--- /dev/null
+From 5f91c2a170d8198d1971d66f05733ec770dae380 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 14:39:03 +0000
+Subject: afs: Increase buffer size in afs_update_volume_status()
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+[ Upstream commit 6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d ]
+
+The max length of volume->vid value is 20 characters.
+So increase idbuf[] size up to 24 to avoid overflow.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]
+
+Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/20240211150442.3416-1-d.dulov@aladdin.ru/ # v1
+Link: https://lore.kernel.org/r/20240212083347.10742-1-d.dulov@aladdin.ru/ # v2
+Link: https://lore.kernel.org/r/20240219143906.138346-3-dhowells@redhat.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/volume.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/volume.c b/fs/afs/volume.c
+index 115c081a8e2ce..c028598a903c9 100644
+--- a/fs/afs/volume.c
++++ b/fs/afs/volume.c
+@@ -337,7 +337,7 @@ static int afs_update_volume_status(struct afs_volume *volume, struct key *key)
+ {
+ struct afs_server_list *new, *old, *discard;
+ struct afs_vldb_entry *vldb;
+- char idbuf[16];
++ char idbuf[24];
+ int ret, idsz;
+
+ _enter("");
+@@ -345,7 +345,7 @@ static int afs_update_volume_status(struct afs_volume *volume, struct key *key)
+ /* We look up an ID by passing it as a decimal string in the
+ * operation's name parameter.
+ */
+- idsz = sprintf(idbuf, "%llu", volume->vid);
++ idsz = snprintf(idbuf, sizeof(idbuf), "%llu", volume->vid);
+
+ vldb = afs_vl_lookup_vldb(volume->cell, key, idbuf, idsz);
+ if (IS_ERR(vldb)) {
+--
+2.43.0
+
--- /dev/null
+From 52b293712fadc75aa344caaeda59234c0f41f913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Dec 2023 01:02:42 +0100
+Subject: arm64: dts: imx8mp: Disable UART4 by default on Data Modul i.MX8M
+ Plus eDM SBC
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit f03869698bc3bd6d9d2d9f216b20da08a8c2508a ]
+
+UART4 is used as CM7 coprocessor debug UART and may not be accessible from
+Linux in case it is protected by RDC. The RDC protection is set up by the
+platform firmware. UART4 is not used on this platform by Linux. Disable
+UART4 by default to prevent boot hangs, which occur when the RDC protection
+is in place.
+
+Fixes: 562d222f23f0 ("arm64: dts: imx8mp: Add support for Data Modul i.MX8M Plus eDM SBC")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
+index d98a040860a48..5828c9d7821de 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
+@@ -486,7 +486,7 @@
+ &uart4 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_uart4>;
+- status = "okay";
++ status = "disabled";
+ };
+
+ &usb3_phy0 {
+--
+2.43.0
+
--- /dev/null
+From f9c55441f6cdff9d68c197a68819f841530bdad5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jan 2024 14:19:42 -0600
+Subject: arm64: dts: rockchip: Correct Indiedroid Nova GPIO Names
+
+From: Chris Morgan <macromorgan@hotmail.com>
+
+[ Upstream commit c22d03a95b0d815cd186302fdd93f74d99f1c914 ]
+
+Correct the names given to a few of the GPIO pins. The original names
+were unknowingly based on the header from a pre-production board. The
+production board has a slightly different pin assignment for the 40-pin
+GPIO header.
+
+Fixes: 3900160e164b ("arm64: dts: rockchip: Add Indiedroid Nova board")
+Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
+Link: https://lore.kernel.org/r/20240125201943.90476-2-macroalpha82@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/rockchip/rk3588s-indiedroid-nova.dts | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3588s-indiedroid-nova.dts b/arch/arm64/boot/dts/rockchip/rk3588s-indiedroid-nova.dts
+index 60f00ceb630e1..3b675fd0c5ea5 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3588s-indiedroid-nova.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3588s-indiedroid-nova.dts
+@@ -196,13 +196,13 @@
+
+ &gpio1 {
+ gpio-line-names = /* GPIO1 A0-A7 */
+- "HEADER_27_3v3", "HEADER_28_3v3", "", "",
++ "HEADER_27_3v3", "", "", "",
+ "HEADER_29_1v8", "", "HEADER_7_1v8", "",
+ /* GPIO1 B0-B7 */
+ "", "HEADER_31_1v8", "HEADER_33_1v8", "",
+ "HEADER_11_1v8", "HEADER_13_1v8", "", "",
+ /* GPIO1 C0-C7 */
+- "", "", "", "",
++ "", "HEADER_28_3v3", "", "",
+ "", "", "", "",
+ /* GPIO1 D0-D7 */
+ "", "", "", "",
+@@ -226,11 +226,11 @@
+
+ &gpio4 {
+ gpio-line-names = /* GPIO4 A0-A7 */
+- "", "", "HEADER_37_3v3", "HEADER_32_3v3",
+- "HEADER_36_3v3", "", "HEADER_35_3v3", "HEADER_38_3v3",
++ "", "", "HEADER_37_3v3", "HEADER_8_3v3",
++ "HEADER_10_3v3", "", "HEADER_32_3v3", "HEADER_35_3v3",
+ /* GPIO4 B0-B7 */
+ "", "", "", "HEADER_40_3v3",
+- "HEADER_8_3v3", "HEADER_10_3v3", "", "",
++ "HEADER_38_3v3", "HEADER_36_3v3", "", "",
+ /* GPIO4 C0-C7 */
+ "", "", "", "",
+ "", "", "", "",
+--
+2.43.0
+
--- /dev/null
+From 2ce4f0336025fadb1abad8c10ab5f99ca8cea225 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 11:16:56 +0100
+Subject: arm64: dts: rockchip: set num-cs property for spi on px30
+
+From: Heiko Stuebner <heiko.stuebner@cherry.de>
+
+[ Upstream commit 334bf0710c98d391f4067b72f535d6c4c84dfb6f ]
+
+The px30 has two spi controllers with two chip-selects each.
+The num-cs property is specified as the total number of chip
+selects a controllers has and is used since 2020 to find uses
+of chipselects outside that range in the Rockchip spi driver.
+
+Without the property set, the default is 1, so spi devices
+using the second chipselect will not be created.
+
+Fixes: eb1262e3cc8b ("spi: spi-rockchip: use num-cs property and ctlr->enable_gpiods")
+Signed-off-by: Heiko Stuebner <heiko.stuebner@cherry.de>
+Reviewed-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Link: https://lore.kernel.org/r/20240119101656.965744-1-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/px30.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/px30.dtsi b/arch/arm64/boot/dts/rockchip/px30.dtsi
+index 42ce78beb4134..20955556b624d 100644
+--- a/arch/arm64/boot/dts/rockchip/px30.dtsi
++++ b/arch/arm64/boot/dts/rockchip/px30.dtsi
+@@ -632,6 +632,7 @@
+ clock-names = "spiclk", "apb_pclk";
+ dmas = <&dmac 12>, <&dmac 13>;
+ dma-names = "tx", "rx";
++ num-cs = <2>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&spi0_clk &spi0_csn &spi0_miso &spi0_mosi>;
+ #address-cells = <1>;
+@@ -647,6 +648,7 @@
+ clock-names = "spiclk", "apb_pclk";
+ dmas = <&dmac 14>, <&dmac 15>;
+ dma-names = "tx", "rx";
++ num-cs = <2>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&spi1_clk &spi1_csn0 &spi1_csn1 &spi1_miso &spi1_mosi>;
+ #address-cells = <1>;
+--
+2.43.0
+
--- /dev/null
+From f5e76cf0646cb8fd9416ed9a7507209e868b30b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jan 2024 10:08:49 +0100
+Subject: arm64: dts: tqma8mpql: fix audio codec iov-supply
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit a620a7f2ae8b08c5beea6369f61e87064ee222dc ]
+
+IOVDD is supplied by 1.8V, fix the referenced regulator.
+
+Fixes: d8f9d8126582d ("arm64: dts: imx8mp: Add analog audio output on i.MX8MP TQMa8MPxL/MBa8MPxL")
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts b/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts
+index 4240e20d38ac3..258e90cc16ff3 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts
+@@ -168,6 +168,13 @@
+ enable-active-high;
+ };
+
++ reg_vcc_1v8: regulator-1v8 {
++ compatible = "regulator-fixed";
++ regulator-name = "VCC_1V8";
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ };
++
+ reg_vcc_3v3: regulator-3v3 {
+ compatible = "regulator-fixed";
+ regulator-name = "VCC_3V3";
+@@ -464,7 +471,7 @@
+ clock-names = "mclk";
+ clocks = <&audio_blk_ctrl IMX8MP_CLK_AUDIOMIX_SAI3_MCLK1>;
+ reset-gpios = <&gpio4 29 GPIO_ACTIVE_LOW>;
+- iov-supply = <®_vcc_3v3>;
++ iov-supply = <®_vcc_1v8>;
+ ldoin-supply = <®_vcc_3v3>;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 2bf244b2048228c3bd9565174f5ba4499e601196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 23:06:33 +0000
+Subject: arm64/sme: Restore SMCR_EL1.EZT0 on exit from suspend
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit d7b77a0d565b048cb0808fa8a4fb031352b22a01 ]
+
+The fields in SMCR_EL1 reset to an architecturally UNKNOWN value. Since we
+do not otherwise manage the traps configured in this register at runtime we
+need to reconfigure them after a suspend in case nothing else was kind
+enough to preserve them for us. Do so for SMCR_EL1.EZT0.
+
+Fixes: d4913eee152d ("arm64/sme: Add basic enumeration for SME2")
+Reported-by: Jackson Cooper-Driver <Jackson.Cooper-Driver@arm.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240213-arm64-sme-resume-v3-2-17e05e493471@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/fpsimd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index db1eba8d5f66d..0898ac9979045 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1348,6 +1348,8 @@ void sme_suspend_exit(void)
+
+ if (system_supports_fa64())
+ smcr |= SMCR_ELx_FA64;
++ if (system_supports_sme2())
++ smcr |= SMCR_ELx_EZT0;
+
+ write_sysreg_s(smcr, SYS_SMCR_EL1);
+ write_sysreg_s(0, SYS_SMPRI_EL1);
+--
+2.43.0
+
--- /dev/null
+From 05924b634b03e31a0a1740200ef8ca68cad6bd94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 23:06:32 +0000
+Subject: arm64/sme: Restore SME registers on exit from suspend
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 9533864816fb4a6207c63b7a98396351ce1a9fae ]
+
+The fields in SMCR_EL1 and SMPRI_EL1 reset to an architecturally UNKNOWN
+value. Since we do not otherwise manage the traps configured in this
+register at runtime we need to reconfigure them after a suspend in case
+nothing else was kind enough to preserve them for us.
+
+The vector length will be restored as part of restoring the SME state for
+the next SME using task.
+
+Fixes: a1f4ccd25cc2 ("arm64/sme: Provide Kconfig for SME")
+Reported-by: Jackson Cooper-Driver <Jackson.Cooper-Driver@arm.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240213-arm64-sme-resume-v3-1-17e05e493471@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/fpsimd.h | 2 ++
+ arch/arm64/kernel/fpsimd.c | 14 ++++++++++++++
+ arch/arm64/kernel/suspend.c | 3 +++
+ 3 files changed, 19 insertions(+)
+
+diff --git a/arch/arm64/include/asm/fpsimd.h b/arch/arm64/include/asm/fpsimd.h
+index 50e5f25d3024c..7780d343ef080 100644
+--- a/arch/arm64/include/asm/fpsimd.h
++++ b/arch/arm64/include/asm/fpsimd.h
+@@ -386,6 +386,7 @@ extern void sme_alloc(struct task_struct *task, bool flush);
+ extern unsigned int sme_get_vl(void);
+ extern int sme_set_current_vl(unsigned long arg);
+ extern int sme_get_current_vl(void);
++extern void sme_suspend_exit(void);
+
+ /*
+ * Return how many bytes of memory are required to store the full SME
+@@ -421,6 +422,7 @@ static inline int sme_max_vl(void) { return 0; }
+ static inline int sme_max_virtualisable_vl(void) { return 0; }
+ static inline int sme_set_current_vl(unsigned long arg) { return -EINVAL; }
+ static inline int sme_get_current_vl(void) { return -EINVAL; }
++static inline void sme_suspend_exit(void) { }
+
+ static inline size_t sme_state_size(struct task_struct const *task)
+ {
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index f7d8f5d81cfe9..db1eba8d5f66d 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1339,6 +1339,20 @@ void __init sme_setup(void)
+ get_sme_default_vl());
+ }
+
++void sme_suspend_exit(void)
++{
++ u64 smcr = 0;
++
++ if (!system_supports_sme())
++ return;
++
++ if (system_supports_fa64())
++ smcr |= SMCR_ELx_FA64;
++
++ write_sysreg_s(smcr, SYS_SMCR_EL1);
++ write_sysreg_s(0, SYS_SMPRI_EL1);
++}
++
+ #endif /* CONFIG_ARM64_SME */
+
+ static void sve_init_regs(void)
+diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c
+index eca4d04352118..eaaff94329cdd 100644
+--- a/arch/arm64/kernel/suspend.c
++++ b/arch/arm64/kernel/suspend.c
+@@ -12,6 +12,7 @@
+ #include <asm/daifflags.h>
+ #include <asm/debug-monitors.h>
+ #include <asm/exec.h>
++#include <asm/fpsimd.h>
+ #include <asm/mte.h>
+ #include <asm/memory.h>
+ #include <asm/mmu_context.h>
+@@ -80,6 +81,8 @@ void notrace __cpu_suspend_exit(void)
+ */
+ spectre_v4_enable_mitigation(NULL);
+
++ sme_suspend_exit();
++
+ /* Restore additional feature-specific configuration */
+ ptrauth_suspend_exit();
+ }
+--
+2.43.0
+
--- /dev/null
+From b0ef979a5c7ae41636d6456ea71522439aecb16f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 15:05:16 -0800
+Subject: arp: Prevent overflow in arp_req_get().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit a7d6027790acea24446ddd6632d394096c0f4667 ]
+
+syzkaller reported an overflown write in arp_req_get(). [0]
+
+When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour
+entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.
+
+The arp_ha here is struct sockaddr, not struct sockaddr_storage, so
+the sa_data buffer is just 14 bytes.
+
+In the splat below, 2 bytes are overflown to the next int field,
+arp_flags. We initialise the field just after the memcpy(), so it's
+not a problem.
+
+However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),
+arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)
+in arp_ioctl() before calling arp_req_get().
+
+To avoid the overflow, let's limit the max length of memcpy().
+
+Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible
+array in struct sockaddr") just silenced syzkaller.
+
+[0]:
+memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
+WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
+Modules linked in:
+CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
+RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
+Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
+RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
+RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
+R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
+FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
+ inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
+ sock_do_ioctl+0xdf/0x260 net/socket.c:1204
+ sock_ioctl+0x3ef/0x650 net/socket.c:1321
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x64/0xce
+RIP: 0033:0x7f172b262b8d
+Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
+RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
+RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
+ </TASK>
+
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Bjoern Doebel <doebel@amazon.de>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20240215230516.31330-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/arp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
+index 9456f5bb35e5d..0d0d725b46ad0 100644
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -1125,7 +1125,8 @@ static int arp_req_get(struct arpreq *r, struct net_device *dev)
+ if (neigh) {
+ if (!(READ_ONCE(neigh->nud_state) & NUD_NOARP)) {
+ read_lock_bh(&neigh->lock);
+- memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len);
++ memcpy(r->arp_ha.sa_data, neigh->ha,
++ min(dev->addr_len, sizeof(r->arp_ha.sa_data_min)));
+ r->arp_flags = arp_state_to_flags(neigh);
+ read_unlock_bh(&neigh->lock);
+ r->arp_ha.sa_family = dev->type;
+--
+2.43.0
+
--- /dev/null
+From 04d45ffe9370c1a26a9ee3f8c4d8124b15b18622 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 23:44:57 +0530
+Subject: ata: ahci_ceva: fix error handling for Xilinx GT PHY support
+
+From: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+
+[ Upstream commit 26c8404e162b43dddcb037ba2d0cb58c0ed60aab ]
+
+Platform clock and phy error resources are not cleaned up in Xilinx GT PHY
+error path.
+
+To fix introduce the function ceva_ahci_platform_enable_resources() which
+is a customized version of ahci_platform_enable_resources() and inline with
+SATA IP programming sequence it does:
+
+- Assert SATA reset
+- Program PS GTR phy
+- Bring SATA by de-asserting the reset
+- Wait for GT lane PLL to be locked
+
+ceva_ahci_platform_enable_resources() is also used in the resume path
+as the same SATA programming sequence (as in probe) should be followed.
+Also cleanup the mixed usage of ahci_platform_enable_resources() and custom
+implementation in the probe function as both are not required.
+
+Fixes: 9a9d3abe24bb ("ata: ahci: ceva: Update the driver to support xilinx GT phy")
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci_ceva.c | 125 +++++++++++++++++++++++++---------------
+ 1 file changed, 79 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/ata/ahci_ceva.c b/drivers/ata/ahci_ceva.c
+index 64f7f7d6ba84e..11a2c199a7c24 100644
+--- a/drivers/ata/ahci_ceva.c
++++ b/drivers/ata/ahci_ceva.c
+@@ -88,7 +88,6 @@ struct ceva_ahci_priv {
+ u32 axicc;
+ bool is_cci_enabled;
+ int flags;
+- struct reset_control *rst;
+ };
+
+ static unsigned int ceva_ahci_read_id(struct ata_device *dev,
+@@ -189,6 +188,60 @@ static const struct scsi_host_template ahci_platform_sht = {
+ AHCI_SHT(DRV_NAME),
+ };
+
++static int ceva_ahci_platform_enable_resources(struct ahci_host_priv *hpriv)
++{
++ int rc, i;
++
++ rc = ahci_platform_enable_regulators(hpriv);
++ if (rc)
++ return rc;
++
++ rc = ahci_platform_enable_clks(hpriv);
++ if (rc)
++ goto disable_regulator;
++
++ /* Assert the controller reset */
++ rc = ahci_platform_assert_rsts(hpriv);
++ if (rc)
++ goto disable_clks;
++
++ for (i = 0; i < hpriv->nports; i++) {
++ rc = phy_init(hpriv->phys[i]);
++ if (rc)
++ goto disable_rsts;
++ }
++
++ /* De-assert the controller reset */
++ ahci_platform_deassert_rsts(hpriv);
++
++ for (i = 0; i < hpriv->nports; i++) {
++ rc = phy_power_on(hpriv->phys[i]);
++ if (rc) {
++ phy_exit(hpriv->phys[i]);
++ goto disable_phys;
++ }
++ }
++
++ return 0;
++
++disable_rsts:
++ ahci_platform_deassert_rsts(hpriv);
++
++disable_phys:
++ while (--i >= 0) {
++ phy_power_off(hpriv->phys[i]);
++ phy_exit(hpriv->phys[i]);
++ }
++
++disable_clks:
++ ahci_platform_disable_clks(hpriv);
++
++disable_regulator:
++ ahci_platform_disable_regulators(hpriv);
++
++ return rc;
++}
++
+ static int ceva_ahci_probe(struct platform_device *pdev)
+ {
+ struct device_node *np = pdev->dev.of_node;
+@@ -203,47 +256,19 @@ static int ceva_ahci_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ cevapriv->ahci_pdev = pdev;
+-
+- cevapriv->rst = devm_reset_control_get_optional_exclusive(&pdev->dev,
+- NULL);
+- if (IS_ERR(cevapriv->rst))
+- dev_err_probe(&pdev->dev, PTR_ERR(cevapriv->rst),
+- "failed to get reset\n");
+-
+ hpriv = ahci_platform_get_resources(pdev, 0);
+ if (IS_ERR(hpriv))
+ return PTR_ERR(hpriv);
+
+- if (!cevapriv->rst) {
+- rc = ahci_platform_enable_resources(hpriv);
+- if (rc)
+- return rc;
+- } else {
+- int i;
++ hpriv->rsts = devm_reset_control_get_optional_exclusive(&pdev->dev,
++ NULL);
++ if (IS_ERR(hpriv->rsts))
++ return dev_err_probe(&pdev->dev, PTR_ERR(hpriv->rsts),
++ "failed to get reset\n");
+
+- rc = ahci_platform_enable_clks(hpriv);
+- if (rc)
+- return rc;
+- /* Assert the controller reset */
+- reset_control_assert(cevapriv->rst);
+-
+- for (i = 0; i < hpriv->nports; i++) {
+- rc = phy_init(hpriv->phys[i]);
+- if (rc)
+- return rc;
+- }
+-
+- /* De-assert the controller reset */
+- reset_control_deassert(cevapriv->rst);
+-
+- for (i = 0; i < hpriv->nports; i++) {
+- rc = phy_power_on(hpriv->phys[i]);
+- if (rc) {
+- phy_exit(hpriv->phys[i]);
+- return rc;
+- }
+- }
+- }
++ rc = ceva_ahci_platform_enable_resources(hpriv);
++ if (rc)
++ return rc;
+
+ if (of_property_read_bool(np, "ceva,broken-gen2"))
+ cevapriv->flags = CEVA_FLAG_BROKEN_GEN2;
+@@ -252,52 +277,60 @@ static int ceva_ahci_probe(struct platform_device *pdev)
+ if (of_property_read_u8_array(np, "ceva,p0-cominit-params",
+ (u8 *)&cevapriv->pp2c[0], 4) < 0) {
+ dev_warn(dev, "ceva,p0-cominit-params property not defined\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto disable_resources;
+ }
+
+ if (of_property_read_u8_array(np, "ceva,p1-cominit-params",
+ (u8 *)&cevapriv->pp2c[1], 4) < 0) {
+ dev_warn(dev, "ceva,p1-cominit-params property not defined\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto disable_resources;
+ }
+
+ /* Read OOB timing value for COMWAKE from device-tree*/
+ if (of_property_read_u8_array(np, "ceva,p0-comwake-params",
+ (u8 *)&cevapriv->pp3c[0], 4) < 0) {
+ dev_warn(dev, "ceva,p0-comwake-params property not defined\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto disable_resources;
+ }
+
+ if (of_property_read_u8_array(np, "ceva,p1-comwake-params",
+ (u8 *)&cevapriv->pp3c[1], 4) < 0) {
+ dev_warn(dev, "ceva,p1-comwake-params property not defined\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto disable_resources;
+ }
+
+ /* Read phy BURST timing value from device-tree */
+ if (of_property_read_u8_array(np, "ceva,p0-burst-params",
+ (u8 *)&cevapriv->pp4c[0], 4) < 0) {
+ dev_warn(dev, "ceva,p0-burst-params property not defined\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto disable_resources;
+ }
+
+ if (of_property_read_u8_array(np, "ceva,p1-burst-params",
+ (u8 *)&cevapriv->pp4c[1], 4) < 0) {
+ dev_warn(dev, "ceva,p1-burst-params property not defined\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto disable_resources;
+ }
+
+ /* Read phy RETRY interval timing value from device-tree */
+ if (of_property_read_u16_array(np, "ceva,p0-retry-params",
+ (u16 *)&cevapriv->pp5c[0], 2) < 0) {
+ dev_warn(dev, "ceva,p0-retry-params property not defined\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto disable_resources;
+ }
+
+ if (of_property_read_u16_array(np, "ceva,p1-retry-params",
+ (u16 *)&cevapriv->pp5c[1], 2) < 0) {
+ dev_warn(dev, "ceva,p1-retry-params property not defined\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto disable_resources;
+ }
+
+ /*
+@@ -335,7 +368,7 @@ static int __maybe_unused ceva_ahci_resume(struct device *dev)
+ struct ahci_host_priv *hpriv = host->private_data;
+ int rc;
+
+- rc = ahci_platform_enable_resources(hpriv);
++ rc = ceva_ahci_platform_enable_resources(hpriv);
+ if (rc)
+ return rc;
+
+--
+2.43.0
+
--- /dev/null
+From a424d2388cd5e2a142884fce99584001ac88c6cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 13:12:17 -0800
+Subject: bpf: Fix racing between bpf_timer_cancel_and_free and
+ bpf_timer_cancel
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+[ Upstream commit 0281b919e175bb9c3128bd3872ac2903e9436e3f ]
+
+The following race is possible between bpf_timer_cancel_and_free
+and bpf_timer_cancel. It will lead a UAF on the timer->timer.
+
+bpf_timer_cancel();
+ spin_lock();
+ t = timer->time;
+ spin_unlock();
+
+ bpf_timer_cancel_and_free();
+ spin_lock();
+ t = timer->timer;
+ timer->timer = NULL;
+ spin_unlock();
+ hrtimer_cancel(&t->timer);
+ kfree(t);
+
+ /* UAF on t */
+ hrtimer_cancel(&t->timer);
+
+In bpf_timer_cancel_and_free, this patch frees the timer->timer
+after a rcu grace period. This requires a rcu_head addition
+to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init,
+this does not need a kfree_rcu because it is still under the
+spin_lock and timer->timer has not been visible by others yet.
+
+In bpf_timer_cancel, rcu_read_lock() is added because this helper
+can be used in a non rcu critical section context (e.g. from
+a sleepable bpf prog). Other timer->timer usages in helpers.c
+have been audited, bpf_timer_cancel() is the only place where
+timer->timer is used outside of the spin_lock.
+
+Another solution considered is to mark a t->flag in bpf_timer_cancel
+and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,
+it busy waits for the flag to be cleared before kfree(t). This patch
+goes with a straight forward solution and frees timer->timer after
+a rcu grace period.
+
+Fixes: b00628b1c7d5 ("bpf: Introduce bpf timers.")
+Suggested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/bpf/20240215211218.990808-1-martin.lau@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index b3053af6427d2..ce4729ef1ad2d 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -1101,6 +1101,7 @@ struct bpf_hrtimer {
+ struct bpf_prog *prog;
+ void __rcu *callback_fn;
+ void *value;
++ struct rcu_head rcu;
+ };
+
+ /* the actual struct hidden inside uapi struct bpf_timer */
+@@ -1332,6 +1333,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer)
+
+ if (in_nmi())
+ return -EOPNOTSUPP;
++ rcu_read_lock();
+ __bpf_spin_lock_irqsave(&timer->lock);
+ t = timer->timer;
+ if (!t) {
+@@ -1353,6 +1355,7 @@ BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer)
+ * if it was running.
+ */
+ ret = ret ?: hrtimer_cancel(&t->timer);
++ rcu_read_unlock();
+ return ret;
+ }
+
+@@ -1407,7 +1410,7 @@ void bpf_timer_cancel_and_free(void *val)
+ */
+ if (this_cpu_read(hrtimer_running) != t)
+ hrtimer_cancel(&t->timer);
+- kfree(t);
++ kfree_rcu(t, rcu);
+ }
+
+ BPF_CALL_2(bpf_kptr_xchg, void *, map_value, void *, ptr)
+--
+2.43.0
+
--- /dev/null
+From f0278fbd5fc4b5bbf96276fc3f031fae0141429b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 23:05:46 +0000
+Subject: bpf, scripts: Correct GPL license name
+
+From: Gianmarco Lusvardi <glusvardi@posteo.net>
+
+[ Upstream commit e37243b65d528a8a9f8b9a57a43885f8e8dfc15c ]
+
+The bpf_doc script refers to the GPL as the "GNU Privacy License".
+I strongly suspect that the author wanted to refer to the GNU General
+Public License, under which the Linux kernel is released, as, to the
+best of my knowledge, there is no license named "GNU Privacy License".
+This patch corrects the license name in the script accordingly.
+
+Fixes: 56a092c89505 ("bpf: add script and prepare bpf.h for new helpers documentation")
+Signed-off-by: Gianmarco Lusvardi <glusvardi@posteo.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Link: https://lore.kernel.org/bpf/20240213230544.930018-3-glusvardi@posteo.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/bpf_doc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/bpf_doc.py b/scripts/bpf_doc.py
+index 61b7dddedc461..0669bac5e900e 100755
+--- a/scripts/bpf_doc.py
++++ b/scripts/bpf_doc.py
+@@ -513,7 +513,7 @@ eBPF programs can have an associated license, passed along with the bytecode
+ instructions to the kernel when the programs are loaded. The format for that
+ string is identical to the one in use for kernel modules (Dual licenses, such
+ as "Dual BSD/GPL", may be used). Some helper functions are only accessible to
+-programs that are compatible with the GNU Privacy License (GPL).
++programs that are compatible with the GNU General Public License (GNU GPL).
+
+ In order to use such helpers, the eBPF program must be loaded with the correct
+ license string passed (via **attr**) to the **bpf**\\ () system call, and this
+--
+2.43.0
+
--- /dev/null
+From 9d0036756521a986adc9fec05139696ee5712081 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 00:09:33 +0900
+Subject: bpf, sockmap: Fix NULL pointer dereference in
+ sk_psock_verdict_data_ready()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 4cd12c6065dfcdeba10f49949bffcf383b3952d8 ]
+
+syzbot reported the following NULL pointer dereference issue [1]:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [...]
+ RIP: 0010:0x0
+ [...]
+ Call Trace:
+ <TASK>
+ sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230
+ unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+ ___sys_sendmsg net/socket.c:2638 [inline]
+ __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called
+concurrently, psock->saved_data_ready can be NULL, causing the above issue.
+
+This patch fixes this issue by calling the appropriate data ready function
+using the sk_psock_data_ready() helper and protecting it from concurrency
+with sk->sk_callback_lock.
+
+Fixes: 6df7f764cd3c ("bpf, sockmap: Wake up polling after data copy")
+Reported-by: syzbot+fd7b34375c1c8ce29c93@syzkaller.appspotmail.com
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: syzbot+fd7b34375c1c8ce29c93@syzkaller.appspotmail.com
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=fd7b34375c1c8ce29c93 [1]
+Link: https://lore.kernel.org/bpf/20240218150933.6004-1-syoshida@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 93ecfceac1bc4..4d75ef9d24bfa 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -1226,8 +1226,11 @@ static void sk_psock_verdict_data_ready(struct sock *sk)
+
+ rcu_read_lock();
+ psock = sk_psock(sk);
+- if (psock)
+- psock->saved_data_ready(sk);
++ if (psock) {
++ read_lock_bh(&sk->sk_callback_lock);
++ sk_psock_data_ready(sk, psock);
++ read_unlock_bh(&sk->sk_callback_lock);
++ }
+ rcu_read_unlock();
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 8ee80014b967fcb5f8f61c55acc3f7cbe124b46c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 19:50:26 +0100
+Subject: bus: imx-weim: fix valid range check
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit 7bca405c986075c99b9f729d3587b5c45db39d01 ]
+
+When the range parsing was open-coded the number of u32 entries to
+parse had to be a multiple of 4 and the driver checks this. With
+the range parsing converted to the range parser the counting changes
+from individual u32 entries to a complete range, so the check must
+not reject counts not divisible by 4.
+
+Fixes: 2a88e4792c6d ("bus: imx-weim: Remove open coded "ranges" parsing")
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/imx-weim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bus/imx-weim.c b/drivers/bus/imx-weim.c
+index 42c9386a7b423..f9fd1582f150d 100644
+--- a/drivers/bus/imx-weim.c
++++ b/drivers/bus/imx-weim.c
+@@ -117,7 +117,7 @@ static int imx_weim_gpr_setup(struct platform_device *pdev)
+ i++;
+ }
+
+- if (i == 0 || i % 4)
++ if (i == 0)
+ goto err;
+
+ for (i = 0; i < ARRAY_SIZE(gprvals); i++) {
+--
+2.43.0
+
--- /dev/null
+From 43bd2c62193011ac9cee4f613eef26aabd5eb54c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Feb 2024 21:26:40 +0000
+Subject: cache: ax45mp_cache: Align end size to cache boundary in
+ ax45mp_dma_cache_wback()
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 9bd405c48b0ac4de087c0c4440fd79597201b8a7 ]
+
+Align the end size to cache boundary size in ax45mp_dma_cache_wback()
+callback likewise done in ax45mp_dma_cache_inv() callback.
+
+Additionally return early in case of start == end.
+
+Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core")
+Reported-by: Pavel Machek <pavel@denx.de>
+Link: https://lore.kernel.org/cip-dev/ZYsdKDiw7G+kxQ3m@duo.ucw.cz/
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cache/ax45mp_cache.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c
+index 57186c58dc849..1d7dd3d2c101c 100644
+--- a/drivers/cache/ax45mp_cache.c
++++ b/drivers/cache/ax45mp_cache.c
+@@ -129,8 +129,12 @@ static void ax45mp_dma_cache_wback(phys_addr_t paddr, size_t size)
+ unsigned long line_size;
+ unsigned long flags;
+
++ if (unlikely(start == end))
++ return;
++
+ line_size = ax45mp_priv.ax45mp_cache_line_size;
+ start = start & (~(line_size - 1));
++ end = ((end + line_size - 1) & (~(line_size - 1)));
+ local_irq_save(flags);
+ ax45mp_cpu_dcache_wb_range(start, end);
+ local_irq_restore(flags);
+--
+2.43.0
+
--- /dev/null
+From ce71397396125ef837b800693c68686c94b8c51e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Feb 2024 11:13:08 -0800
+Subject: dccp/tcp: Unhash sk from ehash for tb2 alloc failure after
+ check_estalblished().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f ]
+
+syzkaller reported a warning [0] in inet_csk_destroy_sock() with no
+repro.
+
+ WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);
+
+However, the syzkaller's log hinted that connect() failed just before
+the warning due to FAULT_INJECTION. [1]
+
+When connect() is called for an unbound socket, we search for an
+available ephemeral port. If a bhash bucket exists for the port, we
+call __inet_check_established() or __inet6_check_established() to check
+if the bucket is reusable.
+
+If reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.
+
+Later, we look up the corresponding bhash2 bucket and try to allocate
+it if it does not exist.
+
+Although it rarely occurs in real use, if the allocation fails, we must
+revert the changes by check_established(). Otherwise, an unconnected
+socket could illegally occupy an ehash entry.
+
+Note that we do not put tw back into ehash because sk might have
+already responded to a packet for tw and it would be better to free
+tw earlier under such memory presure.
+
+[0]:
+WARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
+Modules linked in:
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
+Code: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05
+RSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40
+RDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8
+RBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000
+R10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0
+R13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000
+FS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
+ dccp_close (net/dccp/proto.c:1078)
+ inet_release (net/ipv4/af_inet.c:434)
+ __sock_release (net/socket.c:660)
+ sock_close (net/socket.c:1423)
+ __fput (fs/file_table.c:377)
+ __fput_sync (fs/file_table.c:462)
+ __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)
+ do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
+RIP: 0033:0x7f03e53852bb
+Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44
+RSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
+RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb
+RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c
+R10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000
+R13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170
+ </TASK>
+
+[1]:
+FAULT_INJECTION: forcing a failure.
+name failslab, interval 1, probability 0, space 0, times 0
+CPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
+ should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
+ should_failslab (mm/slub.c:3748)
+ kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)
+ inet_bind2_bucket_create (net/ipv4/inet_hashtables.c:135)
+ __inet_hash_connect (net/ipv4/inet_hashtables.c:1100)
+ dccp_v4_connect (net/dccp/ipv4.c:116)
+ __inet_stream_connect (net/ipv4/af_inet.c:676)
+ inet_stream_connect (net/ipv4/af_inet.c:747)
+ __sys_connect_file (net/socket.c:2048 (discriminator 2))
+ __sys_connect (net/socket.c:2065)
+ __x64_sys_connect (net/socket.c:2072)
+ do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
+RIP: 0033:0x7f03e5284e5d
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
+RSP: 002b:00007f03e4641cc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f03e5284e5d
+RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
+RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 000000000000000b R14: 00007f03e52e5530 R15: 0000000000000000
+ </TASK>
+
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_hashtables.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index a532f749e4778..9456bf9e2705b 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -1131,10 +1131,33 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+ return 0;
+
+ error:
++ if (sk_hashed(sk)) {
++ spinlock_t *lock = inet_ehash_lockp(hinfo, sk->sk_hash);
++
++ sock_prot_inuse_add(net, sk->sk_prot, -1);
++
++ spin_lock(lock);
++ sk_nulls_del_node_init_rcu(sk);
++ spin_unlock(lock);
++
++ sk->sk_hash = 0;
++ inet_sk(sk)->inet_sport = 0;
++ inet_sk(sk)->inet_num = 0;
++
++ if (tw)
++ inet_twsk_bind_unhash(tw, hinfo);
++ }
++
+ spin_unlock(&head2->lock);
+ if (tb_created)
+ inet_bind_bucket_destroy(hinfo->bind_bucket_cachep, tb);
+- spin_unlock_bh(&head->lock);
++ spin_unlock(&head->lock);
++
++ if (tw)
++ inet_twsk_deschedule_put(tw);
++
++ local_bh_enable();
++
+ return -ENOMEM;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a35478ad29833237beb89ab48ee8a7214fb3f035 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 08:52:45 +0100
+Subject: devlink: fix port dump cmd type
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 61c43780e9444123410cd48c2483e01d2b8f75e8 ]
+
+Unlike other commands, due to a c&p error, port dump fills-up cmd with
+wrong value, different from port-get request cmd, port-get doit reply
+and port notification.
