
+
+ /* find max number of channels based on format_configuration */
+ if (fmt_configs->fmt_count) {
++ struct nhlt_fmt_cfg *fmt_cfg = fmt_configs->fmt_config;
++
+ dev_dbg(dev, "found %d format definitions\n",
+ fmt_configs->fmt_count);
+
+ for (i = 0; i < fmt_configs->fmt_count; i++) {
+ struct wav_fmt_ext *fmt_ext;
+
+- fmt_ext = &fmt_configs->fmt_config[i].fmt_ext;
++ fmt_ext = &fmt_cfg->fmt_ext;
+
+ if (fmt_ext->fmt.channels > max_ch)
+ max_ch = fmt_ext->fmt.channels;
++
++ /* Move to the next nhlt_fmt_cfg */
++ fmt_cfg = (struct nhlt_fmt_cfg *)(fmt_cfg->config.caps +
++ fmt_cfg->config.size);
+ }
+ dev_dbg(dev, "max channels found %d\n", max_ch);
+ } else {
+--
+2.35.1
+
--- /dev/null
+From 970e90bfae2c7ba0abf9469f273ad22d3197d8b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 12:39:22 +0800
+Subject: Bluetooth: hci_event: Fix checking conn for le_conn_complete_evt
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+[ Upstream commit f48735a9aaf8258f39918e13adf464ccd7dce33b ]
+
+To prevent multiple conn complete events, we shouldn't look up the
+conn with hci_lookup_le_connect, since it requires the state to be
+BT_CONNECT. By the time the duplicate event is processed, the state
+might have changed, so we end up processing the new event anyway.
+
+Change the lookup function to hci_conn_hash_lookup_ba.
+
+Fixes: d5ebaa7c5f6f6 ("Bluetooth: hci_event: Ignore multiple conn complete events")
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 67c61f5240596..2c320a8fe70d7 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5568,7 +5568,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
+ */
+ hci_dev_clear_flag(hdev, HCI_LE_ADV);
+
+- conn = hci_lookup_le_connect(hdev);
++ conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
+ if (!conn) {
+ /* In case of error status and there is no connection pending
+ * just unlock as there is nothing to cleanup.
+--
+2.35.1
+
--- /dev/null
+From ffdbd7535888af8bf865b5db8d070057b7579aab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Aug 2022 22:57:40 +0200
+Subject: Bluetooth: hci_event: Fix vendor (unknown) opcode status handling
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit b82a26d8633cc89367fac75beb3ec33061bea44a ]
+
+Commit c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to
+handle Command Complete") was (presumably) meant to only refactor things
+without any functional changes.
+
+But it does have one undesirable side-effect, before *status would always
+be set to skb->data[0] and it might be overridden by some of the opcode
+specific handling. While now it always set by the opcode specific handlers.
+This means that if the opcode is not known *status does not get set any
+more at all!
+
+This behavior change has broken bluetooth support for BCM4343A0 HCIs,
+the hci_bcm.c code tries to configure UART attached HCIs at a higher
+baudraute using vendor specific opcodes. The BCM4343A0 does not
+support this and this used to simply fail:
+
+[ 25.646442] Bluetooth: hci0: BCM: failed to write clock (-56)
+[ 25.646481] Bluetooth: hci0: Failed to set baudrate
+
+After which things would continue with the initial baudraute. But now
+that hci_cmd_complete_evt() no longer sets status for unknown opcodes
+*status is left at 0. This causes the hci_bcm.c code to think the baudraute
+has been changed on the HCI side and to also adjust the UART baudrate,
+after which communication with the HCI is broken, leading to:
+
+[ 28.579042] Bluetooth: hci0: command 0x0c03 tx timeout
+[ 36.961601] Bluetooth: hci0: BCM: Reset failed (-110)
+
+And non working bluetooth. Fix this by restoring the previous
+default "*status = skb->data[0]" handling for unknown opcodes.
+
+Fixes: c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to handle Command Complete")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 7cb956d3abb26..67c61f5240596 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3998,6 +3998,17 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
+ }
+ }
+
++ if (i == ARRAY_SIZE(hci_cc_table)) {
++ /* Unknown opcode, assume byte 0 contains the status, so
++ * that e.g. __hci_cmd_sync() properly returns errors
++ * for vendor specific commands send by HCI drivers.
++ * If a vendor doesn't actually follow this convention we may
++ * need to introduce a vendor CC table in order to properly set
++ * the status.
++ */
++ *status = skb->data[0];
++ }
++
+ handle_cmd_cnt_and_timer(hdev, ev->ncmd);
+
+ hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
+--
+2.35.1
+
--- /dev/null
+From 211a156dbb5638ca8db3c06fc5103961d078ae41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 14:20:46 -0700
+Subject: Bluetooth: hci_sync: Fix suspend performance regression
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 1fd02d56dae35b08e4cba8e6bd2c2e7ccff68ecc ]
+
+This attempts to fix suspend performance when there is no connections by
+not updating the event mask.
+
+Fixes: ef61b6ea1544 ("Bluetooth: Always set event mask on suspend")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index b5e7d4b8ab24a..2012f23158839 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -4967,17 +4967,21 @@ int hci_suspend_sync(struct hci_dev *hdev)
+ /* Prevent disconnects from causing scanning to be re-enabled */
+ hci_pause_scan_sync(hdev);
+
+- /* Soft disconnect everything (power off) */
+- err = hci_disconnect_all_sync(hdev, HCI_ERROR_REMOTE_POWER_OFF);
+- if (err) {
+- /* Set state to BT_RUNNING so resume doesn't notify */
+- hdev->suspend_state = BT_RUNNING;
+- hci_resume_sync(hdev);
+- return err;
+- }
++ if (hci_conn_count(hdev)) {
++ /* Soft disconnect everything (power off) */
++ err = hci_disconnect_all_sync(hdev, HCI_ERROR_REMOTE_POWER_OFF);
++ if (err) {
++ /* Set state to BT_RUNNING so resume doesn't notify */
++ hdev->suspend_state = BT_RUNNING;
++ hci_resume_sync(hdev);
++ return err;
++ }
+
+- /* Update event mask so only the allowed event can wakeup the host */
+- hci_set_event_mask_sync(hdev);
++ /* Update event mask so only the allowed event can wakeup the
++ * host.
++ */
++ hci_set_event_mask_sync(hdev);
++ }
+
+ /* Only configure accept list if disconnect succeeded and wake
+ * isn't being prevented.
+--
+2.35.1
+
--- /dev/null
+From e16abccdeaae95c011c8f0b071165e2a13f28250 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 10:28:08 -0700
+Subject: Bluetooth: hci_sync: hold hdev->lock when cleanup hci_conn
+
+From: Zhengping Jiang <jiangzp@google.com>
+
+[ Upstream commit 2da8eb834b775a9d1acea6214d3e4a78ac841e6e ]
+
+When disconnecting all devices, hci_conn_failed is used to cleanup
+hci_conn object when the hci_conn object cannot be aborted.
+The function hci_conn_failed requires the caller holds hdev->lock.
+
+Fixes: 9b3628d79b46f ("Bluetooth: hci_sync: Cleanup hci_conn if it cannot be aborted")
+Signed-off-by: Zhengping Jiang <jiangzp@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 2012f23158839..3b4cee67bbd60 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -4452,9 +4452,11 @@ static int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn,
+ /* Cleanup hci_conn object if it cannot be cancelled as it
+ * likelly means the controller and host stack are out of sync.
+ */
+- if (err)
++ if (err) {
++ hci_dev_lock(hdev);
+ hci_conn_failed(conn, err);
+-
++ hci_dev_unlock(hdev);
++ }
+ return err;
+ case BT_CONNECT2:
+ return hci_reject_conn_sync(hdev, conn, reason);
+--
+2.35.1
+
--- /dev/null
+From 44da356255c120c508d056f23bd426fb95a92f13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jun 2022 16:48:43 +0300
+Subject: bpf: Allow helpers to accept pointers with a fixed size
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit 508362ac66b0478affb4e52cb8da98478312d72d ]
+
+Before this commit, the BPF verifier required ARG_PTR_TO_MEM arguments
+to be followed by ARG_CONST_SIZE holding the size of the memory region.
+The helpers had to check that size in runtime.
+
+There are cases where the size expected by a helper is a compile-time
+constant. Checking it in runtime is an unnecessary overhead and waste of
+BPF registers.
+
+This commit allows helpers to accept pointers to memory without the
+corresponding ARG_CONST_SIZE, given that they define the memory region
+size in struct bpf_func_proto and use ARG_PTR_TO_FIXED_SIZE_MEM type.
+
+arg_size is unionized with arg_btf_id to reduce the kernel image size,
+and it's valid because they are used by different argument types.
+
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://lore.kernel.org/r/20220615134847.3753567-3-maximmi@nvidia.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 13 +++++++++++++
+ kernel/bpf/verifier.c | 43 ++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 45 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 7424cf234ae03..ed352c00330cd 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -398,6 +398,9 @@ enum bpf_type_flag {
+ /* DYNPTR points to a ringbuf record. */
+ DYNPTR_TYPE_RINGBUF = BIT(9 + BPF_BASE_TYPE_BITS),
+
++ /* Size is known at compile time. */
++ MEM_FIXED_SIZE = BIT(10 + BPF_BASE_TYPE_BITS),
++
+ __BPF_TYPE_FLAG_MAX,
+ __BPF_TYPE_LAST_FLAG = __BPF_TYPE_FLAG_MAX - 1,
+ };
+@@ -461,6 +464,8 @@ enum bpf_arg_type {
+ * all bytes or clear them in error case.
+ */
+ ARG_PTR_TO_UNINIT_MEM = MEM_UNINIT | ARG_PTR_TO_MEM,
++ /* Pointer to valid memory of size known at compile time. */
++ ARG_PTR_TO_FIXED_SIZE_MEM = MEM_FIXED_SIZE | ARG_PTR_TO_MEM,
+
+ /* This must be the last entry. Its purpose is to ensure the enum is
+ * wide enough to hold the higher bits reserved for bpf_type_flag.
+@@ -526,6 +531,14 @@ struct bpf_func_proto {
+ u32 *arg5_btf_id;
+ };
+ u32 *arg_btf_id[5];
++ struct {
++ size_t arg1_size;
++ size_t arg2_size;
++ size_t arg3_size;
++ size_t arg4_size;
++ size_t arg5_size;
++ };
++ size_t arg_size[5];
+ };
+ int *ret_btf_id; /* return value btf_id */
+ bool (*allowed)(const struct bpf_prog *prog);
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 0e45d405f151c..f0dd73bf69ddf 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5847,6 +5847,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];
+ enum bpf_arg_type arg_type = fn->arg_type[arg];
+ enum bpf_reg_type type = reg->type;
++ u32 *arg_btf_id = NULL;
+ int err = 0;
+
+ if (arg_type == ARG_DONTCARE)
+@@ -5883,7 +5884,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ */
+ goto skip_type_check;
+
+- err = check_reg_type(env, regno, arg_type, fn->arg_btf_id[arg], meta);
++ /* arg_btf_id and arg_size are in a union. */
++ if (base_type(arg_type) == ARG_PTR_TO_BTF_ID)
++ arg_btf_id = fn->arg_btf_id[arg];
++
++ err = check_reg_type(env, regno, arg_type, arg_btf_id, meta);
+ if (err)
+ return err;
+
+@@ -6010,6 +6015,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ * next is_mem_size argument below.
+ */
+ meta->raw_mode = arg_type & MEM_UNINIT;
++ if (arg_type & MEM_FIXED_SIZE) {
++ err = check_helper_mem_access(env, regno,
++ fn->arg_size[arg], false,
++ meta);
++ }
+ } else if (arg_type_is_mem_size(arg_type)) {
+ bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
+
+@@ -6400,11 +6410,19 @@ static bool check_raw_mode_ok(const struct bpf_func_proto *fn)
+ return count <= 1;
+ }
+
+-static bool check_args_pair_invalid(enum bpf_arg_type arg_curr,
+- enum bpf_arg_type arg_next)
++static bool check_args_pair_invalid(const struct bpf_func_proto *fn, int arg)
+ {
+- return (base_type(arg_curr) == ARG_PTR_TO_MEM) !=
+- arg_type_is_mem_size(arg_next);
++ bool is_fixed = fn->arg_type[arg] & MEM_FIXED_SIZE;
++ bool has_size = fn->arg_size[arg] != 0;
++ bool is_next_size = false;
++
++ if (arg + 1 < ARRAY_SIZE(fn->arg_type))
++ is_next_size = arg_type_is_mem_size(fn->arg_type[arg + 1]);
++
++ if (base_type(fn->arg_type[arg]) != ARG_PTR_TO_MEM)
++ return is_next_size;
++
++ return has_size == is_next_size || is_next_size == is_fixed;
+ }
+
+ static bool check_arg_pair_ok(const struct bpf_func_proto *fn)
+@@ -6415,11 +6433,11 @@ static bool check_arg_pair_ok(const struct bpf_func_proto *fn)
+ * helper function specification.
+ */
+ if (arg_type_is_mem_size(fn->arg1_type) ||
+- base_type(fn->arg5_type) == ARG_PTR_TO_MEM ||
+- check_args_pair_invalid(fn->arg1_type, fn->arg2_type) ||
+- check_args_pair_invalid(fn->arg2_type, fn->arg3_type) ||
+- check_args_pair_invalid(fn->arg3_type, fn->arg4_type) ||
+- check_args_pair_invalid(fn->arg4_type, fn->arg5_type))
++ check_args_pair_invalid(fn, 0) ||
++ check_args_pair_invalid(fn, 1) ||
++ check_args_pair_invalid(fn, 2) ||
++ check_args_pair_invalid(fn, 3) ||
++ check_args_pair_invalid(fn, 4))
+ return false;
+
+ return true;
+@@ -6460,7 +6478,10 @@ static bool check_btf_id_ok(const struct bpf_func_proto *fn)
+ if (base_type(fn->arg_type[i]) == ARG_PTR_TO_BTF_ID && !fn->arg_btf_id[i])
+ return false;
+
+- if (base_type(fn->arg_type[i]) != ARG_PTR_TO_BTF_ID && fn->arg_btf_id[i])
++ if (base_type(fn->arg_type[i]) != ARG_PTR_TO_BTF_ID && fn->arg_btf_id[i] &&
++ /* arg_btf_id and arg_size are in a union. */
++ (base_type(fn->arg_type[i]) != ARG_PTR_TO_MEM ||
++ !(fn->arg_type[i] & MEM_FIXED_SIZE)))
+ return false;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From d8cfa5e63a8533b53d4e5baf4c4c9e701a5e619b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Aug 2022 21:40:30 +0800
+Subject: bpf, cgroup: Fix kernel BUG in purge_effective_progs
+
+From: Pu Lehui <pulehui@huawei.com>
+
+[ Upstream commit 7d6620f107bae6ed687ff07668e8e8f855487aa9 ]
+
+Syzkaller reported a triggered kernel BUG as follows:
+
+ ------------[ cut here ]------------
+ kernel BUG at kernel/bpf/cgroup.c:925!
+ invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 194 Comm: detach Not tainted 5.19.0-14184-g69dac8e431af #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+ rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:__cgroup_bpf_detach+0x1f2/0x2a0
+ Code: 00 e8 92 60 30 00 84 c0 75 d8 4c 89 e0 31 f6 85 f6 74 19 42 f6 84
+ 28 48 05 00 00 02 75 0e 48 8b 80 c0 00 00 00 48 85 c0 75 e5 <0f> 0b 48
+ 8b 0c5
+ RSP: 0018:ffffc9000055bdb0 EFLAGS: 00000246
+ RAX: 0000000000000000 RBX: ffff888100ec0800 RCX: ffffc900000f1000
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888100ec4578
+ RBP: 0000000000000000 R08: ffff888100ec0800 R09: 0000000000000040
+ R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100ec4000
+ R13: 000000000000000d R14: ffffc90000199000 R15: ffff888100effb00
+ FS: 00007f68213d2b80(0000) GS:ffff88813bc80000(0000)
+ knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000055f74a0e5850 CR3: 0000000102836000 CR4: 00000000000006e0
+ Call Trace:
+ <TASK>
+ cgroup_bpf_prog_detach+0xcc/0x100
+ __sys_bpf+0x2273/0x2a00
+ __x64_sys_bpf+0x17/0x20
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0033:0x7f68214dbcb9
+ Code: 08 44 89 e0 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 48 89 f8 48 89
+ f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
+ f0 ff8
+ RSP: 002b:00007ffeb487db68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
+ RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f68214dbcb9
+ RDX: 0000000000000090 RSI: 00007ffeb487db70 RDI: 0000000000000009
+ RBP: 0000000000000003 R08: 0000000000000012 R09: 0000000b00000003
+ R10: 00007ffeb487db70 R11: 0000000000000246 R12: 00007ffeb487dc20
+ R13: 0000000000000004 R14: 0000000000000001 R15: 000055f74a1011b0
+ </TASK>
+ Modules linked in:
+ ---[ end trace 0000000000000000 ]---
+
+Repetition steps:
+
+For the following cgroup tree,
+
+ root
+ |
+ cg1
+ |
+ cg2
+
+ 1. attach prog2 to cg2, and then attach prog1 to cg1, both bpf progs
+ attach type is NONE or OVERRIDE.
+ 2. write 1 to /proc/thread-self/fail-nth for failslab.
+ 3. detach prog1 for cg1, and then kernel BUG occur.
+
+Failslab injection will cause kmalloc fail and fall back to
+purge_effective_progs. The problem is that cg2 have attached another prog,
+so when go through cg2 layer, iteration will add pos to 1, and subsequent
+operations will be skipped by the following condition, and cg will meet
+NULL in the end.
+
+ `if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))`
+
+The NULL cg means no link or prog match, this is as expected, and it's not
+a bug. So here just skip the no match situation.
+
+Fixes: 4c46091ee985 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs")
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20220813134030.1972696-1-pulehui@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/cgroup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
+index 7a394f7c205c4..34dfa45ef4f3b 100644
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -762,8 +762,10 @@ static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog,
+ pos++;
+ }
+ }
++
++ /* no link or prog match, skip the cgroup of this layer */
++ continue;
+ found:
+- BUG_ON(!cg);
+ progs = rcu_dereference_protected(
+ desc->bpf.effective[atype],
+ lockdep_is_held(&cgroup_mutex));
+--
+2.35.1
+
--- /dev/null
+From 242382d8f9a13324889ac2d1d347cff58fa295c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 20:52:59 +0200
+Subject: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+[ Upstream commit 2fc31465c5373b5ca4edf2e5238558cb62902311 ]
+
+Precision markers need to be propagated whenever we have an ARG_CONST_*
+style argument, as the verifier cannot consider imprecise scalars to be
+equivalent for the purposes of states_equal check when such arguments
+refine the return value (in this case, set mem_size for PTR_TO_MEM). The
+resultant mem_size for the R0 is derived from the constant value, and if
+the verifier incorrectly prunes states considering them equivalent where
+such arguments exist (by seeing that both registers have reg->precise as
+false in regsafe), we can end up with invalid programs passing the
+verifier which can do access beyond what should have been the correct
+mem_size in that explored state.
+
+To show a concrete example of the problem:
+
+0000000000000000 <prog>:
+ 0: r2 = *(u32 *)(r1 + 80)
+ 1: r1 = *(u32 *)(r1 + 76)
+ 2: r3 = r1
+ 3: r3 += 4
+ 4: if r3 > r2 goto +18 <LBB5_5>
+ 5: w2 = 0
+ 6: *(u32 *)(r1 + 0) = r2
+ 7: r1 = *(u32 *)(r1 + 0)
+ 8: r2 = 1
+ 9: if w1 == 0 goto +1 <LBB5_3>
+ 10: r2 = -1
+
+0000000000000058 <LBB5_3>:
+ 11: r1 = 0 ll
+ 13: r3 = 0
+ 14: call bpf_ringbuf_reserve
+ 15: if r0 == 0 goto +7 <LBB5_5>
+ 16: r1 = r0
+ 17: r1 += 16777215
+ 18: w2 = 0
+ 19: *(u8 *)(r1 + 0) = r2
+ 20: r1 = r0
+ 21: r2 = 0
+ 22: call bpf_ringbuf_submit
+
+00000000000000b8 <LBB5_5>:
+ 23: w0 = 0
+ 24: exit
+
+For the first case, the single line execution's exploration will prune
+the search at insn 14 for the branch insn 9's second leg as it will be
+verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will
+always be 0 so at runtime we don't get error for being greater than
+UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just
+sees reg->precise as false for both r2 registers in both states, hence
+considers them equal for purposes of states_equal.
+
+If we propagated precise markers using the backtracking support, we
+would use the precise marking to then ensure that old r2 (UINT_MAX) was
+within the new r2 (1) and this would never be true, so the verification
+would rightfully fail.
