From 4566791f2cea0518b9be1ac9b23d0bf94567a560 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Sun, 30 Jul 2023 21:25:01 -0400
Subject: [PATCH] Fixes for 6.1

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ...soc-fsl_spdif-silence-output-on-stop.patch |  38 ++
 ..._ns87415-mark-ns87560_tf_read-static.patch |  42 ++
 ...ce-code-comment-in-include-uapi-linu.patch |  50 +++
 ...-a-use-after-free-in-cxl_parse_cfmws.patch |  51 +++
 ...n-rc-instead-of-0-in-cxl_parse_cfmws.patch |  40 ++
 ...-four-equivalent-goto-tags-in-raid_c.patch |  97 +++++
 ...ing-reconfig_mutex-unlock-in-raid_ct.patch |  57 +++
 ...-protect-md_stop-with-reconfig_mutex.patch |  65 +++
 ...unlock-on-error-path-in-dm_handle_ms.patch |  37 ++
 ...rror-handling-mistake-in-psp_sw_init.patch |  44 ++
 ...error-handling-path-in-igt_write_hug.patch |  45 +++
 ...reno-fix-snapshot-bindless_data-size.patch |  38 ++
 ...-msm-disallow-submit-with-fence-id-0.patch |  37 ++
 ...-drop-enum-dpu_core_perf_data_bus_id.patch |  51 +++
 ...rr_or_null-vs-null-check-in-a5xx_sub.patch |  41 ++
 .../drm-msm-switch-idr_lock-to-spinlock.patch | 115 ++++++
 ...vent-handling-any-completions-after-.patch | 127 ++++++
 ...rdma-irdma-add-missing-read-barriers.patch | 101 +++++
 ...ix-data-race-on-cqp-completion-stats.patch | 217 ++++++++++
 ...ma-fix-data-race-on-cqp-request-done.patch | 127 ++++++
 ...-irdma-fix-op_type-reporting-in-cqes.patch |  43 ++
 .../rdma-irdma-report-correct-wc-error.patch  |  37 ++
 ...ake-check-for-invalid-flags-stricter.patch |  55 +++
 ...crash-when-polling-cq-for-shared-qps.patch |  40 ++
 ...er-fix-wrong-stat-of-cpu_buffer-read.patch | 130 ++++++
 queue-6.1/series                              |  31 ++
 ...ntlmssp_version-flag-for-negotiate-n.patch |  49 +++
 ...ning-in-trace_buffered_event_disable.patch | 119 ++++++
 ...over-device-if-queue-setup-is-interr.patch |  43 ++
 ...rt-device-if-queue-setup-is-interrup.patch |  43 ++
 ...lk_get_device_from_id-into-ublk_ctrl.patch | 378 ++++++++++++++++++
 ...-xen_domain-in-xenbus_probe_initcall.patch |  58 +++
 32 files changed, 2446 insertions(+)
 create mode 100644 queue-6.1/asoc-fsl_spdif-silence-output-on-stop.patch
 create mode 100644 queue-6.1/ata-pata_ns87415-mark-ns87560_tf_read-static.patch
 create mode 100644 queue-6.1/block-fix-a-source-code-comment-in-include-uapi-linu.patch
 create mode 100644 queue-6.1/cxl-acpi-fix-a-use-after-free-in-cxl_parse_cfmws.patch
 create mode 100644 queue-6.1/cxl-acpi-return-rc-instead-of-0-in-cxl_parse_cfmws.patch
 create mode 100644 queue-6.1/dm-raid-clean-up-four-equivalent-goto-tags-in-raid_c.patch
 create mode 100644 queue-6.1/dm-raid-fix-missing-reconfig_mutex-unlock-in-raid_ct.patch
 create mode 100644 queue-6.1/dm-raid-protect-md_stop-with-reconfig_mutex.patch
 create mode 100644 queue-6.1/drm-amd-display-unlock-on-error-path-in-dm_handle_ms.patch
 create mode 100644 queue-6.1/drm-amd-fix-an-error-handling-mistake-in-psp_sw_init.patch
 create mode 100644 queue-6.1/drm-i915-fix-an-error-handling-path-in-igt_write_hug.patch
 create mode 100644 queue-6.1/drm-msm-adreno-fix-snapshot-bindless_data-size.patch
 create mode 100644 queue-6.1/drm-msm-disallow-submit-with-fence-id-0.patch
 create mode 100644 queue-6.1/drm-msm-dpu-drop-enum-dpu_core_perf_data_bus_id.patch
 create mode 100644 queue-6.1/drm-msm-fix-is_err_or_null-vs-null-check-in-a5xx_sub.patch
 create mode 100644 queue-6.1/drm-msm-switch-idr_lock-to-spinlock.patch
 create mode 100644 queue-6.1/rdma-bnxt_re-prevent-handling-any-completions-after-.patch
 create mode 100644 queue-6.1/rdma-irdma-add-missing-read-barriers.patch
 create mode 100644 queue-6.1/rdma-irdma-fix-data-race-on-cqp-completion-stats.patch
 create mode 100644 queue-6.1/rdma-irdma-fix-data-race-on-cqp-request-done.patch
 create mode 100644 queue-6.1/rdma-irdma-fix-op_type-reporting-in-cqes.patch
 create mode 100644 queue-6.1/rdma-irdma-report-correct-wc-error.patch
 create mode 100644 queue-6.1/rdma-mlx4-make-check-for-invalid-flags-stricter.patch
 create mode 100644 queue-6.1/rdma-mthca-fix-crash-when-polling-cq-for-shared-qps.patch
 create mode 100644 queue-6.1/ring-buffer-fix-wrong-stat-of-cpu_buffer-read.patch
 create mode 100644 queue-6.1/smb3-do-not-set-ntlmssp_version-flag-for-negotiate-n.patch
 create mode 100644 queue-6.1/tracing-fix-warning-in-trace_buffered_event_disable.patch
 create mode 100644 queue-6.1/ublk-fail-to-recover-device-if-queue-setup-is-interr.patch
 create mode 100644 queue-6.1/ublk-fail-to-start-device-if-queue-setup-is-interrup.patch
 create mode 100644 queue-6.1/ublk_drv-move-ublk_get_device_from_id-into-ublk_ctrl.patch
 create mode 100644 queue-6.1/xenbus-check-xen_domain-in-xenbus_probe_initcall.patch

diff --git a/queue-6.1/asoc-fsl_spdif-silence-output-on-stop.patch b/queue-6.1/asoc-fsl_spdif-silence-output-on-stop.patch
new file mode 100644
index 00000000000..cbd89baa34f
--- /dev/null
+++ b/queue-6.1/asoc-fsl_spdif-silence-output-on-stop.patch
@@ -0,0 +1,38 @@
+From c607e8cd275a078ee1a5662522638645aed96939 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jul 2023 18:47:29 +0200
+Subject: ASoC: fsl_spdif: Silence output on stop
+
+From: Matus Gajdos <matuszpd@gmail.com>
+
+[ Upstream commit 0e4c2b6b0c4a4b4014d9424c27e5e79d185229c5 ]
+
+Clear TX registers on stop to prevent the SPDIF interface from sending
+last written word over and over again.
+
+Fixes: a2388a498ad2 ("ASoC: fsl: Add S/PDIF CPU DAI driver")
+Signed-off-by: Matus Gajdos <matuszpd@gmail.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Link: https://lore.kernel.org/r/20230719164729.19969-1-matuszpd@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_spdif.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_spdif.c b/sound/soc/fsl/fsl_spdif.c
+index 275aba8e0c469..fb6806b2db859 100644
+--- a/sound/soc/fsl/fsl_spdif.c
++++ b/sound/soc/fsl/fsl_spdif.c
+@@ -751,6 +751,8 @@ static int fsl_spdif_trigger(struct snd_pcm_substream *substream,
+ 	case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
+ 		regmap_update_bits(regmap, REG_SPDIF_SCR, dmaen, 0);
+ 		regmap_update_bits(regmap, REG_SPDIF_SIE, intr, 0);
++		regmap_write(regmap, REG_SPDIF_STL, 0x0);
++		regmap_write(regmap, REG_SPDIF_STR, 0x0);
+ 		break;
+ 	default:
+ 		return -EINVAL;
+-- 
+2.40.1
+
diff --git a/queue-6.1/ata-pata_ns87415-mark-ns87560_tf_read-static.patch b/queue-6.1/ata-pata_ns87415-mark-ns87560_tf_read-static.patch
new file mode 100644
index 00000000000..2bd5091b31d
--- /dev/null
+++ b/queue-6.1/ata-pata_ns87415-mark-ns87560_tf_read-static.patch
@@ -0,0 +1,42 @@
+From eca1f13569daf34060be6f7f0c93dd6c082e4275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jul 2023 22:33:22 +0200
+Subject: ata: pata_ns87415: mark ns87560_tf_read static
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 3fc2febb0f8ffae354820c1772ec008733237cfa ]
+
+The global function triggers a warning because of the missing prototype
+
+drivers/ata/pata_ns87415.c:263:6: warning: no previous prototype for 'ns87560_tf_read' [-Wmissing-prototypes]
+  263 | void ns87560_tf_read(struct ata_port *ap, struct ata_taskfile *tf)
+
+There are no other references to this, so just make it static.
+
+Fixes: c4b5b7b6c4423 ("pata_ns87415: Initial cut at 87415/87560 IDE support")
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_ns87415.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_ns87415.c b/drivers/ata/pata_ns87415.c
+index 9dd6bffefb485..602472d4e693e 100644
+--- a/drivers/ata/pata_ns87415.c
++++ b/drivers/ata/pata_ns87415.c
+@@ -260,7 +260,7 @@ static u8 ns87560_check_status(struct ata_port *ap)
+  *	LOCKING:
+  *	Inherited from caller.
+  */
+-void ns87560_tf_read(struct ata_port *ap, struct ata_taskfile *tf)
++static void ns87560_tf_read(struct ata_port *ap, struct ata_taskfile *tf)
+ {
+ 	struct ata_ioports *ioaddr = &ap->ioaddr;
+ 
+-- 
+2.40.1
+
diff --git a/queue-6.1/block-fix-a-source-code-comment-in-include-uapi-linu.patch b/queue-6.1/block-fix-a-source-code-comment-in-include-uapi-linu.patch
new file mode 100644
index 00000000000..88511276449
--- /dev/null
+++ b/queue-6.1/block-fix-a-source-code-comment-in-include-uapi-linu.patch
@@ -0,0 +1,50 @@
+From 5f4feb88581d654fcfa33213c012a18f47ffffaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jul 2023 13:14:12 -0700
+Subject: block: Fix a source code comment in include/uapi/linux/blkzoned.h
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit e0933b526fbfd937c4a8f4e35fcdd49f0e22d411 ]
+
+Fix the symbolic names for zone conditions in the blkzoned.h header
+file.
+
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Damien Le Moal <dlemoal@kernel.org>
+Fixes: 6a0cb1bc106f ("block: Implement support for zoned block devices")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20230706201422.3987341-1-bvanassche@acm.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/blkzoned.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/uapi/linux/blkzoned.h b/include/uapi/linux/blkzoned.h
+index b80fcc9ea5257..f85743ef6e7d1 100644
+--- a/include/uapi/linux/blkzoned.h
++++ b/include/uapi/linux/blkzoned.h
+@@ -51,13 +51,13 @@ enum blk_zone_type {
+  *
+  * The Zone Condition state machine in the ZBC/ZAC standards maps the above
+  * deinitions as:
+- *   - ZC1: Empty         | BLK_ZONE_EMPTY
++ *   - ZC1: Empty         | BLK_ZONE_COND_EMPTY
+  *   - ZC2: Implicit Open | BLK_ZONE_COND_IMP_OPEN
+  *   - ZC3: Explicit Open | BLK_ZONE_COND_EXP_OPEN
+- *   - ZC4: Closed        | BLK_ZONE_CLOSED
+- *   - ZC5: Full          | BLK_ZONE_FULL
+- *   - ZC6: Read Only     | BLK_ZONE_READONLY
+- *   - ZC7: Offline       | BLK_ZONE_OFFLINE
++ *   - ZC4: Closed        | BLK_ZONE_COND_CLOSED
++ *   - ZC5: Full          | BLK_ZONE_COND_FULL
++ *   - ZC6: Read Only     | BLK_ZONE_COND_READONLY
++ *   - ZC7: Offline       | BLK_ZONE_COND_OFFLINE
+  *
+  * Conditions 0x5 to 0xC are reserved by the current ZBC/ZAC spec and should
+  * be considered invalid.
+-- 
+2.40.1
+
diff --git a/queue-6.1/cxl-acpi-fix-a-use-after-free-in-cxl_parse_cfmws.patch b/queue-6.1/cxl-acpi-fix-a-use-after-free-in-cxl_parse_cfmws.patch
new file mode 100644
index 00000000000..d56f7d80388
--- /dev/null
+++ b/queue-6.1/cxl-acpi-fix-a-use-after-free-in-cxl_parse_cfmws.patch
@@ -0,0 +1,51 @@
+From dc3135d39f72f727f6469b5124b63f9af596d76f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jul 2023 02:31:45 -0700
+Subject: cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 4cf67d3cc9994a59cf77bb9c0ccf9007fe916afe ]
+
+KASAN and KFENCE detected an user-after-free in the CXL driver. This
+happens in the cxl_decoder_add() fail path. KASAN prints the following
+error:
+
+   BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)
+
+This happens in cxl_parse_cfmws(), where put_device() is called,
+releasing cxld, which is accessed later.
+
+Use the local variables in the dev_err() instead of pointing to the
+released memory. Since the dev_err() is printing a resource, change the open
+coded print format to use the %pr format specifier.
+
+Fixes: e50fe01e1f2a ("cxl/core: Drop ->platform_res attribute for root decoders")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Link: https://lore.kernel.org/r/20230714093146.2253438-1-leitao@debian.org
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/acpi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/cxl/acpi.c b/drivers/cxl/acpi.c
+index fb649683dd3ac..55907a94cb388 100644
+--- a/drivers/cxl/acpi.c
++++ b/drivers/cxl/acpi.c
+@@ -154,8 +154,7 @@ static int cxl_parse_cfmws(union acpi_subtable_headers *header, void *arg,
+ 	else
+ 		rc = cxl_decoder_autoremove(dev, cxld);
+ 	if (rc) {
+-		dev_err(dev, "Failed to add decode range [%#llx - %#llx]\n",
+-			cxld->hpa_range.start, cxld->hpa_range.end);
++		dev_err(dev, "Failed to add decode range: %pr", res);
+ 		return 0;
+ 	}
+ 	dev_dbg(dev, "add: %s node: %d range [%#llx - %#llx]\n",
+-- 
+2.40.1
+
diff --git a/queue-6.1/cxl-acpi-return-rc-instead-of-0-in-cxl_parse_cfmws.patch b/queue-6.1/cxl-acpi-return-rc-instead-of-0-in-cxl_parse_cfmws.patch
new file mode 100644
index 00000000000..1ec5448a4c3
--- /dev/null
+++ b/queue-6.1/cxl-acpi-return-rc-instead-of-0-in-cxl_parse_cfmws.patch
@@ -0,0 +1,40 @@
+From 98e0430b52da7c682580ad126c64f665b0d7b4a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jul 2023 02:31:46 -0700
+Subject: cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws()
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 91019b5bc7c2c5e6f676cce80ee6d12b2753d018 ]
+
+Driver initialization returned success (return 0) even if the
+initialization (cxl_decoder_add() or acpi_table_parse_cedt()) failed.