+
+Fix it by filling cmd with value DEVLINK_CMD_PORT_NEW.
+
+Skimmed through devlink userspace implementations, none of them cares
+about this cmd value. Only ynl, for which, this is actually a fix, as it
+expects doit and dumpit ops rsp_value to be the same.
+
+Omit the fixes tag, even thought this is fix, better to target this for
+next release.
+
+Fixes: bfcd3a466172 ("Introduce devlink infrastructure")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20240220075245.75416-1-jiri@resnulli.us
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/devlink/port.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/devlink/port.c b/net/devlink/port.c
+index 841a3eafa328e..d39ee6053cc7b 100644
+--- a/net/devlink/port.c
++++ b/net/devlink/port.c
+@@ -581,7 +581,7 @@ devlink_nl_port_get_dump_one(struct sk_buff *msg, struct devlink *devlink,
+
+ xa_for_each_start(&devlink->ports, port_index, devlink_port, state->idx) {
+ err = devlink_nl_port_fill(msg, devlink_port,
+- DEVLINK_CMD_NEW,
++ DEVLINK_CMD_PORT_NEW,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq, flags,
+ cb->extack);
+--
+2.43.0
+
--- /dev/null
+From c4e63d6d02938bf2630524672a22933d482dadcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 23:34:00 +0300
+Subject: devlink: fix possible use-after-free and memory leaks in
+ devlink_init()
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+[ Upstream commit def689fc26b9a9622d2e2cb0c4933dd3b1c8071c ]
+
+The pernet operations structure for the subsystem must be registered
+before registering the generic netlink family.
+
+Make an unregister in case of unsuccessful registration.
+
+Fixes: 687125b5799c ("devlink: split out core code")
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://lore.kernel.org/r/20240215203400.29976-1-kovalev@altlinux.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/devlink/core.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/devlink/core.c b/net/devlink/core.c
+index cbf8560c93752..bc3d265fe2d6e 100644
+--- a/net/devlink/core.c
++++ b/net/devlink/core.c
+@@ -529,14 +529,20 @@ static int __init devlink_init(void)
+ {
+ int err;
+
+- err = genl_register_family(&devlink_nl_family);
+- if (err)
+- goto out;
+ err = register_pernet_subsys(&devlink_pernet_ops);
+ if (err)
+ goto out;
++ err = genl_register_family(&devlink_nl_family);
++ if (err)
++ goto out_unreg_pernet_subsys;
+ err = register_netdevice_notifier(&devlink_port_netdevice_nb);
++ if (!err)
++ return 0;
++
++ genl_unregister_family(&devlink_nl_family);
+
++out_unreg_pernet_subsys:
++ unregister_pernet_subsys(&devlink_pernet_ops);
+ out:
+ WARN_ON(err);
+ return err;
+--
+2.43.0
+
--- /dev/null
+From 9b4bc1ab1af27bb96770832fd1dc9aa2deaa536d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 01:50:50 +0100
+Subject: drm/amd/display: Fix memory leak in dm_sw_fini()
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit bae67893578d608e35691dcdfa90c4957debf1d3 ]
+
+After destroying dmub_srv, the memory associated with it is
+not freed, causing a memory leak:
+
+unreferenced object 0xffff896302b45800 (size 1024):
+ comm "(udev-worker)", pid 222, jiffies 4294894636
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 6265fd77):
+ [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340
+ [<ffffffffc0ea4a94>] dm_dmub_sw_init+0xb4/0x450 [amdgpu]
+ [<ffffffffc0ea4e55>] dm_sw_init+0x15/0x2b0 [amdgpu]
+ [<ffffffffc0ba8557>] amdgpu_device_init+0x1417/0x24e0 [amdgpu]
+ [<ffffffffc0bab285>] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]
+ [<ffffffffc0ba09c7>] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]
+ [<ffffffff9968fd1e>] local_pci_probe+0x3e/0x90
+ [<ffffffff996918a3>] pci_device_probe+0xc3/0x230
+ [<ffffffff99805872>] really_probe+0xe2/0x480
+ [<ffffffff99805c98>] __driver_probe_device+0x78/0x160
+ [<ffffffff99805daf>] driver_probe_device+0x1f/0x90
+ [<ffffffff9980601e>] __driver_attach+0xce/0x1c0
+ [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0
+ [<ffffffff99804822>] bus_add_driver+0x112/0x210
+ [<ffffffff99807245>] driver_register+0x55/0x100
+ [<ffffffff990012d1>] do_one_initcall+0x41/0x300
+
+Fix this by freeing dmub_srv after destroying it.
+
+Fixes: 743b9786b14a ("drm/amd/display: Hook up the DMUB service in DM")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index d83c4128fa165..88ca985603de5 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -2245,6 +2245,7 @@ static int dm_sw_fini(void *handle)
+
+ if (adev->dm.dmub_srv) {
+ dmub_srv_destroy(adev->dm.dmub_srv);
++ kfree(adev->dm.dmub_srv);
+ adev->dm.dmub_srv = NULL;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From c3d08828bbd2f95b0112145a6ee1ef73ddb2c239 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 09:23:19 -0300
+Subject: drm/amd/display: fix null-pointer dereference on edid reading
+
+From: Melissa Wen <mwen@igalia.com>
+
+[ Upstream commit 9671761792156f2339627918bafcd713a8a6f777 ]
+
+Use i2c adapter when there isn't aux_mode in dc_link to fix a
+null-pointer derefence that happens when running
+igt@kms_force_connector_basic in a system with DCN2.1 and HDMI connector
+detected as below:
+
+[ +0.178146] BUG: kernel NULL pointer dereference, address: 00000000000004c0
+[ +0.000010] #PF: supervisor read access in kernel mode
+[ +0.000005] #PF: error_code(0x0000) - not-present page
+[ +0.000004] PGD 0 P4D 0
+[ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ +0.000006] CPU: 15 PID: 2368 Comm: kms_force_conne Not tainted 6.5.0-asdn+ #152
+[ +0.000005] Hardware name: HP HP ENVY x360 Convertible 13-ay1xxx/8929, BIOS F.01 07/14/2021
+[ +0.000004] RIP: 0010:i2c_transfer+0xd/0x100
+[ +0.000011] Code: ea fc ff ff 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 38 00 0f 84 b3 00 00 00 83 3d 2f 80 16
+[ +0.000004] RSP: 0018:ffff9c4f89c0fad0 EFLAGS: 00010246
+[ +0.000005] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000080
+[ +0.000003] RDX: 0000000000000002 RSI: ffff9c4f89c0fb20 RDI: 00000000000004b0
+[ +0.000003] RBP: ffff9c4f89c0fb80 R08: 0000000000000080 R09: ffff8d8e0b15b980
+[ +0.000003] R10: 00000000000380e0 R11: 0000000000000000 R12: 0000000000000080
+[ +0.000002] R13: 0000000000000002 R14: ffff9c4f89c0fb0e R15: ffff9c4f89c0fb0f
+[ +0.000004] FS: 00007f9ad2176c40(0000) GS:ffff8d90fe9c0000(0000) knlGS:0000000000000000
+[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ +0.000004] CR2: 00000000000004c0 CR3: 0000000121bc4000 CR4: 0000000000750ee0
+[ +0.000003] PKRU: 55555554
+[ +0.000003] Call Trace:
+[ +0.000006] <TASK>
+[ +0.000006] ? __die+0x23/0x70
+[ +0.000011] ? page_fault_oops+0x17d/0x4c0
+[ +0.000008] ? preempt_count_add+0x6e/0xa0
+[ +0.000008] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000011] ? exc_page_fault+0x7f/0x180
+[ +0.000009] ? asm_exc_page_fault+0x26/0x30
+[ +0.000013] ? i2c_transfer+0xd/0x100
+[ +0.000010] drm_do_probe_ddc_edid+0xc2/0x140 [drm]
+[ +0.000067] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000006] ? _drm_do_get_edid+0x97/0x3c0 [drm]
+[ +0.000043] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]
+[ +0.000042] edid_block_read+0x3b/0xd0 [drm]
+[ +0.000043] _drm_do_get_edid+0xb6/0x3c0 [drm]
+[ +0.000041] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]
+[ +0.000043] drm_edid_read_custom+0x37/0xd0 [drm]
+[ +0.000044] amdgpu_dm_connector_mode_valid+0x129/0x1d0 [amdgpu]
+[ +0.000153] drm_connector_mode_valid+0x3b/0x60 [drm_kms_helper]
+[ +0.000000] __drm_helper_update_and_validate+0xfe/0x3c0 [drm_kms_helper]
+[ +0.000000] ? amdgpu_dm_connector_get_modes+0xb6/0x520 [amdgpu]
+[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000000] drm_helper_probe_single_connector_modes+0x2ab/0x540 [drm_kms_helper]
+[ +0.000000] status_store+0xb2/0x1f0 [drm]
+[ +0.000000] kernfs_fop_write_iter+0x136/0x1d0
+[ +0.000000] vfs_write+0x24d/0x440
+[ +0.000000] ksys_write+0x6f/0xf0
+[ +0.000000] do_syscall_64+0x60/0xc0
+[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000000] ? syscall_exit_to_user_mode+0x2b/0x40
+[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000000] ? do_syscall_64+0x6c/0xc0
+[ +0.000000] ? do_syscall_64+0x6c/0xc0
+[ +0.000000] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ +0.000000] RIP: 0033:0x7f9ad46b4b00
+[ +0.000000] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
+[ +0.000000] RSP: 002b:00007ffcbd3bd6d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ +0.000000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ad46b4b00
+[ +0.000000] RDX: 0000000000000002 RSI: 00007f9ad48a7417 RDI: 0000000000000009
+[ +0.000000] RBP: 0000000000000002 R08: 0000000000000064 R09: 0000000000000000
+[ +0.000000] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f9ad48a7417
+[ +0.000000] R13: 0000000000000009 R14: 00007ffcbd3bd760 R15: 0000000000000001
+[ +0.000000] </TASK>
+[ +0.000000] Modules linked in: ctr ccm rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash algif_skcipher af_alg bnep btusb btrtl btbcm btintel btmtk bluetooth uvcvideo videobuf2_vmalloc sha3_generic videobuf2_memops uvc jitterentropy_rng videobuf2_v4l2 videodev drbg videobuf2_common ansi_cprng mc ecdh_generic ecc qrtr binfmt_misc hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio snd_ctl_led joydev hid_sensor_iio_common rtw89_8852ae rtw89_8852a rtw89_pci snd_hda_codec_realtek rtw89_core snd_hda_codec_generic intel_rapl_msr ledtrig_audio intel_rapl_common snd_hda_codec_hdmi mac80211 snd_hda_intel snd_intel_dspcfg kvm_amd snd_hda_codec snd_soc_dmic snd_acp3x_rn snd_acp3x_pdm_dma libarc4 snd_hwdep snd_soc_core kvm snd_hda_core cfg80211 snd_pci_acp6x snd_pcm nls_ascii snd_timer hp_wmi snd_pci_acp5x nls_cp437 snd_rn_pci_acp3x ucsi_acpi sparse_keymap ccp snd platform_profile snd_acp_config typec_ucsi irqbypass vfat sp5100_tco
+[ +0.000000] snd_soc_acpi fat rapl pcspkr wmi_bmof roles rfkill rng_core snd_pci_acp3x soundcore k10temp watchdog typec battery ac amd_pmc acpi_tad button hid_sensor_hub hid_multitouch evdev serio_raw msr parport_pc ppdev lp parport fuse loop efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic dm_crypt dm_mod efivarfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx libcrc32c crc32c_generic xor raid6_pq raid1 raid0 multipath linear md_mod amdgpu amdxcp i2c_algo_bit drm_ttm_helper ttm crc32_pclmul crc32c_intel drm_exec gpu_sched drm_suballoc_helper nvme ghash_clmulni_intel drm_buddy drm_display_helper sha512_ssse3 nvme_core ahci xhci_pci sha512_generic hid_generic xhci_hcd libahci rtsx_pci_sdmmc t10_pi i2c_hid_acpi drm_kms_helper i2c_hid mmc_core libata aesni_intel crc64_rocksoft_generic crypto_simd amd_sfh crc64_rocksoft scsi_mod usbcore cryptd crc_t10dif cec drm crct10dif_generic hid rtsx_pci crct10dif_pclmul scsi_common rc_core crc64 i2c_piix4
+[ +0.000000] usb_common crct10dif_common video wmi
+[ +0.000000] CR2: 00000000000004c0
+[ +0.000000] ---[ end trace 0000000000000000 ]---
+
+Fixes: 0e859faf8670 ("drm/amd/display: Remove unwanted drm edid references")
+Signed-off-by: Melissa Wen <mwen@igalia.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 88ca985603de5..272c27495ede6 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -6445,10 +6445,15 @@ amdgpu_dm_connector_late_register(struct drm_connector *connector)
+ static void amdgpu_dm_connector_funcs_force(struct drm_connector *connector)
+ {
+ struct amdgpu_dm_connector *aconnector = to_amdgpu_dm_connector(connector);
+- struct amdgpu_connector *amdgpu_connector = to_amdgpu_connector(connector);
+ struct dc_link *dc_link = aconnector->dc_link;
+ struct dc_sink *dc_em_sink = aconnector->dc_em_sink;
+ struct edid *edid;
++ struct i2c_adapter *ddc;
++
++ if (dc_link->aux_mode)
++ ddc = &aconnector->dm_dp_aux.aux.ddc;
++ else
++ ddc = &aconnector->i2c->base;
+
+ /*
+ * Note: drm_get_edid gets edid in the following order:
+@@ -6456,7 +6461,7 @@ static void amdgpu_dm_connector_funcs_force(struct drm_connector *connector)
+ * 2) firmware EDID if set via edid_firmware module parameter
+ * 3) regular DDC read.
+ */
+- edid = drm_get_edid(connector, &amdgpu_connector->ddc_bus->aux.ddc);
++ edid = drm_get_edid(connector, ddc);
+ if (!edid) {
+ DRM_ERROR("No EDID found on connector: %s.\n", connector->name);
+ return;
+@@ -6497,12 +6502,18 @@ static int get_modes(struct drm_connector *connector)
+ static void create_eml_sink(struct amdgpu_dm_connector *aconnector)
+ {
+ struct drm_connector *connector = &aconnector->base;
+- struct amdgpu_connector *amdgpu_connector = to_amdgpu_connector(&aconnector->base);
++ struct dc_link *dc_link = aconnector->dc_link;
+ struct dc_sink_init_data init_params = {
+ .link = aconnector->dc_link,
+ .sink_signal = SIGNAL_TYPE_VIRTUAL
+ };
+ struct edid *edid;
++ struct i2c_adapter *ddc;
++
++ if (dc_link->aux_mode)
++ ddc = &aconnector->dm_dp_aux.aux.ddc;
++ else
++ ddc = &aconnector->i2c->base;
+
+ /*
+ * Note: drm_get_edid gets edid in the following order:
+@@ -6510,7 +6521,7 @@ static void create_eml_sink(struct amdgpu_dm_connector *aconnector)
+ * 2) firmware EDID if set via edid_firmware module parameter
+ * 3) regular DDC read.
+ */
+- edid = drm_get_edid(connector, &amdgpu_connector->ddc_bus->aux.ddc);
++ edid = drm_get_edid(connector, ddc);
+ if (!edid) {
+ DRM_ERROR("No EDID found on connector: %s.\n", connector->name);
+ return;
+--
+2.43.0
+
--- /dev/null
+From cefdfef47f82acca6a89fe9890f5ea2a9fccf071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 11:43:16 +0530
+Subject: drm/amd/display: Fix potential null pointer dereference in
+ dc_dmub_srv
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907 ]
+
+Fixes potential null pointer dereference warnings in the
+dc_dmub_srv_cmd_list_queue_execute() and dc_dmub_srv_is_hw_pwr_up()
+functions.
+
+In both functions, the 'dc_dmub_srv' variable was being dereferenced
+before it was checked for null. This could lead to a null pointer
+dereference if 'dc_dmub_srv' is null. The fix is to check if
+'dc_dmub_srv' is null before dereferencing it.
+
+Thus moving the null checks for 'dc_dmub_srv' to the beginning of the
+functions to ensure that 'dc_dmub_srv' is not null when it is
+dereferenced.
+
+Found by smatch & thus fixing the below:
+drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:133 dc_dmub_srv_cmd_list_queue_execute() warn: variable dereferenced before check 'dc_dmub_srv' (see line 128)
+drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_is_hw_pwr_up() warn: variable dereferenced before check 'dc_dmub_srv' (see line 1164)
+
+Fixes: 028bac583449 ("drm/amd/display: decouple dmcub execution to reduce lock granularity")
+Fixes: 65138eb72e1f ("drm/amd/display: Add DCN35 DMUB")
+Cc: JinZe.Xu <jinze.xu@amd.com>
+Cc: Hersen Wu <hersenxs.wu@amd.com>
+Cc: Josip Pavic <josip.pavic@amd.com>
+Cc: Roman Li <roman.li@amd.com>
+Cc: Qingqing Zhuo <Qingqing.Zhuo@amd.com>
+Cc: Harry Wentland <Harry.Wentland@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c
+index 61d1b4eadbee3..05b3433cbb0b4 100644
+--- a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c
++++ b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c
+@@ -124,7 +124,7 @@ bool dc_dmub_srv_cmd_list_queue_execute(struct dc_dmub_srv *dc_dmub_srv,
+ unsigned int count,
+ union dmub_rb_cmd *cmd_list)
+ {
+- struct dc_context *dc_ctx = dc_dmub_srv->ctx;
++ struct dc_context *dc_ctx;
+ struct dmub_srv *dmub;
+ enum dmub_status status;
+ int i;
+@@ -132,6 +132,7 @@ bool dc_dmub_srv_cmd_list_queue_execute(struct dc_dmub_srv *dc_dmub_srv,
+ if (!dc_dmub_srv || !dc_dmub_srv->dmub)
+ return false;
+
++ dc_ctx = dc_dmub_srv->ctx;
+ dmub = dc_dmub_srv->dmub;
+
+ for (i = 0 ; i < count; i++) {
+@@ -1129,7 +1130,7 @@ void dc_dmub_srv_subvp_save_surf_addr(const struct dc_dmub_srv *dc_dmub_srv, con
+
+ bool dc_dmub_srv_is_hw_pwr_up(struct dc_dmub_srv *dc_dmub_srv, bool wait)
+ {
+- struct dc_context *dc_ctx = dc_dmub_srv->ctx;
++ struct dc_context *dc_ctx;
+ enum dmub_status status;
+
+ if (!dc_dmub_srv || !dc_dmub_srv->dmub)
+@@ -1138,6 +1139,8 @@ bool dc_dmub_srv_is_hw_pwr_up(struct dc_dmub_srv *dc_dmub_srv, bool wait)
+ if (dc_dmub_srv->ctx->dc->debug.dmcub_emulation)
+ return true;
+
++ dc_ctx = dc_dmub_srv->ctx;
++
+ if (wait) {
+ status = dmub_srv_wait_for_hw_pwr_up(dc_dmub_srv->dmub, 500000);
+ if (status != DMUB_STATUS_OK) {
+--
+2.43.0
+
--- /dev/null
+From 937478def5f245b8bf9a6a09337c992815e304a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 14:12:51 +0100
+Subject: drm/i915/tv: Fix TV mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxime Ripard <mripard@kernel.org>
+
+[ Upstream commit fb1e881273f432e593f8789f99e725b09304cc97 ]
+
+Commit 1fd4a5a36f9f ("drm/connector: Rename legacy TV property") failed
+to update all the users of the struct drm_tv_connector_state mode field,
+which resulted in a build failure in i915.
+
+However, a subsequent commit in the same series reintroduced a mode
+field in that structure, with a different semantic but the same type,
+with the assumption that all previous users were updated.
+
+Since that didn't happen, the i915 driver now compiles, but mixes
+accesses to the legacy_mode field and the newer mode field, but with the
+previous semantics.
+
+This obviously doesn't work very well, so we need to update the accesses
+that weren't in the legacy renaming commit.
+
+Fixes: 1fd4a5a36f9f ("drm/connector: Rename legacy TV property")
+Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Maxime Ripard <mripard@kernel.org>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240220131251.453060-1-mripard@kernel.org
+(cherry picked from commit bf7626f19d6ff14b9722273e23700400cc4d78ba)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_sdvo.c | 10 +++++-----
+ drivers/gpu/drm/i915/display/intel_tv.c | 10 +++++-----
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_sdvo.c b/drivers/gpu/drm/i915/display/intel_sdvo.c
+index a9ac7d45d1f33..312f88d90af95 100644
+--- a/drivers/gpu/drm/i915/display/intel_sdvo.c
++++ b/drivers/gpu/drm/i915/display/intel_sdvo.c
+@@ -1208,7 +1208,7 @@ static bool intel_sdvo_set_tv_format(struct intel_sdvo *intel_sdvo,
+ struct intel_sdvo_tv_format format;
+ u32 format_map;
+
+- format_map = 1 << conn_state->tv.mode;
++ format_map = 1 << conn_state->tv.legacy_mode;
+ memset(&format, 0, sizeof(format));
+ memcpy(&format, &format_map, min(sizeof(format), sizeof(format_map)));
+
+@@ -2288,7 +2288,7 @@ static int intel_sdvo_get_tv_modes(struct drm_connector *connector)
+ * Read the list of supported input resolutions for the selected TV
+ * format.
+ */
+- format_map = 1 << conn_state->tv.mode;
++ format_map = 1 << conn_state->tv.legacy_mode;
+ memcpy(&tv_res, &format_map,
+ min(sizeof(format_map), sizeof(struct intel_sdvo_sdtv_resolution_request)));
+
+@@ -2353,7 +2353,7 @@ intel_sdvo_connector_atomic_get_property(struct drm_connector *connector,
+ int i;
+
+ for (i = 0; i < intel_sdvo_connector->format_supported_num; i++)
+- if (state->tv.mode == intel_sdvo_connector->tv_format_supported[i]) {
++ if (state->tv.legacy_mode == intel_sdvo_connector->tv_format_supported[i]) {
+ *val = i;
+
+ return 0;
+@@ -2409,7 +2409,7 @@ intel_sdvo_connector_atomic_set_property(struct drm_connector *connector,
+ struct intel_sdvo_connector_state *sdvo_state = to_intel_sdvo_connector_state(state);
+
+ if (property == intel_sdvo_connector->tv_format) {
+- state->tv.mode = intel_sdvo_connector->tv_format_supported[val];
++ state->tv.legacy_mode = intel_sdvo_connector->tv_format_supported[val];
+
+ if (state->crtc) {
+ struct drm_crtc_state *crtc_state =
+@@ -3066,7 +3066,7 @@ static bool intel_sdvo_tv_create_property(struct intel_sdvo *intel_sdvo,
+ drm_property_add_enum(intel_sdvo_connector->tv_format, i,
+ tv_format_names[intel_sdvo_connector->tv_format_supported[i]]);
+
+- intel_sdvo_connector->base.base.state->tv.mode = intel_sdvo_connector->tv_format_supported[0];
++ intel_sdvo_connector->base.base.state->tv.legacy_mode = intel_sdvo_connector->tv_format_supported[0];
+ drm_object_attach_property(&intel_sdvo_connector->base.base.base,
+ intel_sdvo_connector->tv_format, 0);
+ return true;
+diff --git a/drivers/gpu/drm/i915/display/intel_tv.c b/drivers/gpu/drm/i915/display/intel_tv.c
+index 2ee4f0d958513..f790fd10ba00a 100644
+--- a/drivers/gpu/drm/i915/display/intel_tv.c
++++ b/drivers/gpu/drm/i915/display/intel_tv.c
+@@ -949,7 +949,7 @@ intel_disable_tv(struct intel_atomic_state *state,
+
+ static const struct tv_mode *intel_tv_mode_find(const struct drm_connector_state *conn_state)
+ {
+- int format = conn_state->tv.mode;
++ int format = conn_state->tv.legacy_mode;
+
+ return &tv_modes[format];
+ }
+@@ -1710,7 +1710,7 @@ static void intel_tv_find_better_format(struct drm_connector *connector)
+ break;
+ }
+
+- connector->state->tv.mode = i;
++ connector->state->tv.legacy_mode = i;
+ }
+
+ static int
+@@ -1865,7 +1865,7 @@ static int intel_tv_atomic_check(struct drm_connector *connector,
+ old_state = drm_atomic_get_old_connector_state(state, connector);
+ new_crtc_state = drm_atomic_get_new_crtc_state(state, new_state->crtc);
+
+- if (old_state->tv.mode != new_state->tv.mode ||
++ if (old_state->tv.legacy_mode != new_state->tv.legacy_mode ||
+ old_state->tv.margins.left != new_state->tv.margins.left ||
+ old_state->tv.margins.right != new_state->tv.margins.right ||
+ old_state->tv.margins.top != new_state->tv.margins.top ||
+@@ -1902,7 +1902,7 @@ static void intel_tv_add_properties(struct drm_connector *connector)
+ conn_state->tv.margins.right = 46;
+ conn_state->tv.margins.bottom = 37;
+
+- conn_state->tv.mode = 0;
++ conn_state->tv.legacy_mode = 0;
+
+ /* Create TV properties then attach current values */
+ for (i = 0; i < ARRAY_SIZE(tv_modes); i++) {
+@@ -1916,7 +1916,7 @@ static void intel_tv_add_properties(struct drm_connector *connector)
+
+ drm_object_attach_property(&connector->base,
+ i915->drm.mode_config.legacy_tv_mode_property,
+- conn_state->tv.mode);
++ conn_state->tv.legacy_mode);
+ drm_object_attach_property(&connector->base,
+ i915->drm.mode_config.tv_left_margin_property,
+ conn_state->tv.margins.left);
+--
+2.43.0
+
--- /dev/null
+From 965cde7d67ef87d8fe4fcd002134393ae4f3b4ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 21:09:57 +0300
+Subject: drm/nouveau/mmu/r535: uninitialized variable in r535_bar_new_()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 65323796debe49a1922ba507020f7530a4b3f9af ]
+
+If gf100_bar_new_() fails then "bar" is not initialized.
+
+Fixes: 5bf0257136a2 ("drm/nouveau/mmu/r535: initial support")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Danilo Krummrich <dakr@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/dab21df7-4d90-4479-97d8-97e5d228c714@moroto.mountain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c
+index 4135690326f44..3a30bea30e366 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/r535.c
+@@ -168,12 +168,11 @@ r535_bar_new_(const struct nvkm_bar_func *hw, struct nvkm_device *device,
+ rm->flush = r535_bar_flush;
+
+ ret = gf100_bar_new_(rm, device, type, inst, &bar);
+- *pbar = bar;
+ if (ret) {
+- if (!bar)
+- kfree(rm);
++ kfree(rm);
+ return ret;
+ }
++ *pbar = bar;
+
+ bar->flushBAR2PhysMode = ioremap(device->func->resource_addr(device, 3), PAGE_SIZE);
+ if (!bar->flushBAR2PhysMode)
+--
+2.43.0
+
--- /dev/null
+From 40be1ac73a3ea6b46d0211861ff0cdb3fd8bb176 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 08:32:06 -0800
+Subject: drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag
+ is set
+
+From: Erik Kurzinger <ekurzinger@nvidia.com>
+
+[ Upstream commit 3c43177ffb54ea5be97505eb8e2690e99ac96bc9 ]
+
+When waiting for a syncobj timeline point whose fence has not yet been
+submitted with the WAIT_FOR_SUBMIT flag, a callback is registered using
+drm_syncobj_fence_add_wait and the thread is put to sleep until the
+timeout expires. If the fence is submitted before then,
+drm_syncobj_add_point will wake up the sleeping thread immediately which
+will proceed to wait for the fence to be signaled.
+
+However, if the WAIT_AVAILABLE flag is used instead,
+drm_syncobj_fence_add_wait won't get called, meaning the waiting thread
+will always sleep for the full timeout duration, even if the fence gets
+submitted earlier. If it turns out that the fence *has* been submitted
+by the time it eventually wakes up, it will still indicate to userspace
+that the wait completed successfully (it won't return -ETIME), but it
+will have taken much longer than it should have.
+
+To fix this, we must call drm_syncobj_fence_add_wait if *either* the
+WAIT_FOR_SUBMIT flag or the WAIT_AVAILABLE flag is set. The only
+difference being that with WAIT_FOR_SUBMIT we will also wait for the
+fence to be signaled after it has been submitted while with
+WAIT_AVAILABLE we will return immediately.
+
+IGT test patch: https://lists.freedesktop.org/archives/igt-dev/2024-January/067537.html
+
+v1 -> v2: adjust lockdep_assert_none_held_once condition
+
+(cherry picked from commit 8c44ea81634a4a337df70a32621a5f3791be23df)
+
+Fixes: 01d6c3578379 ("drm/syncobj: add support for timeline point wait v8")
+Signed-off-by: Erik Kurzinger <ekurzinger@nvidia.com>
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Simon Ser <contact@emersion.fr>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240119163208.3723457-1-ekurzinger@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_syncobj.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
+index 01da6789d0440..b3433265be6ab 100644
+--- a/drivers/gpu/drm/drm_syncobj.c
++++ b/drivers/gpu/drm/drm_syncobj.c
+@@ -1034,7 +1034,8 @@ static signed long drm_syncobj_array_wait_timeout(struct drm_syncobj **syncobjs,
+ uint64_t *points;
+ uint32_t signaled_count, i;
+
+- if (flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT)
++ if (flags & (DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT |
++ DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE))
+ lockdep_assert_none_held_once();
+
+ points = kmalloc_array(count, sizeof(*points), GFP_KERNEL);
+@@ -1103,7 +1104,8 @@ static signed long drm_syncobj_array_wait_timeout(struct drm_syncobj **syncobjs,
+ * fallthough and try a 0 timeout wait!
+ */
+
+- if (flags & DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT) {
++ if (flags & (DRM_SYNCOBJ_WAIT_FLAGS_WAIT_FOR_SUBMIT |
++ DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE)) {
+ for (i = 0; i < count; ++i)
+ drm_syncobj_fence_add_wait(syncobjs[i], &entries[i]);
+ }
+--
+2.43.0
+
--- /dev/null
+From e814a67b65f602278e3310a57d07ba331a414c3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 10:44:28 -0800
+Subject: drm/syncobj: handle NULL fence in syncobj_eventfd_entry_func
+
+From: Erik Kurzinger <ekurzinger@nvidia.com>
+
+[ Upstream commit 2aa6f5b0fd052e363bb9d4b547189f0bf6b3d6d3 ]
+
+During syncobj_eventfd_entry_func, dma_fence_chain_find_seqno may set
+the fence to NULL if the given seqno is signaled and a later seqno has
+already been submitted. In that case, the eventfd should be signaled
+immediately which currently does not happen.
+
+This is a similar issue to the one addressed by commit b19926d4f3a6
+("drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.").
+
+As a fix, if the return value of dma_fence_chain_find_seqno indicates
+success but it sets the fence to NULL, we will assign a stub fence to
+ensure the following code still signals the eventfd.
+
+v1 -> v2: assign a stub fence instead of signaling the eventfd
+
+Signed-off-by: Erik Kurzinger <ekurzinger@nvidia.com>
+Fixes: c7a472297169 ("drm/syncobj: add IOCTL to register an eventfd")
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240221184527.37667-1-ekurzinger@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_syncobj.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
+index b3433265be6ab..5860428da8de8 100644
+--- a/drivers/gpu/drm/drm_syncobj.c
++++ b/drivers/gpu/drm/drm_syncobj.c
+@@ -1380,10 +1380,21 @@ syncobj_eventfd_entry_func(struct drm_syncobj *syncobj,
+
+ /* This happens inside the syncobj lock */
+ fence = dma_fence_get(rcu_dereference_protected(syncobj->fence, 1));
++ if (!fence)
++ return;
++
+ ret = dma_fence_chain_find_seqno(&fence, entry->point);
+- if (ret != 0 || !fence) {
++ if (ret != 0) {
++ /* The given seqno has not been submitted yet. */
+ dma_fence_put(fence);
+ return;
++ } else if (!fence) {
++ /* If dma_fence_chain_find_seqno returns 0 but sets the fence
++ * to NULL, it implies that the given seqno is signaled and a
++ * later seqno has already been submitted. Assign a stub fence
++ * so that the eventfd still gets signaled below.
++ */
++ fence = dma_fence_get_stub();
+ }
+
+ list_del_init(&entry->node);
+--
+2.43.0
+
--- /dev/null
+From 4220e8f2c7ff498a37f95a1a8eee8af2614069ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 14:52:54 +0100
+Subject: Fix write to cloned skb in ipv6_hop_ioam()
+
+From: Justin Iurman <justin.iurman@uliege.be>
+
+[ Upstream commit f198d933c2e4f8f89e0620fbaf1ea7eac384a0eb ]
+
+ioam6_fill_trace_data() writes inside the skb payload without ensuring
+it's writeable (e.g., not cloned). This function is called both from the
+input and output path. The output path (ioam6_iptunnel) already does the
+check. This commit provides a fix for the input path, inside
+ipv6_hop_ioam(). It also updates ip6_parse_tlv() to refresh the network
+header pointer ("nh") when returning from ipv6_hop_ioam().
+
+Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/exthdrs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
+index 4952ae7924505..02e9ffb63af19 100644
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -177,6 +177,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
+ case IPV6_TLV_IOAM:
+ if (!ipv6_hop_ioam(skb, off))
+ return false;
++
++ nh = skb_network_header(skb);
+ break;
+ case IPV6_TLV_JUMBO:
+ if (!ipv6_hop_jumbo(skb, off))
+@@ -943,6 +945,14 @@ static bool ipv6_hop_ioam(struct sk_buff *skb, int optoff)
+ if (!skb_valid_dst(skb))
+ ip6_route_input(skb);
+
++ /* About to mangle packet header */
++ if (skb_ensure_writable(skb, optoff + 2 + hdr->opt_len))
++ goto drop;
++
++ /* Trace pointer may have changed */
++ trace = (struct ioam6_trace_hdr *)(skb_network_header(skb)
++ + optoff + sizeof(*hdr));
++
+ ioam6_fill_trace_data(skb, ns, trace, true);
+ break;
+ default:
+--
+2.43.0
+
--- /dev/null
+From 1abd23fd10d91005cb6d5c950b0ec4b86d134330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 18:25:13 +0100
+Subject: gpiolib: Handle no pin_ranges in gpiochip_generic_config()
+
+From: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+
+[ Upstream commit ae366ba8576da0135d7d3db2dfa6304f3338d0c2 ]
+
+Similar to gpiochip_generic_request() and gpiochip_generic_free() the
+gpiochip_generic_config() function needs to handle the case where there
+are no pinctrl pins mapped to the GPIOs, usually through the gpio-ranges
+device tree property.
+
+Commit f34fd6ee1be8 ("gpio: dwapb: Use generic request, free and
+set_config") set the .set_config callback to gpiochip_generic_config()
+in the dwapb GPIO driver so the GPIO API can set pinctrl configuration
+for the corresponding pins. Most boards using the dwapb driver do not
+set the gpio-ranges device tree property though, and in this case
+gpiochip_generic_config() would return -EPROPE_DEFER rather than the
+previous -ENOTSUPP return value. This in turn makes
+gpio_set_config_with_argument_optional() fail and propagate the error to
+any driver requesting GPIOs.