+
+The end result is that the out of bounds access at instruction 19 would
+be permitted without this fix.
+
+Note that reg->precise is always set to true when user does not have
+CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static
+or global functions)), hence this is only a problem when precision marks
+need to be explicitly propagated (i.e. privileged users with CAP_BPF).
+
+A simplified test case has been included in the next patch to prevent
+future regressions.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20220823185300.406-2-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 20df58c351abf..339147061127a 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -6066,6 +6066,9 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ return -EACCES;
+ }
+ meta->mem_size = reg->var_off.value;
++ err = mark_chain_precision(env, regno);
++ if (err)
++ return err;
+ break;
+ case ARG_PTR_TO_INT:
+ case ARG_PTR_TO_LONG:
+--
+2.35.1
+
--- /dev/null
+From 1dfa4958fb37ffa974b5e15238d6a934fcb59c8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 14:58:04 -0700
+Subject: bpf: Fix a data-race around bpf_jit_limit.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 0947ae1121083d363d522ff7518ee72b55bd8d29 ]
+
+While reading bpf_jit_limit, it can be changed concurrently via sysctl,
+WRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limit
+is long, so we need to add a paired READ_ONCE() to avoid load-tearing.
+
+Fixes: ede95a63b5e8 ("bpf: add bpf_jit_limit knob to restrict unpriv allocations")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20220823215804.2177-1-kuniyu@amazon.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index fb6bd57228a84..cf44ff50b1f23 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1005,7 +1005,7 @@ pure_initcall(bpf_jit_charge_init);
+
+ int bpf_jit_charge_modmem(u32 size)
+ {
+- if (atomic_long_add_return(size, &bpf_jit_current) > bpf_jit_limit) {
++ if (atomic_long_add_return(size, &bpf_jit_current) > READ_ONCE(bpf_jit_limit)) {
+ if (!bpf_capable()) {
+ atomic_long_sub(size, &bpf_jit_current);
+ return -EPERM;
+--
+2.35.1
+
--- /dev/null
+From 702b62a2eead72e41d0ea01a15165d756708d4cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 20:55:16 +0000
+Subject: bpf: Restrict bpf_sys_bpf to CAP_PERFMON
+
+From: YiFei Zhu <zhuyifei@google.com>
+
+[ Upstream commit 14b20b784f59bdd95f6f1cfb112c9818bcec4d84 ]
+
+The verifier cannot perform sufficient validation of any pointers passed
+into bpf_attr and treats them as integers rather than pointers. The helper
+will then read from arbitrary pointers passed into it. Restrict the helper
+to CAP_PERFMON since the security model in BPF of arbitrary kernel read is
+CAP_BPF + CAP_PERFMON.
+
+Fixes: af2ac3e13e45 ("bpf: Prepare bpf syscall to be used from kernel and user space.")
+Signed-off-by: YiFei Zhu <zhuyifei@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 82e83cfb4114a..dd0fc2a86ce17 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5153,7 +5153,7 @@ syscall_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
+ {
+ switch (func_id) {
+ case BPF_FUNC_sys_bpf:
+- return &bpf_sys_bpf_proto;
++ return !perfmon_capable() ? NULL : &bpf_sys_bpf_proto;
+ case BPF_FUNC_btf_find_by_name_kind:
+ return &bpf_btf_find_by_name_kind_proto;
+ case BPF_FUNC_sys_close:
+--
+2.35.1
+
--- /dev/null
+From 6e6a8741bc31447cde10a75a1e3e9b2d40a15aa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Jul 2022 14:06:03 -0700
+Subject: bpf: Tidy up verifier check_func_arg()
+
+From: Joanne Koong <joannelkoong@gmail.com>
+
+[ Upstream commit 8ab4cdcf03d0b060fbf73f76460f199bbd759ff7 ]
+
+This patch does two things:
+
+1. For matching against the arg type, the match should be against the
+base type of the arg type, since the arg type can have different
+bpf_type_flags set on it.
+
+2. Uses switch casing to improve readability + efficiency.
+
+Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
+Acked-by: Hao Luo <haoluo@google.com>
+Link: https://lore.kernel.org/r/20220712210603.123791-1-joannelkoong@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 66 +++++++++++++++++++++++++------------------
+ 1 file changed, 38 insertions(+), 28 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index f0dd73bf69ddf..20df58c351abf 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5533,17 +5533,6 @@ static bool arg_type_is_mem_size(enum bpf_arg_type type)
+ type == ARG_CONST_SIZE_OR_ZERO;
+ }
+
+-static bool arg_type_is_alloc_size(enum bpf_arg_type type)
+-{
+- return type == ARG_CONST_ALLOC_SIZE_OR_ZERO;
+-}
+-
+-static bool arg_type_is_int_ptr(enum bpf_arg_type type)
+-{
+- return type == ARG_PTR_TO_INT ||
+- type == ARG_PTR_TO_LONG;
+-}
+-
+ static bool arg_type_is_release(enum bpf_arg_type type)
+ {
+ return type & OBJ_RELEASE;
+@@ -5929,7 +5918,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ meta->ref_obj_id = reg->ref_obj_id;
+ }
+
+- if (arg_type == ARG_CONST_MAP_PTR) {
++ switch (base_type(arg_type)) {
++ case ARG_CONST_MAP_PTR:
+ /* bpf_map_xxx(map_ptr) call: remember that map_ptr */
+ if (meta->map_ptr) {
+ /* Use map_uid (which is unique id of inner map) to reject:
+@@ -5954,7 +5944,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ }
+ meta->map_ptr = reg->map_ptr;
+ meta->map_uid = reg->map_uid;
+- } else if (arg_type == ARG_PTR_TO_MAP_KEY) {
++ break;
++ case ARG_PTR_TO_MAP_KEY:
+ /* bpf_map_xxx(..., map_ptr, ..., key) call:
+ * check that [key, key + map->key_size) are within
+ * stack limits and initialized
+@@ -5971,7 +5962,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ err = check_helper_mem_access(env, regno,
+ meta->map_ptr->key_size, false,
+ NULL);
+- } else if (base_type(arg_type) == ARG_PTR_TO_MAP_VALUE) {
++ break;
++ case ARG_PTR_TO_MAP_VALUE:
+ if (type_may_be_null(arg_type) && register_is_null(reg))
+ return 0;
+
+@@ -5987,14 +5979,16 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ err = check_helper_mem_access(env, regno,
+ meta->map_ptr->value_size, false,
+ meta);
+- } else if (arg_type == ARG_PTR_TO_PERCPU_BTF_ID) {
++ break;
++ case ARG_PTR_TO_PERCPU_BTF_ID:
+ if (!reg->btf_id) {
+ verbose(env, "Helper has invalid btf_id in R%d\n", regno);
+ return -EACCES;
+ }
+ meta->ret_btf = reg->btf;
+ meta->ret_btf_id = reg->btf_id;
+- } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) {
++ break;
++ case ARG_PTR_TO_SPIN_LOCK:
+ if (meta->func_id == BPF_FUNC_spin_lock) {
+ if (process_spin_lock(env, regno, true))
+ return -EACCES;
+@@ -6005,12 +5999,15 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ verbose(env, "verifier internal error\n");
+ return -EFAULT;
+ }
+- } else if (arg_type == ARG_PTR_TO_TIMER) {
++ break;
++ case ARG_PTR_TO_TIMER:
+ if (process_timer_func(env, regno, meta))
+ return -EACCES;
+- } else if (arg_type == ARG_PTR_TO_FUNC) {
++ break;
++ case ARG_PTR_TO_FUNC:
+ meta->subprogno = reg->subprogno;
+- } else if (base_type(arg_type) == ARG_PTR_TO_MEM) {
++ break;
++ case ARG_PTR_TO_MEM:
+ /* The access to this pointer is only checked when we hit the
+ * next is_mem_size argument below.
+ */
+@@ -6020,11 +6017,14 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ fn->arg_size[arg], false,
+ meta);
+ }
+- } else if (arg_type_is_mem_size(arg_type)) {
+- bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
+-
+- err = check_mem_size_reg(env, reg, regno, zero_size_allowed, meta);
+- } else if (arg_type_is_dynptr(arg_type)) {
++ break;
++ case ARG_CONST_SIZE:
++ err = check_mem_size_reg(env, reg, regno, false, meta);
++ break;
++ case ARG_CONST_SIZE_OR_ZERO:
++ err = check_mem_size_reg(env, reg, regno, true, meta);
++ break;
++ case ARG_PTR_TO_DYNPTR:
+ if (arg_type & MEM_UNINIT) {
+ if (!is_dynptr_reg_valid_uninit(env, reg)) {
+ verbose(env, "Dynptr has to be an uninitialized dynptr\n");
+@@ -6058,21 +6058,28 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ err_extra, arg + 1);
+ return -EINVAL;
+ }
+- } else if (arg_type_is_alloc_size(arg_type)) {
++ break;
++ case ARG_CONST_ALLOC_SIZE_OR_ZERO:
+ if (!tnum_is_const(reg->var_off)) {
+ verbose(env, "R%d is not a known constant'\n",
+ regno);
+ return -EACCES;
+ }
+ meta->mem_size = reg->var_off.value;
+- } else if (arg_type_is_int_ptr(arg_type)) {
++ break;
++ case ARG_PTR_TO_INT:
++ case ARG_PTR_TO_LONG:
++ {
+ int size = int_ptr_type_to_size(arg_type);
+
+ err = check_helper_mem_access(env, regno, size, false, meta);
+ if (err)
+ return err;
+ err = check_ptr_alignment(env, reg, 0, size, true);
+- } else if (arg_type == ARG_PTR_TO_CONST_STR) {
++ break;
++ }
++ case ARG_PTR_TO_CONST_STR:
++ {
+ struct bpf_map *map = reg->map_ptr;
+ int map_off;
+ u64 map_addr;
+@@ -6111,9 +6118,12 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ verbose(env, "string is not zero-terminated\n");
+ return -EINVAL;
+ }
+- } else if (arg_type == ARG_PTR_TO_KPTR) {
++ break;
++ }
++ case ARG_PTR_TO_KPTR:
+ if (process_kptr_func(env, regno, meta))
+ return -EACCES;
++ break;
+ }
+
+ return err;
+--
+2.35.1
+
--- /dev/null
+From 11a0751b8641543b5ba684097ed53fc4a36f9b23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 10:35:15 +0800
+Subject: cachefiles: fix error return code in cachefiles_ondemand_copen()
+
+From: Sun Ke <sunke32@huawei.com>
+
+[ Upstream commit c93ccd63b18c8d108c57b2bb0e5f3b058b9d2029 ]
+
+The cache_size field of copen is specified by the user daemon.
+If cache_size < 0, then the OPEN request is expected to fail,
+while copen itself shall succeed. However, returning 0 is indeed
+unexpected when cache_size is an invalid error code.
+
+Fix this by returning error when cache_size is an invalid error code.
+
+Changes
+=======
+v4: update the code suggested by Dan
+v3: update the commit log suggested by Jingbo.
+
+Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
+Signed-off-by: Sun Ke <sunke32@huawei.com>
+Suggested-by: Jeffle Xu <jefflexu@linux.alibaba.com>
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20220818111935.1683062-1-sunke32@huawei.com/ # v2
+Link: https://lore.kernel.org/r/20220818125038.2247720-1-sunke32@huawei.com/ # v3
+Link: https://lore.kernel.org/r/20220826023515.3437469-1-sunke32@huawei.com/ # v4
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/ondemand.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c
+index 1fee702d55293..7e1586bd5cf34 100644
+--- a/fs/cachefiles/ondemand.c
++++ b/fs/cachefiles/ondemand.c
+@@ -158,9 +158,13 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args)
+
+ /* fail OPEN request if daemon reports an error */
+ if (size < 0) {
+- if (!IS_ERR_VALUE(size))
+- size = -EINVAL;
+- req->error = size;
++ if (!IS_ERR_VALUE(size)) {
++ req->error = -EINVAL;
++ ret = -EINVAL;
++ } else {
++ req->error = size;
++ ret = 0;
++ }
+ goto out;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 6a7381482185c73c6b27ffc2838fbfa24ad9ca94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 10:09:45 +0800
+Subject: cachefiles: make on-demand request distribution fairer
+
+From: Xin Yin <yinxin.x@bytedance.com>
+
+[ Upstream commit 1122f40072731525c06b1371cfa30112b9b54d27 ]
+
+For now, enqueuing and dequeuing on-demand requests all start from
+idx 0, this makes request distribution unfair. In the weighty
+concurrent I/O scenario, the request stored in higher idx will starve.
+
+Searching requests cyclically in cachefiles_ondemand_daemon_read,
+makes distribution fairer.
+
+Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
+Reported-by: Yongqing Li <liyongqing@bytedance.com>
+Signed-off-by: Xin Yin <yinxin.x@bytedance.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffle Xu <jefflexu@linux.alibaba.com>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20220817065200.11543-1-yinxin.x@bytedance.com/ # v1
+Link: https://lore.kernel.org/r/20220825020945.2293-1-yinxin.x@bytedance.com/ # v2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/internal.h | 1 +
+ fs/cachefiles/ondemand.c | 12 +++++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
+index 6cba2c6de2f96..2ad58c4652084 100644
+--- a/fs/cachefiles/internal.h
++++ b/fs/cachefiles/internal.h
+@@ -111,6 +111,7 @@ struct cachefiles_cache {
+ char *tag; /* cache binding tag */
+ refcount_t unbind_pincount;/* refcount to do daemon unbind */
+ struct xarray reqs; /* xarray of pending on-demand requests */
++ unsigned long req_id_next;
+ struct xarray ondemand_ids; /* xarray for ondemand_id allocation */
+ u32 ondemand_id_next;
+ };
+diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c
+index 7e1586bd5cf34..0254ed39f68ce 100644
+--- a/fs/cachefiles/ondemand.c
++++ b/fs/cachefiles/ondemand.c
+@@ -242,14 +242,19 @@ ssize_t cachefiles_ondemand_daemon_read(struct cachefiles_cache *cache,
+ unsigned long id = 0;
+ size_t n;
+ int ret = 0;
+- XA_STATE(xas, &cache->reqs, 0);
++ XA_STATE(xas, &cache->reqs, cache->req_id_next);
+
+ /*
+- * Search for a request that has not ever been processed, to prevent
+- * requests from being processed repeatedly.
++ * Cyclically search for a request that has not ever been processed,
++ * to prevent requests from being processed repeatedly, and make
++ * request distribution fair.
+ */
+ xa_lock(&cache->reqs);
+ req = xas_find_marked(&xas, UINT_MAX, CACHEFILES_REQ_NEW);
++ if (!req && cache->req_id_next > 0) {
++ xas_set(&xas, 0);
++ req = xas_find_marked(&xas, cache->req_id_next - 1, CACHEFILES_REQ_NEW);
++ }
+ if (!req) {
+ xa_unlock(&cache->reqs);
+ return 0;
+@@ -264,6 +269,7 @@ ssize_t cachefiles_ondemand_daemon_read(struct cachefiles_cache *cache,
+ }
+
+ xas_clear_mark(&xas, CACHEFILES_REQ_NEW);
++ cache->req_id_next = xas.xa_index + 1;
+ xa_unlock(&cache->reqs);
+
+ id = xas.xa_index;
+--
+2.35.1
+
--- /dev/null
+From 835b1daea701753c6df9f273d532e6ea949e5f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Aug 2022 09:27:50 +0530
+Subject: drm/i915/display: avoid warnings when registering dual panel
+ backlight
+
+From: Arun R Murthy <arun.r.murthy@intel.com>
+
+[ Upstream commit 868e8e5156a1f8d92ca83fdbac6fd52798650792 ]
+
+Commit 20f85ef89d94 ("drm/i915/backlight: use unique backlight device
+names") added support for multiple backlight devices on dual panel
+systems, but did so with error handling on -EEXIST from
+backlight_device_register(). Unfortunately, that triggered a warning in
+dmesg all the way down from sysfs_add_file_mode_ns() and
+sysfs_warn_dup().
+
+Instead of optimistically always attempting to register with the default
+name ("intel_backlight", which we have to retain for backward
+compatibility), check if a backlight device with the name exists first,
+and, if so, use the card and connector based name.
+
+v2: reworked on top of the patch commit 20f85ef89d94
+("drm/i915/backlight: use unique backlight device names")
+v3: fixed the ref count leak(Jani N)
+
+Fixes: 20f85ef89d94 ("drm/i915/backlight: use unique backlight device names")
+Signed-off-by: Arun R Murthy <arun.r.murthy@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220808035750.3111046-1-arun.r.murthy@intel.com
+(cherry picked from commit 4234ea30051200fc6016de10e4d58369e60b38f1)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/i915/display/intel_backlight.c | 26 +++++++++----------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_backlight.c b/drivers/gpu/drm/i915/display/intel_backlight.c
+index c8e1fc53a881f..79f8a586623dc 100644
+--- a/drivers/gpu/drm/i915/display/intel_backlight.c
++++ b/drivers/gpu/drm/i915/display/intel_backlight.c
+@@ -970,26 +970,24 @@ int intel_backlight_device_register(struct intel_connector *connector)
+ if (!name)
+ return -ENOMEM;
+
+- bd = backlight_device_register(name, connector->base.kdev, connector,
+- &intel_backlight_device_ops, &props);
+-
+- /*
+- * Using the same name independent of the drm device or connector
+- * prevents registration of multiple backlight devices in the
+- * driver. However, we need to use the default name for backward
+- * compatibility. Use unique names for subsequent backlight devices as a
+- * fallback when the default name already exists.
+- */
+- if (IS_ERR(bd) && PTR_ERR(bd) == -EEXIST) {
++ bd = backlight_device_get_by_name(name);
++ if (bd) {
++ put_device(&bd->dev);
++ /*
++ * Using the same name independent of the drm device or connector
++ * prevents registration of multiple backlight devices in the
++ * driver. However, we need to use the default name for backward
++ * compatibility. Use unique names for subsequent backlight devices as a
++ * fallback when the default name already exists.
++ */
+ kfree(name);
+ name = kasprintf(GFP_KERNEL, "card%d-%s-backlight",
+ i915->drm.primary->index, connector->base.name);
+ if (!name)
+ return -ENOMEM;
+-
+- bd = backlight_device_register(name, connector->base.kdev, connector,
+- &intel_backlight_device_ops, &props);
+ }
++ bd = backlight_device_register(name, connector->base.kdev, connector,
++ &intel_backlight_device_ops, &props);
+
+ if (IS_ERR(bd)) {
+ drm_err(&i915->drm,
+--
+2.35.1
+
--- /dev/null
+From 356bf27ff53cf4d590d593f6e0442875daa77b32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Feb 2022 16:33:54 +0100
+Subject: drm/i915: fix null pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Bartosik <lb@semihalf.com>
+
+[ Upstream commit 458ec0c8f35963626ccd51c3d50b752de5f1b9d4 ]
+
+Asus chromebook CX550 crashes during boot on v5.17-rc1 kernel.
+The root cause is null pointer defeference of bi_next
+in tgl_get_bw_info() in drivers/gpu/drm/i915/display/intel_bw.c.
+
+BUG: kernel NULL pointer dereference, address: 000000000000002e
+PGD 0 P4D 0
+Oops: 0002 [#1] PREEMPT SMP NOPTI
+CPU: 0 PID: 1 Comm: swapper/0 Tainted: G U 5.17.0-rc1
+Hardware name: Google Delbin/Delbin, BIOS Google_Delbin.13672.156.3 05/14/2021
+RIP: 0010:tgl_get_bw_info+0x2de/0x510
+...
+[ 2.554467] Call Trace:
+[ 2.554467] <TASK>
+[ 2.554467] intel_bw_init_hw+0x14a/0x434
+[ 2.554467] ? _printk+0x59/0x73
+[ 2.554467] ? _dev_err+0x77/0x91
+[ 2.554467] i915_driver_hw_probe+0x329/0x33e
+[ 2.554467] i915_driver_probe+0x4c8/0x638
+[ 2.554467] i915_pci_probe+0xf8/0x14e
+[ 2.554467] ? _raw_spin_unlock_irqrestore+0x12/0x2c
+[ 2.554467] pci_device_probe+0xaa/0x142
+[ 2.554467] really_probe+0x13f/0x2f4
+[ 2.554467] __driver_probe_device+0x9e/0xd3
+[ 2.554467] driver_probe_device+0x24/0x7c
+[ 2.554467] __driver_attach+0xba/0xcf
+[ 2.554467] ? driver_attach+0x1f/0x1f
+[ 2.554467] bus_for_each_dev+0x8c/0xc0
+[ 2.554467] bus_add_driver+0x11b/0x1f7
+[ 2.554467] driver_register+0x60/0xea
+[ 2.554467] ? mipi_dsi_bus_init+0x16/0x16
+[ 2.554467] i915_init+0x2c/0xb9
+[ 2.554467] ? mipi_dsi_bus_init+0x16/0x16
+[ 2.554467] do_one_initcall+0x12e/0x2b3
+[ 2.554467] do_initcall_level+0xd6/0xf3
+[ 2.554467] do_initcalls+0x4e/0x79
+[ 2.554467] kernel_init_freeable+0xed/0x14d
+[ 2.554467] ? rest_init+0xc1/0xc1
+[ 2.554467] kernel_init+0x1a/0x120
+[ 2.554467] ret_from_fork+0x1f/0x30
+[ 2.554467] </TASK>
+...