+
+Return the error instead of swallowing it.
+
+Fixes: f4ce1f766f1e ("cxl/acpi: Convert CFMWS parsing to ACPI sub-table helpers")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Link: https://lore.kernel.org/r/20230714093146.2253438-2-leitao@debian.org
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cxl/acpi.c b/drivers/cxl/acpi.c
+index 55907a94cb388..07b184382707e 100644
+--- a/drivers/cxl/acpi.c
++++ b/drivers/cxl/acpi.c
+@@ -155,7 +155,7 @@ static int cxl_parse_cfmws(union acpi_subtable_headers *header, void *arg,
+ 		rc = cxl_decoder_autoremove(dev, cxld);
+ 	if (rc) {
+ 		dev_err(dev, "Failed to add decode range: %pr", res);
+-		return 0;
++		return rc;
+ 	}
+ 	dev_dbg(dev, "add: %s node: %d range [%#llx - %#llx]\n",
+ 		dev_name(&cxld->dev),
+-- 
+2.40.1
+
diff --git a/queue-6.1/dm-raid-clean-up-four-equivalent-goto-tags-in-raid_c.patch b/queue-6.1/dm-raid-clean-up-four-equivalent-goto-tags-in-raid_c.patch
new file mode 100644
index 00000000000..0fc2663f69f
--- /dev/null
+++ b/queue-6.1/dm-raid-clean-up-four-equivalent-goto-tags-in-raid_c.patch
@@ -0,0 +1,97 @@
+From c6be6491a6e7834b610917cb0fe282a6b69946ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jul 2023 17:21:52 +0800
+Subject: dm raid: clean up four equivalent goto tags in raid_ctr()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit e74c874eabe2e9173a8fbdad616cd89c70eb8ffd ]
+
+There are four equivalent goto tags in raid_ctr(), clean them up to
+use just one.
+
+There is no functional change and this is preparation to fix
+raid_ctr()'s unprotected md_stop().
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Stable-dep-of: 7d5fff8982a2 ("dm raid: protect md_stop() with 'reconfig_mutex'")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-raid.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index bd0da5bbd57b0..c3736d1f72310 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3254,8 +3254,7 @@ static int raid_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 	r = md_start(&rs->md);
+ 	if (r) {
+ 		ti->error = "Failed to start raid array";
+-		mddev_unlock(&rs->md);
+-		goto bad_md_start;
++		goto bad_unlock;
+ 	}
+ 
+ 	/* If raid4/5/6 journal mode explicitly requested (only possible with journal dev) -> set it */
+@@ -3263,8 +3262,7 @@ static int raid_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 		r = r5c_journal_mode_set(&rs->md, rs->journal_dev.mode);
+ 		if (r) {
+ 			ti->error = "Failed to set raid4/5/6 journal mode";
+-			mddev_unlock(&rs->md);
+-			goto bad_journal_mode_set;
++			goto bad_unlock;
+ 		}
+ 	}
+ 
+@@ -3274,19 +3272,15 @@ static int raid_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 	/* Try to adjust the raid4/5/6 stripe cache size to the stripe size */
+ 	if (rs_is_raid456(rs)) {
+ 		r = rs_set_raid456_stripe_cache(rs);
+-		if (r) {
+-			mddev_unlock(&rs->md);
+-			goto bad_stripe_cache;
+-		}
++		if (r)
++			goto bad_unlock;
+ 	}
+ 
+ 	/* Now do an early reshape check */
+ 	if (test_bit(RT_FLAG_RESHAPE_RS, &rs->runtime_flags)) {
+ 		r = rs_check_reshape(rs);
+-		if (r) {
+-			mddev_unlock(&rs->md);
+-			goto bad_check_reshape;
+-		}
++		if (r)
++			goto bad_unlock;
+ 
+ 		/* Restore new, ctr requested layout to perform check */
+ 		rs_config_restore(rs, &rs_layout);
+@@ -3295,8 +3289,7 @@ static int raid_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 			r = rs->md.pers->check_reshape(&rs->md);
+ 			if (r) {
+ 				ti->error = "Reshape check failed";
+-				mddev_unlock(&rs->md);
+-				goto bad_check_reshape;
++				goto bad_unlock;
+ 			}
+ 		}
+ 	}
+@@ -3307,10 +3300,8 @@ static int raid_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 	mddev_unlock(&rs->md);
+ 	return 0;
+ 
+-bad_md_start:
+-bad_journal_mode_set:
+-bad_stripe_cache:
+-bad_check_reshape:
++bad_unlock:
++	mddev_unlock(&rs->md);
+ 	md_stop(&rs->md);
+ bad:
+ 	raid_set_free(rs);
+-- 
+2.40.1
+
diff --git a/queue-6.1/dm-raid-fix-missing-reconfig_mutex-unlock-in-raid_ct.patch b/queue-6.1/dm-raid-fix-missing-reconfig_mutex-unlock-in-raid_ct.patch
new file mode 100644
index 00000000000..ead3784769e
--- /dev/null
+++ b/queue-6.1/dm-raid-fix-missing-reconfig_mutex-unlock-in-raid_ct.patch
@@ -0,0 +1,57 @@
+From a0108338c070c2e8428e078665fd62f9b84221dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jul 2023 17:21:51 +0800
+Subject: dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit bae3028799dc4f1109acc4df37c8ff06f2d8f1a0 ]
+
+In the error paths 'bad_stripe_cache' and 'bad_check_reshape',
+'reconfig_mutex' is still held after raid_ctr() returns.
+
+Fixes: 9dbd1aa3a81c ("dm raid: add reshaping support to the target")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-raid.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index b26c12856b1db..bd0da5bbd57b0 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3274,15 +3274,19 @@ static int raid_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 	/* Try to adjust the raid4/5/6 stripe cache size to the stripe size */
+ 	if (rs_is_raid456(rs)) {
+ 		r = rs_set_raid456_stripe_cache(rs);
+-		if (r)
++		if (r) {
++			mddev_unlock(&rs->md);
+ 			goto bad_stripe_cache;
++		}
+ 	}
+ 
+ 	/* Now do an early reshape check */
+ 	if (test_bit(RT_FLAG_RESHAPE_RS, &rs->runtime_flags)) {
+ 		r = rs_check_reshape(rs);
+-		if (r)
++		if (r) {
++			mddev_unlock(&rs->md);
+ 			goto bad_check_reshape;
++		}
+ 
+ 		/* Restore new, ctr requested layout to perform check */
+ 		rs_config_restore(rs, &rs_layout);
+@@ -3291,6 +3295,7 @@ static int raid_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 			r = rs->md.pers->check_reshape(&rs->md);
+ 			if (r) {
+ 				ti->error = "Reshape check failed";
++				mddev_unlock(&rs->md);
+ 				goto bad_check_reshape;
+ 			}
+ 		}
+-- 
+2.40.1
+
diff --git a/queue-6.1/dm-raid-protect-md_stop-with-reconfig_mutex.patch b/queue-6.1/dm-raid-protect-md_stop-with-reconfig_mutex.patch
new file mode 100644
index 00000000000..67dbcd04a95
--- /dev/null
+++ b/queue-6.1/dm-raid-protect-md_stop-with-reconfig_mutex.patch
@@ -0,0 +1,65 @@
+From a3ba1c6ff60afeadfd99ae71f470fb29671d6d06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jul 2023 17:21:53 +0800
+Subject: dm raid: protect md_stop() with 'reconfig_mutex'
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 7d5fff8982a2199d49ec067818af7d84d4f95ca0 ]
+
+__md_stop_writes() and __md_stop() will modify many fields that are
+protected by 'reconfig_mutex', and all the callers will grab
+'reconfig_mutex' except for md_stop().
+
+Also, update md_stop() to make certain 'reconfig_mutex' is held using
+lockdep_assert_held().
+
+Fixes: 9d09e663d550 ("dm: raid456 basic support")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-raid.c | 4 +++-
+ drivers/md/md.c      | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index c3736d1f72310..4b7528dc2fd08 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3301,8 +3301,8 @@ static int raid_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 	return 0;
+ 
+ bad_unlock:
+-	mddev_unlock(&rs->md);
+ 	md_stop(&rs->md);
++	mddev_unlock(&rs->md);
+ bad:
+ 	raid_set_free(rs);
+ 
+@@ -3313,7 +3313,9 @@ static void raid_dtr(struct dm_target *ti)
+ {
+ 	struct raid_set *rs = ti->private;
+ 
++	mddev_lock_nointr(&rs->md);
+ 	md_stop(&rs->md);
++	mddev_unlock(&rs->md);
+ 	raid_set_free(rs);
+ }
+ 
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 829e1bd9bcbf9..45daba0eb9310 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6269,6 +6269,8 @@ static void __md_stop(struct mddev *mddev)
+ 
+ void md_stop(struct mddev *mddev)
+ {
++	lockdep_assert_held(&mddev->reconfig_mutex);
++
+ 	/* stop the array and free an attached data structures.
+ 	 * This is called from dm-raid
+ 	 */
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-amd-display-unlock-on-error-path-in-dm_handle_ms.patch b/queue-6.1/drm-amd-display-unlock-on-error-path-in-dm_handle_ms.patch
new file mode 100644
index 00000000000..da9b6ebc158
--- /dev/null
+++ b/queue-6.1/drm-amd-display-unlock-on-error-path-in-dm_handle_ms.patch
@@ -0,0 +1,37 @@
+From a1b89c4940bd9b872104cbcbe94170e2bbdcf026 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 17:55:49 +0300
+Subject: drm/amd/display: Unlock on error path in
+ dm_handle_mst_sideband_msg_ready_event()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 38ac4e8385ffb275b1837986ca6c16f26ea028c5 ]
+
+This error path needs to unlock the "aconnector->handle_mst_msg_ready"
+mutex before returning.
+
+Fixes: 4f6d9e38c4d2 ("drm/amd/display: Add polling method to handle MST reply packet")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+index 05708684c9f58..d07e1053b36b3 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -677,7 +677,7 @@ void dm_handle_mst_sideband_msg_ready_event(
+ 
+ 			if (retry == 3) {
+ 				DRM_ERROR("Failed to ack MST event.\n");
+-				return;
++				break;
+ 			}
+ 
+ 			drm_dp_mst_hpd_irq_send_new_request(&aconnector->mst_mgr);
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-amd-fix-an-error-handling-mistake-in-psp_sw_init.patch b/queue-6.1/drm-amd-fix-an-error-handling-mistake-in-psp_sw_init.patch
new file mode 100644
index 00000000000..4d318b4508a
--- /dev/null
+++ b/queue-6.1/drm-amd-fix-an-error-handling-mistake-in-psp_sw_init.patch
@@ -0,0 +1,44 @@
+From 7a4b6540f5ebe8eebdbeaec304944847f03fa738 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jul 2023 00:14:59 -0500
+Subject: drm/amd: Fix an error handling mistake in psp_sw_init()
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit c01aebeef3ce45f696ffa0a1303cea9b34babb45 ]
+
+If the second call to amdgpu_bo_create_kernel() fails, the memory
+allocated from the first call should be cleared.  If the third call
+fails, the memory from the second call should be cleared.
+
+Fixes: b95b5391684b ("drm/amdgpu/psp: move PSP memory alloc from hw_init to sw_init")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+index 0af9fb4098e8a..eecbd8eeb1f5a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -472,11 +472,11 @@ static int psp_sw_init(void *handle)
+ 	return 0;
+ 
+ failed2:
+-	amdgpu_bo_free_kernel(&psp->fw_pri_bo,
+-			      &psp->fw_pri_mc_addr, &psp->fw_pri_buf);
+-failed1:
+ 	amdgpu_bo_free_kernel(&psp->fence_buf_bo,
+ 			      &psp->fence_buf_mc_addr, &psp->fence_buf);
++failed1:
++	amdgpu_bo_free_kernel(&psp->fw_pri_bo,
++			      &psp->fw_pri_mc_addr, &psp->fw_pri_buf);
+ 	return ret;
+ }
+ 
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-i915-fix-an-error-handling-path-in-igt_write_hug.patch b/queue-6.1/drm-i915-fix-an-error-handling-path-in-igt_write_hug.patch
new file mode 100644
index 00000000000..849c4e1fe9f
--- /dev/null
+++ b/queue-6.1/drm-i915-fix-an-error-handling-path-in-igt_write_hug.patch
@@ -0,0 +1,45 @@
+From f41021c6a31f4d2a6ea25ff5351b36d6a4eddea7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jul 2023 20:49:31 +0200
+Subject: drm/i915: Fix an error handling path in igt_write_huge()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e354f67733115b4453268f61e6e072e9b1ea7a2f ]
+
+All error handling paths go to 'out', except this one. Be consistent and
+also branch to 'out' here.
+
+Fixes: c10a652e239e ("drm/i915/selftests: Rework context handling in hugepages selftests")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/7a036b88671312ee9adc01c74ef5b3376f690b76.1689619758.git.christophe.jaillet@wanadoo.fr
+(cherry picked from commit 361ecaadb1ce3c5312c7c4c419271326d43899eb)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/selftests/huge_pages.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/selftests/huge_pages.c b/drivers/gpu/drm/i915/gem/selftests/huge_pages.c
+index 436598f19522c..02fe7ea8c5df8 100644
+--- a/drivers/gpu/drm/i915/gem/selftests/huge_pages.c
++++ b/drivers/gpu/drm/i915/gem/selftests/huge_pages.c
+@@ -1185,8 +1185,10 @@ static int igt_write_huge(struct drm_i915_private *i915,
+ 	 * times in succession a possibility by enlarging the permutation array.