+
+Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips")
+Reported-by: Jisheng Zhang <jszhang@kernel.org>
+Closes: https://lore.kernel.org/linux-gpio/ZdC_g3U4l0CJIWzh@xhacker/
+Tested-by: Jisheng Zhang <jszhang@kernel.org>
+Signed-off-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 95d2a7b2ea3e2..15de124d5b402 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -2043,6 +2043,11 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_free);
+ int gpiochip_generic_config(struct gpio_chip *gc, unsigned int offset,
+ unsigned long config)
+ {
++#ifdef CONFIG_PINCTRL
++ if (list_empty(&gc->gpiodev->pin_ranges))
++ return -ENOTSUPP;
++#endif
++
+ return pinctrl_gpio_set_config(gc, offset, config);
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_generic_config);
+--
+2.43.0
+
--- /dev/null
+From 3b9b91fc9631b5a0285b1d19237b7f82bdfe8b1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 06:01:20 -0800
+Subject: hwmon: (nct6775) Fix access to temperature configuration registers
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit d56e460e19ea8382f813eb489730248ec8d7eb73 ]
+
+The number of temperature configuration registers does
+not always match the total number of temperature registers.
+This can result in access errors reported if KASAN is enabled.
+
+BUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Closes: https://lore.kernel.org/linux-hwmon/d51181d1-d26b-42b2-b002-3f5a4037721f@roeck-us.net/
+Fixes: b7f1f7b2523a ("hwmon: (nct6775) Additional TEMP registers for nct6799")
+Cc: Ahmad Khalifa <ahmad@khalifa.ws>
+Tested-by: Ahmad Khalifa <ahmad@khalifa.ws>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/nct6775-core.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c
+index 92a49fafe2c02..f3bf2e4701c38 100644
+--- a/drivers/hwmon/nct6775-core.c
++++ b/drivers/hwmon/nct6775-core.c
+@@ -3512,6 +3512,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ const u16 *reg_temp_mon, *reg_temp_alternate, *reg_temp_crit;
+ const u16 *reg_temp_crit_l = NULL, *reg_temp_crit_h = NULL;
+ int num_reg_temp, num_reg_temp_mon, num_reg_tsi_temp;
++ int num_reg_temp_config;
+ struct device *hwmon_dev;
+ struct sensor_template_group tsi_temp_tg;
+
+@@ -3594,6 +3595,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ reg_temp_over = NCT6106_REG_TEMP_OVER;
+ reg_temp_hyst = NCT6106_REG_TEMP_HYST;
+ reg_temp_config = NCT6106_REG_TEMP_CONFIG;
++ num_reg_temp_config = ARRAY_SIZE(NCT6106_REG_TEMP_CONFIG);
+ reg_temp_alternate = NCT6106_REG_TEMP_ALTERNATE;
+ reg_temp_crit = NCT6106_REG_TEMP_CRIT;
+ reg_temp_crit_l = NCT6106_REG_TEMP_CRIT_L;
+@@ -3669,6 +3671,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ reg_temp_over = NCT6106_REG_TEMP_OVER;
+ reg_temp_hyst = NCT6106_REG_TEMP_HYST;
+ reg_temp_config = NCT6106_REG_TEMP_CONFIG;
++ num_reg_temp_config = ARRAY_SIZE(NCT6106_REG_TEMP_CONFIG);
+ reg_temp_alternate = NCT6106_REG_TEMP_ALTERNATE;
+ reg_temp_crit = NCT6106_REG_TEMP_CRIT;
+ reg_temp_crit_l = NCT6106_REG_TEMP_CRIT_L;
+@@ -3746,6 +3749,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ reg_temp_over = NCT6775_REG_TEMP_OVER;
+ reg_temp_hyst = NCT6775_REG_TEMP_HYST;
+ reg_temp_config = NCT6775_REG_TEMP_CONFIG;
++ num_reg_temp_config = ARRAY_SIZE(NCT6775_REG_TEMP_CONFIG);
+ reg_temp_alternate = NCT6775_REG_TEMP_ALTERNATE;
+ reg_temp_crit = NCT6775_REG_TEMP_CRIT;
+
+@@ -3821,6 +3825,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ reg_temp_over = NCT6775_REG_TEMP_OVER;
+ reg_temp_hyst = NCT6775_REG_TEMP_HYST;
+ reg_temp_config = NCT6776_REG_TEMP_CONFIG;
++ num_reg_temp_config = ARRAY_SIZE(NCT6776_REG_TEMP_CONFIG);
+ reg_temp_alternate = NCT6776_REG_TEMP_ALTERNATE;
+ reg_temp_crit = NCT6776_REG_TEMP_CRIT;
+
+@@ -3900,6 +3905,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ reg_temp_over = NCT6779_REG_TEMP_OVER;
+ reg_temp_hyst = NCT6779_REG_TEMP_HYST;
+ reg_temp_config = NCT6779_REG_TEMP_CONFIG;
++ num_reg_temp_config = ARRAY_SIZE(NCT6779_REG_TEMP_CONFIG);
+ reg_temp_alternate = NCT6779_REG_TEMP_ALTERNATE;
+ reg_temp_crit = NCT6779_REG_TEMP_CRIT;
+
+@@ -4034,6 +4040,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ reg_temp_over = NCT6779_REG_TEMP_OVER;
+ reg_temp_hyst = NCT6779_REG_TEMP_HYST;
+ reg_temp_config = NCT6779_REG_TEMP_CONFIG;
++ num_reg_temp_config = ARRAY_SIZE(NCT6779_REG_TEMP_CONFIG);
+ reg_temp_alternate = NCT6779_REG_TEMP_ALTERNATE;
+ reg_temp_crit = NCT6779_REG_TEMP_CRIT;
+
+@@ -4123,6 +4130,7 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ reg_temp_over = NCT6798_REG_TEMP_OVER;
+ reg_temp_hyst = NCT6798_REG_TEMP_HYST;
+ reg_temp_config = NCT6779_REG_TEMP_CONFIG;
++ num_reg_temp_config = ARRAY_SIZE(NCT6779_REG_TEMP_CONFIG);
+ reg_temp_alternate = NCT6798_REG_TEMP_ALTERNATE;
+ reg_temp_crit = NCT6798_REG_TEMP_CRIT;
+
+@@ -4204,7 +4212,8 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ = reg_temp_crit[src - 1];
+ if (reg_temp_crit_l && reg_temp_crit_l[i])
+ data->reg_temp[4][src - 1] = reg_temp_crit_l[i];
+- data->reg_temp_config[src - 1] = reg_temp_config[i];
++ if (i < num_reg_temp_config)
++ data->reg_temp_config[src - 1] = reg_temp_config[i];
+ data->temp_src[src - 1] = src;
+ continue;
+ }
+@@ -4217,7 +4226,8 @@ int nct6775_probe(struct device *dev, struct nct6775_data *data,
+ data->reg_temp[0][s] = reg_temp[i];
+ data->reg_temp[1][s] = reg_temp_over[i];
+ data->reg_temp[2][s] = reg_temp_hyst[i];
+- data->reg_temp_config[s] = reg_temp_config[i];
++ if (i < num_reg_temp_config)
++ data->reg_temp_config[s] = reg_temp_config[i];
+ if (reg_temp_crit_h && reg_temp_crit_h[i])
+ data->reg_temp[3][s] = reg_temp_crit_h[i];
+ else if (reg_temp_crit[src - 1])
+--
+2.43.0
+
--- /dev/null
+From d51568ed339142de8c050d65a5c5ed0f1e944df5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 20:27:13 +0100
+Subject: i2c: imx: when being a target, mark the last read as processed
+
+From: Corey Minyard <minyard@acm.org>
+
+[ Upstream commit 87aec499368d488c20292952d6d4be7cb9e49c5e ]
+
+When being a target, NAK from the controller means that all bytes have
+been transferred. So, the last byte needs also to be marked as
+'processed'. Otherwise index registers of backends may not increase.
+
+Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver")
+Signed-off-by: Corey Minyard <minyard@acm.org>
+Tested-by: Andrew Manley <andrew.manley@sealingtech.com>
+Reviewed-by: Andrew Manley <andrew.manley@sealingtech.com>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+[wsa: fixed comment and commit message to properly describe the case]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-imx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
+index 1775a79aeba2a..0951bfdc89cfa 100644
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -803,6 +803,11 @@ static irqreturn_t i2c_imx_slave_handle(struct imx_i2c_struct *i2c_imx,
+ ctl &= ~I2CR_MTX;
+ imx_i2c_write_reg(ctl, i2c_imx, IMX_I2C_I2CR);
+ imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR);
++
++ /* flag the last byte as processed */
++ i2c_imx_slave_event(i2c_imx,
++ I2C_SLAVE_READ_PROCESSED, &value);
++
+ i2c_imx_slave_finish_op(i2c_imx);
+ return IRQ_HANDLED;
+ }
+--
+2.43.0
+
--- /dev/null
+From 65a1ee9bc9e221078867052851a72fc3b31f95f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jan 2024 16:55:23 +0800
+Subject: IB/hfi1: Fix a memleak in init_credit_return
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 809aa64ebff51eb170ee31a95f83b2d21efa32e2 ]
+
+When dma_alloc_coherent fails to allocate dd->cr_base[i].va,
+init_credit_return should deallocate dd->cr_base and
+dd->cr_base[i] that allocated before. Or those resources
+would be never freed and a memleak is triggered.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Link: https://lore.kernel.org/r/20240112085523.3731720-1-alexious@zju.edu.cn
+Acked-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/pio.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c
+index 68c621ff59d03..5a91cbda4aee6 100644
+--- a/drivers/infiniband/hw/hfi1/pio.c
++++ b/drivers/infiniband/hw/hfi1/pio.c
+@@ -2086,7 +2086,7 @@ int init_credit_return(struct hfi1_devdata *dd)
+ "Unable to allocate credit return DMA range for NUMA %d\n",
+ i);
+ ret = -ENOMEM;
+- goto done;
++ goto free_cr_base;
+ }
+ }
+ set_dev_node(&dd->pcidev->dev, dd->node);
+@@ -2094,6 +2094,10 @@ int init_credit_return(struct hfi1_devdata *dd)
+ ret = 0;
+ done:
+ return ret;
++
++free_cr_base:
++ free_credit_return(dd);
++ goto done;
+ }
+
+ void free_credit_return(struct hfi1_devdata *dd)
+--
+2.43.0
+
--- /dev/null
+From 52e6883e6668997a6b6a70b684bcc8f209bf459b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jan 2024 11:29:12 +0200
+Subject: IB/mlx5: Don't expose debugfs entries for RRoCE general parameters if
+ not supported
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 43fdbd140238d44e7e847232719fef7d20f9d326 ]
+
+debugfs entries for RRoCE general CC parameters must be exposed only when
+they are supported, otherwise when accessing them there may be a syndrome
+error in kernel log, for example:
+
+$ cat /sys/kernel/debug/mlx5/0000:08:00.1/cc_params/rtt_resp_dscp
+cat: '/sys/kernel/debug/mlx5/0000:08:00.1/cc_params/rtt_resp_dscp': Invalid argument
+$ dmesg
+ mlx5_core 0000:08:00.1: mlx5_cmd_out_err:805:(pid 1253): QUERY_CONG_PARAMS(0x824) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0x325a82), err(-22)
+
+Fixes: 66fb1d5df6ac ("IB/mlx5: Extend debug control for CC parameters")
+Reviewed-by: Edward Srouji <edwards@nvidia.com>
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Link: https://lore.kernel.org/r/e7ade70bad52b7468bdb1de4d41d5fad70c8b71c.1706433934.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/cong.c | 6 ++++++
+ include/linux/mlx5/mlx5_ifc.h | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/cong.c b/drivers/infiniband/hw/mlx5/cong.c
+index f87531318feb8..a78a067e3ce7f 100644
+--- a/drivers/infiniband/hw/mlx5/cong.c
++++ b/drivers/infiniband/hw/mlx5/cong.c
+@@ -458,6 +458,12 @@ void mlx5_ib_init_cong_debugfs(struct mlx5_ib_dev *dev, u32 port_num)
+ dbg_cc_params->root = debugfs_create_dir("cc_params", mlx5_debugfs_get_dev_root(mdev));
+
+ for (i = 0; i < MLX5_IB_DBG_CC_MAX; i++) {
++ if ((i == MLX5_IB_DBG_CC_GENERAL_RTT_RESP_DSCP_VALID ||
++ i == MLX5_IB_DBG_CC_GENERAL_RTT_RESP_DSCP))
++ if (!MLX5_CAP_GEN(mdev, roce) ||
++ !MLX5_CAP_ROCE(mdev, roce_cc_general))
++ continue;
++
+ dbg_cc_params->params[i].offset = i;
+ dbg_cc_params->params[i].dev = dev;
+ dbg_cc_params->params[i].port_num = port_num;
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index fb8d26a15df47..77cd2e13724e7 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1103,7 +1103,7 @@ struct mlx5_ifc_roce_cap_bits {
+ u8 sw_r_roce_src_udp_port[0x1];
+ u8 fl_rc_qp_when_roce_disabled[0x1];
+ u8 fl_rc_qp_when_roce_enabled[0x1];
+- u8 reserved_at_7[0x1];
++ u8 roce_cc_general[0x1];
+ u8 qp_ooo_transmit_default[0x1];
+ u8 reserved_at_9[0x15];
+ u8 qp_ts_format[0x2];
+--
+2.43.0
+
--- /dev/null
+From 1339c5c25a70f92acd8167090553d294101442be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Oct 2023 08:05:22 +0800
+Subject: iommu: Add mm_get_enqcmd_pasid() helper function
+
+From: Tina Zhang <tina.zhang@intel.com>
+
+[ Upstream commit 2396046d75d3c0b2cfead852a77efd023f8539dc ]
+
+mm_get_enqcmd_pasid() should be used by architecture code and closely
+related to learn the PASID value that the x86 ENQCMD operation should
+use for the mm.
+
+For the moment SMMUv3 uses this without any connection to ENQCMD, it
+will be cleaned up similar to how the prior patch made VT-d use the
+PASID argument of set_dev_pasid().
+
+The motivation is to replace mm->pasid with an iommu private data
+structure that is introduced in a later patch.
+
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Tested-by: Nicolin Chen <nicolinc@nvidia.com>
+Signed-off-by: Tina Zhang <tina.zhang@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20231027000525.1278806-4-tina.zhang@intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Stable-dep-of: b5bf7778b722 ("iommu/arm-smmu-v3: Do not use GFP_KERNEL under as spinlock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/traps.c | 2 +-
+ .../iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 23 ++++++++++++-------
+ drivers/iommu/iommu-sva.c | 2 +-
+ include/linux/iommu.h | 12 ++++++++++
+ 4 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
+index c876f1d36a81a..832f4413d96a8 100644
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -591,7 +591,7 @@ static bool try_fixup_enqcmd_gp(void)
+ if (!mm_valid_pasid(current->mm))
+ return false;
+
+- pasid = current->mm->pasid;
++ pasid = mm_get_enqcmd_pasid(current->mm);
+
+ /*
+ * Did this thread already have its PASID activated?
+diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
+index 353248ab18e76..05722121f00e7 100644
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
+@@ -246,7 +246,8 @@ static void arm_smmu_mm_arch_invalidate_secondary_tlbs(struct mmu_notifier *mn,
+ smmu_domain);
+ }
+
+- arm_smmu_atc_inv_domain(smmu_domain, mm->pasid, start, size);
++ arm_smmu_atc_inv_domain(smmu_domain, mm_get_enqcmd_pasid(mm), start,
++ size);
+ }
+
+ static void arm_smmu_mm_release(struct mmu_notifier *mn, struct mm_struct *mm)
+@@ -264,10 +265,11 @@ static void arm_smmu_mm_release(struct mmu_notifier *mn, struct mm_struct *mm)
+ * DMA may still be running. Keep the cd valid to avoid C_BAD_CD events,
+ * but disable translation.
+ */
+- arm_smmu_update_ctx_desc_devices(smmu_domain, mm->pasid, &quiet_cd);
++ arm_smmu_update_ctx_desc_devices(smmu_domain, mm_get_enqcmd_pasid(mm),
++ &quiet_cd);
+
+ arm_smmu_tlb_inv_asid(smmu_domain->smmu, smmu_mn->cd->asid);
+- arm_smmu_atc_inv_domain(smmu_domain, mm->pasid, 0, 0);
++ arm_smmu_atc_inv_domain(smmu_domain, mm_get_enqcmd_pasid(mm), 0, 0);
+
+ smmu_mn->cleared = true;
+ mutex_unlock(&sva_lock);
+@@ -325,10 +327,13 @@ arm_smmu_mmu_notifier_get(struct arm_smmu_domain *smmu_domain,
+
+ spin_lock_irqsave(&smmu_domain->devices_lock, flags);
+ list_for_each_entry(master, &smmu_domain->devices, domain_head) {
+- ret = arm_smmu_write_ctx_desc(master, mm->pasid, cd);
++ ret = arm_smmu_write_ctx_desc(master, mm_get_enqcmd_pasid(mm),
++ cd);
+ if (ret) {
+- list_for_each_entry_from_reverse(master, &smmu_domain->devices, domain_head)
+- arm_smmu_write_ctx_desc(master, mm->pasid, NULL);
++ list_for_each_entry_from_reverse(
++ master, &smmu_domain->devices, domain_head)
++ arm_smmu_write_ctx_desc(
++ master, mm_get_enqcmd_pasid(mm), NULL);
+ break;
+ }
+ }
+@@ -358,7 +363,8 @@ static void arm_smmu_mmu_notifier_put(struct arm_smmu_mmu_notifier *smmu_mn)
+
+ list_del(&smmu_mn->list);
+
+- arm_smmu_update_ctx_desc_devices(smmu_domain, mm->pasid, NULL);
++ arm_smmu_update_ctx_desc_devices(smmu_domain, mm_get_enqcmd_pasid(mm),
++ NULL);
+
+ /*
+ * If we went through clear(), we've already invalidated, and no
+@@ -366,7 +372,8 @@ static void arm_smmu_mmu_notifier_put(struct arm_smmu_mmu_notifier *smmu_mn)
+ */
+ if (!smmu_mn->cleared) {
+ arm_smmu_tlb_inv_asid(smmu_domain->smmu, cd->asid);
+- arm_smmu_atc_inv_domain(smmu_domain, mm->pasid, 0, 0);
++ arm_smmu_atc_inv_domain(smmu_domain, mm_get_enqcmd_pasid(mm), 0,
++ 0);
+ }
+
+ /* Frees smmu_mn */
+diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c
+index b78671a8a9143..4a2f5699747f1 100644
+--- a/drivers/iommu/iommu-sva.c
++++ b/drivers/iommu/iommu-sva.c
+@@ -141,7 +141,7 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle)
+ {
+ struct iommu_domain *domain = handle->domain;
+
+- return domain->mm->pasid;
++ return mm_get_enqcmd_pasid(domain->mm);
+ }
+ EXPORT_SYMBOL_GPL(iommu_sva_get_pasid);
+
+diff --git a/include/linux/iommu.h b/include/linux/iommu.h
+index 6291aa7b079b0..81553770e411a 100644
+--- a/include/linux/iommu.h
++++ b/include/linux/iommu.h
+@@ -1346,6 +1346,12 @@ static inline bool mm_valid_pasid(struct mm_struct *mm)
+ {
+ return mm->pasid != IOMMU_PASID_INVALID;
+ }
++
++static inline u32 mm_get_enqcmd_pasid(struct mm_struct *mm)
++{
++ return mm->pasid;
++}
++
+ void mm_pasid_drop(struct mm_struct *mm);
+ struct iommu_sva *iommu_sva_bind_device(struct device *dev,
+ struct mm_struct *mm);
+@@ -1368,6 +1374,12 @@ static inline u32 iommu_sva_get_pasid(struct iommu_sva *handle)
+ }
+ static inline void mm_pasid_init(struct mm_struct *mm) {}
+ static inline bool mm_valid_pasid(struct mm_struct *mm) { return false; }
++
++static inline u32 mm_get_enqcmd_pasid(struct mm_struct *mm)
++{
++ return IOMMU_PASID_INVALID;
++}
++
+ static inline void mm_pasid_drop(struct mm_struct *mm) {}
+ #endif /* CONFIG_IOMMU_SVA */
+
+--
+2.43.0
+
--- /dev/null
+From 07511b9734d777a94df86f591472c3c67cedb816 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 20:27:02 -0400
+Subject: iommu/arm-smmu-v3: Do not use GFP_KERNEL under as spinlock
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit b5bf7778b722105d7a04b1d51e884497b542638b ]
+
+If the SMMU is configured to use a two level CD table then
+arm_smmu_write_ctx_desc() allocates a CD table leaf internally using
+GFP_KERNEL. Due to recent changes this is being done under a spinlock to
+iterate over the device list - thus it will trigger a sleeping while
+atomic warning:
+
+ arm_smmu_sva_set_dev_pasid()
+ mutex_lock(&sva_lock);
+ __arm_smmu_sva_bind()
+ arm_smmu_mmu_notifier_get()
+ spin_lock_irqsave()
+ arm_smmu_write_ctx_desc()
+ arm_smmu_get_cd_ptr()
+ arm_smmu_alloc_cd_leaf_table()
+ dmam_alloc_coherent(GFP_KERNEL)
+
+This is a 64K high order allocation and really should not be done
+atomically.
+
+At the moment the rework of the SVA to follow the new API is half
+finished. Recently the CD table memory was moved from the domain to the
+master, however we have the confusing situation where the SVA code is
+wrongly using the RID domains device's list to track which CD tables the
+SVA is installed in.
+
+Remove the logic to replicate the CD across all the domain's masters
+during attach. We know which master and which CD table the PASID should be
+installed in.
+
+Right now SVA only works when dma-iommu.c is in control of the RID
+translation, which means we have a single iommu_domain shared across the
+entire group and that iommu_domain is not shared outside the group.
+
+Critically this means that the iommu_group->devices list and RID's
+smmu_domain->devices list describe the same set of masters.
+
+For PCI cases the core code also insists on singleton groups so there is
+only one entry in the smmu_domain->devices list that is equal to the
+master being passed in to arm_smmu_sva_set_dev_pasid().
+
+Only non-PCI cases may have multi-device groups. However, the core code
+will repeat the calls to arm_smmu_sva_set_dev_pasid() across the entire
+iommu_group->devices list.
+
+Instead of having arm_smmu_mmu_notifier_get() indirectly loop over all the
+devices in the group via the RID's smmu_domain, rely on
+__arm_smmu_sva_bind() to be called for each device in the group and
+install the repeated CD entry that way.
+
+This avoids taking the spinlock to access the devices list and permits the
+arm_smmu_write_ctx_desc() to use a sleeping allocation. Leave the
+arm_smmu_mm_release() as a confusing situation, this requires tracking
+attached masters inside the SVA domain.
+
+Removing the loop allows arm_smmu_write_ctx_desc() to be called outside
+the spinlock and thus is safe to use GFP_KERNEL.
+
+Move the clearing of the CD into arm_smmu_sva_remove_dev_pasid() so that
+arm_smmu_mmu_notifier_get/put() remain paired functions.
+
+Fixes: 24503148c545 ("iommu/arm-smmu-v3: Refactor write_ctx_desc")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/4e25d161-0cf8-4050-9aa3-dfa21cd63e56@moroto.mountain/
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Michael Shavit <mshavit@google.com>
+Link: https://lore.kernel.org/r/0-v3-11978fc67151+112-smmu_cd_atomic_jgg@nvidia.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 38 ++++++-------------
+ 1 file changed, 12 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
+index 05722121f00e7..4a27fbdb2d844 100644
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
+@@ -292,10 +292,8 @@ arm_smmu_mmu_notifier_get(struct arm_smmu_domain *smmu_domain,
+ struct mm_struct *mm)
+ {
+ int ret;
+- unsigned long flags;
+ struct arm_smmu_ctx_desc *cd;
+ struct arm_smmu_mmu_notifier *smmu_mn;
+- struct arm_smmu_master *master;
+
+ list_for_each_entry(smmu_mn, &smmu_domain->mmu_notifiers, list) {
+ if (smmu_mn->mn.mm == mm) {
+@@ -325,28 +323,9 @@ arm_smmu_mmu_notifier_get(struct arm_smmu_domain *smmu_domain,
+ goto err_free_cd;
+ }
+
+- spin_lock_irqsave(&smmu_domain->devices_lock, flags);
+- list_for_each_entry(master, &smmu_domain->devices, domain_head) {
+- ret = arm_smmu_write_ctx_desc(master, mm_get_enqcmd_pasid(mm),
+- cd);
+- if (ret) {
+- list_for_each_entry_from_reverse(
+- master, &smmu_domain->devices, domain_head)
+- arm_smmu_write_ctx_desc(
+- master, mm_get_enqcmd_pasid(mm), NULL);
+- break;
+- }
+- }
+- spin_unlock_irqrestore(&smmu_domain->devices_lock, flags);
+- if (ret)
+- goto err_put_notifier;
+-
+ list_add(&smmu_mn->list, &smmu_domain->mmu_notifiers);
+ return smmu_mn;
+
+-err_put_notifier:
+- /* Frees smmu_mn */
+- mmu_notifier_put(&smmu_mn->mn);
+ err_free_cd:
+ arm_smmu_free_shared_cd(cd);
+ return ERR_PTR(ret);
+@@ -363,9 +342,6 @@ static void arm_smmu_mmu_notifier_put(struct arm_smmu_mmu_notifier *smmu_mn)
+
+ list_del(&smmu_mn->list);
+
+- arm_smmu_update_ctx_desc_devices(smmu_domain, mm_get_enqcmd_pasid(mm),
+- NULL);
+-
+ /*
+ * If we went through clear(), we've already invalidated, and no
+ * new TLB entry can have been formed.
+@@ -381,7 +357,8 @@ static void arm_smmu_mmu_notifier_put(struct arm_smmu_mmu_notifier *smmu_mn)
+ arm_smmu_free_shared_cd(cd);
+ }
+
+-static int __arm_smmu_sva_bind(struct device *dev, struct mm_struct *mm)
++static int __arm_smmu_sva_bind(struct device *dev, ioasid_t pasid,
++ struct mm_struct *mm)
+ {
+ int ret;
+ struct arm_smmu_bond *bond;
+@@ -404,9 +381,15 @@ static int __arm_smmu_sva_bind(struct device *dev, struct mm_struct *mm)
+ goto err_free_bond;
+ }
+
++ ret = arm_smmu_write_ctx_desc(master, pasid, bond->smmu_mn->cd);
++ if (ret)
++ goto err_put_notifier;
++
+ list_add(&bond->list, &master->bonds);
+ return 0;
+
++err_put_notifier:
++ arm_smmu_mmu_notifier_put(bond->smmu_mn);
+ err_free_bond:
+ kfree(bond);
+ return ret;
+@@ -568,6 +551,9 @@ void arm_smmu_sva_remove_dev_pasid(struct iommu_domain *domain,
+ struct arm_smmu_master *master = dev_iommu_priv_get(dev);
+
+ mutex_lock(&sva_lock);
++
++ arm_smmu_write_ctx_desc(master, id, NULL);
++
+ list_for_each_entry(t, &master->bonds, list) {
+ if (t->mm == mm) {
+ bond = t;
+@@ -590,7 +576,7 @@ static int arm_smmu_sva_set_dev_pasid(struct iommu_domain *domain,
+ struct mm_struct *mm = domain->mm;
+
+ mutex_lock(&sva_lock);
+- ret = __arm_smmu_sva_bind(dev, mm);
++ ret = __arm_smmu_sva_bind(dev, id, mm);
+ mutex_unlock(&sva_lock);
+
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From a9dfb71392e3728bb24b82b14d8df695fafde4c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 19:15:59 +0800
+Subject: iommu/vt-d: Add missing dirty tracking set for parent domain
+
+From: Yi Liu <yi.l.liu@intel.com>
+
+[ Upstream commit f1e1610950eac0af5e40f6ee02315952f78192f7 ]
+
+Setting dirty tracking for a s2 domain requires to loop all the related
+devices and set the dirty tracking enable bit in the PASID table entry.
+This includes the devices that are attached to the nested domains of a
+s2 domain if this s2 domain is used as parent. However, the existing dirty
+tracking set only loops s2 domain's own devices. It will miss dirty page
+logs in the parent domain.
+
+Now, the parent domain tracks the nested domains, so it can loop the
+nested domains and the devices attached to the nested domains to ensure
+dirty tracking on the parent is set completely.
+
+Fixes: b41e38e22539 ("iommu/vt-d: Add nested domain allocation")
+Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com>
+Signed-off-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Link: https://lore.kernel.org/r/20240208082307.15759-9-yi.l.liu@intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index e3b3ab506b185..a8366b1f4f48b 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -4884,6 +4884,35 @@ static int device_set_dirty_tracking(struct list_head *devices, bool enable)
+ return ret;
+ }
+
++static int parent_domain_set_dirty_tracking(struct dmar_domain *domain,
++ bool enable)
++{
++ struct dmar_domain *s1_domain;
++ unsigned long flags;
++ int ret;
++
++ spin_lock(&domain->s1_lock);
++ list_for_each_entry(s1_domain, &domain->s1_domains, s2_link) {
++ spin_lock_irqsave(&s1_domain->lock, flags);
++ ret = device_set_dirty_tracking(&s1_domain->devices, enable);
++ spin_unlock_irqrestore(&s1_domain->lock, flags);
++ if (ret)
++ goto err_unwind;
++ }
++ spin_unlock(&domain->s1_lock);
++ return 0;
++
++err_unwind:
++ list_for_each_entry(s1_domain, &domain->s1_domains, s2_link) {
++ spin_lock_irqsave(&s1_domain->lock, flags);
++ device_set_dirty_tracking(&s1_domain->devices,
++ domain->dirty_tracking);
++ spin_unlock_irqrestore(&s1_domain->lock, flags);
++ }
++ spin_unlock(&domain->s1_lock);
++ return ret;
++}
++
+ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain,
+ bool enable)
+ {
+@@ -4898,6 +4927,12 @@ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain,
+ if (ret)
+ goto err_unwind;
+
++ if (dmar_domain->nested_parent) {
++ ret = parent_domain_set_dirty_tracking(dmar_domain, enable);
++ if (ret)
++ goto err_unwind;
++ }
++
+ dmar_domain->dirty_tracking = enable;
+ out_unlock:
+ spin_unlock(&dmar_domain->lock);
+--
+2.43.0
+
--- /dev/null
+From f6504fa1c4a4f5afcdf5464aa587037d572d1da6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 19:15:57 +0800
+Subject: iommu/vt-d: Remove domain parameter for
+ intel_pasid_setup_dirty_tracking()
+
+From: Yi Liu <yi.l.liu@intel.com>
+
+[ Upstream commit 56ecaf6c5834ace14941d7f13dceb48bc3327111 ]
+
+The only usage of input @domain is to get the domain id (DID) to flush
+cache after setting dirty tracking. However, DID can be obtained from
+the pasid entry. So no need to pass in domain. This can make this helper
+cleaner when adding the missing dirty tracking for the parent domain,
+which needs to use the DID of nested domain.
+
+Signed-off-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Link: https://lore.kernel.org/r/20240208082307.15759-7-yi.l.liu@intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Stable-dep-of: f1e1610950ea ("iommu/vt-d: Add missing dirty tracking set for parent domain")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 7 +++----
+ drivers/iommu/intel/pasid.c | 3 +--
+ drivers/iommu/intel/pasid.h | 1 -
+ 3 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 9f7954c4c26f8..88f9b4ffd5774 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -4877,8 +4877,7 @@ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain,
+ goto out_unlock;
+
+ list_for_each_entry(info, &dmar_domain->devices, link) {
+- ret = intel_pasid_setup_dirty_tracking(info->iommu,
+- info->domain, info->dev,
++ ret = intel_pasid_setup_dirty_tracking(info->iommu, info->dev,
+ IOMMU_NO_PASID, enable);
+ if (ret)
+ goto err_unwind;
+@@ -4892,8 +4891,8 @@ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain,
+
+ err_unwind:
+ list_for_each_entry(info, &dmar_domain->devices, link)
+- intel_pasid_setup_dirty_tracking(info->iommu, dmar_domain,
+- info->dev, IOMMU_NO_PASID,
++ intel_pasid_setup_dirty_tracking(info->iommu, info->dev,
++ IOMMU_NO_PASID,
+ dmar_domain->dirty_tracking);
+ spin_unlock(&dmar_domain->lock);
+ return ret;
+diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c
+index 74e8e4c17e814..9f8f389ff255c 100644
+--- a/drivers/iommu/intel/pasid.c
++++ b/drivers/iommu/intel/pasid.c
+@@ -695,7 +695,6 @@ int intel_pasid_setup_second_level(struct intel_iommu *iommu,
+ * Set up dirty tracking on a second only or nested translation type.
+ */
+ int intel_pasid_setup_dirty_tracking(struct intel_iommu *iommu,
+- struct dmar_domain *domain,
+ struct device *dev, u32 pasid,
+ bool enabled)
+ {
+@@ -712,7 +711,7 @@ int intel_pasid_setup_dirty_tracking(struct intel_iommu *iommu,
+ return -ENODEV;
+ }
+
+- did = domain_id_iommu(domain, iommu);
++ did = pasid_get_domain_id(pte);
+ pgtt = pasid_pte_get_pgtt(pte);
+ if (pgtt != PASID_ENTRY_PGTT_SL_ONLY &&
+ pgtt != PASID_ENTRY_PGTT_NESTED) {
+diff --git a/drivers/iommu/intel/pasid.h b/drivers/iommu/intel/pasid.h
+index dd37611175cc1..3568adca1fd82 100644
+--- a/drivers/iommu/intel/pasid.h
++++ b/drivers/iommu/intel/pasid.h
+@@ -107,7 +107,6 @@ int intel_pasid_setup_second_level(struct intel_iommu *iommu,
+ struct dmar_domain *domain,
+ struct device *dev, u32 pasid);
+ int intel_pasid_setup_dirty_tracking(struct intel_iommu *iommu,
+- struct dmar_domain *domain,
+ struct device *dev, u32 pasid,
+ bool enabled);
+ int intel_pasid_setup_pass_through(struct intel_iommu *iommu,
+--
+2.43.0
+
--- /dev/null
+From 859b57e27effd53ed488091a7856f7a715eeecb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 19:16:00 +0800
+Subject: iommu/vt-d: Set SSADE when attaching to a parent with dirty tracking
+
+From: Yi Liu <yi.l.liu@intel.com>
+
+[ Upstream commit 1f0198fce68340e0da2d438f4ea9fc20d2c958da ]
+
+Should set the SSADE (Second Stage Access/Dirty bit Enable) bit of the
+pasid entry when attaching a device to a nested domain if its parent
+has already enabled dirty tracking.
+
+Fixes: 111bf85c68f6 ("iommu/vt-d: Add helper to setup pasid nested translation")
+Signed-off-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Link: https://lore.kernel.org/r/20240208091414.28133-1-yi.l.liu@intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/pasid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c
+index 9f8f389ff255c..6e102cbbde845 100644
+--- a/drivers/iommu/intel/pasid.c
++++ b/drivers/iommu/intel/pasid.c
+@@ -925,6 +925,8 @@ int intel_pasid_setup_nested(struct intel_iommu *iommu, struct device *dev,
+ pasid_set_domain_id(pte, did);
+ pasid_set_address_width(pte, s2_domain->agaw);
+ pasid_set_page_snoop(pte, !!ecap_smpwc(iommu->ecap));
++ if (s2_domain->dirty_tracking)
++ pasid_set_ssade(pte);
+ pasid_set_translation_type(pte, PASID_ENTRY_PGTT_NESTED);
+ pasid_set_present(pte);
+ spin_unlock(&iommu->lock);
+--
+2.43.0
+
--- /dev/null
+From f4e3636c865c8166ae9c63998258e7179abc8de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 19:15:52 +0800
+Subject: iommu/vt-d: Track nested domains in parent
+
+From: Yi Liu <yi.l.liu@intel.com>
+
+[ Upstream commit 85ce8e1d6d73e8d54cb244d10dd4021771231746 ]
+
+Today the parent domain (s2_domain) is unaware of which DID's are
+used by and which devices are attached to nested domains (s1_domain)
+nested on it. This leads to a problem that some operations (flush
+iotlb/devtlb and enable dirty tracking) on parent domain only apply to
+DID's and devices directly tracked in the parent domain hence are
+incomplete.