+Kernel panic - not syncing: Fatal exception
+
+Fixes: c64a9a7c05be ("drm/i915: Update memory bandwidth formulae")
+Signed-off-by: Łukasz Bartosik <lb@semihalf.com>
+Reviewed-by: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220201153354.11971-1-lukasz.bartosik@semihalf.com
+(cherry picked from commit c247cd03898c4c43c3bce6d4014730403bc13032)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_bw.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_bw.c b/drivers/gpu/drm/i915/display/intel_bw.c
+index 37bd7b17f3d0b..f2fad199e2e0b 100644
+--- a/drivers/gpu/drm/i915/display/intel_bw.c
++++ b/drivers/gpu/drm/i915/display/intel_bw.c
+@@ -404,15 +404,17 @@ static int tgl_get_bw_info(struct drm_i915_private *dev_priv, const struct intel
+ int clpchgroup;
+ int j;
+
+- if (i < num_groups - 1)
+- bi_next = &dev_priv->max_bw[i + 1];
+-
+ clpchgroup = (sa->deburst * qi.deinterleave / num_channels) << i;
+
+- if (i < num_groups - 1 && clpchgroup < clperchgroup)
+- bi_next->num_planes = (ipqdepth - clpchgroup) / clpchgroup + 1;
+- else
+- bi_next->num_planes = 0;
++ if (i < num_groups - 1) {
++ bi_next = &dev_priv->max_bw[i + 1];
++
++ if (clpchgroup < clperchgroup)
++ bi_next->num_planes = (ipqdepth - clpchgroup) /
++ clpchgroup + 1;
++ else
++ bi_next->num_planes = 0;
++ }
+
+ bi->num_qgv_points = qi.num_points;
+ bi->num_psf_gv_points = qi.num_psf_points;
+--
+2.35.1
+
--- /dev/null
+From 0c148529f08cb98f1d4677664667f8ae42e55bc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Aug 2022 15:55:48 -0600
+Subject: drm/i915/gvt: Fix Comet Lake
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit b75ef35bb57791a5d675699ed4a40c870d1da12f ]
+
+Prior to the commit below the GAMT_CHKN_BIT_REG address was setup for
+devices matching (D_KBL | D_CFL), where intel_gvt_get_device_type()
+returns D_CFL for either Coffee Lake or Comet Lake. Include the missed
+platform.`
+
+Link: https://lore.kernel.org/all/20220808142711.02d16782.alex.williamson@redhat.com
+Fixes: e0f74ed4634d ("i915/gvt: Separate the MMIO tracking table from GVT-g")
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/166016852965.780835.10366587502693016900.stgit@omen
+Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/intel_gvt_mmio_table.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_gvt_mmio_table.c b/drivers/gpu/drm/i915/intel_gvt_mmio_table.c
+index 72dac1718f3e7..6163aeaee9b98 100644
+--- a/drivers/gpu/drm/i915/intel_gvt_mmio_table.c
++++ b/drivers/gpu/drm/i915/intel_gvt_mmio_table.c
+@@ -1074,7 +1074,8 @@ static int iterate_skl_plus_mmio(struct intel_gvt_mmio_table_iter *iter)
+ MMIO_D(GEN8_HDC_CHICKEN1);
+ MMIO_D(GEN9_WM_CHICKEN3);
+
+- if (IS_KABYLAKE(dev_priv) || IS_COFFEELAKE(dev_priv))
++ if (IS_KABYLAKE(dev_priv) ||
++ IS_COFFEELAKE(dev_priv) || IS_COMETLAKE(dev_priv))
+ MMIO_D(GAMT_CHKN_BIT_REG);
+ if (!IS_BROXTON(dev_priv))
+ MMIO_D(GEN9_CTX_PREEMPT_REG);
+--
+2.35.1
+
--- /dev/null
+From b7379f1f635ab0e8422782fdd5ec43826f040945 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Aug 2022 14:22:40 +0100
+Subject: drm/i915/ttm: fix CCS handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+[ Upstream commit 8d905254162965c8e6be697d82c7dbf5d08f574d ]
+
+Crucible + recent Mesa seems to sometimes hit:
+
+GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER)
+
+And it looks like we can also trigger this with gem_lmem_swapping, if we
+modify the test to use slightly larger object sizes.
+
+Looking closer it looks like we have the following issues in
+migrate_copy():
+
+ - We are using plain integer in various places, which we can easily
+ overflow with a large object.
+
+ - We pass the entire object size (when the src is lmem) into
+ emit_pte() and then try to copy it, which doesn't work, since we
+ only have a few fixed sized windows in which to map the pages and
+ perform the copy. With an object > 8M we therefore aren't properly
+ copying the pages. And then with an object > 64M we trigger the
+ GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER).
+
+So it looks like our copy handling for any object > 8M (which is our
+CHUNK_SZ) is currently broken on DG2.
+
+Fixes: da0595ae91da ("drm/i915/migrate: Evict and restore the flatccs capable lmem obj")
+Testcase: igt@gem_lmem_swapping
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Ramalingam C <ramalingam.c@intel.com>
+Reviewed-by: Ramalingam C<ramalingam.c@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220805132240.442747-2-matthew.auld@intel.com
+(cherry picked from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_migrate.c | 44 ++++++++++++-------------
+ 1 file changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_migrate.c b/drivers/gpu/drm/i915/gt/intel_migrate.c
+index 2b10b96b17b5b..933648cc90ff9 100644
+--- a/drivers/gpu/drm/i915/gt/intel_migrate.c
++++ b/drivers/gpu/drm/i915/gt/intel_migrate.c
+@@ -638,9 +638,9 @@ static int emit_copy(struct i915_request *rq,
+ return 0;
+ }
+
+-static int scatter_list_length(struct scatterlist *sg)
++static u64 scatter_list_length(struct scatterlist *sg)
+ {
+- int len = 0;
++ u64 len = 0;
+
+ while (sg && sg_dma_len(sg)) {
+ len += sg_dma_len(sg);
+@@ -650,28 +650,26 @@ static int scatter_list_length(struct scatterlist *sg)
+ return len;
+ }
+
+-static void
++static int
+ calculate_chunk_sz(struct drm_i915_private *i915, bool src_is_lmem,
+- int *src_sz, u32 bytes_to_cpy, u32 ccs_bytes_to_cpy)
++ u64 bytes_to_cpy, u64 ccs_bytes_to_cpy)
+ {
+- if (ccs_bytes_to_cpy) {
+- if (!src_is_lmem)
+- /*
+- * When CHUNK_SZ is passed all the pages upto CHUNK_SZ
+- * will be taken for the blt. in Flat-ccs supported
+- * platform Smem obj will have more pages than required
+- * for main meory hence limit it to the required size
+- * for main memory
+- */
+- *src_sz = min_t(int, bytes_to_cpy, CHUNK_SZ);
+- } else { /* ccs handling is not required */
+- *src_sz = CHUNK_SZ;
+- }
++ if (ccs_bytes_to_cpy && !src_is_lmem)
++ /*
++ * When CHUNK_SZ is passed all the pages upto CHUNK_SZ
++ * will be taken for the blt. in Flat-ccs supported
++ * platform Smem obj will have more pages than required
++ * for main meory hence limit it to the required size
++ * for main memory
++ */
++ return min_t(u64, bytes_to_cpy, CHUNK_SZ);
++ else
++ return CHUNK_SZ;
+ }
+
+-static void get_ccs_sg_sgt(struct sgt_dma *it, u32 bytes_to_cpy)
++static void get_ccs_sg_sgt(struct sgt_dma *it, u64 bytes_to_cpy)
+ {
+- u32 len;
++ u64 len;
+
+ do {
+ GEM_BUG_ON(!it->sg || !sg_dma_len(it->sg));
+@@ -702,12 +700,12 @@ intel_context_migrate_copy(struct intel_context *ce,
+ {
+ struct sgt_dma it_src = sg_sgt(src), it_dst = sg_sgt(dst), it_ccs;
+ struct drm_i915_private *i915 = ce->engine->i915;
+- u32 ccs_bytes_to_cpy = 0, bytes_to_cpy;
++ u64 ccs_bytes_to_cpy = 0, bytes_to_cpy;
+ enum i915_cache_level ccs_cache_level;
+ u32 src_offset, dst_offset;
+ u8 src_access, dst_access;
+ struct i915_request *rq;
+- int src_sz, dst_sz;
++ u64 src_sz, dst_sz;
+ bool ccs_is_src, overwrite_ccs;
+ int err;
+
+@@ -790,8 +788,8 @@ intel_context_migrate_copy(struct intel_context *ce,
+ if (err)
+ goto out_rq;
+
+- calculate_chunk_sz(i915, src_is_lmem, &src_sz,
+- bytes_to_cpy, ccs_bytes_to_cpy);
++ src_sz = calculate_chunk_sz(i915, src_is_lmem,
++ bytes_to_cpy, ccs_bytes_to_cpy);
+
+ len = emit_pte(rq, &it_src, src_cache_level, src_is_lmem,
+ src_offset, src_sz);
+--
+2.35.1
+
--- /dev/null
+From 0d393f579bf6986ee27cb815bc7ca082f4492309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 15:57:50 -0700
+Subject: drm/msm/dp: delete DP_RECOVERED_CLOCK_OUT_EN to fix tps4
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+[ Upstream commit 032d57960176ac01cc5adff5bcc5eb51317f8781 ]
+
+Data Symbols scrambled is required for tps4 at link training 2.
+Therefore SCRAMBLING_DISABLE bit should not be set for tps4 to
+work.
+
+RECOVERED_CLOCK_OUT_EN is for enable simple EYE test for jitter
+measurement with minimal equipment for embedded applications purpose
+and is not required to be set during normal operation. Current
+implementation always have RECOVERED_CLOCK_OUT_EN bit set which
+cause SCRAMBLING_DISABLE bit wrongly set at tps4 which prevent
+tps4 from working.
+
+This patch delete setting RECOVERED_CLOCK_OUT_EN to fix
+SCRAMBLING_DISABLE be wrongly set at tps4.
+
+Changes in v2:
+-- fix Fixes tag
+
+Changes in v3:
+-- revise commit text
+
+Changes in v4:
+-- fix commit text newline
+
+Changes in v5:
+-- fix commit text line over 75 chars
+
+Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support")
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/497194/
+Link: https://lore.kernel.org/r/1660258670-4200-1-git-send-email-quic_khsieh@quicinc.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c
+index 703249384e7c7..45aa06a31a9fd 100644
+--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c
++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c
+@@ -1214,7 +1214,7 @@ static int dp_ctrl_link_train_2(struct dp_ctrl_private *ctrl,
+ if (ret)
+ return ret;
+
+- dp_ctrl_train_pattern_set(ctrl, pattern | DP_RECOVERED_CLOCK_OUT_EN);
++ dp_ctrl_train_pattern_set(ctrl, pattern);
+
+ for (tries = 0; tries <= maximum_retries; tries++) {
+ drm_dp_link_train_channel_eq_delay(ctrl->aux, ctrl->panel->dpcd);
+--
+2.35.1
+
--- /dev/null
+From dac8d04f6b390bed8b8cd0301fbc5df7c332b3b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Jul 2022 12:32:08 -0700
+Subject: drm/msm/dp: make eDP panel as the first connected connector
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+[ Upstream commit deffa2d75db7e7a9a1fe3dad4f99310bff7b6449 ]
+
+Some userspace presumes that the first connected connector is the main
+display, where it's supposed to display e.g. the login screen. For
+laptops, this should be the main panel.
+
+This patch call drm_helper_move_panel_connectors_to_head() after
+drm_bridge_connector_init() to make sure eDP stay at head of
+connected connector list. This fixes unexpected corruption happen
+at eDP panel if eDP is not placed at head of connected connector
+list.
+
+Changes in v2:
+-- move drm_helper_move_panel_connectors_to_head() to
+ dpu_kms_drm_obj_init()
+
+Changes in v4:
+-- move drm_helper_move_panel_connectors_to_head() to msm_drm_init()
+
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Fixes: ef7837ff091c ("drm/msm/dp: Add DP controllers for sc7280")
+Patchwork: https://patchwork.freedesktop.org/patch/492581/
+Link: https://lore.kernel.org/r/1657135928-31195-1-git-send-email-quic_khsieh@quicinc.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
+index 14ab9a627d8b0..7c0314d6566af 100644
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -424,6 +424,8 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv)
+ }
+ }
+
++ drm_helper_move_panel_connectors_to_head(ddev);
++
+ ddev->mode_config.funcs = &mode_config_funcs;
+ ddev->mode_config.helper_private = &mode_config_helper_funcs;
+
+--
+2.35.1
+
--- /dev/null
+From 7678eecfd938dc3a4387ebf8dec73a4e93cec14b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jul 2022 12:14:28 -0700
+Subject: drm/msm/dpu: populate wb or intf before reset_intf_cfg
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+[ Upstream commit ef3ac3ae147c6ab370875727791e9b3eaf176cea ]
+
+dpu_encoder_helper_phys_cleanup() was not populating neither
+wb or intf to the intf_cfg before calling the reset_intf_cfg().
+
+This causes the reset of the active bits of wb/intf to be
+skipped which is incorrect.
+
+Fix this by populating the relevant wb or intf indices correctly.
+
+Fixes: ae4d721ce100 ("drm/msm/dpu: add an API to reset the encoder related hw blocks")
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Tested-by: Jessica Zhang <quic_jesszhan@quicinc.com> # Trogdor (SC8170)
+Patchwork: https://patchwork.freedesktop.org/patch/494298/
+Link: https://lore.kernel.org/r/1657912468-17254-1-git-send-email-quic_abhinavk@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+index 9b4df3084366b..d98c7f7da7c08 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+@@ -1998,6 +1998,12 @@ void dpu_encoder_helper_phys_cleanup(struct dpu_encoder_phys *phys_enc)
+
+ intf_cfg.stream_sel = 0; /* Don't care value for video mode */
+ intf_cfg.mode_3d = dpu_encoder_helper_get_3d_blend_mode(phys_enc);
++
++ if (phys_enc->hw_intf)
++ intf_cfg.intf = phys_enc->hw_intf->idx;
++ if (phys_enc->hw_wb)
++ intf_cfg.wb = phys_enc->hw_wb->idx;
++
+ if (phys_enc->hw_pp->merge_3d)
+ intf_cfg.merge_3d = phys_enc->hw_pp->merge_3d->idx;
+
+--
+2.35.1
+
--- /dev/null
+From 5f9ba8d318eb5c62c414d7ff13b55c1572e8b870 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 07:38:48 -0700
+Subject: drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 1e00d6ac8a3422765bae37aeac2002dfd3c0bda6 ]
+
+3 regulators are listed but the number 2 is specified. Fix it.
+
+Fixes: 3a3ff88a0fc1 ("drm/msm/dsi: Add 8x96 info in dsi_cfg")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/496318/
+Link: https://lore.kernel.org/r/20220804073608.v4.1.I1056ee3f77f71287f333279efe4c85f88d403f65@changeid
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
+index 2c23324a2296b..02000a7b7a18c 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
+@@ -109,7 +109,7 @@ static const char * const dsi_8996_bus_clk_names[] = {
+ static const struct msm_dsi_config msm8996_dsi_cfg = {
+ .io_offset = DSI_6G_REG_SHIFT,
+ .reg_cfg = {
+- .num = 2,
++ .num = 3,
+ .regs = {
+ {"vdda", 18160, 1 }, /* 1.25 V */
+ {"vcca", 17000, 32 }, /* 0.925 V */
+--
+2.35.1
+
--- /dev/null
+From 1226df9d344879aca775d3bf313c51eb7b4f4075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 07:38:49 -0700
+Subject: drm/msm/dsi: Fix number of regulators for SDM660
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit a1653a75987749ba6dba94fa2e62f0f36b387d1a ]
+
+1 regulator is listed but the number 2 is specified. This presumably
+means we try to get a regulator with no name. Fix it.
+
+Fixes: 462f7017a691 ("drm/msm/dsi: Fix DSI and DSI PHY regulator config from SDM660")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/496323/
+Link: https://lore.kernel.org/r/20220804073608.v4.2.I94b3c3e412b7c208061349f05659e126483171b1@changeid
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
+index 02000a7b7a18c..72c018e26f47f 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
+@@ -148,7 +148,7 @@ static const char * const dsi_sdm660_bus_clk_names[] = {
+ static const struct msm_dsi_config sdm660_dsi_cfg = {
+ .io_offset = DSI_6G_REG_SHIFT,
+ .reg_cfg = {
+- .num = 2,
++ .num = 1,
+ .regs = {
+ {"vdda", 12560, 4 }, /* 1.2 V */
+ },
+--
+2.35.1
+
--- /dev/null
+From 859073e0c8fbe478fef96fbd26a0d1aa1d67ab50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 09:56:22 +0800
+Subject: drm/msm/dsi: fix the inconsistent indenting
+
+From: sunliming <sunliming@kylinos.cn>
+
+[ Upstream commit 2f25a1fb4ec516c5ad67afd754334b491b9f09a5 ]
+
+Fix the inconsistent indenting in function msm_dsi_dphy_timing_calc_v3().
+
+Fix the following smatch warnings:
+
+drivers/gpu/drm/msm/dsi/phy/dsi_phy.c:350 msm_dsi_dphy_timing_calc_v3() warn: inconsistent indenting
+
+Fixes: f1fa7ff44056 ("drm/msm/dsi: implement auto PHY timing calculator for 10nm PHY")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: sunliming <sunliming@kylinos.cn>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/494662/
+Link: https://lore.kernel.org/r/20220719015622.646718-1-sunliming@kylinos.cn
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
+index a39de3bdc7faf..56dfa2d24be1f 100644
+--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
+@@ -347,7 +347,7 @@ int msm_dsi_dphy_timing_calc_v3(struct msm_dsi_dphy_timing *timing,
+ } else {
+ timing->shared_timings.clk_pre =
+ linear_inter(tmax, tmin, pcnt2, 0, false);
+- timing->shared_timings.clk_pre_inc_by_2 = 0;
++ timing->shared_timings.clk_pre_inc_by_2 = 0;
+ }
+
+ timing->ta_go = 3;
+--
+2.35.1
+
--- /dev/null
+From 77d318b2082a0b67ab3e776842227f0f62698995 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jul 2022 09:26:32 -0700
+Subject: drm/msm/gpu: Drop qos request if devm_devfreq_add_device() fails
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 02b9f2636209beb843ca501d47f7fddc8792b2d7 ]
+
+In the event that devm_devfreq_add_device() fails the device's qos freq
+list is left referencing df->idle_freq and df->boost_freq. Attempting to
+initialize devfreq again after a probe deferral will then cause invalid
+memory accesses in dev_pm_qos_add_request().
+
+Fix this by dropping the requests in the error path.
+
+Fixes: 7c0ffcd40b16 ("drm/msm/gpu: Respect PM QoS constraints")
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Rob Clark <robdclark@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/493001/
+Link: https://lore.kernel.org/r/20220708162632.3529864-1-bjorn.andersson@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gpu_devfreq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/msm_gpu_devfreq.c b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+index ea94bc18e72eb..89cc93eb67557 100644
+--- a/drivers/gpu/drm/msm/msm_gpu_devfreq.c
++++ b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+@@ -213,6 +213,8 @@ void msm_devfreq_init(struct msm_gpu *gpu)
+
+ if (IS_ERR(df->devfreq)) {
+ DRM_DEV_ERROR(&gpu->pdev->dev, "Couldn't initialize GPU devfreq\n");
++ dev_pm_qos_remove_request(&df->idle_freq);
++ dev_pm_qos_remove_request(&df->boost_freq);
+ df->devfreq = NULL;
+ return;
+ }
+--
+2.35.1
+
--- /dev/null
+From 28ca108b75cabf1d40dc76ab2f7751ac75961e0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Aug 2022 23:38:15 +0800
+Subject: ethernet: rocker: fix sleep in atomic context bug in
+ neigh_timer_handler
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit c0955bf957be4bead01fae1d791476260da7325d ]
+
+The function neigh_timer_handler() is a timer handler that runs in an
+atomic context. When used by rocker, neigh_timer_handler() calls
+"kzalloc(.., GFP_KERNEL)" that may sleep. As a result, the sleep in
+atomic context bug will happen. One of the processes is shown below:
+
+ofdpa_fib4_add()
+ ...