+ 	 */
+ 	order = i915_random_order(count * count, &prng);
+-	if (!order)
+-		return -ENOMEM;
++	if (!order) {
++		err = -ENOMEM;
++		goto out;
++	}
+ 
+ 	max_page_size = rounddown_pow_of_two(obj->mm.page_sizes.sg);
+ 	max = div_u64(max - size, max_page_size);
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-msm-adreno-fix-snapshot-bindless_data-size.patch b/queue-6.1/drm-msm-adreno-fix-snapshot-bindless_data-size.patch
new file mode 100644
index 00000000000..e457c972021
--- /dev/null
+++ b/queue-6.1/drm-msm-adreno-fix-snapshot-bindless_data-size.patch
@@ -0,0 +1,38 @@
+From dced1e671773db3cb1d3e8bcbd71ae0b5514c486 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jul 2023 10:54:07 -0700
+Subject: drm/msm/adreno: Fix snapshot BINDLESS_DATA size
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit bd846ceee9c478d0397428f02696602ba5eb264a ]
+
+The incorrect size was causing "CP | AHB bus error" when snapshotting
+the GPU state on a6xx gen4 (a660 family).
+
+Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/26
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
+Fixes: 1707add81551 ("drm/msm/a6xx: Add a6xx gpu state")
+Patchwork: https://patchwork.freedesktop.org/patch/546763/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu_state.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.h b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.h
+index 2fb58b7098e4b..3bd2065a9d30e 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.h
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.h
+@@ -200,7 +200,7 @@ static const struct a6xx_shader_block {
+ 	SHADER(A6XX_SP_LB_3_DATA, 0x800),
+ 	SHADER(A6XX_SP_LB_4_DATA, 0x800),
+ 	SHADER(A6XX_SP_LB_5_DATA, 0x200),
+-	SHADER(A6XX_SP_CB_BINDLESS_DATA, 0x2000),
++	SHADER(A6XX_SP_CB_BINDLESS_DATA, 0x800),
+ 	SHADER(A6XX_SP_CB_LEGACY_DATA, 0x280),
+ 	SHADER(A6XX_SP_UAV_DATA, 0x80),
+ 	SHADER(A6XX_SP_INST_TAG, 0x80),
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-msm-disallow-submit-with-fence-id-0.patch b/queue-6.1/drm-msm-disallow-submit-with-fence-id-0.patch
new file mode 100644
index 00000000000..f63c3c12581
--- /dev/null
+++ b/queue-6.1/drm-msm-disallow-submit-with-fence-id-0.patch
@@ -0,0 +1,37 @@
+From 2b2360b2defa768b785544bc1a12c56e5d84b9a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jul 2023 13:30:21 -0700
+Subject: drm/msm: Disallow submit with fence id 0
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 1b5d0ddcb34a605835051ae2950d5cfed0373dd8 ]
+
+A fence id of zero is expected to be invalid, and is not removed from
+the fence_idr table.  If userspace is requesting to specify the fence
+id with the FENCE_SN_IN flag, we need to reject a zero fence id value.
+
+Fixes: 17154addc5c1 ("drm/msm: Add MSM_SUBMIT_FENCE_SN_IN")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/549180/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 5668860f01827..c12a6ac2d3840 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -875,7 +875,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ 	 * after the job is armed
+ 	 */
+ 	if ((args->flags & MSM_SUBMIT_FENCE_SN_IN) &&
+-			idr_find(&queue->fence_idr, args->fence)) {
++			(!args->fence || idr_find(&queue->fence_idr, args->fence))) {
+ 		spin_unlock(&queue->idr_lock);
+ 		ret = -EINVAL;
+ 		goto out;
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-msm-dpu-drop-enum-dpu_core_perf_data_bus_id.patch b/queue-6.1/drm-msm-dpu-drop-enum-dpu_core_perf_data_bus_id.patch
new file mode 100644
index 00000000000..804610e3243
--- /dev/null
+++ b/queue-6.1/drm-msm-dpu-drop-enum-dpu_core_perf_data_bus_id.patch
@@ -0,0 +1,51 @@
+From 4647a5d32f2e6dc4387d7a943c500127c62c3ea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jul 2023 22:39:32 +0300
+Subject: drm/msm/dpu: drop enum dpu_core_perf_data_bus_id
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit e8383f5cf1b3573ce140a80bfbfd809278ab16d6 ]
+
+Drop the leftover of bus-client -> interconnect conversion, the enum
+dpu_core_perf_data_bus_id.
+
+Fixes: cb88482e2570 ("drm/msm/dpu: clean up references of DPU custom bus scaling")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/546048/
+Link: https://lore.kernel.org/r/20230707193942.3806526-2-dmitry.baryshkov@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.h | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.h
+index e3795995e1454..29bb8ee2bc266 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.h
+@@ -14,19 +14,6 @@
+ 
+ #define	DPU_PERF_DEFAULT_MAX_CORE_CLK_RATE	412500000
+ 
+-/**
+- * enum dpu_core_perf_data_bus_id - data bus identifier
+- * @DPU_CORE_PERF_DATA_BUS_ID_MNOC: DPU/MNOC data bus
+- * @DPU_CORE_PERF_DATA_BUS_ID_LLCC: MNOC/LLCC data bus
+- * @DPU_CORE_PERF_DATA_BUS_ID_EBI: LLCC/EBI data bus
+- */
+-enum dpu_core_perf_data_bus_id {
+-	DPU_CORE_PERF_DATA_BUS_ID_MNOC,
+-	DPU_CORE_PERF_DATA_BUS_ID_LLCC,
+-	DPU_CORE_PERF_DATA_BUS_ID_EBI,
+-	DPU_CORE_PERF_DATA_BUS_ID_MAX,
+-};
+-
+ /**
+  * struct dpu_core_perf_params - definition of performance parameters
+  * @max_per_pipe_ib: maximum instantaneous bandwidth request
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-msm-fix-is_err_or_null-vs-null-check-in-a5xx_sub.patch b/queue-6.1/drm-msm-fix-is_err_or_null-vs-null-check-in-a5xx_sub.patch
new file mode 100644
index 00000000000..aa978558d8f
--- /dev/null
+++ b/queue-6.1/drm-msm-fix-is_err_or_null-vs-null-check-in-a5xx_sub.patch
@@ -0,0 +1,41 @@
+From 0568c05b610c3f99fb4fc76e74704225c1d8a748 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jul 2023 09:47:38 +0800
+Subject: drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 6e8a996563ecbe68e49c49abd4aaeef69f11f2dc ]
+
+The msm_gem_get_vaddr() returns an ERR_PTR() on failure, and a null
+is catastrophic here, so we should use IS_ERR_OR_NULL() to check
+the return value.
+
+Fixes: 6a8bd08d0465 ("drm/msm: add sudo flag to submit ioctl")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/547712/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index 0829eaf2cd4e8..895a0e9db1f09 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -89,7 +89,7 @@ static void a5xx_submit_in_rb(struct msm_gpu *gpu, struct msm_gem_submit *submit
+ 			 * since we've already mapped it once in
+ 			 * submit_reloc()
+ 			 */
+-			if (WARN_ON(!ptr))
++			if (WARN_ON(IS_ERR_OR_NULL(ptr)))
+ 				return;
+ 
+ 			for (i = 0; i < dwords; i++) {
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-msm-switch-idr_lock-to-spinlock.patch b/queue-6.1/drm-msm-switch-idr_lock-to-spinlock.patch
new file mode 100644
index 00000000000..28aa9ec616d
--- /dev/null
+++ b/queue-6.1/drm-msm-switch-idr_lock-to-spinlock.patch
@@ -0,0 +1,115 @@
+From 66db90f9b8d8868e9ba640f86c290cc7a826b70a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 07:43:32 -0700
+Subject: drm/msm: Switch idr_lock to spinlock
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit e4f020c6a05db73eac49b7c3b3650251be374200 ]
+
+Needed to idr_preload() which returns with preemption disabled.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/527846/
+Link: https://lore.kernel.org/r/20230320144356.803762-11-robdclark@gmail.com
+Stable-dep-of: 1b5d0ddcb34a ("drm/msm: Disallow submit with fence id 0")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c         |  6 ++----
+ drivers/gpu/drm/msm/msm_gem_submit.c  | 10 +++++-----
+ drivers/gpu/drm/msm/msm_gpu.h         |  2 +-
+ drivers/gpu/drm/msm/msm_submitqueue.c |  2 +-
+ 4 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
+index ac3d1d492a48c..f982a827be7ca 100644
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -932,13 +932,11 @@ static int wait_fence(struct msm_gpu_submitqueue *queue, uint32_t fence_id,
+ 	 * retired, so if the fence is not found it means there is nothing
+ 	 * to wait for
+ 	 */
+-	ret = mutex_lock_interruptible(&queue->idr_lock);
+-	if (ret)
+-		return ret;
++	spin_lock(&queue->idr_lock);
+ 	fence = idr_find(&queue->fence_idr, fence_id);
+ 	if (fence)
+ 		fence = dma_fence_get_rcu(fence);
+-	mutex_unlock(&queue->idr_lock);
++	spin_unlock(&queue->idr_lock);
+ 
+ 	if (!fence)
+ 		return 0;
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index d6162561141c5..5668860f01827 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -72,9 +72,9 @@ void __msm_gem_submit_destroy(struct kref *kref)
+ 	unsigned i;
+ 
+ 	if (submit->fence_id) {
+-		mutex_lock(&submit->queue->idr_lock);
++		spin_lock(&submit->queue->idr_lock);
+ 		idr_remove(&submit->queue->fence_idr, submit->fence_id);
+-		mutex_unlock(&submit->queue->idr_lock);
++		spin_unlock(&submit->queue->idr_lock);
+ 	}
+ 
+ 	dma_fence_put(submit->user_fence);
+@@ -866,7 +866,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ 
+ 	submit->nr_cmds = i;
+ 
+-	mutex_lock(&queue->idr_lock);
++	spin_lock(&queue->idr_lock);
+ 
+ 	/*
+ 	 * If using userspace provided seqno fence, validate that the id
+@@ -876,7 +876,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ 	 */
+ 	if ((args->flags & MSM_SUBMIT_FENCE_SN_IN) &&
+ 			idr_find(&queue->fence_idr, args->fence)) {
+-		mutex_unlock(&queue->idr_lock);
++		spin_unlock(&queue->idr_lock);
+ 		ret = -EINVAL;
+ 		goto out;
+ 	}
+@@ -910,7 +910,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ 						    INT_MAX, GFP_KERNEL);
+ 	}
+ 
+-	mutex_unlock(&queue->idr_lock);
++	spin_unlock(&queue->idr_lock);
+ 
+ 	if (submit->fence_id < 0) {
+ 		ret = submit->fence_id;
+diff --git a/drivers/gpu/drm/msm/msm_gpu.h b/drivers/gpu/drm/msm/msm_gpu.h
+index 732295e256834..b39cd332751dc 100644
+--- a/drivers/gpu/drm/msm/msm_gpu.h
++++ b/drivers/gpu/drm/msm/msm_gpu.h
+@@ -500,7 +500,7 @@ struct msm_gpu_submitqueue {
+ 	struct msm_file_private *ctx;
+ 	struct list_head node;
+ 	struct idr fence_idr;
+-	struct mutex idr_lock;
++	struct spinlock idr_lock;
+ 	struct mutex lock;
+ 	struct kref ref;
+ 	struct drm_sched_entity *entity;
+diff --git a/drivers/gpu/drm/msm/msm_submitqueue.c b/drivers/gpu/drm/msm/msm_submitqueue.c
+index c6929e205b511..0e803125a325a 100644
+--- a/drivers/gpu/drm/msm/msm_submitqueue.c
++++ b/drivers/gpu/drm/msm/msm_submitqueue.c
+@@ -200,7 +200,7 @@ int msm_submitqueue_create(struct drm_device *drm, struct msm_file_private *ctx,
+ 		*id = queue->id;
+ 
+ 	idr_init(&queue->fence_idr);
+-	mutex_init(&queue->idr_lock);
++	spin_lock_init(&queue->idr_lock);
+ 	mutex_init(&queue->lock);
+ 
+ 	list_add_tail(&queue->node, &ctx->submitqueues);
+-- 
+2.40.1
+
diff --git a/queue-6.1/rdma-bnxt_re-prevent-handling-any-completions-after-.patch b/queue-6.1/rdma-bnxt_re-prevent-handling-any-completions-after-.patch
new file mode 100644
index 00000000000..058b2a7dac0
--- /dev/null
+++ b/queue-6.1/rdma-bnxt_re-prevent-handling-any-completions-after-.patch
@@ -0,0 +1,127 @@
+From 82dd6044fd40f5b3cb7416766757720f3b0d44d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jul 2023 01:22:48 -0700
+Subject: RDMA/bnxt_re: Prevent handling any completions after qp destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kashyap Desai <kashyap.desai@broadcom.com>
+
+[ Upstream commit b5bbc6551297447d3cca55cf907079e206e9cd82 ]
+
+HW may generate completions that indicates QP is destroyed.
+Driver should not be scheduling any more completion handlers
+for this QP, after the QP is destroyed. Since CQs are active
+during the QP destroy, driver may still schedule completion
+handlers. This can cause a race where the destroy_cq and poll_cq
+running simultaneously.
+
+Snippet of kernel panic while doing bnxt_re driver load unload in loop.
+This indicates a poll after the CQ is freed. 
+
+[77786.481636] Call Trace:
+[77786.481640]  <TASK>
+[77786.481644]  bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]
+[77786.481658]  ? kvm_clock_read+0x14/0x30
+[77786.481693]  __ib_process_cq+0x57/0x190 [ib_core]
+[77786.481728]  ib_cq_poll_work+0x26/0x80 [ib_core]
+[77786.481761]  process_one_work+0x1e5/0x3f0
+[77786.481768]  worker_thread+0x50/0x3a0
+[77786.481785]  ? __pfx_worker_thread+0x10/0x10
+[77786.481790]  kthread+0xe2/0x110
+[77786.481794]  ? __pfx_kthread+0x10/0x10
+[77786.481797]  ret_from_fork+0x2c/0x50
+
+To avoid this, complete all completion handlers before returning the
+destroy QP. If free_cq is called soon after destroy_qp,  IB stack
+will cancel the CQ work before invoking the destroy_cq verb and
+this will prevent any race mentioned.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://lore.kernel.org/r/1689322969-25402-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 12 ++++++++++++
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 18 ++++++++++++++++++
+ drivers/infiniband/hw/bnxt_re/qplib_fp.h |  1 +
+ 3 files changed, 31 insertions(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 94222de1d3719..4ed8814efde6f 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -796,7 +796,10 @@ static int bnxt_re_destroy_gsi_sqp(struct bnxt_re_qp *qp)
+ int bnxt_re_destroy_qp(struct ib_qp *ib_qp, struct ib_udata *udata)
+ {
+ 	struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp);
++	struct bnxt_qplib_qp *qplib_qp = &qp->qplib_qp;
+ 	struct bnxt_re_dev *rdev = qp->rdev;
++	struct bnxt_qplib_nq *scq_nq = NULL;
++	struct bnxt_qplib_nq *rcq_nq = NULL;
+ 	unsigned int flags;
+ 	int rc;
+ 
+@@ -830,6 +833,15 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp, struct ib_udata *udata)
+ 	ib_umem_release(qp->rumem);
+ 	ib_umem_release(qp->sumem);
+ 
++	/* Flush all the entries of notification queue associated with
++	 * given qp.