+
+This tracks the nested domains in list in parent domain. With this,
+operations on parent domain can loop the nested domains and refer to
+the devices and iommu_array to ensure the operations on parent domain
+take effect on all the affected devices and iommus.
+
+Signed-off-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Link: https://lore.kernel.org/r/20240208082307.15759-2-yi.l.liu@intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Stable-dep-of: f1e1610950ea ("iommu/vt-d: Add missing dirty tracking set for parent domain")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 18 ++++++++++++++----
+ drivers/iommu/intel/iommu.h | 6 ++++++
+ drivers/iommu/intel/nested.c | 12 +++++++++++-
+ 3 files changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 0cc6e08e12c13..9f7954c4c26f8 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -4069,6 +4069,7 @@ intel_iommu_domain_alloc_user(struct device *dev, u32 flags,
+ bool dirty_tracking = flags & IOMMU_HWPT_ALLOC_DIRTY_TRACKING;
+ bool nested_parent = flags & IOMMU_HWPT_ALLOC_NEST_PARENT;
+ struct intel_iommu *iommu = info->iommu;
++ struct dmar_domain *dmar_domain;
+ struct iommu_domain *domain;
+
+ /* Must be NESTING domain */
+@@ -4094,11 +4095,16 @@ intel_iommu_domain_alloc_user(struct device *dev, u32 flags,
+ if (!domain)
+ return ERR_PTR(-ENOMEM);
+
+- if (nested_parent)
+- to_dmar_domain(domain)->nested_parent = true;
++ dmar_domain = to_dmar_domain(domain);
++
++ if (nested_parent) {
++ dmar_domain->nested_parent = true;
++ INIT_LIST_HEAD(&dmar_domain->s1_domains);
++ spin_lock_init(&dmar_domain->s1_lock);
++ }
+
+ if (dirty_tracking) {
+- if (to_dmar_domain(domain)->use_first_level) {
++ if (dmar_domain->use_first_level) {
+ iommu_domain_free(domain);
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+@@ -4110,8 +4116,12 @@ intel_iommu_domain_alloc_user(struct device *dev, u32 flags,
+
+ static void intel_iommu_domain_free(struct iommu_domain *domain)
+ {
++ struct dmar_domain *dmar_domain = to_dmar_domain(domain);
++
++ WARN_ON(dmar_domain->nested_parent &&
++ !list_empty(&dmar_domain->s1_domains));
+ if (domain != &si_domain->domain)
+- domain_exit(to_dmar_domain(domain));
++ domain_exit(dmar_domain);
+ }
+
+ int prepare_domain_attach_device(struct iommu_domain *domain,
+diff --git a/drivers/iommu/intel/iommu.h b/drivers/iommu/intel/iommu.h
+index 70ac2b989127a..efc00d2b4527a 100644
+--- a/drivers/iommu/intel/iommu.h
++++ b/drivers/iommu/intel/iommu.h
+@@ -630,6 +630,10 @@ struct dmar_domain {
+ int agaw;
+ /* maximum mapped address */
+ u64 max_addr;
++ /* Protect the s1_domains list */
++ spinlock_t s1_lock;
++ /* Track s1_domains nested on this domain */
++ struct list_head s1_domains;
+ };
+
+ /* Nested user domain */
+@@ -640,6 +644,8 @@ struct dmar_domain {
+ unsigned long s1_pgtbl;
+ /* page table attributes */
+ struct iommu_hwpt_vtd_s1 s1_cfg;
++ /* link to parent domain siblings */
++ struct list_head s2_link;
+ };
+ };
+
+diff --git a/drivers/iommu/intel/nested.c b/drivers/iommu/intel/nested.c
+index 694c1c4223f66..92e82b33ea979 100644
+--- a/drivers/iommu/intel/nested.c
++++ b/drivers/iommu/intel/nested.c
+@@ -72,7 +72,13 @@ static int intel_nested_attach_dev(struct iommu_domain *domain,
+
+ static void intel_nested_domain_free(struct iommu_domain *domain)
+ {
+- kfree(to_dmar_domain(domain));
++ struct dmar_domain *dmar_domain = to_dmar_domain(domain);
++ struct dmar_domain *s2_domain = dmar_domain->s2_domain;
++
++ spin_lock(&s2_domain->s1_lock);
++ list_del(&dmar_domain->s2_link);
++ spin_unlock(&s2_domain->s1_lock);
++ kfree(dmar_domain);
+ }
+
+ static const struct iommu_domain_ops intel_nested_domain_ops = {
+@@ -115,5 +121,9 @@ struct iommu_domain *intel_nested_domain_alloc(struct iommu_domain *parent,
+ spin_lock_init(&domain->lock);
+ xa_init(&domain->iommu_array);
+
++ spin_lock(&s2_domain->s1_lock);
++ list_add(&domain->s2_link, &s2_domain->s1_domains);
++ spin_unlock(&s2_domain->s1_lock);
++
+ return &domain->domain;
+ }
+--
+2.43.0
+
--- /dev/null
+From d6ef4289f22ae3b783e689a57297e5c25f65c8fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 19:15:55 +0800
+Subject: iommu/vt-d: Update iotlb in nested domain attach
+
+From: Yi Liu <yi.l.liu@intel.com>
+
+[ Upstream commit 29e10487d6df050afeee886b7c1da208f389cb5b ]
+
+Should call domain_update_iotlb() to update the has_iotlb_device flag
+of the domain after attaching device to nested domain. Without it, this
+flag is not set properly and would result in missing device TLB flush.
+
+Fixes: 9838f2bb6b6b ("iommu/vt-d: Set the nested domain to a device")
+Signed-off-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Link: https://lore.kernel.org/r/20240208082307.15759-5-yi.l.liu@intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 4 +---
+ drivers/iommu/intel/iommu.h | 1 +
+ drivers/iommu/intel/nested.c | 2 ++
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 897159dba47de..0cc6e08e12c13 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -540,8 +540,6 @@ static int domain_update_device_node(struct dmar_domain *domain)
+ return nid;
+ }
+
+-static void domain_update_iotlb(struct dmar_domain *domain);
+-
+ /* Return the super pagesize bitmap if supported. */
+ static unsigned long domain_super_pgsize_bitmap(struct dmar_domain *domain)
+ {
+@@ -1362,7 +1360,7 @@ domain_lookup_dev_info(struct dmar_domain *domain,
+ return NULL;
+ }
+
+-static void domain_update_iotlb(struct dmar_domain *domain)
++void domain_update_iotlb(struct dmar_domain *domain)
+ {
+ struct dev_pasid_info *dev_pasid;
+ struct device_domain_info *info;
+diff --git a/drivers/iommu/intel/iommu.h b/drivers/iommu/intel/iommu.h
+index ce030c5b5772a..70ac2b989127a 100644
+--- a/drivers/iommu/intel/iommu.h
++++ b/drivers/iommu/intel/iommu.h
+@@ -888,6 +888,7 @@ int qi_submit_sync(struct intel_iommu *iommu, struct qi_desc *desc,
+ */
+ #define QI_OPT_WAIT_DRAIN BIT(0)
+
++void domain_update_iotlb(struct dmar_domain *domain);
+ int domain_attach_iommu(struct dmar_domain *domain, struct intel_iommu *iommu);
+ void domain_detach_iommu(struct dmar_domain *domain, struct intel_iommu *iommu);
+ void device_block_translation(struct device *dev);
+diff --git a/drivers/iommu/intel/nested.c b/drivers/iommu/intel/nested.c
+index b5a5563ab32c6..694c1c4223f66 100644
+--- a/drivers/iommu/intel/nested.c
++++ b/drivers/iommu/intel/nested.c
+@@ -65,6 +65,8 @@ static int intel_nested_attach_dev(struct iommu_domain *domain,
+ list_add(&info->link, &dmar_domain->devices);
+ spin_unlock_irqrestore(&dmar_domain->lock, flags);
+
++ domain_update_iotlb(dmar_domain);
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3c57be5954d2f7fee62a5b65ef4aaeac01e0d9b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 19:15:58 +0800
+Subject: iommu/vt-d: Wrap the dirty tracking loop to be a helper
+
+From: Yi Liu <yi.l.liu@intel.com>
+
+[ Upstream commit 0c7f2497b39da44253d7bcf2b41f52b0048859ad ]
+
+Add device_set_dirty_tracking() to loop all the devices and set the dirty
+tracking per the @enable parameter.
+
+Signed-off-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Link: https://lore.kernel.org/r/20240208082307.15759-8-yi.l.liu@intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Stable-dep-of: f1e1610950ea ("iommu/vt-d: Add missing dirty tracking set for parent domain")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 88f9b4ffd5774..e3b3ab506b185 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -4865,23 +4865,38 @@ static void *intel_iommu_hw_info(struct device *dev, u32 *length, u32 *type)
+ return vtd;
+ }
+
++/*
++ * Set dirty tracking for the device list of a domain. The caller must
++ * hold the domain->lock when calling it.
++ */
++static int device_set_dirty_tracking(struct list_head *devices, bool enable)
++{
++ struct device_domain_info *info;
++ int ret = 0;
++
++ list_for_each_entry(info, devices, link) {
++ ret = intel_pasid_setup_dirty_tracking(info->iommu, info->dev,
++ IOMMU_NO_PASID, enable);
++ if (ret)
++ break;
++ }
++
++ return ret;
++}
++
+ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain,
+ bool enable)
+ {
+ struct dmar_domain *dmar_domain = to_dmar_domain(domain);
+- struct device_domain_info *info;
+ int ret;
+
+ spin_lock(&dmar_domain->lock);
+ if (dmar_domain->dirty_tracking == enable)
+ goto out_unlock;
+
+- list_for_each_entry(info, &dmar_domain->devices, link) {
+- ret = intel_pasid_setup_dirty_tracking(info->iommu, info->dev,
+- IOMMU_NO_PASID, enable);
+- if (ret)
+- goto err_unwind;
+- }
++ ret = device_set_dirty_tracking(&dmar_domain->devices, enable);
++ if (ret)
++ goto err_unwind;
+
+ dmar_domain->dirty_tracking = enable;
+ out_unlock:
+@@ -4890,10 +4905,8 @@ static int intel_iommu_set_dirty_tracking(struct iommu_domain *domain,
+ return 0;
+
+ err_unwind:
+- list_for_each_entry(info, &dmar_domain->devices, link)
+- intel_pasid_setup_dirty_tracking(info->iommu, info->dev,
+- IOMMU_NO_PASID,
+- dmar_domain->dirty_tracking);
++ device_set_dirty_tracking(&dmar_domain->devices,
++ dmar_domain->dirty_tracking);
+ spin_unlock(&dmar_domain->lock);
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 32290f152fd36f9c87d2647eed124c30a29979b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 13:34:07 +0000
+Subject: iommufd/iova_bitmap: Bounds check mapped::pages access
+
+From: Joao Martins <joao.m.martins@oracle.com>
+
+[ Upstream commit a4ab7dedaee0e39b15653c5fd0367e420739f7ef ]
+
+Dirty IOMMU hugepages reported on a base page page-size granularity can
+lead to an attempt to set dirty pages in the bitmap beyond the limits that
+are pinned.
+
+Bounds check the page index of the array we are trying to access is within
+the limits before we kmap() and return otherwise.
+
+While it is also a defensive check, this is also in preparation to defer
+setting bits (outside the mapped range) to the next iteration(s) when the
+pages become available.
+
+Fixes: b058ea3ab5af ("vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries")
+Link: https://lore.kernel.org/r/20240202133415.23819-2-joao.m.martins@oracle.com
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Tested-by: Avihai Horon <avihaih@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/iova_bitmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c
+index 0a92c9eeaf7f5..a3606b4c22292 100644
+--- a/drivers/iommu/iommufd/iova_bitmap.c
++++ b/drivers/iommu/iommufd/iova_bitmap.c
+@@ -409,6 +409,7 @@ void iova_bitmap_set(struct iova_bitmap *bitmap,
+ mapped->pgshift) + mapped->pgoff * BITS_PER_BYTE;
+ unsigned long last_bit = (((iova + length - 1) - mapped->iova) >>
+ mapped->pgshift) + mapped->pgoff * BITS_PER_BYTE;
++ unsigned long last_page_idx = mapped->npages - 1;
+
+ do {
+ unsigned int page_idx = cur_bit / BITS_PER_PAGE;
+@@ -417,6 +418,9 @@ void iova_bitmap_set(struct iova_bitmap *bitmap,
+ last_bit - cur_bit + 1);
+ void *kaddr;
+
++ if (unlikely(page_idx > last_page_idx))
++ break;
++
+ kaddr = kmap_local_page(mapped->pages[page_idx]);
+ bitmap_set(kaddr, offset, nbits);
+ kunmap_local(kaddr);
+--
+2.43.0
+
--- /dev/null
+From cd2de5cd34d4659e3f492efd5644bcb8edfede3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 13:34:15 +0000
+Subject: iommufd/iova_bitmap: Consider page offset for the pages to be pinned
+
+From: Joao Martins <joao.m.martins@oracle.com>
+
+[ Upstream commit 4bbcbc6ea2fa379632a24c14cfb47aa603816ac6 ]
+
+For small bitmaps that aren't PAGE_SIZE aligned *and* that are less than
+512 pages in bitmap length, use an extra page to be able to cover the
+entire range e.g. [1M..3G] which would be iterated more efficiently in a
+single iteration, rather than two.
+
+Fixes: b058ea3ab5af ("vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries")
+Link: https://lore.kernel.org/r/20240202133415.23819-10-joao.m.martins@oracle.com
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Tested-by: Avihai Horon <avihaih@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/iova_bitmap.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c
+index b370e8ee88665..db8c46bee1559 100644
+--- a/drivers/iommu/iommufd/iova_bitmap.c
++++ b/drivers/iommu/iommufd/iova_bitmap.c
+@@ -178,18 +178,19 @@ static int iova_bitmap_get(struct iova_bitmap *bitmap)
+ bitmap->mapped_base_index) *
+ sizeof(*bitmap->bitmap), PAGE_SIZE);
+
+- /*
+- * We always cap at max number of 'struct page' a base page can fit.
+- * This is, for example, on x86 means 2M of bitmap data max.
+- */
+- npages = min(npages, PAGE_SIZE / sizeof(struct page *));
+-
+ /*
+ * Bitmap address to be pinned is calculated via pointer arithmetic
+ * with bitmap u64 word index.
+ */
+ addr = bitmap->bitmap + bitmap->mapped_base_index;
+
++ /*
++ * We always cap at max number of 'struct page' a base page can fit.
++ * This is, for example, on x86 means 2M of bitmap data max.
++ */
++ npages = min(npages + !!offset_in_page(addr),
++ PAGE_SIZE / sizeof(struct page *));
++
+ ret = pin_user_pages_fast((unsigned long)addr, npages,
+ FOLL_WRITE, mapped->pages);
+ if (ret <= 0)
+--
+2.43.0
+
--- /dev/null
+From 84c2437c5f8d2a1e1688d757650c70077140699e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 13:34:10 +0000
+Subject: iommufd/iova_bitmap: Handle recording beyond the mapped pages
+
+From: Joao Martins <joao.m.martins@oracle.com>
+
+[ Upstream commit 2780025e01e2e1c92f83ee7da91d9727c2e58a3e ]
+
+IOVA bitmap is a zero-copy scheme of recording dirty bits that iterate the
+different bitmap user pages at chunks of a maximum of
+PAGE_SIZE/sizeof(struct page*) pages.
+
+When the iterations are split up into 64G, the end of the range may be
+broken up in a way that's aligned with a non base page PTE size. This
+leads to only part of the huge page being recorded in the bitmap. Note
+that in pratice this is only a problem for IOMMU dirty tracking i.e. when
+the backing PTEs are in IOMMU hugepages and the bitmap is in base page
+granularity. So far this not something that affects VF dirty trackers
+(which reports and records at the same granularity).
+
+To fix that, if there is a remainder of bits left to set in which the
+current IOVA bitmap doesn't cover, make a copy of the bitmap structure and
+iterate-and-set the rest of the bits remaining. Finally, when advancing
+the iterator, skip all the bits that were set ahead.
+
+Link: https://lore.kernel.org/r/20240202133415.23819-5-joao.m.martins@oracle.com
+Reported-by: Avihai Horon <avihaih@nvidia.com>
+Fixes: f35f22cc760e ("iommu/vt-d: Access/Dirty bit support for SS domains")
+Fixes: 421a511a293f ("iommu/amd: Access/Dirty bit support in IOPTEs")
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Tested-by: Avihai Horon <avihaih@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/iova_bitmap.c | 43 +++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c
+index 9d42ab51a6bb3..b370e8ee88665 100644
+--- a/drivers/iommu/iommufd/iova_bitmap.c
++++ b/drivers/iommu/iommufd/iova_bitmap.c
+@@ -113,6 +113,9 @@ struct iova_bitmap {
+
+ /* length of the IOVA range for the whole bitmap */
+ size_t length;
++
++ /* length of the IOVA range set ahead the pinned pages */
++ unsigned long set_ahead_length;
+ };
+
+ /*
+@@ -341,6 +344,32 @@ static bool iova_bitmap_done(struct iova_bitmap *bitmap)
+ return bitmap->mapped_base_index >= bitmap->mapped_total_index;
+ }
+
++static int iova_bitmap_set_ahead(struct iova_bitmap *bitmap,
++ size_t set_ahead_length)
++{
++ int ret = 0;
++
++ while (set_ahead_length > 0 && !iova_bitmap_done(bitmap)) {
++ unsigned long length = iova_bitmap_mapped_length(bitmap);
++ unsigned long iova = iova_bitmap_mapped_iova(bitmap);
++
++ ret = iova_bitmap_get(bitmap);
++ if (ret)
++ break;
++
++ length = min(length, set_ahead_length);
++ iova_bitmap_set(bitmap, iova, length);
++
++ set_ahead_length -= length;
++ bitmap->mapped_base_index +=
++ iova_bitmap_offset_to_index(bitmap, length - 1) + 1;
++ iova_bitmap_put(bitmap);
++ }
++
++ bitmap->set_ahead_length = 0;
++ return ret;
++}
++
+ /*
+ * Advances to the next range, releases the current pinned
+ * pages and pins the next set of bitmap pages.
+@@ -357,6 +386,15 @@ static int iova_bitmap_advance(struct iova_bitmap *bitmap)
+ if (iova_bitmap_done(bitmap))
+ return 0;
+
++ /* Iterate, set and skip any bits requested for next iteration */
++ if (bitmap->set_ahead_length) {
++ int ret;
++
++ ret = iova_bitmap_set_ahead(bitmap, bitmap->set_ahead_length);
++ if (ret)
++ return ret;
++ }
++
+ /* When advancing the index we pin the next set of bitmap pages */
+ return iova_bitmap_get(bitmap);
+ }
+@@ -426,5 +464,10 @@ void iova_bitmap_set(struct iova_bitmap *bitmap,
+ kunmap_local(kaddr);
+ cur_bit += nbits;
+ } while (cur_bit <= last_bit);
++
++ if (unlikely(cur_bit <= last_bit)) {
++ bitmap->set_ahead_length =
++ ((last_bit - cur_bit + 1) << bitmap->mapped.pgshift);
++ }
+ }
+ EXPORT_SYMBOL_NS_GPL(iova_bitmap_set, IOMMUFD);
+--
+2.43.0
+
--- /dev/null
+From 6238cb20d4be81e33b7a303dedff706056c2a033 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 13:34:08 +0000
+Subject: iommufd/iova_bitmap: Switch iova_bitmap::bitmap to an u8 array
+
+From: Joao Martins <joao.m.martins@oracle.com>
+
+[ Upstream commit d18411ec305728c6371806c4fb09be07016aad0b ]
+
+iova_bitmap_mapped_length() don't deal correctly with the small bitmaps
+(< 2M bitmaps) when the starting address isn't u64 aligned, leading to
+skipping a tiny part of the IOVA range. This is materialized as not
+marking data dirty that should otherwise have been.
+
+Fix that by using a u8 * in the internal state of IOVA bitmap. Most of the
+data structures use the type of the bitmap to adjust its indexes, thus
+changing the type of the bitmap decreases the granularity of the bitmap
+indexes.
+
+Fixes: b058ea3ab5af ("vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries")
+Link: https://lore.kernel.org/r/20240202133415.23819-3-joao.m.martins@oracle.com
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Tested-by: Avihai Horon <avihaih@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/iova_bitmap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c
+index a3606b4c22292..9d42ab51a6bb3 100644
+--- a/drivers/iommu/iommufd/iova_bitmap.c
++++ b/drivers/iommu/iommufd/iova_bitmap.c
+@@ -100,7 +100,7 @@ struct iova_bitmap {
+ struct iova_bitmap_map mapped;
+
+ /* userspace address of the bitmap */
+- u64 __user *bitmap;
++ u8 __user *bitmap;
+
+ /* u64 index that @mapped points to */
+ unsigned long mapped_base_index;
+@@ -162,7 +162,7 @@ static int iova_bitmap_get(struct iova_bitmap *bitmap)
+ {
+ struct iova_bitmap_map *mapped = &bitmap->mapped;
+ unsigned long npages;
+- u64 __user *addr;
++ u8 __user *addr;
+ long ret;
+
+ /*
+@@ -247,7 +247,7 @@ struct iova_bitmap *iova_bitmap_alloc(unsigned long iova, size_t length,
+
+ mapped = &bitmap->mapped;
+ mapped->pgshift = __ffs(page_size);
+- bitmap->bitmap = data;
++ bitmap->bitmap = (u8 __user *)data;
+ bitmap->mapped_total_index =
+ iova_bitmap_offset_to_index(bitmap, length - 1) + 1;
+ bitmap->iova = iova;
+@@ -304,7 +304,7 @@ static unsigned long iova_bitmap_mapped_remaining(struct iova_bitmap *bitmap)
+
+ remaining = bitmap->mapped_total_index - bitmap->mapped_base_index;
+ remaining = min_t(unsigned long, remaining,
+- bytes / sizeof(*bitmap->bitmap));
++ DIV_ROUND_UP(bytes, sizeof(*bitmap->bitmap)));
+
+ return remaining;
+ }
+--
+2.43.0
+
--- /dev/null
+From cbab42865ce5eb39aec175e4f101968c31a3c43d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 14:43:54 -0400
+Subject: iommufd: Reject non-zero data_type if no data_len is provided
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 7adc0c1cfa7732b81bf7bf2ed16ffb99719ceebf ]
+
+Since the current design doesn't forward the data_type to the driver to
+check unless there is a data_len/uptr for a driver specific struct we
+should check and ensure that data_type is 0 if data_len is 0. Otherwise
+any value is permitted.
+
+Fixes: bd529dbb661d ("iommufd: Add a nested HW pagetable object")
+Link: https://lore.kernel.org/r/0-v1-9b1ea6869554+110c60-iommufd_ck_data_type_jgg@nvidia.com
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/hw_pagetable.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommufd/hw_pagetable.c b/drivers/iommu/iommufd/hw_pagetable.c
+index cbb5df0a6c32f..6f680959b23ed 100644
+--- a/drivers/iommu/iommufd/hw_pagetable.c
++++ b/drivers/iommu/iommufd/hw_pagetable.c
+@@ -261,7 +261,8 @@ int iommufd_hwpt_alloc(struct iommufd_ucmd *ucmd)
+
+ if (cmd->__reserved)
+ return -EOPNOTSUPP;
+- if (cmd->data_type == IOMMU_HWPT_DATA_NONE && cmd->data_len)
++ if ((cmd->data_type == IOMMU_HWPT_DATA_NONE && cmd->data_len) ||
++ (cmd->data_type != IOMMU_HWPT_DATA_NONE && !cmd->data_len))
+ return -EINVAL;
+
+ idev = iommufd_get_device(ucmd, cmd->dev_id);
+--
+2.43.0
+
--- /dev/null
+From d939c5abb26d39765b6746780f0d5b4657a1212f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 17:21:06 +0000
+Subject: ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 081a0e3b0d4c061419d3f4679dec9f68725b17e4 ]
+
+net->dev_base_seq and ipv4.dev_addr_genid are monotonically increasing.
+
+If we XOR their values, we could miss to detect if both values
+were changed with the same amount.
+
+Fixes: 0465277f6b3f ("ipv4: provide addr and netconf dump consistency info")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index ca0ff15dc8fa3..bc74f131fe4df 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1825,6 +1825,21 @@ static int in_dev_dump_addr(struct in_device *in_dev, struct sk_buff *skb,
+ return err;
+ }
+
++/* Combine dev_addr_genid and dev_base_seq to detect changes.
++ */
++static u32 inet_base_seq(const struct net *net)
++{
++ u32 res = atomic_read(&net->ipv4.dev_addr_genid) +
++ net->dev_base_seq;
++
++ /* Must not return 0 (see nl_dump_check_consistent()).
++ * Chose a value far away from 0.
++ */
++ if (!res)
++ res = 0x80000000;
++ return res;
++}
++
+ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ const struct nlmsghdr *nlh = cb->nlh;
+@@ -1876,8 +1891,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
+ idx = 0;
+ head = &tgt_net->dev_index_head[h];
+ rcu_read_lock();
+- cb->seq = atomic_read(&tgt_net->ipv4.dev_addr_genid) ^
+- tgt_net->dev_base_seq;
++ cb->seq = inet_base_seq(tgt_net);
+ hlist_for_each_entry_rcu(dev, head, index_hlist) {
+ if (idx < s_idx)
+ goto cont;
+@@ -2278,8 +2292,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb,
+ idx = 0;
+ head = &net->dev_index_head[h];
+ rcu_read_lock();
+- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
+- net->dev_base_seq;
++ cb->seq = inet_base_seq(net);
+ hlist_for_each_entry_rcu(dev, head, index_hlist) {
+ if (idx < s_idx)
+ goto cont;
+--
+2.43.0
+
--- /dev/null
+From df22ef95c5b0bb57c47b7194b51dca212219315f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 17:21:07 +0000
+Subject: ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e898e4cd1aab271ca414f9ac6e08e4c761f6913c ]
+
+net->dev_base_seq and ipv6.dev_addr_genid are monotonically increasing.
+
+If we XOR their values, we could miss to detect if both values
+were changed with the same amount.
+
+Fixes: 63998ac24f83 ("ipv6: provide addr and netconf dump consistency info")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 733ace18806c6..5a839c5fb1a5a 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -708,6 +708,22 @@ static int inet6_netconf_get_devconf(struct sk_buff *in_skb,
+ return err;
+ }
+
++/* Combine dev_addr_genid and dev_base_seq to detect changes.
++ */
++static u32 inet6_base_seq(const struct net *net)
++{
++ u32 res = atomic_read(&net->ipv6.dev_addr_genid) +
++ net->dev_base_seq;
++
++ /* Must not return 0 (see nl_dump_check_consistent()).
++ * Chose a value far away from 0.
++ */
++ if (!res)
++ res = 0x80000000;
++ return res;
++}
++
++
+ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
+ struct netlink_callback *cb)
+ {
+@@ -741,8 +757,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
+ idx = 0;
+ head = &net->dev_index_head[h];
+ rcu_read_lock();
+- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^
+- net->dev_base_seq;
++ cb->seq = inet6_base_seq(net);
+ hlist_for_each_entry_rcu(dev, head, index_hlist) {
+ if (idx < s_idx)
+ goto cont;
+@@ -5362,7 +5377,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
+ }
+
+ rcu_read_lock();
+- cb->seq = atomic_read(&tgt_net->ipv6.dev_addr_genid) ^ tgt_net->dev_base_seq;
++ cb->seq = inet6_base_seq(tgt_net);
+ for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
+ idx = 0;
+ head = &tgt_net->dev_index_head[h];
+--
+2.43.0
+
--- /dev/null
+From 9f3751bd53ad14e3fc1fd6329957ff376d0e9c0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 23:27:17 +0300
+Subject: ipv6: sr: fix possible use-after-free and null-ptr-deref
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+[ Upstream commit 5559cea2d5aa3018a5f00dd2aca3427ba09b386b ]
+
+The pernet operations structure for the subsystem must be registered
+before registering the generic netlink family.
+
+Fixes: 915d7e5e5930 ("ipv6: sr: add code base for control plane support of SR-IPv6")
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://lore.kernel.org/r/20240215202717.29815-1-kovalev@altlinux.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index 29346a6eec9ff..35508abd76f43 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -512,22 +512,24 @@ int __init seg6_init(void)
+ {
+ int err;
+
+- err = genl_register_family(&seg6_genl_family);
++ err = register_pernet_subsys(&ip6_segments_ops);
+ if (err)
+ goto out;
+
+- err = register_pernet_subsys(&ip6_segments_ops);
++ err = genl_register_family(&seg6_genl_family);
+ if (err)
+- goto out_unregister_genl;
++ goto out_unregister_pernet;
+
+ #ifdef CONFIG_IPV6_SEG6_LWTUNNEL
+ err = seg6_iptunnel_init();
+ if (err)
+- goto out_unregister_pernet;
++ goto out_unregister_genl;
+
+ err = seg6_local_init();
+- if (err)
+- goto out_unregister_pernet;
++ if (err) {
++ seg6_iptunnel_exit();
++ goto out_unregister_genl;
++ }
+ #endif
+
+ #ifdef CONFIG_IPV6_SEG6_HMAC
+@@ -548,11 +550,11 @@ int __init seg6_init(void)
+ #endif
+ #endif
+ #ifdef CONFIG_IPV6_SEG6_LWTUNNEL
+-out_unregister_pernet:
+- unregister_pernet_subsys(&ip6_segments_ops);
+-#endif
+ out_unregister_genl:
+ genl_unregister_family(&seg6_genl_family);
++#endif
++out_unregister_pernet:
++ unregister_pernet_subsys(&ip6_segments_ops);
+ goto out;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 156173fd9b390e49d44252b872e5adf1e974d2fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Feb 2024 11:15:26 +0530
+Subject: KVM: PPC: Book3S HV: Fix L2 guest reboot failure due to empty
+ 'arch_compat'
+
+From: Amit Machhiwal <amachhiw@linux.ibm.com>
+
+[ Upstream commit 20c8c4dafe93e82441583e93bd68c0d256d7bed4 ]
+
+Currently, rebooting a pseries nested qemu-kvm guest (L2) results in
+below error as L1 qemu sends PVR value 'arch_compat' == 0 via
+ppc_set_compat ioctl. This triggers a condition failure in
+kvmppc_set_arch_compat() resulting in an EINVAL.
+
+qemu-system-ppc64: Unable to set CPU compatibility mode in KVM: Invalid
+argument
+
+Also, a value of 0 for arch_compat generally refers the default
+compatibility of the host. But, arch_compat, being a Guest Wide Element
+in nested API v2, cannot be set to 0 in GSB as PowerVM (L0) expects a
+non-zero value. A value of 0 triggers a kernel trap during a reboot and
+consequently causes it to fail:
+
+[ 22.106360] reboot: Restarting system
+KVM: unknown exit, hardware reason ffffffffffffffea
+NIP 0000000000000100 LR 000000000000fe44 CTR 0000000000000000 XER 0000000020040092 CPU#0
+MSR 0000000000001000 HID0 0000000000000000 HF 6c000000 iidx 3 didx 3
+TB 00000000 00000000 DECR 0
+GPR00 0000000000000000 0000000000000000 c000000002a8c300 000000007fe00000
+GPR04 0000000000000000 0000000000000000 0000000000001002 8000000002803033
+GPR08 000000000a000000 0000000000000000 0000000000000004 000000002fff0000
+GPR12 0000000000000000 c000000002e10000 0000000105639200 0000000000000004
+GPR16 0000000000000000 000000010563a090 0000000000000000 0000000000000000
+GPR20 0000000105639e20 00000001056399c8 00007fffe54abab0 0000000105639288
+GPR24 0000000000000000 0000000000000001 0000000000000001 0000000000000000
+GPR28 0000000000000000 0000000000000000 c000000002b30840 0000000000000000
+CR 00000000 [ - - - - - - - - ] RES 000@ffffffffffffffff
+ SRR0 0000000000000000 SRR1 0000000000000000 PVR 0000000000800200 VRSAVE 0000000000000000
+SPRG0 0000000000000000 SPRG1 0000000000000000 SPRG2 0000000000000000 SPRG3 0000000000000000
+SPRG4 0000000000000000 SPRG5 0000000000000000 SPRG6 0000000000000000 SPRG7 0000000000000000
+HSRR0 0000000000000000 HSRR1 0000000000000000
+ CFAR 0000000000000000
+ LPCR 0000000000020400
+ PTCR 0000000000000000 DAR 0000000000000000 DSISR 0000000000000000
+
+ kernel:trap=0xffffffea | pc=0x100 | msr=0x1000
+
+This patch updates kvmppc_set_arch_compat() to use the host PVR value if
+'compat_pvr' == 0 indicating that qemu doesn't want to enforce any
+specific PVR compat mode.
+
+The relevant part of the code might need a rework if PowerVM implements
+a support for `arch_compat == 0` in nestedv2 API.
+
+Fixes: 19d31c5f1157 ("KVM: PPC: Add support for nestedv2 guests")
+Reviewed-by: "Aneesh Kumar K.V (IBM)" <aneesh.kumar@kernel.org>
+Reviewed-by: Vaibhav Jain <vaibhav@linux.ibm.com>
+Signed-off-by: Amit Machhiwal <amachhiw@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240207054526.3720087-1-amachhiw@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 26 ++++++++++++++++++++++++--
+ arch/powerpc/kvm/book3s_hv_nestedv2.c | 20 ++++++++++++++++++--
+ 2 files changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 002a7573a5d44..b5c6af0bef81e 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -391,6 +391,24 @@ static void kvmppc_set_pvr_hv(struct kvm_vcpu *vcpu, u32 pvr)
+ /* Dummy value used in computing PCR value below */
+ #define PCR_ARCH_31 (PCR_ARCH_300 << 1)
+
++static inline unsigned long map_pcr_to_cap(unsigned long pcr)
++{
++ unsigned long cap = 0;
++
++ switch (pcr) {
++ case PCR_ARCH_300:
++ cap = H_GUEST_CAP_POWER9;
++ break;
++ case PCR_ARCH_31:
++ cap = H_GUEST_CAP_POWER10;
++ break;
++ default:
++ break;
++ }
++
++ return cap;
++}
++
+ static int kvmppc_set_arch_compat(struct kvm_vcpu *vcpu, u32 arch_compat)
+ {
+ unsigned long host_pcr_bit = 0, guest_pcr_bit = 0, cap = 0;
+@@ -424,11 +442,9 @@ static int kvmppc_set_arch_compat(struct kvm_vcpu *vcpu, u32 arch_compat)
+ break;
+ case PVR_ARCH_300:
+ guest_pcr_bit = PCR_ARCH_300;
+- cap = H_GUEST_CAP_POWER9;
+ break;
+ case PVR_ARCH_31:
+ guest_pcr_bit = PCR_ARCH_31;
+- cap = H_GUEST_CAP_POWER10;
+ break;
+ default:
+ return -EINVAL;
+@@ -440,6 +456,12 @@ static int kvmppc_set_arch_compat(struct kvm_vcpu *vcpu, u32 arch_compat)
+ return -EINVAL;
+
+ if (kvmhv_on_pseries() && kvmhv_is_nestedv2()) {
++ /*
++ * 'arch_compat == 0' would mean the guest should default to
++ * L1's compatibility. In this case, the guest would pick
++ * host's PCR and evaluate the corresponding capabilities.