+ neigh_add_timer()
+
+(wait a timer)
+
+neigh_timer_handler()
+ neigh_release()
+ neigh_destroy()
+ rocker_port_neigh_destroy()
+ rocker_world_port_neigh_destroy()
+ ofdpa_port_neigh_destroy()
+ ofdpa_port_ipv4_neigh()
+ kzalloc(sizeof(.., GFP_KERNEL) //may sleep
+
+This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to
+GFP_ATOMIC in order to mitigate the bug.
+
+Fixes: 00fc0c51e35b ("rocker: Change world_ops API and implementation to be switchdev independant")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_ofdpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c
+index bc70c6abd6a5b..58cf7cc54f408 100644
+--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c
++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c
+@@ -1273,7 +1273,7 @@ static int ofdpa_port_ipv4_neigh(struct ofdpa_port *ofdpa_port,
+ bool removing;
+ int err = 0;
+
+- entry = kzalloc(sizeof(*entry), GFP_KERNEL);
++ entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+ if (!entry)
+ return -ENOMEM;
+
+--
+2.35.1
+
--- /dev/null
+From 66071bfe9243c2077bb27e412c90babea827fcbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Aug 2022 11:42:24 +0800
+Subject: ieee802154/adf7242: defer destroy_workqueue call
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit afe7116f6d3b888778ed6d95e3cf724767b9aedf ]
+
+There is a possible race condition (use-after-free) like below
+
+ (FREE) | (USE)
+ adf7242_remove | adf7242_channel
+ cancel_delayed_work_sync |
+ destroy_workqueue (1) | adf7242_cmd_rx
+ | mod_delayed_work (2)
+ |
+
+The root cause for this race is that the upper layer (ieee802154) is
+unaware of this detaching event and the function adf7242_channel can
+be called without any checks.
+
+To fix this, we can add a flag write at the beginning of adf7242_remove
+and add flag check in adf7242_channel. Or we can just defer the
+destructive operation like other commit 3e0588c291d6 ("hamradio: defer
+ax25 kfree after unregister_netdev") which let the
+ieee802154_unregister_hw() to handle the synchronization. This patch
+takes the second option.
+
+Fixes: 58e9683d1475 ("net: ieee802154: adf7242: Fix OCL calibration
+runs")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Link: https://lore.kernel.org/r/20220808034224.12642-1-linma@zju.edu.cn
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/adf7242.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
+index 6afdf1622944e..5cf218c674a5a 100644
+--- a/drivers/net/ieee802154/adf7242.c
++++ b/drivers/net/ieee802154/adf7242.c
+@@ -1310,10 +1310,11 @@ static void adf7242_remove(struct spi_device *spi)
+
+ debugfs_remove_recursive(lp->debugfs_root);
+
++ ieee802154_unregister_hw(lp->hw);
++
+ cancel_delayed_work_sync(&lp->work);
+ destroy_workqueue(lp->wqueue);
+
+- ieee802154_unregister_hw(lp->hw);
+ mutex_destroy(&lp->bmux);
+ ieee802154_free_hw(lp->hw);
+ }
+--
+2.35.1
+
--- /dev/null
+From 2eadc1f283728b6f4068aadccd95709404fa621c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 15:07:18 +0200
+Subject: iio: adc: mcp3911: make use of the sign bit
+
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+
+[ Upstream commit 8f89e33bf040bbef66386c426198622180233178 ]
+
+The device supports negative values as well.
+
+Fixes: 3a89b289df5d ("iio: adc: add support for mcp3911")
+Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220722130726.7627-2-marcus.folkesson@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/mcp3911.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/adc/mcp3911.c b/drivers/iio/adc/mcp3911.c
+index 1cb4590fe4125..f581cefb67195 100644
+--- a/drivers/iio/adc/mcp3911.c
++++ b/drivers/iio/adc/mcp3911.c
+@@ -113,6 +113,8 @@ static int mcp3911_read_raw(struct iio_dev *indio_dev,
+ if (ret)
+ goto out;
+
++ *val = sign_extend32(*val, 23);
++
+ ret = IIO_VAL_INT;
+ break;
+
+--
+2.35.1
+
--- /dev/null
+From 6862afd1ad0f919e26e88a46213e49e0c2c91db0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 10:41:18 +0300
+Subject: ip_tunnel: Respect tunnel key's "flow_flags" in IP tunnels
+
+From: Eyal Birger <eyal.birger@gmail.com>
+
+[ Upstream commit 7ec9fce4b31604f8415136a4c07f7dc8ad431aec ]
+
+Commit 451ef36bd229 ("ip_tunnels: Add new flow flags field to ip_tunnel_key")
+added a "flow_flags" member to struct ip_tunnel_key which was later used by
+the commit in the fixes tag to avoid dropping packets with sources that
+aren't locally configured when set in bpf_set_tunnel_key().
+
+VXLAN and GENEVE were made to respect this flag, ip tunnels like IPIP and GRE
+were not.
+
+This commit fixes this omission by making ip_tunnel_init_flow() receive
+the flow flags from the tunnel key in the relevant collect_md paths.
+
+Fixes: b8fff748521c ("bpf: Set flow flag to allow any source IP in bpf_tunnel_key")
+Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Paul Chaignon <paul@isovalent.com>
+Link: https://lore.kernel.org/bpf/20220818074118.726639-1-eyal.birger@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c | 3 ++-
+ include/net/ip_tunnels.h | 4 +++-
+ net/ipv4/ip_gre.c | 2 +-
+ net/ipv4/ip_tunnel.c | 7 ++++---
+ 4 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c
+index fe663b0ab7086..68d87e61bdc05 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c
+@@ -423,7 +423,8 @@ mlxsw_sp_span_gretap4_route(const struct net_device *to_dev,
+
+ parms = mlxsw_sp_ipip_netdev_parms4(to_dev);
+ ip_tunnel_init_flow(&fl4, parms.iph.protocol, *daddrp, *saddrp,
+- 0, 0, dev_net(to_dev), parms.link, tun->fwmark, 0);
++ 0, 0, dev_net(to_dev), parms.link, tun->fwmark, 0,
++ 0);
+
+ rt = ip_route_output_key(tun->net, &fl4);
+ if (IS_ERR(rt))
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 20f60d9da7418..cf1f22c01ed3d 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -246,7 +246,8 @@ static inline void ip_tunnel_init_flow(struct flowi4 *fl4,
+ __be32 daddr, __be32 saddr,
+ __be32 key, __u8 tos,
+ struct net *net, int oif,
+- __u32 mark, __u32 tun_inner_hash)
++ __u32 mark, __u32 tun_inner_hash,
++ __u8 flow_flags)
+ {
+ memset(fl4, 0, sizeof(*fl4));
+
+@@ -263,6 +264,7 @@ static inline void ip_tunnel_init_flow(struct flowi4 *fl4,
+ fl4->fl4_gre_key = key;
+ fl4->flowi4_mark = mark;
+ fl4->flowi4_multipath_hash = tun_inner_hash;
++ fl4->flowi4_flags = flow_flags;
+ }
+
+ int ip_tunnel_init(struct net_device *dev);
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 5c58e21f724e9..f866d6282b2b3 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -609,7 +609,7 @@ static int gre_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
+ ip_tunnel_init_flow(&fl4, IPPROTO_GRE, key->u.ipv4.dst, key->u.ipv4.src,
+ tunnel_id_to_key32(key->tun_id),
+ key->tos & ~INET_ECN_MASK, dev_net(dev), 0,
+- skb->mark, skb_get_hash(skb));
++ skb->mark, skb_get_hash(skb), key->flow_flags);
+ rt = ip_route_output_key(dev_net(dev), &fl4);
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index 94017a8c39945..1ad8809fc2e3b 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -295,7 +295,7 @@ static int ip_tunnel_bind_dev(struct net_device *dev)
+ ip_tunnel_init_flow(&fl4, iph->protocol, iph->daddr,
+ iph->saddr, tunnel->parms.o_key,
+ RT_TOS(iph->tos), dev_net(dev),
+- tunnel->parms.link, tunnel->fwmark, 0);
++ tunnel->parms.link, tunnel->fwmark, 0, 0);
+ rt = ip_route_output_key(tunnel->net, &fl4);
+
+ if (!IS_ERR(rt)) {
+@@ -570,7 +570,8 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
+ }
+ ip_tunnel_init_flow(&fl4, proto, key->u.ipv4.dst, key->u.ipv4.src,
+ tunnel_id_to_key32(key->tun_id), RT_TOS(tos),
+- dev_net(dev), 0, skb->mark, skb_get_hash(skb));
++ dev_net(dev), 0, skb->mark, skb_get_hash(skb),
++ key->flow_flags);
+ if (tunnel->encap.type != TUNNEL_ENCAP_NONE)
+ goto tx_error;
+
+@@ -728,7 +729,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
+ ip_tunnel_init_flow(&fl4, protocol, dst, tnl_params->saddr,
+ tunnel->parms.o_key, RT_TOS(tos),
+ dev_net(dev), tunnel->parms.link,
+- tunnel->fwmark, skb_get_hash(skb));
++ tunnel->fwmark, skb_get_hash(skb), 0);
+
+ if (ip_tunnel_encap(skb, tunnel, &protocol, &fl4) < 0)
+ goto tx_error;
+--
+2.35.1
+
--- /dev/null
+From 24f0a9d904818a2c912d3ce6a9e6bc73f620af7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Aug 2022 11:13:14 -0700
+Subject: kcm: fix strp_init() order and cleanup
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit 8fc29ff3910f3af08a7c40a75d436b5720efe2bf ]
+
+strp_init() is called just a few lines above this csk->sk_user_data
+check, it also initializes strp->work etc., therefore, it is
+unnecessary to call strp_done() to cancel the freshly initialized
+work.
+
+And if sk_user_data is already used by KCM, psock->strp should not be
+touched, particularly strp->work state, so we need to move strp_init()
+after the csk->sk_user_data check.
+
+This also makes a lockdep warning reported by syzbot go away.
+
+Reported-and-tested-by: syzbot+9fc084a4348493ef65d2@syzkaller.appspotmail.com
+Reported-by: syzbot+e696806ef96cdd2d87cd@syzkaller.appspotmail.com
+Fixes: e5571240236c ("kcm: Check if sk_user_data already set in kcm_attach")
+Fixes: dff8baa26117 ("kcm: Call strp_stop before strp_done in kcm_attach")
+Cc: Tom Herbert <tom@herbertland.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/r/20220827181314.193710-1-xiyou.wangcong@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 71899e5a5a111..1215c863e1c41 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1412,12 +1412,6 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
+ psock->sk = csk;
+ psock->bpf_prog = prog;
+
+- err = strp_init(&psock->strp, csk, &cb);
+- if (err) {
+- kmem_cache_free(kcm_psockp, psock);
+- goto out;
+- }
+-
+ write_lock_bh(&csk->sk_callback_lock);
+
+ /* Check if sk_user_data is already by KCM or someone else.
+@@ -1425,13 +1419,18 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
+ */
+ if (csk->sk_user_data) {
+ write_unlock_bh(&csk->sk_callback_lock);
+- strp_stop(&psock->strp);
+- strp_done(&psock->strp);
+ kmem_cache_free(kcm_psockp, psock);
+ err = -EALREADY;
+ goto out;
+ }
+
++ err = strp_init(&psock->strp, csk, &cb);
++ if (err) {
++ write_unlock_bh(&csk->sk_callback_lock);
++ kmem_cache_free(kcm_psockp, psock);
++ goto out;
++ }
++
+ psock->save_data_ready = csk->sk_data_ready;
+ psock->save_write_space = csk->sk_write_space;
+ psock->save_state_change = csk->sk_state_change;
+--
+2.35.1
+
--- /dev/null
+From d75b1364ed90cec79ce3d0278beb58e0f2379168 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 11:59:16 -0400
+Subject: mlxbf_gige: compute MDIO period based on i1clk
+
+From: David Thompson <davthompson@nvidia.com>
+
+[ Upstream commit 3a1a274e933fca73fdc960cb1f60636cd285a265 ]
+
+This patch adds logic to compute the MDIO period based on
+the i1clk, and thereafter write the MDIO period into the YU
+MDIO config register. The i1clk resource from the ACPI table
+is used to provide addressing to YU bootrecord PLL registers.
+The values in these registers are used to compute MDIO period.
+If the i1clk resource is not present in the ACPI table, then
+the current default hardcorded value of 430Mhz is used.
+The i1clk clock value of 430MHz is only accurate for boards
+with BF2 mid bin and main bin SoCs. The BF2 high bin SoCs
+have i1clk = 500MHz, but can support a slower MDIO period.
+
+Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver")
+Reviewed-by: Asmaa Mnebhi <asmaa@nvidia.com>
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/20220826155916.12491-1-davthompson@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 4 +-
+ .../mellanox/mlxbf_gige/mlxbf_gige_mdio.c | 122 +++++++++++++++---
+ .../mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 +
+ 3 files changed, 110 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h
+index 5fdf9b7179f55..5a1027b072155 100644
+--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h
++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h
+@@ -75,6 +75,7 @@ struct mlxbf_gige {
+ struct net_device *netdev;
+ struct platform_device *pdev;
+ void __iomem *mdio_io;
++ void __iomem *clk_io;
+ struct mii_bus *mdiobus;
+ spinlock_t lock; /* for packet processing indices */
+ u16 rx_q_entries;
+@@ -137,7 +138,8 @@ enum mlxbf_gige_res {
+ MLXBF_GIGE_RES_MDIO9,
+ MLXBF_GIGE_RES_GPIO0,
+ MLXBF_GIGE_RES_LLU,
+- MLXBF_GIGE_RES_PLU
++ MLXBF_GIGE_RES_PLU,
++ MLXBF_GIGE_RES_CLK
+ };
+
+ /* Version of register data returned by mlxbf_gige_get_regs() */
+diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_mdio.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_mdio.c
+index 2e6c1b7af0964..85155cd9405c5 100644
+--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_mdio.c
++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_mdio.c
+@@ -22,10 +22,23 @@
+ #include <linux/property.h>
+
+ #include "mlxbf_gige.h"
++#include "mlxbf_gige_regs.h"
+
+ #define MLXBF_GIGE_MDIO_GW_OFFSET 0x0
+ #define MLXBF_GIGE_MDIO_CFG_OFFSET 0x4
+
++#define MLXBF_GIGE_MDIO_FREQ_REFERENCE 156250000ULL
++#define MLXBF_GIGE_MDIO_COREPLL_CONST 16384ULL
++#define MLXBF_GIGE_MDC_CLK_NS 400
++#define MLXBF_GIGE_MDIO_PLL_I1CLK_REG1 0x4
++#define MLXBF_GIGE_MDIO_PLL_I1CLK_REG2 0x8
++#define MLXBF_GIGE_MDIO_CORE_F_SHIFT 0
++#define MLXBF_GIGE_MDIO_CORE_F_MASK GENMASK(25, 0)
++#define MLXBF_GIGE_MDIO_CORE_R_SHIFT 26
++#define MLXBF_GIGE_MDIO_CORE_R_MASK GENMASK(31, 26)
++#define MLXBF_GIGE_MDIO_CORE_OD_SHIFT 0
++#define MLXBF_GIGE_MDIO_CORE_OD_MASK GENMASK(3, 0)
++
+ /* Support clause 22 */
+ #define MLXBF_GIGE_MDIO_CL22_ST1 0x1
+ #define MLXBF_GIGE_MDIO_CL22_WRITE 0x1
+@@ -50,27 +63,76 @@
+ #define MLXBF_GIGE_MDIO_CFG_MDIO_IN_SAMP_MASK GENMASK(23, 16)
+ #define MLXBF_GIGE_MDIO_CFG_MDIO_OUT_SAMP_MASK GENMASK(31, 24)
+
++#define MLXBF_GIGE_MDIO_CFG_VAL (FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_MODE_MASK, 1) | \
++ FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO3_3_MASK, 1) | \
++ FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_FULL_DRIVE_MASK, 1) | \
++ FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_IN_SAMP_MASK, 6) | \
++ FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_OUT_SAMP_MASK, 13))
++
++#define MLXBF_GIGE_BF2_COREPLL_ADDR 0x02800c30
++#define MLXBF_GIGE_BF2_COREPLL_SIZE 0x0000000c
++
++static struct resource corepll_params[] = {
++ [MLXBF_GIGE_VERSION_BF2] = {
++ .start = MLXBF_GIGE_BF2_COREPLL_ADDR,
++ .end = MLXBF_GIGE_BF2_COREPLL_ADDR + MLXBF_GIGE_BF2_COREPLL_SIZE - 1,
++ .name = "COREPLL_RES"
++ },
++};
++
++/* Returns core clock i1clk in Hz */
++static u64 calculate_i1clk(struct mlxbf_gige *priv)
++{
++ u8 core_od, core_r;
++ u64 freq_output;
++ u32 reg1, reg2;
++ u32 core_f;
++
++ reg1 = readl(priv->clk_io + MLXBF_GIGE_MDIO_PLL_I1CLK_REG1);
++ reg2 = readl(priv->clk_io + MLXBF_GIGE_MDIO_PLL_I1CLK_REG2);
++
++ core_f = (reg1 & MLXBF_GIGE_MDIO_CORE_F_MASK) >>
++ MLXBF_GIGE_MDIO_CORE_F_SHIFT;
++ core_r = (reg1 & MLXBF_GIGE_MDIO_CORE_R_MASK) >>
++ MLXBF_GIGE_MDIO_CORE_R_SHIFT;
++ core_od = (reg2 & MLXBF_GIGE_MDIO_CORE_OD_MASK) >>
++ MLXBF_GIGE_MDIO_CORE_OD_SHIFT;
++
++ /* Compute PLL output frequency as follow:
++ *
++ * CORE_F / 16384
++ * freq_output = freq_reference * ----------------------------
++ * (CORE_R + 1) * (CORE_OD + 1)
++ */
++ freq_output = div_u64((MLXBF_GIGE_MDIO_FREQ_REFERENCE * core_f),
++ MLXBF_GIGE_MDIO_COREPLL_CONST);
++ freq_output = div_u64(freq_output, (core_r + 1) * (core_od + 1));
++
++ return freq_output;
++}
++
+ /* Formula for encoding the MDIO period. The encoded value is
+ * passed to the MDIO config register.
+ *
+- * mdc_clk = 2*(val + 1)*i1clk
++ * mdc_clk = 2*(val + 1)*(core clock in sec)
+ *
+- * 400 ns = 2*(val + 1)*(((1/430)*1000) ns)
++ * i1clk is in Hz:
++ * 400 ns = 2*(val + 1)*(1/i1clk)
+ *
+- * val = (((400 * 430 / 1000) / 2) - 1)
++ * val = (((400/10^9) / (1/i1clk) / 2) - 1)
++ * val = (400/2 * i1clk)/10^9 - 1
+ */
+-#define MLXBF_GIGE_I1CLK_MHZ 430
+-#define MLXBF_GIGE_MDC_CLK_NS 400
++static u8 mdio_period_map(struct mlxbf_gige *priv)
++{
++ u8 mdio_period;
++ u64 i1clk;
+
+-#define MLXBF_GIGE_MDIO_PERIOD (((MLXBF_GIGE_MDC_CLK_NS * MLXBF_GIGE_I1CLK_MHZ / 1000) / 2) - 1)
++ i1clk = calculate_i1clk(priv);
+
+-#define MLXBF_GIGE_MDIO_CFG_VAL (FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_MODE_MASK, 1) | \
+- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO3_3_MASK, 1) | \
+- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_FULL_DRIVE_MASK, 1) | \
+- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDC_PERIOD_MASK, \
+- MLXBF_GIGE_MDIO_PERIOD) | \
+- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_IN_SAMP_MASK, 6) | \
+- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_OUT_SAMP_MASK, 13))
++ mdio_period = div_u64((MLXBF_GIGE_MDC_CLK_NS >> 1) * i1clk, 1000000000) - 1;
++
++ return mdio_period;
++}
+
+ static u32 mlxbf_gige_mdio_create_cmd(u16 data, int phy_add,
+ int phy_reg, u32 opcode)
+@@ -124,9 +186,9 @@ static int mlxbf_gige_mdio_write(struct mii_bus *bus, int phy_add,
+ int phy_reg, u16 val)
+ {
+ struct mlxbf_gige *priv = bus->priv;
++ u32 temp;
+ u32 cmd;
+ int ret;
+- u32 temp;
+
+ if (phy_reg & MII_ADDR_C45)
+ return -EOPNOTSUPP;
+@@ -144,18 +206,44 @@ static int mlxbf_gige_mdio_write(struct mii_bus *bus, int phy_add,
+ return ret;
+ }
+
++static void mlxbf_gige_mdio_cfg(struct mlxbf_gige *priv)
++{
++ u8 mdio_period;
++ u32 val;
++
++ mdio_period = mdio_period_map(priv);
++
++ val = MLXBF_GIGE_MDIO_CFG_VAL;
++ val |= FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDC_PERIOD_MASK, mdio_period);
++ writel(val, priv->mdio_io + MLXBF_GIGE_MDIO_CFG_OFFSET);
++}
++
+ int mlxbf_gige_mdio_probe(struct platform_device *pdev, struct mlxbf_gige *priv)
+ {
+ struct device *dev = &pdev->dev;
++ struct resource *res;
+ int ret;
+
+ priv->mdio_io = devm_platform_ioremap_resource(pdev, MLXBF_GIGE_RES_MDIO9);
+ if (IS_ERR(priv->mdio_io))
+ return PTR_ERR(priv->mdio_io);
+
+- /* Configure mdio parameters */
+- writel(MLXBF_GIGE_MDIO_CFG_VAL,
+- priv->mdio_io + MLXBF_GIGE_MDIO_CFG_OFFSET);
++ /* clk resource shared with other drivers so cannot use
++ * devm_platform_ioremap_resource
++ */
++ res = platform_get_resource(pdev, IORESOURCE_MEM, MLXBF_GIGE_RES_CLK);
++ if (!res) {
++ /* For backward compatibility with older ACPI tables, also keep
++ * CLK resource internal to the driver.