++	 */
++	scq_nq = qplib_qp->scq->nq;
++	rcq_nq = qplib_qp->rcq->nq;
++	bnxt_re_synchronize_nq(scq_nq);
++	if (scq_nq != rcq_nq)
++		bnxt_re_synchronize_nq(rcq_nq);
++
+ 	return 0;
+ }
+ 
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 74d56900387a1..1011293547ef7 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -387,6 +387,24 @@ static void bnxt_qplib_service_nq(struct tasklet_struct *t)
+ 	spin_unlock_bh(&hwq->lock);
+ }
+ 
++/* bnxt_re_synchronize_nq - self polling notification queue.
++ * @nq      -     notification queue pointer
++ *
++ * This function will start polling entries of a given notification queue
++ * for all pending  entries.
++ * This function is useful to synchronize notification entries while resources
++ * are going away.
++ */
++
++void bnxt_re_synchronize_nq(struct bnxt_qplib_nq *nq)
++{
++	int budget = nq->budget;
++
++	nq->budget = nq->hwq.max_elements;
++	bnxt_qplib_service_nq(&nq->nq_tasklet);
++	nq->budget = budget;
++}
++
+ static irqreturn_t bnxt_qplib_nq_irq(int irq, void *dev_instance)
+ {
+ 	struct bnxt_qplib_nq *nq = dev_instance;
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+index f859710f9a7f4..49d89c0808275 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+@@ -548,6 +548,7 @@ int bnxt_qplib_process_flush_list(struct bnxt_qplib_cq *cq,
+ 				  struct bnxt_qplib_cqe *cqe,
+ 				  int num_cqes);
+ void bnxt_qplib_flush_cqn_wq(struct bnxt_qplib_qp *qp);
++void bnxt_re_synchronize_nq(struct bnxt_qplib_nq *nq);
+ 
+ static inline void *bnxt_qplib_get_swqe(struct bnxt_qplib_q *que, u32 *swq_idx)
+ {
+-- 
+2.40.1
+
diff --git a/queue-6.1/rdma-irdma-add-missing-read-barriers.patch b/queue-6.1/rdma-irdma-add-missing-read-barriers.patch
new file mode 100644
index 00000000000..0057e87599c
--- /dev/null
+++ b/queue-6.1/rdma-irdma-add-missing-read-barriers.patch
@@ -0,0 +1,101 @@
+From f355453702b6b1dcb78f8ccfbde39c08f87f981f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jul 2023 12:52:51 -0500
+Subject: RDMA/irdma: Add missing read barriers
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+[ Upstream commit 4984eb51453ff7eddee9e5ce816145be39c0ec5c ]
+
+On code inspection, there are many instances in the driver where
+CEQE and AEQE fields written to by HW are read without guaranteeing
+that the polarity bit has been read and checked first.
+
+Add a read barrier to avoid reordering of loads on the CEQE/AEQE fields
+prior to checking the polarity bit.
+
+Fixes: 3f49d6842569 ("RDMA/irdma: Implement HW Admin Queue OPs")
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230711175253.1289-2-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/ctrl.c | 9 ++++++++-
+ drivers/infiniband/hw/irdma/puda.c | 6 ++++++
+ drivers/infiniband/hw/irdma/uk.c   | 3 +++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/ctrl.c b/drivers/infiniband/hw/irdma/ctrl.c
+index a41e0d21143ae..d86d7ca9cee4a 100644
+--- a/drivers/infiniband/hw/irdma/ctrl.c
++++ b/drivers/infiniband/hw/irdma/ctrl.c
+@@ -3344,6 +3344,9 @@ int irdma_sc_ccq_get_cqe_info(struct irdma_sc_cq *ccq,
+ 	if (polarity != ccq->cq_uk.polarity)
+ 		return -ENOENT;
+ 
++	/* Ensure CEQE contents are read after valid bit is checked */
++	dma_rmb();
++
+ 	get_64bit_val(cqe, 8, &qp_ctx);
+ 	cqp = (struct irdma_sc_cqp *)(unsigned long)qp_ctx;
+ 	info->error = (bool)FIELD_GET(IRDMA_CQ_ERROR, temp);
+@@ -3990,13 +3993,17 @@ int irdma_sc_get_next_aeqe(struct irdma_sc_aeq *aeq,
+ 	u8 polarity;
+ 
+ 	aeqe = IRDMA_GET_CURRENT_AEQ_ELEM(aeq);
+-	get_64bit_val(aeqe, 0, &compl_ctx);
+ 	get_64bit_val(aeqe, 8, &temp);
+ 	polarity = (u8)FIELD_GET(IRDMA_AEQE_VALID, temp);
+ 
+ 	if (aeq->polarity != polarity)
+ 		return -ENOENT;
+ 
++	/* Ensure AEQE contents are read after valid bit is checked */
++	dma_rmb();
++
++	get_64bit_val(aeqe, 0, &compl_ctx);
++
+ 	print_hex_dump_debug("WQE: AEQ_ENTRY WQE", DUMP_PREFIX_OFFSET, 16, 8,
+ 			     aeqe, 16, false);
+ 
+diff --git a/drivers/infiniband/hw/irdma/puda.c b/drivers/infiniband/hw/irdma/puda.c
+index 4ec9639f1bdbf..562531712ea44 100644
+--- a/drivers/infiniband/hw/irdma/puda.c
++++ b/drivers/infiniband/hw/irdma/puda.c
+@@ -230,6 +230,9 @@ static int irdma_puda_poll_info(struct irdma_sc_cq *cq,
+ 	if (valid_bit != cq_uk->polarity)
+ 		return -ENOENT;
+ 
++	/* Ensure CQE contents are read after valid bit is checked */
++	dma_rmb();
++
+ 	if (cq->dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2)
+ 		ext_valid = (bool)FIELD_GET(IRDMA_CQ_EXTCQE, qword3);
+ 
+@@ -243,6 +246,9 @@ static int irdma_puda_poll_info(struct irdma_sc_cq *cq,
+ 		if (polarity != cq_uk->polarity)
+ 			return -ENOENT;
+ 
++		/* Ensure ext CQE contents are read after ext valid bit is checked */
++		dma_rmb();
++
+ 		IRDMA_RING_MOVE_HEAD_NOCHECK(cq_uk->cq_ring);
+ 		if (!IRDMA_RING_CURRENT_HEAD(cq_uk->cq_ring))
+ 			cq_uk->polarity = !cq_uk->polarity;
+diff --git a/drivers/infiniband/hw/irdma/uk.c b/drivers/infiniband/hw/irdma/uk.c
+index dd428d915c175..ea2c07751245a 100644
+--- a/drivers/infiniband/hw/irdma/uk.c
++++ b/drivers/infiniband/hw/irdma/uk.c
+@@ -1527,6 +1527,9 @@ void irdma_uk_clean_cq(void *q, struct irdma_cq_uk *cq)
+ 		if (polarity != temp)
+ 			break;
+ 
++		/* Ensure CQE contents are read after valid bit is checked */
++		dma_rmb();
++
+ 		get_64bit_val(cqe, 8, &comp_ctx);
+ 		if ((void *)(unsigned long)comp_ctx == q)
+ 			set_64bit_val(cqe, 8, 0);
+-- 
+2.40.1
+
diff --git a/queue-6.1/rdma-irdma-fix-data-race-on-cqp-completion-stats.patch b/queue-6.1/rdma-irdma-fix-data-race-on-cqp-completion-stats.patch
new file mode 100644
index 00000000000..f3cd18e3cd4
--- /dev/null
+++ b/queue-6.1/rdma-irdma-fix-data-race-on-cqp-completion-stats.patch
@@ -0,0 +1,217 @@
+From 6adb82e0fe0dfcad9f7bcd3fdd334edf49bab544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jul 2023 12:52:52 -0500
+Subject: RDMA/irdma: Fix data race on CQP completion stats
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+[ Upstream commit f2c3037811381f9149243828c7eb9a1631df9f9c ]
+
+CQP completion statistics is read lockesly in irdma_wait_event and
+irdma_check_cqp_progress while it can be updated in the completion
+thread irdma_sc_ccq_get_cqe_info on another CPU as KCSAN reports.
+
+Make completion statistics an atomic variable to reflect coherent updates
+to it. This will also avoid load/store tearing logic bug potentially
+possible by compiler optimizations.
+
+[77346.170861] BUG: KCSAN: data-race in irdma_handle_cqp_op [irdma] / irdma_sc_ccq_get_cqe_info [irdma]
+
+[77346.171383] write to 0xffff8a3250b108e0 of 8 bytes by task 9544 on cpu 4:
+[77346.171483]  irdma_sc_ccq_get_cqe_info+0x27a/0x370 [irdma]
+[77346.171658]  irdma_cqp_ce_handler+0x164/0x270 [irdma]
+[77346.171835]  cqp_compl_worker+0x1b/0x20 [irdma]
+[77346.172009]  process_one_work+0x4d1/0xa40
+[77346.172024]  worker_thread+0x319/0x700
+[77346.172037]  kthread+0x180/0x1b0
+[77346.172054]  ret_from_fork+0x22/0x30
+
+[77346.172136] read to 0xffff8a3250b108e0 of 8 bytes by task 9838 on cpu 2:
+[77346.172234]  irdma_handle_cqp_op+0xf4/0x4b0 [irdma]
+[77346.172413]  irdma_cqp_aeq_cmd+0x75/0xa0 [irdma]
+[77346.172592]  irdma_create_aeq+0x390/0x45a [irdma]
+[77346.172769]  irdma_rt_init_hw.cold+0x212/0x85d [irdma]
+[77346.172944]  irdma_probe+0x54f/0x620 [irdma]
+[77346.173122]  auxiliary_bus_probe+0x66/0xa0
+[77346.173137]  really_probe+0x140/0x540
+[77346.173154]  __driver_probe_device+0xc7/0x220
+[77346.173173]  driver_probe_device+0x5f/0x140
+[77346.173190]  __driver_attach+0xf0/0x2c0
+[77346.173208]  bus_for_each_dev+0xa8/0xf0
+[77346.173225]  driver_attach+0x29/0x30
+[77346.173240]  bus_add_driver+0x29c/0x2f0
+[77346.173255]  driver_register+0x10f/0x1a0
+[77346.173272]  __auxiliary_driver_register+0xbc/0x140
+[77346.173287]  irdma_init_module+0x55/0x1000 [irdma]
+[77346.173460]  do_one_initcall+0x7d/0x410
+[77346.173475]  do_init_module+0x81/0x2c0
+[77346.173491]  load_module+0x1232/0x12c0
+[77346.173506]  __do_sys_finit_module+0x101/0x180
+[77346.173522]  __x64_sys_finit_module+0x3c/0x50
+[77346.173538]  do_syscall_64+0x39/0x90
+[77346.173553]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+[77346.173634] value changed: 0x0000000000000094 -> 0x0000000000000095
+
+Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230711175253.1289-3-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/ctrl.c  | 22 +++++++-------
+ drivers/infiniband/hw/irdma/defs.h  | 46 ++++++++++++++---------------
+ drivers/infiniband/hw/irdma/type.h  |  2 ++
+ drivers/infiniband/hw/irdma/utils.c |  2 +-
+ 4 files changed, 36 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/ctrl.c b/drivers/infiniband/hw/irdma/ctrl.c
+index d86d7ca9cee4a..6544c9c60b7db 100644
+--- a/drivers/infiniband/hw/irdma/ctrl.c
++++ b/drivers/infiniband/hw/irdma/ctrl.c
+@@ -2693,13 +2693,13 @@ static int irdma_sc_cq_modify(struct irdma_sc_cq *cq,
+  */
+ void irdma_check_cqp_progress(struct irdma_cqp_timeout *timeout, struct irdma_sc_dev *dev)
+ {
+-	if (timeout->compl_cqp_cmds != dev->cqp_cmd_stats[IRDMA_OP_CMPL_CMDS]) {
+-		timeout->compl_cqp_cmds = dev->cqp_cmd_stats[IRDMA_OP_CMPL_CMDS];
++	u64 completed_ops = atomic64_read(&dev->cqp->completed_ops);
++
++	if (timeout->compl_cqp_cmds != completed_ops) {
++		timeout->compl_cqp_cmds = completed_ops;
+ 		timeout->count = 0;
+-	} else {
+-		if (dev->cqp_cmd_stats[IRDMA_OP_REQ_CMDS] !=
+-		    timeout->compl_cqp_cmds)
+-			timeout->count++;
++	} else if (timeout->compl_cqp_cmds != dev->cqp->requested_ops) {
++		timeout->count++;
+ 	}
+ }
+ 
+@@ -2742,7 +2742,7 @@ static int irdma_cqp_poll_registers(struct irdma_sc_cqp *cqp, u32 tail,
+ 		if (newtail != tail) {
+ 			/* SUCCESS */
+ 			IRDMA_RING_MOVE_TAIL(cqp->sq_ring);
+-			cqp->dev->cqp_cmd_stats[IRDMA_OP_CMPL_CMDS]++;
++			atomic64_inc(&cqp->completed_ops);
+ 			return 0;
+ 		}
+ 		udelay(cqp->dev->hw_attrs.max_sleep_count);
+@@ -3102,8 +3102,8 @@ int irdma_sc_cqp_init(struct irdma_sc_cqp *cqp,
+ 	info->dev->cqp = cqp;
+ 
+ 	IRDMA_RING_INIT(cqp->sq_ring, cqp->sq_size);
+-	cqp->dev->cqp_cmd_stats[IRDMA_OP_REQ_CMDS] = 0;
+-	cqp->dev->cqp_cmd_stats[IRDMA_OP_CMPL_CMDS] = 0;
++	cqp->requested_ops = 0;
++	atomic64_set(&cqp->completed_ops, 0);
+ 	/* for the cqp commands backlog. */
+ 	INIT_LIST_HEAD(&cqp->dev->cqp_cmd_head);
+ 
+@@ -3255,7 +3255,7 @@ __le64 *irdma_sc_cqp_get_next_send_wqe_idx(struct irdma_sc_cqp *cqp, u64 scratch
+ 	if (ret_code)
+ 		return NULL;
+ 
+-	cqp->dev->cqp_cmd_stats[IRDMA_OP_REQ_CMDS]++;
++	cqp->requested_ops++;
+ 	if (!*wqe_idx)
+ 		cqp->polarity = !cqp->polarity;
+ 	wqe = cqp->sq_base[*wqe_idx].elem;
+@@ -3381,7 +3381,7 @@ int irdma_sc_ccq_get_cqe_info(struct irdma_sc_cq *ccq,
+ 	dma_wmb(); /* make sure shadow area is updated before moving tail */