++ */
++ cap = map_pcr_to_cap(guest_pcr_bit);
+ if (!(cap & nested_capabilities))
+ return -EINVAL;
+ }
+diff --git a/arch/powerpc/kvm/book3s_hv_nestedv2.c b/arch/powerpc/kvm/book3s_hv_nestedv2.c
+index fd3c4f2d94805..f354af7e85114 100644
+--- a/arch/powerpc/kvm/book3s_hv_nestedv2.c
++++ b/arch/powerpc/kvm/book3s_hv_nestedv2.c
+@@ -138,6 +138,7 @@ static int gs_msg_ops_vcpu_fill_info(struct kvmppc_gs_buff *gsb,
+ vector128 v;
+ int rc, i;
+ u16 iden;
++ u32 arch_compat = 0;
+
+ vcpu = gsm->data;
+
+@@ -347,8 +348,23 @@ static int gs_msg_ops_vcpu_fill_info(struct kvmppc_gs_buff *gsb,
+ break;
+ }
+ case KVMPPC_GSID_LOGICAL_PVR:
+- rc = kvmppc_gse_put_u32(gsb, iden,
+- vcpu->arch.vcore->arch_compat);
++ /*
++ * Though 'arch_compat == 0' would mean the default
++ * compatibility, arch_compat, being a Guest Wide
++ * Element, cannot be filled with a value of 0 in GSB
++ * as this would result into a kernel trap.
++ * Hence, when `arch_compat == 0`, arch_compat should
++ * default to L1's PVR.
++ */
++ if (!vcpu->arch.vcore->arch_compat) {
++ if (cpu_has_feature(CPU_FTR_ARCH_31))
++ arch_compat = PVR_ARCH_31;
++ else if (cpu_has_feature(CPU_FTR_ARCH_300))
++ arch_compat = PVR_ARCH_300;
++ } else {
++ arch_compat = vcpu->arch.vcore->arch_compat;
++ }
++ rc = kvmppc_gse_put_u32(gsb, iden, arch_compat);
+ break;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 368a6e18a50beac828dfe286a58ed0cea043226c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 10:27:31 -0800
+Subject: net: bcmasp: Indicate MAC is in charge of PHY PM
+
+From: Florian Fainelli <florian.fainelli@broadcom.com>
+
+[ Upstream commit 5b76d928f8b779a1b19c5842e7cabee4cbb610c3 ]
+
+Avoid the PHY library call unnecessarily into the suspend/resume
+functions by setting phydev->mac_managed_pm to true. The ASP driver
+essentially does exactly what mdio_bus_phy_resume() does.
+
+Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+index 53e5428812552..9cae5a3090000 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+@@ -1048,6 +1048,9 @@ static int bcmasp_netif_init(struct net_device *dev, bool phy_connect)
+ netdev_err(dev, "could not attach to PHY\n");
+ goto err_phy_disable;
+ }
++
++ /* Indicate that the MAC is responsible for PHY PM */
++ phydev->mac_managed_pm = true;
+ } else if (!intf->wolopts) {
+ ret = phy_resume(dev->phydev);
+ if (ret)
+--
+2.43.0
+
--- /dev/null
+From a4a6207b7a2f076e13624a0807200ff245351933 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 10:27:32 -0800
+Subject: net: bcmasp: Sanity check is off by one
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit f120e62e37f0af4c4cbe08e5a88ea60a6a17c858 ]
+
+A sanity check for OOB write is off by one leading to a false positive
+when the array is full.
+
+Fixes: 9b90aca97f6d ("net: ethernet: bcmasp: fix possible OOB write in bcmasp_netfilt_get_all_active()")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
+index 29b04a274d077..80245c65cc904 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
+@@ -535,9 +535,6 @@ int bcmasp_netfilt_get_all_active(struct bcmasp_intf *intf, u32 *rule_locs,
+ int j = 0, i;
+
+ for (i = 0; i < NUM_NET_FILTERS; i++) {
+- if (j == *rule_cnt)
+- return -EMSGSIZE;
+-
+ if (!priv->net_filters[i].claimed ||
+ priv->net_filters[i].port != intf->port)
+ continue;
+@@ -547,6 +544,9 @@ int bcmasp_netfilt_get_all_active(struct bcmasp_intf *intf, u32 *rule_locs,
+ priv->net_filters[i - 1].wake_filter)
+ continue;
+
++ if (j == *rule_cnt)
++ return -EMSGSIZE;
++
+ rule_locs[j++] = priv->net_filters[i].fs.location;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 661883e4857cea4139c70ad7331c5296bfa5ab38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Feb 2024 22:40:04 +0100
+Subject: net: bridge: switchdev: Ensure deferred event delivery on unoffload
+
+From: Tobias Waldekranz <tobias@waldekranz.com>
+
+[ Upstream commit f7a70d650b0b6b0134ccba763d672c8439d9f09b ]
+
+When unoffloading a device, it is important to ensure that all
+relevant deferred events are delivered to it before it disassociates
+itself from the bridge.
+
+Before this change, this was true for the normal case when a device
+maps 1:1 to a net_bridge_port, i.e.
+
+ br0
+ /
+swp0
+
+When swp0 leaves br0, the call to switchdev_deferred_process() in
+del_nbp() makes sure to process any outstanding events while the
+device is still associated with the bridge.
+
+In the case when the association is indirect though, i.e. when the
+device is attached to the bridge via an intermediate device, like a
+LAG...
+
+ br0
+ /
+ lag0
+ /
+swp0
+
+...then detaching swp0 from lag0 does not cause any net_bridge_port to
+be deleted, so there was no guarantee that all events had been
+processed before the device disassociated itself from the bridge.
+
+Fix this by always synchronously processing all deferred events before
+signaling completion of unoffloading back to the driver.
+
+Fixes: 4e51bf44a03a ("net: bridge: move the switchdev object replay helpers to "push" mode")
+Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_switchdev.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c
+index 6a7cb01f121c7..7b41ee8740cbb 100644
+--- a/net/bridge/br_switchdev.c
++++ b/net/bridge/br_switchdev.c
+@@ -804,6 +804,16 @@ static void nbp_switchdev_unsync_objs(struct net_bridge_port *p,
+ br_switchdev_mdb_replay(br_dev, dev, ctx, false, blocking_nb, NULL);
+
+ br_switchdev_vlan_replay(br_dev, ctx, false, blocking_nb, NULL);
++
++ /* Make sure that the device leaving this bridge has seen all
++ * relevant events before it is disassociated. In the normal
++ * case, when the device is directly attached to the bridge,
++ * this is covered by del_nbp(). If the association was indirect
++ * however, e.g. via a team or bond, and the device is leaving
++ * that intermediate device, then the bridge port remains in
++ * place.
++ */
++ switchdev_deferred_process();
+ }
+
+ /* Let the bridge know that this port is offloaded, so that it can assign a
+--
+2.43.0
+
--- /dev/null
+From a2d0d574ebf76c216ecfedf095598f59b956ea78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Feb 2024 22:40:03 +0100
+Subject: net: bridge: switchdev: Skip MDB replays of deferred events on
+ offload
+
+From: Tobias Waldekranz <tobias@waldekranz.com>
+
+[ Upstream commit dc489f86257cab5056e747344f17a164f63bff4b ]
+
+Before this change, generation of the list of MDB events to replay
+would race against the creation of new group memberships, either from
+the IGMP/MLD snooping logic or from user configuration.
+
+While new memberships are immediately visible to walkers of
+br->mdb_list, the notification of their existence to switchdev event
+subscribers is deferred until a later point in time. So if a replay
+list was generated during a time that overlapped with such a window,
+it would also contain a replay of the not-yet-delivered event.
+
+The driver would thus receive two copies of what the bridge internally
+considered to be one single event. On destruction of the bridge, only
+a single membership deletion event was therefore sent. As a
+consequence of this, drivers which reference count memberships (at
+least DSA), would be left with orphan groups in their hardware
+database when the bridge was destroyed.
+
+This is only an issue when replaying additions. While deletion events
+may still be pending on the deferred queue, they will already have
+been removed from br->mdb_list, so no duplicates can be generated in
+that scenario.
+
+To a user this meant that old group memberships, from a bridge in
+which a port was previously attached, could be reanimated (in
+hardware) when the port joined a new bridge, without the new bridge's
+knowledge.
+
+For example, on an mv88e6xxx system, create a snooping bridge and
+immediately add a port to it:
+
+ root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \
+ > ip link set dev x3 up master br0
+
+And then destroy the bridge:
+
+ root@infix-06-0b-00:~$ ip link del dev br0
+ root@infix-06-0b-00:~$ mvls atu
+ ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a
+ DEV:0 Marvell 88E6393X
+ 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .
+ 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .
+ ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a
+ root@infix-06-0b-00:~$
+
+The two IPv6 groups remain in the hardware database because the
+port (x3) is notified of the host's membership twice: once via the
+original event and once via a replay. Since only a single delete
+notification is sent, the count remains at 1 when the bridge is
+destroyed.
+
+Then add the same port (or another port belonging to the same hardware
+domain) to a new bridge, this time with snooping disabled:
+
+ root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \
+ > ip link set dev x3 up master br1
+
+All multicast, including the two IPv6 groups from br0, should now be
+flooded, according to the policy of br1. But instead the old
+memberships are still active in the hardware database, causing the
+switch to only forward traffic to those groups towards the CPU (port
+0).
+
+Eliminate the race in two steps:
+
+1. Grab the write-side lock of the MDB while generating the replay
+ list.
+
+This prevents new memberships from showing up while we are generating
+the replay list. But it leaves the scenario in which a deferred event
+was already generated, but not delivered, before we grabbed the
+lock. Therefore:
+
+2. Make sure that no deferred version of a replay event is already
+ enqueued to the switchdev deferred queue, before adding it to the
+ replay list, when replaying additions.
+
+Fixes: 4f2673b3a2b6 ("net: bridge: add helper to replay port and host-joined mdb entries")
+Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/switchdev.h | 3 ++
+ net/bridge/br_switchdev.c | 74 ++++++++++++++++++++++++---------------
+ net/switchdev/switchdev.c | 73 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 122 insertions(+), 28 deletions(-)
+
+diff --git a/include/net/switchdev.h b/include/net/switchdev.h
+index a43062d4c734b..8346b0d29542c 100644
+--- a/include/net/switchdev.h
++++ b/include/net/switchdev.h
+@@ -308,6 +308,9 @@ void switchdev_deferred_process(void);
+ int switchdev_port_attr_set(struct net_device *dev,
+ const struct switchdev_attr *attr,
+ struct netlink_ext_ack *extack);
++bool switchdev_port_obj_act_is_deferred(struct net_device *dev,
++ enum switchdev_notifier_type nt,
++ const struct switchdev_obj *obj);
+ int switchdev_port_obj_add(struct net_device *dev,
+ const struct switchdev_obj *obj,
+ struct netlink_ext_ack *extack);
+diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c
+index ee84e783e1dff..6a7cb01f121c7 100644
+--- a/net/bridge/br_switchdev.c
++++ b/net/bridge/br_switchdev.c
+@@ -595,21 +595,40 @@ br_switchdev_mdb_replay_one(struct notifier_block *nb, struct net_device *dev,
+ }
+
+ static int br_switchdev_mdb_queue_one(struct list_head *mdb_list,
++ struct net_device *dev,
++ unsigned long action,
+ enum switchdev_obj_id id,
+ const struct net_bridge_mdb_entry *mp,
+ struct net_device *orig_dev)
+ {
+- struct switchdev_obj_port_mdb *mdb;
++ struct switchdev_obj_port_mdb mdb = {
++ .obj = {
++ .id = id,
++ .orig_dev = orig_dev,
++ },
++ };
++ struct switchdev_obj_port_mdb *pmdb;
+
+- mdb = kzalloc(sizeof(*mdb), GFP_ATOMIC);
+- if (!mdb)
+- return -ENOMEM;
++ br_switchdev_mdb_populate(&mdb, mp);
+
+- mdb->obj.id = id;
+- mdb->obj.orig_dev = orig_dev;
+- br_switchdev_mdb_populate(mdb, mp);
+- list_add_tail(&mdb->obj.list, mdb_list);
++ if (action == SWITCHDEV_PORT_OBJ_ADD &&
++ switchdev_port_obj_act_is_deferred(dev, action, &mdb.obj)) {
++ /* This event is already in the deferred queue of
++ * events, so this replay must be elided, lest the
++ * driver receives duplicate events for it. This can
++ * only happen when replaying additions, since
++ * modifications are always immediately visible in
++ * br->mdb_list, whereas actual event delivery may be
++ * delayed.
++ */
++ return 0;
++ }
++
++ pmdb = kmemdup(&mdb, sizeof(mdb), GFP_ATOMIC);
++ if (!pmdb)
++ return -ENOMEM;
+
++ list_add_tail(&pmdb->obj.list, mdb_list);
+ return 0;
+ }
+
+@@ -677,51 +696,50 @@ br_switchdev_mdb_replay(struct net_device *br_dev, struct net_device *dev,
+ if (!br_opt_get(br, BROPT_MULTICAST_ENABLED))
+ return 0;
+
+- /* We cannot walk over br->mdb_list protected just by the rtnl_mutex,
+- * because the write-side protection is br->multicast_lock. But we
+- * need to emulate the [ blocking ] calling context of a regular
+- * switchdev event, so since both br->multicast_lock and RCU read side
+- * critical sections are atomic, we have no choice but to pick the RCU
+- * read side lock, queue up all our events, leave the critical section
+- * and notify switchdev from blocking context.
++ if (adding)
++ action = SWITCHDEV_PORT_OBJ_ADD;
++ else
++ action = SWITCHDEV_PORT_OBJ_DEL;
++
++ /* br_switchdev_mdb_queue_one() will take care to not queue a
++ * replay of an event that is already pending in the switchdev
++ * deferred queue. In order to safely determine that, there
++ * must be no new deferred MDB notifications enqueued for the
++ * duration of the MDB scan. Therefore, grab the write-side
++ * lock to avoid racing with any concurrent IGMP/MLD snooping.
+ */
+- rcu_read_lock();
++ spin_lock_bh(&br->multicast_lock);
+
+- hlist_for_each_entry_rcu(mp, &br->mdb_list, mdb_node) {
++ hlist_for_each_entry(mp, &br->mdb_list, mdb_node) {
+ struct net_bridge_port_group __rcu * const *pp;
+ const struct net_bridge_port_group *p;
+
+ if (mp->host_joined) {
+- err = br_switchdev_mdb_queue_one(&mdb_list,
++ err = br_switchdev_mdb_queue_one(&mdb_list, dev, action,
+ SWITCHDEV_OBJ_ID_HOST_MDB,
+ mp, br_dev);
+ if (err) {
+- rcu_read_unlock();
++ spin_unlock_bh(&br->multicast_lock);
+ goto out_free_mdb;
+ }
+ }
+
+- for (pp = &mp->ports; (p = rcu_dereference(*pp)) != NULL;
++ for (pp = &mp->ports; (p = mlock_dereference(*pp, br)) != NULL;
+ pp = &p->next) {
+ if (p->key.port->dev != dev)
+ continue;
+
+- err = br_switchdev_mdb_queue_one(&mdb_list,
++ err = br_switchdev_mdb_queue_one(&mdb_list, dev, action,
+ SWITCHDEV_OBJ_ID_PORT_MDB,
+ mp, dev);
+ if (err) {
+- rcu_read_unlock();
++ spin_unlock_bh(&br->multicast_lock);
+ goto out_free_mdb;
+ }
+ }
+ }
+
+- rcu_read_unlock();
+-
+- if (adding)
+- action = SWITCHDEV_PORT_OBJ_ADD;
+- else
+- action = SWITCHDEV_PORT_OBJ_DEL;
++ spin_unlock_bh(&br->multicast_lock);
+
+ list_for_each_entry(obj, &mdb_list, list) {
+ err = br_switchdev_mdb_replay_one(nb, dev,
+diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c
+index 5b045284849e0..c9189a970eec3 100644
+--- a/net/switchdev/switchdev.c
++++ b/net/switchdev/switchdev.c
+@@ -19,6 +19,35 @@
+ #include <linux/rtnetlink.h>
+ #include <net/switchdev.h>
+
++static bool switchdev_obj_eq(const struct switchdev_obj *a,
++ const struct switchdev_obj *b)
++{
++ const struct switchdev_obj_port_vlan *va, *vb;
++ const struct switchdev_obj_port_mdb *ma, *mb;
++
++ if (a->id != b->id || a->orig_dev != b->orig_dev)
++ return false;
++
++ switch (a->id) {
++ case SWITCHDEV_OBJ_ID_PORT_VLAN:
++ va = SWITCHDEV_OBJ_PORT_VLAN(a);
++ vb = SWITCHDEV_OBJ_PORT_VLAN(b);
++ return va->flags == vb->flags &&
++ va->vid == vb->vid &&
++ va->changed == vb->changed;
++ case SWITCHDEV_OBJ_ID_PORT_MDB:
++ case SWITCHDEV_OBJ_ID_HOST_MDB:
++ ma = SWITCHDEV_OBJ_PORT_MDB(a);
++ mb = SWITCHDEV_OBJ_PORT_MDB(b);
++ return ma->vid == mb->vid &&
++ ether_addr_equal(ma->addr, mb->addr);
++ default:
++ break;
++ }
++
++ BUG();
++}
++
+ static LIST_HEAD(deferred);
+ static DEFINE_SPINLOCK(deferred_lock);
+
+@@ -307,6 +336,50 @@ int switchdev_port_obj_del(struct net_device *dev,
+ }
+ EXPORT_SYMBOL_GPL(switchdev_port_obj_del);
+
++/**
++ * switchdev_port_obj_act_is_deferred - Is object action pending?
++ *
++ * @dev: port device
++ * @nt: type of action; add or delete
++ * @obj: object to test
++ *
++ * Returns true if a deferred item is pending, which is
++ * equivalent to the action @nt on an object @obj.
++ *
++ * rtnl_lock must be held.
++ */
++bool switchdev_port_obj_act_is_deferred(struct net_device *dev,
++ enum switchdev_notifier_type nt,
++ const struct switchdev_obj *obj)
++{
++ struct switchdev_deferred_item *dfitem;
++ bool found = false;
++
++ ASSERT_RTNL();
++
++ spin_lock_bh(&deferred_lock);
++
++ list_for_each_entry(dfitem, &deferred, list) {
++ if (dfitem->dev != dev)
++ continue;
++
++ if ((dfitem->func == switchdev_port_obj_add_deferred &&
++ nt == SWITCHDEV_PORT_OBJ_ADD) ||
++ (dfitem->func == switchdev_port_obj_del_deferred &&
++ nt == SWITCHDEV_PORT_OBJ_DEL)) {
++ if (switchdev_obj_eq((const void *)dfitem->data, obj)) {
++ found = true;
++ break;
++ }
++ }
++ }
++
++ spin_unlock_bh(&deferred_lock);
++
++ return found;
++}
++EXPORT_SYMBOL_GPL(switchdev_port_obj_act_is_deferred);
++
+ static ATOMIC_NOTIFIER_HEAD(switchdev_notif_chain);
+ static BLOCKING_NOTIFIER_HEAD(switchdev_blocking_notif_chain);
+
+--
+2.43.0
+
--- /dev/null
+From 83ba69af58fd914e1cc7fc1f65f556088adbe9c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Feb 2024 23:00:50 -0800
+Subject: net: ethernet: adi: requires PHYLIB support
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit a9f80df4f51440303d063b55bb98720857693821 ]
+
+This driver uses functions that are supplied by the Kconfig symbol
+PHYLIB, so select it to ensure that they are built as needed.
+
+When CONFIG_ADIN1110=y and CONFIG_PHYLIB=m, there are multiple build
+(linker) errors that are resolved by this Kconfig change:
+
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_net_open':
+ drivers/net/ethernet/adi/adin1110.c:933: undefined reference to `phy_start'
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_probe_netdevs':
+ drivers/net/ethernet/adi/adin1110.c:1603: undefined reference to `get_phy_device'
+ ld: drivers/net/ethernet/adi/adin1110.c:1609: undefined reference to `phy_connect'
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_disconnect_phy':
+ drivers/net/ethernet/adi/adin1110.c:1226: undefined reference to `phy_disconnect'
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `devm_mdiobus_alloc':
+ include/linux/phy.h:455: undefined reference to `devm_mdiobus_alloc_size'
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_register_mdiobus':
+ drivers/net/ethernet/adi/adin1110.c:529: undefined reference to `__devm_mdiobus_register'
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_net_stop':
+ drivers/net/ethernet/adi/adin1110.c:958: undefined reference to `phy_stop'
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_disconnect_phy':
+ drivers/net/ethernet/adi/adin1110.c:1226: undefined reference to `phy_disconnect'
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_adjust_link':
+ drivers/net/ethernet/adi/adin1110.c:1077: undefined reference to `phy_print_status'
+ ld: drivers/net/ethernet/adi/adin1110.o: in function `adin1110_ioctl':
+ drivers/net/ethernet/adi/adin1110.c:790: undefined reference to `phy_do_ioctl'
+ ld: drivers/net/ethernet/adi/adin1110.o:(.rodata+0xf60): undefined reference to `phy_ethtool_get_link_ksettings'
+ ld: drivers/net/ethernet/adi/adin1110.o:(.rodata+0xf68): undefined reference to `phy_ethtool_set_link_ksettings'
+
+Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202402070626.eZsfVHG5-lkp@intel.com/
+Cc: Lennart Franzen <lennart@lfdomain.com>
+Cc: Alexandru Tachici <alexandru.tachici@analog.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: netdev@vger.kernel.org
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/adi/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/adi/Kconfig b/drivers/net/ethernet/adi/Kconfig
+index da3bdd3025022..c91b4dcef4ec2 100644
+--- a/drivers/net/ethernet/adi/Kconfig
++++ b/drivers/net/ethernet/adi/Kconfig
+@@ -7,6 +7,7 @@ config NET_VENDOR_ADI
+ bool "Analog Devices devices"
+ default y
+ depends on SPI
++ select PHYLIB
+ help
+ If you have a network (Ethernet) card belonging to this class, say Y.
+
+--
+2.43.0
+
--- /dev/null
+From 42ad90eb03f1162f3d9dc9d2441eaafb67762bec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 14:12:20 +0000
+Subject: net: implement lockless setsockopt(SO_PEEK_OFF)
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 56667da7399eb19af857e30f41bea89aa6fa812c ]
+
+syzbot reported a lockdep violation [1] involving af_unix
+support of SO_PEEK_OFF.
+
+Since SO_PEEK_OFF is inherently not thread safe (it uses a per-socket
+sk_peek_off field), there is really no point to enforce a pointless
+thread safety in the kernel.
+
+After this patch :
+
+- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.
+
+- skb_consume_udp() no longer has to acquire the socket lock.
+
+- af_unix no longer needs a special version of sk_set_peek_off(),
+ because it does not lock u->iolock anymore.
+
+As a followup, we could replace prot->set_peek_off to be a boolean
+and avoid an indirect call, since we always use sk_set_peek_off().
+
+[1]
+
+WARNING: possible circular locking dependency detected
+6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted
+
+syz-executor.2/30025 is trying to acquire lock:
+ ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
+
+but task is already holding lock:
+ ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]
+ ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]
+ ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:
+ lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
+ lock_sock_nested+0x48/0x100 net/core/sock.c:3524
+ lock_sock include/net/sock.h:1691 [inline]
+ __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415
+ sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046
+ ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801
+ ___sys_recvmsg net/socket.c:2845 [inline]
+ do_recvmmsg+0x474/0xae0 net/socket.c:2939
+ __sys_recvmmsg net/socket.c:3018 [inline]
+ __do_sys_recvmmsg net/socket.c:3041 [inline]
+ __se_sys_recvmmsg net/socket.c:3034 [inline]
+ __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+-> #0 (&u->iolock){+.+.}-{3:3}:
+ check_prev_add kernel/locking/lockdep.c:3134 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3253 [inline]
+ validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
+ __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
+ lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
+ __mutex_lock_common kernel/locking/mutex.c:608 [inline]
+ __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
+ unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
+ sk_setsockopt+0x207e/0x3360
+ do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307
+ __sys_setsockopt+0x1ad/0x250 net/socket.c:2334
+ __do_sys_setsockopt net/socket.c:2343 [inline]
+ __se_sys_setsockopt net/socket.c:2340 [inline]
+ __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(sk_lock-AF_UNIX);
+ lock(&u->iolock);
+ lock(sk_lock-AF_UNIX);
+ lock(&u->iolock);
+
+ *** DEADLOCK ***
+
+1 lock held by syz-executor.2/30025:
+ #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]
+ #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]
+ #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193
+
+stack backtrace:
+CPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
+ check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
+ check_prev_add kernel/locking/lockdep.c:3134 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3253 [inline]
+ validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
+ __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
+ lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
+ __mutex_lock_common kernel/locking/mutex.c:608 [inline]
+ __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
+ unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
+ sk_setsockopt+0x207e/0x3360
+ do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307
+ __sys_setsockopt+0x1ad/0x250 net/socket.c:2334
+ __do_sys_setsockopt net/socket.c:2343 [inline]
+ __se_sys_setsockopt net/socket.c:2340 [inline]
+ __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+RIP: 0033:0x7f78a1c7dda9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f78a0fde0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007f78a1dac050 RCX: 00007f78a1c7dda9
+RDX: 000000000000002a RSI: 0000000000000001 RDI: 0000000000000006
+RBP: 00007f78a1cca47a R08: 0000000000000004 R09: 0000000000000000
+R10: 0000000020000180 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000006e R14: 00007f78a1dac050 R15: 00007ffe5cd81ae8
+
+Fixes: 859051dd165e ("bpf: Implement cgroup sockaddr hooks for unix sockets")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: Daan De Meyer <daan.j.demeyer@gmail.com>
+Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
+Cc: Martin KaFai Lau <martin.lau@kernel.org>
+Cc: David Ahern <dsahern@kernel.org>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 23 +++++++++++------------
+ net/ipv4/udp.c | 7 +------
+ net/unix/af_unix.c | 19 +++----------------
+ 3 files changed, 15 insertions(+), 34 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index e5d43a068f8ed..20160865ede9c 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1192,6 +1192,17 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
+ */
+ WRITE_ONCE(sk->sk_txrehash, (u8)val);
+ return 0;
++ case SO_PEEK_OFF:
++ {
++ int (*set_peek_off)(struct sock *sk, int val);
++
++ set_peek_off = READ_ONCE(sock->ops)->set_peek_off;
++ if (set_peek_off)
++ ret = set_peek_off(sk, val);
++ else
++ ret = -EOPNOTSUPP;
++ return ret;
++ }
+ }
+
+ sockopt_lock_sock(sk);
+@@ -1434,18 +1445,6 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
+ sock_valbool_flag(sk, SOCK_WIFI_STATUS, valbool);
+ break;
+
+- case SO_PEEK_OFF:
+- {
+- int (*set_peek_off)(struct sock *sk, int val);
+-
+- set_peek_off = READ_ONCE(sock->ops)->set_peek_off;
+- if (set_peek_off)
+- ret = set_peek_off(sk, val);
+- else
+- ret = -EOPNOTSUPP;
+- break;
+- }
+-
+ case SO_NOFCS:
+ sock_valbool_flag(sk, SOCK_NOFCS, valbool);
+ break;
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index f631b0a21af4c..e474b201900f9 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1589,12 +1589,7 @@ int udp_init_sock(struct sock *sk)
+
+ void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len)
+ {
+- if (unlikely(READ_ONCE(sk->sk_peek_off) >= 0)) {
+- bool slow = lock_sock_fast(sk);
+-
+- sk_peek_offset_bwd(sk, len);
+- unlock_sock_fast(sk, slow);
+- }
++ sk_peek_offset_bwd(sk, len);
+
+ if (!skb_unref(skb))
+ return;
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 30b178ebba60a..0748e7ea5210e 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -782,19 +782,6 @@ static int unix_seqpacket_sendmsg(struct socket *, struct msghdr *, size_t);
+ static int unix_seqpacket_recvmsg(struct socket *, struct msghdr *, size_t,
+ int);
+
+-static int unix_set_peek_off(struct sock *sk, int val)
+-{
+- struct unix_sock *u = unix_sk(sk);
+-
+- if (mutex_lock_interruptible(&u->iolock))
+- return -EINTR;
+-
+- WRITE_ONCE(sk->sk_peek_off, val);
+- mutex_unlock(&u->iolock);
+-
+- return 0;
+-}
+-
+ #ifdef CONFIG_PROC_FS
+ static int unix_count_nr_fds(struct sock *sk)
+ {
+@@ -862,7 +849,7 @@ static const struct proto_ops unix_stream_ops = {
+ .read_skb = unix_stream_read_skb,
+ .mmap = sock_no_mmap,
+ .splice_read = unix_stream_splice_read,
+- .set_peek_off = unix_set_peek_off,
++ .set_peek_off = sk_set_peek_off,
+ .show_fdinfo = unix_show_fdinfo,
+ };
+
+@@ -886,7 +873,7 @@ static const struct proto_ops unix_dgram_ops = {
+ .read_skb = unix_read_skb,
+ .recvmsg = unix_dgram_recvmsg,
+ .mmap = sock_no_mmap,
+- .set_peek_off = unix_set_peek_off,
++ .set_peek_off = sk_set_peek_off,
+ .show_fdinfo = unix_show_fdinfo,
+ };
+
+@@ -909,7 +896,7 @@ static const struct proto_ops unix_seqpacket_ops = {
+ .sendmsg = unix_seqpacket_sendmsg,
+ .recvmsg = unix_seqpacket_recvmsg,
+ .mmap = sock_no_mmap,
+- .set_peek_off = unix_set_peek_off,
++ .set_peek_off = sk_set_peek_off,
+ .show_fdinfo = unix_show_fdinfo,
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 05ea4658bc7b0ebb9b1237012b1632c65be035ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 08:40:15 -0600
+Subject: net: ipa: don't overrun IPA suspend interrupt registers
+
+From: Alex Elder <elder@linaro.org>
+
+[ Upstream commit d80f8e96d47d7374794a30fbed69be43f3388afc ]
+
+In newer hardware, IPA supports more than 32 endpoints. Some
+registers--such as IPA interrupt registers--represent endpoints
+as bits in a 4-byte register, and such registers are repeated as
+needed to represent endpoints beyond the first 32.
+
+In ipa_interrupt_suspend_clear_all(), we clear all pending IPA
+suspend interrupts by reading all status register(s) and writing
+corresponding registers to clear interrupt conditions.
+
+Unfortunately the number of registers to read/write is calculated
+incorrectly, and as a result we access *many* more registers than
+intended. This bug occurs only when the IPA hardware signals a
+SUSPEND interrupt, which happens when a packet is received for an
+endpoint (or its underlying GSI channel) that is suspended. This
+situation is difficult to reproduce, but possible.
+
+Fix this by correctly computing the number of interrupt registers to
+read and write. This is the only place in the code where registers
+that map endpoints or channels this way perform this calculation.
+
+Fixes: f298ba785e2d ("net: ipa: add a parameter to suspend registers")
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/ipa_interrupt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipa/ipa_interrupt.c b/drivers/net/ipa/ipa_interrupt.c
+index 4bc05948f772d..a78c692f2d3c5 100644
+--- a/drivers/net/ipa/ipa_interrupt.c
++++ b/drivers/net/ipa/ipa_interrupt.c
+@@ -212,7 +212,7 @@ void ipa_interrupt_suspend_clear_all(struct ipa_interrupt *interrupt)
+ u32 unit_count;
+ u32 unit;
+
+- unit_count = roundup(ipa->endpoint_count, 32);
++ unit_count = DIV_ROUND_UP(ipa->endpoint_count, 32);
+ for (unit = 0; unit < unit_count; unit++) {
+ const struct reg *reg;
+ u32 val;
+--
+2.43.0
+
--- /dev/null
+From cedb0e21da2523baa16a7bed45df9e611f82464b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 15:53:08 +0800
+Subject: net: mctp: put sock on tag allocation failure
+
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+
+[ Upstream commit 9990889be14288d4f1743e4768222d5032a79c27 ]
+
+We may hold an extra reference on a socket if a tag allocation fails: we
+optimistically allocate the sk_key, and take a ref there, but do not
+drop if we end up not using the allocated key.
+
+Ensure we're dropping the sock on this failure by doing a proper unref
+rather than directly kfree()ing.
+
+Fixes: de8a6b15d965 ("net: mctp: add an explicit reference from a mctp_sk_key to sock")
+Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/ce9b61e44d1cdae7797be0c5e3141baf582d23a0.1707983487.git.jk@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mctp/route.c b/net/mctp/route.c
+index 7a47a58aa54b4..6218dcd07e184 100644
+--- a/net/mctp/route.c
++++ b/net/mctp/route.c
+@@ -663,7 +663,7 @@ struct mctp_sk_key *mctp_alloc_local_tag(struct mctp_sock *msk,
+ spin_unlock_irqrestore(&mns->keys_lock, flags);
+
+ if (!tagbits) {
+- kfree(key);
++ mctp_key_unref(key);
+ return ERR_PTR(-EBUSY);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 6c2d0f250d435ecd7ea1dcd8cb1bacf7b41e3fe9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 12:30:07 +0530
+Subject: net: phy: realtek: Fix rtl8211f_config_init() for
+ RTL8211F(D)(I)-VD-CG PHY
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+[ Upstream commit 3489182b11d35f1944c1245fc9c4867cf622c50f ]
+
+Commit bb726b753f75 ("net: phy: realtek: add support for
+RTL8211F(D)(I)-VD-CG") extended support of the driver from the existing
+support for RTL8211F(D)(I)-CG PHY to the newer RTL8211F(D)(I)-VD-CG PHY.
+
+While that commit indicated that the RTL8211F_PHYCR2 register is not
+supported by the "VD-CG" PHY model and therefore updated the corresponding
+section in rtl8211f_config_init() to be invoked conditionally, the call to
+"genphy_soft_reset()" was left as-is, when it should have also been invoked
+conditionally. This is because the call to "genphy_soft_reset()" was first
+introduced by the commit 0a4355c2b7f8 ("net: phy: realtek: add dt property
+to disable CLKOUT clock") since the RTL8211F guide indicates that a PHY
+reset should be issued after setting bits in the PHYCR2 register.
+
+As the PHYCR2 register is not applicable to the "VD-CG" PHY model, fix the
+rtl8211f_config_init() function by invoking "genphy_soft_reset()"
+conditionally based on the presence of the "PHYCR2" register.
+
+Fixes: bb726b753f75 ("net: phy: realtek: add support for RTL8211F(D)(I)-VD-CG")
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240220070007.968762-1-s-vadapalli@ti.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/realtek.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c
+index 894172a3e15fe..337899c69738e 100644
+--- a/drivers/net/phy/realtek.c
++++ b/drivers/net/phy/realtek.c
+@@ -421,9 +421,11 @@ static int rtl8211f_config_init(struct phy_device *phydev)
+ ERR_PTR(ret));
+ return ret;
+ }
++
++ return genphy_soft_reset(phydev);
+ }
+
+- return genphy_soft_reset(phydev);
++ return 0;
+ }
+
+ static int rtl821x_suspend(struct phy_device *phydev)
+--
+2.43.0
+
--- /dev/null
+From 61f1fabf3da9a628f280eae5acf09952d8a3a0b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 15:16:21 -0300
+Subject: net/sched: act_mirred: Create function tcf_mirred_to_dev and improve
+ readability
+
+From: Victor Nogueira <victor@mojatatu.com>
+
+[ Upstream commit 16085e48cb48aeb50a1178dc276747749910b0f2 ]
+
+As a preparation for adding block ID to mirred, separate the part of
+mirred that redirect/mirrors to a dev into a specific function so that it
+can be called by blockcast for each dev.
+
+Also improve readability. Eg. rename use_reinsert to dont_clone and skb2
+to skb_to_send.