++ */
++ res = &corepll_params[MLXBF_GIGE_VERSION_BF2];
++ }
++
++ priv->clk_io = devm_ioremap(dev, res->start, resource_size(res));
++ if (IS_ERR(priv->clk_io))
++ return PTR_ERR(priv->clk_io);
++
++ mlxbf_gige_mdio_cfg(priv);
+
+ priv->mdiobus = devm_mdiobus_alloc(dev);
+ if (!priv->mdiobus) {
+diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h
+index 5fb33c9294bf9..7be3a793984d5 100644
+--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h
++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h
+@@ -8,6 +8,8 @@
+ #ifndef __MLXBF_GIGE_REGS_H__
+ #define __MLXBF_GIGE_REGS_H__
+
++#define MLXBF_GIGE_VERSION 0x0000
++#define MLXBF_GIGE_VERSION_BF2 0x0
+ #define MLXBF_GIGE_STATUS 0x0010
+ #define MLXBF_GIGE_STATUS_READY BIT(0)
+ #define MLXBF_GIGE_INT_STATUS 0x0028
+--
+2.35.1
+
--- /dev/null
+From b3c4b534f017194df30f9fa3a993d134f54f5119 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Aug 2022 14:30:33 -0400
+Subject: mm/slab_common: Deleting kobject in kmem_cache_destroy() without
+ holding slab_mutex/cpu_hotplug_lock
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 0495e337b7039191dfce6e03f5f830454b1fae6b ]
+
+A circular locking problem is reported by lockdep due to the following
+circular locking dependency.
+
+ +--> cpu_hotplug_lock --> slab_mutex --> kn->active --+
+ | |
+ +-----------------------------------------------------+
+
+The forward cpu_hotplug_lock ==> slab_mutex ==> kn->active dependency
+happens in
+
+ kmem_cache_destroy(): cpus_read_lock(); mutex_lock(&slab_mutex);
+ ==> sysfs_slab_unlink()
+ ==> kobject_del()
+ ==> kernfs_remove()
+ ==> __kernfs_remove()
+ ==> kernfs_drain(): rwsem_acquire(&kn->dep_map, ...);
+
+The backward kn->active ==> cpu_hotplug_lock dependency happens in
+
+ kernfs_fop_write_iter(): kernfs_get_active();
+ ==> slab_attr_store()
+ ==> cpu_partial_store()
+ ==> flush_all(): cpus_read_lock()
+
+One way to break this circular locking chain is to avoid holding
+cpu_hotplug_lock and slab_mutex while deleting the kobject in
+sysfs_slab_unlink() which should be equivalent to doing a write_lock
+and write_unlock pair of the kn->active virtual lock.
+
+Since the kobject structures are not protected by slab_mutex or the
+cpu_hotplug_lock, we can certainly release those locks before doing
+the delete operation.
+
+Move sysfs_slab_unlink() and sysfs_slab_release() to the newly
+created kmem_cache_release() and call it outside the slab_mutex &
+cpu_hotplug_lock critical sections. There will be a slight delay
+in the deletion of sysfs files if kmem_cache_release() is called
+indirectly from a work function.
+
+Fixes: 5a836bf6b09f ("mm: slub: move flush_cpu_slab() invocations __free_slab() invocations out of IRQ context")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Reviewed-by: Roman Gushchin <roman.gushchin@linux.dev>
+Acked-by: David Rientjes <rientjes@google.com>
+Link: https://lore.kernel.org/all/YwOImVd+nRUsSAga@hyeyoo/
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/slab_common.c | 45 +++++++++++++++++++++++++++++----------------
+ 1 file changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index 77c3adf40e504..dbd4b6f9b0e79 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -420,6 +420,28 @@ kmem_cache_create(const char *name, unsigned int size, unsigned int align,
+ }
+ EXPORT_SYMBOL(kmem_cache_create);
+
++#ifdef SLAB_SUPPORTS_SYSFS
++/*
++ * For a given kmem_cache, kmem_cache_destroy() should only be called
++ * once or there will be a use-after-free problem. The actual deletion
++ * and release of the kobject does not need slab_mutex or cpu_hotplug_lock
++ * protection. So they are now done without holding those locks.
++ *
++ * Note that there will be a slight delay in the deletion of sysfs files
++ * if kmem_cache_release() is called indrectly from a work function.
++ */
++static void kmem_cache_release(struct kmem_cache *s)
++{
++ sysfs_slab_unlink(s);
++ sysfs_slab_release(s);
++}
++#else
++static void kmem_cache_release(struct kmem_cache *s)
++{
++ slab_kmem_cache_release(s);
++}
++#endif
++
+ static void slab_caches_to_rcu_destroy_workfn(struct work_struct *work)
+ {
+ LIST_HEAD(to_destroy);
+@@ -446,11 +468,7 @@ static void slab_caches_to_rcu_destroy_workfn(struct work_struct *work)
+ list_for_each_entry_safe(s, s2, &to_destroy, list) {
+ debugfs_slab_release(s);
+ kfence_shutdown_cache(s);
+-#ifdef SLAB_SUPPORTS_SYSFS
+- sysfs_slab_release(s);
+-#else
+- slab_kmem_cache_release(s);
+-#endif
++ kmem_cache_release(s);
+ }
+ }
+
+@@ -465,20 +483,11 @@ static int shutdown_cache(struct kmem_cache *s)
+ list_del(&s->list);
+
+ if (s->flags & SLAB_TYPESAFE_BY_RCU) {
+-#ifdef SLAB_SUPPORTS_SYSFS
+- sysfs_slab_unlink(s);
+-#endif
+ list_add_tail(&s->list, &slab_caches_to_rcu_destroy);
+ schedule_work(&slab_caches_to_rcu_destroy_work);
+ } else {
+ kfence_shutdown_cache(s);
+ debugfs_slab_release(s);
+-#ifdef SLAB_SUPPORTS_SYSFS
+- sysfs_slab_unlink(s);
+- sysfs_slab_release(s);
+-#else
+- slab_kmem_cache_release(s);
+-#endif
+ }
+
+ return 0;
+@@ -493,14 +502,16 @@ void slab_kmem_cache_release(struct kmem_cache *s)
+
+ void kmem_cache_destroy(struct kmem_cache *s)
+ {
++ int refcnt;
++
+ if (unlikely(!s) || !kasan_check_byte(s))
+ return;
+
+ cpus_read_lock();
+ mutex_lock(&slab_mutex);
+
+- s->refcount--;
+- if (s->refcount)
++ refcnt = --s->refcount;
++ if (refcnt)
+ goto out_unlock;
+
+ WARN(shutdown_cache(s),
+@@ -509,6 +520,8 @@ void kmem_cache_destroy(struct kmem_cache *s)
+ out_unlock:
+ mutex_unlock(&slab_mutex);
+ cpus_read_unlock();
++ if (!refcnt && !(s->flags & SLAB_TYPESAFE_BY_RCU))
++ kmem_cache_release(s);
+ }
+ EXPORT_SYMBOL(kmem_cache_destroy);
+
+--
+2.35.1
+
--- /dev/null
+From b86d51b3e5e922801c30e5193c424aef95815fc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 13:36:44 +0200
+Subject: net: dsa: xrs700x: Use irqsave variant for u64 stats update
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 3f8ae9fe0409698799e173f698b714f34570b64b ]
+
+xrs700x_read_port_counters() updates the stats from a worker using the
+u64_stats_update_begin() version. This is okay on 32-UP since on the
+reader side preemption is disabled.
+On 32bit-SMP the writer can be preempted by the reader at which point
+the reader will spin on the seqcount until writer continues and
+completes the update.
+
+Assigning the mib_mutex mutex to the underlying seqcount would ensure
+proper synchronisation. The API for that on the u64_stats_init() side
+isn't available. Since it is the only user, just use disable interrupts
+during the update.
+
+Use u64_stats_update_begin_irqsave() on the writer side to ensure an
+uninterrupted update.
+
+Fixes: ee00b24f32eb8 ("net: dsa: add Arrow SpeedChips XRS700x driver")
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: George McCollister <george.mccollister@gmail.com>
+Cc: Vivien Didelot <vivien.didelot@gmail.com>
+Cc: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: George McCollister <george.mccollister@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/xrs700x/xrs700x.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/xrs700x/xrs700x.c b/drivers/net/dsa/xrs700x/xrs700x.c
+index 3887ed33c5fe2..fa622639d6401 100644
+--- a/drivers/net/dsa/xrs700x/xrs700x.c
++++ b/drivers/net/dsa/xrs700x/xrs700x.c
+@@ -109,6 +109,7 @@ static void xrs700x_read_port_counters(struct xrs700x *priv, int port)
+ {
+ struct xrs700x_port *p = &priv->ports[port];
+ struct rtnl_link_stats64 stats;
++ unsigned long flags;
+ int i;
+
+ memset(&stats, 0, sizeof(stats));
+@@ -138,9 +139,9 @@ static void xrs700x_read_port_counters(struct xrs700x *priv, int port)
+ */
+ stats.rx_packets += stats.multicast;
+
+- u64_stats_update_begin(&p->syncp);
++ flags = u64_stats_update_begin_irqsave(&p->syncp);
+ p->stats64 = stats;
+- u64_stats_update_end(&p->syncp);
++ u64_stats_update_end_irqrestore(&p->syncp, flags);
+
+ mutex_unlock(&p->mib_mutex);
+ }
+--
+2.35.1
+
--- /dev/null
+From 5ababbafdb2e63a951d9880e9ac7d7135cf7b14a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 18:00:30 +0300
+Subject: net: lan966x: improve error handle in lan966x_fdma_rx_get_frame()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 13a9d08c296228d18289de60b83792c586e1d073 ]
+
+Don't just print a warning. Clean up and return an error as well.
+
+Fixes: c8349639324a ("net: lan966x: Add FDMA functionality")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://lore.kernel.org/r/YwjgDm/SVd5c1tQU@kili
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c
+index 6dea7f8c14814..51f8a08163777 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c
+@@ -425,7 +425,8 @@ static struct sk_buff *lan966x_fdma_rx_get_frame(struct lan966x_rx *rx)
+ lan966x_ifh_get_src_port(skb->data, &src_port);
+ lan966x_ifh_get_timestamp(skb->data, ×tamp);
+
+- WARN_ON(src_port >= lan966x->num_phys_ports);
++ if (WARN_ON(src_port >= lan966x->num_phys_ports))
++ goto free_skb;
+
+ skb->dev = lan966x->ports[src_port]->dev;
+ skb_pull(skb, IFH_LEN * sizeof(u32));
+@@ -449,6 +450,8 @@ static struct sk_buff *lan966x_fdma_rx_get_frame(struct lan966x_rx *rx)
+
+ return skb;
+
++free_skb:
++ kfree_skb(skb);
+ unmap_page:
+ dma_unmap_page(lan966x->dev, (dma_addr_t)db->dataptr,
+ FDMA_DCB_STATUS_BLOCKL(db->status),
+--
+2.35.1
+
--- /dev/null
+From 7de532302be7d476c6f8a0ca69cb2f4765ea65b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 08:40:55 +0200
+Subject: net: phy: micrel: Make the GPIO to be non-exclusive
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 4a4ce82212ef014d70f486a427005b2b5bab8e34 ]
+
+The same GPIO line can be shared by multiple phys for the coma mode pin.
+If that is the case then, all the other phys that share the same line
+will failed to be probed because the access to the gpio line is not
+non-exclusive.
+Fix this by making access to the gpio line to be nonexclusive using flag
+GPIOD_FLAGS_BIT_NONEXCLUSIVE. This allows all the other PHYs to be
+probed.
+
+Fixes: 738871b09250ee ("net: phy: micrel: add coma mode GPIO")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://lore.kernel.org/r/20220830064055.2340403-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 22139901f01c7..34483a4bd688a 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -2838,12 +2838,18 @@ static int lan8814_config_init(struct phy_device *phydev)
+ return 0;
+ }
+
++/* It is expected that there will not be any 'lan8814_take_coma_mode'
++ * function called in suspend. Because the GPIO line can be shared, so if one of
++ * the phys goes back in coma mode, then all the other PHYs will go, which is
++ * wrong.
++ */
+ static int lan8814_release_coma_mode(struct phy_device *phydev)
+ {
+ struct gpio_desc *gpiod;
+
+ gpiod = devm_gpiod_get_optional(&phydev->mdio.dev, "coma-mode",
+- GPIOD_OUT_HIGH_OPEN_DRAIN);
++ GPIOD_OUT_HIGH_OPEN_DRAIN |
++ GPIOD_FLAGS_BIT_NONEXCLUSIVE);
+ if (IS_ERR(gpiod))
+ return PTR_ERR(gpiod);
+
+--
+2.35.1
+
--- /dev/null
+From 1d3faf28cd4308ab222cea752f10fb2449308c1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 17:00:55 +0800
+Subject: net/sched: fix netdevice reference leaks in attach_default_qdiscs()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit f612466ebecb12a00d9152344ddda6f6345f04dc ]
+
+In attach_default_qdiscs(), if a dev has multiple queues and queue 0 fails
+to attach qdisc because there is no memory in attach_one_default_qdisc().
+Then dev->qdisc will be noop_qdisc by default. But the other queues may be
+able to successfully attach to default qdisc.
+
+In this case, the fallback to noqueue process will be triggered. If the
+original attached qdisc is not released and a new one is directly
+attached, this will cause netdevice reference leaks.
+
+The following is the bug log:
+
+veth0: default qdisc (fq_codel) fail, fallback to noqueue
+unregister_netdevice: waiting for veth0 to become free. Usage count = 32
+leaked reference.
+ qdisc_alloc+0x12e/0x210
+ qdisc_create_dflt+0x62/0x140
+ attach_one_default_qdisc.constprop.41+0x44/0x70
+ dev_activate+0x128/0x290
+ __dev_open+0x12a/0x190
+ __dev_change_flags+0x1a2/0x1f0
+ dev_change_flags+0x23/0x60
+ do_setlink+0x332/0x1150
+ __rtnl_newlink+0x52f/0x8e0
+ rtnl_newlink+0x43/0x70
+ rtnetlink_rcv_msg+0x140/0x3b0
+ netlink_rcv_skb+0x50/0x100
+ netlink_unicast+0x1bb/0x290
+ netlink_sendmsg+0x37c/0x4e0
+ sock_sendmsg+0x5f/0x70
+ ____sys_sendmsg+0x208/0x280
+
+Fix this bug by clearing any non-noop qdiscs that may have been assigned
+before trying to re-attach.
+
+Fixes: bf6dba76d278 ("net: sched: fallback to qdisc noqueue if default qdisc setup fail")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://lore.kernel.org/r/20220826090055.24424-1-wanghai38@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_generic.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index a64c3c1541118..b3596d4bd14a2 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1125,6 +1125,21 @@ struct Qdisc *dev_graft_qdisc(struct netdev_queue *dev_queue,
+ }
+ EXPORT_SYMBOL(dev_graft_qdisc);
+
++static void shutdown_scheduler_queue(struct net_device *dev,
++ struct netdev_queue *dev_queue,
++ void *_qdisc_default)
++{
++ struct Qdisc *qdisc = dev_queue->qdisc_sleeping;
++ struct Qdisc *qdisc_default = _qdisc_default;
++
++ if (qdisc) {
++ rcu_assign_pointer(dev_queue->qdisc, qdisc_default);
++ dev_queue->qdisc_sleeping = qdisc_default;
++
++ qdisc_put(qdisc);
++ }
++}
++
+ static void attach_one_default_qdisc(struct net_device *dev,
+ struct netdev_queue *dev_queue,
+ void *_unused)
+@@ -1172,6 +1187,7 @@ static void attach_default_qdiscs(struct net_device *dev)
+ if (qdisc == &noop_qdisc) {
+ netdev_warn(dev, "default qdisc (%s) fail, fallback to %s\n",
+ default_qdisc_ops->id, noqueue_qdisc_ops.id);
++ netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc);
+ dev->priv_flags |= IFF_NO_QUEUE;
+ netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL);
+ qdisc = txq->qdisc_sleeping;
+@@ -1450,21 +1466,6 @@ void dev_init_scheduler(struct net_device *dev)
+ timer_setup(&dev->watchdog_timer, dev_watchdog, 0);
+ }
+
+-static void shutdown_scheduler_queue(struct net_device *dev,
+- struct netdev_queue *dev_queue,
+- void *_qdisc_default)
+-{
+- struct Qdisc *qdisc = dev_queue->qdisc_sleeping;
+- struct Qdisc *qdisc_default = _qdisc_default;
+-
+- if (qdisc) {
+- rcu_assign_pointer(dev_queue->qdisc, qdisc_default);
+- dev_queue->qdisc_sleeping = qdisc_default;
+-
+- qdisc_put(qdisc);
+- }
+-}
+-
+ void dev_shutdown(struct net_device *dev)
+ {
+ netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc);
+--
+2.35.1
+
--- /dev/null
+From 7cba19da54c3420bf850b7d7ba098d2a63bdae85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 09:39:30 +0800
+Subject: net: sched: tbf: don't call qdisc_put() while holding tree lock
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit b05972f01e7d30419987a1f221b5593668fd6448 ]
+
+The issue is the same to commit c2999f7fb05b ("net: sched: multiq: don't
+call qdisc_put() while holding tree lock"). Qdiscs call qdisc_put() while
+holding sch tree spinlock, which results sleeping-while-atomic BUG.
+
+Fixes: c266f64dbfa2 ("net: sched: protect block state with mutex")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20220826013930.340121-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_tbf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
+index 72102277449e1..36079fdde2cb5 100644
+--- a/net/sched/sch_tbf.c
++++ b/net/sched/sch_tbf.c
+@@ -356,6 +356,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
+ struct nlattr *tb[TCA_TBF_MAX + 1];
+ struct tc_tbf_qopt *qopt;
+ struct Qdisc *child = NULL;
++ struct Qdisc *old = NULL;
+ struct psched_ratecfg rate;
+ struct psched_ratecfg peak;
+ u64 max_size;
+@@ -447,7 +448,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
+ sch_tree_lock(sch);
+ if (child) {
+ qdisc_tree_flush_backlog(q->qdisc);
+- qdisc_put(q->qdisc);
++ old = q->qdisc;
+ q->qdisc = child;
+ }
+ q->limit = qopt->limit;
+@@ -467,6 +468,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
+ memcpy(&q->peak, &peak, sizeof(struct psched_ratecfg));
+
+ sch_tree_unlock(sch);
++ qdisc_put(old);
+ err = 0;
+
+ tbf_offload_change(sch);
+--
+2.35.1
+
--- /dev/null
+From 2c41abd07e52b8f318e623d371c09bb6f1e35b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:23:14 +0800
+Subject: net/smc: Remove redundant refcount increase
+
+From: Yacan Liu <liuyacan@corp.netease.com>
+
+[ Upstream commit a8424a9b4522a3ab9f32175ad6d848739079071f ]
+
+For passive connections, the refcount increment has been done in
+smc_clcsock_accept()-->smc_sock_alloc().