+ 
+ 	IRDMA_RING_MOVE_TAIL(cqp->sq_ring);
+-	ccq->dev->cqp_cmd_stats[IRDMA_OP_CMPL_CMDS]++;
++	atomic64_inc(&cqp->completed_ops);
+ 
+ 	return ret_code;
+ }
+diff --git a/drivers/infiniband/hw/irdma/defs.h b/drivers/infiniband/hw/irdma/defs.h
+index c1906cab5c8ad..ad54260cb58c9 100644
+--- a/drivers/infiniband/hw/irdma/defs.h
++++ b/drivers/infiniband/hw/irdma/defs.h
+@@ -190,32 +190,30 @@ enum irdma_cqp_op_type {
+ 	IRDMA_OP_MANAGE_VF_PBLE_BP		= 25,
+ 	IRDMA_OP_QUERY_FPM_VAL			= 26,
+ 	IRDMA_OP_COMMIT_FPM_VAL			= 27,
+-	IRDMA_OP_REQ_CMDS			= 28,
+-	IRDMA_OP_CMPL_CMDS			= 29,
+-	IRDMA_OP_AH_CREATE			= 30,
+-	IRDMA_OP_AH_MODIFY			= 31,
+-	IRDMA_OP_AH_DESTROY			= 32,
+-	IRDMA_OP_MC_CREATE			= 33,
+-	IRDMA_OP_MC_DESTROY			= 34,
+-	IRDMA_OP_MC_MODIFY			= 35,
+-	IRDMA_OP_STATS_ALLOCATE			= 36,
+-	IRDMA_OP_STATS_FREE			= 37,
+-	IRDMA_OP_STATS_GATHER			= 38,
+-	IRDMA_OP_WS_ADD_NODE			= 39,
+-	IRDMA_OP_WS_MODIFY_NODE			= 40,
+-	IRDMA_OP_WS_DELETE_NODE			= 41,
+-	IRDMA_OP_WS_FAILOVER_START		= 42,
+-	IRDMA_OP_WS_FAILOVER_COMPLETE		= 43,
+-	IRDMA_OP_SET_UP_MAP			= 44,
+-	IRDMA_OP_GEN_AE				= 45,
+-	IRDMA_OP_QUERY_RDMA_FEATURES		= 46,
+-	IRDMA_OP_ALLOC_LOCAL_MAC_ENTRY		= 47,
+-	IRDMA_OP_ADD_LOCAL_MAC_ENTRY		= 48,
+-	IRDMA_OP_DELETE_LOCAL_MAC_ENTRY		= 49,
+-	IRDMA_OP_CQ_MODIFY			= 50,
++	IRDMA_OP_AH_CREATE			= 28,
++	IRDMA_OP_AH_MODIFY			= 29,
++	IRDMA_OP_AH_DESTROY			= 30,
++	IRDMA_OP_MC_CREATE			= 31,
++	IRDMA_OP_MC_DESTROY			= 32,
++	IRDMA_OP_MC_MODIFY			= 33,
++	IRDMA_OP_STATS_ALLOCATE			= 34,
++	IRDMA_OP_STATS_FREE			= 35,
++	IRDMA_OP_STATS_GATHER			= 36,
++	IRDMA_OP_WS_ADD_NODE			= 37,
++	IRDMA_OP_WS_MODIFY_NODE			= 38,
++	IRDMA_OP_WS_DELETE_NODE			= 39,
++	IRDMA_OP_WS_FAILOVER_START		= 40,
++	IRDMA_OP_WS_FAILOVER_COMPLETE		= 41,
++	IRDMA_OP_SET_UP_MAP			= 42,
++	IRDMA_OP_GEN_AE				= 43,
++	IRDMA_OP_QUERY_RDMA_FEATURES		= 44,
++	IRDMA_OP_ALLOC_LOCAL_MAC_ENTRY		= 45,
++	IRDMA_OP_ADD_LOCAL_MAC_ENTRY		= 46,
++	IRDMA_OP_DELETE_LOCAL_MAC_ENTRY		= 47,
++	IRDMA_OP_CQ_MODIFY			= 48,
+ 
+ 	/* Must be last entry*/
+-	IRDMA_MAX_CQP_OPS			= 51,
++	IRDMA_MAX_CQP_OPS			= 49,
+ };
+ 
+ /* CQP SQ WQES */
+diff --git a/drivers/infiniband/hw/irdma/type.h b/drivers/infiniband/hw/irdma/type.h
+index 517d41a1c2894..d6cb94dc744c5 100644
+--- a/drivers/infiniband/hw/irdma/type.h
++++ b/drivers/infiniband/hw/irdma/type.h
+@@ -410,6 +410,8 @@ struct irdma_sc_cqp {
+ 	struct irdma_dcqcn_cc_params dcqcn_params;
+ 	__le64 *host_ctx;
+ 	u64 *scratch_array;
++	u64 requested_ops;
++	atomic64_t completed_ops;
+ 	u32 cqp_id;
+ 	u32 sq_size;
+ 	u32 hw_sq_size;
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 7887230c867b1..90ca4a1b60c21 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -567,7 +567,7 @@ static int irdma_wait_event(struct irdma_pci_f *rf,
+ 	bool cqp_error = false;
+ 	int err_code = 0;
+ 
+-	cqp_timeout.compl_cqp_cmds = rf->sc_dev.cqp_cmd_stats[IRDMA_OP_CMPL_CMDS];
++	cqp_timeout.compl_cqp_cmds = atomic64_read(&rf->sc_dev.cqp->completed_ops);
+ 	do {
+ 		irdma_cqp_ce_handler(rf, &rf->ccq.sc_cq);
+ 		if (wait_event_timeout(cqp_request->waitq,
+-- 
+2.40.1
+
diff --git a/queue-6.1/rdma-irdma-fix-data-race-on-cqp-request-done.patch b/queue-6.1/rdma-irdma-fix-data-race-on-cqp-request-done.patch
new file mode 100644
index 00000000000..98e4f5b17a4
--- /dev/null
+++ b/queue-6.1/rdma-irdma-fix-data-race-on-cqp-request-done.patch
@@ -0,0 +1,127 @@
+From e9397bf7e8eb75047f210179194e55687b75c511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jul 2023 12:52:53 -0500
+Subject: RDMA/irdma: Fix data race on CQP request done
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+[ Upstream commit f0842bb3d38863777e3454da5653d80b5fde6321 ]
+
+KCSAN detects a data race on cqp_request->request_done memory location
+which is accessed locklessly in irdma_handle_cqp_op while being
+updated in irdma_cqp_ce_handler.
+
+Annotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any
+compiler optimizations like load fusing and/or KCSAN warning.
+
+[222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma]
+
+[222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5:
+[222808.417610]  irdma_cqp_ce_handler+0x21e/0x270 [irdma]
+[222808.417725]  cqp_compl_worker+0x1b/0x20 [irdma]
+[222808.417827]  process_one_work+0x4d1/0xa40
+[222808.417835]  worker_thread+0x319/0x700
+[222808.417842]  kthread+0x180/0x1b0
+[222808.417852]  ret_from_fork+0x22/0x30
+
+[222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1:
+[222808.417995]  irdma_wait_event+0x1e2/0x2c0 [irdma]
+[222808.418099]  irdma_handle_cqp_op+0xae/0x170 [irdma]
+[222808.418202]  irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma]
+[222808.418308]  irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma]
+[222808.418411]  irdma_rt_deinit_hw+0x179/0x1d0 [irdma]
+[222808.418514]  irdma_ib_dealloc_device+0x11/0x40 [irdma]
+[222808.418618]  ib_dealloc_device+0x2a/0x120 [ib_core]
+[222808.418823]  __ib_unregister_device+0xde/0x100 [ib_core]
+[222808.418981]  ib_unregister_device+0x22/0x40 [ib_core]
+[222808.419142]  irdma_ib_unregister_device+0x70/0x90 [irdma]
+[222808.419248]  i40iw_close+0x6f/0xc0 [irdma]
+[222808.419352]  i40e_client_device_unregister+0x14a/0x180 [i40e]
+[222808.419450]  i40iw_remove+0x21/0x30 [irdma]
+[222808.419554]  auxiliary_bus_remove+0x31/0x50
+[222808.419563]  device_remove+0x69/0xb0
+[222808.419572]  device_release_driver_internal+0x293/0x360
+[222808.419582]  driver_detach+0x7c/0xf0
+[222808.419592]  bus_remove_driver+0x8c/0x150
+[222808.419600]  driver_unregister+0x45/0x70
+[222808.419610]  auxiliary_driver_unregister+0x16/0x30
+[222808.419618]  irdma_exit_module+0x18/0x1e [irdma]
+[222808.419733]  __do_sys_delete_module.constprop.0+0x1e2/0x310
+[222808.419745]  __x64_sys_delete_module+0x1b/0x30
+[222808.419755]  do_syscall_64+0x39/0x90
+[222808.419763]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+[222808.419829] value changed: 0x01 -> 0x03
+
+Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230711175253.1289-4-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/hw.c    | 2 +-
+ drivers/infiniband/hw/irdma/main.h  | 2 +-
+ drivers/infiniband/hw/irdma/utils.c | 6 +++---
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
+index 43dfa4761f069..05a403f3ffd40 100644
+--- a/drivers/infiniband/hw/irdma/hw.c
++++ b/drivers/infiniband/hw/irdma/hw.c
+@@ -2068,7 +2068,7 @@ void irdma_cqp_ce_handler(struct irdma_pci_f *rf, struct irdma_sc_cq *cq)
+ 			cqp_request->compl_info.error = info.error;
+ 
+ 			if (cqp_request->waiting) {
+-				cqp_request->request_done = true;
++				WRITE_ONCE(cqp_request->request_done, true);
+ 				wake_up(&cqp_request->waitq);
+ 				irdma_put_cqp_request(&rf->cqp, cqp_request);
+ 			} else {
+diff --git a/drivers/infiniband/hw/irdma/main.h b/drivers/infiniband/hw/irdma/main.h
+index 65e966ad34530..e64205839d039 100644
+--- a/drivers/infiniband/hw/irdma/main.h
++++ b/drivers/infiniband/hw/irdma/main.h
+@@ -159,8 +159,8 @@ struct irdma_cqp_request {
+ 	void (*callback_fcn)(struct irdma_cqp_request *cqp_request);
+ 	void *param;
+ 	struct irdma_cqp_compl_info compl_info;
++	bool request_done; /* READ/WRITE_ONCE macros operate on it */
+ 	bool waiting:1;
+-	bool request_done:1;
+ 	bool dynamic:1;
+ };
+ 
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 90ca4a1b60c21..8c7617776e58b 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -481,7 +481,7 @@ void irdma_free_cqp_request(struct irdma_cqp *cqp,
+ 	if (cqp_request->dynamic) {
+ 		kfree(cqp_request);
+ 	} else {
+-		cqp_request->request_done = false;
++		WRITE_ONCE(cqp_request->request_done, false);
+ 		cqp_request->callback_fcn = NULL;
+ 		cqp_request->waiting = false;
+ 
+@@ -515,7 +515,7 @@ irdma_free_pending_cqp_request(struct irdma_cqp *cqp,
+ {
+ 	if (cqp_request->waiting) {
+ 		cqp_request->compl_info.error = true;
+-		cqp_request->request_done = true;
++		WRITE_ONCE(cqp_request->request_done, true);
+ 		wake_up(&cqp_request->waitq);
+ 	}
+ 	wait_event_timeout(cqp->remove_wq,
+@@ -571,7 +571,7 @@ static int irdma_wait_event(struct irdma_pci_f *rf,
+ 	do {
+ 		irdma_cqp_ce_handler(rf, &rf->ccq.sc_cq);
+ 		if (wait_event_timeout(cqp_request->waitq,
+-				       cqp_request->request_done,
++				       READ_ONCE(cqp_request->request_done),
+ 				       msecs_to_jiffies(CQP_COMPL_WAIT_TIME_MS)))
+ 			break;
+ 
+-- 
+2.40.1
+
diff --git a/queue-6.1/rdma-irdma-fix-op_type-reporting-in-cqes.patch b/queue-6.1/rdma-irdma-fix-op_type-reporting-in-cqes.patch
new file mode 100644
index 00000000000..b51a0535180
--- /dev/null
+++ b/queue-6.1/rdma-irdma-fix-op_type-reporting-in-cqes.patch
@@ -0,0 +1,43 @@
+From 795467f2419778b603ebabde8ed52e5565df2586 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:54:37 -0500
+Subject: RDMA/irdma: Fix op_type reporting in CQEs
+
+From: Sindhu Devale <sindhu.devale@intel.com>
+
+[ Upstream commit 3bfb25fa2b5bb9c29681e6ac861808f4be1331a9 ]
+
+The op_type field CQ poll info structure is incorrectly
+filled in with the queue type as opposed to the op_type
+received in the CQEs. The wrong opcode could be decoded
+and returned to the ULP.
+
+Copy the op_type field received in the CQE in the CQ poll
+info structure.
+
+Fixes: 24419777e943 ("RDMA/irdma: Fix RQ completion opcode")
+Signed-off-by: Sindhu Devale <sindhu.devale@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230725155439.1057-1-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/uk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/uk.c b/drivers/infiniband/hw/irdma/uk.c
+index ea2c07751245a..280d633d4ec4f 100644
+--- a/drivers/infiniband/hw/irdma/uk.c
++++ b/drivers/infiniband/hw/irdma/uk.c
+@@ -1161,7 +1161,7 @@ int irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq,
+ 	}
+ 	wqe_idx = (u32)FIELD_GET(IRDMA_CQ_WQEIDX, qword3);
+ 	info->qp_handle = (irdma_qp_handle)(unsigned long)qp;
+-	info->op_type = (u8)FIELD_GET(IRDMA_CQ_SQ, qword3);
++	info->op_type = (u8)FIELD_GET(IRDMACQ_OP, qword3);
+ 
+ 	if (info->q_type == IRDMA_CQE_QTYPE_RQ) {
+ 		u32 array_idx;
+-- 
+2.40.1
+
diff --git a/queue-6.1/rdma-irdma-report-correct-wc-error.patch b/queue-6.1/rdma-irdma-report-correct-wc-error.patch
new file mode 100644
index 00000000000..af9bdae016e
--- /dev/null
+++ b/queue-6.1/rdma-irdma-report-correct-wc-error.patch
@@ -0,0 +1,37 @@
+From c360ad210e7ca6372730be92414c49353687c391 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:54:38 -0500
+Subject: RDMA/irdma: Report correct WC error
+
+From: Sindhu Devale <sindhu.devale@intel.com>
+
+[ Upstream commit ae463563b7a1b7d4a3d0b065b09d37a76b693937 ]
+
+Report the correct WC error if a MW bind is performed
+on an already valid/bound window.