+
+Co-developed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Co-developed-by: Pedro Tammela <pctammela@mojatatu.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 52f671db1882 ("net/sched: act_mirred: use the backlog for mirred ingress")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_mirred.c | 129 +++++++++++++++++++++++------------------
+ 1 file changed, 72 insertions(+), 57 deletions(-)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 0a711c184c29b..6f2544c1e3961 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -225,48 +225,26 @@ static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb)
+ return err;
+ }
+
+-TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
+- const struct tc_action *a,
+- struct tcf_result *res)
++static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m,
++ struct net_device *dev,
++ const bool m_mac_header_xmit, int m_eaction,
++ int retval)
+ {
+- struct tcf_mirred *m = to_mirred(a);
+- struct sk_buff *skb2 = skb;
+- bool m_mac_header_xmit;
+- struct net_device *dev;
+- unsigned int nest_level;
+- int retval, err = 0;
+- bool use_reinsert;
++ struct sk_buff *skb_to_send = skb;
+ bool want_ingress;
+ bool is_redirect;
+ bool expects_nh;
+ bool at_ingress;
+- int m_eaction;
++ bool dont_clone;
+ int mac_len;
+ bool at_nh;
++ int err;
+
+- nest_level = __this_cpu_inc_return(mirred_nest_level);
+- if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {
+- net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
+- netdev_name(skb->dev));
+- __this_cpu_dec(mirred_nest_level);
+- return TC_ACT_SHOT;
+- }
+-
+- tcf_lastuse_update(&m->tcf_tm);
+- tcf_action_update_bstats(&m->common, skb);
+-
+- m_mac_header_xmit = READ_ONCE(m->tcfm_mac_header_xmit);
+- m_eaction = READ_ONCE(m->tcfm_eaction);
+- retval = READ_ONCE(m->tcf_action);
+- dev = rcu_dereference_bh(m->tcfm_dev);
+- if (unlikely(!dev)) {
+- pr_notice_once("tc mirred: target device is gone\n");
+- goto out;
+- }
+-
++ is_redirect = tcf_mirred_is_act_redirect(m_eaction);
+ if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
+ net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
+ dev->name);
++ err = -ENODEV;
+ goto out;
+ }
+
+@@ -274,61 +252,98 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
+ * since we can't easily detect the clsact caller, skip clone only for
+ * ingress - that covers the TC S/W datapath.
+ */
+- is_redirect = tcf_mirred_is_act_redirect(m_eaction);
+ at_ingress = skb_at_tc_ingress(skb);
+- use_reinsert = at_ingress && is_redirect &&
+- tcf_mirred_can_reinsert(retval);
+- if (!use_reinsert) {
+- skb2 = skb_clone(skb, GFP_ATOMIC);
+- if (!skb2)
++ dont_clone = skb_at_tc_ingress(skb) && is_redirect &&
++ tcf_mirred_can_reinsert(retval);
++ if (!dont_clone) {
++ skb_to_send = skb_clone(skb, GFP_ATOMIC);
++ if (!skb_to_send) {
++ err = -ENOMEM;
+ goto out;
++ }
+ }
+
+ want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
+
+ /* All mirred/redirected skbs should clear previous ct info */
+- nf_reset_ct(skb2);
++ nf_reset_ct(skb_to_send);
+ if (want_ingress && !at_ingress) /* drop dst for egress -> ingress */
+- skb_dst_drop(skb2);
++ skb_dst_drop(skb_to_send);
+
+ expects_nh = want_ingress || !m_mac_header_xmit;
+ at_nh = skb->data == skb_network_header(skb);
+ if (at_nh != expects_nh) {
+- mac_len = skb_at_tc_ingress(skb) ? skb->mac_len :
++ mac_len = at_ingress ? skb->mac_len :
+ skb_network_offset(skb);
+ if (expects_nh) {
+ /* target device/action expect data at nh */
+- skb_pull_rcsum(skb2, mac_len);
++ skb_pull_rcsum(skb_to_send, mac_len);
+ } else {
+ /* target device/action expect data at mac */
+- skb_push_rcsum(skb2, mac_len);
++ skb_push_rcsum(skb_to_send, mac_len);
+ }
+ }
+
+- skb2->skb_iif = skb->dev->ifindex;
+- skb2->dev = dev;
++ skb_to_send->skb_iif = skb->dev->ifindex;
++ skb_to_send->dev = dev;
+
+- /* mirror is always swallowed */
+ if (is_redirect) {
+- skb_set_redirected(skb2, skb2->tc_at_ingress);
+-
+- /* let's the caller reinsert the packet, if possible */
+- if (use_reinsert) {
+- err = tcf_mirred_forward(want_ingress, skb);
+- if (err)
+- tcf_action_inc_overlimit_qstats(&m->common);
+- __this_cpu_dec(mirred_nest_level);
+- return TC_ACT_CONSUMED;
+- }
++ if (skb == skb_to_send)
++ retval = TC_ACT_CONSUMED;
++
++ skb_set_redirected(skb_to_send, skb_to_send->tc_at_ingress);
++
++ err = tcf_mirred_forward(want_ingress, skb_to_send);
++ } else {
++ err = tcf_mirred_forward(want_ingress, skb_to_send);
+ }
+
+- err = tcf_mirred_forward(want_ingress, skb2);
+ if (err) {
+ out:
+ tcf_action_inc_overlimit_qstats(&m->common);
+- if (tcf_mirred_is_act_redirect(m_eaction))
++ if (is_redirect)
+ retval = TC_ACT_SHOT;
+ }
++
++ return retval;
++}
++
++TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
++ const struct tc_action *a,
++ struct tcf_result *res)
++{
++ struct tcf_mirred *m = to_mirred(a);
++ int retval = READ_ONCE(m->tcf_action);
++ unsigned int nest_level;
++ bool m_mac_header_xmit;
++ struct net_device *dev;
++ int m_eaction;
++
++ nest_level = __this_cpu_inc_return(mirred_nest_level);
++ if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {
++ net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
++ netdev_name(skb->dev));
++ retval = TC_ACT_SHOT;
++ goto dec_nest_level;
++ }
++
++ tcf_lastuse_update(&m->tcf_tm);
++ tcf_action_update_bstats(&m->common, skb);
++
++ dev = rcu_dereference_bh(m->tcfm_dev);
++ if (unlikely(!dev)) {
++ pr_notice_once("tc mirred: target device is gone\n");
++ tcf_action_inc_overlimit_qstats(&m->common);
++ goto dec_nest_level;
++ }
++
++ m_mac_header_xmit = READ_ONCE(m->tcfm_mac_header_xmit);
++ m_eaction = READ_ONCE(m->tcfm_eaction);
++
++ retval = tcf_mirred_to_dev(skb, m, dev, m_mac_header_xmit, m_eaction,
++ retval);
++
++dec_nest_level:
+ __this_cpu_dec(mirred_nest_level);
+
+ return retval;
+--
+2.43.0
+
--- /dev/null
+From c25049ea06d33fc66f6dca0cbc49d724bd7d8a81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 06:33:46 -0800
+Subject: net/sched: act_mirred: don't override retval if we already lost the
+ skb
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 ]
+
+If we're redirecting the skb, and haven't called tcf_mirred_forward(),
+yet, we need to tell the core to drop the skb by setting the retcode
+to SHOT. If we have called tcf_mirred_forward(), however, the skb
+is out of our hands and returning SHOT will lead to UaF.
+
+Move the retval override to the error path which actually need it.
+
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_mirred.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index bab090bb5e80a..674f7ae356ca2 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -240,8 +240,7 @@ static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m,
+ if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
+ net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
+ dev->name);
+- err = -ENODEV;
+- goto out;
++ goto err_cant_do;
+ }
+
+ /* we could easily avoid the clone only if called by ingress and clsact;
+@@ -253,10 +252,8 @@ static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m,
+ tcf_mirred_can_reinsert(retval);
+ if (!dont_clone) {
+ skb_to_send = skb_clone(skb, GFP_ATOMIC);
+- if (!skb_to_send) {
+- err = -ENOMEM;
+- goto out;
+- }
++ if (!skb_to_send)
++ goto err_cant_do;
+ }
+
+ want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
+@@ -293,15 +290,16 @@ static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m,
+ } else {
+ err = tcf_mirred_forward(at_ingress, want_ingress, skb_to_send);
+ }
+-
+- if (err) {
+-out:
++ if (err)
+ tcf_action_inc_overlimit_qstats(&m->common);
+- if (is_redirect)
+- retval = TC_ACT_SHOT;
+- }
+
+ return retval;
++
++err_cant_do:
++ if (is_redirect)
++ retval = TC_ACT_SHOT;
++ tcf_action_inc_overlimit_qstats(&m->common);
++ return retval;
+ }
+
+ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
+--
+2.43.0
+
--- /dev/null
+From 16314e5aff1dacad78ce5bbfc8c9eeb0b7adcef6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 06:33:45 -0800
+Subject: net/sched: act_mirred: use the backlog for mirred ingress
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 52f671db18823089a02f07efc04efdb2272ddc17 ]
+
+The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog
+for nested calls to mirred ingress") hangs our testing VMs every 10 or so
+runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by
+lockdep.
+
+The problem as previously described by Davide (see Link) is that
+if we reverse flow of traffic with the redirect (egress -> ingress)
+we may reach the same socket which generated the packet. And we may
+still be holding its socket lock. The common solution to such deadlocks
+is to put the packet in the Rx backlog, rather than run the Rx path
+inline. Do that for all egress -> ingress reversals, not just once
+we started to nest mirred calls.
+
+In the past there was a concern that the backlog indirection will
+lead to loss of error reporting / less accurate stats. But the current
+workaround does not seem to address the issue.
+
+Fixes: 53592b364001 ("net/sched: act_mirred: Implement ingress actions")
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Suggested-by: Davide Caratti <dcaratti@redhat.com>
+Link: https://lore.kernel.org/netdev/33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com/
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_mirred.c | 14 +++++---------
+ .../testing/selftests/net/forwarding/tc_actions.sh | 3 ---
+ 2 files changed, 5 insertions(+), 12 deletions(-)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 6f2544c1e3961..bab090bb5e80a 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -206,18 +206,14 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
+ return err;
+ }
+
+-static bool is_mirred_nested(void)
+-{
+- return unlikely(__this_cpu_read(mirred_nest_level) > 1);
+-}
+-
+-static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb)
++static int
++tcf_mirred_forward(bool at_ingress, bool want_ingress, struct sk_buff *skb)
+ {
+ int err;
+
+ if (!want_ingress)
+ err = tcf_dev_queue_xmit(skb, dev_queue_xmit);
+- else if (is_mirred_nested())
++ else if (!at_ingress)
+ err = netif_rx(skb);
+ else
+ err = netif_receive_skb(skb);
+@@ -293,9 +289,9 @@ static int tcf_mirred_to_dev(struct sk_buff *skb, struct tcf_mirred *m,
+
+ skb_set_redirected(skb_to_send, skb_to_send->tc_at_ingress);
+
+- err = tcf_mirred_forward(want_ingress, skb_to_send);
++ err = tcf_mirred_forward(at_ingress, want_ingress, skb_to_send);
+ } else {
+- err = tcf_mirred_forward(want_ingress, skb_to_send);
++ err = tcf_mirred_forward(at_ingress, want_ingress, skb_to_send);
+ }
+
+ if (err) {
+diff --git a/tools/testing/selftests/net/forwarding/tc_actions.sh b/tools/testing/selftests/net/forwarding/tc_actions.sh
+index b0f5e55d2d0b2..5896296365022 100755
+--- a/tools/testing/selftests/net/forwarding/tc_actions.sh
++++ b/tools/testing/selftests/net/forwarding/tc_actions.sh
+@@ -235,9 +235,6 @@ mirred_egress_to_ingress_tcp_test()
+ check_err $? "didn't mirred redirect ICMP"
+ tc_check_packets "dev $h1 ingress" 102 10
+ check_err $? "didn't drop mirred ICMP"
+- local overlimits=$(tc_rule_stats_get ${h1} 101 egress .overlimits)
+- test ${overlimits} = 10
+- check_err $? "wrong overlimits, expected 10 got ${overlimits}"
+
+ tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower
+ tc filter del dev $h1 egress protocol ip pref 101 handle 101 flower
+--
+2.43.0
+
--- /dev/null
+From 9cc0421170832125729a880bf13f887deaddf61b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 08:59:28 +0000
+Subject: net/sched: flower: Add lock protection when remove filter handle
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 1fde0ca3a0de7e9f917668941156959dd5e9108b ]
+
+As IDR can't protect itself from the concurrent modification, place
+idr_remove() under the protection of tp->lock.
+
+Fixes: 08a0063df3ae ("net/sched: flower: Move filter handle initialization earlier")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20240220085928.9161-1-jianbol@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_flower.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index efb9d2811b73d..6ee7064c82fcc 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -2460,8 +2460,11 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
+ }
+
+ errout_idr:
+- if (!fold)
++ if (!fold) {
++ spin_lock(&tp->lock);
+ idr_remove(&head->handle_idr, fnew->handle);
++ spin_unlock(&tp->lock);
++ }
+ __fl_put(fnew);
+ errout_tb:
+ kfree(tb);
+--
+2.43.0
+
--- /dev/null
+From 22000c02bda467eb2366d40fa9aeae7b4e40a4b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 09:00:43 +0100
+Subject: net: sparx5: Add spinlock for frame transmission from CPU
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 603ead96582d85903baec2d55f021b8dac5c25d2 ]
+
+Both registers used when doing manual injection or fdma injection are
+shared between all the net devices of the switch. It was noticed that
+when having two process which each of them trying to inject frames on
+different ethernet ports, that the HW started to behave strange, by
+sending out more frames then expected. When doing fdma injection it is
+required to set the frame in the DCB and then make sure that the next
+pointer of the last DCB is invalid. But because there is no locks for
+this, then easily this pointer between the DCB can be broken and then it
+would create a loop of DCBs. And that means that the HW will
+continuously transmit these frames in a loop. Until the SW will break
+this loop.
+Therefore to fix this issue, add a spin lock for when accessing the
+registers for manual or fdma injection.
+
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Reviewed-by: Daniel Machon <daniel.machon@microchip.com>
+Fixes: f3cad2611a77 ("net: sparx5: add hostmode with phylink support")
+Link: https://lore.kernel.org/r/20240219080043.1561014-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_main.c | 1 +
+ drivers/net/ethernet/microchip/sparx5/sparx5_main.h | 1 +
+ drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 2 ++
+ 3 files changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+index d1f7fc8b1b71a..3c066b62e6894 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+@@ -757,6 +757,7 @@ static int mchp_sparx5_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, sparx5);
+ sparx5->pdev = pdev;
+ sparx5->dev = &pdev->dev;
++ spin_lock_init(&sparx5->tx_lock);
+
+ /* Do switch core reset if available */
+ reset = devm_reset_control_get_optional_shared(&pdev->dev, "switch");
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
+index 6f565c0c0c3dc..316fed5f27355 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
+@@ -280,6 +280,7 @@ struct sparx5 {
+ int xtr_irq;
+ /* Frame DMA */
+ int fdma_irq;
++ spinlock_t tx_lock; /* lock for frame transmission */
+ struct sparx5_rx rx;
+ struct sparx5_tx tx;
+ /* PTP */
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+index 6db6ac6a3bbc2..ac7e1cffbcecf 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+@@ -244,10 +244,12 @@ netdev_tx_t sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev)
+ }
+
+ skb_tx_timestamp(skb);
++ spin_lock(&sparx5->tx_lock);
+ if (sparx5->fdma_irq > 0)
+ ret = sparx5_fdma_xmit(sparx5, ifh, skb);
+ else
+ ret = sparx5_inject(sparx5, ifh, skb, dev);
++ spin_unlock(&sparx5->tx_lock);
+
+ if (ret == -EBUSY)
+ goto busy;
+--
+2.43.0
+
--- /dev/null
+From 2500ef08bf679bf20f6991b06d6b9d2b99503917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Feb 2024 12:27:17 +0300
+Subject: net: stmmac: Fix incorrect dereference in interrupt handlers
+
+From: Pavel Sakharov <p.sakharov@ispras.ru>
+
+[ Upstream commit 97dde84026339e4b4af9a6301f825d1828d7874b ]
+
+If 'dev' or 'data' is NULL, the 'priv' variable has an incorrect address
+when dereferencing calling netdev_err().
+
+Since we get as 'dev_id' or 'data' what was passed as the 'dev' argument
+to request_irq() during interrupt initialization (that is, the net_device
+and rx/tx queue pointers initialized at the time of the call) and since
+there are usually no checks for the 'dev_id' argument in such handlers
+in other drivers, remove these checks from the handlers in stmmac driver.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 8532f613bc78 ("net: stmmac: introduce MSI Interrupt routines for mac, safety, RX & TX")
+Signed-off-by: Pavel Sakharov <p.sakharov@ispras.ru>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c | 20 -------------------
+ 1 file changed, 20 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index ec34768e054da..e9a1b60ebb503 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -5977,11 +5977,6 @@ static irqreturn_t stmmac_mac_interrupt(int irq, void *dev_id)
+ struct net_device *dev = (struct net_device *)dev_id;
+ struct stmmac_priv *priv = netdev_priv(dev);
+
+- if (unlikely(!dev)) {
+- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__);
+- return IRQ_NONE;
+- }
+-
+ /* Check if adapter is up */
+ if (test_bit(STMMAC_DOWN, &priv->state))
+ return IRQ_HANDLED;
+@@ -5997,11 +5992,6 @@ static irqreturn_t stmmac_safety_interrupt(int irq, void *dev_id)
+ struct net_device *dev = (struct net_device *)dev_id;
+ struct stmmac_priv *priv = netdev_priv(dev);
+
+- if (unlikely(!dev)) {
+- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__);
+- return IRQ_NONE;
+- }
+-
+ /* Check if adapter is up */
+ if (test_bit(STMMAC_DOWN, &priv->state))
+ return IRQ_HANDLED;
+@@ -6023,11 +6013,6 @@ static irqreturn_t stmmac_msi_intr_tx(int irq, void *data)
+ dma_conf = container_of(tx_q, struct stmmac_dma_conf, tx_queue[chan]);
+ priv = container_of(dma_conf, struct stmmac_priv, dma_conf);
+
+- if (unlikely(!data)) {
+- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__);
+- return IRQ_NONE;
+- }
+-
+ /* Check if adapter is up */
+ if (test_bit(STMMAC_DOWN, &priv->state))
+ return IRQ_HANDLED;
+@@ -6054,11 +6039,6 @@ static irqreturn_t stmmac_msi_intr_rx(int irq, void *data)
+ dma_conf = container_of(rx_q, struct stmmac_dma_conf, rx_queue[chan]);
+ priv = container_of(dma_conf, struct stmmac_priv, dma_conf);
+
+- if (unlikely(!data)) {
+- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__);
+- return IRQ_NONE;
+- }
+-
+ /* Check if adapter is up */
+ if (test_bit(STMMAC_DOWN, &priv->state))
+ return IRQ_HANDLED;
+--
+2.43.0
+
--- /dev/null
+From a864779d6628d77e1714750bbfe427b92f88226b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 19:43:53 +0100
+Subject: netfilter: nf_tables: register hooks last when adding new
+ chain/flowtable
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d472e9853d7b46a6b094224d131d09ccd3a03daf ]
+
+Register hooks last when adding chain/flowtable to ensure that packets do
+not walk over datastructure that is being released in the error path
+without waiting for the rcu grace period.
+
+Fixes: 91c7b38dc9f0 ("netfilter: nf_tables: use new transaction infrastructure to handle chain")
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 78 ++++++++++++++++++-----------------
+ 1 file changed, 40 insertions(+), 38 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index dc26986fd4b93..6901067d715dc 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -684,15 +684,16 @@ static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
+ return err;
+ }
+
+-static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
+- struct nft_flowtable *flowtable)
++static struct nft_trans *
++nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
++ struct nft_flowtable *flowtable)
+ {
+ struct nft_trans *trans;
+
+ trans = nft_trans_alloc(ctx, msg_type,
+ sizeof(struct nft_trans_flowtable));
+ if (trans == NULL)
+- return -ENOMEM;
++ return ERR_PTR(-ENOMEM);
+
+ if (msg_type == NFT_MSG_NEWFLOWTABLE)
+ nft_activate_next(ctx->net, flowtable);
+@@ -701,22 +702,22 @@ static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
+ nft_trans_flowtable(trans) = flowtable;
+ nft_trans_commit_list_add_tail(ctx->net, trans);
+
+- return 0;
++ return trans;
+ }
+
+ static int nft_delflowtable(struct nft_ctx *ctx,
+ struct nft_flowtable *flowtable)
+ {
+- int err;
++ struct nft_trans *trans;
+
+- err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
+- if (err < 0)
+- return err;
++ trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
++ if (IS_ERR(trans))
++ return PTR_ERR(trans);
+
+ nft_deactivate_next(ctx->net, flowtable);
+ nft_use_dec(&ctx->table->use);
+
+- return err;
++ return 0;
+ }
+
+ static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
+@@ -2504,19 +2505,15 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
+ RCU_INIT_POINTER(chain->blob_gen_0, blob);
+ RCU_INIT_POINTER(chain->blob_gen_1, blob);
+
+- err = nf_tables_register_hook(net, table, chain);
+- if (err < 0)
+- goto err_destroy_chain;
+-
+ if (!nft_use_inc(&table->use)) {
+ err = -EMFILE;
+- goto err_use;
++ goto err_destroy_chain;
+ }
+
+ trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
+ if (IS_ERR(trans)) {
+ err = PTR_ERR(trans);
+- goto err_unregister_hook;
++ goto err_trans;
+ }
+
+ nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
+@@ -2524,17 +2521,22 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
+ nft_trans_chain_policy(trans) = policy;
+
+ err = nft_chain_add(table, chain);
+- if (err < 0) {
+- nft_trans_destroy(trans);
+- goto err_unregister_hook;
+- }
++ if (err < 0)
++ goto err_chain_add;
++
++ /* This must be LAST to ensure no packets are walking over this chain. */
++ err = nf_tables_register_hook(net, table, chain);
++ if (err < 0)
++ goto err_register_hook;
+
+ return 0;
+
+-err_unregister_hook:
++err_register_hook:
++ nft_chain_del(chain);
++err_chain_add:
++ nft_trans_destroy(trans);
++err_trans:
+ nft_use_dec_restore(&table->use);
+-err_use:
+- nf_tables_unregister_hook(net, table, chain);
+ err_destroy_chain:
+ nf_tables_chain_destroy(ctx);
+
+@@ -8373,9 +8375,9 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
+ u8 family = info->nfmsg->nfgen_family;
+ const struct nf_flowtable_type *type;
+ struct nft_flowtable *flowtable;
+- struct nft_hook *hook, *next;
+ struct net *net = info->net;
+ struct nft_table *table;
++ struct nft_trans *trans;
+ struct nft_ctx ctx;
+ int err;
+
+@@ -8455,34 +8457,34 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
+ err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
+ extack, true);
+ if (err < 0)
+- goto err4;
++ goto err_flowtable_parse_hooks;
+
+ list_splice(&flowtable_hook.list, &flowtable->hook_list);
+ flowtable->data.priority = flowtable_hook.priority;
+ flowtable->hooknum = flowtable_hook.num;
+
++ trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
++ if (IS_ERR(trans)) {
++ err = PTR_ERR(trans);
++ goto err_flowtable_trans;
++ }
++
++ /* This must be LAST to ensure no packets are walking over this flowtable. */
+ err = nft_register_flowtable_net_hooks(ctx.net, table,
+ &flowtable->hook_list,
+ flowtable);
+- if (err < 0) {
+- nft_hooks_destroy(&flowtable->hook_list);
+- goto err4;
+- }
+-
+- err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
+ if (err < 0)
+- goto err5;
++ goto err_flowtable_hooks;
+
+ list_add_tail_rcu(&flowtable->list, &table->flowtables);
+
+ return 0;
+-err5:
+- list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
+- nft_unregister_flowtable_hook(net, flowtable, hook);
+- list_del_rcu(&hook->list);
+- kfree_rcu(hook, rcu);
+- }
+-err4:
++
++err_flowtable_hooks:
++ nft_trans_destroy(trans);
++err_flowtable_trans:
++ nft_hooks_destroy(&flowtable->hook_list);
++err_flowtable_parse_hooks:
+ flowtable->data.type->free(&flowtable->data);
+ err3:
+ module_put(type->owner);
+--
+2.43.0
+
--- /dev/null
+From 7b348a99308ca472db2eeca0f59c2b2b4bfa08b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 16:58:04 +0100
+Subject: netfilter: nf_tables: set dormant flag on hook register failure
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit bccebf64701735533c8db37773eeacc6566cc8ec ]
+
+We need to set the dormant flag again if we fail to register
+the hooks.
+
+During memory pressure hook registration can fail and we end up
+with a table marked as active but no registered hooks.
+
+On table/base chain deletion, nf_tables will attempt to unregister
+the hook again which yields a warn splat from the nftables core.
+
+Reported-and-tested-by: syzbot+de4025c006ec68ac56fc@syzkaller.appspotmail.com
+Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 04c5aa4debc74..dc26986fd4b93 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1251,6 +1251,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
+ return 0;
+
+ err_register_hooks:
++ ctx->table->flags |= NFT_TABLE_F_DORMANT;
+ nft_trans_destroy(trans);
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 72541d30578e7dd5a8085117d2863fed0d05f181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 18:38:45 +0100
+Subject: netfilter: nf_tables: use kzalloc for hook allocation
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 195e5f88c2e48330ba5483e0bad2de3b3fad484f ]
+
+KMSAN reports unitialized variable when registering the hook,
+ reg->hook_ops_type == NF_HOOK_OP_BPF)
+ ~~~~~~~~~~~ undefined
+
+This is a small structure, just use kzalloc to make sure this
+won't happen again when new fields get added to nf_hook_ops.
+
+Fixes: 7b4b2fa37587 ("netfilter: annotate nf_tables base hook ops")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 6901067d715dc..79e088e6f103e 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2082,7 +2082,7 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
+ struct nft_hook *hook;
+ int err;
+
+- hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
++ hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
+ if (!hook) {
+ err = -ENOMEM;
+ goto err_hook_alloc;
+--
+2.43.0
+
--- /dev/null
+From 665b78846a6233c6a37d8adadea733ba06a5dc0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 21:36:39 +0100
+Subject: netfilter: nft_flow_offload: release dst in case direct xmit path is
+ used
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 8762785f459be1cfe6fcf7285c123aad6a3703f0 ]
+
+Direct xmit does not use it since it calls dev_queue_xmit() to send
+packets, hence it calls dst_release().
+
+kmemleak reports:
+
+unreferenced object 0xffff88814f440900 (size 184):
+ comm "softirq", pid 0, jiffies 4294951896
+ hex dump (first 32 bytes):
+ 00 60 5b 04 81 88 ff ff 00 e6 e8 82 ff ff ff ff .`[.............
+ 21 0b 50 82 ff ff ff ff 00 00 00 00 00 00 00 00 !.P.............
+ backtrace (crc cb2bf5d6):
+ [<000000003ee17107>] kmem_cache_alloc+0x286/0x340
+ [<0000000021a5de2c>] dst_alloc+0x43/0xb0
+ [<00000000f0671159>] rt_dst_alloc+0x2e/0x190
+ [<00000000fe5092c9>] __mkroute_output+0x244/0x980
+ [<000000005fb96fb0>] ip_route_output_flow+0xc0/0x160
+ [<0000000045367433>] nf_ip_route+0xf/0x30
+ [<0000000085da1d8e>] nf_route+0x2d/0x60
+ [<00000000d1ecd1cb>] nft_flow_route+0x171/0x6a0 [nft_flow_offload]
+ [<00000000d9b2fb60>] nft_flow_offload_eval+0x4e8/0x700 [nft_flow_offload]
+ [<000000009f447dbb>] expr_call_ops_eval+0x53/0x330 [nf_tables]
+ [<00000000072e1be6>] nft_do_chain+0x17c/0x840 [nf_tables]
+ [<00000000d0551029>] nft_do_chain_inet+0xa1/0x210 [nf_tables]
+ [<0000000097c9d5c6>] nf_hook_slow+0x5b/0x160
+ [<0000000005eccab1>] ip_forward+0x8b6/0x9b0
+ [<00000000553a269b>] ip_rcv+0x221/0x230
+ [<00000000412872e5>] __netif_receive_skb_one_core+0xfe/0x110
+
+Fixes: fa502c865666 ("netfilter: flowtable: simplify route logic")
+Reported-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_flow_table_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
+index 7502d6d73a600..a0571339239c4 100644
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -132,6 +132,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
+ ETH_ALEN);
+ flow_tuple->out.ifidx = route->tuple[dir].out.ifindex;
+ flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex;
++ dst_release(dst);
+ break;
+ case FLOW_OFFLOAD_XMIT_XFRM:
+ case FLOW_OFFLOAD_XMIT_NEIGH:
+--
+2.43.0
+
--- /dev/null
+From a88e54d92d6bfa80551368c8b53167df1be305b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 12:32:58 +0100
+Subject: netfilter: nft_flow_offload: reset dst in route object after setting
+ up flow
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 9e0f0430389be7696396c62f037be4bf72cf93e3 ]
+
+dst is transferred to the flow object, route object does not own it
+anymore. Reset dst in route object, otherwise if flow_offload_add()
+fails, error path releases dst twice, leading to a refcount underflow.
+
+Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_flow_table.h | 2 +-
+ net/netfilter/nf_flow_table_core.c | 16 +++++++++++++---
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
+index 692d5955911c7..4a767b3d20b9d 100644
+--- a/include/net/netfilter/nf_flow_table.h
++++ b/include/net/netfilter/nf_flow_table.h
+@@ -275,7 +275,7 @@ nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
+ }
+
+ void flow_offload_route_init(struct flow_offload *flow,
+- const struct nf_flow_route *route);
++ struct nf_flow_route *route);
+
+ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
+ void flow_offload_refresh(struct nf_flowtable *flow_table,
+diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
+index 920a5a29ae1dc..7502d6d73a600 100644
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -87,12 +87,22 @@ static u32 flow_offload_dst_cookie(struct flow_offload_tuple *flow_tuple)
+ return 0;
+ }
+
++static struct dst_entry *nft_route_dst_fetch(struct nf_flow_route *route,
++ enum flow_offload_tuple_dir dir)
++{
++ struct dst_entry *dst = route->tuple[dir].dst;
++
++ route->tuple[dir].dst = NULL;
++
++ return dst;
++}
++
+ static int flow_offload_fill_route(struct flow_offload *flow,
+- const struct nf_flow_route *route,
++ struct nf_flow_route *route,
+ enum flow_offload_tuple_dir dir)
+ {
+ struct flow_offload_tuple *flow_tuple = &flow->tuplehash[dir].tuple;
+- struct dst_entry *dst = route->tuple[dir].dst;
++ struct dst_entry *dst = nft_route_dst_fetch(route, dir);
+ int i, j = 0;
+
+ switch (flow_tuple->l3proto) {
+@@ -146,7 +156,7 @@ static void nft_flow_dst_release(struct flow_offload *flow,
+ }
+
+ void flow_offload_route_init(struct flow_offload *flow,
+- const struct nf_flow_route *route)
++ struct nf_flow_route *route)
+ {
+ flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_ORIGINAL);
+ flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_REPLY);
+--
+2.43.0
+
--- /dev/null
+From 41de72468affc2b7ec3af96eed3f1e778b6ac062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 10:57:37 +0100
+Subject: nouveau: fix function cast warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 0affdba22aca5573f9d989bcb1d71d32a6a03efe ]
+
+clang-16 warns about casting between incompatible function types:
+
+drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c:161:10: error: cast from 'void (*)(const struct firmware *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 161 | .fini = (void(*)(void *))release_firmware,
+
+This one was done to use the generic shadow_fw_release() function as a
+callback for struct nvbios_source. Change it to use the same prototype
+as the other five instances, with a trivial helper function that actually
+calls release_firmware.
+
+Fixes: 70c0f263cc2e ("drm/nouveau/bios: pull in basic vbios subdev, more to come later")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Danilo Krummrich <dakr@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240213095753.455062-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c
+index 19188683c8fca..8c2bf1c16f2a9 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c
+@@ -154,11 +154,17 @@ shadow_fw_init(struct nvkm_bios *bios, const char *name)
+ return (void *)fw;
+ }
+
++static void
++shadow_fw_release(void *fw)
++{
++ release_firmware(fw);
++}
++
+ static const struct nvbios_source
+ shadow_fw = {
+ .name = "firmware",
+ .init = shadow_fw_init,
+- .fini = (void(*)(void *))release_firmware,
++ .fini = shadow_fw_release,
+ .read = shadow_fw_read,
+ .rw = false,
+ };
+--
+2.43.0
+
--- /dev/null
+From 8caa82646453eea135788b92a827bba38e63a810 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 18:25:14 +0530
+Subject: octeontx2-af: Consider the action set by PF
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit 3b1ae9b71c2a97f848b00fb085a2bd29bddbe8d9 ]
+
+AF reserves MCAM entries for each PF, VF present in the
+system and populates the entry with DMAC and action with
+default RSS so that basic packet I/O works. Since PF/VF is
+not aware of the RSS action installed by AF, AF only fixup
+the actions of the rules installed by PF/VF with corresponding
+default RSS action. This worked well for rules installed by
+PF/VF for features like RX VLAN offload and DMAC filters but
+rules involving action like drop/forward to queue are also
+getting modified by AF. Hence fix it by setting the default
+RSS action only if requested by PF/VF.
+
+Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet replication feature")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+index 3784347b6fd88..55639c133dd02 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+@@ -437,6 +437,10 @@ static void npc_fixup_vf_rule(struct rvu *rvu, struct npc_mcam *mcam,
+ return;
+ }
+
++ /* AF modifies given action iff PF/VF has requested for it */
++ if ((entry->action & 0xFULL) != NIX_RX_ACTION_DEFAULT)
++ return;
++
+ /* copy VF default entry action to the VF mcam entry */
+ rx_action = npc_get_default_entry_action(rvu, mcam, blkaddr,
+ target_func);
+--
+2.43.0
+
--- /dev/null
+From b0a90dd6093cacae63e5d498d551e54705815881 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 13:51:45 -0800
+Subject: parisc: Fix stack unwinder
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 882a2a724ee964c1ebe7268a91d5c8c8ddc796bf ]
+
+Debugging shows a large number of unaligned access traps in the unwinder
+code. Code analysis reveals a number of issues with this code:
+
+- handle_interruption is passed twice through
+ dereference_kernel_function_descriptor()
+- ret_from_kernel_thread, syscall_exit, intr_return,
+ _switch_to_ret, and _call_on_stack are passed through
+ dereference_kernel_function_descriptor() even though they are
+ not declared as function pointers.
+
+To fix the problems, drop one of the calls to
+dereference_kernel_function_descriptor() for handle_interruption,
+and compare the other pointers directly.
+
+Fixes: 6414b30b39f9 ("parisc: unwind: Avoid missing prototype warning for handle_interruption()")
+Fixes: 8e0ba125c2bf ("parisc/unwind: fix unwinder when CONFIG_64BIT is enabled")
+Cc: Helge Deller <deller@gmx.de>
+Cc: Sven Schnelle <svens@stackframe.org>
+Cc: John David Anglin <dave.anglin@bell.net>
+Cc: Charlie Jenkins <charlie@rivosinc.com>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/unwind.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/arch/parisc/kernel/unwind.c b/arch/parisc/kernel/unwind.c
+index 27ae40a443b80..f7e0fee5ee55a 100644
+--- a/arch/parisc/kernel/unwind.c
++++ b/arch/parisc/kernel/unwind.c
+@@ -228,10 +228,8 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int
+ #ifdef CONFIG_IRQSTACKS
+ extern void * const _call_on_stack;
+ #endif /* CONFIG_IRQSTACKS */
+- void *ptr;
+
+- ptr = dereference_kernel_function_descriptor(&handle_interruption);
+- if (pc_is_kernel_fn(pc, ptr)) {
++ if (pc_is_kernel_fn(pc, handle_interruption)) {
+ struct pt_regs *regs = (struct pt_regs *)(info->sp - frame_size - PT_SZ_ALGN);
+ dbg("Unwinding through handle_interruption()\n");
+ info->prev_sp = regs->gr[30];
+@@ -239,13 +237,13 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int
+ return 1;
+ }
+
+- if (pc_is_kernel_fn(pc, ret_from_kernel_thread) ||
+- pc_is_kernel_fn(pc, syscall_exit)) {
++ if (pc == (unsigned long)&ret_from_kernel_thread ||
++ pc == (unsigned long)&syscall_exit) {
+ info->prev_sp = info->prev_ip = 0;
+ return 1;
+ }
+
+- if (pc_is_kernel_fn(pc, intr_return)) {
++ if (pc == (unsigned long)&intr_return) {
+ struct pt_regs *regs;
+
+ dbg("Found intr_return()\n");
+@@ -257,14 +255,14 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int
+ }
+
+ if (pc_is_kernel_fn(pc, _switch_to) ||
+- pc_is_kernel_fn(pc, _switch_to_ret)) {
++ pc == (unsigned long)&_switch_to_ret) {
+ info->prev_sp = info->sp - CALLEE_SAVE_FRAME_SIZE;
+ info->prev_ip = *(unsigned long *)(info->prev_sp - RP_OFFSET);
+ return 1;
+ }
+
+ #ifdef CONFIG_IRQSTACKS
+- if (pc_is_kernel_fn(pc, _call_on_stack)) {
++ if (pc == (unsigned long)&_call_on_stack) {
+ info->prev_sp = *(unsigned long *)(info->sp - FRAME_SIZE - REG_SZ);
+ info->prev_ip = *(unsigned long *)(info->sp - FRAME_SIZE - RP_OFFSET);
+ return 1;
+--
+2.43.0
+
--- /dev/null
+From 8053a09268a1e9eb5dd4df1556322cc6e3bcd06b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Feb 2024 10:12:14 +0200
+Subject: phonet/pep: fix racy skb_queue_empty() use
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rémi Denis-Courmont <courmisch@gmail.com>
+
+[ Upstream commit 7d2a894d7f487dcb894df023e9d3014cf5b93fe5 ]
+
+The receive queues are protected by their respective spin-lock, not
+the socket lock. This could lead to skb_peek() unexpectedly
+returning NULL or a pointer to an already dequeued socket buffer.