+
+Fixes: 3b2dec2603d5 ("net/smc: restructure client and server code in af_smc")
+Signed-off-by: Yacan Liu <liuyacan@corp.netease.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20220830152314.838736-1-liuyacan@corp.netease.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 433bb5a7df31e..a51d5ed2ad764 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1812,7 +1812,6 @@ static void smc_listen_out_connected(struct smc_sock *new_smc)
+ {
+ struct sock *newsmcsk = &new_smc->sk;
+
+- sk_refcnt_debug_inc(newsmcsk);
+ if (newsmcsk->sk_state == SMC_INIT)
+ newsmcsk->sk_state = SMC_ACTIVE;
+
+--
+2.35.1
+
--- /dev/null
+From 6e908586368a0f577c18244e32b6d1a0a94261b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 19:39:51 -0700
+Subject: net: smsc911x: Stop and start PHY during suspend and resume
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 3ce9f2bef75528936c78a7053301f5725f622f3a ]
+
+Commit 744d23c71af3 ("net: phy: Warn about incorrect
+mdio_bus_phy_resume() state") unveiled that the smsc911x driver was not
+properly stopping and restarting the PHY during suspend/resume. Correct
+that by indicating that the MAC is in charge of PHY PM operations and
+ensure that all MDIO bus activity is quiescent during suspend.
+
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM")
+Fixes: 2aa70f864955 ("net: smsc911x: Quieten netif during suspend")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220825023951.3220-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/smsc/smsc911x.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c
+index 3bf20211cceb4..3829c2805b16c 100644
+--- a/drivers/net/ethernet/smsc/smsc911x.c
++++ b/drivers/net/ethernet/smsc/smsc911x.c
+@@ -1037,6 +1037,8 @@ static int smsc911x_mii_probe(struct net_device *dev)
+ return ret;
+ }
+
++ /* Indicate that the MAC is responsible for managing PHY PM */
++ phydev->mac_managed_pm = true;
+ phy_attached_info(phydev);
+
+ phy_set_max_speed(phydev, SPEED_100);
+@@ -2587,6 +2589,8 @@ static int smsc911x_suspend(struct device *dev)
+ if (netif_running(ndev)) {
+ netif_stop_queue(ndev);
+ netif_device_detach(ndev);
++ if (!device_may_wakeup(dev))
++ phy_stop(ndev->phydev);
+ }
+
+ /* enable wake on LAN, energy detection and the external PME
+@@ -2628,6 +2632,8 @@ static int smsc911x_resume(struct device *dev)
+ if (netif_running(ndev)) {
+ netif_device_attach(ndev);
+ netif_start_queue(ndev);
++ if (!device_may_wakeup(dev))
++ phy_start(ndev->phydev);
+ }
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From fd2d872a5cf920792caf3dc47cd808b0c8918a67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 10:49:55 +0200
+Subject: net: sparx5: fix handling uneven length packets in manual extraction
+
+From: Casper Andersson <casper.casan@gmail.com>
+
+[ Upstream commit 7498a457ecf7ff2c4d379360aa8f24566bb1543e ]
+
+Packets that are not of length divisible by 4 (e.g. 77, 78, 79) would
+have the checksum included up to next multiple of 4 (a 77 bytes packet
+would have 3 bytes of ethernet checksum included). The check for the
+value expects it in host (Little) endian.
+
+Fixes: f3cad2611a77 ("net: sparx5: add hostmode with phylink support")
+Signed-off-by: Casper Andersson <casper.casan@gmail.com>
+Reviewed-by: Steen Hegelund <Steen.Hegelund@microchip.com>
+Link: https://lore.kernel.org/r/20220825084955.684637-1-casper.casan@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+index 304f84aadc36b..21844beba72df 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+@@ -113,6 +113,8 @@ static void sparx5_xtr_grp(struct sparx5 *sparx5, u8 grp, bool byte_swap)
+ /* This assumes STATUS_WORD_POS == 1, Status
+ * just after last data
+ */
++ if (!byte_swap)
++ val = ntohl((__force __be32)val);
+ byte_cnt -= (4 - XTR_VALID_BYTES(val));
+ eof_flag = true;
+ break;
+--
+2.35.1
+
--- /dev/null
+From 75448971929345be70297d426835b997db7200e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 10:08:45 +0200
+Subject: nfp: flower: fix ingress police using matchall filter
+
+From: Tianyu Yuan <tianyu.yuan@corigine.com>
+
+[ Upstream commit ebe5555c2f34505cdb1ae5c3de8b24e33740b3e0 ]
+
+Referenced commit introduced nfp_policer_validate in the progress
+installing rate limiter. This validate check the action id and will
+reject police with CONTINUE, which is required to support ingress
+police offload.
+
+Fix this issue by allowing FLOW_ACTION_CONTINUE as notexceed action
+id in nfp_policer_validate
+
+Fixes: d97b4b105ce7 ("flow_offload: reject offload for all drivers with invalid police parameters")
+Signed-off-by: Tianyu Yuan <tianyu.yuan@corigine.com>
+Reviewed-by: Baowen Zheng <baowen.zheng@corigine.com>
+Reviewed-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20220825080845.507534-1-simon.horman@corigine.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/qos_conf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c b/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c
+index 3206ba83b1aaa..de2ef5bf8c694 100644
+--- a/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c
+@@ -127,10 +127,11 @@ static int nfp_policer_validate(const struct flow_action *action,
+ return -EOPNOTSUPP;
+ }
+
+- if (act->police.notexceed.act_id != FLOW_ACTION_PIPE &&
++ if (act->police.notexceed.act_id != FLOW_ACTION_CONTINUE &&
++ act->police.notexceed.act_id != FLOW_ACTION_PIPE &&
+ act->police.notexceed.act_id != FLOW_ACTION_ACCEPT) {
+ NL_SET_ERR_MSG_MOD(extack,
+- "Offload not supported when conform action is not pipe or ok");
++ "Offload not supported when conform action is not continue, pipe or ok");
+ return -EOPNOTSUPP;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e758f887f41680d299c71fe47e77a7f1dbf65ea7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 05:03:26 +0300
+Subject: openvswitch: fix memory leak at failed datapath creation
+
+From: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
+
+[ Upstream commit a87406f4adee9c53b311d8a1ba2849c69e29a6d0 ]
+
+ovs_dp_cmd_new()->ovs_dp_change()->ovs_dp_set_upcall_portids()
+allocates array via kmalloc.
+If for some reason new_vport() fails during ovs_dp_cmd_new()
+dp->upcall_portids must be freed.
+Add missing kfree.
+
+Kmemleak example:
+unreferenced object 0xffff88800c382500 (size 64):
+ comm "dump_state", pid 323, jiffies 4294955418 (age 104.347s)
+ hex dump (first 32 bytes):
+ 5e c2 79 e4 1f 7a 38 c7 09 21 38 0c 80 88 ff ff ^.y..z8..!8.....
+ 03 00 00 00 0a 00 00 00 14 00 00 00 28 00 00 00 ............(...
+ backtrace:
+ [<0000000071bebc9f>] ovs_dp_set_upcall_portids+0x38/0xa0
+ [<000000000187d8bd>] ovs_dp_change+0x63/0xe0
+ [<000000002397e446>] ovs_dp_cmd_new+0x1f0/0x380
+ [<00000000aa06f36e>] genl_family_rcv_msg_doit+0xea/0x150
+ [<000000008f583bc4>] genl_rcv_msg+0xdc/0x1e0
+ [<00000000fa10e377>] netlink_rcv_skb+0x50/0x100
+ [<000000004959cece>] genl_rcv+0x24/0x40
+ [<000000004699ac7f>] netlink_unicast+0x23e/0x360
+ [<00000000c153573e>] netlink_sendmsg+0x24e/0x4b0
+ [<000000006f4aa380>] sock_sendmsg+0x62/0x70
+ [<00000000d0068654>] ____sys_sendmsg+0x230/0x270
+ [<0000000012dacf7d>] ___sys_sendmsg+0x88/0xd0
+ [<0000000011776020>] __sys_sendmsg+0x59/0xa0
+ [<000000002e8f2dc1>] do_syscall_64+0x3b/0x90
+ [<000000003243e7cb>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: b83d23a2a38b ("openvswitch: Introduce per-cpu upcall dispatch")
+Acked-by: Aaron Conole <aconole@redhat.com>
+Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
+Link: https://lore.kernel.org/r/20220825020326.664073-1-andrey.zhadchenko@virtuozzo.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index 7e8a39a356271..6c9d153afbeee 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1802,7 +1802,7 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ ovs_dp_reset_user_features(skb, info);
+ }
+
+- goto err_unlock_and_destroy_meters;
++ goto err_destroy_portids;
+ }
+
+ err = ovs_dp_cmd_fill_info(dp, reply, info->snd_portid,
+@@ -1817,6 +1817,8 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ ovs_notify(&dp_datapath_genl_family, reply, info);
+ return 0;
+
++err_destroy_portids:
++ kfree(rcu_dereference_raw(dp->upcall_portids));
+ err_unlock_and_destroy_meters:
+ ovs_unlock();
+ ovs_meters_exit(dp);
+--
+2.35.1
+
--- /dev/null
+From 2b6962f6d466c0165cf5fb904a88d36af2900806 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Apr 2022 01:04:25 +0000
+Subject: peci: aspeed: fix error check return value of platform_get_irq()
+
+From: Lv Ruyi <lv.ruyi@zte.com.cn>
+
+[ Upstream commit e79b548b7202bb3accdfe64f113129a4340bc2f9 ]
+
+platform_get_irq() return negative value on failure, so null check of
+priv->irq is incorrect. Fix it by comparing whether it is less than zero.
+
+Fixes: a85e4c52086c ("peci: Add peci-aspeed controller driver")
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
+Link: https://lore.kernel.org/r/20220413010425.2534887-1-lv.ruyi@zte.com.cn
+Reviewed-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Signed-off-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/peci/controller/peci-aspeed.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/peci/controller/peci-aspeed.c b/drivers/peci/controller/peci-aspeed.c
+index 1925ddc13f002..731c5d8f75c66 100644
+--- a/drivers/peci/controller/peci-aspeed.c
++++ b/drivers/peci/controller/peci-aspeed.c
+@@ -523,7 +523,7 @@ static int aspeed_peci_probe(struct platform_device *pdev)
+ return PTR_ERR(priv->base);
+
+ priv->irq = platform_get_irq(pdev, 0);
+- if (!priv->irq)
++ if (priv->irq < 0)
+ return priv->irq;
+
+ ret = devm_request_irq(&pdev->dev, priv->irq, aspeed_peci_irq_handler,
+--
+2.35.1
+
--- /dev/null
+From ee877ecd8389a7e22893ccfda2be995b4b30849a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 23:19:34 +0300
+Subject: platform/mellanox: mlxreg-lc: Fix coverity warning
+
+From: Vadim Pasternak <vadimp@nvidia.com>
+
+[ Upstream commit 17c2bd6bea4c32fe691c1f9ebcc20fd48d77454a ]
+
+Fix smatch warning:
+drivers/platform/mellanox/mlxreg-lc.c:866 mlxreg_lc_probe() warn: passing zero to 'PTR_ERR'
+by removing 'err = PTR_ERR(regmap)'.
+
+Fixes: b4b830a34d80 ("platform/mellanox: mlxreg-lc: Fix error flow and extend verbosity")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20220823201937.46855-2-vadimp@nvidia.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxreg-lc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxreg-lc.c b/drivers/platform/mellanox/mlxreg-lc.c
+index 55834ccb4ac7c..9a1bfcd24317d 100644
+--- a/drivers/platform/mellanox/mlxreg-lc.c
++++ b/drivers/platform/mellanox/mlxreg-lc.c
+@@ -863,7 +863,6 @@ static int mlxreg_lc_probe(struct platform_device *pdev)
+ if (err) {
+ dev_err(&pdev->dev, "Failed to sync regmap for client %s at bus %d at addr 0x%02x\n",
+ data->hpdev.brdinfo->type, data->hpdev.nr, data->hpdev.brdinfo->addr);
+- err = PTR_ERR(regmap);
+ goto regcache_sync_fail;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From fbc47b523eb83cbfc706ecc59f7eac899754d28d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 23:19:35 +0300
+Subject: platform/mellanox: mlxreg-lc: Fix locking issue
+
+From: Vadim Pasternak <vadimp@nvidia.com>
+
+[ Upstream commit 1e092b7faa6b507125b69c92a51bb22c2d549d37 ]
+
+Fix locking issues:
+- mlxreg_lc_state_update() takes a lock when set or clear
+ "MLXREG_LC_POWERED".
+- All the devices can be deleted before MLXREG_LC_POWERED flag is cleared.
+
+To fix it:
+- Add lock() / unlock() at the beginning / end of
+ mlxreg_lc_event_handler() and remove locking from
+ mlxreg_lc_power_on_off() and mlxreg_lc_enable_disable()
+- Add locked version of mlxreg_lc_state_update() -
+ mlxreg_lc_state_update_locked() for using outside
+ mlxreg_lc_event_handler().
+
+(2) Remove redundant NULL check for of if 'data->notifier'.
+
+Fixes: 62f9529b8d5c87b ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20220823201937.46855-3-vadimp@nvidia.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxreg-lc.c | 37 ++++++++++++++++++---------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxreg-lc.c b/drivers/platform/mellanox/mlxreg-lc.c
+index 9a1bfcd24317d..e578c7bc060bb 100644
+--- a/drivers/platform/mellanox/mlxreg-lc.c
++++ b/drivers/platform/mellanox/mlxreg-lc.c
+@@ -460,8 +460,6 @@ static int mlxreg_lc_power_on_off(struct mlxreg_lc *mlxreg_lc, u8 action)
+ u32 regval;
+ int err;
+
+- mutex_lock(&mlxreg_lc->lock);
+-
+ err = regmap_read(mlxreg_lc->par_regmap, mlxreg_lc->data->reg_pwr, ®val);
+ if (err)
+ goto regmap_read_fail;
+@@ -474,7 +472,6 @@ static int mlxreg_lc_power_on_off(struct mlxreg_lc *mlxreg_lc, u8 action)
+ err = regmap_write(mlxreg_lc->par_regmap, mlxreg_lc->data->reg_pwr, regval);
+
+ regmap_read_fail:
+- mutex_unlock(&mlxreg_lc->lock);
+ return err;
+ }
+
+@@ -491,8 +488,6 @@ static int mlxreg_lc_enable_disable(struct mlxreg_lc *mlxreg_lc, bool action)
+ * line card which is already has been enabled. Disabling does not affect the disabled line
+ * card.
+ */
+- mutex_lock(&mlxreg_lc->lock);
+-
+ err = regmap_read(mlxreg_lc->par_regmap, mlxreg_lc->data->reg_ena, ®val);
+ if (err)
+ goto regmap_read_fail;
+@@ -505,7 +500,6 @@ static int mlxreg_lc_enable_disable(struct mlxreg_lc *mlxreg_lc, bool action)
+ err = regmap_write(mlxreg_lc->par_regmap, mlxreg_lc->data->reg_ena, regval);
+
+ regmap_read_fail:
+- mutex_unlock(&mlxreg_lc->lock);
+ return err;
+ }
+
+@@ -537,6 +531,15 @@ mlxreg_lc_sn4800_c16_config_init(struct mlxreg_lc *mlxreg_lc, void *regmap,
+
+ static void
+ mlxreg_lc_state_update(struct mlxreg_lc *mlxreg_lc, enum mlxreg_lc_state state, u8 action)
++{
++ if (action)
++ mlxreg_lc->state |= state;
++ else
++ mlxreg_lc->state &= ~state;
++}
++
++static void
++mlxreg_lc_state_update_locked(struct mlxreg_lc *mlxreg_lc, enum mlxreg_lc_state state, u8 action)
+ {
+ mutex_lock(&mlxreg_lc->lock);
+
+@@ -560,8 +563,11 @@ static int mlxreg_lc_event_handler(void *handle, enum mlxreg_hotplug_kind kind,
+ dev_info(mlxreg_lc->dev, "linecard#%d state %d event kind %d action %d\n",
+ mlxreg_lc->data->slot, mlxreg_lc->state, kind, action);
+
+- if (!(mlxreg_lc->state & MLXREG_LC_INITIALIZED))
++ mutex_lock(&mlxreg_lc->lock);
++ if (!(mlxreg_lc->state & MLXREG_LC_INITIALIZED)) {
++ mutex_unlock(&mlxreg_lc->lock);
+ return 0;
++ }
+
+ switch (kind) {
+ case MLXREG_HOTPLUG_LC_SYNCED:
+@@ -574,7 +580,7 @@ static int mlxreg_lc_event_handler(void *handle, enum mlxreg_hotplug_kind kind,
+ if (!(mlxreg_lc->state & MLXREG_LC_POWERED) && action) {
+ err = mlxreg_lc_power_on_off(mlxreg_lc, 1);
+ if (err)
+- return err;
++ goto mlxreg_lc_power_on_off_fail;
+ }
+ /* In case line card is configured - enable it. */
+ if (mlxreg_lc->state & MLXREG_LC_CONFIGURED && action)
+@@ -588,12 +594,13 @@ static int mlxreg_lc_event_handler(void *handle, enum mlxreg_hotplug_kind kind,
+ /* In case line card is configured - enable it. */
+ if (mlxreg_lc->state & MLXREG_LC_CONFIGURED)
+ err = mlxreg_lc_enable_disable(mlxreg_lc, 1);
++ mutex_unlock(&mlxreg_lc->lock);
+ return err;
+ }
+ err = mlxreg_lc_create_static_devices(mlxreg_lc, mlxreg_lc->main_devs,
+ mlxreg_lc->main_devs_num);
+ if (err)
+- return err;
++ goto mlxreg_lc_create_static_devices_fail;
+
+ /* In case line card is already in ready state - enable it. */
+ if (mlxreg_lc->state & MLXREG_LC_CONFIGURED)
+@@ -620,6 +627,10 @@ static int mlxreg_lc_event_handler(void *handle, enum mlxreg_hotplug_kind kind,
+ break;
+ }
+
++mlxreg_lc_power_on_off_fail:
++mlxreg_lc_create_static_devices_fail:
++ mutex_unlock(&mlxreg_lc->lock);
++
+ return err;
+ }
+
+@@ -665,7 +676,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent,
+ if (err)
+ goto mlxreg_lc_create_static_devices_failed;
+
+- mlxreg_lc_state_update(mlxreg_lc, MLXREG_LC_POWERED, 1);
++ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_POWERED, 1);
+ }
+
+ /* Verify if line card is synchronized. */
+@@ -676,7 +687,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent,
+ /* Power on line card if necessary. */
+ if (regval & mlxreg_lc->data->mask) {
+ mlxreg_lc->state |= MLXREG_LC_SYNCED;
+- mlxreg_lc_state_update(mlxreg_lc, MLXREG_LC_SYNCED, 1);
++ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_SYNCED, 1);
+ if (mlxreg_lc->state & ~MLXREG_LC_POWERED) {
+ err = mlxreg_lc_power_on_off(mlxreg_lc, 1);
+ if (err)
+@@ -684,7 +695,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent,
+ }
+ }
+
+- mlxreg_lc_state_update(mlxreg_lc, MLXREG_LC_INITIALIZED, 1);
++ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_INITIALIZED, 1);
+
+ return 0;
+
+@@ -904,6 +915,8 @@ static int mlxreg_lc_remove(struct platform_device *pdev)
+ struct mlxreg_core_data *data = dev_get_platdata(&pdev->dev);
+ struct mlxreg_lc *mlxreg_lc = platform_get_drvdata(pdev);
+
++ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_INITIALIZED, 0);
++
+ /*
+ * Probing and removing are invoked by hotplug events raised upon line card insertion and
+ * removing. If probing procedure fails all data is cleared. However, hotplug event still
+--
+2.35.1
+
--- /dev/null
+From b2a4cb004e3ba752a0efd40f58608946d87c2edb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 14:37:31 +0300
+Subject: platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 0a90ed8d0cfa29735a221eba14d9cb6c735d35b6 ]
+
+On Intel hardware the SLP_TYPx bitfield occupies bits 10-12 as per ACPI
+specification (see Table 4.13 "PM1 Control Registers Fixed Hardware
+Feature Control Bits" for the details).
+
+Fix the mask and other related definitions accordingly.