+
+Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions")
+Signed-off-by: Sindhu Devale <sindhu.devale@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230725155439.1057-2-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/hw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
+index 05a403f3ffd40..c07ce85d243f1 100644
+--- a/drivers/infiniband/hw/irdma/hw.c
++++ b/drivers/infiniband/hw/irdma/hw.c
+@@ -191,6 +191,7 @@ static void irdma_set_flush_fields(struct irdma_sc_qp *qp,
+ 	case IRDMA_AE_AMP_MWBIND_INVALID_RIGHTS:
+ 	case IRDMA_AE_AMP_MWBIND_BIND_DISABLED:
+ 	case IRDMA_AE_AMP_MWBIND_INVALID_BOUNDS:
++	case IRDMA_AE_AMP_MWBIND_VALID_STAG:
+ 		qp->flush_code = FLUSH_MW_BIND_ERR;
+ 		qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR;
+ 		break;
+-- 
+2.40.1
+
diff --git a/queue-6.1/rdma-mlx4-make-check-for-invalid-flags-stricter.patch b/queue-6.1/rdma-mlx4-make-check-for-invalid-flags-stricter.patch
new file mode 100644
index 00000000000..647bf7afad2
--- /dev/null
+++ b/queue-6.1/rdma-mlx4-make-check-for-invalid-flags-stricter.patch
@@ -0,0 +1,55 @@
+From 2d8e192769d5ddb084ccd7095ccf1a8d76ec052c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jun 2023 09:07:37 +0300
+Subject: RDMA/mlx4: Make check for invalid flags stricter
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit d64b1ee12a168030fbb3e0aebf7bce49e9a07589 ]
+
+This code is trying to ensure that only the flags specified in the list
+are allowed.  The problem is that ucmd->rx_hash_fields_mask is a u64 and
+the flags are an enum which is treated as a u32 in this context.  That
+means the test doesn't check whether the highest 32 bits are zero.
+
+Fixes: 4d02ebd9bbbd ("IB/mlx4: Fix RSS hash fields restrictions")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/233ed975-982d-422a-b498-410f71d8a101@moroto.mountain
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index 488c906c0432c..ac479e81ddee8 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -530,15 +530,15 @@ static int set_qp_rss(struct mlx4_ib_dev *dev, struct mlx4_ib_rss *rss_ctx,
+ 		return (-EOPNOTSUPP);
+ 	}
+ 
+-	if (ucmd->rx_hash_fields_mask & ~(MLX4_IB_RX_HASH_SRC_IPV4	|
+-					  MLX4_IB_RX_HASH_DST_IPV4	|
+-					  MLX4_IB_RX_HASH_SRC_IPV6	|
+-					  MLX4_IB_RX_HASH_DST_IPV6	|
+-					  MLX4_IB_RX_HASH_SRC_PORT_TCP	|
+-					  MLX4_IB_RX_HASH_DST_PORT_TCP	|
+-					  MLX4_IB_RX_HASH_SRC_PORT_UDP	|
+-					  MLX4_IB_RX_HASH_DST_PORT_UDP  |
+-					  MLX4_IB_RX_HASH_INNER)) {
++	if (ucmd->rx_hash_fields_mask & ~(u64)(MLX4_IB_RX_HASH_SRC_IPV4	|
++					       MLX4_IB_RX_HASH_DST_IPV4	|
++					       MLX4_IB_RX_HASH_SRC_IPV6	|
++					       MLX4_IB_RX_HASH_DST_IPV6	|
++					       MLX4_IB_RX_HASH_SRC_PORT_TCP |
++					       MLX4_IB_RX_HASH_DST_PORT_TCP |
++					       MLX4_IB_RX_HASH_SRC_PORT_UDP |
++					       MLX4_IB_RX_HASH_DST_PORT_UDP |
++					       MLX4_IB_RX_HASH_INNER)) {
+ 		pr_debug("RX Hash fields_mask has unsupported mask (0x%llx)\n",
+ 			 ucmd->rx_hash_fields_mask);
+ 		return (-EOPNOTSUPP);
+-- 
+2.40.1
+
diff --git a/queue-6.1/rdma-mthca-fix-crash-when-polling-cq-for-shared-qps.patch b/queue-6.1/rdma-mthca-fix-crash-when-polling-cq-for-shared-qps.patch
new file mode 100644
index 00000000000..fed21f5d90e
--- /dev/null
+++ b/queue-6.1/rdma-mthca-fix-crash-when-polling-cq-for-shared-qps.patch
@@ -0,0 +1,40 @@
+From 4792e943982dfa2306f05a122a1ac30f9fcb3628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jul 2023 16:16:58 +0200
+Subject: RDMA/mthca: Fix crash when polling CQ for shared QPs
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit dc52aadbc1849cbe3fcf6bc54d35f6baa396e0a1 ]
+
+Commit 21c2fe94abb2 ("RDMA/mthca: Combine special QP struct with mthca QP")
+introduced a new struct mthca_sqp which doesn't contain struct mthca_qp
+any longer. Placing a pointer of this new struct into qptable leads
+to crashes, because mthca_poll_one() expects a qp pointer. Fix this
+by putting the correct pointer into qptable.
+
+Fixes: 21c2fe94abb2 ("RDMA/mthca: Combine special QP struct with mthca QP")
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Link: https://lore.kernel.org/r/20230713141658.9426-1-tbogendoerfer@suse.de
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mthca/mthca_qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mthca/mthca_qp.c b/drivers/infiniband/hw/mthca/mthca_qp.c
+index 69bba0ef4a5df..53f43649f7d08 100644
+--- a/drivers/infiniband/hw/mthca/mthca_qp.c
++++ b/drivers/infiniband/hw/mthca/mthca_qp.c
+@@ -1393,7 +1393,7 @@ int mthca_alloc_sqp(struct mthca_dev *dev,
+ 	if (mthca_array_get(&dev->qp_table.qp, mqpn))
+ 		err = -EBUSY;
+ 	else
+-		mthca_array_set(&dev->qp_table.qp, mqpn, qp->sqp);
++		mthca_array_set(&dev->qp_table.qp, mqpn, qp);
+ 	spin_unlock_irq(&dev->qp_table.lock);
+ 
+ 	if (err)
+-- 
+2.40.1
+
diff --git a/queue-6.1/ring-buffer-fix-wrong-stat-of-cpu_buffer-read.patch b/queue-6.1/ring-buffer-fix-wrong-stat-of-cpu_buffer-read.patch
new file mode 100644
index 00000000000..eb2924c89b3
--- /dev/null
+++ b/queue-6.1/ring-buffer-fix-wrong-stat-of-cpu_buffer-read.patch
@@ -0,0 +1,130 @@
+From 91b00aa4efe372cc49bfcb4239cb38f24bd93306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jul 2023 13:40:40 +0800
+Subject: ring-buffer: Fix wrong stat of cpu_buffer->read
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit 2d093282b0d4357373497f65db6a05eb0c28b7c8 ]
+
+When pages are removed in rb_remove_pages(), 'cpu_buffer->read' is set
+to 0 in order to make sure any read iterators reset themselves. However,
+this will mess 'entries' stating, see following steps:
+
+  # cd /sys/kernel/tracing/
+  # 1. Enlarge ring buffer prepare for later reducing:
+  # echo 20 > per_cpu/cpu0/buffer_size_kb
+  # 2. Write a log into ring buffer of cpu0:
+  # taskset -c 0 echo "hello1" > trace_marker
+  # 3. Read the log:
+  # cat per_cpu/cpu0/trace_pipe
+       <...>-332     [000] .....    62.406844: tracing_mark_write: hello1
+  # 4. Stop reading and see the stats, now 0 entries, and 1 event readed:
+  # cat per_cpu/cpu0/stats
+   entries: 0
+   [...]
+   read events: 1
+  # 5. Reduce the ring buffer
+  # echo 7 > per_cpu/cpu0/buffer_size_kb
+  # 6. Now entries became unexpected 1 because actually no entries!!!
+  # cat per_cpu/cpu0/stats
+   entries: 1
+   [...]
+   read events: 0
+
+To fix it, introduce 'page_removed' field to count total removed pages
+since last reset, then use it to let read iterators reset themselves
+instead of changing the 'read' pointer.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230724054040.3489499-1-zhengyejian1@huawei.com
+
+Cc: <mhiramat@kernel.org>
+Cc: <vnagarnaik@google.com>
+Fixes: 83f40318dab0 ("ring-buffer: Make removal of ring buffer pages atomic")
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ring_buffer.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index c264421c4ecd8..c49ed619a64dd 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -529,6 +529,8 @@ struct ring_buffer_per_cpu {
+ 	rb_time_t			before_stamp;
+ 	u64				event_stamp[MAX_NEST];
+ 	u64				read_stamp;
++	/* pages removed since last reset */
++	unsigned long			pages_removed;
+ 	/* ring buffer pages to update, > 0 to add, < 0 to remove */
+ 	long				nr_pages_to_update;
+ 	struct list_head		new_pages; /* new pages to add */
+@@ -564,6 +566,7 @@ struct ring_buffer_iter {
+ 	struct buffer_page		*head_page;
+ 	struct buffer_page		*cache_reader_page;
+ 	unsigned long			cache_read;
++	unsigned long			cache_pages_removed;
+ 	u64				read_stamp;
+ 	u64				page_stamp;
+ 	struct ring_buffer_event	*event;
+@@ -1967,6 +1970,8 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
+ 		to_remove = rb_list_head(to_remove)->next;
+ 		head_bit |= (unsigned long)to_remove & RB_PAGE_HEAD;
+ 	}
++	/* Read iterators need to reset themselves when some pages removed */
++	cpu_buffer->pages_removed += nr_removed;
+ 
+ 	next_page = rb_list_head(to_remove)->next;
+ 
+@@ -1988,12 +1993,6 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
+ 		cpu_buffer->head_page = list_entry(next_page,
+ 						struct buffer_page, list);
+ 
+-	/*
+-	 * change read pointer to make sure any read iterators reset
+-	 * themselves
+-	 */
+-	cpu_buffer->read = 0;
+-
+ 	/* pages are removed, resume tracing and then free the pages */
+ 	atomic_dec(&cpu_buffer->record_disabled);
+ 	raw_spin_unlock_irq(&cpu_buffer->reader_lock);
+@@ -4385,6 +4384,7 @@ static void rb_iter_reset(struct ring_buffer_iter *iter)
+ 
+ 	iter->cache_reader_page = iter->head_page;
+ 	iter->cache_read = cpu_buffer->read;
++	iter->cache_pages_removed = cpu_buffer->pages_removed;
+ 
+ 	if (iter->head) {
+ 		iter->read_stamp = cpu_buffer->read_stamp;
+@@ -4841,12 +4841,13 @@ rb_iter_peek(struct ring_buffer_iter *iter, u64 *ts)
+ 	buffer = cpu_buffer->buffer;
+ 
+ 	/*
+-	 * Check if someone performed a consuming read to
+-	 * the buffer. A consuming read invalidates the iterator
+-	 * and we need to reset the iterator in this case.
++	 * Check if someone performed a consuming read to the buffer
++	 * or removed some pages from the buffer. In these cases,
++	 * iterator was invalidated and we need to reset it.
+ 	 */
+ 	if (unlikely(iter->cache_read != cpu_buffer->read ||
+-		     iter->cache_reader_page != cpu_buffer->reader_page))
++		     iter->cache_reader_page != cpu_buffer->reader_page ||
++		     iter->cache_pages_removed != cpu_buffer->pages_removed))
+ 		rb_iter_reset(iter);
+ 
+  again:
+@@ -5291,6 +5292,7 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+ 	cpu_buffer->last_overrun = 0;
+ 
+ 	rb_head_page_activate(cpu_buffer);
++	cpu_buffer->pages_removed = 0;
+ }
+ 
+ /* Must have disabled the cpu buffer then done a synchronize_rcu */
+-- 
+2.40.1
+
diff --git a/queue-6.1/series b/queue-6.1/series
index aa962f7ccef..b7180f87200 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -112,3 +112,34 @@ net-sched-mqprio-add-length-check-for-tca_mqprio_-ma.patch
 benet-fix-return-value-check-in-be_lancer_xmit_worka.patch
 tipc-check-return-value-of-pskb_trim.patch
 tipc-stop-tipc-crypto-on-failure-in-tipc_node_create.patch
+rdma-mlx4-make-check-for-invalid-flags-stricter.patch
+drm-msm-dpu-drop-enum-dpu_core_perf_data_bus_id.patch
+drm-msm-adreno-fix-snapshot-bindless_data-size.patch
+rdma-irdma-add-missing-read-barriers.patch
+rdma-irdma-fix-data-race-on-cqp-completion-stats.patch
+rdma-irdma-fix-data-race-on-cqp-request-done.patch
+rdma-mthca-fix-crash-when-polling-cq-for-shared-qps.patch
+rdma-bnxt_re-prevent-handling-any-completions-after-.patch
+drm-msm-fix-is_err_or_null-vs-null-check-in-a5xx_sub.patch
+cxl-acpi-fix-a-use-after-free-in-cxl_parse_cfmws.patch
+cxl-acpi-return-rc-instead-of-0-in-cxl_parse_cfmws.patch
+asoc-fsl_spdif-silence-output-on-stop.patch
+block-fix-a-source-code-comment-in-include-uapi-linu.patch
+smb3-do-not-set-ntlmssp_version-flag-for-negotiate-n.patch
+drm-i915-fix-an-error-handling-path-in-igt_write_hug.patch
+xenbus-check-xen_domain-in-xenbus_probe_initcall.patch
+dm-raid-fix-missing-reconfig_mutex-unlock-in-raid_ct.patch
+dm-raid-clean-up-four-equivalent-goto-tags-in-raid_c.patch
+dm-raid-protect-md_stop-with-reconfig_mutex.patch
+drm-amd-fix-an-error-handling-mistake-in-psp_sw_init.patch
+drm-amd-display-unlock-on-error-path-in-dm_handle_ms.patch
+rdma-irdma-fix-op_type-reporting-in-cqes.patch
+rdma-irdma-report-correct-wc-error.patch
+drm-msm-switch-idr_lock-to-spinlock.patch
+drm-msm-disallow-submit-with-fence-id-0.patch
+ublk_drv-move-ublk_get_device_from_id-into-ublk_ctrl.patch
+ublk-fail-to-start-device-if-queue-setup-is-interrup.patch
+ublk-fail-to-recover-device-if-queue-setup-is-interr.patch
+ata-pata_ns87415-mark-ns87560_tf_read-static.patch
+ring-buffer-fix-wrong-stat-of-cpu_buffer-read.patch
+tracing-fix-warning-in-trace_buffered_event_disable.patch
diff --git a/queue-6.1/smb3-do-not-set-ntlmssp_version-flag-for-negotiate-n.patch b/queue-6.1/smb3-do-not-set-ntlmssp_version-flag-for-negotiate-n.patch
new file mode 100644
index 00000000000..4bd917819a1
--- /dev/null
+++ b/queue-6.1/smb3-do-not-set-ntlmssp_version-flag-for-negotiate-n.patch
@@ -0,0 +1,49 @@
+From fffe872feb59b994d32a77e5edb9217920a4f623 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 01:05:23 -0500
+Subject: smb3: do not set NTLMSSP_VERSION flag for negotiate not auth request
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit 19826558210b9102a7d4681c91784d137d60d71b ]
+
+The NTLMSSP_NEGOTIATE_VERSION flag only needs to be sent during
+the NTLMSSP NEGOTIATE (not the AUTH) request, so filter it out for
+NTLMSSP AUTH requests. See MS-NLMP 2.2.1.3
+
+This fixes a problem found by the gssntlmssp server.