+
+Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
+Signed-off-by: Rémi Denis-Courmont <courmisch@gmail.com>
+Link: https://lore.kernel.org/r/20240218081214.4806-2-remi@remlab.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/phonet/pep.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index faba31f2eff29..3dd5f52bc1b58 100644
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -917,6 +917,37 @@ static int pep_sock_enable(struct sock *sk, struct sockaddr *addr, int len)
+ return 0;
+ }
+
++static unsigned int pep_first_packet_length(struct sock *sk)
++{
++ struct pep_sock *pn = pep_sk(sk);
++ struct sk_buff_head *q;
++ struct sk_buff *skb;
++ unsigned int len = 0;
++ bool found = false;
++
++ if (sock_flag(sk, SOCK_URGINLINE)) {
++ q = &pn->ctrlreq_queue;
++ spin_lock_bh(&q->lock);
++ skb = skb_peek(q);
++ if (skb) {
++ len = skb->len;
++ found = true;
++ }
++ spin_unlock_bh(&q->lock);
++ }
++
++ if (likely(!found)) {
++ q = &sk->sk_receive_queue;
++ spin_lock_bh(&q->lock);
++ skb = skb_peek(q);
++ if (skb)
++ len = skb->len;
++ spin_unlock_bh(&q->lock);
++ }
++
++ return len;
++}
++
+ static int pep_ioctl(struct sock *sk, int cmd, int *karg)
+ {
+ struct pep_sock *pn = pep_sk(sk);
+@@ -929,15 +960,7 @@ static int pep_ioctl(struct sock *sk, int cmd, int *karg)
+ break;
+ }
+
+- lock_sock(sk);
+- if (sock_flag(sk, SOCK_URGINLINE) &&
+- !skb_queue_empty(&pn->ctrlreq_queue))
+- *karg = skb_peek(&pn->ctrlreq_queue)->len;
+- else if (!skb_queue_empty(&sk->sk_receive_queue))
+- *karg = skb_peek(&sk->sk_receive_queue)->len;
+- else
+- *karg = 0;
+- release_sock(sk);
++ *karg = pep_first_packet_length(sk);
+ ret = 0;
+ break;
+
+--
+2.43.0
+
--- /dev/null
+From 62ffdf7d41ee10eaf5bb278dcfdb6af056ff36b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Feb 2024 10:12:13 +0200
+Subject: phonet: take correct lock to peek at the RX queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rémi Denis-Courmont <courmisch@gmail.com>
+
+[ Upstream commit 3b2d9bc4d4acdf15a876eae2c0d83149250e85ba ]
+
+The receive queue is protected by its embedded spin-lock, not the
+socket lock, so we need the former lock here (and only that one).
+
+Fixes: 107d0d9b8d9a ("Phonet: Phonet datagram transport protocol")
+Reported-by: Luosili <rootlab@huawei.com>
+Signed-off-by: Rémi Denis-Courmont <courmisch@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240218081214.4806-1-remi@remlab.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/phonet/datagram.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c
+index 3aa50dc7535b7..976fe250b5095 100644
+--- a/net/phonet/datagram.c
++++ b/net/phonet/datagram.c
+@@ -34,10 +34,10 @@ static int pn_ioctl(struct sock *sk, int cmd, int *karg)
+
+ switch (cmd) {
+ case SIOCINQ:
+- lock_sock(sk);
++ spin_lock_bh(&sk->sk_receive_queue.lock);
+ skb = skb_peek(&sk->sk_receive_queue);
+ *karg = skb ? skb->len : 0;
+- release_sock(sk);
++ spin_unlock_bh(&sk->sk_receive_queue.lock);
+ return 0;
+
+ case SIOCPNADDRESOURCE:
+--
+2.43.0
+
--- /dev/null
+From 1ed8f0f163dc0f7a7e30b4f377398ae918526fa2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 10:23:47 -0500
+Subject: platform/x86: think-lmi: Fix password opcode ordering for
+ workstations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mark Pearson <mpearson-lenovo@squebb.ca>
+
+[ Upstream commit 6f7d0f5fd8e440c3446560100ac4ff9a55eec340 ]
+
+The Lenovo workstations require the password opcode to be run before
+the attribute value is changed (if Admin password is enabled).
+
+Tested on some Thinkpads to confirm they are OK with this order too.
+
+Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Fixes: 640a5fa50a42 ("platform/x86: think-lmi: Opcode support")
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20240209152359.528919-1-mpearson-lenovo@squebb.ca
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/think-lmi.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c
+index 3a396b763c496..ce3e08815a8e6 100644
+--- a/drivers/platform/x86/think-lmi.c
++++ b/drivers/platform/x86/think-lmi.c
+@@ -1009,7 +1009,16 @@ static ssize_t current_value_store(struct kobject *kobj,
+ * Note - this sets the variable and then the password as separate
+ * WMI calls. Function tlmi_save_bios_settings will error if the
+ * password is incorrect.
++ * Workstation's require the opcode to be set before changing the
++ * attribute.
+ */
++ if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
++ ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin",
++ tlmi_priv.pwd_admin->password);
++ if (ret)
++ goto out;
++ }
++
+ set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name,
+ new_setting);
+ if (!set_str) {
+@@ -1021,17 +1030,10 @@ static ssize_t current_value_store(struct kobject *kobj,
+ if (ret)
+ goto out;
+
+- if (tlmi_priv.save_mode == TLMI_SAVE_BULK) {
++ if (tlmi_priv.save_mode == TLMI_SAVE_BULK)
+ tlmi_priv.save_required = true;
+- } else {
+- if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
+- ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin",
+- tlmi_priv.pwd_admin->password);
+- if (ret)
+- goto out;
+- }
++ else
+ ret = tlmi_save_bios_settings("");
+- }
+ } else { /* old non-opcode based authentication method (deprecated) */
+ if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
+ auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;",
+--
+2.43.0
+
--- /dev/null
+From 595a21641556dc181022d04f19da433e0bdd938b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 20:23:11 -0600
+Subject: platform/x86: thinkpad_acpi: Only update profile if successfully
+ converted
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 427c70dec738318b7f71e1b9d829ff0e9771d493 ]
+
+Randomly a Lenovo Z13 will trigger a kernel warning traceback from this
+condition:
+
+```
+if (WARN_ON((profile < 0) || (profile >= ARRAY_SIZE(profile_names))))
+```
+
+This happens because thinkpad-acpi always assumes that
+convert_dytc_to_profile() successfully updated the profile. On the
+contrary a condition can occur that when dytc_profile_refresh() is called
+the profile doesn't get updated as there is a -EOPNOTSUPP branch.
+
+Catch this situation and avoid updating the profile. Also log this into
+dynamic debugging in case any other modes should be added in the future.
+
+Fixes: c3bfcd4c6762 ("platform/x86: thinkpad_acpi: Add platform profile support")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20240217022311.113879-1-mario.limonciello@amd.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index c4895e9bc7148..5ecd9d33250d7 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -10308,6 +10308,7 @@ static int convert_dytc_to_profile(int funcmode, int dytcmode,
+ return 0;
+ default:
+ /* Unknown function */
++ pr_debug("unknown function 0x%x\n", funcmode);
+ return -EOPNOTSUPP;
+ }
+ return 0;
+@@ -10493,8 +10494,8 @@ static void dytc_profile_refresh(void)
+ return;
+
+ perfmode = (output >> DYTC_GET_MODE_BIT) & 0xF;
+- convert_dytc_to_profile(funcmode, perfmode, &profile);
+- if (profile != dytc_current_profile) {
++ err = convert_dytc_to_profile(funcmode, perfmode, &profile);
++ if (!err && profile != dytc_current_profile) {
+ dytc_current_profile = profile;
+ platform_profile_notify();
+ }
+--
+2.43.0
+
--- /dev/null
+From f38214cadedb8bb2c6aff2750bd116b8dcfb246e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 16:18:33 -0600
+Subject: powerpc/pseries/iommu: DLPAR add doesn't completely initialize
+ pci_controller
+
+From: Gaurav Batra <gbatra@linux.ibm.com>
+
+[ Upstream commit a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321 ]
+
+When a PCI device is dynamically added, the kernel oopses with a NULL
+pointer dereference:
+
+ BUG: Kernel NULL pointer dereference on read at 0x00000030
+ Faulting instruction address: 0xc0000000006bbe5c
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse
+ CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66
+ Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
+ NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8
+ REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)
+ MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002220 XER: 20040006
+ CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0
+ ...
+ NIP sysfs_add_link_to_group+0x34/0x94
+ LR iommu_device_link+0x5c/0x118
+ Call Trace:
+ iommu_init_device+0x26c/0x318 (unreliable)
+ iommu_device_link+0x5c/0x118
+ iommu_init_device+0xa8/0x318
+ iommu_probe_device+0xc0/0x134
+ iommu_bus_notifier+0x44/0x104
+ notifier_call_chain+0xb8/0x19c
+ blocking_notifier_call_chain+0x64/0x98
+ bus_notify+0x50/0x7c
+ device_add+0x640/0x918
+ pci_device_add+0x23c/0x298
+ of_create_pci_dev+0x400/0x884
+ of_scan_pci_dev+0x124/0x1b0
+ __of_scan_bus+0x78/0x18c
+ pcibios_scan_phb+0x2a4/0x3b0
+ init_phb_dynamic+0xb8/0x110
+ dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]
+ add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]
+ kobj_attr_store+0x2c/0x48
+ sysfs_kf_write+0x64/0x78
+ kernfs_fop_write_iter+0x1b0/0x290
+ vfs_write+0x350/0x4a0
+ ksys_write+0x84/0x140
+ system_call_exception+0x124/0x330
+ system_call_vectored_common+0x15c/0x2ec
+
+Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities
+and allow blocking domains") broke DLPAR add of PCI devices.
+
+The above added iommu_device structure to pci_controller. During
+system boot, PCI devices are discovered and this newly added iommu_device
+structure is initialized by a call to iommu_device_register().
+
+During DLPAR add of a PCI device, a new pci_controller structure is
+allocated but there are no calls made to iommu_device_register()
+interface.
+
+Fix is to register the iommu device during DLPAR add as well.
+
+Fixes: a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities and allow blocking domains")
+Signed-off-by: Gaurav Batra <gbatra@linux.ibm.com>
+Reviewed-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240215221833.4817-1-gbatra@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/ppc-pci.h | 10 ++++++++++
+ arch/powerpc/kernel/iommu.c | 23 ++++++++++++++++------
+ arch/powerpc/platforms/pseries/pci_dlpar.c | 4 ++++
+ 3 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/ppc-pci.h b/arch/powerpc/include/asm/ppc-pci.h
+index d9fcff5750271..2689e7139b9ea 100644
+--- a/arch/powerpc/include/asm/ppc-pci.h
++++ b/arch/powerpc/include/asm/ppc-pci.h
+@@ -30,6 +30,16 @@ void *pci_traverse_device_nodes(struct device_node *start,
+ void *data);
+ extern void pci_devs_phb_init_dynamic(struct pci_controller *phb);
+
++#if defined(CONFIG_IOMMU_API) && (defined(CONFIG_PPC_PSERIES) || \
++ defined(CONFIG_PPC_POWERNV))
++extern void ppc_iommu_register_device(struct pci_controller *phb);
++extern void ppc_iommu_unregister_device(struct pci_controller *phb);
++#else
++static inline void ppc_iommu_register_device(struct pci_controller *phb) { }
++static inline void ppc_iommu_unregister_device(struct pci_controller *phb) { }
++#endif
++
++
+ /* From rtas_pci.h */
+ extern void init_pci_config_tokens (void);
+ extern unsigned long get_phb_buid (struct device_node *);
+diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c
+index df17b33b89d13..2c0173e7094da 100644
+--- a/arch/powerpc/kernel/iommu.c
++++ b/arch/powerpc/kernel/iommu.c
+@@ -1341,7 +1341,7 @@ static struct iommu_device *spapr_tce_iommu_probe_device(struct device *dev)
+ struct pci_controller *hose;
+
+ if (!dev_is_pci(dev))
+- return ERR_PTR(-EPERM);
++ return ERR_PTR(-ENODEV);
+
+ pdev = to_pci_dev(dev);
+ hose = pdev->bus->sysdata;
+@@ -1390,6 +1390,21 @@ static const struct attribute_group *spapr_tce_iommu_groups[] = {
+ NULL,
+ };
+
++void ppc_iommu_register_device(struct pci_controller *phb)
++{
++ iommu_device_sysfs_add(&phb->iommu, phb->parent,
++ spapr_tce_iommu_groups, "iommu-phb%04x",
++ phb->global_number);
++ iommu_device_register(&phb->iommu, &spapr_tce_iommu_ops,
++ phb->parent);
++}
++
++void ppc_iommu_unregister_device(struct pci_controller *phb)
++{
++ iommu_device_unregister(&phb->iommu);
++ iommu_device_sysfs_remove(&phb->iommu);
++}
++
+ /*
+ * This registers IOMMU devices of PHBs. This needs to happen
+ * after core_initcall(iommu_init) + postcore_initcall(pci_driver_init) and
+@@ -1400,11 +1415,7 @@ static int __init spapr_tce_setup_phb_iommus_initcall(void)
+ struct pci_controller *hose;
+
+ list_for_each_entry(hose, &hose_list, list_node) {
+- iommu_device_sysfs_add(&hose->iommu, hose->parent,
+- spapr_tce_iommu_groups, "iommu-phb%04x",
+- hose->global_number);
+- iommu_device_register(&hose->iommu, &spapr_tce_iommu_ops,
+- hose->parent);
++ ppc_iommu_register_device(hose);
+ }
+ return 0;
+ }
+diff --git a/arch/powerpc/platforms/pseries/pci_dlpar.c b/arch/powerpc/platforms/pseries/pci_dlpar.c
+index 4ba8245681192..4448386268d99 100644
+--- a/arch/powerpc/platforms/pseries/pci_dlpar.c
++++ b/arch/powerpc/platforms/pseries/pci_dlpar.c
+@@ -35,6 +35,8 @@ struct pci_controller *init_phb_dynamic(struct device_node *dn)
+
+ pseries_msi_allocate_domains(phb);
+
++ ppc_iommu_register_device(phb);
++
+ /* Create EEH devices for the PHB */
+ eeh_phb_pe_create(phb);
+
+@@ -76,6 +78,8 @@ int remove_phb_dynamic(struct pci_controller *phb)
+ }
+ }
+
++ ppc_iommu_unregister_device(phb);
++
+ pseries_msi_free_domains(phb);
+
+ /* Keep a reference so phb isn't freed yet */
+--
+2.43.0
+
--- /dev/null
+From 2362d9039c31d2863b0d6df4d86b8e7ae5aaac29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 20:54:37 -0800
+Subject: RDMA/bnxt_re: Add a missing check in bnxt_qplib_query_srq
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 80dde187f734cf9ccf988d5c2ef1a46b990660fd ]
+
+Before populating the response, driver has to check the status
+of HWRM command.
+
+Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters")
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://lore.kernel.org/r/1705985677-15551-6-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index abbabea7f5fa3..2a62239187622 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -748,7 +748,8 @@ int bnxt_qplib_query_srq(struct bnxt_qplib_res *res,
+ bnxt_qplib_fill_cmdqmsg(&msg, &req, &resp, &sbuf, sizeof(req),
+ sizeof(resp), 0);
+ rc = bnxt_qplib_rcfw_send_message(rcfw, &msg);
+- srq->threshold = le16_to_cpu(sb->srq_limit);
++ if (!rc)
++ srq->threshold = le16_to_cpu(sb->srq_limit);
+ dma_free_coherent(&rcfw->pdev->dev, sbuf.size,
+ sbuf.sb, sbuf.dma_addr);
+
+--
+2.43.0
+
--- /dev/null
+From 2869847523dff0af90db63bcdb31d20e96fa6627 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 20:54:36 -0800
+Subject: RDMA/bnxt_re: Return error for SRQ resize
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3687b450c5f32e80f179ce4b09e0454da1449eac ]
+
+SRQ resize is not supported in the driver. But driver is not
+returning error from bnxt_re_modify_srq() for SRQ resize.
+
+Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters")
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://lore.kernel.org/r/1705985677-15551-5-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index faa88d12ee868..cc466dfd792b0 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1809,7 +1809,7 @@ int bnxt_re_modify_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr,
+ switch (srq_attr_mask) {
+ case IB_SRQ_MAX_WR:
+ /* SRQ resize is not supported */
+- break;
++ return -EINVAL;
+ case IB_SRQ_LIMIT:
+ /* Change the SRQ threshold */
+ if (srq_attr->srq_limit > srq->qplib_srq.max_wqe)
+@@ -1824,13 +1824,12 @@ int bnxt_re_modify_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr,
+ /* On success, update the shadow */
+ srq->srq_limit = srq_attr->srq_limit;
+ /* No need to Build and send response back to udata */
+- break;
++ return 0;
+ default:
+ ibdev_err(&rdev->ibdev,
+ "Unsupported srq_attr_mask 0x%x", srq_attr_mask);
+ return -EINVAL;
+ }
+- return 0;
+ }
+
+ int bnxt_re_query_srq(struct ib_srq *ib_srq, struct ib_srq_attr *srq_attr)
+--
+2.43.0
+
--- /dev/null
+From a4d8bdb9abc2c58443e254bd774da6a40a83cee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 17:38:49 -0600
+Subject: RDMA/irdma: Add AE for too many RNRS
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 630bdb6f28ca9e5ff79e244030170ac788478332 ]
+
+Add IRDMA_AE_LLP_TOO_MANY_RNRS to the list of AE's processed as an
+abnormal asyncronous event.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Sindhu Devale <sindhu.devale@gmail.com>
+Link: https://lore.kernel.org/r/20240131233849.400285-5-sindhu.devale@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/defs.h | 1 +
+ drivers/infiniband/hw/irdma/hw.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/irdma/defs.h b/drivers/infiniband/hw/irdma/defs.h
+index 8fb752f2eda29..2cb4b96db7212 100644
+--- a/drivers/infiniband/hw/irdma/defs.h
++++ b/drivers/infiniband/hw/irdma/defs.h
+@@ -346,6 +346,7 @@ enum irdma_cqp_op_type {
+ #define IRDMA_AE_LLP_TOO_MANY_KEEPALIVE_RETRIES 0x050b
+ #define IRDMA_AE_LLP_DOUBT_REACHABILITY 0x050c
+ #define IRDMA_AE_LLP_CONNECTION_ESTABLISHED 0x050e
++#define IRDMA_AE_LLP_TOO_MANY_RNRS 0x050f
+ #define IRDMA_AE_RESOURCE_EXHAUSTION 0x0520
+ #define IRDMA_AE_RESET_SENT 0x0601
+ #define IRDMA_AE_TERMINATE_SENT 0x0602
+diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
+index 2f8d18d8be3b7..ad50b77282f8a 100644
+--- a/drivers/infiniband/hw/irdma/hw.c
++++ b/drivers/infiniband/hw/irdma/hw.c
+@@ -387,6 +387,7 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
+ case IRDMA_AE_LLP_TOO_MANY_RETRIES:
+ case IRDMA_AE_LCE_QP_CATASTROPHIC:
+ case IRDMA_AE_LCE_FUNCTION_CATASTROPHIC:
++ case IRDMA_AE_LLP_TOO_MANY_RNRS:
+ case IRDMA_AE_LCE_CQ_CATASTROPHIC:
+ case IRDMA_AE_UDA_XMIT_DGRAM_TOO_LONG:
+ default:
+--
+2.43.0
+
--- /dev/null
+From 0e585678b105c0db42f337fe3920444bdc3aeefe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 17:38:46 -0600
+Subject: RDMA/irdma: Fix KASAN issue with tasklet
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+[ Upstream commit bd97cea7b18a0a553773af806dfbfac27a7c4acb ]
+
+KASAN testing revealed the following issue assocated with freeing an IRQ.
+
+[50006.466686] Call Trace:
+[50006.466691] <IRQ>
+[50006.489538] dump_stack+0x5c/0x80
+[50006.493475] print_address_description.constprop.6+0x1a/0x150
+[50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
+[50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
+[50006.511644] kasan_report.cold.11+0x7f/0x118
+[50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
+[50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma]
+[50006.528232] irdma_process_ceq+0xb2/0x400 [irdma]
+[50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma]
+[50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma]
+[50006.545306] tasklet_action_common.isra.14+0x148/0x2c0
+[50006.551096] __do_softirq+0x1d0/0xaf8
+[50006.555396] irq_exit_rcu+0x219/0x260
+[50006.559670] irq_exit+0xa/0x20
+[50006.563320] smp_apic_timer_interrupt+0x1bf/0x690
+[50006.568645] apic_timer_interrupt+0xf/0x20
+[50006.573341] </IRQ>
+
+The issue is that a tasklet could be pending on another core racing
+the delete of the irq.
+
+Fix by insuring any scheduled tasklet is killed after deleting the
+irq.
+
+Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions")
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Sindhu Devale <sindhu.devale@intel.com>
+Link: https://lore.kernel.org/r/20240131233849.400285-2-sindhu.devale@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/hw.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
+index bd4b2b8964444..2f8d18d8be3b7 100644
+--- a/drivers/infiniband/hw/irdma/hw.c
++++ b/drivers/infiniband/hw/irdma/hw.c
+@@ -570,6 +570,13 @@ static void irdma_destroy_irq(struct irdma_pci_f *rf,
+ dev->irq_ops->irdma_dis_irq(dev, msix_vec->idx);
+ irq_update_affinity_hint(msix_vec->irq, NULL);
+ free_irq(msix_vec->irq, dev_id);
++ if (rf == dev_id) {
++ tasklet_kill(&rf->dpc_tasklet);
++ } else {
++ struct irdma_ceq *iwceq = (struct irdma_ceq *)dev_id;
++
++ tasklet_kill(&iwceq->dpc_tasklet);
++ }
+ }
+
+ /**
+--
+2.43.0
+
--- /dev/null
+From 87b2633c54cd9deee7b4d5f5685ee1de7e23ad5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 17:38:48 -0600
+Subject: RDMA/irdma: Set the CQ read threshold for GEN 1
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 666047f3ece9f991774c1fe9b223139a9ef8908d ]
+
+The CQ shadow read threshold is currently not set for GEN 2. This could
+cause an invalid CQ overflow condition, so remove the GEN check that
+exclused GEN 1.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Sindhu Devale <sindhu.devale@intel.com>
+Link: https://lore.kernel.org/r/20240131233849.400285-4-sindhu.devale@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index cb828e3da478e..0b046c061742b 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -2186,9 +2186,8 @@ static int irdma_create_cq(struct ib_cq *ibcq,
+ info.cq_base_pa = iwcq->kmem.pa;
+ }
+
+- if (dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2)
+- info.shadow_read_threshold = min(info.cq_uk_init_info.cq_size / 2,
+- (u32)IRDMA_MAX_CQ_READ_THRESH);
++ info.shadow_read_threshold = min(info.cq_uk_init_info.cq_size / 2,
++ (u32)IRDMA_MAX_CQ_READ_THRESH);
+
+ if (irdma_sc_cq_init(cq, &info)) {
+ ibdev_dbg(&iwdev->ibdev, "VERBS: init cq fail\n");
+--
+2.43.0
+
--- /dev/null
+From cc04e3c72ed554bbc29d4522544491f728b927d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 17:38:47 -0600
+Subject: RDMA/irdma: Validate max_send_wr and max_recv_wr
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+[ Upstream commit ee107186bcfd25d7873258f3f75440e20f5e6416 ]
+
+Validate that max_send_wr and max_recv_wr is within the
+supported range.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Change-Id: I2fc8b10292b641fddd20b36986a9dae90a93f4be
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Sindhu Devale <sindhu.devale@intel.com>
+Link: https://lore.kernel.org/r/20240131233849.400285-3-sindhu.devale@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index b5eb8d421988c..cb828e3da478e 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -839,7 +839,9 @@ static int irdma_validate_qp_attrs(struct ib_qp_init_attr *init_attr,
+
+ if (init_attr->cap.max_inline_data > uk_attrs->max_hw_inline ||
+ init_attr->cap.max_send_sge > uk_attrs->max_hw_wq_frags ||
+- init_attr->cap.max_recv_sge > uk_attrs->max_hw_wq_frags)
++ init_attr->cap.max_recv_sge > uk_attrs->max_hw_wq_frags ||
++ init_attr->cap.max_send_wr > uk_attrs->max_hw_wq_quanta ||
++ init_attr->cap.max_recv_wr > uk_attrs->max_hw_rq_quanta)
+ return -EINVAL;
+
+ if (rdma_protocol_roce(&iwdev->ibdev, 1)) {
+--
+2.43.0
+
--- /dev/null
+From b0859f4d8f7b28f2fa34516befc8bebc25b7f158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Feb 2024 17:36:28 -0500
+Subject: RDMA/qedr: Fix qedr_create_user_qp error flow
+
+From: Kamal Heib <kheib@redhat.com>
+
+[ Upstream commit 5ba4e6d5863c53e937f49932dee0ecb004c65928 ]
+
+Avoid the following warning by making sure to free the allocated
+resources in case that qedr_init_user_queue() fail.
+
+-----------[ cut here ]-----------
+WARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+Modules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3
+ghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]
+CPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1
+Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022
+RIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+Code: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff
+RSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286
+RAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016
+RDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600
+RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
+R10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80
+R13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0
+Call Trace:
+<TASK>
+? show_trace_log_lvl+0x1c4/0x2df
+? show_trace_log_lvl+0x1c4/0x2df
+? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]
+? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+? __warn+0x81/0x110
+? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+? report_bug+0x10a/0x140
+? handle_bug+0x3c/0x70
+? exc_invalid_op+0x14/0x70
+? asm_exc_invalid_op+0x16/0x20
+? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+ib_uverbs_close+0x1f/0xb0 [ib_uverbs]
+__fput+0x94/0x250
+task_work_run+0x5c/0x90
+do_exit+0x270/0x4a0
+do_group_exit+0x2d/0x90
+get_signal+0x87c/0x8c0
+arch_do_signal_or_restart+0x25/0x100
+? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]
+exit_to_user_mode_loop+0x9c/0x130
+exit_to_user_mode_prepare+0xb6/0x100
+syscall_exit_to_user_mode+0x12/0x40
+do_syscall_64+0x69/0x90
+? syscall_exit_work+0x103/0x130
+? syscall_exit_to_user_mode+0x22/0x40
+? do_syscall_64+0x69/0x90
+? syscall_exit_work+0x103/0x130
+? syscall_exit_to_user_mode+0x22/0x40
+? do_syscall_64+0x69/0x90
+? do_syscall_64+0x69/0x90
+? common_interrupt+0x43/0xa0
+entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x1470abe3ec6b
+Code: Unable to access opcode bytes at RIP 0x1470abe3ec41.
+RSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b
+RDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004
+RBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00
+R10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358
+R13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470
+</TASK>
+--[ end trace 888a9b92e04c5c97 ]--
+
+Fixes: df15856132bc ("RDMA/qedr: restructure functions that create/destroy QPs")
+Signed-off-by: Kamal Heib <kheib@redhat.com>
+Link: https://lore.kernel.org/r/20240208223628.2040841-1-kheib@redhat.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/verbs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c
+index 7887a6786ed43..f118ce0a9a617 100644
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -1879,8 +1879,17 @@ static int qedr_create_user_qp(struct qedr_dev *dev,
+ /* RQ - read access only (0) */
+ rc = qedr_init_user_queue(udata, dev, &qp->urq, ureq.rq_addr,
+ ureq.rq_len, true, 0, alloc_and_init);
+- if (rc)
++ if (rc) {
++ ib_umem_release(qp->usq.umem);
++ qp->usq.umem = NULL;
++ if (rdma_protocol_roce(&dev->ibdev, 1)) {
++ qedr_free_pbl(dev, &qp->usq.pbl_info,
++ qp->usq.pbl_tbl);
++ } else {
++ kfree(qp->usq.pbl_tbl);
++ }
+ return rc;
++ }
+ }
+
+ memset(&in_params, 0, sizeof(in_params));
+--
+2.43.0
+
--- /dev/null
+From caf98e1c3105d57c0aa486600d271132e19b8df3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 11:07:13 +0100
+Subject: RDMA/srpt: fix function pointer cast warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit eb5c7465c3240151cd42a55c7ace9da0026308a1 ]
+
+clang-16 notices that srpt_qp_event() gets called through an incompatible
+pointer here:
+
+drivers/infiniband/ulp/srpt/ib_srpt.c:1815:5: error: cast from 'void (*)(struct ib_event *, struct srpt_rdma_ch *)' to 'void (*)(struct ib_event *, void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 1815 | = (void(*)(struct ib_event *, void*))srpt_qp_event;
+
+Change srpt_qp_event() to use the correct prototype and adjust the
+argument inside of it.
+
+Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240213100728.458348-1-arnd@kernel.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index d2dce6ce30a94..040234c01be4d 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -214,10 +214,12 @@ static const char *get_ch_state_name(enum rdma_ch_state s)
+ /**
+ * srpt_qp_event - QP event callback function
+ * @event: Description of the event that occurred.
+- * @ch: SRPT RDMA channel.
++ * @ptr: SRPT RDMA channel.
+ */
+-static void srpt_qp_event(struct ib_event *event, struct srpt_rdma_ch *ch)
++static void srpt_qp_event(struct ib_event *event, void *ptr)
+ {
++ struct srpt_rdma_ch *ch = ptr;
++
+ pr_debug("QP event %d on ch=%p sess_name=%s-%d state=%s\n",
+ event->event, ch, ch->sess_name, ch->qp->qp_num,
+ get_ch_state_name(ch->state));
+@@ -1811,8 +1813,7 @@ static int srpt_create_ch_ib(struct srpt_rdma_ch *ch)
+ ch->cq_size = ch->rq_size + sq_size;
+
+ qp_init->qp_context = (void *)ch;
+- qp_init->event_handler
+- = (void(*)(struct ib_event *, void*))srpt_qp_event;
++ qp_init->event_handler = srpt_qp_event;
+ qp_init->send_cq = ch->cq;
+ qp_init->recv_cq = ch->cq;
+ qp_init->sq_sig_type = IB_SIGNAL_REQ_WR;
+--
+2.43.0
+
--- /dev/null
+From 2a0f8d350c2613117b0dd42ad6d16922d5e9bc4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Feb 2024 16:42:07 -0800
+Subject: RDMA/srpt: Support specifying the srpt_service_guid parameter
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit fdfa083549de5d50ebf7f6811f33757781e838c0 ]
+
+Make loading ib_srpt with this parameter set work. The current behavior is
+that setting that parameter while loading the ib_srpt kernel module
+triggers the following kernel crash:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+Call Trace:
+ <TASK>
+ parse_one+0x18c/0x1d0
+ parse_args+0xe1/0x230
+ load_module+0x8de/0xa60
+ init_module_from_file+0x8b/0xd0
+ idempotent_init_module+0x181/0x240
+ __x64_sys_finit_module+0x5a/0xb0
+ do_syscall_64+0x5f/0xe0
+ entry_SYSCALL_64_after_hwframe+0x6e/0x76
+
+Cc: LiHonggang <honggangli@163.com>
+Reported-by: LiHonggang <honggangli@163.com>
+Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20240205004207.17031-1-bvanassche@acm.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 58f70cfec45a7..d2dce6ce30a94 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -79,12 +79,16 @@ module_param(srpt_srq_size, int, 0444);
+ MODULE_PARM_DESC(srpt_srq_size,
+ "Shared receive queue (SRQ) size.");
+
++static int srpt_set_u64_x(const char *buffer, const struct kernel_param *kp)
++{
++ return kstrtou64(buffer, 16, (u64 *)kp->arg);
++}
+ static int srpt_get_u64_x(char *buffer, const struct kernel_param *kp)
+ {
+ return sprintf(buffer, "0x%016llx\n", *(u64 *)kp->arg);
+ }
+-module_param_call(srpt_service_guid, NULL, srpt_get_u64_x, &srpt_service_guid,
+- 0444);
++module_param_call(srpt_service_guid, srpt_set_u64_x, srpt_get_u64_x,
++ &srpt_service_guid, 0444);
+ MODULE_PARM_DESC(srpt_service_guid,
+ "Using this value for ioc_guid, id_ext, and cm_listen_id instead of using the node_guid of the first HCA.");
+
+--
+2.43.0
+
--- /dev/null
+From 931cbe5524532b2a97b866ca9b6e7e070de2bdd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 20:48:14 -0400
+Subject: s390: use the correct count for __iowrite64_copy()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 723a2cc8d69d4342b47dfddbfe6c19f1b135f09b ]
+
+The signature for __iowrite64_copy() requires the number of 64 bit
+quantities, not bytes. Multiple by 8 to get to a byte length before
+invoking zpci_memcpy_toio()
+
+Fixes: 87bc359b9822 ("s390/pci: speed up __iowrite64_copy by using pci store block insn")
+Acked-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/0-v1-9223d11a7662+1d7785-s390_iowrite64_jgg@nvidia.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c
+index 676ac74026a82..52a44e353796c 100644
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -252,7 +252,7 @@ resource_size_t pcibios_align_resource(void *data, const struct resource *res,
+ /* combine single writes by using store-block insn */
+ void __iowrite64_copy(void __iomem *to, const void *from, size_t count)
+ {
+- zpci_memcpy_toio(to, from, count);
++ zpci_memcpy_toio(to, from, count * 8);
+ }
+
+ void __iomem *ioremap_prot(phys_addr_t phys_addr, size_t size,
+--
+2.43.0
+
--- /dev/null
+From 8b48ac4762a55ef68416fd59778c1fb61638ee66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 21:59:53 -0800
+Subject: scsi: jazz_esp: Only build if SCSI core is builtin
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 9ddf190a7df77b77817f955fdb9c2ae9d1c9c9a3 ]
+
+JAZZ_ESP is a bool kconfig symbol that selects SCSI_SPI_ATTRS. When
+CONFIG_SCSI=m, this results in SCSI_SPI_ATTRS=m while JAZZ_ESP=y, which
+causes many undefined symbol linker errors.
+
+Fix this by only offering to build this driver when CONFIG_SCSI=y.