+
+Fixes: 93e5eadd1f6e ("x86/platform: New Intel Atom SOC power management controller driver")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20220801113734.36131-1-andriy.shevchenko@linux.intel.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pmc_atom.c | 2 +-
+ include/linux/platform_data/x86/pmc_atom.h | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index 154317e9910d2..5c757c7f64dee 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -232,7 +232,7 @@ static void pmc_power_off(void)
+ pm1_cnt_port = acpi_base_addr + PM1_CNT;
+
+ pm1_cnt_value = inl(pm1_cnt_port);
+- pm1_cnt_value &= SLEEP_TYPE_MASK;
++ pm1_cnt_value &= ~SLEEP_TYPE_MASK;
+ pm1_cnt_value |= SLEEP_TYPE_S5;
+ pm1_cnt_value |= SLEEP_ENABLE;
+
+diff --git a/include/linux/platform_data/x86/pmc_atom.h b/include/linux/platform_data/x86/pmc_atom.h
+index 6807839c718bd..ea01dd80153b3 100644
+--- a/include/linux/platform_data/x86/pmc_atom.h
++++ b/include/linux/platform_data/x86/pmc_atom.h
+@@ -7,6 +7,8 @@
+ #ifndef PMC_ATOM_H
+ #define PMC_ATOM_H
+
++#include <linux/bits.h>
++
+ /* ValleyView Power Control Unit PCI Device ID */
+ #define PCI_DEVICE_ID_VLV_PMC 0x0F1C
+ /* CherryTrail Power Control Unit PCI Device ID */
+@@ -139,9 +141,9 @@
+ #define ACPI_MMIO_REG_LEN 0x100
+
+ #define PM1_CNT 0x4
+-#define SLEEP_TYPE_MASK 0xFFFFECFF
++#define SLEEP_TYPE_MASK GENMASK(12, 10)
+ #define SLEEP_TYPE_S5 0x1C00
+-#define SLEEP_ENABLE 0x2000
++#define SLEEP_ENABLE BIT(13)
+
+ extern int pmc_atom_read(int offset, u32 *value);
+
+--
+2.35.1
+
--- /dev/null
+From 09be5c25e94275e818474e1eb2e158ec84434750 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Aug 2022 16:19:34 +0200
+Subject: platform/x86: x86-android-tablets: Fix broken touchscreen on Chuwi
+ Hi8 with Windows BIOS
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 2986c51540ed50ac654ffb5a772e546c02628c91 ]
+
+The x86-android-tablets handling for the Chuwi Hi8 is only necessary with
+the Android BIOS and it is causing problems with the Windows BIOS version.
+
+Specifically when trying to register the already present touchscreen
+x86_acpi_irq_helper_get() calls acpi_unregister_gsi(), this breaks
+the working of the touchscreen and also leads to an oops:
+
+[ 14.248946] ------------[ cut here ]------------
+[ 14.248954] remove_proc_entry: removing non-empty directory 'irq/75', leaking at least 'MSSL0001:00'
+[ 14.248983] WARNING: CPU: 3 PID: 440 at fs/proc/generic.c:718 remove_proc_entry
+...
+[ 14.249293] unregister_irq_proc+0xe0/0x100
+[ 14.249305] free_desc+0x29/0x70
+[ 14.249312] irq_free_descs+0x4b/0x80
+[ 14.249320] mp_unmap_irq+0x5c/0x60
+[ 14.249329] acpi_unregister_gsi_ioapic+0x2a/0x40
+[ 14.249338] x86_acpi_irq_helper_get+0x4b/0x190 [x86_android_tablets]
+[ 14.249355] x86_android_tablet_init+0x178/0xe34 [x86_android_tablets]
+
+Add an init callback for the Chuwi Hi8, which detects when the Windows BIOS
+is in use and exits with -ENODEV in that case, fixing this.
+
+Fixes: 84c2dcdd475f ("platform/x86: x86-android-tablets: Add an init() callback to struct x86_dev_info")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20220810141934.140771-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/x86-android-tablets.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c
+index 4803759774358..4acd6fa8d43b8 100644
+--- a/drivers/platform/x86/x86-android-tablets.c
++++ b/drivers/platform/x86/x86-android-tablets.c
+@@ -663,9 +663,23 @@ static const struct x86_i2c_client_info chuwi_hi8_i2c_clients[] __initconst = {
+ },
+ };
+
++static int __init chuwi_hi8_init(void)
++{
++ /*
++ * Avoid the acpi_unregister_gsi() call in x86_acpi_irq_helper_get()
++ * breaking the touchscreen + logging various errors when the Windows
++ * BIOS is used.
++ */
++ if (acpi_dev_present("MSSL0001", NULL, 1))
++ return -ENODEV;
++
++ return 0;
++}
++
+ static const struct x86_dev_info chuwi_hi8_info __initconst = {
+ .i2c_client_info = chuwi_hi8_i2c_clients,
+ .i2c_client_count = ARRAY_SIZE(chuwi_hi8_i2c_clients),
++ .init = chuwi_hi8_init,
+ };
+
+ #define CZC_EC_EXTRA_PORT 0x68
+--
+2.35.1
+
--- /dev/null
+From 9811c1d1b3fd897ef4d6adc328031bf8457eff30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 20:01:32 -0700
+Subject: Revert "sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued
+ skb"
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 0b4f688d53fdc2a731b9d9cdf0c96255bc024ea6 ]
+
+This reverts commit 90fabae8a2c225c4e4936723c38857887edde5cc.
+
+Patch was applied hastily, revert and let the v2 be reviewed.
+
+Fixes: 90fabae8a2c2 ("sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb")
+Link: https://lore.kernel.org/all/87wnao2ha3.fsf@toke.dk/
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_cake.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
+index a04928082e4ab..a43a58a73d096 100644
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -1713,7 +1713,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ }
+ idx--;
+ flow = &b->flows[idx];
+- ret = NET_XMIT_SUCCESS;
+
+ /* ensure shaper state isn't stale */
+ if (!b->tin_backlog) {
+@@ -1772,7 +1771,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+
+ qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen);
+ consume_skb(skb);
+- ret |= __NET_XMIT_STOLEN;
+ } else {
+ /* not splitting */
+ cobalt_set_enqueue_time(skb, now);
+@@ -1906,7 +1904,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ }
+ b->drop_overlimit += dropped;
+ }
+- return ret;
++ return NET_XMIT_SUCCESS;
+ }
+
+ static struct sk_buff *cake_dequeue_one(struct Qdisc *sch)
+--
+2.35.1
+
--- /dev/null
+From 671b9674313e10f01ce9ab509c41f6e5a855a699 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 18:08:40 +0300
+Subject: Revert "xhci: turn off port power in shutdown"
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 8531aa1659f7278d4f2ec7408cc000eaa8d85217 ]
+
+This reverts commit 83810f84ecf11dfc5a9414a8b762c3501b328185.
+
+Turning off port power in shutdown did cause issues such as a laptop not
+proprly powering off, and some specific usb devies failing to enumerate the
+subsequent boot after a warm reset.
+
+So revert this.
+
+Fixes: 83810f84ecf1 ("xhci: turn off port power in shutdown")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20220825150840.132216-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-hub.c | 2 +-
+ drivers/usb/host/xhci.c | 15 ++-------------
+ drivers/usb/host/xhci.h | 2 --
+ 3 files changed, 3 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
+index 0fdc014c94011..c54f2bc23d3f8 100644
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -652,7 +652,7 @@ struct xhci_hub *xhci_get_rhub(struct usb_hcd *hcd)
+ * It will release and re-aquire the lock while calling ACPI
+ * method.
+ */
+-void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd,
++static void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd,
+ u16 index, bool on, unsigned long *flags)
+ __must_hold(&xhci->lock)
+ {
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 65858f6074377..cb99bed5f755e 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -791,8 +791,6 @@ static void xhci_stop(struct usb_hcd *hcd)
+ void xhci_shutdown(struct usb_hcd *hcd)
+ {
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+- unsigned long flags;
+- int i;
+
+ if (xhci->quirks & XHCI_SPURIOUS_REBOOT)
+ usb_disable_xhci_ports(to_pci_dev(hcd->self.sysdev));
+@@ -808,21 +806,12 @@ void xhci_shutdown(struct usb_hcd *hcd)
+ del_timer_sync(&xhci->shared_hcd->rh_timer);
+ }
+
+- spin_lock_irqsave(&xhci->lock, flags);
++ spin_lock_irq(&xhci->lock);
+ xhci_halt(xhci);
+-
+- /* Power off USB2 ports*/
+- for (i = 0; i < xhci->usb2_rhub.num_ports; i++)
+- xhci_set_port_power(xhci, xhci->main_hcd, i, false, &flags);
+-
+- /* Power off USB3 ports*/
+- for (i = 0; i < xhci->usb3_rhub.num_ports; i++)
+- xhci_set_port_power(xhci, xhci->shared_hcd, i, false, &flags);
+-
+ /* Workaround for spurious wakeups at shutdown with HSW */
+ if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
+ xhci_reset(xhci, XHCI_RESET_SHORT_USEC);
+- spin_unlock_irqrestore(&xhci->lock, flags);
++ spin_unlock_irq(&xhci->lock);
+
+ xhci_cleanup_msix(xhci);
+
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index 1960b47acfb28..da51ad90a7006 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -2196,8 +2196,6 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, u16 wIndex,
+ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf);
+ int xhci_find_raw_port_number(struct usb_hcd *hcd, int port1);
+ struct xhci_hub *xhci_get_rhub(struct usb_hcd *hcd);
+-void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, u16 index,
+- bool on, unsigned long *flags);
+
+ void xhci_hc_died(struct xhci_hcd *xhci);
+
+--
+2.35.1
+
--- /dev/null
+From 899c0746fedad2362139b35099d19001f8a1cc4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 11:21:03 +0200
+Subject: sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@toke.dk>
+
+[ Upstream commit 90fabae8a2c225c4e4936723c38857887edde5cc ]
+
+When the GSO splitting feature of sch_cake is enabled, GSO superpackets
+will be broken up and the resulting segments enqueued in place of the
+original skb. In this case, CAKE calls consume_skb() on the original skb,
+but still returns NET_XMIT_SUCCESS. This can confuse parent qdiscs into
+assuming the original skb still exists, when it really has been freed. Fix
+this by adding the __NET_XMIT_STOLEN flag to the return value in this case.
+
+Fixes: 0c850344d388 ("sch_cake: Conditionally split GSO segments")
+Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231
+Link: https://lore.kernel.org/r/20220831092103.442868-1-toke@toke.dk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_cake.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
+index a43a58a73d096..a04928082e4ab 100644
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -1713,6 +1713,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ }
+ idx--;
+ flow = &b->flows[idx];
++ ret = NET_XMIT_SUCCESS;
+
+ /* ensure shaper state isn't stale */
+ if (!b->tin_backlog) {
+@@ -1771,6 +1772,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+
+ qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen);
+ consume_skb(skb);
++ ret |= __NET_XMIT_STOLEN;
+ } else {
+ /* not splitting */
+ cobalt_set_enqueue_time(skb, now);
+@@ -1904,7 +1906,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ }
+ b->drop_overlimit += dropped;
+ }
+- return NET_XMIT_SUCCESS;
++ return ret;
+ }
+
+ static struct sk_buff *cake_dequeue_one(struct Qdisc *sch)
+--
+2.35.1
+
--- /dev/null
+drm-msm-dp-make-edp-panel-as-the-first-connected-con.patch
+drm-msm-dsi-fix-the-inconsistent-indenting.patch
+drm-msm-dpu-populate-wb-or-intf-before-reset_intf_cf.patch
+drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch
+drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch
+drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch
+platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch
+platform-x86-x86-android-tablets-fix-broken-touchscr.patch
+xsk-fix-corrupted-packets-for-xdp_shared_umem.patch
+drm-msm-gpu-drop-qos-request-if-devm_devfreq_add_dev.patch
+peci-aspeed-fix-error-check-return-value-of-platform.patch
+iio-adc-mcp3911-make-use-of-the-sign-bit.patch
+skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch
+bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch
+usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch
+usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch
+usb-dwc3-qcom-fix-runtime-pm-wakeup.patch
+usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch
+usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch
+ip_tunnel-respect-tunnel-key-s-flow_flags-in-ip-tunn.patch
+bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch
+drm-i915-gvt-fix-comet-lake.patch
+ieee802154-adf7242-defer-destroy_workqueue-call.patch
+bpf-fix-a-data-race-around-bpf_jit_limit.patch
+drm-i915-ttm-fix-ccs-handling.patch
+drm-i915-display-avoid-warnings-when-registering-dua.patch
+alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch
+wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch
+xhci-fix-null-pointer-dereference-in-remove-if-xhc-h.patch
+revert-xhci-turn-off-port-power-in-shutdown.patch
+bpf-allow-helpers-to-accept-pointers-with-a-fixed-si.patch
+bpf-tidy-up-verifier-check_func_arg.patch
+bpf-do-mark_chain_precision-for-arg_const_alloc_size.patch
+bluetooth-hci_event-fix-vendor-unknown-opcode-status.patch
+bluetooth-hci_sync-fix-suspend-performance-regressio.patch
+bluetooth-hci_event-fix-checking-conn-for-le_conn_co.patch
+bluetooth-hci_sync-hold-hdev-lock-when-cleanup-hci_c.patch
+net-sparx5-fix-handling-uneven-length-packets-in-man.patch
+net-smsc911x-stop-and-start-phy-during-suspend-and-r.patch
+openvswitch-fix-memory-leak-at-failed-datapath-creat.patch
+nfp-flower-fix-ingress-police-using-matchall-filter.patch
+net-dsa-xrs700x-use-irqsave-variant-for-u64-stats-up.patch
+drm-i915-fix-null-pointer-dereference.patch
+net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch
+net-sched-fix-netdevice-reference-leaks-in-attach_de.patch
+net-phy-micrel-make-the-gpio-to-be-non-exclusive.patch
+net-lan966x-improve-error-handle-in-lan966x_fdma_rx_.patch
+ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch
+cachefiles-fix-error-return-code-in-cachefiles_ondem.patch
+cachefiles-make-on-demand-request-distribution-faire.patch
+mlxbf_gige-compute-mdio-period-based-on-i1clk.patch
+kcm-fix-strp_init-order-and-cleanup.patch
+sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch
+tcp-annotate-data-race-around-challenge_timestamp.patch
+revert-sch_cake-return-__net_xmit_stolen-when-consum.patch
+net-smc-remove-redundant-refcount-increase.patch
+soundwire-qcom-fix-device-status-array-range.patch
+mm-slab_common-deleting-kobject-in-kmem_cache_destro.patch
+platform-mellanox-mlxreg-lc-fix-coverity-warning.patch
+platform-mellanox-mlxreg-lc-fix-locking-issue.patch
--- /dev/null
+From fe2c12806707683b535e77a60a4f9237950b2c45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Aug 2022 17:49:15 +0800
+Subject: skmsg: Fix wrong last sg check in sk_msg_recvmsg()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 583585e48d965338e73e1eb383768d16e0922d73 ]
+
+Fix one kernel NULL pointer dereference as below:
+
+[ 224.462334] Call Trace:
+[ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380
+[ 224.462441] ? sock_has_perm+0x78/0xa0
+[ 224.462463] tcp_bpf_recvmsg+0x12e/0x220
+[ 224.462494] inet_recvmsg+0x5b/0xd0
+[ 224.462534] __sys_recvfrom+0xc8/0x130
+[ 224.462574] ? syscall_trace_enter+0x1df/0x2e0
+[ 224.462606] ? __do_page_fault+0x2de/0x500
+[ 224.462635] __x64_sys_recvfrom+0x24/0x30
+[ 224.462660] do_syscall_64+0x5d/0x1d0
+[ 224.462709] entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+In commit 9974d37ea75f ("skmsg: Fix invalid last sg check in
+sk_msg_recvmsg()"), we change last sg check to sg_is_last(),
+but in sockmap redirection case (without stream_parser/stream_verdict/
+skb_verdict), we did not mark the end of the scatterlist. Check the
+sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all
+do not mark the end of sg. They are expected to use sg.end for end
+judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.
+
+Fixes: 9974d37ea75f ("skmsg: Fix invalid last sg check in sk_msg_recvmsg()")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20220809094915.150391-1-liujian56@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 84209e661171e..69ac686c7cae3 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -462,7 +462,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
+
+ if (copied == len)
+ break;
+- } while (!sg_is_last(sge));
++ } while ((i != msg_rx->sg.end) && !sg_is_last(sge));
+
+ if (unlikely(peek)) {
+ msg_rx = sk_psock_next_msg(psock, msg_rx);
+@@ -472,7 +472,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
+ }
+
+ msg_rx->sg.start = i;
+- if (!sge->length && sg_is_last(sge)) {
++ if (!sge->length && (i == msg_rx->sg.end || sg_is_last(sge))) {
+ msg_rx = sk_psock_dequeue_msg(psock);
+ kfree_sk_msg(msg_rx);
+ }
+--
+2.35.1
+
--- /dev/null
+From b099e44e7c2b0d7114414b9d47fde3ce3a8fb1cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jul 2022 11:47:47 +0100
+Subject: soundwire: qcom: fix device status array range
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 4ef3f2aff1267bfa6d5a90c42a30b927b8aa239b ]
+
+This patch updates device status array range from 11 to 12 as we will
+be reading status from device number 0 to device number 11 inclusive.
+
+Without this patch we can potentially access status array out of range
+during auto-enumeration.
+
+Fixes: aa1262ca6695 ("soundwire: qcom: Check device status before reading devid")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20220708104747.8722-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/qcom.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
+index b5ec7726592c8..71d2931cb885c 100644
+--- a/drivers/soundwire/qcom.c
++++ b/drivers/soundwire/qcom.c
+@@ -167,7 +167,7 @@ struct qcom_swrm_ctrl {
+ u8 wcmd_id;
+ struct qcom_swrm_port_config pconfig[QCOM_SDW_MAX_PORTS];
+ struct sdw_stream_runtime *sruntime[SWRM_MAX_DAIS];
+- enum sdw_slave_status status[SDW_MAX_DEVICES];
++ enum sdw_slave_status status[SDW_MAX_DEVICES + 1];
+ int (*reg_read)(struct qcom_swrm_ctrl *ctrl, int reg, u32 *val);
+ int (*reg_write)(struct qcom_swrm_ctrl *ctrl, int reg, int val);
+ u32 slave_status;
+@@ -411,7 +411,7 @@ static int qcom_swrm_get_alert_slave_dev_num(struct qcom_swrm_ctrl *ctrl)
+
+ ctrl->reg_read(ctrl, SWRM_MCP_SLV_STATUS, &val);
+
+- for (dev_num = 0; dev_num < SDW_MAX_DEVICES; dev_num++) {
++ for (dev_num = 0; dev_num <= SDW_MAX_DEVICES; dev_num++) {
+ status = (val >> (dev_num * SWRM_MCP_SLV_STATUS_SZ));
+
+ if ((status & SWRM_MCP_SLV_STATUS_MASK) == SDW_SLAVE_ALERT) {
+@@ -431,7 +431,7 @@ static void qcom_swrm_get_device_status(struct qcom_swrm_ctrl *ctrl)
+ ctrl->reg_read(ctrl, SWRM_MCP_SLV_STATUS, &val);
+ ctrl->slave_status = val;
+
+- for (i = 0; i < SDW_MAX_DEVICES; i++) {
++ for (i = 0; i <= SDW_MAX_DEVICES; i++) {
+ u32 s;
+
+ s = (val >> (i * 2));
+--
+2.35.1
+
--- /dev/null
+From 837f367e4465cbe98c61781c1a6d31f26ef4b3a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 11:56:55 -0700
+Subject: tcp: annotate data-race around challenge_timestamp
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8c70521238b7863c2af607e20bcba20f974c969b ]
+
+challenge_timestamp can be read an written by concurrent threads.
+
+This was expected, but we need to annotate the race to avoid potential issues.
+
+Following patch moves challenge_timestamp and challenge_count
+to per-netns storage to provide better isolation.
+
+Fixes: 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index b1637990d5708..e5435156e545d 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3630,11 +3630,11 @@ static void tcp_send_challenge_ack(struct sock *sk)
+
+ /* Then check host-wide RFC 5961 rate limit. */
+ now = jiffies / HZ;
+- if (now != challenge_timestamp) {
++ if (now != READ_ONCE(challenge_timestamp)) {
+ u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit);
+ u32 half = (ack_limit + 1) >> 1;
+
+- challenge_timestamp = now;
++ WRITE_ONCE(challenge_timestamp, now);
+ WRITE_ONCE(challenge_count, half + prandom_u32_max(ack_limit));
+ }
+ count = READ_ONCE(challenge_count);
+--
+2.35.1
+
--- /dev/null
+From 47eede1934128173679d2079830cb4187e7ea525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jun 2022 10:00:52 +0530
+Subject: usb: dwc3: qcom: Add helper functions to enable,disable wake irqs
+
+From: Sandeep Maheswaram <quic_c_sanm@quicinc.com>
+
+[ Upstream commit 360e8230516de94d74d30c64f0cdcf228b8e8b67 ]
+
+Adding helper functions to enable,disable wake irqs to make
+the code simple and readable.