+
+Link: https://github.com/gssapi/gss-ntlmssp/issues/95
+Fixes: 52d005337b2c ("smb3: send NTLMSSP version information")
+Acked-by: Roy Shterman <roy.shterman@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/sess.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
+index 81be17845072a..1e3e22979604f 100644
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -1014,6 +1014,7 @@ int build_ntlmssp_smb3_negotiate_blob(unsigned char **pbuffer,
+ }
+ 
+ 
++/* See MS-NLMP 2.2.1.3 */
+ int build_ntlmssp_auth_blob(unsigned char **pbuffer,
+ 					u16 *buflen,
+ 				   struct cifs_ses *ses,
+@@ -1048,7 +1049,8 @@ int build_ntlmssp_auth_blob(unsigned char **pbuffer,
+ 
+ 	flags = ses->ntlmssp->server_flags | NTLMSSP_REQUEST_TARGET |
+ 		NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED;
+-
++	/* we only send version information in ntlmssp negotiate, so do not set this flag */
++	flags = flags & ~NTLMSSP_NEGOTIATE_VERSION;
+ 	tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
+ 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
+ 
+-- 
+2.40.1
+
diff --git a/queue-6.1/tracing-fix-warning-in-trace_buffered_event_disable.patch b/queue-6.1/tracing-fix-warning-in-trace_buffered_event_disable.patch
new file mode 100644
index 00000000000..994d713bf38
--- /dev/null
+++ b/queue-6.1/tracing-fix-warning-in-trace_buffered_event_disable.patch
@@ -0,0 +1,119 @@
+From c5ab402ea8427c5bc1e14562a24b8e2fa2752ea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jul 2023 17:58:04 +0800
+Subject: tracing: Fix warning in trace_buffered_event_disable()
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit dea499781a1150d285c62b26659f62fb00824fce ]
+
+Warning happened in trace_buffered_event_disable() at
+  WARN_ON_ONCE(!trace_buffered_event_ref)
+
+  Call Trace:
+   ? __warn+0xa5/0x1b0
+   ? trace_buffered_event_disable+0x189/0x1b0
+   __ftrace_event_enable_disable+0x19e/0x3e0
+   free_probe_data+0x3b/0xa0
+   unregister_ftrace_function_probe_func+0x6b8/0x800
+   event_enable_func+0x2f0/0x3d0
+   ftrace_process_regex.isra.0+0x12d/0x1b0
+   ftrace_filter_write+0xe6/0x140
+   vfs_write+0x1c9/0x6f0
+   [...]
+
+The cause of the warning is in __ftrace_event_enable_disable(),
+trace_buffered_event_enable() was called once while
+trace_buffered_event_disable() was called twice.
+Reproduction script show as below, for analysis, see the comments:
+ ```
+ #!/bin/bash
+
+ cd /sys/kernel/tracing/
+
+ # 1. Register a 'disable_event' command, then:
+ #    1) SOFT_DISABLED_BIT was set;
+ #    2) trace_buffered_event_enable() was called first time;
+ echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \
+     set_ftrace_filter
+
+ # 2. Enable the event registered, then:
+ #    1) SOFT_DISABLED_BIT was cleared;
+ #    2) trace_buffered_event_disable() was called first time;
+ echo 1 > events/initcall/initcall_finish/enable
+
+ # 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was
+ #    set again!!!
+ cat /proc/cmdline
+
+ # 4. Unregister the 'disable_event' command, then:
+ #    1) SOFT_DISABLED_BIT was cleared again;
+ #    2) trace_buffered_event_disable() was called second time!!!
+ echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \
+     set_ftrace_filter
+ ```
+
+To fix it, IIUC, we can change to call trace_buffered_event_enable() at
+fist time soft-mode enabled, and call trace_buffered_event_disable() at
+last time soft-mode disabled.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230726095804.920457-1-zhengyejian1@huawei.com
+
+Cc: <mhiramat@kernel.org>
+Fixes: 0fc1b09ff1ff ("tracing: Use temp buffer when filtering events")
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
+index e679239864965..0447c46ef4d71 100644
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -609,7 +609,6 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
+ {
+ 	struct trace_event_call *call = file->event_call;
+ 	struct trace_array *tr = file->tr;
+-	unsigned long file_flags = file->flags;
+ 	int ret = 0;
+ 	int disable;
+ 
+@@ -633,6 +632,8 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
+ 				break;
+ 			disable = file->flags & EVENT_FILE_FL_SOFT_DISABLED;
+ 			clear_bit(EVENT_FILE_FL_SOFT_MODE_BIT, &file->flags);
++			/* Disable use of trace_buffered_event */
++			trace_buffered_event_disable();
+ 		} else
+ 			disable = !(file->flags & EVENT_FILE_FL_SOFT_MODE);
+ 
+@@ -671,6 +672,8 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
+ 			if (atomic_inc_return(&file->sm_ref) > 1)
+ 				break;
+ 			set_bit(EVENT_FILE_FL_SOFT_MODE_BIT, &file->flags);
++			/* Enable use of trace_buffered_event */
++			trace_buffered_event_enable();
+ 		}
+ 
+ 		if (!(file->flags & EVENT_FILE_FL_ENABLED)) {
+@@ -710,15 +713,6 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
+ 		break;
+ 	}
+ 
+-	/* Enable or disable use of trace_buffered_event */
+-	if ((file_flags & EVENT_FILE_FL_SOFT_DISABLED) !=
+-	    (file->flags & EVENT_FILE_FL_SOFT_DISABLED)) {
+-		if (file->flags & EVENT_FILE_FL_SOFT_DISABLED)
+-			trace_buffered_event_enable();
+-		else
+-			trace_buffered_event_disable();
+-	}
+-
+ 	return ret;
+ }
+ 
+-- 
+2.40.1
+
diff --git a/queue-6.1/ublk-fail-to-recover-device-if-queue-setup-is-interr.patch b/queue-6.1/ublk-fail-to-recover-device-if-queue-setup-is-interr.patch
new file mode 100644
index 00000000000..6e31d1c719e
--- /dev/null
+++ b/queue-6.1/ublk-fail-to-recover-device-if-queue-setup-is-interr.patch
@@ -0,0 +1,43 @@
+From 553fe4bc245d5160dacb7745fccb66c5e4f74abb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jul 2023 22:45:01 +0800
+Subject: ublk: fail to recover device if queue setup is interrupted
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 0c0cbd4ebc375ceebc75c89df04b74f215fab23a ]
+
+In ublk_ctrl_end_recovery(), if wait_for_completion_interruptible() is
+interrupted by signal, queues aren't setup successfully yet, so we
+have to fail UBLK_CMD_END_USER_RECOVERY, otherwise kernel oops can be
+triggered.
+
+Fixes: c732a852b419 ("ublk_drv: add START_USER_RECOVERY and END_USER_RECOVERY support")
+Reported-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lore.kernel.org/r/20230726144502.566785-3-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 495e1bf9003b6..4459cfbdbcb18 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1954,7 +1954,9 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub,
+ 	pr_devel("%s: Waiting for new ubq_daemons(nr: %d) are ready, dev id %d...\n",
+ 			__func__, ub->dev_info.nr_hw_queues, header->dev_id);
+ 	/* wait until new ubq_daemon sending all FETCH_REQ */
+-	wait_for_completion_interruptible(&ub->completion);
++	if (wait_for_completion_interruptible(&ub->completion))
++		return -EINTR;
++
+ 	pr_devel("%s: All new ubq_daemons(nr: %d) are ready, dev id %d\n",
+ 			__func__, ub->dev_info.nr_hw_queues, header->dev_id);
+ 
+-- 
+2.40.1
+
diff --git a/queue-6.1/ublk-fail-to-start-device-if-queue-setup-is-interrup.patch b/queue-6.1/ublk-fail-to-start-device-if-queue-setup-is-interrup.patch
new file mode 100644
index 00000000000..70d902d9665
--- /dev/null
+++ b/queue-6.1/ublk-fail-to-start-device-if-queue-setup-is-interrup.patch
@@ -0,0 +1,43 @@
+From 837f425bb1317520e2df1116acbd109a65429c2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jul 2023 22:45:00 +0800
+Subject: ublk: fail to start device if queue setup is interrupted
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 53e7d08f6d6e214c40db1f51291bb2975c789dc2 ]
+
+In ublk_ctrl_start_dev(), if wait_for_completion_interruptible() is
+interrupted by signal, queues aren't setup successfully yet, so we
+have to fail UBLK_CMD_START_DEV, otherwise kernel oops can be triggered.
+
+Reported by German when working on qemu-storage-deamon which requires
+single thread ublk daemon.
+
+Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Reported-by: German Maglione <gmaglione@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20230726144502.566785-2-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 3ae22e7eb0b09..495e1bf9003b6 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1539,7 +1539,8 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub, struct io_uring_cmd *cmd)
+ 	if (ublksrv_pid <= 0)
+ 		return -EINVAL;
+ 
+-	wait_for_completion_interruptible(&ub->completion);
++	if (wait_for_completion_interruptible(&ub->completion) != 0)
++		return -EINTR;
+ 
+ 	schedule_delayed_work(&ub->monitor_work, UBLK_DAEMON_MONITOR_PERIOD);
+ 
+-- 
+2.40.1
+
diff --git a/queue-6.1/ublk_drv-move-ublk_get_device_from_id-into-ublk_ctrl.patch b/queue-6.1/ublk_drv-move-ublk_get_device_from_id-into-ublk_ctrl.patch
new file mode 100644
index 00000000000..9be99276c1c
--- /dev/null
+++ b/queue-6.1/ublk_drv-move-ublk_get_device_from_id-into-ublk_ctrl.patch
@@ -0,0 +1,378 @@
+From dcdeda966330250a31f6a0dc782997dab7792bb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jan 2023 12:17:08 +0800
+Subject: ublk_drv: move ublk_get_device_from_id into ublk_ctrl_uring_cmd
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit bfbcef036396a73fbf4b3fee385cc670159df5ad ]
+
+It is annoying for each control command handler to get/put ublk
+device and deal with failure.
+
+Control command handler is simplified a lot by moving
+ublk_get_device_from_id into ublk_ctrl_uring_cmd().
+
+Reviewed-by: ZiyangZhang <ZiyangZhang@linux.alibaba.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20230106041711.914434-4-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 53e7d08f6d6e ("ublk: fail to start device if queue setup is interrupted")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 138 ++++++++++++++-------------------------
+ 1 file changed, 49 insertions(+), 89 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index c56d1c6d8e58d..3ae22e7eb0b09 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1529,21 +1529,16 @@ static struct ublk_device *ublk_get_device_from_id(int idx)
+ 	return ub;
+ }
+ 
+-static int ublk_ctrl_start_dev(struct io_uring_cmd *cmd)
++static int ublk_ctrl_start_dev(struct ublk_device *ub, struct io_uring_cmd *cmd)
+ {
+ 	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
+ 	int ublksrv_pid = (int)header->data[0];
+-	struct ublk_device *ub;
+ 	struct gendisk *disk;
+ 	int ret = -EINVAL;
+ 
+ 	if (ublksrv_pid <= 0)
+ 		return -EINVAL;
+ 
+-	ub = ublk_get_device_from_id(header->dev_id);
+-	if (!ub)
+-		return -EINVAL;
+-
+ 	wait_for_completion_interruptible(&ub->completion);
+ 
+ 	schedule_delayed_work(&ub->monitor_work, UBLK_DAEMON_MONITOR_PERIOD);
+@@ -1593,21 +1588,20 @@ static int ublk_ctrl_start_dev(struct io_uring_cmd *cmd)
+ 		put_disk(disk);
+ out_unlock:
+ 	mutex_unlock(&ub->mutex);
+-	ublk_put_device(ub);
+ 	return ret;
+ }
+ 
+-static int ublk_ctrl_get_queue_affinity(struct io_uring_cmd *cmd)
++static int ublk_ctrl_get_queue_affinity(struct ublk_device *ub,
++		struct io_uring_cmd *cmd)
+ {
+ 	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
+ 	void __user *argp = (void __user *)(unsigned long)header->addr;
+-	struct ublk_device *ub;
+ 	cpumask_var_t cpumask;
+ 	unsigned long queue;
+ 	unsigned int retlen;
+ 	unsigned int i;
+-	int ret = -EINVAL;
+-	
++	int ret;
++
+ 	if (header->len * BITS_PER_BYTE < nr_cpu_ids)
+ 		return -EINVAL;
+ 	if (header->len & (sizeof(unsigned long)-1))
+@@ -1615,17 +1609,12 @@ static int ublk_ctrl_get_queue_affinity(struct io_uring_cmd *cmd)
+ 	if (!header->addr)
+ 		return -EINVAL;
+ 
+-	ub = ublk_get_device_from_id(header->dev_id);
+-	if (!ub)
+-		return -EINVAL;
+-
+ 	queue = header->data[0];
+ 	if (queue >= ub->dev_info.nr_hw_queues)
+-		goto out_put_device;
++		return -EINVAL;
+ 
+-	ret = -ENOMEM;
+ 	if (!zalloc_cpumask_var(&cpumask, GFP_KERNEL))
+-		goto out_put_device;
++		return -ENOMEM;
+ 
+ 	for_each_possible_cpu(i) {
+ 		if (ub->tag_set.map[HCTX_TYPE_DEFAULT].mq_map[i] == queue)
+@@ -1643,8 +1632,6 @@ static int ublk_ctrl_get_queue_affinity(struct io_uring_cmd *cmd)
+ 	ret = 0;
+ out_free_cpumask:
+ 	free_cpumask_var(cpumask);
+-out_put_device:
+-	ublk_put_device(ub);
+ 	return ret;
+ }
+ 
+@@ -1765,30 +1752,27 @@ static inline bool ublk_idr_freed(int id)
+ 	return ptr == NULL;
+ }
+ 
+-static int ublk_ctrl_del_dev(int idx)
++static int ublk_ctrl_del_dev(struct ublk_device **p_ub)
+ {
+-	struct ublk_device *ub;
++	struct ublk_device *ub = *p_ub;
++	int idx = ub->ub_number;
+ 	int ret;
+ 
+ 	ret = mutex_lock_killable(&ublk_ctl_mutex);
+ 	if (ret)
+ 		return ret;
+ 
+-	ub = ublk_get_device_from_id(idx);
+-	if (ub) {
+-		ublk_remove(ub);
+-		ublk_put_device(ub);
+-		ret = 0;
+-	} else {
+-		ret = -ENODEV;
+-	}
++	ublk_remove(ub);
++
++	/* Mark the reference as consumed */
++	*p_ub = NULL;
++	ublk_put_device(ub);
+ 
+ 	/*
+ 	 * Wait until the idr is removed, then it can be reused after
+ 	 * DEL_DEV command is returned.