+
+[mkp: JAZZ_ESP is unique in that it does not support being compiled as a
+module unlike the remaining SPI SCSI HBA drivers]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20240214055953.9612-1-rdunlap@infradead.org
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: linux-mips@vger.kernel.org
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Nicolas Schier <nicolas@fjasle.eu>
+Cc: James E.J. Bottomley <jejb@linux.ibm.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: linux-scsi@vger.kernel.org
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202402112222.Gl0udKyU-lkp@intel.com/
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/Kconfig b/drivers/scsi/Kconfig
+index addac7fbe37b9..9ce27092729c3 100644
+--- a/drivers/scsi/Kconfig
++++ b/drivers/scsi/Kconfig
+@@ -1270,7 +1270,7 @@ source "drivers/scsi/arm/Kconfig"
+
+ config JAZZ_ESP
+ bool "MIPS JAZZ FAS216 SCSI support"
+- depends on MACH_JAZZ && SCSI
++ depends on MACH_JAZZ && SCSI=y
+ select SCSI_SPI_ATTRS
+ help
+ This is the driver for the onboard SCSI host adapter of MIPS Magnum
+--
+2.43.0
+
--- /dev/null
+From aaf7d956fa0606d54120dd6a0baae49234301276 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 10:22:00 -0600
+Subject: scsi: smartpqi: Fix disable_managed_interrupts
+
+From: Don Brace <don.brace@microchip.com>
+
+[ Upstream commit 5761eb9761d2d5fe8248a9b719efc4d8baf1f24a ]
+
+Correct blk-mq registration issue with module parameter
+disable_managed_interrupts enabled.
+
+When we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to
+register with blk-mq using blk_mq_map_queues(). The driver is currently
+calling blk_mq_pci_map_queues() which results in a stack trace and possibly
+undefined behavior.
+
+Stack Trace:
+[ 7.860089] scsi host2: smartpqi
+[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0
+[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse
+[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1
+[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022
+[ 7.963026] Workqueue: events work_for_cpu_fn
+[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0
+[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54
+[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216
+[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010
+[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310
+[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00
+[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000
+[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8
+[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000
+[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0
+[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 8.172818] PKRU: 55555554
+[ 8.172819] Call Trace:
+[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310
+[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245
+[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]
+[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]
+[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]
+[ 8.323286] local_pci_probe+0x42/0x80
+[ 8.337855] work_for_cpu_fn+0x16/0x20
+[ 8.351193] process_one_work+0x1a7/0x360
+[ 8.364462] ? create_worker+0x1a0/0x1a0
+[ 8.379252] worker_thread+0x1ce/0x390
+[ 8.392623] ? create_worker+0x1a0/0x1a0
+[ 8.406295] kthread+0x10a/0x120
+[ 8.418428] ? set_kthread_struct+0x50/0x50
+[ 8.431532] ret_from_fork+0x1f/0x40
+[ 8.444137] ---[ end trace 1bf0173d39354506 ]---
+
+Fixes: cf15c3e734e8 ("scsi: smartpqi: Add module param to disable managed ints")
+Tested-by: Yogesh Chandra Pandey <YogeshChandra.Pandey@microchip.com>
+Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
+Reviewed-by: Scott Teel <scott.teel@microchip.com>
+Reviewed-by: Mahesh Rajashekhara <mahesh.rajashekhara@microchip.com>
+Reviewed-by: Mike McGowen <mike.mcgowen@microchip.com>
+Reviewed-by: Kevin Barnett <kevin.barnett@microchip.com>
+Signed-off-by: Don Brace <don.brace@microchip.com>
+Link: https://lore.kernel.org/r/20240213162200.1875970-2-don.brace@microchip.com
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 081bb2c098063..868453b18c9ae 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -6533,8 +6533,11 @@ static void pqi_map_queues(struct Scsi_Host *shost)
+ {
+ struct pqi_ctrl_info *ctrl_info = shost_to_hba(shost);
+
+- blk_mq_pci_map_queues(&shost->tag_set.map[HCTX_TYPE_DEFAULT],
++ if (!ctrl_info->disable_managed_interrupts)
++ return blk_mq_pci_map_queues(&shost->tag_set.map[HCTX_TYPE_DEFAULT],
+ ctrl_info->pci_dev, 0);
++ else
++ return blk_mq_map_queues(&shost->tag_set.map[HCTX_TYPE_DEFAULT]);
+ }
+
+ static inline bool pqi_is_tape_changer_device(struct pqi_scsi_dev *device)
+--
+2.43.0
+
--- /dev/null
+From dc6de3cc62c31695238cbf2ba3924aa16cf17e6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 21:08:09 +0300
+Subject: scsi: ufs: Uninitialized variable in ufshcd_devfreq_target()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f2dced9d1992824d677593072bc20eccf66ac5d5 ]
+
+There is one goto where "sched_clk_scaling_suspend_work" is true but
+"scale_up" is uninitialized. It leads to a Smatch uninitialized variable
+warning:
+
+drivers/ufs/core/ufshcd.c:1589 ufshcd_devfreq_target() error: uninitialized symbol 'scale_up'.
+
+Fixes: 1d969731b87f ("scsi: ufs: core: Only suspend clock scaling if scaling down")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/c787d37f-1107-4512-8991-bccf80e74a35@moroto.mountain
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index e197b9828c3c3..d2d760143ca30 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -1456,7 +1456,7 @@ static int ufshcd_devfreq_target(struct device *dev,
+ int ret = 0;
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+ ktime_t start;
+- bool scale_up, sched_clk_scaling_suspend_work = false;
++ bool scale_up = false, sched_clk_scaling_suspend_work = false;
+ struct list_head *clk_list = &hba->clk_list_head;
+ struct ufs_clk_info *clki;
+ unsigned long irq_flags;
+--
+2.43.0
+
--- /dev/null
+From 1c56b0dfa12368d6a882bdd9eee2a30ec0f5d476 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 10:33:25 +0800
+Subject: selftests: bonding: set active slave to primary eth1 specifically
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit cd65c48d66920457129584553f217005d09b1edb ]
+
+In bond priority testing, we set the primary interface to eth1 and add
+eth0,1,2 to bond in serial. This is OK in normal times. But when in
+debug kernel, the bridge port that eth0,1,2 connected would start
+slowly (enter blocking, forwarding state), which caused the primary
+interface down for a while after enslaving and active slave changed.
+Here is a test log from Jakub's debug test[1].
+
+ [ 400.399070][ T50] br0: port 1(s0) entered disabled state
+ [ 400.400168][ T50] br0: port 4(s2) entered disabled state
+ [ 400.941504][ T2791] bond0: (slave eth0): making interface the new active one
+ [ 400.942603][ T2791] bond0: (slave eth0): Enslaving as an active interface with an up link
+ [ 400.943633][ T2766] br0: port 1(s0) entered blocking state
+ [ 400.944119][ T2766] br0: port 1(s0) entered forwarding state
+ [ 401.128792][ T2792] bond0: (slave eth1): making interface the new active one
+ [ 401.130771][ T2792] bond0: (slave eth1): Enslaving as an active interface with an up link
+ [ 401.131643][ T69] br0: port 2(s1) entered blocking state
+ [ 401.132067][ T69] br0: port 2(s1) entered forwarding state
+ [ 401.346201][ T2793] bond0: (slave eth2): Enslaving as a backup interface with an up link
+ [ 401.348414][ T50] br0: port 4(s2) entered blocking state
+ [ 401.348857][ T50] br0: port 4(s2) entered forwarding state
+ [ 401.519669][ T250] bond0: (slave eth0): link status definitely down, disabling slave
+ [ 401.526522][ T250] bond0: (slave eth1): link status definitely down, disabling slave
+ [ 401.526986][ T250] bond0: (slave eth2): making interface the new active one
+ [ 401.629470][ T250] bond0: (slave eth0): link status definitely up
+ [ 401.630089][ T250] bond0: (slave eth1): link status definitely up
+ [...]
+ # TEST: prio (active-backup ns_ip6_target primary_reselect 1) [FAIL]
+ # Current active slave is eth2 but not eth1
+
+Fix it by setting active slave to primary slave specifically before
+testing.
+
+[1] https://netdev-3.bots.linux.dev/vmksft-bonding-dbg/results/464301/1-bond-options-sh/stdout
+
+Fixes: 481b56e0391e ("selftests: bonding: re-format bond option tests")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/bonding/bond_options.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/drivers/net/bonding/bond_options.sh b/tools/testing/selftests/drivers/net/bonding/bond_options.sh
+index d508486cc0bdc..9a3d3c389dadd 100755
+--- a/tools/testing/selftests/drivers/net/bonding/bond_options.sh
++++ b/tools/testing/selftests/drivers/net/bonding/bond_options.sh
+@@ -62,6 +62,8 @@ prio_test()
+
+ # create bond
+ bond_reset "${param}"
++ # set active_slave to primary eth1 specifically
++ ip -n ${s_ns} link set bond0 type bond active_slave eth1
+
+ # check bonding member prio value
+ ip -n ${s_ns} link set eth0 type bond_slave prio 0
+--
+2.43.0
+
--- /dev/null
+From a7b487a63a1d7c8d2d26832b553084320be4824b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 12:49:33 +0500
+Subject: selftests/iommu: fix the config fragment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+
+[ Upstream commit 510325e5ac5f45c1180189d3bfc108c54bf64544 ]
+
+The config fragment doesn't follow the correct format to enable those
+config options which make the config options getting missed while
+merging with other configs.
+
+➜ merge_config.sh -m .config tools/testing/selftests/iommu/config
+Using .config as base
+Merging tools/testing/selftests/iommu/config
+➜ make olddefconfig
+.config:5295:warning: unexpected data: CONFIG_IOMMUFD
+.config:5296:warning: unexpected data: CONFIG_IOMMUFD_TEST
+
+While at it, add CONFIG_FAULT_INJECTION as well which is needed for
+CONFIG_IOMMUFD_TEST. If CONFIG_FAULT_INJECTION isn't present in base
+config (such as x86 defconfig), CONFIG_IOMMUFD_TEST doesn't get enabled.
+
+Fixes: 57f0988706fe ("iommufd: Add a selftest")
+Link: https://lore.kernel.org/r/20240222074934.71380-1-usama.anjum@collabora.com
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/iommu/config | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/iommu/config b/tools/testing/selftests/iommu/config
+index 6c4f901d6fed3..110d73917615d 100644
+--- a/tools/testing/selftests/iommu/config
++++ b/tools/testing/selftests/iommu/config
+@@ -1,2 +1,3 @@
+-CONFIG_IOMMUFD
+-CONFIG_IOMMUFD_TEST
++CONFIG_IOMMUFD=y
++CONFIG_FAULT_INJECTION=y
++CONFIG_IOMMUFD_TEST=y
+--
+2.43.0
+
drm-amd-display-avoid-enum-conversion-warning.patch
drm-amd-display-fix-buffer-overflow-in-get_host_router_total_dp_tunnel_bw.patch
revert-drm-amd-display-increased-min_dcfclk_mhz-and-min_fclk_mhz.patch
+ib-hfi1-fix-a-memleak-in-init_credit_return.patch
+rdma-bnxt_re-return-error-for-srq-resize.patch
+rdma-bnxt_re-add-a-missing-check-in-bnxt_qplib_query.patch
+ib-mlx5-don-t-expose-debugfs-entries-for-rroce-gener.patch
+arm64-dts-imx8mp-disable-uart4-by-default-on-data-mo.patch
+rdma-irdma-fix-kasan-issue-with-tasklet.patch
+rdma-irdma-validate-max_send_wr-and-max_recv_wr.patch
+rdma-irdma-set-the-cq-read-threshold-for-gen-1.patch
+rdma-irdma-add-ae-for-too-many-rnrs.patch
+rdma-srpt-support-specifying-the-srpt_service_guid-p.patch
+arm64-dts-tqma8mpql-fix-audio-codec-iov-supply.patch
+bus-imx-weim-fix-valid-range-check.patch
+iommufd-iova_bitmap-bounds-check-mapped-pages-access.patch
+iommufd-iova_bitmap-switch-iova_bitmap-bitmap-to-an-.patch
+iommufd-iova_bitmap-handle-recording-beyond-the-mapp.patch
+iommufd-iova_bitmap-consider-page-offset-for-the-pag.patch
+rdma-qedr-fix-qedr_create_user_qp-error-flow.patch
+arm64-dts-rockchip-set-num-cs-property-for-spi-on-px.patch
+arm64-dts-rockchip-correct-indiedroid-nova-gpio-name.patch
+xsk-add-truesize-to-skb_add_rx_frag.patch
+rdma-srpt-fix-function-pointer-cast-warnings.patch
+bpf-scripts-correct-gpl-license-name.patch
+scsi-ufs-uninitialized-variable-in-ufshcd_devfreq_ta.patch
+scsi-smartpqi-fix-disable_managed_interrupts.patch
+scsi-jazz_esp-only-build-if-scsi-core-is-builtin.patch
+net-bridge-switchdev-skip-mdb-replays-of-deferred-ev.patch
+net-bridge-switchdev-ensure-deferred-event-delivery-.patch
+dccp-tcp-unhash-sk-from-ehash-for-tb2-alloc-failure-.patch
+net-ethernet-adi-requires-phylib-support.patch
+net-sched-act_mirred-create-function-tcf_mirred_to_d.patch
+net-sched-act_mirred-use-the-backlog-for-mirred-ingr.patch
+net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
+nouveau-fix-function-cast-warnings.patch
+drm-nouveau-mmu-r535-uninitialized-variable-in-r535_.patch
+x86-numa-fix-the-address-overlap-check-in-numa_fill_.patch
+x86-numa-fix-the-sort-compare-func-used-in-numa_fill.patch
+net-stmmac-fix-incorrect-dereference-in-interrupt-ha.patch
+ipv4-properly-combine-dev_base_seq-and-ipv4.dev_addr.patch
+ipv6-properly-combine-dev_base_seq-and-ipv6.dev_addr.patch
+net-bcmasp-indicate-mac-is-in-charge-of-phy-pm.patch
+net-bcmasp-sanity-check-is-off-by-one.patch
+powerpc-pseries-iommu-dlpar-add-doesn-t-completely-i.patch
+selftests-bonding-set-active-slave-to-primary-eth1-s.patch
+ata-ahci_ceva-fix-error-handling-for-xilinx-gt-phy-s.patch
+bpf-fix-racing-between-bpf_timer_cancel_and_free-and.patch
+platform-x86-think-lmi-fix-password-opcode-ordering-.patch
+parisc-fix-stack-unwinder.patch
+afs-increase-buffer-size-in-afs_update_volume_status.patch
+ipv6-sr-fix-possible-use-after-free-and-null-ptr-der.patch
+devlink-fix-possible-use-after-free-and-memory-leaks.patch
+arp-prevent-overflow-in-arp_req_get.patch
+kvm-ppc-book3s-hv-fix-l2-guest-reboot-failure-due-to.patch
+gpiolib-handle-no-pin_ranges-in-gpiochip_generic_con.patch
+arm64-sme-restore-sme-registers-on-exit-from-suspend.patch
+arm64-sme-restore-smcr_el1.ezt0-on-exit-from-suspend.patch
+platform-x86-thinkpad_acpi-only-update-profile-if-su.patch
+drm-i915-tv-fix-tv-mode.patch
+iommu-vt-d-update-iotlb-in-nested-domain-attach.patch
+iommu-vt-d-track-nested-domains-in-parent.patch
+iommu-vt-d-remove-domain-parameter-for-intel_pasid_s.patch
+iommu-vt-d-wrap-the-dirty-tracking-loop-to-be-a-help.patch
+iommu-vt-d-add-missing-dirty-tracking-set-for-parent.patch
+iommu-vt-d-set-ssade-when-attaching-to-a-parent-with.patch
+octeontx2-af-consider-the-action-set-by-pf.patch
+net-implement-lockless-setsockopt-so_peek_off.patch
+net-ipa-don-t-overrun-ipa-suspend-interrupt-register.patch
+iommufd-reject-non-zero-data_type-if-no-data_len-is-.patch
+s390-use-the-correct-count-for-__iowrite64_copy.patch
+bpf-sockmap-fix-null-pointer-dereference-in-sk_psock.patch
+cache-ax45mp_cache-align-end-size-to-cache-boundary-.patch
+hwmon-nct6775-fix-access-to-temperature-configuratio.patch
+tls-break-out-of-main-loop-when-peek-gets-a-non-data.patch
+tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch
+tls-don-t-skip-over-different-type-records-from-the-.patch
+netfilter-nf_tables-set-dormant-flag-on-hook-registe.patch
+netfilter-nft_flow_offload-reset-dst-in-route-object.patch
+netfilter-nft_flow_offload-release-dst-in-case-direc.patch
+netfilter-nf_tables-register-hooks-last-when-adding-.patch
+netfilter-nf_tables-use-kzalloc-for-hook-allocation.patch
+net-mctp-put-sock-on-tag-allocation-failure.patch
+tools-ynl-make-sure-we-always-pass-yarg-to-mnl_cb_ru.patch
+tools-ynl-don-t-leak-mcast_groups-on-init-error.patch
+devlink-fix-port-dump-cmd-type.patch
+net-sched-flower-add-lock-protection-when-remove-fil.patch
+net-sparx5-add-spinlock-for-frame-transmission-from-.patch
+phonet-take-correct-lock-to-peek-at-the-rx-queue.patch
+phonet-pep-fix-racy-skb_queue_empty-use.patch
+fix-write-to-cloned-skb-in-ipv6_hop_ioam.patch
+net-phy-realtek-fix-rtl8211f_config_init-for-rtl8211.patch
+drm-syncobj-call-drm_syncobj_fence_add_wait-when-wai.patch
+iommu-add-mm_get_enqcmd_pasid-helper-function.patch
+iommu-arm-smmu-v3-do-not-use-gfp_kernel-under-as-spi.patch
+drm-syncobj-handle-null-fence-in-syncobj_eventfd_ent.patch
+selftests-iommu-fix-the-config-fragment.patch
+drm-amd-display-fix-potential-null-pointer-dereferen.patch
+drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch
+drm-amd-display-fix-null-pointer-dereference-on-edid.patch
+i2c-imx-when-being-a-target-mark-the-last-read-as-pr.patch
--- /dev/null
+From 892ece070d4514609f675ef0816deadfbb10f74c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 17:17:29 +0100
+Subject: tls: break out of main loop when PEEK gets a non-data record
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 10f41d0710fc81b7af93fa6106678d57b1ff24a7 ]
+
+PEEK needs to leave decrypted records on the rx_list so that we can
+receive them later on, so it jumps back into the async code that
+queues the skb. Unfortunately that makes us skip the
+TLS_RECORD_TYPE_DATA check at the bottom of the main loop, so if two
+records of the same (non-DATA) type are queued, we end up merging
+them.
+
+Add the same record type check, and make it unlikely to not penalize
+the async fastpath. Async decrypt only applies to data record, so this
+check is only needed for PEEK.
+
+process_rx_list also has similar issues.
+
+Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/3df2eef4fdae720c55e69472b5bea668772b45a2.1708007371.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 9fbc70200cd0f..78aedfc682ba8 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -2064,6 +2064,8 @@ int tls_sw_recvmsg(struct sock *sk,
+ decrypted += chunk;
+ len -= chunk;
+ __skb_queue_tail(&ctx->rx_list, skb);
++ if (unlikely(control != TLS_RECORD_TYPE_DATA))
++ break;
+ continue;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2ef0dd498a4bd489a0aa393e92c61d4c21e8b169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 17:17:31 +0100
+Subject: tls: don't skip over different type records from the rx_list
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit ec823bf3a479d42c589dc0f28ef4951c49cd2d2a ]
+
+If we queue 3 records:
+ - record 1, type DATA
+ - record 2, some other type
+ - record 3, type DATA
+and do a recv(PEEK), the rx_list will contain the first two records.
+
+The next large recv will walk through the rx_list and copy data from
+record 1, then stop because record 2 is a different type. Since we
+haven't filled up our buffer, we will process the next available
+record. It's also DATA, so we can merge it with the current read.
+
+We shouldn't do that, since there was a record in between that we
+ignored.
+
+Add a flag to let process_rx_list inform tls_sw_recvmsg that it had
+more data available.
+
+Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/f00c0c0afa080c60f016df1471158c1caf983c34.1708007371.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 43dd0d82b6ed7..de96959336c48 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1772,7 +1772,8 @@ static int process_rx_list(struct tls_sw_context_rx *ctx,
+ u8 *control,
+ size_t skip,
+ size_t len,
+- bool is_peek)
++ bool is_peek,
++ bool *more)
+ {
+ struct sk_buff *skb = skb_peek(&ctx->rx_list);
+ struct tls_msg *tlm;
+@@ -1785,7 +1786,7 @@ static int process_rx_list(struct tls_sw_context_rx *ctx,
+
+ err = tls_record_content_type(msg, tlm, control);
+ if (err <= 0)
+- goto out;
++ goto more;
+
+ if (skip < rxm->full_len)
+ break;
+@@ -1803,12 +1804,12 @@ static int process_rx_list(struct tls_sw_context_rx *ctx,
+
+ err = tls_record_content_type(msg, tlm, control);
+ if (err <= 0)
+- goto out;
++ goto more;
+
+ err = skb_copy_datagram_msg(skb, rxm->offset + skip,
+ msg, chunk);
+ if (err < 0)
+- goto out;
++ goto more;
+
+ len = len - chunk;
+ copied = copied + chunk;
+@@ -1844,6 +1845,10 @@ static int process_rx_list(struct tls_sw_context_rx *ctx,
+
+ out:
+ return copied ? : err;
++more:
++ if (more)
++ *more = true;
++ goto out;
+ }
+
+ static bool
+@@ -1947,6 +1952,7 @@ int tls_sw_recvmsg(struct sock *sk,
+ int target, err;
+ bool is_kvec = iov_iter_is_kvec(&msg->msg_iter);
+ bool is_peek = flags & MSG_PEEK;
++ bool rx_more = false;
+ bool released = true;
+ bool bpf_strp_enabled;
+ bool zc_capable;
+@@ -1966,12 +1972,12 @@ int tls_sw_recvmsg(struct sock *sk,
+ goto end;
+
+ /* Process pending decrypted records. It must be non-zero-copy */
+- err = process_rx_list(ctx, msg, &control, 0, len, is_peek);
++ err = process_rx_list(ctx, msg, &control, 0, len, is_peek, &rx_more);
+ if (err < 0)
+ goto end;
+
+ copied = err;
+- if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA))
++ if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA) || rx_more)
+ goto end;
+
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
+@@ -2130,10 +2136,10 @@ int tls_sw_recvmsg(struct sock *sk,
+ /* Drain records from the rx_list & copy if required */
+ if (is_peek || is_kvec)
+ err = process_rx_list(ctx, msg, &control, copied,
+- decrypted, is_peek);
++ decrypted, is_peek, NULL);
+ else
+ err = process_rx_list(ctx, msg, &control, 0,
+- async_copy_bytes, is_peek);
++ async_copy_bytes, is_peek, NULL);
+ }
+
+ copied += decrypted;
+--
+2.43.0
+
--- /dev/null
+From 20f5381f6e7863bde76bc65f6088c01532dc3442 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 17:17:30 +0100
+Subject: tls: stop recv() if initial process_rx_list gave us non-DATA
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit fdfbaec5923d9359698cbb286bc0deadbb717504 ]
+
+If we have a non-DATA record on the rx_list and another record of the
+same type still on the queue, we will end up merging them:
+ - process_rx_list copies the non-DATA record
+ - we start the loop and process the first available record since it's
+ of the same type
+ - we break out of the loop since the record was not DATA
+
+Just check the record type and jump to the end in case process_rx_list
+did some work.
+
+Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/bd31449e43bd4b6ff546f5c51cf958c31c511deb.1708007371.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 78aedfc682ba8..43dd0d82b6ed7 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1971,7 +1971,7 @@ int tls_sw_recvmsg(struct sock *sk,
+ goto end;
+
+ copied = err;
+- if (len <= copied)
++ if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA))
+ goto end;
+
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
+--
+2.43.0
+
--- /dev/null
+From 02619e1ffb4e5aa8ad8765092fd42ad0a4f00a0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 08:11:12 -0800
+Subject: tools: ynl: don't leak mcast_groups on init error
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 5d78b73e851455d525a064f3b042b29fdc0c1a4a ]
+
+Make sure to free the already-parsed mcast_groups if
+we don't get an ack from the kernel when reading family info.
+This is part of the ynl_sock_create() error path, so we won't
+get a call to ynl_sock_destroy() to free them later.
+
+Fixes: 86878f14d71a ("tools: ynl: user space helpers")
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Link: https://lore.kernel.org/r/20240220161112.2735195-3-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/lib/ynl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/net/ynl/lib/ynl.c b/tools/net/ynl/lib/ynl.c
+index 65975a8306738..591f5f50ddaab 100644
+--- a/tools/net/ynl/lib/ynl.c
++++ b/tools/net/ynl/lib/ynl.c
+@@ -584,7 +584,13 @@ static int ynl_sock_read_family(struct ynl_sock *ys, const char *family_name)
+ return err;
+ }
+
+- return ynl_recv_ack(ys, err);
++ err = ynl_recv_ack(ys, err);
++ if (err < 0) {
++ free(ys->mcast_groups);
++ return err;
++ }
++
++ return 0;
+ }
+
+ struct ynl_sock *
+--
+2.43.0
+
--- /dev/null
+From c6d34919cb82e3ec49ea7a47dcae5998d140f493 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 08:11:11 -0800
+Subject: tools: ynl: make sure we always pass yarg to mnl_cb_run
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit e4fe082c38cd74a8fa384bc7542cf3edf1cb7318 ]
+
+There is one common error handler in ynl - ynl_cb_error().
+It expects priv to be a pointer to struct ynl_parse_arg AKA yarg.
+To avoid potential crashes if we encounter a stray NLMSG_ERROR
+always pass yarg as priv (or a struct which has it as the first
+member).
+
+ynl_cb_null() has a similar problem directly - it expects yarg
+but priv passed by the caller is ys.
+
+Found by code inspection.
+
+Fixes: 86878f14d71a ("tools: ynl: user space helpers")
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Link: https://lore.kernel.org/r/20240220161112.2735195-2-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/lib/ynl.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/tools/net/ynl/lib/ynl.c b/tools/net/ynl/lib/ynl.c
+index 830d25097009a..65975a8306738 100644
+--- a/tools/net/ynl/lib/ynl.c
++++ b/tools/net/ynl/lib/ynl.c
+@@ -462,6 +462,8 @@ ynl_gemsg_start_dump(struct ynl_sock *ys, __u32 id, __u8 cmd, __u8 version)
+
+ int ynl_recv_ack(struct ynl_sock *ys, int ret)
+ {
++ struct ynl_parse_arg yarg = { .ys = ys, };
++
+ if (!ret) {
+ yerr(ys, YNL_ERROR_EXPECT_ACK,
+ "Expecting an ACK but nothing received");
+@@ -474,7 +476,7 @@ int ynl_recv_ack(struct ynl_sock *ys, int ret)
+ return ret;
+ }
+ return mnl_cb_run(ys->rx_buf, ret, ys->seq, ys->portid,
+- ynl_cb_null, ys);
++ ynl_cb_null, &yarg);
+ }
+
+ int ynl_cb_null(const struct nlmsghdr *nlh, void *data)
+@@ -737,11 +739,14 @@ static int ynl_ntf_parse(struct ynl_sock *ys, const struct nlmsghdr *nlh)
+
+ static int ynl_ntf_trampoline(const struct nlmsghdr *nlh, void *data)
+ {
+- return ynl_ntf_parse((struct ynl_sock *)data, nlh);
++ struct ynl_parse_arg *yarg = data;
++
++ return ynl_ntf_parse(yarg->ys, nlh);
+ }
+
+ int ynl_ntf_check(struct ynl_sock *ys)
+ {
++ struct ynl_parse_arg yarg = { .ys = ys, };
+ ssize_t len;
+ int err;
+
+@@ -763,7 +768,7 @@ int ynl_ntf_check(struct ynl_sock *ys)
+ return len;
+
+ err = mnl_cb_run2(ys->rx_buf, len, ys->seq, ys->portid,
+- ynl_ntf_trampoline, ys,
++ ynl_ntf_trampoline, &yarg,
+ ynl_cb_array, NLMSG_MIN_TYPE);
+ if (err < 0)
+ return err;
+--
+2.43.0
+
--- /dev/null
+From 354a034ec822d1eba18e27c0c4e0e318a8324a43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jan 2024 12:09:50 -0800
+Subject: x86/numa: Fix the address overlap check in numa_fill_memblks()
+
+From: Alison Schofield <alison.schofield@intel.com>
+
+[ Upstream commit 9b99c17f7510bed2adbe17751fb8abddba5620bc ]
+
+numa_fill_memblks() fills in the gaps in numa_meminfo memblks over a
+physical address range. To do so, it first creates a list of existing
+memblks that overlap that address range. The issue is that it is off
+by one when comparing to the end of the address range, so memblks
+that do not overlap are selected.
+
+The impact of selecting a memblk that does not actually overlap is
+that an existing memblk may be filled when the expected action is to
+do nothing and return NUMA_NO_MEMBLK to the caller. The caller can
+then add a new NUMA node and memblk.
+
+Replace the broken open-coded search for address overlap with the
+memblock helper memblock_addrs_overlap(). Update the kernel doc
+and in code comments.
+
+Suggested by: "Huang, Ying" <ying.huang@intel.com>
+
+Fixes: 8f012db27c95 ("x86/numa: Introduce numa_fill_memblks()")
+Signed-off-by: Alison Schofield <alison.schofield@intel.com>
+Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Link: https://lore.kernel.org/r/10a3e6109c34c21a8dd4c513cf63df63481a2b07.1705085543.git.alison.schofield@intel.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/numa.c | 19 +++++++------------
+ include/linux/memblock.h | 2 ++
+ mm/memblock.c | 5 +++--
+ 3 files changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
+index b29ceb19e46ec..efc5f1be8d3af 100644
+--- a/arch/x86/mm/numa.c
++++ b/arch/x86/mm/numa.c
+@@ -974,14 +974,12 @@ static struct numa_memblk *numa_memblk_list[NR_NODE_MEMBLKS] __initdata;
+ * @start: address to begin fill
+ * @end: address to end fill
+ *
+- * Find and extend numa_meminfo memblks to cover the @start-@end
+- * physical address range, such that the first memblk includes
+- * @start, the last memblk includes @end, and any gaps in between
+- * are filled.
++ * Find and extend numa_meminfo memblks to cover the physical
++ * address range @start-@end
+ *
+ * RETURNS:
+ * 0 : Success
+- * NUMA_NO_MEMBLK : No memblk exists in @start-@end range
++ * NUMA_NO_MEMBLK : No memblks exist in address range @start-@end
+ */
+
+ int __init numa_fill_memblks(u64 start, u64 end)
+@@ -993,17 +991,14 @@ int __init numa_fill_memblks(u64 start, u64 end)
+
+ /*
+ * Create a list of pointers to numa_meminfo memblks that
+- * overlap start, end. Exclude (start == bi->end) since
+- * end addresses in both a CFMWS range and a memblk range
+- * are exclusive.
+- *
+- * This list of pointers is used to make in-place changes
+- * that fill out the numa_meminfo memblks.
++ * overlap start, end. The list is used to make in-place
++ * changes that fill out the numa_meminfo memblks.
+ */
+ for (int i = 0; i < mi->nr_blks; i++) {
+ struct numa_memblk *bi = &mi->blk[i];
+
+- if (start < bi->end && end >= bi->start) {
++ if (memblock_addrs_overlap(start, end - start, bi->start,
++ bi->end - bi->start)) {
+ blk[count] = &mi->blk[i];
+ count++;
+ }
+diff --git a/include/linux/memblock.h b/include/linux/memblock.h
+index ae3bde302f704..ccf0176ba3681 100644
+--- a/include/linux/memblock.h
++++ b/include/linux/memblock.h
+@@ -121,6 +121,8 @@ int memblock_reserve(phys_addr_t base, phys_addr_t size);
+ int memblock_physmem_add(phys_addr_t base, phys_addr_t size);
+ #endif
+ void memblock_trim_memory(phys_addr_t align);
++unsigned long memblock_addrs_overlap(phys_addr_t base1, phys_addr_t size1,
++ phys_addr_t base2, phys_addr_t size2);
+ bool memblock_overlaps_region(struct memblock_type *type,
+ phys_addr_t base, phys_addr_t size);
+ int memblock_mark_hotplug(phys_addr_t base, phys_addr_t size);
+diff --git a/mm/memblock.c b/mm/memblock.c
+index 1572956c5e31e..9a5248fe9cf97 100644
+--- a/mm/memblock.c
++++ b/mm/memblock.c
+@@ -180,8 +180,9 @@ static inline phys_addr_t memblock_cap_size(phys_addr_t base, phys_addr_t *size)
+ /*
+ * Address comparison utilities
+ */
+-static unsigned long __init_memblock memblock_addrs_overlap(phys_addr_t base1, phys_addr_t size1,
+- phys_addr_t base2, phys_addr_t size2)
++unsigned long __init_memblock
++memblock_addrs_overlap(phys_addr_t base1, phys_addr_t size1, phys_addr_t base2,
++ phys_addr_t size2)
+ {
+ return ((base1 < (base2 + size2)) && (base2 < (base1 + size1)));
+ }
+--
+2.43.0
+
--- /dev/null
+From 0b250eb267f5f24bac76f7120046ca0fc56f6442 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jan 2024 12:09:51 -0800
+Subject: x86/numa: Fix the sort compare func used in numa_fill_memblks()
+
+From: Alison Schofield <alison.schofield@intel.com>
+
+[ Upstream commit b626070ffc14acca5b87a2aa5f581db98617584c ]
+
+The compare function used to sort memblks into starting address
+order fails when the result of its u64 address subtraction gets
+truncated to an int upon return.
+
+The impact of the bad sort is that memblks will be filled out
+incorrectly. Depending on the set of memblks, a user may see no
+errors at all but still have a bad fill, or see messages reporting
+a node overlap that leads to numa init failure:
+
+[] node 0 [mem: ] overlaps with node 1 [mem: ]
+[] No NUMA configuration found
+
+Replace with a comparison that can only result in: 1, 0, -1.
+
+Fixes: 8f012db27c95 ("x86/numa: Introduce numa_fill_memblks()")
+Signed-off-by: Alison Schofield <alison.schofield@intel.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Link: https://lore.kernel.org/r/99dcb3ae87e04995e9f293f6158dc8fa0749a487.1705085543.git.alison.schofield@intel.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/numa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
+index efc5f1be8d3af..9d63cfff1fd41 100644
+--- a/arch/x86/mm/numa.c
++++ b/arch/x86/mm/numa.c
+@@ -964,7 +964,7 @@ static int __init cmp_memblk(const void *a, const void *b)
+ const struct numa_memblk *ma = *(const struct numa_memblk **)a;
+ const struct numa_memblk *mb = *(const struct numa_memblk **)b;
+
+- return ma->start - mb->start;
++ return (ma->start > mb->start) - (ma->start < mb->start);
+ }
+
+ static struct numa_memblk *numa_memblk_list[NR_NODE_MEMBLKS] __initdata;
+--
+2.43.0
+
--- /dev/null
+From 930ed316a8920b47981f4961a2c89c4f36a65d6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 17:32:20 +0100
+Subject: xsk: Add truesize to skb_add_rx_frag().
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 2127c604383666675789fd4a5fc2aead46c73aad ]
+
+xsk_build_skb() allocates a page and adds it to the skb via
+skb_add_rx_frag() and specifies 0 for truesize. This leads to a warning
+in skb_add_rx_frag() with CONFIG_DEBUG_NET enabled because size is
+larger than truesize.
+
+Increasing truesize requires to add the same amount to socket's
+sk_wmem_alloc counter in order not to underflow the counter during
+release in the destructor (sock_wfree()).
+
+Pass the size of the allocated page as truesize to skb_add_rx_frag().
+Add this mount to socket's sk_wmem_alloc counter.
+
+Fixes: cf24f5a5feea ("xsk: add support for AF_XDP multi-buffer on Tx path")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/bpf/20240202163221.2488589-1-bigeasy@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index 688e641cd2784..da1582de6e84a 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -711,7 +711,8 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
+ memcpy(vaddr, buffer, len);
+ kunmap_local(vaddr);
+
+- skb_add_rx_frag(skb, nr_frags, page, 0, len, 0);
++ skb_add_rx_frag(skb, nr_frags, page, 0, len, PAGE_SIZE);
++ refcount_add(PAGE_SIZE, &xs->sk.sk_wmem_alloc);
+ }
+ }
+
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