+
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
+Signed-off-by: Sandeep Maheswaram <quic_c_sanm@quicinc.com>
+Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Link: https://lore.kernel.org/r/1655094654-24052-4-git-send-email-quic_kriskura@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 58 ++++++++++++++++--------------------
+ 1 file changed, 26 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index 3582fd6dfa141..27ff18aeea266 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -296,50 +296,44 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom)
+ icc_put(qcom->icc_path_apps);
+ }
+
++static void dwc3_qcom_enable_wakeup_irq(int irq)
++{
++ if (!irq)
++ return;
++
++ enable_irq(irq);
++ enable_irq_wake(irq);
++}
++
++static void dwc3_qcom_disable_wakeup_irq(int irq)
++{
++ if (!irq)
++ return;
++
++ disable_irq_wake(irq);
++ disable_irq_nosync(irq);
++}
++
+ static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom)
+ {
+- if (qcom->hs_phy_irq) {
+- disable_irq_wake(qcom->hs_phy_irq);
+- disable_irq_nosync(qcom->hs_phy_irq);
+- }
++ dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq);
+
+- if (qcom->dp_hs_phy_irq) {
+- disable_irq_wake(qcom->dp_hs_phy_irq);
+- disable_irq_nosync(qcom->dp_hs_phy_irq);
+- }
++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq);
+
+- if (qcom->dm_hs_phy_irq) {
+- disable_irq_wake(qcom->dm_hs_phy_irq);
+- disable_irq_nosync(qcom->dm_hs_phy_irq);
+- }
++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq);
+
+- if (qcom->ss_phy_irq) {
+- disable_irq_wake(qcom->ss_phy_irq);
+- disable_irq_nosync(qcom->ss_phy_irq);
+- }
++ dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq);
+ }
+
+ static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom)
+ {
+- if (qcom->hs_phy_irq) {
+- enable_irq(qcom->hs_phy_irq);
+- enable_irq_wake(qcom->hs_phy_irq);
+- }
++ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq);
+
+- if (qcom->dp_hs_phy_irq) {
+- enable_irq(qcom->dp_hs_phy_irq);
+- enable_irq_wake(qcom->dp_hs_phy_irq);
+- }
++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq);
+
+- if (qcom->dm_hs_phy_irq) {
+- enable_irq(qcom->dm_hs_phy_irq);
+- enable_irq_wake(qcom->dm_hs_phy_irq);
+- }
++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq);
+
+- if (qcom->ss_phy_irq) {
+- enable_irq(qcom->ss_phy_irq);
+- enable_irq_wake(qcom->ss_phy_irq);
+- }
++ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq);
+ }
+
+ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom)
+--
+2.35.1
+
--- /dev/null
+From 49a0d326a917eb97f00db955cc50118bac59be96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jun 2022 10:00:53 +0530
+Subject: usb: dwc3: qcom: Configure wakeup interrupts during suspend
+
+From: Sandeep Maheswaram <quic_c_sanm@quicinc.com>
+
+[ Upstream commit 6895ea55c385c9afdd2aec1eef27ec24917a112f ]
+
+Configure DP/DM line interrupts based on the USB2 device attached to
+the root hub port. When HS/FS device is connected, configure the DP line
+as falling edge to detect both disconnect and remote wakeup scenarios. When
+LS device is connected, configure DM line as falling edge to detect both
+disconnect and remote wakeup. When no device is connected, configure both
+DP and DM lines as rising edge to detect HS/HS/LS device connect scenario.
+
+Reviewed-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Sandeep Maheswaram <quic_c_sanm@quicinc.com>
+Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Link: https://lore.kernel.org/r/1655094654-24052-5-git-send-email-quic_kriskura@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 72 +++++++++++++++++++++++++++++++-----
+ 1 file changed, 62 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index 27ff18aeea266..be2e3dd364408 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -20,7 +20,8 @@
+ #include <linux/usb/of.h>
+ #include <linux/reset.h>
+ #include <linux/iopoll.h>
+-
++#include <linux/usb/hcd.h>
++#include <linux/usb.h>
+ #include "core.h"
+
+ /* USB QSCRATCH Hardware registers */
+@@ -76,6 +77,7 @@ struct dwc3_qcom {
+ int dp_hs_phy_irq;
+ int dm_hs_phy_irq;
+ int ss_phy_irq;
++ enum usb_device_speed usb2_speed;
+
+ struct extcon_dev *edev;
+ struct extcon_dev *host_edev;
+@@ -296,11 +298,34 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom)
+ icc_put(qcom->icc_path_apps);
+ }
+
+-static void dwc3_qcom_enable_wakeup_irq(int irq)
++static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom)
++{
++ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3);
++ struct usb_hcd *hcd = platform_get_drvdata(dwc->xhci);
++ struct usb_device *udev;
++
++ /*
++ * It is possible to query the speed of all children of
++ * USB2.0 root hub via usb_hub_for_each_child(). DWC3 code
++ * currently supports only 1 port per controller. So
++ * this is sufficient.
++ */
++ udev = usb_hub_find_child(hcd->self.root_hub, 1);
++
++ if (!udev)
++ return USB_SPEED_UNKNOWN;
++
++ return udev->speed;
++}
++
++static void dwc3_qcom_enable_wakeup_irq(int irq, unsigned int polarity)
+ {
+ if (!irq)
+ return;
+
++ if (polarity)
++ irq_set_irq_type(irq, polarity);
++
+ enable_irq(irq);
+ enable_irq_wake(irq);
+ }
+@@ -318,22 +343,47 @@ static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom)
+ {
+ dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq);
+
+- dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq);
+-
+- dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq);
++ if (qcom->usb2_speed == USB_SPEED_LOW) {
++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq);
++ } else if ((qcom->usb2_speed == USB_SPEED_HIGH) ||
++ (qcom->usb2_speed == USB_SPEED_FULL)) {
++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq);
++ } else {
++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq);
++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq);
++ }
+
+ dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq);
+ }
+
+ static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom)
+ {
+- dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq);
++ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq, 0);
+
+- dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq);
++ /*
++ * Configure DP/DM line interrupts based on the USB2 device attached to
++ * the root hub port. When HS/FS device is connected, configure the DP line
++ * as falling edge to detect both disconnect and remote wakeup scenarios. When
++ * LS device is connected, configure DM line as falling edge to detect both
++ * disconnect and remote wakeup. When no device is connected, configure both
++ * DP and DM lines as rising edge to detect HS/HS/LS device connect scenario.
++ */
+
+- dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq);
++ if (qcom->usb2_speed == USB_SPEED_LOW) {
++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq,
++ IRQ_TYPE_EDGE_FALLING);
++ } else if ((qcom->usb2_speed == USB_SPEED_HIGH) ||
++ (qcom->usb2_speed == USB_SPEED_FULL)) {
++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq,
++ IRQ_TYPE_EDGE_FALLING);
++ } else {
++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq,
++ IRQ_TYPE_EDGE_RISING);
++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq,
++ IRQ_TYPE_EDGE_RISING);
++ }
+
+- dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq);
++ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq, 0);
+ }
+
+ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom)
+@@ -355,8 +405,10 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom)
+ if (ret)
+ dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret);
+
+- if (device_may_wakeup(qcom->dev))
++ if (device_may_wakeup(qcom->dev)) {
++ qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom);
+ dwc3_qcom_enable_interrupts(qcom);
++ }
+
+ qcom->is_suspended = true;
+
+--
+2.35.1
+
--- /dev/null
+From 24c8db3a3963ef8c711e4309701faea9223c090a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 17:09:58 +0200
+Subject: usb: dwc3: qcom: fix peripheral and OTG suspend
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit c5f14abeb52b0177b940fd734133d383da3521d8 ]
+
+A recent commit implementing wakeup support in host mode instead broke
+suspend for peripheral and OTG mode.
+
+The hack that was added in the suspend path to determine the speed of
+any device connected to the USB2 bus not only accesses internal driver
+data for a child device, but also dereferences a NULL pointer or
+accesses freed data when the controller is not acting as host.
+
+There's no quick fix to the layering violation, but since reverting
+would leave us with broken suspend in host mode with wakeup triggering
+immediately, let's keep the hack for now.
+
+Fix the immediate issues by only checking the host bus speed and
+enabling wakeup interrupts when acting as host.
+
+Fixes: 6895ea55c385 ("usb: dwc3: qcom: Configure wakeup interrupts during suspend")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220804151001.23612-7-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index 25ae37b1a39df..436264db6afe9 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -309,8 +309,13 @@ static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom)
+ static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom)
+ {
+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3);
+- struct usb_hcd *hcd = platform_get_drvdata(dwc->xhci);
+ struct usb_device *udev;
++ struct usb_hcd *hcd;
++
++ /*
++ * FIXME: Fix this layering violation.
++ */
++ hcd = platform_get_drvdata(dwc->xhci);
+
+ /*
+ * It is possible to query the speed of all children of
+@@ -413,7 +418,11 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom, bool wakeup)
+ if (ret)
+ dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret);
+
+- if (wakeup) {
++ /*
++ * The role is stable during suspend as role switching is done from a
++ * freezable workqueue.
++ */
++ if (dwc3_qcom_is_host(qcom) && wakeup) {
+ qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom);
+ dwc3_qcom_enable_interrupts(qcom);
+ }
+@@ -431,7 +440,7 @@ static int dwc3_qcom_resume(struct dwc3_qcom *qcom, bool wakeup)
+ if (!qcom->is_suspended)
+ return 0;
+
+- if (wakeup)
++ if (dwc3_qcom_is_host(qcom) && wakeup)
+ dwc3_qcom_disable_interrupts(qcom);
+
+ for (i = 0; i < qcom->num_clocks; i++) {
+--
+2.35.1
+
--- /dev/null
+From 456ac35d57d38f91c559bcac202e6676455ca38a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 17:09:57 +0200
+Subject: usb: dwc3: qcom: fix runtime PM wakeup
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 6498a96c8c9ce8ae4078e586a607851491e29a33 ]
+
+A device must enable wakeups during runtime suspend regardless of
+whether it is capable and allowed to wake the system up from system
+suspend.
+
+Fixes: 2664deb09306 ("usb: dwc3: qcom: Honor wakeup enabled/disabled state")
+Tested-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220804151001.23612-6-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index be2e3dd364408..19642d0df419c 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -386,7 +386,7 @@ static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom)
+ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq, 0);
+ }
+
+-static int dwc3_qcom_suspend(struct dwc3_qcom *qcom)
++static int dwc3_qcom_suspend(struct dwc3_qcom *qcom, bool wakeup)
+ {
+ u32 val;
+ int i, ret;
+@@ -405,7 +405,7 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom)
+ if (ret)
+ dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret);
+
+- if (device_may_wakeup(qcom->dev)) {
++ if (wakeup) {
+ qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom);
+ dwc3_qcom_enable_interrupts(qcom);
+ }
+@@ -415,7 +415,7 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom)
+ return 0;
+ }
+
+-static int dwc3_qcom_resume(struct dwc3_qcom *qcom)
++static int dwc3_qcom_resume(struct dwc3_qcom *qcom, bool wakeup)
+ {
+ int ret;
+ int i;
+@@ -423,7 +423,7 @@ static int dwc3_qcom_resume(struct dwc3_qcom *qcom)
+ if (!qcom->is_suspended)
+ return 0;
+
+- if (device_may_wakeup(qcom->dev))
++ if (wakeup)
+ dwc3_qcom_disable_interrupts(qcom);
+
+ for (i = 0; i < qcom->num_clocks; i++) {
+@@ -930,9 +930,11 @@ static int dwc3_qcom_remove(struct platform_device *pdev)
+ static int __maybe_unused dwc3_qcom_pm_suspend(struct device *dev)
+ {
+ struct dwc3_qcom *qcom = dev_get_drvdata(dev);
++ bool wakeup = device_may_wakeup(dev);
+ int ret = 0;
+
+- ret = dwc3_qcom_suspend(qcom);
++
++ ret = dwc3_qcom_suspend(qcom, wakeup);
+ if (!ret)
+ qcom->pm_suspended = true;
+
+@@ -942,9 +944,10 @@ static int __maybe_unused dwc3_qcom_pm_suspend(struct device *dev)
+ static int __maybe_unused dwc3_qcom_pm_resume(struct device *dev)
+ {
+ struct dwc3_qcom *qcom = dev_get_drvdata(dev);
++ bool wakeup = device_may_wakeup(dev);
+ int ret;
+
+- ret = dwc3_qcom_resume(qcom);
++ ret = dwc3_qcom_resume(qcom, wakeup);
+ if (!ret)
+ qcom->pm_suspended = false;
+
+@@ -955,14 +958,14 @@ static int __maybe_unused dwc3_qcom_runtime_suspend(struct device *dev)
+ {
+ struct dwc3_qcom *qcom = dev_get_drvdata(dev);
+
+- return dwc3_qcom_suspend(qcom);
++ return dwc3_qcom_suspend(qcom, true);
+ }
+
+ static int __maybe_unused dwc3_qcom_runtime_resume(struct device *dev)
+ {
+ struct dwc3_qcom *qcom = dev_get_drvdata(dev);
+
+- return dwc3_qcom_resume(qcom);
++ return dwc3_qcom_resume(qcom, true);
+ }
+
+ static const struct dev_pm_ops dwc3_qcom_dev_pm_ops = {
+--
+2.35.1
+
--- /dev/null
+From f2bcee907ea77917cf12fd034566f10318ce72c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 17:09:56 +0200
+Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ]
+
+The Qualcomm dwc3 runtime-PM implementation checks the xhci
+platform-device pointer in the wakeup-interrupt handler to determine
+whether the controller is in host mode and if so triggers a resume.
+
+After a role switch in OTG mode the xhci platform-device would have been
+freed and the next wakeup from runtime suspend would access the freed
+memory.
+
+Note that role switching is executed from a freezable workqueue, which
+guarantees that the pointer is stable during suspend.
+
+Also note that runtime PM has been broken since commit 2664deb09306
+("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which
+incidentally also prevents this issue from being triggered.
+
+Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver")
+Cc: stable@vger.kernel.org # 4.18
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++-
+ drivers/usb/dwc3/host.c | 1 +
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index 19642d0df419c..25ae37b1a39df 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -298,6 +298,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom)
+ icc_put(qcom->icc_path_apps);
+ }
+
++/* Only usable in contexts where the role can not change. */
++static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom)
++{
++ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3);
++
++ return dwc->xhci;
++}
++
+ static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom)
+ {
+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3);
+@@ -457,7 +465,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data)
+ if (qcom->pm_suspended)
+ return IRQ_HANDLED;
+
+- if (dwc->xhci)
++ /*
++ * This is safe as role switching is done from a freezable workqueue
++ * and the wakeup interrupts are disabled as part of resume.
++ */
++ if (dwc3_qcom_is_host(qcom))
+ pm_runtime_resume(&dwc->xhci->dev);
+
+ return IRQ_HANDLED;
+diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c
+index f56c30cf151e4..f6f13e7f1ba14 100644
+--- a/drivers/usb/dwc3/host.c
++++ b/drivers/usb/dwc3/host.c
+@@ -135,4 +135,5 @@ int dwc3_host_init(struct dwc3 *dwc)
+ void dwc3_host_exit(struct dwc3 *dwc)
+ {
+ platform_device_unregister(dwc->xhci);
++ dwc->xhci = NULL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 767c744722e6cd8d49d356c14c0ab8821a90e4ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 10:03:21 +0300
+Subject: wifi: cfg80211: debugfs: fix return type in ht40allow_map_read()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d776763f48084926b5d9e25507a3ddb7c9243d5e ]
+
+The return type is supposed to be ssize_t, which is signed long,
+but "r" was declared as unsigned int. This means that on 64 bit systems
+we return positive values instead of negative error codes.
+
+Fixes: 80a3511d70e8 ("cfg80211: add debugfs HT40 allow map")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YutvOQeJm0UjLhwU@kili
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/debugfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/debugfs.c b/net/wireless/debugfs.c
+index aab43469a2f04..0878b162890af 100644
+--- a/net/wireless/debugfs.c
++++ b/net/wireless/debugfs.c
+@@ -65,9 +65,10 @@ static ssize_t ht40allow_map_read(struct file *file,
+ {
+ struct wiphy *wiphy = file->private_data;
+ char *buf;
+- unsigned int offset = 0, buf_size = PAGE_SIZE, i, r;
++ unsigned int offset = 0, buf_size = PAGE_SIZE, i;
+ enum nl80211_band band;
+ struct ieee80211_supported_band *sband;
++ ssize_t r;
+
+ buf = kzalloc(buf_size, GFP_KERNEL);
+ if (!buf)
+--
+2.35.1
+
--- /dev/null
+From d2d457e0df90659f0ae37945abfeb80a078971cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 18:08:38 +0300
+Subject: xhci: Fix null pointer dereference in remove if xHC has only one
+ roothub
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 4a593a62a9e3a25ab4bc37f612e4edec144f7f43 ]
+
+The remove path in xhci platform driver tries to remove and put both main
+and shared hcds even if only a main hcd exists (one roothub)
+
+This causes a null pointer dereference in reboot for those controllers.
+
+Check that the shared_hcd exists before trying to remove it.
+
+Fixes: e0fe986972f5 ("usb: host: xhci-plat: prepare operation w/o shared hcd")
+Reported-by: Alexey Sheplyakov <asheplyakov@basealt.ru>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20220825150840.132216-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-plat.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index 044855818cb11..a8641b6536eea 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -398,12 +398,17 @@ static int xhci_plat_remove(struct platform_device *dev)
+ pm_runtime_get_sync(&dev->dev);
+ xhci->xhc_state |= XHCI_STATE_REMOVING;
+
+- usb_remove_hcd(shared_hcd);
+- xhci->shared_hcd = NULL;
++ if (shared_hcd) {
++ usb_remove_hcd(shared_hcd);
++ xhci->shared_hcd = NULL;
++ }
++
+ usb_phy_shutdown(hcd->usb_phy);
+
+ usb_remove_hcd(hcd);
+- usb_put_hcd(shared_hcd);
++
++ if (shared_hcd)
++ usb_put_hcd(shared_hcd);
+
+ clk_disable_unprepare(clk);
+ clk_disable_unprepare(reg_clk);
+--
+2.35.1
+
--- /dev/null
+From 9b1e85488975d6a7905ca6b7e9c1fbf91bdeabd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Aug 2022 13:32:59 +0200
+Subject: xsk: Fix corrupted packets for XDP_SHARED_UMEM
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 58ca14ed98c87cfe0d1408cc65a9745d9e9b7a56 ]
+
+Fix an issue in XDP_SHARED_UMEM mode together with aligned mode where
+packets are corrupted for the second and any further sockets bound to
+the same umem. In other words, this does not affect the first socket
+bound to the umem. The culprit for this bug is that the initialization
+of the DMA addresses for the pre-populated xsk buffer pool entries was
+not performed for any socket but the first one bound to the umem. Only
+the linear array of DMA addresses was populated. Fix this by populating
+the DMA addresses in the xsk buffer pool for every socket bound to the
+same umem.
+
+Fixes: 94033cd8e73b8 ("xsk: Optimize for aligned case")
+Reported-by: Alasdair McWilliam <alasdair.mcwilliam@outlook.com>
+Reported-by: Intrusion Shield Team <dnevil@intrusion.com>
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Alasdair McWilliam <alasdair.mcwilliam@outlook.com>
+Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/xdp-newbies/6205E10C-292E-4995-9D10-409649354226@outlook.com/
+Link: https://lore.kernel.org/bpf/20220812113259.531-1-magnus.karlsson@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_buff_pool.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index f70112176b7c1..a71a8c6edf553 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -379,6 +379,16 @@ static void xp_check_dma_contiguity(struct xsk_dma_map *dma_map)
+
+ static int xp_init_dma_info(struct xsk_buff_pool *pool, struct xsk_dma_map *dma_map)
+ {
++ if (!pool->unaligned) {
++ u32 i;
++
++ for (i = 0; i < pool->heads_cnt; i++) {
++ struct xdp_buff_xsk *xskb = &pool->heads[i];
++
++ xp_init_xskb_dma(xskb, pool, dma_map->dma_pages, xskb->orig_addr);
++ }
++ }
++
+ pool->dma_pages = kvcalloc(dma_map->dma_pages_cnt, sizeof(*pool->dma_pages), GFP_KERNEL);
+ if (!pool->dma_pages)
+ return -ENOMEM;
+@@ -428,12 +438,6 @@ int xp_dma_map(struct xsk_buff_pool *pool, struct device *dev,
+
+ if (pool->unaligned)
+ xp_check_dma_contiguity(dma_map);
+- else
+- for (i = 0; i < pool->heads_cnt; i++) {
+- struct xdp_buff_xsk *xskb = &pool->heads[i];
+-
+- xp_init_xskb_dma(xskb, pool, dma_map->dma_pages, xskb->orig_addr);
+- }
+
+ err = xp_init_dma_info(pool, dma_map);
+ if (err) {
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