+ 	 */
+-	if (!ret)
+-		wait_event(ublk_idr_wq, ublk_idr_freed(idx));
++	wait_event(ublk_idr_wq, ublk_idr_freed(idx));
+ 	mutex_unlock(&ublk_ctl_mutex);
+ 
+ 	return ret;
+@@ -1803,50 +1787,36 @@ static inline void ublk_ctrl_cmd_dump(struct io_uring_cmd *cmd)
+ 			header->data[0], header->addr, header->len);
+ }
+ 
+-static int ublk_ctrl_stop_dev(struct io_uring_cmd *cmd)
++static int ublk_ctrl_stop_dev(struct ublk_device *ub)
+ {
+-	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
+-	struct ublk_device *ub;
+-
+-	ub = ublk_get_device_from_id(header->dev_id);
+-	if (!ub)
+-		return -EINVAL;
+-
+ 	ublk_stop_dev(ub);
+ 	cancel_work_sync(&ub->stop_work);
+ 	cancel_work_sync(&ub->quiesce_work);
+ 
+-	ublk_put_device(ub);
+ 	return 0;
+ }
+ 
+-static int ublk_ctrl_get_dev_info(struct io_uring_cmd *cmd)
++static int ublk_ctrl_get_dev_info(struct ublk_device *ub,
++		struct io_uring_cmd *cmd)
+ {
+ 	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
+ 	void __user *argp = (void __user *)(unsigned long)header->addr;
+-	struct ublk_device *ub;
+-	int ret = 0;
+ 
+ 	if (header->len < sizeof(struct ublksrv_ctrl_dev_info) || !header->addr)
+ 		return -EINVAL;
+ 
+-	ub = ublk_get_device_from_id(header->dev_id);
+-	if (!ub)
+-		return -EINVAL;
+-
+ 	if (copy_to_user(argp, &ub->dev_info, sizeof(ub->dev_info)))
+-		ret = -EFAULT;
+-	ublk_put_device(ub);
++		return -EFAULT;
+ 
+-	return ret;
++	return 0;
+ }
+ 
+-static int ublk_ctrl_get_params(struct io_uring_cmd *cmd)
++static int ublk_ctrl_get_params(struct ublk_device *ub,
++		struct io_uring_cmd *cmd)
+ {
+ 	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
+ 	void __user *argp = (void __user *)(unsigned long)header->addr;
+ 	struct ublk_params_header ph;
+-	struct ublk_device *ub;
+ 	int ret;
+ 
+ 	if (header->len <= sizeof(ph) || !header->addr)
+@@ -1861,10 +1831,6 @@ static int ublk_ctrl_get_params(struct io_uring_cmd *cmd)
+ 	if (ph.len > sizeof(struct ublk_params))
+ 		ph.len = sizeof(struct ublk_params);
+ 
+-	ub = ublk_get_device_from_id(header->dev_id);
+-	if (!ub)
+-		return -EINVAL;
+-
+ 	mutex_lock(&ub->mutex);
+ 	if (copy_to_user(argp, &ub->params, ph.len))
+ 		ret = -EFAULT;
+@@ -1872,16 +1838,15 @@ static int ublk_ctrl_get_params(struct io_uring_cmd *cmd)
+ 		ret = 0;
+ 	mutex_unlock(&ub->mutex);
+ 
+-	ublk_put_device(ub);
+ 	return ret;
+ }
+ 
+-static int ublk_ctrl_set_params(struct io_uring_cmd *cmd)
++static int ublk_ctrl_set_params(struct ublk_device *ub,
++		struct io_uring_cmd *cmd)
+ {
+ 	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
+ 	void __user *argp = (void __user *)(unsigned long)header->addr;
+ 	struct ublk_params_header ph;
+-	struct ublk_device *ub;
+ 	int ret = -EFAULT;
+ 
+ 	if (header->len <= sizeof(ph) || !header->addr)
+@@ -1896,10 +1861,6 @@ static int ublk_ctrl_set_params(struct io_uring_cmd *cmd)
+ 	if (ph.len > sizeof(struct ublk_params))
+ 		ph.len = sizeof(struct ublk_params);
+ 
+-	ub = ublk_get_device_from_id(header->dev_id);
+-	if (!ub)
+-		return -EINVAL;
+-
+ 	/* parameters can only be changed when device isn't live */
+ 	mutex_lock(&ub->mutex);
+ 	if (ub->dev_info.state == UBLK_S_DEV_LIVE) {
+@@ -1914,7 +1875,6 @@ static int ublk_ctrl_set_params(struct io_uring_cmd *cmd)
+ 			ub->params.types = 0;
+ 	}
+ 	mutex_unlock(&ub->mutex);
+-	ublk_put_device(ub);
+ 
+ 	return ret;
+ }
+@@ -1941,17 +1901,13 @@ static void ublk_queue_reinit(struct ublk_device *ub, struct ublk_queue *ubq)
+ 	}
+ }
+ 
+-static int ublk_ctrl_start_recovery(struct io_uring_cmd *cmd)
++static int ublk_ctrl_start_recovery(struct ublk_device *ub,
++		struct io_uring_cmd *cmd)
+ {
+ 	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
+-	struct ublk_device *ub;
+ 	int ret = -EINVAL;
+ 	int i;
+ 
+-	ub = ublk_get_device_from_id(header->dev_id);
+-	if (!ub)
+-		return ret;
+-
+ 	mutex_lock(&ub->mutex);
+ 	if (!ublk_can_use_recovery(ub))
+ 		goto out_unlock;
+@@ -1984,21 +1940,16 @@ static int ublk_ctrl_start_recovery(struct io_uring_cmd *cmd)
+ 	ret = 0;
+  out_unlock:
+ 	mutex_unlock(&ub->mutex);
+-	ublk_put_device(ub);
+ 	return ret;
+ }
+ 
+-static int ublk_ctrl_end_recovery(struct io_uring_cmd *cmd)
++static int ublk_ctrl_end_recovery(struct ublk_device *ub,
++		struct io_uring_cmd *cmd)
+ {
+ 	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
+ 	int ublksrv_pid = (int)header->data[0];
+-	struct ublk_device *ub;
+ 	int ret = -EINVAL;
+ 
+-	ub = ublk_get_device_from_id(header->dev_id);
+-	if (!ub)
+-		return ret;
+-
+ 	pr_devel("%s: Waiting for new ubq_daemons(nr: %d) are ready, dev id %d...\n",
+ 			__func__, ub->dev_info.nr_hw_queues, header->dev_id);
+ 	/* wait until new ubq_daemon sending all FETCH_REQ */
+@@ -2026,7 +1977,6 @@ static int ublk_ctrl_end_recovery(struct io_uring_cmd *cmd)
+ 	ret = 0;
+  out_unlock:
+ 	mutex_unlock(&ub->mutex);
+-	ublk_put_device(ub);
+ 	return ret;
+ }
+ 
+@@ -2034,6 +1984,7 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
+ 		unsigned int issue_flags)
+ {
+ 	struct ublksrv_ctrl_cmd *header = (struct ublksrv_ctrl_cmd *)cmd->cmd;
++	struct ublk_device *ub = NULL;
+ 	int ret = -EINVAL;
+ 
+ 	if (issue_flags & IO_URING_F_NONBLOCK)
+@@ -2048,41 +1999,50 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
+ 	if (!capable(CAP_SYS_ADMIN))
+ 		goto out;
+ 
+-	ret = -ENODEV;
++	if (cmd->cmd_op != UBLK_CMD_ADD_DEV) {
++		ret = -ENODEV;
++		ub = ublk_get_device_from_id(header->dev_id);
++		if (!ub)
++			goto out;
++	}
++
+ 	switch (cmd->cmd_op) {
+ 	case UBLK_CMD_START_DEV:
+-		ret = ublk_ctrl_start_dev(cmd);
++		ret = ublk_ctrl_start_dev(ub, cmd);
+ 		break;
+ 	case UBLK_CMD_STOP_DEV:
+-		ret = ublk_ctrl_stop_dev(cmd);
++		ret = ublk_ctrl_stop_dev(ub);
+ 		break;
+ 	case UBLK_CMD_GET_DEV_INFO:
+-		ret = ublk_ctrl_get_dev_info(cmd);
++		ret = ublk_ctrl_get_dev_info(ub, cmd);
+ 		break;
+ 	case UBLK_CMD_ADD_DEV:
+ 		ret = ublk_ctrl_add_dev(cmd);
+ 		break;
+ 	case UBLK_CMD_DEL_DEV:
+-		ret = ublk_ctrl_del_dev(header->dev_id);
++		ret = ublk_ctrl_del_dev(&ub);
+ 		break;
+ 	case UBLK_CMD_GET_QUEUE_AFFINITY:
+-		ret = ublk_ctrl_get_queue_affinity(cmd);
++		ret = ublk_ctrl_get_queue_affinity(ub, cmd);
+ 		break;
+ 	case UBLK_CMD_GET_PARAMS:
+-		ret = ublk_ctrl_get_params(cmd);
++		ret = ublk_ctrl_get_params(ub, cmd);
+ 		break;
+ 	case UBLK_CMD_SET_PARAMS:
+-		ret = ublk_ctrl_set_params(cmd);
++		ret = ublk_ctrl_set_params(ub, cmd);
+ 		break;
+ 	case UBLK_CMD_START_USER_RECOVERY:
+-		ret = ublk_ctrl_start_recovery(cmd);
++		ret = ublk_ctrl_start_recovery(ub, cmd);
+ 		break;
+ 	case UBLK_CMD_END_USER_RECOVERY:
+-		ret = ublk_ctrl_end_recovery(cmd);
++		ret = ublk_ctrl_end_recovery(ub, cmd);
+ 		break;
+ 	default:
++		ret = -ENOTSUPP;
+ 		break;
+ 	}
++	if (ub)
++		ublk_put_device(ub);
+  out:
+ 	io_uring_cmd_done(cmd, ret, 0, issue_flags);
+ 	pr_devel("%s: cmd done ret %d cmd_op %x, dev id %d qid %d\n",
+-- 
+2.40.1
+
diff --git a/queue-6.1/xenbus-check-xen_domain-in-xenbus_probe_initcall.patch b/queue-6.1/xenbus-check-xen_domain-in-xenbus_probe_initcall.patch
new file mode 100644
index 00000000000..b29940fbd73
--- /dev/null
+++ b/queue-6.1/xenbus-check-xen_domain-in-xenbus_probe_initcall.patch
@@ -0,0 +1,58 @@
+From cdcbd8dc5bddb6265717d4fc42c5f0206b1b9e3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 16:13:03 -0700
+Subject: xenbus: check xen_domain in xenbus_probe_initcall
+
+From: Stefano Stabellini <sstabellini@kernel.org>
+
+[ Upstream commit 0d8f7cc8057890db08c54fe610d8a94af59da082 ]
+
+The same way we already do in xenbus_init.
+Fixes the following warning:
+
+[  352.175563] Trying to free already-free IRQ 0
+[  352.177355] WARNING: CPU: 1 PID: 88 at kernel/irq/manage.c:1893 free_irq+0xbf/0x350
+[...]
+[  352.213951] Call Trace:
+[  352.214390]  <TASK>
+[  352.214717]  ? __warn+0x81/0x170
+[  352.215436]  ? free_irq+0xbf/0x350
+[  352.215906]  ? report_bug+0x10b/0x200
+[  352.216408]  ? prb_read_valid+0x17/0x20
+[  352.216926]  ? handle_bug+0x44/0x80
+[  352.217409]  ? exc_invalid_op+0x13/0x60
+[  352.217932]  ? asm_exc_invalid_op+0x16/0x20
+[  352.218497]  ? free_irq+0xbf/0x350
+[  352.218979]  ? __pfx_xenbus_probe_thread+0x10/0x10
+[  352.219600]  xenbus_probe+0x7a/0x80
+[  352.221030]  xenbus_probe_thread+0x76/0xc0
+
+Fixes: 5b3353949e89 ("xen: add support for initializing xenstore later as HVM domain")
+Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
+Tested-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+
+Link: https://lore.kernel.org/r/alpine.DEB.2.22.394.2307211609140.3118466@ubuntu-linux-20-04-desktop
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/xenbus/xenbus_probe.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c
+index 58b732dcbfb83..639bf628389ba 100644
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -811,6 +811,9 @@ static int xenbus_probe_thread(void *unused)
+ 
+ static int __init xenbus_probe_initcall(void)
+ {
++	if (!xen_domain())
++		return -ENODEV;
++
+ 	/*
+ 	 * Probe XenBus here in the XS_PV case, and also XS_HVM unless we
+ 	 * need to wait for the platform PCI device to come up or
+-- 
+2.40.1
+
-- 
2.47.3