--- /dev/null
+From f11e151c6b05bcf663193022abd52e7532d98063 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 11:18:50 +0300
+Subject: ABI: testing: fix admv8818 attr description
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+[ Upstream commit 7d34b4ad8cd2867b130b5b8d7d76d0d6092bd019 ]
+
+Fix description of the filter_mode_available attribute by pointing to
+the correct name of the attribute that can be written with valid values.
+
+Fixes: bf92d87d7c67 ("iio:filter:admv8818: Add sysfs ABI documentation")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Link: https://patch.msgid.link/20240702081851.4663-1-antoniu.miclaus@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 b/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818
+index 31dbb390573ff..c431f0a13cf50 100644
+--- a/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818
++++ b/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818
+@@ -3,7 +3,7 @@ KernelVersion:
+ Contact: linux-iio@vger.kernel.org
+ Description:
+ Reading this returns the valid values that can be written to the
+- on_altvoltage0_mode attribute:
++ filter_mode attribute:
+
+ - auto -> Adjust bandpass filter to track changes in input clock rate.
+ - manual -> disable/unregister the clock rate notifier / input clock tracking.
+--
+2.43.0
+
--- /dev/null
+From ebe6eb67fdb9311c3d348a57f72885eb9ade53a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 12:16:44 +0200
+Subject: ACPI: CPPC: Fix MASK_VAL() usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <cleger@rivosinc.com>
+
+[ Upstream commit 60949b7b805424f21326b450ca4f1806c06d982e ]
+
+MASK_VAL() was added as a way to handle bit_offset and bit_width for
+registers located in system memory address space. However, while suited
+for reading, it does not work for writing and result in corrupted
+registers when writing values with bit_offset > 0. Moreover, when a
+register is collocated with another one at the same address but with a
+different mask, the current code results in the other registers being
+overwritten with 0s. The write procedure for SYSTEM_MEMORY registers
+should actually read the value, mask it, update it and write it with the
+updated value. Moreover, since registers can be located in the same
+word, we must take care of locking the access before doing it. We should
+potentially use a global lock since we don't know in if register
+addresses aren't shared with another _CPC package but better not
+encourage vendors to do so. Assume that registers can use the same word
+inside a _CPC package and thus, use a per _CPC package lock.
+
+Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
+Signed-off-by: Clément Léger <cleger@rivosinc.com>
+Link: https://patch.msgid.link/20240826101648.95654-1-cleger@rivosinc.com
+[ rjw: Dropped redundant semicolon ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/cppc_acpi.c | 43 ++++++++++++++++++++++++++++++++++++----
+ include/acpi/cppc_acpi.h | 2 ++
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
+index 1d857978f5f40..2a588e4ed4af4 100644
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -170,8 +170,11 @@ show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time);
+ #define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
+
+ /* Shift and apply the mask for CPC reads/writes */
+-#define MASK_VAL(reg, val) (((val) >> (reg)->bit_offset) & \
++#define MASK_VAL_READ(reg, val) (((val) >> (reg)->bit_offset) & \
+ GENMASK(((reg)->bit_width) - 1, 0))
++#define MASK_VAL_WRITE(reg, prev_val, val) \
++ ((((val) & GENMASK(((reg)->bit_width) - 1, 0)) << (reg)->bit_offset) | \
++ ((prev_val) & ~(GENMASK(((reg)->bit_width) - 1, 0) << (reg)->bit_offset))) \
+
+ static ssize_t show_feedback_ctrs(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
+@@ -857,6 +860,7 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr)
+
+ /* Store CPU Logical ID */
+ cpc_ptr->cpu_id = pr->id;
++ spin_lock_init(&cpc_ptr->rmw_lock);
+
+ /* Parse PSD data for this CPU */
+ ret = acpi_get_psd(cpc_ptr, handle);
+@@ -1062,7 +1066,7 @@ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val)
+ }
+
+ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+- *val = MASK_VAL(reg, *val);
++ *val = MASK_VAL_READ(reg, *val);
+
+ return 0;
+ }
+@@ -1071,9 +1075,11 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
+ {
+ int ret_val = 0;
+ int size;
++ u64 prev_val;
+ void __iomem *vaddr = NULL;
+ int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu);
+ struct cpc_reg *reg = ®_res->cpc_entry.reg;
++ struct cpc_desc *cpc_desc;
+
+ size = GET_BIT_WIDTH(reg);
+
+@@ -1106,8 +1112,34 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
+ return acpi_os_write_memory((acpi_physical_address)reg->address,
+ val, size);
+
+- if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+- val = MASK_VAL(reg, val);
++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
++ cpc_desc = per_cpu(cpc_desc_ptr, cpu);
++ if (!cpc_desc) {
++ pr_debug("No CPC descriptor for CPU:%d\n", cpu);
++ return -ENODEV;
++ }
++
++ spin_lock(&cpc_desc->rmw_lock);
++ switch (size) {
++ case 8:
++ prev_val = readb_relaxed(vaddr);
++ break;
++ case 16:
++ prev_val = readw_relaxed(vaddr);
++ break;
++ case 32:
++ prev_val = readl_relaxed(vaddr);
++ break;
++ case 64:
++ prev_val = readq_relaxed(vaddr);
++ break;
++ default:
++ spin_unlock(&cpc_desc->rmw_lock);
++ return -EFAULT;
++ }
++ val = MASK_VAL_WRITE(reg, prev_val, val);
++ val |= prev_val;
++ }
+
+ switch (size) {
+ case 8:
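Review bot: The `val |= prev_val;` that follows `MASK_VAL_WRITE()` in the new SYSTEM_MEMORY branch of cpc_write() undoes the masking the macro has just done. MASK_VAL_WRITE() already returns prev_val with the register's field cleared and the new value shifted into place, so OR-ing prev_val back restores every field bit that was previously 1, and a 1 -> 0 transition inside the field can never reach the hardware. I would drop that line so the branch ends with only `val = MASK_VAL_WRITE(reg, prev_val, val);`. Separately, the MASK_VAL_WRITE definition in the first hunk ends with a stray line continuation after its closing parenthesis, which is harmless only because the following line is blank. cpc_write() begins and ends outside this hunk.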
+@@ -1134,6 +1166,9 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
+ break;
+ }
+
++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
++ spin_unlock(&cpc_desc->rmw_lock);
++
+ return ret_val;
+ }
+
+diff --git a/include/acpi/cppc_acpi.h b/include/acpi/cppc_acpi.h
+index 930b6afba6f4d..e1720d9306669 100644
+--- a/include/acpi/cppc_acpi.h
++++ b/include/acpi/cppc_acpi.h
+@@ -64,6 +64,8 @@ struct cpc_desc {
+ int cpu_id;
+ int write_cmd_status;
+ int write_cmd_id;
++ /* Lock used for RMW operations in cpc_write() */
++ spinlock_t rmw_lock;
+ struct cpc_register_resource cpc_regs[MAX_CPC_REG_ENT];
+ struct acpi_psd_package domain_info;
+ struct kobject kobj;
+--
+2.43.0
+
--- /dev/null
+From 6f6410fd696803f29ac789dd223044d4b06b91d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 01:53:39 +0300
+Subject: ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 07442c46abad1d50ac82af5e0f9c5de2732c4592 ]
+
+In tps68470_pmic_opregion_probe() pointer 'dev' is compared to NULL which
+is useless.
+
+Fix this issue by removing unneeded check.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e13452ac3790 ("ACPI / PMIC: Add TI PMIC TPS68470 operation region driver")
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://patch.msgid.link/20240730225339.13165-1-amishin@t-argos.ru
+[ rjw: Subject edit ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pmic/tps68470_pmic.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/acpi/pmic/tps68470_pmic.c b/drivers/acpi/pmic/tps68470_pmic.c
+index ebd03e4729555..0d1a82eeb4b0b 100644
+--- a/drivers/acpi/pmic/tps68470_pmic.c
++++ b/drivers/acpi/pmic/tps68470_pmic.c
+@@ -376,10 +376,8 @@ static int tps68470_pmic_opregion_probe(struct platform_device *pdev)
+ struct tps68470_pmic_opregion *opregion;
+ acpi_status status;
+
+- if (!dev || !tps68470_regmap) {
+- dev_warn(dev, "dev or regmap is NULL\n");
+- return -EINVAL;
+- }
++ if (!tps68470_regmap)
++ return dev_err_probe(dev, -EINVAL, "regmap is missing\n");
+
+ if (!handle) {
+ dev_warn(dev, "acpi handle is NULL\n");
+--
+2.43.0
+
--- /dev/null
+From 09c0530715db1ecd96d7ba8993ceef902ef0749b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 20:08:47 +0000
+Subject: ACPI: video: force native for Apple MacbookPro9,2
+
+From: Esther Shimanovich <eshimanovich@chromium.org>
+
+[ Upstream commit 7dc918daaf2994963690171584ba423f28724df5 ]
+
+It used to be that the MacbookPro9,2 used its native intel backlight
+device until the following commit was introduced:
+
+commit b1d36e73cc1c ("drm/i915: Don't register backlight when another
+backlight should be used (v2)")
+
+This commit forced this model to use its firmware acpi_video backlight
+device instead.
+
+That worked fine until an additional commit was added:
+
+commit 92714006eb4d ("drm/i915/backlight: Do not bump min brightness
+to max on enable")
+
+That commit uncovered a bug in the MacbookPro 9,2's acpi_video
+backlight firmware; the backlight does not come back up after resume.
+
+Add DMI quirk to select the working native intel interface instead
+so that the backlight successfully comes back up after resume.
+
+Fixes: 92714006eb4d ("drm/i915/backlight: Do not bump min brightness to max on enable")
+Signed-off-by: Esther Shimanovich <eshimanovich@chromium.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patch.msgid.link/20240806-acpi-video-quirk-v1-1-369d8f7abc59@chromium.org
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/video_detect.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 674b9db7a1ef8..75a5f559402f8 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -549,6 +549,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir9,1"),
+ },
+ },
++ {
++ .callback = video_detect_force_native,
++ /* Apple MacBook Pro 9,2 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro9,2"),
++ },
++ },
+ {
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */
+ .callback = video_detect_force_native,
+--
+2.43.0
+
--- /dev/null
+From 5661c748aff529ca275c7783d2bb545644ca32ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jul 2024 13:56:24 +0000
+Subject: ACPI: video: force native for some T2 macbooks
+
+From: Orlando Chamberlain <orlandoch.dev@gmail.com>
+
+[ Upstream commit d010a0282e045f02895f88299e5442506585b46c ]
+
+The intel backlight is needed for these, previously users had nothing in
+/sys/class/backlight.
+
+Signed-off-by: Orlando Chamberlain <orlandoch.dev@gmail.com>
+Signed-off-by: Aditya Garg <gargaditya08@live.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patch.msgid.link/3DA0EAE3-9EB7-492B-96FC-988503BBDCCC@live.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: 7dc918daaf29 ("ACPI: video: force native for Apple MacbookPro9,2")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/video_detect.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index ff6f260433a11..674b9db7a1ef8 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -541,6 +541,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "iMac12,2"),
+ },
+ },
++ {
++ .callback = video_detect_force_native,
++ /* Apple MacBook Air 9,1 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir9,1"),
++ },
++ },
+ {
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */
+ .callback = video_detect_force_native,
+@@ -550,6 +558,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro12,1"),
+ },
+ },
++ {
++ .callback = video_detect_force_native,
++ /* Apple MacBook Pro 16,2 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro16,2"),
++ },
++ },
+ {
+ .callback = video_detect_force_native,
+ /* Dell Inspiron N4010 */
+--
+2.43.0
+
--- /dev/null
+From 35c463ebcdc7a3f1df1ae0ebb3cde56ec280d958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 21:12:40 -0700
+Subject: ACPICA: executer/exsystem: Don't nag user about every Stall()
+ violating the spec
+
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+
+[ Upstream commit c82c507126c9c9db350be28f14c83fad1c7969ae ]
+
+ACPICA commit 129b75516fc49fe1fd6b8c5798f86c13854630b3
+
+Stop nagging user about every Stall() that violates the spec
+
+On my Dell XPS 15 7590 I get hundreds of these warnings after few hours of
+uptime:
+
+$ dmesg | grep "fix the firmware" | wc -l
+261
+
+I cannot fix the firmware and I doubt that Dell cares about 4 year old
+laptop either
+
+Fixes: ace8f1c54a02 ("ACPICA: executer/exsystem: Inform users about ACPI spec violation")
+Link: https://github.com/acpica/acpica/commit/129b7551
+Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/exsystem.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/acpica/exsystem.c b/drivers/acpi/acpica/exsystem.c
+index f665ffd9a396c..2c384bd52b9c4 100644
+--- a/drivers/acpi/acpica/exsystem.c
++++ b/drivers/acpi/acpica/exsystem.c
+@@ -133,14 +133,15 @@ acpi_status acpi_ex_system_do_stall(u32 how_long_us)
+ * (ACPI specifies 100 usec as max, but this gives some slack in
+ * order to support existing BIOSs)
+ */
+- ACPI_ERROR((AE_INFO,
+- "Time parameter is too large (%u)", how_long_us));
++ ACPI_ERROR_ONCE((AE_INFO,
++ "Time parameter is too large (%u)",
++ how_long_us));
+ status = AE_AML_OPERAND_VALUE;
+ } else {
+ if (how_long_us > 100) {
+- ACPI_WARNING((AE_INFO,
+- "Time parameter %u us > 100 us violating ACPI spec, please fix the firmware.",
+- how_long_us));
++ ACPI_WARNING_ONCE((AE_INFO,
++ "Time parameter %u us > 100 us violating ACPI spec, please fix the firmware.",
++ how_long_us));
+ }
+ acpi_os_stall(how_long_us);
+ }
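Review bot: With `ACPI_ERROR_ONCE` on the over-limit branch, every later Stall() that exceeds the limit still fails with AE_AML_OPERAND_VALUE but leaves no trace in the log, and the single message that is printed carries only the first offending `how_long_us`. Printing once fits the `> 100` warning, where the stall is still performed, but on the error branch it hides repeated AML failures from anyone triaging firmware behaviour. I would keep plain `ACPI_ERROR` there, or at least add a comment such as `/* Logged on first occurrence only; later calls fail with AE_AML_OPERAND_VALUE silently */`. acpi_ex_system_do_stall() starts and ends outside this hunk.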
+--
+2.43.0
+
--- /dev/null
+From a21cfd5d5693572d692aec5b52afe562feaeffc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 21:09:45 -0700
+Subject: ACPICA: Implement ACPI_WARNING_ONCE and ACPI_ERROR_ONCE
+
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+
+[ Upstream commit 632b746b108e3c62e0795072d00ed597371c738a ]
+
+ACPICA commit 2ad4e6e7c4118f4cdfcad321c930b836cec77406
+
+In some cases it is not practical nor useful to nag user about some
+firmware errors that they cannot fix. Add a macro that will print a
+warning or error only once to be used in these cases.
+
+Link: https://github.com/acpica/acpica/commit/2ad4e6e7
+Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: c82c507126c9 ("ACPICA: executer/exsystem: Don't nag user about every Stall() violating the spec")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/acpi/acoutput.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/include/acpi/acoutput.h b/include/acpi/acoutput.h
+index b1571dd96310a..5e0346142f983 100644
+--- a/include/acpi/acoutput.h
++++ b/include/acpi/acoutput.h
+@@ -193,6 +193,7 @@
+ */
+ #ifndef ACPI_NO_ERROR_MESSAGES
+ #define AE_INFO _acpi_module_name, __LINE__
++#define ACPI_ONCE(_fn, _plist) { static char _done; if (!_done) { _done = 1; _fn _plist; } }
+
+ /*
+ * Error reporting. Callers module and line number are inserted by AE_INFO,
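Review bot: ACPI_ONCE expands to a bare `{ ... }` block, so `ACPI_ERROR_ONCE((...));` used as the unbraced body of an `if` that has an `else` would fail to compile, because the trailing semicolon becomes a separate empty statement. Wrapping the body as `#define ACPI_ONCE(_fn, _plist) do { static char _done; if (!_done) { _done = 1; _fn _plist; } } while (0)` makes it behave like an ordinary statement. The `_done` flag is a plain static written without synchronisation, so concurrent callers can presumably print more than once. A one-line comment stating that this is acceptable and that the flag is per call site would help the next reader.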
+@@ -201,8 +202,10 @@
+ */
+ #define ACPI_INFO(plist) acpi_info plist
+ #define ACPI_WARNING(plist) acpi_warning plist
++#define ACPI_WARNING_ONCE(plist) ACPI_ONCE(acpi_warning, plist)
+ #define ACPI_EXCEPTION(plist) acpi_exception plist
+ #define ACPI_ERROR(plist) acpi_error plist
++#define ACPI_ERROR_ONCE(plist) ACPI_ONCE(acpi_error, plist)
+ #define ACPI_BIOS_WARNING(plist) acpi_bios_warning plist
+ #define ACPI_BIOS_EXCEPTION(plist) acpi_bios_exception plist
+ #define ACPI_BIOS_ERROR(plist) acpi_bios_error plist
+@@ -214,8 +217,10 @@
+
+ #define ACPI_INFO(plist)
+ #define ACPI_WARNING(plist)
++#define ACPI_WARNING_ONCE(plist)
+ #define ACPI_EXCEPTION(plist)
+ #define ACPI_ERROR(plist)
++#define ACPI_ERROR_ONCE(plist)
+ #define ACPI_BIOS_WARNING(plist)
+ #define ACPI_BIOS_EXCEPTION(plist)
+ #define ACPI_BIOS_ERROR(plist)
+--
+2.43.0
+
--- /dev/null
+From 2e096a356d1128e628662aee51239df903c4e4e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 09:13:12 +0000
+Subject: ALSA: hda: cs35l41: fix module autoloading
+
+From: Yuntao Liu <liuyuntao12@huawei.com>
+
+[ Upstream commit 48f1434a4632c7da1a6a94e159512ebddbe13392 ]
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from spi_device_id table.
+
+Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems")
+Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
+Link: https://patch.msgid.link/20240815091312.757139-1-liuyuntao12@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/cs35l41_hda_spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/cs35l41_hda_spi.c b/sound/pci/hda/cs35l41_hda_spi.c
+index b76c0dfd5fefc..f8c356ad0d340 100644
+--- a/sound/pci/hda/cs35l41_hda_spi.c
++++ b/sound/pci/hda/cs35l41_hda_spi.c
+@@ -38,6 +38,7 @@ static const struct spi_device_id cs35l41_hda_spi_id[] = {
+ { "cs35l41-hda", 0 },
+ {}
+ };
++MODULE_DEVICE_TABLE(spi, cs35l41_hda_spi_id);
+
+ static const struct acpi_device_id cs35l41_acpi_hda_match[] = {
+ { "CSC3551", 0 },
+--
+2.43.0
+
--- /dev/null
+From 925a02a4169b62159a6d0a347d297cb43608449e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 17:05:51 +0100
+Subject: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros
+
+From: Calvin Owens <calvin@wbinvd.org>
+
+[ Upstream commit 89a906dfa8c3b21b3e5360f73c49234ac1eb885b ]
+
+Floating point instructions in userspace can crash some arm kernels
+built with clang/LLD 17.0.6:
+
+ BUG: unsupported FP instruction in kernel mode
+ FPEXC == 0xc0000780
+ Internal error: Oops - undefined instruction: 0 [#1] ARM
+ CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1
+ Hardware name: BCM2835
+ PC is at vfp_support_entry+0xc8/0x2cc
+ LR is at do_undefinstr+0xa8/0x250
+ pc : [<c0101d50>] lr : [<c010a80c>] psr: a0000013
+ sp : dc8d1f68 ip : 60000013 fp : bedea19c
+ r10: ec532b17 r9 : 00000010 r8 : 0044766c
+ r7 : c0000780 r6 : ec532b17 r5 : c1c13800 r4 : dc8d1fb0
+ r3 : c10072c4 r2 : c0101c88 r1 : ec532b17 r0 : 0044766c
+ Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 00c5387d Table: 0251c008 DAC: 00000051
+ Register r0 information: non-paged memory
+ Register r1 information: vmalloc memory
+ Register r2 information: non-slab/vmalloc memory
+ Register r3 information: non-slab/vmalloc memory
+ Register r4 information: 2-page vmalloc region
+ Register r5 information: slab kmalloc-cg-2k
+ Register r6 information: vmalloc memory
+ Register r7 information: non-slab/vmalloc memory
+ Register r8 information: non-paged memory
+ Register r9 information: zero-size pointer
+ Register r10 information: vmalloc memory
+ Register r11 information: non-paged memory
+ Register r12 information: non-paged memory
+ Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b)
+ Stack: (0xdc8d1f68 to 0xdc8d2000)
+ 1f60: 0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0
+ 1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010
+ 1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188
+ 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
+ 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000
+ Call trace:
+ [<c0101d50>] (vfp_support_entry) from [<c010a80c>] (do_undefinstr+0xa8/0x250)
+ [<c010a80c>] (do_undefinstr) from [<c0100f10>] (__und_usr+0x70/0x80)
+ Exception stack(0xdc8d1fb0 to 0xdc8d1ff8)
+ 1fa0: b6f68af8 00448fc0 00000000 bedea188
+ 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
+ 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff
+ Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10)
+ ---[ end trace 0000000000000000 ]---
+ Kernel panic - not syncing: Fatal exception in interrupt
+ ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+This is a minimal userspace reproducer on a Raspberry Pi Zero W:
+
+ #include <stdio.h>
+ #include <math.h>
+
+ int main(void)
+ {
+ double v = 1.0;
+ printf("%fn", NAN + *(volatile double *)&v);
+ return 0;
+ }
+
+Another way to consistently trigger the oops is:
+
+ calvin@raspberry-pi-zero-w ~$ python -c "import json"
+
+The bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n,
+because the pr_debug() calls act as barriers even when not activated.
+
+This is the output from the same kernel source built with the same
+compiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as
+expected:
+
+ VFP: bounce: trigger ec532b17 fpexc c0000780
+ VFP: emulate: INST=0xee377b06 SCR=0x00000000
+ VFP: bounce: trigger eef1fa10 fpexc c0000780
+ VFP: emulate: INST=0xeeb40b40 SCR=0x00000000
+ VFP: raising exceptions 30000000
+
+ calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer
+ nan
+
+Crudely grepping for vmsr/vmrs instructions in the otherwise nearly
+idential text for vfp_support_entry() makes the problem obvious:
+
+ vmlinux.llvm.good [0xc0101cb8] <+48>: vmrs r7, fpexc
+ vmlinux.llvm.good [0xc0101cd8] <+80>: vmsr fpexc, r0
+ vmlinux.llvm.good [0xc0101d20] <+152>: vmsr fpexc, r7
+ vmlinux.llvm.good [0xc0101d38] <+176>: vmrs r4, fpexc
+ vmlinux.llvm.good [0xc0101d6c] <+228>: vmrs r0, fpscr
+ vmlinux.llvm.good [0xc0101dc4] <+316>: vmsr fpexc, r0
+ vmlinux.llvm.good [0xc0101dc8] <+320>: vmrs r0, fpsid
+ vmlinux.llvm.good [0xc0101dcc] <+324>: vmrs r6, fpscr
+ vmlinux.llvm.good [0xc0101e10] <+392>: vmrs r10, fpinst
+ vmlinux.llvm.good [0xc0101eb8] <+560>: vmrs r10, fpinst2
+
+ vmlinux.llvm.bad [0xc0101cb8] <+48>: vmrs r7, fpexc
+ vmlinux.llvm.bad [0xc0101cd8] <+80>: vmsr fpexc, r0
+ vmlinux.llvm.bad [0xc0101d20] <+152>: vmsr fpexc, r7
+ vmlinux.llvm.bad [0xc0101d30] <+168>: vmrs r0, fpscr
+ vmlinux.llvm.bad [0xc0101d50] <+200>: vmrs r6, fpscr <== BOOM!
+ vmlinux.llvm.bad [0xc0101d6c] <+228>: vmsr fpexc, r0
+ vmlinux.llvm.bad [0xc0101d70] <+232>: vmrs r0, fpsid
+ vmlinux.llvm.bad [0xc0101da4] <+284>: vmrs r10, fpinst
+ vmlinux.llvm.bad [0xc0101df8] <+368>: vmrs r4, fpexc
+ vmlinux.llvm.bad [0xc0101e5c] <+468>: vmrs r10, fpinst2
+
+I think LLVM's reordering is valid as the code is currently written: the
+compiler doesn't know the instructions have side effects in hardware.
+
+Fix by using "asm volatile" in fmxr() and fmrx(), so they cannot be
+reordered with respect to each other. The original compiler now produces
+working kernels on my hardware with DYNAMIC_DEBUG=n.
+
+This is the relevant piece of the diff of the vfp_support_entry() text,
+from the original oopsing kernel to a working kernel with this patch:
+
+ vmrs r0, fpscr
+ tst r0, #4096
+ bne 0xc0101d48
+ tst r0, #458752
+ beq 0xc0101ecc
+ orr r7, r7, #536870912
+ ldr r0, [r4, #0x3c]
+ mov r9, #16
+ -vmrs r6, fpscr
+ orr r9, r9, #251658240
+ add r0, r0, #4
+ str r0, [r4, #0x3c]
+ mvn r0, #159
+ sub r0, r0, #-1207959552
+ and r0, r7, r0
+ vmsr fpexc, r0
+ vmrs r0, fpsid
+ +vmrs r6, fpscr
+ and r0, r0, #983040
+ cmp r0, #65536
+ bne 0xc0101d88
+
+Fixes: 4708fb041346 ("ARM: vfp: Reimplement VFP exception entry in C code")
+Signed-off-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/vfp/vfpinstr.h | 48 ++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 22 deletions(-)
+
+diff --git a/arch/arm/vfp/vfpinstr.h b/arch/arm/vfp/vfpinstr.h
+index 3c7938fd40aad..32090b0fb250b 100644
+--- a/arch/arm/vfp/vfpinstr.h
++++ b/arch/arm/vfp/vfpinstr.h
+@@ -64,33 +64,37 @@
+
+ #ifdef CONFIG_AS_VFP_VMRS_FPINST
+
+-#define fmrx(_vfp_) ({ \
+- u32 __v; \
+- asm(".fpu vfpv2\n" \
+- "vmrs %0, " #_vfp_ \
+- : "=r" (__v) : : "cc"); \
+- __v; \
+- })
+-
+-#define fmxr(_vfp_,_var_) \
+- asm(".fpu vfpv2\n" \
+- "vmsr " #_vfp_ ", %0" \
+- : : "r" (_var_) : "cc")
++#define fmrx(_vfp_) ({ \
++ u32 __v; \
++ asm volatile (".fpu vfpv2\n" \
++ "vmrs %0, " #_vfp_ \
++ : "=r" (__v) : : "cc"); \
++ __v; \
++})
++
++#define fmxr(_vfp_, _var_) ({ \
++ asm volatile (".fpu vfpv2\n" \
++ "vmsr " #_vfp_ ", %0" \
++ : : "r" (_var_) : "cc"); \
++})
+
+ #else
+
+ #define vfpreg(_vfp_) #_vfp_
+
+-#define fmrx(_vfp_) ({ \
+- u32 __v; \
+- asm("mrc p10, 7, %0, " vfpreg(_vfp_) ", cr0, 0 @ fmrx %0, " #_vfp_ \
+- : "=r" (__v) : : "cc"); \
+- __v; \
+- })
+-
+-#define fmxr(_vfp_,_var_) \
+- asm("mcr p10, 7, %0, " vfpreg(_vfp_) ", cr0, 0 @ fmxr " #_vfp_ ", %0" \
+- : : "r" (_var_) : "cc")
++#define fmrx(_vfp_) ({ \
++ u32 __v; \
++ asm volatile ("mrc p10, 7, %0, " vfpreg(_vfp_) "," \
++ "cr0, 0 @ fmrx %0, " #_vfp_ \
++ : "=r" (__v) : : "cc"); \
++ __v; \
++})
++
++#define fmxr(_vfp_, _var_) ({ \
++ asm volatile ("mcr p10, 7, %0, " vfpreg(_vfp_) "," \
++ "cr0, 0 @ fmxr " #_vfp_ ", %0" \
++ : : "r" (_var_) : "cc"); \
++})
+
+ #endif
+
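Review bot: Nothing in the rewritten fmrx()/fmxr() macros records why the asm has to be `volatile`, so a later cleanup could drop the qualifier and reintroduce the reordering described in the commit message. A comment above the first pair would keep that reasoning next to the code, for example `/* volatile: VFP system register accesses have hardware side effects the compiler cannot see; they must not be reordered against each other or elided */`. Note also that `volatile` without a `"memory"` clobber orders these statements only against other volatile asm, not against ordinary loads and stores. If any caller relies on ordering against memory accesses, it probably needs an explicit `barrier()`.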
+--
+2.43.0
+
--- /dev/null
+From 0fbc3c832a480936b410d3645a90c4889f09c2d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 11:56:36 +0200
+Subject: ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 0e49cfe364dea4345551516eb2fe53135a10432b ]
+
+There is no "fsl,phy" property in pin controller pincfg nodes:
+
+ imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,pins' is a required property
+ imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,phy' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+Fixes: f496e6750083 ("ARM: dts: Add ZII support for ZII i.MX7 RMU2 board")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts b/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts
+index 521493342fe97..8f5566027c25a 100644
+--- a/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts
++++ b/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts
+@@ -350,7 +350,7 @@
+
+ &iomuxc_lpsr {
+ pinctrl_enet1_phy_interrupt: enet1phyinterruptgrp {
+- fsl,phy = <
++ fsl,pins = <
+ MX7D_PAD_LPSR_GPIO1_IO02__GPIO1_IO2 0x08
+ >;
+ };
+--
+2.43.0
+
--- /dev/null
+From dd74a7fbf7ea079932ce133687c8efb32f07d50b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 07:51:36 +0200
+Subject: ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks
+
+From: Alexander Dahl <ada@thorsis.com>
+
+[ Upstream commit d355c895fa4ddd8bec15569eee540baeed7df8c5 ]
+
+The RTC and RTT peripherals use the timing domain slow clock (TD_SLCK),
+sourced from the 32.768 kHz crystal oscillator or slow rc oscillator.
+
+The previously used Monitoring domain slow clock (MD_SLCK) is sourced
+from an internal RC oscillator which is most probably not precise enough
+for real time clock purposes.
+
+Fixes: 1e5f532c2737 ("ARM: dts: at91: sam9x60: add device tree for soc and board")
+Fixes: 5f6b33f46346 ("ARM: dts: sam9x60: add rtt")
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
+Link: https://lore.kernel.org/r/20240821055136.6858-1-ada@thorsis.com
+[claudiu.beznea: removed () around the last commit description paragraph,
+ removed " in front of "timing domain slow clock", described that
+ TD_SLCK can also be sourced from slow rc oscillator]
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/sam9x60.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/microchip/sam9x60.dtsi b/arch/arm/boot/dts/microchip/sam9x60.dtsi
+index 291540e5d81e7..d077afd5024db 100644
+--- a/arch/arm/boot/dts/microchip/sam9x60.dtsi
++++ b/arch/arm/boot/dts/microchip/sam9x60.dtsi
+@@ -1312,7 +1312,7 @@
+ compatible = "microchip,sam9x60-rtt", "atmel,at91sam9260-rtt";
+ reg = <0xfffffe20 0x20>;
+ interrupts = <1 IRQ_TYPE_LEVEL_HIGH 7>;
+- clocks = <&clk32k 0>;
++ clocks = <&clk32k 1>;
+ };
+
+ pit: timer@fffffe40 {
+@@ -1338,7 +1338,7 @@
+ compatible = "microchip,sam9x60-rtc", "atmel,at91sam9x5-rtc";
+ reg = <0xfffffea8 0x100>;
+ interrupts = <1 IRQ_TYPE_LEVEL_HIGH 7>;
+- clocks = <&clk32k 0>;
++ clocks = <&clk32k 1>;
+ };
+
+ watchdog: watchdog@ffffff80 {
+--
+2.43.0
+
--- /dev/null
+From 5082e7cf45c65d70a66bd14a1ed7033512a2bd06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 19:53:20 +0300
+Subject: ARM: dts: microchip: sama7g5: Fix RTT clock
+
+From: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+
+[ Upstream commit 867bf1923200e6ad82bad0289f43bf20b4ac7ff9 ]
+
+According to datasheet, Chapter 34. Clock Generator, section 34.2,
+Embedded characteristics, source clock for RTT is the TD_SLCK, registered
+with ID 1 by the slow clock controller driver. Fix RTT clock.
+
+Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek")
+Link: https://lore.kernel.org/r/20240826165320.3068359-1-claudiu.beznea@tuxon.dev
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/sama7g5.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/microchip/sama7g5.dtsi b/arch/arm/boot/dts/microchip/sama7g5.dtsi
+index 75778be126a3d..17bcdcf0cf4a0 100644
+--- a/arch/arm/boot/dts/microchip/sama7g5.dtsi
++++ b/arch/arm/boot/dts/microchip/sama7g5.dtsi
+@@ -272,7 +272,7 @@
+ compatible = "microchip,sama7g5-rtt", "microchip,sam9x60-rtt", "atmel,at91sam9260-rtt";
+ reg = <0xe001d020 0x30>;
+ interrupts = <GIC_SPI 8 IRQ_TYPE_LEVEL_HIGH>;
+- clocks = <&clk32k 0>;
++ clocks = <&clk32k 1>;
+ };
+
+ clk32k: clock-controller@e001d050 {
+--
+2.43.0
+
--- /dev/null
+From 1a1256c5e0eaf984187082890f5e4f683233f262 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 07:49:33 +0200
+Subject: ARM: versatile: fix OF node leak in CPUs prepare
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f2642d97f2105ed17b2ece0c597450f2ff95d704 ]
+
+Machine code is leaking OF node reference from of_find_matching_node()
+in realview_smp_prepare_cpus().
+
+Fixes: 5420b4b15617 ("ARM: realview: add an DT SMP boot method")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://lore.kernel.org/20240826054934.10724-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-versatile/platsmp-realview.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-versatile/platsmp-realview.c b/arch/arm/mach-versatile/platsmp-realview.c
+index 6965a1de727b0..d38b2e174257e 100644
+--- a/arch/arm/mach-versatile/platsmp-realview.c
++++ b/arch/arm/mach-versatile/platsmp-realview.c
+@@ -70,6 +70,7 @@ static void __init realview_smp_prepare_cpus(unsigned int max_cpus)
+ return;
+ }
+ map = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(map)) {
+ pr_err("PLATSMP: No syscon regmap\n");
+ return;
+--
+2.43.0
+
--- /dev/null
+From 1636730af682c7a35040f5e5f56511ec2ebdbb97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jul 2024 19:58:32 +0200
+Subject: arm64: dts: exynos: exynos7885-jackpotlte: Correct RAM amount to 4GB
+
+From: David Virag <virag.david003@gmail.com>
+
+[ Upstream commit d281814b8f7a710a75258da883fb0dfe1329c031 ]
+
+All known jackpotlte variants have 4GB of RAM, let's use it all.
+RAM was set to 3GB from a mistake in the vendor provided DTS file.
+
+Fixes: 06874015327b ("arm64: dts: exynos: Add initial device tree support for Exynos7885 SoC")
+Signed-off-by: David Virag <virag.david003@gmail.com>
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Link: https://lore.kernel.org/r/20240713180607.147942-3-virag.david003@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts b/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts
+index 47a389d9ff7d7..9d74fa6bfed9f 100644
+--- a/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts
++++ b/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts
+@@ -32,7 +32,7 @@
+ device_type = "memory";
+ reg = <0x0 0x80000000 0x3da00000>,
+ <0x0 0xc0000000 0x40000000>,
+- <0x8 0x80000000 0x40000000>;
++ <0x8 0x80000000 0x80000000>;
+ };
+
+ gpio-keys {
+--
+2.43.0
+
--- /dev/null
+From c2cae70fda6f726b77ead750a64f6012bd14a88f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jul 2024 09:22:43 +0200
+Subject: arm64: dts: mediatek: mt8186: Fix supported-hw mask for GPU OPPs
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 2317d018b835842df0501d8f9e9efa843068a101 ]
+
+The speedbin eFuse reads a value 'x' from 0 to 7 and, in order to
+make that compatible with opp-supported-hw, it gets post processed
+as BIT(x).
+
+Change all of the 0x30 supported-hw to 0x20 to avoid getting
+duplicate OPPs for speedbin 4, and also change all of the 0x8 to
+0xcf because speedbins different from 4 and 5 do support 900MHz,
+950MHz, 1000MHz with the higher voltage of 850mV, 900mV, 950mV
+respectively.
+
+Fixes: f38ea593ad0d ("arm64: dts: mediatek: mt8186: Wire up GPU voltage/frequency scaling")
+Link: https://lore.kernel.org/r/20240725072243.173104-1-angelogioacchino.delregno@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8186.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8186.dtsi b/arch/arm64/boot/dts/mediatek/mt8186.dtsi
+index 4763ed5dc86cf..d63a9defe73e1 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8186.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8186.dtsi
+@@ -731,7 +731,7 @@
+ opp-900000000-3 {
+ opp-hz = /bits/ 64 <900000000>;
+ opp-microvolt = <850000>;
+- opp-supported-hw = <0x8>;
++ opp-supported-hw = <0xcf>;
+ };
+
+ opp-900000000-4 {
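Review bot: The new `opp-supported-hw` masks are bare hex values with no comment, so a reader has to redo the BIT(x) arithmetic from the commit message to see which speedbins each OPP covers. This applies to the `0xcf` line here and to the `0x20` and `0xcf` lines in the three following hunks of this patch. A trailing comment on each line would make the intent checkable in the file, for example `opp-supported-hw = <0xcf>; /* speedbins 0-3, 6, 7 */` and `opp-supported-hw = <0x20>; /* speedbin 5 */`. The bodies of the `-4` entries are not visible in these hunks, so their mask should be confirmed to select speedbin 4 only.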
+@@ -743,13 +743,13 @@
+ opp-900000000-5 {
+ opp-hz = /bits/ 64 <900000000>;
+ opp-microvolt = <825000>;
+- opp-supported-hw = <0x30>;
++ opp-supported-hw = <0x20>;
+ };
+
+ opp-950000000-3 {
+ opp-hz = /bits/ 64 <950000000>;
+ opp-microvolt = <900000>;
+- opp-supported-hw = <0x8>;
++ opp-supported-hw = <0xcf>;
+ };
+
+ opp-950000000-4 {
+@@ -761,13 +761,13 @@
+ opp-950000000-5 {
+ opp-hz = /bits/ 64 <950000000>;
+ opp-microvolt = <850000>;
+- opp-supported-hw = <0x30>;
++ opp-supported-hw = <0x20>;
+ };
+
+ opp-1000000000-3 {
+ opp-hz = /bits/ 64 <1000000000>;
+ opp-microvolt = <950000>;
+- opp-supported-hw = <0x8>;
++ opp-supported-hw = <0xcf>;
+ };
+
+ opp-1000000000-4 {
+@@ -779,7 +779,7 @@
+ opp-1000000000-5 {
+ opp-hz = /bits/ 64 <1000000000>;
+ opp-microvolt = <875000>;
+- opp-supported-hw = <0x30>;
++ opp-supported-hw = <0x20>;
+ };
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 5a5c4f935260256d05e206f632f70c27e4d57d17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 15:09:50 +0800
+Subject: arm64: dts: mediatek: mt8195: Correct clock order for dp_intf*
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 51bc68debab9e30b50c6352315950f3cfc309b32 ]
+
+The clocks for dp_intf* device nodes are given in the wrong order,
+causing the binding validation to fail.
+
+Fixes: 6c2503b5856a ("arm64: dts: mt8195: Add dp-intf nodes")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20240802070951.1086616-1-wenst@chromium.org
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8195.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+index 2ee45752583c0..98c15eb68589a 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+@@ -3251,10 +3251,10 @@
+ compatible = "mediatek,mt8195-dp-intf";
+ reg = <0 0x1c015000 0 0x1000>;
+ interrupts = <GIC_SPI 657 IRQ_TYPE_LEVEL_HIGH 0>;
+- clocks = <&vdosys0 CLK_VDO0_DP_INTF0>,
+- <&vdosys0 CLK_VDO0_DP_INTF0_DP_INTF>,
++ clocks = <&vdosys0 CLK_VDO0_DP_INTF0_DP_INTF>,
++ <&vdosys0 CLK_VDO0_DP_INTF0>,
+ <&apmixedsys CLK_APMIXED_TVDPLL1>;
+- clock-names = "engine", "pixel", "pll";
++ clock-names = "pixel", "engine", "pll";
+ status = "disabled";
+ };
+
+@@ -3521,10 +3521,10 @@
+ reg = <0 0x1c113000 0 0x1000>;
+ interrupts = <GIC_SPI 513 IRQ_TYPE_LEVEL_HIGH 0>;
+ power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
+- clocks = <&vdosys1 CLK_VDO1_DP_INTF0_MM>,
+- <&vdosys1 CLK_VDO1_DPINTF>,
++ clocks = <&vdosys1 CLK_VDO1_DPINTF>,
++ <&vdosys1 CLK_VDO1_DP_INTF0_MM>,
+ <&apmixedsys CLK_APMIXED_TVDPLL2>;
+- clock-names = "engine", "pixel", "pll";
++ clock-names = "pixel", "engine", "pll";
+ status = "disabled";
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 3ecaac07ae905278dacc896f0ccf56deae40251e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 15:03:28 +0300
+Subject: arm64: dts: qcom: x1e80100: Fix PHY for DP2
+
+From: Abel Vesa <abel.vesa@linaro.org>
+
+[ Upstream commit ba728bda663b0e812cb20450d18af5d0edd803a2 ]
+
+The actual PHY used by MDSS DP2 is the USB SS2 QMP one. So switch to it
+instead. This is needed to get external DP support on boards like CRD
+where the 3rd Type-C USB port (right-hand side) is connected to DP2.
+
+Fixes: 1940c25eaa63 ("arm64: dts: qcom: x1e80100: Add display nodes")
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Reviewed-by: Konrad Dybcio <konradybcio@kernel.org>
+Link: https://lore.kernel.org/r/20240829-x1e80100-dts-dp2-use-qmpphy-ss2-v1-1-9ba3dca61ccc@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/x1e80100.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+index 36c398e5fe501..64d5f6e4c0b01 100644
+--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi
++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+@@ -3998,14 +3998,14 @@
+
+ assigned-clocks = <&dispcc DISP_CC_MDSS_DPTX2_LINK_CLK_SRC>,
+ <&dispcc DISP_CC_MDSS_DPTX2_PIXEL0_CLK_SRC>;
+- assigned-clock-parents = <&mdss_dp2_phy 0>,
+- <&mdss_dp2_phy 1>;
++ assigned-clock-parents = <&usb_1_ss2_qmpphy QMP_USB43DP_DP_LINK_CLK>,
++ <&usb_1_ss2_qmpphy QMP_USB43DP_DP_VCO_DIV_CLK>;
+
+ operating-points-v2 = <&mdss_dp2_opp_table>;
+
+ power-domains = <&rpmhpd RPMHPD_MMCX>;
+
+- phys = <&mdss_dp2_phy>;
++ phys = <&usb_1_ss2_qmpphy QMP_USB43DP_DP_PHY>;
+ phy-names = "dp";
+
+ #sound-dai-cells = <0>;
+@@ -4189,8 +4189,8 @@
+ <&usb_1_ss0_qmpphy QMP_USB43DP_DP_VCO_DIV_CLK>,
+ <&usb_1_ss1_qmpphy QMP_USB43DP_DP_LINK_CLK>, /* dp1 */
+ <&usb_1_ss1_qmpphy QMP_USB43DP_DP_VCO_DIV_CLK>,
+- <&mdss_dp2_phy 0>, /* dp2 */
+- <&mdss_dp2_phy 1>,
++ <&usb_1_ss2_qmpphy QMP_USB43DP_DP_LINK_CLK>, /* dp2 */
++ <&usb_1_ss2_qmpphy QMP_USB43DP_DP_VCO_DIV_CLK>,
+ <&mdss_dp3_phy 0>, /* dp3 */
+ <&mdss_dp3_phy 1>;
+ power-domains = <&rpmhpd RPMHPD_MMCX>;
+--
+2.43.0
+
--- /dev/null
+From 6c731ead33e0d80af240c751e43cca38c95239d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 13:24:34 +0100
+Subject: arm64: dts: renesas: r9a07g043u: Correct GICD and GICR sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit ab39547f739236e7f16b8b0a51fdca95cc9cadd3 ]
+
+The RZ/G2UL SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB
+for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU.
+
+Despite the RZ/G2UL SoC being single-core, it has two instances of GICR.
+
+Fixes: cf40c9689e510 ("arm64: dts: renesas: Add initial DTSI for RZ/G2UL SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/20240730122436.350013-3-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g043u.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi b/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi
+index 18ef297db9336..20fb5e41c5988 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi
+@@ -210,8 +210,8 @@
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+ interrupt-controller;
+- reg = <0x0 0x11900000 0 0x40000>,
+- <0x0 0x11940000 0 0x60000>;
++ reg = <0x0 0x11900000 0 0x20000>,
++ <0x0 0x11940000 0 0x40000>;
+ interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_LOW>;
+ };
+ };
+--
+2.43.0
+
--- /dev/null
+From 81135456969a03fa0ff3941a8a656e717e5ffa3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 13:24:36 +0100
+Subject: arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 833948fb2b63155847ab691a54800f801555429b ]
+
+The RZ/G2L(C) SoC is equipped with the GIC-600. The GICD is 64KiB +
+64KiB for the MBI alias (in total 128KiB), and the GICR is 128KiB per
+CPU.
+
+Fixes: 68a45525297b2 ("arm64: dts: renesas: Add initial DTSI for RZ/G2{L,LC} SoC's")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/20240730122436.350013-5-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
+index 1a9891ba6c02c..960537e401f4c 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
+@@ -1043,8 +1043,8 @@
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+ interrupt-controller;
+- reg = <0x0 0x11900000 0 0x40000>,
+- <0x0 0x11940000 0 0x60000>;
++ reg = <0x0 0x11900000 0 0x20000>,
++ <0x0 0x11940000 0 0x40000>;
+ interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_LOW>;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 07ad03c9228795985c164c81c650bb8fec2360c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 13:24:35 +0100
+Subject: arm64: dts: renesas: r9a07g054: Correct GICD and GICR sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 45afa9eacb59b258d2e53c7f63430ea1e8344803 ]
+
+The RZ/V2L SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB
+for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU.
+
+Fixes: 7c2b8198f4f32 ("arm64: dts: renesas: Add initial DTSI for RZ/V2L SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/20240730122436.350013-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g054.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
+index a2318478a66ba..66894b676c01e 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
+@@ -1051,8 +1051,8 @@
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+ interrupt-controller;
+- reg = <0x0 0x11900000 0 0x40000>,
+- <0x0 0x11940000 0 0x60000>;
++ reg = <0x0 0x11900000 0 0x20000>,
++ <0x0 0x11940000 0 0x40000>;
+ interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_LOW>;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From fccfa9de1462cc91697dcf737adc96e12f2b591c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 13:24:33 +0100
+Subject: arm64: dts: renesas: r9a08g045: Correct GICD and GICR sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit ec9532628eb9d82282b8e52fd9c4a3800d87feec ]
+
+The RZ/G3S SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB
+for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU.
+
+Despite the RZ/G3S SoC being single-core, it has two instances of GICR.
+
+Fixes: e20396d65b959 ("arm64: dts: renesas: Add initial DTSI for RZ/G3S SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/20240730122436.350013-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a08g045.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a08g045.dtsi b/arch/arm64/boot/dts/renesas/r9a08g045.dtsi
+index a2adc4e27ce97..17609d81af294 100644
+--- a/arch/arm64/boot/dts/renesas/r9a08g045.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a08g045.dtsi
+@@ -269,8 +269,8 @@
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+ interrupt-controller;
+- reg = <0x0 0x12400000 0 0x40000>,
+- <0x0 0x12440000 0 0x60000>;
++ reg = <0x0 0x12400000 0 0x20000>,
++ <0x0 0x12440000 0 0x40000>;
+ interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_LOW>;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 71f393305c785f9e2fc75eff75697206d6913567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 21:18:16 +0000
+Subject: arm64: dts: rockchip: Correct vendor prefix for Hardkernel ODROID-M1
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit 735065e774dcfc62e38df01a535862138b6c92ed ]
+
+The vendor prefix for Hardkernel ODROID-M1 is incorrectly listed as
+rockchip. Use the proper hardkernel vendor prefix for this board, while
+at it also drop the redundant soc prefix.
+
+Fixes: fd3583267703 ("arm64: dts: rockchip: Add Hardkernel ODROID-M1 board")
+Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Link: https://lore.kernel.org/r/20240827211825.1419820-3-jonas@kwiboo.se
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts b/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts
+index a337f547caf53..6a02db4f073f2 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts
+@@ -13,7 +13,7 @@
+
+ / {
+ model = "Hardkernel ODROID-M1";
+- compatible = "rockchip,rk3568-odroid-m1", "rockchip,rk3568";
++ compatible = "hardkernel,odroid-m1", "rockchip,rk3568";
+
+ aliases {
+ ethernet0 = &gmac0;
+--
+2.43.0
+
--- /dev/null
+From a318169c68a403e3797011a122e9b37a32ab9350 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 16:40:00 +0530
+Subject: arm64: dts: ti: k3-am654-idk: Fix dtbs_check warning in ICSSG dmas
+
+From: MD Danish Anwar <danishanwar@ti.com>
+
+[ Upstream commit 2bea7920da8001172f54359395700616269ccb70 ]
+
+ICSSG doesn't use mgmnt rsp dmas. But these are added in the dmas for
+icssg1-eth and icssg0-eth node.
+
+These mgmnt rsp dmas result in below dtbs_check warnings.
+
+/workdir/arch/arm64/boot/dts/ti/k3-am654-idk.dtb: icssg1-eth: dmas: [[39, 49664], [39, 49665], [39, 49666], [39, 49667], [39, 49668], [39, 49669], [39, 49670], [39, 49671], [39, 16896], [39, 16897], [39, 16898], [39, 16899]] is too long
+ from schema $id: http://devicetree.org/schemas/net/ti,icssg-prueth.yaml#
+/workdir/arch/arm64/boot/dts/ti/k3-am654-idk.dtb: icssg0-eth: dmas: [[39, 49408], [39, 49409], [39, 49410], [39, 49411], [39, 49412], [39, 49413], [39, 49414], [39, 49415], [39, 16640], [39, 16641], [39, 16642], [39, 16643]] is too long
+ from schema $id: http://devicetree.org/schemas/net/ti,icssg-prueth.yaml#
+
+Fix these warnings by removing mgmnt rsp dmas from icssg1-eth and
+icssg0-eth nodes.
+
+Fixes: a4d5bc3214eb ("arm64: dts: ti: k3-am654-idk: Add ICSSG Ethernet ports")
+Signed-off-by: MD Danish Anwar <danishanwar@ti.com>
+Reviewed-by: Roger Quadros <rogerq@kernel.org>
+Link: https://lore.kernel.org/r/20240830111000.232028-1-danishanwar@ti.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am654-idk.dtso | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am654-idk.dtso b/arch/arm64/boot/dts/ti/k3-am654-idk.dtso
+index 8bdb87fcbde00..1674ad564be1f 100644
+--- a/arch/arm64/boot/dts/ti/k3-am654-idk.dtso
++++ b/arch/arm64/boot/dts/ti/k3-am654-idk.dtso
+@@ -58,9 +58,7 @@
+ <&main_udmap 0xc107>, /* egress slice 1 */
+
+ <&main_udmap 0x4100>, /* ingress slice 0 */
+- <&main_udmap 0x4101>, /* ingress slice 1 */
+- <&main_udmap 0x4102>, /* mgmnt rsp slice 0 */
+- <&main_udmap 0x4103>; /* mgmnt rsp slice 1 */
++ <&main_udmap 0x4101>; /* ingress slice 1 */
+ dma-names = "tx0-0", "tx0-1", "tx0-2", "tx0-3",
+ "tx1-0", "tx1-1", "tx1-2", "tx1-3",
+ "rx0", "rx1";
+@@ -126,9 +124,7 @@
+ <&main_udmap 0xc207>, /* egress slice 1 */
+
+ <&main_udmap 0x4200>, /* ingress slice 0 */
+- <&main_udmap 0x4201>, /* ingress slice 1 */
+- <&main_udmap 0x4202>, /* mgmnt rsp slice 0 */
+- <&main_udmap 0x4203>; /* mgmnt rsp slice 1 */
++ <&main_udmap 0x4201>; /* ingress slice 1 */
+ dma-names = "tx0-0", "tx0-1", "tx0-2", "tx0-3",
+ "tx1-0", "tx1-1", "tx1-2", "tx1-3",
+ "rx0", "rx1";
+--
+2.43.0
+
--- /dev/null
+From 249be756182433bcbcbed10316d51c4f5e0dd6fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 13:12:32 -0500
+Subject: arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x carveout
+ locations
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit 1a314099b7559690fe23cdf3300dfff6e830ecb1 ]
+
+The DMA carveout for the C6x core 0 is at 0xa6000000 and core 1 is at
+0xa7000000. These are reversed in DT. While both C6x can access either
+region, so this is not normally a problem, but if we start restricting
+the memory each core can access (such as with firewalls) the cores
+accessing the regions for the wrong core will not work. Fix this here.
+
+Fixes: fae14a1cb8dd ("arm64: dts: ti: Add k3-j721e-beagleboneai64")
+Signed-off-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20240801181232.55027-2-afd@ti.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts b/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts
+index a2925555fe818..fb899c99753ec 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts
++++ b/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts
+@@ -123,7 +123,7 @@
+ no-map;
+ };
+
+- c66_1_dma_memory_region: c66-dma-memory@a6000000 {
++ c66_0_dma_memory_region: c66-dma-memory@a6000000 {
+ compatible = "shared-dma-pool";
+ reg = <0x00 0xa6000000 0x00 0x100000>;
+ no-map;
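Review bot: After the swap, the `c66_0_`/`c66_1_` label prefix is the only thing that ties each `c66-dma-memory@...` node to a core, and nothing in the file says so. The same holds for the second hunk of this patch and for both hunks of the k3-j721e-sk patch that follows. Because the commit message anticipates per-core firewalls, a one-line comment above each node, such as `/* C66x core 0 DMA pool; any per-core firewall range must match this node */`, would help keep a later edit from reversing them again. The `memory-region` properties that reference these labels are outside the hunks, so the pairing of each core with its pool should be confirmed there.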
+@@ -135,7 +135,7 @@
+ no-map;
+ };
+
+- c66_0_dma_memory_region: c66-dma-memory@a7000000 {
++ c66_1_dma_memory_region: c66-dma-memory@a7000000 {
+ compatible = "shared-dma-pool";
+ reg = <0x00 0xa7000000 0x00 0x100000>;
+ no-map;
+--
+2.43.0
+
--- /dev/null
+From bc70368fc660fa103d212b173cc1298d55970542 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 13:12:31 -0500
+Subject: arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout locations
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit 9f3814a7c06b7c7296cf8c1622078ad71820454b ]
+
+The DMA carveout for the C6x core 0 is at 0xa6000000 and core 1 is at
+0xa7000000. These are reversed in DT. While both C6x can access either
+region, so this is not normally a problem, but if we start restricting
+the memory each core can access (such as with firewalls) the cores
+accessing the regions for the wrong core will not work. Fix this here.
+
+Fixes: f46d16cf5b43 ("arm64: dts: ti: k3-j721e-sk: Add DDR carveout memory nodes")
+Signed-off-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20240801181232.55027-1-afd@ti.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+index 0c4575ad8d7cb..53156b71e4796 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
++++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+@@ -119,7 +119,7 @@
+ no-map;
+ };
+
+- c66_1_dma_memory_region: c66-dma-memory@a6000000 {
++ c66_0_dma_memory_region: c66-dma-memory@a6000000 {
+ compatible = "shared-dma-pool";
+ reg = <0x00 0xa6000000 0x00 0x100000>;
+ no-map;
+@@ -131,7 +131,7 @@
+ no-map;
+ };
+
+- c66_0_dma_memory_region: c66-dma-memory@a7000000 {
++ c66_1_dma_memory_region: c66-dma-memory@a7000000 {
+ compatible = "shared-dma-pool";
+ reg = <0x00 0xa7000000 0x00 0x100000>;
+ no-map;
+--
+2.43.0
+
--- /dev/null
+From f47770b641ad044b9cba1bc157b5230719dbe156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 16:20:05 +0100
+Subject: arm64: signal: Fix some under-bracketed UAPI macros
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+[ Upstream commit fc2220c9b15828319b09384e68399b4afc6276d9 ]
+
+A few SME-related sigcontext UAPI macros leave an argument
+unprotected from misparsing during macro expansion.
+
+Add parentheses around references to macro arguments where
+appropriate.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Fixes: ee072cf70804 ("arm64/sme: Implement signal handling for ZT")
+Fixes: 39782210eb7e ("arm64/sme: Implement ZA signal handling")
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240729152005.289844-1-Dave.Martin@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/uapi/asm/sigcontext.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/uapi/asm/sigcontext.h b/arch/arm64/include/uapi/asm/sigcontext.h
+index 8a45b7a411e04..57f76d82077ea 100644
+--- a/arch/arm64/include/uapi/asm/sigcontext.h
++++ b/arch/arm64/include/uapi/asm/sigcontext.h
+@@ -320,10 +320,10 @@ struct zt_context {
+ ((sizeof(struct za_context) + (__SVE_VQ_BYTES - 1)) \
+ / __SVE_VQ_BYTES * __SVE_VQ_BYTES)
+
+-#define ZA_SIG_REGS_SIZE(vq) ((vq * __SVE_VQ_BYTES) * (vq * __SVE_VQ_BYTES))
++#define ZA_SIG_REGS_SIZE(vq) (((vq) * __SVE_VQ_BYTES) * ((vq) * __SVE_VQ_BYTES))
+
+ #define ZA_SIG_ZAV_OFFSET(vq, n) (ZA_SIG_REGS_OFFSET + \
+- (SVE_SIG_ZREG_SIZE(vq) * n))
++ (SVE_SIG_ZREG_SIZE(vq) * (n)))
+
+ #define ZA_SIG_CONTEXT_SIZE(vq) \
+ (ZA_SIG_REGS_OFFSET + ZA_SIG_REGS_SIZE(vq))
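Review bot: Even with the added parentheses, `ZA_SIG_REGS_SIZE(vq)` expands `vq` twice, so an argument with side effects is evaluated twice and the resulting size may not be what the caller intended. This is a UAPI header, so I would document the constraint on the macro, e.g. `/* NOTE: evaluates vq more than once; pass a side-effect-free expression */`. Callers that size a signal-frame buffer from this macro should also pass a value already checked against the valid VQ range. How the product is typed depends on `__SVE_VQ_BYTES`, which is defined outside this hunk, as is `SVE_SIG_ZREG_SIZE`.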
+@@ -334,7 +334,7 @@ struct zt_context {
+
+ #define ZT_SIG_REGS_OFFSET sizeof(struct zt_context)
+
+-#define ZT_SIG_REGS_SIZE(n) (ZT_SIG_REG_BYTES * n)
++#define ZT_SIG_REGS_SIZE(n) (ZT_SIG_REG_BYTES * (n))
+
+ #define ZT_SIG_CONTEXT_SIZE(n) \
+ (sizeof(struct zt_context) + ZT_SIG_REGS_SIZE(n))
+--
+2.43.0
+
--- /dev/null
+From 4370860807164f6c71aaf64f32cf4d809d03befd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 14:53:57 -0700
+Subject: arm64: smp: smp_send_stop() and crash_smp_send_stop() should try
+ non-NMI first
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit fdfa588124b6356cd08e5d3f0c3643c4ec3d6887 ]
+
+When testing hard lockup handling on my sc7180-trogdor-lazor device
+with pseudo-NMI enabled, with serial console enabled and with kgdb
+disabled, I found that the stack crawls printed to the serial console
+ended up as a jumbled mess. After rebooting, the pstore-based console
+looked fine though. Also, enabling kgdb to trap the panic made the
+console look fine and avoided the mess.
+
+After a bit of tracking down, I came to the conclusion that this was
+what was happening:
+1. The panic path was stopping all other CPUs with
+ panic_other_cpus_shutdown().
+2. At least one of those other CPUs was in the middle of printing to
+ the serial console and holding the console port's lock, which is
+ grabbed with "irqsave". ...but since we were stopping with an NMI
+ we didn't care about the "irqsave" and interrupted anyway.
+3. Since we stopped the CPU while it was holding the lock it would
+ never release it.
+4. All future calls to output to the console would end up failing to
+ get the lock in qcom_geni_serial_console_write(). This isn't
+ _totally_ unexpected at panic time but it's a code path that's not
+ well tested, hard to get right, and apparently doesn't work
+ terribly well on the Qualcomm geni serial driver.
+
+The Qualcomm geni serial driver was fixed to be a bit better in commit
+9e957a155005 ("serial: qcom-geni: Don't cancel/abort if we can't get
+the port lock") but it's nice not to get into this situation in the
+first place.
+
+Taking a page from what x86 appears to do in native_stop_other_cpus(),
+do this:
+1. First, try to stop other CPUs with a normal IPI and wait a second.
+ This gives them a chance to leave critical sections.
+2. If CPUs fail to stop then retry with an NMI, but give a much lower
+ timeout since there's no good reason for a CPU not to react quickly
+ to a NMI.
+
+This works well and avoids the corrupted console and (presumably)
+could help avoid other similar issues.
+
+In order to do this, we need to do a little re-organization of our
+IPIs since we don't have any more free IDs. Do what was suggested in
+previous conversations and combine "stop" and "crash stop". That frees
+up an IPI so now we can have a "stop" and "stop NMI".
+
+In order to do this we also need a slight change in the way we keep
+track of which CPUs still need to be stopped. We need to know
+specifically which CPUs haven't stopped yet when we fall back to NMI
+but in the "crash stop" case the "cpu_online_mask" isn't updated as
+CPUs go down. This is why that code path had an atomic of the number
+of CPUs left. Solve this by also updating the "cpu_online_mask" for
+crash stops.
+
+All of the above lets us combine the logic for "stop" and "crash stop"
+code, which appeared to have a bunch of arbitrary implementation
+differences.
+
+Aside from the above change where we try a normal IPI and then an NMI,
+the combined function has a few subtle differences:
+* In the normal smp_send_stop(), if we fail to stop one or more CPUs
+ then we won't include the current CPU (the one running
+ smp_send_stop()) in the error message.
+* In crash_smp_send_stop(), if we fail to stop some CPUs we'll print
+ the CPUs that we failed to stop instead of printing all _but_ the
+ current running CPU.
+* In crash_smp_send_stop(), we will now only print "SMP: stopping
+ secondary CPUs" if (system_state <= SYSTEM_RUNNING).
+
+Fixes: d7402513c935 ("arm64: smp: IPI_CPU_STOP and IPI_CPU_CRASH_STOP should try for NMI")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20240821145353.v3.1.Id4817adef610302554b8aa42b090d57270dc119c@changeid
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/smp.c | 160 ++++++++++++++++++++++++----------------
+ 1 file changed, 97 insertions(+), 63 deletions(-)
+
+diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
+index 05688f6a275f1..d36b9160e9346 100644
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -71,7 +71,7 @@ enum ipi_msg_type {
+ IPI_RESCHEDULE,
+ IPI_CALL_FUNC,
+ IPI_CPU_STOP,
+- IPI_CPU_CRASH_STOP,
++ IPI_CPU_STOP_NMI,
+ IPI_TIMER,
+ IPI_IRQ_WORK,
+ NR_IPI,
+@@ -88,6 +88,8 @@ static int ipi_irq_base __ro_after_init;
+ static int nr_ipi __ro_after_init = NR_IPI;
+ static struct irq_desc *ipi_desc[MAX_IPI] __ro_after_init;
+
++static bool crash_stop;
++
+ static void ipi_setup(int cpu);
+
+ #ifdef CONFIG_HOTPLUG_CPU
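Review bot: `crash_stop` is added as a plain `static bool` with no comment, yet the `do_handle_IPI()` hunk further down reads it on each target CPU to choose between `ipi_cpu_crash_stop()` and `local_cpu_stop()`. The store is not in the hunks shown here; presumably the crash path sets it before the stop IPI is sent, and that ordering is what keeps a CPU from taking the non-crash branch and skipping `crash_save_cpu()`. I would state the contract at the declaration, e.g. `/* Set by the crash path before the stop IPI is sent; read by the IPI_CPU_STOP and IPI_CPU_STOP_NMI handlers */`. Using `READ_ONCE()`/`WRITE_ONCE()` on the accesses would also make the cross-CPU use explicit.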
+@@ -773,7 +775,7 @@ static const char *ipi_types[MAX_IPI] __tracepoint_string = {
+ [IPI_RESCHEDULE] = "Rescheduling interrupts",
+ [IPI_CALL_FUNC] = "Function call interrupts",
+ [IPI_CPU_STOP] = "CPU stop interrupts",
+- [IPI_CPU_CRASH_STOP] = "CPU stop (for crash dump) interrupts",
++ [IPI_CPU_STOP_NMI] = "CPU stop NMIs",
+ [IPI_TIMER] = "Timer broadcast interrupts",
+ [IPI_IRQ_WORK] = "IRQ work interrupts",
+ [IPI_CPU_BACKTRACE] = "CPU backtrace interrupts",
+@@ -817,9 +819,9 @@ void arch_irq_work_raise(void)
+ }
+ #endif
+
+-static void __noreturn local_cpu_stop(void)
++static void __noreturn local_cpu_stop(unsigned int cpu)
+ {
+- set_cpu_online(smp_processor_id(), false);
++ set_cpu_online(cpu, false);
+
+ local_daif_mask();
+ sdei_mask_local_cpu();
+@@ -833,21 +835,26 @@ static void __noreturn local_cpu_stop(void)
+ */
+ void __noreturn panic_smp_self_stop(void)
+ {
+- local_cpu_stop();
++ local_cpu_stop(smp_processor_id());
+ }
+
+-#ifdef CONFIG_KEXEC_CORE
+-static atomic_t waiting_for_crash_ipi = ATOMIC_INIT(0);
+-#endif
+-
+ static void __noreturn ipi_cpu_crash_stop(unsigned int cpu, struct pt_regs *regs)
+ {
+ #ifdef CONFIG_KEXEC_CORE
++ /*
++ * Use local_daif_mask() instead of local_irq_disable() to make sure
++ * that pseudo-NMIs are disabled. The "crash stop" code starts with
++ * an IRQ and falls back to NMI (which might be pseudo). If the IRQ
++ * finally goes through right as we're timing out then the NMI could
++ * interrupt us. It's better to prevent the NMI and let the IRQ
++ * finish since the pt_regs will be better.
++ */
++ local_daif_mask();
++
+ crash_save_cpu(regs, cpu);
+
+- atomic_dec(&waiting_for_crash_ipi);
++ set_cpu_online(cpu, false);
+
+- local_irq_disable();
+ sdei_mask_local_cpu();
+
+ if (IS_ENABLED(CONFIG_HOTPLUG_CPU))
+@@ -912,14 +919,12 @@ static void do_handle_IPI(int ipinr)
+ break;
+
+ case IPI_CPU_STOP:
+- local_cpu_stop();
+- break;
+-
+- case IPI_CPU_CRASH_STOP:
+- if (IS_ENABLED(CONFIG_KEXEC_CORE)) {
++ case IPI_CPU_STOP_NMI:
++ if (IS_ENABLED(CONFIG_KEXEC_CORE) && crash_stop) {
+ ipi_cpu_crash_stop(cpu, get_irq_regs());
+-
+ unreachable();
++ } else {
++ local_cpu_stop(cpu);
+ }
+ break;
+
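Review bot: The merged `case IPI_CPU_STOP:` / `case IPI_CPU_STOP_NMI:` arm chooses between the crash path and `local_cpu_stop(cpu)` by reading the file-scope `crash_stop` flag, which crash_smp_send_stop() writes on another CPU as a plain store. Nothing in the visible hunks marks that cross-CPU access, so the ordering presumably rests on a barrier inside smp_cross_call(). The read deserves a comment such as `/* crash_stop is written before the IPI is raised, see crash_smp_send_stop() */`, or `READ_ONCE(crash_stop)` here paired with `WRITE_ONCE(crash_stop, true)` at the writer. do_handle_IPI() starts and ends outside the hunk.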
+@@ -974,8 +979,7 @@ static bool ipi_should_be_nmi(enum ipi_msg_type ipi)
+ return false;
+
+ switch (ipi) {
+- case IPI_CPU_STOP:
+- case IPI_CPU_CRASH_STOP:
++ case IPI_CPU_STOP_NMI:
+ case IPI_CPU_BACKTRACE:
+ case IPI_KGDB_ROUNDUP:
+ return true;
+@@ -1088,79 +1092,109 @@ static inline unsigned int num_other_online_cpus(void)
+
+ void smp_send_stop(void)
+ {
++ static unsigned long stop_in_progress;
++ cpumask_t mask;
+ unsigned long timeout;
+
+- if (num_other_online_cpus()) {
+- cpumask_t mask;
++ /*
++ * If this cpu is the only one alive at this point in time, online or
++ * not, there are no stop messages to be sent around, so just back out.
++ */
++ if (num_other_online_cpus() == 0)
++ goto skip_ipi;
+
+- cpumask_copy(&mask, cpu_online_mask);
+- cpumask_clear_cpu(smp_processor_id(), &mask);
++ /* Only proceed if this is the first CPU to reach this code */
++ if (test_and_set_bit(0, &stop_in_progress))
++ return;
+
+- if (system_state <= SYSTEM_RUNNING)
+- pr_crit("SMP: stopping secondary CPUs\n");
+- smp_cross_call(&mask, IPI_CPU_STOP);
+- }
++ /*
++ * Send an IPI to all currently online CPUs except the CPU running
++ * this code.
++ *
++ * NOTE: we don't do anything here to prevent other CPUs from coming
++ * online after we snapshot `cpu_online_mask`. Ideally, the calling code
++ * should do something to prevent other CPUs from coming up. This code
++ * can be called in the panic path and thus it doesn't seem wise to
++ * grab the CPU hotplug mutex ourselves. Worst case:
++ * - If a CPU comes online as we're running, we'll likely notice it
++ * during the 1 second wait below and then we'll catch it when we try
++ * with an NMI (assuming NMIs are enabled) since we re-snapshot the
++ * mask before sending an NMI.
++ * - If we leave the function and see that CPUs are still online we'll
++ * at least print a warning. Especially without NMIs this function
++ * isn't foolproof anyway so calling code will just have to accept
++ * the fact that there could be cases where a CPU can't be stopped.
++ */
++ cpumask_copy(&mask, cpu_online_mask);
++ cpumask_clear_cpu(smp_processor_id(), &mask);
+
+- /* Wait up to one second for other CPUs to stop */
++ if (system_state <= SYSTEM_RUNNING)
++ pr_crit("SMP: stopping secondary CPUs\n");
++
++ /*
++ * Start with a normal IPI and wait up to one second for other CPUs to
++ * stop. We do this first because it gives other processors a chance
++ * to exit critical sections / drop locks and makes the rest of the
++ * stop process (especially console flush) more robust.
++ */
++ smp_cross_call(&mask, IPI_CPU_STOP);
+ timeout = USEC_PER_SEC;
+ while (num_other_online_cpus() && timeout--)
+ udelay(1);
+
+- if (num_other_online_cpus())
++ /*
++ * If CPUs are still online, try an NMI. There's no excuse for this to
++ * be slow, so we only give them an extra 10 ms to respond.
++ */
++ if (num_other_online_cpus() && ipi_should_be_nmi(IPI_CPU_STOP_NMI)) {
++ smp_rmb();
++ cpumask_copy(&mask, cpu_online_mask);
++ cpumask_clear_cpu(smp_processor_id(), &mask);
++
++ pr_info("SMP: retry stop with NMI for CPUs %*pbl\n",
++ cpumask_pr_args(&mask));
++
++ smp_cross_call(&mask, IPI_CPU_STOP_NMI);
++ timeout = USEC_PER_MSEC * 10;
++ while (num_other_online_cpus() && timeout--)
++ udelay(1);
++ }
++
++ if (num_other_online_cpus()) {
++ smp_rmb();
++ cpumask_copy(&mask, cpu_online_mask);
++ cpumask_clear_cpu(smp_processor_id(), &mask);
++
+ pr_warn("SMP: failed to stop secondary CPUs %*pbl\n",
+- cpumask_pr_args(cpu_online_mask));
++ cpumask_pr_args(&mask));
++ }
+
++skip_ipi:
+ sdei_mask_local_cpu();
+ }
+
+ #ifdef CONFIG_KEXEC_CORE
+ void crash_smp_send_stop(void)
+ {
+- static int cpus_stopped;
+- cpumask_t mask;
+- unsigned long timeout;
+-
+ /*
+ * This function can be called twice in panic path, but obviously
+ * we execute this only once.
++ *
++ * We use this same boolean to tell whether the IPI we send was a
++ * stop or a "crash stop".
+ */
+- if (cpus_stopped)
++ if (crash_stop)
+ return;
++ crash_stop = 1;
+
+- cpus_stopped = 1;
++ smp_send_stop();
+
+- /*
+- * If this cpu is the only one alive at this point in time, online or
+- * not, there are no stop messages to be sent around, so just back out.
+- */
+- if (num_other_online_cpus() == 0)
+- goto skip_ipi;
+-
+- cpumask_copy(&mask, cpu_online_mask);
+- cpumask_clear_cpu(smp_processor_id(), &mask);
+-
+- atomic_set(&waiting_for_crash_ipi, num_other_online_cpus());
+-
+- pr_crit("SMP: stopping secondary CPUs\n");
+- smp_cross_call(&mask, IPI_CPU_CRASH_STOP);
+-
+- /* Wait up to one second for other CPUs to stop */
+- timeout = USEC_PER_SEC;
+- while ((atomic_read(&waiting_for_crash_ipi) > 0) && timeout--)
+- udelay(1);
+-
+- if (atomic_read(&waiting_for_crash_ipi) > 0)
+- pr_warn("SMP: failed to stop secondary CPUs %*pbl\n",
+- cpumask_pr_args(&mask));
+-
+-skip_ipi:
+- sdei_mask_local_cpu();
+ sdei_handler_abort();
+ }
+
+ bool smp_crash_stop_failed(void)
+ {
+- return (atomic_read(&waiting_for_crash_ipi) > 0);
++ return num_other_online_cpus() != 0;
+ }
+ #endif
+
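Review bot: In smp_send_stop(), the `return` taken when `test_and_set_bit(0, &stop_in_progress)` finds the bit already set skips both wait loops and the `sdei_mask_local_cpu()` at `skip_ipi:`, which the old code ran on every call. crash_smp_send_stop() now goes through this function and then calls `sdei_handler_abort()`, so a caller arriving on a second CPU while a stop is in flight would carry on without waiting and without masking SDEI locally, and smp_crash_stop_failed() would report whatever is online at that instant. If that is intended, the comment above the test should say so; otherwise `goto skip_ipi;` would at least keep the local masking. Separately, `crash_stop = 1;` assigns an int to a `bool` and reads better as `crash_stop = true;`.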
+--
+2.43.0
+
--- /dev/null
+From bff24550bed3b340442c27765d8735912dc6e365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2024 14:20:20 +0100
+Subject: arm64: tegra: Correct location of power-sensors for IGX Orin
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit b93679b8f165467e1584f9b23055db83f45c32ce ]
+
+The power-sensors are located on the carrier board and not the
+module board and so update the IGX Orin device-tree files to fix this.
+
+Fixes: 9152ed09309d ("arm64: tegra: Add power-sensors for Tegra234 boards")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/nvidia/tegra234-p3701-0008.dtsi | 33 -------------------
+ .../boot/dts/nvidia/tegra234-p3740-0002.dtsi | 33 +++++++++++++++++++
+ 2 files changed, 33 insertions(+), 33 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/nvidia/tegra234-p3701-0008.dtsi b/arch/arm64/boot/dts/nvidia/tegra234-p3701-0008.dtsi
+index 553fa4ba1cd48..62c4fdad0b600 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra234-p3701-0008.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra234-p3701-0008.dtsi
+@@ -44,39 +44,6 @@
+ status = "okay";
+ };
+
+- i2c@c250000 {
+- power-sensor@41 {
+- compatible = "ti,ina3221";
+- reg = <0x41>;
+- #address-cells = <1>;
+- #size-cells = <0>;
+-
+- input@0 {
+- reg = <0x0>;
+- label = "CVB_ATX_12V";
+- shunt-resistor-micro-ohms = <2000>;
+- };
+-
+- input@1 {
+- reg = <0x1>;
+- label = "CVB_ATX_3V3";
+- shunt-resistor-micro-ohms = <2000>;
+- };
+-
+- input@2 {
+- reg = <0x2>;
+- label = "CVB_ATX_5V";
+- shunt-resistor-micro-ohms = <2000>;
+- };
+- };
+-
+- power-sensor@44 {
+- compatible = "ti,ina219";
+- reg = <0x44>;
+- shunt-resistor = <2000>;
+- };
+- };
+-
+ rtc@c2a0000 {
+ status = "okay";
+ };
+diff --git a/arch/arm64/boot/dts/nvidia/tegra234-p3740-0002.dtsi b/arch/arm64/boot/dts/nvidia/tegra234-p3740-0002.dtsi
+index 527f2f3aee3ad..377f518bd3e57 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra234-p3740-0002.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra234-p3740-0002.dtsi
+@@ -183,6 +183,39 @@
+ phy-names = "usb2-0", "usb2-1", "usb2-2", "usb2-3",
+ "usb3-0", "usb3-1", "usb3-2";
+ };
++
++ i2c@c250000 {
++ power-sensor@41 {
++ compatible = "ti,ina3221";
++ reg = <0x41>;
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ input@0 {
++ reg = <0x0>;
++ label = "CVB_ATX_12V";
++ shunt-resistor-micro-ohms = <2000>;
++ };
++
++ input@1 {
++ reg = <0x1>;
++ label = "CVB_ATX_3V3";
++ shunt-resistor-micro-ohms = <2000>;
++ };
++
++ input@2 {
++ reg = <0x2>;
++ label = "CVB_ATX_5V";
++ shunt-resistor-micro-ohms = <2000>;
++ };
++ };
++
++ power-sensor@44 {
++ compatible = "ti,ina219";
++ reg = <0x44>;
++ shunt-resistor = <2000>;
++ };
++ };
+ };
+
+ vdd_3v3_dp: regulator-vdd-3v3-dp {
+--
+2.43.0
+
--- /dev/null
+From 1765ec7f521ab0a7b5d048cd79fdb4bcbc92cba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 17:06:20 +0800
+Subject: ASoC: loongson: fix error release
+
+From: tangbin <tangbin@cmss.chinamobile.com>
+
+[ Upstream commit 97688a9c5b1fd2b826c682cdfa36d411a5c99828 ]
+
+In function loongson_card_parse_of(), when getting the device_node
+'codec' fails, the function of_node_put(codec) should not
+be invoked; fix the error release accordingly.
+
+Fixes: d24028606e76 ("ASoC: loongson: Add Loongson ASoC Sound Card Support")
+Signed-off-by: tangbin <tangbin@cmss.chinamobile.com>
+Link: https://patch.msgid.link/20240903090620.6276-1-tangbin@cmss.chinamobile.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/loongson/loongson_card.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/loongson/loongson_card.c b/sound/soc/loongson/loongson_card.c
+index fae5e9312bf08..2c8dbdba27c5f 100644
+--- a/sound/soc/loongson/loongson_card.c
++++ b/sound/soc/loongson/loongson_card.c
+@@ -127,8 +127,8 @@ static int loongson_card_parse_of(struct loongson_card_data *data)
+ codec = of_get_child_by_name(dev->of_node, "codec");
+ if (!codec) {
+ dev_err(dev, "audio-codec property missing or invalid\n");
+- ret = -EINVAL;
+- goto err;
++ of_node_put(cpu);
++ return -EINVAL;
+ }
+
+ for (i = 0; i < card->num_links; i++) {
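Review bot: The new `of_node_put(cpu); return -EINVAL;` adds a second exit that repeats cleanup the `err` label presumably already performs, and of_node_put() does nothing for a NULL node, so the old `goto err` with `codec == NULL` was likely harmless. Keeping a single exit keeps future cleanup in one place; if the early return stays, a comment such as `/* codec lookup failed: only the cpu node is held here */` explains why it bypasses `err`. The `err` label and the rest of loongson_card_parse_of() are outside the hunk, so this needs checking against the full function.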
+--
+2.43.0
+
--- /dev/null
+From 7320133a4a2e5087ea816795c6b2260d3dc2aba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 19:54:36 +0800
+Subject: ASoC: rt5682s: Return devm_of_clk_add_hw_provider to transfer the
+ error
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+[ Upstream commit 3ff810b9bebe5578a245cfa97c252ab602e703f1 ]
+
+Return devm_of_clk_add_hw_provider() in order to transfer the error, if it
+fails due to resource allocation failure or device tree clock provider
+registration failure.
+
+Fixes: bdd229ab26be ("ASoC: rt5682s: Add driver for ALC5682I-VS codec")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20240717115436.3449492-1-make24@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5682s.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/rt5682s.c b/sound/soc/codecs/rt5682s.c
+index f50f196d700d7..ce2e88e066f3e 100644
+--- a/sound/soc/codecs/rt5682s.c
++++ b/sound/soc/codecs/rt5682s.c
+@@ -2828,7 +2828,9 @@ static int rt5682s_register_dai_clks(struct snd_soc_component *component)
+ }
+
+ if (dev->of_node) {
+- devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, dai_clk_hw);
++ ret = devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, dai_clk_hw);
++ if (ret)
++ return ret;
+ } else {
+ ret = devm_clk_hw_register_clkdev(dev, dai_clk_hw,
+ init.name, dev_name(dev));
+--
+2.43.0
+
--- /dev/null
+From e6db9a3eef9fce7e2e2df688b1899a9a5c62d7c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 17:02:32 +0200
+Subject: ASoC: tas2781-i2c: Drop weird GPIO code
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit c2c0b67dca3cb3b3cea0dd60075a1c5ba77e2fcd ]
+
+The tas2781-i2c driver gets an IRQ from either ACPI or device tree,
+then proceeds to check if the IRQ has a corresponding GPIO and in
+case it does enforce the GPIO as input and set a label on it.
+
+This is abuse of the API:
+
+- First we cannot guarantee that the numberspaces of the GPIOs and
+ the IRQs are the same, i.e that an IRQ number corresponds to
+ a GPIO number like that.
+
+- Second, GPIO chips and IRQ chips should be treated as orthogonal
+ APIs, the irqchip needs to ascertain that the backing GPIO line
+ is set to input etc just using the irqchip.
+
+- Third it is using the legacy <linux/gpio.h> API which should not
+ be used in new code yet this was added just a year ago.
+
+Delete the offending code.
+
+If this creates problems the GPIO and irqchip maintainers can help
+to fix the issues.
+
+It *should* not create any problems, because the irq isn't
+used anywhere in the driver, it's just obtained and then
+left unused.
+
+Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patch.msgid.link/20240807-asoc-tas-gpios-v2-1-bd0f2705d58b@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/tas2781.h | 7 +------
+ sound/pci/hda/tas2781_hda_i2c.c | 2 +-
+ sound/soc/codecs/tas2781-comlib.c | 3 ---
+ sound/soc/codecs/tas2781-fmwlib.c | 1 -
+ sound/soc/codecs/tas2781-i2c.c | 24 +++---------------------
+ 5 files changed, 5 insertions(+), 32 deletions(-)
+
+diff --git a/include/sound/tas2781.h b/include/sound/tas2781.h
+index 99ca3e401fd1f..6f6e3e2f652c9 100644
+--- a/include/sound/tas2781.h
++++ b/include/sound/tas2781.h
+@@ -80,11 +80,6 @@ struct tasdevice {
+ bool is_loaderr;
+ };
+
+-struct tasdevice_irqinfo {
+- int irq_gpio;
+- int irq;
+-};
+-
+ struct calidata {
+ unsigned char *data;
+ unsigned long total_sz;
+@@ -92,7 +87,6 @@ struct calidata {
+
+ struct tasdevice_priv {
+ struct tasdevice tasdevice[TASDEVICE_MAX_CHANNELS];
+- struct tasdevice_irqinfo irq_info;
+ struct tasdevice_rca rcabin;
+ struct calidata cali_data;
+ struct tasdevice_fw *fmw;
+@@ -113,6 +107,7 @@ struct tasdevice_priv {
+ unsigned int chip_id;
+ unsigned int sysclk;
+
++ int irq;
+ int cur_prog;
+ int cur_conf;
+ int fw_state;
+diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c
+index 9e88d39eac1e2..0676b41605660 100644
+--- a/sound/pci/hda/tas2781_hda_i2c.c
++++ b/sound/pci/hda/tas2781_hda_i2c.c
+@@ -822,7 +822,7 @@ static int tas2781_hda_i2c_probe(struct i2c_client *clt)
+ } else
+ return -ENODEV;
+
+- tas_hda->priv->irq_info.irq = clt->irq;
++ tas_hda->priv->irq = clt->irq;
+ ret = tas2781_read_acpi(tas_hda->priv, device_name);
+ if (ret)
+ return dev_err_probe(tas_hda->dev, ret,
+diff --git a/sound/soc/codecs/tas2781-comlib.c b/sound/soc/codecs/tas2781-comlib.c
+index 3aa81514dad76..0444cf90c5119 100644
+--- a/sound/soc/codecs/tas2781-comlib.c
++++ b/sound/soc/codecs/tas2781-comlib.c
+@@ -14,7 +14,6 @@
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/regmap.h>
+ #include <linux/slab.h>
+@@ -406,8 +405,6 @@ EXPORT_SYMBOL_GPL(tasdevice_dsp_remove);
+
+ void tasdevice_remove(struct tasdevice_priv *tas_priv)
+ {
+- if (gpio_is_valid(tas_priv->irq_info.irq_gpio))
+- gpio_free(tas_priv->irq_info.irq_gpio);
+ mutex_destroy(&tas_priv->codec_lock);
+ }
+ EXPORT_SYMBOL_GPL(tasdevice_remove);
+diff --git a/sound/soc/codecs/tas2781-fmwlib.c b/sound/soc/codecs/tas2781-fmwlib.c
+index 8f9a3ae7153e9..f3a7605f07104 100644
+--- a/sound/soc/codecs/tas2781-fmwlib.c
++++ b/sound/soc/codecs/tas2781-fmwlib.c
+@@ -13,7 +13,6 @@
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/regmap.h>
+ #include <linux/slab.h>
+diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
+index 1963c777ba8e0..d6bbf94d55713 100644
+--- a/sound/soc/codecs/tas2781-i2c.c
++++ b/sound/soc/codecs/tas2781-i2c.c
+@@ -22,7 +22,6 @@
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/regmap.h>
+ #include <linux/slab.h>
+@@ -619,7 +618,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ {
+ struct i2c_client *client = (struct i2c_client *)tas_priv->client;
+ unsigned int dev_addrs[TASDEVICE_MAX_CHANNELS];
+- int rc, i, ndev = 0;
++ int i, ndev = 0;
+
+ if (tas_priv->isacpi) {
+ ndev = device_property_read_u32_array(&client->dev,
+@@ -634,7 +633,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ "ti,audio-slots", dev_addrs, ndev);
+ }
+
+- tas_priv->irq_info.irq_gpio =
++ tas_priv->irq =
+ acpi_dev_gpio_irq_get(ACPI_COMPANION(&client->dev), 0);
+ } else if (IS_ENABLED(CONFIG_OF)) {
+ struct device_node *np = tas_priv->dev->of_node;
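Review bot: `tas_priv->irq` now stores the raw return of `acpi_dev_gpio_irq_get()` here and of `of_irq_get()` in the next hunk, and both can return a negative errno, while the validity check and error message that used to follow are removed by this patch. The description says the value is currently unused, so nothing breaks today, but the new field name invites a later `request_irq(tas_priv->irq, ...)` with an error code. A comment on the member in tas2781.h, `int irq; /* <= 0 when no interrupt was found */`, or normalising failures to 0 at the two assignments would make the contract visible. tasdevice_parse_dt() starts and ends outside the hunk.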
+@@ -646,7 +645,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ dev_addrs[ndev++] = addr;
+ }
+
+- tas_priv->irq_info.irq_gpio = of_irq_get(np, 0);
++ tas_priv->irq = of_irq_get(np, 0);
+ } else {
+ ndev = 1;
+ dev_addrs[0] = client->addr;
+@@ -662,23 +661,6 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ __func__);
+
+ strcpy(tas_priv->dev_name, tasdevice_id[tas_priv->chip_id].name);
+-
+- if (gpio_is_valid(tas_priv->irq_info.irq_gpio)) {
+- rc = gpio_request(tas_priv->irq_info.irq_gpio,
+- "AUDEV-IRQ");
+- if (!rc) {
+- gpio_direction_input(
+- tas_priv->irq_info.irq_gpio);
+-
+- tas_priv->irq_info.irq =
+- gpio_to_irq(tas_priv->irq_info.irq_gpio);
+- } else
+- dev_err(tas_priv->dev, "%s: GPIO %d request error\n",
+- __func__, tas_priv->irq_info.irq_gpio);
+- } else
+- dev_err(tas_priv->dev,
+- "Looking up irq-gpio property failed %d\n",
+- tas_priv->irq_info.irq_gpio);
+ }
+
+ static int tasdevice_i2c_probe(struct i2c_client *i2c)
+--
+2.43.0
+
--- /dev/null
+From daa95407cd063f8945ad5b86aa75cc2f5ecd6e49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 17:02:33 +0200
+Subject: ASoC: tas2781-i2c: Get the right GPIO line
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 1c4b509edad15192bfb64c81d3c305bbae8070db ]
+
+The code is obtaining a GPIO reset using the reset GPIO
+name "reset-gpios", but the gpiolib is already adding the
+suffix "-gpios" to anything passed to this function and
+will be looking for "reset-gpios-gpios" which is most
+certainly not what the author desired.
+
+Fix it up.
+
+Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patch.msgid.link/20240807-asoc-tas-gpios-v2-2-bd0f2705d58b@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2781-i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
+index d6bbf94d55713..edd1ad3062c88 100644
+--- a/sound/soc/codecs/tas2781-i2c.c
++++ b/sound/soc/codecs/tas2781-i2c.c
+@@ -655,7 +655,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ tas_priv->tasdevice[i].dev_addr = dev_addrs[i];
+
+ tas_priv->reset = devm_gpiod_get_optional(&client->dev,
+- "reset-gpios", GPIOD_OUT_HIGH);
++ "reset", GPIOD_OUT_HIGH);
+ if (IS_ERR(tas_priv->reset))
+ dev_err(tas_priv->dev, "%s Can't get reset GPIO\n",
+ __func__);
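Review bot: With the con_id corrected to `"reset"` this lookup will start succeeding on systems that describe the line, so `GPIOD_OUT_HIGH` now drives the reset GPIO to its asserted logical state during probe where the old name found nothing; it is worth confirming that the release of reset runs before the first register access. The error branch only logs, which leaves an ERR_PTR in `tas_priv->reset`; adding `tas_priv->reset = NULL;` after the `dev_err()` keeps any later NULL check from treating it as a valid descriptor. Because tasdevice_parse_dt() returns void, a -EPROBE_DEFER from the GPIO provider is also swallowed here. The function continues outside the hunk.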
+--
+2.43.0
+
--- /dev/null
+From f15de9690bdc101b97b626ce81e76a2f2c5adac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 15:54:01 -0600
+Subject: ASoC: tas2781: Use of_property_read_reg()
+
+From: Rob Herring (Arm) <robh@kernel.org>
+
+[ Upstream commit 31a45f9190b5b4f5cd8cdec8471babd5215eee04 ]
+
+Replace the open-coded parsing of "reg" with of_property_read_reg().
+The #ifdef is also easily replaced with IS_ENABLED().
+
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Link: https://patch.msgid.link/20240702215402.839673-1-robh@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: c2c0b67dca3c ("ASoC: tas2781-i2c: Drop weird GPIO code")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2781-i2c.c | 34 +++++++++++-----------------------
+ 1 file changed, 11 insertions(+), 23 deletions(-)
+
+diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
+index c64d458e524e2..1963c777ba8e0 100644
+--- a/sound/soc/codecs/tas2781-i2c.c
++++ b/sound/soc/codecs/tas2781-i2c.c
+@@ -21,6 +21,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
++#include <linux/of_address.h>
+ #include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/regmap.h>
+@@ -635,33 +636,20 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+
+ tas_priv->irq_info.irq_gpio =
+ acpi_dev_gpio_irq_get(ACPI_COMPANION(&client->dev), 0);
+- } else {
++ } else if (IS_ENABLED(CONFIG_OF)) {
+ struct device_node *np = tas_priv->dev->of_node;
+-#ifdef CONFIG_OF
+- const __be32 *reg, *reg_end;
+- int len, sw, aw;
+-
+- aw = of_n_addr_cells(np);
+- sw = of_n_size_cells(np);
+- if (sw == 0) {
+- reg = (const __be32 *)of_get_property(np,
+- "reg", &len);
+- reg_end = reg + len/sizeof(*reg);
+- ndev = 0;
+- do {
+- dev_addrs[ndev] = of_read_number(reg, aw);
+- reg += aw;
+- ndev++;
+- } while (reg < reg_end);
+- } else {
+- ndev = 1;
+- dev_addrs[0] = client->addr;
++ u64 addr;
++
++ for (i = 0; i < TASDEVICE_MAX_CHANNELS; i++) {
++ if (of_property_read_reg(np, i, &addr, NULL))
++ break;
++ dev_addrs[ndev++] = addr;
+ }
+-#else
++
++ tas_priv->irq_info.irq_gpio = of_irq_get(np, 0);
++ } else {
+ ndev = 1;
+ dev_addrs[0] = client->addr;
+-#endif
+- tas_priv->irq_info.irq_gpio = of_irq_get(np, 0);
+ }
+ tas_priv->ndev = ndev;
+ for (i = 0; i < ndev; i++)
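Review bot: When CONFIG_OF is enabled and `of_property_read_reg()` fails on the first index, `ndev` stays 0 and the device ends up with no channels; the removed code had a fallback to `client->addr` (its `sw != 0` branch) that has no counterpart in the new OF path. If that fallback is still wanted, `if (!ndev) { ndev = 1; dev_addrs[0] = client->addr; }` after the loop restores it. The store `dev_addrs[ndev++] = addr;` also narrows a u64 to `unsigned int` silently; an I2C address fits, but a comment or range check would say so. Bounding the loop by TASDEVICE_MAX_CHANNELS is a real improvement over the old do/while, which put no limit on writes into the on-stack `dev_addrs`. tasdevice_parse_dt() continues outside the hunk.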
+--
+2.43.0
+
--- /dev/null
+From 7cc5a784787e612e0538bc91743102179c5e1040 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 17:42:38 +0200
+Subject: ata: libata: Clear DID_TIME_OUT for ATA PT commands with sense data
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit e5dd410acb34c7341a0a93b429dcf3dabf9e3323 ]
+
+When ata_qc_complete() schedules a command for EH using
+ata_qc_schedule_eh(), blk_abort_request() will be called, which leads to
+req->q->mq_ops->timeout() / scsi_timeout() being called.
+
+scsi_timeout(), if the LLDD has no abort handler (libata has no abort
+handler), will set host byte to DID_TIME_OUT, and then call
+scsi_eh_scmd_add() to add the command to EH.
+
+Thus, when commands first enter libata's EH strategy_handler, all the
+commands that have been added to EH will have DID_TIME_OUT set.
+
+libata has its own flag (AC_ERR_TIMEOUT), that it sets for commands that
+have not received a completion at the time of entering EH.
+
+Thus, libata doesn't really care about DID_TIME_OUT at all, and currently
+clears the host byte at the end of EH, in ata_scsi_qc_complete(), before
+scsi_eh_finish_cmd() is called.
+
+However, this clearing in ata_scsi_qc_complete() is currently only done
+for commands that are not ATA passthrough commands.
+
+Since the host byte is visible in the completion that we return to user
+space for ATA passthrough commands, for ATA passthrough commands that got
+completed via EH (commands with sense data), the user will incorrectly see:
+ATA pass-through(16): transport error: Host_status=0x03 [DID_TIME_OUT]
+
+Fix this by moving the clearing of the host byte (which is currently only
+done for commands that are not ATA passthrough commands) from
+ata_scsi_qc_complete() to the start of EH (regardless if the command is
+ATA passthrough or not).
+
+While at it, use the proper helper function to clear the host byte, rather
+than open coding the clearing.
+
+This will make sure that we:
+-Correctly clear DID_TIME_OUT for both ATA passthrough commands and
+ commands that are not ATA passthrough commands.
+-Do not needlessly clear the host byte for commands that did not go via EH.
+ ata_scsi_qc_complete() is called both for commands that are completed
+ normally (without going via EH), and for commands that went via EH,
+ however, only commands that went via EH will have DID_TIME_OUT set.
+
+Fixes: 24aeebbf8ea9 ("scsi: ata: libata: Change ata_eh_request_sense() to not set CHECK_CONDITION")
+Reported-by: Igor Pylypiv <ipylypiv@google.com>
+Closes: https://lore.kernel.org/linux-ide/ZttIN8He8TOZ7Lct@google.com/
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Igor Pylypiv <ipylypiv@google.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-eh.c | 8 ++++++++
+ drivers/ata/libata-scsi.c | 3 ---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 214b935c2ced7..7df9ec9f924c4 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -630,6 +630,14 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap,
+ list_for_each_entry_safe(scmd, tmp, eh_work_q, eh_entry) {
+ struct ata_queued_cmd *qc;
+
++ /*
++ * If the scmd was added to EH, via ata_qc_schedule_eh() ->
++ * scsi_timeout() -> scsi_eh_scmd_add(), scsi_timeout() will
++ * have set DID_TIME_OUT (since libata does not have an abort
++ * handler). Thus, to clear DID_TIME_OUT, clear the host byte.
++ */
++ set_host_byte(scmd, DID_OK);
++
+ ata_qc_for_each_raw(ap, qc, i) {
+ if (qc->flags & ATA_QCFLAG_ACTIVE &&
+ qc->scsicmd == scmd)
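Review bot: The new comment opens with "If the scmd was added to EH, via ata_qc_schedule_eh() ...", yet `set_host_byte(scmd, DID_OK)` runs unconditionally for every entry on `eh_work_q`, including commands that reached EH through a genuine timeout. Per the commit description that is intended, since libata tracks timeouts with AC_ERR_TIMEOUT, but the comment should state it, e.g. `/* libata tracks timeouts itself (AC_ERR_TIMEOUT), so clear the host byte for every scmd entering EH */`. ata_scsi_cmd_error_handler() starts and ends outside the hunk.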
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 4116ae0887191..fdddd28089c5f 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1693,9 +1693,6 @@ static void ata_scsi_qc_complete(struct ata_queued_cmd *qc)
+ set_status_byte(qc->scsicmd, SAM_STAT_CHECK_CONDITION);
+ } else if (is_error && !have_sense) {
+ ata_gen_ata_sense(qc);
+- } else {
+- /* Keep the SCSI ML and status byte, clear host byte. */
+- cmd->result &= 0x0000ffff;
+ }
+
+ ata_qc_done(qc);
+--
+2.43.0
+
--- /dev/null
+From e1c284d763f41c5ad5f6117988d2009e25970726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 23:10:27 +1000
+Subject: autofs: fix missing fput for FSCONFIG_SET_FD
+
+From: Aleksa Sarai <cyphar@cyphar.com>
+
+[ Upstream commit 6a64c5220c5df235448b846aeff3c0660d4cc83e ]
+
+If you pass an fd using FSCONFIG_SET_FD, autofs_parse_fd() "steals" the
+param->file and so the fs_context infrastructure will not do fput() for
+us.
+
+Fixes: e6ec453bd0f0 ("autofs: convert autofs to use the new mount api")
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Link: https://lore.kernel.org/r/20240731-fsconfig-fsparam_fd-fixes-v2-1-e7c472224417@cyphar.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/autofs/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
+index 1f5db68636631..bb404bfce036b 100644
+--- a/fs/autofs/inode.c
++++ b/fs/autofs/inode.c
+@@ -172,8 +172,7 @@ static int autofs_parse_fd(struct fs_context *fc, struct autofs_sb_info *sbi,
+ ret = autofs_check_pipe(pipe);
+ if (ret < 0) {
+ errorf(fc, "Invalid/unusable pipe");
+- if (param->type != fs_value_is_file)
+- fput(pipe);
++ fput(pipe);
+ return -EBADF;
+ }
+
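Review bot: The unconditional `fput(pipe)` is only correct because autofs_parse_fd() owns the reference whichever way `pipe` was obtained, and that ownership is not visible at this call site. A one-line comment here, `/* we own pipe on both paths, including the one taken from param->file */`, would stop the removed `param->type` test from being reintroduced. The assignment that takes the file is outside the hunk, so whether it also clears `param->file` could not be checked from here.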
+--
+2.43.0
+
--- /dev/null
+From b68848a2238913c215d14b439ca4f95997a59018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 11:20:58 +0200
+Subject: bareudp: Pull inner IP header in bareudp_udp_encap_recv().
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 45fa29c85117170b0508790f878b13ec6593c888 ]
+
+Bareudp reads the inner IP header to get the ECN value. Therefore, it
+needs to ensure that it's part of the skb's linear data.
+
+This is similar to the vxlan and geneve fixes for that same problem:
+ * commit f7789419137b ("vxlan: Pull inner IP header in vxlan_rcv().")
+ * commit 1ca1ba465e55 ("geneve: make sure to pull inner header in
+ geneve_rx()")
+
+Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/5205940067c40218a70fbb888080466b2fc288db.1726046181.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bareudp.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index 7aca0544fb29c..b4e820a123caf 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -68,6 +68,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ __be16 proto;
+ void *oiph;
+ int err;
++ int nh;
+
+ bareudp = rcu_dereference_sk_user_data(sk);
+ if (!bareudp)
+@@ -148,10 +149,25 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ }
+ skb_dst_set(skb, &tun_dst->dst);
+ skb->dev = bareudp->dev;
+- oiph = skb_network_header(skb);
+- skb_reset_network_header(skb);
+ skb_reset_mac_header(skb);
+
++ /* Save offset of outer header relative to skb->head,
++ * because we are going to reset the network header to the inner header
++ * and might change skb->head.
++ */
++ nh = skb_network_header(skb) - skb->head;
++
++ skb_reset_network_header(skb);
++
++ if (!pskb_inet_may_pull(skb)) {
++ DEV_STATS_INC(bareudp->dev, rx_length_errors);
++ DEV_STATS_INC(bareudp->dev, rx_errors);
++ goto drop;
++ }
++
++ /* Get the outer header. */
++ oiph = skb->head + nh;
++
+ if (!ipv6_mod_enabled() || family == AF_INET)
+ err = IP_ECN_decapsulate(oiph, skb);
+ else
+--
+2.43.0
+
--- /dev/null
+From 80fc10feb7d9c4539fc56aed4bb1f65829b9200a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 11:21:05 +0200
+Subject: bareudp: Pull inner IP header on xmit.
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit c471236b2359e6b27388475dd04fff0a5e2bf922 ]
+
+Both bareudp_xmit_skb() and bareudp6_xmit_skb() read their skb's inner
+IP header to get its ECN value (with ip_tunnel_ecn_encap()). Therefore
+we need to ensure that the inner IP header is part of the skb's linear
+data.
+
+Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/267328222f0a11519c6de04c640a4f87a38ea9ed.1726046181.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bareudp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index b4e820a123caf..e80992b4f9de9 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -317,6 +317,9 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
+ __be32 saddr;
+ int err;
+
++ if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB)))
++ return -EINVAL;
++
+ if (!sock)
+ return -ESHUTDOWN;
+
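Review bot: The second argument `skb->protocol != htons(ETH_P_TEB)` looks carried over from tunnel drivers that can transport Ethernet frames; whether bareudp ever sees ETH_P_TEB on transmit is not visible here, and if it cannot, the expression is always true and a literal `true` with a short comment would be clearer. The same line is added to bareudp6_xmit_skb() in the next hunk. Placing the check before `if (!sock)` also changes the errno a malformed packet gets when the socket is already gone (-EINVAL rather than -ESHUTDOWN), which is worth a word if callers distinguish the two. Both function bodies continue outside the hunks.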
+@@ -384,6 +387,9 @@ static int bareudp6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
+ __be16 sport;
+ int err;
+
++ if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB)))
++ return -EINVAL;
++
+ if (!sock)
+ return -ESHUTDOWN;
+
+--
+2.43.0
+
--- /dev/null
+From eaad09230d6fbb7920cd68fde7a9c292edc5495f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:27 +0800
+Subject: block, bfq: choose the last bfqq from merge chain in
+ bfq_setup_cooperator()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 0e456dba86c7f9a19792204a044835f1ca2c8dbb ]
+
+Consider the following merge chain:
+
+Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \--------------\ \-------------\ \-------------\|
+ V V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+
+IO from Process 1 will get bfqf2 from BIC1 first, then
+bfq_setup_cooperator() will found bfqq2 already merged to bfqq3 and then
+handle this IO from bfqq3. However, the merge chain can be much deeper
+and bfqq3 can be merged to other bfqq as well.
+
+Fix this problem by iterating to the last bfqq in
+bfq_setup_cooperator().
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 4f02056f1d413..279ea5bed78d8 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -2911,8 +2911,12 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq,
+ struct bfq_iocq_bfqq_data *bfqq_data = &bic->bfqq_data[a_idx];
+
+ /* if a merge has already been setup, then proceed with that first */
+- if (bfqq->new_bfqq)
+- return bfqq->new_bfqq;
++ new_bfqq = bfqq->new_bfqq;
++ if (new_bfqq) {
++ while (new_bfqq->new_bfqq)
++ new_bfqq = new_bfqq->new_bfqq;
++ return new_bfqq;
++ }
+
+ /*
+ * Check delayed stable merge for rotational or non-queueing
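Review bot: Returning the tail of the chain changes which queue callers receive, but the callers shown elsewhere on this page still merge only `bfqq` into it, so the intermediate queues keep their process references. The later patch on this page, "fix procress reference leakage for bfqq in merge chain", describes exactly that leak and carries a Fixes tag for this commit, so the two should be backported together. The `while (new_bfqq->new_bfqq)` walk also presumably relies on the chain being acyclic; a comment such as `/* merge chains are acyclic: walk to the final target */` would record that assumption. bfq_setup_cooperator() continues outside the hunk.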
+--
+2.43.0
+
--- /dev/null
+From 45b5f99d38e135b4c8dc1777dc375c3c3a6bf54d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:28 +0800
+Subject: block, bfq: don't break merge chain in bfq_split_bfqq()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 42c306ed723321af4003b2a41bb73728cab54f85 ]
+
+Consider the following scenario:
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \-------------\ \-------------\ \--------------\|
+ V V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ref 0 1 2 4
+
+If Process 1 issue a new IO and bfqq2 is found, and then bfq_init_rq()
+decide to spilt bfqq2 by bfq_split_bfqq(). Howerver, procress reference
+of bfqq2 is 1 and bfq_split_bfqq() just clear the coop flag, which will
+break the merge chain.
+
+Expected result: caller will allocate a new bfqq for BIC1
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ | | |
+ \-------------\ \--------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ref 0 0 1 3
+
+Since the condition is only used for the last bfqq4 when the previous
+bfqq2 and bfqq3 are already splited. Fix the problem by checking if
+bfqq is the last one in the merge chain as well.
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-4-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 279ea5bed78d8..2b6fff39b9f4b 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6725,7 +6725,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq)
+ {
+ bfq_log_bfqq(bfqq->bfqd, bfqq, "splitting queue");
+
+- if (bfqq_process_refs(bfqq) == 1) {
++ if (bfqq_process_refs(bfqq) == 1 && !bfqq->new_bfqq) {
+ bfqq->pid = current->pid;
+ bfq_clear_bfqq_coop(bfqq);
+ bfq_clear_bfqq_split_coop(bfqq);
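Review bot: With `&& !bfqq->new_bfqq` added, a queue that has one process reference but sits in a merge chain no longer takes this reuse branch and falls through to the rest of bfq_split_bfqq(), which is outside the hunk. The follow-up patch on this page ("fix uaf for accessing waker_bfqq after splitting") states that the queue can then be freed by the split, so a caller must not touch `bfqq` afterwards. That contract deserves a comment on the condition, for example `/* a queue still in a merge chain is released below; callers must not use it after the split */`. This patch should not be backported without that follow-up.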
+--
+2.43.0
+
--- /dev/null
+From de1927518c3de80dfe6234c4cbc542318a9d8bad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:26 +0800
+Subject: block, bfq: fix possible UAF for bfqq->bic with merge chain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 18ad4df091dd5d067d2faa8fce1180b79f7041a7 ]
+
+1) initial state, three tasks:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ | Λ | Λ | Λ
+ | | | | | |
+ V | V | V |
+ bfqq1 bfqq2 bfqq3
+process ref: 1 1 1
+
+2) bfqq1 merged to bfqq2:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ | | | Λ
+ \--------------\| | |
+ V V |
+ bfqq1--------->bfqq2 bfqq3
+process ref: 0 2 1
+
+3) bfqq2 merged to bfqq3:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ here -> Λ | |
+ \--------------\ \-------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3
+process ref: 0 1 3
+
+In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
+get bfqq3 through merge chain, and finially handle IO by bfqq3.
+Howerver, current code will think bfqq2 is owned by BIC1, like initial
+state, and set bfqq2->bic to BIC1.
+
+bfq_insert_request
+-> by Process 1
+ bfqq = bfq_init_rq(rq)
+ bfqq = bfq_get_bfqq_handle_split
+ bfqq = bic_to_bfqq
+ -> get bfqq2 from BIC1
+ bfqq->ref++
+ rq->elv.priv[0] = bic
+ rq->elv.priv[1] = bfqq
+ if (bfqq_process_refs(bfqq) == 1)
+ bfqq->bic = bic
+ -> record BIC1 to bfqq2
+
+ __bfq_insert_request
+ new_bfqq = bfq_setup_cooperator
+ -> get bfqq3 from bfqq2->new_bfqq
+ bfqq_request_freed(bfqq)
+ new_bfqq->ref++
+ rq->elv.priv[1] = new_bfqq
+ -> handle IO by bfqq3
+
+Fix the problem by checking bfqq is from merge chain fist. And this
+might fix a following problem reported by our syzkaller(unreproducible):
+
+==================================================================
+BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
+BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
+BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
+Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
+
+CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+Workqueue: kblockd blk_mq_requeue_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:364 [inline]
+ print_report+0x10d/0x610 mm/kasan/report.c:475
+ kasan_report+0x8e/0xc0 mm/kasan/report.c:588
+ bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
+ bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
+ bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
+ bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
+ bfq_init_rq block/bfq-iosched.c:6876 [inline]
+ bfq_insert_request block/bfq-iosched.c:6254 [inline]
+ bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
+ blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
+ blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+ </TASK>
+
+Allocated by task 20776:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:188 [inline]
+ slab_post_alloc_hook mm/slab.h:763 [inline]
+ slab_alloc_node mm/slub.c:3458 [inline]
+ kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
+ ioc_create_icq block/blk-ioc.c:370 [inline]
+ ioc_find_get_icq+0x180/0xaa0 block/blk-ioc.c:436
+ bfq_prepare_request+0x39/0xf0 block/bfq-iosched.c:6812
+ blk_mq_rq_ctx_init.isra.7+0x6ac/0xa00 block/blk-mq.c:403
+ __blk_mq_alloc_requests+0xcc0/0x1070 block/blk-mq.c:517
+ blk_mq_get_new_requests block/blk-mq.c:2940 [inline]
+ blk_mq_submit_bio+0x624/0x27c0 block/blk-mq.c:3042
+ __submit_bio+0x331/0x6f0 block/blk-core.c:624
+ __submit_bio_noacct_mq block/blk-core.c:703 [inline]
+ submit_bio_noacct_nocheck+0x816/0xb40 block/blk-core.c:732
+ submit_bio_noacct+0x7a6/0x1b50 block/blk-core.c:826
+ xlog_write_iclog+0x7d5/0xa00 fs/xfs/xfs_log.c:1958
+ xlog_state_release_iclog+0x3b8/0x720 fs/xfs/xfs_log.c:619
+ xlog_cil_push_work+0x19c5/0x2270 fs/xfs/xfs_log_cil.c:1330
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+Freed by task 946:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ __kasan_slab_free+0x12c/0x1c0 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:164 [inline]
+ slab_free_hook mm/slub.c:1815 [inline]
+ slab_free_freelist_hook mm/slub.c:1841 [inline]
+ slab_free mm/slub.c:3786 [inline]
+ kmem_cache_free+0x118/0x6f0 mm/slub.c:3808
+ rcu_do_batch+0x35c/0xe30 kernel/rcu/tree.c:2189
+ rcu_core+0x819/0xd90 kernel/rcu/tree.c:2462
+ __do_softirq+0x1b0/0x7a2 kernel/softirq.c:553
+
+Last potentially related work creation:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
+ __call_rcu_common kernel/rcu/tree.c:2712 [inline]
+ call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
+ ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
+ ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
+ __call_rcu_common kernel/rcu/tree.c:2712 [inline]
+ call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
+ ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
+ ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+The buggy address belongs to the object at ffff888123839d68
+ which belongs to the cache bfq_io_cq of size 1360
+The buggy address is located 336 bytes inside of
+ freed 1360-byte region [ffff888123839d68, ffff88812383a2b8)
+
+The buggy address belongs to the physical page:
+page:ffffea00048e0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812383f588 pfn:0x123838
+head:ffffea00048e0e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x17ffffc0000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
+page_type: 0xffffffff()
+raw: 0017ffffc0000a40 ffff88810588c200 ffffea00048ffa10 ffff888105889488
+raw: ffff88812383f588 0000000000150006 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888123839d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888123839e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888123839e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888123839f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888123839f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-2-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 4b88a54a9b76c..4f02056f1d413 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6932,7 +6932,8 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ * addition, if the queue has also just been split, we have to
+ * resume its state.
+ */
+- if (likely(bfqq != &bfqd->oom_bfqq) && bfqq_process_refs(bfqq) == 1) {
++ if (likely(bfqq != &bfqd->oom_bfqq) && !bfqq->new_bfqq &&
++ bfqq_process_refs(bfqq) == 1) {
+ bfqq->bic = bic;
+ if (split) {
+ /*
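Review bot: The comment block that ends just above the condition still describes only the single-process and just-split cases, so the new `!bfqq->new_bfqq` test is unexplained in the code. Suggest adding to that block `* A queue with new_bfqq set is part of a merge chain and can be reached through another process's bic, so bic must not be recorded in it.` The commit message marks the KASAN report as unreproducible and says the change "might fix" it, so the link between this check and the trace is the author's inference. bfq_init_rq() starts and ends outside the hunk.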
+--
+2.43.0
+
--- /dev/null
+From 45c7aedcad8539de280f68f3e02c622c23483942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 21:41:49 +0800
+Subject: block, bfq: fix procress reference leakage for bfqq in merge chain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 73aeab373557fa6ee4ae0b742c6211ccd9859280 ]
+
+Original state:
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \--------------\ \-------------\ \-------------\|
+ V V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ ref 0 1 2 4
+
+After commit 0e456dba86c7 ("block, bfq: choose the last bfqq from merge
+chain in bfq_setup_cooperator()"), if P1 issues a new IO:
+
+Without the patch:
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \------------------------------\ \-------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ ref 0 0 2 4
+
+bfqq3 will be used to handle IO from P1, this is not expected, IO
+should be redirected to bfqq4;
+
+With the patch:
+
+ -------------------------------------------
+ | |
+ Process 1 Process 2 Process 3 | Process 4
+ (BIC1) (BIC2) (BIC3) | (BIC4)
+ | | | |
+ \-------------\ \-------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ ref 0 0 2 4
+
+IO is redirected to bfqq4, however, procress reference of bfqq3 is still
+2, while there is only P2 using it.
+
+Fix the problem by calling bfq_merge_bfqqs() for each bfqq in the merge
+chain. Also change bfqq_merge_bfqqs() to return new_bfqq to simplify
+code.
+
+Fixes: 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240909134154.954924-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 37 +++++++++++++++++--------------------
+ 1 file changed, 17 insertions(+), 20 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 2423e25fc23ae..05372a78cd516 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -3129,10 +3129,12 @@ void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq)
+ bfq_put_queue(bfqq);
+ }
+
+-static void
+-bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic,
+- struct bfq_queue *bfqq, struct bfq_queue *new_bfqq)
++static struct bfq_queue *bfq_merge_bfqqs(struct bfq_data *bfqd,
++ struct bfq_io_cq *bic,
++ struct bfq_queue *bfqq)
+ {
++ struct bfq_queue *new_bfqq = bfqq->new_bfqq;
++
+ bfq_log_bfqq(bfqd, bfqq, "merging with queue %lu",
+ (unsigned long)new_bfqq->pid);
+ /* Save weight raising and idle window of the merged queues */
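Review bot: bfq_merge_bfqqs() now takes its target from `bfqq->new_bfqq` and dereferences it at once in the `bfq_log_bfqq()` call (`new_bfqq->pid`), with no check that the field is set. The new `while (bfqq != new_bfqq)` loops in the bfq_allow_bio_merge() and __bfq_insert_request() hunks terminate only if every queue they visit links on towards `new_bfqq`, and a NULL link would be dereferenced on the next call. Whether the callers guarantee that is not visible here, so the precondition should at least be written down above the function, for example `/* bfqq->new_bfqq must be set; returns that queue after moving bic and the process reference to it */`. The function body continues outside the hunk.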
+@@ -3226,6 +3228,8 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic,
+ bfq_reassign_last_bfqq(bfqq, new_bfqq);
+
+ bfq_release_process_ref(bfqd, bfqq);
++
++ return new_bfqq;
+ }
+
+ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq,
+@@ -3261,14 +3265,8 @@ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq,
+ * fulfilled, i.e., bic can be redirected to new_bfqq
+ * and bfqq can be put.
+ */
+- bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq,
+- new_bfqq);
+- /*
+- * If we get here, bio will be queued into new_queue,
+- * so use new_bfqq to decide whether bio and rq can be
+- * merged.
+- */
+- bfqq = new_bfqq;
++ while (bfqq != new_bfqq)
++ bfqq = bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq);
+
+ /*
+ * Change also bqfd->bio_bfqq, as
+@@ -5703,9 +5701,7 @@ bfq_do_early_stable_merge(struct bfq_data *bfqd, struct bfq_queue *bfqq,
+ * state before killing it.
+ */
+ bfqq->bic = bic;
+- bfq_merge_bfqqs(bfqd, bic, bfqq, new_bfqq);
+-
+- return new_bfqq;
++ return bfq_merge_bfqqs(bfqd, bic, bfqq);
+ }
+
+ /*
+@@ -6160,6 +6156,7 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq)
+ bool waiting, idle_timer_disabled = false;
+
+ if (new_bfqq) {
++ struct bfq_queue *old_bfqq = bfqq;
+ /*
+ * Release the request's reference to the old bfqq
+ * and make sure one is taken to the shared queue.
+@@ -6176,18 +6173,18 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq)
+ * new_bfqq.
+ */
+ if (bic_to_bfqq(RQ_BIC(rq), true,
+- bfq_actuator_index(bfqd, rq->bio)) == bfqq)
+- bfq_merge_bfqqs(bfqd, RQ_BIC(rq),
+- bfqq, new_bfqq);
++ bfq_actuator_index(bfqd, rq->bio)) == bfqq) {
++ while (bfqq != new_bfqq)
++ bfqq = bfq_merge_bfqqs(bfqd, RQ_BIC(rq), bfqq);
++ }
+
+- bfq_clear_bfqq_just_created(bfqq);
++ bfq_clear_bfqq_just_created(old_bfqq);
+ /*
+ * rq is about to be enqueued into new_bfqq,
+ * release rq reference on bfqq
+ */
+- bfq_put_queue(bfqq);
++ bfq_put_queue(old_bfqq);
+ rq->elv.priv[1] = new_bfqq;
+- bfqq = new_bfqq;
+ }
+
+ bfq_update_io_thinktime(bfqd, bfqq);
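Review bot: After this hunk `bfqq` is advanced to `new_bfqq` only inside the `bic_to_bfqq(...) == bfqq` branch, because the unconditional `bfqq = new_bfqq;` is removed. When that comparison fails, `bfq_update_io_thinktime(bfqd, bfqq)` on the last line of the hunk runs on the old queue after `bfq_put_queue(old_bfqq)` has dropped the request's reference to it, while the request itself now points at `new_bfqq`. Whether another reference keeps the old queue alive is not visible here, so I would keep `bfqq = new_bfqq;` after `rq->elv.priv[1] = new_bfqq;`. __bfq_insert_request() continues outside the hunk.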
+--
+2.43.0
+
--- /dev/null
+From 23f8a317d8916d612569e770c9f1f87e65650761 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 21:41:48 +0800
+Subject: block, bfq: fix uaf for accessing waker_bfqq after splitting
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 1ba0403ac6447f2d63914fb760c44a3b19c44eaf ]
+
+After commit 42c306ed7233 ("block, bfq: don't break merge chain in
+bfq_split_bfqq()"), if the current procress is the last holder of bfqq,
+the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and
+then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq
+may in the merge chain of bfqq, hence just recored waker_bfqq is still
+not safe.
+
+Fix the problem by adding a helper bfq_waker_bfqq() to check if
+bfqq->waker_bfqq is in the merge chain, and current procress is the only
+holder.
+
+Fixes: 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240909134154.954924-2-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 31 ++++++++++++++++++++++++++++---
+ 1 file changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 2b6fff39b9f4b..2423e25fc23ae 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6823,6 +6823,31 @@ static void bfq_prepare_request(struct request *rq)
+ rq->elv.priv[0] = rq->elv.priv[1] = NULL;
+ }
+
++static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq)
++{
++ struct bfq_queue *new_bfqq = bfqq->new_bfqq;
++ struct bfq_queue *waker_bfqq = bfqq->waker_bfqq;
++
++ if (!waker_bfqq)
++ return NULL;
++
++ while (new_bfqq) {
++ if (new_bfqq == waker_bfqq) {
++ /*
++ * If waker_bfqq is in the merge chain, and current
++ * is the only procress.
++ */
++ if (bfqq_process_refs(waker_bfqq) == 1)
++ return NULL;
++ break;
++ }
++
++ new_bfqq = new_bfqq->new_bfqq;
++ }
++
++ return waker_bfqq;
++}
++
+ /*
+ * If needed, init rq, allocate bfq data structures associated with
+ * rq, and increment reference counters in the destination bfq_queue
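Review bot: The new helper bfq_waker_bfqq() has no header comment, and its only inline comment ("If waker_bfqq is in the merge chain, and current is the only procress.") is an unfinished sentence that does not say why NULL is returned. Suggest a short block comment above the function stating that it must be called before bfq_split_bfqq(), that it returns NULL when the waker is in bfqq's merge chain with a single process reference (the commit message says the split may then free it), and that the helper takes no reference on the pointer it returns. The later bfq_init_rq() hunk tests the local `waker_bfqq` but then adds to `&bfqq->waker_bfqq->woken_list`; writing `&waker_bfqq->woken_list` there would make it plain that both are the same saved value.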
+@@ -6884,7 +6909,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ /* If the queue was seeky for too long, break it apart. */
+ if (bfq_bfqq_coop(bfqq) && bfq_bfqq_split_coop(bfqq) &&
+ !bic->bfqq_data[a_idx].stably_merged) {
+- struct bfq_queue *old_bfqq = bfqq;
++ struct bfq_queue *waker_bfqq = bfq_waker_bfqq(bfqq);
+
+ /* Update bic before losing reference to bfqq */
+ if (bfq_bfqq_in_large_burst(bfqq))
+@@ -6904,7 +6929,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ bfqq_already_existing = true;
+
+ if (!bfqq_already_existing) {
+- bfqq->waker_bfqq = old_bfqq->waker_bfqq;
++ bfqq->waker_bfqq = waker_bfqq;
+ bfqq->tentative_waker_bfqq = NULL;
+
+ /*
+@@ -6914,7 +6939,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ * woken_list of the waker. See
+ * bfq_check_waker for details.
+ */
+- if (bfqq->waker_bfqq)
++ if (waker_bfqq)
+ hlist_add_head(&bfqq->woken_list_node,
+ &bfqq->waker_bfqq->woken_list);
+ }
+--
+2.43.0
+
--- /dev/null
+From ed71b3f1472adcb52de8ed9e579ff9f0860a5e18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 18:59:54 +0530
+Subject: block: fix potential invalid pointer dereference in blk_add_partition
+
+From: Riyan Dhiman <riyandhiman14@gmail.com>
+
+[ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ]
+
+The blk_add_partition() function initially used a single if-condition
+(IS_ERR(part)) to check for errors when adding a partition. This was
+modified to handle the specific case of -ENXIO separately, allowing the
+function to proceed without logging the error in this case. However,
+this change unintentionally left a path where md_autodetect_dev()
+could be called without confirming that part is a valid pointer.
+
+This commit separates the error handling logic by splitting the
+initial if-condition, improving code readability and handling specific
+error scenarios explicitly. The function now distinguishes the general
+error case from -ENXIO without altering the existing behavior of
+md_autodetect_dev() calls.
+
+Fixes: b72053072c0b (block: allow partitions on host aware zone devices)
+Signed-off-by: Riyan Dhiman <riyandhiman14@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/partitions/core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/block/partitions/core.c b/block/partitions/core.c
+index ab76e64f0f6c3..5bd7a603092ea 100644
+--- a/block/partitions/core.c
++++ b/block/partitions/core.c
+@@ -555,9 +555,11 @@ static bool blk_add_partition(struct gendisk *disk,
+
+ part = add_partition(disk, p, from, size, state->parts[p].flags,
+ &state->parts[p].info);
+- if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) {
+- printk(KERN_ERR " %s: p%d could not be added: %pe\n",
+- disk->disk_name, p, part);
++ if (IS_ERR(part)) {
++ if (PTR_ERR(part) != -ENXIO) {
++ printk(KERN_ERR " %s: p%d could not be added: %pe\n",
++ disk->disk_name, p, part);
++ }
+ return true;
+ }
+
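Review bot: The `-ENXIO` case now returns without logging, but nothing in the new block says why that one error is silent or that the early `return true` is what keeps an error pointer away from the code that follows. A comment on the inner test such as `/* -ENXIO is not logged, but part is still an ERR_PTR: return before it is used */` would stop the two conditions from being folded back into one. The commit message names md_autodetect_dev() as the later user of `part`; that call is outside this hunk.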
+--
+2.43.0
+
--- /dev/null
+From 3735ba98a60bd1703c521455653dbff8f52563e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 16:51:52 -0400
+Subject: Bluetooth: btusb: Fix not handling ZPL/short-transfer
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 7b05933340f4490ef5b09e84d644d12484b05fdf ]
+
+Requesting transfers of the exact same size of wMaxPacketSize may result
+in ZPL/short-transfer since the USB stack cannot handle it as we are
+limiting the buffer size to be the same as wMaxPacketSize.
+
+Also, in terms of throughput this change has the same effect to
+interrupt endpoint as 290ba200815f "Bluetooth: Improve USB driver throughput
+by increasing the frame size" had for the bulk endpoint, so users of the
+advertisement bearer (e.g. BT Mesh) may benefit from this change.
+
+Fixes: 5e23b923da03 ("[Bluetooth] Add generic driver for Bluetooth USB devices")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 0927f51867c26..c41b86608ba86 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1393,7 +1393,10 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
+ if (!urb)
+ return -ENOMEM;
+
+- size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
++ /* Use maximum HCI Event size so the USB stack handles
++ * ZPL/short-transfer automatically.
++ */
++ size = HCI_MAX_EVENT_SIZE;
+
+ buf = kmalloc(size, mem_flags);
+ if (!buf) {
+--
+2.43.0
+
--- /dev/null
+From 8d38b9697b282405bd79b9785fa96edf188a6f36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 17:29:27 -0400
+Subject: Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit d47da6bd4cfa982fe903f33423b9e2ec541e9496 ]
+
+If HCI_CONN_MGMT_CONNECTED has been set then the event shall be
+HCI_CONN_MGMT_DISCONNECTED.
+
+Fixes: b644ba336997 ("Bluetooth: Update device_connected and device_found events to latest API")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 4 ++--
+ net/bluetooth/hci_conn.c | 6 ++----
+ net/bluetooth/mgmt.c | 13 +++++++++----
+ 3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index ecb6824e9add8..9cfd1ce0fd36c 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -2258,8 +2258,8 @@ void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ bool mgmt_connected);
+ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ u8 link_type, u8 addr_type, u8 status);
+-void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
+- u8 addr_type, u8 status);
++void mgmt_connect_failed(struct hci_dev *hdev, struct hci_conn *conn,
++ u8 status);
+ void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure);
+ void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ u8 status);
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3c74d171085de..bfa773730f3bd 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -107,8 +107,7 @@ void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
+ * where a timeout + cancel does indicate an actual failure.
+ */
+ if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
+- mgmt_connect_failed(hdev, &conn->dst, conn->type,
+- conn->dst_type, status);
++ mgmt_connect_failed(hdev, conn, status);
+
+ /* The connection attempt was doing scan for new RPA, and is
+ * in scan phase. If params are not associated with any other
+@@ -1251,8 +1250,7 @@ void hci_conn_failed(struct hci_conn *conn, u8 status)
+ hci_le_conn_failed(conn, status);
+ break;
+ case ACL_LINK:
+- mgmt_connect_failed(hdev, &conn->dst, conn->type,
+- conn->dst_type, status);
++ mgmt_connect_failed(hdev, conn, status);
+ break;
+ }
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index ba28907afb3fa..c383eb44d516b 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -9734,13 +9734,18 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ mgmt_pending_remove(cmd);
+ }
+
+-void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
+- u8 addr_type, u8 status)
++void mgmt_connect_failed(struct hci_dev *hdev, struct hci_conn *conn, u8 status)
+ {
+ struct mgmt_ev_connect_failed ev;
+
+- bacpy(&ev.addr.bdaddr, bdaddr);
+- ev.addr.type = link_to_bdaddr(link_type, addr_type);
++ if (test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
++ mgmt_device_disconnected(hdev, &conn->dst, conn->type,
++ conn->dst_type, status, true);
++ return;
++ }
++
++ bacpy(&ev.addr.bdaddr, &conn->dst);
++ ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
+ ev.status = mgmt_status(status);
+
+ mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
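Review bot: In the new early-return branch the HCI `status` is handed to mgmt_device_disconnected() unchanged, whereas the MGMT_EV_CONNECT_FAILED path a few lines below converts it with `mgmt_status(status)`. The prototype of mgmt_device_disconnected() is only partly visible in the hci_core.h hunk, so what that argument is expected to hold cannot be confirmed from here. If it is a management-level disconnect reason rather than an HCI error code, userspace will receive a value from the wrong namespace. Please either map the value before the call or state the intent with a comment such as `/* status is forwarded as the disconnect reason on purpose */`.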
+--
+2.43.0
+
--- /dev/null
+From 9c3c812608759023a77e84fb1d578517a0533faa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 12:05:00 -0700
+Subject: Bluetooth: hci_sync: Ignore errors from HCI_OP_REMOTE_NAME_REQ_CANCEL
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit cfbfeee61582e638770a1a10deef866c9adb38f5 ]
+
+This ignores errors from HCI_OP_REMOTE_NAME_REQ_CANCEL since it
+shouldn't interfere with the stopping of discovery and in certain
+conditions it seems to be failing.
+
+Link: https://github.com/bluez/bluez/issues/575
+Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index f4a54dbc07f19..86fee9d6c1424 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -5331,7 +5331,10 @@ int hci_stop_discovery_sync(struct hci_dev *hdev)
+ if (!e)
+ return 0;
+
+- return hci_remote_name_cancel_sync(hdev, &e->data.bdaddr);
++ /* Ignore cancel errors since it should interfere with stopping
++ * of the discovery.
++ */
++ hci_remote_name_cancel_sync(hdev, &e->data.bdaddr);
+ }
+
+ return 0;
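Review bot: The added comment reads "Ignore cancel errors since it should interfere with stopping of the discovery", which says the opposite of the commit message ("it shouldn't interfere"). It should be `/* Ignore cancel errors since they shouldn't interfere with stopping of the discovery. */`. Because the return value of hci_remote_name_cancel_sync() is now dropped on purpose, a debug-level log of a non-zero result would keep the failure visible to anyone following up on the linked issue. hci_stop_discovery_sync() starts outside the hunk.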
+--
+2.43.0
+
--- /dev/null
+From 3033ddb70d07e77f3cd3f0950866182b22788113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 14:06:02 +0000
+Subject: bonding: Fix unnecessary warnings and logs from
+ bond_xdp_get_xmit_slave()
+
+From: Jiwon Kim <jiwonaid0@gmail.com>
+
+[ Upstream commit 0cbfd45fbcf0cb26d85c981b91c62fe73cdee01c ]
+
+syzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce
+this[1], one bond device (bond1) has xdpdrv, which increases
+bpf_master_redirect_enabled_key. Another bond device (bond0) which is
+unsupported by XDP but its slave (veth3) has xdpgeneric that returns
+XDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect().
+To reduce unnecessary warnings and improve log management, we need to
+delete the WARN_ON_ONCE() and add ratelimit to the netdev_err().
+
+[1] Steps to reproduce:
+ # Needs tx_xdp with return XDP_TX;
+ ip l add veth0 type veth peer veth1
+ ip l add veth3 type veth peer veth4
+ ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP
+ ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default
+ ip l set veth0 master bond1
+ ip l set bond1 up
+ # Increases bpf_master_redirect_enabled_key
+ ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx
+ ip l set veth3 master bond0
+ ip l set bond0 up
+ ip l set veth4 up
+ # Triggers WARN_ON_ONCE() from the xdp_master_redirect()
+ ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx
+
+Reported-by: syzbot+c187823a52ed505b2257@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c187823a52ed505b2257
+Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver")
+Signed-off-by: Jiwon Kim <jiwonaid0@gmail.com>
+Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20240918140602.18644-1-jiwonaid0@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 60db34095a255..3c61f5fbe6b7f 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -5536,9 +5536,9 @@ bond_xdp_get_xmit_slave(struct net_device *bond_dev, struct xdp_buff *xdp)
+ break;
+
+ default:
+- /* Should never happen. Mode guarded by bond_xdp_check() */
+- netdev_err(bond_dev, "Unknown bonding mode %d for xdp xmit\n", BOND_MODE(bond));
+- WARN_ON_ONCE(1);
++ if (net_ratelimit())
++ netdev_err(bond_dev, "Unknown bonding mode %d for xdp xmit\n",
++ BOND_MODE(bond));
+ return NULL;
+ }
+
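Review bot: The `default:` branch of bond_xdp_get_xmit_slave() loses its `/* Should never happen ... */` comment with nothing in its place, although the commit message shows the branch can be reached when a slave of a bond in an XDP-unsupported mode returns XDP_TX. A replacement such as `/* Reachable via xdp_master_redirect() when the bond mode has no XDP support */` would record why the warning was dropped. Because `net_ratelimit()` draws on a limiter shared with other networking messages, a trigger that fires per packet could also use up their budget; `netdev_err_once()` may be enough if one report per boot suffices. The function body starts and continues outside the hunk.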
+--
+2.43.0
+
--- /dev/null
+From 8bb3ae11f45200ef32349a5c7a18cda8fad3cda2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jul 2024 20:39:01 +0800
+Subject: bpf, arm64: Fix tailcall hierarchy
+
+From: Leon Hwang <hffilwlqm@gmail.com>
+
+[ Upstream commit 66ff4d61dc124eafe9efaeaef696a09b7f236da2 ]
+
+This patch fixes a tailcall issue caused by abusing the tailcall in
+bpf2bpf feature on arm64 like the way of "bpf, x64: Fix tailcall
+hierarchy".
+
+On arm64, when a tail call happens, it uses tail_call_cnt_ptr to
+increment tail_call_cnt, too.
+
+At the prologue of main prog, it has to initialize tail_call_cnt and
+prepare tail_call_cnt_ptr.
+
+At the prologue of subprog, it pushes x26 register twice, and does not
+initialize tail_call_cnt.
+
+At the epilogue, it pops x26 twice, no matter whether it is main prog or
+subprog.
+
+Fixes: d4609a5d8c70 ("bpf, arm64: Keep tail call count across bpf2bpf calls")
+Acked-by: Puranjay Mohan <puranjay@kernel.org>
+Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
+Link: https://lore.kernel.org/r/20240714123902.32305-3-hffilwlqm@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/net/bpf_jit_comp.c | 57 +++++++++++++++++++++++++----------
+ 1 file changed, 41 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index 1bf483ec971d9..c4190865f2433 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -26,7 +26,7 @@
+
+ #define TMP_REG_1 (MAX_BPF_JIT_REG + 0)
+ #define TMP_REG_2 (MAX_BPF_JIT_REG + 1)
+-#define TCALL_CNT (MAX_BPF_JIT_REG + 2)
++#define TCCNT_PTR (MAX_BPF_JIT_REG + 2)
+ #define TMP_REG_3 (MAX_BPF_JIT_REG + 3)
+ #define FP_BOTTOM (MAX_BPF_JIT_REG + 4)
+ #define ARENA_VM_START (MAX_BPF_JIT_REG + 5)
+@@ -63,8 +63,8 @@ static const int bpf2a64[] = {
+ [TMP_REG_1] = A64_R(10),
+ [TMP_REG_2] = A64_R(11),
+ [TMP_REG_3] = A64_R(12),
+- /* tail_call_cnt */
+- [TCALL_CNT] = A64_R(26),
++ /* tail_call_cnt_ptr */
++ [TCCNT_PTR] = A64_R(26),
+ /* temporary register for blinding constants */
+ [BPF_REG_AX] = A64_R(9),
+ [FP_BOTTOM] = A64_R(27),
+@@ -282,13 +282,35 @@ static bool is_lsi_offset(int offset, int scale)
+ * mov x29, sp
+ * stp x19, x20, [sp, #-16]!
+ * stp x21, x22, [sp, #-16]!
+- * stp x25, x26, [sp, #-16]!
++ * stp x26, x25, [sp, #-16]!
++ * stp x26, x25, [sp, #-16]!
+ * stp x27, x28, [sp, #-16]!
+ * mov x25, sp
+ * mov tcc, #0
+ * // PROLOGUE_OFFSET
+ */
+
++static void prepare_bpf_tail_call_cnt(struct jit_ctx *ctx)
++{
++ const struct bpf_prog *prog = ctx->prog;
++ const bool is_main_prog = !bpf_is_subprog(prog);
++ const u8 ptr = bpf2a64[TCCNT_PTR];
++ const u8 fp = bpf2a64[BPF_REG_FP];
++ const u8 tcc = ptr;
++
++ emit(A64_PUSH(ptr, fp, A64_SP), ctx);
++ if (is_main_prog) {
++ /* Initialize tail_call_cnt. */
++ emit(A64_MOVZ(1, tcc, 0, 0), ctx);
++ emit(A64_PUSH(tcc, fp, A64_SP), ctx);
++ emit(A64_MOV(1, ptr, A64_SP), ctx);
++ } else {
++ emit(A64_PUSH(ptr, fp, A64_SP), ctx);
++ emit(A64_NOP, ctx);
++ emit(A64_NOP, ctx);
++ }
++}
++
+ #define BTI_INSNS (IS_ENABLED(CONFIG_ARM64_BTI_KERNEL) ? 1 : 0)
+ #define PAC_INSNS (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL) ? 1 : 0)
+
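Review bot: The prologue listing in the comment above prepare_bpf_tail_call_cnt() no longer matches what the helper emits: for the main program the sequence is push, `mov x26, #0`, push, `mov x26, sp`, yet the listing shows two plain `stp x26, x25` lines and still ends with `mov tcc, #0` after `mov x25, sp`. Updating the listing, and noting that subprograms push x26 twice without initialising the count, would keep it usable as a reference. The two `A64_NOP`s in the `else` branch also deserve a comment, e.g. `/* pad so main prog and subprog prologues have equal length */`, since PROLOGUE_OFFSET (raised from 8 to 10 in the next hunk) appears to depend on that instruction count.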
+@@ -296,7 +318,7 @@ static bool is_lsi_offset(int offset, int scale)
+ #define POKE_OFFSET (BTI_INSNS + 1)
+
+ /* Tail call offset to jump into */
+-#define PROLOGUE_OFFSET (BTI_INSNS + 2 + PAC_INSNS + 8)
++#define PROLOGUE_OFFSET (BTI_INSNS + 2 + PAC_INSNS + 10)
+
+ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,
+ bool is_exception_cb, u64 arena_vm_start)
+@@ -308,7 +330,6 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,
+ const u8 r8 = bpf2a64[BPF_REG_8];
+ const u8 r9 = bpf2a64[BPF_REG_9];
+ const u8 fp = bpf2a64[BPF_REG_FP];
+- const u8 tcc = bpf2a64[TCALL_CNT];
+ const u8 fpb = bpf2a64[FP_BOTTOM];
+ const u8 arena_vm_base = bpf2a64[ARENA_VM_START];
+ const int idx0 = ctx->idx;
+@@ -359,7 +380,7 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,
+ /* Save callee-saved registers */
+ emit(A64_PUSH(r6, r7, A64_SP), ctx);
+ emit(A64_PUSH(r8, r9, A64_SP), ctx);
+- emit(A64_PUSH(fp, tcc, A64_SP), ctx);
++ prepare_bpf_tail_call_cnt(ctx);
+ emit(A64_PUSH(fpb, A64_R(28), A64_SP), ctx);
+ } else {
+ /*
+@@ -372,18 +393,15 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,
+ * callee-saved registers. The exception callback will not push
+ * anything and re-use the main program's stack.
+ *
+- * 10 registers are on the stack
++ * 12 registers are on the stack
+ */
+- emit(A64_SUB_I(1, A64_SP, A64_FP, 80), ctx);
++ emit(A64_SUB_I(1, A64_SP, A64_FP, 96), ctx);
+ }
+
+ /* Set up BPF prog stack base register */
+ emit(A64_MOV(1, fp, A64_SP), ctx);
+
+ if (!ebpf_from_cbpf && is_main_prog) {
+- /* Initialize tail_call_cnt */
+- emit(A64_MOVZ(1, tcc, 0, 0), ctx);
+-
+ cur_offset = ctx->idx - idx0;
+ if (cur_offset != PROLOGUE_OFFSET) {
+ pr_err_once("PROLOGUE_OFFSET = %d, expected %d!\n",
+@@ -432,7 +450,8 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+
+ const u8 tmp = bpf2a64[TMP_REG_1];
+ const u8 prg = bpf2a64[TMP_REG_2];
+- const u8 tcc = bpf2a64[TCALL_CNT];
++ const u8 tcc = bpf2a64[TMP_REG_3];
++ const u8 ptr = bpf2a64[TCCNT_PTR];
+ const int idx0 = ctx->idx;
+ #define cur_offset (ctx->idx - idx0)
+ #define jmp_offset (out_offset - (cur_offset))
+@@ -449,11 +468,12 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+ emit(A64_B_(A64_COND_CS, jmp_offset), ctx);
+
+ /*
+- * if (tail_call_cnt >= MAX_TAIL_CALL_CNT)
++ * if ((*tail_call_cnt_ptr) >= MAX_TAIL_CALL_CNT)
+ * goto out;
+- * tail_call_cnt++;
++ * (*tail_call_cnt_ptr)++;
+ */
+ emit_a64_mov_i64(tmp, MAX_TAIL_CALL_CNT, ctx);
++ emit(A64_LDR64I(tcc, ptr, 0), ctx);
+ emit(A64_CMP(1, tcc, tmp), ctx);
+ emit(A64_B_(A64_COND_CS, jmp_offset), ctx);
+ emit(A64_ADD_I(1, tcc, tcc, 1), ctx);
+@@ -469,6 +489,9 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+ emit(A64_LDR64(prg, tmp, prg), ctx);
+ emit(A64_CBZ(1, prg, jmp_offset), ctx);
+
++ /* Update tail_call_cnt if the slot is populated. */
++ emit(A64_STR64I(tcc, ptr, 0), ctx);
++
+ /* goto *(prog->bpf_func + prologue_offset); */
+ off = offsetof(struct bpf_prog, bpf_func);
+ emit_a64_mov_i64(tmp, off, ctx);
+@@ -721,6 +744,7 @@ static void build_epilogue(struct jit_ctx *ctx, bool is_exception_cb)
+ const u8 r8 = bpf2a64[BPF_REG_8];
+ const u8 r9 = bpf2a64[BPF_REG_9];
+ const u8 fp = bpf2a64[BPF_REG_FP];
++ const u8 ptr = bpf2a64[TCCNT_PTR];
+ const u8 fpb = bpf2a64[FP_BOTTOM];
+
+ /* We're done with BPF stack */
+@@ -738,7 +762,8 @@ static void build_epilogue(struct jit_ctx *ctx, bool is_exception_cb)
+ /* Restore x27 and x28 */
+ emit(A64_POP(fpb, A64_R(28), A64_SP), ctx);
+ /* Restore fs (x25) and x26 */
+- emit(A64_POP(fp, A64_R(26), A64_SP), ctx);
++ emit(A64_POP(ptr, fp, A64_SP), ctx);
++ emit(A64_POP(ptr, fp, A64_SP), ctx);
+
+ /* Restore callee-saved register */
+ emit(A64_POP(r8, r9, A64_SP), ctx);
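Review bot: The two identical `A64_POP(ptr, fp, A64_SP)` calls in build_epilogue() read like an accidental duplicate, and the comment above them still describes a single restore. Going by the prologue helper added earlier in this patch, the first pop discards the slot pushed second (the tail_call_cnt slot in the main program) and the second restores the caller's x26 and x25. A comment saying so, for example `/* drop tail_call_cnt slot (or the duplicate push in subprogs), then restore x26/x25 */`, would make that explicit. The function begins and ends outside the hunk.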
+--
+2.43.0
+
--- /dev/null
+From b7fbfd08785e640d053c77fdf7864051d926cd97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 01:01:23 -0700
+Subject: bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 3d2786d65aaa954ebd3fcc033ada433e10da21c4 ]
+
+In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL
+referencing a non-existing BTF type, function bpf_core_calc_relo_insn
+would cause a null pointer deference.
+
+Fix this by adding a proper check upper in call stack, as malformed
+relocation records could be passed from user space.
+
+Simplest reproducer is a program:
+
+ r0 = 0
+ exit
+
+With a single relocation record:
+
+ .insn_off = 0, /* patch first instruction */
+ .type_id = 100500, /* this type id does not exist */
+ .access_str_off = 6, /* offset of string "0" */
+ .kind = BPF_CORE_TYPE_ID_LOCAL,
+
+See the link for original reproducer or next commit for a test case.
+
+Fixes: 74753e1462e7 ("libbpf: Replace btf__type_by_id() with btf_type_by_id().")
+Reported-by: Liu RuiTong <cnitlrt@gmail.com>
+Closes: https://lore.kernel.org/bpf/CAK55_s6do7C+DVwbwY_7nKfUz0YLDoiA1v6X3Y9+p0sWzipFSA@mail.gmail.com/
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240822080124.2995724-2-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 49aba8e507996..96e8596a76cea 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -8718,6 +8718,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
+ struct bpf_core_cand_list cands = {};
+ struct bpf_core_relo_res targ_res;
+ struct bpf_core_spec *specs;
++ const struct btf_type *type;
+ int err;
+
+ /* ~4k of temp memory necessary to convert LLVM spec like "0:1:0:5"
+@@ -8727,6 +8728,13 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
+ if (!specs)
+ return -ENOMEM;
+
++ type = btf_type_by_id(ctx->btf, relo->type_id);
++ if (!type) {
++ bpf_log(ctx->log, "relo #%u: bad type id %u\n",
++ relo_idx, relo->type_id);
++ return -EINVAL;
++ }
++
+ if (need_cands) {
+ struct bpf_cand_cache *cc;
+ int i;
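Review bot: The new `return -EINVAL;` for a bad type id sits after the `if (!specs) return -ENOMEM;` check, so the temporary `specs` buffer obtained just above the hunk does not appear to be released on this path. The commit message notes that malformed relocation records can come from user space, which would make the leak repeatable. Moving the `btf_type_by_id()` lookup and its check ahead of the allocation avoids the problem without adding a cleanup call. The allocation itself and the function's existing exit path are outside the hunk, so this should be confirmed against the full body.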
+--
+2.43.0
+
--- /dev/null
+From 76ae65b5bae553365880e0a356a66786c681d3b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 08:34:39 -0700
+Subject: bpf: Fail verification for sign-extension of packet
+ data/data_end/data_meta
+
+From: Yonghong Song <yonghong.song@linux.dev>
+
+[ Upstream commit 92de36080c93296ef9005690705cba260b9bd68a ]
+
+syzbot reported a kernel crash due to
+ commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses").
+The reason is due to sign-extension of 32-bit load for
+packet data/data_end/data_meta uapi field.
+
+The original code looks like:
+ r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
+ r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */
+ r0 = r2
+ r0 += 8
+ if r3 > r0 goto +1
+ ...
+Note that __sk_buff->data load has 32-bit sign extension.
+
+After verification and convert_ctx_accesses(), the final asm code looks like:
+ r2 = *(u64 *)(r1 +208)
+ r2 = (s32)r2
+ r3 = *(u64 *)(r1 +80)
+ r0 = r2
+ r0 += 8
+ if r3 > r0 goto pc+1
+ ...
+Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid
+which may cause runtime failure.
+
+Currently, in C code, typically we have
+ void *data = (void *)(long)skb->data;
+ void *data_end = (void *)(long)skb->data_end;
+ ...
+and it will generate
+ r2 = *(u64 *)(r1 +208)
+ r3 = *(u64 *)(r1 +80)
+ r0 = r2
+ r0 += 8
+ if r3 > r0 goto pc+1
+
+If we allow sign-extension,
+ void *data = (void *)(long)(int)skb->data;
+ void *data_end = (void *)(long)skb->data_end;
+ ...
+the generated code looks like
+ r2 = *(u64 *)(r1 +208)
+ r2 <<= 32
+ r2 s>>= 32
+ r3 = *(u64 *)(r1 +80)
+ r0 = r2
+ r0 += 8
+ if r3 > r0 goto pc+1
+and this will cause verification failure since "r2 <<= 32" is not allowed
+as "r2" is a packet pointer.
+
+To fix this issue for case
+ r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
+this patch added additional checking in is_valid_access() callback
+function for packet data/data_end/data_meta access. If those accesses
+are with sign-extenstion, the verification will fail.
+
+ [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/
+
+Reported-by: syzbot+ad9ec60c8eaf69e6f99c@syzkaller.appspotmail.com
+Fixes: 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses")
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20240723153439.2429035-1-yonghong.song@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 1 +
+ kernel/bpf/verifier.c | 5 +++--
+ net/core/filter.c | 21 ++++++++++++++++-----
+ 3 files changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 42b998518038a..b13af44f20ada 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -919,6 +919,7 @@ static_assert(__BPF_REG_TYPE_MAX <= BPF_BASE_TYPE_LIMIT);
+ */
+ struct bpf_insn_access_aux {
+ enum bpf_reg_type reg_type;
++ bool is_ldsx;
+ union {
+ int ctx_field_size;
+ struct {
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 203ce12e687d2..ed612052fc7ac 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5594,12 +5594,13 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
+ /* check access to 'struct bpf_context' fields. Supports fixed offsets only */
+ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,
+ enum bpf_access_type t, enum bpf_reg_type *reg_type,
+- struct btf **btf, u32 *btf_id, bool *is_retval)
++ struct btf **btf, u32 *btf_id, bool *is_retval, bool is_ldsx)
+ {
+ struct bpf_insn_access_aux info = {
+ .reg_type = *reg_type,
+ .log = &env->log,
+ .is_retval = false,
++ .is_ldsx = is_ldsx,
+ };
+
+ if (env->ops->is_valid_access &&
+@@ -6913,7 +6914,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ return err;
+
+ err = check_ctx_access(env, insn_idx, off, size, t, ®_type, &btf,
+- &btf_id, &is_retval);
++ &btf_id, &is_retval, is_ldsx);
+ if (err)
+ verbose_linfo(env, insn_idx, "; ");
+ if (!err && t == BPF_READ && value_regno >= 0) {
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 55b1d9de2334d..bbcce4ddfb7bf 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8568,13 +8568,16 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
+ if (off + size > offsetofend(struct __sk_buff, cb[4]))
+ return false;
+ break;
++ case bpf_ctx_range(struct __sk_buff, data):
++ case bpf_ctx_range(struct __sk_buff, data_meta):
++ case bpf_ctx_range(struct __sk_buff, data_end):
++ if (info->is_ldsx || size != size_default)
++ return false;
++ break;
+ case bpf_ctx_range_till(struct __sk_buff, remote_ip6[0], remote_ip6[3]):
+ case bpf_ctx_range_till(struct __sk_buff, local_ip6[0], local_ip6[3]):
+ case bpf_ctx_range_till(struct __sk_buff, remote_ip4, remote_ip4):
+ case bpf_ctx_range_till(struct __sk_buff, local_ip4, local_ip4):
+- case bpf_ctx_range(struct __sk_buff, data):
+- case bpf_ctx_range(struct __sk_buff, data_meta):
+- case bpf_ctx_range(struct __sk_buff, data_end):
+ if (size != size_default)
+ return false;
+ break;
+@@ -9018,6 +9021,14 @@ static bool xdp_is_valid_access(int off, int size,
+ }
+ }
+ return false;
++ } else {
++ switch (off) {
++ case offsetof(struct xdp_md, data_meta):
++ case offsetof(struct xdp_md, data):
++ case offsetof(struct xdp_md, data_end):
++ if (info->is_ldsx)
++ return false;
++ }
+ }
+
+ switch (off) {
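Review bot: The `switch (off)` added in the new `else` branch of xdp_is_valid_access() ends its only case group without a `break;`, so control leaves the switch implicitly. Adding `break;` after `if (info->is_ldsx) return false;` would make the intent explicit and guard against a case being appended later. The bpf_skb_is_valid_access() and flow_dissector_is_valid_access() hunks pair `info->is_ldsx` with the `size != size_default` test, whereas here the size check is presumably left to the following `switch (off)`, which continues outside the hunk; a one-line comment saying so would help.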
+@@ -9343,12 +9354,12 @@ static bool flow_dissector_is_valid_access(int off, int size,
+
+ switch (off) {
+ case bpf_ctx_range(struct __sk_buff, data):
+- if (size != size_default)
++ if (info->is_ldsx || size != size_default)
+ return false;
+ info->reg_type = PTR_TO_PACKET;
+ return true;
+ case bpf_ctx_range(struct __sk_buff, data_end):
+- if (size != size_default)
++ if (info->is_ldsx || size != size_default)
+ return false;
+ info->reg_type = PTR_TO_PACKET_END;
+ return true;
+--
+2.43.0
+
--- /dev/null
+From 7aa474794e6a0278b0e1c9b5f12174b410d4dce2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 21:17:46 +0200
+Subject: bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit cfe69c50b05510b24e26ccb427c7cc70beafd6c1 ]
+
+The bpf_strtol() and bpf_strtoul() helpers are currently broken on 32bit:
+
+The argument type ARG_PTR_TO_LONG is BPF-side "long", not kernel-side "long"
+and therefore always considered fixed 64bit no matter if 64 or 32bit underlying
+architecture.
+
+This contract breaks in case of the two mentioned helpers since their BPF_CALL
+definition for the helpers was added with {unsigned,}long *res. Meaning, the
+transition from BPF-side "long" (BPF program) to kernel-side "long" (BPF helper)
+breaks here.
+
+Both helpers call __bpf_strtoll() with "long long" correctly, but later assigning
+the result into 32-bit "*(long *)" on 32bit architectures. From a BPF program
+point of view, this means upper bits will be seen as uninitialised.
+
+Therefore, fix both BPF_CALL signatures to {s,u}64 types to fix this situation.
+
+Now, changing also uapi/bpf.h helper documentation which generates bpf_helper_defs.h
+for BPF programs is tricky: Changing signatures there to __{s,u}64 would trigger
+compiler warnings (incompatible pointer types passing 'long *' to parameter of type
+'__s64 *' (aka 'long long *')) for existing BPF programs.
+
+Leaving the signatures as-is would be fine as from BPF program point of view it is
+still BPF-side "long" and thus equivalent to __{s,u}64 on 64 or 32bit underlying
+architectures.
+
+Note that bpf_strtol() and bpf_strtoul() are the only helpers with this issue.
+
+Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers")
+Reported-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/481fcec8-c12c-9abb-8ecb-76c71c009959@iogearbox.net
+Link: https://lore.kernel.org/r/20240913191754.13290-1-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 7268370600f6e..ffabd06be1240 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -517,7 +517,7 @@ static int __bpf_strtoll(const char *buf, size_t buf_len, u64 flags,
+ }
+
+ BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
+- long *, res)
++ s64 *, res)
+ {
+ long long _res;
+ int err;
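Review bot: The change of `res` from `long *` to `s64 *` in bpf_strtol() (and to `u64 *` in bpf_strtoul() in the next hunk) carries no comment, so the reason for avoiding the kernel's `long` lives only in the commit message. A short comment above each BPF_CALL_4, such as `/* res is BPF-side "long": always 64 bit, independent of the kernel's word size */`, would keep a later cleanup from reverting it. Both bodies continue outside the hunks; any range check there that still casts `_res` to `long` or `unsigned long` would keep limiting results to 32 bits on 32-bit kernels and is worth confirming.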
+@@ -542,7 +542,7 @@ const struct bpf_func_proto bpf_strtol_proto = {
+ };
+
+ BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
+- unsigned long *, res)
++ u64 *, res)
+ {
+ unsigned long long _res;
+ bool is_negative;
+--
+2.43.0
+
--- /dev/null
+From 876779ca9e296ffd63d58120c06f1a3351cc5758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 19:00:54 +0800
+Subject: bpf: Fix compare error in function retval_range_within
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 763aa759d3b2c4f95b11855e3d37b860860107e2 ]
+
+After checking lsm hook return range in verifier, the test case
+"test_progs -t test_lsm" failed, and the failure log says:
+
+libbpf: prog 'test_int_hook': BPF program load failed: Invalid argument
+libbpf: prog 'test_int_hook': -- BEGIN PROG LOAD LOG --
+0: R1=ctx() R10=fp0
+; int BPF_PROG(test_int_hook, struct vm_area_struct *vma, @ lsm.c:89
+0: (79) r0 = *(u64 *)(r1 +24) ; R0_w=scalar(smin=smin32=-4095,smax=smax32=0) R1=ctx()
+
+[...]
+
+24: (b4) w0 = -1 ; R0_w=0xffffffff
+; int BPF_PROG(test_int_hook, struct vm_area_struct *vma, @ lsm.c:89
+25: (95) exit
+At program exit the register R0 has smin=4294967295 smax=4294967295 should have been in [-4095, 0]
+
+It can be seen that instruction "w0 = -1" zero extended -1 to 64-bit
+register r0, setting both smin and smax values of r0 to 4294967295.
+This resulted in a false reject when r0 was checked with range [-4095, 0].
+
+Given bpf lsm does not return 64-bit values, this patch fixes it by changing
+the compare between r0 and return range from 64-bit operation to 32-bit
+operation for bpf lsm.
+
+Fixes: 8fa4ecd49b81 ("bpf: enforce exact retval range on subprog/callback exit")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://lore.kernel.org/r/20240719110059.797546-5-xukuohai@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index b95f7f5bd5a49..203ce12e687d2 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -9952,9 +9952,13 @@ static bool in_rbtree_lock_required_cb(struct bpf_verifier_env *env)
+ return is_rbtree_lock_required_kfunc(kfunc_btf_id);
+ }
+
+-static bool retval_range_within(struct bpf_retval_range range, const struct bpf_reg_state *reg)
++static bool retval_range_within(struct bpf_retval_range range, const struct bpf_reg_state *reg,
++ bool return_32bit)
+ {
+- return range.minval <= reg->smin_value && reg->smax_value <= range.maxval;
++ if (return_32bit)
++ return range.minval <= reg->s32_min_value && reg->s32_max_value <= range.maxval;
++ else
++ return range.minval <= reg->smin_value && reg->smax_value <= range.maxval;
+ }
+
+ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
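Review bot: The new `return_32bit` parameter of retval_range_within() is undocumented, and the `else` after a `return` is redundant. A one-line comment such as `/* return_32bit: compare the s32 bounds, for hooks whose return value is 32 bit (bpf lsm) */` plus dropping the `else` would make the helper easier to read. When the 32-bit comparison fails, the callers in the later hunks still report through verbose_invalid_scalar(), which in the log quoted in the commit message prints the 64-bit smin/smax; it may be worth checking that the message shows the bounds that were actually compared.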
+@@ -9991,8 +9995,8 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
+ if (err)
+ return err;
+
+- /* enforce R0 return value range */
+- if (!retval_range_within(callee->callback_ret_range, r0)) {
++ /* enforce R0 return value range, and bpf_callback_t returns 64bit */
++ if (!retval_range_within(callee->callback_ret_range, r0, false)) {
+ verbose_invalid_scalar(env, r0, callee->callback_ret_range,
+ "At callback return", "R0");
+ return -EINVAL;
+@@ -15613,6 +15617,7 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
+ int err;
+ struct bpf_func_state *frame = env->cur_state->frame[0];
+ const bool is_subprog = frame->subprogno;
++ bool return_32bit = false;
+
+ /* LSM and struct_ops func-ptr's return type could be "void" */
+ if (!is_subprog || frame->in_exception_callback_fn) {
+@@ -15724,6 +15729,7 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
+ /* no restricted range, any return value is allowed */
+ if (range.minval == S32_MIN && range.maxval == S32_MAX)
+ return 0;
++ return_32bit = true;
+ } else if (!env->prog->aux->attach_func_proto->type) {
+ /* Make sure programs that attach to void
+ * hooks don't try to modify return value.
+@@ -15754,7 +15760,7 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
+ if (err)
+ return err;
+
+- if (!retval_range_within(range, reg)) {
++ if (!retval_range_within(range, reg, return_32bit)) {
+ verbose_invalid_scalar(env, reg, range, exit_ctx, reg_name);
+ if (!is_subprog &&
+ prog->expected_attach_type == BPF_LSM_CGROUP &&
+--
+2.43.0
+
--- /dev/null
+From 511613d948480861737bef309ab334907eed04be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 21:17:48 +0200
+Subject: bpf: Fix helper writes to read-only maps
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 32556ce93bc45c730829083cb60f95a2728ea48b ]
+
+Lonial found an issue that despite user- and BPF-side frozen BPF map
+(like in case of .rodata), it was still possible to write into it from
+a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}
+as arguments.
+
+In check_func_arg() when the argument is as mentioned, the meta->raw_mode
+is never set. Later, check_helper_mem_access(), under the case of
+PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the
+subsequent call to check_map_access_type() and given the BPF map is
+read-only it succeeds.
+
+The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT
+when results are written into them as opposed to read out of them. The
+latter indicates that it's okay to pass a pointer to uninitialized memory
+as the memory is written to anyway.
+
+However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM
+just with additional alignment requirement. So it is better to just get
+rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the
+fixed size memory types. For this, add MEM_ALIGNED to additionally ensure
+alignment given these helpers write directly into the args via *<ptr> = val.
+The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>).
+
+MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated
+argument types, since in !MEM_FIXED_SIZE cases the verifier does not know
+the buffer size a priori and therefore cannot blindly write *<ptr> = val.
+
+Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types")
+Reported-by: Lonial Con <kongln9170@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://lore.kernel.org/r/20240913191754.13290-3-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 7 +++++--
+ kernel/bpf/helpers.c | 6 ++++--
+ kernel/bpf/syscall.c | 3 ++-
+ kernel/bpf/verifier.c | 41 +++++-----------------------------------
+ kernel/trace/bpf_trace.c | 6 ++++--
+ net/core/filter.c | 6 ++++--
+ 6 files changed, 24 insertions(+), 45 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index b13af44f20ada..5e880f0b56620 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -694,6 +694,11 @@ enum bpf_type_flag {
+ /* DYNPTR points to xdp_buff */
+ DYNPTR_TYPE_XDP = BIT(16 + BPF_BASE_TYPE_BITS),
+
++ /* Memory must be aligned on some architectures, used in combination with
++ * MEM_FIXED_SIZE.
++ */
++ MEM_ALIGNED = BIT(17 + BPF_BASE_TYPE_BITS),
++
+ __BPF_TYPE_FLAG_MAX,
+ __BPF_TYPE_LAST_FLAG = __BPF_TYPE_FLAG_MAX - 1,
+ };
+@@ -731,8 +736,6 @@ enum bpf_arg_type {
+ ARG_ANYTHING, /* any (initialized) argument is ok */
+ ARG_PTR_TO_SPIN_LOCK, /* pointer to bpf_spin_lock */
+ ARG_PTR_TO_SOCK_COMMON, /* pointer to sock_common */
+- ARG_PTR_TO_INT, /* pointer to int */
+- ARG_PTR_TO_LONG, /* pointer to long */
+ ARG_PTR_TO_SOCKET, /* pointer to bpf_sock (fullsock) */
+ ARG_PTR_TO_BTF_ID, /* pointer to in-kernel struct */
+ ARG_PTR_TO_RINGBUF_MEM, /* pointer to dynamically reserved ringbuf memory */
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index ffabd06be1240..3155ea611c94d 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -538,7 +538,8 @@ const struct bpf_func_proto bpf_strtol_proto = {
+ .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
+ .arg2_type = ARG_CONST_SIZE,
+ .arg3_type = ARG_ANYTHING,
+- .arg4_type = ARG_PTR_TO_LONG,
++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg4_size = sizeof(s64),
+ };
+
+ BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
+@@ -566,7 +567,8 @@ const struct bpf_func_proto bpf_strtoul_proto = {
+ .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
+ .arg2_type = ARG_CONST_SIZE,
+ .arg3_type = ARG_ANYTHING,
+- .arg4_type = ARG_PTR_TO_LONG,
++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg4_size = sizeof(u64),
+ };
+
+ BPF_CALL_3(bpf_strncmp, const char *, s1, u32, s1_sz, const char *, s2)
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index f45ed6adc092a..d813abc86d12e 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5930,7 +5930,8 @@ static const struct bpf_func_proto bpf_kallsyms_lookup_name_proto = {
+ .arg1_type = ARG_PTR_TO_MEM,
+ .arg2_type = ARG_CONST_SIZE_OR_ZERO,
+ .arg3_type = ARG_ANYTHING,
+- .arg4_type = ARG_PTR_TO_LONG,
++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg4_size = sizeof(u64),
+ };
+
+ static const struct bpf_func_proto *
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index ed612052fc7ac..e924e520b23ae 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8168,16 +8168,6 @@ static bool arg_type_is_dynptr(enum bpf_arg_type type)
+ return base_type(type) == ARG_PTR_TO_DYNPTR;
+ }
+
+-static int int_ptr_type_to_size(enum bpf_arg_type type)
+-{
+- if (type == ARG_PTR_TO_INT)
+- return sizeof(u32);
+- else if (type == ARG_PTR_TO_LONG)
+- return sizeof(u64);
+-
+- return -EINVAL;
+-}
+-
+ static int resolve_map_arg_type(struct bpf_verifier_env *env,
+ const struct bpf_call_arg_meta *meta,
+ enum bpf_arg_type *arg_type)
+@@ -8250,16 +8240,6 @@ static const struct bpf_reg_types mem_types = {
+ },
+ };
+
+-static const struct bpf_reg_types int_ptr_types = {
+- .types = {
+- PTR_TO_STACK,
+- PTR_TO_PACKET,
+- PTR_TO_PACKET_META,
+- PTR_TO_MAP_KEY,
+- PTR_TO_MAP_VALUE,
+- },
+-};
+-
+ static const struct bpf_reg_types spin_lock_types = {
+ .types = {
+ PTR_TO_MAP_VALUE,
+@@ -8315,8 +8295,6 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
+ [ARG_PTR_TO_SPIN_LOCK] = &spin_lock_types,
+ [ARG_PTR_TO_MEM] = &mem_types,
+ [ARG_PTR_TO_RINGBUF_MEM] = &ringbuf_mem_types,
+- [ARG_PTR_TO_INT] = &int_ptr_types,
+- [ARG_PTR_TO_LONG] = &int_ptr_types,
+ [ARG_PTR_TO_PERCPU_BTF_ID] = &percpu_btf_ptr_types,
+ [ARG_PTR_TO_FUNC] = &func_ptr_types,
+ [ARG_PTR_TO_STACK] = &stack_ptr_types,
+@@ -8877,9 +8855,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ */
+ meta->raw_mode = arg_type & MEM_UNINIT;
+ if (arg_type & MEM_FIXED_SIZE) {
+- err = check_helper_mem_access(env, regno,
+- fn->arg_size[arg], false,
+- meta);
++ err = check_helper_mem_access(env, regno, fn->arg_size[arg], false, meta);
++ if (err)
++ return err;
++ if (arg_type & MEM_ALIGNED)
++ err = check_ptr_alignment(env, reg, 0, fn->arg_size[arg], true);
+ }
+ break;
+ case ARG_CONST_SIZE:
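Review bot: `MEM_ALIGNED` is only honoured inside the `if (arg_type & MEM_FIXED_SIZE)` branch of check_func_arg(), so a helper proto that sets it without MEM_FIXED_SIZE would pass this code with no alignment check and no diagnostic. The commit message and the new bpf.h comment say the flag must be combined with MEM_FIXED_SIZE, but nothing in the visible hunks enforces that. A sanity check where helper protos are validated, or at least a comment here such as `/* MEM_ALIGNED is ignored without MEM_FIXED_SIZE */`, would keep a future proto from silently losing the check. The function starts and continues outside the hunk.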
+@@ -8904,17 +8884,6 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ if (err)
+ return err;
+ break;
+- case ARG_PTR_TO_INT:
+- case ARG_PTR_TO_LONG:
+- {
+- int size = int_ptr_type_to_size(arg_type);
+-
+- err = check_helper_mem_access(env, regno, size, false, meta);
+- if (err)
+- return err;
+- err = check_ptr_alignment(env, reg, 0, size, true);
+- break;
+- }
+ case ARG_PTR_TO_CONST_STR:
+ {
+ err = check_reg_const_str(env, reg, regno);
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index d1daeab1bbc14..f0b7e9eb81729 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1226,7 +1226,8 @@ static const struct bpf_func_proto bpf_get_func_arg_proto = {
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_ANYTHING,
+- .arg3_type = ARG_PTR_TO_LONG,
++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg3_size = sizeof(u64),
+ };
+
+ BPF_CALL_2(get_func_ret, void *, ctx, u64 *, value)
+@@ -1242,7 +1243,8 @@ static const struct bpf_func_proto bpf_get_func_ret_proto = {
+ .func = get_func_ret,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+- .arg2_type = ARG_PTR_TO_LONG,
++ .arg2_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg2_size = sizeof(u64),
+ };
+
+ BPF_CALL_1(get_func_arg_cnt, void *, ctx)
+diff --git a/net/core/filter.c b/net/core/filter.c
+index bbcce4ddfb7bf..45a6b61f759fa 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -6342,7 +6342,8 @@ static const struct bpf_func_proto bpf_skb_check_mtu_proto = {
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_ANYTHING,
+- .arg3_type = ARG_PTR_TO_INT,
++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg3_size = sizeof(u32),
+ .arg4_type = ARG_ANYTHING,
+ .arg5_type = ARG_ANYTHING,
+ };
+@@ -6353,7 +6354,8 @@ static const struct bpf_func_proto bpf_xdp_check_mtu_proto = {
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_ANYTHING,
+- .arg3_type = ARG_PTR_TO_INT,
++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg3_size = sizeof(u32),
+ .arg4_type = ARG_ANYTHING,
+ .arg5_type = ARG_ANYTHING,
+ };
+--
+2.43.0
+
--- /dev/null
+From 2151043410a42c98eee76985d222432f65669798 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 21:17:49 +0200
+Subject: bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 18752d73c1898fd001569195ba4b0b8c43255f4a ]
+
+When checking malformed helper function signatures, also take other argument
+types into account aside from just ARG_PTR_TO_UNINIT_MEM.
+
+This concerns (formerly) ARG_PTR_TO_{INT,LONG} given uninitialized memory can
+be passed there, too.
+
+The func proto sanity check goes back to commit 435faee1aae9 ("bpf, verifier:
+add ARG_PTR_TO_RAW_STACK type"), and its purpose was to detect wrong func protos
+which had more than just one MEM_UNINIT-tagged type as arguments.
+
+The reason more than one is currently not supported is as we mark stack slots with
+STACK_MISC in check_helper_call() in case of raw mode based on meta.access_size to
+allow uninitialized stack memory to be passed to helpers when they just write into
+the buffer.
+
+Probing for base type as well as MEM_UNINIT tagging ensures that other types do not
+get missed (as it used to be the case for ARG_PTR_TO_{INT,LONG}).
+
+Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types")
+Reported-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://lore.kernel.org/r/20240913191754.13290-4-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index e924e520b23ae..c821713249c81 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8158,6 +8158,12 @@ static bool arg_type_is_mem_size(enum bpf_arg_type type)
+ type == ARG_CONST_SIZE_OR_ZERO;
+ }
+
++static bool arg_type_is_raw_mem(enum bpf_arg_type type)
++{
++ return base_type(type) == ARG_PTR_TO_MEM &&
++ type & MEM_UNINIT;
++}
++
+ static bool arg_type_is_release(enum bpf_arg_type type)
+ {
+ return type & OBJ_RELEASE;
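Review bot: The new `arg_type_is_raw_mem()` mixes `==`, `&&` and `&` without parentheses; it parses as intended, but `return base_type(type) == ARG_PTR_TO_MEM && (type & MEM_UNINIT);` reads unambiguously and fits on one line. A one-line comment would also help, e.g. `/* any ARG_PTR_TO_MEM variant that the helper may write without prior init */`. check_raw_mode_ok() relies on this predicate to catch protos with more than one raw-mode argument, so its exact meaning matters to anyone adding a new flag combination.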
+@@ -9200,15 +9206,15 @@ static bool check_raw_mode_ok(const struct bpf_func_proto *fn)
+ {
+ int count = 0;
+
+- if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg1_type))
+ count++;
+- if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg2_type))
+ count++;
+- if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg3_type))
+ count++;
+- if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg4_type))
+ count++;
+- if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg5_type))
+ count++;
+
+ /* We only support one arg being in raw mode at the moment,
+--
+2.43.0
+
--- /dev/null
+From 0944b4a1a53f6def7df74668f283d4294de4fa57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 19:00:52 +0800
+Subject: bpf, lsm: Add check for BPF LSM return value
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 5d99e198be279045e6ecefe220f5c52f8ce9bfd5 ]
+
+A bpf prog returning a positive number attached to file_alloc_security
+hook makes kernel panic.
+
+This happens because file system can not filter out the positive number
+returned by the LSM prog using IS_ERR, and misinterprets this positive
+number as a file pointer.
+
+Given that hook file_alloc_security never returned positive number
+before the introduction of BPF LSM, and other BPF LSM hooks may
+encounter similar issues, this patch adds LSM return value check
+in verifier, to ensure no unexpected value is returned.
+
+Fixes: 520b7aa00d8c ("bpf: lsm: Initialize the BPF LSM hooks")
+Reported-by: Xin Liu <liuxin350@huawei.com>
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240719110059.797546-3-xukuohai@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 1 +
+ include/linux/bpf_lsm.h | 8 ++++++
+ kernel/bpf/bpf_lsm.c | 34 ++++++++++++++++++++++-
+ kernel/bpf/btf.c | 5 +++-
+ kernel/bpf/verifier.c | 60 ++++++++++++++++++++++++++++++++++-------
+ 5 files changed, 97 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 5e694a308081a..42b998518038a 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -927,6 +927,7 @@ struct bpf_insn_access_aux {
+ };
+ };
+ struct bpf_verifier_log *log; /* for verbose logs */
++ bool is_retval; /* is accessing function return value ? */
+ };
+
+ static inline void
+diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
+index 1de7ece5d36d4..aefcd65642512 100644
+--- a/include/linux/bpf_lsm.h
++++ b/include/linux/bpf_lsm.h
+@@ -9,6 +9,7 @@
+
+ #include <linux/sched.h>
+ #include <linux/bpf.h>
++#include <linux/bpf_verifier.h>
+ #include <linux/lsm_hooks.h>
+
+ #ifdef CONFIG_BPF_LSM
+@@ -45,6 +46,8 @@ void bpf_inode_storage_free(struct inode *inode);
+
+ void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog, bpf_func_t *bpf_func);
+
++int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
++ struct bpf_retval_range *range);
+ #else /* !CONFIG_BPF_LSM */
+
+ static inline bool bpf_lsm_is_sleepable_hook(u32 btf_id)
+@@ -78,6 +81,11 @@ static inline void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog,
+ {
+ }
+
++static inline int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
++ struct bpf_retval_range *range)
++{
++ return -EOPNOTSUPP;
++}
+ #endif /* CONFIG_BPF_LSM */
+
+ #endif /* _LINUX_BPF_LSM_H */
+diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
+index 68240c3c6e7de..7f8a66a62661b 100644
+--- a/kernel/bpf/bpf_lsm.c
++++ b/kernel/bpf/bpf_lsm.c
+@@ -11,7 +11,6 @@
+ #include <linux/lsm_hooks.h>
+ #include <linux/bpf_lsm.h>
+ #include <linux/kallsyms.h>
+-#include <linux/bpf_verifier.h>
+ #include <net/bpf_sk_storage.h>
+ #include <linux/bpf_local_storage.h>
+ #include <linux/btf_ids.h>
+@@ -389,3 +388,36 @@ const struct bpf_verifier_ops lsm_verifier_ops = {
+ .get_func_proto = bpf_lsm_func_proto,
+ .is_valid_access = btf_ctx_access,
+ };
++
++/* hooks return 0 or 1 */
++BTF_SET_START(bool_lsm_hooks)
++#ifdef CONFIG_SECURITY_NETWORK_XFRM
++BTF_ID(func, bpf_lsm_xfrm_state_pol_flow_match)
++#endif
++#ifdef CONFIG_AUDIT
++BTF_ID(func, bpf_lsm_audit_rule_known)
++#endif
++BTF_ID(func, bpf_lsm_inode_xattr_skipcap)
++BTF_SET_END(bool_lsm_hooks)
++
++int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
++ struct bpf_retval_range *retval_range)
++{
++ /* no return value range for void hooks */
++ if (!prog->aux->attach_func_proto->type)
++ return -EINVAL;
++
++ if (btf_id_set_contains(&bool_lsm_hooks, prog->aux->attach_btf_id)) {
++ retval_range->minval = 0;
++ retval_range->maxval = 1;
++ } else {
++ /* All other available LSM hooks, except task_prctl, return 0
++ * on success and negative error code on failure.
++ * To keep things simple, we only allow bpf progs to return 0
++ * or negative errno for task_prctl too.
++ */
++ retval_range->minval = -MAX_ERRNO;
++ retval_range->maxval = 0;
++ }
++ return 0;
++}
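Review bot: `bool_lsm_hooks` is a hand-maintained allowlist, and the comment above it should say what happens when a 0/1-returning hook is missing from it. Such a hook falls into the `else` branch and is limited to [-MAX_ERRNO, 0], so the failure mode is a rejected program rather than an unchecked return value. Stating that makes it clear the set must be updated whenever a boolean hook is added. The definition names its second parameter `retval_range` while the prototype and the stub in bpf_lsm.h use `range`; using one name avoids confusion in kernel-doc and grep. `prog->aux->attach_func_proto` is dereferenced without a NULL check; presumably it is always set for an LSM program at verification time, but that should be confirmed or stated in a comment.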
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 2f157ffbc67ce..49aba8e507996 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -6250,8 +6250,11 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
+
+ if (arg == nr_args) {
+ switch (prog->expected_attach_type) {
+- case BPF_LSM_CGROUP:
+ case BPF_LSM_MAC:
++ /* mark we are accessing the return value */
++ info->is_retval = true;
++ fallthrough;
++ case BPF_LSM_CGROUP:
+ case BPF_TRACE_FEXIT:
+ /* When LSM programs are attached to void LSM hooks
+ * they use FEXIT trampolines and when attached to
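Review bot: `info->is_retval` is only ever set to true on the `BPF_LSM_MAC` path and never cleared, so the result is only meaningful if the caller hands in an aux struct with the field already false. check_ctx_access() in this commit initialises it explicitly; other users of `struct bpf_insn_access_aux` are not visible here. Documenting the contract on the field would help, e.g. `bool is_retval; /* set by is_valid_access(); caller initialises to false */`. It would also be worth a short comment on why `BPF_LSM_CGROUP` is moved below the `fallthrough` and left unmarked, since its return-value reads stay unbounded. btf_ctx_access() starts and ends outside this hunk.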
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 73f55f4b945ee..b95f7f5bd5a49 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2334,6 +2334,25 @@ static void mark_reg_unknown(struct bpf_verifier_env *env,
+ __mark_reg_unknown(env, regs + regno);
+ }
+
++static int __mark_reg_s32_range(struct bpf_verifier_env *env,
++ struct bpf_reg_state *regs,
++ u32 regno,
++ s32 s32_min,
++ s32 s32_max)
++{
++ struct bpf_reg_state *reg = regs + regno;
++
++ reg->s32_min_value = max_t(s32, reg->s32_min_value, s32_min);
++ reg->s32_max_value = min_t(s32, reg->s32_max_value, s32_max);
++
++ reg->smin_value = max_t(s64, reg->smin_value, s32_min);
++ reg->smax_value = min_t(s64, reg->smax_value, s32_max);
++
++ reg_bounds_sync(reg);
++
++ return reg_bounds_sanity_check(env, reg, "s32_range");
++}
++
+ static void __mark_reg_not_init(const struct bpf_verifier_env *env,
+ struct bpf_reg_state *reg)
+ {
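Review bot: `__mark_reg_s32_range()` has no comment describing its contract, and two details are easy to miss. It intersects the register's existing signed bounds with the given range rather than overwriting them, and it narrows the 64-bit `smin_value`/`smax_value` as well as the 32-bit pair. A short header comment should state that, the expectation that `s32_min <= s32_max`, and that the return value is whatever `reg_bounds_sanity_check()` reports. The 64-bit narrowing assumes the loaded value is a sign-extended 32-bit quantity; that holds for the LSM return value as far as this commit shows, but a future caller should check it.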
+@@ -5575,11 +5594,12 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
+ /* check access to 'struct bpf_context' fields. Supports fixed offsets only */
+ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,
+ enum bpf_access_type t, enum bpf_reg_type *reg_type,
+- struct btf **btf, u32 *btf_id)
++ struct btf **btf, u32 *btf_id, bool *is_retval)
+ {
+ struct bpf_insn_access_aux info = {
+ .reg_type = *reg_type,
+ .log = &env->log,
++ .is_retval = false,
+ };
+
+ if (env->ops->is_valid_access &&
+@@ -5592,6 +5612,7 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
+ * type of narrower access.
+ */
+ *reg_type = info.reg_type;
++ *is_retval = info.is_retval;
+
+ if (base_type(*reg_type) == PTR_TO_BTF_ID) {
+ *btf = info.btf;
+@@ -6760,6 +6781,17 @@ static int check_stack_access_within_bounds(
+ return grow_stack_state(env, state, -min_off /* size */);
+ }
+
++static bool get_func_retval_range(struct bpf_prog *prog,
++ struct bpf_retval_range *range)
++{
++ if (prog->type == BPF_PROG_TYPE_LSM &&
++ prog->expected_attach_type == BPF_LSM_MAC &&
++ !bpf_lsm_get_retval_range(prog, range)) {
++ return true;
++ }
++ return false;
++}
++
+ /* check whether memory at (regno + off) is accessible for t = (read | write)
+ * if t==write, value_regno is a register which value is stored into memory
+ * if t==read, value_regno is a register which will receive the value from memory
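Review bot: `get_func_retval_range()` wraps a single boolean expression in `if (...) { return true; } return false;`; returning the expression directly is shorter and avoids the braces around a one-statement body. It could also take `const struct bpf_prog *prog`, matching `bpf_lsm_get_retval_range()`. A comment should say that `*range` is left untouched when the function returns false, because both callers in this commit declare `range` without an initialiser and must not read it in that case.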
+@@ -6864,6 +6896,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ if (!err && value_regno >= 0 && (t == BPF_READ || rdonly_mem))
+ mark_reg_unknown(env, regs, value_regno);
+ } else if (reg->type == PTR_TO_CTX) {
++ bool is_retval = false;
++ struct bpf_retval_range range;
+ enum bpf_reg_type reg_type = SCALAR_VALUE;
+ struct btf *btf = NULL;
+ u32 btf_id = 0;
+@@ -6879,7 +6913,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ return err;
+
+ err = check_ctx_access(env, insn_idx, off, size, t, ®_type, &btf,
+- &btf_id);
++ &btf_id, &is_retval);
+ if (err)
+ verbose_linfo(env, insn_idx, "; ");
+ if (!err && t == BPF_READ && value_regno >= 0) {
+@@ -6888,7 +6922,14 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ * case, we know the offset is zero.
+ */
+ if (reg_type == SCALAR_VALUE) {
+- mark_reg_unknown(env, regs, value_regno);
++ if (is_retval && get_func_retval_range(env->prog, &range)) {
++ err = __mark_reg_s32_range(env, regs, value_regno,
++ range.minval, range.maxval);
++ if (err)
++ return err;
++ } else {
++ mark_reg_unknown(env, regs, value_regno);
++ }
+ } else {
+ mark_reg_known_zero(env, regs,
+ value_regno);
+@@ -15677,12 +15718,13 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
+
+ case BPF_PROG_TYPE_LSM:
+ if (env->prog->expected_attach_type != BPF_LSM_CGROUP) {
+- /* Regular BPF_PROG_TYPE_LSM programs can return
+- * any value.
+- */
+- return 0;
+- }
+- if (!env->prog->aux->attach_func_proto->type) {
++ /* no range found, any return value is allowed */
++ if (!get_func_retval_range(env->prog, &range))
++ return 0;
++ /* no restricted range, any return value is allowed */
++ if (range.minval == S32_MIN && range.maxval == S32_MAX)
++ return 0;
++ } else if (!env->prog->aux->attach_func_proto->type) {
+ /* Make sure programs that attach to void
+ * hooks don't try to modify return value.
+ */
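Review bot: The early return for `range.minval == S32_MIN && range.maxval == S32_MAX` cannot trigger with the `bpf_lsm_get_retval_range()` added in this same commit, which only produces [0, 1] or [-MAX_ERRNO, 0]. If the branch is there for hooks that will later be given an unrestricted range, say so in the comment, e.g. `/* reserved for hooks with an unrestricted range; none exist yet */`; otherwise it is dead code in a return-value check that readers will assume is live. `range` is declared outside this hunk and check_return_code() continues past it, so where the restricted range is actually enforced is not visible here.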
+--
+2.43.0
+
--- /dev/null
+From b2cbca9f18c42a291257f30057426289447e1184 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jul 2024 20:39:00 +0800
+Subject: bpf, x64: Fix tailcall hierarchy
+
+From: Leon Hwang <hffilwlqm@gmail.com>
+
+[ Upstream commit 116e04ba1459fc08f80cf27b8c9f9f188be0fcb2 ]
+
+This patch fixes a tailcall issue caused by abusing the tailcall in
+bpf2bpf feature.
+
+As we know, tail_call_cnt propagates by rax from caller to callee when
+to call subprog in tailcall context. But, like the following example,
+MAX_TAIL_CALL_CNT won't work because of missing tail_call_cnt
+back-propagation from callee to caller.
+
+\#include <linux/bpf.h>
+\#include <bpf/bpf_helpers.h>
+\#include "bpf_legacy.h"
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+ __uint(max_entries, 1);
+ __uint(key_size, sizeof(__u32));
+ __uint(value_size, sizeof(__u32));
+} jmp_table SEC(".maps");
+
+int count = 0;
+
+static __noinline
+int subprog_tail1(struct __sk_buff *skb)
+{
+ bpf_tail_call_static(skb, &jmp_table, 0);
+ return 0;
+}
+
+static __noinline
+int subprog_tail2(struct __sk_buff *skb)
+{
+ bpf_tail_call_static(skb, &jmp_table, 0);
+ return 0;
+}
+
+SEC("tc")
+int entry(struct __sk_buff *skb)
+{
+ volatile int ret = 1;
+
+ count++;
+ subprog_tail1(skb);
+ subprog_tail2(skb);
+
+ return ret;
+}
+
+char __license[] SEC("license") = "GPL";
+
+At run time, the tail_call_cnt in entry() will be propagated to
+subprog_tail1() and subprog_tail2(). But, when the tail_call_cnt in
+subprog_tail1() updates when bpf_tail_call_static(), the tail_call_cnt
+in entry() won't be updated at the same time. As a result, in entry(),
+when tail_call_cnt in entry() is less than MAX_TAIL_CALL_CNT and
+subprog_tail1() returns because of MAX_TAIL_CALL_CNT limit,
+bpf_tail_call_static() in subprog_tail2() is able to run because the
+tail_call_cnt in subprog_tail2() propagated from entry() is less than
+MAX_TAIL_CALL_CNT.
+
+So, how many tailcalls are there for this case if no error happens?
+
+From top-down view, does it look like hierarchy layer and layer?
+
+With this view, there will be 2+4+8+...+2^33 = 2^34 - 2 = 17,179,869,182
+tailcalls for this case.
+
+How about there are N subprog_tail() in entry()? There will be almost
+N^34 tailcalls.
+
+Then, in this patch, it resolves this case on x86_64.
+
+In stead of propagating tail_call_cnt from caller to callee, it
+propagates its pointer, tail_call_cnt_ptr, tcc_ptr for short.
+
+However, where does it store tail_call_cnt?
+
+It stores tail_call_cnt on the stack of main prog. When tail call
+happens in subprog, it increments tail_call_cnt by tcc_ptr.
+
+Meanwhile, it stores tail_call_cnt_ptr on the stack of main prog, too.
+
+And, before jump to tail callee, it has to pop tail_call_cnt and
+tail_call_cnt_ptr.
+
+Then, at the prologue of subprog, it must not make rax as
+tail_call_cnt_ptr again. It has to reuse tail_call_cnt_ptr from caller.
+
+As a result, at run time, it has to recognize rax is tail_call_cnt or
+tail_call_cnt_ptr at prologue by:
+
+1. rax is tail_call_cnt if rax is <= MAX_TAIL_CALL_CNT.
+2. rax is tail_call_cnt_ptr if rax is > MAX_TAIL_CALL_CNT, because a
+ pointer won't be <= MAX_TAIL_CALL_CNT.
+
+Here's an example to dump JITed.
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+ __uint(max_entries, 1);
+ __uint(key_size, sizeof(__u32));
+ __uint(value_size, sizeof(__u32));
+} jmp_table SEC(".maps");
+
+int count = 0;
+
+static __noinline
+int subprog_tail(struct __sk_buff *skb)
+{
+ bpf_tail_call_static(skb, &jmp_table, 0);
+ return 0;
+}
+
+SEC("tc")
+int entry(struct __sk_buff *skb)
+{
+ int ret = 1;
+
+ count++;
+ subprog_tail(skb);
+ subprog_tail(skb);
+
+ return ret;
+}
+
+When bpftool p d j id 42:
+
+int entry(struct __sk_buff * skb):
+bpf_prog_0c0f4c2413ef19b1_entry:
+; int entry(struct __sk_buff *skb)
+ 0: endbr64
+ 4: nopl (%rax,%rax)
+ 9: xorq %rax, %rax ;; rax = 0 (tail_call_cnt)
+ c: pushq %rbp
+ d: movq %rsp, %rbp
+ 10: endbr64
+ 14: cmpq $33, %rax ;; if rax > 33, rax = tcc_ptr
+ 18: ja 0x20 ;; if rax > 33 goto 0x20 ---+
+ 1a: pushq %rax ;; [rbp - 8] = rax = 0 |
+ 1b: movq %rsp, %rax ;; rax = rbp - 8 |
+ 1e: jmp 0x21 ;; ---------+ |
+ 20: pushq %rax ;; <--------|---------------+
+ 21: pushq %rax ;; <--------+ [rbp - 16] = rax
+ 22: pushq %rbx ;; callee saved
+ 23: movq %rdi, %rbx ;; rbx = skb (callee saved)
+; count++;
+ 26: movabsq $-82417199407104, %rdi
+ 30: movl (%rdi), %esi
+ 33: addl $1, %esi
+ 36: movl %esi, (%rdi)
+; subprog_tail(skb);
+ 39: movq %rbx, %rdi ;; rdi = skb
+ 3c: movq -16(%rbp), %rax ;; rax = tcc_ptr
+ 43: callq 0x80 ;; call subprog_tail()
+; subprog_tail(skb);
+ 48: movq %rbx, %rdi ;; rdi = skb
+ 4b: movq -16(%rbp), %rax ;; rax = tcc_ptr
+ 52: callq 0x80 ;; call subprog_tail()
+; return ret;
+ 57: movl $1, %eax
+ 5c: popq %rbx
+ 5d: leave
+ 5e: retq
+
+int subprog_tail(struct __sk_buff * skb):
+bpf_prog_3a140cef239a4b4f_subprog_tail:
+; int subprog_tail(struct __sk_buff *skb)
+ 0: endbr64
+ 4: nopl (%rax,%rax)
+ 9: nopl (%rax) ;; do not touch tail_call_cnt
+ c: pushq %rbp
+ d: movq %rsp, %rbp
+ 10: endbr64
+ 14: pushq %rax ;; [rbp - 8] = rax (tcc_ptr)
+ 15: pushq %rax ;; [rbp - 16] = rax (tcc_ptr)
+ 16: pushq %rbx ;; callee saved
+ 17: pushq %r13 ;; callee saved
+ 19: movq %rdi, %rbx ;; rbx = skb
+; asm volatile("r1 = %[ctx]\n\t"
+ 1c: movabsq $-105487587488768, %r13 ;; r13 = jmp_table
+ 26: movq %rbx, %rdi ;; 1st arg, skb
+ 29: movq %r13, %rsi ;; 2nd arg, jmp_table
+ 2c: xorl %edx, %edx ;; 3rd arg, index = 0
+ 2e: movq -16(%rbp), %rax ;; rax = [rbp - 16] (tcc_ptr)
+ 35: cmpq $33, (%rax)
+ 39: jae 0x4e ;; if *tcc_ptr >= 33 goto 0x4e --------+
+ 3b: jmp 0x4e ;; jmp bypass, toggled by poking |
+ 40: addq $1, (%rax) ;; (*tcc_ptr)++ |
+ 44: popq %r13 ;; callee saved |
+ 46: popq %rbx ;; callee saved |
+ 47: popq %rax ;; undo rbp-16 push |
+ 48: popq %rax ;; undo rbp-8 push |
+ 49: nopl (%rax,%rax) ;; tail call target, toggled by poking |
+; return 0; ;; |
+ 4e: popq %r13 ;; restore callee saved <--------------+
+ 50: popq %rbx ;; restore callee saved
+ 51: leave
+ 52: retq
+
+Furthermore, when trampoline is the caller of bpf prog, which is
+tail_call_reachable, it is required to propagate rax through trampoline.
+
+Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
+Fixes: e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT")
+Reviewed-by: Eduard Zingerman <eddyz87@gmail.com>
+Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
+Link: https://lore.kernel.org/r/20240714123902.32305-2-hffilwlqm@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 107 ++++++++++++++++++++++++++----------
+ 1 file changed, 79 insertions(+), 28 deletions(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 5159c7a229229..2f28a9b34b91e 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -273,7 +273,7 @@ struct jit_context {
+ /* Number of bytes emit_patch() needs to generate instructions */
+ #define X86_PATCH_SIZE 5
+ /* Number of bytes that will be skipped on tailcall */
+-#define X86_TAIL_CALL_OFFSET (11 + ENDBR_INSN_SIZE)
++#define X86_TAIL_CALL_OFFSET (12 + ENDBR_INSN_SIZE)
+
+ static void push_r12(u8 **pprog)
+ {
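Review bot: `X86_TAIL_CALL_OFFSET` changes from 11 to 12 with no comment on where the number comes from, yet it has to match the byte count of the prologue that tail calls skip. The extra byte appears to come from the later emit_prologue() hunk, where `xor eax, eax` (2 bytes) becomes `xor rax, rax` (3 bytes) and the 2-byte nop becomes `emit_nops(&prog, 3)`. A comment listing the instructions that add up to the constant would let the next prologue change be checked against it. A mismatch here makes a tail call land in the middle of an instruction, so the derivation is worth writing down.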
+@@ -403,6 +403,37 @@ static void emit_cfi(u8 **pprog, u32 hash)
+ *pprog = prog;
+ }
+
++static void emit_prologue_tail_call(u8 **pprog, bool is_subprog)
++{
++ u8 *prog = *pprog;
++
++ if (!is_subprog) {
++ /* cmp rax, MAX_TAIL_CALL_CNT */
++ EMIT4(0x48, 0x83, 0xF8, MAX_TAIL_CALL_CNT);
++ EMIT2(X86_JA, 6); /* ja 6 */
++ /* rax is tail_call_cnt if <= MAX_TAIL_CALL_CNT.
++ * case1: entry of main prog.
++ * case2: tail callee of main prog.
++ */
++ EMIT1(0x50); /* push rax */
++ /* Make rax as tail_call_cnt_ptr. */
++ EMIT3(0x48, 0x89, 0xE0); /* mov rax, rsp */
++ EMIT2(0xEB, 1); /* jmp 1 */
++ /* rax is tail_call_cnt_ptr if > MAX_TAIL_CALL_CNT.
++ * case: tail callee of subprog.
++ */
++ EMIT1(0x50); /* push rax */
++ /* push tail_call_cnt_ptr */
++ EMIT1(0x50); /* push rax */
++ } else { /* is_subprog */
++ /* rax is tail_call_cnt_ptr. */
++ EMIT1(0x50); /* push rax */
++ EMIT1(0x50); /* push rax */
++ }
++
++ *pprog = prog;
++}
++
+ /*
+ * Emit x86-64 prologue code for BPF program.
+ * bpf_tail_call helper will skip the first X86_TAIL_CALL_OFFSET bytes
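Review bot: The `cmp rax, MAX_TAIL_CALL_CNT` in the `!is_subprog` branch uses an 8-bit immediate (`EMIT4(0x48, 0x83, 0xF8, MAX_TAIL_CALL_CNT)`), which the CPU sign-extends. The count-versus-pointer test is therefore only correct while the limit is at most 127; the JIT dump in the commit message shows 33. A `BUILD_BUG_ON(MAX_TAIL_CALL_CNT > 127);` next to the emit would pin that assumption, and the same applies to the `cmp qword ptr [rax], MAX_TAIL_CALL_CNT` in the two tail-call emitters. The hard-coded displacements in `EMIT2(X86_JA, 6)` and `EMIT2(0xEB, 1)` depend on the exact lengths of the instructions that follow (1 + 3 + 2 bytes, then 1 byte); a comment spelling out that arithmetic would protect against an edit that shifts the jump targets.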
+@@ -424,10 +455,10 @@ static void emit_prologue(u8 **pprog, u32 stack_depth, bool ebpf_from_cbpf,
+ /* When it's the entry of the whole tailcall context,
+ * zeroing rax means initialising tail_call_cnt.
+ */
+- EMIT2(0x31, 0xC0); /* xor eax, eax */
++ EMIT3(0x48, 0x31, 0xC0); /* xor rax, rax */
+ else
+ /* Keep the same instruction layout. */
+- EMIT2(0x66, 0x90); /* nop2 */
++ emit_nops(&prog, 3); /* nop3 */
+ }
+ /* Exception callback receives FP as third parameter */
+ if (is_exception_cb) {
+@@ -453,7 +484,7 @@ static void emit_prologue(u8 **pprog, u32 stack_depth, bool ebpf_from_cbpf,
+ if (stack_depth)
+ EMIT3_off32(0x48, 0x81, 0xEC, round_up(stack_depth, 8));
+ if (tail_call_reachable)
+- EMIT1(0x50); /* push rax */
++ emit_prologue_tail_call(&prog, is_subprog);
+ *pprog = prog;
+ }
+
+@@ -589,13 +620,15 @@ static void emit_return(u8 **pprog, u8 *ip)
+ *pprog = prog;
+ }
+
++#define BPF_TAIL_CALL_CNT_PTR_STACK_OFF(stack) (-16 - round_up(stack, 8))
++
+ /*
+ * Generate the following code:
+ *
+ * ... bpf_tail_call(void *ctx, struct bpf_array *array, u64 index) ...
+ * if (index >= array->map.max_entries)
+ * goto out;
+- * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
++ * if ((*tcc_ptr)++ >= MAX_TAIL_CALL_CNT)
+ * goto out;
+ * prog = array->ptrs[index];
+ * if (prog == NULL)
+@@ -608,7 +641,7 @@ static void emit_bpf_tail_call_indirect(struct bpf_prog *bpf_prog,
+ u32 stack_depth, u8 *ip,
+ struct jit_context *ctx)
+ {
+- int tcc_off = -4 - round_up(stack_depth, 8);
++ int tcc_ptr_off = BPF_TAIL_CALL_CNT_PTR_STACK_OFF(stack_depth);
+ u8 *prog = *pprog, *start = *pprog;
+ int offset;
+
+@@ -630,16 +663,14 @@ static void emit_bpf_tail_call_indirect(struct bpf_prog *bpf_prog,
+ EMIT2(X86_JBE, offset); /* jbe out */
+
+ /*
+- * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
++ * if ((*tcc_ptr)++ >= MAX_TAIL_CALL_CNT)
+ * goto out;
+ */
+- EMIT2_off32(0x8B, 0x85, tcc_off); /* mov eax, dword ptr [rbp - tcc_off] */
+- EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT); /* cmp eax, MAX_TAIL_CALL_CNT */
++ EMIT3_off32(0x48, 0x8B, 0x85, tcc_ptr_off); /* mov rax, qword ptr [rbp - tcc_ptr_off] */
++ EMIT4(0x48, 0x83, 0x38, MAX_TAIL_CALL_CNT); /* cmp qword ptr [rax], MAX_TAIL_CALL_CNT */
+
+ offset = ctx->tail_call_indirect_label - (prog + 2 - start);
+ EMIT2(X86_JAE, offset); /* jae out */
+- EMIT3(0x83, 0xC0, 0x01); /* add eax, 1 */
+- EMIT2_off32(0x89, 0x85, tcc_off); /* mov dword ptr [rbp - tcc_off], eax */
+
+ /* prog = array->ptrs[index]; */
+ EMIT4_off32(0x48, 0x8B, 0x8C, 0xD6, /* mov rcx, [rsi + rdx * 8 + offsetof(...)] */
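Review bot: The pseudo-code comment `if ((*tcc_ptr)++ >= MAX_TAIL_CALL_CNT)` no longer matches the emitted code: the compare here does not increment, and the `add qword ptr [rax], 1` is emitted in a later hunk, after the `prog == NULL` check. The counter therefore only advances when the slot is populated. Both this comment and the one in the function header should read `if (*tcc_ptr >= MAX_TAIL_CALL_CNT) goto out;` with the increment shown after the NULL test, and the same correction applies to emit_bpf_tail_call_direct(). The deferred `add` also relies on rax still holding tcc_ptr across the intervening instructions, some of which lie outside the hunks, so a comment such as `/* rax = tcc_ptr, must stay live until the increment below */` at the load would record that dependency.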
+@@ -654,6 +685,9 @@ static void emit_bpf_tail_call_indirect(struct bpf_prog *bpf_prog,
+ offset = ctx->tail_call_indirect_label - (prog + 2 - start);
+ EMIT2(X86_JE, offset); /* je out */
+
++ /* Inc tail_call_cnt if the slot is populated. */
++ EMIT4(0x48, 0x83, 0x00, 0x01); /* add qword ptr [rax], 1 */
++
+ if (bpf_prog->aux->exception_boundary) {
+ pop_callee_regs(&prog, all_callee_regs_used);
+ pop_r12(&prog);
+@@ -663,6 +697,11 @@ static void emit_bpf_tail_call_indirect(struct bpf_prog *bpf_prog,
+ pop_r12(&prog);
+ }
+
++ /* Pop tail_call_cnt_ptr. */
++ EMIT1(0x58); /* pop rax */
++ /* Pop tail_call_cnt, if it's main prog.
++ * Pop tail_call_cnt_ptr, if it's subprog.
++ */
+ EMIT1(0x58); /* pop rax */
+ if (stack_depth)
+ EMIT3_off32(0x48, 0x81, 0xC4, /* add rsp, sd */
+@@ -691,21 +730,19 @@ static void emit_bpf_tail_call_direct(struct bpf_prog *bpf_prog,
+ bool *callee_regs_used, u32 stack_depth,
+ struct jit_context *ctx)
+ {
+- int tcc_off = -4 - round_up(stack_depth, 8);
++ int tcc_ptr_off = BPF_TAIL_CALL_CNT_PTR_STACK_OFF(stack_depth);
+ u8 *prog = *pprog, *start = *pprog;
+ int offset;
+
+ /*
+- * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
++ * if ((*tcc_ptr)++ >= MAX_TAIL_CALL_CNT)
+ * goto out;
+ */
+- EMIT2_off32(0x8B, 0x85, tcc_off); /* mov eax, dword ptr [rbp - tcc_off] */
+- EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT); /* cmp eax, MAX_TAIL_CALL_CNT */
++ EMIT3_off32(0x48, 0x8B, 0x85, tcc_ptr_off); /* mov rax, qword ptr [rbp - tcc_ptr_off] */
++ EMIT4(0x48, 0x83, 0x38, MAX_TAIL_CALL_CNT); /* cmp qword ptr [rax], MAX_TAIL_CALL_CNT */
+
+ offset = ctx->tail_call_direct_label - (prog + 2 - start);
+ EMIT2(X86_JAE, offset); /* jae out */
+- EMIT3(0x83, 0xC0, 0x01); /* add eax, 1 */
+- EMIT2_off32(0x89, 0x85, tcc_off); /* mov dword ptr [rbp - tcc_off], eax */
+
+ poke->tailcall_bypass = ip + (prog - start);
+ poke->adj_off = X86_TAIL_CALL_OFFSET;
+@@ -715,6 +752,9 @@ static void emit_bpf_tail_call_direct(struct bpf_prog *bpf_prog,
+ emit_jump(&prog, (u8 *)poke->tailcall_target + X86_PATCH_SIZE,
+ poke->tailcall_bypass);
+
++ /* Inc tail_call_cnt if the slot is populated. */
++ EMIT4(0x48, 0x83, 0x00, 0x01); /* add qword ptr [rax], 1 */
++
+ if (bpf_prog->aux->exception_boundary) {
+ pop_callee_regs(&prog, all_callee_regs_used);
+ pop_r12(&prog);
+@@ -724,6 +764,11 @@ static void emit_bpf_tail_call_direct(struct bpf_prog *bpf_prog,
+ pop_r12(&prog);
+ }
+
++ /* Pop tail_call_cnt_ptr. */
++ EMIT1(0x58); /* pop rax */
++ /* Pop tail_call_cnt, if it's main prog.
++ * Pop tail_call_cnt_ptr, if it's subprog.
++ */
+ EMIT1(0x58); /* pop rax */
+ if (stack_depth)
+ EMIT3_off32(0x48, 0x81, 0xC4, round_up(stack_depth, 8));
+@@ -1313,9 +1358,11 @@ static void emit_shiftx(u8 **pprog, u32 dst_reg, u8 src_reg, bool is64, u8 op)
+
+ #define INSN_SZ_DIFF (((addrs[i] - addrs[i - 1]) - (prog - temp)))
+
+-/* mov rax, qword ptr [rbp - rounded_stack_depth - 8] */
+-#define RESTORE_TAIL_CALL_CNT(stack) \
+- EMIT3_off32(0x48, 0x8B, 0x85, -round_up(stack, 8) - 8)
++#define __LOAD_TCC_PTR(off) \
++ EMIT3_off32(0x48, 0x8B, 0x85, off)
++/* mov rax, qword ptr [rbp - rounded_stack_depth - 16] */
++#define LOAD_TAIL_CALL_CNT_PTR(stack) \
++ __LOAD_TCC_PTR(BPF_TAIL_CALL_CNT_PTR_STACK_OFF(stack))
+
+ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image, u8 *rw_image,
+ int oldproglen, struct jit_context *ctx, bool jmp_padding)
+@@ -2038,7 +2085,7 @@ st: if (is_imm8(insn->off))
+
+ func = (u8 *) __bpf_call_base + imm32;
+ if (tail_call_reachable) {
+- RESTORE_TAIL_CALL_CNT(bpf_prog->aux->stack_depth);
++ LOAD_TAIL_CALL_CNT_PTR(bpf_prog->aux->stack_depth);
+ ip += 7;
+ }
+ if (!imm32)
+@@ -2713,6 +2760,10 @@ static int invoke_bpf_mod_ret(const struct btf_func_model *m, u8 **pprog,
+ return 0;
+ }
+
++/* mov rax, qword ptr [rbp - rounded_stack_depth - 8] */
++#define LOAD_TRAMP_TAIL_CALL_CNT_PTR(stack) \
++ __LOAD_TCC_PTR(-round_up(stack, 8) - 8)
++
+ /* Example:
+ * __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev);
+ * its 'struct btf_func_model' will be nr_args=2
+@@ -2833,7 +2884,7 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im
+ * [ ... ]
+ * [ stack_arg2 ]
+ * RBP - arg_stack_off [ stack_arg1 ]
+- * RSP [ tail_call_cnt ] BPF_TRAMP_F_TAIL_CALL_CTX
++ * RSP [ tail_call_cnt_ptr ] BPF_TRAMP_F_TAIL_CALL_CTX
+ */
+
+ /* room for return value of orig_call or fentry prog */
+@@ -2962,10 +3013,10 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im
+ save_args(m, &prog, arg_stack_off, true);
+
+ if (flags & BPF_TRAMP_F_TAIL_CALL_CTX) {
+- /* Before calling the original function, restore the
+- * tail_call_cnt from stack to rax.
++ /* Before calling the original function, load the
++ * tail_call_cnt_ptr from stack to rax.
+ */
+- RESTORE_TAIL_CALL_CNT(stack_size);
++ LOAD_TRAMP_TAIL_CALL_CNT_PTR(stack_size);
+ }
+
+ if (flags & BPF_TRAMP_F_ORIG_STACK) {
+@@ -3024,10 +3075,10 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im
+ goto cleanup;
+ }
+ } else if (flags & BPF_TRAMP_F_TAIL_CALL_CTX) {
+- /* Before running the original function, restore the
+- * tail_call_cnt from stack to rax.
++ /* Before running the original function, load the
++ * tail_call_cnt_ptr from stack to rax.
+ */
+- RESTORE_TAIL_CALL_CNT(stack_size);
++ LOAD_TRAMP_TAIL_CALL_CNT_PTR(stack_size);
+ }
+
+ /* restore return value of orig_call or fentry prog back into RAX */
+--
+2.43.0
+
--- /dev/null
+From d3001672f0127e8f51ed0227bdc6e57b0beec876 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 21:17:50 +0200
+Subject: bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 4b3786a6c5397dc220b1483d8e2f4867743e966f ]
+
+For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input
+arguments, zero the value for the case of an error as otherwise it could leak
+memory. For tracing, it is not needed given CAP_PERFMON can already read all
+kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped
+in here.
+
+Also, the MTU helpers mtu_len pointer value is being written but also read.
+Technically, the MEM_UNINIT should not be there in order to always force init.
+Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now
+implies two things actually: i) write into memory, ii) memory does not have
+to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory,
+ii) memory must be initialized. This means that for bpf_*_check_mtu() we're
+readding the issue we're trying to fix, that is, it would then be able to
+write back into things like .rodata BPF maps. Follow-up work will rework the
+MEM_UNINIT semantics such that the intent can be better expressed. For now
+just clear the *mtu_len on error path which can be lifted later again.
+
+Fixes: 8a67f2de9b1d ("bpf: expose bpf_strtol and bpf_strtoul to all program types")
+Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/e5edd241-59e7-5e39-0ee5-a51e31b6840a@iogearbox.net
+Link: https://lore.kernel.org/r/20240913191754.13290-5-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 2 ++
+ kernel/bpf/syscall.c | 1 +
+ net/core/filter.c | 44 +++++++++++++++++++++++---------------------
+ 3 files changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 3155ea611c94d..a9ae8f8e61807 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -522,6 +522,7 @@ BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
+ long long _res;
+ int err;
+
++ *res = 0;
+ err = __bpf_strtoll(buf, buf_len, flags, &_res);
+ if (err < 0)
+ return err;
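Review bot: The unconditional `*res = 0;` at the top of bpf_strtol reads as a redundant store, and nothing in the hunk says why it is there. I would add `/* res may point at uninitialized memory; clear it so an error return never leaves stale data behind */` above it, and the same comment on the matching stores in bpf_strtoul (next hunk) and bpf_kallsyms_lookup_name in kernel/bpf/syscall.c. Without it a later cleanup could move the store back behind the error checks and reopen the leak the commit description talks about. Both strtol/strtoul bodies continue outside their hunks.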
+@@ -549,6 +550,7 @@ BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
+ bool is_negative;
+ int err;
+
++ *res = 0;
+ err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative);
+ if (err < 0)
+ return err;
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index d813abc86d12e..f6b6d297fad6e 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5910,6 +5910,7 @@ static const struct bpf_func_proto bpf_sys_close_proto = {
+
+ BPF_CALL_4(bpf_kallsyms_lookup_name, const char *, name, int, name_sz, int, flags, u64 *, res)
+ {
++ *res = 0;
+ if (flags)
+ return -EINVAL;
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 45a6b61f759fa..61da5512cd4d2 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -6258,20 +6258,25 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
+ int ret = BPF_MTU_CHK_RET_FRAG_NEEDED;
+ struct net_device *dev = skb->dev;
+ int skb_len, dev_len;
+- int mtu;
++ int mtu = 0;
+
+- if (unlikely(flags & ~(BPF_MTU_CHK_SEGS)))
+- return -EINVAL;
++ if (unlikely(flags & ~(BPF_MTU_CHK_SEGS))) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+- if (unlikely(flags & BPF_MTU_CHK_SEGS && (len_diff || *mtu_len)))
+- return -EINVAL;
++ if (unlikely(flags & BPF_MTU_CHK_SEGS && (len_diff || *mtu_len))) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ dev = __dev_via_ifindex(dev, ifindex);
+- if (unlikely(!dev))
+- return -ENODEV;
++ if (unlikely(!dev)) {
++ ret = -ENODEV;
++ goto out;
++ }
+
+ mtu = READ_ONCE(dev->mtu);
+-
+ dev_len = mtu + dev->hard_header_len;
+
+ /* If set use *mtu_len as input, L3 as iph->tot_len (like fib_lookup) */
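Review bot: The `BPF_MTU_CHK_SEGS` check still reads `*mtu_len` before the helper has written it, and per the commit description the argument is still treated as MEM_UNINIT, so the verifier does not make the program initialise it. The -EINVAL decision on that line can therefore depend on whatever the program left in that slot; the description defers the real fix to a later MEM_UNINIT rework. Until then a comment on the check such as `/* *mtu_len is in/out: read here, but the verifier does not yet require it to be initialised */` would keep the limitation visible. The function starts before this hunk and continues past it.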
+@@ -6289,15 +6294,12 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
+ */
+ if (skb_is_gso(skb)) {
+ ret = BPF_MTU_CHK_RET_SUCCESS;
+-
+ if (flags & BPF_MTU_CHK_SEGS &&
+ !skb_gso_validate_network_len(skb, mtu))
+ ret = BPF_MTU_CHK_RET_SEGS_TOOBIG;
+ }
+ out:
+- /* BPF verifier guarantees valid pointer */
+ *mtu_len = mtu;
+-
+ return ret;
+ }
+
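Review bot: The store under `out:` now has two jobs, returning the device MTU on success and clearing the caller's value on the early error paths, but the hunk removes the only comment at the label and does not replace it. I would add `/* mtu is still 0 on the early error paths, so this also clears *mtu_len on failure */` above `*mtu_len = mtu;`, here and at the new `out:` label in bpf_xdp_check_mtu further down. This is also a visible behaviour change for programs that reused their input value after a failed call, so the helper's UAPI description (not shown here) probably wants a sentence on it.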
+@@ -6307,19 +6309,21 @@ BPF_CALL_5(bpf_xdp_check_mtu, struct xdp_buff *, xdp,
+ struct net_device *dev = xdp->rxq->dev;
+ int xdp_len = xdp->data_end - xdp->data;
+ int ret = BPF_MTU_CHK_RET_SUCCESS;
+- int mtu, dev_len;
++ int mtu = 0, dev_len;
+
+ /* XDP variant doesn't support multi-buffer segment check (yet) */
+- if (unlikely(flags))
+- return -EINVAL;
++ if (unlikely(flags)) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ dev = __dev_via_ifindex(dev, ifindex);
+- if (unlikely(!dev))
+- return -ENODEV;
++ if (unlikely(!dev)) {
++ ret = -ENODEV;
++ goto out;
++ }
+
+ mtu = READ_ONCE(dev->mtu);
+-
+- /* Add L2-header as dev MTU is L3 size */
+ dev_len = mtu + dev->hard_header_len;
+
+ /* Use *mtu_len as input, L3 as iph->tot_len (like fib_lookup) */
+@@ -6329,10 +6333,8 @@ BPF_CALL_5(bpf_xdp_check_mtu, struct xdp_buff *, xdp,
+ xdp_len += len_diff; /* minus result pass check */
+ if (xdp_len > dev_len)
+ ret = BPF_MTU_CHK_RET_FRAG_NEEDED;
+-
+- /* BPF verifier guarantees valid pointer */
++out:
+ *mtu_len = mtu;
+-
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 93f36f340c58ffcb81d3b060838bb11cc182f800 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 15:35:29 +0100
+Subject: cachefiles: Fix non-taking of sb_writers around set/removexattr
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 80887f31672970abae3aaa9cf62ac72a124e7c89 ]
+
+Unlike other vfs_xxxx() calls, vfs_setxattr() and vfs_removexattr() don't
+take the sb_writers lock, so the caller should do it for them.
+
+Fix cachefiles to do this.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Christian Brauner <brauner@kernel.org>
+cc: Gao Xiang <xiang@kernel.org>
+cc: netfs@lists.linux.dev
+cc: linux-erofs@lists.ozlabs.org
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20240814203850.2240469-3-dhowells@redhat.com/ # v2
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/xattr.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/fs/cachefiles/xattr.c b/fs/cachefiles/xattr.c
+index 4dd8a993c60a8..7c6f260a3be56 100644
+--- a/fs/cachefiles/xattr.c
++++ b/fs/cachefiles/xattr.c
+@@ -64,9 +64,15 @@ int cachefiles_set_object_xattr(struct cachefiles_object *object)
+ memcpy(buf->data, fscache_get_aux(object->cookie), len);
+
+ ret = cachefiles_inject_write_error();
+- if (ret == 0)
+- ret = vfs_setxattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache,
+- buf, sizeof(struct cachefiles_xattr) + len, 0);
++ if (ret == 0) {
++ ret = mnt_want_write_file(file);
++ if (ret == 0) {
++ ret = vfs_setxattr(&nop_mnt_idmap, dentry,
++ cachefiles_xattr_cache, buf,
++ sizeof(struct cachefiles_xattr) + len, 0);
++ mnt_drop_write_file(file);
++ }
++ }
+ if (ret < 0) {
+ trace_cachefiles_vfs_error(object, file_inode(file), ret,
+ cachefiles_trace_setxattr_error);
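Review bot: A failure of `mnt_want_write_file()` now falls into the `ret < 0` branch and is reported through `trace_cachefiles_vfs_error()` with `cachefiles_trace_setxattr_error`, so the trace cannot tell a refused write access apart from a failing setxattr. The same holds for the `mnt_want_write()` calls in cachefiles_remove_object_xattr and cachefiles_set_volume_xattr in the next two hunks. If that distinction matters for debugging, the write-access failure needs its own trace reason; the trace enum is not visible here, so this is something to check, not a drop-in line. On style, this function takes the write reference through `file` while the other two use the cache's `mnt`, and a one-line comment saying why would help. The function body starts and ends outside the hunk.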
+@@ -151,8 +157,14 @@ int cachefiles_remove_object_xattr(struct cachefiles_cache *cache,
+ int ret;
+
+ ret = cachefiles_inject_remove_error();
+- if (ret == 0)
+- ret = vfs_removexattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache);
++ if (ret == 0) {
++ ret = mnt_want_write(cache->mnt);
++ if (ret == 0) {
++ ret = vfs_removexattr(&nop_mnt_idmap, dentry,
++ cachefiles_xattr_cache);
++ mnt_drop_write(cache->mnt);
++ }
++ }
+ if (ret < 0) {
+ trace_cachefiles_vfs_error(object, d_inode(dentry), ret,
+ cachefiles_trace_remxattr_error);
+@@ -208,9 +220,15 @@ bool cachefiles_set_volume_xattr(struct cachefiles_volume *volume)
+ memcpy(buf->data, p, volume->vcookie->coherency_len);
+
+ ret = cachefiles_inject_write_error();
+- if (ret == 0)
+- ret = vfs_setxattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache,
+- buf, len, 0);
++ if (ret == 0) {
++ ret = mnt_want_write(volume->cache->mnt);
++ if (ret == 0) {
++ ret = vfs_setxattr(&nop_mnt_idmap, dentry,
++ cachefiles_xattr_cache,
++ buf, len, 0);
++ mnt_drop_write(volume->cache->mnt);
++ }
++ }
+ if (ret < 0) {
+ trace_cachefiles_vfs_error(NULL, d_inode(dentry), ret,
+ cachefiles_trace_setxattr_error);
+--
+2.43.0
+
--- /dev/null
+From 8ecbc11a5c4fb8f1bedad95fafe9ffa34b54ddbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 18:22:37 -0700
+Subject: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 94b0818fa63555a65f6ba107080659ea6bcca63e ]
+
+syzbot reported a warning in bcm_release(). [0]
+
+The blamed change fixed another warning that is triggered when
+connect() is issued again for a socket whose connect()ed device has
+been unregistered.
+
+However, if the socket is just close()d without the 2nd connect(), the
+remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
+in bcm_release().
+
+Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().
+
+[0]
+name '4986'
+WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
+Modules linked in:
+CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
+Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
+RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
+RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
+R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
+R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
+FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ bcm_release+0x250/0x880 net/can/bcm.c:1578
+ __sock_release net/socket.c:659 [inline]
+ sock_close+0xbc/0x240 net/socket.c:1421
+ __fput+0x24a/0x8a0 fs/file_table.c:422
+ task_work_run+0x24f/0x310 kernel/task_work.c:228
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xa2f/0x27f0 kernel/exit.c:882
+ do_group_exit+0x207/0x2c0 kernel/exit.c:1031
+ __do_sys_exit_group kernel/exit.c:1042 [inline]
+ __se_sys_exit_group kernel/exit.c:1040 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
+ x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fcfb51ee969
+Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
+RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
+RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
+RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
+R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
+R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
+ </TASK>
+
+Fixes: 76fe372ccb81 ("can: bcm: Remove proc entry when dev is unregistered.")
+Reported-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0532ac7a06fb1a03187e
+Tested-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20240905012237.79683-1-kuniyu@amazon.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/bcm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 46d3ec3aa44b4..217049fa496e9 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1471,8 +1471,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg,
+ /* remove device reference, if this is our bound device */
+ if (bo->bound && bo->ifindex == dev->ifindex) {
+ #if IS_ENABLED(CONFIG_PROC_FS)
+- if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read)
++ if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) {
+ remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir);
++ bo->bcm_proc_read = NULL;
++ }
+ #endif
+ bo->bound = 0;
+ bo->ifindex = 0;
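Review bot: The new `bo->bcm_proc_read = NULL;` has no comment, and its purpose is only visible from bcm_release(), which is outside this hunk. Per the commit description bcm_release() uses the pointer to decide whether to call remove_proc_entry(), so I would add `/* bcm_release() tests bcm_proc_read; clear it so the entry is not removed a second time */` above the assignment. It is also worth confirming that bcm_release() and the connect path read the field under the same lock this writer holds; the locking is not shown here.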
+--
+2.43.0
+
--- /dev/null
+From 0a23ab76c8d43a7b7b7ebe8cf66c51cd0fa81c3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 20:48:23 +0800
+Subject: can: j1939: use correct function name in comment
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit dc2ddcd136fe9b6196a7dd01f75f824beb02d43f ]
+
+The function j1939_cancel_all_active_sessions() was renamed to
+j1939_cancel_active_session() but name in comment wasn't updated.
+
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://patch.msgid.link/1724935703-44621-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 4be73de5033cb..319f47df33300 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1179,10 +1179,10 @@ static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
+ break;
+ case -ENETDOWN:
+ /* In this case we should get a netdev_event(), all active
+- * sessions will be cleared by
+- * j1939_cancel_all_active_sessions(). So handle this as an
+- * error, but let j1939_cancel_all_active_sessions() do the
+- * cleanup including propagation of the error to user space.
++ * sessions will be cleared by j1939_cancel_active_session().
++ * So handle this as an error, but let
++ * j1939_cancel_active_session() do the cleanup including
++ * propagation of the error to user space.
+ */
+ break;
+ case -EOVERFLOW:
+--
+2.43.0
+
--- /dev/null
+From 7d4740b9b1f889f51d177f9570defbd9a3bd6e9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 23:19:51 +0000
+Subject: can: m_can: enable NAPI before enabling interrupts
+
+From: Jake Hamby <Jake.Hamby@Teledyne.com>
+
+[ Upstream commit 801ad2f87b0c6d0c34a75a4efd6bfd3a2d9f9298 ]
+
+If an interrupt (RX-complete or error flag) is set when bringing up
+the CAN device, e.g. due to CAN bus traffic before initializing the
+device, when m_can_start() is called and interrupts are enabled,
+m_can_isr() is called immediately, which disables all CAN interrupts
+and calls napi_schedule().
+
+Because napi_enable() isn't called until later in m_can_open(), the
+call to napi_schedule() never schedules the m_can_poll() callback and
+the device is left with interrupts disabled and can't receive any CAN
+packets until rebooted.
+
+This can be verified by running "cansend" from another device before
+setting the bitrate and calling "ip link set up can0" on the test
+device. Adding debug lines to m_can_isr() shows it's called with flags
+(IR_EP | IR_EW | IR_CRCE), which calls m_can_disable_all_interrupts()
+and napi_schedule(), and then m_can_poll() is never called.
+
+Move the call to napi_enable() above the call to m_can_start() to
+enable any initial interrupt flags to be handled by m_can_poll() so
+that interrupts are reenabled. Add a call to napi_disable() in the
+error handling section of m_can_open(), to handle the case where later
+functions return errors.
+
+Also, in m_can_close(), move the call to napi_disable() below the call
+to m_can_stop() to ensure all interrupts are handled when bringing
+down the device. This race condition is much less likely to occur.
+
+Tested on a Microchip SAMA7G54 MPU. The fix should be applicable to
+any SoC with a Bosch M_CAN controller.
+
+Signed-off-by: Jake Hamby <Jake.Hamby@Teledyne.com>
+Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
+Link: https://patch.msgid.link/20240910-can-m_can-fix-ifup-v3-1-6c1720ba45ce@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index ddde067f593fc..2baf4451a9b5e 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1720,9 +1720,6 @@ static int m_can_close(struct net_device *dev)
+
+ netif_stop_queue(dev);
+
+- if (!cdev->is_peripheral)
+- napi_disable(&cdev->napi);
+-
+ m_can_stop(dev);
+ m_can_clk_stop(cdev);
+ free_irq(dev->irq, dev);
+@@ -1733,6 +1730,8 @@ static int m_can_close(struct net_device *dev)
+ destroy_workqueue(cdev->tx_wq);
+ cdev->tx_wq = NULL;
+ can_rx_offload_disable(&cdev->offload);
++ } else {
++ napi_disable(&cdev->napi);
+ }
+
+ close_candev(dev);
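Review bot: With napi_disable() moved into the `else` branch here, it now runs after `m_can_clk_stop(cdev)` and `free_irq()` from the previous hunk, so taken on its own this patch lets a still-scheduled poll run with the clocks already stopped. The next patch in this queue ("m_can_close(): stop clocks after device has been shut down") moves the clock stop to the end of m_can_close(), so the two should be applied together and not picked separately. m_can_close() starts before the hunk.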
+@@ -1987,6 +1986,8 @@ static int m_can_open(struct net_device *dev)
+
+ if (cdev->is_peripheral)
+ can_rx_offload_enable(&cdev->offload);
++ else
++ napi_enable(&cdev->napi);
+
+ /* register interrupt handler */
+ if (cdev->is_peripheral) {
+@@ -2020,9 +2021,6 @@ static int m_can_open(struct net_device *dev)
+ if (err)
+ goto exit_start_fail;
+
+- if (!cdev->is_peripheral)
+- napi_enable(&cdev->napi);
+-
+ netif_start_queue(dev);
+
+ return 0;
+@@ -2036,6 +2034,8 @@ static int m_can_open(struct net_device *dev)
+ out_wq_fail:
+ if (cdev->is_peripheral)
+ can_rx_offload_disable(&cdev->offload);
++ else
++ napi_disable(&cdev->napi);
+ close_candev(dev);
+ exit_disable_clks:
+ m_can_clk_stop(cdev);
+--
+2.43.0
+
--- /dev/null
+From a18c918b0236ce9a97242715b231d3de7f9b9f27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 15:07:41 +0200
+Subject: can: m_can: m_can_close(): stop clocks after device has been shut
+ down
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 2c09b50efcad985cf920ca88baa9aa52b1999dcc ]
+
+After calling m_can_stop() an interrupt may be pending or NAPI might
+still be executed. This means the driver might still touch registers
+of the IP core after the clocks have been disabled. This is not good
+practice and might lead to aborts depending on the SoC integration.
+
+To avoid these potential problems, make m_can_close() symmetric to
+m_can_open(), i.e. stop the clocks at the end, right before shutting
+down the transceiver.
+
+Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
+Link: https://patch.msgid.link/20240910-can-m_can-fix-ifup-v3-2-6c1720ba45ce@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index 2baf4451a9b5e..0f9f17fdb3bb8 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1721,7 +1721,6 @@ static int m_can_close(struct net_device *dev)
+ netif_stop_queue(dev);
+
+ m_can_stop(dev);
+- m_can_clk_stop(cdev);
+ free_irq(dev->irq, dev);
+
+ m_can_clean(dev);
+@@ -1736,6 +1735,7 @@ static int m_can_close(struct net_device *dev)
+
+ close_candev(dev);
+
++ m_can_clk_stop(cdev);
+ phy_power_off(cdev->transceiver);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From ab9637f1e8697bdf1a77a60cafb25f6e1ada304c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jul 2024 17:13:15 +0300
+Subject: clk: at91: sama7g5: Allocate only the needed amount of memory for
+ PLLs
+
+From: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+
+[ Upstream commit 2d6e9ee7cb3e79b1713783c633b13af9aeffc90c ]
+
+The maximum number of PLL components on SAMA7G5 is 3 (one fractional
+part and 2 dividers). Allocate the needed amount of memory for
+sama7g5_plls 2d array. Previous code used to allocate 7 array entries for
+each PLL. While at it, replace 3 with PLL_COMPID_MAX in the loop which
+parses the sama7g5_plls 2d array.
+
+Fixes: cb783bbbcf54 ("clk: at91: sama7g5: add clock support for sama7g5")
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20240714141315.19480-1-claudiu.beznea@tuxon.dev
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/sama7g5.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/at91/sama7g5.c b/drivers/clk/at91/sama7g5.c
+index 91b5c6f148196..4e9594714b142 100644
+--- a/drivers/clk/at91/sama7g5.c
++++ b/drivers/clk/at91/sama7g5.c
+@@ -66,6 +66,7 @@ enum pll_component_id {
+ PLL_COMPID_FRAC,
+ PLL_COMPID_DIV0,
+ PLL_COMPID_DIV1,
++ PLL_COMPID_MAX,
+ };
+
+ /*
+@@ -165,7 +166,7 @@ static struct sama7g5_pll {
+ u8 t;
+ u8 eid;
+ u8 safe_div;
+-} sama7g5_plls[][PLL_ID_MAX] = {
++} sama7g5_plls[][PLL_COMPID_MAX] = {
+ [PLL_ID_CPU] = {
+ [PLL_COMPID_FRAC] = {
+ .n = "cpupll_fracck",
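Review bot: The first dimension of `sama7g5_plls[][PLL_COMPID_MAX]` is still left for the compiler to size from the highest designated initializer, while the setup loop in the last hunk walks `i < PLL_ID_MAX`. If the last PLL id ever lacks an initializer the loop would index past the array; the initializer list continues outside the hunk, so I cannot tell whether that holds today. Declaring it as `sama7g5_plls[PLL_ID_MAX][PLL_COMPID_MAX]` makes the loop bound and the array size agree by construction.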
+@@ -1038,7 +1039,7 @@ static void __init sama7g5_pmc_setup(struct device_node *np)
+ sama7g5_pmc->chws[PMC_MAIN] = hw;
+
+ for (i = 0; i < PLL_ID_MAX; i++) {
+- for (j = 0; j < 3; j++) {
++ for (j = 0; j < PLL_COMPID_MAX; j++) {
+ struct clk_hw *parent_hw;
+
+ if (!sama7g5_plls[i][j].n)
+--
+2.43.0
+
--- /dev/null
+From 2690f40e7811284d60b1cc7bd8c8255ff76e1ee7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 15:42:03 +0800
+Subject: clk: imx: clk-audiomix: Correct parent clock for earc_phy and audpll
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit d40371a1c963db688b37826adaf5ffdafb0862a1 ]
+
+According to Reference Manual of i.MX8MP
+The parent clock of "earc_phy" is "sai_pll_out_div2",
+The parent clock of "audpll" is "osc_24m".
+
+Add CLK_GATE_PARENT() macro for usage of specifying parent clock.
+
+Fixes: 6cd95f7b151c ("clk: imx: imx8mp: Add audiomix block control")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1718350923-21392-6-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mp-audiomix.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mp-audiomix.c b/drivers/clk/imx/clk-imx8mp-audiomix.c
+index b381d6f784c89..0767d613b68b0 100644
+--- a/drivers/clk/imx/clk-imx8mp-audiomix.c
++++ b/drivers/clk/imx/clk-imx8mp-audiomix.c
+@@ -154,6 +154,15 @@ static const struct clk_parent_data clk_imx8mp_audiomix_pll_bypass_sels[] = {
+ PDM_SEL, 2, 0 \
+ }
+
++#define CLK_GATE_PARENT(gname, cname, pname) \
++ { \
++ gname"_cg", \
++ IMX8MP_CLK_AUDIOMIX_##cname, \
++ { .fw_name = pname, .name = pname }, NULL, 1, \
++ CLKEN0 + 4 * !!(IMX8MP_CLK_AUDIOMIX_##cname / 32), \
++ 1, IMX8MP_CLK_AUDIOMIX_##cname % 32 \
++ }
++
+ struct clk_imx8mp_audiomix_sel {
+ const char *name;
+ int clkid;
+@@ -171,14 +180,14 @@ static struct clk_imx8mp_audiomix_sel sels[] = {
+ CLK_GATE("earc", EARC_IPG),
+ CLK_GATE("ocrama", OCRAMA_IPG),
+ CLK_GATE("aud2htx", AUD2HTX_IPG),
+- CLK_GATE("earc_phy", EARC_PHY),
++ CLK_GATE_PARENT("earc_phy", EARC_PHY, "sai_pll_out_div2"),
+ CLK_GATE("sdma2", SDMA2_ROOT),
+ CLK_GATE("sdma3", SDMA3_ROOT),
+ CLK_GATE("spba2", SPBA2_ROOT),
+ CLK_GATE("dsp", DSP_ROOT),
+ CLK_GATE("dspdbg", DSPDBG_ROOT),
+ CLK_GATE("edma", EDMA_ROOT),
+- CLK_GATE("audpll", AUDPLL_ROOT),
++ CLK_GATE_PARENT("audpll", AUDPLL_ROOT, "osc_24m"),
+ CLK_GATE("mu2", MU2_ROOT),
+ CLK_GATE("mu3", MU3_ROOT),
+ CLK_PDM,
+--
+2.43.0
+
--- /dev/null
+From 3605fac7c1ad755775548e82ec23e614238b884b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:35 +0800
+Subject: clk: imx: composite-7ulp: Check the PCC present bit
+
+From: Ye Li <ye.li@nxp.com>
+
+[ Upstream commit 4717ccadb51e2630790dddd222830702de17f090 ]
+
+When some module is disabled by fuse, its PCC PR bit is default 0 and
+PCC is not operational. Any write to this PCC will cause SError.
+
+Fixes: b40ba8065347 ("clk: imx: Update the compsite driver to support imx8ulp")
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Ye Li <ye.li@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-4-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-composite-7ulp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/clk/imx/clk-composite-7ulp.c b/drivers/clk/imx/clk-composite-7ulp.c
+index e208ddc511339..db7f40b07d1ab 100644
+--- a/drivers/clk/imx/clk-composite-7ulp.c
++++ b/drivers/clk/imx/clk-composite-7ulp.c
+@@ -14,6 +14,7 @@
+ #include "../clk-fractional-divider.h"
+ #include "clk.h"
+
++#define PCG_PR_MASK BIT(31)
+ #define PCG_PCS_SHIFT 24
+ #define PCG_PCS_MASK 0x7
+ #define PCG_CGC_SHIFT 30
+@@ -78,6 +79,12 @@ static struct clk_hw *imx_ulp_clk_hw_composite(const char *name,
+ struct clk_hw *hw;
+ u32 val;
+
++ val = readl(reg);
++ if (!(val & PCG_PR_MASK)) {
++ pr_info("PCC PR is 0 for clk:%s, bypass\n", name);
++ return 0;
++ }
++
+ if (mux_present) {
+ mux = kzalloc(sizeof(*mux), GFP_KERNEL);
+ if (!mux)
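Review bot: The early exit uses `return 0;` in a function that returns `struct clk_hw *`; it should be `return NULL;`. More importantly the function now has a third outcome besides a valid pointer and an error pointer: callers that only test IS_ERR() will treat the NULL as a registered clock, so the call sites (not visible in this hunk) need checking. A comment above the check, e.g. `/* PR clear means the module is fused off; any write to this PCC raises SError, so register nothing */`, would record why the clock is skipped. The function body continues past the hunk.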
+--
+2.43.0
+
--- /dev/null
+From d13eb16218d1b06cc187bfe264b835ff812288d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:33 +0800
+Subject: clk: imx: composite-8m: Enable gate clk with mcore_booted
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 8f32e9dd0916eb3fd4bcf550ed1d04542a65cb9e ]
+
+Bootloader might disable some CCM ROOT Slices. So if mcore_booted set with
+display CCM ROOT disabled by Bootloader, kernel display BLK CTRL driver
+imx8m_blk_ctrl_driver_init may hang the system because the BUS clk is
+disabled.
+
+Add back gate ops, but with disable doing nothing, then the CCM ROOT
+will be enabled when used.
+
+Fixes: bb7e897b002a ("clk: imx8m: check mcore_booted before register clk")
+Reviewed-by: Ye Li <ye.li@nxp.com>
+Reviewed-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-2-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-composite-8m.c | 53 +++++++++++++++++++++++-------
+ 1 file changed, 42 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-composite-8m.c b/drivers/clk/imx/clk-composite-8m.c
+index 8cc07d056a838..f187582ba4919 100644
+--- a/drivers/clk/imx/clk-composite-8m.c
++++ b/drivers/clk/imx/clk-composite-8m.c
+@@ -204,6 +204,34 @@ static const struct clk_ops imx8m_clk_composite_mux_ops = {
+ .determine_rate = imx8m_clk_composite_mux_determine_rate,
+ };
+
++static int imx8m_clk_composite_gate_enable(struct clk_hw *hw)
++{
++ struct clk_gate *gate = to_clk_gate(hw);
++ unsigned long flags;
++ u32 val;
++
++ spin_lock_irqsave(gate->lock, flags);
++
++ val = readl(gate->reg);
++ val |= BIT(gate->bit_idx);
++ writel(val, gate->reg);
++
++ spin_unlock_irqrestore(gate->lock, flags);
++
++ return 0;
++}
++
++static void imx8m_clk_composite_gate_disable(struct clk_hw *hw)
++{
++ /* composite clk requires the disable hook */
++}
++
++static const struct clk_ops imx8m_clk_composite_gate_ops = {
++ .enable = imx8m_clk_composite_gate_enable,
++ .disable = imx8m_clk_composite_gate_disable,
++ .is_enabled = clk_gate_is_enabled,
++};
++
+ struct clk_hw *__imx8m_clk_hw_composite(const char *name,
+ const char * const *parent_names,
+ int num_parents, void __iomem *reg,
+@@ -217,6 +245,7 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name,
+ struct clk_mux *mux;
+ const struct clk_ops *divider_ops;
+ const struct clk_ops *mux_ops;
++ const struct clk_ops *gate_ops;
+
+ mux = kzalloc(sizeof(*mux), GFP_KERNEL);
+ if (!mux)
+@@ -257,20 +286,22 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name,
+ div->flags = CLK_DIVIDER_ROUND_CLOSEST;
+
+ /* skip registering the gate ops if M4 is enabled */
+- if (!mcore_booted) {
+- gate = kzalloc(sizeof(*gate), GFP_KERNEL);
+- if (!gate)
+- goto free_div;
+-
+- gate_hw = &gate->hw;
+- gate->reg = reg;
+- gate->bit_idx = PCG_CGC_SHIFT;
+- gate->lock = &imx_ccm_lock;
+- }
++ gate = kzalloc(sizeof(*gate), GFP_KERNEL);
++ if (!gate)
++ goto free_div;
++
++ gate_hw = &gate->hw;
++ gate->reg = reg;
++ gate->bit_idx = PCG_CGC_SHIFT;
++ gate->lock = &imx_ccm_lock;
++ if (!mcore_booted)
++ gate_ops = &clk_gate_ops;
++ else
++ gate_ops = &imx8m_clk_composite_gate_ops;
+
+ hw = clk_hw_register_composite(NULL, name, parent_names, num_parents,
+ mux_hw, mux_ops, div_hw,
+- divider_ops, gate_hw, &clk_gate_ops, flags);
++ divider_ops, gate_hw, gate_ops, flags);
+ if (IS_ERR(hw))
+ goto free_gate;
+
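Review bot: The comment `/* skip registering the gate ops if M4 is enabled */` is left in place but no longer describes the code, since the gate is now always allocated and only the ops differ. I would replace it with `/* always register a gate; when the M core is booted use ops whose disable is a no-op, so a root the M core may rely on is never gated off */`. The function starts before this hunk and continues after it.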
+--
+2.43.0
+
--- /dev/null
+From 5fe23920326ac4cfa7f8a375207cb5152027bc0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:34 +0800
+Subject: clk: imx: composite-93: keep root clock on when mcore enabled
+
+From: Jacky Bai <ping.bai@nxp.com>
+
+[ Upstream commit d342df11726bfac9c3a9d2037afa508ac0e9e44e ]
+
+Previously we assumed that the root clock slice is enabled
+by default when kernel boot up. But the bootloader may disable
+the clocks before jump into kernel. The gate ops should be registered
+rather than NULL to make sure the disabled clock can be enabled
+when kernel boot up. Refine the code to skip disable the clock
+if mcore booted.
+
+Fixes: a740d7350ff7 ("clk: imx: imx93: add mcore_booted module paratemter")
+Signed-off-by: Jacky Bai <ping.bai@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Tested-by: Chancel Liu <chancel.liu@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-3-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-composite-93.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-composite-93.c b/drivers/clk/imx/clk-composite-93.c
+index 81164bdcd6cc9..6c6c5a30f3282 100644
+--- a/drivers/clk/imx/clk-composite-93.c
++++ b/drivers/clk/imx/clk-composite-93.c
+@@ -76,6 +76,13 @@ static int imx93_clk_composite_gate_enable(struct clk_hw *hw)
+
+ static void imx93_clk_composite_gate_disable(struct clk_hw *hw)
+ {
++ /*
++ * Skip disable the root clock gate if mcore enabled.
++ * The root clock may be used by the mcore.
++ */
++ if (mcore_booted)
++ return;
++
+ imx93_clk_composite_gate_endisable(hw, 0);
+ }
+
+@@ -222,7 +229,7 @@ struct clk_hw *imx93_clk_composite_flags(const char *name, const char * const *p
+ hw = clk_hw_register_composite(NULL, name, parent_names, num_parents,
+ mux_hw, &clk_mux_ro_ops, div_hw,
+ &clk_divider_ro_ops, NULL, NULL, flags);
+- } else if (!mcore_booted) {
++ } else {
+ gate = kzalloc(sizeof(*gate), GFP_KERNEL);
+ if (!gate)
+ goto fail;
+@@ -238,12 +245,6 @@ struct clk_hw *imx93_clk_composite_flags(const char *name, const char * const *p
+ &imx93_clk_composite_divider_ops, gate_hw,
+ &imx93_clk_composite_gate_ops,
+ flags | CLK_SET_RATE_NO_REPARENT);
+- } else {
+- hw = clk_hw_register_composite(NULL, name, parent_names, num_parents,
+- mux_hw, &imx93_clk_composite_mux_ops, div_hw,
+- &imx93_clk_composite_divider_ops, NULL,
+- &imx93_clk_composite_gate_ops,
+- flags | CLK_SET_RATE_NO_REPARENT);
+ }
+
+ if (IS_ERR(hw))
+--
+2.43.0
+
--- /dev/null
+From 985c7a562b468377be4250e28ece2b458c003fef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:36 +0800
+Subject: clk: imx: fracn-gppll: fix fractional part of PLL getting lost
+
+From: Pengfei Li <pengfei.li_1@nxp.com>
+
+[ Upstream commit 7622f888fca125ae46f695edf918798ebc0506c5 ]
+
+Fractional part of PLL gets lost after re-enabling the PLL. the
+MFN can NOT be automatically loaded when doing frac PLL enable/disable,
+So when re-enable PLL, configure mfn explicitly.
+
+Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll")
+Signed-off-by: Pengfei Li <pengfei.li_1@nxp.com>
+Reviewed-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-5-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-fracn-gppll.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/clk/imx/clk-fracn-gppll.c b/drivers/clk/imx/clk-fracn-gppll.c
+index 44462ab50e513..1becba2b62d0b 100644
+--- a/drivers/clk/imx/clk-fracn-gppll.c
++++ b/drivers/clk/imx/clk-fracn-gppll.c
+@@ -291,6 +291,10 @@ static int clk_fracn_gppll_prepare(struct clk_hw *hw)
+ if (val & POWERUP_MASK)
+ return 0;
+
++ if (pll->flags & CLK_FRACN_GPPLL_FRACN)
++ writel_relaxed(readl_relaxed(pll->base + PLL_NUMERATOR),
++ pll->base + PLL_NUMERATOR);
++
+ val |= CLKMUX_BYPASS;
+ writel_relaxed(val, pll->base + PLL_CTRL);
+
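Review bot: The added write-back of `PLL_NUMERATOR` in clk_fracn_gppll_prepare reads as a no-op (a register written with its own value) and needs a comment, otherwise a later cleanup may remove it. Going by the commit message, the hardware does not reload MFN when the PLL is re-enabled, so something like `/* MFN is not reloaded on re-enable; write it back so the fractional part is applied */` above the `if` would record that. The fix also assumes the register still holds the previously programmed numerator at this point, which the hunk does not show, so that is worth confirming. The function starts and continues outside the hunk.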
+--
+2.43.0
+
--- /dev/null
+From d6b117f3030240af111450d717e3a720b39fef37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 May 2024 17:14:33 +0200
+Subject: clk: imx: imx6ul: fix default parent for enet*_ref_sel
+
+From: Sebastien Laveze <slaveze@smartandconnective.com>
+
+[ Upstream commit e52fd71333b4ed78fd5bb43094bdc46476614d25 ]
+
+The clk_set_parent for "enet1_ref_sel" and "enet2_ref_sel" are
+incorrect, therefore the original requirements to have "enet_clk_ref" as
+output sourced by iMX ENET PLL as a default config is not met.
+
+Only "enet[1,2]_ref_125m" "enet[1,2]_ref_pad" are possible parents for
+"enet1_ref_sel" and "enet2_ref_sel".
+
+This was observed as a regression using a custom device tree which was
+expecting this default config.
+
+This can be fixed at the device tree level but having a default config
+matching the original behavior (before refclock mux) will avoid breaking
+existing configs.
+
+Fixes: 4e197ee880c2 ("clk: imx6ul: add ethernet refclock mux support")
+Link: https://lore.kernel.org/lkml/20230306020226.GC143566@dragon/T/
+Signed-off-by: Sebastien Laveze <slaveze@smartandconnective.com>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20240528151434.227602-1-slaveze@smartandconnective.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx6ul.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx6ul.c b/drivers/clk/imx/clk-imx6ul.c
+index f9394e94f69d7..05c7a82b751f3 100644
+--- a/drivers/clk/imx/clk-imx6ul.c
++++ b/drivers/clk/imx/clk-imx6ul.c
+@@ -542,8 +542,8 @@ static void __init imx6ul_clocks_init(struct device_node *ccm_node)
+
+ clk_set_parent(hws[IMX6UL_CLK_ENFC_SEL]->clk, hws[IMX6UL_CLK_PLL2_PFD2]->clk);
+
+- clk_set_parent(hws[IMX6UL_CLK_ENET1_REF_SEL]->clk, hws[IMX6UL_CLK_ENET_REF]->clk);
+- clk_set_parent(hws[IMX6UL_CLK_ENET2_REF_SEL]->clk, hws[IMX6UL_CLK_ENET2_REF]->clk);
++ clk_set_parent(hws[IMX6UL_CLK_ENET1_REF_SEL]->clk, hws[IMX6UL_CLK_ENET1_REF_125M]->clk);
++ clk_set_parent(hws[IMX6UL_CLK_ENET2_REF_SEL]->clk, hws[IMX6UL_CLK_ENET2_REF_125M]->clk);
+
+ imx_register_uart_clocks();
+ }
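Review bot: The result of both `clk_set_parent()` calls is still discarded, which is presumably how the invalid parents corrected here went unnoticed until a board regressed. imx6ul_clocks_init returns void, so the error cannot be propagated, but a warning would surface the next mismatch at boot, e.g. `if (clk_set_parent(hws[IMX6UL_CLK_ENET1_REF_SEL]->clk, hws[IMX6UL_CLK_ENET1_REF_125M]->clk)) pr_warn("enet1_ref_sel: failed to set default parent\n");` and the same for ENET2. The function starts outside the hunk.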
+--
+2.43.0
+
--- /dev/null
+From 294d88cb223d1526b7eeaae51fde57efe0d362eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:38 +0800
+Subject: clk: imx: imx8mp: fix clock tree update of TF-A managed clocks
+
+From: Zhipeng Wang <zhipeng.wang_1@nxp.com>
+
+[ Upstream commit 3d29036853b9cb07ac49e8261fca82a940be5c41 ]
+
+On the i.MX8M*, the TF-A exposes a SiP (Silicon Provider) service
+for DDR frequency scaling. The imx8m-ddrc-devfreq driver calls the
+SiP and then does clk_set_parent on the DDR muxes to synchronize
+the clock tree.
+
+since commit 936c383673b9 ("clk: imx: fix composite peripheral flags"),
+these TF-A managed muxes have SET_PARENT_GATE set, which results
+in imx8m-ddrc-devfreq's clk_set_parent after SiP failing with -EBUSY:
+
+clk_set_parent(dram_apb_src, sys1_pll_40m);(busfreq-imx8mq.c)
+
+commit 926bf91248dd
+("clk: imx8m: fix clock tree update of TF-A managed clocks") adds this
+method and enables 8mm, 8mn and 8mq. i.MX8MP also needs it.
+
+This is safe to do, because updating the Linux clock tree to reflect
+reality will always be glitch-free.
+
+Another reason to this patch is that powersave image BT music
+requires dram to be 400MTS, so clk_set_parent(dram_alt_src,
+sys1_pll_800m); is required. Without this patch, it will not succeed.
+
+Fixes: 936c383673b9 ("clk: imx: fix composite peripheral flags")
+Signed-off-by: Zhipeng Wang <zhipeng.wang_1@nxp.com>
+Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-7-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c
+index 670aa2bab3017..e561ff7b135fb 100644
+--- a/drivers/clk/imx/clk-imx8mp.c
++++ b/drivers/clk/imx/clk-imx8mp.c
+@@ -551,8 +551,8 @@ static int imx8mp_clocks_probe(struct platform_device *pdev)
+
+ hws[IMX8MP_CLK_IPG_ROOT] = imx_clk_hw_divider2("ipg_root", "ahb_root", ccm_base + 0x9080, 0, 1);
+
+- hws[IMX8MP_CLK_DRAM_ALT] = imx8m_clk_hw_composite("dram_alt", imx8mp_dram_alt_sels, ccm_base + 0xa000);
+- hws[IMX8MP_CLK_DRAM_APB] = imx8m_clk_hw_composite_critical("dram_apb", imx8mp_dram_apb_sels, ccm_base + 0xa080);
++ hws[IMX8MP_CLK_DRAM_ALT] = imx8m_clk_hw_fw_managed_composite("dram_alt", imx8mp_dram_alt_sels, ccm_base + 0xa000);
++ hws[IMX8MP_CLK_DRAM_APB] = imx8m_clk_hw_fw_managed_composite_critical("dram_apb", imx8mp_dram_apb_sels, ccm_base + 0xa080);
+ hws[IMX8MP_CLK_VPU_G1] = imx8m_clk_hw_composite("vpu_g1", imx8mp_vpu_g1_sels, ccm_base + 0xa100);
+ hws[IMX8MP_CLK_VPU_G2] = imx8m_clk_hw_composite("vpu_g2", imx8mp_vpu_g2_sels, ccm_base + 0xa180);
+ hws[IMX8MP_CLK_CAN1] = imx8m_clk_hw_composite("can1", imx8mp_can1_sels, ccm_base + 0xa200);
+--
+2.43.0
+
--- /dev/null
+From b277f57d50df2ab3002ca8a06cbec78f5f68c14d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:46 +0800
+Subject: clk: imx: imx8qxp: Parent should be initialized earlier than the
+ clock
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 766c386c16c9899461b83573a06380d364c6e261 ]
+
+The initialization order of SCU clocks affects the sequence of SCU clock
+resume. If there are no other effects, the earlier the initialization,
+the earlier the resume. During SCU clock resume, the clock rate is
+restored. As SCFW guidelines, configure the parent clock rate before
+configuring the child rate.
+
+Fixes: babfaa9556d7 ("clk: imx: scu: add more scu clocks")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-15-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8qxp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8qxp.c b/drivers/clk/imx/clk-imx8qxp.c
+index 16710eef641ba..83f2e8bd6d506 100644
+--- a/drivers/clk/imx/clk-imx8qxp.c
++++ b/drivers/clk/imx/clk-imx8qxp.c
+@@ -170,8 +170,8 @@ static int imx8qxp_clk_probe(struct platform_device *pdev)
+ imx_clk_scu("pwm_clk", IMX_SC_R_LCD_0_PWM_0, IMX_SC_PM_CLK_PER);
+ imx_clk_scu("elcdif_pll", IMX_SC_R_ELCDIF_PLL, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu2("lcd_clk", lcd_sels, ARRAY_SIZE(lcd_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_PER);
+- imx_clk_scu2("lcd_pxl_clk", lcd_pxl_sels, ARRAY_SIZE(lcd_pxl_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_MISC0);
+ imx_clk_scu("lcd_pxl_bypass_div_clk", IMX_SC_R_LCD_0, IMX_SC_PM_CLK_BYPASS);
++ imx_clk_scu2("lcd_pxl_clk", lcd_pxl_sels, ARRAY_SIZE(lcd_pxl_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_MISC0);
+
+ /* Audio SS */
+ imx_clk_scu("audio_pll0_clk", IMX_SC_R_AUDIO_PLL_0, IMX_SC_PM_CLK_PLL);
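Review bot: Nothing in the code says that registering `lcd_pxl_bypass_div_clk` ahead of `lcd_pxl_clk` is now required, so a later tidy-up that regroups these calls would silently bring the resume-order problem back. A short comment above the moved line, e.g. `/* SCU clocks resume in registration order; keep parents ahead of their children */`, would carry the reasoning from the commit message into the file. The same applies to the dc1 block in the next hunk and to the dc0 block reordered by the following patch. That the bypass clock is a parent of the pixel clock is inferred from the commit subject, since `lcd_pxl_sels` is not visible here.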
+@@ -213,11 +213,11 @@ static int imx8qxp_clk_probe(struct platform_device *pdev)
+ imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc0_bypass1_clk", IMX_SC_R_DC_0_VIDEO1, IMX_SC_PM_CLK_BYPASS);
+
+- imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0);
+- imx_clk_scu2("dc1_disp1_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc1_pll0_clk", IMX_SC_R_DC_1_PLL_0, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu("dc1_pll1_clk", IMX_SC_R_DC_1_PLL_1, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu("dc1_bypass0_clk", IMX_SC_R_DC_1_VIDEO0, IMX_SC_PM_CLK_BYPASS);
++ imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0);
++ imx_clk_scu2("dc1_disp1_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc1_bypass1_clk", IMX_SC_R_DC_1_VIDEO1, IMX_SC_PM_CLK_BYPASS);
+
+ /* MIPI-LVDS SS */
+--
+2.43.0
+
--- /dev/null
+From 6d09fe6a63504c51c357176eaf461d1ae85552ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:45 +0800
+Subject: clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit e61352d5ecdc0da2e7253121c15d9a3e040f78a1 ]
+
+The initialization order of SCU clocks affects the sequence of SCU clock
+resume. If there are no other effects, the earlier the initialization,
+the earlier the resume. During SCU clock resume, the clock rate is
+restored. As SCFW guidelines, configure the parent clock rate before
+configuring the child rate.
+
+Fixes: 91e916771de0 ("clk: imx: scu: remove legacy scu clock binding support")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-14-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8qxp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8qxp.c b/drivers/clk/imx/clk-imx8qxp.c
+index 7d8883916cacd..16710eef641ba 100644
+--- a/drivers/clk/imx/clk-imx8qxp.c
++++ b/drivers/clk/imx/clk-imx8qxp.c
+@@ -206,11 +206,11 @@ static int imx8qxp_clk_probe(struct platform_device *pdev)
+ imx_clk_scu("usb3_lpm_div", IMX_SC_R_USB_2, IMX_SC_PM_CLK_MISC);
+
+ /* Display controller SS */
+- imx_clk_scu2("dc0_disp0_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC0);
+- imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc0_pll0_clk", IMX_SC_R_DC_0_PLL_0, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu("dc0_pll1_clk", IMX_SC_R_DC_0_PLL_1, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu("dc0_bypass0_clk", IMX_SC_R_DC_0_VIDEO0, IMX_SC_PM_CLK_BYPASS);
++ imx_clk_scu2("dc0_disp0_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC0);
++ imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc0_bypass1_clk", IMX_SC_R_DC_0_VIDEO1, IMX_SC_PM_CLK_BYPASS);
+
+ imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0);
+--
+2.43.0
+
--- /dev/null
+From 27b72bc93a77cb7b2a904456df8afc50f23fe9e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 08:40:06 +0300
+Subject: clk: qcom: dispcc-sm8250: use special function for Lucid 5LPE PLL
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 362be5cbaec2a663eb86b7105313368b4a71fc1e ]
+
+According to msm-5.10 the lucid 5lpe PLLs have require slightly
+different configuration that trion / lucid PLLs, it doesn't set
+PLL_UPDATE_BYPASS bit. Add corresponding function and use it for the
+display clock controller on Qualcomm SM8350 platform.
+
+Fixes: 205737fe3345 ("clk: qcom: add support for SM8350 DISPCC")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-2-1149dd8399fe@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/clk-alpha-pll.c | 52 ++++++++++++++++++++++++++++++++
+ drivers/clk/qcom/clk-alpha-pll.h | 2 ++
+ drivers/clk/qcom/dispcc-sm8250.c | 9 ++++--
+ 3 files changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/clk-alpha-pll.c b/drivers/clk/qcom/clk-alpha-pll.c
+index 25a7b4b15c56a..2720cbc40e0ac 100644
+--- a/drivers/clk/qcom/clk-alpha-pll.c
++++ b/drivers/clk/qcom/clk-alpha-pll.c
+@@ -1784,6 +1784,58 @@ const struct clk_ops clk_alpha_pll_agera_ops = {
+ };
+ EXPORT_SYMBOL_GPL(clk_alpha_pll_agera_ops);
+
++/**
++ * clk_lucid_5lpe_pll_configure - configure the lucid 5lpe pll
++ *
++ * @pll: clk alpha pll
++ * @regmap: register map
++ * @config: configuration to apply for pll
++ */
++void clk_lucid_5lpe_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
++ const struct alpha_pll_config *config)
++{
++ /*
++ * If the bootloader left the PLL enabled it's likely that there are
++ * RCGs that will lock up if we disable the PLL below.
++ */
++ if (trion_pll_is_enabled(pll, regmap)) {
++ pr_debug("Lucid 5LPE PLL is already enabled, skipping configuration\n");
++ return;
++ }
++
++ clk_alpha_pll_write_config(regmap, PLL_L_VAL(pll), config->l);
++ regmap_write(regmap, PLL_CAL_L_VAL(pll), TRION_PLL_CAL_VAL);
++ clk_alpha_pll_write_config(regmap, PLL_ALPHA_VAL(pll), config->alpha);
++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL(pll),
++ config->config_ctl_val);
++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL_U(pll),
++ config->config_ctl_hi_val);
++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL_U1(pll),
++ config->config_ctl_hi1_val);
++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL(pll),
++ config->user_ctl_val);
++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL_U(pll),
++ config->user_ctl_hi_val);
++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL_U1(pll),
++ config->user_ctl_hi1_val);
++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL(pll),
++ config->test_ctl_val);
++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL_U(pll),
++ config->test_ctl_hi_val);
++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL_U1(pll),
++ config->test_ctl_hi1_val);
++
++ /* Disable PLL output */
++ regmap_update_bits(regmap, PLL_MODE(pll), PLL_OUTCTRL, 0);
++
++ /* Set operation mode to OFF */
++ regmap_write(regmap, PLL_OPMODE(pll), PLL_STANDBY);
++
++ /* Place the PLL in STANDBY mode */
++ regmap_update_bits(regmap, PLL_MODE(pll), PLL_RESET_N, PLL_RESET_N);
++}
++EXPORT_SYMBOL_GPL(clk_lucid_5lpe_pll_configure);
++
+ static int alpha_pll_lucid_5lpe_enable(struct clk_hw *hw)
+ {
+ struct clk_alpha_pll *pll = to_clk_alpha_pll(hw);
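Review bot: The comments at the end of clk_lucid_5lpe_pll_configure do not match the code under them: `/* Set operation mode to OFF */` sits above a write of `PLL_STANDBY` to `PLL_OPMODE`, and `/* Place the PLL in STANDBY mode */` sits above the `PLL_RESET_N` update. I would reword them to `/* Set operation mode to STANDBY */` and `/* Take the PLL out of reset */`, the latter assuming PLL_RESET_N is an active-low reset as its name suggests. The kernel-doc should also say why this variant exists; per the commit message it is that PLL_UPDATE_BYPASS is not set here. Separately, every regmap_write()/regmap_update_bits() result is discarded and the function returns void, so a failed register write during configuration is invisible to the probe path.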
+diff --git a/drivers/clk/qcom/clk-alpha-pll.h b/drivers/clk/qcom/clk-alpha-pll.h
+index c7055b6c42f1d..d89ec4723e2d9 100644
+--- a/drivers/clk/qcom/clk-alpha-pll.h
++++ b/drivers/clk/qcom/clk-alpha-pll.h
+@@ -205,6 +205,8 @@ void clk_agera_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
+
+ void clk_zonda_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
+ const struct alpha_pll_config *config);
++void clk_lucid_5lpe_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
++ const struct alpha_pll_config *config);
+ void clk_lucid_evo_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
+ const struct alpha_pll_config *config);
+ void clk_lucid_ole_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
+diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c
+index 43307c8a342ca..2103e22ca3dde 100644
+--- a/drivers/clk/qcom/dispcc-sm8250.c
++++ b/drivers/clk/qcom/dispcc-sm8250.c
+@@ -1357,8 +1357,13 @@ static int disp_cc_sm8250_probe(struct platform_device *pdev)
+ disp_cc_sm8250_clocks[DISP_CC_MDSS_EDP_GTC_CLK_SRC] = NULL;
+ }
+
+- clk_lucid_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config);
+- clk_lucid_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config);
++ if (of_device_is_compatible(pdev->dev.of_node, "qcom,sm8350-dispcc")) {
++ clk_lucid_5lpe_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config);
++ clk_lucid_5lpe_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config);
++ } else {
++ clk_lucid_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config);
++ clk_lucid_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config);
++ }
+
+ /* Enable clock gating for MDP clocks */
+ regmap_update_bits(regmap, 0x8000, 0x10, 0x10);
+--
+2.43.0
+
--- /dev/null
+From 74478936cd0077b3af20ad902d5b0983a2a05320 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 13:04:28 +0300
+Subject: clk: qcom: dispcc-sm8550: fix several supposed typos
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 7b6a4b907297b28727933493b9e0c95494504634 ]
+
+Fix seveal odd-looking places in SM8550's dispcc driver:
+
+- duplicate entries in disp_cc_parent_map_4 and disp_cc_parent_map_5
+- using &disp_cc_mdss_dptx0_link_div_clk_src as a source for
+ disp_cc_mdss_dptx1_usb_router_link_intf_clk
+
+The SM8650 driver has been used as a reference.
+
+Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-1-5c4a3128c40b@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm8550.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c
+index 38ecea805503d..56918e2a7734d 100644
+--- a/drivers/clk/qcom/dispcc-sm8550.c
++++ b/drivers/clk/qcom/dispcc-sm8550.c
+@@ -196,7 +196,7 @@ static const struct clk_parent_data disp_cc_parent_data_3[] = {
+ static const struct parent_map disp_cc_parent_map_4[] = {
+ { P_BI_TCXO, 0 },
+ { P_DP0_PHY_PLL_LINK_CLK, 1 },
+- { P_DP1_PHY_PLL_VCO_DIV_CLK, 2 },
++ { P_DP0_PHY_PLL_VCO_DIV_CLK, 2 },
+ { P_DP3_PHY_PLL_VCO_DIV_CLK, 3 },
+ { P_DP1_PHY_PLL_VCO_DIV_CLK, 4 },
+ { P_DP2_PHY_PLL_VCO_DIV_CLK, 6 },
+@@ -213,7 +213,7 @@ static const struct clk_parent_data disp_cc_parent_data_4[] = {
+
+ static const struct parent_map disp_cc_parent_map_5[] = {
+ { P_BI_TCXO, 0 },
+- { P_DSI0_PHY_PLL_OUT_BYTECLK, 4 },
++ { P_DSI0_PHY_PLL_OUT_BYTECLK, 2 },
+ { P_DSI1_PHY_PLL_OUT_BYTECLK, 4 },
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 4d4381621d5318e5ed1428589683bb9df4c7d84a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 13:04:29 +0300
+Subject: clk: qcom: dispcc-sm8550: use rcg2_ops for mdss_dptx1_aux_clk_src
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit cb4c00698f2f27d99a69adcce659370ca286cf2a ]
+
+clk_dp_ops should only be used for DisplayPort pixel clocks. Use
+clk_rcg2_ops for disp_cc_mdss_dptx1_aux_clk_src.
+
+Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-2-5c4a3128c40b@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm8550.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c
+index 56918e2a7734d..6ac7a0cd7e063 100644
+--- a/drivers/clk/qcom/dispcc-sm8550.c
++++ b/drivers/clk/qcom/dispcc-sm8550.c
+@@ -400,7 +400,7 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_aux_clk_src = {
+ .parent_data = disp_cc_parent_data_0,
+ .num_parents = ARRAY_SIZE(disp_cc_parent_data_0),
+ .flags = CLK_SET_RATE_PARENT,
+- .ops = &clk_dp_ops,
++ .ops = &clk_rcg2_ops,
+ },
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 856850b7bad6bb2f266bbae3597b7e0fe357bb11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 13:04:32 +0300
+Subject: clk: qcom: dispcc-sm8550: use rcg2_shared_ops for ESC RCGs
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit c8bee3ff6c9220092b646ff929f9c832c1adab6d ]
+
+Follow the recommendations and park disp_cc_mdss_esc[01]_clk_src to the
+XO instead of disabling the clocks by using the clk_rcg2_shared_ops.
+
+Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-5-5c4a3128c40b@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm8550.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c
+index abf03fe5727d3..1ba01bdb763b7 100644
+--- a/drivers/clk/qcom/dispcc-sm8550.c
++++ b/drivers/clk/qcom/dispcc-sm8550.c
+@@ -562,7 +562,7 @@ static struct clk_rcg2 disp_cc_mdss_esc0_clk_src = {
+ .parent_data = disp_cc_parent_data_5,
+ .num_parents = ARRAY_SIZE(disp_cc_parent_data_5),
+ .flags = CLK_SET_RATE_PARENT,
+- .ops = &clk_rcg2_ops,
++ .ops = &clk_rcg2_shared_ops,
+ },
+ };
+
+@@ -577,7 +577,7 @@ static struct clk_rcg2 disp_cc_mdss_esc1_clk_src = {
+ .parent_data = disp_cc_parent_data_5,
+ .num_parents = ARRAY_SIZE(disp_cc_parent_data_5),
+ .flags = CLK_SET_RATE_PARENT,
+- .ops = &clk_rcg2_ops,
++ .ops = &clk_rcg2_shared_ops,
+ },
+ };
+
+--
+2.43.0
+
--- /dev/null
+From e5985d6e9eef47e84d866a3f2da95896afea9f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 13:04:31 +0300
+Subject: clk: qcom: dispcc-sm8650: Update the GDSC flags
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 7de10ddbdb9d03651cff5fbdc8cf01837c698526 ]
+
+Add missing POLL_CFG_GDSCR to the MDSS GDSC flags.
+
+Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-4-5c4a3128c40b@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm8550.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c
+index 6ac7a0cd7e063..abf03fe5727d3 100644
+--- a/drivers/clk/qcom/dispcc-sm8550.c
++++ b/drivers/clk/qcom/dispcc-sm8550.c
+@@ -1611,7 +1611,7 @@ static struct gdsc mdss_gdsc = {
+ .name = "mdss_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = HW_CTRL | RETAIN_FF_ENABLE,
++ .flags = POLL_CFG_GDSCR | HW_CTRL | RETAIN_FF_ENABLE,
+ };
+
+ static struct gdsc mdss_int2_gdsc = {
+@@ -1620,7 +1620,7 @@ static struct gdsc mdss_int2_gdsc = {
+ .name = "mdss_int2_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = HW_CTRL | RETAIN_FF_ENABLE,
++ .flags = POLL_CFG_GDSCR | HW_CTRL | RETAIN_FF_ENABLE,
+ };
+
+ static struct clk_regmap *disp_cc_sm8550_clocks[] = {
+--
+2.43.0
+
--- /dev/null
+From 463dc849846c04c644fe461d252f6f0f85161da9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 11:18:15 +0530
+Subject: clk: qcom: ipq5332: Register gcc_qdss_tsctr_clk_src
+
+From: Varadarajan Narayanan <quic_varada@quicinc.com>
+
+[ Upstream commit 0e1ac23dfa3f635e486fdeb08206b981cb0a2a6b ]
+
+gcc_qdss_tsctr_clk_src (enabled in the boot loaders and dependent
+on gpll4_main) was not registered as one of the ipq5332 clocks.
+Hence clk_disable_unused() disabled 'gpll4_main' assuming there
+were no consumers for 'gpll4_main' resulting in system freeze or
+reboots.
+
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Fixes: 3d89d52970fd ("clk: qcom: add Global Clock controller (GCC) driver for IPQ5332 SoC")
+Signed-off-by: Varadarajan Narayanan <quic_varada@quicinc.com>
+Link: https://lore.kernel.org/r/20240730054817.1915652-4-quic_varada@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-ipq5332.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/gcc-ipq5332.c b/drivers/clk/qcom/gcc-ipq5332.c
+index f98591148a976..6a4877d888294 100644
+--- a/drivers/clk/qcom/gcc-ipq5332.c
++++ b/drivers/clk/qcom/gcc-ipq5332.c
+@@ -3388,6 +3388,7 @@ static struct clk_regmap *gcc_ipq5332_clocks[] = {
+ [GCC_QDSS_DAP_DIV_CLK_SRC] = &gcc_qdss_dap_div_clk_src.clkr,
+ [GCC_QDSS_ETR_USB_CLK] = &gcc_qdss_etr_usb_clk.clkr,
+ [GCC_QDSS_EUD_AT_CLK] = &gcc_qdss_eud_at_clk.clkr,
++ [GCC_QDSS_TSCTR_CLK_SRC] = &gcc_qdss_tsctr_clk_src.clkr,
+ [GCC_QPIC_AHB_CLK] = &gcc_qpic_ahb_clk.clkr,
+ [GCC_QPIC_CLK] = &gcc_qpic_clk.clkr,
+ [GCC_QPIC_IO_MACRO_CLK] = &gcc_qpic_io_macro_clk.clkr,
+--
+2.43.0
+
--- /dev/null
+From d797dce876dcc7e4a0a24ca8d4b5a4113cfea7be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 08:28:20 +0300
+Subject: clk: rockchip: rk3588: Fix 32k clock name for pmu_24m_32k_100m_src_p
+
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+
+[ Upstream commit 0d02e8d284a45bfa8997ebe8764437b8eb6b108b ]
+
+The 32kHz input clock is named "xin32k" in the driver,
+so the name "32k" appears to be a typo in this case. Lets fix this.
+
+Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Fixes: f1c506d152ff ("clk: rockchip: add clock controller for the RK3588")
+Link: https://lore.kernel.org/r/20240829052820.3604-1-eagle.alexander923@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3588.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3588.c b/drivers/clk/rockchip/clk-rk3588.c
+index b30279a96dc8a..3027379f2fdd1 100644
+--- a/drivers/clk/rockchip/clk-rk3588.c
++++ b/drivers/clk/rockchip/clk-rk3588.c
+@@ -526,7 +526,7 @@ PNAME(pmu_200m_100m_p) = { "clk_pmu1_200m_src", "clk_pmu1_100m_src" };
+ PNAME(pmu_300m_24m_p) = { "clk_300m_src", "xin24m" };
+ PNAME(pmu_400m_24m_p) = { "clk_400m_src", "xin24m" };
+ PNAME(pmu_100m_50m_24m_src_p) = { "clk_pmu1_100m_src", "clk_pmu1_50m_src", "xin24m" };
+-PNAME(pmu_24m_32k_100m_src_p) = { "xin24m", "32k", "clk_pmu1_100m_src" };
++PNAME(pmu_24m_32k_100m_src_p) = { "xin24m", "xin32k", "clk_pmu1_100m_src" };
+ PNAME(hclk_pmu1_root_p) = { "clk_pmu1_200m_src", "clk_pmu1_100m_src", "clk_pmu1_50m_src", "xin24m" };
+ PNAME(hclk_pmu_cm0_root_p) = { "clk_pmu1_400m_src", "clk_pmu1_200m_src", "clk_pmu1_100m_src", "xin24m" };
+ PNAME(mclk_pdm0_p) = { "clk_pmu1_300m_src", "clk_pmu1_200m_src" };
+--
+2.43.0
+
--- /dev/null
+From b05dd17da4d04b5dcdfc35c7003e891dfa8ccac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:03:53 +0000
+Subject: clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit 1d34b9757523c1ad547bd6d040381f62d74a3189 ]
+
+Similar to DCLK_LCDC on RK3328, the DCLK_VOP on RK3228 is typically
+parented by the hdmiphy clk and it is expected that the DCLK_VOP and
+hdmiphy clk rate are kept in sync.
+
+Use CLK_SET_RATE_PARENT and CLK_SET_RATE_NO_REPARENT flags, same as used
+on RK3328, to make full use of all possible supported display modes.
+
+Fixes: 0a9d4ac08ebc ("clk: rockchip: set the clock ids for RK3228 VOP")
+Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Link: https://lore.kernel.org/r/20240615170417.3134517-3-jonas@kwiboo.se
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3228.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3228.c b/drivers/clk/rockchip/clk-rk3228.c
+index a24a35553e134..7343d2d7676bc 100644
+--- a/drivers/clk/rockchip/clk-rk3228.c
++++ b/drivers/clk/rockchip/clk-rk3228.c
+@@ -409,7 +409,7 @@ static struct rockchip_clk_branch rk3228_clk_branches[] __initdata = {
+ RK2928_CLKSEL_CON(29), 0, 3, DFLAGS),
+ DIV(0, "sclk_vop_pre", "sclk_vop_src", 0,
+ RK2928_CLKSEL_CON(27), 8, 8, DFLAGS),
+- MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, 0,
++ MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, CLK_SET_RATE_PARENT | CLK_SET_RATE_NO_REPARENT,
+ RK2928_CLKSEL_CON(27), 1, 1, MFLAGS),
+
+ FACTOR(0, "xin12m", "xin24m", 0, 1, 2),
+--
+2.43.0
+
--- /dev/null
+From 900219f575e2c2f0be9da83f476516ee0a117c84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 09:38:53 +0000
+Subject: clk: starfive: Use pm_runtime_resume_and_get to fix
+ pm_runtime_get_sync() usage
+
+From: Yuntao Liu <liuyuntao12@huawei.com>
+
+[ Upstream commit 55c312c1b2be6d43e39c280ad6ab4b711e545b89 ]
+
+We need to call pm_runtime_put_noidle() when pm_runtime_get_sync()
+fails, so use pm_runtime_resume_and_get() instead. this function
+will handle this.
+
+Fixes: dae5448a327ed ("clk: starfive: Add StarFive JH7110 Video-Output clock driver")
+Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
+Link: https://lore.kernel.org/r/20240815093853.757487-1-liuyuntao12@huawei.com
+Reviewed-by: Xingyu Wu <xingyu.wu@starfivetech.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/starfive/clk-starfive-jh7110-vout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/starfive/clk-starfive-jh7110-vout.c b/drivers/clk/starfive/clk-starfive-jh7110-vout.c
+index 53f7af234cc23..aabd0484ac23f 100644
+--- a/drivers/clk/starfive/clk-starfive-jh7110-vout.c
++++ b/drivers/clk/starfive/clk-starfive-jh7110-vout.c
+@@ -145,7 +145,7 @@ static int jh7110_voutcrg_probe(struct platform_device *pdev)
+
+ /* enable power domain and clocks */
+ pm_runtime_enable(priv->dev);
+- ret = pm_runtime_get_sync(priv->dev);
++ ret = pm_runtime_resume_and_get(priv->dev);
+ if (ret < 0)
+ return dev_err_probe(priv->dev, ret, "failed to turn on power\n");
+
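Review bot: The failure path right after the changed call still returns without undoing `pm_runtime_enable(priv->dev)`, so a probe that fails to power on leaves runtime PM enabled for the device. pm_runtime_resume_and_get() only drops the usage count on error; it does not disable runtime PM. Unless that is handled outside the hunk, either switch to `ret = devm_pm_runtime_enable(priv->dev);` with its own error check, or call `pm_runtime_disable(priv->dev);` before the `return dev_err_probe(...)`. jh7110_voutcrg_probe starts and continues outside the hunk.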
+--
+2.43.0
+
--- /dev/null
+From a6ebb439feb96525d107c44dcd7860461b87abe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 10:35:29 -0500
+Subject: clk: ti: dra7-atl: Fix leak of of_nodes
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 9d6e9f10e2e031fb7bfb3030a7d1afc561a28fea ]
+
+This fix leaking the of_node references in of_dra7_atl_clk_probe().
+
+The docs for of_parse_phandle_with_args() say that the caller must call
+of_node_put() on the returned node. This adds the missing of_node_put()
+to fix the leak.
+
+Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://lore.kernel.org/r/20240826-clk-fix-leak-v1-1-f55418a13aa6@baylibre.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/clk-dra7-atl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c
+index d964e3affd42c..0eab7f3e2eab9 100644
+--- a/drivers/clk/ti/clk-dra7-atl.c
++++ b/drivers/clk/ti/clk-dra7-atl.c
+@@ -240,6 +240,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ }
+
+ clk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(clk)) {
+ pr_err("%s: failed to get atl clock %d from provider\n",
+ __func__, i);
+--
+2.43.0
+
--- /dev/null
+From 6cc58634e3440de40b819698bc322f394700f1b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jul 2024 15:27:13 +0530
+Subject: clocksource/drivers/qcom: Add missing iounmap() on errors in
+ msm_dt_timer_init()
+
+From: Ankit Agrawal <agrawal.ag.ankit@gmail.com>
+
+[ Upstream commit ca140a0dc0a18acd4653b56db211fec9b2339986 ]
+
+Add the missing iounmap() when clock frequency fails to get read by the
+of_property_read_u32() call, or if the call to msm_timer_init() fails.
+
+Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer")
+Signed-off-by: Ankit Agrawal <agrawal.ag.ankit@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20240713095713.GA430091@bnew-VirtualBox
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-qcom.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-qcom.c b/drivers/clocksource/timer-qcom.c
+index b4afe3a675835..eac4c95c6127f 100644
+--- a/drivers/clocksource/timer-qcom.c
++++ b/drivers/clocksource/timer-qcom.c
+@@ -233,6 +233,7 @@ static int __init msm_dt_timer_init(struct device_node *np)
+ }
+
+ if (of_property_read_u32(np, "clock-frequency", &freq)) {
++ iounmap(cpu0_base);
+ pr_err("Unknown frequency\n");
+ return -EINVAL;
+ }
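Review bot: The unmap of cpu0_base is now written out twice, here in the clock-frequency failure branch and again after msm_timer_init() in the next hunk, so any error path added later needs yet another copy. A single `err_unmap` label at the end of msm_dt_timer_init() would keep the cleanup in one place. The start of the function is outside both hunks, so whether earlier error returns need the same label cannot be confirmed from here.

```c
	if (of_property_read_u32(np, "clock-frequency", &freq)) {
		pr_err("Unknown frequency\n");
		ret = -EINVAL;
		goto err_unmap;
	}
	/* … unchanged: divider setup and DGT_CLK_CTL write … */
	ret = msm_timer_init(freq, 32, irq, !!percpu_offset);
	if (ret)
		goto err_unmap;

	return 0;

err_unmap:
	iounmap(cpu0_base);
	return ret;
```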
+@@ -243,7 +244,11 @@ static int __init msm_dt_timer_init(struct device_node *np)
+ freq /= 4;
+ writel_relaxed(DGT_CLK_CTL_DIV_4, source_base + DGT_CLK_CTL);
+
+- return msm_timer_init(freq, 32, irq, !!percpu_offset);
++ ret = msm_timer_init(freq, 32, irq, !!percpu_offset);
++ if (ret)
++ iounmap(cpu0_base);
++
++ return ret;
+ }
+ TIMER_OF_DECLARE(kpss_timer, "qcom,kpss-timer", msm_dt_timer_init);
+ TIMER_OF_DECLARE(scss_timer, "qcom,scss-timer", msm_dt_timer_init);
+--
+2.43.0
+
--- /dev/null
+From 4fb370d94c8bd701d17dd10274d1e814d520f5c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 12:28:44 +0800
+Subject: Coresight: Set correct cs_mode for dummy source to fix disable issue
+
+From: Jie Gan <quic_jiegan@quicinc.com>
+
+[ Upstream commit e6b64cda393efd84709ab3df2e42d36d36d7553e ]
+
+The coresight_disable_source_sysfs function should verify the
+mode of the coresight device before disabling the source.
+However, the mode for the dummy source device is always set to
+CS_MODE_DISABLED, resulting in the check consistently failing.
+As a result, dummy source cannot be properly disabled.
+
+Configure CS_MODE_SYSFS/CS_MODE_PERF during the enablement.
+Configure CS_MODE_DISABLED during the disablement.
+
+Fixes: 9d3ba0b6c056 ("Coresight: Add coresight dummy driver")
+Signed-off-by: Jie Gan <quic_jiegan@quicinc.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20240812042844.2890115-1-quic_jiegan@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-dummy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-dummy.c b/drivers/hwtracing/coresight/coresight-dummy.c
+index ac70c0b491beb..dab389a5507c1 100644
+--- a/drivers/hwtracing/coresight/coresight-dummy.c
++++ b/drivers/hwtracing/coresight/coresight-dummy.c
+@@ -23,6 +23,9 @@ DEFINE_CORESIGHT_DEVLIST(sink_devs, "dummy_sink");
+ static int dummy_source_enable(struct coresight_device *csdev,
+ struct perf_event *event, enum cs_mode mode)
+ {
++ if (!coresight_take_mode(csdev, mode))
++ return -EBUSY;
++
+ dev_dbg(csdev->dev.parent, "Dummy source enabled\n");
+
+ return 0;
+@@ -31,6 +34,7 @@ static int dummy_source_enable(struct coresight_device *csdev,
+ static void dummy_source_disable(struct coresight_device *csdev,
+ struct perf_event *event)
+ {
++ coresight_set_mode(csdev, CS_MODE_DISABLED);
+ dev_dbg(csdev->dev.parent, "Dummy source disabled\n");
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 65ae6afc0bbd09975159ecc78e55236a9fe83b20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 12:30:43 +0800
+Subject: Coresight: Set correct cs_mode for TPDM to fix disable issue
+
+From: Jie Gan <quic_jiegan@quicinc.com>
+
+[ Upstream commit 14f5fa9b5fcbe2b3d5098893aba6ad62254d2ef6 ]
+
+The coresight_disable_source_sysfs function should verify the
+mode of the coresight device before disabling the source.
+
+However, the mode for the TPDM device is always set to
+CS_MODE_DISABLED, resulting in the check consistently failing.
+As a result, TPDM cannot be properly disabled.
+
+Configure CS_MODE_SYSFS/CS_MODE_PERF during the enablement.
+Configure CS_MODE_DISABLED during the disablement.
+
+Fixes: b3c71626a933 ("Coresight: Add coresight TPDM source driver")
+Signed-off-by: Jie Gan <quic_jiegan@quicinc.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20240812043043.2890694-1-quic_jiegan@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-tpdm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tpdm.c b/drivers/hwtracing/coresight/coresight-tpdm.c
+index 0726f8842552c..5c5a4b3fe6871 100644
+--- a/drivers/hwtracing/coresight/coresight-tpdm.c
++++ b/drivers/hwtracing/coresight/coresight-tpdm.c
+@@ -449,6 +449,11 @@ static int tpdm_enable(struct coresight_device *csdev, struct perf_event *event,
+ return -EBUSY;
+ }
+
++ if (!coresight_take_mode(csdev, mode)) {
++ spin_unlock(&drvdata->spinlock);
++ return -EBUSY;
++ }
++
+ __tpdm_enable(drvdata);
+ drvdata->enable = true;
+ spin_unlock(&drvdata->spinlock);
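Review bot: After this hunk tpdm_enable() records the enabled state twice, once through coresight_take_mode() and once through `drvdata->enable = true`, and the context above the new check appears to be an earlier -EBUSY test on the same state. Two flags for one state can drift apart when a later change updates only one of them, which is the kind of mismatch this commit repairs. Consider a follow-up that drops `drvdata->enable` in favour of the mode, or at least add a comment such as `/* drvdata->enable mirrors the cs_mode taken above; keep both in sync */`. The same pairing appears in the tpdm_disable() hunk, and both functions start outside the hunks.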
+@@ -506,6 +511,7 @@ static void tpdm_disable(struct coresight_device *csdev,
+ }
+
+ __tpdm_disable(drvdata);
++ coresight_set_mode(csdev, CS_MODE_DISABLED);
+ drvdata->enable = false;
+ spin_unlock(&drvdata->spinlock);
+
+--
+2.43.0
+
--- /dev/null
+From ed3bb4fce1e73a3a33f8ce876426d239faa343f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 14:28:46 +0100
+Subject: coresight: tmc: sg: Do not leak sg_table
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit c58dc5a1f886f2fcc1133746d0cbaa1fe7fd44ff ]
+
+Running perf with cs_etm on Juno triggers the following kmemleak warning !
+
+:~# cat /sys/kernel/debug/kmemleak
+ unreferenced object 0xffffff8806b6d720 (size 96):
+ comm "perf", pid 562, jiffies 4297810960
+ hex dump (first 32 bytes):
+ 38 d8 13 07 88 ff ff ff 00 d0 9e 85 c0 ff ff ff 8...............
+ 00 10 00 88 c0 ff ff ff 00 f0 ff f7 ff 00 00 00 ................
+ backtrace (crc 1dbf6e00):
+ [<ffffffc08107381c>] kmemleak_alloc+0xbc/0xd8
+ [<ffffffc0802f9798>] kmalloc_trace_noprof+0x220/0x2e8
+ [<ffffffc07bb71948>] tmc_alloc_sg_table+0x48/0x208 [coresight_tmc]
+ [<ffffffc07bb71cbc>] tmc_etr_alloc_sg_buf+0xac/0x240 [coresight_tmc]
+ [<ffffffc07bb72538>] tmc_alloc_etr_buf.constprop.0+0x1f0/0x260 [coresight_tmc]
+ [<ffffffc07bb7280c>] alloc_etr_buf.constprop.0.isra.0+0x74/0xa8 [coresight_tmc]
+ [<ffffffc07bb72950>] tmc_alloc_etr_buffer+0x110/0x260 [coresight_tmc]
+ [<ffffffc07bb38afc>] etm_setup_aux+0x204/0x3b0 [coresight]
+ [<ffffffc08025837c>] rb_alloc_aux+0x20c/0x318
+ [<ffffffc08024dd84>] perf_mmap+0x2e4/0x7a0
+ [<ffffffc0802cceb0>] mmap_region+0x3b0/0xa08
+ [<ffffffc0802cd8a8>] do_mmap+0x3a0/0x500
+ [<ffffffc080295328>] vm_mmap_pgoff+0x100/0x1d0
+ [<ffffffc0802cadf8>] ksys_mmap_pgoff+0xb8/0x110
+ [<ffffffc080020688>] __arm64_sys_mmap+0x38/0x58
+ [<ffffffc080028fc0>] invoke_syscall.constprop.0+0x58/0x100
+
+This is due to the fact that we do not free the "sg_table" itself while
+freeing up the SG table and data pages. Fix this by freeing the sg_table
+in tmc_free_sg_table().
+
+Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework")
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: James Clark <james.clark@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20240702132846.1677261-1-suzuki.poulose@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+index e75428fa1592a..610ad51cda656 100644
+--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+@@ -261,6 +261,7 @@ void tmc_free_sg_table(struct tmc_sg_table *sg_table)
+ {
+ tmc_free_table_pages(sg_table);
+ tmc_free_data_pages(sg_table);
++ kfree(sg_table);
+ }
+ EXPORT_SYMBOL_GPL(tmc_free_sg_table);
+
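Review bot: tmc_free_sg_table() now frees `sg_table` itself, which changes the ownership contract of an exported function without a comment saying so. Any caller that still calls kfree() on the table afterwards, as tmc_alloc_sg_table() did before the second hunk, would become a double free. Callers outside this diff, including other modules that use the export, should be checked. A short comment above the function would make the contract explicit: `/* Frees the table pages, the data pages and @sg_table itself; @sg_table must not be used afterwards. */`.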
+@@ -342,7 +343,6 @@ struct tmc_sg_table *tmc_alloc_sg_table(struct device *dev,
+ rc = tmc_alloc_table_pages(sg_table);
+ if (rc) {
+ tmc_free_sg_table(sg_table);
+- kfree(sg_table);
+ return ERR_PTR(rc);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 29db3d69e5f464801d6a4670fe760627c5d5aeaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 08:19:15 -0500
+Subject: cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails
+ appropriately
+
+From: Nishanth Menon <nm@ti.com>
+
+[ Upstream commit abc00ffda43bd4ba85896713464c7510c39f8165 ]
+
+Commit b4bc9f9e27ed ("cpufreq: ti-cpufreq: add support for omap34xx
+and omap36xx") introduced special handling for OMAP3 class devices
+where syscon node may not be present. However, this also creates a bug
+when the syscon node is present but the offset used for the read
+is beyond the range defined by the syscon.
+
+Fix this by providing a quirk option that is populated when such
+special handling is required. This allows proper failure for all other
+platforms when the syscon node and efuse offsets are mismatched.
+
+Fixes: b4bc9f9e27ed ("cpufreq: ti-cpufreq: add support for omap34xx and omap36xx")
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Tested-by: Dhruva Gole <d-gole@ti.com>
+Reviewed-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/ti-cpufreq.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/ti-cpufreq.c b/drivers/cpufreq/ti-cpufreq.c
+index 5af85c4cbad0c..f8e6dc3c14d35 100644
+--- a/drivers/cpufreq/ti-cpufreq.c
++++ b/drivers/cpufreq/ti-cpufreq.c
+@@ -61,6 +61,9 @@ struct ti_cpufreq_soc_data {
+ unsigned long efuse_shift;
+ unsigned long rev_offset;
+ bool multi_regulator;
++/* Backward compatibility hack: Might have missing syscon */
++#define TI_QUIRK_SYSCON_MAY_BE_MISSING 0x1
++ u8 quirks;
+ };
+
+ struct ti_cpufreq_data {
+@@ -182,6 +185,7 @@ static struct ti_cpufreq_soc_data omap34xx_soc_data = {
+ .efuse_mask = BIT(3),
+ .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE,
+ .multi_regulator = false,
++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING,
+ };
+
+ /*
+@@ -209,6 +213,7 @@ static struct ti_cpufreq_soc_data omap36xx_soc_data = {
+ .efuse_mask = BIT(9),
+ .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE,
+ .multi_regulator = true,
++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING,
+ };
+
+ /*
+@@ -223,6 +228,7 @@ static struct ti_cpufreq_soc_data am3517_soc_data = {
+ .efuse_mask = 0,
+ .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE,
+ .multi_regulator = false,
++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING,
+ };
+
+ static struct ti_cpufreq_soc_data am625_soc_data = {
+@@ -250,7 +256,7 @@ static int ti_cpufreq_get_efuse(struct ti_cpufreq_data *opp_data,
+
+ ret = regmap_read(opp_data->syscon, opp_data->soc_data->efuse_offset,
+ &efuse);
+- if (ret == -EIO) {
++ if (opp_data->soc_data->quirks & TI_QUIRK_SYSCON_MAY_BE_MISSING && ret == -EIO) {
+ /* not a syscon register! */
+ void __iomem *regs = ioremap(OMAP3_SYSCON_BASE +
+ opp_data->soc_data->efuse_offset, 4);
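Review bot: The new condition mixes `&` and `&&` without parentheses. It parses as intended, but `if ((opp_data->soc_data->quirks & TI_QUIRK_SYSCON_MAY_BE_MISSING) && ret == -EIO) {` reads unambiguously and does not look like a precedence bug to the next reviewer. The same line is added in the ti_cpufreq_get_rev() hunk and would take the same change. Both functions start and end outside the hunks.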
+@@ -291,7 +297,7 @@ static int ti_cpufreq_get_rev(struct ti_cpufreq_data *opp_data,
+
+ ret = regmap_read(opp_data->syscon, opp_data->soc_data->rev_offset,
+ &revision);
+- if (ret == -EIO) {
++ if (opp_data->soc_data->quirks & TI_QUIRK_SYSCON_MAY_BE_MISSING && ret == -EIO) {
+ /* not a syscon register! */
+ void __iomem *regs = ioremap(OMAP3_SYSCON_BASE +
+ opp_data->soc_data->rev_offset, 4);
+--
+2.43.0
+
--- /dev/null
+From 57aa8c14acd22b2d626c02519ec5feabd90dccf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 17:57:13 +0800
+Subject: crypto: caam - Pad SG length when allocating hash edesc
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 5124bc96162667766f6120b19f57a640c2eccb2a ]
+
+Because hardware will read in multiples of 4 SG entries, ensure
+the allocated length is always padded. This was already done
+by some callers of ahash_edesc_alloc, but ahash_digest was conspicuously
+missing.
+
+In any case, doing it in the allocation function ensures that the
+memory is always there.
+
+Reported-by: Guangwu Zhang <guazhang@redhat.com>
+Fixes: a5e5c13398f3 ("crypto: caam - fix S/G table passing page boundary")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/caam/caamhash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
+index fdd724228c2fa..25c02e2672585 100644
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -708,6 +708,7 @@ static struct ahash_edesc *ahash_edesc_alloc(struct ahash_request *req,
+ GFP_KERNEL : GFP_ATOMIC;
+ struct ahash_edesc *edesc;
+
++ sg_num = pad_sg_nents(sg_num);
+ edesc = kzalloc(struct_size(edesc, sec4_sg, sg_num), flags);
+ if (!edesc)
+ return NULL;
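Review bot: The added padding line has no comment, and its reason (the hardware reads S/G entries in multiples of 4, per the commit message) is not obvious from the code. Without it, a later cleanup could remove the call and let the device read past the end of the `sec4_sg` array. Suggested comment above the new line: `/* CAAM reads S/G entries in multiples of 4; pad so those reads stay inside the allocation */`. Callers that already pad before calling ahash_edesc_alloc() are outside this hunk; if pad_sg_nents() only rounds up, their padding is now redundant and could be dropped in a follow-up.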
+--
+2.43.0
+
--- /dev/null
+From 11f5380e4cffce79c3c90ea91ed042658b453eb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 12:20:07 +0200
+Subject: crypto: ccp - do not request interrupt on cmd completion when irqs
+ disabled
+
+From: Amit Shah <amit.shah@amd.com>
+
+[ Upstream commit 3401f63e72596dcb7d912a5b67b4291643cc1034 ]
+
+While sending a command to the PSP, we always requested an interrupt
+from the PSP after command completion. This worked for most cases. For
+the special case of irqs being disabled -- e.g. when running within
+crashdump or kexec contexts, we should not set the SEV_CMDRESP_IOC flag,
+so the PSP knows to not attempt interrupt delivery.
+
+Fixes: 8ef979584ea8 ("crypto: ccp: Add panic notifier for SEV/SNP firmware shutdown on kdump")
+
+Based-on-patch-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Amit Shah <amit.shah@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index 1912bee22dd4a..f2ad4653a58cb 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -910,7 +910,18 @@ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
+
+ sev->int_rcvd = 0;
+
+- reg = FIELD_PREP(SEV_CMDRESP_CMD, cmd) | SEV_CMDRESP_IOC;
++ reg = FIELD_PREP(SEV_CMDRESP_CMD, cmd);
++
++ /*
++ * If invoked during panic handling, local interrupts are disabled so
++ * the PSP command completion interrupt can't be used.
++ * sev_wait_cmd_ioc() already checks for interrupts disabled and
++ * polls for PSP command completion. Ensure we do not request an
++ * interrupt from the PSP if irqs disabled.
++ */
++ if (!irqs_disabled())
++ reg |= SEV_CMDRESP_IOC;
++
+ iowrite32(reg, sev->io_regs + sev->vdata->cmdresp_reg);
+
+ /* wait for command completion */
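Review bot: The decision not to set SEV_CMDRESP_IOC and the decision to poll are made by two separate irqs_disabled() checks, one here and one in sev_wait_cmd_ioc() according to the new comment. The two have to agree: if the flag were cleared while the wait path still waited for the interrupt, the command could only end by timeout. Evaluating the condition once, for example `bool poll = irqs_disabled();`, and passing it to the wait helper would tie the two together. sev_wait_cmd_ioc() and the rest of __sev_do_cmd_locked() are outside the hunk, so whether the helper can take such a parameter needs checking.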
+--
+2.43.0
+
--- /dev/null
+From 370c7a1482b46ae4968fed0f2033da0fa60441b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 19:48:30 +0800
+Subject: crypto: hisilicon/hpre - mask cluster timeout error
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 145013f723947c83b1a5f76a0cf6e7237d59e973 ]
+
+The timeout threshold of the hpre cluster is 16ms. When the CPU
+and device share virtual address, page fault processing time may
+exceed the threshold.
+
+In the current test, there is a high probability that the
+cluster times out. However, the cluster is waiting for the
+completion of memory access, which is not an error, so the device
+does not need to be reset. If an error occurs in the cluster,
+qm also reports the error. Therefore, the cluster timeout
+error of hpre can be masked.
+
+Fixes: d90fab0deb8e ("crypto: hisilicon/qm - get error type from hardware registers")
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_main.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c
+index 10aa4da93323f..f8340d68afe1d 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_main.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c
+@@ -13,9 +13,7 @@
+ #include <linux/uacce.h>
+ #include "hpre.h"
+
+-#define HPRE_QM_ABNML_INT_MASK 0x100004
+ #define HPRE_CTRL_CNT_CLR_CE_BIT BIT(0)
+-#define HPRE_COMM_CNT_CLR_CE 0x0
+ #define HPRE_CTRL_CNT_CLR_CE 0x301000
+ #define HPRE_FSM_MAX_CNT 0x301008
+ #define HPRE_VFG_AXQOS 0x30100c
+@@ -42,7 +40,6 @@
+ #define HPRE_HAC_INT_SET 0x301500
+ #define HPRE_RNG_TIMEOUT_NUM 0x301A34
+ #define HPRE_CORE_INT_ENABLE 0
+-#define HPRE_CORE_INT_DISABLE GENMASK(21, 0)
+ #define HPRE_RDCHN_INI_ST 0x301a00
+ #define HPRE_CLSTR_BASE 0x302000
+ #define HPRE_CORE_EN_OFFSET 0x04
+@@ -66,7 +63,6 @@
+ #define HPRE_CLSTR_ADDR_INTRVL 0x1000
+ #define HPRE_CLUSTER_INQURY 0x100
+ #define HPRE_CLSTR_ADDR_INQRY_RSLT 0x104
+-#define HPRE_TIMEOUT_ABNML_BIT 6
+ #define HPRE_PASID_EN_BIT 9
+ #define HPRE_REG_RD_INTVRL_US 10
+ #define HPRE_REG_RD_TMOUT_US 1000
+@@ -203,9 +199,9 @@ static const struct hisi_qm_cap_info hpre_basic_info[] = {
+ {HPRE_QM_RESET_MASK_CAP, 0x3128, 0, GENMASK(31, 0), 0x0, 0xC37, 0x6C37},
+ {HPRE_QM_OOO_SHUTDOWN_MASK_CAP, 0x3128, 0, GENMASK(31, 0), 0x0, 0x4, 0x6C37},
+ {HPRE_QM_CE_MASK_CAP, 0x312C, 0, GENMASK(31, 0), 0x0, 0x8, 0x8},
+- {HPRE_NFE_MASK_CAP, 0x3130, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0x1FFFFFE},
+- {HPRE_RESET_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0xBFFFFE},
+- {HPRE_OOO_SHUTDOWN_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x22, 0xBFFFFE},
++ {HPRE_NFE_MASK_CAP, 0x3130, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0x1FFFC3E},
++ {HPRE_RESET_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0xBFFC3E},
++ {HPRE_OOO_SHUTDOWN_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x22, 0xBFFC3E},
+ {HPRE_CE_MASK_CAP, 0x3138, 0, GENMASK(31, 0), 0x0, 0x1, 0x1},
+ {HPRE_CLUSTER_NUM_CAP, 0x313c, 20, GENMASK(3, 0), 0x0, 0x4, 0x1},
+ {HPRE_CORE_TYPE_NUM_CAP, 0x313c, 16, GENMASK(3, 0), 0x0, 0x2, 0x2},
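Review bot: The three changed rows clear bits 6 to 9 (0x3C0) in their last value, but nothing in the table says what those bits are. From the commit message they are presumably the cluster timeout errors. A comment above the rows, e.g. `/* bits 6-9 (cluster timeout) are left out: a slow page fault is not a device error */`, would let a reader check the masks against the hardware documentation. The hpre_basic_info array starts and ends outside the hunk.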
+@@ -654,11 +650,6 @@ static int hpre_set_user_domain_and_cache(struct hisi_qm *qm)
+ writel(HPRE_QM_USR_CFG_MASK, qm->io_base + QM_AWUSER_M_CFG_ENABLE);
+ writel_relaxed(HPRE_QM_AXI_CFG_MASK, qm->io_base + QM_AXI_M_CFG);
+
+- /* HPRE need more time, we close this interrupt */
+- val = readl_relaxed(qm->io_base + HPRE_QM_ABNML_INT_MASK);
+- val |= BIT(HPRE_TIMEOUT_ABNML_BIT);
+- writel_relaxed(val, qm->io_base + HPRE_QM_ABNML_INT_MASK);
+-
+ if (qm->ver >= QM_HW_V3)
+ writel(HPRE_RSA_ENB | HPRE_ECC_ENB,
+ qm->io_base + HPRE_TYPES_ENB);
+@@ -667,9 +658,7 @@ static int hpre_set_user_domain_and_cache(struct hisi_qm *qm)
+
+ writel(HPRE_QM_VFG_AX_MASK, qm->io_base + HPRE_VFG_AXCACHE);
+ writel(0x0, qm->io_base + HPRE_BD_ENDIAN);
+- writel(0x0, qm->io_base + HPRE_INT_MASK);
+ writel(0x0, qm->io_base + HPRE_POISON_BYPASS);
+- writel(0x0, qm->io_base + HPRE_COMM_CNT_CLR_CE);
+ writel(0x0, qm->io_base + HPRE_ECC_BYPASS);
+
+ writel(HPRE_BD_USR_MASK, qm->io_base + HPRE_BD_ARUSR_CFG);
+@@ -759,7 +748,7 @@ static void hpre_hw_error_disable(struct hisi_qm *qm)
+
+ static void hpre_hw_error_enable(struct hisi_qm *qm)
+ {
+- u32 ce, nfe;
++ u32 ce, nfe, err_en;
+
+ ce = hisi_qm_get_hw_info(qm, hpre_basic_info, HPRE_CE_MASK_CAP, qm->cap_ver);
+ nfe = hisi_qm_get_hw_info(qm, hpre_basic_info, HPRE_NFE_MASK_CAP, qm->cap_ver);
+@@ -776,7 +765,8 @@ static void hpre_hw_error_enable(struct hisi_qm *qm)
+ hpre_master_ooo_ctrl(qm, true);
+
+ /* enable hpre hw error interrupts */
+- writel(HPRE_CORE_INT_ENABLE, qm->io_base + HPRE_INT_MASK);
++ err_en = ce | nfe | HPRE_HAC_RAS_FE_ENABLE;
++ writel(~err_en, qm->io_base + HPRE_INT_MASK);
+ }
+
+ static inline struct hisi_qm *hpre_file_to_qm(struct hpre_debugfs_file *file)
+--
+2.43.0
+
--- /dev/null
+From 1e09a3e13d1ef79d0a4b0760d0eb09903b8babf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 19:48:31 +0800
+Subject: crypto: hisilicon/qm - inject error before stopping queue
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit b04f06fc0243600665b3b50253869533b7938468 ]
+
+The master ooo cannot be completely closed when the
+accelerator core reports memory error. Therefore, the driver
+needs to inject the qm error to close the master ooo. Currently,
+the qm error is injected after stopping queue. Memory may be
+released immediately after stopping queue, causing the device to
+access the released memory. Therefore, error is injected to close master
+ooo before stopping queue to ensure that the device does not access
+the released memory.
+
+Fixes: 6c6dd5802c2d ("crypto: hisilicon/qm - add controller reset interface")
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/qm.c | 47 ++++++++++++++++++-----------------
+ 1 file changed, 24 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index d51f0dc64affc..da562ceaaf277 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -4020,6 +4020,28 @@ static int qm_set_vf_mse(struct hisi_qm *qm, bool set)
+ return -ETIMEDOUT;
+ }
+
++static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm)
++{
++ u32 nfe_enb = 0;
++
++ /* Kunpeng930 hardware automatically close master ooo when NFE occurs */
++ if (qm->ver >= QM_HW_V3)
++ return;
++
++ if (!qm->err_status.is_dev_ecc_mbit &&
++ qm->err_status.is_qm_ecc_mbit &&
++ qm->err_ini->close_axi_master_ooo) {
++ qm->err_ini->close_axi_master_ooo(qm);
++ } else if (qm->err_status.is_dev_ecc_mbit &&
++ !qm->err_status.is_qm_ecc_mbit &&
++ !qm->err_ini->close_axi_master_ooo) {
++ nfe_enb = readl(qm->io_base + QM_RAS_NFE_ENABLE);
++ writel(nfe_enb & QM_RAS_NFE_MBIT_DISABLE,
++ qm->io_base + QM_RAS_NFE_ENABLE);
++ writel(QM_ECC_MBIT, qm->io_base + QM_ABNORMAL_INT_SET);
++ }
++}
++
+ static int qm_vf_reset_prepare(struct hisi_qm *qm,
+ enum qm_stop_reason stop_reason)
+ {
+@@ -4084,6 +4106,8 @@ static int qm_controller_reset_prepare(struct hisi_qm *qm)
+ return ret;
+ }
+
++ qm_dev_ecc_mbit_handle(qm);
++
+ /* PF obtains the information of VF by querying the register. */
+ qm_cmd_uninit(qm);
+
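Review bot: The position of the new qm_dev_ecc_mbit_handle() call is the whole fix, yet nothing at the call site records the ordering constraint. A later refactor could move the call back below the queue stop and reintroduce device access to freed memory. Suggested comment above the call: `/* Close master OOO before queues are stopped: queue memory may be freed right after the stop and the device must not access it. */`. qm_controller_reset_prepare() starts and ends outside the hunk, so the point where the queues are stopped cannot be seen from here.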
+@@ -4130,28 +4154,6 @@ static int qm_master_ooo_check(struct hisi_qm *qm)
+ return ret;
+ }
+
+-static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm)
+-{
+- u32 nfe_enb = 0;
+-
+- /* Kunpeng930 hardware automatically close master ooo when NFE occurs */
+- if (qm->ver >= QM_HW_V3)
+- return;
+-
+- if (!qm->err_status.is_dev_ecc_mbit &&
+- qm->err_status.is_qm_ecc_mbit &&
+- qm->err_ini->close_axi_master_ooo) {
+- qm->err_ini->close_axi_master_ooo(qm);
+- } else if (qm->err_status.is_dev_ecc_mbit &&
+- !qm->err_status.is_qm_ecc_mbit &&
+- !qm->err_ini->close_axi_master_ooo) {
+- nfe_enb = readl(qm->io_base + QM_RAS_NFE_ENABLE);
+- writel(nfe_enb & QM_RAS_NFE_MBIT_DISABLE,
+- qm->io_base + QM_RAS_NFE_ENABLE);
+- writel(QM_ECC_MBIT, qm->io_base + QM_ABNORMAL_INT_SET);
+- }
+-}
+-
+ static int qm_soft_reset_prepare(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+@@ -4176,7 +4178,6 @@ static int qm_soft_reset_prepare(struct hisi_qm *qm)
+ return ret;
+ }
+
+- qm_dev_ecc_mbit_handle(qm);
+ ret = qm_master_ooo_check(qm);
+ if (ret)
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From b633b4621f0a7a77c4be204ab34b469ee3dc12f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 19:48:29 +0800
+Subject: crypto: hisilicon/qm - reset device before enabling it
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 5d2d1ee0874c26b8010ddf7f57e2f246e848af38 ]
+
+Before the device is enabled again, the device may still
+store the previously processed data. If an error occurs in
+the previous task, the device may fail to be enabled again.
+Therefore, before enabling device, reset the device to restore
+the initial state.
+
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: b04f06fc0243 ("crypto: hisilicon/qm - inject error before stopping queue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_main.c | 32 +++---
+ drivers/crypto/hisilicon/qm.c | 114 +++++++++++++++-------
+ drivers/crypto/hisilicon/sec2/sec_main.c | 16 ++-
+ drivers/crypto/hisilicon/zip/zip_main.c | 23 +++--
+ 4 files changed, 121 insertions(+), 64 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c
+index f8340d68afe1d..6b536ad2ada52 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_main.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c
+@@ -354,6 +354,8 @@ static struct dfx_diff_registers hpre_diff_regs[] = {
+ },
+ };
+
++static const struct hisi_qm_err_ini hpre_err_ini;
++
+ bool hpre_check_alg_support(struct hisi_qm *qm, u32 alg)
+ {
+ u32 cap_val;
+@@ -1151,6 +1153,7 @@ static int hpre_qm_init(struct hisi_qm *qm, struct pci_dev *pdev)
+ qm->qp_num = pf_q_num;
+ qm->debug.curr_qm_qp_num = pf_q_num;
+ qm->qm_list = &hpre_devices;
++ qm->err_ini = &hpre_err_ini;
+ if (pf_q_num_flag)
+ set_bit(QM_MODULE_PARAM, &qm->misc_ctl);
+ }
+@@ -1340,8 +1343,6 @@ static int hpre_pf_probe_init(struct hpre *hpre)
+
+ hpre_open_sva_prefetch(qm);
+
+- qm->err_ini = &hpre_err_ini;
+- qm->err_ini->err_info_init(qm);
+ hisi_qm_dev_err_init(qm);
+ ret = hpre_show_last_regs_init(qm);
+ if (ret)
+@@ -1370,6 +1371,18 @@ static int hpre_probe_init(struct hpre *hpre)
+ return 0;
+ }
+
++static void hpre_probe_uninit(struct hisi_qm *qm)
++{
++ if (qm->fun_type == QM_HW_VF)
++ return;
++
++ hpre_cnt_regs_clear(qm);
++ qm->debug.curr_qm_qp_num = 0;
++ hpre_show_last_regs_uninit(qm);
++ hpre_close_sva_prefetch(qm);
++ hisi_qm_dev_err_uninit(qm);
++}
++
+ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ {
+ struct hisi_qm *qm;
+@@ -1395,7 +1408,7 @@ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+
+ ret = hisi_qm_start(qm);
+ if (ret)
+- goto err_with_err_init;
++ goto err_with_probe_init;
+
+ ret = hpre_debugfs_init(qm);
+ if (ret)
+@@ -1434,9 +1447,8 @@ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ hpre_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+
+-err_with_err_init:
+- hpre_show_last_regs_uninit(qm);
+- hisi_qm_dev_err_uninit(qm);
++err_with_probe_init:
++ hpre_probe_uninit(qm);
+
+ err_with_qm_init:
+ hisi_qm_uninit(qm);
+@@ -1458,13 +1470,7 @@ static void hpre_remove(struct pci_dev *pdev)
+ hpre_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+
+- if (qm->fun_type == QM_HW_PF) {
+- hpre_cnt_regs_clear(qm);
+- qm->debug.curr_qm_qp_num = 0;
+- hpre_show_last_regs_uninit(qm);
+- hisi_qm_dev_err_uninit(qm);
+- }
+-
++ hpre_probe_uninit(qm);
+ hisi_qm_uninit(qm);
+ }
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index 3dac8d8e85686..d51f0dc64affc 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -450,6 +450,7 @@ static struct qm_typical_qos_table shaper_cbs_s[] = {
+ };
+
+ static void qm_irqs_unregister(struct hisi_qm *qm);
++static int qm_reset_device(struct hisi_qm *qm);
+
+ static u32 qm_get_hw_error_status(struct hisi_qm *qm)
+ {
+@@ -4113,6 +4114,22 @@ static int qm_controller_reset_prepare(struct hisi_qm *qm)
+ return 0;
+ }
+
++static int qm_master_ooo_check(struct hisi_qm *qm)
++{
++ u32 val;
++ int ret;
++
++ /* Check the ooo register of the device before resetting the device. */
++ writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN, qm->io_base + ACC_MASTER_GLOBAL_CTRL);
++ ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN,
++ val, (val == ACC_MASTER_TRANS_RETURN_RW),
++ POLL_PERIOD, POLL_TIMEOUT);
++ if (ret)
++ pci_warn(qm->pdev, "Bus lock! Please reset system.\n");
++
++ return ret;
++}
++
+ static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm)
+ {
+ u32 nfe_enb = 0;
+@@ -4135,11 +4152,10 @@ static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm)
+ }
+ }
+
+-static int qm_soft_reset(struct hisi_qm *qm)
++static int qm_soft_reset_prepare(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+ int ret;
+- u32 val;
+
+ /* Ensure all doorbells and mailboxes received by QM */
+ ret = qm_check_req_recv(qm);
+@@ -4161,29 +4177,23 @@ static int qm_soft_reset(struct hisi_qm *qm)
+ }
+
+ qm_dev_ecc_mbit_handle(qm);
+-
+- /* OOO register set and check */
+- writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN,
+- qm->io_base + ACC_MASTER_GLOBAL_CTRL);
+-
+- /* If bus lock, reset chip */
+- ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN,
+- val,
+- (val == ACC_MASTER_TRANS_RETURN_RW),
+- POLL_PERIOD, POLL_TIMEOUT);
+- if (ret) {
+- pci_emerg(pdev, "Bus lock! Please reset system.\n");
++ ret = qm_master_ooo_check(qm);
++ if (ret)
+ return ret;
+- }
+
+ if (qm->err_ini->close_sva_prefetch)
+ qm->err_ini->close_sva_prefetch(qm);
+
+ ret = qm_set_pf_mse(qm, false);
+- if (ret) {
++ if (ret)
+ pci_err(pdev, "Fails to disable pf MSE bit.\n");
+- return ret;
+- }
++
++ return ret;
++}
++
++static int qm_reset_device(struct hisi_qm *qm)
++{
++ struct pci_dev *pdev = qm->pdev;
+
+ /* The reset related sub-control registers are not in PCI BAR */
+ if (ACPI_HANDLE(&pdev->dev)) {
+@@ -4202,12 +4212,23 @@ static int qm_soft_reset(struct hisi_qm *qm)
+ pci_err(pdev, "Reset step %llu failed!\n", value);
+ return -EIO;
+ }
+- } else {
+- pci_err(pdev, "No reset method!\n");
+- return -EINVAL;
++
++ return 0;
+ }
+
+- return 0;
++ pci_err(pdev, "No reset method!\n");
++ return -EINVAL;
++}
++
++static int qm_soft_reset(struct hisi_qm *qm)
++{
++ int ret;
++
++ ret = qm_soft_reset_prepare(qm);
++ if (ret)
++ return ret;
++
++ return qm_reset_device(qm);
+ }
+
+ static int qm_vf_reset_done(struct hisi_qm *qm)
+@@ -5160,6 +5181,35 @@ static int qm_get_pci_res(struct hisi_qm *qm)
+ return ret;
+ }
+
++static int qm_clear_device(struct hisi_qm *qm)
++{
++ acpi_handle handle = ACPI_HANDLE(&qm->pdev->dev);
++ int ret;
++
++ if (qm->fun_type == QM_HW_VF)
++ return 0;
++
++ /* Device does not support reset, return */
++ if (!qm->err_ini->err_info_init)
++ return 0;
++ qm->err_ini->err_info_init(qm);
++
++ if (!handle)
++ return 0;
++
++ /* No reset method, return */
++ if (!acpi_has_method(handle, qm->err_info.acpi_rst))
++ return 0;
++
++ ret = qm_master_ooo_check(qm);
++ if (ret) {
++ writel(0x0, qm->io_base + ACC_MASTER_GLOBAL_CTRL);
++ return ret;
++ }
++
++ return qm_reset_device(qm);
++}
++
+ static int hisi_qm_pci_init(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
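Review bot: qm_clear_device() dereferences `qm->err_ini` without a NULL check, so it relies on every PF driver assigning err_ini in its qm_init path before hisi_qm_pci_init() runs. The hpre and sec hunks in this commit do that; the zip hunk is cut off in this view. Either `if (!qm->err_ini || !qm->err_ini->err_info_init) return 0;` or a comment stating the requirement would guard against a driver that omits the assignment. The function also resets the device without the request-drain and MSE-disable steps that qm_soft_reset_prepare() performs, and a header comment saying why that is acceptable at probe time would help the next reader.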
+@@ -5189,8 +5239,14 @@ static int hisi_qm_pci_init(struct hisi_qm *qm)
+ goto err_get_pci_res;
+ }
+
++ ret = qm_clear_device(qm);
++ if (ret)
++ goto err_free_vectors;
++
+ return 0;
+
++err_free_vectors:
++ pci_free_irq_vectors(pdev);
+ err_get_pci_res:
+ qm_put_pci_res(qm);
+ err_disable_pcidev:
+@@ -5491,7 +5547,6 @@ static int qm_prepare_for_suspend(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+ int ret;
+- u32 val;
+
+ ret = qm->ops->set_msi(qm, false);
+ if (ret) {
+@@ -5499,18 +5554,9 @@ static int qm_prepare_for_suspend(struct hisi_qm *qm)
+ return ret;
+ }
+
+- /* shutdown OOO register */
+- writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN,
+- qm->io_base + ACC_MASTER_GLOBAL_CTRL);
+-
+- ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN,
+- val,
+- (val == ACC_MASTER_TRANS_RETURN_RW),
+- POLL_PERIOD, POLL_TIMEOUT);
+- if (ret) {
+- pci_emerg(pdev, "Bus lock! Please reset system.\n");
++ ret = qm_master_ooo_check(qm);
++ if (ret)
+ return ret;
+- }
+
+ ret = qm_set_pf_mse(qm, false);
+ if (ret)
+diff --git a/drivers/crypto/hisilicon/sec2/sec_main.c b/drivers/crypto/hisilicon/sec2/sec_main.c
+index 75aad04ffe5eb..c35533d8930b2 100644
+--- a/drivers/crypto/hisilicon/sec2/sec_main.c
++++ b/drivers/crypto/hisilicon/sec2/sec_main.c
+@@ -1065,9 +1065,6 @@ static int sec_pf_probe_init(struct sec_dev *sec)
+ struct hisi_qm *qm = &sec->qm;
+ int ret;
+
+- qm->err_ini = &sec_err_ini;
+- qm->err_ini->err_info_init(qm);
+-
+ ret = sec_set_user_domain_and_cache(qm);
+ if (ret)
+ return ret;
+@@ -1122,6 +1119,7 @@ static int sec_qm_init(struct hisi_qm *qm, struct pci_dev *pdev)
+ qm->qp_num = pf_q_num;
+ qm->debug.curr_qm_qp_num = pf_q_num;
+ qm->qm_list = &sec_devices;
++ qm->err_ini = &sec_err_ini;
+ if (pf_q_num_flag)
+ set_bit(QM_MODULE_PARAM, &qm->misc_ctl);
+ } else if (qm->fun_type == QM_HW_VF && qm->ver == QM_HW_V1) {
+@@ -1186,6 +1184,12 @@ static int sec_probe_init(struct sec_dev *sec)
+
+ static void sec_probe_uninit(struct hisi_qm *qm)
+ {
++ if (qm->fun_type == QM_HW_VF)
++ return;
++
++ sec_debug_regs_clear(qm);
++ sec_show_last_regs_uninit(qm);
++ sec_close_sva_prefetch(qm);
+ hisi_qm_dev_err_uninit(qm);
+ }
+
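Review bot: The new early return for `QM_HW_VF` in sec_probe_uninit() also skips `hisi_qm_dev_err_uninit(qm)` and `sec_show_last_regs_uninit(qm)`, which the removed lines in sec_remove() ran for every function type. If both helpers are already no-ops on a VF this is harmless, but neither body is visible here, so that should be confirmed. hisi_zip_probe_uninit() in zip_main.c has the same shape. A one-line comment above the check, such as `/* VFs own no error-handling or last-regs state; nothing to undo */`, would record the assumption.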
+@@ -1274,7 +1278,6 @@ static int sec_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ sec_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+ err_probe_uninit:
+- sec_show_last_regs_uninit(qm);
+ sec_probe_uninit(qm);
+ err_qm_uninit:
+ sec_qm_uninit(qm);
+@@ -1296,11 +1299,6 @@ static void sec_remove(struct pci_dev *pdev)
+ sec_debugfs_exit(qm);
+
+ (void)hisi_qm_stop(qm, QM_NORMAL);
+-
+- if (qm->fun_type == QM_HW_PF)
+- sec_debug_regs_clear(qm);
+- sec_show_last_regs_uninit(qm);
+-
+ sec_probe_uninit(qm);
+
+ sec_qm_uninit(qm);
+diff --git a/drivers/crypto/hisilicon/zip/zip_main.c b/drivers/crypto/hisilicon/zip/zip_main.c
+index c94a7b20d07e6..befef0b0e6bbe 100644
+--- a/drivers/crypto/hisilicon/zip/zip_main.c
++++ b/drivers/crypto/hisilicon/zip/zip_main.c
+@@ -1149,8 +1149,6 @@ static int hisi_zip_pf_probe_init(struct hisi_zip *hisi_zip)
+
+ hisi_zip->ctrl = ctrl;
+ ctrl->hisi_zip = hisi_zip;
+- qm->err_ini = &hisi_zip_err_ini;
+- qm->err_ini->err_info_init(qm);
+
+ ret = hisi_zip_set_user_domain_and_cache(qm);
+ if (ret)
+@@ -1211,6 +1209,7 @@ static int hisi_zip_qm_init(struct hisi_qm *qm, struct pci_dev *pdev)
+ qm->qp_num = pf_q_num;
+ qm->debug.curr_qm_qp_num = pf_q_num;
+ qm->qm_list = &zip_devices;
++ qm->err_ini = &hisi_zip_err_ini;
+ if (pf_q_num_flag)
+ set_bit(QM_MODULE_PARAM, &qm->misc_ctl);
+ } else if (qm->fun_type == QM_HW_VF && qm->ver == QM_HW_V1) {
+@@ -1277,6 +1276,16 @@ static int hisi_zip_probe_init(struct hisi_zip *hisi_zip)
+ return 0;
+ }
+
++static void hisi_zip_probe_uninit(struct hisi_qm *qm)
++{
++ if (qm->fun_type == QM_HW_VF)
++ return;
++
++ hisi_zip_show_last_regs_uninit(qm);
++ hisi_zip_close_sva_prefetch(qm);
++ hisi_qm_dev_err_uninit(qm);
++}
++
+ static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ {
+ struct hisi_zip *hisi_zip;
+@@ -1303,7 +1312,7 @@ static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+
+ ret = hisi_qm_start(qm);
+ if (ret)
+- goto err_dev_err_uninit;
++ goto err_probe_uninit;
+
+ ret = hisi_zip_debugfs_init(qm);
+ if (ret)
+@@ -1342,9 +1351,8 @@ static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ hisi_zip_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+
+-err_dev_err_uninit:
+- hisi_zip_show_last_regs_uninit(qm);
+- hisi_qm_dev_err_uninit(qm);
++err_probe_uninit:
++ hisi_zip_probe_uninit(qm);
+
+ err_qm_uninit:
+ hisi_zip_qm_uninit(qm);
+@@ -1366,8 +1374,7 @@ static void hisi_zip_remove(struct pci_dev *pdev)
+
+ hisi_zip_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+- hisi_zip_show_last_regs_uninit(qm);
+- hisi_qm_dev_err_uninit(qm);
++ hisi_zip_probe_uninit(qm);
+ hisi_zip_qm_uninit(qm);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 6d4ee20724a735a05d501f8fad28e64837f9a392 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 11:09:43 -0500
+Subject: crypto: iaa - Fix potential use after free bug
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit e0d3b845a1b10b7b5abdad7ecc69d45b2aab3209 ]
+
+The free_device_compression_mode(iaa_device, device_mode) function frees
+"device_mode" but it is passed to iaa_compression_modes[i]->free() a few
+lines later resulting in a use after free.
+
+The good news is that, so far as I can tell, nothing implements the
+->free() function and the use after free happens in dead code. But, with
+this fix, when something does implement it, we'll be ready. :)
+
+Fixes: b190447e0fa3 ("crypto: iaa - Add compression mode management along with fixed mode")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/iaa/iaa_crypto_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/intel/iaa/iaa_crypto_main.c b/drivers/crypto/intel/iaa/iaa_crypto_main.c
+index e810d286ee8c4..237f870000702 100644
+--- a/drivers/crypto/intel/iaa/iaa_crypto_main.c
++++ b/drivers/crypto/intel/iaa/iaa_crypto_main.c
+@@ -495,10 +495,10 @@ static void remove_device_compression_modes(struct iaa_device *iaa_device)
+ if (!device_mode)
+ continue;
+
+- free_device_compression_mode(iaa_device, device_mode);
+- iaa_device->compression_modes[i] = NULL;
+ if (iaa_compression_modes[i]->free)
+ iaa_compression_modes[i]->free(device_mode);
++ free_device_compression_mode(iaa_device, device_mode);
++ iaa_device->compression_modes[i] = NULL;
+ }
+ }
+
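Review bot: Nothing in the reordered lines says why `->free()` has to run before free_device_compression_mode(), so a later cleanup could swap them back and reintroduce the use after free. A short comment above the callback would pin the order, for example `/* ->free() is handed device_mode; call it before the mode is released */`. The loop and the function header start outside this hunk.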
+--
+2.43.0
+
--- /dev/null
+From aea1852f95760c1b824da951080a6aff2fd8ea1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 17:30:24 +0800
+Subject: crypto: n2 - Set err to EINVAL if snprintf fails for hmac
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit ce212d2afca47acd366a2e74c76fe82c31f785ab ]
+
+Return EINVAL if the snprintf check fails when constructing the
+algorithm names.
+
+Fixes: 8c20982caca4 ("crypto: n2 - Silence gcc format-truncation false positive warnings")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202409090726.TP0WfY7p-lkp@intel.com/
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/n2_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/n2_core.c b/drivers/crypto/n2_core.c
+index 59d472cb11e75..509aeffdedc69 100644
+--- a/drivers/crypto/n2_core.c
++++ b/drivers/crypto/n2_core.c
+@@ -1357,6 +1357,7 @@ static int __n2_register_one_hmac(struct n2_ahash_alg *n2ahash)
+ ahash->setkey = n2_hmac_async_setkey;
+
+ base = &ahash->halg.base;
++ err = -EINVAL;
+ if (snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "hmac(%s)",
+ p->child_alg) >= CRYPTO_MAX_ALG_NAME)
+ goto out_free_p;
+--
+2.43.0
+
--- /dev/null
+From 7f09b2b7ec50eaf7fd421e7d0c5daaf04c5e3087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 07:36:37 -0400
+Subject: crypto: powerpc/p10-aes-gcm - Disable CRYPTO_AES_GCM_P10
+
+From: Danny Tsen <dtsen@linux.ibm.com>
+
+[ Upstream commit 44ac4625ea002deecd0c227336c95b724206c698 ]
+
+Data mismatch found when testing ipsec tunnel with AES/GCM crypto.
+Disabling CRYPTO_AES_GCM_P10 in Kconfig for this feature.
+
+Fixes: fd0e9b3e2ee6 ("crypto: p10-aes-gcm - An accelerated AES/GCM stitched implementation")
+Fixes: cdcecfd9991f ("crypto: p10-aes-gcm - Glue code for AES/GCM stitched implementation")
+Fixes: 45a4672b9a6e2 ("crypto: p10-aes-gcm - Update Kconfig and Makefile")
+Signed-off-by: Danny Tsen <dtsen@linux.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/crypto/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/crypto/Kconfig b/arch/powerpc/crypto/Kconfig
+index 1e201b7ae2fc6..bd9d77b0c92ec 100644
+--- a/arch/powerpc/crypto/Kconfig
++++ b/arch/powerpc/crypto/Kconfig
+@@ -96,6 +96,7 @@ config CRYPTO_AES_PPC_SPE
+
+ config CRYPTO_AES_GCM_P10
+ tristate "Stitched AES/GCM acceleration support on P10 or later CPU (PPC)"
++ depends on BROKEN
+ depends on PPC64 && CPU_LITTLE_ENDIAN && VSX
+ select CRYPTO_LIB_AES
+ select CRYPTO_ALGAPI
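Review bot: `depends on BROKEN` carries no explanation in the Kconfig itself, so someone who later finds the option missing has to dig through history to learn it was disabled for a data mismatch. A comment above the line would do, for example `# Disabled: data mismatch seen in IPsec tunnel tests with AES/GCM`, and the help text (outside this hunk) could say the same. The comment also tells whoever re-enables the option what has to be retested first.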
+--
+2.43.0
+
--- /dev/null
+From bd418670930702291ed2849cb91ea8476215c46d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 07:44:57 -0400
+Subject: crypto: qat - disable IOV in adf_dev_stop()
+
+From: Michal Witwicki <michal.witwicki@intel.com>
+
+[ Upstream commit b6c7d36292d50627dbe6a57fa344f87c776971e6 ]
+
+Disabling IOV has the side effect of re-enabling the AEs that might
+attempt to do DMAs into the heartbeat buffers.
+Move the disable_iov() function in adf_dev_stop() before the AEs are
+stopped.
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Michal Witwicki <michal.witwicki@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_init.c b/drivers/crypto/intel/qat/qat_common/adf_init.c
+index 74f0818c07034..55f1ff1e0b322 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_init.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_init.c
+@@ -323,6 +323,8 @@ static void adf_dev_stop(struct adf_accel_dev *accel_dev)
+ if (hw_data->stop_timer)
+ hw_data->stop_timer(accel_dev);
+
++ hw_data->disable_iov(accel_dev);
++
+ if (wait)
+ msleep(100);
+
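Review bot: The placement of `hw_data->disable_iov(accel_dev)` is order-sensitive but the code does not say so. The commit message explains that disabling IOV re-enables the AEs, which may then DMA into the heartbeat buffers, so the call has to come before the AEs are stopped; a comment such as `/* Must precede stopping the AEs: disabling IOV re-enables them */` would keep it from drifting back. The call is also unconditional while `stop_timer` just above is NULL-checked; the removed call in adf_dev_shutdown() was unconditional too, so that is presumably safe. adf_dev_stop() continues outside the hunk.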
+@@ -386,8 +388,6 @@ static void adf_dev_shutdown(struct adf_accel_dev *accel_dev)
+
+ adf_tl_shutdown(accel_dev);
+
+- hw_data->disable_iov(accel_dev);
+-
+ if (test_bit(ADF_STATUS_IRQ_ALLOCATED, &accel_dev->status)) {
+ hw_data->free_irq(accel_dev);
+ clear_bit(ADF_STATUS_IRQ_ALLOCATED, &accel_dev->status);
+--
+2.43.0
+
--- /dev/null
+From 1715480ff258e14baf9f41ec8f83921cb499f830 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 07:44:59 -0400
+Subject: crypto: qat - ensure correct order in VF restarting handler
+
+From: Michal Witwicki <michal.witwicki@intel.com>
+
+[ Upstream commit cd8d2d74292c199b433ef77762bb1d28a4821784 ]
+
+In the process of sending the ADF_PF2VF_MSGTYPE_RESTARTING message to
+Virtual Functions (VFs), the Physical Function (PF) should set the
+`vf->restarting` flag to true before dispatching the message.
+This change is necessary to prevent a race condition where the handling
+of the ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE message (which sets the
+`vf->restarting` flag to false) runs immediately after the message is sent,
+but before the flag is set to true.
+
+Set the `vf->restarting` to true before sending the message
+ADF_PF2VF_MSGTYPE_RESTARTING, if supported by the version of the
+protocol and if the VF is started.
+
+Fixes: ec26f8e6c784 ("crypto: qat - update PFVF protocol for recovery")
+Signed-off-by: Michal Witwicki <michal.witwicki@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c b/drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c
+index 0e31f4b41844e..0cee3b23dee90 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c
+@@ -18,14 +18,17 @@ void adf_pf2vf_notify_restarting(struct adf_accel_dev *accel_dev)
+
+ dev_dbg(&GET_DEV(accel_dev), "pf2vf notify restarting\n");
+ for (i = 0, vf = accel_dev->pf.vf_info; i < num_vfs; i++, vf++) {
+- vf->restarting = false;
++ if (vf->init && vf->vf_compat_ver >= ADF_PFVF_COMPAT_FALLBACK)
++ vf->restarting = true;
++ else
++ vf->restarting = false;
++
+ if (!vf->init)
+ continue;
++
+ if (adf_send_pf2vf_msg(accel_dev, i, msg))
+ dev_err(&GET_DEV(accel_dev),
+ "Failed to send restarting msg to VF%d\n", i);
+- else if (vf->vf_compat_ver >= ADF_PFVF_COMPAT_FALLBACK)
+- vf->restarting = true;
+ }
+ }
+
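Review bot: When adf_send_pf2vf_msg() fails, `vf->restarting` now stays true, because the flag is set before the send and the `dev_err` branch does not clear it; the old code set it only after a successful send. A VF that never received the RESTARTING message will presumably never answer with RESTARTING_COMPLETE, so whatever waits on the flag (not visible in this hunk) would run until its timeout. Clearing it in the failure branch keeps the race fix and the old failure behaviour: brace the `if` body and add `vf->restarting = false;` after the `dev_err(...)` call.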
+--
+2.43.0
+
--- /dev/null
+From ec0a2841bd510403069b22534e9ceae586e82715 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 16:47:23 +0100
+Subject: crypto: qat - fix "Full Going True" macro definition
+
+From: Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
+
+[ Upstream commit 694a6f594817462942acbb1a35b1f7d61e2d49e7 ]
+
+The macro `ADF_RP_INT_SRC_SEL_F_RISE_MASK` is currently set to the value
+`0100b` which means "Empty Going False". This might cause an incorrect
+restore of the bank state during live migration.
+
+Fix the definition of the macro to properly represent the "Full Going
+True" state which is encoded as `0011b`.
+
+Fixes: bbfdde7d195f ("crypto: qat - add bank save and restore flows")
+Signed-off-by: Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
+Reviewed-by: Xin Zeng <xin.zeng@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h b/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h
+index 8b10926cedbac..e8c53bd76f1bd 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h
+@@ -83,7 +83,7 @@
+ #define ADF_WQM_CSR_RPRESETSTS(bank) (ADF_WQM_CSR_RPRESETCTL(bank) + 4)
+
+ /* Ring interrupt */
+-#define ADF_RP_INT_SRC_SEL_F_RISE_MASK BIT(2)
++#define ADF_RP_INT_SRC_SEL_F_RISE_MASK GENMASK(1, 0)
+ #define ADF_RP_INT_SRC_SEL_F_FALL_MASK GENMASK(2, 0)
+ #define ADF_RP_INT_SRC_SEL_RANGE_WIDTH 4
+ #define ADF_COALESCED_POLL_TIMEOUT_US (1 * USEC_PER_SEC)
+--
+2.43.0
+
--- /dev/null
+From d1dd2fa1e80add52e4b1983662da0884c7ad1955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 07:44:58 -0400
+Subject: crypto: qat - fix recovery flow for VFs
+
+From: Michal Witwicki <michal.witwicki@intel.com>
+
+[ Upstream commit 6f1b5236348fced7e7691a933327694b4106bc39 ]
+
+When the PFVF protocol was updated to support version 5, i.e.
+ADF_PFVF_COMPAT_FALLBACK, the compatibility version for the VF was
+updated without supporting the message RESTARTING_COMPLETE required for
+such version.
+
+Add support for the ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE message in the
+VF drivers. This message is sent by the VF driver to the PF to notify
+the completion of the shutdown flow.
+
+Fixes: ec26f8e6c784 ("crypto: qat - update PFVF protocol for recovery")
+Signed-off-by: Michal Witwicki <michal.witwicki@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c | 14 ++++++++++++++
+ .../crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h | 1 +
+ drivers/crypto/intel/qat/qat_common/adf_vf_isr.c | 2 ++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c b/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c
+index 1141258db4b65..10c91e56d6be3 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c
+@@ -48,6 +48,20 @@ void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev)
+ }
+ EXPORT_SYMBOL_GPL(adf_vf2pf_notify_shutdown);
+
++void adf_vf2pf_notify_restart_complete(struct adf_accel_dev *accel_dev)
++{
++ struct pfvf_message msg = { .type = ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE };
++
++ /* Check compatibility version */
++ if (accel_dev->vf.pf_compat_ver < ADF_PFVF_COMPAT_FALLBACK)
++ return;
++
++ if (adf_send_vf2pf_msg(accel_dev, msg))
++ dev_err(&GET_DEV(accel_dev),
++ "Failed to send Restarting complete event to PF\n");
++}
++EXPORT_SYMBOL_GPL(adf_vf2pf_notify_restart_complete);
++
+ int adf_vf2pf_request_version(struct adf_accel_dev *accel_dev)
+ {
+ u8 pf_version;
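Review bot: adf_vf2pf_notify_restart_complete() is exported with `EXPORT_SYMBOL_GPL` but has no kernel-doc. The comment should state that it sends ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE to the PF, that it returns silently without sending when `pf_compat_ver` is below ADF_PFVF_COMPAT_FALLBACK, and that a send failure is only logged, so the caller cannot tell whether the PF was notified.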
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h b/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h
+index 71bc0e3f1d933..d79340ab3134f 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h
+@@ -6,6 +6,7 @@
+ #if defined(CONFIG_PCI_IOV)
+ int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev);
+ void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev);
++void adf_vf2pf_notify_restart_complete(struct adf_accel_dev *accel_dev);
+ int adf_vf2pf_request_version(struct adf_accel_dev *accel_dev);
+ int adf_vf2pf_get_capabilities(struct adf_accel_dev *accel_dev);
+ int adf_vf2pf_get_ring_to_svc(struct adf_accel_dev *accel_dev);
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_vf_isr.c b/drivers/crypto/intel/qat/qat_common/adf_vf_isr.c
+index cdbb2d687b1b0..4ab9ac3315195 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_vf_isr.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_vf_isr.c
+@@ -13,6 +13,7 @@
+ #include "adf_cfg.h"
+ #include "adf_cfg_strings.h"
+ #include "adf_cfg_common.h"
++#include "adf_pfvf_vf_msg.h"
+ #include "adf_transport_access_macros.h"
+ #include "adf_transport_internal.h"
+
+@@ -75,6 +76,7 @@ static void adf_dev_stop_async(struct work_struct *work)
+
+ /* Re-enable PF2VF interrupts */
+ adf_enable_pf2vf_interrupts(accel_dev);
++ adf_vf2pf_notify_restart_complete(accel_dev);
+ kfree(stop_data);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 889a569d5b97fd1d25b5114356d215f7e36159c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 14:24:52 +0200
+Subject: crypto: xor - fix template benchmarking
+
+From: Helge Deller <deller@kernel.org>
+
+[ Upstream commit ab9a244c396aae4aaa34b2399b82fc15ec2df8c1 ]
+
+Commit c055e3eae0f1 ("crypto: xor - use ktime for template benchmarking")
+switched from using jiffies to ktime-based performance benchmarking.
+
+This works nicely on machines which have a fine-grained ktime()
+clocksource as e.g. x86 machines with TSC.
+But other machines, e.g. my 4-way HP PARISC server, don't have such
+fine-grained clocksources, which is why it seems that 800 xor loops
+take zero seconds, which then shows up in the logs as:
+
+ xor: measuring software checksum speed
+ 8regs : -1018167296 MB/sec
+ 8regs_prefetch : -1018167296 MB/sec
+ 32regs : -1018167296 MB/sec
+ 32regs_prefetch : -1018167296 MB/sec
+
+Fix this with some small modifications to the existing code to improve
+the algorithm to always produce correct results without introducing
+major delays for architectures with a fine-grained ktime()
+clocksource:
+a) Delay start of the timing until ktime() just advanced. On machines
+with a fast ktime() this should be just one additional ktime() call.
+b) Count the number of loops. Run at minimum 800 loops and finish
+earliest when the ktime() counter has progressed.
+
+With that the throughput can now be calculated more accurately under all
+conditions.
+
+Fixes: c055e3eae0f1 ("crypto: xor - use ktime for template benchmarking")
+Signed-off-by: Helge Deller <deller@gmx.de>
+Tested-by: John David Anglin <dave.anglin@bell.net>
+
+v2:
+- clean up coding style (noticed & suggested by Herbert Xu)
+- rephrased & fixed typo in commit message
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/xor.c | 31 ++++++++++++++-----------------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/xor.c b/crypto/xor.c
+index 8e72e5d5db0de..56aa3169e8717 100644
+--- a/crypto/xor.c
++++ b/crypto/xor.c
+@@ -83,33 +83,30 @@ static void __init
+ do_xor_speed(struct xor_block_template *tmpl, void *b1, void *b2)
+ {
+ int speed;
+- int i, j;
+- ktime_t min, start, diff;
++ unsigned long reps;
++ ktime_t min, start, t0;
+
+ tmpl->next = template_list;
+ template_list = tmpl;
+
+ preempt_disable();
+
+- min = (ktime_t)S64_MAX;
+- for (i = 0; i < 3; i++) {
+- start = ktime_get();
+- for (j = 0; j < REPS; j++) {
+- mb(); /* prevent loop optimization */
+- tmpl->do_2(BENCH_SIZE, b1, b2);
+- mb();
+- }
+- diff = ktime_sub(ktime_get(), start);
+- if (diff < min)
+- min = diff;
+- }
++ reps = 0;
++ t0 = ktime_get();
++ /* delay start until time has advanced */
++ while ((start = ktime_get()) == t0)
++ cpu_relax();
++ do {
++ mb(); /* prevent loop optimization */
++ tmpl->do_2(BENCH_SIZE, b1, b2);
++ mb();
++ } while (reps++ < REPS || (t0 = ktime_get()) == start);
++ min = ktime_sub(t0, start);
+
+ preempt_enable();
+
+ // bytes/ns == GB/s, multiply by 1000 to get MB/s [not MiB/s]
+- if (!min)
+- min = 1;
+- speed = (1000 * REPS * BENCH_SIZE) / (unsigned int)ktime_to_ns(min);
++ speed = (1000 * reps * BENCH_SIZE) / (unsigned int)ktime_to_ns(min);
+ tmpl->speed = speed;
+
+ pr_info(" %-16s: %5d MB/sec\n", tmpl->name, speed);
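Review bot: The throughput expression `(1000 * reps * BENCH_SIZE) / (unsigned int)ktime_to_ns(min)` can now wrap on both sides. `reps` is no longer capped at REPS, since the loop keeps running until ktime advances, and the product is evaluated in `unsigned long`, which is 32 bits wide on 32-bit builds; the divisor is still truncated to `unsigned int`. REPS and BENCH_SIZE are defined outside the hunk, so how much headroom is left cannot be read from here. Doing the arithmetic in 64 bits avoids both, e.g. `speed = div64_u64(1000ULL * reps * BENCH_SIZE, ktime_to_ns(min));`.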
+--
+2.43.0
+
--- /dev/null
+From a8e4438a70c91d72e71b5bdd2972ab055f5f5570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 16:42:28 +0800
+Subject: cxl/pci: Fix to record only non-zero ranges
+
+From: Yanfei Xu <yanfei.xu@intel.com>
+
+[ Upstream commit 55e268694e8b07026c88191f9b6949b6887d9ce3 ]
+
+The function cxl_dvsec_rr_decode() retrieves and records DVSEC ranges
+into info->dvsec_range[], regardless of whether it is non-zero range,
+and the variable info->ranges indicates the number of non-zero ranges.
+However, in cxl_hdm_decode_init(), the validation for
+info->dvsec_range[] occurs in a for loop that iterates based on
+info->ranges. It may result in zero range to be validated but non-zero
+range not be validated, in turn, the number of allowed ranges is to be
+0. Address it by only record non-zero ranges.
+
+This fix is not urgent as it requires a configuration that zeroes out
+the first dvsec range while populating the second. This has not been
+observed, but it is theoretically possible. If this gets picked up for
+-stable, no harm done, but there is no urgency to backport.
+
+Fixes: 560f78559006 ("cxl/pci: Retrieve CXL DVSEC memory info")
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Yanfei Xu <yanfei.xu@intel.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Link: https://patch.msgid.link/20240828084231.1378789-2-yanfei.xu@intel.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/pci.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c
+index 8567dd11eaac7..205085ccf12c3 100644
+--- a/drivers/cxl/core/pci.c
++++ b/drivers/cxl/core/pci.c
+@@ -390,10 +390,6 @@ int cxl_dvsec_rr_decode(struct device *dev, int d,
+
+ size |= temp & CXL_DVSEC_MEM_SIZE_LOW_MASK;
+ if (!size) {
+- info->dvsec_range[i] = (struct range) {
+- .start = 0,
+- .end = CXL_RESOURCE_NONE,
+- };
+ continue;
+ }
+
+@@ -411,12 +407,10 @@ int cxl_dvsec_rr_decode(struct device *dev, int d,
+
+ base |= temp & CXL_DVSEC_MEM_BASE_LOW_MASK;
+
+- info->dvsec_range[i] = (struct range) {
++ info->dvsec_range[ranges++] = (struct range) {
+ .start = base,
+ .end = base + size - 1
+ };
+-
+- ranges++;
+ }
+
+ info->ranges = ranges;
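Review bot: With `dvsec_range[ranges++]`, slots at or above `info->ranges` are no longer written at all, where the removed lines in the previous hunk stored `{ .start = 0, .end = CXL_RESOURCE_NONE }` for an empty range. Those slots now hold whatever the caller initialised `info` with, and a slot index no longer matches the DVSEC range number `i`. Readers that bound themselves by `info->ranges` are fine; any reader that indexes `dvsec_range[]` by range or decoder number (none is visible here) would see different data and should be checked. A comment at the assignment should state that the array is packed, e.g. `/* packed: only non-zero ranges, in discovery order */`.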
+--
+2.43.0
+
--- /dev/null
+From 55ebbfceb121fa5f4261b7539314968478d33033 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 16:06:58 +0800
+Subject: driver core: Fix a potential null-ptr-deref in module_add_driver()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 18ec12c97b39ff6aa15beb8d2b25d15cd44b87d8 ]
+
+Inject fault while probing of-fpga-region, if kasprintf() fails in
+module_add_driver(), the second sysfs_remove_link() in exit path will cause
+null-ptr-deref as below because kernfs_name_hash() will call strlen() with
+NULL driver_name.
+
+Fix it by releasing resources based on the exit path sequence.
+
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ Mem abort info:
+ ESR = 0x0000000096000005
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x05: level 1 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ [dfffffc000000000] address between user and kernel address ranges
+ Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region]
+ CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295
+ Hardware name: linux,dummy-virt (DT)
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : strlen+0x24/0xb0
+ lr : kernfs_name_hash+0x1c/0xc4
+ sp : ffffffc081f97380
+ x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0
+ x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000
+ x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
+ x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840
+ x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42
+ x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d
+ x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : dfffffc000000000
+ x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001
+ x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000
+ Call trace:
+ strlen+0x24/0xb0
+ kernfs_name_hash+0x1c/0xc4
+ kernfs_find_ns+0x118/0x2e8
+ kernfs_remove_by_name_ns+0x80/0x100
+ sysfs_remove_link+0x74/0xa8
+ module_add_driver+0x278/0x394
+ bus_add_driver+0x1f0/0x43c
+ driver_register+0xf4/0x3c0
+ __platform_driver_register+0x60/0x88
+ of_fpga_region_init+0x20/0x1000 [of_fpga_region]
+ do_one_initcall+0x110/0x788
+ do_init_module+0x1dc/0x5c8
+ load_module+0x3c38/0x4cac
+ init_module_from_file+0xd4/0x128
+ idempotent_init_module+0x2cc/0x528
+ __arm64_sys_finit_module+0xac/0x100
+ invoke_syscall+0x6c/0x258
+ el0_svc_common.constprop.0+0x160/0x22c
+ do_el0_svc+0x44/0x5c
+ el0_svc+0x48/0xb8
+ el0t_64_sync_handler+0x13c/0x158
+ el0t_64_sync+0x190/0x194
+ Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861)
+ ---[ end trace 0000000000000000 ]---
+ Kernel panic - not syncing: Oops: Fatal exception
+
+Fixes: 85d2b0aa1703 ("module: don't ignore sysfs_create_link() failures")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20240812080658.2791982-1-ruanjinjie@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/module.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/base/module.c b/drivers/base/module.c
+index b0b79b9c189d4..0d5c5da367f72 100644
+--- a/drivers/base/module.c
++++ b/drivers/base/module.c
+@@ -66,27 +66,31 @@ int module_add_driver(struct module *mod, struct device_driver *drv)
+ driver_name = make_driver_name(drv);
+ if (!driver_name) {
+ ret = -ENOMEM;
+- goto out;
++ goto out_remove_kobj;
+ }
+
+ module_create_drivers_dir(mk);
+ if (!mk->drivers_dir) {
+ ret = -EINVAL;
+- goto out;
++ goto out_free_driver_name;
+ }
+
+ ret = sysfs_create_link(mk->drivers_dir, &drv->p->kobj, driver_name);
+ if (ret)
+- goto out;
++ goto out_remove_drivers_dir;
+
+ kfree(driver_name);
+
+ return 0;
+-out:
+- sysfs_remove_link(&drv->p->kobj, "module");
++
++out_remove_drivers_dir:
+ sysfs_remove_link(mk->drivers_dir, driver_name);
++
++out_free_driver_name:
+ kfree(driver_name);
+
++out_remove_kobj:
++ sysfs_remove_link(&drv->p->kobj, "module");
+ return ret;
+ }
+
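Review bot: `out_remove_drivers_dir` is reached only when sysfs_create_link() has just failed, so the `sysfs_remove_link(mk->drivers_dir, driver_name)` under it has no link of this call to remove. If the create failed because an entry with that name already exists, the cleanup would remove the entry that belongs to the earlier registration. The failing branch can go straight to `goto out_free_driver_name;`, and the `out_remove_drivers_dir` label with its sysfs_remove_link() call can be dropped. The start of module_add_driver() is outside the hunk.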
+--
+2.43.0
+
--- /dev/null
+From 7a93c33564429ab55ac9b3a6ed803e3b71d81eca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:48:10 +0800
+Subject: driver core: Fix error handling in driver API device_rename()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit 6d8249ac29bc23260dfa9747eb398ce76012d73c ]
+
+For class-device, device_rename() failure may cause an unexpected link name
+within its class folder as explained below:
+
+/sys/class/.../old_name -> /sys/devices/.../old_name
+device_rename(..., new_name) and failed
+/sys/class/.../new_name -> /sys/devices/.../old_name
+
+Fixed by undoing renaming link if renaming kobject failed.
+
+Fixes: f349cf34731c ("driver core: Implement ns directory support for device classes.")
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20240722-device_rename_fix-v2-1-77de1a6c6495@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/core.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index b5399262198a6..6c1a944c00d9b 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -4515,9 +4515,11 @@ EXPORT_SYMBOL_GPL(device_destroy);
+ */
+ int device_rename(struct device *dev, const char *new_name)
+ {
++ struct subsys_private *sp = NULL;
+ struct kobject *kobj = &dev->kobj;
+ char *old_device_name = NULL;
+ int error;
++ bool is_link_renamed = false;
+
+ dev = get_device(dev);
+ if (!dev)
+@@ -4532,7 +4534,7 @@ int device_rename(struct device *dev, const char *new_name)
+ }
+
+ if (dev->class) {
+- struct subsys_private *sp = class_to_subsys(dev->class);
++ sp = class_to_subsys(dev->class);
+
+ if (!sp) {
+ error = -EINVAL;
+@@ -4541,16 +4543,19 @@ int device_rename(struct device *dev, const char *new_name)
+
+ error = sysfs_rename_link_ns(&sp->subsys.kobj, kobj, old_device_name,
+ new_name, kobject_namespace(kobj));
+- subsys_put(sp);
+ if (error)
+ goto out;
++
++ is_link_renamed = true;
+ }
+
+ error = kobject_rename(kobj, new_name);
+- if (error)
+- goto out;
+-
+ out:
++ if (error && is_link_renamed)
++ sysfs_rename_link_ns(&sp->subsys.kobj, kobj, new_name,
++ old_device_name, kobject_namespace(kobj));
++ subsys_put(sp);
++
+ put_device(dev);
+
+ kfree(old_device_name);
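Review bot: The rollback call `sysfs_rename_link_ns(&sp->subsys.kobj, kobj, new_name, old_device_name, ...)` under `out:` discards its return value, so if restoring the link also fails the class directory is left with the mismatched name this patch is meant to prevent, and nothing is logged. A warning on that path would make it diagnosable, e.g. wrap the call in `if (sysfs_rename_link_ns(...))` and add `dev_warn(dev, "failed to restore class link name\n");` (the message text is a suggestion). `subsys_put(sp)` is now also reached with `sp == NULL` for devices without a class and on the early `goto out` paths, which relies on subsys_put() accepting NULL; its body is not visible here.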
+--
+2.43.0
+
--- /dev/null
+From 653457079dd9a9a3f11aa0456ba74991647e7fcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 17:09:27 +0800
+Subject: drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind()
+
+From: Yuesong Li <liyuesong@vivo.com>
+
+[ Upstream commit 94ebc3d3235c5c516f67315059ce657e5090e94b ]
+
+cocci reported a double assignment problem. Upon reviewing previous
+commits, it appears this may actually be an incorrect assignment.
+
+Fixes: 8b9550344d39 ("drm/ipp: clean up debug messages")
+Signed-off-by: Yuesong Li <liyuesong@vivo.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_gsc.c b/drivers/gpu/drm/exynos/exynos_drm_gsc.c
+index 1b111e2c33472..752339d33f39a 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_gsc.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_gsc.c
+@@ -1174,7 +1174,7 @@ static int gsc_bind(struct device *dev, struct device *master, void *data)
+ struct exynos_drm_ipp *ipp = &ctx->ipp;
+
+ ctx->drm_dev = drm_dev;
+- ctx->drm_dev = drm_dev;
++ ipp->drm_dev = drm_dev;
+ exynos_drm_register_dma(drm_dev, dev, &ctx->dma_priv);
+
+ exynos_drm_ipp_register(dev, ipp, &ipp_funcs,
+--
+2.43.0
+
--- /dev/null
+From 3ececb970717e3bb3396ad989e2f5bb94a298211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 01:50:23 +0800
+Subject: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write
+ error
+
+From: Junlin Li <make24@iscas.ac.cn>
+
+[ Upstream commit 46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14 ]
+
+Ensure index in rtl2830_pid_filter does not exceed 31 to prevent
+out-of-bounds access.
+
+dev->filters is a 32-bit value, so set_bit and clear_bit functions should
+only operate on indices from 0 to 31. If index is 32, it will attempt to
+access a non-existent 33rd bit, leading to out-of-bounds access.
+Change the boundary check from index > 32 to index >= 32 to resolve this
+issue.
+
+Fixes: df70ddad81b4 ("[media] rtl2830: implement PID filter")
+Signed-off-by: Junlin Li <make24@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/rtl2830.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/rtl2830.c b/drivers/media/dvb-frontends/rtl2830.c
+index 30d10fe4b33e3..320aa2bf99d42 100644
+--- a/drivers/media/dvb-frontends/rtl2830.c
++++ b/drivers/media/dvb-frontends/rtl2830.c
+@@ -609,7 +609,7 @@ static int rtl2830_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid, int on
+ index, pid, onoff);
+
+ /* skip invalid PIDs (0x2000) */
+- if (pid > 0x1fff || index > 32)
++ if (pid > 0x1fff || index >= 32)
+ return 0;
+
+ if (onoff)
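Review bot: The comment above the check still describes only the PID half of the condition, and the bound is a bare `32` that must stay in step with the width of dev->filters, which the commit message says set_bit/clear_bit operate on. I would reword it to `/* skip invalid PIDs (0x2000) and filter indices outside 0..31 */` and, if the driver has a constant for the number of filter slots, compare against that instead of the literal. An out-of-range index also returns 0, so a caller cannot tell a rejected request from an applied one; whether that is intended is not visible here. The same applies to the identical hunk in rtl2832_pid_filter, and the function continues past the end of this hunk.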
+--
+2.43.0
+
--- /dev/null
+From c23b963b81d6859f3eef686cbed0527d106400d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 21:24:13 +0800
+Subject: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write
+ error
+
+From: Junlin Li <make24@iscas.ac.cn>
+
+[ Upstream commit 8ae06f360cfaca2b88b98ca89144548b3186aab1 ]
+
+Ensure index in rtl2832_pid_filter does not exceed 31 to prevent
+out-of-bounds access.
+
+dev->filters is a 32-bit value, so set_bit and clear_bit functions should
+only operate on indices from 0 to 31. If index is 32, it will attempt to
+access a non-existent 33rd bit, leading to out-of-bounds access.
+Change the boundary check from index > 32 to index >= 32 to resolve this
+issue.
+
+Signed-off-by: Junlin Li <make24@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 4b01e01a81b6 ("[media] rtl2832: implement PID filter")
+[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/rtl2832.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/rtl2832.c b/drivers/media/dvb-frontends/rtl2832.c
+index 5142820b1b3d9..76c3f40443b2c 100644
+--- a/drivers/media/dvb-frontends/rtl2832.c
++++ b/drivers/media/dvb-frontends/rtl2832.c
+@@ -983,7 +983,7 @@ static int rtl2832_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid,
+ index, pid, onoff, dev->slave_ts);
+
+ /* skip invalid PIDs (0x2000) */
+- if (pid > 0x1fff || index > 32)
++ if (pid > 0x1fff || index >= 32)
+ return 0;
+
+ if (onoff)
+--
+2.43.0
+
--- /dev/null
+From f6198562dec582d232e0e31fe98eb6ccdb5dbad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 11:33:31 +0800
+Subject: drivers/perf: Fix ali_drw_pmu driver interrupt status clearing
+
+From: Jing Zhang <renyu.zj@linux.alibaba.com>
+
+[ Upstream commit a3dd920977dccc453c550260c4b7605b280b79c3 ]
+
+The alibaba_uncore_pmu driver forgot to clear all interrupt status
+in the interrupt processing function. After the PMU counter overflow
+interrupt occurred, an interrupt storm occurred, causing the system
+to hang.
+
+Therefore, clear the correct interrupt status in the interrupt handling
+function to fix it.
+
+Fixes: cf7b61073e45 ("drivers/perf: add DDR Sub-System Driveway PMU driver for Yitian 710 SoC")
+Signed-off-by: Jing Zhang <renyu.zj@linux.alibaba.com>
+Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1724297611-20686-1-git-send-email-renyu.zj@linux.alibaba.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/alibaba_uncore_drw_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/alibaba_uncore_drw_pmu.c b/drivers/perf/alibaba_uncore_drw_pmu.c
+index 38a2947ae8130..c6ff1bc7d336b 100644
+--- a/drivers/perf/alibaba_uncore_drw_pmu.c
++++ b/drivers/perf/alibaba_uncore_drw_pmu.c
+@@ -400,7 +400,7 @@ static irqreturn_t ali_drw_pmu_isr(int irq_num, void *data)
+ }
+
+ /* clear common counter intr status */
+- clr_status = FIELD_PREP(ALI_DRW_PMCOM_CNT_OV_INTR_MASK, 1);
++ clr_status = FIELD_PREP(ALI_DRW_PMCOM_CNT_OV_INTR_MASK, status);
+ writel(clr_status,
+ drw_pmu->cfg_base + ALI_DRW_PMU_OV_INTR_CLR);
+ }
+--
+2.43.0
+
--- /dev/null
+From 23ea5dc27e4b02c6a32ef0963f81b8934026584e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 17:03:31 +0800
+Subject: drivers/perf: hisi_pcie: Fix TLP headers bandwidth counting
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 17bf68aeb3642221e3e770399b5a52f370747ac1 ]
+
+We make the initial value of event ctrl register as HISI_PCIE_INIT_SET
+and modify it according to the user options. This means that counting
+only the TLP headers bandwidth never takes effect, since
+HISI_PCIE_INIT_SET configures counting of the TLP payloads bandwidth.
+Fix this by making the initial value of event ctrl register as 0.
+
+Fixes: 17d573984d4d ("drivers/perf: hisi: Add TLP filter support")
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20240829090332.28756-3-yangyicong@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_pcie_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+index fba569a8640cf..f7d6c59d99301 100644
+--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c
++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+@@ -208,7 +208,7 @@ static void hisi_pcie_pmu_writeq(struct hisi_pcie_pmu *pcie_pmu, u32 reg_offset,
+ static u64 hisi_pcie_pmu_get_event_ctrl_val(struct perf_event *event)
+ {
+ u64 port, trig_len, thr_len, len_mode;
+- u64 reg = HISI_PCIE_INIT_SET;
++ u64 reg = 0;
+
+ /* Config HISI_PCIE_EVENT_CTRL according to event. */
+ reg |= FIELD_PREP(HISI_PCIE_EVENT_M, hisi_pcie_get_real_event(event));
+--
+2.43.0
+
--- /dev/null
+From 95e6c07db98c57c6f8b5e127c4f0cb3eef4208f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 17:03:30 +0800
+Subject: drivers/perf: hisi_pcie: Record hardware counts correctly
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit daecd3373a16a039ad241086e30a1ec46fc9d61f ]
+
+Currently we set the period and record it as the initial value of the
+counter without checking whether it was written to the hardware
+successfully. However, the counter may be unwritable if the target event
+is unsupported by the device. In such a case we will pass the user a
+wrong count:
+
+[start counts when setting the period]
+hwc->prev_count = 0x8000000000000000
+device.counter_value = 0 // the counter is not set as the period
+[when user reads the counter]
+event->count = device.counter_value - hwc->prev_count
+ = 0x8000000000000000 // wrong. should be 0.
+
+Fix this by record the hardware counter counts correctly when setting
+the period.
+
+Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU")
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20240829090332.28756-2-yangyicong@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+index f06027574a241..fba569a8640cf 100644
+--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c
++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+@@ -452,10 +452,24 @@ static void hisi_pcie_pmu_set_period(struct perf_event *event)
+ struct hisi_pcie_pmu *pcie_pmu = to_pcie_pmu(event->pmu);
+ struct hw_perf_event *hwc = &event->hw;
+ int idx = hwc->idx;
++ u64 orig_cnt, cnt;
++
++ orig_cnt = hisi_pcie_pmu_read_counter(event);
+
+ local64_set(&hwc->prev_count, HISI_PCIE_INIT_VAL);
+ hisi_pcie_pmu_writeq(pcie_pmu, HISI_PCIE_CNT, idx, HISI_PCIE_INIT_VAL);
+ hisi_pcie_pmu_writeq(pcie_pmu, HISI_PCIE_EXT_CNT, idx, HISI_PCIE_INIT_VAL);
++
++ /*
++ * The counter maybe unwritable if the target event is unsupported.
++ * Check this by comparing the counts after setting the period. If
++ * the counts stay unchanged after setting the period then update
++ * the hwc->prev_count correctly. Otherwise the final counts user
++ * get maybe totally wrong.
++ */
++ cnt = hisi_pcie_pmu_read_counter(event);
++ if (orig_cnt == cnt)
++ local64_set(&hwc->prev_count, cnt);
+ }
+
+ static void hisi_pcie_pmu_enable_counter(struct hisi_pcie_pmu *pcie_pmu, struct hw_perf_event *hwc)
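Review bot: The `orig_cnt == cnt` test only detects an unwritable counter if its value does not move between the two reads; if the counter can be running when hisi_pcie_pmu_set_period() is called (not visible in this hunk), an unwritable but advancing counter leaves prev_count at HISI_PCIE_INIT_VAL and the wrong count returns. Recording whatever the hardware holds after the writes covers both cases without the extra read and compare: `local64_set(&hwc->prev_count, hisi_pcie_pmu_read_counter(event));` placed after the two hisi_pcie_pmu_writeq() calls, replacing the earlier local64_set(). If the counter is guaranteed to be stopped here, a one-line comment saying so would justify the current form.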
+--
+2.43.0
+
--- /dev/null
+From 49658363d4c29d8b74bef36217a9007531a085f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 12:10:40 +0800
+Subject: drm/amd/amdgpu: Properly tune the size of struct
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 0cee47cde41e22712c034ae961076067d4ac13a0 ]
+
+The struct assertion is failed because sparse cannot parse
+`#pragma pack(push, 1)` and `#pragma pack(pop)` correctly.
+GCC's output is still 1-byte-aligned. No harm to memory layout.
+
+The error can be filtered out by sparse-diff, but sometimes
+multiple lines are squeezed into one, making sparse-diff think
+it's a new error. I'm trying to avoid this by fixing errors.
+
+Link: https://lore.kernel.org/all/20230620045919.492128-1-suhui@nfschina.com/
+Link: https://lore.kernel.org/all/93d10611-9fbb-4242-87b8-5860b2606042@suswa.mountain/
+Fixes: 1721bc1b2afa ("drm/amdgpu: Update VF2PF interface")
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: wenlunpeng <wenlunpeng@uniontech.com>
+Reported-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h b/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h
+index fb2b394bb9c55..6e9eeaeb3de1d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h
+@@ -213,7 +213,7 @@ struct amd_sriov_msg_pf2vf_info {
+ uint32_t gpu_capacity;
+ /* reserved */
+ uint32_t reserved[256 - AMD_SRIOV_MSG_PF2VF_INFO_FILLED_SIZE];
+-};
++} __packed;
+
+ struct amd_sriov_msg_vf2pf_info_header {
+ /* the total structure size in byte */
+@@ -273,7 +273,7 @@ struct amd_sriov_msg_vf2pf_info {
+ uint32_t mes_info_size;
+ /* reserved */
+ uint32_t reserved[256 - AMD_SRIOV_MSG_VF2PF_INFO_FILLED_SIZE];
+-};
++} __packed;
+
+ /* mailbox message send from guest to host */
+ enum amd_sriov_mailbox_request_message {
+--
+2.43.0
+
--- /dev/null
+From 3d7f72662120d48a9e32870592bb1490d28b39ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 17:18:17 +0530
+Subject: drm/amd/display: Add null check for set_output_gamma in
+ dcn30_set_output_transfer_func
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2 ]
+
+This commit adds a null check for the set_output_gamma function pointer
+in the dcn30_set_output_transfer_func function. Previously,
+set_output_gamma was being checked for nullity at line 386, but then it
+was being dereferenced without any nullity check at line 401. This
+could potentially lead to a null pointer dereference error if
+set_output_gamma is indeed null.
+
+To fix this, we now ensure that set_output_gamma is not null before
+dereferencing it. We do this by adding a nullity check for
+set_output_gamma before the call to set_output_gamma at line 401. If
+set_output_gamma is null, we log an error message and do not call the
+function.
+
+This fix prevents a potential null pointer dereference error.
+
+drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()
+error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)
+
+drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c
+ 373 bool dcn30_set_output_transfer_func(struct dc *dc,
+ 374 struct pipe_ctx *pipe_ctx,
+ 375 const struct dc_stream_state *stream)
+ 376 {
+ 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;
+ 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
+ 379 const struct pwl_params *params = NULL;
+ 380 bool ret = false;
+ 381
+ 382 /* program OGAM or 3DLUT only for the top pipe*/
+ 383 if (pipe_ctx->top_pipe == NULL) {
+ 384 /*program rmu shaper and 3dlut in MPC*/
+ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
+ 386 if (ret == false && mpc->funcs->set_output_gamma) {
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL
+
+ 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
+ 388 params = &stream->out_transfer_func.pwl;
+ 389 else if (pipe_ctx->stream->out_transfer_func.type ==
+ 390 TF_TYPE_DISTRIBUTED_POINTS &&
+ 391 cm3_helper_translate_curve_to_hw_format(
+ 392 &stream->out_transfer_func,
+ 393 &mpc->blender_params, false))
+ 394 params = &mpc->blender_params;
+ 395 /* there are no ROM LUTs in OUTGAM */
+ 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
+ 397 BREAK_TO_DEBUGGER();
+ 398 }
+ 399 }
+ 400
+--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash
+
+ 402 return ret;
+ 403 }
+
+Fixes: d99f13878d6f ("drm/amd/display: Add DCN3 HWSEQ")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Roman Li <roman.li@amd.com>
+Cc: Hersen Wu <hersenxs.wu@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c
+index 4c47061533050..05c5d4f04e1bd 100644
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c
+@@ -395,7 +395,11 @@ bool dcn30_set_output_transfer_func(struct dc *dc,
+ }
+ }
+
+- mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
++ if (mpc->funcs->set_output_gamma)
++ mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
++ else
++ DC_LOG_ERROR("%s: set_output_gamma function pointer is NULL.\n", __func__);
++
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3f6e037fb82fcb83dd5f2913036c4589ded0aee2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 08:56:07 -0400
+Subject: drm/amdgpu: fix invalid fence handling in amdgpu_vm_tlb_flush
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lang Yu <lang.yu@amd.com>
+
+[ Upstream commit 4453808d9eab0461dea338e89372ffc4a3c50acc ]
+
+CPU based update doesn't produce a fence, handle such cases properly.
+
+Fixes: d8a3f0a0348d ("drm/amdgpu: implement TLB flush fence")
+Signed-off-by: Lang Yu <lang.yu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+index 0f7106066480e..3fdbc10aebce1 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -902,10 +902,12 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_update_params *params,
+ {
+ struct amdgpu_vm *vm = params->vm;
+
+- if (!fence || !*fence)
++ tlb_cb->vm = vm;
++ if (!fence || !*fence) {
++ amdgpu_vm_tlb_seq_cb(NULL, &tlb_cb->cb);
+ return;
++ }
+
+- tlb_cb->vm = vm;
+ if (!dma_fence_add_callback(*fence, &tlb_cb->cb,
+ amdgpu_vm_tlb_seq_cb)) {
+ dma_fence_put(vm->last_tlb_flush);
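Review bot: The new early-return branch calls amdgpu_vm_tlb_seq_cb() directly with a NULL fence, and the reason for doing so appears only in the commit message. A comment at the call would help the next reader, e.g. `/* CPU-based update: no fence, so run the TLB sequence callback synchronously */`. If the callback releases tlb_cb (not visible here), the function's documentation should also state that tlb_cb is consumed on this path, so callers do not touch it afterwards. The function body continues outside the hunk.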
+--
+2.43.0
+
--- /dev/null
+From ac1a293dce0782b72f79c4dd141317bed8f7a8d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 13:23:56 -0400
+Subject: drm/amdgpu: properly handle vbios fake edid sizing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 8155566a26b8d6c1dd914f06a0c652e4e2f2adf1 ]
+
+The comment in the vbios structure says:
+// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
+
+This fake edid struct has not been used in a long time, so I'm
+not sure if there were actually any boards out there with a non-128 byte
+EDID, but align the code with the comment.
+
+Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
+Reported-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/amdgpu/atombios_encoders.c | 29 ++++++++++---------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+index 25feab188dfe6..ebf83fee43bb9 100644
+--- a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
++++ b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+@@ -2065,26 +2065,29 @@ amdgpu_atombios_encoder_get_lcd_info(struct amdgpu_encoder *encoder)
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ struct edid *edid;
+- int edid_size =
+- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength);
+- edid = kmalloc(edid_size, GFP_KERNEL);
++ int edid_size;
++
++ if (fake_edid_record->ucFakeEDIDLength == 128)
++ edid_size = fake_edid_record->ucFakeEDIDLength;
++ else
++ edid_size = fake_edid_record->ucFakeEDIDLength * 128;
++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0],
++ edid_size, GFP_KERNEL);
+ if (edid) {
+- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0],
+- fake_edid_record->ucFakeEDIDLength);
+-
+ if (drm_edid_is_valid(edid)) {
+ adev->mode_info.bios_hardcoded_edid = edid;
+ adev->mode_info.bios_hardcoded_edid_size = edid_size;
+- } else
++ } else {
+ kfree(edid);
++ }
+ }
++ record += struct_size(fake_edid_record,
++ ucFakeEDIDString,
++ edid_size);
++ } else {
++ /* empty fake edid record must be 3 bytes long */
++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+- record += fake_edid_record->ucFakeEDIDLength ?
+- struct_size(fake_edid_record,
+- ucFakeEDIDString,
+- fake_edid_record->ucFakeEDIDLength) :
+- /* empty fake edid record must be 3 bytes long */
+- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
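Review bot: edid_size is now derived from the VBIOS byte ucFakeEDIDLength and can reach 255 * 128 bytes, but nothing in this hunk checks it against the bytes remaining in the record table before kmemdup() reads that many bytes from ucFakeEDIDString and `record` is advanced by the same amount. A malformed or corrupted VBIOS image with an oversized length would make the copy read past the table, so the size should be compared with the remaining table length (the end pointer is outside this hunk) and the record skipped when it does not fit. Related: drm_edid_is_valid(edid) takes no length argument, so it presumably trusts the extension count inside the blob rather than edid_size; that is worth confirming against the allocation size. The enclosing function starts and ends outside the hunk.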
+--
+2.43.0
+
--- /dev/null
+From 37bf5a5a80889a608eb10c02f03b1cdc0105ddee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 17:16:37 +0800
+Subject: drm/bridge: lontium-lt8912b: Validate mode in
+ drm_bridge_funcs::mode_valid()
+
+From: Liu Ying <victor.liu@nxp.com>
+
+[ Upstream commit fe828fbd87786238b30f44cafd698d975d956c97 ]
+
+If the bridge is attached with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set,
+this driver won't initialize a connector and hence display mode won't be
+validated in drm_connector_helper_funcs::mode_valid(). So, move the mode
+validation from drm_connector_helper_funcs::mode_valid() to
+drm_bridge_funcs::mode_valid(), because the mode validation is always done
+for the bridge.
+
+Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge")
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240813091637.1054586-1-victor.liu@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt8912b.c | 35 ++++++++++++------------
+ 1 file changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/lontium-lt8912b.c b/drivers/gpu/drm/bridge/lontium-lt8912b.c
+index 1a9defa15663c..e265ab3c8c929 100644
+--- a/drivers/gpu/drm/bridge/lontium-lt8912b.c
++++ b/drivers/gpu/drm/bridge/lontium-lt8912b.c
+@@ -422,22 +422,6 @@ static const struct drm_connector_funcs lt8912_connector_funcs = {
+ .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
+ };
+
+-static enum drm_mode_status
+-lt8912_connector_mode_valid(struct drm_connector *connector,
+- struct drm_display_mode *mode)
+-{
+- if (mode->clock > 150000)
+- return MODE_CLOCK_HIGH;
+-
+- if (mode->hdisplay > 1920)
+- return MODE_BAD_HVALUE;
+-
+- if (mode->vdisplay > 1080)
+- return MODE_BAD_VVALUE;
+-
+- return MODE_OK;
+-}
+-
+ static int lt8912_connector_get_modes(struct drm_connector *connector)
+ {
+ const struct drm_edid *drm_edid;
+@@ -463,7 +447,6 @@ static int lt8912_connector_get_modes(struct drm_connector *connector)
+
+ static const struct drm_connector_helper_funcs lt8912_connector_helper_funcs = {
+ .get_modes = lt8912_connector_get_modes,
+- .mode_valid = lt8912_connector_mode_valid,
+ };
+
+ static void lt8912_bridge_mode_set(struct drm_bridge *bridge,
+@@ -605,6 +588,23 @@ static void lt8912_bridge_detach(struct drm_bridge *bridge)
+ drm_bridge_hpd_disable(lt->hdmi_port);
+ }
+
++static enum drm_mode_status
++lt8912_bridge_mode_valid(struct drm_bridge *bridge,
++ const struct drm_display_info *info,
++ const struct drm_display_mode *mode)
++{
++ if (mode->clock > 150000)
++ return MODE_CLOCK_HIGH;
++
++ if (mode->hdisplay > 1920)
++ return MODE_BAD_HVALUE;
++
++ if (mode->vdisplay > 1080)
++ return MODE_BAD_VVALUE;
++
++ return MODE_OK;
++}
++
+ static enum drm_connector_status
+ lt8912_bridge_detect(struct drm_bridge *bridge)
+ {
+@@ -635,6 +635,7 @@ static const struct drm_edid *lt8912_bridge_edid_read(struct drm_bridge *bridge,
+ static const struct drm_bridge_funcs lt8912_bridge_funcs = {
+ .attach = lt8912_bridge_attach,
+ .detach = lt8912_bridge_detach,
++ .mode_valid = lt8912_bridge_mode_valid,
+ .mode_set = lt8912_bridge_mode_set,
+ .enable = lt8912_bridge_enable,
+ .detect = lt8912_bridge_detect,
+--
+2.43.0
+
--- /dev/null
+From 184af684acee7731c82eedc76c242bcba405a2fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 22:55:19 +0800
+Subject: drm/mediatek: Fix missing configuration flags in
+ mtk_crtc_ddp_config()
+
+From: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+
+[ Upstream commit fe30bae552ce27b9fefe0b12db1544e73d07325f ]
+
+In mtk_crtc_ddp_config(), mtk_crtc will use some configuration flags to
+generate instructions to cmdq_handle, such as:
+ state->pending_config
+ mtk_crtc->pending_planes
+ plane_state->pending.config
+ mtk_crtc->pending_async_planes
+ plane_state->pending.async_config
+
+These configuration flags may be set to false when a GCE IRQ comes calling
+ddp_cmdq_cb(). This may result in missing prepare instructions,
+especially when mtk_crtc_update_config() is called with need_vblank set
+to false (no need to wait for vblank).
+
+Therefore, the mtk_crtc->config_updating flag is set at the beginning of
+mtk_crtc_update_config() to ensure that these configuration flags won't be
+changed when the mtk_crtc_ddp_config() is preparing instructions.
+But somehow the ddp_cmdq_cb() didn't use the mtk_crtc->config_updating
+flag to prevent those pending config flags from being cleared.
+
+To avoid missing the configuration when generating the config instruction,
+the config_updating flag should be added into ddp_cmdq_cb() and be
+protected with spin_lock.
+
+Fixes: 7f82d9c43879 ("drm/mediatek: Clear pending flag when cmdq packet is done")
+Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Reviewed-by: Fei Shao <fshao@chromium.org>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240827-drm-fixup-0819-v3-1-4761005211ec@mediatek.com/
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240827-drm-fixup-0819-v3-2-4761005211ec@mediatek.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_crtc.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_crtc.c b/drivers/gpu/drm/mediatek/mtk_crtc.c
+index 6f34f573e127e..d7f0926f896d6 100644
+--- a/drivers/gpu/drm/mediatek/mtk_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_crtc.c
+@@ -69,6 +69,8 @@ struct mtk_crtc {
+ /* lock for display hardware access */
+ struct mutex hw_lock;
+ bool config_updating;
++ /* lock for config_updating to cmd buffer */
++ spinlock_t config_lock;
+ };
+
+ struct mtk_crtc_state {
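Review bot: The comment `/* lock for config_updating to cmd buffer */` on the new spinlock does not say which accesses it orders. From the other hunks it guards config_updating against ddp_cmdq_cb() and mtk_drm_finish_page_flip(), and it also covers the pending flags cleared in ddp_cmdq_cb(); something like `/* protects config_updating and the pending flags cleared from the cmdq callback and vblank paths */` would be clearer. Note that mtk_crtc_update_config() still sets pending_needs_vblank after dropping the lock, which appears safe only because config_updating is already true at that point. Stating that dependency in the comment would keep a later change from breaking it.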
+@@ -106,11 +108,16 @@ static void mtk_crtc_finish_page_flip(struct mtk_crtc *mtk_crtc)
+
+ static void mtk_drm_finish_page_flip(struct mtk_crtc *mtk_crtc)
+ {
++ unsigned long flags;
++
+ drm_crtc_handle_vblank(&mtk_crtc->base);
++
++ spin_lock_irqsave(&mtk_crtc->config_lock, flags);
+ if (!mtk_crtc->config_updating && mtk_crtc->pending_needs_vblank) {
+ mtk_crtc_finish_page_flip(mtk_crtc);
+ mtk_crtc->pending_needs_vblank = false;
+ }
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
+ }
+
+ #if IS_REACHABLE(CONFIG_MTK_CMDQ)
+@@ -308,12 +315,19 @@ static void ddp_cmdq_cb(struct mbox_client *cl, void *mssg)
+ struct mtk_crtc *mtk_crtc = container_of(cmdq_cl, struct mtk_crtc, cmdq_client);
+ struct mtk_crtc_state *state;
+ unsigned int i;
++ unsigned long flags;
+
+ if (data->sta < 0)
+ return;
+
+ state = to_mtk_crtc_state(mtk_crtc->base.state);
+
++ spin_lock_irqsave(&mtk_crtc->config_lock, flags);
++ if (mtk_crtc->config_updating) {
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
++ goto ddp_cmdq_cb_out;
++ }
++
+ state->pending_config = false;
+
+ if (mtk_crtc->pending_planes) {
+@@ -340,6 +354,10 @@ static void ddp_cmdq_cb(struct mbox_client *cl, void *mssg)
+ mtk_crtc->pending_async_planes = false;
+ }
+
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
++
++ddp_cmdq_cb_out:
++
+ mtk_crtc->cmdq_vblank_cnt = 0;
+ wake_up(&mtk_crtc->cb_blocking_queue);
+ }
+@@ -569,9 +587,14 @@ static void mtk_crtc_update_config(struct mtk_crtc *mtk_crtc, bool needs_vblank)
+ struct mtk_drm_private *priv = crtc->dev->dev_private;
+ unsigned int pending_planes = 0, pending_async_planes = 0;
+ int i;
++ unsigned long flags;
+
+ mutex_lock(&mtk_crtc->hw_lock);
++
++ spin_lock_irqsave(&mtk_crtc->config_lock, flags);
+ mtk_crtc->config_updating = true;
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
++
+ if (needs_vblank)
+ mtk_crtc->pending_needs_vblank = true;
+
+@@ -625,7 +648,10 @@ static void mtk_crtc_update_config(struct mtk_crtc *mtk_crtc, bool needs_vblank)
+ mbox_client_txdone(mtk_crtc->cmdq_client.chan, 0);
+ }
+ #endif
++ spin_lock_irqsave(&mtk_crtc->config_lock, flags);
+ mtk_crtc->config_updating = false;
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
++
+ mutex_unlock(&mtk_crtc->hw_lock);
+ }
+
+@@ -1068,6 +1094,7 @@ int mtk_crtc_create(struct drm_device *drm_dev, const unsigned int *path,
+ drm_mode_crtc_set_gamma_size(&mtk_crtc->base, gamma_lut_size);
+ drm_crtc_enable_color_mgmt(&mtk_crtc->base, 0, has_ctm, gamma_lut_size);
+ mutex_init(&mtk_crtc->hw_lock);
++ spin_lock_init(&mtk_crtc->config_lock);
+
+ #if IS_REACHABLE(CONFIG_MTK_CMDQ)
+ i = priv->mbox_index++;
+--
+2.43.0
+
--- /dev/null
+From 720e47f98989daa30b5b43ab2a58ad713a60a140 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 18:14:47 +0800
+Subject: drm/mediatek: Use spin_lock_irqsave() for CRTC event lock
+
+From: Fei Shao <fshao@chromium.org>
+
+[ Upstream commit be03b30b7aa99aca876fbc7c1c1b73b2d0339321 ]
+
+Use the state-aware spin_lock_irqsave() and spin_unlock_irqrestore()
+to avoid unconditionally re-enabling the local interrupts.
+
+Fixes: 411f5c1eacfe ("drm/mediatek: handle events when enabling/disabling crtc")
+Signed-off-by: Fei Shao <fshao@chromium.org>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240828101511.3269822-1-fshao@chromium.org/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_crtc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_crtc.c b/drivers/gpu/drm/mediatek/mtk_crtc.c
+index d7f0926f896d6..a90504359e8d2 100644
+--- a/drivers/gpu/drm/mediatek/mtk_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_crtc.c
+@@ -467,6 +467,7 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_crtc *mtk_crtc)
+ {
+ struct drm_device *drm = mtk_crtc->base.dev;
+ struct drm_crtc *crtc = &mtk_crtc->base;
++ unsigned long flags;
+ int i;
+
+ for (i = 0; i < mtk_crtc->ddp_comp_nr; i++) {
+@@ -498,10 +499,10 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_crtc *mtk_crtc)
+ pm_runtime_put(drm->dev);
+
+ if (crtc->state->event && !crtc->state->active) {
+- spin_lock_irq(&crtc->dev->event_lock);
++ spin_lock_irqsave(&crtc->dev->event_lock, flags);
+ drm_crtc_send_vblank_event(crtc, crtc->state->event);
+ crtc->state->event = NULL;
+- spin_unlock_irq(&crtc->dev->event_lock);
++ spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From ed51b512705121a65d4f542d0f441bbab7b9e156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:00 +0000
+Subject: drm/msm/a5xx: disable preemption in submits by default
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit db9dec2db76146d65e1cfbb6afb2e2bd5dab67f8 ]
+
+Fine grain preemption (switching from/to points within submits)
+requires extra handling in command stream of those submits, especially
+when rendering with tiling (using GMEM). However this handling is
+missing at this point in mesa (and always was). For this reason we get
+random GPU faults and hangs if more than one priority level is used
+because local preemption is enabled prior to executing command stream
+from submit.
+With that said it was ahead of time to enable local preemption by
+default considering the fact that even on downstream kernel it is only
+enabled if requested via UAPI.
+
+Fixes: a7a4c19c36de ("drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612041/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index c003f970189b0..64466282689fd 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -150,9 +150,13 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit)
+ OUT_PKT7(ring, CP_SET_PROTECTED_MODE, 1);
+ OUT_RING(ring, 1);
+
+- /* Enable local preemption for finegrain preemption */
++ /*
++ * Disable local preemption by default because it requires
++ * user-space to be aware of it and provide additional handling
++ * to restore rendering state or do various flushes on switch.
++ */
+ OUT_PKT7(ring, CP_PREEMPT_ENABLE_LOCAL, 1);
+- OUT_RING(ring, 0x1);
++ OUT_RING(ring, 0x0);
+
+ /* Allow CP_CONTEXT_SWITCH_YIELD packets in the IB2 */
+ OUT_PKT7(ring, CP_YIELD_ENABLE, 1);
+--
+2.43.0
+
--- /dev/null
+From 4df61a4bff13a8e4e3b88d3200d5a7db1ab349f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:02 +0000
+Subject: drm/msm/a5xx: fix races in preemption evaluation stage
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit ce050f307ad93bcc5958d0dd35fc276fd394d274 ]
+
+On A5XX GPUs when preemption is used it's inevitable to enter a soft
+lock-up state in which GPU is stuck at empty ring-buffer doing nothing.
+This appears as full UI lockup and not detected as GPU hang (because
+it's not). This happens due to not triggering preemption when it was
+needed. Sometimes this state can be recovered by some new submit but
+generally it won't happen because applications are waiting for old
+submits to retire.
+
+One of the reasons why this happens is a race between a5xx_submit and
+a5xx_preempt_trigger called from IRQ during submit retire. Former thread
+updates ring->cur of previously empty and not current ring right after
+latter checks it for emptiness. Then both threads can just exit because
+for first one preempt_state wasn't NONE yet and for second one all rings
+appeared to be empty.
+
+To prevent such situations from happening we need to establish guarantee
+for preempt_trigger to make decision after each submit or retire. To
+implement this we serialize preemption initiation using spinlock. If
+switch is already in progress we need to re-trigger preemption when it
+finishes.
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612045/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 +
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 24 +++++++++++++++++++++--
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+index c7187bcc5e908..b4d06ca3e499d 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+@@ -36,6 +36,7 @@ struct a5xx_gpu {
+ uint64_t preempt_iova[MSM_GPU_MAX_RINGS];
+
+ atomic_t preempt_state;
++ spinlock_t preempt_start_lock;
+ struct timer_list preempt_timer;
+
+ struct drm_gem_object *shadow_bo;
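Review bot: The new `preempt_start_lock` field is added without a comment saying what it protects or where it sits in the lock order. From the a5xx_preempt.c hunks of this patch it is held across the NONE-to-START transition and the get_next_ring() call in a5xx_preempt_trigger(). get_next_ring() takes `ring->preempt_lock` (visible in a later patch on this page), so the order appears to be preempt_start_lock first, then the per-ring lock. A one-line comment on the field would record that, e.g. `/* serializes the start of preemption in a5xx_preempt_trigger(); taken before ring->preempt_lock */`.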
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index 67a8ef4adf6b6..c65b34a4a8cc2 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -97,12 +97,19 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+ if (gpu->nr_rings == 1)
+ return;
+
++ /*
++ * Serialize preemption start to ensure that we always make
++ * decision on latest state. Otherwise we can get stuck in
++ * lower priority or empty ring.
++ */
++ spin_lock_irqsave(&a5xx_gpu->preempt_start_lock, flags);
++
+ /*
+ * Try to start preemption by moving from NONE to START. If
+ * unsuccessful, a preemption is already in flight
+ */
+ if (!try_preempt_state(a5xx_gpu, PREEMPT_NONE, PREEMPT_START))
+- return;
++ goto out;
+
+ /* Get the next ring to preempt to */
+ ring = get_next_ring(gpu);
+@@ -127,9 +134,11 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+ set_preempt_state(a5xx_gpu, PREEMPT_ABORT);
+ update_wptr(gpu, a5xx_gpu->cur_ring);
+ set_preempt_state(a5xx_gpu, PREEMPT_NONE);
+- return;
++ goto out;
+ }
+
++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags);
++
+ /* Make sure the wptr doesn't update while we're in motion */
+ spin_lock_irqsave(&ring->preempt_lock, flags);
+ a5xx_gpu->preempt[ring->id]->wptr = get_wptr(ring);
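Review bot: `preempt_start_lock` is released at the added `spin_unlock_irqrestore()` before the context switch is programmed, and nothing in the hunk says why that is safe. As far as the visible code shows, the state has already left PREEMPT_NONE at that point, so a concurrent caller fails `try_preempt_state()` and relies on the re-trigger this patch adds at the end of a5xx_preempt_irq(). A short comment above the unlock would keep that reasoning with the code, for example `/* state is START from here on: later callers bail out and the IRQ handler re-triggers */`. The same `flags` variable is then reused for `ring->preempt_lock`, which is correct because the two critical sections do not overlap, though a second variable would read more clearly. a5xx_preempt_trigger() starts and continues outside this hunk.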
+@@ -152,6 +161,10 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+
+ /* And actually start the preemption */
+ gpu_write(gpu, REG_A5XX_CP_CONTEXT_SWITCH_CNTL, 1);
++ return;
++
++out:
++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags);
+ }
+
+ void a5xx_preempt_irq(struct msm_gpu *gpu)
+@@ -188,6 +201,12 @@ void a5xx_preempt_irq(struct msm_gpu *gpu)
+ update_wptr(gpu, a5xx_gpu->cur_ring);
+
+ set_preempt_state(a5xx_gpu, PREEMPT_NONE);
++
++ /*
++ * Try to trigger preemption again in case there was a submit or
++ * retire during ring switch
++ */
++ a5xx_preempt_trigger(gpu);
+ }
+
+ void a5xx_preempt_hw_init(struct msm_gpu *gpu)
+@@ -300,5 +319,6 @@ void a5xx_preempt_init(struct msm_gpu *gpu)
+ }
+ }
+
++ spin_lock_init(&a5xx_gpu->preempt_start_lock);
+ timer_setup(&a5xx_gpu->preempt_timer, a5xx_preempt_timer, 0);
+ }
+--
+2.43.0
+
--- /dev/null
+From 5931e06a379888d1f63791e56c313e16379c782f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:01 +0000
+Subject: drm/msm/a5xx: properly clear preemption records on resume
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit 64fd6d01a52904bdbda0ce810a45a428c995a4ca ]
+
+Two fields of preempt_record which are used by CP aren't reset on
+resume: "data" and "info". This is the reason behind faults which happen
+when we try to switch to the ring that was active last before suspend.
+In addition those faults can't be recovered from because we use suspend
+and resume to do so (keeping values of those fields again).
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/612043/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index f58dd564d122b..67a8ef4adf6b6 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -204,6 +204,8 @@ void a5xx_preempt_hw_init(struct msm_gpu *gpu)
+ return;
+
+ for (i = 0; i < gpu->nr_rings; i++) {
++ a5xx_gpu->preempt[i]->data = 0;
++ a5xx_gpu->preempt[i]->info = 0;
+ a5xx_gpu->preempt[i]->wptr = 0;
+ a5xx_gpu->preempt[i]->rptr = 0;
+ a5xx_gpu->preempt[i]->rbase = gpu->rb[i]->iova;
+--
+2.43.0
+
--- /dev/null
+From 3d73c1d49d1e57281ec2552e94317735dc2defd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:03 +0000
+Subject: drm/msm/a5xx: workaround early ring-buffer emptiness check
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit a30f9f65b5ac82d4390548c32ed9c7f05de7ddf5 ]
+
+There is another cause for soft lock-up of GPU in empty ring-buffer:
+race between GPU executing last commands and CPU checking ring for
+emptiness. On GPU side IRQ for retire is triggered by CACHE_FLUSH_TS
+event and RPTR shadow (which is used to check ring emptiness) is updated
+a bit later from CP_CONTEXT_SWITCH_YIELD. Thus if GPU is executing its
+last commands slow enough or we check that ring too fast we will miss a
+chance to trigger switch to lower priority ring because current ring isn't
+empty just yet. This can escalate to lock-up situation described in
+previous patch.
+To work-around this issue we keep track of last submit sequence number
+for each ring and compare it with one written to memptrs from GPU during
+execution of CACHE_FLUSH_TS event.
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612047/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 ++++
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 +
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 4 ++++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index 64466282689fd..0eb3db9c3d9e6 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -65,6 +65,8 @@ void a5xx_flush(struct msm_gpu *gpu, struct msm_ringbuffer *ring,
+
+ static void a5xx_submit_in_rb(struct msm_gpu *gpu, struct msm_gem_submit *submit)
+ {
++ struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu);
++ struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu);
+ struct msm_ringbuffer *ring = submit->ring;
+ struct drm_gem_object *obj;
+ uint32_t *ptr, dwords;
+@@ -109,6 +111,7 @@ static void a5xx_submit_in_rb(struct msm_gpu *gpu, struct msm_gem_submit *submit
+ }
+ }
+
++ a5xx_gpu->last_seqno[ring->id] = submit->seqno;
+ a5xx_flush(gpu, ring, true);
+ a5xx_preempt_trigger(gpu);
+
+@@ -210,6 +213,7 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit)
+ /* Write the fence to the scratch register */
+ OUT_PKT4(ring, REG_A5XX_CP_SCRATCH_REG(2), 1);
+ OUT_RING(ring, submit->seqno);
++ a5xx_gpu->last_seqno[ring->id] = submit->seqno;
+
+ /*
+ * Execute a CACHE_FLUSH_TS event. This will ensure that the
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+index b4d06ca3e499d..9c0d701fe4b85 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+@@ -34,6 +34,7 @@ struct a5xx_gpu {
+ struct drm_gem_object *preempt_counters_bo[MSM_GPU_MAX_RINGS];
+ struct a5xx_preempt_record *preempt[MSM_GPU_MAX_RINGS];
+ uint64_t preempt_iova[MSM_GPU_MAX_RINGS];
++ uint32_t last_seqno[MSM_GPU_MAX_RINGS];
+
+ atomic_t preempt_state;
+ spinlock_t preempt_start_lock;
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index c65b34a4a8cc2..0469fea550108 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -55,6 +55,8 @@ static inline void update_wptr(struct msm_gpu *gpu, struct msm_ringbuffer *ring)
+ /* Return the highest priority ringbuffer with something in it */
+ static struct msm_ringbuffer *get_next_ring(struct msm_gpu *gpu)
+ {
++ struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu);
++ struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu);
+ unsigned long flags;
+ int i;
+
+@@ -64,6 +66,8 @@ static struct msm_ringbuffer *get_next_ring(struct msm_gpu *gpu)
+
+ spin_lock_irqsave(&ring->preempt_lock, flags);
+ empty = (get_wptr(ring) == gpu->funcs->get_rptr(gpu, ring));
++ if (!empty && ring == a5xx_gpu->cur_ring)
++ empty = ring->memptrs->fence == a5xx_gpu->last_seqno[i];
+ spin_unlock_irqrestore(&ring->preempt_lock, flags);
+
+ if (!empty)
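Review bot: `last_seqno` is read with the loop counter here (`a5xx_gpu->last_seqno[i]`) but written with `ring->id` at both store sites in a5xx_gpu.c, so the read matches the writes only if the ring fetched for index i has id i. `a5xx_gpu->last_seqno[ring->id]` would make the pairing explicit. The stores in a5xx_submit() and a5xx_submit_in_rb() are plain assignments and nothing visible shows them under `ring->preempt_lock`, while this read is. If they really are unlocked, `WRITE_ONCE()`/`READ_ONCE()` plus a comment on the intended ordering against the wptr update would document what the workaround tolerates. get_next_ring() begins and ends outside the hunk.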
+--
+2.43.0
+
--- /dev/null
+From ac0c51e36cc268ad6ea73b20a9548585c720676e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 12:50:11 -0700
+Subject: drm/msm/dp: enable widebus on all relevant chipsets
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+[ Upstream commit c7c412202623951dcfc22316f5255fd84fd56186 ]
+
+Hardware document indicates that widebus is recommended on DP on all
+MDSS chipsets starting version 5.x.x and above.
+
+Follow the guideline and mark widebus support on all relevant
+chipsets for DP.
+
+Fixes: 766f705204a0 ("drm/msm/dp: Remove now unused connector_type from desc")
+Fixes: 1b2d98bdd7b7 ("drm/msm/dp: Add DisplayPort controller for SM8650")
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Fixes: 757a2f36ab09 ("drm/msm/dp: enable widebus feature for display port")
+Fixes: 1b2d98bdd7b7 ("drm/msm/dp: Add DisplayPort controller for SM8650")
+Patchwork: https://patchwork.freedesktop.org/patch/606556/
+Link: https://lore.kernel.org/r/20240730195012.2595980-1-quic_abhinavk@quicinc.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index 672a7ba52edad..9dc44ea85b7c6 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -119,7 +119,7 @@ struct msm_dp_desc {
+ };
+
+ static const struct msm_dp_desc sc7180_dp_descs[] = {
+- { .io_start = 0x0ae90000, .id = MSM_DP_CONTROLLER_0 },
++ { .io_start = 0x0ae90000, .id = MSM_DP_CONTROLLER_0, .wide_bus_supported = true },
+ {}
+ };
+
+@@ -130,9 +130,9 @@ static const struct msm_dp_desc sc7280_dp_descs[] = {
+ };
+
+ static const struct msm_dp_desc sc8180x_dp_descs[] = {
+- { .io_start = 0x0ae90000, .id = MSM_DP_CONTROLLER_0 },
+- { .io_start = 0x0ae98000, .id = MSM_DP_CONTROLLER_1 },
+- { .io_start = 0x0ae9a000, .id = MSM_DP_CONTROLLER_2 },
++ { .io_start = 0x0ae90000, .id = MSM_DP_CONTROLLER_0, .wide_bus_supported = true },
++ { .io_start = 0x0ae98000, .id = MSM_DP_CONTROLLER_1, .wide_bus_supported = true },
++ { .io_start = 0x0ae9a000, .id = MSM_DP_CONTROLLER_2, .wide_bus_supported = true },
+ {}
+ };
+
+@@ -149,7 +149,7 @@ static const struct msm_dp_desc sc8280xp_dp_descs[] = {
+ };
+
+ static const struct msm_dp_desc sm8650_dp_descs[] = {
+- { .io_start = 0x0af54000, .id = MSM_DP_CONTROLLER_0 },
++ { .io_start = 0x0af54000, .id = MSM_DP_CONTROLLER_0, .wide_bus_supported = true },
+ {}
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 49c0da554e9fa0ccb43d94dccd31864e57c9e170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 08:40:07 +0300
+Subject: drm/msm/dsi: correct programming sequence for SM8350 / SM8450
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 1328cb7c34bf6d056df9ff694ee5194537548258 ]
+
+According to the display-drivers, 5nm DSI PLL (v4.2, v4.3) have
+different boundaries for pll_clock_inverters programming. Follow the
+vendor code and use correct values.
+
+Fixes: 2f9ae4e395ed ("drm/msm/dsi: add support for DSI-PHY on SM8350 and SM8450")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/606947/
+Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-3-1149dd8399fe@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c
+index 82d015aa2d634..29aa91238bc47 100644
+--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c
++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c
+@@ -135,7 +135,7 @@ static void dsi_pll_calc_dec_frac(struct dsi_pll_7nm *pll, struct dsi_pll_config
+ config->pll_clock_inverters = 0x00;
+ else
+ config->pll_clock_inverters = 0x40;
+- } else {
++ } else if (pll->phy->cfg->quirks & DSI_PHY_7NM_QUIRK_V4_1) {
+ if (pll_freq <= 1000000000ULL)
+ config->pll_clock_inverters = 0xa0;
+ else if (pll_freq <= 2500000000ULL)
+@@ -144,6 +144,16 @@ static void dsi_pll_calc_dec_frac(struct dsi_pll_7nm *pll, struct dsi_pll_config
+ config->pll_clock_inverters = 0x00;
+ else
+ config->pll_clock_inverters = 0x40;
++ } else {
++ /* 4.2, 4.3 */
++ if (pll_freq <= 1000000000ULL)
++ config->pll_clock_inverters = 0xa0;
++ else if (pll_freq <= 2500000000ULL)
++ config->pll_clock_inverters = 0x20;
++ else if (pll_freq <= 3500000000ULL)
++ config->pll_clock_inverters = 0x00;
++ else
++ config->pll_clock_inverters = 0x40;
+ }
+
+ config->decimal_div_start = dec;
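Review bot: The new catch-all `else` is labelled `/* 4.2, 4.3 */`, but it is reached by every PHY that has neither the V4_1 quirk nor whatever the first branch (outside the hunk) tests. Any later revision handled by this file would therefore silently get the 4.2/4.3 inverter boundaries. Either test the 4.2/4.3 quirk bits explicitly and keep a separate default, or widen the comment if newer revisions are meant to share these values, e.g. `/* 4.2, 4.3 and later */`. The two ladders also repeat the same 0xa0 … 0x40 sequence and, as far as the visible lines show, differ only in a boundary, so a per-revision threshold variable feeding one ladder would be easier to audit. dsi_pll_calc_dec_frac() starts and ends outside these hunks.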
+--
+2.43.0
+
--- /dev/null
+From fcb5e01c4fb71851b17e1695109b5453f943cdee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 13:34:28 +0100
+Subject: drm/msm: Dump correct dbgahb clusters on a750
+
+From: Connor Abbott <cwabbott0@gmail.com>
+
+[ Upstream commit d8c17d7aadc2463a395f9340f44c7c34399f1d48 ]
+
+This was missed thanks to the family mixup fixed in the previous commit.
+
+Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750")
+Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/607393/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+index f2030e521a03a..0fcae53c0b140 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+@@ -663,10 +663,13 @@ static void a7xx_get_dbgahb_clusters(struct msm_gpu *gpu,
+ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ dbgahb_clusters = gen7_0_0_sptp_clusters;
+ dbgahb_clusters_size = ARRAY_SIZE(gen7_0_0_sptp_clusters);
+- } else {
+- BUG_ON(adreno_gpu->info->family > ADRENO_7XX_GEN3);
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ dbgahb_clusters = gen7_2_0_sptp_clusters;
+ dbgahb_clusters_size = ARRAY_SIZE(gen7_2_0_sptp_clusters);
++ } else {
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
++ dbgahb_clusters = gen7_9_0_sptp_clusters;
++ dbgahb_clusters_size = ARRAY_SIZE(gen7_9_0_sptp_clusters);
+ }
+
+ a6xx_state->dbgahb_clusters = state_kcalloc(a6xx_state,
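Review bot: The final `else` still asserts with `BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3)`, so an unrecognised family brings the kernel down while it is only collecting a GPU state dump. Another hunk on this page in the same file already uses the softer form `if (WARN_ON(datasize > A6XX_CD_DATA_SIZE)) return;`. Here that would be `if (WARN_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3)) return;`, provided the caller tolerates `dbgahb_clusters` being left unset, which cannot be checked from this hunk. The same BUG_ON pattern runs through the family checks in the "Use a7xx family directly in gpu_state" patch further down (a7xx_get_debugbus_blocks, a6xx_get_debugbus, a7xx_get_clusters, a7xx_get_shaders, a7xx_get_registers, a7xx_get_post_crashdumper_registers, a7xx_get_indexed_registers). a7xx_get_dbgahb_clusters() continues outside the hunk.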
+--
+2.43.0
+
--- /dev/null
+From 88763106524233c17ca962a79233a699babfa02e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 13:34:29 +0100
+Subject: drm/msm: Fix CP_BV_DRAW_STATE_ADDR name
+
+From: Connor Abbott <cwabbott0@gmail.com>
+
+[ Upstream commit a47cfb688d78217983c4a0051449aa88e2ff5ebb ]
+
+This was missed because we weren't using the a750-specific indexed regs.
+
+Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750")
+Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
+Reviewed-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/607394/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h b/drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h
+index 260d66eccfecb..9a327d543f27d 100644
+--- a/drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h
++++ b/drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h
+@@ -1303,7 +1303,7 @@ static struct a6xx_indexed_registers gen7_9_0_cp_indexed_reg_list[] = {
+ REG_A6XX_CP_ROQ_DBG_DATA, 0x00800},
+ { "CP_UCODE_DBG_DATA", REG_A6XX_CP_SQE_UCODE_DBG_ADDR,
+ REG_A6XX_CP_SQE_UCODE_DBG_DATA, 0x08000},
+- { "CP_BV_SQE_STAT_ADDR", REG_A7XX_CP_BV_DRAW_STATE_ADDR,
++ { "CP_BV_DRAW_STATE_ADDR", REG_A7XX_CP_BV_DRAW_STATE_ADDR,
+ REG_A7XX_CP_BV_DRAW_STATE_DATA, 0x00200},
+ { "CP_BV_ROQ_DBG_ADDR", REG_A7XX_CP_BV_ROQ_DBG_ADDR,
+ REG_A7XX_CP_BV_ROQ_DBG_DATA, 0x00800},
+--
+2.43.0
+
--- /dev/null
+From 6f372f51028a86f7ac9979682a268263844ce335 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jul 2024 12:13:12 +0300
+Subject: drm/msm: Fix incorrect file name output in adreno_request_fw()
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit e19366911340c2313a1abbb09c54eaf9bdea4f58 ]
+
+In adreno_request_fw() when debugging information is printed to the log
+after firmware load, an incorrect filename is printed. 'newname' is used
+instead of 'fwname', so prefix "qcom/" is being added to filename.
+Looks like "copy-paste" mistake.
+
+Fix this mistake by replacing 'newname' with 'fwname'.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 2c41ef1b6f7d ("drm/msm/adreno: deal with linux-firmware fw paths")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/602382/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+index b93ed15f04a30..d5d9361e11aa5 100644
+--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+@@ -475,7 +475,7 @@ adreno_request_fw(struct adreno_gpu *adreno_gpu, const char *fwname)
+ ret = request_firmware_direct(&fw, fwname, drm->dev);
+ if (!ret) {
+ DRM_DEV_INFO(drm->dev, "loaded %s from legacy location\n",
+- newname);
++ fwname);
+ adreno_gpu->fwloc = FW_LOCATION_LEGACY;
+ goto out;
+ } else if (adreno_gpu->fwloc != FW_LOCATION_UNKNOWN) {
+--
+2.43.0
+
--- /dev/null
+From 4b9c6ffb31b148704b4bb65642cae9540f115b9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 09:53:37 -0700
+Subject: drm/msm: fix %s null argument error
+
+From: Sherry Yang <sherry.yang@oracle.com>
+
+[ Upstream commit 25b85075150fe8adddb096db8a4b950353045ee1 ]
+
+The following build error was triggered because of NULL string argument:
+
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c: In function 'mdp5_smp_dump':
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=]
+BUILDSTDERR: 352 | drm_printf(p, "%s:%d\t%d\t%s\n",
+BUILDSTDERR: | ^~
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=]
+
+This happens from the commit a61ddb4393ad ("drm: enable (most) W=1
+warnings by default across the subsystem"). Using "(null)" instead
+to fix it.
+
+Fixes: bc5289eed481 ("drm/msm/mdp5: add debugfs to show smp block status")
+Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/611071/
+Link: https://lore.kernel.org/r/20240827165337.1075904-1-sherry.yang@oracle.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
+index 3a7f7edda96b2..500b7dc895d05 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
+@@ -351,7 +351,7 @@ void mdp5_smp_dump(struct mdp5_smp *smp, struct drm_printer *p,
+
+ drm_printf(p, "%s:%d\t%d\t%s\n",
+ pipe2name(pipe), j, inuse,
+- plane ? plane->name : NULL);
++ plane ? plane->name : "(null)");
+
+ total += inuse;
+ }
+--
+2.43.0
+
--- /dev/null
+From 4a918f4bca2ca7150ec493343a79f6ffeb73e72b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 13:34:27 +0100
+Subject: drm/msm: Use a7xx family directly in gpu_state
+
+From: Connor Abbott <cwabbott0@gmail.com>
+
+[ Upstream commit db75ef03d72ea75515f5282fe8a4925ae8373fe1 ]
+
+With a7xx, we need to import a new header for each new generation and
+switch to a different list of registers, instead of making
+backwards-compatible changes. Using the helpers inadvertently made a750
+use the a740 list of registers, instead use the family directly to fix
+this.
+
+Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750")
+Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/607392/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 41 ++++++++++-----------
+ 1 file changed, 20 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+index 789a11416f7a4..f2030e521a03a 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+@@ -388,18 +388,18 @@ static void a7xx_get_debugbus_blocks(struct msm_gpu *gpu,
+ const u32 *debugbus_blocks, *gbif_debugbus_blocks;
+ int i;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ debugbus_blocks = gen7_0_0_debugbus_blocks;
+ debugbus_blocks_count = ARRAY_SIZE(gen7_0_0_debugbus_blocks);
+ gbif_debugbus_blocks = a7xx_gbif_debugbus_blocks;
+ gbif_debugbus_blocks_count = ARRAY_SIZE(a7xx_gbif_debugbus_blocks);
+- } else if (adreno_is_a740_family(adreno_gpu)) {
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ debugbus_blocks = gen7_2_0_debugbus_blocks;
+ debugbus_blocks_count = ARRAY_SIZE(gen7_2_0_debugbus_blocks);
+ gbif_debugbus_blocks = a7xx_gbif_debugbus_blocks;
+ gbif_debugbus_blocks_count = ARRAY_SIZE(a7xx_gbif_debugbus_blocks);
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ debugbus_blocks = gen7_9_0_debugbus_blocks;
+ debugbus_blocks_count = ARRAY_SIZE(gen7_9_0_debugbus_blocks);
+ gbif_debugbus_blocks = gen7_9_0_gbif_debugbus_blocks;
+@@ -509,7 +509,7 @@ static void a6xx_get_debugbus(struct msm_gpu *gpu,
+ const struct a6xx_debugbus_block *cx_debugbus_blocks;
+
+ if (adreno_is_a7xx(adreno_gpu)) {
+- BUG_ON(!(adreno_is_a730(adreno_gpu) || adreno_is_a740_family(adreno_gpu)));
++ BUG_ON(adreno_gpu->info->family > ADRENO_7XX_GEN3);
+ cx_debugbus_blocks = a7xx_cx_debugbus_blocks;
+ nr_cx_debugbus_blocks = ARRAY_SIZE(a7xx_cx_debugbus_blocks);
+ } else {
+@@ -660,11 +660,11 @@ static void a7xx_get_dbgahb_clusters(struct msm_gpu *gpu,
+ const struct gen7_sptp_cluster_registers *dbgahb_clusters;
+ unsigned dbgahb_clusters_size;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ dbgahb_clusters = gen7_0_0_sptp_clusters;
+ dbgahb_clusters_size = ARRAY_SIZE(gen7_0_0_sptp_clusters);
+ } else {
+- BUG_ON(!adreno_is_a740_family(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family > ADRENO_7XX_GEN3);
+ dbgahb_clusters = gen7_2_0_sptp_clusters;
+ dbgahb_clusters_size = ARRAY_SIZE(gen7_2_0_sptp_clusters);
+ }
+@@ -818,14 +818,14 @@ static void a7xx_get_clusters(struct msm_gpu *gpu,
+ const struct gen7_cluster_registers *clusters;
+ unsigned clusters_size;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ clusters = gen7_0_0_clusters;
+ clusters_size = ARRAY_SIZE(gen7_0_0_clusters);
+- } else if (adreno_is_a740_family(adreno_gpu)) {
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ clusters = gen7_2_0_clusters;
+ clusters_size = ARRAY_SIZE(gen7_2_0_clusters);
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ clusters = gen7_9_0_clusters;
+ clusters_size = ARRAY_SIZE(gen7_9_0_clusters);
+ }
+@@ -893,7 +893,7 @@ static void a7xx_get_shader_block(struct msm_gpu *gpu,
+ if (WARN_ON(datasize > A6XX_CD_DATA_SIZE))
+ return;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ gpu_rmw(gpu, REG_A7XX_SP_DBG_CNTL, GENMASK(1, 0), 3);
+ }
+
+@@ -923,7 +923,7 @@ static void a7xx_get_shader_block(struct msm_gpu *gpu,
+ datasize);
+
+ out:
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ gpu_rmw(gpu, REG_A7XX_SP_DBG_CNTL, GENMASK(1, 0), 0);
+ }
+ }
+@@ -956,14 +956,14 @@ static void a7xx_get_shaders(struct msm_gpu *gpu,
+ unsigned num_shader_blocks;
+ int i;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ shader_blocks = gen7_0_0_shader_blocks;
+ num_shader_blocks = ARRAY_SIZE(gen7_0_0_shader_blocks);
+- } else if (adreno_is_a740_family(adreno_gpu)) {
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ shader_blocks = gen7_2_0_shader_blocks;
+ num_shader_blocks = ARRAY_SIZE(gen7_2_0_shader_blocks);
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ shader_blocks = gen7_9_0_shader_blocks;
+ num_shader_blocks = ARRAY_SIZE(gen7_9_0_shader_blocks);
+ }
+@@ -1348,14 +1348,14 @@ static void a7xx_get_registers(struct msm_gpu *gpu,
+ const u32 *pre_crashdumper_regs;
+ const struct gen7_reg_list *reglist;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ reglist = gen7_0_0_reg_list;
+ pre_crashdumper_regs = gen7_0_0_pre_crashdumper_gpu_registers;
+- } else if (adreno_is_a740_family(adreno_gpu)) {
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ reglist = gen7_2_0_reg_list;
+ pre_crashdumper_regs = gen7_0_0_pre_crashdumper_gpu_registers;
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ reglist = gen7_9_0_reg_list;
+ pre_crashdumper_regs = gen7_9_0_pre_crashdumper_gpu_registers;
+ }
+@@ -1405,8 +1405,7 @@ static void a7xx_get_post_crashdumper_registers(struct msm_gpu *gpu,
+ struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu);
+ const u32 *regs;
+
+- BUG_ON(!(adreno_is_a730(adreno_gpu) || adreno_is_a740_family(adreno_gpu) ||
+- adreno_is_a750(adreno_gpu)));
++ BUG_ON(adreno_gpu->info->family > ADRENO_7XX_GEN3);
+ regs = gen7_0_0_post_crashdumper_registers;
+
+ a7xx_get_ahb_gpu_registers(gpu,
+@@ -1514,11 +1513,11 @@ static void a7xx_get_indexed_registers(struct msm_gpu *gpu,
+ const struct a6xx_indexed_registers *indexed_regs;
+ int i, indexed_count, mempool_count;
+
+- if (adreno_is_a730(adreno_gpu) || adreno_is_a740_family(adreno_gpu)) {
++ if (adreno_gpu->info->family <= ADRENO_7XX_GEN2) {
+ indexed_regs = a7xx_indexed_reglist;
+ indexed_count = ARRAY_SIZE(a7xx_indexed_reglist);
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ indexed_regs = gen7_9_0_cp_indexed_reg_list;
+ indexed_count = ARRAY_SIZE(gen7_9_0_cp_indexed_reg_list);
+ }
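Review bot: `adreno_gpu->info->family <= ADRENO_7XX_GEN2` depends on the declaration order of the family enum and also matches every family that sorts below GEN1, whereas the other selections in this patch compare with `==`. Writing it as `family == ADRENO_7XX_GEN1 || family == ADRENO_7XX_GEN2` keeps the check aligned with them and stays correct if a family is later inserted into the enum. The `BUG_ON(... > ADRENO_7XX_GEN3)` upper-bound checks in a6xx_get_debugbus() and a7xx_get_post_crashdumper_registers() encode the same ordering assumption. The enum definition is not on this page, so its ordering is assumed here.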
+--
+2.43.0
+
--- /dev/null
+From 5b6d7aeb581bbc3053d86815b7d01309a982eb81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:19:04 -0700
+Subject: drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 3fbaf475a5b8361ebee7da18964db809e37518b7 ]
+
+Several cs track offsets (such as 'track->db_s_read_offset')
+either are initialized with or plainly take big enough values that,
+once shifted 8 bits left, may be hit with integer overflow if the
+resulting values end up going over u32 limit.
+
+Same goes for a few instances of 'surf.layer_size * mslice'
+multiplications that are added to 'offset' variable - they may
+potentially overflow as well and need to be validated properly.
+
+While some debug prints in this code section take possible overflow
+issues into account, simply casting to (unsigned long) may be
+erroneous in its own way, as depending on CPU architecture one is
+liable to get different results.
+
+Fix said problems by:
+ - casting 'offset' to fixed u64 data type instead of
+ ambiguous unsigned long.
+ - casting one of the operands in vulnerable to integer
+ overflow cases to u64.
+ - adjust format specifiers in debug prints to properly
+ represent 'offset' values.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 285484e2d55e ("drm/radeon: add support for evergreen/ni tiling informations v11")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/evergreen_cs.c | 62 +++++++++++++--------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c
+index 1fe6e0d883c79..675a649fa7ab5 100644
+--- a/drivers/gpu/drm/radeon/evergreen_cs.c
++++ b/drivers/gpu/drm/radeon/evergreen_cs.c
+@@ -395,7 +395,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028C6C_SLICE_MAX(track->cb_color_view[id]) + 1;
+@@ -433,14 +433,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ return r;
+ }
+
+- offset = track->cb_color_bo_offset[id] << 8;
++ offset = (u64)track->cb_color_bo_offset[id] << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d cb[%d] bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d cb[%d] bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, id, offset, surf.base_align);
+ return -EINVAL;
+ }
+
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->cb_color_bo[id])) {
+ /* old ddx are broken they allocate bo with w*h*bpp but
+ * program slice with ALIGN(h, 8), catch this and patch
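Review bot: The `(u64)` cast in `offset += (u64)surf.layer_size * mslice;` only widens this one multiplication. `surf.layer_size` is still printed with `%d` below, so it is presumably a 32-bit value computed before this point; if that computation can wrap, the `offset > radeon_bo_size(...)` bound is still checked against a truncated size. The code that fills `surf.layer_size` is outside this hunk and should be checked the same way. Since this comparison is what keeps a submitted command stream inside its buffer object, a comment at the check would help the next reader: `/* offset is u64 so (reg << 8) + layer_size * mslice cannot wrap before the bo size check */`. The stencil and depth hunks below follow the same pattern.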
+@@ -448,14 +448,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ */
+ if (!surf.mode) {
+ uint32_t *ib = p->ib.ptr;
+- unsigned long tmp, nby, bsize, size, min = 0;
++ u64 tmp, nby, bsize, size, min = 0;
+
+ /* find the height the ddx wants */
+ if (surf.nby > 8) {
+ min = surf.nby - 8;
+ }
+ bsize = radeon_bo_size(track->cb_color_bo[id]);
+- tmp = track->cb_color_bo_offset[id] << 8;
++ tmp = (u64)track->cb_color_bo_offset[id] << 8;
+ for (nby = surf.nby; nby > min; nby--) {
+ size = nby * surf.nbx * surf.bpe * surf.nsamples;
+ if ((tmp + size * mslice) <= bsize) {
+@@ -467,7 +467,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ slice = ((nby * surf.nbx) / 64) - 1;
+ if (!evergreen_surface_check(p, &surf, "cb")) {
+ /* check if this one works */
+- tmp += surf.layer_size * mslice;
++ tmp += (u64)surf.layer_size * mslice;
+ if (tmp <= bsize) {
+ ib[track->cb_color_slice_idx[id]] = slice;
+ goto old_ddx_ok;
+@@ -476,9 +476,9 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ }
+ }
+ dev_warn(p->dev, "%s:%d cb[%d] bo too small (layer size %d, "
+- "offset %d, max layer %d, bo size %ld, slice %d)\n",
++ "offset %llu, max layer %d, bo size %ld, slice %d)\n",
+ __func__, __LINE__, id, surf.layer_size,
+- track->cb_color_bo_offset[id] << 8, mslice,
++ (u64)track->cb_color_bo_offset[id] << 8, mslice,
+ radeon_bo_size(track->cb_color_bo[id]), slice);
+ dev_warn(p->dev, "%s:%d problematic surf: (%d %d) (%d %d %d %d %d %d %d)\n",
+ __func__, __LINE__, surf.nbx, surf.nby,
+@@ -562,7 +562,7 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1;
+@@ -608,18 +608,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ return r;
+ }
+
+- offset = track->db_s_read_offset << 8;
++ offset = (u64)track->db_s_read_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_s_read_bo)) {
+ dev_warn(p->dev, "%s:%d stencil read bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_s_read_offset << 8, mslice,
++ (u64)track->db_s_read_offset << 8, mslice,
+ radeon_bo_size(track->db_s_read_bo));
+ dev_warn(p->dev, "%s:%d stencil invalid (0x%08x 0x%08x 0x%08x 0x%08x)\n",
+ __func__, __LINE__, track->db_depth_size,
+@@ -627,18 +627,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ return -EINVAL;
+ }
+
+- offset = track->db_s_write_offset << 8;
++ offset = (u64)track->db_s_write_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_s_write_bo)) {
+ dev_warn(p->dev, "%s:%d stencil write bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_s_write_offset << 8, mslice,
++ (u64)track->db_s_write_offset << 8, mslice,
+ radeon_bo_size(track->db_s_write_bo));
+ return -EINVAL;
+ }
+@@ -659,7 +659,7 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p)
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1;
+@@ -706,34 +706,34 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p)
+ return r;
+ }
+
+- offset = track->db_z_read_offset << 8;
++ offset = (u64)track->db_z_read_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_z_read_bo)) {
+ dev_warn(p->dev, "%s:%d depth read bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_z_read_offset << 8, mslice,
++ (u64)track->db_z_read_offset << 8, mslice,
+ radeon_bo_size(track->db_z_read_bo));
+ return -EINVAL;
+ }
+
+- offset = track->db_z_write_offset << 8;
++ offset = (u64)track->db_z_write_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_z_write_bo)) {
+ dev_warn(p->dev, "%s:%d depth write bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_z_write_offset << 8, mslice,
++ (u64)track->db_z_write_offset << 8, mslice,
+ radeon_bo_size(track->db_z_write_bo));
+ return -EINVAL;
+ }
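Review bot: The two alignment warnings in evergreen_cs_track_validate_depth still say "stencil read bo base" and "stencil write bo base" although they report `db_z_read_offset` and `db_z_write_offset`, so a log line from this function points at the wrong buffer. Since the format strings are being edited here anyway, they could read `"%s:%d depth read bo base %llu not aligned with %ld\n"` and `"%s:%d depth write bo base %llu not aligned with %ld\n"`, matching the "depth read bo too small" messages a few lines further down. The function starts and ends outside the hunk.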
+--
+2.43.0
+
--- /dev/null
+From 60a6e271d83600c6a052e5c94b23deaa3cadad9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 13:31:58 -0400
+Subject: drm/radeon: properly handle vbios fake edid sizing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 17c6baff3d5f65c8da164137a58742541a060b2f ]
+
+The comment in the vbios structure says:
+// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
+
+This fake edid struct has not been used in a long time, so I'm
+not sure if there were actually any boards out there with a non-128 byte
+EDID, but align the code with the comment.
+
+Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
+Reported-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html
+Fixes: c324acd5032f ("drm/radeon/kms: parse the extended LCD info block")
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 29 +++++++++++++-----------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index 10793a433bf58..d698a899eaf4c 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -1717,26 +1717,29 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ struct edid *edid;
+- int edid_size =
+- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength);
+- edid = kmalloc(edid_size, GFP_KERNEL);
++ int edid_size;
++
++ if (fake_edid_record->ucFakeEDIDLength == 128)
++ edid_size = fake_edid_record->ucFakeEDIDLength;
++ else
++ edid_size = fake_edid_record->ucFakeEDIDLength * 128;
++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0],
++ edid_size, GFP_KERNEL);
+ if (edid) {
+- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0],
+- fake_edid_record->ucFakeEDIDLength);
+-
+ if (drm_edid_is_valid(edid)) {
+ rdev->mode_info.bios_hardcoded_edid = edid;
+ rdev->mode_info.bios_hardcoded_edid_size = edid_size;
+- } else
++ } else {
+ kfree(edid);
++ }
+ }
++ record += struct_size(fake_edid_record,
++ ucFakeEDIDString,
++ edid_size);
++ } else {
++ /* empty fake edid record must be 3 bytes long */
++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+- record += fake_edid_record->ucFakeEDIDLength ?
+- struct_size(fake_edid_record,
+- ucFakeEDIDString,
+- fake_edid_record->ucFakeEDIDLength) :
+- /* empty fake edid record must be 3 bytes long */
+- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
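Review bot: `edid_size` is derived directly from the VBIOS field `ucFakeEDIDLength` (presumably one byte, so up to 255 * 128 bytes) and passed to `kmemdup()` with no check that `ucFakeEDIDString` plus that many bytes still lies inside the LCD info table. A malformed record therefore makes the driver read past the table, and the following `record += struct_size(...)` advances the parser by the same untrusted amount. Before the copy, the record's end should be compared with the end of the table and the record skipped when it does not fit; the table bounds are not visible in this hunk, so the exact expression has to come from the enclosing loop. It is also worth confirming that `drm_edid_is_valid(edid)` cannot inspect more extension blocks than `edid_size` covers. The enclosing function starts and ends outside the hunk.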
+--
+2.43.0
+
--- /dev/null
+From b1daadab6517c6b17b7814b911f75beaa939b75e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:03:55 +0000
+Subject: drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit a5d024541ec466f428e6c514577d511a40779c7b ]
+
+EDID cannot be read on RK3328 until after read_hpd has been called and
+correct io voltage has been configured based on connection status.
+
+When a forced mode is used, e.g. video=1920x1080@60e, the connector
+detect ops, that in turn normally calls the read_hpd, never gets called.
+
+This result in reading EDID to fail in connector get_modes ops.
+
+Call dw_hdmi_rk3328_read_hpd at end of dw_hdmi_rk3328_setup_hpd to
+correct io voltage and allow reading EDID after setup_hpd.
+
+Fixes: 1c53ba8f22a1 ("drm/rockchip: dw_hdmi: add dw-hdmi support for the rk3328")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-5-jonas@kwiboo.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
+index fe33092abbe7d..aae48e906af11 100644
+--- a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
+@@ -434,6 +434,8 @@ static void dw_hdmi_rk3328_setup_hpd(struct dw_hdmi *dw_hdmi, void *data)
+ HIWORD_UPDATE(RK3328_HDMI_SDAIN_MSK | RK3328_HDMI_SCLIN_MSK,
+ RK3328_HDMI_SDAIN_MSK | RK3328_HDMI_SCLIN_MSK |
+ RK3328_HDMI_HPD_IOE));
++
++ dw_hdmi_rk3328_read_hpd(dw_hdmi, data);
+ }
+
+ static const struct dw_hdmi_phy_ops rk3228_hdmi_phy_ops = {
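Review bot: The added `dw_hdmi_rk3328_read_hpd(dw_hdmi, data);` call at the end of dw_hdmi_rk3328_setup_hpd discards its return value and exists only for its side effect, which nothing in the code explains. A reader is likely to take it for a leftover and remove it. A comment above the call would record the reason given in the commit message: `/* Run read_hpd once so the io voltage matches the connection status; with a forced mode detect never runs and EDID reads would fail. */`. The function starts outside the hunk.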
+--
+2.43.0
+
--- /dev/null
+From 561d68e92a3f3dd9ab707d6bd4518fbb9f020734 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:03:54 +0000
+Subject: drm/rockchip: vop: Allow 4096px width scaling
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit 0ef968d91a20b5da581839f093f98f7a03a804f7 ]
+
+There is no reason to limit VOP scaling to 3840px width, the limit of
+RK3288, when there are newer VOP versions that support 4096px width.
+
+Change to enforce a maximum of 4096px width plane scaling, the maximum
+supported output width of the VOP versions supported by this driver.
+
+Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale")
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-4-jonas@kwiboo.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+index a13473b2d54c4..4a9c6ea7f15dc 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -396,8 +396,8 @@ static void scl_vop_cal_scl_fac(struct vop *vop, const struct vop_win_data *win,
+ if (info->is_yuv)
+ is_yuv = true;
+
+- if (dst_w > 3840) {
+- DRM_DEV_ERROR(vop->dev, "Maximum dst width (3840) exceeded\n");
++ if (dst_w > 4096) {
++ DRM_DEV_ERROR(vop->dev, "Maximum dst width (4096) exceeded\n");
+ return;
+ }
+
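Review bot: The `dst_w > 4096` check is now one limit for every VOP, although the commit text itself says RK3288 tops out at 3840px, so on such an older VOP a destination width between 3841 and 4096 is no longer rejected here. Unless a per-SoC maximum is enforced elsewhere (not visible in this hunk), the bound would be better taken from the per-version VOP data than hard-coded. The same value should then be printed in the "Maximum dst width" message. scl_vop_cal_scl_fac starts and ends outside the hunk.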
+--
+2.43.0
+
--- /dev/null
+From 3f775b8bf6c5ab8fd36ff8e4a45a4794a550b42b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jan 2024 17:54:32 +0100
+Subject: drm/stm: Fix an error handling path in stm_drm_platform_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ce7c90bfda2656418c69ba0dd8f8a7536b8928d4 ]
+
+If drm_dev_register() fails, a call to drv_load() must be undone, as
+already done in the remove function.
+
+Fixes: b759012c5fa7 ("drm/stm: Add STM32 LTDC driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20fff7f853f20a48a96db8ff186124470ec4d976.1704560028.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/stm/drv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
+index e8523abef27a5..4d2db079ad4ff 100644
+--- a/drivers/gpu/drm/stm/drv.c
++++ b/drivers/gpu/drm/stm/drv.c
+@@ -203,12 +203,14 @@ static int stm_drm_platform_probe(struct platform_device *pdev)
+
+ ret = drm_dev_register(ddev, 0);
+ if (ret)
+- goto err_put;
++ goto err_unload;
+
+ drm_fbdev_dma_setup(ddev, 16);
+
+ return 0;
+
++err_unload:
++ drv_unload(ddev);
+ err_put:
+ drm_dev_put(ddev);
+
+--
+2.43.0
+
--- /dev/null
+From 7132025f2500d9c1af8a025ec03bceecfd05b6bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 10:28:54 +0300
+Subject: drm/stm: ltdc: check memory returned by devm_kzalloc()
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit fd39730c58890cd7f0a594231e19bb357f28877c ]
+
+devm_kzalloc() can fail and return NULL pointer. Check its return status.
+Identified with Coccinelle (kmerr.cocci script).
+
+Fixes: 484e72d3146b ("drm/stm: ltdc: add support of ycbcr pixel formats")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Acked-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230531072854.142629-1-claudiu.beznea@microchip.com
+Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/stm/ltdc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
+index 5576fdae49623..5aec1e58c968c 100644
+--- a/drivers/gpu/drm/stm/ltdc.c
++++ b/drivers/gpu/drm/stm/ltdc.c
+@@ -1580,6 +1580,8 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
+ ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) +
+ ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) *
+ sizeof(*formats), GFP_KERNEL);
++ if (!formats)
++ return NULL;
+
+ for (i = 0; i < ldev->caps.pix_fmt_nb; i++) {
+ drm_fmt = ldev->caps.pix_fmt_drm[i];
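Review bot: The allocation that the new `if (!formats)` check guards still computes its size as an open-coded `(count) * sizeof(*formats)`, with `count` partly taken from `ldev->caps.pix_fmt_nb`. Passing the element count and `sizeof(*formats)` separately to `devm_kcalloc()` would make that multiplication overflow-checked and is the usual kernel form for array allocations. The start of the allocation call and the rest of ltdc_plane_create are outside the hunk, so whether callers treat the `NULL` return as an error cannot be confirmed from here.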
+--
+2.43.0
+
--- /dev/null
+From c34d92f5340a3da0a91977b30aff59d1fca8fbd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 23:40:45 +0200
+Subject: drm/vc4: hdmi: Handle error case of pm_runtime_resume_and_get
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit f1a54e860b1bc8d824925b5a77f510913880e8d6 ]
+
+The commit 0f5251339eda ("drm/vc4: hdmi: Make sure the controller is
+powered in detect") introduced the necessary power management handling
+to avoid register access while controller is powered down.
+Unfortunately it just print a warning if pm_runtime_resume_and_get()
+fails and proceed anyway.
+
+This could happen during suspend to idle. So we must assume it is unsafe
+to access the HDMI register. So bail out properly.
+
+Fixes: 0f5251339eda ("drm/vc4: hdmi: Make sure the controller is powered in detect")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Reviewed-by: Maíra Canal <mcanal@igalia.com>
+Acked-by: Maxime Ripard <mripard@kernel.org>
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240821214052.6800-3-wahrenst@gmx.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index d30f8e8e89671..c75bd5af2cefd 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -462,6 +462,7 @@ static int vc4_hdmi_connector_detect_ctx(struct drm_connector *connector,
+ {
+ struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector);
+ enum drm_connector_status status = connector_status_disconnected;
++ int ret;
+
+ /*
+ * NOTE: This function should really take vc4_hdmi->mutex, but
+@@ -474,7 +475,12 @@ static int vc4_hdmi_connector_detect_ctx(struct drm_connector *connector,
+ * the lock for now.
+ */
+
+- WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));
++ ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev);
++ if (ret) {
++ drm_err_once(connector->dev, "Failed to retain HDMI power domain: %d\n",
++ ret);
++ return connector_status_unknown;
++ }
+
+ if (vc4_hdmi->hpd_gpio) {
+ if (gpiod_get_value_cansleep(vc4_hdmi->hpd_gpio))
+--
+2.43.0
+
--- /dev/null
+From c2d1664cd25f9aacef04adcdc6b7e95d9f5bf6a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 07:30:16 +0200
+Subject: dt-bindings: iio: asahi-kasei,ak8975: drop incorrect AK09116
+ compatible
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit c7668ac67bc21aebdd8e2d7f839bfffba31b7713 ]
+
+All compatibles in this binding without prefixes were deprecated, so
+adding a new deprecated one after some time is not allowed, because it
+defies the core logic of deprecating things.
+
+Drop the AK09916 vendorless compatible.
+
+Fixes: 76e28aa97fa0 ("iio: magnetometer: ak8975: add AK09116 support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://patch.msgid.link/20240806053016.6401-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml b/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml
+index 9790f75fc669e..fe5145d3b73cf 100644
+--- a/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml
++++ b/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml
+@@ -23,7 +23,6 @@ properties:
+ - ak8963
+ - ak09911
+ - ak09912
+- - ak09916
+ deprecated: true
+
+ reg:
+--
+2.43.0
+
--- /dev/null
+From e6955440cf0406d765f55d3132f0c7046fa798d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:38:32 -0400
+Subject: dt-bindings: PCI: layerscape-pci: Replace fsl,lx2160a-pcie with
+ fsl,lx2160ar2-pcie
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Li <Frank.Li@nxp.com>
+
+[ Upstream commit 1a1bf58897d20fc38b454dfecd2771e142d36966 ]
+
+The fsl,lx2160a-pcie compatible is used for mobivel according to the
+Documentation/devicetree/bindings/pci/layerscape-pcie-gen4.txt file.
+
+Whereas the fsl,layerscape-pcie is used for DesignWare PCIe controller binding.
+
+So change it to fsl,lx2160ar2-pcie and allow a fall back to fsl,ls2088a-pcie.
+
+While at it, sort compatible string.
+
+Fixes: 24cd7ecb3886 ("dt-bindings: PCI: layerscape-pci: Convert to YAML format")
+Link: https://lore.kernel.org/linux-pci/20240826-2160r2-v1-1-106340d538d6@nxp.com
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/pci/fsl,layerscape-pcie.yaml | 26 ++++++++++---------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/pci/fsl,layerscape-pcie.yaml b/Documentation/devicetree/bindings/pci/fsl,layerscape-pcie.yaml
+index 793986c5af7ff..daeab5c0758d1 100644
+--- a/Documentation/devicetree/bindings/pci/fsl,layerscape-pcie.yaml
++++ b/Documentation/devicetree/bindings/pci/fsl,layerscape-pcie.yaml
+@@ -22,18 +22,20 @@ description:
+
+ properties:
+ compatible:
+- enum:
+- - fsl,ls1021a-pcie
+- - fsl,ls2080a-pcie
+- - fsl,ls2085a-pcie
+- - fsl,ls2088a-pcie
+- - fsl,ls1088a-pcie
+- - fsl,ls1046a-pcie
+- - fsl,ls1043a-pcie
+- - fsl,ls1012a-pcie
+- - fsl,ls1028a-pcie
+- - fsl,lx2160a-pcie
+-
++ oneOf:
++ - enum:
++ - fsl,ls1012a-pcie
++ - fsl,ls1021a-pcie
++ - fsl,ls1028a-pcie
++ - fsl,ls1043a-pcie
++ - fsl,ls1046a-pcie
++ - fsl,ls1088a-pcie
++ - fsl,ls2080a-pcie
++ - fsl,ls2085a-pcie
++ - fsl,ls2088a-pcie
++ - items:
++ - const: fsl,lx2160ar2-pcie
++ - const: fsl,ls2088a-pcie
+ reg:
+ maxItems: 2
+
+--
+2.43.0
+
--- /dev/null
+From 8f89cef6ed042bfed7513bdc81ac19b89d445e25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 15:36:56 +0530
+Subject: EDAC/synopsys: Fix error injection on Zynq UltraScale+
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+
+[ Upstream commit 35e6dbfe1846caeafabb49b7575adb36b0aa2269 ]
+
+The Zynq UltraScale+ MPSoC DDR has a disjoint memory from 2GB to 32GB.
+The DDR host interface has a contiguous memory so while injecting
+errors, the driver should remove the hole else the injection fails as
+the address translation is incorrect.
+
+Introduce a get_mem_info() function pointer and set it for Zynq
+UltraScale+ platform to return host address.
+
+Fixes: 1a81361f75d8 ("EDAC, synopsys: Add Error Injection support for ZynqMP DDR controller")
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20240711100656.31376-1-shubhrajyoti.datta@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/synopsys_edac.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c
+index ea7a9a342dd30..d7416166fd8a4 100644
+--- a/drivers/edac/synopsys_edac.c
++++ b/drivers/edac/synopsys_edac.c
+@@ -10,6 +10,7 @@
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
+ #include <linux/spinlock.h>
++#include <linux/sizes.h>
+ #include <linux/interrupt.h>
+ #include <linux/of.h>
+
+@@ -337,6 +338,7 @@ struct synps_edac_priv {
+ * @get_mtype: Get mtype.
+ * @get_dtype: Get dtype.
+ * @get_ecc_state: Get ECC state.
++ * @get_mem_info: Get EDAC memory info
+ * @quirks: To differentiate IPs.
+ */
+ struct synps_platform_data {
+@@ -344,6 +346,9 @@ struct synps_platform_data {
+ enum mem_type (*get_mtype)(const void __iomem *base);
+ enum dev_type (*get_dtype)(const void __iomem *base);
+ bool (*get_ecc_state)(void __iomem *base);
++#ifdef CONFIG_EDAC_DEBUG
++ u64 (*get_mem_info)(struct synps_edac_priv *priv);
++#endif
+ int quirks;
+ };
+
+@@ -402,6 +407,25 @@ static int zynq_get_error_info(struct synps_edac_priv *priv)
+ return 0;
+ }
+
++#ifdef CONFIG_EDAC_DEBUG
++/**
++ * zynqmp_get_mem_info - Get the current memory info.
++ * @priv: DDR memory controller private instance data.
++ *
++ * Return: host interface address.
++ */
++static u64 zynqmp_get_mem_info(struct synps_edac_priv *priv)
++{
++ u64 hif_addr = 0, linear_addr;
++
++ linear_addr = priv->poison_addr;
++ if (linear_addr >= SZ_32G)
++ linear_addr = linear_addr - SZ_32G + SZ_2G;
++ hif_addr = linear_addr >> 3;
++ return hif_addr;
++}
++#endif
++
+ /**
+ * zynqmp_get_error_info - Get the current ECC error info.
+ * @priv: DDR memory controller private instance data.
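Review bot: zynqmp_get_mem_info() only remaps addresses at or above `SZ_32G`, so a `poison_addr` inside the hole the commit message describes (2GB up to 32GB) passes through unchanged. That yields a host-interface address which really belongs to the remapped high region. Rejecting or warning when `linear_addr >= SZ_2G && linear_addr < SZ_32G` would keep an injection from landing on a different location than the one requested. The kernel-doc summary would be clearer as `Translate the poison address to a host interface (HIF) address.`, since "Get the current memory info" does not say what is returned. The `= 0` initialiser on `hif_addr` is never used.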
+@@ -922,6 +946,9 @@ static const struct synps_platform_data zynqmp_edac_def = {
+ .get_mtype = zynqmp_get_mtype,
+ .get_dtype = zynqmp_get_dtype,
+ .get_ecc_state = zynqmp_get_ecc_state,
++#ifdef CONFIG_EDAC_DEBUG
++ .get_mem_info = zynqmp_get_mem_info,
++#endif
+ .quirks = (DDR_ECC_INTR_SUPPORT
+ #ifdef CONFIG_EDAC_DEBUG
+ | DDR_ECC_DATA_POISON_SUPPORT
+@@ -975,10 +1002,16 @@ MODULE_DEVICE_TABLE(of, synps_edac_match);
+ static void ddr_poison_setup(struct synps_edac_priv *priv)
+ {
+ int col = 0, row = 0, bank = 0, bankgrp = 0, rank = 0, regval;
++ const struct synps_platform_data *p_data;
+ int index;
+ ulong hif_addr = 0;
+
+- hif_addr = priv->poison_addr >> 3;
++ p_data = priv->p_data;
++
++ if (p_data->get_mem_info)
++ hif_addr = p_data->get_mem_info(priv);
++ else
++ hif_addr = priv->poison_addr >> 3;
+
+ for (index = 0; index < DDR_MAX_ROW_SHIFT; index++) {
+ if (priv->row_shift[index])
+--
+2.43.0
+
--- /dev/null
+From ab0d116de02178d9bfae40f420589c0b51214437 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 10:39:15 +0300
+Subject: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()
+
+From: Dan Carpenter <alexander.sverdlin@gmail.com>
+
+[ Upstream commit c7f06284a6427475e3df742215535ec3f6cd9662 ]
+
+The psc->div[] array has psc->num_div elements. These values come from
+when we call clk_hw_register_div(). It's adc_divisors and
+ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >=
+instead of > to prevent an out of bounds read.
+
+Fixes: 9645ccc7bd7a ("ep93xx: clock: convert in-place to COMMON_CLK")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Reviewed-by: Nikita Shubin <nikita.shubin@maquefel.me>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Link: https://lore.kernel.org/r/1caf01ad4c0a8069535813c26c7f0b8ea011155e.camel@linaro.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-ep93xx/clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-ep93xx/clock.c b/arch/arm/mach-ep93xx/clock.c
+index 85a496ddc6197..e9f72a529b508 100644
+--- a/arch/arm/mach-ep93xx/clock.c
++++ b/arch/arm/mach-ep93xx/clock.c
+@@ -359,7 +359,7 @@ static unsigned long ep93xx_div_recalc_rate(struct clk_hw *hw,
+ u32 val = __raw_readl(psc->reg);
+ u8 index = (val & psc->mask) >> psc->shift;
+
+- if (index > psc->num_div)
++ if (index >= psc->num_div)
+ return 0;
+
+ return DIV_ROUND_UP_ULL(parent_rate, psc->div[index]);
+--
+2.43.0
+
--- /dev/null
+From 840d196f6fffab31bd7b90d3602b4ed8b47efa71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 11:19:11 +0800
+Subject: erofs: fix incorrect symlink detection in fast symlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 9ed50b8231e37b1ae863f5dec8153b98d9f389b4 ]
+
+Fast symlink can be used if the on-disk symlink data is stored
+in the same block as the on-disk inode, so we don’t need to trigger
+another I/O for symlink data. However, currently fs correction could be
+reported _incorrectly_ if inode xattrs are too large.
+
+In fact, these should be valid images although they cannot be handled as
+fast symlinks.
+
+Many thanks to Colin for reporting this!
+
+Reported-by: Colin Walters <walters@verbum.org>
+Reported-by: https://honggfuzz.dev/
+Link: https://lore.kernel.org/r/bb2dd430-7de0-47da-ae5b-82ab2dd4d945@app.fastmail.com
+Fixes: 431339ba9042 ("staging: erofs: add inode operations")
+[ Note that it's a runtime misbehavior instead of a security issue. ]
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240909031911.1174718-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/inode.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
+index 5f6439a63af79..f2cab9e4f3bcd 100644
+--- a/fs/erofs/inode.c
++++ b/fs/erofs/inode.c
+@@ -178,12 +178,14 @@ static int erofs_fill_symlink(struct inode *inode, void *kaddr,
+ unsigned int m_pofs)
+ {
+ struct erofs_inode *vi = EROFS_I(inode);
+- unsigned int bsz = i_blocksize(inode);
++ loff_t off;
+ char *lnk;
+
+- /* if it cannot be handled with fast symlink scheme */
+- if (vi->datalayout != EROFS_INODE_FLAT_INLINE ||
+- inode->i_size >= bsz || inode->i_size < 0) {
++ m_pofs += vi->xattr_isize;
++ /* check if it cannot be handled with fast symlink scheme */
++ if (vi->datalayout != EROFS_INODE_FLAT_INLINE || inode->i_size < 0 ||
++ check_add_overflow(m_pofs, inode->i_size, &off) ||
++ off > i_blocksize(inode)) {
+ inode->i_op = &erofs_symlink_iops;
+ return 0;
+ }
+@@ -192,16 +194,6 @@ static int erofs_fill_symlink(struct inode *inode, void *kaddr,
+ if (!lnk)
+ return -ENOMEM;
+
+- m_pofs += vi->xattr_isize;
+- /* inline symlink data shouldn't cross block boundary */
+- if (m_pofs + inode->i_size > bsz) {
+- kfree(lnk);
+- erofs_err(inode->i_sb,
+- "inline data cross block boundary @ nid %llu",
+- vi->nid);
+- DBG_BUGON(1);
+- return -EFSCORRUPTED;
+- }
+ memcpy(lnk, kaddr + m_pofs, inode->i_size);
+ lnk[inode->i_size] = '\0';
+
+--
+2.43.0
+
--- /dev/null
+From b1eb5ec8e4f2b1239be2d9e728c19b9531d41687 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 15:08:47 +0800
+Subject: erofs: handle overlapped pclusters out of crafted images properly
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50 ]
+
+syzbot reported a task hang issue due to a deadlock case where it is
+waiting for the folio lock of a cached folio that will be used for
+cache I/Os.
+
+After looking into the crafted fuzzed image, I found it's formed with
+several overlapped big pclusters as below:
+
+ Ext: logical offset | length : physical offset | length
+ 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384
+ 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384
+ 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384
+...
+
+Here, extent 0/1 are physically overlapped although it's entirely
+_impossible_ for normal filesystem images generated by mkfs.
+
+First, managed folios containing compressed data will be marked as
+up-to-date and then unlocked immediately (unlike in-place folios) when
+compressed I/Os are complete. If physical blocks are not submitted in
+the incremental order, there should be separate BIOs to avoid dependency
+issues. However, the current code mis-arranges z_erofs_fill_bio_vec()
+and BIO submission which causes unexpected BIO waits.
+
+Second, managed folios will be connected to their own pclusters for
+efficient inter-queries. However, this is somewhat hard to implement
+easily if overlapped big pclusters exist. Again, these only appear in
+fuzzed images so let's simply fall back to temporary short-lived pages
+for correctness.
+
+Additionally, it justifies that referenced managed folios cannot be
+truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
+up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
+difference.
+
+Reported-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com
+Reported-by: syzbot+de04e06b28cfecf2281c@syzkaller.appspotmail.com
+Reported-by: syzbot+c8c8238b394be4a1087d@syzkaller.appspotmail.com
+Tested-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/0000000000002fda01061e334873@google.com
+Fixes: 8e6c8fa9f2e9 ("erofs: enable big pcluster feature")
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240910070847.3356592-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 71 ++++++++++++++++++++++++++----------------------
+ 1 file changed, 38 insertions(+), 33 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index d269b092c477f..2535479fb82db 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1416,6 +1416,7 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ struct z_erofs_bvec zbv;
+ struct address_space *mapping;
+ struct folio *folio;
++ struct page *page;
+ int bs = i_blocksize(f->inode);
+
+ /* Except for inplace folios, the entire folio can be used for I/Os */
+@@ -1438,7 +1439,6 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ * file-backed folios will be used instead.
+ */
+ if (folio->private == (void *)Z_EROFS_PREALLOCATED_PAGE) {
+- folio->private = 0;
+ tocache = true;
+ goto out_tocache;
+ }
+@@ -1456,7 +1456,7 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ }
+
+ folio_lock(folio);
+- if (folio->mapping == mc) {
++ if (likely(folio->mapping == mc)) {
+ /*
+ * The cached folio is still in managed cache but without
+ * a valid `->private` pcluster hint. Let's reconnect them.
+@@ -1466,41 +1466,44 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ /* compressed_bvecs[] already takes a ref before */
+ folio_put(folio);
+ }
+-
+- /* no need to submit if it is already up-to-date */
+- if (folio_test_uptodate(folio)) {
+- folio_unlock(folio);
+- bvec->bv_page = NULL;
++ if (likely(folio->private == pcl)) {
++ /* don't submit cache I/Os again if already uptodate */
++ if (folio_test_uptodate(folio)) {
++ folio_unlock(folio);
++ bvec->bv_page = NULL;
++ }
++ return;
+ }
+- return;
++ /*
++ * Already linked with another pcluster, which only appears in
++ * crafted images by fuzzers for now. But handle this anyway.
++ */
++ tocache = false; /* use temporary short-lived pages */
++ } else {
++ DBG_BUGON(1); /* referenced managed folios can't be truncated */
++ tocache = true;
+ }
+-
+- /*
+- * It has been truncated, so it's unsafe to reuse this one. Let's
+- * allocate a new page for compressed data.
+- */
+- DBG_BUGON(folio->mapping);
+- tocache = true;
+ folio_unlock(folio);
+ folio_put(folio);
+ out_allocfolio:
+- zbv.page = erofs_allocpage(&f->pagepool, gfp | __GFP_NOFAIL);
++ page = erofs_allocpage(&f->pagepool, gfp | __GFP_NOFAIL);
+ spin_lock(&pcl->obj.lockref.lock);
+- if (pcl->compressed_bvecs[nr].page) {
+- erofs_pagepool_add(&f->pagepool, zbv.page);
++ if (unlikely(pcl->compressed_bvecs[nr].page != zbv.page)) {
++ erofs_pagepool_add(&f->pagepool, page);
+ spin_unlock(&pcl->obj.lockref.lock);
+ cond_resched();
+ goto repeat;
+ }
+- bvec->bv_page = pcl->compressed_bvecs[nr].page = zbv.page;
+- folio = page_folio(zbv.page);
+- /* first mark it as a temporary shortlived folio (now 1 ref) */
+- folio->private = (void *)Z_EROFS_SHORTLIVED_PAGE;
++ bvec->bv_page = pcl->compressed_bvecs[nr].page = page;
++ folio = page_folio(page);
+ spin_unlock(&pcl->obj.lockref.lock);
+ out_tocache:
+ if (!tocache || bs != PAGE_SIZE ||
+- filemap_add_folio(mc, folio, pcl->obj.index + nr, gfp))
++ filemap_add_folio(mc, folio, pcl->obj.index + nr, gfp)) {
++ /* turn into a temporary shortlived folio (1 ref) */
++ folio->private = (void *)Z_EROFS_SHORTLIVED_PAGE;
+ return;
++ }
+ folio_attach_private(folio, pcl);
+ /* drop a refcount added by allocpage (then 2 refs in total here) */
+ folio_put(folio);
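Review bot: The race test after `out_allocfolio:`, `pcl->compressed_bvecs[nr].page != zbv.page`, has no comment, and it is not obvious that `zbv.page` can now be non-NULL there. On the fall-through for a folio already linked with another pcluster, it is the page that was just unlocked and put. A line such as `/* slot no longer matches the sampled zbv: someone else replaced it, retry */` would make the intent clear. `zbv` is filled in before this hunk, so reading it as a snapshot of the slot is inferred from how it is used here.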
+@@ -1635,13 +1638,10 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ cur = mdev.m_pa;
+ end = cur + pcl->pclustersize;
+ do {
+- z_erofs_fill_bio_vec(&bvec, f, pcl, i++, mc);
+- if (!bvec.bv_page)
+- continue;
+-
++ bvec.bv_page = NULL;
+ if (bio && (cur != last_pa ||
+ bio->bi_bdev != mdev.m_bdev)) {
+-io_retry:
++drain_io:
+ if (!erofs_is_fscache_mode(sb))
+ submit_bio(bio);
+ else
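Review bot: `bvec.bv_page` now doubles as the "already filled" flag for the loop in `z_erofs_submit_queue()`, and nothing in the code says so. It is cleared at the top of each iteration, and the `goto drain_io` after a failed `bio_add_page()` (last hunk) relies on it still being set, so that the `if (!bvec.bv_page)` block in the next hunk does not call `z_erofs_fill_bio_vec()` a second time for the same index. I would put a comment on the reset, e.g. `/* NULL until this iteration's page is picked; re-entry via drain_io must not refill */`. The loop starts before this hunk and ends after it.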
+@@ -1654,6 +1654,15 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ bio = NULL;
+ }
+
++ if (!bvec.bv_page) {
++ z_erofs_fill_bio_vec(&bvec, f, pcl, i++, mc);
++ if (!bvec.bv_page)
++ continue;
++ if (cur + bvec.bv_len > end)
++ bvec.bv_len = end - cur;
++ DBG_BUGON(bvec.bv_len < sb->s_blocksize);
++ }
++
+ if (unlikely(PageWorkingset(bvec.bv_page)) &&
+ !memstall) {
+ psi_memstall_enter(&pflags);
+@@ -1673,13 +1682,9 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ ++nr_bios;
+ }
+
+- if (cur + bvec.bv_len > end)
+- bvec.bv_len = end - cur;
+- DBG_BUGON(bvec.bv_len < sb->s_blocksize);
+ if (!bio_add_page(bio, bvec.bv_page, bvec.bv_len,
+ bvec.bv_offset))
+- goto io_retry;
+-
++ goto drain_io;
+ last_pa = cur + bvec.bv_len;
+ bypass = false;
+ } while ((cur += bvec.bv_len) < end);
+--
+2.43.0
+
--- /dev/null
+From 7dc89109c643d46e1f46c67b6cea4a996a05ac63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 20:00:51 +0800
+Subject: erofs: tidy up `struct z_erofs_bvec`
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 2080ca1ed3e43233c4e8480c0b9d2840886de01e ]
+
+After revisiting the design, I believe `struct z_erofs_bvec` should
+be page-based instead of folio-based due to the reasons below:
+
+ - The minimized memory mapping block is a page;
+
+ - Under the certain circumstances, only temporary pages needs to be
+ used instead of folios since refcount, mapcount for such pages are
+ unnecessary;
+
+ - Decompressors handle all types of pages including temporary pages,
+ not only folios.
+
+When handling `struct z_erofs_bvec`, all folio-related information
+is now accessed using the page_folio() helper.
+
+The final goal of this round adaptation is to eliminate direct
+accesses to `struct page` in the EROFS codebase, except for some
+exceptions like `z_erofs_is_shortlived_page()` and
+`z_erofs_page_is_invalidated()`, which require a new helper to
+determine the memdesc type of an arbitrary page.
+
+Actually large folios of compressed files seem to work now, yet I tend
+to conduct more tests before officially enabling this for all scenarios.
+
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240703120051.3653452-4-hsiangkao@linux.alibaba.com
+Stable-dep-of: 9e2f9d34dd12 ("erofs: handle overlapped pclusters out of crafted images properly")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 101 +++++++++++++++++++++++------------------------
+ 1 file changed, 49 insertions(+), 52 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index d6fe002a4a719..d269b092c477f 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -19,10 +19,7 @@
+ typedef void *z_erofs_next_pcluster_t;
+
+ struct z_erofs_bvec {
+- union {
+- struct page *page;
+- struct folio *folio;
+- };
++ struct page *page;
+ int offset;
+ unsigned int end;
+ };
+@@ -617,32 +614,31 @@ static void z_erofs_bind_cache(struct z_erofs_decompress_frontend *fe)
+ fe->mode = Z_EROFS_PCLUSTER_FOLLOWED_NOINPLACE;
+ }
+
+-/* called by erofs_shrinker to get rid of all cached compressed bvecs */
++/* (erofs_shrinker) disconnect cached encoded data with pclusters */
+ int erofs_try_to_free_all_cached_folios(struct erofs_sb_info *sbi,
+ struct erofs_workgroup *grp)
+ {
+ struct z_erofs_pcluster *const pcl =
+ container_of(grp, struct z_erofs_pcluster, obj);
+ unsigned int pclusterpages = z_erofs_pclusterpages(pcl);
++ struct folio *folio;
+ int i;
+
+ DBG_BUGON(z_erofs_is_inline_pcluster(pcl));
+- /* There is no actice user since the pcluster is now freezed */
++ /* Each cached folio contains one page unless bs > ps is supported */
+ for (i = 0; i < pclusterpages; ++i) {
+- struct folio *folio = pcl->compressed_bvecs[i].folio;
++ if (pcl->compressed_bvecs[i].page) {
++ folio = page_folio(pcl->compressed_bvecs[i].page);
++ /* Avoid reclaiming or migrating this folio */
++ if (!folio_trylock(folio))
++ return -EBUSY;
+
+- if (!folio)
+- continue;
+-
+- /* Avoid reclaiming or migrating this folio */
+- if (!folio_trylock(folio))
+- return -EBUSY;
+-
+- if (!erofs_folio_is_managed(sbi, folio))
+- continue;
+- pcl->compressed_bvecs[i].folio = NULL;
+- folio_detach_private(folio);
+- folio_unlock(folio);
++ if (!erofs_folio_is_managed(sbi, folio))
++ continue;
++ pcl->compressed_bvecs[i].page = NULL;
++ folio_detach_private(folio);
++ folio_unlock(folio);
++ }
+ }
+ return 0;
+ }
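Review bot: In the rewritten loop of `erofs_try_to_free_all_cached_folios()`, the `continue` taken when `erofs_folio_is_managed()` returns false skips the `folio_unlock()` that balances the successful `folio_trylock()` just above, so that folio would stay locked. The old loop had the same order, so this is carried over rather than introduced, and whether the branch is reachable for a pcluster in this state cannot be told from the hunk. If it is reachable, unlocking first would fix it: `if (!erofs_folio_is_managed(sbi, folio)) { folio_unlock(folio); continue; }`.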
+@@ -650,9 +646,9 @@ int erofs_try_to_free_all_cached_folios(struct erofs_sb_info *sbi,
+ static bool z_erofs_cache_release_folio(struct folio *folio, gfp_t gfp)
+ {
+ struct z_erofs_pcluster *pcl = folio_get_private(folio);
+- unsigned int pclusterpages = z_erofs_pclusterpages(pcl);
++ struct z_erofs_bvec *bvec = pcl->compressed_bvecs;
++ struct z_erofs_bvec *end = bvec + z_erofs_pclusterpages(pcl);
+ bool ret;
+- int i;
+
+ if (!folio_test_private(folio))
+ return true;
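Review bot: The new initialisers of `bvec` and `end` in `z_erofs_cache_release_folio()` use `pcl` before the `folio_test_private(folio)` guard that follows. Either the guard is dead code, or `pcl` may be NULL when `z_erofs_pclusterpages(pcl)` runs (that helper is not shown; it presumably reads the pcluster). The removed `pclusterpages` initialiser had the same order, so this is not new. Declaring `struct z_erofs_bvec *bvec, *end;` and assigning `bvec = pcl->compressed_bvecs;` and `end = bvec + z_erofs_pclusterpages(pcl);` after the guard would settle the question. The function continues in the next hunk.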
+@@ -661,9 +657,9 @@ static bool z_erofs_cache_release_folio(struct folio *folio, gfp_t gfp)
+ spin_lock(&pcl->obj.lockref.lock);
+ if (pcl->obj.lockref.count <= 0) {
+ DBG_BUGON(z_erofs_is_inline_pcluster(pcl));
+- for (i = 0; i < pclusterpages; ++i) {
+- if (pcl->compressed_bvecs[i].folio == folio) {
+- pcl->compressed_bvecs[i].folio = NULL;
++ for (; bvec < end; ++bvec) {
++ if (bvec->page && page_folio(bvec->page) == folio) {
++ bvec->page = NULL;
+ folio_detach_private(folio);
+ ret = true;
+ break;
+@@ -1066,7 +1062,7 @@ static bool z_erofs_is_sync_decompress(struct erofs_sb_info *sbi,
+
+ static bool z_erofs_page_is_invalidated(struct page *page)
+ {
+- return !page->mapping && !z_erofs_is_shortlived_page(page);
++ return !page_folio(page)->mapping && !z_erofs_is_shortlived_page(page);
+ }
+
+ struct z_erofs_decompress_backend {
+@@ -1419,7 +1415,7 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ bool tocache = false;
+ struct z_erofs_bvec zbv;
+ struct address_space *mapping;
+- struct page *page;
++ struct folio *folio;
+ int bs = i_blocksize(f->inode);
+
+ /* Except for inplace folios, the entire folio can be used for I/Os */
+@@ -1429,23 +1425,25 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ spin_lock(&pcl->obj.lockref.lock);
+ zbv = pcl->compressed_bvecs[nr];
+ spin_unlock(&pcl->obj.lockref.lock);
+- if (!zbv.folio)
++ if (!zbv.page)
+ goto out_allocfolio;
+
+- bvec->bv_page = &zbv.folio->page;
++ bvec->bv_page = zbv.page;
+ DBG_BUGON(z_erofs_is_shortlived_page(bvec->bv_page));
++
++ folio = page_folio(zbv.page);
+ /*
+ * Handle preallocated cached folios. We tried to allocate such folios
+ * without triggering direct reclaim. If allocation failed, inplace
+ * file-backed folios will be used instead.
+ */
+- if (zbv.folio->private == (void *)Z_EROFS_PREALLOCATED_PAGE) {
+- zbv.folio->private = 0;
++ if (folio->private == (void *)Z_EROFS_PREALLOCATED_PAGE) {
++ folio->private = 0;
+ tocache = true;
+ goto out_tocache;
+ }
+
+- mapping = READ_ONCE(zbv.folio->mapping);
++ mapping = READ_ONCE(folio->mapping);
+ /*
+ * File-backed folios for inplace I/Os are all locked steady,
+ * therefore it is impossible for `mapping` to be NULL.
+@@ -1457,21 +1455,21 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ return;
+ }
+
+- folio_lock(zbv.folio);
+- if (zbv.folio->mapping == mc) {
++ folio_lock(folio);
++ if (folio->mapping == mc) {
+ /*
+ * The cached folio is still in managed cache but without
+ * a valid `->private` pcluster hint. Let's reconnect them.
+ */
+- if (!folio_test_private(zbv.folio)) {
+- folio_attach_private(zbv.folio, pcl);
++ if (!folio_test_private(folio)) {
++ folio_attach_private(folio, pcl);
+ /* compressed_bvecs[] already takes a ref before */
+- folio_put(zbv.folio);
++ folio_put(folio);
+ }
+
+ /* no need to submit if it is already up-to-date */
+- if (folio_test_uptodate(zbv.folio)) {
+- folio_unlock(zbv.folio);
++ if (folio_test_uptodate(folio)) {
++ folio_unlock(folio);
+ bvec->bv_page = NULL;
+ }
+ return;
+@@ -1481,32 +1479,31 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ * It has been truncated, so it's unsafe to reuse this one. Let's
+ * allocate a new page for compressed data.
+ */
+- DBG_BUGON(zbv.folio->mapping);
++ DBG_BUGON(folio->mapping);
+ tocache = true;
+- folio_unlock(zbv.folio);
+- folio_put(zbv.folio);
++ folio_unlock(folio);
++ folio_put(folio);
+ out_allocfolio:
+- page = erofs_allocpage(&f->pagepool, gfp | __GFP_NOFAIL);
++ zbv.page = erofs_allocpage(&f->pagepool, gfp | __GFP_NOFAIL);
+ spin_lock(&pcl->obj.lockref.lock);
+- if (pcl->compressed_bvecs[nr].folio) {
+- erofs_pagepool_add(&f->pagepool, page);
++ if (pcl->compressed_bvecs[nr].page) {
++ erofs_pagepool_add(&f->pagepool, zbv.page);
+ spin_unlock(&pcl->obj.lockref.lock);
+ cond_resched();
+ goto repeat;
+ }
+- pcl->compressed_bvecs[nr].folio = zbv.folio = page_folio(page);
++ bvec->bv_page = pcl->compressed_bvecs[nr].page = zbv.page;
++ folio = page_folio(zbv.page);
++ /* first mark it as a temporary shortlived folio (now 1 ref) */
++ folio->private = (void *)Z_EROFS_SHORTLIVED_PAGE;
+ spin_unlock(&pcl->obj.lockref.lock);
+- bvec->bv_page = page;
+ out_tocache:
+ if (!tocache || bs != PAGE_SIZE ||
+- filemap_add_folio(mc, zbv.folio, pcl->obj.index + nr, gfp)) {
+- /* turn into a temporary shortlived folio (1 ref) */
+- zbv.folio->private = (void *)Z_EROFS_SHORTLIVED_PAGE;
++ filemap_add_folio(mc, folio, pcl->obj.index + nr, gfp))
+ return;
+- }
+- folio_attach_private(zbv.folio, pcl);
++ folio_attach_private(folio, pcl);
+ /* drop a refcount added by allocpage (then 2 refs in total here) */
+- folio_put(zbv.folio);
++ folio_put(folio);
+ }
+
+ static struct z_erofs_decompressqueue *jobqueue_init(struct super_block *sb,
+--
+2.43.0
+
--- /dev/null
+From bed9656c2d9a8475fa70fbb90e8a92bbf29e7f0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 21:22:28 +0800
+Subject: ext4: avoid buffer_head leak in ext4_mark_inode_used()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit 5e5b2a56c57def1b41efd49596621504d7bcc61c ]
+
+Release inode_bitmap_bh from ext4_read_inode_bitmap() in
+ext4_mark_inode_used() to avoid buffer_head leak.
+By the way, remove unneeded goto for invalid ino when inode_bitmap_bh
+is NULL.
+
+Fixes: 8016e29f4362 ("ext4: fast commit recovery path")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Link: https://patch.msgid.link/20240820132234.2759926-2-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ialloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index e9bbb1da2d0a2..bf14450da35f4 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -755,10 +755,10 @@ int ext4_mark_inode_used(struct super_block *sb, int ino)
+ struct ext4_group_desc *gdp;
+ ext4_group_t group;
+ int bit;
+- int err = -EFSCORRUPTED;
++ int err;
+
+ if (ino < EXT4_FIRST_INO(sb) || ino > max_ino)
+- goto out;
++ return -EFSCORRUPTED;
+
+ group = (ino - 1) / EXT4_INODES_PER_GROUP(sb);
+ bit = (ino - 1) % EXT4_INODES_PER_GROUP(sb);
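Review bot: With the initialiser removed from `int err;`, every `goto out` left in `ext4_mark_inode_used()` has to assign `err` first, and none of those paths are inside this hunk, so that cannot be confirmed here. The `brelse(inode_bitmap_bh)` added at `out:` in the second hunk likewise assumes the label is reached only with `inode_bitmap_bh` NULL or a valid buffer, never an `ERR_PTR` from `ext4_read_inode_bitmap()`. Keeping `int err = -EFSCORRUPTED;` costs nothing and stops a missed assignment from returning an indeterminate value.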
+@@ -860,6 +860,7 @@ int ext4_mark_inode_used(struct super_block *sb, int ino)
+ err = ext4_handle_dirty_metadata(NULL, NULL, group_desc_bh);
+ sync_dirty_buffer(group_desc_bh);
+ out:
++ brelse(inode_bitmap_bh);
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a85fb51d50dc936ce9adaa093fe95477fe84ea13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 21:22:30 +0800
+Subject: ext4: avoid negative min_clusters in find_group_orlov()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit bb0a12c3439b10d88412fd3102df5b9a6e3cd6dc ]
+
+min_clusters is signed integer and will be converted to unsigned
+integer when compared with unsigned number stats.free_clusters.
+If min_clusters is negative, it will be converted to a huge unsigned
+value in which case all groups may not meet the actual desired free
+clusters.
+Set negative min_clusters to 0 to avoid unexpected behavior.
+
+Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Link: https://patch.msgid.link/20240820132234.2759926-4-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ialloc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index de04f4400d926..5a3b4bc124149 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -514,6 +514,8 @@ static int find_group_orlov(struct super_block *sb, struct inode *parent,
+ if (min_inodes < 1)
+ min_inodes = 1;
+ min_clusters = avefreec - EXT4_CLUSTERS_PER_GROUP(sb)*flex_size / 4;
++ if (min_clusters < 0)
++ min_clusters = 0;
+
+ /*
+ * Start looking in the flex group where we last allocated an
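Review bot: The clamp added after the `min_clusters` computation in `find_group_orlov()` has no comment, and the reason for it is not visible at this spot. According to the commit message, the value is later compared with an unsigned free-cluster count. I would add `/* compared against unsigned free_clusters below: a negative value would become huge */` above the `if`. The comparison itself lies outside the hunk.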
+--
+2.43.0
+
--- /dev/null
+From 1afd13a891ac90567dd1033d7eb71c92517c62a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 12:23:24 -0300
+Subject: ext4: avoid OOB when system.data xattr changes underneath the
+ filesystem
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ]
+
+When looking up for an entry in an inlined directory, if e_value_offs is
+changed underneath the filesystem by some change in the block device, it
+will lead to an out-of-bounds access that KASAN detects as an UAF.
+
+EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
+loop0: detected capacity change from 2048 to 2047
+==================================================================
+BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
+Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103
+
+CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
+ ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
+ __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
+ ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
+ ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
+ lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
+ filename_create+0x297/0x540 fs/namei.c:3980
+ do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
+ __do_sys_symlinkat fs/namei.c:4610 [inline]
+ __se_sys_symlinkat fs/namei.c:4607 [inline]
+ __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f3e73ced469
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
+RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
+RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
+RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
+R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
+R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
+ </TASK>
+
+Calling ext4_xattr_ibody_find right after reading the inode with
+ext4_get_inode_loc will lead to a check of the validity of the xattrs,
+avoiding this problem.
+
+Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79
+Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index 7b98b1bf1dc94..44a5f6df59ecd 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1664,25 +1664,36 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ struct ext4_dir_entry_2 **res_dir,
+ int *has_inline_data)
+ {
++ struct ext4_xattr_ibody_find is = {
++ .s = { .not_found = -ENODATA, },
++ };
++ struct ext4_xattr_info i = {
++ .name_index = EXT4_XATTR_INDEX_SYSTEM,
++ .name = EXT4_XATTR_SYSTEM_DATA,
++ };
+ int ret;
+- struct ext4_iloc iloc;
+ void *inline_start;
+ int inline_size;
+
+- ret = ext4_get_inode_loc(dir, &iloc);
++ ret = ext4_get_inode_loc(dir, &is.iloc);
+ if (ret)
+ return ERR_PTR(ret);
+
+ down_read(&EXT4_I(dir)->xattr_sem);
++
++ ret = ext4_xattr_ibody_find(dir, &i, &is);
++ if (ret)
++ goto out;
++
+ if (!ext4_has_inline_data(dir)) {
+ *has_inline_data = 0;
+ goto out;
+ }
+
+- inline_start = (void *)ext4_raw_inode(&iloc)->i_block +
++ inline_start = (void *)ext4_raw_inode(&is.iloc)->i_block +
+ EXT4_INLINE_DOTDOT_SIZE;
+ inline_size = EXT4_MIN_INLINE_DATA_SIZE - EXT4_INLINE_DOTDOT_SIZE;
+- ret = ext4_search_dir(iloc.bh, inline_start, inline_size,
++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
+ dir, fname, 0, res_dir);
+ if (ret == 1)
+ goto out_find;
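Review bot: The new `ext4_xattr_ibody_find()` call in `ext4_find_inline_entry()` is made only for the validation it performs on the in-inode xattrs. Nothing it fills in (`is.s`, including `is.s.not_found`) is read afterwards, which is easy to mistake for a leftover. A comment on the call would record the intent, e.g. `/* validates the in-inode xattr entries before the inline data position is derived from them */`. The call also runs before the `ext4_has_inline_data()` test, so a failure returns an `ERR_PTR` without `*has_inline_data` being written; confirm the caller does not read it on that path (the caller is not shown).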
+@@ -1692,23 +1703,23 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ if (ext4_get_inline_size(dir) == EXT4_MIN_INLINE_DATA_SIZE)
+ goto out;
+
+- inline_start = ext4_get_inline_xattr_pos(dir, &iloc);
++ inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc);
+ inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE;
+
+- ret = ext4_search_dir(iloc.bh, inline_start, inline_size,
++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
+ dir, fname, 0, res_dir);
+ if (ret == 1)
+ goto out_find;
+
+ out:
+- brelse(iloc.bh);
++ brelse(is.iloc.bh);
+ if (ret < 0)
+- iloc.bh = ERR_PTR(ret);
++ is.iloc.bh = ERR_PTR(ret);
+ else
+- iloc.bh = NULL;
++ is.iloc.bh = NULL;
+ out_find:
+ up_read(&EXT4_I(dir)->xattr_sem);
+- return iloc.bh;
++ return is.iloc.bh;
+ }
+
+ int ext4_delete_inline_entry(handle_t *handle,
+--
+2.43.0
+
--- /dev/null
+From 7cd582340013d47c5ba761c52e9f07c0fab7d428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 21:22:29 +0800
+Subject: ext4: avoid potential buffer_head leak in __ext4_new_inode()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit 227d31b9214d1b9513383cf6c7180628d4b3b61f ]
+
+If a group is marked EXT4_GROUP_INFO_IBITMAP_CORRUPT after it's inode
+bitmap buffer_head was successfully verified, then __ext4_new_inode()
+will get a valid inode_bitmap_bh of a corrupted group from
+ext4_read_inode_bitmap() in which case inode_bitmap_bh misses a release.
+Hnadle "IS_ERR(inode_bitmap_bh)" and group corruption separately like
+how ext4_free_inode() does to avoid buffer_head leak.
+
+Fixes: 9008a58e5dce ("ext4: make the bitmap read routines return real error codes")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Link: https://patch.msgid.link/20240820132234.2759926-3-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ialloc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index bf14450da35f4..de04f4400d926 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1054,12 +1054,13 @@ struct inode *__ext4_new_inode(struct mnt_idmap *idmap,
+ brelse(inode_bitmap_bh);
+ inode_bitmap_bh = ext4_read_inode_bitmap(sb, group);
+ /* Skip groups with suspicious inode tables */
+- if (((!(sbi->s_mount_state & EXT4_FC_REPLAY))
+- && EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) ||
+- IS_ERR(inode_bitmap_bh)) {
++ if (IS_ERR(inode_bitmap_bh)) {
+ inode_bitmap_bh = NULL;
+ goto next_group;
+ }
++ if (!(sbi->s_mount_state & EXT4_FC_REPLAY) &&
++ EXT4_MB_GRP_IBITMAP_CORRUPT(grp))
++ goto next_group;
+
+ repeat_in_this_group:
+ ret2 = find_inode_bit(sb, group, inode_bitmap_bh, &ino);
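Review bot: The comment `/* Skip groups with suspicious inode tables */` now sits above the `IS_ERR(inode_bitmap_bh)` test, while the check it describes is the `EXT4_MB_GRP_IBITMAP_CORRUPT(grp)` one that follows. Moving it down to that second `if`, and giving the first its own `/* bitmap could not be read */`, would match the split. The second `goto next_group` keeps a valid `inode_bitmap_bh`, so the fix depends on the `brelse(inode_bitmap_bh)` at the top of this hunk running on the next pass, and on a release after the loop, which is outside the hunk.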
+--
+2.43.0
+
--- /dev/null
+From 340578ef71c423f546c380f91b2c10c92731ceaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 12:50:57 +0530
+Subject: ext4: check stripe size compatibility on remount as well
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+[ Upstream commit ee85e0938aa8f9846d21e4d302c3cf6a2a75110d ]
+
+We disable stripe size in __ext4_fill_super if it is not a multiple of
+the cluster ratio however this check is missed when trying to remount.
+This can leave us with cases where stripe < cluster_ratio after
+remount:set making EXT4_B2C(sbi->s_stripe) become 0 that can cause some
+unforeseen bugs like divide by 0.
+
+Fix that by adding the check in remount path as well.
+
+Reported-by: syzbot+1ad8bac5af24d01e2cbd@syzkaller.appspotmail.com
+Tested-by: syzbot+1ad8bac5af24d01e2cbd@syzkaller.appspotmail.com
+Reviewed-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Fixes: c3defd99d58c ("ext4: treat stripe in block unit")
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://patch.msgid.link/3a493bb503c3598e25dcfbed2936bb2dff3fece7.1725002410.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/super.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index c682fb927b64b..edc692984404d 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5177,6 +5177,18 @@ static int ext4_block_group_meta_init(struct super_block *sb, int silent)
+ return 0;
+ }
+
++/*
++ * It's hard to get stripe aligned blocks if stripe is not aligned with
++ * cluster, just disable stripe and alert user to simplify code and avoid
++ * stripe aligned allocation which will rarely succeed.
++ */
++static bool ext4_is_stripe_incompatible(struct super_block *sb, unsigned long stripe)
++{
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
++ return (stripe > 0 && sbi->s_cluster_ratio > 1 &&
++ stripe % sbi->s_cluster_ratio != 0);
++}
++
+ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
+ {
+ struct ext4_super_block *es = NULL;
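Review bot: The comment moved onto `ext4_is_stripe_incompatible()` still says "just disable stripe and alert user", but the helper only tests. Warning and resetting are left to its two callers, which duplicate the same `ext4_msg()` text. I would reword it to `/* Return true if stripe is not a multiple of the cluster ratio; callers warn and set stripe to 0 */`. On style, the body wants a blank line after the `sbi` declaration, and the parentheses around the `return` expression can go.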
+@@ -5284,13 +5296,7 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
+ goto failed_mount3;
+
+ sbi->s_stripe = ext4_get_stripe_size(sbi);
+- /*
+- * It's hard to get stripe aligned blocks if stripe is not aligned with
+- * cluster, just disable stripe and alert user to simpfy code and avoid
+- * stripe aligned allocation which will rarely successes.
+- */
+- if (sbi->s_stripe > 0 && sbi->s_cluster_ratio > 1 &&
+- sbi->s_stripe % sbi->s_cluster_ratio != 0) {
++ if (ext4_is_stripe_incompatible(sb, sbi->s_stripe)) {
+ ext4_msg(sb, KERN_WARNING,
+ "stripe (%lu) is not aligned with cluster size (%u), "
+ "stripe is disabled",
+@@ -6453,6 +6459,15 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb)
+
+ }
+
++ if ((ctx->spec & EXT4_SPEC_s_stripe) &&
++ ext4_is_stripe_incompatible(sb, ctx->s_stripe)) {
++ ext4_msg(sb, KERN_WARNING,
++ "stripe (%lu) is not aligned with cluster size (%u), "
++ "stripe is disabled",
++ ctx->s_stripe, sbi->s_cluster_ratio);
++ ctx->s_stripe = 0;
++ }
++
+ /*
+ * Changing the DIOREAD_NOLOCK or DELALLOC mount options may cause
+ * two calls to ext4_should_dioread_nolock() to return inconsistent
+--
+2.43.0
+
--- /dev/null
+From 389105ce83ac4e8a912b36703733dcae43ff613f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Aug 2024 16:55:10 +0800
+Subject: ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard
+
+From: yangerkun <yangerkun@huawei.com>
+
+[ Upstream commit 20cee68f5b44fdc2942d20f3172a262ec247b117 ]
+
+Commit 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in
+ext4_group_info") speed up fstrim by skipping trim trimmed group. We
+also has the chance to clear trimmed once there exists some block free
+for this group(mount without discard), and the next trim for this group
+will work well too.
+
+For mount with discard, we will issue dicard when we free blocks, so
+leave trimmed flag keep alive to skip useless trim trigger from
+userspace seems reasonable. But for some case like ext4 build on
+dm-thinpool(ext4 blocksize 4K, pool blocksize 128K), discard from ext4
+maybe unaligned for dm thinpool, and thinpool will just finish this
+discard(see process_discard_bio when begein equals to end) without
+actually process discard. For this case, trim from userspace can really
+help us to free some thinpool block.
+
+So convert to clear trimmed flag for all case no matter mounted with
+discard or not.
+
+Fixes: 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in ext4_group_info")
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20240817085510.2084444-1-yangerkun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 9dda9cd68ab2f..dfecd25cee4ea 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -3887,11 +3887,8 @@ static void ext4_free_data_in_buddy(struct super_block *sb,
+ /*
+ * Clear the trimmed flag for the group so that the next
+ * ext4_trim_fs can trim it.
+- * If the volume is mounted with -o discard, online discard
+- * is supported and the free blocks will be trimmed online.
+ */
+- if (!test_opt(sb, DISCARD))
+- EXT4_MB_GRP_CLEAR_TRIMMED(db);
++ EXT4_MB_GRP_CLEAR_TRIMMED(db);
+
+ if (!db->bb_free_root.rb_node) {
+ /* No more items in the per group rb tree
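Review bot: The comment left above `EXT4_MB_GRP_CLEAR_TRIMMED(db)` in ext4_free_data_in_buddy no longer says why the flag is cleared even when online discard is active, which is the whole point of the change. I would extend it with something like `Clear it even with -o discard: an online discard may be unaligned for the underlying device and dropped without effect, so a later FITRIM must still be able to visit this group.` The now-unconditional clear in the ext4_mb_clear_bb hunk below also runs after the error branch that logs "failed with %d", and would benefit from a one-line comment saying that is intended. Both function bodies continue outside the hunks.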
+@@ -6515,8 +6512,9 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode,
+ " group:%u block:%d count:%lu failed"
+ " with %d", block_group, bit, count,
+ err);
+- } else
+- EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info);
++ }
++
++ EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info);
+
+ ext4_lock_group(sb, block_group);
+ mb_free_blocks(inode, &e4b, bit, count_clusters);
+--
+2.43.0
+
--- /dev/null
+From fd3a969cbc7921e47ab312335d9e01111c0a8cf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 12:23:22 -0300
+Subject: ext4: return error on ext4_find_inline_entry
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ]
+
+In case of errors when reading an inode from disk or traversing inline
+directory entries, return an error-encoded ERR_PTR instead of returning
+NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns
+such encoded errors.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index e7a09a99837b9..7b98b1bf1dc94 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1669,8 +1669,9 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ void *inline_start;
+ int inline_size;
+
+- if (ext4_get_inode_loc(dir, &iloc))
+- return NULL;
++ ret = ext4_get_inode_loc(dir, &iloc);
++ if (ret)
++ return ERR_PTR(ret);
+
+ down_read(&EXT4_I(dir)->xattr_sem);
+ if (!ext4_has_inline_data(dir)) {
+@@ -1701,7 +1702,10 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+
+ out:
+ brelse(iloc.bh);
+- iloc.bh = NULL;
++ if (ret < 0)
++ iloc.bh = ERR_PTR(ret);
++ else
++ iloc.bh = NULL;
+ out_find:
+ up_read(&EXT4_I(dir)->xattr_sem);
+ return iloc.bh;
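Review bot: With `iloc.bh = ERR_PTR(ret)` at `out:` and `return ERR_PTR(ret)` in the first hunk, ext4_find_inline_entry now has three outcomes (a buffer_head, NULL, or an error pointer), but nothing on the function states that. A caller that only tests the result for NULL would treat an error pointer as a valid buffer_head, so I would add a header comment such as `Returns the buffer_head on a match, NULL when no entry is found, or an ERR_PTR() on read or traversal failure; callers must check IS_ERR() before use.` The `out:` branch also relies on `ret` being assigned on every path that jumps there; the declaration and those jumps are outside the hunk, so that is worth confirming.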
+--
+2.43.0
+
--- /dev/null
+From 7ec4bd8a381e485ac956456b90714b937bed953d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jun 2024 11:13:48 +0800
+Subject: f2fs: atomic: fix to avoid racing w/ GC
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 1a0bd289a5db1df8df8fab949633a0b8d3f235ee ]
+
+Case #1:
+SQLite App GC Thread Kworker Shrinker
+- f2fs_ioc_start_atomic_write
+
+- f2fs_ioc_commit_atomic_write
+ - f2fs_commit_atomic_write
+ - filemap_write_and_wait_range
+ : write atomic_file's data to cow_inode
+ echo 3 > drop_caches
+ to drop atomic_file's
+ cache.
+ - f2fs_gc
+ - gc_data_segment
+ - move_data_page
+ - set_page_dirty
+
+ - writepages
+ - f2fs_do_write_data_page
+ : overwrite atomic_file's data
+ to cow_inode
+ - f2fs_down_write(&fi->i_gc_rwsem[WRITE])
+ - __f2fs_commit_atomic_write
+ - f2fs_up_write(&fi->i_gc_rwsem[WRITE])
+
+Case #2:
+SQLite App GC Thread Kworker
+- f2fs_ioc_start_atomic_write
+
+ - __writeback_single_inode
+ - do_writepages
+ - f2fs_write_cache_pages
+ - f2fs_write_single_data_page
+ - f2fs_do_write_data_page
+ : write atomic_file's data to cow_inode
+ - f2fs_gc
+ - gc_data_segment
+ - move_data_page
+ - set_page_dirty
+
+ - writepages
+ - f2fs_do_write_data_page
+ : overwrite atomic_file's data to cow_inode
+- f2fs_ioc_commit_atomic_write
+
+In above cases racing in between atomic_write and GC, previous
+data in atomic_file may be overwritten to cow_file, resulting in
+data corruption.
+
+This patch introduces PAGE_PRIVATE_ATOMIC_WRITE bit flag in page.private,
+and use it to indicate that there is last dirty data in atomic file,
+and the data should be writebacked into cow_file, if the flag is not
+tagged in page, we should never write data across files.
+
+Fixes: 3db1de0e582c ("f2fs: change the current atomic write way")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 10 +++++++++-
+ fs/f2fs/f2fs.h | 8 +++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 467f67cf2b380..825f6bcb7fc2e 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2645,10 +2645,13 @@ int f2fs_do_write_data_page(struct f2fs_io_info *fio)
+ struct dnode_of_data dn;
+ struct node_info ni;
+ bool ipu_force = false;
++ bool atomic_commit;
+ int err = 0;
+
+ /* Use COW inode to make dnode_of_data for atomic write */
+- if (f2fs_is_atomic_file(inode))
++ atomic_commit = f2fs_is_atomic_file(inode) &&
++ page_private_atomic(fio->page);
++ if (atomic_commit)
+ set_new_dnode(&dn, F2FS_I(inode)->cow_inode, NULL, NULL, 0);
+ else
+ set_new_dnode(&dn, inode, NULL, NULL, 0);
+@@ -2747,6 +2750,8 @@ int f2fs_do_write_data_page(struct f2fs_io_info *fio)
+ f2fs_outplace_write_data(&dn, fio);
+ trace_f2fs_do_write_data_page(page_folio(page), OPU);
+ set_inode_flag(inode, FI_APPEND_WRITE);
++ if (atomic_commit)
++ clear_page_private_atomic(page);
+ out_writepage:
+ f2fs_put_dnode(&dn);
+ out:
+@@ -3716,6 +3721,9 @@ static int f2fs_write_end(struct file *file,
+
+ set_page_dirty(page);
+
++ if (f2fs_is_atomic_file(inode))
++ set_page_private_atomic(page);
++
+ if (pos + copied > i_size_read(inode) &&
+ !f2fs_verity_in_progress(inode)) {
+ f2fs_i_size_write(inode, pos + copied);
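Review bot: `set_page_private_atomic(page)` is applied after `set_page_dirty(page)` and only in f2fs_write_end, so whether f2fs_do_write_data_page picks cow_inode depends on the page having come through this one path. Presumably the page is still locked here, which keeps writeback from seeing it dirty without the flag, but that is not visible in the hunk; a short comment stating the reliance on the page lock, or setting the flag before dirtying, would make the ordering explicit. It is also worth confirming that pages of an atomic file dirtied by other routes (for example a write fault on a mapping) are meant to be written to the original inode, since after this change they no longer go to cow_inode. The function body continues outside the hunk.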
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 92fda31c68cdc..ba2b9f2db10e6 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1418,7 +1418,8 @@ static inline void f2fs_clear_bit(unsigned int nr, char *addr);
+ * bit 1 PAGE_PRIVATE_ONGOING_MIGRATION
+ * bit 2 PAGE_PRIVATE_INLINE_INODE
+ * bit 3 PAGE_PRIVATE_REF_RESOURCE
+- * bit 4- f2fs private data
++ * bit 4 PAGE_PRIVATE_ATOMIC_WRITE
++ * bit 5- f2fs private data
+ *
+ * Layout B: lowest bit should be 0
+ * page.private is a wrapped pointer.
+@@ -1428,6 +1429,7 @@ enum {
+ PAGE_PRIVATE_ONGOING_MIGRATION, /* data page which is on-going migrating */
+ PAGE_PRIVATE_INLINE_INODE, /* inode page contains inline data */
+ PAGE_PRIVATE_REF_RESOURCE, /* dirty page has referenced resources */
++ PAGE_PRIVATE_ATOMIC_WRITE, /* data page from atomic write path */
+ PAGE_PRIVATE_MAX
+ };
+
+@@ -2396,14 +2398,17 @@ static inline void clear_page_private_##name(struct page *page) \
+ PAGE_PRIVATE_GET_FUNC(nonpointer, NOT_POINTER);
+ PAGE_PRIVATE_GET_FUNC(inline, INLINE_INODE);
+ PAGE_PRIVATE_GET_FUNC(gcing, ONGOING_MIGRATION);
++PAGE_PRIVATE_GET_FUNC(atomic, ATOMIC_WRITE);
+
+ PAGE_PRIVATE_SET_FUNC(reference, REF_RESOURCE);
+ PAGE_PRIVATE_SET_FUNC(inline, INLINE_INODE);
+ PAGE_PRIVATE_SET_FUNC(gcing, ONGOING_MIGRATION);
++PAGE_PRIVATE_SET_FUNC(atomic, ATOMIC_WRITE);
+
+ PAGE_PRIVATE_CLEAR_FUNC(reference, REF_RESOURCE);
+ PAGE_PRIVATE_CLEAR_FUNC(inline, INLINE_INODE);
+ PAGE_PRIVATE_CLEAR_FUNC(gcing, ONGOING_MIGRATION);
++PAGE_PRIVATE_CLEAR_FUNC(atomic, ATOMIC_WRITE);
+
+ static inline unsigned long get_page_private_data(struct page *page)
+ {
+@@ -2435,6 +2440,7 @@ static inline void clear_page_private_all(struct page *page)
+ clear_page_private_reference(page);
+ clear_page_private_gcing(page);
+ clear_page_private_inline(page);
++ clear_page_private_atomic(page);
+
+ f2fs_bug_on(F2FS_P_SB(page), page_private(page));
+ }
+--
+2.43.0
+
--- /dev/null
+From f508f6e7e97961b139669be5b63ab4be77c5c06f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 18:24:35 +0800
+Subject: f2fs: atomic: fix to truncate pagecache before on-disk metadata
+ truncation
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit ebd3309aec6271c4616573b0cb83ea25e623070a ]
+
+We should always truncate pagecache while truncating on-disk data.
+
+Fixes: a46bebd502fe ("f2fs: synchronize atomic write aborts")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 8425fc33ea403..b2763cde3f582 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2185,6 +2185,10 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate)
+ F2FS_I(fi->cow_inode)->atomic_inode = inode;
+ } else {
+ /* Reuse the already created COW inode */
++ f2fs_bug_on(sbi, get_dirty_pages(fi->cow_inode));
++
++ invalidate_mapping_pages(fi->cow_inode->i_mapping, 0, -1);
++
+ ret = f2fs_do_truncate_blocks(fi->cow_inode, 0, true);
+ if (ret) {
+ f2fs_up_write(&fi->i_gc_rwsem[WRITE]);
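Review bot: `invalidate_mapping_pages(fi->cow_inode->i_mapping, 0, -1)` is best-effort: it skips pages that are dirty, locked, under writeback or mapped, and its return value is ignored here, so the page cache can still hold stale cow_inode pages when `f2fs_do_truncate_blocks()` runs. The `f2fs_bug_on()` above covers only the dirty case, and since this function appears to be an ioctl handler, an assertion that can fire would presumably become a crash on builds where f2fs_bug_on is fatal. If the intent is the unconditional drop the subject line describes, `truncate_inode_pages(fi->cow_inode->i_mapping, 0);` would be the usual call; whether it is safe under the locks held here is outside the hunk and needs confirming.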
+--
+2.43.0
+
--- /dev/null
+From 907963427b4c3d24de694236accdb024f62714b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 17:34:30 +0900
+Subject: f2fs: compress: don't redirty sparse cluster during {,de}compress
+
+From: Yeongjin Gil <youngjin.gil@samsung.com>
+
+[ Upstream commit f785cec298c95d00058560c0715233294a04b8f3 ]
+
+In f2fs_do_write_data_page, when the data block is NULL_ADDR, it skips
+writepage considering that it has been already truncated.
+This results in an infinite loop as the PAGECACHE_TAG_TOWRITE tag is not
+cleared during the writeback process for a compressed file including
+NULL_ADDR in compress_mode=user.
+
+This is the reproduction process:
+
+1. dd if=/dev/zero bs=4096 count=1024 seek=1024 of=testfile
+2. f2fs_io compress testfile
+3. dd if=/dev/zero bs=4096 count=1 conv=notrunc of=testfile
+4. f2fs_io decompress testfile
+
+To prevent the problem, let's check whether the cluster is fully
+allocated before redirty its pages.
+
+Fixes: 5fdb322ff2c2 ("f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE")
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Sunmin Jeong <s_min.jeong@samsung.com>
+Tested-by: Jaewook Kim <jw5454.kim@samsung.com>
+Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/compress.c | 36 ++++++++++++++++++++++++++++--------
+ fs/f2fs/f2fs.h | 12 ++++++++++++
+ fs/f2fs/file.c | 39 +++++++++++++++++++++------------------
+ 3 files changed, 61 insertions(+), 26 deletions(-)
+
+diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
+index 1ef82a5463910..b0506745adab7 100644
+--- a/fs/f2fs/compress.c
++++ b/fs/f2fs/compress.c
+@@ -945,7 +945,7 @@ static int __f2fs_get_cluster_blocks(struct inode *inode,
+ unsigned int cluster_size = F2FS_I(inode)->i_cluster_size;
+ int count, i;
+
+- for (i = 1, count = 1; i < cluster_size; i++) {
++ for (i = 0, count = 0; i < cluster_size; i++) {
+ block_t blkaddr = data_blkaddr(dn->inode, dn->node_page,
+ dn->ofs_in_node + i);
+
+@@ -956,8 +956,8 @@ static int __f2fs_get_cluster_blocks(struct inode *inode,
+ return count;
+ }
+
+-static int __f2fs_cluster_blocks(struct inode *inode,
+- unsigned int cluster_idx, bool compr_blks)
++static int __f2fs_cluster_blocks(struct inode *inode, unsigned int cluster_idx,
++ enum cluster_check_type type)
+ {
+ struct dnode_of_data dn;
+ unsigned int start_idx = cluster_idx <<
+@@ -978,10 +978,12 @@ static int __f2fs_cluster_blocks(struct inode *inode,
+ }
+
+ if (dn.data_blkaddr == COMPRESS_ADDR) {
+- if (compr_blks)
+- ret = __f2fs_get_cluster_blocks(inode, &dn);
+- else
++ if (type == CLUSTER_COMPR_BLKS)
++ ret = 1 + __f2fs_get_cluster_blocks(inode, &dn);
++ else if (type == CLUSTER_IS_COMPR)
+ ret = 1;
++ } else if (type == CLUSTER_RAW_BLKS) {
++ ret = __f2fs_get_cluster_blocks(inode, &dn);
+ }
+ fail:
+ f2fs_put_dnode(&dn);
+@@ -991,7 +993,16 @@ static int __f2fs_cluster_blocks(struct inode *inode,
+ /* return # of compressed blocks in compressed cluster */
+ static int f2fs_compressed_blocks(struct compress_ctx *cc)
+ {
+- return __f2fs_cluster_blocks(cc->inode, cc->cluster_idx, true);
++ return __f2fs_cluster_blocks(cc->inode, cc->cluster_idx,
++ CLUSTER_COMPR_BLKS);
++}
++
++/* return # of raw blocks in non-compressed cluster */
++static int f2fs_decompressed_blocks(struct inode *inode,
++ unsigned int cluster_idx)
++{
++ return __f2fs_cluster_blocks(inode, cluster_idx,
++ CLUSTER_RAW_BLKS);
+ }
+
+ /* return whether cluster is compressed one or not */
+@@ -999,7 +1010,16 @@ int f2fs_is_compressed_cluster(struct inode *inode, pgoff_t index)
+ {
+ return __f2fs_cluster_blocks(inode,
+ index >> F2FS_I(inode)->i_log_cluster_size,
+- false);
++ CLUSTER_IS_COMPR);
++}
++
++/* return whether cluster contains non raw blocks or not */
++bool f2fs_is_sparse_cluster(struct inode *inode, pgoff_t index)
++{
++ unsigned int cluster_idx = index >> F2FS_I(inode)->i_log_cluster_size;
++
++ return f2fs_decompressed_blocks(inode, cluster_idx) !=
++ F2FS_I(inode)->i_cluster_size;
+ }
+
+ static bool cluster_may_compress(struct compress_ctx *cc)
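Review bot: f2fs_is_sparse_cluster compares the `int` result of f2fs_decompressed_blocks() with `i_cluster_size` using `!=`, so a negative errno from __f2fs_cluster_blocks() (its `fail:` label is visible in the earlier hunk) is reported as "sparse" and the lookup failure is lost. In f2fs_ioc_compress_file that means a cluster whose dnode could not be read is skipped without any error reaching the caller. The same folding happens for a compressed cluster under CLUSTER_RAW_BLKS, where `ret` keeps its initial value (declared outside the hunk). I would either return the error to the caller or document the choice, e.g. `/* lookup errors are treated as sparse, i.e. the cluster is skipped */`.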
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index e2867036af9f5..dbae5d4417910 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -4288,6 +4288,11 @@ static inline bool f2fs_meta_inode_gc_required(struct inode *inode)
+ * compress.c
+ */
+ #ifdef CONFIG_F2FS_FS_COMPRESSION
++enum cluster_check_type {
++ CLUSTER_IS_COMPR, /* check only if compressed cluster */
++ CLUSTER_COMPR_BLKS, /* return # of compressed blocks in a cluster */
++ CLUSTER_RAW_BLKS /* return # of raw blocks in a cluster */
++};
+ bool f2fs_is_compressed_page(struct page *page);
+ struct page *f2fs_compress_control_page(struct page *page);
+ int f2fs_prepare_compress_overwrite(struct inode *inode,
+@@ -4314,6 +4319,7 @@ int f2fs_write_multi_pages(struct compress_ctx *cc,
+ struct writeback_control *wbc,
+ enum iostat_type io_type);
+ int f2fs_is_compressed_cluster(struct inode *inode, pgoff_t index);
++bool f2fs_is_sparse_cluster(struct inode *inode, pgoff_t index);
+ void f2fs_update_read_extent_tree_range_compressed(struct inode *inode,
+ pgoff_t fofs, block_t blkaddr,
+ unsigned int llen, unsigned int c_len);
+@@ -4400,6 +4406,12 @@ static inline bool f2fs_load_compressed_page(struct f2fs_sb_info *sbi,
+ static inline void f2fs_invalidate_compress_pages(struct f2fs_sb_info *sbi,
+ nid_t ino) { }
+ #define inc_compr_inode_stat(inode) do { } while (0)
++static inline int f2fs_is_compressed_cluster(
++ struct inode *inode,
++ pgoff_t index) { return 0; }
++static inline bool f2fs_is_sparse_cluster(
++ struct inode *inode,
++ pgoff_t index) { return true; }
+ static inline void f2fs_update_read_extent_tree_range_compressed(
+ struct inode *inode,
+ pgoff_t fofs, block_t blkaddr,
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 17a771bc85729..5a9c5652776c2 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -4213,9 +4213,8 @@ static int f2fs_ioc_decompress_file(struct file *filp)
+ struct inode *inode = file_inode(filp);
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct f2fs_inode_info *fi = F2FS_I(inode);
+- pgoff_t page_idx = 0, last_idx;
+- int cluster_size = fi->i_cluster_size;
+- int count, ret;
++ pgoff_t page_idx = 0, last_idx, cluster_idx;
++ int ret;
+
+ if (!f2fs_sb_has_compression(sbi) ||
+ F2FS_OPTION(sbi).compress_mode != COMPR_MODE_USER)
+@@ -4248,10 +4247,15 @@ static int f2fs_ioc_decompress_file(struct file *filp)
+ goto out;
+
+ last_idx = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
++ last_idx >>= fi->i_log_cluster_size;
++
++ for (cluster_idx = 0; cluster_idx < last_idx; cluster_idx++) {
++ page_idx = cluster_idx << fi->i_log_cluster_size;
++
++ if (!f2fs_is_compressed_cluster(inode, page_idx))
++ continue;
+
+- count = last_idx - page_idx;
+- while (count && count >= cluster_size) {
+- ret = redirty_blocks(inode, page_idx, cluster_size);
++ ret = redirty_blocks(inode, page_idx, fi->i_cluster_size);
+ if (ret < 0)
+ break;
+
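Review bot: The new `continue` for clusters that are not compressed jumps past `cond_resched()` and the `fatal_signal_pending(current)` check at the bottom of the loop (visible in the next hunk), while each skipped iteration still performs a cluster lookup. On a large file where most clusters are skipped, the ioctl can run for a long time without a reschedule point and without reacting to a fatal signal. Moving the reschedule and signal check to the top of the loop body, before the skip test, keeps both properties; the same applies to the `f2fs_is_sparse_cluster()` skip in f2fs_ioc_compress_file. The loop's tail is outside this hunk.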
+@@ -4261,9 +4265,6 @@ static int f2fs_ioc_decompress_file(struct file *filp)
+ break;
+ }
+
+- count -= cluster_size;
+- page_idx += cluster_size;
+-
+ cond_resched();
+ if (fatal_signal_pending(current)) {
+ ret = -EINTR;
+@@ -4290,9 +4291,9 @@ static int f2fs_ioc_compress_file(struct file *filp)
+ {
+ struct inode *inode = file_inode(filp);
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+- pgoff_t page_idx = 0, last_idx;
+- int cluster_size = F2FS_I(inode)->i_cluster_size;
+- int count, ret;
++ struct f2fs_inode_info *fi = F2FS_I(inode);
++ pgoff_t page_idx = 0, last_idx, cluster_idx;
++ int ret;
+
+ if (!f2fs_sb_has_compression(sbi) ||
+ F2FS_OPTION(sbi).compress_mode != COMPR_MODE_USER)
+@@ -4324,10 +4325,15 @@ static int f2fs_ioc_compress_file(struct file *filp)
+ set_inode_flag(inode, FI_ENABLE_COMPRESS);
+
+ last_idx = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
++ last_idx >>= fi->i_log_cluster_size;
+
+- count = last_idx - page_idx;
+- while (count && count >= cluster_size) {
+- ret = redirty_blocks(inode, page_idx, cluster_size);
++ for (cluster_idx = 0; cluster_idx < last_idx; cluster_idx++) {
++ page_idx = cluster_idx << fi->i_log_cluster_size;
++
++ if (f2fs_is_sparse_cluster(inode, page_idx))
++ continue;
++
++ ret = redirty_blocks(inode, page_idx, fi->i_cluster_size);
+ if (ret < 0)
+ break;
+
+@@ -4337,9 +4343,6 @@ static int f2fs_ioc_compress_file(struct file *filp)
+ break;
+ }
+
+- count -= cluster_size;
+- page_idx += cluster_size;
+-
+ cond_resched();
+ if (fatal_signal_pending(current)) {
+ ret = -EINTR;
+--
+2.43.0
+
--- /dev/null
+From 61b3054a4db169ad29cff4be5d508437437f1194 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 16:32:44 +0900
+Subject: f2fs: Create COW inode from parent dentry for atomic write
+
+From: Yeongjin Gil <youngjin.gil@samsung.com>
+
+[ Upstream commit 8c1b787938fd86bab27a1492fa887408c75fec2b ]
+
+The i_pino in f2fs_inode_info has the previous parent's i_ino when inode
+was renamed, which may cause f2fs_ioc_start_atomic_write to fail.
+If file_wrong_pino is true and i_nlink is 1, then to find a valid pino,
+we should refer to the dentry from inode.
+
+To resolve this issue, let's get parent inode using parent dentry
+directly.
+
+Fixes: 3db1de0e582c ("f2fs: change the current atomic write way")
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Sunmin Jeong <s_min.jeong@samsung.com>
+Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
+Reviewed-by: Daeho Jeong <daehojeong@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index ad326c0ab5bd7..19da00ab31aeb 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2120,7 +2120,6 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate)
+ struct mnt_idmap *idmap = file_mnt_idmap(filp);
+ struct f2fs_inode_info *fi = F2FS_I(inode);
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+- struct inode *pinode;
+ loff_t isize;
+ int ret;
+
+@@ -2170,15 +2169,10 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate)
+ /* Check if the inode already has a COW inode */
+ if (fi->cow_inode == NULL) {
+ /* Create a COW inode for atomic write */
+- pinode = f2fs_iget(inode->i_sb, fi->i_pino);
+- if (IS_ERR(pinode)) {
+- f2fs_up_write(&fi->i_gc_rwsem[WRITE]);
+- ret = PTR_ERR(pinode);
+- goto out;
+- }
++ struct dentry *dentry = file_dentry(filp);
++ struct inode *dir = d_inode(dentry->d_parent);
+
+- ret = f2fs_get_tmpfile(idmap, pinode, &fi->cow_inode);
+- iput(pinode);
++ ret = f2fs_get_tmpfile(idmap, dir, &fi->cow_inode);
+ if (ret) {
+ f2fs_up_write(&fi->i_gc_rwsem[WRITE]);
+ goto out;
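Review bot: `d_inode(dentry->d_parent)` reads the parent without taking a reference and without a lock that is visible in this hunk, so a concurrent rename could change `d_parent` while `dir` is passed to f2fs_get_tmpfile(). The removed code pinned the parent with f2fs_iget()/iput(). Unless a lock taken earlier in f2fs_ioc_start_atomic_write (outside the hunk) excludes rename, I would hold the parent explicitly: `struct dentry *parent = dget_parent(file_dentry(filp));`, pass `d_inode(parent)`, then `dput(parent);` after the call.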
+--
+2.43.0
+
--- /dev/null
+From 30a84ff265b7511eafd4101252d3d779a7754275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 15:15:21 +0800
+Subject: f2fs: fix to avoid racing in between read and OPU dio write
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 0cac51185e65dc2a20686184e02f3cafc99eb202 ]
+
+If lfs mode is on, buffered read may race w/ OPU dio write as below,
+it may cause buffered read hits unwritten data unexpectedly, and for
+dio read, the race condition exists as well.
+
+Thread A Thread B
+- f2fs_file_write_iter
+ - f2fs_dio_write_iter
+ - __iomap_dio_rw
+ - f2fs_iomap_begin
+ - f2fs_map_blocks
+ - __allocate_data_block
+ - allocated blkaddr #x
+ - iomap_dio_submit_bio
+ - f2fs_file_read_iter
+ - filemap_read
+ - f2fs_read_data_folio
+ - f2fs_mpage_readpages
+ - f2fs_map_blocks
+ : get blkaddr #x
+ - f2fs_submit_read_bio
+ IRQ
+ - f2fs_read_end_io
+ : read IO on blkaddr #x complete
+IRQ
+- iomap_dio_bio_end_io
+ : direct write IO on blkaddr #x complete
+
+In LFS mode, if there is inflight dio, let's wait for its completion,
+this policy won't cover all race cases, however it is a tradeoff which
+avoids abusing lock around IO paths.
+
+Fixes: f847c699cff3 ("f2fs: allow out-place-update for direct IO in LFS mode")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index fa6299a88492f..ad326c0ab5bd7 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -4590,6 +4590,10 @@ static ssize_t f2fs_file_read_iter(struct kiocb *iocb, struct iov_iter *to)
+ f2fs_trace_rw_file_path(iocb->ki_filp, iocb->ki_pos,
+ iov_iter_count(to), READ);
+
++ /* In LFS mode, if there is inflight dio, wait for its completion */
++ if (f2fs_lfs_mode(F2FS_I_SB(inode)))
++ inode_dio_wait(inode);
++
+ if (f2fs_should_use_dio(inode, iocb, to)) {
+ ret = f2fs_dio_read_iter(iocb, to);
+ } else {
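Review bot: `inode_dio_wait(inode)` sleeps unconditionally, so a read issued with IOCB_NOWAIT would block here in LFS mode whenever a direct write is in flight; the hunk shows no check of `iocb->ki_flags` before the wait. If this function can be reached with that flag, I would return -EAGAIN for non-blocking callers instead of waiting. The added comment should also say what the commit message admits, for example `/* best effort: a dio write submitted after this wait can still race with the read */`, so the residual window is not mistaken for a guarantee. The function body continues outside the hunk.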
+--
+2.43.0
+
--- /dev/null
+From edb0fad56242068b4e1f0cc7b22caae1ef9172ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 09:08:55 +0800
+Subject: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit c7f114d864ac91515bb07ac271e9824a20f5ed95 ]
+
+syzbot reports a f2fs bug as below:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ print_report+0xe8/0x550 mm/kasan/report.c:491
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
+ atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
+ __refcount_add include/linux/refcount.h:184 [inline]
+ __refcount_inc include/linux/refcount.h:241 [inline]
+ refcount_inc include/linux/refcount.h:258 [inline]
+ get_task_struct include/linux/sched/task.h:118 [inline]
+ kthread_stop+0xca/0x630 kernel/kthread.c:704
+ f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
+ f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
+ f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
+ __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is below race condition, it may cause use-after-free
+issue in sbi->gc_th pointer.
+
+- remount
+ - f2fs_remount
+ - f2fs_stop_gc_thread
+ - kfree(gc_th)
+ - f2fs_ioc_shutdown
+ - f2fs_do_shutdown
+ - f2fs_stop_gc_thread
+ - kthread_stop(gc_th->f2fs_gc_task)
+ : sbi->gc_thread = NULL;
+
+We will call f2fs_do_shutdown() in two paths:
+- for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
+for fixing.
+- for f2fs_shutdown() path, it's safe since caller has already grabbed
+sb->s_umount semaphore.
+
+Reported-by: syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/0000000000005c7ccb061e032b9b@google.com
+Fixes: 7950e9ac638e ("f2fs: stop gc/discard thread after fs shutdown")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ fs/f2fs/file.c | 11 +++++++++--
+ fs/f2fs/super.c | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index c7bc3ba59a31f..e2867036af9f5 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3509,7 +3509,7 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ int f2fs_truncate_hole(struct inode *inode, pgoff_t pg_start, pgoff_t pg_end);
+ void f2fs_truncate_data_blocks_range(struct dnode_of_data *dn, int count);
+ int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag,
+- bool readonly);
++ bool readonly, bool need_lock);
+ int f2fs_precache_extents(struct inode *inode);
+ int f2fs_fileattr_get(struct dentry *dentry, struct fileattr *fa);
+ int f2fs_fileattr_set(struct mnt_idmap *idmap,
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index b2763cde3f582..17a771bc85729 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2281,7 +2281,7 @@ static int f2fs_ioc_abort_atomic_write(struct file *filp)
+ }
+
+ int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag,
+- bool readonly)
++ bool readonly, bool need_lock)
+ {
+ struct super_block *sb = sbi->sb;
+ int ret = 0;
+@@ -2328,12 +2328,19 @@ int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag,
+ if (readonly)
+ goto out;
+
++ /* grab sb->s_umount to avoid racing w/ remount() */
++ if (need_lock)
++ down_read(&sbi->sb->s_umount);
++
+ f2fs_stop_gc_thread(sbi);
+ f2fs_stop_discard_thread(sbi);
+
+ f2fs_drop_discard_cmd(sbi);
+ clear_opt(sbi, DISCARD);
+
++ if (need_lock)
++ up_read(&sbi->sb->s_umount);
++
+ f2fs_update_time(sbi, REQ_TIME);
+ out:
+
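Review bot: Locking that depends on a `bool need_lock` argument leaves the `false` case unchecked: f2fs_shutdown() passes `false` on the assumption that its caller already holds `sb->s_umount`, and nothing enforces that. I would add `else lockdep_assert_held(&sb->s_umount);` after the `down_read()` branch and document the parameter on the function, e.g. `@need_lock: take sb->s_umount around thread teardown; pass false only when the caller already holds it`. The hunk also spells the lock as `sbi->sb->s_umount` although a local `sb` is initialised at the top of the function (previous hunk). In the ioctl path the semaphore is taken before `mnt_drop_write_file(filp)` runs (next hunk), so the lock order against freeze and remount deserves a check.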
+@@ -2370,7 +2377,7 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg)
+ }
+ }
+
+- ret = f2fs_do_shutdown(sbi, in, readonly);
++ ret = f2fs_do_shutdown(sbi, in, readonly, true);
+
+ if (need_drop)
+ mnt_drop_write_file(filp);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 1f1b3647a998c..832c052dd94bc 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2571,7 +2571,7 @@ static int f2fs_remount(struct super_block *sb, int *flags, char *data)
+
+ static void f2fs_shutdown(struct super_block *sb)
+ {
+- f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false);
++ f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false, false);
+ }
+
+ #ifdef CONFIG_QUOTA
+--
+2.43.0
+
--- /dev/null
+From db2a69b4cec2949c7f9178ff9ef9913dfef0b810 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 11:07:13 +0800
+Subject: f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 930c6ab93492c4b15436524e704950b364b2930c ]
+
+syzbot reports a f2fs bug as below:
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
+CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0
+Workqueue: events destroy_super_work
+RIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
+Call Trace:
+ percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42
+ destroy_super_work+0xec/0x130 fs/super.c:282
+ process_one_work kernel/workqueue.c:3231 [inline]
+ process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
+ worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+As Christian Brauner pointed out [1]: the root cause is f2fs sets
+SB_RDONLY flag in internal function, rather than setting the flag
+covered w/ sb->s_umount semaphore via remount procedure, then below
+race condition causes this bug:
+
+- freeze_super()
+ - sb_wait_write(sb, SB_FREEZE_WRITE)
+ - sb_wait_write(sb, SB_FREEZE_PAGEFAULT)
+ - sb_wait_write(sb, SB_FREEZE_FS)
+ - f2fs_handle_critical_error
+ - sb->s_flags |= SB_RDONLY
+- thaw_super
+ - thaw_super_locked
+ - sb_rdonly() is true, so it skips
+ sb_freeze_unlock(sb, SB_FREEZE_FS)
+ - deactivate_locked_super
+
+Since f2fs has almost the same logic as ext4 [2] when handling critical
+error in filesystem if it mounts w/ errors=remount-ro option:
+- set CP_ERROR_FLAG flag which indicates filesystem is stopped
+- record errors to superblock
+- set SB_RDONLY flag
+Once we set CP_ERROR_FLAG flag, all writable interfaces can detect the
+flag and stop any further updates on filesystem. So, it is safe to not
+set SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3].
+
+[1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner
+[2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3
+[3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz
+
+Fixes: b62e71be2110 ("f2fs: support errors=remount-ro|continue|panic mountoption")
+Reported-by: syzbot+20d7e439f76bbbd863a7@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000b90a8e061e21d12f@google.com/
+Cc: Jan Kara <jack@suse.cz>
+Cc: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 832c052dd94bc..f897e416b7e6d 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4183,12 +4183,14 @@ void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason,
+ }
+
+ f2fs_warn(sbi, "Remounting filesystem read-only");
++
+ /*
+- * Make sure updated value of ->s_mount_flags will be visible before
+- * ->s_flags update
++ * We have already set CP_ERROR_FLAG flag to stop all updates
++ * to filesystem, so it doesn't need to set SB_RDONLY flag here
++ * because the flag should be set covered w/ sb->s_umount semaphore
++ * via remount procedure, otherwise, it will confuse code like
++ * freeze_super() which will lead to deadlocks and other problems.
+ */
+- smp_wmb();
+- sb->s_flags |= SB_RDONLY;
+ }
+
+ static void f2fs_record_error_work(struct work_struct *work)
+--
+2.43.0
+
--- /dev/null
+From 48eae27623165f69b42c00893102c9cc4a5570cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 22:12:42 +0800
+Subject: f2fs: fix to wait page writeback before setting gcing flag
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit a4d7f2b3238fd5f76b9e6434a0bd5d2e29049cff ]
+
+Soft IRQ Thread
+- f2fs_write_end_io
+ - f2fs_defragment_range
+ - set_page_private_gcing
+ - type = WB_DATA_TYPE(page, false);
+ : assign type w/ F2FS_WB_CP_DATA
+ due to page_private_gcing() is true
+ - dec_page_count() w/ wrong type
+ - end_page_writeback()
+
+Value of F2FS_WB_CP_DATA reference count may become negative under above
+race condition, the root cause is we missed to wait page writeback before
+setting gcing page private flag, let's fix it.
+
+Fixes: 2d1fe8a86bf5 ("f2fs: fix to tag gcing flag on page during file defragment")
+Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 19da00ab31aeb..8425fc33ea403 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2791,6 +2791,8 @@ static int f2fs_defragment_range(struct f2fs_sb_info *sbi,
+ goto clear_out;
+ }
+
++ f2fs_wait_on_page_writeback(page, DATA, true, true);
++
+ set_page_dirty(page);
+ set_page_private_gcing(page);
+ f2fs_put_page(page, 1);
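Review bot: The added `f2fs_wait_on_page_writeback(page, DATA, true, true);` has no comment explaining why it must come before `set_page_private_gcing(page)`, so a later cleanup could reorder or drop it. The reason is given only in the commit message: a write-end handler still running for the page would see the gcing flag and decrement the wrong writeback counter. A short comment such as `/* wait for in-flight writeback: end_io picks the WB type from the gcing flag */` above the call would keep that in the code. The same applies to the identical call added in the redirty_blocks() hunk, and both functions start and end outside their hunks.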
+@@ -4184,6 +4186,8 @@ static int redirty_blocks(struct inode *inode, pgoff_t page_idx, int len)
+ /* It will never fail, when page has pinned above */
+ f2fs_bug_on(F2FS_I_SB(inode), !page);
+
++ f2fs_wait_on_page_writeback(page, DATA, true, true);
++
+ set_page_dirty(page);
+ set_page_private_gcing(page);
+ f2fs_put_page(page, 1);
+--
+2.43.0
+
--- /dev/null
+From 859b261288805336800548eb12738f907d7e1306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 14:27:24 +0800
+Subject: f2fs: get rid of online repaire on corrupted directory
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 884ee6dc85b959bc152f15bca80c30f06069e6c4 ]
+
+syzbot reports a f2fs bug as below:
+
+kernel BUG at fs/f2fs/inode.c:896!
+RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
+Call Trace:
+ evict+0x532/0x950 fs/inode.c:704
+ dispose_list fs/inode.c:747 [inline]
+ evict_inodes+0x5f9/0x690 fs/inode.c:797
+ generic_shutdown_super+0x9d/0x2d0 fs/super.c:627
+ kill_block_super+0x44/0x90 fs/super.c:1696
+ kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898
+ deactivate_locked_super+0xc4/0x130 fs/super.c:473
+ cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
+ task_work_run+0x24f/0x310 kernel/task_work.c:228
+ ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
+ ptrace_report_syscall include/linux/ptrace.h:415 [inline]
+ ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
+ syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
+ syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
+ syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218
+ do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
+
+Online repaire on corrupted directory in f2fs_lookup() can generate
+dirty data/meta while racing w/ readonly remount, it may leave dirty
+inode after filesystem becomes readonly, however, checkpoint() will
+skips flushing dirty inode in a state of readonly mode, result in
+above panic.
+
+Let's get rid of online repaire in f2fs_lookup(), and leave the work
+to fsck.f2fs.
+
+Fixes: 510022a85839 ("f2fs: add F2FS_INLINE_DOTS to recover missing dot dentries")
+Reported-by: syzbot+ebea2790904673d7c618@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000a7b20f061ff2d56a@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 11 -------
+ fs/f2fs/namei.c | 68 -----------------------------------------
+ include/linux/f2fs_fs.h | 2 +-
+ 3 files changed, 1 insertion(+), 80 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 88ca80afffd3d..9c8acb98f4dbf 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -785,7 +785,6 @@ enum {
+ FI_NEED_IPU, /* used for ipu per file */
+ FI_ATOMIC_FILE, /* indicate atomic file */
+ FI_DATA_EXIST, /* indicate data exists */
+- FI_INLINE_DOTS, /* indicate inline dot dentries */
+ FI_SKIP_WRITES, /* should skip data page writeback */
+ FI_OPU_WRITE, /* used for opu per file */
+ FI_DIRTY_FILE, /* indicate regular/symlink has dirty pages */
+@@ -3047,7 +3046,6 @@ static inline void __mark_inode_dirty_flag(struct inode *inode,
+ return;
+ fallthrough;
+ case FI_DATA_EXIST:
+- case FI_INLINE_DOTS:
+ case FI_PIN_FILE:
+ case FI_COMPRESS_RELEASED:
+ f2fs_mark_inode_dirty_sync(inode, true);
+@@ -3171,8 +3169,6 @@ static inline void get_inline_info(struct inode *inode, struct f2fs_inode *ri)
+ set_bit(FI_INLINE_DENTRY, fi->flags);
+ if (ri->i_inline & F2FS_DATA_EXIST)
+ set_bit(FI_DATA_EXIST, fi->flags);
+- if (ri->i_inline & F2FS_INLINE_DOTS)
+- set_bit(FI_INLINE_DOTS, fi->flags);
+ if (ri->i_inline & F2FS_EXTRA_ATTR)
+ set_bit(FI_EXTRA_ATTR, fi->flags);
+ if (ri->i_inline & F2FS_PIN_FILE)
+@@ -3193,8 +3189,6 @@ static inline void set_raw_inline(struct inode *inode, struct f2fs_inode *ri)
+ ri->i_inline |= F2FS_INLINE_DENTRY;
+ if (is_inode_flag_set(inode, FI_DATA_EXIST))
+ ri->i_inline |= F2FS_DATA_EXIST;
+- if (is_inode_flag_set(inode, FI_INLINE_DOTS))
+- ri->i_inline |= F2FS_INLINE_DOTS;
+ if (is_inode_flag_set(inode, FI_EXTRA_ATTR))
+ ri->i_inline |= F2FS_EXTRA_ATTR;
+ if (is_inode_flag_set(inode, FI_PIN_FILE))
+@@ -3281,11 +3275,6 @@ static inline int f2fs_exist_data(struct inode *inode)
+ return is_inode_flag_set(inode, FI_DATA_EXIST);
+ }
+
+-static inline int f2fs_has_inline_dots(struct inode *inode)
+-{
+- return is_inode_flag_set(inode, FI_INLINE_DOTS);
+-}
+-
+ static inline int f2fs_is_mmap_file(struct inode *inode)
+ {
+ return is_inode_flag_set(inode, FI_MMAP_FILE);
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index e54f8c08bda83..a2c4091fca6fa 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -455,62 +455,6 @@ struct dentry *f2fs_get_parent(struct dentry *child)
+ return d_obtain_alias(f2fs_iget(child->d_sb, ino));
+ }
+
+-static int __recover_dot_dentries(struct inode *dir, nid_t pino)
+-{
+- struct f2fs_sb_info *sbi = F2FS_I_SB(dir);
+- struct qstr dot = QSTR_INIT(".", 1);
+- struct f2fs_dir_entry *de;
+- struct page *page;
+- int err = 0;
+-
+- if (f2fs_readonly(sbi->sb)) {
+- f2fs_info(sbi, "skip recovering inline_dots inode (ino:%lu, pino:%u) in readonly mountpoint",
+- dir->i_ino, pino);
+- return 0;
+- }
+-
+- if (!S_ISDIR(dir->i_mode)) {
+- f2fs_err(sbi, "inconsistent inode status, skip recovering inline_dots inode (ino:%lu, i_mode:%u, pino:%u)",
+- dir->i_ino, dir->i_mode, pino);
+- set_sbi_flag(sbi, SBI_NEED_FSCK);
+- return -ENOTDIR;
+- }
+-
+- err = f2fs_dquot_initialize(dir);
+- if (err)
+- return err;
+-
+- f2fs_balance_fs(sbi, true);
+-
+- f2fs_lock_op(sbi);
+-
+- de = f2fs_find_entry(dir, &dot, &page);
+- if (de) {
+- f2fs_put_page(page, 0);
+- } else if (IS_ERR(page)) {
+- err = PTR_ERR(page);
+- goto out;
+- } else {
+- err = f2fs_do_add_link(dir, &dot, NULL, dir->i_ino, S_IFDIR);
+- if (err)
+- goto out;
+- }
+-
+- de = f2fs_find_entry(dir, &dotdot_name, &page);
+- if (de)
+- f2fs_put_page(page, 0);
+- else if (IS_ERR(page))
+- err = PTR_ERR(page);
+- else
+- err = f2fs_do_add_link(dir, &dotdot_name, NULL, pino, S_IFDIR);
+-out:
+- if (!err)
+- clear_inode_flag(dir, FI_INLINE_DOTS);
+-
+- f2fs_unlock_op(sbi);
+- return err;
+-}
+-
+ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
+ unsigned int flags)
+ {
+@@ -520,7 +464,6 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
+ struct dentry *new;
+ nid_t ino = -1;
+ int err = 0;
+- unsigned int root_ino = F2FS_ROOT_INO(F2FS_I_SB(dir));
+ struct f2fs_filename fname;
+
+ trace_f2fs_lookup_start(dir, dentry, flags);
+@@ -556,17 +499,6 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
+ goto out;
+ }
+
+- if ((dir->i_ino == root_ino) && f2fs_has_inline_dots(dir)) {
+- err = __recover_dot_dentries(dir, root_ino);
+- if (err)
+- goto out_iput;
+- }
+-
+- if (f2fs_has_inline_dots(inode)) {
+- err = __recover_dot_dentries(inode, dir->i_ino);
+- if (err)
+- goto out_iput;
+- }
+ if (IS_ENCRYPTED(dir) &&
+ (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) &&
+ !fscrypt_has_permitted_context(dir, inode)) {
+diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h
+index 41d1d71c36ff5..eee8577bcc543 100644
+--- a/include/linux/f2fs_fs.h
++++ b/include/linux/f2fs_fs.h
+@@ -279,7 +279,7 @@ struct node_footer {
+ #define F2FS_INLINE_DATA 0x02 /* file inline data flag */
+ #define F2FS_INLINE_DENTRY 0x04 /* file inline dentry flag */
+ #define F2FS_DATA_EXIST 0x08 /* file inline data exist flag */
+-#define F2FS_INLINE_DOTS 0x10 /* file having implicit dot dentries */
++#define F2FS_INLINE_DOTS 0x10 /* file having implicit dot dentries (obsolete) */
+ #define F2FS_EXTRA_ATTR 0x20 /* file having extra attribute */
+ #define F2FS_PIN_FILE 0x40 /* file should not be gced */
+ #define F2FS_COMPRESS_RELEASED 0x80 /* file released compressed blocks */
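Review bot: An inode whose on-disk `i_inline` still carries `F2FS_INLINE_DOTS` is now accepted without any trace. The bit is kept here as obsolete, but the get_inline_info() hunk in fs/f2fs/f2fs.h removes its only reader and no visible line marks the image for fsck. Since the commit hands the repair to fsck.f2fs, get_inline_info() could record that need with `if (ri->i_inline & F2FS_INLINE_DOTS) set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);`. Whether set_raw_inline() preserves bits it does not know is not visible in its hunk; if it rebuilds `i_inline` from the in-memory flags, the marker is lost on the next inode write, before fsck can act on it.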
+--
+2.43.0
+
--- /dev/null
+From 24d099ce9ff0f829d999b92caf8d4be7e8661b17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 08:33:06 -0700
+Subject: f2fs: prevent atomic file from being dirtied before commit
+
+From: Daeho Jeong <daehojeong@google.com>
+
+[ Upstream commit fccaa81de87e80b1809906f7e438e5766fbdc172 ]
+
+Keep atomic file clean while updating and make it dirtied during commit
+in order to avoid unnecessary and excessive inode updates in the previous
+fix.
+
+Fixes: 4bf78322346f ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag")
+Signed-off-by: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ fs/f2fs/inode.c | 5 +++++
+ fs/f2fs/segment.c | 8 ++++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index dbae5d4417910..88ca80afffd3d 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -803,6 +803,7 @@ enum {
+ FI_ALIGNED_WRITE, /* enable aligned write */
+ FI_COW_FILE, /* indicate COW file */
+ FI_ATOMIC_COMMITTED, /* indicate atomic commit completed except disk sync */
++ FI_ATOMIC_DIRTIED, /* indicate atomic file is dirtied */
+ FI_ATOMIC_REPLACE, /* indicate atomic replace */
+ FI_OPENED_FILE, /* indicate file has been opened */
+ FI_MAX, /* max flag, never be used */
+@@ -3049,7 +3050,6 @@ static inline void __mark_inode_dirty_flag(struct inode *inode,
+ case FI_INLINE_DOTS:
+ case FI_PIN_FILE:
+ case FI_COMPRESS_RELEASED:
+- case FI_ATOMIC_COMMITTED:
+ f2fs_mark_inode_dirty_sync(inode, true);
+ }
+ }
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index 57da02bfa823e..0b23a0cb438fd 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -35,6 +35,11 @@ void f2fs_mark_inode_dirty_sync(struct inode *inode, bool sync)
+ if (f2fs_inode_dirtied(inode, sync))
+ return;
+
++ if (f2fs_is_atomic_file(inode)) {
++ set_inode_flag(inode, FI_ATOMIC_DIRTIED);
++ return;
++ }
++
+ mark_inode_dirty_sync(inode);
+ }
+
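Review bot: The early return added here fires for every atomic file, including the call `__f2fs_commit_atomic_write()` makes in the fs/f2fs/segment.c hunk right after clearing `FI_ATOMIC_DIRTIED`. If `f2fs_is_atomic_file()` is still true at that point (its definition and the place where `FI_ATOMIC_FILE` is cleared on commit are outside the hunks), that call only sets `FI_ATOMIC_DIRTIED` again and never reaches `mark_inode_dirty_sync()`, so the inode stays clean until the abort path runs. Letting a committed file through would close the gap, e.g. `if (f2fs_is_atomic_file(inode) && !is_inode_flag_set(inode, FI_ATOMIC_COMMITTED)) {`. The check also sits after `f2fs_inode_dirtied()`, so whatever that helper records is already updated when the function bails out; worth confirming that is intended.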
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 601825785226d..06ddc80aa5e0d 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -199,6 +199,10 @@ void f2fs_abort_atomic_write(struct inode *inode, bool clean)
+ clear_inode_flag(inode, FI_ATOMIC_COMMITTED);
+ clear_inode_flag(inode, FI_ATOMIC_REPLACE);
+ clear_inode_flag(inode, FI_ATOMIC_FILE);
++ if (is_inode_flag_set(inode, FI_ATOMIC_DIRTIED)) {
++ clear_inode_flag(inode, FI_ATOMIC_DIRTIED);
++ f2fs_mark_inode_dirty_sync(inode, true);
++ }
+ stat_dec_atomic_inode(inode);
+
+ F2FS_I(inode)->atomic_write_task = NULL;
+@@ -366,6 +370,10 @@ static int __f2fs_commit_atomic_write(struct inode *inode)
+ } else {
+ sbi->committed_atomic_block += fi->atomic_write_cnt;
+ set_inode_flag(inode, FI_ATOMIC_COMMITTED);
++ if (is_inode_flag_set(inode, FI_ATOMIC_DIRTIED)) {
++ clear_inode_flag(inode, FI_ATOMIC_DIRTIED);
++ f2fs_mark_inode_dirty_sync(inode, true);
++ }
+ }
+
+ __complete_revoke_list(inode, &revoke_list, ret ? true : false);
+--
+2.43.0
+
--- /dev/null
+From f8208d1279f5cdf3527f6b35a076212f5211398a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 09:47:27 +0800
+Subject: f2fs: reduce expensive checkpoint trigger frequency
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit aaf8c0b9ae042494cb4585883b15c1332de77840 ]
+
+We may trigger high frequent checkpoint for below case:
+1. mkdir /mnt/dir1; set dir1 encrypted
+2. touch /mnt/file1; fsync /mnt/file1
+3. mkdir /mnt/dir2; set dir2 encrypted
+4. touch /mnt/file2; fsync /mnt/file2
+...
+
+Although, newly created dir and file are not related, due to
+commit bbf156f7afa7 ("f2fs: fix lost xattrs of directories"), we will
+trigger checkpoint whenever fsync() comes after a new encrypted dir
+created.
+
+In order to avoid such performance regression issue, let's record an
+entry including directory's ino in global cache whenever we update
+directory's xattr data, and then triggerring checkpoint() only if
+xattr metadata of target file's parent was updated.
+
+This patch updates to cover below no encryption case as well:
+1) parent is checkpointed
+2) set_xattr(dir) w/ new xnid
+3) create(file)
+4) fsync(file)
+
+Fixes: bbf156f7afa7 ("f2fs: fix lost xattrs of directories")
+Reported-by: wangzijie <wangzijie1@honor.com>
+Reported-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Tested-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reported-by: Yunlei He <heyunlei@hihonor.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 ++
+ fs/f2fs/file.c | 3 +++
+ fs/f2fs/xattr.c | 14 ++++++++++++--
+ include/trace/events/f2fs.h | 3 ++-
+ 4 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index ba2b9f2db10e6..c7bc3ba59a31f 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -285,6 +285,7 @@ enum {
+ APPEND_INO, /* for append ino list */
+ UPDATE_INO, /* for update ino list */
+ TRANS_DIR_INO, /* for transactions dir ino list */
++ XATTR_DIR_INO, /* for xattr updated dir ino list */
+ FLUSH_INO, /* for multiple device flushing */
+ MAX_INO_ENTRY, /* max. list */
+ };
+@@ -1155,6 +1156,7 @@ enum cp_reason_type {
+ CP_FASTBOOT_MODE,
+ CP_SPEC_LOG_NUM,
+ CP_RECOVER_DIR,
++ CP_XATTR_DIR,
+ };
+
+ enum iostat_type {
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 387ce167dda1b..fa6299a88492f 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -218,6 +218,9 @@ static inline enum cp_reason_type need_do_checkpoint(struct inode *inode)
+ f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino,
+ TRANS_DIR_INO))
+ cp_reason = CP_RECOVER_DIR;
++ else if (f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino,
++ XATTR_DIR_INO))
++ cp_reason = CP_XATTR_DIR;
+
+ return cp_reason;
+ }
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index f290fe9327c49..3f38749436796 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -629,6 +629,7 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ const char *name, const void *value, size_t size,
+ struct page *ipage, int flags)
+ {
++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct f2fs_xattr_entry *here, *last;
+ void *base_addr, *last_base_addr;
+ int found, newsize;
+@@ -772,9 +773,18 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ if (index == F2FS_XATTR_INDEX_ENCRYPTION &&
+ !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT))
+ f2fs_set_encrypted_inode(inode);
+- if (S_ISDIR(inode->i_mode))
+- set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP);
+
++ if (!S_ISDIR(inode->i_mode))
++ goto same;
++ /*
++ * In restrict mode, fsync() always try to trigger checkpoint for all
++ * metadata consistency, in other mode, it triggers checkpoint when
++ * parent's xattr metadata was updated.
++ */
++ if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT)
++ set_sbi_flag(sbi, SBI_NEED_CP);
++ else
++ f2fs_add_ino_entry(sbi, inode->i_ino, XATTR_DIR_INO);
+ same:
+ if (is_inode_flag_set(inode, FI_ACL_MODE)) {
+ inode->i_mode = F2FS_I(inode)->i_acl_mode;
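Review bot: The comment added above the `fsync_mode` test says "In restrict mode", while the code tests `FSYNC_MODE_STRICT`; it should read "In strict mode, fsync() always tries to trigger a checkpoint ...". The new `goto same;` jumps over a few lines to a label directly below them, so an `if (S_ISDIR(inode->i_mode)) { ... }` block would express the same thing without the jump. Nothing in the visible hunks shows when `XATTR_DIR_INO` entries are released again; if they outlive the next checkpoint, need_do_checkpoint() keeps returning `CP_XATTR_DIR` for that parent and the performance problem described in the commit message comes back. __f2fs_setxattr() starts and ends outside the hunk.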
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index ed794b5fefbe3..2851c823095bc 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -139,7 +139,8 @@ TRACE_DEFINE_ENUM(EX_BLOCK_AGE);
+ { CP_NODE_NEED_CP, "node needs cp" }, \
+ { CP_FASTBOOT_MODE, "fastboot mode" }, \
+ { CP_SPEC_LOG_NUM, "log type is 2" }, \
+- { CP_RECOVER_DIR, "dir needs recovery" })
++ { CP_RECOVER_DIR, "dir needs recovery" }, \
++ { CP_XATTR_DIR, "dir's xattr updated" })
+
+ #define show_shutdown_mode(type) \
+ __print_symbolic(type, \
+--
+2.43.0
+
--- /dev/null
+From 7d8191db082ce3fe7ee73ba06b255a743f47249c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 22:34:39 +0200
+Subject: fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit aa578e897520f32ae12bec487f2474357d01ca9c ]
+
+If an error occurs after request_mem_region(), a corresponding
+release_mem_region() should be called, as already done in the remove
+function.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/hpfb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/hpfb.c b/drivers/video/fbdev/hpfb.c
+index 66fac8e5393e0..a1144b1509826 100644
+--- a/drivers/video/fbdev/hpfb.c
++++ b/drivers/video/fbdev/hpfb.c
+@@ -345,6 +345,7 @@ static int hpfb_dio_probe(struct dio_dev *d, const struct dio_device_id *ent)
+ if (hpfb_init_one(paddr, vaddr)) {
+ if (d->scode >= DIOII_SCBASE)
+ iounmap((void *)vaddr);
++ release_mem_region(d->resource.start, resource_size(&d->resource));
+ return -ENOMEM;
+ }
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From f3f34e43b4e338161b9eb8885fd34518cd9dd28b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Aug 2024 16:04:03 +0900
+Subject: firewire: core: correct range of block for case of switch statement
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+[ Upstream commit ebb9d3ca8f7efc1b6a2f1750d1058eda444883d0 ]
+
+A commit d8527cab6c31 ("firewire: cdev: implement new event to notify
+response subaction with time stamp") adds an additional case,
+FW_CDEV_EVENT_RESPONSE2, into switch statement in complete_transaction().
+However, the range of block is beyond to the case label and reaches
+neibour default label.
+
+This commit corrects the range of block. Fortunately, it has few impacts
+in practice since the local variable in the scope under the label is not
+used in codes under default label.
+
+Fixes: d8527cab6c31 ("firewire: cdev: implement new event to notify response subaction with time stamp")
+Link: https://lore.kernel.org/r/20240810070403.36801-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/core-cdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
+index 9a7dc90330a35..a888a001bedb1 100644
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -599,11 +599,11 @@ static void complete_transaction(struct fw_card *card, int rcode, u32 request_ts
+ queue_event(client, &e->event, rsp, sizeof(*rsp) + rsp->length, NULL, 0);
+
+ break;
++ }
+ default:
+ WARN_ON(1);
+ break;
+ }
+- }
+
+ /* Drop the idr's reference */
+ client_put(client);
+--
+2.43.0
+
--- /dev/null
+From eec5c835b375334dfd3a37e5ba4bdbf14473dc8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 18:33:32 +0100
+Subject: firmware: arm_scmi: Fix double free in OPTEE transport
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+[ Upstream commit e98dba934b2fc587eafb83f47ad64d9053b18ae0 ]
+
+Channels can be shared between protocols, avoid freeing the same channel
+descriptors twice when unloading the stack.
+
+Fixes: 5f90f189a052 ("firmware: arm_scmi: Add optee transport")
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Tested-by: Peng Fan <peng.fan@nxp.com> #i.MX95 19x19 EVK
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Message-Id: <20240812173340.3912830-2-cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/optee.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/firmware/arm_scmi/optee.c b/drivers/firmware/arm_scmi/optee.c
+index 4e7944b91e385..0c8908d3b1d67 100644
+--- a/drivers/firmware/arm_scmi/optee.c
++++ b/drivers/firmware/arm_scmi/optee.c
+@@ -473,6 +473,13 @@ static int scmi_optee_chan_free(int id, void *p, void *data)
+ struct scmi_chan_info *cinfo = p;
+ struct scmi_optee_channel *channel = cinfo->transport_info;
+
++ /*
++ * Different protocols might share the same chan info, so a previous
++ * call might have already freed the structure.
++ */
++ if (!channel)
++ return 0;
++
+ mutex_lock(&scmi_optee_private->mu);
+ list_del(&channel->link);
+ mutex_unlock(&scmi_optee_private->mu);
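Review bot: The new `if (!channel) return 0;` guard prevents the double free only if the first call clears `cinfo->transport_info` after releasing the channel, and that assignment is not in the hunk because scmi_optee_chan_free() continues below it. If it is missing, a second protocol sharing the chan info still sees the stale pointer and reaches `list_del(&channel->link)` on freed memory. It is worth confirming that the tail of the function has `cinfo->transport_info = NULL;`. The added comment should also say the guard depends on it, for example `/* transport_info is reset to NULL below once the channel is freed */`.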
+--
+2.43.0
+
--- /dev/null
+From e99b6c309b3529253d4650379e24b148962b66f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 21:23:32 +0530
+Subject: firmware: qcom: scm: Disable SDI and write no dump to dump mode
+
+From: Mukesh Ojha <quic_mojha@quicinc.com>
+
+[ Upstream commit 79cb2cb8d89b7eca87e8dac031dadea4aeafeaa7 ]
+
+SDI is enabled for most of the Qualcomm SoCs and as per commit
+ff4aa3bc9825 ("firmware: qcom_scm: disable SDI if required")
+it was recommended to disable SDI by mentioning it in device tree
+to avoid hang during watchdog or during reboot.
+
+However, for some cases if download mode tcsr register already
+configured from boot firmware to collect dumps and if SDI is
+disabled via means of mentioning it in device tree we could
+still end up with dump collection. Disabling SDI alone is
+not completely enough to disable dump mode and we also need to
+zero out the bits download bits from tcsr register.
+
+Current commit now, unconditionally call qcom_scm_set_download_mode()
+based on download_mode flag, at max if TCSR register is not mentioned
+or available for a SoC it will fallback to legacy way of setting
+download mode through command which may be no-ops or return error
+in case current firmware does not implements QCOM_SCM_INFO_IS_CALL_AVAIL
+so, at worst it does nothing if it fails.
+
+It also does to call SDI disable call if dload mode is disabled, which
+looks fine to do as intention is to disable dump collection even if
+system crashes.
+
+Fixes: ff4aa3bc9825 ("firmware: qcom_scm: disable SDI if required")
+Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Link: https://lore.kernel.org/r/20240708155332.4056479-1-quic_mojha@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/qcom/qcom_scm.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
+index 68f4df7e6c3c7..77dd831febf5b 100644
+--- a/drivers/firmware/qcom/qcom_scm.c
++++ b/drivers/firmware/qcom/qcom_scm.c
+@@ -1875,14 +1875,12 @@ static int qcom_scm_probe(struct platform_device *pdev)
+ * will cause the boot stages to enter download mode, unless
+ * disabled below by a clean shutdown/reboot.
+ */
+- if (download_mode)
+- qcom_scm_set_download_mode(true);
+-
++ qcom_scm_set_download_mode(download_mode);
+
+ /*
+ * Disable SDI if indicated by DT that it is enabled by default.
+ */
+- if (of_property_read_bool(pdev->dev.of_node, "qcom,sdi-enabled"))
++ if (of_property_read_bool(pdev->dev.of_node, "qcom,sdi-enabled") || !download_mode)
+ qcom_scm_disable_sdi();
+
+ /*
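Review bot: The comment above the SDI test, "Disable SDI if indicated by DT that it is enabled by default.", is now incomplete, because the condition also disables SDI whenever `download_mode` is off. Suggested wording: `/* Disable SDI if DT marks it enabled by default, or if download mode is off, so no dump is collected after a crash. */`. The result of `qcom_scm_disable_sdi()` is not used in the hunk; if it returns a status, logging a failure would tell an operator that dump collection may still be active even though it was configured off. qcom_scm_probe() starts and ends outside the hunk.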
+--
+2.43.0
+
--- /dev/null
+From aac5d8acc49e30af86a9680af2158c13d0271af7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 13:32:08 -0700
+Subject: HID: wacom: Do not warn about dropped packets for first packet
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+[ Upstream commit 84aecf2d251a3359bc78b7c8e58f54b9fc966e89 ]
+
+The driver currently assumes that the first sequence number it will see
+is going to be 0. This is not a realiable assumption and can break if,
+for example, the tablet has already been running for some time prior to
+the kernel driver connecting to the device. This commit initializes the
+expected sequence number to -1 and will only print the "Dropped" warning
+the it has been updated to a non-negative value.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Joshua Dickens <joshua.dickens@wacom.com>
+Fixes: 6d09085b38e5 ("HID: wacom: Adding Support for new usages")
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_wac.c | 6 +++++-
+ drivers/hid/wacom_wac.h | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index 8cf82a5f3a5bf..7660f62e6c1f2 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2368,6 +2368,9 @@ static void wacom_wac_pen_usage_mapping(struct hid_device *hdev,
+ wacom_map_usage(input, usage, field, EV_KEY, BTN_STYLUS3, 0);
+ features->quirks &= ~WACOM_QUIRK_PEN_BUTTON3;
+ break;
++ case WACOM_HID_WD_SEQUENCENUMBER:
++ wacom_wac->hid_data.sequence_number = -1;
++ break;
+ }
+ }
+
+@@ -2492,7 +2495,8 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field
+ wacom_wac->hid_data.barrelswitch3 = value;
+ return;
+ case WACOM_HID_WD_SEQUENCENUMBER:
+- if (wacom_wac->hid_data.sequence_number != value) {
++ if (wacom_wac->hid_data.sequence_number != value &&
++ wacom_wac->hid_data.sequence_number >= 0) {
+ int sequence_size = field->logical_maximum - field->logical_minimum + 1;
+ int drop_count = (value - wacom_wac->hid_data.sequence_number) % sequence_size;
+ hid_warn(hdev, "Dropped %d packets", drop_count);
+diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h
+index 6ec499841f709..e6443740b462f 100644
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -324,7 +324,7 @@ struct hid_data {
+ int bat_connected;
+ int ps_connected;
+ bool pad_input_event_flag;
+- unsigned short sequence_number;
++ int sequence_number;
+ ktime_t time_delayed;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 5eca967178474947d2abf70177121667ab2d3349 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 13:32:07 -0700
+Subject: HID: wacom: Support sequence numbers smaller than 16-bit
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+[ Upstream commit 359673ea3a203611b4f6d0f28922a4b9d2cfbcc8 ]
+
+The current dropped packet reporting assumes that all sequence numbers
+are 16 bits in length. This results in misleading "Dropped" messages if
+the hardware uses fewer bits. For example, if a tablet uses only 8 bits
+to store its sequence number, once it rolls over from 255 -> 0, the
+driver will still be expecting a packet "256". This patch adjusts the
+logic to reset the next expected packet to logical_minimum whenever
+it overflows beyond logical_maximum.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Joshua Dickens <joshua.dickens@wacom.com>
+Fixes: 6d09085b38e5 ("HID: wacom: Adding Support for new usages")
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_wac.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index d84740be96426..8cf82a5f3a5bf 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2492,9 +2492,14 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field
+ wacom_wac->hid_data.barrelswitch3 = value;
+ return;
+ case WACOM_HID_WD_SEQUENCENUMBER:
+- if (wacom_wac->hid_data.sequence_number != value)
+- hid_warn(hdev, "Dropped %hu packets", (unsigned short)(value - wacom_wac->hid_data.sequence_number));
++ if (wacom_wac->hid_data.sequence_number != value) {
++ int sequence_size = field->logical_maximum - field->logical_minimum + 1;
++ int drop_count = (value - wacom_wac->hid_data.sequence_number) % sequence_size;
++ hid_warn(hdev, "Dropped %d packets", drop_count);
++ }
+ wacom_wac->hid_data.sequence_number = value + 1;
++ if (wacom_wac->hid_data.sequence_number > field->logical_maximum)
++ wacom_wac->hid_data.sequence_number = field->logical_minimum;
+ return;
+ }
+
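Review bot: `drop_count` in the `WACOM_HID_WD_SEQUENCENUMBER` case can come out negative, and `sequence_size` is used as a divisor without a check. `value - wacom_wac->hid_data.sequence_number` is negative whenever the counter wrapped between the expected and the received packet, and C's `%` keeps the sign, so the log would read "Dropped -N packets". `field->logical_maximum` and `field->logical_minimum` come from the device's report descriptor; unless the HID core guarantees a non-empty range, a `sequence_size` of 0 turns the `%` into a division by zero. Computing the count only under `if (sequence_size > 0)` and adding `if (drop_count < 0) drop_count += sequence_size;` covers both. The same lines appear as context in the "Do not warn about dropped packets for first packet" patch.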
+--
+2.43.0
+
--- /dev/null
+From 778249e19a2bfd83335c0f99ae93f0581f636fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jul 2024 06:41:17 -0700
+Subject: hwmon: (max16065) Fix alarm attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 119abf7d1815f098f7f91ae7abc84324a19943d7 ]
+
+Chips reporting overcurrent alarms report it in the second alarm register.
+That means the second alarm register has to be read, even if the chip only
+supports 8 or fewer ADC channels.
+
+MAX16067 and MAX16068 report undervoltage and overvoltage alarms in
+separate registers. Fold register contents together to report both with
+the existing alarm attribute. This requires actually storing the chip type
+in struct max16065_data. Rename the variable 'chip' to match the variable
+name used in the probe function.
+
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max16065.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c
+index 5b2a174c6bad3..0ccb5eb596fc4 100644
+--- a/drivers/hwmon/max16065.c
++++ b/drivers/hwmon/max16065.c
+@@ -79,7 +79,7 @@ static const bool max16065_have_current[] = {
+ };
+
+ struct max16065_data {
+- enum chips type;
++ enum chips chip;
+ struct i2c_client *client;
+ const struct attribute_group *groups[4];
+ struct mutex update_lock;
+@@ -162,10 +162,17 @@ static struct max16065_data *max16065_update_device(struct device *dev)
+ MAX16065_CURR_SENSE);
+ }
+
+- for (i = 0; i < DIV_ROUND_UP(data->num_adc, 8); i++)
++ for (i = 0; i < 2; i++)
+ data->fault[i]
+ = i2c_smbus_read_byte_data(client, MAX16065_FAULT(i));
+
++ /*
++ * MAX16067 and MAX16068 have separate undervoltage and
++ * overvoltage alarm bits. Squash them together.
++ */
++ if (data->chip == max16067 || data->chip == max16068)
++ data->fault[0] |= data->fault[1];
++
+ data->last_updated = jiffies;
+ data->valid = true;
+ }
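Review bot: The values folded together by the new `data->fault[0] |= data->fault[1];` are unchecked returns of `i2c_smbus_read_byte_data()`, which is a negative errno on failure. A failed read of either register would then set spurious alarm bits in `fault[0]` on MAX16067/MAX16068 instead of being reported as an error; the declaration of `fault` is outside the hunk, so how a negative value is stored cannot be seen here. Folding only when both reads succeeded would avoid that, e.g. `if (data->fault[0] >= 0 && data->fault[1] >= 0)` in front of the OR. The loop bound is now the literal `2`; `ARRAY_SIZE(data->fault)` would tie it to the array size.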
+@@ -514,6 +521,7 @@ static int max16065_probe(struct i2c_client *client)
+ if (unlikely(!data))
+ return -ENOMEM;
+
++ data->chip = chip;
+ data->client = client;
+ mutex_init(&data->update_lock);
+
+--
+2.43.0
+
--- /dev/null
+From 47bfb7fa6a8976b991ab74f0ae6263dcb0e5094b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jul 2024 09:52:01 -0700
+Subject: hwmon: (max16065) Fix overflows seen when writing limits
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 744ec4477b11c42e2c8de9eb8364675ae7a0bd81 ]
+
+Writing large limits resulted in overflows as reported by module tests.
+
+in0_lcrit: Suspected overflow: [max=5538, read 0, written 2147483647]
+in0_crit: Suspected overflow: [max=5538, read 0, written 2147483647]
+in0_min: Suspected overflow: [max=5538, read 0, written 2147483647]
+
+Fix the problem by clamping prior to multiplications and the use of
+DIV_ROUND_CLOSEST, and by using consistent variable types.
+
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max16065.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c
+index aa38c45adc09e..e392529de098e 100644
+--- a/drivers/hwmon/max16065.c
++++ b/drivers/hwmon/max16065.c
+@@ -114,9 +114,10 @@ static inline int LIMIT_TO_MV(int limit, int range)
+ return limit * range / 256;
+ }
+
+-static inline int MV_TO_LIMIT(int mv, int range)
++static inline int MV_TO_LIMIT(unsigned long mv, int range)
+ {
+- return clamp_val(DIV_ROUND_CLOSEST(mv * 256, range), 0, 255);
++ mv = clamp_val(mv, 0, ULONG_MAX / 256);
++ return DIV_ROUND_CLOSEST(clamp_val(mv * 256, 0, range * 255), range);
+ }
+
+ static inline int ADC_TO_CURR(int adc, int gain)
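Review bot: The two-stage clamp in MV_TO_LIMIT carries no comment, so a later cleanup could easily fold it back into the single expression that overflowed. A line such as `/* clamp before scaling so mv * 256 cannot wrap; the second clamp keeps the quotient within 0..255 */` above the first statement would record the intent. Separately, `range` stays `int` and is used both in `range * 255` and as the divisor. Where it comes from is not visible in this hunk, so it is worth confirming that it can never be zero or negative.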
+--
+2.43.0
+
--- /dev/null
+From b03537e12b598117113f89684dfd31654cc5e5b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 15:36:21 -0500
+Subject: hwmon: (max16065) Remove use of i2c_match_id()
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit 5a71654b398e3471f0169c266a3587cf09e1200c ]
+
+The function i2c_match_id() is used to fetch the matching ID from
+the i2c_device_id table. This is often used to then retrieve the
+matching driver_data. This can be done in one step with the helper
+i2c_get_match_data().
+
+This helper has a couple other benefits:
+ * It doesn't need the i2c_device_id passed in so we do not need
+ to have that forward declared, allowing us to remove those or
+ move the i2c_device_id table down to its more natural spot
+ with the other module info.
+ * It also checks for device match data, which allows for OF and
+ ACPI based probing. That means we do not have to manually check
+ those first and can remove those checks.
+
+Signed-off-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20240403203633.914389-20-afd@ti.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Stable-dep-of: 119abf7d1815 ("hwmon: (max16065) Fix alarm attributes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max16065.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c
+index e392529de098e..5b2a174c6bad3 100644
+--- a/drivers/hwmon/max16065.c
++++ b/drivers/hwmon/max16065.c
+@@ -494,8 +494,6 @@ static const struct attribute_group max16065_max_group = {
+ .is_visible = max16065_secondary_is_visible,
+ };
+
+-static const struct i2c_device_id max16065_id[];
+-
+ static int max16065_probe(struct i2c_client *client)
+ {
+ struct i2c_adapter *adapter = client->adapter;
+@@ -506,7 +504,7 @@ static int max16065_probe(struct i2c_client *client)
+ bool have_secondary; /* true if chip has secondary limits */
+ bool secondary_is_max = false; /* secondary limits reflect max */
+ int groups = 0;
+- const struct i2c_device_id *id = i2c_match_id(max16065_id, client);
++ enum chips chip = (uintptr_t)i2c_get_match_data(client);
+
+ if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA
+ | I2C_FUNC_SMBUS_READ_WORD_DATA))
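Review bot: `(uintptr_t)i2c_get_match_data(client)` cannot tell "no match data" apart from the enum value 0, because the helper returns NULL when nothing matches. The result is then used unchecked as an array index in the next hunk (`max16065_num_adc[chip]`, `max16065_have_current[chip]`, `max16065_have_secondary[chip]`). The definition of `enum chips` and the table sizes are outside this patch, so whether 0 names a real chip is unverified here; if it does, a failed match is silently probed as that chip. A range check before the lookups, e.g. `if (chip >= ARRAY_SIZE(max16065_num_adc)) return -ENODEV;`, would at least stop a bad match-data value from reading past the tables. max16065_probe continues outside the hunk.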
+@@ -519,9 +517,9 @@ static int max16065_probe(struct i2c_client *client)
+ data->client = client;
+ mutex_init(&data->update_lock);
+
+- data->num_adc = max16065_num_adc[id->driver_data];
+- data->have_current = max16065_have_current[id->driver_data];
+- have_secondary = max16065_have_secondary[id->driver_data];
++ data->num_adc = max16065_num_adc[chip];
++ data->have_current = max16065_have_current[chip];
++ have_secondary = max16065_have_secondary[chip];
+
+ if (have_secondary) {
+ val = i2c_smbus_read_byte_data(client, MAX16065_SW_ENABLE);
+--
+2.43.0
+
--- /dev/null
+From a9a48dad62288deccce0adfa7ec22ae112181d75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 08:30:21 +0000
+Subject: hwmon: (ntc_thermistor) fix module autoloading
+
+From: Yuntao Liu <liuyuntao12@huawei.com>
+
+[ Upstream commit b6964d66a07a9003868e428a956949e17ab44d7e ]
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from of_device_id table.
+
+Fixes: 9e8269de100d ("hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver")
+Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
+Message-ID: <20240815083021.756134-1-liuyuntao12@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ntc_thermistor.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/ntc_thermistor.c b/drivers/hwmon/ntc_thermistor.c
+index ef75b63f5894e..b5352900463fb 100644
+--- a/drivers/hwmon/ntc_thermistor.c
++++ b/drivers/hwmon/ntc_thermistor.c
+@@ -62,6 +62,7 @@ static const struct platform_device_id ntc_thermistor_id[] = {
+ [NTC_SSG1404001221] = { "ssg1404_001221", TYPE_NCPXXWB473 },
+ [NTC_LAST] = { },
+ };
++MODULE_DEVICE_TABLE(platform, ntc_thermistor_id);
+
+ /*
+ * A compensation table should be sorted by the values of .ohm
+--
+2.43.0
+
--- /dev/null
+From ca478d92e76424d10f460a5ce4a5032e546e8903 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 13:36:33 +0300
+Subject: IB/core: Fix ib_cache_setup_one error flow cleanup
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 1403c8b14765eab805377dd3b75e96ace8747aed ]
+
+When ib_cache_update returns an error, we exit ib_cache_setup_one
+instantly with no proper cleanup, even though before this we had
+already successfully done gid_table_setup_one, that results in
+the kernel WARN below.
+
+Do proper cleanup using gid_table_cleanup_one before returning
+the err in order to fix the issue.
+
+WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0
+Modules linked in:
+CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+RIP: 0010:gid_table_release_one+0x181/0x1a0
+Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41
+RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527
+RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001
+RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631
+R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001
+R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001
+FS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? show_regs+0x94/0xa0
+ ? __warn+0x9e/0x1c0
+ ? gid_table_release_one+0x181/0x1a0
+ ? report_bug+0x1f9/0x340
+ ? gid_table_release_one+0x181/0x1a0
+ ? handle_bug+0xa2/0x110
+ ? exc_invalid_op+0x31/0xa0
+ ? asm_exc_invalid_op+0x16/0x20
+ ? __warn_printk+0xc7/0x180
+ ? __warn_printk+0xd4/0x180
+ ? gid_table_release_one+0x181/0x1a0
+ ib_device_release+0x71/0xe0
+ ? __pfx_ib_device_release+0x10/0x10
+ device_release+0x44/0xd0
+ kobject_put+0x135/0x3d0
+ put_device+0x20/0x30
+ rxe_net_add+0x7d/0xa0
+ rxe_newlink+0xd7/0x190
+ nldev_newlink+0x1b0/0x2a0
+ ? __pfx_nldev_newlink+0x10/0x10
+ rdma_nl_rcv_msg+0x1ad/0x2e0
+ rdma_nl_rcv_skb.constprop.0+0x176/0x210
+ netlink_unicast+0x2de/0x400
+ netlink_sendmsg+0x306/0x660
+ __sock_sendmsg+0x110/0x120
+ ____sys_sendmsg+0x30e/0x390
+ ___sys_sendmsg+0x9b/0xf0
+ ? kstrtouint+0x6e/0xa0
+ ? kstrtouint_from_user+0x7c/0xb0
+ ? get_pid_task+0xb0/0xd0
+ ? proc_fail_nth_write+0x5b/0x140
+ ? __fget_light+0x9a/0x200
+ ? preempt_count_add+0x47/0xa0
+ __sys_sendmsg+0x61/0xd0
+ do_syscall_64+0x50/0x110
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: 1901b91f9982 ("IB/core: Fix potential NULL pointer dereference in pkey cache")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
+Link: https://patch.msgid.link/79137687d829899b0b1c9835fcb4b258004c439a.1725273354.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cache.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
+index 6791df64a5fe0..b7c078b7f7cfd 100644
+--- a/drivers/infiniband/core/cache.c
++++ b/drivers/infiniband/core/cache.c
+@@ -1640,8 +1640,10 @@ int ib_cache_setup_one(struct ib_device *device)
+
+ rdma_for_each_port (device, p) {
+ err = ib_cache_update(device, p, true, true, true);
+- if (err)
++ if (err) {
++ gid_table_cleanup_one(device);
+ return err;
++ }
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 67c0e8372d688ef0028b2584290a0ac3a04fd6f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 17:34:10 +0000
+Subject: iio: adc: ad7606: fix oversampling gpio array
+
+From: Guillaume Stols <gstols@baylibre.com>
+
+[ Upstream commit 8dc4594b54dbaaba40dc8884ad3d42083de39434 ]
+
+gpiod_set_array_value was misused here: the implementation relied on the
+assumption that an unsigned long was required for each gpio, while the
+function expects a bit array stored in "as much unsigned long as needed
+for storing one bit per GPIO", i.e it is using a bit field.
+
+This led to an incorrect parameter being passed to gpiod_set_array_value,
+which would set 1 value instead of 3.
+It also prevented the software mode from being selected correctly for the AD7606B.
+
+Fixes: d2a415c86c6b ("iio: adc: ad7606: Add support for AD7606B ADC")
+Fixes: 41f71e5e7daf ("staging: iio: adc: ad7606: Use find_closest() macro")
+Signed-off-by: Guillaume Stols <gstols@baylibre.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7606.c | 4 ++--
+ drivers/iio/adc/ad7606_spi.c | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c
+index 1c08c0921ee71..8c66b1e364014 100644
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -215,9 +215,9 @@ static int ad7606_write_os_hw(struct iio_dev *indio_dev, int val)
+ struct ad7606_state *st = iio_priv(indio_dev);
+ DECLARE_BITMAP(values, 3);
+
+- values[0] = val;
++ values[0] = val & GENMASK(2, 0);
+
+- gpiod_set_array_value(ARRAY_SIZE(values), st->gpio_os->desc,
++ gpiod_set_array_value(st->gpio_os->ndescs, st->gpio_os->desc,
+ st->gpio_os->info, values);
+
+ /* AD7616 requires a reset to update value */
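Review bot: The return value of gpiod_set_array_value() is still discarded in ad7606_write_os_hw(), so a failed GPIO write leaves the hardware oversampling ratio different from what the caller believes was set. The same applies to the call in ad7606B_sw_mode_config() in the ad7606_spi.c hunk. I would capture the result and return it on failure before the reset step. The count also now comes from `st->gpio_os->ndescs` instead of a constant, while `values` is declared and masked for three bits, so it is worth confirming that the probe path (not part of this patch) rejects an array that does not have exactly three lines. Both functions extend outside their hunks.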
+diff --git a/drivers/iio/adc/ad7606_spi.c b/drivers/iio/adc/ad7606_spi.c
+index 263a778bcf253..287a0591533b6 100644
+--- a/drivers/iio/adc/ad7606_spi.c
++++ b/drivers/iio/adc/ad7606_spi.c
+@@ -249,8 +249,9 @@ static int ad7616_sw_mode_config(struct iio_dev *indio_dev)
+ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev)
+ {
+ struct ad7606_state *st = iio_priv(indio_dev);
+- unsigned long os[3] = {1};
++ DECLARE_BITMAP(os, 3);
+
++ bitmap_fill(os, 3);
+ /*
+ * Software mode is enabled when all three oversampling
+ * pins are set to high. If oversampling gpios are defined
+@@ -258,7 +259,7 @@ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev)
+ * otherwise, they must be hardwired to VDD
+ */
+ if (st->gpio_os) {
+- gpiod_set_array_value(ARRAY_SIZE(os),
++ gpiod_set_array_value(st->gpio_os->ndescs,
+ st->gpio_os->desc, st->gpio_os->info, os);
+ }
+ /* OS of 128 and 256 are available only in software mode */
+--
+2.43.0
+
--- /dev/null
+From fdddbe30b0da8441d037ce6351b6fe3fcb493567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 17:34:11 +0000
+Subject: iio: adc: ad7606: fix standby gpio state to match the documentation
+
+From: Guillaume Stols <gstols@baylibre.com>
+
+[ Upstream commit 059fe4f8bbdf5cad212e1aeeb3e8968c80b9ff3b ]
+
+The binding's documentation specifies that "As the line is active low, it
+should be marked GPIO_ACTIVE_LOW". However, in the driver, it was handled
+the opposite way. This commit sets the driver's behaviour in sync with the
+documentation
+
+Fixes: 722407a4e8c0 ("staging:iio:ad7606: Use GPIO descriptor API")
+Signed-off-by: Guillaume Stols <gstols@baylibre.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7606.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c
+index 8c66b1e364014..4d755ffc3f414 100644
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -422,7 +422,7 @@ static int ad7606_request_gpios(struct ad7606_state *st)
+ return PTR_ERR(st->gpio_range);
+
+ st->gpio_standby = devm_gpiod_get_optional(dev, "standby",
+- GPIOD_OUT_HIGH);
++ GPIOD_OUT_LOW);
+ if (IS_ERR(st->gpio_standby))
+ return PTR_ERR(st->gpio_standby);
+
+@@ -665,7 +665,7 @@ static int ad7606_suspend(struct device *dev)
+
+ if (st->gpio_standby) {
+ gpiod_set_value(st->gpio_range, 1);
+- gpiod_set_value(st->gpio_standby, 0);
++ gpiod_set_value(st->gpio_standby, 1);
+ }
+
+ return 0;
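Review bot: With the polarity flipped so that `gpiod_set_value(st->gpio_standby, 1)` now asserts standby in ad7606_suspend(), the resume path has to write 0 to the same line, but ad7606_resume() is not touched by this patch (2 insertions, 2 deletions, both shown). If resume still writes 1, the part would be left in standby after a suspend/resume cycle. That function is outside the visible hunks, so please confirm it and, if needed, change its call to `gpiod_set_value(st->gpio_standby, 0);` in the same commit. Device trees that describe the line as active-high also change behaviour with this patch, which deserves a sentence in the description.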
+--
+2.43.0
+
--- /dev/null
+From 95c5158911d8ff27cc6edad15da276869b595092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jun 2024 01:38:12 +0200
+Subject: iio: chemical: bme680: Fix read/write ops to device by adding mutexes
+
+From: Vasileios Amoiridis <vassilisamir@gmail.com>
+
+[ Upstream commit 77641e5a477d428335cd094b88ac54e09ccb70f4 ]
+
+Add mutexes in the {read/write}_raw() functions of the device to guard the
+read/write of data from/to the device. This is necessary because for any
+operation other than temperature, multiple reads need to take place from
+the device. Even though regmap has a locking by itself, it won't protect us
+from multiple applications trying to read at the same time temperature and
+pressure since the pressure reading includes an internal temperature
+reading and there is nothing to ensure that this temperature+pressure
+reading will happen sequentially without any other operation interfering
+in the meantime.
+
+Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
+Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
+Link: https://patch.msgid.link/20240609233826.330516-2-vassilisamir@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/chemical/bme680_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/iio/chemical/bme680_core.c b/drivers/iio/chemical/bme680_core.c
+index 500f56834b01f..a6bf689833dad 100644
+--- a/drivers/iio/chemical/bme680_core.c
++++ b/drivers/iio/chemical/bme680_core.c
+@@ -10,6 +10,7 @@
+ */
+ #include <linux/acpi.h>
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/delay.h>
+ #include <linux/device.h>
+ #include <linux/module.h>
+@@ -52,6 +53,7 @@ struct bme680_calib {
+ struct bme680_data {
+ struct regmap *regmap;
+ struct bme680_calib bme680;
++ struct mutex lock; /* Protect multiple serial R/W ops to device. */
+ u8 oversampling_temp;
+ u8 oversampling_press;
+ u8 oversampling_humid;
+@@ -827,6 +829,8 @@ static int bme680_read_raw(struct iio_dev *indio_dev,
+ {
+ struct bme680_data *data = iio_priv(indio_dev);
+
++ guard(mutex)(&data->lock);
++
+ switch (mask) {
+ case IIO_CHAN_INFO_PROCESSED:
+ switch (chan->type) {
+@@ -871,6 +875,8 @@ static int bme680_write_raw(struct iio_dev *indio_dev,
+ {
+ struct bme680_data *data = iio_priv(indio_dev);
+
++ guard(mutex)(&data->lock);
++
+ if (val2 != 0)
+ return -EINVAL;
+
+@@ -967,6 +973,7 @@ int bme680_core_probe(struct device *dev, struct regmap *regmap,
+ name = bme680_match_acpi_device(dev);
+
+ data = iio_priv(indio_dev);
++ mutex_init(&data->lock);
+ dev_set_drvdata(dev, indio_dev);
+ data->regmap = regmap;
+ indio_dev->name = name;
+--
+2.43.0
+
--- /dev/null
+From 21cda6958806eb05d82c8ae5ded51b13d20a244e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 07:30:15 +0200
+Subject: iio: magnetometer: ak8975: drop incorrect AK09116 compatible
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit da6e3160df230692bbd48a6d52318035f19595e2 ]
+
+All compatibles in this binding without prefixes were deprecated, so
+adding a new deprecated one after some time is not allowed, because it
+defies the core logic of deprecating things.
+
+Drop the AK09916 vendorless compatible.
+
+Fixes: 76e28aa97fa0 ("iio: magnetometer: ak8975: add AK09116 support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://patch.msgid.link/20240806053016.6401-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/ak8975.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
+index dd466c5fa6214..ccbebe5b66cde 100644
+--- a/drivers/iio/magnetometer/ak8975.c
++++ b/drivers/iio/magnetometer/ak8975.c
+@@ -1081,7 +1081,6 @@ static const struct of_device_id ak8975_of_match[] = {
+ { .compatible = "asahi-kasei,ak09912", .data = &ak_def_array[AK09912] },
+ { .compatible = "ak09912", .data = &ak_def_array[AK09912] },
+ { .compatible = "asahi-kasei,ak09916", .data = &ak_def_array[AK09916] },
+- { .compatible = "ak09916", .data = &ak_def_array[AK09916] },
+ {}
+ };
+ MODULE_DEVICE_TABLE(of, ak8975_of_match);
+--
+2.43.0
+
--- /dev/null
+From 2cb99e563fb952c9bd88656ae31184527bb467d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 10:55:11 +0200
+Subject: Input: ilitek_ts_i2c - add report id message validation
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+[ Upstream commit 208989744a6f01bed86968473312d4e650e600b3 ]
+
+Ensure that the touchscreen response has correct "report id" byte
+before processing the touch data and discard other messages.
+
+Fixes: 42370681bd46 ("Input: Add support for ILITEK Lego Series")
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20240805085511.43955-3-francesco@dolcini.it
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/ilitek_ts_i2c.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/input/touchscreen/ilitek_ts_i2c.c b/drivers/input/touchscreen/ilitek_ts_i2c.c
+index e1849185e18c7..5a807ad723190 100644
+--- a/drivers/input/touchscreen/ilitek_ts_i2c.c
++++ b/drivers/input/touchscreen/ilitek_ts_i2c.c
+@@ -37,6 +37,8 @@
+ #define ILITEK_TP_CMD_GET_MCU_VER 0x61
+ #define ILITEK_TP_CMD_GET_IC_MODE 0xC0
+
++#define ILITEK_TP_I2C_REPORT_ID 0x48
++
+ #define REPORT_COUNT_ADDRESS 61
+ #define ILITEK_SUPPORT_MAX_POINT 40
+
+@@ -163,6 +165,11 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts)
+ return error;
+ }
+
++ if (buf[0] != ILITEK_TP_I2C_REPORT_ID) {
++ dev_err(dev, "get touch info failed. Wrong id: 0x%02X\n", buf[0]);
++ return -EINVAL;
++ }
++
+ report_max_point = buf[REPORT_COUNT_ADDRESS];
+ if (report_max_point > ts->max_tp) {
+ dev_err(dev, "FW report max point:%d > panel info. max:%d\n",
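Review bot: The new `dev_err()` for a wrong report id fires once per rejected message, yet the commit description treats such messages as something to discard routinely, so a controller that keeps sending other report types would flood the kernel log. `dev_err_ratelimited(dev, "get touch info failed. Wrong id: 0x%02X\n", buf[0]);` keeps the diagnostic without the log pressure. The check is in the right place, before `buf[REPORT_COUNT_ADDRESS]` is trusted. ilitek_process_and_report_v6 starts and ends outside the hunk.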
+--
+2.43.0
+
--- /dev/null
+From 21ef58f1d142b7063ac2cb7c41b6ea1b1f67f1b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 10:55:10 +0200
+Subject: Input: ilitek_ts_i2c - avoid wrong input subsystem sync
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+[ Upstream commit 7d0b18cd5dc7429917812963611d961fd93cb44d ]
+
+For different reasons i2c transaction may fail or report id in the
+message may be wrong. Avoid closing the frame in this case as it will
+result in all contacts being dropped, indicating that nothing is
+touching the screen anymore, while usually it is not the case.
+
+Fixes: 42370681bd46 ("Input: Add support for ILITEK Lego Series")
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20240805085511.43955-2-francesco@dolcini.it
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/ilitek_ts_i2c.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/touchscreen/ilitek_ts_i2c.c b/drivers/input/touchscreen/ilitek_ts_i2c.c
+index 3eb762896345b..e1849185e18c7 100644
+--- a/drivers/input/touchscreen/ilitek_ts_i2c.c
++++ b/drivers/input/touchscreen/ilitek_ts_i2c.c
+@@ -160,15 +160,14 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts)
+ error = ilitek_i2c_write_and_read(ts, NULL, 0, 0, buf, 64);
+ if (error) {
+ dev_err(dev, "get touch info failed, err:%d\n", error);
+- goto err_sync_frame;
++ return error;
+ }
+
+ report_max_point = buf[REPORT_COUNT_ADDRESS];
+ if (report_max_point > ts->max_tp) {
+ dev_err(dev, "FW report max point:%d > panel info. max:%d\n",
+ report_max_point, ts->max_tp);
+- error = -EINVAL;
+- goto err_sync_frame;
++ return -EINVAL;
+ }
+
+ count = DIV_ROUND_UP(report_max_point, packet_max_point);
+@@ -178,7 +177,7 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts)
+ if (error) {
+ dev_err(dev, "get touch info. failed, cnt:%d, err:%d\n",
+ count, error);
+- goto err_sync_frame;
++ return error;
+ }
+ }
+
+@@ -203,10 +202,10 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts)
+ ilitek_touch_down(ts, id, x, y);
+ }
+
+-err_sync_frame:
+ input_mt_sync_frame(input);
+ input_sync(input);
+- return error;
++
++ return 0;
+ }
+
+ /* APIs of cmds for ILITEK Touch IC */
+--
+2.43.0
+
--- /dev/null
+From 2ef42bffa7d31df83f0f11e7f21acca2ab7df82a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 11:30:13 +0800
+Subject: Input: ps2-gpio - use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit dcd18a3fb1228409dfc24373c5c6868a655810b0 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 9ee0a0558819 ("Input: PS/2 gpio bit banging driver for serio bus")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Acked-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://lore.kernel.org/r/20240912033013.2610949-1-ruanjinjie@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/ps2-gpio.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/serio/ps2-gpio.c b/drivers/input/serio/ps2-gpio.c
+index c3ff60859a035..fc8b7ff4ee086 100644
+--- a/drivers/input/serio/ps2-gpio.c
++++ b/drivers/input/serio/ps2-gpio.c
+@@ -429,16 +429,14 @@ static int ps2_gpio_probe(struct platform_device *pdev)
+ }
+
+ error = devm_request_irq(dev, drvdata->irq, ps2_gpio_irq,
+- IRQF_NO_THREAD, DRIVER_NAME, drvdata);
++ IRQF_NO_THREAD | IRQF_NO_AUTOEN, DRIVER_NAME,
++ drvdata);
+ if (error) {
+ dev_err(dev, "failed to request irq %d: %d\n",
+ drvdata->irq, error);
+ goto err_free_serio;
+ }
+
+- /* Keep irq disabled until serio->open is called. */
+- disable_irq(drvdata->irq);
+-
+ serio->id.type = SERIO_8042;
+ serio->open = ps2_gpio_open;
+ serio->close = ps2_gpio_close;
+--
+2.43.0
+
--- /dev/null
+From 0d1086edd5a962194544b4cd6783a9f7d9f8df29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 14:48:23 -0700
+Subject: interconnect: icc-clk: Add missed num_nodes initialization
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit c801ed86840ec38b2a9bcafeee3d7c9e14c743f3 ]
+
+With the new __counted_by annotation, the "num_nodes" struct member must
+be set before accessing the "nodes" array. This initialization was done
+in other places where a new struct icc_onecell_data is allocated, but this
+case in icc_clk_register() was missed. Set "num_nodes" after allocation.
+
+Fixes: dd4904f3b924 ("interconnect: qcom: Annotate struct icc_onecell_data with __counted_by")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20240716214819.work.328-kees@kernel.org
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/icc-clk.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/interconnect/icc-clk.c b/drivers/interconnect/icc-clk.c
+index d787f2ea36d97..a91df709cfb2f 100644
+--- a/drivers/interconnect/icc-clk.c
++++ b/drivers/interconnect/icc-clk.c
+@@ -87,6 +87,7 @@ struct icc_provider *icc_clk_register(struct device *dev,
+ onecell = devm_kzalloc(dev, struct_size(onecell, nodes, 2 * num_clocks), GFP_KERNEL);
+ if (!onecell)
+ return ERR_PTR(-ENOMEM);
++ onecell->num_nodes = 2 * num_clocks;
+
+ qp = devm_kzalloc(dev, struct_size(qp, clocks, num_clocks), GFP_KERNEL);
+ if (!qp)
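Review bot: The element count `2 * num_clocks` now appears twice, once inside `struct_size()` and once in the new `onecell->num_nodes` assignment, and the __counted_by bound is only right while the two stay identical. Computing it once into a local and using that for both the allocation and the assignment would keep them from drifting apart. A one-line comment such as `/* must be set before nodes[] is touched (__counted_by) */` on the assignment would also stop it from being moved back below the loop. icc_clk_register continues outside the hunk.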
+@@ -133,8 +134,6 @@ struct icc_provider *icc_clk_register(struct device *dev,
+ onecell->nodes[j++] = node;
+ }
+
+- onecell->num_nodes = j;
+-
+ ret = icc_provider_register(provider);
+ if (ret)
+ goto err;
+--
+2.43.0
+
--- /dev/null
+From 10968f38de8c180e734827609c4a4510388add7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 08:40:12 +0300
+Subject: interconnect: qcom: sm8250: Enable sync_state
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit d3681b30214eb5885092ce4586f07237dc3c522f ]
+
+Enable the generic icc sync_state callback to ensure interconnect votes
+are actually taken into account, instead of being forced to the maximum
+value.
+
+Fixes: b95b668eaaa2 ("interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-8-1149dd8399fe@linaro.org
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/sm8350.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/interconnect/qcom/sm8350.c b/drivers/interconnect/qcom/sm8350.c
+index b321c3009acba..885a9d3f92e4d 100644
+--- a/drivers/interconnect/qcom/sm8350.c
++++ b/drivers/interconnect/qcom/sm8350.c
+@@ -1965,6 +1965,7 @@ static struct platform_driver qnoc_driver = {
+ .driver = {
+ .name = "qnoc-sm8350",
+ .of_match_table = qnoc_of_match,
++ .sync_state = icc_sync_state,
+ },
+ };
+ module_platform_driver(qnoc_driver);
+--
+2.43.0
+
--- /dev/null
+From 29f24f2875c601fbaf4a42a8d4332dd7e71a6c59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 19:11:56 +0200
+Subject: io_uring/io-wq: do not allow pinning outside of cpuset
+
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+
+[ Upstream commit 0997aa5497c714edbb349ca366d28bd550ba3408 ]
+
+The io worker threads are userland threads that just never exit to the
+userland. By that, they are also assigned to a cgroup (the group of the
+creating task).
+
+When changing the affinity of the io_wq thread via syscall, we must only
+allow cpumasks within the limits defined by the cpuset controller of the
+cgroup (if enabled).
+
+Fixes: da64d6db3bd3 ("io_uring: One wqe per wq")
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+Link: https://lore.kernel.org/r/20240910171157.166423-2-felix.moessbauer@siemens.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/io-wq.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
+index 22dac5850327f..e38bbd07563ee 100644
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -13,6 +13,7 @@
+ #include <linux/slab.h>
+ #include <linux/rculist_nulls.h>
+ #include <linux/cpu.h>
++#include <linux/cpuset.h>
+ #include <linux/task_work.h>
+ #include <linux/audit.h>
+ #include <linux/mmu_context.h>
+@@ -1321,17 +1322,29 @@ static int io_wq_cpu_offline(unsigned int cpu, struct hlist_node *node)
+
+ int io_wq_cpu_affinity(struct io_uring_task *tctx, cpumask_var_t mask)
+ {
++ cpumask_var_t allowed_mask;
++ int ret = 0;
++
+ if (!tctx || !tctx->io_wq)
+ return -EINVAL;
+
++ if (!alloc_cpumask_var(&allowed_mask, GFP_KERNEL))
++ return -ENOMEM;
++
+ rcu_read_lock();
+- if (mask)
+- cpumask_copy(tctx->io_wq->cpu_mask, mask);
+- else
+- cpumask_copy(tctx->io_wq->cpu_mask, cpu_possible_mask);
++ cpuset_cpus_allowed(tctx->io_wq->task, allowed_mask);
++ if (mask) {
++ if (cpumask_subset(mask, allowed_mask))
++ cpumask_copy(tctx->io_wq->cpu_mask, mask);
++ else
++ ret = -EINVAL;
++ } else {
++ cpumask_copy(tctx->io_wq->cpu_mask, allowed_mask);
++ }
+ rcu_read_unlock();
+
+- return 0;
++ free_cpumask_var(allowed_mask);
++ return ret;
+ }
+
+ /*
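Review bot: `cpumask_subset(mask, allowed_mask)` is also true for an empty `mask`, so a request with no CPUs set passes the new check and is copied into `tctx->io_wq->cpu_mask`. Whether the caller already rejects an empty mask is not visible in this hunk. Tightening the condition to `if (!cpumask_empty(mask) && cpumask_subset(mask, allowed_mask))` would send that case to the `-EINVAL` branch. The check is also a snapshot of the cpuset at call time, and nothing here re-validates the stored mask if the cpuset shrinks later, which is worth a comment above the function.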
+--
+2.43.0
+
--- /dev/null
+From 15e1f8d3bc8f66996195191a723218718ccced12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 19:11:57 +0200
+Subject: io_uring/io-wq: inherit cpuset of cgroup in io worker
+
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+
+[ Upstream commit 84eacf177faa605853c58e5b1c0d9544b88c16fd ]
+
+The io worker threads are userland threads that just never exit to the
+userland. By that, they are also assigned to a cgroup (the group of the
+creating task).
+
+When creating a new io worker, this worker should inherit the cpuset
+of the cgroup.
+
+Fixes: da64d6db3bd3 ("io_uring: One wqe per wq")
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+Link: https://lore.kernel.org/r/20240910171157.166423-3-felix.moessbauer@siemens.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/io-wq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
+index e38bbd07563ee..b59a1bf844cf9 100644
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1167,7 +1167,7 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data)
+
+ if (!alloc_cpumask_var(&wq->cpu_mask, GFP_KERNEL))
+ goto err;
+- cpumask_copy(wq->cpu_mask, cpu_possible_mask);
++ cpuset_cpus_allowed(data->task, wq->cpu_mask);
+ wq->acct[IO_WQ_ACCT_BOUND].max_workers = bounded;
+ wq->acct[IO_WQ_ACCT_UNBOUND].max_workers =
+ task_rlimit(current, RLIMIT_NPROC);
+--
+2.43.0
+
--- /dev/null
+From 0fb8d5dfee2c0af002bfef0c861cd8308bf77175 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 21:06:11 -0300
+Subject: iommu/amd: Allocate the page table root using GFP_KERNEL
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit b0a6c883bcd42eeb0850135e529b34b64d57673c ]
+
+Domain allocation is always done under a sleepable context, the v1 path
+and other drivers use GFP_KERNEL already. Fix the v2 path to also use
+GFP_KERNEL.
+
+Fixes: 0d571dcbe7c6 ("iommu/amd: Allocate page table using numa locality info")
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/2-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/io_pgtable_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/io_pgtable_v2.c b/drivers/iommu/amd/io_pgtable_v2.c
+index 78ac37c5ccc1e..acfe79b326293 100644
+--- a/drivers/iommu/amd/io_pgtable_v2.c
++++ b/drivers/iommu/amd/io_pgtable_v2.c
+@@ -362,7 +362,7 @@ static struct io_pgtable *v2_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo
+ struct protection_domain *pdom = (struct protection_domain *)cookie;
+ int ias = IOMMU_IN_ADDR_BIT_SIZE;
+
+- pgtable->pgd = iommu_alloc_page_node(pdom->nid, GFP_ATOMIC);
++ pgtable->pgd = iommu_alloc_page_node(pdom->nid, GFP_KERNEL);
+ if (!pgtable->pgd)
+ return NULL;
+
+--
+2.43.0
+
--- /dev/null
+From 7a7257ac401dd866056af81e94b511ba84db1d73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 15:25:45 +0800
+Subject: iommu/amd: Convert comma to semicolon
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 86c5eac3c4c4a2ee124d202af9a141bd0457ee68 ]
+
+Replace a comma between expression statements by a semicolon.
+
+Fixes: c9b258c6be09 ("iommu/amd: Prepare for generic IO page table framework")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Link: https://lore.kernel.org/r/20240716072545.968690-1-nichen@iscas.ac.cn
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: 7a41dcb52f9d ("iommu/amd: Set the pgsize_bitmap correctly")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/io_pgtable.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c
+index 9d9a7fde59e75..1074ee25064d0 100644
+--- a/drivers/iommu/amd/io_pgtable.c
++++ b/drivers/iommu/amd/io_pgtable.c
+@@ -588,9 +588,9 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo
+ {
+ struct amd_io_pgtable *pgtable = io_pgtable_cfg_to_data(cfg);
+
+- cfg->pgsize_bitmap = AMD_IOMMU_PGSIZES,
+- cfg->ias = IOMMU_IN_ADDR_BIT_SIZE,
+- cfg->oas = IOMMU_OUT_ADDR_BIT_SIZE,
++ cfg->pgsize_bitmap = AMD_IOMMU_PGSIZES;
++ cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;
++ cfg->oas = IOMMU_OUT_ADDR_BIT_SIZE;
+ cfg->tlb = &v1_flush_ops;
+
+ pgtable->iop.ops.map_pages = iommu_v1_map_pages;
+--
+2.43.0
+
--- /dev/null
+From 38f396400aeffa92c3bc0c78b678dc62f7fafce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 21:06:23 -0300
+Subject: iommu/amd: Do not set the D bit on AMD v2 table entries
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 2910a7fa1be090fc7637cef0b2e70bcd15bf5469 ]
+
+The manual says that bit 6 is IGN for all Page-Table Base Address
+pointers, don't set it.
+
+Fixes: aaac38f61487 ("iommu/amd: Initial support for AMD IOMMU v2 page table")
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/14-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/io_pgtable_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/io_pgtable_v2.c b/drivers/iommu/amd/io_pgtable_v2.c
+index acfe79b326293..743f417b281d4 100644
+--- a/drivers/iommu/amd/io_pgtable_v2.c
++++ b/drivers/iommu/amd/io_pgtable_v2.c
+@@ -51,7 +51,7 @@ static inline u64 set_pgtable_attr(u64 *page)
+ u64 prot;
+
+ prot = IOMMU_PAGE_PRESENT | IOMMU_PAGE_RW | IOMMU_PAGE_USER;
+- prot |= IOMMU_PAGE_ACCESS | IOMMU_PAGE_DIRTY;
++ prot |= IOMMU_PAGE_ACCESS;
+
+ return (iommu_virt_to_phys(page) | prot);
+ }
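Review bot: The new `prot |= IOMMU_PAGE_ACCESS;` line has no comment saying why the dirty bit is left out, so the reason survives only in the commit message. A later reader comparing this with leaf-entry code could easily put `IOMMU_PAGE_DIRTY` back. I would add `/* Bit 6 (D) is ignored for page-table base address pointers, so it is not set here */` above the line. The opening of set_pgtable_attr() is outside the hunk.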
+--
+2.43.0
+
--- /dev/null
+From 570eb0642dacd6712d82b39a35ea3ba932f86a3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 11:10:25 +0000
+Subject: iommu/amd: Handle error path in amd_iommu_probe_device()
+
+From: Vasant Hegde <vasant.hegde@amd.com>
+
+[ Upstream commit 293aa9ec694e633bff83ab93715a2684e15fe214 ]
+
+Do not try to set max_pasids in error path as dev_data is not allocated.
+
+Fixes: a0c47f233e68 ("iommu/amd: Introduce iommu_dev_data.max_pasids")
+Signed-off-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Link: https://lore.kernel.org/r/20240828111029.5429-5-vasant.hegde@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index b19e8c0f48fa2..fc660d4b10ac8 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2185,11 +2185,12 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
+ dev_err(dev, "Failed to initialize - trying to proceed anyway\n");
+ iommu_dev = ERR_PTR(ret);
+ iommu_ignore_device(iommu, dev);
+- } else {
+- amd_iommu_set_pci_msi_domain(dev, iommu);
+- iommu_dev = &iommu->iommu;
++ goto out_err;
+ }
+
++ amd_iommu_set_pci_msi_domain(dev, iommu);
++ iommu_dev = &iommu->iommu;
++
+ /*
+ * If IOMMU and device supports PASID then it will contain max
+ * supported PASIDs, else it will be zero.
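Review bot: The label added in the second hunk is named `out_err`, but the success path also falls through it to reach `iommu_completion_wait(iommu)`, so the name describes only one of its two uses; `out:` would read better. The retained message `"Failed to initialize - trying to proceed anyway\n"` also sits oddly with the new flow, since that branch now jumps straight to the exit with `iommu_dev = ERR_PTR(ret)`. A comment at the jump, such as `/* dev_data was not allocated, skip the max_pasids setup */`, would keep the reason next to the code. amd_iommu_probe_device() starts outside the hunk.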
+@@ -2201,6 +2202,7 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
+ pci_max_pasids(to_pci_dev(dev)));
+ }
+
++out_err:
+ iommu_completion_wait(iommu);
+
+ return iommu_dev;
+--
+2.43.0
+
--- /dev/null
+From 3ba4dbaf237be8cdcbcf0bce016cad56df591e13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 21:06:10 -0300
+Subject: iommu/amd: Move allocation of the top table into v1_alloc_pgtable
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 8d00b77a52ef4b2091696ca25753d0ab95e4d839 ]
+
+All the page table memory should be allocated/free within the io_pgtable
+struct. The v2 path is already doing this, make it consistent.
+
+It is hard to see but the free of the root in protection_domain_free() is
+a NOP on the success path because v1_free_pgtable() does
+amd_iommu_domain_clr_pt_root().
+
+The root memory is already freed because free_sub_pt() put it on the
+freelist. The free path in protection_domain_free() is only used during
+error unwind of protection_domain_alloc().
+
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/1-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Stable-dep-of: 7a41dcb52f9d ("iommu/amd: Set the pgsize_bitmap correctly")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/io_pgtable.c | 8 ++++++--
+ drivers/iommu/amd/iommu.c | 21 ++-------------------
+ 2 files changed, 8 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c
+index 1074ee25064d0..05aed3cb46f1b 100644
+--- a/drivers/iommu/amd/io_pgtable.c
++++ b/drivers/iommu/amd/io_pgtable.c
+@@ -574,20 +574,24 @@ static void v1_free_pgtable(struct io_pgtable *iop)
+ pgtable->mode > PAGE_MODE_6_LEVEL);
+
+ free_sub_pt(pgtable->root, pgtable->mode, &freelist);
++ iommu_put_pages_list(&freelist);
+
+ /* Update data structure */
+ amd_iommu_domain_clr_pt_root(dom);
+
+ /* Make changes visible to IOMMUs */
+ amd_iommu_domain_update(dom);
+-
+- iommu_put_pages_list(&freelist);
+ }
+
+ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *cookie)
+ {
+ struct amd_io_pgtable *pgtable = io_pgtable_cfg_to_data(cfg);
+
++ pgtable->root = iommu_alloc_page(GFP_KERNEL);
++ if (!pgtable->root)
++ return NULL;
++ pgtable->mode = PAGE_MODE_3_LEVEL;
++
+ cfg->pgsize_bitmap = AMD_IOMMU_PGSIZES;
+ cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;
+ cfg->oas = IOMMU_OUT_ADDR_BIT_SIZE;
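Review bot: In v1_free_pgtable() the call `iommu_put_pages_list(&freelist)` now runs before `amd_iommu_domain_clr_pt_root(dom)` and `amd_iommu_domain_update(dom)`. The page-table pages therefore go back to the allocator while the domain still records the old root, and before the step commented "Make changes visible to IOMMUs". If a device can still be attached to the domain at this point, the hardware could walk memory that has already been reused; the hunk does not show whether callers guarantee that no device is attached. Either keep the release as the last step, as before, or state the precondition in a comment such as `/* No device is attached to the domain here, so the pages can be released before the root is cleared */`. v1_free_pgtable() starts outside the hunk and v1_alloc_pgtable() continues past it.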
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index fc660d4b10ac8..edbd4ca1451a8 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -52,8 +52,6 @@
+ #define HT_RANGE_START (0xfd00000000ULL)
+ #define HT_RANGE_END (0xffffffffffULL)
+
+-#define DEFAULT_PGTABLE_LEVEL PAGE_MODE_3_LEVEL
+-
+ static DEFINE_SPINLOCK(pd_bitmap_lock);
+
+ LIST_HEAD(ioapic_map);
+@@ -2267,30 +2265,15 @@ void protection_domain_free(struct protection_domain *domain)
+ if (domain->iop.pgtbl_cfg.tlb)
+ free_io_pgtable_ops(&domain->iop.iop.ops);
+
+- if (domain->iop.root)
+- iommu_free_page(domain->iop.root);
+-
+ if (domain->id)
+ domain_id_free(domain->id);
+
+ kfree(domain);
+ }
+
+-static int protection_domain_init_v1(struct protection_domain *domain, int mode)
++static int protection_domain_init_v1(struct protection_domain *domain)
+ {
+- u64 *pt_root = NULL;
+-
+- BUG_ON(mode < PAGE_MODE_NONE || mode > PAGE_MODE_6_LEVEL);
+-
+- if (mode != PAGE_MODE_NONE) {
+- pt_root = iommu_alloc_page(GFP_KERNEL);
+- if (!pt_root)
+- return -ENOMEM;
+- }
+-
+ domain->pd_mode = PD_MODE_V1;
+- amd_iommu_domain_set_pgtable(domain, pt_root, mode);
+-
+ return 0;
+ }
+
+@@ -2343,7 +2326,7 @@ struct protection_domain *protection_domain_alloc(unsigned int type)
+
+ switch (pgtable) {
+ case AMD_IOMMU_V1:
+- ret = protection_domain_init_v1(domain, DEFAULT_PGTABLE_LEVEL);
++ ret = protection_domain_init_v1(domain);
+ break;
+ case AMD_IOMMU_V2:
+ ret = protection_domain_init_v2(domain);
+--
+2.43.0
+
--- /dev/null
+From 4ec80bf6b5ba4a848cc4828bd6cf64e055c8506c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 21:06:12 -0300
+Subject: iommu/amd: Set the pgsize_bitmap correctly
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 7a41dcb52f9de6079621fc31c3b84c7fc290934b ]
+
+When using io_pgtable the correct pgsize_bitmap is stored in the cfg, both
+v1_alloc_pgtable() and v2_alloc_pgtable() set it correctly.
+
+This fixes a bug where the v2 pgtable had the wrong pgsize as
+protection_domain_init_v2() would set it and then do_iommu_domain_alloc()
+immediately resets it.
+
+Remove the confusing ops.pgsize_bitmap since that is not used if the
+driver sets domain.pgsize_bitmap.
+
+Fixes: 134288158a41 ("iommu/amd: Add domain_alloc_user based domain allocation")
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/3-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 28 ++++------------------------
+ 1 file changed, 4 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index edbd4ca1451a8..833637ffae39f 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2271,26 +2271,11 @@ void protection_domain_free(struct protection_domain *domain)
+ kfree(domain);
+ }
+
+-static int protection_domain_init_v1(struct protection_domain *domain)
+-{
+- domain->pd_mode = PD_MODE_V1;
+- return 0;
+-}
+-
+-static int protection_domain_init_v2(struct protection_domain *pdom)
+-{
+- pdom->pd_mode = PD_MODE_V2;
+- pdom->domain.pgsize_bitmap = AMD_IOMMU_PGSIZES_V2;
+-
+- return 0;
+-}
+-
+ struct protection_domain *protection_domain_alloc(unsigned int type)
+ {
+ struct io_pgtable_ops *pgtbl_ops;
+ struct protection_domain *domain;
+ int pgtable;
+- int ret;
+
+ domain = kzalloc(sizeof(*domain), GFP_KERNEL);
+ if (!domain)
+@@ -2326,18 +2311,14 @@ struct protection_domain *protection_domain_alloc(unsigned int type)
+
+ switch (pgtable) {
+ case AMD_IOMMU_V1:
+- ret = protection_domain_init_v1(domain);
++ domain->pd_mode = PD_MODE_V1;
+ break;
+ case AMD_IOMMU_V2:
+- ret = protection_domain_init_v2(domain);
++ domain->pd_mode = PD_MODE_V2;
+ break;
+ default:
+- ret = -EINVAL;
+- break;
+- }
+-
+- if (ret)
+ goto out_err;
++ }
+
+ pgtbl_ops = alloc_io_pgtable_ops(pgtable, &domain->iop.pgtbl_cfg, domain);
+ if (!pgtbl_ops)
+@@ -2390,10 +2371,10 @@ static struct iommu_domain *do_iommu_domain_alloc(unsigned int type,
+ domain->domain.geometry.aperture_start = 0;
+ domain->domain.geometry.aperture_end = dma_max_address();
+ domain->domain.geometry.force_aperture = true;
++ domain->domain.pgsize_bitmap = domain->iop.iop.cfg.pgsize_bitmap;
+
+ if (iommu) {
+ domain->domain.type = type;
+- domain->domain.pgsize_bitmap = iommu->iommu.ops->pgsize_bitmap;
+ domain->domain.ops = iommu->iommu.ops->default_domain_ops;
+
+ if (dirty_tracking)
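Review bot: `domain->domain.pgsize_bitmap = domain->iop.iop.cfg.pgsize_bitmap;` is now assigned for every domain, and the fallback `.pgsize_bitmap` in `amd_iommu_ops` is removed in the last hunk. Per the commit message the cfg value is filled in by v1_alloc_pgtable() and v2_alloc_pgtable(). A domain that protection_domain_alloc() returns without going through `alloc_io_pgtable_ops()` would therefore carry a zero bitmap left by the `kzalloc()`. Whether such a path exists is outside the visible hunks; if it does, the assignment should say so, e.g. `/* zero for domain types that have no io_pgtable */`. do_iommu_domain_alloc() starts and ends outside the hunk.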
+@@ -2852,7 +2833,6 @@ const struct iommu_ops amd_iommu_ops = {
+ .device_group = amd_iommu_device_group,
+ .get_resv_regions = amd_iommu_get_resv_regions,
+ .is_attach_deferred = amd_iommu_is_attach_deferred,
+- .pgsize_bitmap = AMD_IOMMU_PGSIZES,
+ .def_domain_type = amd_iommu_def_domain_type,
+ .dev_enable_feat = amd_iommu_dev_enable_feature,
+ .dev_disable_feat = amd_iommu_dev_disable_feature,
+--
+2.43.0
+
--- /dev/null
+From 1a6be66c8550d797003b5173137c41aae2bca351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Sep 2024 21:48:12 +0300
+Subject: iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 19eb465c969f3d6ed1b98506d3e470e863b41e16 ]
+
+The Qualcomm SDM630 / SDM660 platform requires the same kind of
+workaround as MSM8998: some IOMMUs have context banks reserved by
+firmware / TZ, touching those banks resets the board.
+
+Apply the num_context_bank workaround to those two SMMU devices in order
+to allow them to be used by Linux.
+
+Fixes: b812834b5329 ("iommu: arm-smmu-qcom: Add sdm630/msm8998 compatibles for qcom quirks")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20240907-sdm660-wifi-v1-1-e316055142f8@linaro.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index eff090b1f4fc7..ccca410c94816 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -286,8 +286,15 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
+ * MSM8998 LPASS SMMU reports 13 context banks, but accessing
+ * the last context bank crashes the system.
+ */
+- if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") && smmu->num_context_banks == 13)
++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") &&
++ smmu->num_context_banks == 13) {
+ smmu->num_context_banks = 12;
++ } else if (of_device_is_compatible(smmu->dev->of_node, "qcom,sdm630-smmu-v2")) {
++ if (smmu->num_context_banks == 21) /* SDM630 / SDM660 A2NOC SMMU */
++ smmu->num_context_banks = 7;
++ else if (smmu->num_context_banks == 14) /* SDM630 / SDM660 LPASS SMMU */
++ smmu->num_context_banks = 13;
++ }
+
+ /*
+ * Some platforms support more than the Arm SMMU architected maximum of
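Review bot: Both new branches match on the exact count the hardware reports (21 and 14 here, 5 in the second hunk), so a unit that reports any other number keeps the firmware-reserved banks visible. The commit message says touching those banks resets the board. The comment kept above the `if` still speaks only of MSM8998, and the replacement values 7, 13 and 2 are bare numbers with no statement of how many banks TZ holds back. I would give each case a comment that records both figures, for example `/* A2NOC: firmware reports 21 banks, only the first 7 are usable by Linux */`, and update the block comment to cover SDM630 / SDM660. qcom_smmu_cfg_probe() starts and ends outside the hunk.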
+@@ -350,6 +357,11 @@ static int qcom_adreno_smmuv2_cfg_probe(struct arm_smmu_device *smmu)
+ /* Support for 16K pages is advertised on some SoCs, but it doesn't seem to work */
+ smmu->features &= ~ARM_SMMU_FEAT_FMT_AARCH64_16K;
+
++ /* TZ protects several last context banks, hide them from Linux */
++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,sdm630-smmu-v2") &&
++ smmu->num_context_banks == 5)
++ smmu->num_context_banks = 2;
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2128ecd897969e788d11c08ac82494de4db96127 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 15:27:19 +0200
+Subject: iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux
+
+From: Marc Gonzalez <mgonzalez@freebox.fr>
+
+[ Upstream commit 3a8990b8a778219327c5f8ecf10b5d81377b925a ]
+
+On qcom msm8998, writing to the last context bank of lpass_q6_smmu
+(base address 0x05100000) produces a system freeze & reboot.
+
+The hardware/hypervisor reports 13 context banks for the LPASS SMMU
+on msm8998, but only the first 12 are accessible...
+Override the number of context banks
+
+[ 2.546101] arm-smmu 5100000.iommu: probing hardware configuration...
+[ 2.552439] arm-smmu 5100000.iommu: SMMUv2 with:
+[ 2.558945] arm-smmu 5100000.iommu: stage 1 translation
+[ 2.563627] arm-smmu 5100000.iommu: address translation ops
+[ 2.568923] arm-smmu 5100000.iommu: non-coherent table walk
+[ 2.574566] arm-smmu 5100000.iommu: (IDR0.CTTW overridden by FW configuration)
+[ 2.580220] arm-smmu 5100000.iommu: stream matching with 12 register groups
+[ 2.587263] arm-smmu 5100000.iommu: 13 context banks (0 stage-2 only)
+[ 2.614447] arm-smmu 5100000.iommu: Supported page sizes: 0x63315000
+[ 2.621358] arm-smmu 5100000.iommu: Stage-1: 36-bit VA -> 36-bit IPA
+[ 2.627772] arm-smmu 5100000.iommu: preserved 0 boot mappings
+
+Specifically, the crashes occur here:
+
+ qsmmu->bypass_cbndx = smmu->num_context_banks - 1;
+ arm_smmu_cb_write(smmu, qsmmu->bypass_cbndx, ARM_SMMU_CB_SCTLR, 0);
+
+and here:
+
+ arm_smmu_write_context_bank(smmu, i);
+ arm_smmu_cb_write(smmu, i, ARM_SMMU_CB_FSR, ARM_SMMU_CB_FSR_FAULT);
+
+It is likely that FW reserves the last context bank for its own use,
+thus a simple work-around is: DON'T USE IT in Linux.
+
+If we decrease the number of context banks, last one will be "hidden".
+
+Signed-off-by: Marc Gonzalez <mgonzalez@freebox.fr>
+Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20240820-smmu-v3-1-2f71483b00ec@freebox.fr
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: 19eb465c969f ("iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index 13f3e2efb2ccb..8bc71449aabc3 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -282,6 +282,13 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
+ u32 smr;
+ int i;
+
++ /*
++ * MSM8998 LPASS SMMU reports 13 context banks, but accessing
++ * the last context bank crashes the system.
++ */
++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") && smmu->num_context_banks == 13)
++ smmu->num_context_banks = 12;
++
+ /*
+ * Some platforms support more than the Arm SMMU architected maximum of
+ * 128 stream matching groups. For unknown reasons, the additional
+--
+2.43.0
+
--- /dev/null
+From e98aa78aaac2ff84bed75641282a70682dfa6083 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Aug 2024 01:12:01 +0200
+Subject: iommu/arm-smmu-qcom: Work around SDM845 Adreno SMMU w/ 16K pages
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+[ Upstream commit 2d42d3ba443706c9164fa0bef4e5fd1c36bc1bd9 ]
+
+SDM845's Adreno SMMU is unique in that it actually advertizes support
+for 16K (and 32M) pages, which doesn't hold for newer SoCs.
+
+This however, seems either broken in the hardware implementation, the
+hypervisor middleware that abstracts the SMMU, or there's a bug in the
+Linux kernel somewhere down the line that nobody managed to track down.
+
+Booting SDM845 with 16K page sizes and drm/msm results in:
+
+*** gpu fault: ttbr0=0000000000000000 iova=000100000000c000 dir=READ
+type=TRANSLATION source=CP (0,0,0,0)
+
+right after loading the firmware. The GPU then starts spitting out
+illegal intstruction errors, as it's quite obvious that it got a
+bogus pointer.
+
+Moreover, it seems like this issue also concerns other implementations
+of SMMUv2 on Qualcomm SoCs, such as the one on SC7180.
+
+Hide 16K support on such instances to work around this.
+
+Reported-by: Sumit Semwal <sumit.semwal@linaro.org>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20240824-topic-845_gpu_smmu-v2-1-a302b8acc052@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: 19eb465c969f ("iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index 8bc71449aabc3..eff090b1f4fc7 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -345,6 +345,14 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
+ return 0;
+ }
+
++static int qcom_adreno_smmuv2_cfg_probe(struct arm_smmu_device *smmu)
++{
++ /* Support for 16K pages is advertised on some SoCs, but it doesn't seem to work */
++ smmu->features &= ~ARM_SMMU_FEAT_FMT_AARCH64_16K;
++
++ return 0;
++}
++
+ static void qcom_smmu_write_s2cr(struct arm_smmu_device *smmu, int idx)
+ {
+ struct arm_smmu_s2cr *s2cr = smmu->s2crs + idx;
+@@ -443,6 +451,7 @@ static const struct arm_smmu_impl sdm845_smmu_500_impl = {
+
+ static const struct arm_smmu_impl qcom_adreno_smmu_v2_impl = {
+ .init_context = qcom_adreno_smmu_init_context,
++ .cfg_probe = qcom_adreno_smmuv2_cfg_probe,
+ .def_domain_type = qcom_smmu_def_domain_type,
+ .alloc_context_bank = qcom_adreno_smmu_alloc_context_bank,
+ .write_sctlr = qcom_adreno_smmu_write_sctlr,
+--
+2.43.0
+
--- /dev/null
+From 1af9daaec78844b588a655baf73f5b58cbec13e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 10:19:59 -0300
+Subject: iommufd: Check the domain owner of the parent before creating a
+ nesting domain
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 73183ad6ea51029d04b098286dcee98d715015f1 ]
+
+This check was missed, before we can pass a struct iommu_domain to a
+driver callback we need to validate that the domain was created by that
+driver.
+
+Fixes: bd529dbb661d ("iommufd: Add a nested HW pagetable object")
+Link: https://patch.msgid.link/r/0-v1-c8770519edde+1a-iommufd_nesting_ops_jgg@nvidia.com
+Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/hw_pagetable.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommufd/hw_pagetable.c b/drivers/iommu/iommufd/hw_pagetable.c
+index a9f1fe44c4c0b..21f0d8cbd7aad 100644
+--- a/drivers/iommu/iommufd/hw_pagetable.c
++++ b/drivers/iommu/iommufd/hw_pagetable.c
+@@ -215,7 +215,8 @@ iommufd_hwpt_nested_alloc(struct iommufd_ctx *ictx,
+
+ if (flags || !user_data->len || !ops->domain_alloc_user)
+ return ERR_PTR(-EOPNOTSUPP);
+- if (parent->auto_domain || !parent->nest_parent)
++ if (parent->auto_domain || !parent->nest_parent ||
++ parent->common.domain->owner != ops)
+ return ERR_PTR(-EINVAL);
+
+ hwpt_nested = __iommufd_object_alloc(
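Review bot: The added `parent->common.domain->owner != ops` test has no comment. According to the commit message it is what stops a parent domain created by one driver from being handed to another driver's callback, which would interpret the structure as its own type. A one-line comment keeps it from being dropped in a later cleanup: `/* the parent domain must have been allocated by the driver whose ops are called below */`. The test also dereferences `parent->common.domain` unconditionally; presumably it is always set for a nest parent, but that is established outside the hunk. iommufd_hwpt_nested_alloc() starts and ends outside the hunk.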
+--
+2.43.0
+
--- /dev/null
+From 94b71d04a45adb27050dc4f90b2154348f432e60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 11:47:09 -0300
+Subject: iommufd/selftest: Fix buffer read overrrun in the dirty test
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 79ea4a496ab5c970a3a793d863ed8893b1af107c ]
+
+test_bit() is used to read the memory storing the bitmap, however
+test_bit() always uses a unsigned long 8 byte access.
+
+If the bitmap is not an aligned size of 64 bits this will now trigger a
+KASAN warning reading past the end of the buffer.
+
+Properly round the buffer allocation to an unsigned long size. Continue to
+copy_from_user() using a byte granularity.
+
+Fixes: 9560393b830b ("iommufd/selftest: Fix iommufd_test_dirty() to handle <u8 bitmaps")
+Link: https://patch.msgid.link/r/0-v1-113e8d9e7861+5ae-iommufd_kasan_jgg@nvidia.com
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/selftest.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
+index 654ed33390957..62bfeb7a35d85 100644
+--- a/drivers/iommu/iommufd/selftest.c
++++ b/drivers/iommu/iommufd/selftest.c
+@@ -1313,7 +1313,7 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id,
+ unsigned long page_size, void __user *uptr,
+ u32 flags)
+ {
+- unsigned long bitmap_size, i, max;
++ unsigned long i, max;
+ struct iommu_test_cmd *cmd = ucmd->cmd;
+ struct iommufd_hw_pagetable *hwpt;
+ struct mock_iommu_domain *mock;
+@@ -1334,15 +1334,14 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id,
+ }
+
+ max = length / page_size;
+- bitmap_size = DIV_ROUND_UP(max, BITS_PER_BYTE);
+-
+- tmp = kvzalloc(bitmap_size, GFP_KERNEL_ACCOUNT);
++ tmp = kvzalloc(DIV_ROUND_UP(max, BITS_PER_LONG) * sizeof(unsigned long),
++ GFP_KERNEL_ACCOUNT);
+ if (!tmp) {
+ rc = -ENOMEM;
+ goto out_put;
+ }
+
+- if (copy_from_user(tmp, uptr, bitmap_size)) {
++ if (copy_from_user(tmp, uptr,DIV_ROUND_UP(max, BITS_PER_BYTE))) {
+ rc = -EFAULT;
+ goto out_free;
+ }
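Review bot: The allocation size and the byte count `DIV_ROUND_UP(max, BITS_PER_BYTE)` passed to copy_from_user() are now two separately written expressions derived from `max`, which comes from the caller-supplied `length` and `page_size`. The copy stays inside the buffer only as long as the two are kept in step by hand. Using the overflow-checked array allocator and the matching bitmap helpers makes the relationship explicit: `tmp = kvcalloc(BITS_TO_LONGS(max), sizeof(unsigned long), GFP_KERNEL_ACCOUNT);` and `if (copy_from_user(tmp, uptr, BITS_TO_BYTES(max))) {`. The new copy_from_user() line is also missing the space after `uptr,`. iommufd_test_dirty() starts and ends outside the hunk.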
+--
+2.43.0
+
--- /dev/null
+From ae72304c24cb19294a817a3e41e9516514ceba40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 11:02:11 +0200
+Subject: ipmi: docs: don't advertise deprecated sysfs entries
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 64dce81f8c373c681e62d5ffe0397c45a35d48a2 ]
+
+"i2c-adapter" class entries are deprecated since 2009. Switch to the
+proper location.
+
+Reported-by: Heiner Kallweit <hkallweit1@gmail.com>
+Closes: https://lore.kernel.org/r/80c4a898-5867-4162-ac85-bdf7c7c68746@gmail.com
+Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Message-Id: <20240901090211.3797-2-wsa+renesas@sang-engineering.com>
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/driver-api/ipmi.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/driver-api/ipmi.rst b/Documentation/driver-api/ipmi.rst
+index e224e47b6b094..dfa021eacd63c 100644
+--- a/Documentation/driver-api/ipmi.rst
++++ b/Documentation/driver-api/ipmi.rst
+@@ -540,7 +540,7 @@ at module load time (for a module) with::
+ alerts_broken
+
+ The addresses are normal I2C addresses. The adapter is the string
+-name of the adapter, as shown in /sys/class/i2c-adapter/i2c-<n>/name.
++name of the adapter, as shown in /sys/bus/i2c/devices/i2c-<n>/name.
+ It is *NOT* i2c-<n> itself. Also, the comparison is done ignoring
+ spaces, so if the name is "This is an I2C chip" you can say
+ adapter_name=ThisisanI2cchip. This is because it's hard to pass in
+--
+2.43.0
+
--- /dev/null
+From e8b40433a2bc0b0f6cb74f8f6e9cc9ac25b8ff0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 08:31:47 +0000
+Subject: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 04ccecfa959d3b9ae7348780d8e379c6486176ac ]
+
+Blamed commit accidentally removed a check for rt->rt6i_idev being NULL,
+as spotted by syzbot:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+ RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
+ RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
+Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
+RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
+RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
+R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
+R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
+FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856
+ addrconf_notify+0x3cb/0x1020
+ notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
+ call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
+ call_netdevice_notifiers net/core/dev.c:2046 [inline]
+ unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352
+ unregister_netdevice_many net/core/dev.c:11414 [inline]
+ unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289
+ unregister_netdevice include/linux/netdevice.h:3129 [inline]
+ __tun_detach+0x6b9/0x1600 drivers/net/tun.c:685
+ tun_detach drivers/net/tun.c:701 [inline]
+ tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510
+ __fput+0x24a/0x8a0 fs/file_table.c:422
+ task_work_run+0x24f/0x310 kernel/task_work.c:228
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xa2f/0x27f0 kernel/exit.c:882
+ do_group_exit+0x207/0x2c0 kernel/exit.c:1031
+ __do_sys_exit_group kernel/exit.c:1042 [inline]
+ __se_sys_exit_group kernel/exit.c:1040 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
+ x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f1acc77def9
+Code: Unable to access opcode bytes at 0x7f1acc77decf.
+RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
+RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0
+ </TASK>
+Modules linked in:
+---[ end trace 0000000000000000 ]---
+ RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
+ RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
+Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
+RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
+RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
+R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
+R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
+FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: e332bc67cf5e ("ipv6: Don't call with rt6_uncached_list_flush_dev")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20240913083147.3095442-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index a9644a8edb960..1febd95822c9a 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -175,7 +175,7 @@ static void rt6_uncached_list_flush_dev(struct net_device *dev)
+ struct net_device *rt_dev = rt->dst.dev;
+ bool handled = false;
+
+- if (rt_idev->dev == dev) {
++ if (rt_idev && rt_idev->dev == dev) {
+ rt->rt6i_idev = in6_dev_get(blackhole_netdev);
+ in6_dev_put(rt_idev);
+ handled = true;
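Review bot: The new `rt_idev &&` test in `rt6_uncached_list_flush_dev()` carries no comment saying that an entry on the uncached list can have a NULL `rt6i_idev`, so the guard is easy to drop again in a later cleanup. The Fixes tag suggests that is how the fault shown in the trace at route.c:177 came about. I would add a line above the `if`, such as `/* rt6i_idev can be NULL here; never dereference it unchecked */`. The function starts and ends outside this hunk, so whether other uses of `rt_idev` in the loop need the same guard cannot be checked from here.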
+--
+2.43.0
+
--- /dev/null
+From 6d3adbef52305a226a725a79f142907f8662e2f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 13:05:46 +0900
+Subject: jfs: fix out-of-bounds in dbNextAG() and diAlloc()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit e63866a475562810500ea7f784099bfe341e761a ]
+
+In dbNextAG(), there is no check for the case where bmp->db_numag is
+greater than or equal to MAXAG due to a polluted image, which causes an
+out-of-bounds access. Therefore, a bounds check should be added in dbMount().
+
+And in dbNextAG(), a check for the case where agpref is greater than
+bmp->db_numag should be added, so an out-of-bounds exception should be
+prevented.
+
+Additionally, a check for the case where agno is greater or same than
+MAXAG should be added in diAlloc() to prevent out-of-bounds.
+
+Reported-by: Jeongjun Park <aha310510@gmail.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 4 ++--
+ fs/jfs/jfs_imap.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 5713994328cbc..0625d1c0d0649 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap)
+ }
+
+ bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+- if (!bmp->db_numag) {
++ if (!bmp->db_numag || bmp->db_numag >= MAXAG) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
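Review bot: The added bound in `dbMount()` uses `>= MAXAG`, which also rejects an image whose `db_numag` is exactly MAXAG. `db_numag` is used as a count in the `dbNextAG()` hunk (`i < bmp->db_numag`), so if the per-AG arrays such as `db_active` are declared with MAXAG elements (the declaration is not visible here), a count of MAXAG is still in range. In that case the exact check would be `if (!bmp->db_numag || bmp->db_numag > MAXAG) {`. If `>=` is intentional, a short comment saying why a full-size volume is refused would help. The function body continues outside the hunk.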
+@@ -652,7 +652,7 @@ int dbNextAG(struct inode *ipbmap)
+ * average free space.
+ */
+ for (i = 0 ; i < bmp->db_numag; i++, agpref++) {
+- if (agpref == bmp->db_numag)
++ if (agpref >= bmp->db_numag)
+ agpref = 0;
+
+ if (atomic_read(&bmp->db_active[agpref]))
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index 1407feccbc2d0..a360b24ed320c 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -1360,7 +1360,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip)
+ /* get the ag number of this iag */
+ agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));
+ dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag;
+- if (agno < 0 || agno > dn_numag)
++ if (agno < 0 || agno > dn_numag || agno >= MAXAG)
+ return -EIO;
+
+ if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {
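Review bot: In `diAlloc()` the condition still accepts `agno == dn_numag`, because the existing test is `agno > dn_numag`. If valid group numbers run from 0 to `dn_numag - 1`, as the `dbNextAG()` loop implies, that is one past the last group and `db_active[agno]` on the next line reads a slot no group owns. Worth confirming and, if so, tightening to `if (agno < 0 || agno >= dn_numag || agno >= MAXAG)`. With the bound that `dbMount()` now enforces on `db_numag`, the `agno >= MAXAG` term would then be redundant, though harmless as defence against a later change. The function starts and ends outside this hunk.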
+--
+2.43.0
+
--- /dev/null
+From f3bd304ab215acb5794f37cf78dccc4fe5d59ca7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 18:20:09 +0100
+Subject: kselftest/arm64: Actually test SME vector length changes via
+ sigreturn
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 6f0315330af7a57c1c00587fdfb69c7778bf1c50 ]
+
+The test case for SME vector length changes via sigreturn uses a bit too
+much cut'n'paste and only actually changed the SVE vector length in the
+test itself. Andre's recent factoring out of the initialisation code caused
+this to be exposed and the test to start failing. Fix the test to actually
+cover the thing it's supposed to test.
+
+Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Tested-by: Andre Przywara <andre.przywara@arm.com>
+Link: https://lore.kernel.org/r/20240829-arm64-sme-signal-vl-change-test-v1-1-42d7534cb818@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testcases/fake_sigreturn_sme_change_vl.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
+index cb8c051b5c8f2..dfd6a2badf9fb 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
+@@ -35,30 +35,30 @@ static int fake_sigreturn_ssve_change_vl(struct tdescr *td,
+ {
+ size_t resv_sz, offset;
+ struct _aarch64_ctx *head = GET_SF_RESV_HEAD(sf);
+- struct sve_context *sve;
++ struct za_context *za;
+
+ /* Get a signal context with a SME ZA frame in it */
+ if (!get_current_context(td, &sf.uc, sizeof(sf.uc)))
+ return 1;
+
+ resv_sz = GET_SF_RESV_SIZE(sf);
+- head = get_header(head, SVE_MAGIC, resv_sz, &offset);
++ head = get_header(head, ZA_MAGIC, resv_sz, &offset);
+ if (!head) {
+- fprintf(stderr, "No SVE context\n");
++ fprintf(stderr, "No ZA context\n");
+ return 1;
+ }
+
+- if (head->size != sizeof(struct sve_context)) {
++ if (head->size != sizeof(struct za_context)) {
+ fprintf(stderr, "Register data present, aborting\n");
+ return 1;
+ }
+
+- sve = (struct sve_context *)head;
++ za = (struct za_context *)head;
+
+ /* No changes are supported; init left us at minimum VL so go to max */
+ fprintf(stderr, "Attempting to change VL from %d to %d\n",
+- sve->vl, vls[0]);
+- sve->vl = vls[0];
++ za->vl, vls[0]);
++ za->vl = vls[0];
+
+ fake_sigreturn(&sf, sizeof(sf), 0);
+
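Review bot: The rewritten `fprintf()` prints `vls[0]` with `%d`, but `vls` is declared `unsigned int` in sve_helpers.h, so the conversion does not match the argument type. Since both lines are being touched anyway, I would write `"Attempting to change VL from %d to %u\n"`, keeping `%d` for `za->vl`, which is promoted to `int` if it is a 16-bit field as in the UAPI header (not visible here). The function body starts before this hunk and continues after it.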
+--
+2.43.0
+
--- /dev/null
+From 5ac887103310e65dd7af99b1865beaead451c821 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 17:44:01 +0100
+Subject: kselftest/arm64: signal: fix/refactor SVE vector length enumeration
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit 5225b6562b9a7dc808d5a1e465aaf5e2ebb220cd ]
+
+Currently a number of SVE/SME related tests have almost identical
+functions to enumerate all supported vector lengths. However over time
+the copy&pasted code has diverged, allowing some bugs to creep in:
+- fake_sigreturn_sme_change_vl reports a failure, not a SKIP if only
+ one vector length is supported (but the SVE version is fine)
+- fake_sigreturn_sme_change_vl tries to set the SVE vector length, not
+ the SME one (but the other SME tests are fine)
+- za_no_regs keeps iterating forever if only one vector length is
+ supported (but za_regs is correct)
+
+Since those bugs seem to be mostly copy&paste ones, let's consolidate
+the enumeration loop into one shared function, and just call that from
+each test. That should fix the above bugs, and prevent similar issues
+from happening again.
+
+Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240821164401.3598545-1-andre.przywara@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/arm64/signal/Makefile | 2 +-
+ .../selftests/arm64/signal/sve_helpers.c | 56 +++++++++++++++++++
+ .../selftests/arm64/signal/sve_helpers.h | 21 +++++++
+ .../testcases/fake_sigreturn_sme_change_vl.c | 32 +++--------
+ .../testcases/fake_sigreturn_sve_change_vl.c | 30 ++--------
+ .../arm64/signal/testcases/ssve_regs.c | 36 +++---------
+ .../arm64/signal/testcases/ssve_za_regs.c | 36 +++---------
+ .../arm64/signal/testcases/sve_regs.c | 32 +++--------
+ .../arm64/signal/testcases/za_no_regs.c | 32 +++--------
+ .../arm64/signal/testcases/za_regs.c | 36 +++---------
+ 10 files changed, 132 insertions(+), 181 deletions(-)
+ create mode 100644 tools/testing/selftests/arm64/signal/sve_helpers.c
+ create mode 100644 tools/testing/selftests/arm64/signal/sve_helpers.h
+
+diff --git a/tools/testing/selftests/arm64/signal/Makefile b/tools/testing/selftests/arm64/signal/Makefile
+index 8f5febaf1a9a2..edb3613513b8a 100644
+--- a/tools/testing/selftests/arm64/signal/Makefile
++++ b/tools/testing/selftests/arm64/signal/Makefile
+@@ -23,7 +23,7 @@ $(TEST_GEN_PROGS): $(PROGS)
+ # Common test-unit targets to build common-layout test-cases executables
+ # Needs secondary expansion to properly include the testcase c-file in pre-reqs
+ COMMON_SOURCES := test_signals.c test_signals_utils.c testcases/testcases.c \
+- signals.S
++ signals.S sve_helpers.c
+ COMMON_HEADERS := test_signals.h test_signals_utils.h testcases/testcases.h
+
+ .SECONDEXPANSION:
+diff --git a/tools/testing/selftests/arm64/signal/sve_helpers.c b/tools/testing/selftests/arm64/signal/sve_helpers.c
+new file mode 100644
+index 0000000000000..0acc121af3062
+--- /dev/null
++++ b/tools/testing/selftests/arm64/signal/sve_helpers.c
+@@ -0,0 +1,56 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Copyright (C) 2024 ARM Limited
++ *
++ * Common helper functions for SVE and SME functionality.
++ */
++
++#include <stdbool.h>
++#include <kselftest.h>
++#include <asm/sigcontext.h>
++#include <sys/prctl.h>
++
++unsigned int vls[SVE_VQ_MAX];
++unsigned int nvls;
++
++int sve_fill_vls(bool use_sme, int min_vls)
++{
++ int vq, vl;
++ int pr_set_vl = use_sme ? PR_SME_SET_VL : PR_SVE_SET_VL;
++ int len_mask = use_sme ? PR_SME_VL_LEN_MASK : PR_SVE_VL_LEN_MASK;
++
++ /*
++ * Enumerate up to SVE_VQ_MAX vector lengths
++ */
++ for (vq = SVE_VQ_MAX; vq > 0; --vq) {
++ vl = prctl(pr_set_vl, vq * 16);
++ if (vl == -1)
++ return KSFT_FAIL;
++
++ vl &= len_mask;
++
++ /*
++ * Unlike SVE, SME does not require the minimum vector length
++ * to be implemented, or the VLs to be consecutive, so any call
++ * to the prctl might return the single implemented VL, which
++ * might be larger than 16. So to avoid this loop never
++ * terminating, bail out here when we find a higher VL than
++ * we asked for.
++ * See the ARM ARM, DDI 0487K.a, B1.4.2: I_QQRNR and I_NWYBP.
++ */
++ if (vq < sve_vq_from_vl(vl))
++ break;
++
++ /* Skip missing VLs */
++ vq = sve_vq_from_vl(vl);
++
++ vls[nvls++] = vl;
++ }
++
++ if (nvls < min_vls) {
++ fprintf(stderr, "Only %d VL supported\n", nvls);
++ return KSFT_SKIP;
++ }
++
++ return KSFT_PASS;
++}
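Review bot: `sve_fill_vls()` appends to the global `vls[]` through `nvls++` but never resets `nvls`, so a second call in the same process would keep writing past the `SVE_VQ_MAX` entries of the array. One call is bounded, because the loop runs at most `SVE_VQ_MAX` times, and each visible test calls it once today, but nothing enforces that. Starting the function with `nvls = 0;` makes it safe to call again. The file should also include its own header, `#include "sve_helpers.h"`, so the compiler checks the definition against the prototype, and `<stdio.h>` for `fprintf`/`stderr` instead of relying on `kselftest.h` to pull it in. `nvls` is unsigned, so `"Only %u VL supported\n"` is the matching format.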
+diff --git a/tools/testing/selftests/arm64/signal/sve_helpers.h b/tools/testing/selftests/arm64/signal/sve_helpers.h
+new file mode 100644
+index 0000000000000..50948ce471cc6
+--- /dev/null
++++ b/tools/testing/selftests/arm64/signal/sve_helpers.h
+@@ -0,0 +1,21 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * Copyright (C) 2024 ARM Limited
++ *
++ * Common helper functions for SVE and SME functionality.
++ */
++
++#ifndef __SVE_HELPERS_H__
++#define __SVE_HELPERS_H__
++
++#include <stdbool.h>
++
++#define VLS_USE_SVE false
++#define VLS_USE_SME true
++
++extern unsigned int vls[];
++extern unsigned int nvls;
++
++int sve_fill_vls(bool use_sme, int min_vls);
++
++#endif
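Review bot: The prototype of `sve_fill_vls()` is the only interface the seven test cases see, and it has no comment describing the contract. I would add a block comment above it covering the three return values: `KSFT_PASS` when at least `min_vls` lengths were found, `KSFT_SKIP` when fewer were found, and `KSFT_FAIL` when the prctl fails. It should also say that `vls[]` is filled from the largest length downwards with `nvls` entries, and that the task is left at the last vector length the loop set. `extern unsigned int vls[];` also hides the array size from callers; declaring it as `vls[SVE_VQ_MAX]` would let them bound their own indexing, though that requires the header to include `<asm/sigcontext.h>`.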
+diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
+index ebd5815b54bba..cb8c051b5c8f2 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
+@@ -6,44 +6,28 @@
+ * handler, this is not supported and is expected to segfault.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ struct fake_sigframe sf;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 2);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SVE_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
++ if (!res)
++ return true;
+
+- vl &= PR_SME_VL_LEN_MASK;
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least two VLs */
+- if (nvls < 2) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
+-
+- return true;
++ return false;
+ }
+
+ static int fake_sigreturn_ssve_change_vl(struct tdescr *td,
+diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c
+index e2a452190511f..e1ccf8f85a70c 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c
++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c
+@@ -12,40 +12,22 @@
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ struct fake_sigframe sf;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sve_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SVE, 2);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SVE_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
++ if (!res)
++ return true;
+
+- vl &= PR_SVE_VL_LEN_MASK;
+-
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least two VLs */
+- if (nvls < 2) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
++ if (res == KSFT_SKIP)
+ td->result = KSFT_SKIP;
+- return false;
+- }
+
+- return true;
++ return false;
+ }
+
+ static int fake_sigreturn_sve_change_vl(struct tdescr *td,
+diff --git a/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c b/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c
+index 3d37daafcff51..6dbe48cf8b09e 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c
+@@ -6,51 +6,31 @@
+ * set up as expected.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 64];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 1);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SME_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SME_VL_LEN_MASK;
+-
+- /* Did we find the lowest supported VL? */
+- if (vq < sve_vq_from_vl(vl))
+- break;
++ if (!res)
++ return true;
+
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static void setup_ssve_regs(void)
+diff --git a/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c b/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c
+index 9dc5f128bbc0d..5557e116e9736 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c
+@@ -6,51 +6,31 @@
+ * signal frames is set up as expected when enabled simultaneously.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 128];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 1);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SME_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SME_VL_LEN_MASK;
+-
+- /* Did we find the lowest supported VL? */
+- if (vq < sve_vq_from_vl(vl))
+- break;
++ if (!res)
++ return true;
+
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static void setup_regs(void)
+diff --git a/tools/testing/selftests/arm64/signal/testcases/sve_regs.c b/tools/testing/selftests/arm64/signal/testcases/sve_regs.c
+index 8b16eabbb7697..8143eb1c58c18 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/sve_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/sve_regs.c
+@@ -6,47 +6,31 @@
+ * expected.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 64];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sve_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SVE, 1);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SVE_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SVE_VL_LEN_MASK;
+-
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
++ if (!res)
++ return true;
+
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static void setup_sve_regs(void)
+diff --git a/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c b/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c
+index 4d6f94b6178f3..ce26e9c2fa5e3 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c
+@@ -6,47 +6,31 @@
+ * expected.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 128];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 1);
+
+- /*
+- * Enumerate up to SME_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SME_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SME_VL_LEN_MASK;
+-
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
++ if (!res)
++ return true;
+
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static int do_one_sme_vl(struct tdescr *td, siginfo_t *si, ucontext_t *uc,
+diff --git a/tools/testing/selftests/arm64/signal/testcases/za_regs.c b/tools/testing/selftests/arm64/signal/testcases/za_regs.c
+index 174ad66566964..b9e13f27f1f9a 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/za_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/za_regs.c
+@@ -6,51 +6,31 @@
+ * expected.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 128];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 1);
+
+- /*
+- * Enumerate up to SME_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SME_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SME_VL_LEN_MASK;
+-
+- /* Did we find the lowest supported VL? */
+- if (vq < sve_vq_from_vl(vl))
+- break;
++ if (!res)
++ return true;
+
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static void setup_za_regs(void)
+--
+2.43.0
+
--- /dev/null
+From 629a3aa6d5219003faa87cf419ad0d9441eb0fb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 16:56:02 -0400
+Subject: kselftest: dt: Ignore nodes that have ancestors disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit 05144ab7b7eaf531fc728fcb79dcf36b621ff42d ]
+
+Filter out nodes that have one of their ancestors disabled, as they aren't
+expected to probe.
+
+This removes the following false-positive failures on the
+sc7180-trogdor-lazor-limozeen-nots-r5 platform:
+
+/soc@0/geniqup@8c0000/i2c@894000/proximity@28
+/soc@0/geniqup@ac0000/spi@a90000/ec@0
+/soc@0/remoteproc@62400000/glink-edge/apr
+/soc@0/remoteproc@62400000/glink-edge/apr/service@3
+/soc@0/remoteproc@62400000/glink-edge/apr/service@4
+/soc@0/remoteproc@62400000/glink-edge/apr/service@4/clock-controller
+/soc@0/remoteproc@62400000/glink-edge/apr/service@4/dais
+/soc@0/remoteproc@62400000/glink-edge/apr/service@7
+/soc@0/remoteproc@62400000/glink-edge/apr/service@7/dais
+/soc@0/remoteproc@62400000/glink-edge/apr/service@8
+/soc@0/remoteproc@62400000/glink-edge/apr/service@8/routing
+/soc@0/remoteproc@62400000/glink-edge/fastrpc
+/soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@3
+/soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@4
+/soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@5
+/soc@0/spmi@c440000/pmic@0/pon@800/pwrkey
+
+Fixes: 14571ab1ad21 ("kselftest: Add new test for detecting unprobed Devicetree devices")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20240729-dt-kselftest-parent-disabled-v2-1-d7a001c4930d@collabora.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/dt/test_unprobed_devices.sh | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/dt/test_unprobed_devices.sh b/tools/testing/selftests/dt/test_unprobed_devices.sh
+index 2d7e70c5ad2d3..5e3f42ef249ee 100755
+--- a/tools/testing/selftests/dt/test_unprobed_devices.sh
++++ b/tools/testing/selftests/dt/test_unprobed_devices.sh
+@@ -34,8 +34,21 @@ nodes_compatible=$(
+ # Check if node is available
+ if [[ -e "${node}"/status ]]; then
+ status=$(tr -d '\000' < "${node}"/status)
+- [[ "${status}" != "okay" && "${status}" != "ok" ]] && continue
++ if [[ "${status}" != "okay" && "${status}" != "ok" ]]; then
++ if [ -n "${disabled_nodes_regex}" ]; then
++ disabled_nodes_regex="${disabled_nodes_regex}|${node}"
++ else
++ disabled_nodes_regex="${node}"
++ fi
++ continue
++ fi
+ fi
++
++ # Ignore this node if one of its ancestors was disabled
++ if [ -n "${disabled_nodes_regex}" ]; then
++ echo "${node}" | grep -q -E "${disabled_nodes_regex}" && continue
++ fi
++
+ echo "${node}" | sed -e 's|\/proc\/device-tree||'
+ done | sort
+ )
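Review bot: The ancestor filter feeds raw node paths to `grep -E` as an unanchored regular expression, so it can drop nodes that are not descendants of a disabled node. A disabled node such as `/soc/i2c@1000` (constructed example) also matches an enabled sibling `/soc/i2c@10000`, and characters that are legal in node names, such as `.` and `+`, are treated as regex operators. Comparing each path literally as a prefix followed by `/` avoids both problems and the `grep` process per node; the script already uses `[[ ]]`, so a bash array is available. The enclosing loop starts outside the hunk, so the sketch below assumes, as the original does, that a parent is visited before its children.

```shell
# … unchanged: status read …
    if [[ "${status}" != "okay" && "${status}" != "ok" ]]; then
        disabled_nodes+=("${node}")
        continue
    fi
# … unchanged: closing fi of the status check …

# Ignore this node if one of its ancestors was disabled
for disabled in "${disabled_nodes[@]}"; do
    [[ "${node}" == "${disabled}/"* ]] && continue 2
done
```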
+--
+2.43.0
+
--- /dev/null
+From c907da0e69ce48607fc0d53eec8e68fccfbadf54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:23:08 +0800
+Subject: kthread: fix task state in kthread worker if being frozen
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+[ Upstream commit e16c7b07784f3fb03025939c4590b9a7c64970a7 ]
+
+When analyzing a kernel warning message, Peter pointed out that there is a
+race condition when the kworker is being frozen and falls into
+try_to_freeze() with TASK_INTERRUPTIBLE, which could trigger a
+might_sleep() warning in try_to_freeze(). Although the root cause is not
+related to freeze()[1], it is still worthy to fix this issue ahead.
+
+One possible race scenario:
+
+ CPU 0 CPU 1
+ ----- -----
+
+ // kthread_worker_fn
+ set_current_state(TASK_INTERRUPTIBLE);
+ suspend_freeze_processes()
+ freeze_processes
+ static_branch_inc(&freezer_active);
+ freeze_kernel_threads
+ pm_nosig_freezing = true;
+ if (work) { //false
+ __set_current_state(TASK_RUNNING);
+
+ } else if (!freezing(current)) //false, been frozen
+
+ freezing():
+ if (static_branch_unlikely(&freezer_active))
+ if (pm_nosig_freezing)
+ return true;
+ schedule()
+ }
+
+ // state is still TASK_INTERRUPTIBLE
+ try_to_freeze()
+ might_sleep() <--- warning
+
+Fix this by explicitly set the TASK_RUNNING before entering
+try_to_freeze().
+
+Link: https://lore.kernel.org/lkml/Zs2ZoAcUsZMX2B%2FI@chenyu5-mobl2/ [1]
+Link: https://lkml.kernel.org/r/20240827112308.181081-1-yu.c.chen@intel.com
+Fixes: b56c0d8937e6 ("kthread: implement kthread_worker")
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Suggested-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: David Gow <davidgow@google.com>
+Cc: Mateusz Guzik <mjguzik@gmail.com>
+Cc: Mickaël Salaün <mic@digikod.net>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kthread.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kthread.c b/kernel/kthread.c
+index f7be976ff88af..db4ceb0f503cc 100644
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -845,8 +845,16 @@ int kthread_worker_fn(void *worker_ptr)
+ * event only cares about the address.
+ */
+ trace_sched_kthread_work_execute_end(work, func);
+- } else if (!freezing(current))
++ } else if (!freezing(current)) {
+ schedule();
++ } else {
++ /*
++ * Handle the case where the current remains
++ * TASK_INTERRUPTIBLE. try_to_freeze() expects
++ * the current to be TASK_RUNNING.
++ */
++ __set_current_state(TASK_RUNNING);
++ }
+
+ try_to_freeze();
+ cond_resched();
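Review bot: The comment in the new `else` branch says the task "remains TASK_INTERRUPTIBLE" but does not say how it gets there, and that sequence is the whole reason for the branch. I would reword it to state that the worker set TASK_INTERRUPTIBLE, found no work, and skipped `schedule()` because `freezing(current)` was already true, so the state must be put back before `try_to_freeze()` reaches `might_sleep()`. With that recorded next to the code, a later cleanup is less likely to fold the branch back into the `else if`. `kthread_worker_fn()` starts and ends outside this hunk.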
+--
+2.43.0
+
--- /dev/null
+From 9ded405f86e8237e4e28c20248244230371dc593 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jul 2024 17:19:03 +0200
+Subject: leds: bd2606mvv: Fix device child node usage in bd2606mvv_probe()
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit ffbf1fcb421429916a861cfc25dfe0c6387dda75 ]
+
+The current implementation accesses the `child` fwnode handle outside of
+fwnode_for_each_available_child_node() without incrementing its
+refcount. Add the missing call to `fwnode_handle_get(child)`.
+
+The cleanup process where `child` is accessed is not right either
+because a single call to `fwnode_handle_put()` is carried out in case of
+an error, ignoring unassigned nodes at the point when the error happens.
+Keep `child` inside of the first loop, and use the helper pointer that
+receives references via `fwnode_handle_get()` to handle the child nodes
+within the second loop.
+
+Moreover, the iterated nodes are direct children of the device node,
+and the `device_for_each_child_node()` macro accounts for child node
+availability. By restricting `child` to live within that loop, the
+scoped version of it can be used to simplify the error handling.
+
+`fwnode_for_each_available_child_node()` is meant to access the child
+nodes of an fwnode, and therefore not direct child nodes of the device
+node.
+
+Use `device_for_each_child_node_scoped()` to indicate device's direct
+child nodes.
+
+Fixes: 8325642d2757 ("leds: bd2606mvv: Driver for the Rohm 6 Channel i2c LED driver")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20240721-device_for_each_child_node-available-v2-3-f33748fd8b2d@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-bd2606mvv.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/leds/leds-bd2606mvv.c b/drivers/leds/leds-bd2606mvv.c
+index 3fda712d2f809..c1181a35d0f76 100644
+--- a/drivers/leds/leds-bd2606mvv.c
++++ b/drivers/leds/leds-bd2606mvv.c
+@@ -69,16 +69,14 @@ static const struct regmap_config bd2606mvv_regmap = {
+
+ static int bd2606mvv_probe(struct i2c_client *client)
+ {
+- struct fwnode_handle *np, *child;
+ struct device *dev = &client->dev;
+ struct bd2606mvv_priv *priv;
+ struct fwnode_handle *led_fwnodes[BD2606_MAX_LEDS] = { 0 };
+ int active_pairs[BD2606_MAX_LEDS / 2] = { 0 };
+ int err, reg;
+- int i;
++ int i, j;
+
+- np = dev_fwnode(dev);
+- if (!np)
++ if (!dev_fwnode(dev))
+ return -ENODEV;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+@@ -94,20 +92,18 @@ static int bd2606mvv_probe(struct i2c_client *client)
+
+ i2c_set_clientdata(client, priv);
+
+- fwnode_for_each_available_child_node(np, child) {
++ device_for_each_child_node_scoped(dev, child) {
+ struct bd2606mvv_led *led;
+
+ err = fwnode_property_read_u32(child, "reg", ®);
+- if (err) {
+- fwnode_handle_put(child);
++ if (err)
+ return err;
+- }
+- if (reg < 0 || reg >= BD2606_MAX_LEDS || led_fwnodes[reg]) {
+- fwnode_handle_put(child);
++
++ if (reg < 0 || reg >= BD2606_MAX_LEDS || led_fwnodes[reg])
+ return -EINVAL;
+- }
++
+ led = &priv->leds[reg];
+- led_fwnodes[reg] = child;
++ led_fwnodes[reg] = fwnode_handle_get(child);
+ active_pairs[reg / 2]++;
+ led->priv = priv;
+ led->led_no = reg;
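Review bot: The two early returns in the first loop (`return err;` and `return -EINVAL;`) appear to leak the references that earlier iterations stored in `led_fwnodes[]`. The scoped iterator releases only the current `child`, while `fwnode_handle_get(child)` took an extra reference for every slot already filled. The error path in the last hunk of this file does release the stored handles, so the same is wanted here: `for (j = 0; j < BD2606_MAX_LEDS; j++) fwnode_handle_put(led_fwnodes[j]);` before each return. Empty slots are NULL, which the last hunk's loop already relies on. `bd2606mvv_probe()` continues outside the hunk, so whether the success path drops the handles after registration cannot be checked from here.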
+@@ -130,7 +126,8 @@ static int bd2606mvv_probe(struct i2c_client *client)
+ &priv->leds[i].ldev,
+ &init_data);
+ if (err < 0) {
+- fwnode_handle_put(child);
++ for (j = i; j < BD2606_MAX_LEDS; j++)
++ fwnode_handle_put(led_fwnodes[j]);
+ return dev_err_probe(dev, err,
+ "couldn't register LED %s\n",
+ priv->leds[i].ldev.name);
+--
+2.43.0
+
--- /dev/null
+From eb4b76a3886e29b4bca78c1e5d088e74df6a629f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 14:24:59 -0700
+Subject: leds: gpio: Set num_leds after allocation
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 045391a02bd971d431c83ad03f7cc51b6e2fe331 ]
+
+With the new __counted_by annotation, the "num_leds" variable needs to be
+valid for accesses to the "leds" array. This requirement is not met in
+gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0"
+will not be considered valid (num_leds would need to be "1" to access
+index "0").
+
+Fix this by setting the allocation size after allocation, and then update
+the final count based on how many were actually added to the array.
+
+Fixes: 52cd75108a42 ("leds: gpio: Annotate struct gpio_leds_priv with __counted_by")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20240716212455.work.809-kees@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-gpio.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c
+index 83fcd7b6afff7..4d1612d557c84 100644
+--- a/drivers/leds/leds-gpio.c
++++ b/drivers/leds/leds-gpio.c
+@@ -150,7 +150,7 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
+ {
+ struct fwnode_handle *child;
+ struct gpio_leds_priv *priv;
+- int count, ret;
++ int count, used, ret;
+
+ count = device_get_child_node_count(dev);
+ if (!count)
+@@ -159,9 +159,11 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
+ priv = devm_kzalloc(dev, struct_size(priv, leds, count), GFP_KERNEL);
+ if (!priv)
+ return ERR_PTR(-ENOMEM);
++ priv->num_leds = count;
++ used = 0;
+
+ device_for_each_child_node(dev, child) {
+- struct gpio_led_data *led_dat = &priv->leds[priv->num_leds];
++ struct gpio_led_data *led_dat = &priv->leds[used];
+ struct gpio_led led = {};
+
+ /*
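Review bot: The added `priv->num_leds = count;` and `used = 0;` carry no comment, and setting the count before anything is stored looks like a mistake to a reader who does not know about `__counted_by`. A comment above the assignment, such as `/* num_leds bounds the __counted_by(leds) array, so it must cover the allocation before leds[] is indexed */`, would keep a later cleanup from moving it back below the loop. Until the final `priv->num_leds = used;` the field overstates how many entries are initialised, so any reader of it on an error path inside the loop (not visible here) should be checked. gpio_leds_create() continues outside this hunk.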
+@@ -197,8 +199,9 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
+ /* Set gpiod label to match the corresponding LED name. */
+ gpiod_set_consumer_name(led_dat->gpiod,
+ led_dat->cdev.dev->kobj.name);
+- priv->num_leds++;
++ used++;
+ }
++ priv->num_leds = used;
+
+ return priv;
+ }
+--
+2.43.0
+
--- /dev/null
+From a316f4f4dff268791381dd4f6a2f2b1023add27e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 14:49:51 +0200
+Subject: leds: leds-pca995x: Add support for NXP PCA9956B
+
+From: Pieterjan Camerlynck <pieterjanca@gmail.com>
+
+[ Upstream commit 68d6520d2e76998cdea58f6dd8782de5ab5b28af ]
+
+Add support for PCA9956B chip, which belongs to the same family.
+
+This chip features 24 instead of 16 outputs, so add a chipdef struct to
+deal with the different register layouts.
+
+Reviewed-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Pieterjan Camerlynck <pieterjanca@gmail.com>
+Link: https://lore.kernel.org/r/20240711-pca995x-v4-2-702a67148065@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Stable-dep-of: 82c5ada1f9d0 ("leds: pca995x: Fix device child node usage in pca995x_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-pca995x.c | 59 ++++++++++++++++++++++++-------------
+ 1 file changed, 39 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c
+index 78215dff14997..686b77772ccec 100644
+--- a/drivers/leds/leds-pca995x.c
++++ b/drivers/leds/leds-pca995x.c
+@@ -19,10 +19,6 @@
+ #define PCA995X_MODE1 0x00
+ #define PCA995X_MODE2 0x01
+ #define PCA995X_LEDOUT0 0x02
+-#define PCA9955B_PWM0 0x08
+-#define PCA9952_PWM0 0x0A
+-#define PCA9952_IREFALL 0x43
+-#define PCA9955B_IREFALL 0x45
+
+ /* Auto-increment disabled. Normal mode */
+ #define PCA995X_MODE1_CFG 0x00
+@@ -34,17 +30,38 @@
+ #define PCA995X_LDRX_MASK 0x3
+ #define PCA995X_LDRX_BITS 2
+
+-#define PCA995X_MAX_OUTPUTS 16
++#define PCA995X_MAX_OUTPUTS 24
+ #define PCA995X_OUTPUTS_PER_REG 4
+
+ #define PCA995X_IREFALL_FULL_CFG 0xFF
+ #define PCA995X_IREFALL_HALF_CFG (PCA995X_IREFALL_FULL_CFG / 2)
+
+-#define PCA995X_TYPE_NON_B 0
+-#define PCA995X_TYPE_B 1
+-
+ #define ldev_to_led(c) container_of(c, struct pca995x_led, ldev)
+
++struct pca995x_chipdef {
++ unsigned int num_leds;
++ u8 pwm_base;
++ u8 irefall;
++};
++
++static const struct pca995x_chipdef pca9952_chipdef = {
++ .num_leds = 16,
++ .pwm_base = 0x0a,
++ .irefall = 0x43,
++};
++
++static const struct pca995x_chipdef pca9955b_chipdef = {
++ .num_leds = 16,
++ .pwm_base = 0x08,
++ .irefall = 0x45,
++};
++
++static const struct pca995x_chipdef pca9956b_chipdef = {
++ .num_leds = 24,
++ .pwm_base = 0x0a,
++ .irefall = 0x40,
++};
++
+ struct pca995x_led {
+ unsigned int led_no;
+ struct led_classdev ldev;
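Review bot: `num_leds` is added to every chipdef but no hunk in this patch reads it, while `PCA995X_MAX_OUTPUTS` grows from 16 to 24 for all chips. The probe's bound, shown in the follow-up patch on this page as `reg >= PCA995X_MAX_OUTPUTS`, would then accept `reg` 16..23 on a 16-output PCA9952 or PCA9955B, and `chipdef->pwm_base + led->led_no` would address a register past the last PWM channel. Bounding on the chip instead, `reg >= chipdef->num_leds`, would reject such a description at probe time.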
+@@ -54,7 +71,7 @@ struct pca995x_led {
+ struct pca995x_chip {
+ struct regmap *regmap;
+ struct pca995x_led leds[PCA995X_MAX_OUTPUTS];
+- int btype;
++ const struct pca995x_chipdef *chipdef;
+ };
+
+ static int pca995x_brightness_set(struct led_classdev *led_cdev,
+@@ -62,10 +79,11 @@ static int pca995x_brightness_set(struct led_classdev *led_cdev,
+ {
+ struct pca995x_led *led = ldev_to_led(led_cdev);
+ struct pca995x_chip *chip = led->chip;
++ const struct pca995x_chipdef *chipdef = chip->chipdef;
+ u8 ledout_addr, pwmout_addr;
+ int shift, ret;
+
+- pwmout_addr = (chip->btype ? PCA9955B_PWM0 : PCA9952_PWM0) + led->led_no;
++ pwmout_addr = chipdef->pwm_base + led->led_no;
+ ledout_addr = PCA995X_LEDOUT0 + (led->led_no / PCA995X_OUTPUTS_PER_REG);
+ shift = PCA995X_LDRX_BITS * (led->led_no % PCA995X_OUTPUTS_PER_REG);
+
+@@ -104,11 +122,12 @@ static int pca995x_probe(struct i2c_client *client)
+ struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 };
+ struct fwnode_handle *np, *child;
+ struct device *dev = &client->dev;
++ const struct pca995x_chipdef *chipdef;
+ struct pca995x_chip *chip;
+ struct pca995x_led *led;
+- int i, btype, reg, ret;
++ int i, reg, ret;
+
+- btype = (unsigned long)device_get_match_data(&client->dev);
++ chipdef = device_get_match_data(&client->dev);
+
+ np = dev_fwnode(dev);
+ if (!np)
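Review bot: `chipdef = device_get_match_data(&client->dev);` is stored and later dereferenced (`chipdef->pwm_base`, `chipdef->irefall`) without a NULL check. The old code turned a missing match into `btype == 0`, whereas the new code would dereference NULL if the device is bound without firmware match data. That is presumably reachable through the `pca995x_id` table, because `device_get_match_data()` does not consult `driver_data`. Either use `i2c_get_match_data(client)` or add `if (!chipdef) return -ENODEV;` after the lookup. pca995x_probe() starts and ends outside this hunk.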
+@@ -118,7 +137,7 @@ static int pca995x_probe(struct i2c_client *client)
+ if (!chip)
+ return -ENOMEM;
+
+- chip->btype = btype;
++ chip->chipdef = chipdef;
+ chip->regmap = devm_regmap_init_i2c(client, &pca995x_regmap);
+ if (IS_ERR(chip->regmap))
+ return PTR_ERR(chip->regmap);
+@@ -170,21 +189,21 @@ static int pca995x_probe(struct i2c_client *client)
+ return ret;
+
+ /* IREF Output current value for all LEDn outputs */
+- return regmap_write(chip->regmap,
+- btype ? PCA9955B_IREFALL : PCA9952_IREFALL,
+- PCA995X_IREFALL_HALF_CFG);
++ return regmap_write(chip->regmap, chipdef->irefall, PCA995X_IREFALL_HALF_CFG);
+ }
+
+ static const struct i2c_device_id pca995x_id[] = {
+- { "pca9952", .driver_data = (kernel_ulong_t)PCA995X_TYPE_NON_B },
+- { "pca9955b", .driver_data = (kernel_ulong_t)PCA995X_TYPE_B },
++ { "pca9952", .driver_data = (kernel_ulong_t)&pca9952_chipdef },
++ { "pca9955b", .driver_data = (kernel_ulong_t)&pca9955b_chipdef },
++ { "pca9956b", .driver_data = (kernel_ulong_t)&pca9956b_chipdef },
+ {}
+ };
+ MODULE_DEVICE_TABLE(i2c, pca995x_id);
+
+ static const struct of_device_id pca995x_of_match[] = {
+- { .compatible = "nxp,pca9952", .data = (void *)PCA995X_TYPE_NON_B },
+- { .compatible = "nxp,pca9955b", .data = (void *)PCA995X_TYPE_B },
++ { .compatible = "nxp,pca9952", .data = &pca9952_chipdef },
++ { .compatible = "nxp,pca9955b", . data = &pca9955b_chipdef },
++ { .compatible = "nxp,pca9956b", .data = &pca9956b_chipdef },
+ {},
+ };
+ MODULE_DEVICE_TABLE(of, pca995x_of_match);
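Review bot: The `nxp,pca9955b` entry is written `. data = &pca9955b_chipdef` with a stray space after the dot. It compiles, but it is inconsistent with the neighbouring entries and is missed by a grep for `.data =`. Write it as `{ .compatible = "nxp,pca9955b", .data = &pca9955b_chipdef },`.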
+--
+2.43.0
+
--- /dev/null
+From 5fde263c79b7ee379551afd9048ccc77f486788f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 15:37:03 +0200
+Subject: leds: pca995x: Fix device child node usage in pca995x_probe()
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit 82c5ada1f9d05902a4ccb926c7ce34e2fe699283 ]
+
+The current implementation accesses the `child` fwnode handle outside of
+device_for_each_child_node() without incrementing its refcount.
+
+Add the missing call to `fwnode_handle_get(child)`.
+
+The cleanup process where `child` is accessed is not right either
+because a single call to `fwnode_handle_put()` is carried out in case of
+an error, ignoring unasigned nodes at the point when the error happens.
+
+Keep `child` inside of the first loop, and use the helper pointer that
+receives references via `fwnode_handle_get()` to handle the child nodes
+within the second loop. Keeping `child` inside the first node has also
+the advantage that the scoped version of the loop can be used.
+
+Fixes: ee4e80b2962e ("leds: pca995x: Add support for PCA995X chips")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20240807-leds-pca995x-fix-fwnode-usage-v1-1-8057c84dc583@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-pca995x.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c
+index 83bc9669544c3..11c7bb69573e8 100644
+--- a/drivers/leds/leds-pca995x.c
++++ b/drivers/leds/leds-pca995x.c
+@@ -120,12 +120,11 @@ static const struct regmap_config pca995x_regmap = {
+ static int pca995x_probe(struct i2c_client *client)
+ {
+ struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 };
+- struct fwnode_handle *child;
+ struct device *dev = &client->dev;
+ const struct pca995x_chipdef *chipdef;
+ struct pca995x_chip *chip;
+ struct pca995x_led *led;
+- int i, reg, ret;
++ int i, j, reg, ret;
+
+ chipdef = device_get_match_data(&client->dev);
+
+@@ -143,7 +142,7 @@ static int pca995x_probe(struct i2c_client *client)
+
+ i2c_set_clientdata(client, chip);
+
+- device_for_each_child_node(dev, child) {
++ device_for_each_child_node_scoped(dev, child) {
+ ret = fwnode_property_read_u32(child, "reg", ®);
+ if (ret)
+ return ret;
+@@ -152,7 +151,7 @@ static int pca995x_probe(struct i2c_client *client)
+ return -EINVAL;
+
+ led = &chip->leds[reg];
+- led_fwnodes[reg] = child;
++ led_fwnodes[reg] = fwnode_handle_get(child);
+ led->chip = chip;
+ led->led_no = reg;
+ led->ldev.brightness_set_blocking = pca995x_brightness_set;
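Review bot: Once `led_fwnodes[reg] = fwnode_handle_get(child);` stores a counted reference, the two early returns earlier in the loop body (`return ret;` and `return -EINVAL;`) leave references from previous iterations unreleased, because the scoped iterator only drops `child` itself. A firmware description with a duplicate or out-of-range `reg` after a valid one would therefore leak node references on each failed probe. Those exits should release the stored handles first, for example `for (j = 0; j < PCA995X_MAX_OUTPUTS; j++) fwnode_handle_put(led_fwnodes[j]);` behind a shared error label. The leds-bd2606mvv patch earlier on this page has the same shape. The loop and pca995x_probe() extend beyond this hunk.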
+@@ -171,7 +170,8 @@ static int pca995x_probe(struct i2c_client *client)
+ &chip->leds[i].ldev,
+ &init_data);
+ if (ret < 0) {
+- fwnode_handle_put(child);
++ for (j = i; j < PCA995X_MAX_OUTPUTS; j++)
++ fwnode_handle_put(led_fwnodes[j]);
+ return dev_err_probe(dev, ret,
+ "Could not register LED %s\n",
+ chip->leds[i].ldev.name);
+--
+2.43.0
+
--- /dev/null
+From 2834a11d5582bed8814af4ffcf90f8e9effb6734 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 16:49:45 +0200
+Subject: leds: pca995x: Use device_for_each_child_node() to access device
+ child nodes
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit 6eefd65ba6ae29ab801f6461e59c10f93dd496f8 ]
+
+The iterated nodes are direct children of the device node, and the
+`device_for_each_child_node()` macro accounts for child node
+availability.
+
+`fwnode_for_each_available_child_node()` is meant to access the child
+nodes of an fwnode, and therefore not direct child nodes of the device
+node.
+
+Use `device_for_each_child_node()` to indicate device's direct child
+nodes.
+
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20240805-device_for_each_child_node-available-v3-2-48243a4aa5c0@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Stable-dep-of: 82c5ada1f9d0 ("leds: pca995x: Fix device child node usage in pca995x_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-pca995x.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c
+index 686b77772ccec..83bc9669544c3 100644
+--- a/drivers/leds/leds-pca995x.c
++++ b/drivers/leds/leds-pca995x.c
+@@ -120,7 +120,7 @@ static const struct regmap_config pca995x_regmap = {
+ static int pca995x_probe(struct i2c_client *client)
+ {
+ struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 };
+- struct fwnode_handle *np, *child;
++ struct fwnode_handle *child;
+ struct device *dev = &client->dev;
+ const struct pca995x_chipdef *chipdef;
+ struct pca995x_chip *chip;
+@@ -129,8 +129,7 @@ static int pca995x_probe(struct i2c_client *client)
+
+ chipdef = device_get_match_data(&client->dev);
+
+- np = dev_fwnode(dev);
+- if (!np)
++ if (!dev_fwnode(dev))
+ return -ENODEV;
+
+ chip = devm_kzalloc(dev, sizeof(*chip), GFP_KERNEL);
+@@ -144,17 +143,13 @@ static int pca995x_probe(struct i2c_client *client)
+
+ i2c_set_clientdata(client, chip);
+
+- fwnode_for_each_available_child_node(np, child) {
++ device_for_each_child_node(dev, child) {
+ ret = fwnode_property_read_u32(child, "reg", ®);
+- if (ret) {
+- fwnode_handle_put(child);
++ if (ret)
+ return ret;
+- }
+
+- if (reg < 0 || reg >= PCA995X_MAX_OUTPUTS || led_fwnodes[reg]) {
+- fwnode_handle_put(child);
++ if (reg < 0 || reg >= PCA995X_MAX_OUTPUTS || led_fwnodes[reg])
+ return -EINVAL;
+- }
+
+ led = &chip->leds[reg];
+ led_fwnodes[reg] = child;
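Review bot: Both `fwnode_handle_put(child)` calls are dropped from the early returns, but the loop becomes `device_for_each_child_node()`, not the `_scoped` variant, so leaving the loop early still holds the reference on `child`. As shown, this intermediate commit leaks one node reference on each `return ret;` or `return -EINVAL;` until the follow-up switches to `device_for_each_child_node_scoped()`. Keeping the two puts here and removing them in the commit that introduces the scoped iterator would keep each step correct on its own.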
+--
+2.43.0
+
--- /dev/null
+From 604ec9a8c9c8bd908acd33493289ac5795097820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 10:17:09 +0800
+Subject: lib/sbitmap: define swap_lock as raw_spinlock_t
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 65f666c6203600053478ce8e34a1db269a8701c9 ]
+
+When called from sbitmap_queue_get(), sbitmap_deferred_clear() may be run
+with preempt disabled. In RT kernel, spin_lock() can sleep, then warning
+of "BUG: sleeping function called from invalid context" can be triggered.
+
+Fix it by replacing it with raw_spin_lock.
+
+Cc: Yang Yang <yang.yang@vivo.com>
+Fixes: 72d04bdcf3f7 ("sbitmap: fix io hung due to race on sbitmap_word::cleared")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Yang Yang <yang.yang@vivo.com>
+Link: https://lore.kernel.org/r/20240919021709.511329-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sbitmap.h | 2 +-
+ lib/sbitmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sbitmap.h b/include/linux/sbitmap.h
+index c09cdcc99471e..189140bf11fc4 100644
+--- a/include/linux/sbitmap.h
++++ b/include/linux/sbitmap.h
+@@ -40,7 +40,7 @@ struct sbitmap_word {
+ /**
+ * @swap_lock: serializes simultaneous updates of ->word and ->cleared
+ */
+- spinlock_t swap_lock;
++ raw_spinlock_t swap_lock;
+ } ____cacheline_aligned_in_smp;
+
+ /**
+diff --git a/lib/sbitmap.c b/lib/sbitmap.c
+index 5e2e93307f0d0..d3412984170c0 100644
+--- a/lib/sbitmap.c
++++ b/lib/sbitmap.c
+@@ -65,7 +65,7 @@ static inline bool sbitmap_deferred_clear(struct sbitmap_word *map,
+ {
+ unsigned long mask, word_mask;
+
+- guard(spinlock_irqsave)(&map->swap_lock);
++ guard(raw_spinlock_irqsave)(&map->swap_lock);
+
+ if (!map->cleared) {
+ if (depth == 0)
+@@ -136,7 +136,7 @@ int sbitmap_init_node(struct sbitmap *sb, unsigned int depth, int shift,
+ }
+
+ for (i = 0; i < sb->map_nr; i++)
+- spin_lock_init(&sb->map[i].swap_lock);
++ raw_spin_lock_init(&sb->map[i].swap_lock);
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From c6eb552c5bbf8564fd495981dc01dce7da08ad6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 12:14:58 -0500
+Subject: libbpf: Don't take direct pointers into BTF data from st_ops
+
+From: David Vernet <void@manifault.com>
+
+[ Upstream commit 04a94133f1b3cccb19e056c26f056c50b4e5b3b1 ]
+
+In struct bpf_struct_ops, we have take a pointer to a BTF type name, and
+a struct btf_type. This was presumably done for convenience, but can
+actually result in subtle and confusing bugs given that BTF data can be
+invalidated before a program is loaded. For example, in sched_ext, we
+may sometimes resize a data section after a skeleton has been opened,
+but before the struct_ops scheduler map has been loaded. This may cause
+the BTF data to be realloc'd, which can then cause a UAF when loading
+the program because the struct_ops map has pointers directly into the
+BTF data.
+
+We're already storing the BTF type_id in struct bpf_struct_ops. Because
+type_id is stable, we can therefore just update the places where we were
+looking at those pointers to instead do the lookups we need from the
+type_id.
+
+Fixes: 590a00888250 ("bpf: libbpf: Add STRUCT_OPS support")
+Signed-off-by: David Vernet <void@manifault.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20240724171459.281234-1-void@manifault.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 5edb717647847..31f58e3c4059c 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -473,8 +473,6 @@ struct bpf_program {
+ };
+
+ struct bpf_struct_ops {
+- const char *tname;
+- const struct btf_type *type;
+ struct bpf_program **progs;
+ __u32 *kern_func_off;
+ /* e.g. struct tcp_congestion_ops in bpf_prog's btf format */
+@@ -1059,11 +1057,14 @@ static int bpf_object_adjust_struct_ops_autoload(struct bpf_object *obj)
+ continue;
+
+ for (j = 0; j < obj->nr_maps; ++j) {
++ const struct btf_type *type;
++
+ map = &obj->maps[j];
+ if (!bpf_map__is_struct_ops(map))
+ continue;
+
+- vlen = btf_vlen(map->st_ops->type);
++ type = btf__type_by_id(obj->btf, map->st_ops->type_id);
++ vlen = btf_vlen(type);
+ for (k = 0; k < vlen; ++k) {
+ slot_prog = map->st_ops->progs[k];
+ if (prog != slot_prog)
+@@ -1097,8 +1098,8 @@ static int bpf_map__init_kern_struct_ops(struct bpf_map *map)
+ int err;
+
+ st_ops = map->st_ops;
+- type = st_ops->type;
+- tname = st_ops->tname;
++ type = btf__type_by_id(btf, st_ops->type_id);
++ tname = btf__name_by_offset(btf, type->name_off);
+ err = find_struct_ops_kern_types(obj, tname, &mod_btf,
+ &kern_type, &kern_type_id,
+ &kern_vtype, &kern_vtype_id,
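Review bot: `type = btf__type_by_id(btf, st_ops->type_id);` is followed directly by `type->name_off` with no NULL check. The same unchecked lookup feeds `btf_vlen(type)` in bpf_object_adjust_struct_ops_autoload() and bpf_map_prepare_vdata(), and `find_member_by_offset(type, ...)` in bpf_object__collect_st_ops_relos(). `btf__type_by_id()` returns NULL for an id outside the BTF's range; that should not happen for a `type_id` recorded by init_struct_ops_maps(), but a guard such as `if (!type) return -EINVAL;` turns a broken invariant into an error instead of a crash. A short comment saying the returned pointer is valid only until the BTF is next modified would record why it is looked up afresh at each use. The function body continues outside this hunk.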
+@@ -1398,8 +1399,6 @@ static int init_struct_ops_maps(struct bpf_object *obj, const char *sec_name,
+ memcpy(st_ops->data,
+ data->d_buf + vsi->offset,
+ type->size);
+- st_ops->tname = tname;
+- st_ops->type = type;
+ st_ops->type_id = type_id;
+
+ pr_debug("struct_ops init: struct %s(type_id=%u) %s found at offset %u\n",
+@@ -8406,11 +8405,13 @@ static int bpf_object__resolve_externs(struct bpf_object *obj,
+
+ static void bpf_map_prepare_vdata(const struct bpf_map *map)
+ {
++ const struct btf_type *type;
+ struct bpf_struct_ops *st_ops;
+ __u32 i;
+
+ st_ops = map->st_ops;
+- for (i = 0; i < btf_vlen(st_ops->type); i++) {
++ type = btf__type_by_id(map->obj->btf, st_ops->type_id);
++ for (i = 0; i < btf_vlen(type); i++) {
+ struct bpf_program *prog = st_ops->progs[i];
+ void *kern_data;
+ int prog_fd;
+@@ -9673,6 +9674,7 @@ static struct bpf_map *find_struct_ops_map_by_offset(struct bpf_object *obj,
+ static int bpf_object__collect_st_ops_relos(struct bpf_object *obj,
+ Elf64_Shdr *shdr, Elf_Data *data)
+ {
++ const struct btf_type *type;
+ const struct btf_member *member;
+ struct bpf_struct_ops *st_ops;
+ struct bpf_program *prog;
+@@ -9732,13 +9734,14 @@ static int bpf_object__collect_st_ops_relos(struct bpf_object *obj,
+ }
+ insn_idx = sym->st_value / BPF_INSN_SZ;
+
+- member = find_member_by_offset(st_ops->type, moff * 8);
++ type = btf__type_by_id(btf, st_ops->type_id);
++ member = find_member_by_offset(type, moff * 8);
+ if (!member) {
+ pr_warn("struct_ops reloc %s: cannot find member at moff %u\n",
+ map->name, moff);
+ return -EINVAL;
+ }
+- member_idx = member - btf_members(st_ops->type);
++ member_idx = member - btf_members(type);
+ name = btf__name_by_offset(btf, member->name_off);
+
+ if (!resolve_func_ptr(btf, member->type, NULL)) {
+--
+2.43.0
+
--- /dev/null
+From 227dab3ebfd4085a7ea3778a30ed3f70f7bdb2e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 13:37:21 -0700
+Subject: libbpf: Fix bpf_object__open_skeleton()'s mishandling of options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit c634d6f4e12d00c954410ba11db45799a8c77b5b ]
+
+We do an ugly copying of options in bpf_object__open_skeleton() just to
+be able to set object name from skeleton's recorded name (while still
+allowing user to override it through opts->object_name).
+
+This is not just ugly, but it also is broken due to memcpy() that
+doesn't take into account potential skel_opts' and user-provided opts'
+sizes differences due to backward and forward compatibility. This leads
+to copying over extra bytes and then failing to validate options
+properly. It could, technically, lead also to SIGSEGV, if we are unlucky.
+
+So just get rid of that memory copy completely and instead pass
+default object name into bpf_object_open() directly, simplifying all
+this significantly. The rule now is that obj_name should be non-NULL for
+bpf_object_open() when called with in-memory buffer, so validate that
+explicitly as well.
+
+We adopt bpf_object__open_mem() to this as well and generate default
+name (based on buffer memory address and size) outside of bpf_object_open().
+
+Fixes: d66562fba1ce ("libbpf: Add BPF object skeleton support")
+Reported-by: Daniel Müller <deso@posteo.net>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Daniel Müller <deso@posteo.net>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/bpf/20240827203721.1145494-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 52 +++++++++++++++---------------------------
+ 1 file changed, 19 insertions(+), 33 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 31f58e3c4059c..3ecb33188336f 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -7866,16 +7866,19 @@ static int bpf_object_init_progs(struct bpf_object *obj, const struct bpf_object
+ }
+
+ static struct bpf_object *bpf_object_open(const char *path, const void *obj_buf, size_t obj_buf_sz,
++ const char *obj_name,
+ const struct bpf_object_open_opts *opts)
+ {
+- const char *obj_name, *kconfig, *btf_tmp_path, *token_path;
++ const char *kconfig, *btf_tmp_path, *token_path;
+ struct bpf_object *obj;
+- char tmp_name[64];
+ int err;
+ char *log_buf;
+ size_t log_size;
+ __u32 log_level;
+
++ if (obj_buf && !obj_name)
++ return ERR_PTR(-EINVAL);
++
+ if (elf_version(EV_CURRENT) == EV_NONE) {
+ pr_warn("failed to init libelf for %s\n",
+ path ? : "(mem buf)");
+@@ -7885,16 +7888,12 @@ static struct bpf_object *bpf_object_open(const char *path, const void *obj_buf,
+ if (!OPTS_VALID(opts, bpf_object_open_opts))
+ return ERR_PTR(-EINVAL);
+
+- obj_name = OPTS_GET(opts, object_name, NULL);
++ obj_name = OPTS_GET(opts, object_name, NULL) ?: obj_name;
+ if (obj_buf) {
+- if (!obj_name) {
+- snprintf(tmp_name, sizeof(tmp_name), "%lx-%lx",
+- (unsigned long)obj_buf,
+- (unsigned long)obj_buf_sz);
+- obj_name = tmp_name;
+- }
+ path = obj_name;
+ pr_debug("loading object '%s' from buffer\n", obj_name);
++ } else {
++ pr_debug("loading object from %s\n", path);
+ }
+
+ log_buf = OPTS_GET(opts, kernel_log_buf, NULL);
+@@ -7978,9 +7977,7 @@ bpf_object__open_file(const char *path, const struct bpf_object_open_opts *opts)
+ if (!path)
+ return libbpf_err_ptr(-EINVAL);
+
+- pr_debug("loading %s\n", path);
+-
+- return libbpf_ptr(bpf_object_open(path, NULL, 0, opts));
++ return libbpf_ptr(bpf_object_open(path, NULL, 0, NULL, opts));
+ }
+
+ struct bpf_object *bpf_object__open(const char *path)
+@@ -7992,10 +7989,15 @@ struct bpf_object *
+ bpf_object__open_mem(const void *obj_buf, size_t obj_buf_sz,
+ const struct bpf_object_open_opts *opts)
+ {
++ char tmp_name[64];
++
+ if (!obj_buf || obj_buf_sz == 0)
+ return libbpf_err_ptr(-EINVAL);
+
+- return libbpf_ptr(bpf_object_open(NULL, obj_buf, obj_buf_sz, opts));
++ /* create a (quite useless) default "name" for this memory buffer object */
++ snprintf(tmp_name, sizeof(tmp_name), "%lx-%zx", (unsigned long)obj_buf, obj_buf_sz);
++
++ return libbpf_ptr(bpf_object_open(NULL, obj_buf, obj_buf_sz, tmp_name, opts));
+ }
+
+ static int bpf_object_unload(struct bpf_object *obj)
+@@ -13718,29 +13720,13 @@ static int populate_skeleton_progs(const struct bpf_object *obj,
+ int bpf_object__open_skeleton(struct bpf_object_skeleton *s,
+ const struct bpf_object_open_opts *opts)
+ {
+- DECLARE_LIBBPF_OPTS(bpf_object_open_opts, skel_opts,
+- .object_name = s->name,
+- );
+ struct bpf_object *obj;
+ int err;
+
+- /* Attempt to preserve opts->object_name, unless overriden by user
+- * explicitly. Overwriting object name for skeletons is discouraged,
+- * as it breaks global data maps, because they contain object name
+- * prefix as their own map name prefix. When skeleton is generated,
+- * bpftool is making an assumption that this name will stay the same.
+- */
+- if (opts) {
+- memcpy(&skel_opts, opts, sizeof(*opts));
+- if (!opts->object_name)
+- skel_opts.object_name = s->name;
+- }
+-
+- obj = bpf_object__open_mem(s->data, s->data_sz, &skel_opts);
+- err = libbpf_get_error(obj);
+- if (err) {
+- pr_warn("failed to initialize skeleton BPF object '%s': %d\n",
+- s->name, err);
++ obj = bpf_object_open(NULL, s->data, s->data_sz, s->name, opts);
++ if (IS_ERR(obj)) {
++ err = PTR_ERR(obj);
++ pr_warn("failed to initialize skeleton BPF object '%s': %d\n", s->name, err);
+ return libbpf_err(err);
+ }
+
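Review bot: Calling `bpf_object_open(NULL, s->data, s->data_sz, s->name, opts)` directly skips the `!obj_buf || obj_buf_sz == 0` rejection that bpf_object__open_mem() applied on the old path. With `s->data == NULL` the new `obj_buf && !obj_name` guard does not fire either, so bpf_object_open() takes its `else` branch with `path == NULL`; what happens after that is outside the visible hunks. Restoring the check at the top of this function, `if (!s->data || s->data_sz == 0) return libbpf_err(-EINVAL);`, keeps the previous behaviour for a malformed skeleton. bpf_object__open_skeleton() continues past the end of this hunk.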
+--
+2.43.0
+
--- /dev/null
+From ba2511ae7327003a27fbe235070dc26723be4e6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Aug 2024 10:12:29 +1000
+Subject: m68k: Fix kernel_clone_args.flags in m68k_clone()
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 09b3d870faa7bc3e96c0978ab3cf4e96e4b15571 ]
+
+Stan Johnson recently reported a failure from the 'dump' command:
+
+ DUMP: Date of this level 0 dump: Fri Aug 9 23:37:15 2024
+ DUMP: Dumping /dev/sda (an unlisted file system) to /dev/null
+ DUMP: Label: none
+ DUMP: Writing 10 Kilobyte records
+ DUMP: mapping (Pass I) [regular files]
+ DUMP: mapping (Pass II) [directories]
+ DUMP: estimated 3595695 blocks.
+ DUMP: Context save fork fails in parent 671
+
+The dump program uses the clone syscall with the CLONE_IO flag, that is,
+flags == 0x80000000. When that value is promoted from long int to u64 by
+m68k_clone(), it undergoes sign-extension. The new value includes
+CLONE_INTO_CGROUP so the validation in cgroup_css_set_fork() fails and
+the syscall returns -EBADF. Avoid sign-extension by casting to u32.
+
+Reported-by: Stan Johnson <userm57@yahoo.com>
+Closes: https://lists.debian.org/debian-68k/2024/08/msg00000.html
+Fixes: 6aabc1facdb2 ("m68k: Implement copy_thread_tls()")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/3463f1e5d4e95468dc9f3368f2b78ffa7b72199b.1723335149.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/kernel/process.c b/arch/m68k/kernel/process.c
+index 2584e94e21346..fda7eac23f872 100644
+--- a/arch/m68k/kernel/process.c
++++ b/arch/m68k/kernel/process.c
+@@ -117,7 +117,7 @@ asmlinkage int m68k_clone(struct pt_regs *regs)
+ {
+ /* regs will be equal to current_pt_regs() */
+ struct kernel_clone_args args = {
+- .flags = regs->d1 & ~CSIGNAL,
++ .flags = (u32)(regs->d1) & ~CSIGNAL,
+ .pidfd = (int __user *)regs->d3,
+ .child_tid = (int __user *)regs->d4,
+ .parent_tid = (int __user *)regs->d3,
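Review bot: The cast in `.flags = (u32)(regs->d1) & ~CSIGNAL,` has no comment, and it looks redundant unless the reader knows that `d1` is a signed long being widened to the u64 `flags` field. Per the commit message, a value with bit 31 set (CLONE_IO) was sign-extended and picked up upper flag bits such as CLONE_INTO_CGROUP. A comment like `/* d1 is signed: cast to u32 so bit 31 is not sign-extended into the upper 32 flag bits */` would stop the cast from being removed later. The initializer continues outside this hunk.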
+--
+2.43.0
+
--- /dev/null
+From c141a576df098abc8438c1f6b029ec175d52d900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:33:55 +0800
+Subject: media: mediatek: vcodec: Fix H264 multi stateless decoder smatch
+ warning
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit 9be85491619f1953b8a29590ca630be571941ffa ]
+
+Fix a smatch static checker warning on vdec_h264_req_multi_if.c.
+Which leads to a kernel crash when fb is NULL.
+
+Fixes: 397edc703a10 ("media: mediatek: vcodec: add h264 decoder driver for mt8186")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vcodec/decoder/vdec/vdec_h264_req_multi_if.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c
+index 2d4611e7fa0b2..1ed0ccec56655 100644
+--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c
++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c
+@@ -724,11 +724,16 @@ static int vdec_h264_slice_single_decode(void *h_vdec, struct mtk_vcodec_mem *bs
+ return vpu_dec_reset(vpu);
+
+ fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx);
++ if (!fb) {
++ mtk_vdec_err(inst->ctx, "fb buffer is NULL");
++ return -ENOMEM;
++ }
++
+ src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer);
+ dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer);
+
+- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0;
+- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0;
++ y_fb_dma = fb->base_y.dma_addr;
++ c_fb_dma = fb->base_c.dma_addr;
+ mtk_vdec_debug(inst->ctx, "[h264-dec] [%d] y_dma=%llx c_dma=%llx",
+ inst->ctx->decoded_frame_cnt, y_fb_dma, c_fb_dma);
+
+--
+2.43.0
+
--- /dev/null
+From 65d55a24d87d68d3c04d1fc0584c846d26b8c77b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:33:57 +0800
+Subject: media: mediatek: vcodec: Fix H264 stateless decoder smatch warning
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit 7878d3a385efab560dce793b595447867fb163f2 ]
+
+Fix a smatch static checker warning on vdec_h264_req_if.c.
+Which leads to a kernel crash when fb is NULL.
+
+Fixes: 06fa5f757dc5 ("media: mtk-vcodec: vdec: support stateless H.264 decoding")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c
+index 73d5cef33b2ab..1e1b32faac77b 100644
+--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c
++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c
+@@ -347,11 +347,16 @@ static int vdec_h264_slice_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ return vpu_dec_reset(vpu);
+
+ fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx);
++ if (!fb) {
++ mtk_vdec_err(inst->ctx, "fb buffer is NULL");
++ return -ENOMEM;
++ }
++
+ src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer);
+ dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer);
+
+- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0;
+- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0;
++ y_fb_dma = fb->base_y.dma_addr;
++ c_fb_dma = fb->base_c.dma_addr;
+
+ mtk_vdec_debug(inst->ctx, "+ [%d] FB y_dma=%llx c_dma=%llx va=%p",
+ inst->num_nalu, y_fb_dma, c_fb_dma, fb);
+--
+2.43.0
+
--- /dev/null
+From 6f123a98825d62c7bb6b85b163349107858f9480 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:33:56 +0800
+Subject: media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit b113bc7c0e83b32f4dd2d291a2b6c4803e0a2c44 ]
+
+Fix a smatch static checker warning on vdec_vp8_req_if.c.
+Which leads to a kernel crash when fb is NULL.
+
+Fixes: 7a7ae26fd458 ("media: mediatek: vcodec: support stateless VP8 decoding")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c
+index e27e728f392e6..232ef3bd246a3 100644
+--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c
++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c
+@@ -334,14 +334,18 @@ static int vdec_vp8_slice_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer);
+
+ fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx);
+- dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer);
++ if (!fb) {
++ mtk_vdec_err(inst->ctx, "fb buffer is NULL");
++ return -ENOMEM;
++ }
+
+- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0;
++ dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer);
++ y_fb_dma = fb->base_y.dma_addr;
+ if (inst->ctx->q_data[MTK_Q_DATA_DST].fmt->num_planes == 1)
+ c_fb_dma = y_fb_dma +
+ inst->ctx->picinfo.buf_w * inst->ctx->picinfo.buf_h;
+ else
+- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0;
++ c_fb_dma = fb->base_c.dma_addr;
+
+ inst->vsi->dec.bs_dma = (u64)bs->dma_addr;
+ inst->vsi->dec.bs_sz = bs->size;
+--
+2.43.0
+
--- /dev/null
+From 537d215f96eb35831c98a33c91d6b708dc73133d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 17:49:32 +0100
+Subject: media: platform: rzg2l-cru: rzg2l-csi2: Add missing
+ MODULE_DEVICE_TABLE
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 07668fb0f867388bfdac0b60dbf51a4ad789f8e7 ]
+
+The rzg2l-csi2 driver can be compiled as a module, but lacks
+MODULE_DEVICE_TABLE() and will therefore not be loaded automatically.
+Fix this.
+
+Fixes: 51e8415e39a9 ("media: platform: Add Renesas RZ/G2L MIPI CSI-2 receiver driver")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20240731164935.308994-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c
+index e68fcdaea207a..c7fdee347ac8a 100644
+--- a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c
++++ b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c
+@@ -865,6 +865,7 @@ static const struct of_device_id rzg2l_csi2_of_table[] = {
+ { .compatible = "renesas,rzg2l-csi2", },
+ { /* sentinel */ }
+ };
++MODULE_DEVICE_TABLE(of, rzg2l_csi2_of_table);
+
+ static struct platform_driver rzg2l_csi2_pdrv = {
+ .remove_new = rzg2l_csi2_remove,
+--
+2.43.0
+
--- /dev/null
+From ab118387253c927460dc59aa4ce7f9a80ed2305c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 16:02:48 +0200
+Subject: media: staging: media: starfive: camss: Drop obsolete return value
+ documentation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 044fcf738a56d915514e2d651333395b3f8daa62 ]
+
+Recently the function stfcamss_remove() was changed to not return a
+value. Drop the documentation of the return value in the kernel doc.
+
+Fixes: b1f3677aebe5 ("media: staging: media: starfive: camss: Convert to platform remove callback returning void")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/starfive/camss/stf-camss.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/staging/media/starfive/camss/stf-camss.c b/drivers/staging/media/starfive/camss/stf-camss.c
+index fecd3e67c7a1d..b6d34145bc191 100644
+--- a/drivers/staging/media/starfive/camss/stf-camss.c
++++ b/drivers/staging/media/starfive/camss/stf-camss.c
+@@ -358,8 +358,6 @@ static int stfcamss_probe(struct platform_device *pdev)
+ /*
+ * stfcamss_remove - Remove STFCAMSS platform device
+ * @pdev: Pointer to STFCAMSS platform device
+- *
+- * Always returns 0.
+ */
+ static void stfcamss_remove(struct platform_device *pdev)
+ {
+--
+2.43.0
+
--- /dev/null
+From fde490cde4a72252d65caf7be89966da13102166 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2024 15:09:07 -0700
+Subject: minmax: avoid overly complex min()/max() macro arguments in xen
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit e8432ac802a028eaee6b1e86383d7cd8e9fb8431 ]
+
+We have some very fancy min/max macros that have tons of sanity checking
+to warn about mixed signedness etc.
+
+This is all things that a sane compiler should warn about, but there are
+no sane compiler interfaces for this, and '-Wsign-compare' is broken [1]
+and not useful.
+
+So then we compensate (some would say over-compensate) by doing the
+checks manually with some truly horrid macro games.
+
+And no, we can't just use __builtin_types_compatible_p(), because the
+whole question of "does it make sense to compare these two values" is a
+lot more complicated than that.
+
+For example, it makes a ton of sense to compare unsigned values with
+simple constants like "5", even if that is indeed a signed type. So we
+have these very strange macros to try to make sensible type checking
+decisions on the arguments to 'min()' and 'max()'.
+
+But that can cause enormous code expansion if the min()/max() macros are
+used with complicated expressions, and particularly if you nest these
+things so that you get the first big expansion then expanded again.
+
+The xen setup.c file ended up ballooning to over 50MB of preprocessed
+noise that takes 15s to compile (obviously depending on the build host),
+largely due to one single line.
+
+So let's split that one single line to just be simpler. I think it ends
+up being more legible to humans too at the same time. Now that single
+file compiles in under a second.
+
+Reported-and-reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Link: https://lore.kernel.org/all/c83c17bb-be75-4c67-979d-54eee38774c6@lucifer.local/
+Link: https://staticthinking.wordpress.com/2023/07/25/wsign-compare-is-garbage/ [1]
+Cc: David Laight <David.Laight@aculab.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index d44d6d8b33195..d2073df5c5624 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -691,6 +691,7 @@ char * __init xen_memory_setup(void)
+ struct xen_memory_map memmap;
+ unsigned long max_pages;
+ unsigned long extra_pages = 0;
++ unsigned long maxmem_pages;
+ int i;
+ int op;
+
+@@ -762,8 +763,8 @@ char * __init xen_memory_setup(void)
+ * Make sure we have no memory above max_pages, as this area
+ * isn't handled by the p2m management.
+ */
+- extra_pages = min3(EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM)),
+- extra_pages, max_pages - max_pfn);
++ maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM));
++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn);
+ i = 0;
+ addr = xen_e820_table.entries[0].addr;
+ size = xen_e820_table.entries[0].size;
+--
+2.43.0
+
--- /dev/null
+From 0f90525545a529a416891534152b78b222111575 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 10:58:13 +0200
+Subject: mount: handle OOM on mnt_warn_timestamp_expiry
+
+From: Olaf Hering <olaf@aepfle.de>
+
+[ Upstream commit 4bcda1eaf184e308f07f9c61d3a535f9ce477ce8 ]
+
+If no page could be allocated, an error pointer was used as format
+string in pr_warn.
+
+Rearrange the code to return early in case of OOM. Also add a check
+for the return value of d_path.
+
+Fixes: f8b92ba67c5d ("mount: Add mount warning for impending timestamp expiry")
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Link: https://lore.kernel.org/r/20240730085856.32385-1-olaf@aepfle.de
+[brauner: rewrite commit and commit message]
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index e1ced589d8357..a6675c2a23839 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2801,8 +2801,15 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount *
+ if (!__mnt_is_readonly(mnt) &&
+ (!(sb->s_iflags & SB_I_TS_EXPIRY_WARNED)) &&
+ (ktime_get_real_seconds() + TIME_UPTIME_SEC_MAX > sb->s_time_max)) {
+- char *buf = (char *)__get_free_page(GFP_KERNEL);
+- char *mntpath = buf ? d_path(mountpoint, buf, PAGE_SIZE) : ERR_PTR(-ENOMEM);
++ char *buf, *mntpath;
++
++ buf = (char *)__get_free_page(GFP_KERNEL);
++ if (buf)
++ mntpath = d_path(mountpoint, buf, PAGE_SIZE);
++ else
++ mntpath = ERR_PTR(-ENOMEM);
++ if (IS_ERR(mntpath))
++ mntpath = "(unknown)";
+
+ pr_warn("%s filesystem being %s at %s supports timestamps until %ptTd (0x%llx)\n",
+ sb->s_type->name,
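Review bot: The `else mntpath = ERR_PTR(-ENOMEM);` arm exists only so that the following `IS_ERR(mntpath)` test catches an allocation failure together with a d_path() error, which is not obvious on first read. A comment above the fallback, e.g. `/* no page or d_path() failed: never hand an ERR_PTR to %s */`, would record why `"(unknown)"` is substituted. The commit message speaks of returning early on OOM, but the code shown still prints the warning with the placeholder path, so description and code should be brought into agreement.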
+@@ -2810,8 +2817,9 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount *
+ mntpath, &sb->s_time_max,
+ (unsigned long long)sb->s_time_max);
+
+- free_page((unsigned long)buf);
+ sb->s_iflags |= SB_I_TS_EXPIRY_WARNED;
++ if (buf)
++ free_page((unsigned long)buf);
+ }
+ }
+
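Review bot: The `if (buf)` guard added in front of `free_page((unsigned long)buf)` looks redundant. free_page() goes through free_pages(), which ignores a zero address, so the unconditional call that was removed was already safe on the allocation-failure path. Keeping the single line `free_page((unsigned long)buf);` would make the hunk smaller. Moving it below `sb->s_iflags |= SB_I_TS_EXPIRY_WARNED;` changes nothing that this hunk shows.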
+--
+2.43.0
+
--- /dev/null
+From 9f7c620f31650bdad64694195695c40467deea5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 17:24:27 +0800
+Subject: mtd: powernv: Add check devm_kasprintf() returned value
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 395999829880a106bb95f0ce34e6e4c2b43c6a5d ]
+
+devm_kasprintf() can return a NULL pointer on failure but this
+returned value is not checked.
+
+Fixes: acfe63ec1c59 ("mtd: Convert to using %pOFn instead of device_node.name")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240828092427.128177-1-hanchunchao@inspur.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/devices/powernv_flash.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mtd/devices/powernv_flash.c b/drivers/mtd/devices/powernv_flash.c
+index 66044f4f5bade..10cd1d9b48859 100644
+--- a/drivers/mtd/devices/powernv_flash.c
++++ b/drivers/mtd/devices/powernv_flash.c
+@@ -207,6 +207,9 @@ static int powernv_flash_set_driver_info(struct device *dev,
+ * get them
+ */
+ mtd->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFP", dev->of_node);
++ if (!mtd->name)
++ return -ENOMEM;
++
+ mtd->type = MTD_NORFLASH;
+ mtd->flags = MTD_WRITEABLE;
+ mtd->size = size;
+--
+2.43.0
+
--- /dev/null
+From e282feee15f1c40f1a4149e1c712d526197fa78a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:30:18 +0200
+Subject: mtd: rawnand: mtk: Factorize out the logic cleaning mtk chips
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit 81cb3be3261e766a1f8efab9e3154a4f4fd9d03d ]
+
+There are some un-freed resources in one of the error path which would
+benefit from a helper going through all the registered mtk chips one by
+one and perform all the necessary cleanup. This is precisely what the
+remove path does, so let's extract the logic in a helper.
+
+There is no functional change.
+
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Matthias Brugger <matthias.bgg@kernel.org>
+Link: https://lore.kernel.org/linux-mtd/20240826153019.67106-1-miquel.raynal@bootlin.com
+Stable-dep-of: 2073ae37d550 ("mtd: rawnand: mtk: Fix init error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
+index d65e6371675bb..bf845dd167374 100644
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -1429,6 +1429,23 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc,
+ return 0;
+ }
+
++static void mtk_nfc_nand_chips_cleanup(struct mtk_nfc *nfc)
++{
++ struct mtk_nfc_nand_chip *mtk_chip;
++ struct nand_chip *chip;
++ int ret;
++
++ while (!list_empty(&nfc->chips)) {
++ mtk_chip = list_first_entry(&nfc->chips,
++ struct mtk_nfc_nand_chip, node);
++ chip = &mtk_chip->nand;
++ ret = mtd_device_unregister(nand_to_mtd(chip));
++ WARN_ON(ret);
++ nand_cleanup(chip);
++ list_del(&mtk_chip->node);
++ }
++}
++
+ static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc)
+ {
+ struct device_node *np = dev->of_node;
+@@ -1567,20 +1584,8 @@ static int mtk_nfc_probe(struct platform_device *pdev)
+ static void mtk_nfc_remove(struct platform_device *pdev)
+ {
+ struct mtk_nfc *nfc = platform_get_drvdata(pdev);
+- struct mtk_nfc_nand_chip *mtk_chip;
+- struct nand_chip *chip;
+- int ret;
+-
+- while (!list_empty(&nfc->chips)) {
+- mtk_chip = list_first_entry(&nfc->chips,
+- struct mtk_nfc_nand_chip, node);
+- chip = &mtk_chip->nand;
+- ret = mtd_device_unregister(nand_to_mtd(chip));
+- WARN_ON(ret);
+- nand_cleanup(chip);
+- list_del(&mtk_chip->node);
+- }
+
++ mtk_nfc_nand_chips_cleanup(nfc);
+ mtk_ecc_release(nfc->ecc);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From cbe2b1886098fe76f2be871a96091639fc780405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:30:19 +0200
+Subject: mtd: rawnand: mtk: Fix init error path
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit 2073ae37d550ea32e8545edaa94ef10b4fef7235 ]
+
+Reviewing a series converting the for_each_chil_of_node() loops into
+their _scoped variants made me realize there was no cleanup of the
+already registered NAND devices upon error which may leak memory on
+systems with more than a chip when this error occurs. We should call the
+_nand_chips_cleanup() function when this happens.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Matthias Brugger <matthias.bgg@kernel.org>
+Link: https://lore.kernel.org/linux-mtd/20240826153019.67106-2-miquel.raynal@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
+index bf845dd167374..586868b4139f5 100644
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -1453,8 +1453,10 @@ static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc)
+
+ for_each_child_of_node_scoped(np, nand_np) {
+ ret = mtk_nfc_nand_chip_init(dev, nfc, nand_np);
+- if (ret)
++ if (ret) {
++ mtk_nfc_nand_chips_cleanup(nfc);
+ return ret;
++ }
+ }
+
+ return 0;
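Review bot: The added `mtk_nfc_nand_chips_cleanup(nfc)` call in the `if (ret)` branch unregisters and cleans up every entry on `nfc->chips`. That is only correct if mtk_nfc_nand_chip_init() links a chip into the list after it is fully registered and unwinds its own partial state on failure; that function is not visible in this hunk. A comment at the call, e.g. `/* undo chips registered by earlier iterations; the failing one unwound itself */`, would state the assumption. It is also worth confirming that the probe error path does not repeat the cleanup, although the helper's `list_empty()` loop would make a second call a no-op.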
+--
+2.43.0
+
--- /dev/null
+From db54ba2c8bff3747c825c1e6258a256d138f6f54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:43:25 +0800
+Subject: mtd: rawnand: mtk: Use for_each_child_of_node_scoped()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 8795952679494b111b7b2ba08bb54ac408daca3b ]
+
+Avoids the need for manual cleanup of_node_put() in early exits
+from the loop.
+
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240826094328.2991664-8-ruanjinjie@huawei.com
+Stable-dep-of: 2073ae37d550 ("mtd: rawnand: mtk: Fix init error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
+index 17477bb2d48ff..d65e6371675bb 100644
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -1432,15 +1432,12 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc,
+ static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc)
+ {
+ struct device_node *np = dev->of_node;
+- struct device_node *nand_np;
+ int ret;
+
+- for_each_child_of_node(np, nand_np) {
++ for_each_child_of_node_scoped(np, nand_np) {
+ ret = mtk_nfc_nand_chip_init(dev, nfc, nand_np);
+- if (ret) {
+- of_node_put(nand_np);
++ if (ret)
+ return ret;
+- }
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 48ad2c06e00962f18a5de9d1c1b07b7919fed2ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2024 01:43:20 +0200
+Subject: mtd: slram: insert break after errors in parsing the map
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Todorovac <mtodorovac69@gmail.com>
+
+[ Upstream commit 336c218dd7f0588ed8a7345f367975a00a4f003f ]
+
+GCC 12.3.0 compiler on linux-next next-20240709 tree found the execution
+path in which, due to lazy evaluation, devlength isn't initialised with the
+parsed string:
+
+ 289 while (map) {
+ 290 devname = devstart = devlength = NULL;
+ 291
+ 292 if (!(devname = strsep(&map, ","))) {
+ 293 E("slram: No devicename specified.\n");
+ 294 break;
+ 295 }
+ 296 T("slram: devname = %s\n", devname);
+ 297 if ((!map) || (!(devstart = strsep(&map, ",")))) {
+ 298 E("slram: No devicestart specified.\n");
+ 299 }
+ 300 T("slram: devstart = %s\n", devstart);
+ → 301 if ((!map) || (!(devlength = strsep(&map, ",")))) {
+ 302 E("slram: No devicelength / -end specified.\n");
+ 303 }
+ → 304 T("slram: devlength = %s\n", devlength);
+ 305 if (parse_cmdline(devname, devstart, devlength) != 0) {
+ 306 return(-EINVAL);
+ 307 }
+
+Parsing should be finished after map == NULL, so a break is best inserted after
+each E("slram: ... \n") error message.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Vignesh Raghavendra <vigneshr@ti.com>
+Cc: linux-mtd@lists.infradead.org
+Signed-off-by: Mirsad Todorovac <mtodorovac69@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240711234319.637824-1-mtodorovac69@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/devices/slram.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
+index 28131a127d065..8297b366a0669 100644
+--- a/drivers/mtd/devices/slram.c
++++ b/drivers/mtd/devices/slram.c
+@@ -296,10 +296,12 @@ static int __init init_slram(void)
+ T("slram: devname = %s\n", devname);
+ if ((!map) || (!(devstart = strsep(&map, ",")))) {
+ E("slram: No devicestart specified.\n");
++ break;
+ }
+ T("slram: devstart = %s\n", devstart);
+ if ((!map) || (!(devlength = strsep(&map, ",")))) {
+ E("slram: No devicelength / -end specified.\n");
++ break;
+ }
+ T("slram: devlength = %s\n", devlength);
+ if (parse_cmdline(devname, devstart, devlength) != 0) {
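Review bot: The two added `break` statements keep a NULL `devstart` or `devlength` away from `T()` and parse_cmdline(), but they leave the loop without an error code, unlike the `return(-EINVAL)` taken when parse_cmdline() fails just below. If the code after the loop returns 0 (it is outside this hunk), a truncated `map` parameter is logged and module init still reports success. Using `return -EINVAL;` in both branches would treat a malformed parameter the same way in every case. The existing "No devicename" branch also uses `break`, so the current behaviour may be deliberate and would then deserve a comment.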
+--
+2.43.0
+
--- /dev/null
+From a47c0f9e8af9aef3628efb82896a598ab09091d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 15:20:42 +0200
+Subject: nbd: correct the maximum value for discard sectors
+
+From: Wouter Verhelst <w@uter.be>
+
+[ Upstream commit 296dbc72d29085d5fc34430d0760423071e9e81d ]
+
+The version of the NBD protocol implemented by the kernel driver
+currently has a 32 bit field for length values. As the NBD protocol uses
+bytes as a unit of length, length values larger than 2^32 bytes cannot
+be expressed.
+
+Update the max_hw_discard_sectors field to match that.
+
+Signed-off-by: Wouter Verhelst <w@uter.be>
+Fixes: 268283244c0f ("nbd: use the atomic queue limits API in nbd_set_size")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Cc: Eric Blake <eblake@redhat.Com>
+Link: https://lore.kernel.org/r/20240812133032.115134-8-w@uter.be
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 0e8ddf30563d0..d4e260d321806 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -350,7 +350,7 @@ static int __nbd_set_size(struct nbd_device *nbd, loff_t bytesize,
+
+ lim = queue_limits_start_update(nbd->disk->queue);
+ if (nbd->config->flags & NBD_FLAG_SEND_TRIM)
+- lim.max_hw_discard_sectors = UINT_MAX;
++ lim.max_hw_discard_sectors = UINT_MAX >> SECTOR_SHIFT;
+ else
+ lim.max_hw_discard_sectors = 0;
+ lim.logical_block_size = blksize;
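Review bot: The new value `UINT_MAX >> SECTOR_SHIFT` carries no comment, and the reason for the shift is only given in the commit message. A line above the assignment such as `/* NBD length field is a 32-bit byte count; this limit is in 512-byte sectors */` would keep the unit conversion from being "simplified" back to `UINT_MAX` later. __nbd_set_size() starts and continues outside the hunk.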
+--
+2.43.0
+
--- /dev/null
+From 3f8644d330dea27d13c39d6ebf4191bb7f56df16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 11:41:45 +0800
+Subject: nbd: fix race between timeout and normal completion
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 ]
+
+If request timetout is handled by nbd_requeue_cmd(), normal completion
+has to be stopped for avoiding to complete this requeued request, other
+use-after-free can be triggered.
+
+Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime
+make sure that cmd->lock is grabbed for clearing the flag and the
+requeue.
+
+Cc: Josef Bacik <josef@toxicpanda.com>
+Cc: Yu Kuai <yukuai3@huawei.com>
+Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index b87aa80a46dda..0e8ddf30563d0 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -181,6 +181,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd)
+ {
+ struct request *req = blk_mq_rq_from_pdu(cmd);
+
++ lockdep_assert_held(&cmd->lock);
++
++ /*
++ * Clear INFLIGHT flag so that this cmd won't be completed in
++ * normal completion path
++ *
++ * INFLIGHT flag will be set when the cmd is queued to nbd next
++ * time.
++ */
++ __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags);
++
+ if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags))
+ blk_mq_requeue_request(req, true);
+ }
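Review bot: `__clear_bit(NBD_CMD_INFLIGHT, &cmd->flags)` is a non-atomic read-modify-write on the same word that `test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)` updates atomically two lines later, so it is only safe while every writer of `cmd->flags` holds `cmd->lock`. The added `lockdep_assert_held(&cmd->lock)` enforces that for this function only on lockdep-enabled builds. The second hunk reorders the unlock for the nbd_xmit_timeout() caller; any other caller of nbd_requeue_cmd() is outside this diff and needs the same ordering. Either extend the comment with `/* cmd->lock serialises all cmd->flags updates, so the non-atomic variant is sufficient */` or use `clear_bit()` here.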
+@@ -480,8 +491,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req)
+ nbd_mark_nsock_dead(nbd, nsock, 1);
+ mutex_unlock(&nsock->tx_lock);
+ }
+- mutex_unlock(&cmd->lock);
+ nbd_requeue_cmd(cmd);
++ mutex_unlock(&cmd->lock);
+ nbd_config_put(nbd);
+ return BLK_EH_DONE;
+ }
+--
+2.43.0
+
--- /dev/null
+From dcc23d81eafdd148eff783b3bfc725fe9ac564b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 17:44:44 +0800
+Subject: net: enetc: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 799a9225997799f7b1b579bc50a93b78b4fb2a01 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: bbb96dc7fa1a ("enetc: Factor out the traffic start/stop procedures")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20240911094445.1922476-3-ruanjinjie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
+index 5c45f42232d32..f04f42ea60c0f 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc.c
+@@ -2305,12 +2305,11 @@ static int enetc_setup_irqs(struct enetc_ndev_priv *priv)
+
+ snprintf(v->name, sizeof(v->name), "%s-rxtx%d",
+ priv->ndev->name, i);
+- err = request_irq(irq, enetc_msix, 0, v->name, v);
++ err = request_irq(irq, enetc_msix, IRQF_NO_AUTOEN, v->name, v);
+ if (err) {
+ dev_err(priv->dev, "request_irq() failed!\n");
+ goto irq_err;
+ }
+- disable_irq(irq);
+
+ v->tbier_base = hw->reg + ENETC_BDR(TX, 0, ENETC_TBIER);
+ v->rbier = hw->reg + ENETC_BDR(RX, i, ENETC_RBIER);
+--
+2.43.0
+
--- /dev/null
+From 2778cb517368feaa8b089b192f68a19d34081d17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 15:25:31 +0200
+Subject: net: hsr: Use the seqnr lock for frames received via interlink port.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 430d67bdcb04ee8502c2b10dcbaced4253649189 ]
+
+syzbot reported that the seqnr_lock is not acquire for frames received
+over the interlink port. In the interlink case a new seqnr is generated
+and assigned to the frame.
+Frames, which are received over the slave port have already a sequence
+number assigned so the lock is not required.
+
+Acquire the hsr_priv::seqnr_lock during in the invocation of
+hsr_forward_skb() if a packet has been received from the interlink port.
+
+Reported-by: syzbot+3d602af7549af539274e@syzkaller.appspotmail.com
+Closes: https://groups.google.com/g/syzkaller-bugs/c/KppVvGviGg4/m/EItSdCZdBAAJ
+Fixes: 5055cccfc2d1c ("net: hsr: Provide RedBox support (HSR-SAN)")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Lukasz Majewski <lukma@denx.de>
+Tested-by: Lukasz Majewski <lukma@denx.de>
+Link: https://patch.msgid.link/20240906132816.657485-2-bigeasy@linutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_slave.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/hsr/hsr_slave.c b/net/hsr/hsr_slave.c
+index af6cf64a00e08..464f683e016db 100644
+--- a/net/hsr/hsr_slave.c
++++ b/net/hsr/hsr_slave.c
+@@ -67,7 +67,16 @@ static rx_handler_result_t hsr_handle_frame(struct sk_buff **pskb)
+ skb_set_network_header(skb, ETH_HLEN + HSR_HLEN);
+ skb_reset_mac_len(skb);
+
+- hsr_forward_skb(skb, port);
++ /* Only the frames received over the interlink port will assign a
++ * sequence number and require synchronisation vs other sender.
++ */
++ if (port->type == HSR_PT_INTERLINK) {
++ spin_lock_bh(&hsr->seqnr_lock);
++ hsr_forward_skb(skb, port);
++ spin_unlock_bh(&hsr->seqnr_lock);
++ } else {
++ hsr_forward_skb(skb, port);
++ }
+
+ finish_consume:
+ return RX_HANDLER_CONSUMED;
+--
+2.43.0
+
--- /dev/null
+From 5aad97b5ea17241c7dde5e859b4d148df8a455fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 19:45:57 +0200
+Subject: net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input
+
+From: Justin Iurman <justin.iurman@uliege.be>
+
+[ Upstream commit 2c84b0aa28b9e73e8c4b4ce038269469434ae372 ]
+
+Free the skb before returning from rpl_input when skb_cow_head() fails.
+Use a "drop" label and goto instructions.
+
+Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel")
+Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20240911174557.11536-1-justin.iurman@uliege.be
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/rpl_iptunnel.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c
+index 2c83b7586422d..db3c19a42e1ca 100644
+--- a/net/ipv6/rpl_iptunnel.c
++++ b/net/ipv6/rpl_iptunnel.c
+@@ -263,10 +263,8 @@ static int rpl_input(struct sk_buff *skb)
+ rlwt = rpl_lwt_lwtunnel(orig_dst->lwtstate);
+
+ err = rpl_do_srh(skb, rlwt);
+- if (unlikely(err)) {
+- kfree_skb(skb);
+- return err;
+- }
++ if (unlikely(err))
++ goto drop;
+
+ local_bh_disable();
+ dst = dst_cache_get(&rlwt->cache);
+@@ -286,9 +284,13 @@ static int rpl_input(struct sk_buff *skb)
+
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ if (unlikely(err))
+- return err;
++ goto drop;
+
+ return dst_input(skb);
++
++drop:
++ kfree_skb(skb);
++ return err;
+ }
+
+ static int nla_put_rpl_srh(struct sk_buff *skb, int attrtype,
+--
+2.43.0
+
--- /dev/null
+From 7de7ea9cb66614e28e1f8c875f4426eb6e72dc00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 20:57:13 +0200
+Subject: net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 93c21077bb9ba08807c459982d440dbbee4c7af3 ]
+
+The rpl sr tunnel code contains calls to dst_cache_*() which are
+only present when the dst cache is built.
+Select DST_CACHE to build the dst cache, similar to other kconfig
+options in the same file.
+Compiling the rpl sr tunnel without DST_CACHE will lead to linker
+errors.
+
+Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel")
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
+index 08d4b7132d4c4..1c9c686d9522f 100644
+--- a/net/ipv6/Kconfig
++++ b/net/ipv6/Kconfig
+@@ -323,6 +323,7 @@ config IPV6_RPL_LWTUNNEL
+ bool "IPv6: RPL Source Routing Header support"
+ depends on IPV6
+ select LWTUNNEL
++ select DST_CACHE
+ help
+ Support for RFC6554 RPL Source Routing Header using the lightweight
+ tunnels mechanism.
+--
+2.43.0
+
--- /dev/null
+From 614d13edaf999f09429089f86adcb0a494b4e8c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 19:08:58 +0200
+Subject: net: qrtr: Update packets cloning when broadcasting
+
+From: Youssef Samir <quic_yabdulra@quicinc.com>
+
+[ Upstream commit f011b313e8ebd5b7abd8521b5119aecef403de45 ]
+
+When broadcasting data to multiple nodes via MHI, using skb_clone()
+causes all nodes to receive the same header data. This can result in
+packets being discarded by endpoints, leading to lost data.
+
+This issue occurs when a socket is closed, and a QRTR_TYPE_DEL_CLIENT
+packet is broadcasted. All nodes receive the same destination node ID,
+causing the node connected to the client to discard the packet and
+remain unaware of the client's deletion.
+
+Replace skb_clone() with pskb_copy(), to create a separate copy of
+the header for each sk_buff.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
+Reviewed-by: Jeffery Hugo <quic_jhugo@quicinc.com>
+Reviewed-by: Carl Vanderlip <quic_carlv@quicinc.com>
+Reviewed-by: Chris Lew <quic_clew@quicinc.com>
+Link: https://patch.msgid.link/20240916170858.2382247-1-quic_yabdulra@quicinc.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/af_qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
+index 41ece61eb57ab..00c51cf693f3d 100644
+--- a/net/qrtr/af_qrtr.c
++++ b/net/qrtr/af_qrtr.c
+@@ -884,7 +884,7 @@ static int qrtr_bcast_enqueue(struct qrtr_node *node, struct sk_buff *skb,
+
+ mutex_lock(&qrtr_node_lock);
+ list_for_each_entry(node, &qrtr_all_nodes, item) {
+- skbn = skb_clone(skb, GFP_KERNEL);
++ skbn = pskb_copy(skb, GFP_KERNEL);
+ if (!skbn)
+ break;
+ skb_set_owner_w(skbn, skb->sk);
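Review bot: The `if (!skbn) break;` path matters more after this change, because `pskb_copy()` allocates a new header buffer for every node, where `skb_clone()` allocated only the sk_buff structure. On failure the loop stops silently and the remaining nodes never receive the broadcast, which is the same lost QRTR_TYPE_DEL_CLIENT symptom the commit message describes. The rest of qrtr_bcast_enqueue is outside this hunk, so it is not visible whether the failure is reported anywhere. If it is not, add at least a rate-limited warning before the `break`, e.g. `pr_warn_ratelimited("qrtr: broadcast copy failed\n");`.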
+--
+2.43.0
+
--- /dev/null
+From 176a475ccceae513062cd94d53e9b2ebf5b8ac66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 09:18:39 +0100
+Subject: net: ravb: Fix R-Car RX frame size limit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Barker <paul.barker.ct@bp.renesas.com>
+
+[ Upstream commit ec8234717db8589078d08b17efa528a235c61f4f ]
+
+The RX frame size limit should not be based on the current MTU setting.
+Instead it should be based on the hardware capabilities.
+
+While we're here, improve the description of the receive frame length
+setting as suggested by Niklas.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 4d100283c30fb..067357b2495cd 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -530,8 +530,16 @@ static void ravb_emac_init_gbeth(struct net_device *ndev)
+
+ static void ravb_emac_init_rcar(struct net_device *ndev)
+ {
+- /* Receive frame limit set register */
+- ravb_write(ndev, ndev->mtu + ETH_HLEN + VLAN_HLEN + ETH_FCS_LEN, RFLR);
++ struct ravb_private *priv = netdev_priv(ndev);
++
++ /* Set receive frame length
++ *
++ * The length set here describes the frame from the destination address
++ * up to and including the CRC data. However only the frame data,
++ * excluding the CRC, are transferred to memory. To allow for the
++ * largest frames add the CRC length to the maximum Rx descriptor size.
++ */
++ ravb_write(ndev, priv->info->rx_max_frame_size + ETH_FCS_LEN, RFLR);
+
+ /* EMAC Mode: PAUSE prohibition; Duplex; RX Checksum; TX; RX */
+ ravb_write(ndev, ECMR_ZPF | ECMR_DM |
+--
+2.43.0
+
--- /dev/null
+From de105271648142987bd805b03b10da40f847a3c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Sep 2024 22:40:46 +0800
+Subject: net: seeq: Fix use after free vulnerability in ether3 Driver Due to
+ Race Condition
+
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+
+[ Upstream commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4 ]
+
+In the ether3_probe function, a timer is initialized with a callback
+function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
+started, there is a risk of a race condition if the module or device
+is removed, triggering the ether3_remove function to perform cleanup.
+The sequence of operations that may lead to a UAF bug is as follows:
+
+CPU0 CPU1
+
+ | ether3_ledoff
+ether3_remove |
+ free_netdev(dev); |
+ put_devic |
+ kfree(dev); |
+ | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
+ | // use dev
+
+Fix it by ensuring that the timer is canceled before proceeding with
+the cleanup in ether3_remove.
+
+Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()")
+Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Link: https://patch.msgid.link/20240915144045.451-1-kxwang23@m.fudan.edu.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/seeq/ether3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/seeq/ether3.c b/drivers/net/ethernet/seeq/ether3.c
+index c672f92d65e97..9319a2675e7b6 100644
+--- a/drivers/net/ethernet/seeq/ether3.c
++++ b/drivers/net/ethernet/seeq/ether3.c
+@@ -847,9 +847,11 @@ static void ether3_remove(struct expansion_card *ec)
+ {
+ struct net_device *dev = ecard_get_drvdata(ec);
+
++ ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
+ ecard_set_drvdata(ec, NULL);
+
+ unregister_netdev(dev);
++ del_timer_sync(&priv(dev)->timer);
+ free_netdev(dev);
+ ecard_release_resources(ec);
+ }
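Review bot: The first added line, the `ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);` write at the top of ether3_remove, has no comment and the commit message does not explain it. It appears to be the write that ether3_ledoff would have performed, since the message quotes the same statement, so say so: `/* do the LED-off write here; the timer that would do it is cancelled below */`. Placing `del_timer_sync()` after `unregister_netdev()` and before `free_netdev()` is what closes the race, presumably because nothing re-arms the timer once the interface is down. A one-line comment stating that ordering requirement would stop a later cleanup from moving the call. On trees that provide `timer_shutdown_sync()`, that call also blocks re-arming and may be the better fit.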
+--
+2.43.0
+
--- /dev/null
+From b067fbf193161555909e96c4e41fc20410aa3eb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 21:48:02 +0800
+Subject: net: stmmac: dwmac-loongson: Init ref and PTP clocks rate
+
+From: Yanteng Si <siyanteng@loongson.cn>
+
+[ Upstream commit c70f3163681381c15686bdd2fe56bf4af9b8aaaa ]
+
+Reference and PTP clocks rate of the Loongson GMAC devices is 125MHz.
+(So is in the GNET devices which support is about to be added.) Set
+the respective plat_stmmacenet_data field up in accordance with that
+so to have the coalesce command and timestamping work correctly.
+
+Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson")
+Signed-off-by: Feiyang Chen <chenfeiyang@loongson.cn>
+Signed-off-by: Yinggang Gu <guyinggang@loongson.cn>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Acked-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Yanteng Si <siyanteng@loongson.cn>
+Tested-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+index 9e40c28d453ab..ee3604f58def5 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+@@ -35,6 +35,9 @@ static int loongson_default_data(struct plat_stmmacenet_data *plat)
+ /* Disable RX queues routing by default */
+ plat->rx_queues_cfg[0].pkt_route = 0x0;
+
++ plat->clk_ref_rate = 125000000;
++ plat->clk_ptp_rate = 125000000;
++
+ /* Default to phy auto-detection */
+ plat->phy_addr = -1;
+
+--
+2.43.0
+
--- /dev/null
+From 17624f901b692da22f23860c979811ea26bad7fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 20:10:28 +0800
+Subject: net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled
+
+From: Furong Xu <0x1207@gmail.com>
+
+[ Upstream commit b514c47ebf41a6536551ed28a05758036e6eca7c ]
+
+Commit 5fabb01207a2 ("net: stmmac: Add initial XDP support") sets
+PP_FLAG_DMA_SYNC_DEV flag for page_pool unconditionally,
+page_pool_recycle_direct() will call page_pool_dma_sync_for_device()
+on every page even the page is not going to be reused by XDP program.
+
+When XDP is not enabled, the page which holds the received buffer
+will be recycled once the buffer is copied into new SKB by
+skb_copy_to_linear_data(), then the MAC core will never reuse this
+page any longer. Always setting PP_FLAG_DMA_SYNC_DEV wastes CPU cycles
+on unnecessary calling of page_pool_dma_sync_for_device().
+
+After this patch, up to 9% noticeable performance improvement was observed
+on certain platforms.
+
+Fixes: 5fabb01207a2 ("net: stmmac: Add initial XDP support")
+Signed-off-by: Furong Xu <0x1207@gmail.com>
+Link: https://patch.msgid.link/20240919121028.1348023-1-0x1207@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 33e2bd5a351ca..3b1bb6aa5b8c8 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2025,7 +2025,7 @@ static int __alloc_dma_rx_desc_resources(struct stmmac_priv *priv,
+ rx_q->queue_index = queue;
+ rx_q->priv_data = priv;
+
+- pp_params.flags = PP_FLAG_DMA_MAP | PP_FLAG_DMA_SYNC_DEV;
++ pp_params.flags = PP_FLAG_DMA_MAP | (xdp_prog ? PP_FLAG_DMA_SYNC_DEV : 0);
+ pp_params.pool_size = dma_conf->dma_rx_size;
+ num_pages = DIV_ROUND_UP(dma_conf->dma_buf_sz, PAGE_SIZE);
+ pp_params.order = ilog2(num_pages);
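Review bot: `PP_FLAG_DMA_SYNC_DEV` is now decided once, when the page pool is created, from `xdp_prog`, which is set outside this hunk. That is safe only if the RX resources are torn down and reallocated whenever an XDP program is attached or detached. Otherwise a pool created without the flag would return pages written by an XDP program to the device without the sync, and on non-coherent platforms the device could see stale data. If the reallocation is guaranteed, record it next to the assignment: `/* pool is recreated on XDP attach/detach, so the flag always matches */`. The new line is also over 80 columns; `if (xdp_prog) pp_params.flags |= PP_FLAG_DMA_SYNC_DEV;` after a plain `PP_FLAG_DMA_MAP` assignment reads more easily.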
+--
+2.43.0
+
--- /dev/null
+From 7262973f1b987af0537e568b4910bb93855c37ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 19:01:20 +0800
+Subject: net: tipc: avoid possible garbage value
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 99655a304e450baaae6b396cb942b9e47659d644 ]
+
+Clang static checker (scan-build) warning:
+net/tipc/bcast.c:305:4:
+The expression is an uninitialized value. The computed value will also
+be garbage [core.uninitialized.Assign]
+ 305 | (*cong_link_cnt)++;
+ | ^~~~~~~~~~~~~~~~~~
+
+tipc_rcast_xmit() will increase cong_link_cnt's value, but cong_link_cnt
+is uninitialized. Although it won't really cause a problem, it's better
+to fix it.
+
+Fixes: dca4a17d24ee ("tipc: fix potential hanging after b/rcast changing")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Link: https://patch.msgid.link/20240912110119.2025503-1-suhui@nfschina.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/bcast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
+index 593846d252143..114fef65f92ea 100644
+--- a/net/tipc/bcast.c
++++ b/net/tipc/bcast.c
+@@ -320,8 +320,8 @@ static int tipc_mcast_send_sync(struct net *net, struct sk_buff *skb,
+ {
+ struct tipc_msg *hdr, *_hdr;
+ struct sk_buff_head tmpq;
++ u16 cong_link_cnt = 0;
+ struct sk_buff *_skb;
+- u16 cong_link_cnt;
+ int rc = 0;
+
+ /* Is a cluster supporting with new capabilities ? */
+--
+2.43.0
+
--- /dev/null
+From 745f16bfb187f4ee87e7eb8659df35e34aae021e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 10:51:56 -0400
+Subject: net: xilinx: axienet: Fix packet counting
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit 5a6caa2cfabb559309b5ce29ee7c8e9ce1a9a9df ]
+
+axienet_free_tx_chain returns the number of DMA descriptors it's
+handled. However, axienet_tx_poll treats the return as the number of
+packets. When scatter-gather SKBs are enabled, a single packet may use
+multiple DMA descriptors, which causes incorrect packet counts. Fix this
+by explicitly keepting track of the number of packets processed as
+separate from the DMA descriptors.
+
+Budget does not affect the number of Tx completions we can process for
+NAPI, so we use the ring size as the limit instead of budget. As we no
+longer return the number of descriptors processed to axienet_tx_poll, we
+now update tx_bd_ci in axienet_free_tx_chain.
+
+Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Link: https://patch.msgid.link/20240913145156.2283067-1-sean.anderson@linux.dev
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/xilinx/xilinx_axienet_main.c | 23 +++++++++++--------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 00b1a4cf7c4be..f1d928644b824 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -674,15 +674,15 @@ static int axienet_device_reset(struct net_device *ndev)
+ *
+ * Would either be called after a successful transmit operation, or after
+ * there was an error when setting up the chain.
+- * Returns the number of descriptors handled.
++ * Returns the number of packets handled.
+ */
+ static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd,
+ int nr_bds, bool force, u32 *sizep, int budget)
+ {
+ struct axidma_bd *cur_p;
+ unsigned int status;
++ int i, packets = 0;
+ dma_addr_t phys;
+- int i;
+
+ for (i = 0; i < nr_bds; i++) {
+ cur_p = &lp->tx_bd_v[(first_bd + i) % lp->tx_bd_num];
+@@ -701,8 +701,10 @@ static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd,
+ (cur_p->cntrl & XAXIDMA_BD_CTRL_LENGTH_MASK),
+ DMA_TO_DEVICE);
+
+- if (cur_p->skb && (status & XAXIDMA_BD_STS_COMPLETE_MASK))
++ if (cur_p->skb && (status & XAXIDMA_BD_STS_COMPLETE_MASK)) {
+ napi_consume_skb(cur_p->skb, budget);
++ packets++;
++ }
+
+ cur_p->app0 = 0;
+ cur_p->app1 = 0;
+@@ -718,7 +720,13 @@ static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd,
+ *sizep += status & XAXIDMA_BD_STS_ACTUAL_LEN_MASK;
+ }
+
+- return i;
++ if (!force) {
++ lp->tx_bd_ci += i;
++ if (lp->tx_bd_ci >= lp->tx_bd_num)
++ lp->tx_bd_ci %= lp->tx_bd_num;
++ }
++
++ return packets;
+ }
+
+ /**
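Review bot: axienet_free_tx_chain now advances `lp->tx_bd_ci` itself when `force` is false, but the kernel-doc above it (edited in the first hunk of this file) changes only the return description. Add the side effect to that comment, e.g. `* When @force is false, also advances lp->tx_bd_ci past the descriptors processed.`, so a caller does not update the index a second time. `packets` is incremented only for descriptors that have `cur_p->skb` set and the completion bit set, so on the `force` path the return value can be 0 even though descriptors were cleaned. "Returns the number of completed packets" would describe that more precisely.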
+@@ -891,13 +899,10 @@ static int axienet_tx_poll(struct napi_struct *napi, int budget)
+ u32 size = 0;
+ int packets;
+
+- packets = axienet_free_tx_chain(lp, lp->tx_bd_ci, budget, false, &size, budget);
++ packets = axienet_free_tx_chain(lp, lp->tx_bd_ci, lp->tx_bd_num, false,
++ &size, budget);
+
+ if (packets) {
+- lp->tx_bd_ci += packets;
+- if (lp->tx_bd_ci >= lp->tx_bd_num)
+- lp->tx_bd_ci %= lp->tx_bd_num;
+-
+ u64_stats_update_begin(&lp->tx_stat_sync);
+ u64_stats_add(&lp->tx_packets, packets);
+ u64_stats_add(&lp->tx_bytes, size);
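Review bot: `packets` is no longer bounded by `budget`, because the call now walks up to `lp->tx_bd_num` descriptors and the count can exceed the NAPI budget. The remainder of axienet_tx_poll is outside this hunk. If it returns `packets` to the NAPI core, the value should be clamped, e.g. `return min(packets, budget);`, since a poll routine is expected not to report more work than its budget. A short comment at the call explaining why the ring size is the limit (Tx completions are not charged against the budget, per the commit message) would also help the next reader.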
+--
+2.43.0
+
--- /dev/null
+From 4a3ecca2beeab72a15143ac02131a8d313c32c2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 10:57:11 -0400
+Subject: net: xilinx: axienet: Schedule NAPI in two steps
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit ba0da2dc934ec5ac32bbeecbd0670da16ba03565 ]
+
+As advised by Documentation/networking/napi.rst, masking IRQs after
+calling napi_schedule can be racy. Avoid this by only masking/scheduling
+if napi_schedule_prep returns true.
+
+Fixes: 9e2bc267e780 ("net: axienet: Use NAPI for TX completion path")
+Fixes: cc37610caaf8 ("net: axienet: implement NAPI and GRO receive")
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20240913145711.2284295-1-sean.anderson@linux.dev
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 88d7bc2ea7132..00b1a4cf7c4be 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -1222,9 +1222,10 @@ static irqreturn_t axienet_tx_irq(int irq, void *_ndev)
+ u32 cr = lp->tx_dma_cr;
+
+ cr &= ~(XAXIDMA_IRQ_IOC_MASK | XAXIDMA_IRQ_DELAY_MASK);
+- axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET, cr);
+-
+- napi_schedule(&lp->napi_tx);
++ if (napi_schedule_prep(&lp->napi_tx)) {
++ axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET, cr);
++ __napi_schedule(&lp->napi_tx);
++ }
+ }
+
+ return IRQ_HANDLED;
+@@ -1266,9 +1267,10 @@ static irqreturn_t axienet_rx_irq(int irq, void *_ndev)
+ u32 cr = lp->rx_dma_cr;
+
+ cr &= ~(XAXIDMA_IRQ_IOC_MASK | XAXIDMA_IRQ_DELAY_MASK);
+- axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, cr);
+-
+- napi_schedule(&lp->napi_rx);
++ if (napi_schedule_prep(&lp->napi_rx)) {
++ axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, cr);
++ __napi_schedule(&lp->napi_rx);
++ }
+ }
+
+ return IRQ_HANDLED;
+--
+2.43.0
+
--- /dev/null
+From c07ab02e3618c930298f57df44a0548238b27dfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 16:14:41 +0100
+Subject: netfilter: ctnetlink: compile ctnetlink_label_size with
+ CONFIG_NF_CONNTRACK_EVENTS
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit e1f1ee0e9ad8cbe660f5c104e791c5f1a7cf4c31 ]
+
+Only provide ctnetlink_label_size when it is used,
+which is when CONFIG_NF_CONNTRACK_EVENTS is configured.
+
+Flagged by clang-18 W=1 builds as:
+
+.../nf_conntrack_netlink.c:385:19: warning: unused function 'ctnetlink_label_size' [-Wunused-function]
+ 385 | static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ | ^~~~~~~~~~~~~~~~~~~~
+
+The condition on CONFIG_NF_CONNTRACK_LABELS being removed by
+this patch guards compilation of non-trivial implementations
+of ctnetlink_dump_labels() and ctnetlink_label_size().
+
+However, this is not necessary as each of these functions
+will always return 0 if CONFIG_NF_CONNTRACK_LABELS is not defined
+as each function starts with the equivalent of:
+
+ struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+
+ if (!labels)
+ return 0;
+
+And nf_ct_labels_find always returns NULL if CONFIG_NF_CONNTRACK_LABELS
+is not enabled. So I believe that the compiler optimises the code away
+in such cases anyway.
+
+Found by inspection.
+Compile tested only.
+
+Originally splitted in two patches, Pablo Neira Ayuso collapsed them and
+added Fixes: tag.
+
+Fixes: 0ceabd83875b ("netfilter: ctnetlink: deliver labels to userspace")
+Link: https://lore.kernel.org/netfilter-devel/20240909151712.GZ2097826@kernel.org/
+Signed-off-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 4cbf71d0786b0..c55cf5bc36b2f 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -382,7 +382,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
+ #define ctnetlink_dump_secctx(a, b) (0)
+ #endif
+
+-#ifdef CONFIG_NF_CONNTRACK_LABELS
++#ifdef CONFIG_NF_CONNTRACK_EVENTS
+ static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ {
+ struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+@@ -391,6 +391,7 @@ static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ return 0;
+ return nla_total_size(sizeof(labels->bits));
+ }
++#endif
+
+ static int
+ ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
+@@ -411,10 +412,6 @@ ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
+
+ return 0;
+ }
+-#else
+-#define ctnetlink_dump_labels(a, b) (0)
+-#define ctnetlink_label_size(a) (0)
+-#endif
+
+ #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
+
+--
+2.43.0
+
--- /dev/null
+From 7da0d487861c5fbcf78b87aedc9c395b956a9205 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 17:06:15 +0000
+Subject: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9c778fe48d20ef362047e3376dee56d77f8500d4 ]
+
+syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending
+garbage on the four reserved tcp bits (th->res1)
+
+Use skb_put_zero() to clear the whole TCP header,
+as done in nf_reject_ip_tcphdr_put()
+
+BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
+ nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+ do_softirq+0x9a/0x100 kernel/softirq.c:455
+ __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
+ __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
+ dev_queue_xmit include/linux/netdevice.h:3105 [inline]
+ neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
+ neigh_output include/net/neighbour.h:542 [inline]
+ ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
+ __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
+ ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
+ NF_HOOK_COND include/linux/netfilter.h:303 [inline]
+ ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
+ dst_output include/net/dst.h:450 [inline]
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
+ inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
+ __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
+ tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
+ tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
+ tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
+ __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
+ inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
+ __sys_connect_file net/socket.c:2061 [inline]
+ __sys_connect+0x606/0x690 net/socket.c:2078
+ __do_sys_connect net/socket.c:2088 [inline]
+ __se_sys_connect net/socket.c:2085 [inline]
+ __x64_sys_connect+0x91/0xe0 net/socket.c:2085
+ x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was stored to memory at:
+ nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Uninit was stored to memory at:
+ nf_reject_ip6_tcphdr_put+0x2ca/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:231
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3998 [inline]
+ slab_alloc_node mm/slub.c:4041 [inline]
+ kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4084
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
+ __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
+ alloc_skb include/linux/skbuff.h:1320 [inline]
+ nf_send_reset6+0x98d/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:327
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Link: https://patch.msgid.link/20240913170615.3670897-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_reject_ipv6.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
+index dedee264b8f6c..b9457473c176d 100644
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -223,33 +223,23 @@ void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
+ const struct tcphdr *oth, unsigned int otcplen)
+ {
+ struct tcphdr *tcph;
+- int needs_ack;
+
+ skb_reset_transport_header(nskb);
+- tcph = skb_put(nskb, sizeof(struct tcphdr));
++ tcph = skb_put_zero(nskb, sizeof(struct tcphdr));
+ /* Truncate to length (no data) */
+ tcph->doff = sizeof(struct tcphdr)/4;
+ tcph->source = oth->dest;
+ tcph->dest = oth->source;
+
+ if (oth->ack) {
+- needs_ack = 0;
+ tcph->seq = oth->ack_seq;
+- tcph->ack_seq = 0;
+ } else {
+- needs_ack = 1;
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
+ otcplen - (oth->doff<<2));
+- tcph->seq = 0;
++ tcph->ack = 1;
+ }
+
+- /* Reset flags */
+- ((u_int8_t *)tcph)[13] = 0;
+ tcph->rst = 1;
+- tcph->ack = needs_ack;
+- tcph->window = 0;
+- tcph->urg_ptr = 0;
+- tcph->check = 0;
+
+ /* Adjust TCP checksum */
+ tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
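Review bot: After this change every field not assigned below (`seq` or `ack_seq` depending on the branch, `res1`, the remaining flag bits, `window`, `urg_ptr`, the initial `check`) is correct only because `skb_put_zero()` cleared the header, and nothing in the function says so. Add a comment at the allocation, `/* header is zeroed here; only non-zero fields are set below */`, so a later switch back to `skb_put()` does not put uninitialised slab memory on the wire again. The function body continues past the end of this hunk, where the `csum_ipv6_magic()` call is cut, so the checksum computation itself is not reviewed here.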
+--
+2.43.0
+
--- /dev/null
+From 5502e3b58931e6501f95f874fe12facaffcfe2ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:06:41 +0200
+Subject: netfilter: nf_tables: elements with timeout below CONFIG_HZ never
+ expire
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit e0c47281723f301894c14e6f5cd5884fdfb813f9 ]
+
+Element timeout that is below CONFIG_HZ never expires because the
+timeout extension is not allocated given that nf_msecs_to_jiffies64()
+returns 0. Set timeout to the minimum value to honor timeout.
+
+Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 41d7faeb101cf..ebf8d4cbbdc35 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4544,7 +4544,7 @@ int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
+ return -ERANGE;
+
+ ms *= NSEC_PER_MSEC;
+- *result = nsecs_to_jiffies64(ms);
++ *result = nsecs_to_jiffies64(ms) ? : !!ms;
+ return 0;
+ }
+
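Review bot: The new expression `nsecs_to_jiffies64(ms) ? : !!ms` packs the fix into the GNU `?:` extension plus a double negation, and the intent is easy to miss on a later read. A comment above the assignment would make it reviewable: `/* sub-jiffy timeouts round up to 1 so the timeout extension is still allocated; 0 stays 0 */`. Note also that `ms` holds nanoseconds after `ms *= NSEC_PER_MSEC`, so `!!ms` tests the scaled value. That is equivalent for the zero test, but a separately named local would read better. The range check that leads to `return -ERANGE` starts outside this hunk.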
+--
+2.43.0
+
--- /dev/null
+From 5beed251921f9b1912f071eb5c23d4bbc1387673 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 14:21:33 +0200
+Subject: netfilter: nf_tables: Keep deleted flowtable hooks until after RCU
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 642c89c475419b4d0c0d90e29d9c1a0e4351f379 ]
+
+Documentation of list_del_rcu() warns callers to not immediately free
+the deleted list item. While it seems not necessary to use the
+RCU-variant of list_del() here in the first place, doing so seems to
+require calling kfree_rcu() on the deleted item as well.
+
+Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index d4b5f23930c9f..3c19928b359c3 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9137,7 +9137,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
+ flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
+ FLOW_BLOCK_UNBIND);
+ list_del_rcu(&hook->list);
+- kfree(hook);
++ kfree_rcu(hook, rcu);
+ }
+ kfree(flowtable->name);
+ module_put(flowtable->data.type->owner);
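Review bot: `kfree_rcu(hook, rcu)` defers only the hook; `flowtable->name` is still freed immediately on the next line, and the flowtable that heads the hook list is presumably released by the rest of this function, which lies outside the hunk. If RCU readers can still be walking the hook list at this point, they reach it through the flowtable and would need that object kept alive for the same grace period. If they cannot, as the commit message itself suspects when it doubts the `_rcu` list variant is needed, a comment naming the grace period that already protects this path would be the clearer fix. The call also depends on `struct nft_hook` having an `rcu` member of type `struct rcu_head`, which is declared outside this diff.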
+--
+2.43.0
+
--- /dev/null
+From bfe8a23e9a0d70bf8e35c26d89b3832a03d5f9eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 14:19:45 +0200
+Subject: netfilter: nf_tables: missing objects with no memcg accounting
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 69e687cea79fc99a17dfb0116c8644b9391b915e ]
+
+Several ruleset objects are still not using GFP_KERNEL_ACCOUNT for
+memory accounting, update them. This includes:
+
+- catchall elements
+- compat match large info area
+- log prefix
+- meta secctx
+- numgen counters
+- pipapo set backend datastructure
+- tunnel private objects
+
+Fixes: 33758c891479 ("memcg: enable accounting for nft objects")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ net/netfilter/nft_compat.c | 6 +++---
+ net/netfilter/nft_log.c | 2 +-
+ net/netfilter/nft_meta.c | 2 +-
+ net/netfilter/nft_numgen.c | 2 +-
+ net/netfilter/nft_set_pipapo.c | 13 +++++++------
+ net/netfilter/nft_tunnel.c | 5 +++--
+ 7 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 71df3e5cc46d9..465cc43c75e30 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6631,7 +6631,7 @@ static int nft_setelem_catchall_insert(const struct net *net,
+ }
+ }
+
+- catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
++ catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT);
+ if (!catchall)
+ return -ENOMEM;
+
+diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
+index d3d11dede5450..85450f6011426 100644
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -536,7 +536,7 @@ nft_match_large_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ struct xt_match *m = expr->ops->data;
+ int ret;
+
+- priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
++ priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL_ACCOUNT);
+ if (!priv->info)
+ return -ENOMEM;
+
+@@ -810,7 +810,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
+ goto err;
+ }
+
+- ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
++ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL_ACCOUNT);
+ if (!ops) {
+ err = -ENOMEM;
+ goto err;
+@@ -900,7 +900,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
+ goto err;
+ }
+
+- ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
++ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL_ACCOUNT);
+ if (!ops) {
+ err = -ENOMEM;
+ goto err;
+diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
+index 5defe6e4fd982..e355881379957 100644
+--- a/net/netfilter/nft_log.c
++++ b/net/netfilter/nft_log.c
+@@ -163,7 +163,7 @@ static int nft_log_init(const struct nft_ctx *ctx,
+
+ nla = tb[NFTA_LOG_PREFIX];
+ if (nla != NULL) {
+- priv->prefix = kmalloc(nla_len(nla) + 1, GFP_KERNEL);
++ priv->prefix = kmalloc(nla_len(nla) + 1, GFP_KERNEL_ACCOUNT);
+ if (priv->prefix == NULL)
+ return -ENOMEM;
+ nla_strscpy(priv->prefix, nla, nla_len(nla) + 1);
+diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
+index 9139ce38ea7b9..f23faf565b687 100644
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -954,7 +954,7 @@ static int nft_secmark_obj_init(const struct nft_ctx *ctx,
+ if (tb[NFTA_SECMARK_CTX] == NULL)
+ return -EINVAL;
+
+- priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
++ priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL_ACCOUNT);
+ if (!priv->ctx)
+ return -ENOMEM;
+
+diff --git a/net/netfilter/nft_numgen.c b/net/netfilter/nft_numgen.c
+index 7d29db7c2ac0f..bd058babfc820 100644
+--- a/net/netfilter/nft_numgen.c
++++ b/net/netfilter/nft_numgen.c
+@@ -66,7 +66,7 @@ static int nft_ng_inc_init(const struct nft_ctx *ctx,
+ if (priv->offset + priv->modulus - 1 < priv->offset)
+ return -EOVERFLOW;
+
+- priv->counter = kmalloc(sizeof(*priv->counter), GFP_KERNEL);
++ priv->counter = kmalloc(sizeof(*priv->counter), GFP_KERNEL_ACCOUNT);
+ if (!priv->counter)
+ return -ENOMEM;
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index eb4c4a4ac7ace..7be342b495f5f 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -663,7 +663,7 @@ static int pipapo_realloc_mt(struct nft_pipapo_field *f,
+ check_add_overflow(rules, extra, &rules_alloc))
+ return -EOVERFLOW;
+
+- new_mt = kvmalloc_array(rules_alloc, sizeof(*new_mt), GFP_KERNEL);
++ new_mt = kvmalloc_array(rules_alloc, sizeof(*new_mt), GFP_KERNEL_ACCOUNT);
+ if (!new_mt)
+ return -ENOMEM;
+
+@@ -936,7 +936,7 @@ static void pipapo_lt_bits_adjust(struct nft_pipapo_field *f)
+ return;
+ }
+
+- new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL);
++ new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL_ACCOUNT);
+ if (!new_lt)
+ return;
+
+@@ -1212,7 +1212,7 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone,
+ scratch = kzalloc_node(struct_size(scratch, map,
+ bsize_max * 2) +
+ NFT_PIPAPO_ALIGN_HEADROOM,
+- GFP_KERNEL, cpu_to_node(i));
++ GFP_KERNEL_ACCOUNT, cpu_to_node(i));
+ if (!scratch) {
+ /* On failure, there's no need to undo previous
+ * allocations: this means that some scratch maps have
+@@ -1427,7 +1427,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
+ struct nft_pipapo_match *new;
+ int i;
+
+- new = kmalloc(struct_size(new, f, old->field_count), GFP_KERNEL);
++ new = kmalloc(struct_size(new, f, old->field_count), GFP_KERNEL_ACCOUNT);
+ if (!new)
+ return NULL;
+
+@@ -1457,7 +1457,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
+ new_lt = kvzalloc(src->groups * NFT_PIPAPO_BUCKETS(src->bb) *
+ src->bsize * sizeof(*dst->lt) +
+ NFT_PIPAPO_ALIGN_HEADROOM,
+- GFP_KERNEL);
++ GFP_KERNEL_ACCOUNT);
+ if (!new_lt)
+ goto out_lt;
+
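Review bot: The size passed to kvzalloc() in this pipapo_clone() hunk is still an open-coded product, `src->groups * NFT_PIPAPO_BUCKETS(src->bb) * src->bsize * sizeof(*dst->lt) + NFT_PIPAPO_ALIGN_HEADROOM`, with no overflow check. pipapo_realloc_mt() in the same patch guards its count with check_add_overflow() and allocates through kvmalloc_array(). If the product wrapped, the lookup table would presumably be smaller than the code that fills it assumes, so a saturating form is safer: `size_add(size_mul(size_mul(src->groups, NFT_PIPAPO_BUCKETS(src->bb)), size_mul(src->bsize, sizeof(*dst->lt))), NFT_PIPAPO_ALIGN_HEADROOM)` makes an overflow fail like an allocation failure and reach `goto out_lt`. The `lt_size + NFT_PIPAPO_ALIGN_HEADROOM` sum in the pipapo_lt_bits_adjust() hunk has the same shape, but lt_size is computed outside that hunk, so it cannot be confirmed from here whether it is already bounded. Both function bodies continue outside their hunks.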
+@@ -1470,7 +1470,8 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
+
+ if (src->rules > 0) {
+ dst->mt = kvmalloc_array(src->rules_alloc,
+- sizeof(*src->mt), GFP_KERNEL);
++ sizeof(*src->mt),
++ GFP_KERNEL_ACCOUNT);
+ if (!dst->mt)
+ goto out_mt;
+
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index 60a76e6e348e7..5c6ed68cc6e05 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -509,13 +509,14 @@ static int nft_tunnel_obj_init(const struct nft_ctx *ctx,
+ return err;
+ }
+
+- md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL, GFP_KERNEL);
++ md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL,
++ GFP_KERNEL_ACCOUNT);
+ if (!md)
+ return -ENOMEM;
+
+ memcpy(&md->u.tun_info, &info, sizeof(info));
+ #ifdef CONFIG_DST_CACHE
+- err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL);
++ err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL_ACCOUNT);
+ if (err < 0) {
+ metadata_dst_free(md);
+ return err;
+--
+2.43.0
+
--- /dev/null
+From 89364e71178a6f8915ec685983018e57c0477871 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:06:49 +0200
+Subject: netfilter: nf_tables: reject element expiration with no timeout
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d2dc429ecb4e79ad164028d965c00f689e6f6d06 ]
+
+If element timeout is unset and set provides no default timeout, the
+element expiration is silently ignored, reject this instead to let user
+know this is unsupported.
+
+Also prepare for supporting timeout that never expire, where zero
+timeout and expiration must be also rejected.
+
+Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index ebf8d4cbbdc35..e3ac29f75f32e 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6874,6 +6874,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
+ if (!(set->flags & NFT_SET_TIMEOUT))
+ return -EINVAL;
++ if (timeout == 0)
++ return -EOPNOTSUPP;
++
+ err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
+ &expiration);
+ if (err)
+--
+2.43.0
+
--- /dev/null
+From cf942a98400ed7ea4b957b4ecbebce4a94e0c63b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:06:58 +0200
+Subject: netfilter: nf_tables: reject expiration higher than timeout
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c0f38a8c60174368aed1d0f9965d733195f15033 ]
+
+Report ERANGE to userspace if user specifies an expiration larger than
+the timeout.
+
+Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index e3ac29f75f32e..fcb68fe818566 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6881,6 +6881,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ &expiration);
+ if (err)
+ return err;
++
++ if (expiration > timeout)
++ return -ERANGE;
+ }
+
+ if (nla[NFTA_SET_ELEM_EXPR]) {
+--
+2.43.0
+
--- /dev/null
+From 2a0c35077c6061e6103667496fd26214e4a010f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:07:06 +0200
+Subject: netfilter: nf_tables: remove annotation to access set timeout while
+ holding lock
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 15d8605c0cf4fc9cf4386cae658c68a0fd4bdb92 ]
+
+Mutex is held when adding an element, no need for READ_ONCE, remove it.
+
+Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index fcb68fe818566..d4b5f23930c9f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6867,7 +6867,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ return err;
+ } else if (set->flags & NFT_SET_TIMEOUT &&
+ !(flags & NFT_SET_ELEM_INTERVAL_END)) {
+- timeout = READ_ONCE(set->timeout);
++ timeout = set->timeout;
+ }
+
+ expiration = 0;
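Review bot: The plain `timeout = set->timeout;` read here, and the `timeout != set->timeout` comparison in the second hunk, are only safe while the mutex the commit message refers to is held, and neither hunk records that. A one-line comment such as `/* transaction mutex held by caller: set->timeout is stable here */` would stop a later reader from re-adding the annotation or copying the plain read into a lockless path. A lockdep assertion at the top of nft_add_set_elem() would make the assumption checkable. The function starts outside both hunks, so it cannot be seen from here whether one already exists.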
+@@ -6974,7 +6974,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (err < 0)
+ goto err_parse_key_end;
+
+- if (timeout != READ_ONCE(set->timeout)) {
++ if (timeout != set->timeout) {
+ err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
+ if (err < 0)
+ goto err_parse_key_end;
+--
+2.43.0
+
--- /dev/null
+From 58ce2d56c701e7eede74b6af6aee789cf8c69bb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2024 23:07:46 +0200
+Subject: netfilter: nf_tables: use rcu chain hook list iterator from netlink
+ dump path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 4ffcf5ca81c3b83180473eb0d3c010a1a7c6c4de ]
+
+Lockless iteration over hook list is possible from netlink dump path,
+use rcu variant to iterate over the hook list as is done with flowtable
+hooks.
+
+Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
+Reported-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 3c19928b359c3..71df3e5cc46d9 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1795,7 +1795,7 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
+ if (!hook_list)
+ hook_list = &basechain->hook_list;
+
+- list_for_each_entry(hook, hook_list, list) {
++ list_for_each_entry_rcu(hook, hook_list, list) {
+ if (!first)
+ first = hook;
+
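Review bot: `list_for_each_entry_rcu(hook, hook_list, list)` is used without the optional lockdep condition. If nft_dump_basechain_hook() is also reached from a caller that holds the transaction mutex rather than rcu_read_lock() (the callers are outside this hunk), builds with RCU list checking enabled will report the traversal as unprotected. In that case the iterator should name the alternative protection in its fourth argument, e.g. `list_for_each_entry_rcu(hook, hook_list, list, lockdep_commit_lock_is_held(net))`, which needs a `net` pointer the visible signature does not carry. The switch is also only sufficient if chain hooks are unlinked with list_del_rcu() and freed after a grace period, which this hunk does not show. The function body continues outside the hunk.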
+--
+2.43.0
+
--- /dev/null
+From 6ab8d3e837f22bf7ebfdbc70e4158bfe94230e5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:08:49 +0200
+Subject: netfilter: nft_dynset: annotate data-races around set timeout
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c5ad8ed61fa8410b272c077ec167c593602b4542 ]
+
+set timeout can be read locklessly while being updated from control
+plane, add annotation.
+
+Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_dynset.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index b4ada3ab21679..489a9b34f1ecc 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -56,7 +56,7 @@ static struct nft_elem_priv *nft_dynset_new(struct nft_set *set,
+ if (!atomic_add_unless(&set->nelems, 1, set->size))
+ return NULL;
+
+- timeout = priv->timeout ? : set->timeout;
++ timeout = priv->timeout ? : READ_ONCE(set->timeout);
+ elem_priv = nft_set_elem_init(set, &priv->tmpl,
+ ®s->data[priv->sreg_key], NULL,
+ ®s->data[priv->sreg_data],
+@@ -95,7 +95,7 @@ void nft_dynset_eval(const struct nft_expr *expr,
+ expr, regs, &ext)) {
+ if (priv->op == NFT_DYNSET_OP_UPDATE &&
+ nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
+- timeout = priv->timeout ? : set->timeout;
++ timeout = priv->timeout ? : READ_ONCE(set->timeout);
+ *nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
+ }
+
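Review bot: The store on the line after the annotated read, `*nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;`, is still a plain 64-bit write. If the element's expiration is read concurrently elsewhere (readers are not visible in this hunk), the data race this commit annotates on set->timeout remains on that field. In that case it would be consistent to mark the store as well, `WRITE_ONCE(*nft_set_ext_expiration(ext), get_jiffies_64() + timeout);`, with READ_ONCE() on the reader side. nft_dynset_eval() starts and ends outside the hunk.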
+@@ -313,7 +313,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+ nft_dynset_ext_add_expr(priv);
+
+ if (set->flags & NFT_SET_TIMEOUT) {
+- if (timeout || set->timeout) {
++ if (timeout || READ_ONCE(set->timeout)) {
+ nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_TIMEOUT);
+ nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
+ }
+--
+2.43.0
+
--- /dev/null
+From 834f09989a90f97c52e0dbd8ce0812aafa314dca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 22:03:18 +0800
+Subject: nfsd: call cache_put if xdr_reserve_space returns NULL
+
+From: Guoqing Jiang <guoqing.jiang@linux.dev>
+
+[ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ]
+
+If not enough buffer space available, but idmap_lookup has triggered
+lookup_fn which calls cache_get and returns successfully. Then we
+missed to call cache_put here which pairs with cache_get.
+
+Fixes: ddd1ea563672 ("nfsd4: use xdr_reserve_space in attribute encoding")
+Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
+Reviwed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4idmap.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c
+index 7a806ac13e317..8cca1329f3485 100644
+--- a/fs/nfsd/nfs4idmap.c
++++ b/fs/nfsd/nfs4idmap.c
+@@ -581,6 +581,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
+ .id = id,
+ .type = type,
+ };
++ __be32 status = nfs_ok;
+ __be32 *p;
+ int ret;
+ struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+@@ -593,12 +594,16 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
+ return nfserrno(ret);
+ ret = strlen(item->name);
+ WARN_ON_ONCE(ret > IDMAP_NAMESZ);
++
+ p = xdr_reserve_space(xdr, ret + 4);
+- if (!p)
+- return nfserr_resource;
+- p = xdr_encode_opaque(p, item->name, ret);
++ if (unlikely(!p)) {
++ status = nfserr_resource;
++ goto out_put;
++ }
++ xdr_encode_opaque(p, item->name, ret);
++out_put:
+ cache_put(&item->h, nn->idtoname_cache);
+- return 0;
++ return status;
+ }
+
+ static bool
+--
+2.43.0
+
--- /dev/null
+From e6994dbe6a2d925ddcc0505392ce5070124fad5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 10:40:53 -0400
+Subject: nfsd: fix initial getattr on write delegation
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit bf92e5008b17f935a6de8b708551e02c2294121c ]
+
+At this point in compound processing, currentfh refers to the parent of
+the file, not the file itself. Get the correct dentry from the delegation
+stateid instead.
+
+Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 29c11714ac3db..fe06779ea527a 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5912,6 +5912,28 @@ static void nfsd4_open_deleg_none_ext(struct nfsd4_open *open, int status)
+ }
+ }
+
++static bool
++nfs4_delegation_stat(struct nfs4_delegation *dp, struct svc_fh *currentfh,
++ struct kstat *stat)
++{
++ struct nfsd_file *nf = find_rw_file(dp->dl_stid.sc_file);
++ struct path path;
++ int rc;
++
++ if (!nf)
++ return false;
++
++ path.mnt = currentfh->fh_export->ex_path.mnt;
++ path.dentry = file_dentry(nf->nf_file);
++
++ rc = vfs_getattr(&path, stat,
++ (STATX_SIZE | STATX_CTIME | STATX_CHANGE_COOKIE),
++ AT_STATX_SYNC_AS_STAT);
++
++ nfsd_file_put(nf);
++ return rc == 0;
++}
++
+ /*
+ * The Linux NFS server does not offer write delegations to NFSv4.0
+ * clients in order to avoid conflicts between write delegations and
+@@ -5947,7 +5969,6 @@ nfs4_open_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
+ int cb_up;
+ int status = 0;
+ struct kstat stat;
+- struct path path;
+
+ cb_up = nfsd4_cb_channel_good(oo->oo_owner.so_client);
+ open->op_recall = false;
+@@ -5983,20 +6004,16 @@ nfs4_open_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
+ memcpy(&open->op_delegate_stateid, &dp->dl_stid.sc_stateid, sizeof(dp->dl_stid.sc_stateid));
+
+ if (open->op_share_access & NFS4_SHARE_ACCESS_WRITE) {
+- open->op_delegate_type = NFS4_OPEN_DELEGATE_WRITE;
+- trace_nfsd_deleg_write(&dp->dl_stid.sc_stateid);
+- path.mnt = currentfh->fh_export->ex_path.mnt;
+- path.dentry = currentfh->fh_dentry;
+- if (vfs_getattr(&path, &stat,
+- (STATX_SIZE | STATX_CTIME | STATX_CHANGE_COOKIE),
+- AT_STATX_SYNC_AS_STAT)) {
++ if (!nfs4_delegation_stat(dp, currentfh, &stat)) {
+ nfs4_put_stid(&dp->dl_stid);
+ destroy_delegation(dp);
+ goto out_no_deleg;
+ }
++ open->op_delegate_type = NFS4_OPEN_DELEGATE_WRITE;
+ dp->dl_cb_fattr.ncf_cur_fsize = stat.size;
+ dp->dl_cb_fattr.ncf_initial_cinfo =
+ nfsd4_change_attribute(&stat, d_inode(currentfh->fh_dentry));
++ trace_nfsd_deleg_write(&dp->dl_stid.sc_stateid);
+ } else {
+ open->op_delegate_type = NFS4_OPEN_DELEGATE_READ;
+ trace_nfsd_deleg_read(&dp->dl_stid.sc_stateid);
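Review bot: `nfsd4_change_attribute(&stat, d_inode(currentfh->fh_dentry))` still takes its inode from currentfh, which the commit message says refers to the parent of the file at this point. `stat` now comes from the delegated file via nfs4_delegation_stat(), so `ncf_initial_cinfo` may be derived from a mix of the file's attributes and the parent's inode, depending on how nfsd4_change_attribute() uses its second argument (not visible here). Passing the file's inode would remove the mismatch, for example by having nfs4_delegation_stat() also return `d_inode(path.dentry)` while it still holds the nfsd_file reference. nfs4_open_delegation() continues outside the hunk.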
+--
+2.43.0
+
--- /dev/null
+From 47a1587394458a8dbd539d4bd46ea6966480a665 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jul 2024 09:05:32 -0400
+Subject: nfsd: fix refcount leak when file is unhashed after being found
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 8a7926176378460e0d91e02b03f0ff20a8709a60 ]
+
+If we wait_for_construction and find that the file is no longer hashed,
+and we're going to retry the open, the old nfsd_file reference is
+currently leaked. Put the reference before retrying.
+
+Fixes: c6593366c0bf ("nfsd: don't kill nfsd_files because of lease break error")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Youzhong Yang <youzhong@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/filecache.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
+index f09d96ff20652..e2e248032bfd0 100644
+--- a/fs/nfsd/filecache.c
++++ b/fs/nfsd/filecache.c
+@@ -1049,6 +1049,7 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ status = nfserr_jukebox;
+ goto construction_err;
+ }
++ nfsd_file_put(nf);
+ open_retry = false;
+ fh_put(fhp);
+ goto retry;
+--
+2.43.0
+
--- /dev/null
+From b68132706bfa9470b2e92ac27d9e29e72b48d322 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 15:11:13 -0400
+Subject: nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 81a95c2b1d605743220f28db04b8da13a65c4059 ]
+
+Given that we do the search and insertion while holding the i_lock, I
+don't think it's possible for us to get EEXIST here. Remove this case.
+
+Fixes: c6593366c0bf ("nfsd: don't kill nfsd_files because of lease break error")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Youzhong Yang <youzhong@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/filecache.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
+index f4704f5d40867..f09d96ff20652 100644
+--- a/fs/nfsd/filecache.c
++++ b/fs/nfsd/filecache.c
+@@ -1035,8 +1035,6 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ if (likely(ret == 0))
+ goto open_file;
+
+- if (ret == -EEXIST)
+- goto retry;
+ trace_nfsd_file_insert_err(rqstp, inode, may_flags, ret);
+ status = nfserr_jukebox;
+ goto construction_err;
+--
+2.43.0
+
--- /dev/null
+From ab41c810f70071dc3d0bc0cb71873db5c6d415b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 19:14:46 +0800
+Subject: nfsd: return -EINVAL when namelen is 0
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 22451a16b7ab7debefce660672566be887db1637 ]
+
+When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may
+result in namelen being 0, which will cause memdup_user() to return
+ZERO_SIZE_PTR.
+When we access the name.data that has been assigned the value of
+ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is
+triggered.
+
+[ T1205] ==================================================================
+[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260
+[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205
+[ T1205]
+[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406
+[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
+[ T1205] Call Trace:
+[ T1205] dump_stack+0x9a/0xd0
+[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260
+[ T1205] __kasan_report.cold+0x34/0x84
+[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260
+[ T1205] kasan_report+0x3a/0x50
+[ T1205] nfs4_client_to_reclaim+0xe9/0x260
+[ T1205] ? nfsd4_release_lockowner+0x410/0x410
+[ T1205] cld_pipe_downcall+0x5ca/0x760
+[ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0
+[ T1205] ? down_write_killable_nested+0x170/0x170
+[ T1205] ? avc_policy_seqno+0x28/0x40
+[ T1205] ? selinux_file_permission+0x1b4/0x1e0
+[ T1205] rpc_pipe_write+0x84/0xb0
+[ T1205] vfs_write+0x143/0x520
+[ T1205] ksys_write+0xc9/0x170
+[ T1205] ? __ia32_sys_read+0x50/0x50
+[ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110
+[ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110
+[ T1205] do_syscall_64+0x33/0x40
+[ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1
+[ T1205] RIP: 0033:0x7fdbdb761bc7
+[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514
+[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7
+[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008
+[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001
+[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b
+[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000
+[ T1205] ==================================================================
+
+Fix it by checking namelen.
+
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Fixes: 74725959c33c ("nfsd: un-deprecate nfsdcld")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Scott Mayhew <smayhew@redhat.com>
+Tested-by: Scott Mayhew <smayhew@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4recover.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
+index 67d8673a9391c..69a3a84e159e6 100644
+--- a/fs/nfsd/nfs4recover.c
++++ b/fs/nfsd/nfs4recover.c
+@@ -809,6 +809,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
+ ci = &cmsg->cm_u.cm_clntinfo;
+ if (get_user(namelen, &ci->cc_name.cn_len))
+ return -EFAULT;
++ if (!namelen) {
++ dprintk("%s: namelen should not be zero", __func__);
++ return -EINVAL;
++ }
+ name.data = memdup_user(&ci->cc_name.cn_id, namelen);
+ if (IS_ERR(name.data))
+ return PTR_ERR(name.data);
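Review bot: The new check rejects only a zero namelen; the value is read from user space with get_user() and then used unbounded as the memdup_user() length, here and in the second hunk. If cn_id is a fixed-size array of NFS4_OPAQUE_LIMIT bytes in the message (its declaration is outside the hunk), a larger length should be refused as well, e.g. `if (!namelen || namelen > NFS4_OPAQUE_LIMIT)`. That way the corrupted database this commit guards against cannot pass in an over-long client name either. Separately, both dprintk() format strings lack a trailing newline: `dprintk("%s: namelen should not be zero\n", __func__);`. The function body continues outside both hunks.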
+@@ -831,6 +835,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
+ cnm = &cmsg->cm_u.cm_name;
+ if (get_user(namelen, &cnm->cn_len))
+ return -EFAULT;
++ if (!namelen) {
++ dprintk("%s: namelen should not be zero", __func__);
++ return -EINVAL;
++ }
+ name.data = memdup_user(&cnm->cn_id, namelen);
+ if (IS_ERR(name.data))
+ return PTR_ERR(name.data);
+--
+2.43.0
+
--- /dev/null
+From c3106179295598663fb8d27148b23233eee3aae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 09:26:40 -0400
+Subject: nfsd: untangle code in nfsd4_deleg_getattr_conflict()
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit a078a7dc0eaa9db288ae45319f7f7503968af546 ]
+
+The code in nfsd4_deleg_getattr_conflict() is convoluted and buggy.
+
+With this patch we:
+ - properly handle non-nfsd leases. We must not assume flc_owner is a
+ delegation unless fl_lmops == &nfsd_lease_mng_ops
+ - move the main code out of the for loop
+ - have a single exit which calls nfs4_put_stid()
+ (and other exits which don't need to call that)
+
+[ jlayton: refactored on top of Neil's other patch: nfsd: fix
+ nfsd4_deleg_getattr_conflict in presence of third party lease ]
+
+Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 131 +++++++++++++++++++++-----------------------
+ 1 file changed, 62 insertions(+), 69 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index a366fb1c1b9b4..29c11714ac3db 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -8836,6 +8836,7 @@ nfsd4_deleg_getattr_conflict(struct svc_rqst *rqstp, struct dentry *dentry,
+ __be32 status;
+ struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+ struct file_lock_context *ctx;
++ struct nfs4_delegation *dp = NULL;
+ struct file_lease *fl;
+ struct iattr attrs;
+ struct nfs4_cb_fattr *ncf;
+@@ -8845,84 +8846,76 @@ nfsd4_deleg_getattr_conflict(struct svc_rqst *rqstp, struct dentry *dentry,
+ ctx = locks_inode_context(inode);
+ if (!ctx)
+ return 0;
++
++#define NON_NFSD_LEASE ((void *)1)
++
+ spin_lock(&ctx->flc_lock);
+ for_each_file_lock(fl, &ctx->flc_lease) {
+- unsigned char type = fl->c.flc_type;
+-
+ if (fl->c.flc_flags == FL_LAYOUT)
+ continue;
+- if (fl->fl_lmops != &nfsd_lease_mng_ops) {
+- /*
+- * non-nfs lease, if it's a lease with F_RDLCK then
+- * we are done; there isn't any write delegation
+- * on this inode
+- */
+- if (type == F_RDLCK)
+- break;
+-
+- nfsd_stats_wdeleg_getattr_inc(nn);
+- spin_unlock(&ctx->flc_lock);
+-
+- status = nfserrno(nfsd_open_break_lease(inode, NFSD_MAY_READ));
++ if (fl->c.flc_type == F_WRLCK) {
++ if (fl->fl_lmops == &nfsd_lease_mng_ops)
++ dp = fl->c.flc_owner;
++ else
++ dp = NON_NFSD_LEASE;
++ }
++ break;
++ }
++ if (dp == NULL || dp == NON_NFSD_LEASE ||
++ dp->dl_recall.cb_clp == *(rqstp->rq_lease_breaker)) {
++ spin_unlock(&ctx->flc_lock);
++ if (dp == NON_NFSD_LEASE) {
++ status = nfserrno(nfsd_open_break_lease(inode,
++ NFSD_MAY_READ));
+ if (status != nfserr_jukebox ||
+ !nfsd_wait_for_delegreturn(rqstp, inode))
+ return status;
+- return 0;
+ }
+- if (type == F_WRLCK) {
+- struct nfs4_delegation *dp = fl->c.flc_owner;
++ return 0;
++ }
+
+- if (dp->dl_recall.cb_clp == *(rqstp->rq_lease_breaker)) {
+- spin_unlock(&ctx->flc_lock);
+- return 0;
+- }
+- nfsd_stats_wdeleg_getattr_inc(nn);
+- dp = fl->c.flc_owner;
+- refcount_inc(&dp->dl_stid.sc_count);
+- ncf = &dp->dl_cb_fattr;
+- nfs4_cb_getattr(&dp->dl_cb_fattr);
+- spin_unlock(&ctx->flc_lock);
+- wait_on_bit_timeout(&ncf->ncf_cb_flags, CB_GETATTR_BUSY,
+- TASK_INTERRUPTIBLE, NFSD_CB_GETATTR_TIMEOUT);
+- if (ncf->ncf_cb_status) {
+- /* Recall delegation only if client didn't respond */
+- status = nfserrno(nfsd_open_break_lease(inode, NFSD_MAY_READ));
+- if (status != nfserr_jukebox ||
+- !nfsd_wait_for_delegreturn(rqstp, inode)) {
+- nfs4_put_stid(&dp->dl_stid);
+- return status;
+- }
+- }
+- if (!ncf->ncf_file_modified &&
+- (ncf->ncf_initial_cinfo != ncf->ncf_cb_change ||
+- ncf->ncf_cur_fsize != ncf->ncf_cb_fsize))
+- ncf->ncf_file_modified = true;
+- if (ncf->ncf_file_modified) {
+- int err;
+-
+- /*
+- * Per section 10.4.3 of RFC 8881, the server would
+- * not update the file's metadata with the client's
+- * modified size
+- */
+- attrs.ia_mtime = attrs.ia_ctime = current_time(inode);
+- attrs.ia_valid = ATTR_MTIME | ATTR_CTIME | ATTR_DELEG;
+- inode_lock(inode);
+- err = notify_change(&nop_mnt_idmap, dentry, &attrs, NULL);
+- inode_unlock(inode);
+- if (err) {
+- nfs4_put_stid(&dp->dl_stid);
+- return nfserrno(err);
+- }
+- ncf->ncf_cur_fsize = ncf->ncf_cb_fsize;
+- *size = ncf->ncf_cur_fsize;
+- *modified = true;
+- }
+- nfs4_put_stid(&dp->dl_stid);
+- return 0;
++ nfsd_stats_wdeleg_getattr_inc(nn);
++ refcount_inc(&dp->dl_stid.sc_count);
++ ncf = &dp->dl_cb_fattr;
++ nfs4_cb_getattr(&dp->dl_cb_fattr);
++ spin_unlock(&ctx->flc_lock);
++
++ wait_on_bit_timeout(&ncf->ncf_cb_flags, CB_GETATTR_BUSY,
++ TASK_INTERRUPTIBLE, NFSD_CB_GETATTR_TIMEOUT);
++ if (ncf->ncf_cb_status) {
++ /* Recall delegation only if client didn't respond */
++ status = nfserrno(nfsd_open_break_lease(inode, NFSD_MAY_READ));
++ if (status != nfserr_jukebox ||
++ !nfsd_wait_for_delegreturn(rqstp, inode))
++ goto out_status;
++ }
++ if (!ncf->ncf_file_modified &&
++ (ncf->ncf_initial_cinfo != ncf->ncf_cb_change ||
++ ncf->ncf_cur_fsize != ncf->ncf_cb_fsize))
++ ncf->ncf_file_modified = true;
++ if (ncf->ncf_file_modified) {
++ int err;
++
++ /*
++ * Per section 10.4.3 of RFC 8881, the server would
++ * not update the file's metadata with the client's
++ * modified size
++ */
++ attrs.ia_mtime = attrs.ia_ctime = current_time(inode);
++ attrs.ia_valid = ATTR_MTIME | ATTR_CTIME | ATTR_DELEG;
++ inode_lock(inode);
++ err = notify_change(&nop_mnt_idmap, dentry, &attrs, NULL);
++ inode_unlock(inode);
++ if (err) {
++ status = nfserrno(err);
++ goto out_status;
+ }
+- break;
++ ncf->ncf_cur_fsize = ncf->ncf_cb_fsize;
++ *size = ncf->ncf_cur_fsize;
++ *modified = true;
+ }
+- spin_unlock(&ctx->flc_lock);
+- return 0;
++ status = 0;
++out_status:
++ nfs4_put_stid(&dp->dl_stid);
++ return status;
+ }
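Review bot: `#define NON_NFSD_LEASE ((void *)1)` is introduced in the middle of the function body and never undefined, so the sentinel stays visible for the rest of the file. It is also stored in a `struct nfs4_delegation *` that is dereferenced a few lines later. Only the short-circuit order in `dp == NULL || dp == NON_NFSD_LEASE || dp->dl_recall.cb_clp == ...` keeps the fake pointer from being dereferenced, which deserves a comment; a separate `bool non_nfsd_lease` local would avoid the sentinel altogether. The unconditional `break` after the first non-layout lease also merits a one-line comment stating why only that entry is inspected. The function starts outside this hunk.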
+--
+2.43.0
+
--- /dev/null
+From 7c481a4ede9f723f3bb5c343aebe15b56795f1bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:08 +0900
+Subject: nilfs2: determine empty node blocks as corrupted
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 111b812d3662f3a1b831d19208f83aa711583fe6 ]
+
+Due to the nature of b-trees, nilfs2 itself and admin tools such as
+mkfs.nilfs2 will never create an intermediate b-tree node block with 0
+child nodes, nor will they delete (key, pointer)-entries that would result
+in such a state. However, it is possible that a b-tree node block is
+corrupted on the backing device and is read with 0 child nodes.
+
+Because operation is not guaranteed if the number of child nodes is 0 for
+intermediate node blocks other than the root node, modify
+nilfs_btree_node_broken(), which performs sanity checks when reading a
+b-tree node block, so that such cases will be judged as metadata
+corruption.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-3-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index d390b8ba00d45..dedd3c4808423 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -350,7 +350,7 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node,
+ if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+ level >= NILFS_BTREE_LEVEL_MAX ||
+ (flags & NILFS_BTREE_NODE_ROOT) ||
+- nchildren < 0 ||
++ nchildren <= 0 ||
+ nchildren > NILFS_BTREE_NODE_NCHILDREN_MAX(size))) {
+ nilfs_crit(inode->i_sb,
+ "bad btree node (ino=%lu, blocknr=%llu): level = %d, flags = 0x%x, nchildren = %d",
+--
+2.43.0
+
--- /dev/null
+From 9f999a5b760597fcbb3df1f3f5e2433921d4114c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:07 +0900
+Subject: nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 9403001ad65ae4f4c5de368bdda3a0636b51d51a ]
+
+Patch series "nilfs2: fix potential issues with empty b-tree nodes".
+
+This series addresses three potential issues with empty b-tree nodes that
+can occur with corrupted filesystem images, including one recently
+discovered by syzbot.
+
+This patch (of 3):
+
+If a b-tree is broken on the device, and the b-tree height is greater than
+2 (the level of the root node is greater than 1) even if the number of
+child nodes of the b-tree root is 0, a NULL pointer dereference occurs in
+nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().
+
+This is because, when the number of child nodes of the b-tree root is 0,
+nilfs_btree_do_lookup() does not set the block buffer head in any of
+path[x].bp_bh, leaving it as the initial value of NULL, but if the level
+of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),
+which accesses the buffer memory of path[x].bp_bh, is called.
+
+Fix this issue by adding a check to nilfs_btree_root_broken(), which
+performs sanity checks when reading the root node from the device, to
+detect this inconsistency.
+
+Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause
+early on.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20240902084101.138971-1-lizhi.xu@windriver.com
+Link: https://lkml.kernel.org/r/20240904081401.16682-2-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+9bff4c7b992038a7409f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9bff4c7b992038a7409f
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index 862bdf23120e8..d390b8ba00d45 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -381,7 +381,8 @@ static int nilfs_btree_root_broken(const struct nilfs_btree_node *node,
+ if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+ level >= NILFS_BTREE_LEVEL_MAX ||
+ nchildren < 0 ||
+- nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
++ nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX ||
++ (nchildren == 0 && level > NILFS_BTREE_LEVEL_NODE_MIN))) {
+ nilfs_crit(inode->i_sb,
+ "bad btree root (ino=%lu): level = %d, flags = 0x%x, nchildren = %d",
+ inode->i_ino, level, flags, nchildren);
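Review bot: The added clause `(nchildren == 0 && level > NILFS_BTREE_LEVEL_NODE_MIN)` still accepts a root with zero children at the minimum level, so any consumer that indexes `nchildren - 1` on the root has to guard for that case itself. That asymmetry is not obvious from the condition, and a short comment above it would help, for example `/* an empty root is valid only at the lowest node level; higher levels need at least one child to descend into */`. nilfs_btree_root_broken() starts and ends outside this hunk, so whether every caller already guards cannot be confirmed from here.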
+--
+2.43.0
+
--- /dev/null
+From 3968b55d184ccb3430fb1405d2e6b3edbb28f404 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:09 +0900
+Subject: nilfs2: fix potential oob read in nilfs_btree_check_delete()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit f9c96351aa6718b42a9f42eaf7adce0356bdb5e8 ]
+
+The function nilfs_btree_check_delete(), which checks whether degeneration
+to direct mapping occurs before deleting a b-tree entry, causes memory
+access outside the block buffer when retrieving the maximum key if the
+root node has no entries.
+
+This does not usually happen because b-tree mappings with 0 child nodes
+are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen
+if the b-tree root node read from a device is configured that way, so fix
+this potential issue by adding a check for that case.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-4-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index dedd3c4808423..ef5061bb56da1 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -1659,13 +1659,16 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key)
+ int nchildren, ret;
+
+ root = nilfs_btree_get_root(btree);
++ nchildren = nilfs_btree_node_get_nchildren(root);
++ if (unlikely(nchildren == 0))
++ return 0;
++
+ switch (nilfs_btree_height(btree)) {
+ case 2:
+ bh = NULL;
+ node = root;
+ break;
+ case 3:
+- nchildren = nilfs_btree_node_get_nchildren(root);
+ if (nchildren > 1)
+ return 0;
+ ptr = nilfs_btree_node_get_ptr(root, nchildren - 1,
+@@ -1674,12 +1677,12 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key)
+ if (ret < 0)
+ return ret;
+ node = (struct nilfs_btree_node *)bh->b_data;
++ nchildren = nilfs_btree_node_get_nchildren(node);
+ break;
+ default:
+ return 0;
+ }
+
+- nchildren = nilfs_btree_node_get_nchildren(node);
+ maxkey = nilfs_btree_node_get_key(node, nchildren - 1);
+ nextmaxkey = (nchildren > 1) ?
+ nilfs_btree_node_get_key(node, nchildren - 2) : 0;
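Review bot: In the `case 3` path, `nchildren` is reloaded from the child node read off the device and then used as `nchildren - 1` in nilfs_btree_node_get_key() with no zero check, while the new `unlikely(nchildren == 0)` guard in the previous hunk covers only the root. This presumably relies on the block-read sanity check rejecting non-root nodes that have no entries. If so, say it next to the reload, e.g. `/* child passed the node sanity check on read, so nchildren >= 1 here */`, or repeat the guard there and release `bh` before returning. The function continues past the end of this hunk.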
+--
+2.43.0
+
--- /dev/null
+From 8a4dc8064ffe5fb1494dde97da21d26a2b1ac451 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 14:22:07 -0700
+Subject: ntb: Force physically contiguous allocation of rx ring buffers
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+[ Upstream commit 061a785a114f159e990ea8ed8d1b7dca4b41120f ]
+
+Physical addresses under IOVA on x86 platform are mapped contiguously
+as a side effect before the patch that removed CONFIG_DMA_REMAP. The
+NTB rx buffer ring is a single chunk DMA buffer that is allocated
+against the NTB PCI device. If the receive side is using a DMA device,
+then the buffers are remapped against the DMA device before being
+submitted via the dmaengine API. This scheme becomes a problem when
+the physical memory is discontiguous. When dma_map_page() is called
+on the kernel virtual address from the dma_alloc_coherent() call, the
+new IOVA mapping no longer points to all the physical memory allocated
+due to being discontiguous. Change dma_alloc_coherent() to dma_alloc_attrs()
+in order to force DMA_ATTR_FORCE_CONTIGUOUS attribute. This is the best
+fix for the circumstance. A potential future solution may be having the DMA
+mapping API providing a way to alias an existing IOVA mapping to a new
+device perhaps.
+
+This fix is not to fix the patch pointed to by the fixes tag, but to fix
+the issue that arose in the ntb_transport driver on x86 platforms after the
+said patch is applied.
+
+Reported-by: Jerry Dai <jerry.dai@intel.com>
+Fixes: f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP")
+Tested-by: Jerry Dai <jerry.dai@intel.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/ntb_transport.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
+index f9e7847a378e7..c84fadfc63c52 100644
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -807,16 +807,29 @@ static void ntb_free_mw(struct ntb_transport_ctx *nt, int num_mw)
+ }
+
+ static int ntb_alloc_mw_buffer(struct ntb_transport_mw *mw,
+- struct device *dma_dev, size_t align)
++ struct device *ntb_dev, size_t align)
+ {
+ dma_addr_t dma_addr;
+ void *alloc_addr, *virt_addr;
+ int rc;
+
+- alloc_addr = dma_alloc_coherent(dma_dev, mw->alloc_size,
+- &dma_addr, GFP_KERNEL);
++ /*
++ * The buffer here is allocated against the NTB device. The reason to
++ * use dma_alloc_*() call is to allocate a large IOVA contiguous buffer
++ * backing the NTB BAR for the remote host to write to. During receive
++ * processing, the data is being copied out of the receive buffer to
++ * the kernel skbuff. When a DMA device is being used, dma_map_page()
++ * is called on the kvaddr of the receive buffer (from dma_alloc_*())
++ * and remapped against the DMA device. It appears to be a double
++ * DMA mapping of buffers, but first is mapped to the NTB device and
++ * second is to the DMA device. DMA_ATTR_FORCE_CONTIGUOUS is necessary
++ * in order for the later dma_map_page() to not fail.
++ */
++ alloc_addr = dma_alloc_attrs(ntb_dev, mw->alloc_size,
++ &dma_addr, GFP_KERNEL,
++ DMA_ATTR_FORCE_CONTIGUOUS);
+ if (!alloc_addr) {
+- dev_err(dma_dev, "Unable to alloc MW buff of size %zu\n",
++ dev_err(ntb_dev, "Unable to alloc MW buff of size %zu\n",
+ mw->alloc_size);
+ return -ENOMEM;
+ }
+@@ -845,7 +858,7 @@ static int ntb_alloc_mw_buffer(struct ntb_transport_mw *mw,
+ return 0;
+
+ err:
+- dma_free_coherent(dma_dev, mw->alloc_size, alloc_addr, dma_addr);
++ dma_free_coherent(ntb_dev, mw->alloc_size, alloc_addr, dma_addr);
+
+ return rc;
+ }
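Review bot: The `err:` path still releases the buffer with `dma_free_coherent()`, although the previous hunk now obtains it with `dma_alloc_attrs(..., DMA_ATTR_FORCE_CONTIGUOUS)`. Pairing the allocation with `dma_free_attrs(ntb_dev, mw->alloc_size, alloc_addr, dma_addr, DMA_ATTR_FORCE_CONTIGUOUS);` keeps the two symmetric and avoids depending on how a given DMA backend treats a free issued without the original attributes. The regular release of this buffer, likely in ntb_free_mw(), is outside the visible hunks and would need the same change.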
+--
+2.43.0
+
--- /dev/null
+From 61bd40ecb6a654018299b17bbac99507aea18eb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 20:39:27 +0800
+Subject: ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit e229897d373a87ee09ec5cc4ecd4bb2f895fc16b ]
+
+The debugfs_create_dir() function returns error pointers.
+It never returns NULL. So use IS_ERR() to check it.
+
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+index 9ab836d0d4f12..079b8cd797857 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c
++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+@@ -778,7 +778,7 @@ static void ndev_init_debugfs(struct intel_ntb_dev *ndev)
+ ndev->debugfs_dir =
+ debugfs_create_dir(pci_name(ndev->ntb.pdev),
+ debugfs_dir);
+- if (!ndev->debugfs_dir)
++ if (IS_ERR(ndev->debugfs_dir))
+ ndev->debugfs_info = NULL;
+ else
+ ndev->debugfs_info =
+--
+2.43.0
+
--- /dev/null
+From 2c2aa64538b9634450b44a23bd0f64b469526b08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Oct 2023 20:45:16 -0700
+Subject: ntb_perf: Fix printk format
+
+From: Max Hawking <maxahawking@sonnenkinder.org>
+
+[ Upstream commit 1501ae7479c8d0f66efdbfdc9ae8d6136cefbd37 ]
+
+The correct printk format is %pa or %pap, but not %pa[p].
+
+Fixes: 99a06056124d ("NTB: ntb_perf: Fix address err in perf_copy_chunk")
+Signed-off-by: Max Hawking <maxahawking@sonnenkinder.org>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/test/ntb_perf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/test/ntb_perf.c b/drivers/ntb/test/ntb_perf.c
+index 553f1f46bc664..72bc1d017a46e 100644
+--- a/drivers/ntb/test/ntb_perf.c
++++ b/drivers/ntb/test/ntb_perf.c
+@@ -1227,7 +1227,7 @@ static ssize_t perf_dbgfs_read_info(struct file *filep, char __user *ubuf,
+ "\tOut buffer addr 0x%pK\n", peer->outbuf);
+
+ pos += scnprintf(buf + pos, buf_size - pos,
+- "\tOut buff phys addr %pa[p]\n", &peer->out_phys_addr);
++ "\tOut buff phys addr %pap\n", &peer->out_phys_addr);
+
+ pos += scnprintf(buf + pos, buf_size - pos,
+ "\tOut buffer size %pa\n", &peer->outbuf_size);
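Review bot: The corrected `%pap` specifier prints `peer->out_phys_addr` as a raw physical address, while the kernel pointer on the line above goes through `%pK`, which is subject to pointer restriction. That leaves the debugfs file's permissions as the only thing limiting who can read the physical layout, and those are set outside this hunk. A comment at this scnprintf() call, such as `/* physical address is printed unmasked; this file must stay root-only */`, would record that dependency. perf_dbgfs_read_info() extends beyond the hunk on both sides.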
+--
+2.43.0
+
--- /dev/null
+From 5bb9d065fe61da62efe27b8326941f14d0b8c9bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 14:20:44 +0800
+Subject: nvdimm: Fix devs leaks in scan_labels()
+
+From: Li Zhijian <lizhijian@fujitsu.com>
+
+[ Upstream commit 62c2aa6b1f565d2fc1ec11a6e9e8336ce37a6426 ]
+
+scan_labels() leaks memory when label scanning fails and it falls back
+to just creating a default "seed" namespace for userspace to configure.
+Root can force the kernel to leak memory.
+
+Allocate the minimum resources unconditionally and release them when
+unneeded to avoid the memory leak.
+
+A kmemleak reports:
+unreferenced object 0xffff88800dda1980 (size 16):
+ comm "kworker/u10:5", pid 69, jiffies 4294671781
+ hex dump (first 16 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 0):
+ [<00000000c5dea560>] __kmalloc+0x32c/0x470
+ [<000000009ed43c83>] nd_region_register_namespaces+0x6fb/0x1120 [libnvdimm]
+ [<000000000e07a65c>] nd_region_probe+0xfe/0x210 [libnvdimm]
+ [<000000007b79ce5f>] nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]
+ [<00000000a5f3da2e>] really_probe+0xc6/0x390
+ [<00000000129e2a69>] __driver_probe_device+0x78/0x150
+ [<000000002dfed28b>] driver_probe_device+0x1e/0x90
+ [<00000000e7048de2>] __device_attach_driver+0x85/0x110
+ [<0000000032dca295>] bus_for_each_drv+0x85/0xe0
+ [<00000000391c5a7d>] __device_attach+0xbe/0x1e0
+ [<0000000026dabec0>] bus_probe_device+0x94/0xb0
+ [<00000000c590d936>] device_add+0x656/0x870
+ [<000000003d69bfaa>] nd_async_device_register+0xe/0x50 [libnvdimm]
+ [<000000003f4c52a4>] async_run_entry_fn+0x2e/0x110
+ [<00000000e201f4b0>] process_one_work+0x1ee/0x600
+ [<000000006d90d5a9>] worker_thread+0x183/0x350
+
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Fixes: 1b40e09a1232 ("libnvdimm: blk labels and namespace instantiation")
+Suggested-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Link: https://patch.msgid.link/20240819062045.1481298-1-lizhijian@fujitsu.com
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/namespace_devs.c | 34 ++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c
+index d6d558f94d6bb..35d9f3cc2efab 100644
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -1937,12 +1937,16 @@ static int cmp_dpa(const void *a, const void *b)
+ static struct device **scan_labels(struct nd_region *nd_region)
+ {
+ int i, count = 0;
+- struct device *dev, **devs = NULL;
++ struct device *dev, **devs;
+ struct nd_label_ent *label_ent, *e;
+ struct nd_mapping *nd_mapping = &nd_region->mapping[0];
+ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+ resource_size_t map_end = nd_mapping->start + nd_mapping->size - 1;
+
++ devs = kcalloc(2, sizeof(dev), GFP_KERNEL);
++ if (!devs)
++ return NULL;
++
+ /* "safe" because create_namespace_pmem() might list_move() label_ent */
+ list_for_each_entry_safe(label_ent, e, &nd_mapping->labels, list) {
+ struct nd_namespace_label *nd_label = label_ent->label;
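Review bot: The new up-front `kcalloc(2, sizeof(dev), GFP_KERNEL)` sizes the array by a different variable and does not say why two slots are needed. Meanwhile the `err:` loop in the last hunk, now without its `if (devs)` guard, depends on the array always being non-NULL and NULL-terminated. Writing it as `devs = kcalloc(2, sizeof(*devs), GFP_KERNEL);` with a comment such as `/* one namespace plus the NULL terminator that the err: loop walks to */` makes that invariant explicit. The same `sizeof(dev)` spelling is carried into the `count + 2` reallocation in the next hunk. scan_labels() continues well beyond this hunk.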
+@@ -1961,12 +1965,14 @@ static struct device **scan_labels(struct nd_region *nd_region)
+ goto err;
+ if (i < count)
+ continue;
+- __devs = kcalloc(count + 2, sizeof(dev), GFP_KERNEL);
+- if (!__devs)
+- goto err;
+- memcpy(__devs, devs, sizeof(dev) * count);
+- kfree(devs);
+- devs = __devs;
++ if (count) {
++ __devs = kcalloc(count + 2, sizeof(dev), GFP_KERNEL);
++ if (!__devs)
++ goto err;
++ memcpy(__devs, devs, sizeof(dev) * count);
++ kfree(devs);
++ devs = __devs;
++ }
+
+ dev = create_namespace_pmem(nd_region, nd_mapping, nd_label);
+ if (IS_ERR(dev)) {
+@@ -1993,11 +1999,6 @@ static struct device **scan_labels(struct nd_region *nd_region)
+
+ /* Publish a zero-sized namespace for userspace to configure. */
+ nd_mapping_free_labels(nd_mapping);
+-
+- devs = kcalloc(2, sizeof(dev), GFP_KERNEL);
+- if (!devs)
+- goto err;
+-
+ nspm = kzalloc(sizeof(*nspm), GFP_KERNEL);
+ if (!nspm)
+ goto err;
+@@ -2036,11 +2037,10 @@ static struct device **scan_labels(struct nd_region *nd_region)
+ return devs;
+
+ err:
+- if (devs) {
+- for (i = 0; devs[i]; i++)
+- namespace_pmem_release(devs[i]);
+- kfree(devs);
+- }
++ for (i = 0; devs[i]; i++)
++ namespace_pmem_release(devs[i]);
++ kfree(devs);
++
+ return NULL;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From ee84a6421f79d48a08b0de452f4db19125ba6f5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Sep 2024 14:01:22 +0200
+Subject: nvme-multipath: system fails to create generic nvme device
+
+From: Hannes Reinecke <hare@kernel.org>
+
+[ Upstream commit 63bcf9014e95a7d279d10d8e2caa5d88db2b1855 ]
+
+NVME_NSHEAD_DISK_LIVE is a flag for struct nvme_ns_head, not nvme_ns.
+The current code has a typo causing NVME_NSHEAD_DISK_LIVE never to
+be cleared once device_add_disk() fails, causing the system never to
+create the 'generic' character device. Even several rescan attempts
+will not change the situation and the system has to be rebooted to fix
+the issue.
+
+Fixes: 11384580e332 ("nvme-multipath: add error handling support for add_disk()")
+Signed-off-by: Hannes Reinecke <hare@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 03a6868f4dbc1..a47d35102b7ce 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -587,7 +587,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns)
+ rc = device_add_disk(&head->subsys->dev, head->disk,
+ nvme_ns_attr_groups);
+ if (rc) {
+- clear_bit(NVME_NSHEAD_DISK_LIVE, &ns->flags);
++ clear_bit(NVME_NSHEAD_DISK_LIVE, &head->flags);
+ return;
+ }
+ nvme_add_ns_head_cdev(head);
+--
+2.43.0
+
--- /dev/null
+From 6602dcc8abcf3240f8d3e4622d5a6b4e2a23d6d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 02:32:52 +0530
+Subject: padata: Honor the caller's alignment in case of chunk_size 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kamlesh Gurudasani <kamlesh@ti.com>
+
+[ Upstream commit 24cc57d8faaa4060fd58adf810b858fcfb71a02f ]
+
+In the case where we are forcing the ps.chunk_size to be at least 1,
+we are ignoring the caller's alignment.
+
+Move the forcing of ps.chunk_size to be at least 1 before rounding it
+up to caller's alignment, so that caller's alignment is honored.
+
+While at it, use max() to force the ps.chunk_size to be at least 1 to
+improve readability.
+
+Fixes: 6d45e1c948a8 ("padata: Fix possible divide-by-0 panic in padata_mt_helper()")
+Signed-off-by: Kamlesh Gurudasani <kamlesh@ti.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 0fa6c28954603..9e98afe72a334 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -512,9 +512,12 @@ void __init padata_do_multithreaded(struct padata_mt_job *job)
+ * thread function. Load balance large jobs between threads by
+ * increasing the number of chunks, guarantee at least the minimum
+ * chunk size from the caller, and honor the caller's alignment.
++ * Ensure chunk_size is at least 1 to prevent divide-by-0
++ * panic in padata_mt_helper().
+ */
+ ps.chunk_size = job->size / (ps.nworks * load_balance_factor);
+ ps.chunk_size = max(ps.chunk_size, job->min_chunk);
++ ps.chunk_size = max(ps.chunk_size, 1ul);
+ ps.chunk_size = roundup(ps.chunk_size, job->align);
+
+ /*
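Review bot: The new `max(ps.chunk_size, 1ul)` closes the zero chunk size case, but the `roundup(ps.chunk_size, job->align)` on the following line divides by `job->align`, so an alignment of 0 would fault in the same way. No check of `job->align` is visible in this hunk. If callers are required to pass a non-zero alignment, the comment block should say so, e.g. `* job->align must be non-zero.`; otherwise clamp it before rounding with `max(job->align, 1ul)`. The function body extends beyond the hunk on both sides.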
+--
+2.43.0
+
--- /dev/null
+From 6657dd83e955ce2d62f1cb13fdb78007f4f98487 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 18:53:26 -0500
+Subject: PCI: keystone: Fix if-statement expression in ks_pcie_quirk()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 6188a1c762eb9bbd444f47696eda77a5eae6207a ]
+
+This code accidentally uses && where || was intended. It potentially
+results in a NULL dereference.
+
+Thus, fix the if-statement expression to use the correct condition.
+
+Fixes: 86f271f22bbb ("PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)")
+Link: https://lore.kernel.org/linux-pci/1b762a93-e1b2-4af3-8c04-c8843905c279@stanley.mountain
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
+index 483c954065135..d911f0e521da0 100644
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -577,7 +577,7 @@ static void ks_pcie_quirk(struct pci_dev *dev)
+ */
+ if (pci_match_id(am6_pci_devids, bridge)) {
+ bridge_dev = pci_get_host_bridge_device(dev);
+- if (!bridge_dev && !bridge_dev->parent)
++ if (!bridge_dev || !bridge_dev->parent)
+ return;
+
+ ks_pcie = dev_get_drvdata(bridge_dev->parent);
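Review bot: With the condition corrected to `||`, the early `return` can now be taken with a non-NULL `bridge_dev` whose `parent` is NULL, and nothing on that path releases what `pci_get_host_bridge_device(dev)` returned. If that helper takes a reference, as its name and the matching `pci_put_host_bridge_device()` suggest, the return leaks it. Splitting the test so that the `!bridge_dev->parent` branch calls `pci_put_host_bridge_device(bridge_dev);` before returning would fix that. Whether the later exits of ks_pcie_quirk() drop the reference cannot be seen from this hunk.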
+--
+2.43.0
+
--- /dev/null
+From 693cd9b1bab49c757c6fd80a3774c518c85e911c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:58:23 +0300
+Subject: PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexandra Diupina <adiupina@astralinux.ru>
+
+[ Upstream commit c500a86693a126c9393e602741e348f80f1b0fc5 ]
+
+Within kirin_pcie_parse_port(), the pcie->num_slots is compared to
+pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead
+to an overflow.
+
+Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
+pcie->num_slots increment below the if-statement to avoid out-of-bounds
+array access.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
+Link: https://lore.kernel.org/linux-pci/20240903115823.30647-1-adiupina@astralinux.ru
+Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
+index d5523f3021024..deab1e653b9a3 100644
+--- a/drivers/pci/controller/dwc/pcie-kirin.c
++++ b/drivers/pci/controller/dwc/pcie-kirin.c
+@@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
+ if (pcie->gpio_id_reset[i] < 0)
+ continue;
+
+- pcie->num_slots++;
+- if (pcie->num_slots > MAX_PCI_SLOTS) {
++ if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
+ dev_err(dev, "Too many PCI slots!\n");
+ ret = -EINVAL;
+ goto put_node;
+ }
++ pcie->num_slots++;
+
+ ret = of_pci_get_devfn(child);
+ if (ret < 0) {
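Review bot: The bound `pcie->num_slots + 1 >= MAX_PCI_SLOTS` reads as off by one, since it refuses the slot that would fill the last array element. It looks intentional only if `gpio_id_reset[i]` is written with `i` taken from `num_slots` at the top of the loop, before this check runs; that assignment is above the hunk. A comment would stop someone from loosening it again, for example `/* gpio_id_reset[num_slots] is written before this check on the next pass, so num_slots must stay below MAX_PCI_SLOTS */`.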
+--
+2.43.0
+
--- /dev/null
+From d33681a09efd01eff3d5251d1d313460137d0ceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 13:53:19 +0530
+Subject: PCI: qcom-ep: Enable controller resources like PHY only after refclk
+ is available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit d3745e3ae6c0eec517d431be926742b6e8b9b64a ]
+
+qcom_pcie_enable_resources() is called by qcom_pcie_ep_probe() and it
+enables the controller resources like clocks, regulator, PHY. On one of the
+new unreleased Qcom SoC, PHY enablement depends on the active refclk. And
+on all of the supported Qcom endpoint SoCs, refclk comes from the host
+(RC). So calling qcom_pcie_enable_resources() without refclk causes the
+NoC (Network On Chip) error in the endpoint SoC and in turn results in a
+whole SoC crash and rebooting into EDL (Emergency Download) mode which is
+an unrecoverable state.
+
+But qcom_pcie_enable_resources() is already called by
+qcom_pcie_perst_deassert() when PERST# is deasserted, and refclk is
+available at that time.
+
+Hence, remove the unnecessary call to qcom_pcie_enable_resources() from
+qcom_pcie_ep_probe() to prevent the above mentioned crash.
+
+It should be noted that this commit prevents the crash only under normal
+working condition (booting endpoint before host), but the crash may also
+occur if PERST# assert happens at the wrong time. For avoiding the crash
+completely, it is recommended to use SRIS mode which allows the endpoint
+SoC to generate its own refclk. The driver is not supporting SRIS mode
+currently, but will be added in the future.
+
+Fixes: 869bc5253406 ("PCI: dwc: ep: Fix DBI access failure for drivers requiring refclk from host")
+Link: https://lore.kernel.org/linux-pci/20240830082319.51387-1-manivannan.sadhasivam@linaro.org
+Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom-ep.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-qcom-ep.c b/drivers/pci/controller/dwc/pcie-qcom-ep.c
+index 50b1635e3cbb1..26cab226bccf4 100644
+--- a/drivers/pci/controller/dwc/pcie-qcom-ep.c
++++ b/drivers/pci/controller/dwc/pcie-qcom-ep.c
+@@ -816,21 +816,15 @@ static int qcom_pcie_ep_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
+- ret = qcom_pcie_enable_resources(pcie_ep);
+- if (ret) {
+- dev_err(dev, "Failed to enable resources: %d\n", ret);
+- return ret;
+- }
+-
+ ret = dw_pcie_ep_init(&pcie_ep->pci.ep);
+ if (ret) {
+ dev_err(dev, "Failed to initialize endpoint: %d\n", ret);
+- goto err_disable_resources;
++ return ret;
+ }
+
+ ret = qcom_pcie_ep_enable_irq_resources(pdev, pcie_ep);
+ if (ret)
+- goto err_disable_resources;
++ goto err_ep_deinit;
+
+ name = devm_kasprintf(dev, GFP_KERNEL, "%pOFP", dev->of_node);
+ if (!name) {
+@@ -847,8 +841,8 @@ static int qcom_pcie_ep_probe(struct platform_device *pdev)
+ disable_irq(pcie_ep->global_irq);
+ disable_irq(pcie_ep->perst_irq);
+
+-err_disable_resources:
+- qcom_pcie_disable_resources(pcie_ep);
++err_ep_deinit:
++ dw_pcie_ep_deinit(&pcie_ep->pci.ep);
+
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 2a1bd1733eba80063e859c413e02c29af9d060f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Aug 2024 15:17:07 +0300
+Subject: PCI: Wait for Link before restoring Downstream Buses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 3e40aa29d47e231a54640addf6a09c1f64c5b63f ]
+
+__pci_reset_bus() calls pci_bridge_secondary_bus_reset() to perform the
+reset and also waits for the Secondary Bus to become again accessible.
+__pci_reset_bus() then calls pci_bus_restore_locked() that restores the PCI
+devices connected to the bus, and if necessary, recursively restores also
+the subordinate buses and their devices.
+
+The logic in pci_bus_restore_locked() does not take into account that after
+restoring a device on one level, there might be another Link Downstream
+that can only start to come up after restore has been performed for its
+Downstream Port device. That is, the Link may require additional wait until
+it becomes accessible.
+
+Similarly, pci_slot_restore_locked() lacks wait.
+
+Amend pci_bus_restore_locked() and pci_slot_restore_locked() to wait for
+the Secondary Bus before recursively performing the restore of that bus.
+
+Fixes: 090a3c5322e9 ("PCI: Add pci_reset_slot() and pci_reset_bus()")
+Link: https://lore.kernel.org/r/20240808121708.2523-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 8db214d4b1d46..c20ce49eecc94 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5598,8 +5598,10 @@ static void pci_bus_restore_locked(struct pci_bus *bus)
+
+ list_for_each_entry(dev, &bus->devices, bus_list) {
+ pci_dev_restore(dev);
+- if (dev->subordinate)
++ if (dev->subordinate) {
++ pci_bridge_wait_for_secondary_bus(dev, "bus reset");
+ pci_bus_restore_locked(dev->subordinate);
++ }
+ }
+ }
+
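Review bot: Both new calls to `pci_bridge_wait_for_secondary_bus()`, here with "bus reset" and in pci_slot_restore_locked() with "slot reset", discard its return value, so `pci_bus_restore_locked(dev->subordinate)` runs even when the wait reports that the secondary bus did not become accessible. Restoring devices behind a link that is still down is unlikely to do anything useful. Consider `if (pci_bridge_wait_for_secondary_bus(dev, "bus reset")) continue;`, or at least a comment stating that a failed wait is deliberately ignored.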
+@@ -5633,8 +5635,10 @@ static void pci_slot_restore_locked(struct pci_slot *slot)
+ if (!dev->slot || dev->slot != slot)
+ continue;
+ pci_dev_restore(dev);
+- if (dev->subordinate)
++ if (dev->subordinate) {
++ pci_bridge_wait_for_secondary_bus(dev, "slot reset");
+ pci_bus_restore_locked(dev->subordinate);
++ }
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From d0ce9304dc34811ada90add572bcc85d550b6554 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 12:13:35 -0400
+Subject: PCI: xilinx-nwl: Clean up clock on probe failure/removal
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit cfd67903977b13f63340a4eb5a1cc890994f2c62 ]
+
+Make sure we turn off the clock on probe failure and device removal.
+
+Fixes: de0a01f52966 ("PCI: xilinx-nwl: Enable the clock through CCF")
+Link: https://lore.kernel.org/r/20240531161337.864994-6-sean.anderson@linux.dev
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-xilinx-nwl.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c
+index 1e15852153d6c..2f1bb2e8a840e 100644
+--- a/drivers/pci/controller/pcie-xilinx-nwl.c
++++ b/drivers/pci/controller/pcie-xilinx-nwl.c
+@@ -779,6 +779,7 @@ static int nwl_pcie_probe(struct platform_device *pdev)
+ return -ENODEV;
+
+ pcie = pci_host_bridge_priv(bridge);
++ platform_set_drvdata(pdev, pcie);
+
+ pcie->dev = dev;
+
+@@ -801,13 +802,13 @@ static int nwl_pcie_probe(struct platform_device *pdev)
+ err = nwl_pcie_bridge_init(pcie);
+ if (err) {
+ dev_err(dev, "HW Initialization failed\n");
+- return err;
++ goto err_clk;
+ }
+
+ err = nwl_pcie_init_irq_domain(pcie);
+ if (err) {
+ dev_err(dev, "Failed creating IRQ Domain\n");
+- return err;
++ goto err_clk;
+ }
+
+ bridge->sysdata = pcie;
+@@ -817,11 +818,24 @@ static int nwl_pcie_probe(struct platform_device *pdev)
+ err = nwl_pcie_enable_msi(pcie);
+ if (err < 0) {
+ dev_err(dev, "failed to enable MSI support: %d\n", err);
+- return err;
++ goto err_clk;
+ }
+ }
+
+- return pci_host_probe(bridge);
++ err = pci_host_probe(bridge);
++ if (!err)
++ return 0;
++
++err_clk:
++ clk_disable_unprepare(pcie->clk);
++ return err;
++}
++
++static void nwl_pcie_remove(struct platform_device *pdev)
++{
++ struct nwl_pcie *pcie = platform_get_drvdata(pdev);
++
++ clk_disable_unprepare(pcie->clk);
+ }
+
+ static struct platform_driver nwl_pcie_driver = {
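Review bot: nwl_pcie_remove() only calls `clk_disable_unprepare(pcie->clk)`, and nothing in this hunk stops or removes the root bus that `pci_host_probe(bridge)` registered. If unbinding is reachable for this driver, the PCI core could still issue config accesses to a controller whose clock is off. The `err_clk` path has the same shape: it is also taken after nwl_pcie_init_irq_domain() and nwl_pcie_enable_msi() have run, and only the clock is undone there; whether those helpers need explicit teardown is not visible from the hunk. Either tear the bridge down before the clock goes away (get the bridge with `pci_host_bridge_from_priv(pcie)` and call `pci_stop_root_bus()` / `pci_remove_root_bus()` on its bus), or state in a comment above nwl_pcie_remove() that unbind is prevented (for example by `suppress_bind_attrs`). nwl_pcie_probe() starts outside this hunk.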
+@@ -831,5 +845,6 @@ static struct platform_driver nwl_pcie_driver = {
+ .of_match_table = nwl_pcie_of_match,
+ },
+ .probe = nwl_pcie_probe,
++ .remove_new = nwl_pcie_remove,
+ };
+ builtin_platform_driver(nwl_pcie_driver);
+--
+2.43.0
+
--- /dev/null
+From e84bfe98a54bf24cde909fdc1ef87aa39911b68d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 12:13:33 -0400
+Subject: PCI: xilinx-nwl: Fix register misspelling
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit a437027ae1730b8dc379c75fa0dd7d3036917400 ]
+
+MSIC -> MISC
+
+Fixes: c2a7ff18edcd ("PCI: xilinx-nwl: Expand error logging")
+Link: https://lore.kernel.org/r/20240531161337.864994-4-sean.anderson@linux.dev
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-xilinx-nwl.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c
+index 0408f4d612b5a..1e15852153d6c 100644
+--- a/drivers/pci/controller/pcie-xilinx-nwl.c
++++ b/drivers/pci/controller/pcie-xilinx-nwl.c
+@@ -80,8 +80,8 @@
+ #define MSGF_MISC_SR_NON_FATAL_DEV BIT(22)
+ #define MSGF_MISC_SR_FATAL_DEV BIT(23)
+ #define MSGF_MISC_SR_LINK_DOWN BIT(24)
+-#define MSGF_MSIC_SR_LINK_AUTO_BWIDTH BIT(25)
+-#define MSGF_MSIC_SR_LINK_BWIDTH BIT(26)
++#define MSGF_MISC_SR_LINK_AUTO_BWIDTH BIT(25)
++#define MSGF_MISC_SR_LINK_BWIDTH BIT(26)
+
+ #define MSGF_MISC_SR_MASKALL (MSGF_MISC_SR_RXMSG_AVAIL | \
+ MSGF_MISC_SR_RXMSG_OVER | \
+@@ -96,8 +96,8 @@
+ MSGF_MISC_SR_NON_FATAL_DEV | \
+ MSGF_MISC_SR_FATAL_DEV | \
+ MSGF_MISC_SR_LINK_DOWN | \
+- MSGF_MSIC_SR_LINK_AUTO_BWIDTH | \
+- MSGF_MSIC_SR_LINK_BWIDTH)
++ MSGF_MISC_SR_LINK_AUTO_BWIDTH | \
++ MSGF_MISC_SR_LINK_BWIDTH)
+
+ /* Legacy interrupt status mask bits */
+ #define MSGF_LEG_SR_INTA BIT(0)
+@@ -299,10 +299,10 @@ static irqreturn_t nwl_pcie_misc_handler(int irq, void *data)
+ if (misc_stat & MSGF_MISC_SR_FATAL_DEV)
+ dev_err(dev, "Fatal Error Detected\n");
+
+- if (misc_stat & MSGF_MSIC_SR_LINK_AUTO_BWIDTH)
++ if (misc_stat & MSGF_MISC_SR_LINK_AUTO_BWIDTH)
+ dev_info(dev, "Link Autonomous Bandwidth Management Status bit set\n");
+
+- if (misc_stat & MSGF_MSIC_SR_LINK_BWIDTH)
++ if (misc_stat & MSGF_MISC_SR_LINK_BWIDTH)
+ dev_info(dev, "Link Bandwidth Management Status bit set\n");
+
+ /* Clear misc interrupt status */
+--
+2.43.0
+
--- /dev/null
+From cf41db6c3eeb99a2adadf95c3f95ade7fca8eda6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 16:58:32 -0700
+Subject: perf annotate-data: Fix off-by-one in location range check
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 3ab0b8b238b5130ae3fa37ddaa329fc0e93b6b9a ]
+
+The location list will have entries with half-open addressing like
+[start, end) which means it doesn't include the end address. So it
+should skip entries at the end address and match to the next entry.
+
+An example location list looks like this (from readelf -wo):
+
+ 00237876 ffffffff8110d32b (base address)
+ 0023787f v000000000000000 v000000000000002 views at 00237868 for:
+ ffffffff8110d32b ffffffff8110d4eb (DW_OP_reg3 (rbx)) <<<--- 1
+ 00237885 v000000000000002 v000000000000000 views at 0023786a for:
+ ffffffff8110d4eb ffffffff8110d50b (DW_OP_reg14 (r14)) <<<--- 2
+ 0023788c v000000000000000 v000000000000001 views at 0023786c for:
+ ffffffff8110d50b ffffffff8110d7c4 (DW_OP_reg3 (rbx))
+ 00237893 v000000000000000 v000000000000000 views at 0023786e for:
+ ffffffff8110d806 ffffffff8110d854 (DW_OP_reg3 (rbx))
+ 0023789a v000000000000000 v000000000000000 views at 00237870 for:
+ ffffffff8110d876 ffffffff8110d88e (DW_OP_reg3 (rbx))
+
+The first entry at 0023787f has [8110d32b, 8110d4eb) (omitting the
+ffffffff at the beginning), and the second one has [8110d4eb, 8110d50b).
+
+Fixes: 2bc3cf575a162a2c ("perf annotate-data: Improve debug message with location info")
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240816235840.2754937-3-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate-data.c | 2 +-
+ tools/perf/util/dwarf-aux.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/annotate-data.c b/tools/perf/util/annotate-data.c
+index 965da6c0b5427..79c1f2ae7affd 100644
+--- a/tools/perf/util/annotate-data.c
++++ b/tools/perf/util/annotate-data.c
+@@ -104,7 +104,7 @@ static void pr_debug_location(Dwarf_Die *die, u64 pc, int reg)
+ return;
+
+ while ((off = dwarf_getlocations(&attr, off, &base, &start, &end, &ops, &nops)) > 0) {
+- if (reg != DWARF_REG_PC && end < pc)
++ if (reg != DWARF_REG_PC && end <= pc)
+ continue;
+ if (reg != DWARF_REG_PC && start > pc)
+ break;
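Review bot: The `end <= pc` comparison in pr_debug_location() relies on location-list entries being half-open `[start, end)`, but nothing next to the check says so, which is how the off-by-one got in. The same applies to the matching check in __die_find_var_reg_cb() in the dwarf-aux.c hunk below. I would add `/* entries are half-open: [start, end) does not include end */` above both `continue` checks. Both loops now apply the same range filter over dwarf_getlocations(), so a shared helper would keep them from drifting apart again. The enclosing function starts and ends outside the hunk.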
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index e7de5045c43a7..0e7d2060740df 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1444,7 +1444,7 @@ static int __die_find_var_reg_cb(Dwarf_Die *die_mem, void *arg)
+
+ while ((off = dwarf_getlocations(&attr, off, &base, &start, &end, &ops, &nops)) > 0) {
+ /* Assuming the location list is sorted by address */
+- if (end < data->pc)
++ if (end <= data->pc)
+ continue;
+ if (start > data->pc)
+ break;
+--
+2.43.0
+
--- /dev/null
+From cb8e8bfcf0438ab06ee1ca9c5bcd07ac7a4a4dd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 18:51:59 +0100
+Subject: perf/arm-cmn: Ensure dtm_idx is big enough
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 359414b33e00bae91e4eabf3e4ef8e76024c7673 ]
+
+While CMN_MAX_DIMENSION was bumped to 12 for CMN-650, that only supports
+up to a 10x10 mesh, so bumping dtm_idx to 256 bits at the time worked
+out OK in practice. However CMN-700 did finally support up to 144 XPs,
+and thus needs a worst-case 288 bits of dtm_idx for an aggregated XP
+event on a maxed-out config. Oops.
+
+Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/e771b358526a0d7fc06efee2c3a2fdc0c9f51d44.1725296395.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm-cmn.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c
+index f33fd110081c3..058ea798b669b 100644
+--- a/drivers/perf/arm-cmn.c
++++ b/drivers/perf/arm-cmn.c
+@@ -35,6 +35,9 @@
+ #define CMN_MAX_XPS (CMN_MAX_DIMENSION * CMN_MAX_DIMENSION)
+ #define CMN_MAX_DTMS (CMN_MAX_XPS + (CMN_MAX_DIMENSION - 1) * 4)
+
++/* Currently XPs are the node type we can have most of; others top out at 128 */
++#define CMN_MAX_NODES_PER_EVENT CMN_MAX_XPS
++
+ /* The CFG node has various info besides the discovery tree */
+ #define CMN_CFGM_PERIPH_ID_01 0x0008
+ #define CMN_CFGM_PID0_PART_0 GENMASK_ULL(7, 0)
+@@ -565,7 +568,7 @@ static void arm_cmn_debugfs_init(struct arm_cmn *cmn, int id) {}
+
+ struct arm_cmn_hw_event {
+ struct arm_cmn_node *dn;
+- u64 dtm_idx[4];
++ u64 dtm_idx[DIV_ROUND_UP(CMN_MAX_NODES_PER_EVENT * 2, 64)];
+ s8 dtc_idx[CMN_MAX_DTCS];
+ u8 num_dns;
+ u8 dtm_offset;
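Review bot: The `* 2` in `dtm_idx[DIV_ROUND_UP(CMN_MAX_NODES_PER_EVENT * 2, 64)]` is an unexplained magic number. Going by the commit message (144 XPs needing 288 bits) it is the number of index bits stored per node, and the old `u64 dtm_idx[4]` was too small precisely because that relationship was implicit. A field comment such as `/* 2 bits of DTM counter index per node, packed */` would make the sizing auditable. Ideally the width would be a named constant shared with the code that packs and unpacks dtm_idx (not visible in this hunk), so a change on either side cannot silently write past the array. struct arm_cmn_hw_event continues outside the hunk.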
+--
+2.43.0
+
--- /dev/null
+From 995f92a4531a725e3f7316eba6fb77b1cb1752d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 18:51:58 +0100
+Subject: perf/arm-cmn: Fix CCLA register offset
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 88b63a82c84ed9bbcbdefb10cb6f75dd1dd04887 ]
+
+Apparently pmu_event_sel is offset by 8 for all CCLA nodes, not just
+the CCLA_RNI combination type.
+
+Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support")
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/6e7bb06fef6046f83e7647aad0e5be544139763f.1725296395.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm-cmn.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c
+index 6cd4fd9667aa6..f33fd110081c3 100644
+--- a/drivers/perf/arm-cmn.c
++++ b/drivers/perf/arm-cmn.c
+@@ -70,7 +70,8 @@
+ /* Technically this is 4 bits wide on DNs, but we only use 2 there anyway */
+ #define CMN__PMU_OCCUP1_ID GENMASK_ULL(34, 32)
+
+-/* HN-Ps are weird... */
++/* Some types are designed to coexist with another device in the same node */
++#define CMN_CCLA_PMU_EVENT_SEL 0x008
+ #define CMN_HNP_PMU_EVENT_SEL 0x008
+
+ /* DTMs live in the PMU space of XP registers */
+@@ -2323,10 +2324,13 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset)
+ case CMN_TYPE_CXHA:
+ case CMN_TYPE_CCRA:
+ case CMN_TYPE_CCHA:
+- case CMN_TYPE_CCLA:
+ case CMN_TYPE_HNS:
+ dn++;
+ break;
++ case CMN_TYPE_CCLA:
++ dn->pmu_base += CMN_CCLA_PMU_EVENT_SEL;
++ dn++;
++ break;
+ /* Nothing to see here */
+ case CMN_TYPE_MPAM_S:
+ case CMN_TYPE_MPAM_NS:
+@@ -2344,7 +2348,7 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset)
+ case CMN_TYPE_HNP:
+ case CMN_TYPE_CCLA_RNI:
+ dn[1] = dn[0];
+- dn[0].pmu_base += CMN_HNP_PMU_EVENT_SEL;
++ dn[0].pmu_base += CMN_CCLA_PMU_EVENT_SEL;
+ dn[1].type = arm_cmn_subtype(dn->type);
+ dn += 2;
+ break;
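Review bot: The shared `case CMN_TYPE_HNP:` / `case CMN_TYPE_CCLA_RNI:` branch now adds `CMN_CCLA_PMU_EVENT_SEL`, so an HN-P node takes its offset from a constant named for CCLA. `CMN_HNP_PMU_EVENT_SEL`, which the first hunk keeps defined, has no remaining use in the lines shown. Both are 0x008 so behaviour is unchanged, but the naming now misleads. Either drop the HNP define (if nothing outside these hunks uses it) or fold the two into one neutrally named constant, and note above the case that the offset applies to every type that shares a node with another device. arm_cmn_discover() starts and ends outside the hunk.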
+--
+2.43.0
+
--- /dev/null
+From 00358dc54d3d4e170100d50c69d0b10b050d3fbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 18:51:57 +0100
+Subject: perf/arm-cmn: Refactor node ID handling. Again.
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit e79634b53e398966c49f803c49701bc74dc3ccf8 ]
+
+The scope of the "extra device ports" configuration is not made clear by
+the CMN documentation - so far we've assumed it applies globally, based
+on the sole example which suggests as much. However it transpires that
+this is incorrect, and the format does in fact vary based on each
+individual XP's port configuration. As a consequence, we're currenly
+liable to decode the port/device indices from a node ID incorrectly,
+thus program the wrong event source in the DTM leading to bogus event
+counts, and also show device topology on the wrong ports in debugfs.
+
+To put this right, rework node IDs yet again to carry around the
+additional data necessary to decode them properly per-XP. At this point
+the notion of fully decomposing an ID becomes more impractical than it's
+worth, so unabstracting the XY mesh coordinates (where 2/3 users were
+just debug anyway) ends up leaving things a bit simpler overall.
+
+Fixes: 60d1504070c2 ("perf/arm-cmn: Support new IP features")
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/5195f990152fc37adba5fbf5929a6b11063d9f09.1725296395.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm-cmn.c | 94 ++++++++++++++++++------------------------
+ 1 file changed, 40 insertions(+), 54 deletions(-)
+
+diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c
+index e26ad1d3ed0bb..6cd4fd9667aa6 100644
+--- a/drivers/perf/arm-cmn.c
++++ b/drivers/perf/arm-cmn.c
+@@ -24,14 +24,6 @@
+ #define CMN_NI_NODE_ID GENMASK_ULL(31, 16)
+ #define CMN_NI_LOGICAL_ID GENMASK_ULL(47, 32)
+
+-#define CMN_NODEID_DEVID(reg) ((reg) & 3)
+-#define CMN_NODEID_EXT_DEVID(reg) ((reg) & 1)
+-#define CMN_NODEID_PID(reg) (((reg) >> 2) & 1)
+-#define CMN_NODEID_EXT_PID(reg) (((reg) >> 1) & 3)
+-#define CMN_NODEID_1x1_PID(reg) (((reg) >> 2) & 7)
+-#define CMN_NODEID_X(reg, bits) ((reg) >> (3 + (bits)))
+-#define CMN_NODEID_Y(reg, bits) (((reg) >> 3) & ((1U << (bits)) - 1))
+-
+ #define CMN_CHILD_INFO 0x0080
+ #define CMN_CI_CHILD_COUNT GENMASK_ULL(15, 0)
+ #define CMN_CI_CHILD_PTR_OFFSET GENMASK_ULL(31, 16)
+@@ -281,8 +273,11 @@ struct arm_cmn_node {
+ u16 id, logid;
+ enum cmn_node_type type;
+
++ /* XP properties really, but replicated to children for convenience */
+ u8 dtm;
+ s8 dtc;
++ u8 portid_bits:4;
++ u8 deviceid_bits:4;
+ /* DN/HN-F/CXHA */
+ struct {
+ u8 val : 4;
+@@ -358,49 +353,33 @@ struct arm_cmn {
+ static int arm_cmn_hp_state;
+
+ struct arm_cmn_nodeid {
+- u8 x;
+- u8 y;
+ u8 port;
+ u8 dev;
+ };
+
+ static int arm_cmn_xyidbits(const struct arm_cmn *cmn)
+ {
+- return fls((cmn->mesh_x - 1) | (cmn->mesh_y - 1) | 2);
++ return fls((cmn->mesh_x - 1) | (cmn->mesh_y - 1));
+ }
+
+-static struct arm_cmn_nodeid arm_cmn_nid(const struct arm_cmn *cmn, u16 id)
++static struct arm_cmn_nodeid arm_cmn_nid(const struct arm_cmn_node *dn)
+ {
+ struct arm_cmn_nodeid nid;
+
+- if (cmn->num_xps == 1) {
+- nid.x = 0;
+- nid.y = 0;
+- nid.port = CMN_NODEID_1x1_PID(id);
+- nid.dev = CMN_NODEID_DEVID(id);
+- } else {
+- int bits = arm_cmn_xyidbits(cmn);
+-
+- nid.x = CMN_NODEID_X(id, bits);
+- nid.y = CMN_NODEID_Y(id, bits);
+- if (cmn->ports_used & 0xc) {
+- nid.port = CMN_NODEID_EXT_PID(id);
+- nid.dev = CMN_NODEID_EXT_DEVID(id);
+- } else {
+- nid.port = CMN_NODEID_PID(id);
+- nid.dev = CMN_NODEID_DEVID(id);
+- }
+- }
++ nid.dev = dn->id & ((1U << dn->deviceid_bits) - 1);
++ nid.port = (dn->id >> dn->deviceid_bits) & ((1U << dn->portid_bits) - 1);
+ return nid;
+ }
+
+ static struct arm_cmn_node *arm_cmn_node_to_xp(const struct arm_cmn *cmn,
+ const struct arm_cmn_node *dn)
+ {
+- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id);
+- int xp_idx = cmn->mesh_x * nid.y + nid.x;
++ int id = dn->id >> (dn->portid_bits + dn->deviceid_bits);
++ int bits = arm_cmn_xyidbits(cmn);
++ int x = id >> bits;
++ int y = id & ((1U << bits) - 1);
+
+- return cmn->xps + xp_idx;
++ return cmn->xps + cmn->mesh_x * y + x;
+ }
+ static struct arm_cmn_node *arm_cmn_node(const struct arm_cmn *cmn,
+ enum cmn_node_type type)
+@@ -486,13 +465,13 @@ static const char *arm_cmn_device_type(u8 type)
+ }
+ }
+
+-static void arm_cmn_show_logid(struct seq_file *s, int x, int y, int p, int d)
++static void arm_cmn_show_logid(struct seq_file *s, const struct arm_cmn_node *xp, int p, int d)
+ {
+ struct arm_cmn *cmn = s->private;
+ struct arm_cmn_node *dn;
++ u16 id = xp->id | d | (p << xp->deviceid_bits);
+
+ for (dn = cmn->dns; dn->type; dn++) {
+- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id);
+ int pad = dn->logid < 10;
+
+ if (dn->type == CMN_TYPE_XP)
+@@ -501,7 +480,7 @@ static void arm_cmn_show_logid(struct seq_file *s, int x, int y, int p, int d)
+ if (dn->type < CMN_TYPE_HNI)
+ continue;
+
+- if (nid.x != x || nid.y != y || nid.port != p || nid.dev != d)
++ if (dn->id != id)
+ continue;
+
+ seq_printf(s, " %*c#%-*d |", pad + 1, ' ', 3 - pad, dn->logid);
+@@ -522,6 +501,7 @@ static int arm_cmn_map_show(struct seq_file *s, void *data)
+ y = cmn->mesh_y;
+ while (y--) {
+ int xp_base = cmn->mesh_x * y;
++ struct arm_cmn_node *xp = cmn->xps + xp_base;
+ u8 port[CMN_MAX_PORTS][CMN_MAX_DIMENSION];
+
+ for (x = 0; x < cmn->mesh_x; x++)
+@@ -529,16 +509,14 @@ static int arm_cmn_map_show(struct seq_file *s, void *data)
+
+ seq_printf(s, "\n%-2d |", y);
+ for (x = 0; x < cmn->mesh_x; x++) {
+- struct arm_cmn_node *xp = cmn->xps + xp_base + x;
+-
+ for (p = 0; p < CMN_MAX_PORTS; p++)
+- port[p][x] = arm_cmn_device_connect_info(cmn, xp, p);
++ port[p][x] = arm_cmn_device_connect_info(cmn, xp + x, p);
+ seq_printf(s, " XP #%-3d|", xp_base + x);
+ }
+
+ seq_puts(s, "\n |");
+ for (x = 0; x < cmn->mesh_x; x++) {
+- s8 dtc = cmn->xps[xp_base + x].dtc;
++ s8 dtc = xp[x].dtc;
+
+ if (dtc < 0)
+ seq_puts(s, " DTC ?? |");
+@@ -555,10 +533,10 @@ static int arm_cmn_map_show(struct seq_file *s, void *data)
+ seq_puts(s, arm_cmn_device_type(port[p][x]));
+ seq_puts(s, "\n 0|");
+ for (x = 0; x < cmn->mesh_x; x++)
+- arm_cmn_show_logid(s, x, y, p, 0);
++ arm_cmn_show_logid(s, xp + x, p, 0);
+ seq_puts(s, "\n 1|");
+ for (x = 0; x < cmn->mesh_x; x++)
+- arm_cmn_show_logid(s, x, y, p, 1);
++ arm_cmn_show_logid(s, xp + x, p, 1);
+ }
+ seq_puts(s, "\n-----+");
+ }
+@@ -1753,10 +1731,7 @@ static int arm_cmn_event_init(struct perf_event *event)
+ }
+
+ if (!hw->num_dns) {
+- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, nodeid);
+-
+- dev_dbg(cmn->dev, "invalid node 0x%x (%d,%d,%d,%d) type 0x%x\n",
+- nodeid, nid.x, nid.y, nid.port, nid.dev, type);
++ dev_dbg(cmn->dev, "invalid node 0x%x type 0x%x\n", nodeid, type);
+ return -EINVAL;
+ }
+
+@@ -1851,7 +1826,7 @@ static int arm_cmn_event_add(struct perf_event *event, int flags)
+ dtm->wp_event[wp_idx] = hw->dtc_idx[d];
+ writel_relaxed(cfg, dtm->base + CMN_DTM_WPn_CONFIG(wp_idx));
+ } else {
+- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id);
++ struct arm_cmn_nodeid nid = arm_cmn_nid(dn);
+
+ if (cmn->multi_dtm)
+ nid.port %= 2;
+@@ -2098,10 +2073,12 @@ static int arm_cmn_init_dtcs(struct arm_cmn *cmn)
+ continue;
+
+ xp = arm_cmn_node_to_xp(cmn, dn);
++ dn->portid_bits = xp->portid_bits;
++ dn->deviceid_bits = xp->deviceid_bits;
+ dn->dtc = xp->dtc;
+ dn->dtm = xp->dtm;
+ if (cmn->multi_dtm)
+- dn->dtm += arm_cmn_nid(cmn, dn->id).port / 2;
++ dn->dtm += arm_cmn_nid(dn).port / 2;
+
+ if (dn->type == CMN_TYPE_DTC) {
+ int err = arm_cmn_init_dtc(cmn, dn, dtc_idx++);
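Review bot: `xp = arm_cmn_node_to_xp(cmn, dn)` runs before `dn->portid_bits` and `dn->deviceid_bits` are assigned on the next two lines, yet the reworked arm_cmn_node_to_xp() (earlier hunk) computes `dn->id >> (dn->portid_bits + dn->deviceid_bits)` from those very fields. In the lines shown, only XPs get the bits set in arm_cmn_discover(). For a child node the shift would then presumably be zero, the port/device bits would leak into the X/Y decode, and `cmn->xps + cmn->mesh_x * y + x` could point at the wrong XP or past the array. Unless the fields are populated somewhere outside these hunks, set them when each child node is created in arm_cmn_discover(), with `dn->portid_bits = xp->portid_bits;` and `dn->deviceid_bits = xp->deviceid_bits;`, rather than after the lookup that needs them. The loop in arm_cmn_init_dtcs() starts and ends outside the hunk.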
+@@ -2271,18 +2248,27 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset)
+ arm_cmn_init_dtm(dtm++, xp, 0);
+ /*
+ * Keeping track of connected ports will let us filter out
+- * unnecessary XP events easily. We can also reliably infer the
+- * "extra device ports" configuration for the node ID format
+- * from this, since in that case we will see at least one XP
+- * with port 2 connected, for the HN-D.
++ * unnecessary XP events easily, and also infer the per-XP
++ * part of the node ID format.
+ */
+ for (int p = 0; p < CMN_MAX_PORTS; p++)
+ if (arm_cmn_device_connect_info(cmn, xp, p))
+ xp_ports |= BIT(p);
+
+- if (cmn->multi_dtm && (xp_ports & 0xc))
++ if (cmn->num_xps == 1) {
++ xp->portid_bits = 3;
++ xp->deviceid_bits = 2;
++ } else if (xp_ports > 0x3) {
++ xp->portid_bits = 2;
++ xp->deviceid_bits = 1;
++ } else {
++ xp->portid_bits = 1;
++ xp->deviceid_bits = 2;
++ }
++
++ if (cmn->multi_dtm && (xp_ports > 0x3))
+ arm_cmn_init_dtm(dtm++, xp, 1);
+- if (cmn->multi_dtm && (xp_ports & 0x30))
++ if (cmn->multi_dtm && (xp_ports > 0xf))
+ arm_cmn_init_dtm(dtm++, xp, 2);
+
+ cmn->ports_used |= xp_ports;
+--
+2.43.0
+
--- /dev/null
+From dfc8f940a5f28b4c63377c9e149f4651566c5fa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 10:36:24 -0300
+Subject: perf build: Fix up broken capstone feature detection fast path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 4c55560f23d19051adc7e76818687a88448bef83 ]
+
+The capstone devel headers define 'struct bpf_insn' in a way that clashes with
+what is in the libbpf devel headers, so we so far need to avoid including both.
+
+This is happening on the tools/build/feature/test-all.c file, where we try
+building all the expected set of libraries to be normally available on a
+system:
+
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output
+ In file included from test-bpf.c:3,
+ from test-all.c:150:
+ /home/acme/git/perf-tools-next/tools/include/uapi/linux/bpf.h:77:8: error: ‘bpf_insn’ defined as wrong kind of tag
+ 77 | struct bpf_insn {
+ | ^~~~~~~~
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output
+
+When doing so there is a trick where we define main to be
+main_test_libcapstone, then include the individual
+tools/build/feture/test-libcapstone.c capability query test, and then we undef
+'main' because we'll do it all over again with the next expected library to
+be tested (at this time 'lzma').
+
+To complete this mechanism we need to, in test-all.c 'main' routine, to
+call main_test_libcapstone(), which isn't being done, so the effect of
+adding references to capstone in test-all.c are not achieved.
+
+The only thing that is happening is that test-all.c is failing to build and thus
+all the tests will have to be done individually, which nullifies the test-all.c
+single build speedup.
+
+So lets remove references to capstone from test-all.c to see if this makes it
+build again so that we get faster builds or go on fixing up whatever is
+preventing us to get that benefit.
+
+Nothing: after this fix we get a clean test-all.c build and get the build speedup back:
+
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.
+ test-all.bin test-all.d test-all.make.output
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output
+ ⬢[acme@toolbox perf-tools-next]$ ldd /tmp/build/perf-tools-next/feature/test-all.bin
+ linux-vdso.so.1 (0x00007f13277a1000)
+ libpython3.12.so.1.0 => /lib64/libpython3.12.so.1.0 (0x00007f1326e00000)
+ libm.so.6 => /lib64/libm.so.6 (0x00007f13274be000)
+ libtraceevent.so.1 => /lib64/libtraceevent.so.1 (0x00007f1327496000)
+ libtracefs.so.1 => /lib64/libtracefs.so.1 (0x00007f132746f000)
+ libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f1326800000)
+ libunwind-x86_64.so.8 => /lib64/libunwind-x86_64.so.8 (0x00007f1327452000)
+ libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f1327436000)
+ liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f1327403000)
+ libdw.so.1 => /lib64/libdw.so.1 (0x00007f1326d6f000)
+ libz.so.1 => /lib64/libz.so.1 (0x00007f13273e2000)
+ libelf.so.1 => /lib64/libelf.so.1 (0x00007f1326d53000)
+ libnuma.so.1 => /lib64/libnuma.so.1 (0x00007f13273d4000)
+ libslang.so.2 => /lib64/libslang.so.2 (0x00007f1326400000)
+ libperl.so.5.38 => /lib64/libperl.so.5.38 (0x00007f1326000000)
+ libc.so.6 => /lib64/libc.so.6 (0x00007f1325e0f000)
+ libzstd.so.1 => /lib64/libzstd.so.1 (0x00007f1326741000)
+ /lib64/ld-linux-x86-64.so.2 (0x00007f13277a3000)
+ libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f1326d3f000)
+ libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f1326d07000)
+ ⬢[acme@toolbox perf-tools-next]$
+
+And when having capstone-devel installed we get it detected and linked with
+perf, allowing us to benefit from the features that it enables:
+
+ ⬢[acme@toolbox perf-tools-next]$ rpm -q capstone-devel
+ capstone-devel-5.0.1-3.fc40.x86_64
+ ⬢[acme@toolbox perf-tools-next]$ ldd /tmp/build/perf-tools-next/perf | grep capstone
+ libcapstone.so.5 => /lib64/libcapstone.so.5 (0x00007fe6a5c00000)
+ ⬢[acme@toolbox perf-tools-next]$ /tmp/build/perf-tools-next/perf -vv | grep cap
+ libcapstone: [ on ] # HAVE_LIBCAPSTONE_SUPPORT
+ ⬢[acme@toolbox perf-tools-next]$
+
+Fixes: 8b767db3309595a2 ("perf: build: introduce the libcapstone")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Changbin Du <changbin.du@huawei.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/lkml/Zry0sepD5Ppa5YKP@x1
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/build/feature/test-all.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/tools/build/feature/test-all.c b/tools/build/feature/test-all.c
+index dd0a18c2ef8fc..6f4bf386a3b5c 100644
+--- a/tools/build/feature/test-all.c
++++ b/tools/build/feature/test-all.c
+@@ -134,10 +134,6 @@
+ #undef main
+ #endif
+
+-#define main main_test_libcapstone
+-# include "test-libcapstone.c"
+-#undef main
+-
+ #define main main_test_lzma
+ # include "test-lzma.c"
+ #undef main
+--
+2.43.0
+
--- /dev/null
+From 6091acf3330051b01657197038f25b295dad43da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 22:46:43 -0700
+Subject: perf callchain: Fix stitch LBR memory leaks
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 599c19397b17d197fc1184bbc950f163a292efc9 ]
+
+The 'struct callchain_cursor_node' has a 'struct map_symbol' whose maps
+and map members are reference counted. Ensure these values use a _get
+routine to increment the reference counts and use map_symbol__exit() to
+release the reference counts.
+
+Do similar for 'struct thread's prev_lbr_cursor, but save the size of
+the prev_lbr_cursor array so that it may be iterated.
+
+Ensure that when stitch_nodes are placed on the free list the
+map_symbols are exited.
+
+Fix resolve_lbr_callchain_sample() by replacing list_replace_init() to
+list_splice_init(), so the whole list is moved and nodes aren't leaked.
+
+A reproduction of the memory leaks is possible with a leak sanitizer
+build in the perf report command of:
+
+ ```
+ $ perf record -e cycles --call-graph lbr perf test -w thloop
+ $ perf report --stitch-lbr
+ ```
+
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Fixes: ff165628d72644e3 ("perf callchain: Stitch LBR call stack")
+Signed-off-by: Ian Rogers <irogers@google.com>
+[ Basic tests after applying the patch, repeating the example above ]
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Anne Macedo <retpolanne@posteo.net>
+Cc: Changbin Du <changbin.du@huawei.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240808054644.1286065-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 17 +++++++++++++++--
+ tools/perf/util/thread.c | 4 ++++
+ tools/perf/util/thread.h | 1 +
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index 8477edefc2997..706be5e4a0761 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2270,8 +2270,12 @@ static void save_lbr_cursor_node(struct thread *thread,
+ cursor->curr = cursor->first;
+ else
+ cursor->curr = cursor->curr->next;
++
++ map_symbol__exit(&lbr_stitch->prev_lbr_cursor[idx].ms);
+ memcpy(&lbr_stitch->prev_lbr_cursor[idx], cursor->curr,
+ sizeof(struct callchain_cursor_node));
++ lbr_stitch->prev_lbr_cursor[idx].ms.maps = maps__get(cursor->curr->ms.maps);
++ lbr_stitch->prev_lbr_cursor[idx].ms.map = map__get(cursor->curr->ms.map);
+
+ lbr_stitch->prev_lbr_cursor[idx].valid = true;
+ cursor->pos++;
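Review bot: The copy in save_lbr_cursor_node() is a raw `memcpy()` of a struct holding reference-counted pointers, patched up afterwards with `maps__get()` / `map__get()`, and the same three-step sequence is repeated in has_stitched_lbr() in the next hunk. Between the memcpy and the two assignments the destination holds pointers it does not own, and any future copy site that forgets the fix-up reintroduces the leak or an unbalanced put. A small static helper that copies and takes the references in one place would keep acquisition paired with `map_symbol__exit()`; the caller here would still release the old slot first. save_lbr_cursor_node() starts outside the hunk.

```c
/* Copy a cursor node and take the copy's own references on ms.maps and ms.map. */
static void lbr_cursor_node__copy(struct callchain_cursor_node *dst,
				  struct callchain_cursor_node *src)
{
	memcpy(dst, src, sizeof(*dst));
	dst->ms.maps = maps__get(src->ms.maps);
	dst->ms.map = map__get(src->ms.map);
}

/* ... unchanged: cursor->curr advance in save_lbr_cursor_node() ... */
	map_symbol__exit(&lbr_stitch->prev_lbr_cursor[idx].ms);
	lbr_cursor_node__copy(&lbr_stitch->prev_lbr_cursor[idx], cursor->curr);
```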
+@@ -2482,6 +2486,9 @@ static bool has_stitched_lbr(struct thread *thread,
+ memcpy(&stitch_node->cursor, &lbr_stitch->prev_lbr_cursor[i],
+ sizeof(struct callchain_cursor_node));
+
++ stitch_node->cursor.ms.maps = maps__get(lbr_stitch->prev_lbr_cursor[i].ms.maps);
++ stitch_node->cursor.ms.map = map__get(lbr_stitch->prev_lbr_cursor[i].ms.map);
++
+ if (callee)
+ list_add(&stitch_node->node, &lbr_stitch->lists);
+ else
+@@ -2505,6 +2512,8 @@ static bool alloc_lbr_stitch(struct thread *thread, unsigned int max_lbr)
+ if (!thread__lbr_stitch(thread)->prev_lbr_cursor)
+ goto free_lbr_stitch;
+
++ thread__lbr_stitch(thread)->prev_lbr_cursor_size = max_lbr + 1;
++
+ INIT_LIST_HEAD(&thread__lbr_stitch(thread)->lists);
+ INIT_LIST_HEAD(&thread__lbr_stitch(thread)->free_lists);
+
+@@ -2560,8 +2569,12 @@ static int resolve_lbr_callchain_sample(struct thread *thread,
+ max_lbr, callee);
+
+ if (!stitched_lbr && !list_empty(&lbr_stitch->lists)) {
+- list_replace_init(&lbr_stitch->lists,
+- &lbr_stitch->free_lists);
++ struct stitch_list *stitch_node;
++
++ list_for_each_entry(stitch_node, &lbr_stitch->lists, node)
++ map_symbol__exit(&stitch_node->cursor.ms);
++
++ list_splice_init(&lbr_stitch->lists, &lbr_stitch->free_lists);
+ }
+ memcpy(&lbr_stitch->prev_sample, sample, sizeof(*sample));
+ }
+diff --git a/tools/perf/util/thread.c b/tools/perf/util/thread.c
+index 87c59aa9fe38b..0ffdd52d86d70 100644
+--- a/tools/perf/util/thread.c
++++ b/tools/perf/util/thread.c
+@@ -476,6 +476,7 @@ void thread__free_stitch_list(struct thread *thread)
+ return;
+
+ list_for_each_entry_safe(pos, tmp, &lbr_stitch->lists, node) {
++ map_symbol__exit(&pos->cursor.ms);
+ list_del_init(&pos->node);
+ free(pos);
+ }
+@@ -485,6 +486,9 @@ void thread__free_stitch_list(struct thread *thread)
+ free(pos);
+ }
+
++ for (unsigned int i = 0 ; i < lbr_stitch->prev_lbr_cursor_size; i++)
++ map_symbol__exit(&lbr_stitch->prev_lbr_cursor[i].ms);
++
+ zfree(&lbr_stitch->prev_lbr_cursor);
+ free(thread__lbr_stitch(thread));
+ thread__set_lbr_stitch(thread, NULL);
+diff --git a/tools/perf/util/thread.h b/tools/perf/util/thread.h
+index 8b4a3c69bad19..6cbf6eb2812e0 100644
+--- a/tools/perf/util/thread.h
++++ b/tools/perf/util/thread.h
+@@ -26,6 +26,7 @@ struct lbr_stitch {
+ struct list_head free_lists;
+ struct perf_sample prev_sample;
+ struct callchain_cursor_node *prev_lbr_cursor;
++ unsigned int prev_lbr_cursor_size;
+ };
+
+ DECLARE_RC_STRUCT(thread) {
+--
+2.43.0
+
--- /dev/null
+From d7b641a84475a10c013c6097ef80e982040836a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 16:58:31 -0700
+Subject: perf dwarf-aux: Check allowed location expressions when collecting
+ variables
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit e8bb03ed6850c6ed4ce2f1600ea73401fc2ebd95 ]
+
+It missed to call check_allowed_ops() in __die_collect_vars_cb() so it
+can take variables with complex location expression incorrectly.
+
+For example, I found some variable has this expression.
+
+ 015d8df8 ffffffff81aacfb3 (base address)
+ 015d8e01 v000000000000004 v000000000000000 views at 015d8df2 for:
+ ffffffff81aacfb3 ffffffff81aacfd2 (DW_OP_fbreg: -176; DW_OP_deref;
+ DW_OP_plus_uconst: 332; DW_OP_deref_size: 4;
+ DW_OP_lit1; DW_OP_shra; DW_OP_const1u: 64;
+ DW_OP_minus; DW_OP_stack_value)
+ 015d8e14 v000000000000000 v000000000000000 views at 015d8df4 for:
+ ffffffff81aacfd2 ffffffff81aacfd7 (DW_OP_reg3 (rbx))
+ 015d8e19 v000000000000000 v000000000000000 views at 015d8df6 for:
+ ffffffff81aacfd7 ffffffff81aad020 (DW_OP_fbreg: -176; DW_OP_deref;
+ DW_OP_plus_uconst: 332; DW_OP_deref_size: 4;
+ DW_OP_lit1; DW_OP_shra; DW_OP_const1u: 64;
+ DW_OP_minus; DW_OP_stack_value)
+ 015d8e2c <End of list>
+
+It looks like '((int *)(-176(%rbp) + 332) >> 1) - 64' but the current
+code thought it's just -176(%rbp) and processed the variable incorrectly.
+It should reject such a complex expression if check_allowed_ops()
+doesn't like it. :)
+
+Fixes: 932dcc2c39aedf54 ("perf dwarf-aux: Add die_collect_vars()")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240816235840.2754937-2-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 44ef968a7ad33..e7de5045c43a7 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1598,6 +1598,9 @@ static int __die_collect_vars_cb(Dwarf_Die *die_mem, void *arg)
+ if (dwarf_getlocations(&attr, 0, &base, &start, &end, &ops, &nops) <= 0)
+ return DIE_FIND_CB_SIBLING;
+
++ if (!check_allowed_ops(ops, nops))
++ return DIE_FIND_CB_SIBLING;
++
+ if (die_get_real_type(die_mem, &type_die) == NULL)
+ return DIE_FIND_CB_SIBLING;
+
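Review bot: The added `check_allowed_ops(ops, nops)` test only covers the single expression returned by `dwarf_getlocations(&attr, 0, ...)`, so a variable whose location list has several ranges is accepted or rejected on that first entry alone. The commit message's own example is such a list, with a plain `DW_OP_reg3` range between two complex ones. If later code in `__die_collect_vars_cb()` assumes the checked expression holds for the whole variable, that should be stated or the remaining entries checked as well; the rest of the function is outside the hunk, so this needs confirming. A short comment above the new check would help, e.g. `/* skip variables whose location expression is too complex to track */`.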
+--
+2.43.0
+
--- /dev/null
+From 88af328ccb862d7065a262fe4225195284c03459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 16:26:25 -0700
+Subject: perf dwarf-aux: Handle bitfield members from pointer access
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit a11b4222bb579dcf9646f3c4ecd2212ae762a2c8 ]
+
+The __die_find_member_offset_cb() missed to handle bitfield members
+which don't have DW_AT_data_member_location. Like in adding member
+types in __add_member_cb() it should fallback to check the bit offset
+when it resolves the member type for an offset.
+
+Fixes: 437683a9941891c1 ("perf dwarf-aux: Handle type transfer for memory access")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240821232628.353177-2-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 0e7d2060740df..1b0e59f4d8e93 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1977,8 +1977,15 @@ static int __die_find_member_offset_cb(Dwarf_Die *die_mem, void *arg)
+ return DIE_FIND_CB_SIBLING;
+
+ /* Unions might not have location */
+- if (die_get_data_member_location(die_mem, &loc) < 0)
+- loc = 0;
++ if (die_get_data_member_location(die_mem, &loc) < 0) {
++ Dwarf_Attribute attr;
++
++ if (dwarf_attr_integrate(die_mem, DW_AT_data_bit_offset, &attr) &&
++ dwarf_formudata(&attr, &loc) == 0)
++ loc /= 8;
++ else
++ loc = 0;
++ }
+
+ if (offset == loc)
+ return DIE_FIND_CB_END;
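Review bot: The comment `/* Unions might not have location */` above the changed branch is now incomplete, because the branch also handles bitfield members through `DW_AT_data_bit_offset`. I would update it to `/* Unions and bitfield members might not have DW_AT_data_member_location */`. Note also that `loc /= 8` discards the bit remainder, so several bitfields packed into the same byte all yield the same `loc`, and the `offset == loc` test below then ends the search on the first of them. If that is the intended behaviour, a one-line comment saying so would prevent a later "fix". `__die_find_member_offset_cb()` starts and ends outside this hunk.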
+--
+2.43.0
+
--- /dev/null
+From 0953602d34668120a05aa2e2f28cce56497a3e01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 20:47:22 +0530
+Subject: perf/dwc_pcie: Always register for PCIe bus notifier
+
+From: Krishna chaitanya chundru <quic_krichai@quicinc.com>
+
+[ Upstream commit b94b05478fb6a09033bf70c6edd03f8930a0fe24 ]
+
+When the PCIe devices are discovered late, the driver can't find
+the PCIe devices and returns from init without registering with
+the bus notifier. As a result, the driver never registers the
+devices that are discovered late.
+
+Register for bus notifier & driver even if the device is not found
+as part of init.
+
+Fixes: af9597adc2f1 ("drivers/perf: add DesignWare PCIe PMU driver")
+Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
+Reviewed-by: Yicong Yang <yangyicong@hisilicon.com>
+Link: https://lore.kernel.org/r/20240816-dwc_pmu_fix-v2-3-198b8ab1077c@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/dwc_pcie_pmu.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
+index 85a5155d60180..f205ecad2e4c0 100644
+--- a/drivers/perf/dwc_pcie_pmu.c
++++ b/drivers/perf/dwc_pcie_pmu.c
+@@ -726,7 +726,6 @@ static struct platform_driver dwc_pcie_pmu_driver = {
+ static int __init dwc_pcie_pmu_init(void)
+ {
+ struct pci_dev *pdev = NULL;
+- bool found = false;
+ int ret;
+
+ for_each_pci_dev(pdev) {
+@@ -738,11 +737,7 @@ static int __init dwc_pcie_pmu_init(void)
+ pci_dev_put(pdev);
+ return ret;
+ }
+-
+- found = true;
+ }
+- if (!found)
+- return -ENODEV;
+
+ ret = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN,
+ "perf/dwc_pcie_pmu:online",
+--
+2.43.0
+
--- /dev/null
+From 5ce62cffbc136de88c84b078771d15523220d7a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 20:47:20 +0530
+Subject: perf/dwc_pcie: Fix registration issue in multi PCIe controller
+ instances
+
+From: Krishna chaitanya chundru <quic_krichai@quicinc.com>
+
+[ Upstream commit e669388537c472142804eb5a0449cc23d5409694 ]
+
+When there are multiple instances of PCIe controllers, registration
+with the perf driver fails with this error:
+sysfs: cannot create duplicate filename '/devices/platform/dwc_pcie_pmu.0'
+CPU: 0 PID: 166 Comm: modprobe Not tainted 6.10.0-rc2-next-20240607-dirty
+Hardware name: Qualcomm SA8775P Ride (DT)
+Call trace:
+ dump_backtrace.part.8+0x98/0xf0
+ show_stack+0x14/0x1c
+ dump_stack_lvl+0x74/0x88
+ dump_stack+0x14/0x1c
+ sysfs_warn_dup+0x60/0x78
+ sysfs_create_dir_ns+0xe8/0x100
+ kobject_add_internal+0x94/0x224
+ kobject_add+0xa8/0x118
+ device_add+0x298/0x7b4
+ platform_device_add+0x1a0/0x228
+ platform_device_register_full+0x11c/0x148
+ dwc_pcie_register_dev+0x74/0xf0 [dwc_pcie_pmu]
+ dwc_pcie_pmu_init+0x7c/0x1000 [dwc_pcie_pmu]
+ do_one_initcall+0x58/0x1c0
+ do_init_module+0x58/0x208
+ load_module+0x1804/0x188c
+ __do_sys_init_module+0x18c/0x1f0
+ __arm64_sys_init_module+0x14/0x1c
+ invoke_syscall+0x40/0xf8
+ el0_svc_common.constprop.1+0x70/0xf4
+ do_el0_svc+0x18/0x20
+ el0_svc+0x28/0xb0
+ el0t_64_sync_handler+0x9c/0xc0
+ el0t_64_sync+0x160/0x164
+kobject: kobject_add_internal failed for dwc_pcie_pmu.0 with -EEXIST,
+don't try to register things with the same name in the same directory.
+
+This is because of having same bdf value for devices under two different
+controllers.
+
+Update the logic to use sbdf which is a unique number in case of
+multi instance also.
+
+Fixes: af9597adc2f1 ("drivers/perf: add DesignWare PCIe PMU driver")
+Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
+Reviewed-by: Yicong Yang <yangyicong@hisilicon.com>
+Link: https://lore.kernel.org/r/20240816-dwc_pmu_fix-v2-1-198b8ab1077c@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/dwc_pcie_pmu.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
+index c5e328f238419..85a5155d60180 100644
+--- a/drivers/perf/dwc_pcie_pmu.c
++++ b/drivers/perf/dwc_pcie_pmu.c
+@@ -556,10 +556,10 @@ static int dwc_pcie_register_dev(struct pci_dev *pdev)
+ {
+ struct platform_device *plat_dev;
+ struct dwc_pcie_dev_info *dev_info;
+- u32 bdf;
++ u32 sbdf;
+
+- bdf = PCI_DEVID(pdev->bus->number, pdev->devfn);
+- plat_dev = platform_device_register_data(NULL, "dwc_pcie_pmu", bdf,
++ sbdf = (pci_domain_nr(pdev->bus) << 16) | PCI_DEVID(pdev->bus->number, pdev->devfn);
++ plat_dev = platform_device_register_data(NULL, "dwc_pcie_pmu", sbdf,
+ pdev, sizeof(*pdev));
+
+ if (IS_ERR(plat_dev))
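Review bot: In `dwc_pcie_register_dev()` the expression `pci_domain_nr(pdev->bus) << 16` shifts a signed `int`, and the result is then handed to `platform_device_register_data()` as its `int id`. A domain number of 0x8000 or above would set the sign bit, and negative ids are reserved for `PLATFORM_DEVID_NONE` and `PLATFORM_DEVID_AUTO`. A domain wider than 16 bits would also lose its upper bits and could collide again. At minimum I would make the shift unsigned, `sbdf = ((u32)pci_domain_nr(pdev->bus) << 16) | PCI_DEVID(pdev->bus->number, pdev->devfn);`, and add a comment that the id assumes a domain below 0x8000. Whether larger domains occur on DesignWare platforms cannot be told from the hunk.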
+@@ -611,15 +611,15 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
+ struct pci_dev *pdev = plat_dev->dev.platform_data;
+ struct dwc_pcie_pmu *pcie_pmu;
+ char *name;
+- u32 bdf, val;
++ u32 sbdf, val;
+ u16 vsec;
+ int ret;
+
+ vsec = pci_find_vsec_capability(pdev, pdev->vendor,
+ DWC_PCIE_VSEC_RAS_DES_ID);
+ pci_read_config_dword(pdev, vsec + PCI_VNDR_HEADER, &val);
+- bdf = PCI_DEVID(pdev->bus->number, pdev->devfn);
+- name = devm_kasprintf(&plat_dev->dev, GFP_KERNEL, "dwc_rootport_%x", bdf);
++ sbdf = plat_dev->id;
++ name = devm_kasprintf(&plat_dev->dev, GFP_KERNEL, "dwc_rootport_%x", sbdf);
+ if (!name)
+ return -ENOMEM;
+
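Review bot: `sbdf = plat_dev->id;` in `dwc_pcie_pmu_probe()` relies silently on `dwc_pcie_register_dev()` having encoded domain and bdf into the platform device id, and it stores an `int` in a `u32` that is then printed with `%x`. A comment such as `/* id is (domain << 16) | bdf, set in dwc_pcie_register_dev() */` would make that coupling visible. The user-visible PMU name `dwc_rootport_%x` now carries the domain in its upper digits on any non-zero domain, so documentation or scripts that build the name from the bdf alone should be checked. The function continues outside the hunk.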
+@@ -650,7 +650,7 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
+ ret = cpuhp_state_add_instance(dwc_pcie_pmu_hp_state,
+ &pcie_pmu->cpuhp_node);
+ if (ret) {
+- pci_err(pdev, "Error %d registering hotplug @%x\n", ret, bdf);
++ pci_err(pdev, "Error %d registering hotplug @%x\n", ret, sbdf);
+ return ret;
+ }
+
+@@ -663,7 +663,7 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
+
+ ret = perf_pmu_register(&pcie_pmu->pmu, name, -1);
+ if (ret) {
+- pci_err(pdev, "Error %d registering PMU @%x\n", ret, bdf);
++ pci_err(pdev, "Error %d registering PMU @%x\n", ret, sbdf);
+ return ret;
+ }
+ ret = devm_add_action_or_reset(&plat_dev->dev, dwc_pcie_unregister_pmu,
+--
+2.43.0
+
--- /dev/null
+From 060849dfa774704bf7d34009a75175207ab57797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 15:06:20 -0700
+Subject: perf inject: Fix leader sampling inserting additional samples
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 79bcd34e0f3da39fda841406ccc957405e724852 ]
+
+The processing of leader samples would turn an individual sample with
+a group of read values into multiple samples. 'perf inject' would pass
+through the additional samples increasing the output data file size:
+
+ $ perf record -g -e "{instructions,cycles}:S" -o perf.orig.data true
+ $ perf script -D -i perf.orig.data | sed -e 's/perf.orig.data/perf.data/g' > orig.txt
+ $ perf inject -i perf.orig.data -o perf.new.data
+ $ perf script -D -i perf.new.data | sed -e 's/perf.new.data/perf.data/g' > new.txt
+ $ diff -u orig.txt new.txt
+ --- orig.txt 2024-07-29 14:29:40.606576769 -0700
+ +++ new.txt 2024-07-29 14:30:04.142737434 -0700
+ ...
+ -0xc550@perf.data [0x30]: event: 3
+ +0xc550@perf.data [0xd0]: event: 9
+ +.
+ +. ... raw event: size 208 bytes
+ +. 0000: 09 00 00 00 01 00 d0 00 fc 72 01 86 ff ff ff ff .........r......
+ +. 0010: 74 7d 2c 00 74 7d 2c 00 fb c3 79 f9 ba d5 05 00 t},.t},...y.....
+ +. 0020: e6 cb 1a 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
+ +. 0030: 02 00 00 00 00 00 00 00 76 01 00 00 00 00 00 00 ........v.......
+ +. 0040: e6 cb 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ +. 0050: 62 18 00 00 00 00 00 00 f6 cb 1a 00 00 00 00 00 b...............
+ +. 0060: 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 ................
+ +. 0070: 80 ff ff ff ff ff ff ff fc 72 01 86 ff ff ff ff .........r......
+ +. 0080: f3 0e 6e 85 ff ff ff ff 0c cb 7f 85 ff ff ff ff ..n.............
+ +. 0090: bc f2 87 85 ff ff ff ff 44 af 7f 85 ff ff ff ff ........D.......
+ +. 00a0: bd be 7f 85 ff ff ff ff 26 d0 7f 85 ff ff ff ff ........&.......
+ +. 00b0: 6d a4 ff 85 ff ff ff ff ea 00 20 86 ff ff ff ff m......... .....
+ +. 00c0: 00 fe ff ff ff ff ff ff 57 14 4f 43 fc 7e 00 00 ........W.OC.~..
+ +
+ +1642373909693435 0xc550 [0xd0]: PERF_RECORD_SAMPLE(IP, 0x1): 2915700/2915700: 0xffffffff860172fc period: 1 addr: 0
+ +... FP chain: nr:12
+ +..... 0: ffffffffffffff80
+ +..... 1: ffffffff860172fc
+ +..... 2: ffffffff856e0ef3
+ +..... 3: ffffffff857fcb0c
+ +..... 4: ffffffff8587f2bc
+ +..... 5: ffffffff857faf44
+ +..... 6: ffffffff857fbebd
+ +..... 7: ffffffff857fd026
+ +..... 8: ffffffff85ffa46d
+ +..... 9: ffffffff862000ea
+ +..... 10: fffffffffffffe00
+ +..... 11: 00007efc434f1457
+ +... sample_read:
+ +.... group nr 2
+ +..... id 00000000001acbe6, value 0000000000000176, lost 0
+ +..... id 00000000001acbf6, value 0000000000001862, lost 0
+ +
+ +0xc620@perf.data [0x30]: event: 3
+ ...
+
+This behavior is incorrect as in the case above 'perf inject' should
+have done nothing. Fix this behavior by disabling separating samples
+for a tool that requests it. Only request this for `perf inject` so as
+to not affect other perf tools. With the patch and the test above
+there are no differences between the orig.txt and new.txt.
+
+Fixes: e4caec0d1af3d608 ("perf evsel: Add PERF_SAMPLE_READ sample related processing")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240729220620.2957754-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-inject.c | 1 +
+ tools/perf/util/session.c | 3 +++
+ tools/perf/util/tool.h | 1 +
+ 3 files changed, 5 insertions(+)
+
+diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
+index a212678d47beb..c80fb0f60e611 100644
+--- a/tools/perf/builtin-inject.c
++++ b/tools/perf/builtin-inject.c
+@@ -2204,6 +2204,7 @@ int cmd_inject(int argc, const char **argv)
+ .finished_init = perf_event__repipe_op2_synth,
+ .compressed = perf_event__repipe_op4_synth,
+ .auxtrace = perf_event__repipe_auxtrace,
++ .dont_split_sample_group = true,
+ },
+ .input_name = "-",
+ .samples = LIST_HEAD_INIT(inject.samples),
+diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
+index a10343b9dcd41..1457cd5288abc 100644
+--- a/tools/perf/util/session.c
++++ b/tools/perf/util/session.c
+@@ -1511,6 +1511,9 @@ static int deliver_sample_group(struct evlist *evlist,
+ int ret = -EINVAL;
+ struct sample_read_value *v = sample->read.group.values;
+
++ if (tool->dont_split_sample_group)
++ return deliver_sample_value(evlist, tool, event, sample, v, machine);
++
+ sample_read_group__for_each(v, sample->read.group.nr, read_format) {
+ ret = deliver_sample_value(evlist, tool, event, sample, v,
+ machine);
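Review bot: The new early return in `deliver_sample_group()` passes `v = sample->read.group.values` to `deliver_sample_value()` without looking at `sample->read.group.nr`, whereas the loop below is bounded by that count. For a sample whose group holds no values, taken from a perf.data file that `perf inject` treats as input, `v` would not refer to a valid entry. Whether earlier parsing already rejects `nr == 0` is not visible here. I would guard the shortcut, `if (tool->dont_split_sample_group && sample->read.group.nr)`, so the empty case still falls through to the existing `-EINVAL` path. A comment that only the first group value is delivered in this mode would also help.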
+diff --git a/tools/perf/util/tool.h b/tools/perf/util/tool.h
+index c957fb849ac63..62bbc9cec151b 100644
+--- a/tools/perf/util/tool.h
++++ b/tools/perf/util/tool.h
+@@ -85,6 +85,7 @@ struct perf_tool {
+ bool namespace_events;
+ bool cgroup_events;
+ bool no_warn;
++ bool dont_split_sample_group;
+ enum show_feature_header show_feat_hdr;
+ };
+
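Review bot: The new `dont_split_sample_group` member of `struct perf_tool` is undocumented, and its negative name makes the default (`false` means "split") easy to misread. I would add a comment on the field, e.g. `bool dont_split_sample_group; /* deliver a PERF_SAMPLE_READ group as one sample, not one per member */`. The wording is taken from the commit message and should be confirmed against `deliver_sample_group()`.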
+--
+2.43.0
+
--- /dev/null
+From 7760441d3e6dea392547fcc784206ffe85d0a4d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 10:25:33 -0700
+Subject: perf lock contention: Change stack_id type to s32
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 040c0f887fdcfe747a3f63c94e9cd29e9ed0b872 ]
+
+The bpf_get_stackid() helper returns a signed type to check whether it
+failed to get a stacktrace or not. But it saved the result in u32 and
+checked if the value is negative.
+
+ 376 if (needs_callstack) {
+ 377 pelem->stack_id = bpf_get_stackid(ctx, &stacks,
+ 378 BPF_F_FAST_STACK_CMP | stack_skip);
+ --> 379 if (pelem->stack_id < 0)
+
+ ./tools/perf/util/bpf_skel/lock_contention.bpf.c:379 contention_begin()
+ warn: unsigned 'pelem->stack_id' is never less than zero.
+
+Let's change the type to s32 instead.
+
+Fixes: 6d499a6b3d90277d ("perf lock: Print the number of lost entries for BPF")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240812172533.2015291-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/bpf_skel/lock_data.h | 4 ++--
+ tools/perf/util/bpf_skel/vmlinux/vmlinux.h | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/bpf_skel/lock_data.h b/tools/perf/util/bpf_skel/lock_data.h
+index 36af11faad03c..de12892f992f8 100644
+--- a/tools/perf/util/bpf_skel/lock_data.h
++++ b/tools/perf/util/bpf_skel/lock_data.h
+@@ -7,11 +7,11 @@ struct tstamp_data {
+ u64 timestamp;
+ u64 lock;
+ u32 flags;
+- u32 stack_id;
++ s32 stack_id;
+ };
+
+ struct contention_key {
+- u32 stack_id;
++ s32 stack_id;
+ u32 pid;
+ u64 lock_addr_or_cgroup;
+ };
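Review bot: Both `stack_id` fields become `s32`, but nothing in `struct tstamp_data` or `struct contention_key` says that a negative value is a failed `bpf_get_stackid()` call rather than a valid id. I would note that on the field, e.g. `s32 stack_id; /* bpf_get_stackid() result, negative on failure */`. Since `contention_key` looks like a map key shared with user space, any user-space local, comparison or `%u` format that still treats `stack_id` as unsigned should be changed in the same patch. Those users are outside this diff, so this needs checking.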
+diff --git a/tools/perf/util/bpf_skel/vmlinux/vmlinux.h b/tools/perf/util/bpf_skel/vmlinux/vmlinux.h
+index e9028235d7717..d818e30c54571 100644
+--- a/tools/perf/util/bpf_skel/vmlinux/vmlinux.h
++++ b/tools/perf/util/bpf_skel/vmlinux/vmlinux.h
+@@ -15,6 +15,7 @@
+
+ typedef __u8 u8;
+ typedef __u32 u32;
++typedef __s32 s32;
+ typedef __u64 u64;
+ typedef __s64 s64;
+
+--
+2.43.0
+
--- /dev/null
+From 2678496a06355daa7bd50e45ee0fd2fa759c136b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 10:07:35 -0700
+Subject: perf mem: Check mem_events for all eligible PMUs
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 6e05d28ff232cf445cc6ae59336b7f2081ef9b96 ]
+
+The current perf_pmu__mem_events_init() only checks the availability of
+the mem_events for the first eligible PMU. It works for non-hybrid
+machines and hybrid machines that have the same mem_events.
+
+However, it may bring issues if a hybrid machine has a different
+mem_events on different PMU, e.g., Alder Lake and Raptor Lake. A
+mem-loads-aux event is only required for the p-core. The mem_events on
+both e-core and p-core should be checked and marked.
+
+The issue was not found, because it's hidden by another bug, which only
+records the mem-events for the e-core. The wrong check for the p-core
+events didn't yell.
+
+Fixes: abbdd79b786e036e ("perf mem: Clean up perf_mem_events__name()")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20240905170737.4070743-1-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-c2c.c | 2 +-
+ tools/perf/builtin-mem.c | 2 +-
+ tools/perf/util/mem-events.c | 14 +++++++++++++-
+ tools/perf/util/mem-events.h | 2 +-
+ 4 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
+index c157bd31f2e5a..0b2cb59212938 100644
+--- a/tools/perf/builtin-c2c.c
++++ b/tools/perf/builtin-c2c.c
+@@ -3266,7 +3266,7 @@ static int perf_c2c__record(int argc, const char **argv)
+ return -1;
+ }
+
+- if (perf_pmu__mem_events_init(pmu)) {
++ if (perf_pmu__mem_events_init()) {
+ pr_err("failed: memory events not supported\n");
+ return -1;
+ }
+diff --git a/tools/perf/builtin-mem.c b/tools/perf/builtin-mem.c
+index 93413cfcd585a..7fdbaaed14af2 100644
+--- a/tools/perf/builtin-mem.c
++++ b/tools/perf/builtin-mem.c
+@@ -97,7 +97,7 @@ static int __cmd_record(int argc, const char **argv, struct perf_mem *mem)
+ return -1;
+ }
+
+- if (perf_pmu__mem_events_init(pmu)) {
++ if (perf_pmu__mem_events_init()) {
+ pr_err("failed: memory events not supported\n");
+ return -1;
+ }
+diff --git a/tools/perf/util/mem-events.c b/tools/perf/util/mem-events.c
+index 6dda47bb774fa..c844aca0726ce 100644
+--- a/tools/perf/util/mem-events.c
++++ b/tools/perf/util/mem-events.c
+@@ -191,7 +191,7 @@ static bool perf_pmu__mem_events_supported(const char *mnt, struct perf_pmu *pmu
+ return !stat(path, &st);
+ }
+
+-int perf_pmu__mem_events_init(struct perf_pmu *pmu)
++static int __perf_pmu__mem_events_init(struct perf_pmu *pmu)
+ {
+ const char *mnt = sysfs__mount();
+ bool found = false;
+@@ -218,6 +218,18 @@ int perf_pmu__mem_events_init(struct perf_pmu *pmu)
+ return found ? 0 : -ENOENT;
+ }
+
++int perf_pmu__mem_events_init(void)
++{
++ struct perf_pmu *pmu = NULL;
++
++ while ((pmu = perf_pmus__scan_mem(pmu)) != NULL) {
++ if (__perf_pmu__mem_events_init(pmu))
++ return -ENOENT;
++ }
++
++ return 0;
++}
++
+ void perf_pmu__mem_events_list(struct perf_pmu *pmu)
+ {
+ int j;
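Review bot: The new `perf_pmu__mem_events_init()` returns 0 when `perf_pmus__scan_mem()` yields no PMU at all, so it reports success without having checked anything. The callers in builtin-c2c.c and builtin-mem.c appear to look up a PMU beforehand, but that guard is outside these hunks and the function does not document the precondition. The loop also replaces whatever `__perf_pmu__mem_events_init()` returned with a hard-coded `-ENOENT`. I would propagate the value instead, `ret = __perf_pmu__mem_events_init(pmu); if (ret) return ret;`. A header comment should also state that init now fails if any one eligible PMU has no supported mem event, which is stricter than the old single-PMU check.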
+diff --git a/tools/perf/util/mem-events.h b/tools/perf/util/mem-events.h
+index ca31014d7934f..a6fc2a5939388 100644
+--- a/tools/perf/util/mem-events.h
++++ b/tools/perf/util/mem-events.h
+@@ -30,7 +30,7 @@ extern unsigned int perf_mem_events__loads_ldlat;
+ extern struct perf_mem_event perf_mem_events[PERF_MEM_EVENTS__MAX];
+
+ int perf_pmu__mem_events_parse(struct perf_pmu *pmu, const char *str);
+-int perf_pmu__mem_events_init(struct perf_pmu *pmu);
++int perf_pmu__mem_events_init(void);
+
+ struct perf_mem_event *perf_pmu__mem_events_ptr(struct perf_pmu *pmu, int i);
+ struct perf_pmu *perf_mem_events_find_pmu(void);
+--
+2.43.0
+
--- /dev/null
+From b8bb90a54908213e7aa7066e170a373de64df0c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 10:07:36 -0700
+Subject: perf mem: Fix missed p-core mem events on ADL and RPL
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 5ad7db2c3f941cde3045ce38a9c4c40b0c7d56b9 ]
+
+The p-core mem events are missed when launching 'perf mem record' on ADL
+and RPL.
+
+ root@number:~# perf mem record sleep 1
+ Memory events are enabled on a subset of CPUs: 16-27
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.032 MB perf.data ]
+ root@number:~# perf evlist
+ cpu_atom/mem-loads,ldlat=30/P
+ cpu_atom/mem-stores/P
+ dummy:u
+
+A variable 'record' in the 'struct perf_mem_event' is to indicate
+whether a mem event in a mem_events[] should be recorded. The current
+code only configure the variable for the first eligible PMU.
+
+It's good enough for a non-hybrid machine or a hybrid machine which has
+the same mem_events[].
+
+However, if a different mem_events[] is used for different PMUs on a
+hybrid machine, e.g., ADL or RPL, the 'record' for the second PMU never
+get a chance to be set.
+
+The mem_events[] of the second PMU are always ignored.
+
+'perf mem' doesn't support the per-PMU configuration now. A per-PMU
+mem_events[] 'record' variable doesn't make sense. Make it global.
+
+That could also avoid searching for the per-PMU mem_events[] via
+perf_pmu__mem_events_ptr every time.
+
+Committer testing:
+
+ root@number:~# perf evlist -g
+ cpu_atom/mem-loads,ldlat=30/P
+ cpu_atom/mem-stores/P
+ {cpu_core/mem-loads-aux/,cpu_core/mem-loads,ldlat=30/}
+ cpu_core/mem-stores/P
+ dummy:u
+ root@number:~#
+
+The :S for '{cpu_core/mem-loads-aux/,cpu_core/mem-loads,ldlat=30/}' is
+not being added by 'perf evlist -g', to be checked.
+
+Fixes: abbdd79b786e036e ("perf mem: Clean up perf_mem_events__name()")
+Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Closes: https://lore.kernel.org/lkml/Zthu81fA3kLC2CS2@x1/
+Link: https://lore.kernel.org/r/20240905170737.4070743-2-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-c2c.c | 12 ++++--------
+ tools/perf/builtin-mem.c | 17 ++++++-----------
+ tools/perf/util/mem-events.c | 6 ++++--
+ tools/perf/util/mem-events.h | 2 +-
+ 4 files changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
+index 0b2cb59212938..7298f36070622 100644
+--- a/tools/perf/builtin-c2c.c
++++ b/tools/perf/builtin-c2c.c
+@@ -3290,19 +3290,15 @@ static int perf_c2c__record(int argc, const char **argv)
+ * PERF_MEM_EVENTS__LOAD_STORE if it is supported.
+ */
+ if (e->tag) {
+- e->record = true;
++ perf_mem_record[PERF_MEM_EVENTS__LOAD_STORE] = true;
+ rec_argv[i++] = "-W";
+ } else {
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__LOAD);
+- e->record = true;
+-
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__STORE);
+- e->record = true;
++ perf_mem_record[PERF_MEM_EVENTS__LOAD] = true;
++ perf_mem_record[PERF_MEM_EVENTS__STORE] = true;
+ }
+ }
+
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__LOAD);
+- if (e->record)
++ if (perf_mem_record[PERF_MEM_EVENTS__LOAD])
+ rec_argv[i++] = "-W";
+
+ rec_argv[i++] = "-d";
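Review bot: The choice between `PERF_MEM_EVENTS__LOAD_STORE` and the separate LOAD/STORE flags still hinges on `e->tag`, where `e` was fetched for one PMU before this hunk, while the flags it sets in `perf_mem_record[]` now apply to every PMU. On a hybrid machine whose PMUs differ in whether they provide a load-store event, the first PMU's answer is applied to all of them. The same pattern is in the `__cmd_record()` hunk of builtin-mem.c. If that is acceptable because no such hardware exists, a comment at the `if (e->tag)` test should say so. It is also worth checking that `e` and `pmu` are still used afterwards in both functions, since their bodies continue outside the hunks.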
+diff --git a/tools/perf/builtin-mem.c b/tools/perf/builtin-mem.c
+index 7fdbaaed14af2..08724fa508e14 100644
+--- a/tools/perf/builtin-mem.c
++++ b/tools/perf/builtin-mem.c
+@@ -126,22 +126,17 @@ static int __cmd_record(int argc, const char **argv, struct perf_mem *mem)
+ if (e->tag &&
+ (mem->operation & MEM_OPERATION_LOAD) &&
+ (mem->operation & MEM_OPERATION_STORE)) {
+- e->record = true;
++ perf_mem_record[PERF_MEM_EVENTS__LOAD_STORE] = true;
+ rec_argv[i++] = "-W";
+ } else {
+- if (mem->operation & MEM_OPERATION_LOAD) {
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__LOAD);
+- e->record = true;
+- }
++ if (mem->operation & MEM_OPERATION_LOAD)
++ perf_mem_record[PERF_MEM_EVENTS__LOAD] = true;
+
+- if (mem->operation & MEM_OPERATION_STORE) {
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__STORE);
+- e->record = true;
+- }
++ if (mem->operation & MEM_OPERATION_STORE)
++ perf_mem_record[PERF_MEM_EVENTS__STORE] = true;
+ }
+
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__LOAD);
+- if (e->record)
++ if (perf_mem_record[PERF_MEM_EVENTS__LOAD])
+ rec_argv[i++] = "-W";
+
+ rec_argv[i++] = "-d";
+diff --git a/tools/perf/util/mem-events.c b/tools/perf/util/mem-events.c
+index c844aca0726ce..1f1e1063efe37 100644
+--- a/tools/perf/util/mem-events.c
++++ b/tools/perf/util/mem-events.c
+@@ -28,6 +28,8 @@ struct perf_mem_event perf_mem_events[PERF_MEM_EVENTS__MAX] = {
+ };
+ #undef E
+
++bool perf_mem_record[PERF_MEM_EVENTS__MAX] = { 0 };
++
+ static char mem_loads_name[100];
+ static char mem_stores_name[100];
+
+@@ -162,7 +164,7 @@ int perf_pmu__mem_events_parse(struct perf_pmu *pmu, const char *str)
+ continue;
+
+ if (strstr(e->tag, tok))
+- e->record = found = true;
++ perf_mem_record[j] = found = true;
+ }
+
+ tok = strtok_r(NULL, ",", &saveptr);
+@@ -259,7 +261,7 @@ int perf_mem_events__record_args(const char **rec_argv, int *argv_nr)
+ for (int j = 0; j < PERF_MEM_EVENTS__MAX; j++) {
+ e = perf_pmu__mem_events_ptr(pmu, j);
+
+- if (!e->record)
++ if (!perf_mem_record[j])
+ continue;
+
+ if (!e->supported) {
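Review bot: After this change the "requested" flag (`perf_mem_record[j]`) is global, but `e->supported` just below is still per PMU. An event requested once therefore reaches the `!e->supported` branch for every PMU that lacks it. The body of that branch is outside the hunk; if it reports an error and aborts, a hybrid machine where only one PMU supports a requested event would now fail instead of recording on the PMU that can. Please confirm the branch skips rather than fails in that case, and say so in a comment next to the check.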
+diff --git a/tools/perf/util/mem-events.h b/tools/perf/util/mem-events.h
+index a6fc2a5939388..8dc27db9fd52f 100644
+--- a/tools/perf/util/mem-events.h
++++ b/tools/perf/util/mem-events.h
+@@ -6,7 +6,6 @@
+ #include <linux/types.h>
+
+ struct perf_mem_event {
+- bool record;
+ bool supported;
+ bool ldlat;
+ u32 aux_event;
+@@ -28,6 +27,7 @@ struct perf_pmu;
+
+ extern unsigned int perf_mem_events__loads_ldlat;
+ extern struct perf_mem_event perf_mem_events[PERF_MEM_EVENTS__MAX];
++extern bool perf_mem_record[PERF_MEM_EVENTS__MAX];
+
+ int perf_pmu__mem_events_parse(struct perf_pmu *pmu, const char *str);
+ int perf_pmu__mem_events_init(void);
+--
+2.43.0
+
--- /dev/null
+From 66cfd075ecfc7242e7b0fce9cdc2baa11b631880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 16:55:01 -0700
+Subject: perf mem: Free the allocated sort string, fixing a leak
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 3da209bb1177462b6fe8e3021a5527a5a49a9336 ]
+
+The get_sort_order() returns either a new string (from strdup) or NULL
+but it never gets freed.
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Fixes: 2e7f545096f954a9 ("perf mem: Factor out a function to generate sort order")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: https://lore.kernel.org/r/20240731235505.710436-3-namhyung@kernel.org
+[ Added Fixes tag ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-mem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-mem.c b/tools/perf/builtin-mem.c
+index 863fcd735daee..93413cfcd585a 100644
+--- a/tools/perf/builtin-mem.c
++++ b/tools/perf/builtin-mem.c
+@@ -372,6 +372,7 @@ static int report_events(int argc, const char **argv, struct perf_mem *mem)
+ rep_argv[i] = argv[j];
+
+ ret = cmd_report(i, rep_argv);
++ free(new_sort_order);
+ free(rep_argv);
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 4fb4891ba7a9d2f9f52a10fc8a33947552aedb90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 09:02:00 -0700
+Subject: perf report: Fix --total-cycles --stdio output error
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 3ef44458071a19e5b5832cdfe6f75273aa521b6e ]
+
+The --total-cycles may output wrong information with the --stdio.
+
+For example:
+
+ # perf record -e "{cycles,instructions}",cache-misses -b sleep 1
+ # perf report --total-cycles --stdio
+
+The total cycles output of {cycles,instructions} and cache-misses are
+almost the same.
+
+ # Samples: 938 of events 'anon group { cycles, instructions }'
+ # Event count (approx.): 938
+ #
+ # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range]
+ # ............... .............. ........... .......... ..................................................>
+ #
+ 11.19% 2.6K 0.10% 21 [perf_iterate_ctx+48 -> >
+ 5.79% 1.4K 0.45% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_>
+ 5.11% 1.2K 0.33% 71 [native_write_msr+0 ->>
+
+ # Samples: 293 of event 'cache-misses'
+ # Event count (approx.): 293
+ #
+ # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range]
+ # ............... .............. ........... .......... ..................................................>
+ #
+ 11.19% 2.6K 0.13% 21 [perf_iterate_ctx+48 -> >
+ 5.79% 1.4K 0.59% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_>
+ 5.11% 1.2K 0.43% 71 [native_write_msr+0 ->>
+
+With the symbol_conf.event_group, the 'perf report' should only report the
+block information of the leader event in a group.
+
+However, the current implementation retrieves the next event's block
+information, rather than the next group leader's block information.
+
+Make sure the index is updated even if the event is skipped.
+
+With the patch,
+
+ # Samples: 293 of event 'cache-misses'
+ # Event count (approx.): 293
+ #
+ # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range]
+ # ............... .............. ........... .......... ..................................................>
+ #
+ 37.98% 9.0K 4.05% 299 [perf_event_addr_filters_exec+0 -> perf_event_a>
+ 11.19% 2.6K 0.28% 21 [perf_iterate_ctx+48 -> >
+ 5.79% 1.4K 1.32% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_>
+
+Fixes: 6f7164fa231a5f36 ("perf report: Sort by sampled cycles percent per block for stdio")
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: https://lore.kernel.org/r/20240813160208.2493643-2-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index 69618fb0110b6..8bebaba56bc3f 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -565,6 +565,7 @@ static int evlist__tty_browse_hists(struct evlist *evlist, struct report *rep, c
+ struct hists *hists = evsel__hists(pos);
+ const char *evname = evsel__name(pos);
+
++ i++;
+ if (symbol_conf.event_group && !evsel__is_group_leader(pos))
+ continue;
+
+@@ -574,7 +575,7 @@ static int evlist__tty_browse_hists(struct evlist *evlist, struct report *rep, c
+ hists__fprintf_nr_sample_events(hists, rep, evname, stdout);
+
+ if (rep->total_cycles_mode) {
+- report__browse_block_hists(&rep->block_reports[i++].hist,
++ report__browse_block_hists(&rep->block_reports[i - 1].hist,
+ rep->min_percent, pos, NULL);
+ continue;
+ }
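Review bot: `rep->block_reports[i - 1]` is only correct because of the `i++` added at the top of the loop in the previous hunk, and nothing in either hunk checks the index against the number of reports that were allocated. Capturing the slot once, for example `int idx = i++;` at the top and `&rep->block_reports[idx].hist` here, keeps the two sites from drifting apart if the loop body is reordered later. Whether the array always holds one entry per evsel, including non-leaders, is decided outside these hunks, so that assumption should be confirmed or guarded. The loop and the function body start outside the hunk.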
+--
+2.43.0
+
--- /dev/null
+From 42fb47b664ff466911e2cbf6fd61807c482c2267 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:35:33 +0800
+Subject: perf sched timehist: Fix missing free of session in
+ perf_sched__timehist()
+
+From: Yang Jihong <yangjihong@bytedance.com>
+
+[ Upstream commit 6bdf5168b6fb19541b0c1862bdaa596d116c7bfb ]
+
+When perf_time__parse_str() fails in perf_sched__timehist(),
+need to free session that was previously created, fix it.
+
+Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest")
+Signed-off-by: Yang Jihong <yangjihong@bytedance.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240806023533.1316348-1-yangjihong@bytedance.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 5977c49ae2c76..bb173de716578 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -3031,7 +3031,8 @@ static int perf_sched__timehist(struct perf_sched *sched)
+
+ if (perf_time__parse_str(&sched->ptime, sched->time_str) != 0) {
+ pr_err("Invalid time string\n");
+- return -EINVAL;
++ err = -EINVAL;
++ goto out;
+ }
+
+ if (timehist_check_attr(sched, evlist) != 0)
+--
+2.43.0
+
--- /dev/null
+From 9b346dc0ad11e2e9d7e22a0fa0d5de8b3340f466 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 10:47:20 +0800
+Subject: perf sched timehist: Fixed timestamp error when unable to confirm
+ event sched_in time
+
+From: Yang Jihong <yangjihong@bytedance.com>
+
+[ Upstream commit 39c243411bdb8fb35777adf49ee32549633c4e12 ]
+
+If sched_in event for current task is not recorded, sched_in timestamp
+will be set to end_time of time window interest, causing an error in
+timestamp show. In this case, we choose to ignore this event.
+
+Test scenario:
+
+ perf[1229608] does not record the first sched_in event, run time and sch delay are both 0
+
+ # perf sched timehist
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+ 2090450.763231 [0000] perf[1229608] 0.000 0.000 0.000
+ 2090450.763235 [0000] migration/0[15] 0.000 0.001 0.003
+ 2090450.763263 [0001] perf[1229608] 0.000 0.000 0.000
+ 2090450.763268 [0001] migration/1[21] 0.000 0.001 0.004
+ 2090450.763302 [0002] perf[1229608] 0.000 0.000 0.000
+ 2090450.763309 [0002] migration/2[27] 0.000 0.001 0.007
+ 2090450.763338 [0003] perf[1229608] 0.000 0.000 0.000
+ 2090450.763343 [0003] migration/3[33] 0.000 0.001 0.004
+
+Before:
+
+ arbitrarily specify a time window of interest, timestamp will be set to an incorrect value
+
+ # perf sched timehist --time 100,200
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+ 200.000000 [0000] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0001] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0002] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0003] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0004] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0005] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0006] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0007] perf[1229608] 0.000 0.000 0.000
+
+ After:
+
+ # perf sched timehist --time 100,200
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+
+Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest")
+Signed-off-by: Yang Jihong <yangjihong@bytedance.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@arm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240819024720.2405244-1-yangjihong@bytedance.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index bb173de716578..ed11a20bc1493 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -2596,9 +2596,12 @@ static int timehist_sched_change_event(struct perf_tool *tool,
+ * - previous sched event is out of window - we are done
+ * - sample time is beyond window user cares about - reset it
+ * to close out stats for time window interest
++ * - If tprev is 0, that is, sched_in event for current task is
++ * not recorded, cannot determine whether sched_in event is
++ * within time window interest - ignore it
+ */
+ if (ptime->end) {
+- if (tprev > ptime->end)
++ if (!tprev || tprev > ptime->end)
+ goto out;
+
+ if (t > ptime->end)
+--
+2.43.0
+
--- /dev/null
+From 584d1d6fed5946d4a49d5809c4bedc30344ae42e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 14:28:58 +0100
+Subject: perf scripts python cs-etm: Restore first sample log in verbose mode
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit ae8e4f4048b839c1cb333d9e3d20e634b430139e ]
+
+The linked commit moved the early return on the first sample to before
+the verbose log, so move the log earlier too. Now the first sample is
+also logged and not skipped.
+
+Fixes: 2d98dbb4c9c5b09c ("perf scripts python arm-cs-trace-disasm.py: Do not ignore disam first sample")
+Reviewed-by: Leo Yan <leo.yan@arm.com>
+Signed-off-by: James Clark <james.clark@linaro.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Benjamin Gray <bgray@linux.ibm.com>
+Cc: coresight@lists.linaro.org
+Cc: gankulkarni@os.amperecomputing.com
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ruidong Tian <tianruidong@linux.alibaba.com>
+Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20240723132858.12747-1-james.clark@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/scripts/python/arm-cs-trace-disasm.py | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/tools/perf/scripts/python/arm-cs-trace-disasm.py b/tools/perf/scripts/python/arm-cs-trace-disasm.py
+index d973c2baed1c8..7aff02d84ffb3 100755
+--- a/tools/perf/scripts/python/arm-cs-trace-disasm.py
++++ b/tools/perf/scripts/python/arm-cs-trace-disasm.py
+@@ -192,17 +192,16 @@ def process_event(param_dict):
+ ip = sample["ip"]
+ addr = sample["addr"]
+
++ if (options.verbose == True):
++ print("Event type: %s" % name)
++ print_sample(sample)
++
+ # Initialize CPU data if it's empty, and directly return back
+ # if this is the first tracing event for this CPU.
+ if (cpu_data.get(str(cpu) + 'addr') == None):
+ cpu_data[str(cpu) + 'addr'] = addr
+ return
+
+-
+- if (options.verbose == True):
+- print("Event type: %s" % name)
+- print_sample(sample)
+-
+ # If cannot find dso so cannot dump assembler, bail out
+ if (dso == '[unknown]'):
+ return
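Review bot: The moved check `if (options.verbose == True):` keeps the comparison against `True` and the C-style parentheses; `if options.verbose:` is the usual Python form and behaves the same, provided the option is a plain boolean flag, which is not visible in this hunk. Since the block now runs before the first-sample early return, a one-line comment such as `# Log every sample, including the first one for each CPU` would record why it sits above that return. process_event() starts and continues outside the hunk.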
+--
+2.43.0
+
--- /dev/null
+From 58d4ee11df8f54132162681ae628931bbd04407c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 14:58:00 +0800
+Subject: perf stat: Display iostat headers correctly
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 2615639352420e6e3115952c5b8f46846e1c6d0e ]
+
+Currently we'll only print metric headers for the metric leader in
+aggregation mode. This makes the `perf iostat` header not shown,
+since it is aggregated globally but doesn't have metric events:
+
+ root@ubuntu204:/home/yang/linux/tools/perf# ./perf stat --iostat --timeout 1000
+ Performance counter stats for 'system wide':
+ port
+ 0000:00 0 0 0 0
+ 0000:80 0 0 0 0
+ [...]
+
+Fix this by excluding the iostat in the check of printing metric
+headers. Then we can see the headers:
+
+ root@ubuntu204:/home/yang/linux/tools/perf# ./perf stat --iostat --timeout 1000
+ Performance counter stats for 'system wide':
+ port Inbound Read(MB) Inbound Write(MB) Outbound Read(MB) Outbound Write(MB)
+ 0000:00 0 0 0 0
+ 0000:80 0 0 0 0
+ [...]
+
+Fixes: 193a9e30207f5477 ("perf stat: Don't display metric header for non-leader uncore events")
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jonathan Cameron <jonathan.cameron@huawei.com>
+Cc: Junhao He <hejunhao3@huawei.com>
+Cc: linuxarm@huawei.com
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Shameerali Kolothum Thodi <shameerali.kolothum.thodi@huawei.com>
+Cc: Zeng Tao <prime.zeng@hisilicon.com>
+Link: https://lore.kernel.org/r/20240802065800.48774-1-yangyicong@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-display.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c
+index 186305fd2d0ef..ac79ac4ccbe02 100644
+--- a/tools/perf/util/stat-display.c
++++ b/tools/perf/util/stat-display.c
+@@ -1226,7 +1226,8 @@ static void print_metric_headers(struct perf_stat_config *config,
+
+ /* Print metrics headers only */
+ evlist__for_each_entry(evlist, counter) {
+- if (config->aggr_mode != AGGR_NONE && counter->metric_leader != counter)
++ if (!config->iostat_run &&
++ config->aggr_mode != AGGR_NONE && counter->metric_leader != counter)
+ continue;
+
+ os.evsel = counter;
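Review bot: The new `!config->iostat_run` term has no comment, so the reason iostat bypasses the metric-leader filter lives only in the commit message. A line above the condition such as `/* iostat is aggregated globally but has no metric events, so print every header */` would keep that reasoning with the code. The continuation line is also indented to the same level as the `continue;` it guards, which makes the condition and the body hard to tell apart; aligning it under `!config` would help. print_metric_headers() starts and ends outside the hunk.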
+--
+2.43.0
+
--- /dev/null
+From d6a219a6b5570e674da188e7da150726609c6152 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 00:04:11 -0700
+Subject: perf time-utils: Fix 32-bit nsec parsing
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 38e2648a81204c9fc5b4c87a8ffce93a6ed91b65 ]
+
+The "time utils" test fails in 32-bit builds:
+ ...
+ parse_nsec_time("18446744073.709551615")
+ Failed. ptime 4294967295709551615 expected 18446744073709551615
+ ...
+
+Switch strtoul to strtoull as an unsigned long in 32-bit build isn't
+64-bits.
+
+Fixes: c284d669a20d408b ("perf tools: Move parse_nsec_time to time-utils.c")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Chaitanya S Prakash <chaitanyas.prakash@arm.com>
+Cc: Colin Ian King <colin.i.king@gmail.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: John Garry <john.g.garry@oracle.com>
+Cc: Junhao He <hejunhao3@huawei.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Yang Jihong <yangjihong@bytedance.com>
+Link: https://lore.kernel.org/r/20240831070415.506194-3-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/time-utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/time-utils.c b/tools/perf/util/time-utils.c
+index 3024439216816..1b91ccd4d5234 100644
+--- a/tools/perf/util/time-utils.c
++++ b/tools/perf/util/time-utils.c
+@@ -20,7 +20,7 @@ int parse_nsec_time(const char *str, u64 *ptime)
+ u64 time_sec, time_nsec;
+ char *end;
+
+- time_sec = strtoul(str, &end, 10);
++ time_sec = strtoull(str, &end, 10);
+ if (*end != '.' && *end != '\0')
+ return -1;
+
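Review bot: Neither `strtoull()` call is followed by an `errno` check, so a seconds field too large for 64 bits comes back as `ULLONG_MAX` and is accepted as a valid time rather than rejected; the second call in the next hunk has the same shape, although its buffer appears to be padded to nine digits. `strtoull()` also accepts a leading `-` and returns the negated value, which this parser does not exclude. Setting `errno = 0;` before the call and testing `if (errno == ERANGE || (*end != '.' && *end != '\0')) return -1;` would reject overflow, assuming `<errno.h>` is already included, which the hunk does not show. The rest of parse_nsec_time(), including the conversion of seconds to nanoseconds, is outside the hunk and can overflow independently.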
+@@ -38,7 +38,7 @@ int parse_nsec_time(const char *str, u64 *ptime)
+ for (i = strlen(nsec_buf); i < 9; i++)
+ nsec_buf[i] = '0';
+
+- time_nsec = strtoul(nsec_buf, &end, 10);
++ time_nsec = strtoull(nsec_buf, &end, 10);
+ if (*end != '\0')
+ return -1;
+ } else
+--
+2.43.0
+
--- /dev/null
+From 368c6abcd1da720ecf69914ae2c858fd4a44ca9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 03:36:22 +0300
+Subject: phy: phy-rockchip-samsung-hdptx: Explicitly include pm_runtime.h
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit 1b369ff94bc36d2e16c8a91c0ea8ebd329555976 ]
+
+Driver makes use of helpers from pm_runtime.h, but relies on the header
+file being implicitly included.
+
+Explicitly pull the header in to avoid potential build failures in some
+configurations.
+
+Fixes: 553be2830c5f ("phy: rockchip: Add Samsung HDMI/eDP Combo PHY driver")
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://lore.kernel.org/r/20240620-rk3588-hdmiphy-clkprov-v2-1-6a2d2164e508@collabora.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c
+index 946c01210ac8c..3bd9b62b23dcc 100644
+--- a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c
++++ b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c
+@@ -15,6 +15,7 @@
+ #include <linux/of_platform.h>
+ #include <linux/phy/phy.h>
+ #include <linux/platform_device.h>
++#include <linux/pm_runtime.h>
+ #include <linux/rational.h>
+ #include <linux/regmap.h>
+ #include <linux/reset.h>
+--
+2.43.0
+
--- /dev/null
+From 17e498d4061fac7a180ff0c409fe031eccaff1e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 14:48:23 +0800
+Subject: pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function
+
+From: Wang Jianzheng <wangjianzheng@vivo.com>
+
+[ Upstream commit c25478419f6fd3f74c324a21ec007cf14f2688d7 ]
+
+When an error occurs during the execution of the function
+__devinit_dove_pinctrl_probe, the clk is not properly disabled.
+
+Fix this by calling clk_disable_unprepare before return.
+
+Fixes: ba607b6238a1 ("pinctrl: mvebu: make pdma clock on dove mandatory")
+Signed-off-by: Wang Jianzheng <wangjianzheng@vivo.com>
+Link: https://lore.kernel.org/20240829064823.19808-1-wangjianzheng@vivo.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mvebu/pinctrl-dove.c | 42 +++++++++++++++++++---------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pinctrl/mvebu/pinctrl-dove.c b/drivers/pinctrl/mvebu/pinctrl-dove.c
+index 1947da73e5121..dce601d993728 100644
+--- a/drivers/pinctrl/mvebu/pinctrl-dove.c
++++ b/drivers/pinctrl/mvebu/pinctrl-dove.c
+@@ -767,7 +767,7 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ struct resource fb_res;
+ struct mvebu_mpp_ctrl_data *mpp_data;
+ void __iomem *base;
+- int i;
++ int i, ret;
+
+ pdev->dev.platform_data = (void *)device_get_match_data(&pdev->dev);
+
+@@ -783,13 +783,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ clk_prepare_enable(clk);
+
+ base = devm_platform_get_and_ioremap_resource(pdev, 0, &mpp_res);
+- if (IS_ERR(base))
+- return PTR_ERR(base);
++ if (IS_ERR(base)) {
++ ret = PTR_ERR(base);
++ goto err_probe;
++ }
+
+ mpp_data = devm_kcalloc(&pdev->dev, dove_pinctrl_info.ncontrols,
+ sizeof(*mpp_data), GFP_KERNEL);
+- if (!mpp_data)
+- return -ENOMEM;
++ if (!mpp_data) {
++ ret = -ENOMEM;
++ goto err_probe;
++ }
+
+ dove_pinctrl_info.control_data = mpp_data;
+ for (i = 0; i < ARRAY_SIZE(dove_mpp_controls); i++)
+@@ -808,8 +812,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ }
+
+ mpp4_base = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(mpp4_base))
+- return PTR_ERR(mpp4_base);
++ if (IS_ERR(mpp4_base)) {
++ ret = PTR_ERR(mpp4_base);
++ goto err_probe;
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 2);
+ if (!res) {
+@@ -820,8 +826,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ }
+
+ pmu_base = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(pmu_base))
+- return PTR_ERR(pmu_base);
++ if (IS_ERR(pmu_base)) {
++ ret = PTR_ERR(pmu_base);
++ goto err_probe;
++ }
+
+ gconfmap = syscon_regmap_lookup_by_compatible("marvell,dove-global-config");
+ if (IS_ERR(gconfmap)) {
+@@ -831,12 +839,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ adjust_resource(&fb_res,
+ (mpp_res->start & INT_REGS_MASK) + GC_REGS_OFFS, 0x14);
+ gc_base = devm_ioremap_resource(&pdev->dev, &fb_res);
+- if (IS_ERR(gc_base))
+- return PTR_ERR(gc_base);
++ if (IS_ERR(gc_base)) {
++ ret = PTR_ERR(gc_base);
++ goto err_probe;
++ }
++
+ gconfmap = devm_regmap_init_mmio(&pdev->dev,
+ gc_base, &gc_regmap_config);
+- if (IS_ERR(gconfmap))
+- return PTR_ERR(gconfmap);
++ if (IS_ERR(gconfmap)) {
++ ret = PTR_ERR(gconfmap);
++ goto err_probe;
++ }
+ }
+
+ /* Warn on any missing DT resource */
+@@ -844,6 +857,9 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ dev_warn(&pdev->dev, FW_BUG "Missing pinctrl regs in DTB. Please update your firmware.\n");
+
+ return mvebu_pinctrl_probe(pdev);
++err_probe:
++ clk_disable_unprepare(clk);
++ return ret;
+ }
+
+ static struct platform_driver dove_pinctrl_driver = {
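Review bot: The final `return mvebu_pinctrl_probe(pdev);` still leaves the clock enabled when that call fails, so the leak this patch closes remains on the last error path. Routing it through the new label, `ret = mvebu_pinctrl_probe(pdev);`, `if (ret) goto err_probe;`, `return 0;`, would cover it. The context line `clk_prepare_enable(clk);` in the second hunk also ignores its return value, so `err_probe` can end up disabling a clock that was never enabled. The `if (!res)` branches between the hunks are not visible here and should be checked for early returns in the same way.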
+--
+2.43.0
+
--- /dev/null
+From 4657b721288990a52340d1f5b8c2959f2c60430d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 10:46:25 +0800
+Subject: pinctrl: single: fix missing error code in pcs_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit cacd8cf79d7823b07619865e994a7916fcc8ae91 ]
+
+If pinctrl_enable() fails in pcs_probe(), it should return the error code.
+
+Fixes: 8f773bfbdd42 ("pinctrl: single: fix possible memory leak when pinctrl_enable() fails")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/20240819024625.154441-1-yangyingliang@huaweicloud.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index 4da3c3f422b69..2ec599e383e4b 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1913,7 +1913,8 @@ static int pcs_probe(struct platform_device *pdev)
+
+ dev_info(pcs->dev, "%i pins, size %u\n", pcs->desc.npins, pcs->size);
+
+- if (pinctrl_enable(pcs->pctl))
++ ret = pinctrl_enable(pcs->pctl);
++ if (ret)
+ goto free;
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 2b7c51e1636c3ee2cf5fe13c5325f29266e1bbed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 21:17:19 +0800
+Subject: pinctrl: ti: iodelay: Use scope based of_node_put() cleanups
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 791a8bb202a85f707c20ef04a471519e35f089dc ]
+
+Use scope based of_node_put() cleanup to simplify code.
+
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/20240627131721.678727-2-peng.fan@oss.nxp.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Stable-dep-of: a9f2b249adee ("pinctrl: ti: ti-iodelay: Fix some error handling paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 43 +++++++++----------------
+ 1 file changed, 15 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
+index ef97586385019..f5e5a23d22260 100644
+--- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
++++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
+@@ -822,53 +822,48 @@ MODULE_DEVICE_TABLE(of, ti_iodelay_of_match);
+ static int ti_iodelay_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+- struct device_node *np = of_node_get(dev->of_node);
++ struct device_node *np __free(device_node) = of_node_get(dev->of_node);
+ struct resource *res;
+ struct ti_iodelay_device *iod;
+- int ret = 0;
++ int ret;
+
+ if (!np) {
+- ret = -EINVAL;
+ dev_err(dev, "No OF node\n");
+- goto exit_out;
++ return -EINVAL;
+ }
+
+ iod = devm_kzalloc(dev, sizeof(*iod), GFP_KERNEL);
+- if (!iod) {
+- ret = -ENOMEM;
+- goto exit_out;
+- }
++ if (!iod)
++ return -ENOMEM;
++
+ iod->dev = dev;
+ iod->reg_data = device_get_match_data(dev);
+ if (!iod->reg_data) {
+- ret = -EINVAL;
+ dev_err(dev, "No DATA match\n");
+- goto exit_out;
++ return -EINVAL;
+ }
+
+ /* So far We can assume there is only 1 bank of registers */
+ iod->reg_base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
+- if (IS_ERR(iod->reg_base)) {
+- ret = PTR_ERR(iod->reg_base);
+- goto exit_out;
+- }
++ if (IS_ERR(iod->reg_base))
++ return PTR_ERR(iod->reg_base);
++
+ iod->phys_base = res->start;
+
+ iod->regmap = devm_regmap_init_mmio(dev, iod->reg_base,
+ iod->reg_data->regmap_config);
+ if (IS_ERR(iod->regmap)) {
+ dev_err(dev, "Regmap MMIO init failed.\n");
+- ret = PTR_ERR(iod->regmap);
+- goto exit_out;
++ return PTR_ERR(iod->regmap);
+ }
+
+ ret = ti_iodelay_pinconf_init_dev(iod);
+ if (ret)
+- goto exit_out;
++ return ret;
+
+ ret = ti_iodelay_alloc_pins(dev, iod, res->start);
+ if (ret)
+- goto exit_out;
++ return ret;
+
+ iod->desc.pctlops = &ti_iodelay_pinctrl_ops;
+ /* no pinmux ops - we are pinconf */
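Review bot: With `__free(device_node)` on `np`, the reference taken by `of_node_get()` is now dropped on the successful return as well, whereas the old code called `of_node_put()` only under `exit_out`. In the visible lines `np` is only tested for NULL, so the get/put pair does no work and `if (!dev->of_node)` with no local variable would express the same check. If anything outside these hunks keeps `np` beyond probe, it now needs its own reference. A short comment on the declaration, for example `/* reference held for the duration of probe only */`, would make the changed lifetime explicit.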
+@@ -879,20 +874,12 @@ static int ti_iodelay_probe(struct platform_device *pdev)
+ ret = devm_pinctrl_register_and_init(dev, &iod->desc, iod, &iod->pctl);
+ if (ret) {
+ dev_err(dev, "Failed to register pinctrl\n");
+- goto exit_out;
++ return ret;
+ }
+
+ platform_set_drvdata(pdev, iod);
+
+- ret = pinctrl_enable(iod->pctl);
+- if (ret)
+- goto exit_out;
+-
+- return 0;
+-
+-exit_out:
+- of_node_put(np);
+- return ret;
++ return pinctrl_enable(iod->pctl);
+ }
+
+ /**
+--
+2.43.0
+
--- /dev/null
+From d7c197fc30044aa14bd9b2ed01369f6b957061e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jul 2024 22:37:43 +0200
+Subject: pinctrl: ti: ti-iodelay: Fix some error handling paths
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a9f2b249adeef2b9744a884355fa8f5e581d507f ]
+
+In the probe, if an error occurs after the ti_iodelay_pinconf_init_dev()
+call, it is likely that ti_iodelay_pinconf_deinit_dev() should be called,
+as already done in the remove function.
+
+Also in ti_iodelay_pinconf_init_dev(), if an error occurs after the first
+regmap_update_bits() call, it is also likely that the deinit() function
+should be called.
+
+The easier way to fix it is to add a devm_add_action_or_reset() at the
+right place to have ti_iodelay_pinconf_deinit_dev() called when needed.
+
+Doing so, the .remove() function can be removed, and the associated
+platform_set_drvdata() call in the probe as well.
+
+Fixes: 003910ebc83b ("pinctrl: Introduce TI IOdelay configuration driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/0220fa5b925bd08e361be8206a5438f6229deaac.1720556038.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 52 ++++++++++---------------
+ 1 file changed, 21 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
+index f5e5a23d22260..451801acdc403 100644
+--- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
++++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
+@@ -273,6 +273,22 @@ static int ti_iodelay_pinconf_set(struct ti_iodelay_device *iod,
+ return r;
+ }
+
++/**
++ * ti_iodelay_pinconf_deinit_dev() - deinit the iodelay device
++ * @data: IODelay device
++ *
++ * Deinitialize the IODelay device (basically just lock the region back up.
++ */
++static void ti_iodelay_pinconf_deinit_dev(void *data)
++{
++ struct ti_iodelay_device *iod = data;
++ const struct ti_iodelay_reg_data *reg = iod->reg_data;
++
++ /* lock the iodelay region back again */
++ regmap_update_bits(iod->regmap, reg->reg_global_lock_offset,
++ reg->global_lock_mask, reg->global_lock_val);
++}
++
+ /**
+ * ti_iodelay_pinconf_init_dev() - Initialize IODelay device
+ * @iod: iodelay device
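Review bot: `ti_iodelay_pinconf_deinit_dev()` discards the result of `regmap_update_bits()`, so a failed relock leaves the iodelay region writable with no trace, and as a devm action it now also runs on probe error paths where that is easier to miss. Capturing the result and logging it, `if (r) dev_warn(iod->dev, "failed to relock iodelay region: %d\n", r);`, would surface the failure. The kernel-doc text moved with the function still has an unclosed parenthesis in `(basically just lock the region back up.`, and `@data` could say that it is the `struct ti_iodelay_device *` passed to `devm_add_action_or_reset()`.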
+@@ -295,6 +311,11 @@ static int ti_iodelay_pinconf_init_dev(struct ti_iodelay_device *iod)
+ if (r)
+ return r;
+
++ r = devm_add_action_or_reset(iod->dev, ti_iodelay_pinconf_deinit_dev,
++ iod);
++ if (r)
++ return r;
++
+ /* Read up Recalibration sequence done by bootloader */
+ r = regmap_read(iod->regmap, reg->reg_refclk_offset, &val);
+ if (r)
+@@ -353,21 +374,6 @@ static int ti_iodelay_pinconf_init_dev(struct ti_iodelay_device *iod)
+ return 0;
+ }
+
+-/**
+- * ti_iodelay_pinconf_deinit_dev() - deinit the iodelay device
+- * @iod: IODelay device
+- *
+- * Deinitialize the IODelay device (basically just lock the region back up.
+- */
+-static void ti_iodelay_pinconf_deinit_dev(struct ti_iodelay_device *iod)
+-{
+- const struct ti_iodelay_reg_data *reg = iod->reg_data;
+-
+- /* lock the iodelay region back again */
+- regmap_update_bits(iod->regmap, reg->reg_global_lock_offset,
+- reg->global_lock_mask, reg->global_lock_val);
+-}
+-
+ /**
+ * ti_iodelay_get_pingroup() - Find the group mapped by a group selector
+ * @iod: iodelay device
+@@ -877,27 +883,11 @@ static int ti_iodelay_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- platform_set_drvdata(pdev, iod);
+-
+ return pinctrl_enable(iod->pctl);
+ }
+
+-/**
+- * ti_iodelay_remove() - standard remove
+- * @pdev: platform device
+- */
+-static void ti_iodelay_remove(struct platform_device *pdev)
+-{
+- struct ti_iodelay_device *iod = platform_get_drvdata(pdev);
+-
+- ti_iodelay_pinconf_deinit_dev(iod);
+-
+- /* Expect other allocations to be freed by devm */
+-}
+-
+ static struct platform_driver ti_iodelay_driver = {
+ .probe = ti_iodelay_probe,
+- .remove_new = ti_iodelay_remove,
+ .driver = {
+ .name = DRIVER_NAME,
+ .of_match_table = ti_iodelay_of_match,
+--
+2.43.0
+
--- /dev/null
+From ef28bb689ab08a4dc740d8fedc451ecb41b58170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 19:50:32 +0300
+Subject: platform/x86: ideapad-laptop: Make the scope_guard() clear of its
+ scope
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit a093cb667c3ff5eadd4b23ddf996d9ccae9b7ac6 ]
+
+First of all, it's a bit counterintuitive to have something like
+
+ int err;
+ ...
+ scoped_guard(...)
+ err = foo(...);
+ if (err)
+ return err;
+
+Second, with a particular kernel configuration and compiler version in
+one of such cases the objtool is not happy:
+
+ ideapad-laptop.o: warning: objtool: .text.fan_mode_show: unexpected end of section
+
+I'm not an expert on all this, but the theory is that compiler and
+linker in this case can't understand that 'result' variable will be
+always initialized as long as no error has been returned. Assigning
+'result' to a dummy value helps with this. Note, that fixing the
+scoped_guard() scope (as per above) does not make issue gone.
+
+That said, assign dummy value and make the scope_guard() clear of its scope.
+For the sake of consistency do it in the entire file.
+
+Fixes: 7cc06e729460 ("platform/x86: ideapad-laptop: add a mutex to synchronize VPC commands")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202408290219.BrPO8twi-lkp@intel.com/
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20240829165105.1609180-1-andriy.shevchenko@linux.intel.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/ideapad-laptop.c | 48 +++++++++++++++------------
+ 1 file changed, 27 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
+index 490815917adec..32293df50bb1c 100644
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -422,13 +422,14 @@ static ssize_t camera_power_show(struct device *dev,
+ char *buf)
+ {
+ struct ideapad_private *priv = dev_get_drvdata(dev);
+- unsigned long result;
++ unsigned long result = 0;
+ int err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = read_ec_data(priv->adev->handle, VPCCMD_R_CAMERA, &result);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ return sysfs_emit(buf, "%d\n", !!result);
+ }
+@@ -445,10 +446,11 @@ static ssize_t camera_power_store(struct device *dev,
+ if (err)
+ return err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = write_ec_cmd(priv->adev->handle, VPCCMD_W_CAMERA, state);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ return count;
+ }
+@@ -496,13 +498,14 @@ static ssize_t fan_mode_show(struct device *dev,
+ char *buf)
+ {
+ struct ideapad_private *priv = dev_get_drvdata(dev);
+- unsigned long result;
++ unsigned long result = 0;
+ int err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = read_ec_data(priv->adev->handle, VPCCMD_R_FAN, &result);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ return sysfs_emit(buf, "%lu\n", result);
+ }
+@@ -522,10 +525,11 @@ static ssize_t fan_mode_store(struct device *dev,
+ if (state > 4 || state == 3)
+ return -EINVAL;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = write_ec_cmd(priv->adev->handle, VPCCMD_W_FAN, state);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ return count;
+ }
+@@ -605,13 +609,14 @@ static ssize_t touchpad_show(struct device *dev,
+ char *buf)
+ {
+ struct ideapad_private *priv = dev_get_drvdata(dev);
+- unsigned long result;
++ unsigned long result = 0;
+ int err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = read_ec_data(priv->adev->handle, VPCCMD_R_TOUCHPAD, &result);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ priv->r_touchpad_val = result;
+
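Review bot: In touchpad_show() the cached `priv->r_touchpad_val = result;` is assigned after the `scoped_guard(mutex, &priv->vpc_mutex)` block has closed, so the cache update is not covered by the lock that serialises the EC access. touchpad_store() in the next hunk sets `priv->r_touchpad_val = state;` the same way, so a concurrent show and store can leave the cached value out of step with what the EC last reported; whether other readers depend on it is not visible here. Moving the assignment inside the braces, after `if (err) return err;`, keeps the EC read and the cache update together. The function body continues outside the hunk.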
+@@ -630,10 +635,11 @@ static ssize_t touchpad_store(struct device *dev,
+ if (err)
+ return err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = write_ec_cmd(priv->adev->handle, VPCCMD_W_TOUCHPAD, state);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ priv->r_touchpad_val = state;
+
+--
+2.43.0
+
--- /dev/null
+From 5dbc521b986873dd788319f02dcc3f99a8d660f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 22:19:08 -0400
+Subject: pm:cpupower: Add missing powercap_set_enabled() stub function
+
+From: John B. Wyatt IV <jwyatt@redhat.com>
+
+[ Upstream commit 4b80294fb53845dc5c98cca0c989da09150f2ca9 ]
+
+There was a symbol listed in the powercap.h file that was not implemented.
+Implement it with a stub return of 0.
+
+Programs like SWIG require that functions that are defined in the
+headers be implemented.
+
+Fixes: c2294c1496b7 ("cpupower: Introduce powercap intel-rapl library and powercap-info command")
+Suggested-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: John B. Wyatt IV <jwyatt@redhat.com>
+Signed-off-by: John B. Wyatt IV <sageofredondo@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/lib/powercap.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/power/cpupower/lib/powercap.c b/tools/power/cpupower/lib/powercap.c
+index a7a59c6bacda8..94a0c69e55ef5 100644
+--- a/tools/power/cpupower/lib/powercap.c
++++ b/tools/power/cpupower/lib/powercap.c
+@@ -77,6 +77,14 @@ int powercap_get_enabled(int *mode)
+ return sysfs_get_enabled(path, mode);
+ }
+
++/*
++ * TODO: implement function. Returns dummy 0 for now.
++ */
++int powercap_set_enabled(int mode)
++{
++ return 0;
++}
++
+ /*
+ * Hardcoded, because rapl is the only powercap implementation
+ - * this needs to get more generic if more powercap implementations
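Review bot: The new powercap_set_enabled() stub returns 0, which a caller will read as success even though `mode` is ignored and nothing is written. A stub that cannot do the work should report failure, for example `return -1;`, assuming that matches the error convention of the other powercap_* functions, which are outside the hunk. The comment should then say so as well, e.g. `/* TODO: not implemented yet; always reports failure */`.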
+--
+2.43.0
+
--- /dev/null
+From cd11580193bdd2e090113fa103789192cee68e90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 16:30:45 +0200
+Subject: pmdomain: core: Harden inter-column space in debug summary
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 692c20c4d075bd452acfbbc68200fc226c7c9496 ]
+
+The inter-column space in the debug summary is two spaces. However, in
+one case, the extra space is handled implicitly in a field width
+specifier. Make inter-column space explicit to ease future maintenance.
+
+Fixes: 45fbc464b047 ("PM: domains: Add "performance" column to debug summary")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/ae61eb363621b981edde878e1e74d701702a579f.1725459707.git.geert+renesas@glider.be
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pmdomain/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
+index 623d15b68707e..0ab6008e863e8 100644
+--- a/drivers/pmdomain/core.c
++++ b/drivers/pmdomain/core.c
+@@ -3153,7 +3153,7 @@ static int genpd_summary_one(struct seq_file *s,
+ else
+ snprintf(state, sizeof(state), "%s",
+ status_lookup[genpd->status]);
+- seq_printf(s, "%-30s %-50s %u", genpd->name, state, genpd->performance_state);
++ seq_printf(s, "%-30s %-49s %u", genpd->name, state, genpd->performance_state);
+
+ /*
+ * Modifications on the list require holding locks on both
+--
+2.43.0
+
--- /dev/null
+From bbacefb5c865acd6452bc131340f7e3013088bcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 16:54:43 -0500
+Subject: power: supply: axp20x_battery: Remove design from min and max voltage
+
+From: Chris Morgan <macromorgan@hotmail.com>
+
+[ Upstream commit 61978807b00f8a1817b0e5580981af1cd2f428a5 ]
+
+The POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN and
+POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN values should be immutable
+properties of the battery, but for this driver they are writable values
+and used as the minimum and maximum values for charging. Remove the
+DESIGN designation from these values.
+
+Fixes: 46c202b5f25f ("power: supply: add battery driver for AXP20X and AXP22X PMICs")
+Suggested-by: Chen-Yu Tsai <wens@kernel.org>
+Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240821215456.962564-3-macroalpha82@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/axp20x_battery.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/power/supply/axp20x_battery.c b/drivers/power/supply/axp20x_battery.c
+index 6ac5c80cfda21..7520b599eb3d1 100644
+--- a/drivers/power/supply/axp20x_battery.c
++++ b/drivers/power/supply/axp20x_battery.c
+@@ -303,11 +303,11 @@ static int axp20x_battery_get_prop(struct power_supply *psy,
+ val->intval = reg & AXP209_FG_PERCENT;
+ break;
+
+- case POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN:
++ case POWER_SUPPLY_PROP_VOLTAGE_MAX:
+ return axp20x_batt->data->get_max_voltage(axp20x_batt,
+ &val->intval);
+
+- case POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN:
++ case POWER_SUPPLY_PROP_VOLTAGE_MIN:
+ ret = regmap_read(axp20x_batt->regmap, AXP20X_V_OFF, ®);
+ if (ret)
+ return ret;
+@@ -455,10 +455,10 @@ static int axp20x_battery_set_prop(struct power_supply *psy,
+ struct axp20x_batt_ps *axp20x_batt = power_supply_get_drvdata(psy);
+
+ switch (psp) {
+- case POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN:
++ case POWER_SUPPLY_PROP_VOLTAGE_MIN:
+ return axp20x_set_voltage_min_design(axp20x_batt, val->intval);
+
+- case POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN:
++ case POWER_SUPPLY_PROP_VOLTAGE_MAX:
+ return axp20x_batt->data->set_max_voltage(axp20x_batt, val->intval);
+
+ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
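Review bot: The `POWER_SUPPLY_PROP_VOLTAGE_MIN` case in axp20x_battery_set_prop() still calls `axp20x_set_voltage_min_design()`, so the helper keeps the "design" wording that the commit removes from the property. Renaming the helper, whose definition is outside the hunk, to `axp20x_set_voltage_min()` would keep the driver consistent. Both limits stay writable (see axp20x_battery_prop_writeable() in the last hunk) and set the charging voltage range, so it is also worth confirming that the two setters range-check `val->intval`; that code is not visible here.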
+@@ -493,8 +493,8 @@ static enum power_supply_property axp20x_battery_props[] = {
+ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT,
+ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX,
+ POWER_SUPPLY_PROP_HEALTH,
+- POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN,
+- POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN,
++ POWER_SUPPLY_PROP_VOLTAGE_MAX,
++ POWER_SUPPLY_PROP_VOLTAGE_MIN,
+ POWER_SUPPLY_PROP_CAPACITY,
+ };
+
+@@ -502,8 +502,8 @@ static int axp20x_battery_prop_writeable(struct power_supply *psy,
+ enum power_supply_property psp)
+ {
+ return psp == POWER_SUPPLY_PROP_STATUS ||
+- psp == POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN ||
+- psp == POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN ||
++ psp == POWER_SUPPLY_PROP_VOLTAGE_MIN ||
++ psp == POWER_SUPPLY_PROP_VOLTAGE_MAX ||
+ psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT ||
+ psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX;
+ }
+--
+2.43.0
+
--- /dev/null
+From 0abf3d2ce807b38191ade28e63fa585f4c32f5fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Aug 2024 12:51:14 +0200
+Subject: power: supply: max17042_battery: Fix SOC threshold calc w/ no current
+ sense
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 3a3acf839b2cedf092bdd1ff65b0e9895df1656b ]
+
+Commit 223a3b82834f ("power: supply: max17042_battery: use VFSOC for
+capacity when no rsns") made it so that capacity on systems without
+current sensing would be read from VFSOC instead of RepSOC. However,
+the SOC threshold calculation still read RepSOC to get the SOC
+regardless of the current sensing option state.
+
+Fix this by applying the same conditional to determine which register
+should be read.
+
+This also seems to be the intended behavior as per the datasheet - SOC
+alert config value in MiscCFG on setups without current sensing is set
+to a value of 0b11, indicating SOC alerts being generated based on
+VFSOC, instead of 0b00 which indicates SOC alerts being generated based
+on RepSOC.
+
+This fixes an issue on the Galaxy S3/Midas boards, where the alert
+interrupt would be constantly retriggered, causing high CPU usage
+on idle (around ~12%-15%).
+
+Fixes: e5f3872d2044 ("max17042: Add support for signalling change in SOC")
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Henrik Grimler <henrik@grimler.se>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240817-max17042-soc-threshold-fix-v1-1-72b45899c3cc@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max17042_battery.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c
+index e7d37e422c3f6..496c3e1f2ee6d 100644
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -853,7 +853,10 @@ static void max17042_set_soc_threshold(struct max17042_chip *chip, u16 off)
+ /* program interrupt thresholds such that we should
+ * get interrupt for every 'off' perc change in the soc
+ */
+- regmap_read(map, MAX17042_RepSOC, &soc);
++ if (chip->pdata->enable_current_sense)
++ regmap_read(map, MAX17042_RepSOC, &soc);
++ else
++ regmap_read(map, MAX17042_VFSOC, &soc);
+ soc >>= 8;
+ soc_tr = (soc + off) << 8;
+ if (off < soc)
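Review bot: Both new `regmap_read()` calls in max17042_set_soc_threshold() ignore the return value, so after a failed bus read the thresholds below are computed from whatever `soc` held before. Selecting the register first and bailing out on error avoids that: `reg = chip->pdata->enable_current_sense ? MAX17042_RepSOC : MAX17042_VFSOC;` followed by `if (regmap_read(map, reg, &soc)) return;`. The declaration of `soc` and the rest of the function are outside the hunk, so whether `soc` is initialised there cannot be seen.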
+--
+2.43.0
+
--- /dev/null
+From 7bdaef9849e20ce3f508b012ca140bf35aca5cc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 11:41:34 +0300
+Subject: powercap: intel_rapl: Fix off by one in get_rpi()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 95f6580352a7225e619551febb83595bcb77ab17 ]
+
+The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have
+NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >=
+to prevent an off by one access.
+
+Fixes: 98ff639a7289 ("powercap: intel_rapl: Support per Interface primitive information")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: Zhang Rui <rui.zhang@intel.com>
+Link: https://patch.msgid.link/86e3a059-504d-4795-a5ea-4a653f3b41f8@stanley.mountain
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/intel_rapl_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c
+index 8e7f4c0473ab9..9bf9ed9a6a54f 100644
+--- a/drivers/powercap/intel_rapl_common.c
++++ b/drivers/powercap/intel_rapl_common.c
+@@ -740,7 +740,7 @@ static struct rapl_primitive_info *get_rpi(struct rapl_package *rp, int prim)
+ {
+ struct rapl_primitive_info *rpi = rp->priv->rpi;
+
+- if (prim < 0 || prim > NR_RAPL_PRIMITIVES || !rpi)
++ if (prim < 0 || prim >= NR_RAPL_PRIMITIVES || !rpi)
+ return NULL;
+
+ return &rpi[prim];
+--
+2.43.0
+
--- /dev/null
+From 71340b4b832f7494c0a498daea4fc2c1ce09230f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 19:23:45 +0200
+Subject: powerpc/8xx: Fix initial memory mapping
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit f9f2bff64c2f0dbee57be3d8c2741357ad3d05e6 ]
+
+Commit cf209951fa7f ("powerpc/8xx: Map linear memory with huge pages")
+introduced an initial mapping of kernel TEXT using PAGE_KERNEL_TEXT,
+but the pages that contain kernel TEXT may also contain kernel RODATA,
+and depending on selected debug options PAGE_KERNEL_TEXT may be either
+RWX or ROX. RODATA must be writable during init because it also
+contains ro_after_init data.
+
+So use PAGE_KERNEL_X instead to be sure it is RWX.
+
+Fixes: cf209951fa7f ("powerpc/8xx: Map linear memory with huge pages")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/dac7a828d8497c4548c91840575a706657baa4f1.1724173828.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/nohash/8xx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/mm/nohash/8xx.c b/arch/powerpc/mm/nohash/8xx.c
+index d93433e26dedb..e5cc3b3a259f9 100644
+--- a/arch/powerpc/mm/nohash/8xx.c
++++ b/arch/powerpc/mm/nohash/8xx.c
+@@ -154,11 +154,11 @@ unsigned long __init mmu_mapin_ram(unsigned long base, unsigned long top)
+
+ mmu_mapin_immr();
+
+- mmu_mapin_ram_chunk(0, boundary, PAGE_KERNEL_TEXT, true);
++ mmu_mapin_ram_chunk(0, boundary, PAGE_KERNEL_X, true);
+ if (debug_pagealloc_enabled_or_kfence()) {
+ top = boundary;
+ } else {
+- mmu_mapin_ram_chunk(boundary, einittext8, PAGE_KERNEL_TEXT, true);
++ mmu_mapin_ram_chunk(boundary, einittext8, PAGE_KERNEL_X, true);
+ mmu_mapin_ram_chunk(einittext8, top, PAGE_KERNEL, true);
+ }
+
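Review bot: Both `mmu_mapin_ram_chunk()` calls for the text range in mmu_mapin_ram() now pass `PAGE_KERNEL_X`, so everything up to `einittext8` is mapped writable and executable at once, and nothing at the call site says this is deliberate. A comment such as `/* RWX on purpose: these pages may also hold RODATA, which must stay writable during init (ro_after_init) */` would stop someone from changing it back to PAGE_KERNEL_TEXT. It is also worth confirming that the later permission tightening, which is outside this hunk, covers the same range so the writable-and-executable window ends after init. The function continues outside the hunk.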
+--
+2.43.0
+
--- /dev/null
+From 6aa9096ccdbfbfd1d582facc6a9a46588a21f5fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 19:23:46 +0200
+Subject: powerpc/8xx: Fix kernel vs user address comparison
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 65a82e117ffeeab0baf6f871a1cab11a28ace183 ]
+
+Since commit 9132a2e82adc ("powerpc/8xx: Define a MODULE area below
+kernel text"), module exec space is below PAGE_OFFSET so not only
+space above PAGE_OFFSET, but space above TASK_SIZE need to be seen
+as kernel space.
+
+Until now the problem went undetected because by default TASK_SIZE
+is 0x8000000 which means address space is determined by just
+checking upper address bit. But when TASK_SIZE is over 0x80000000,
+PAGE_OFFSET is used for comparison, leading to thinking module
+addresses are part of user space.
+
+Fix it by using TASK_SIZE instead of PAGE_OFFSET for address
+comparison.
+
+Fixes: 9132a2e82adc ("powerpc/8xx: Define a MODULE area below kernel text")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/3f574c9845ff0a023b46cb4f38d2c45aecd769bd.1724173828.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/head_8xx.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
+index edc479a7c2bce..0bd317b564752 100644
+--- a/arch/powerpc/kernel/head_8xx.S
++++ b/arch/powerpc/kernel/head_8xx.S
+@@ -41,12 +41,12 @@
+ #include "head_32.h"
+
+ .macro compare_to_kernel_boundary scratch, addr
+-#if CONFIG_TASK_SIZE <= 0x80000000 && CONFIG_PAGE_OFFSET >= 0x80000000
++#if CONFIG_TASK_SIZE <= 0x80000000 && MODULES_VADDR >= 0x80000000
+ /* By simply checking Address >= 0x80000000, we know if its a kernel address */
+ not. \scratch, \addr
+ #else
+ rlwinm \scratch, \addr, 16, 0xfff8
+- cmpli cr0, \scratch, PAGE_OFFSET@h
++ cmpli cr0, \scratch, TASK_SIZE@h
+ #endif
+ .endm
+
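Review bot: The comment under the new `#if` in compare_to_kernel_boundary still explains the fast path only as `Address >= 0x80000000`, without saying why the condition now tests `MODULES_VADDR`. I would extend it to something like `/* Modules sit below PAGE_OFFSET, so the single-bit test is only valid when MODULES_VADDR is >= 0x80000000 too */`. FixupDAR in the next hunk open-codes the same `rlwinm` / `cmpli ..., TASK_SIZE@h` pair on cr1, so the two copies have to be kept in step by hand; a short cross-reference comment there would help.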
+@@ -404,7 +404,7 @@ FixupDAR:/* Entry point for dcbx workaround. */
+ mfspr r10, SPRN_SRR0
+ mtspr SPRN_MD_EPN, r10
+ rlwinm r11, r10, 16, 0xfff8
+- cmpli cr1, r11, PAGE_OFFSET@h
++ cmpli cr1, r11, TASK_SIZE@h
+ mfspr r11, SPRN_M_TWB /* Get level 1 table */
+ blt+ cr1, 3f
+
+--
+2.43.0
+
--- /dev/null
+From 929d5cd7458d50c8de5b59b7e56d379a7852a96c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 10:33:43 +0200
+Subject: powerpc/vdso: Fix VDSO data access when running in a non-root time
+ namespace
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit c73049389e58c01e2e3bbfae900c8daeee177191 ]
+
+When running in a non-root time namespace, the global VDSO data page
+is replaced by a dedicated namespace data page and the global data
+page is mapped next to it. Detailed explanations can be found at
+commit 660fd04f9317 ("lib/vdso: Prepare for time namespace support").
+
+When it happens, __kernel_get_syscall_map and __kernel_get_tbfreq
+and __kernel_sync_dicache don't work anymore because they read 0
+instead of the data they need.
+
+To address that, clock_mode has to be read. When it is set to
+VDSO_CLOCKMODE_TIMENS, it means it is a dedicated namespace data page
+and the global data is located on the following page.
+
+Add a macro called get_realdatapage which reads clock_mode and add
+PAGE_SIZE to the pointer provided by get_datapage macro when
+clock_mode is equal to VDSO_CLOCKMODE_TIMENS. Use this new macro
+instead of get_datapage macro except for time functions as they handle
+it internally.
+
+Fixes: 74205b3fc2ef ("powerpc/vdso: Add support for time namespaces")
+Reported-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Closes: https://lore.kernel.org/all/ZtnYqZI-nrsNslwy@zx2c4.com/
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/vdso_datapage.h | 15 +++++++++++++++
+ arch/powerpc/kernel/asm-offsets.c | 2 ++
+ arch/powerpc/kernel/vdso/cacheflush.S | 2 +-
+ arch/powerpc/kernel/vdso/datapage.S | 4 ++--
+ 4 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/vdso_datapage.h b/arch/powerpc/include/asm/vdso_datapage.h
+index a585c8e538ff0..939daf6b695ef 100644
+--- a/arch/powerpc/include/asm/vdso_datapage.h
++++ b/arch/powerpc/include/asm/vdso_datapage.h
+@@ -111,6 +111,21 @@ extern struct vdso_arch_data *vdso_data;
+ addi \ptr, \ptr, (_vdso_datapage - 999b)@l
+ .endm
+
++#include <asm/asm-offsets.h>
++#include <asm/page.h>
++
++.macro get_realdatapage ptr scratch
++ get_datapage \ptr
++#ifdef CONFIG_TIME_NS
++ lwz \scratch, VDSO_CLOCKMODE_OFFSET(\ptr)
++ xoris \scratch, \scratch, VDSO_CLOCKMODE_TIMENS@h
++ xori \scratch, \scratch, VDSO_CLOCKMODE_TIMENS@l
++ cntlzw \scratch, \scratch
++ rlwinm \scratch, \scratch, PAGE_SHIFT - 5, 1 << PAGE_SHIFT
++ add \ptr, \ptr, \scratch
++#endif
++.endm
++
+ #endif /* __ASSEMBLY__ */
+
+ #endif /* __KERNEL__ */
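Review bot: The `get_realdatapage` macro computes its page offset with a branchless `xoris`/`xori`/`cntlzw`/`rlwinm` sequence that is not explained anywhere. A comment above it, e.g. `/* scratch = (clock_mode == VDSO_CLOCKMODE_TIMENS) ? PAGE_SIZE : 0, without a branch */`, together with a remark that `\scratch` is clobbered, would make it reviewable. The callers in cacheflush.S and datapage.S pass r11 as scratch, and whether r11 is free at those points cannot be seen from their hunks. The two `#include` lines are also added in the middle of the header rather than with the other includes, which are outside this hunk.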
+diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
+index f029755f9e69a..0c5c0fbf62417 100644
+--- a/arch/powerpc/kernel/asm-offsets.c
++++ b/arch/powerpc/kernel/asm-offsets.c
+@@ -346,6 +346,8 @@ int main(void)
+ #else
+ OFFSET(CFG_SYSCALL_MAP32, vdso_arch_data, syscall_map);
+ #endif
++ OFFSET(VDSO_CLOCKMODE_OFFSET, vdso_arch_data, data[0].clock_mode);
++ DEFINE(VDSO_CLOCKMODE_TIMENS, VDSO_CLOCKMODE_TIMENS);
+
+ #ifdef CONFIG_BUG
+ DEFINE(BUG_ENTRY_SIZE, sizeof(struct bug_entry));
+diff --git a/arch/powerpc/kernel/vdso/cacheflush.S b/arch/powerpc/kernel/vdso/cacheflush.S
+index 0085ae464dac9..3b2479bd2f9a1 100644
+--- a/arch/powerpc/kernel/vdso/cacheflush.S
++++ b/arch/powerpc/kernel/vdso/cacheflush.S
+@@ -30,7 +30,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE)
+ #ifdef CONFIG_PPC64
+ mflr r12
+ .cfi_register lr,r12
+- get_datapage r10
++ get_realdatapage r10, r11
+ mtlr r12
+ .cfi_restore lr
+ #endif
+diff --git a/arch/powerpc/kernel/vdso/datapage.S b/arch/powerpc/kernel/vdso/datapage.S
+index db8e167f01667..2b19b6201a33a 100644
+--- a/arch/powerpc/kernel/vdso/datapage.S
++++ b/arch/powerpc/kernel/vdso/datapage.S
+@@ -28,7 +28,7 @@ V_FUNCTION_BEGIN(__kernel_get_syscall_map)
+ mflr r12
+ .cfi_register lr,r12
+ mr. r4,r3
+- get_datapage r3
++ get_realdatapage r3, r11
+ mtlr r12
+ #ifdef __powerpc64__
+ addi r3,r3,CFG_SYSCALL_MAP64
+@@ -52,7 +52,7 @@ V_FUNCTION_BEGIN(__kernel_get_tbfreq)
+ .cfi_startproc
+ mflr r12
+ .cfi_register lr,r12
+- get_datapage r3
++ get_realdatapage r3, r11
+ #ifndef __powerpc64__
+ lwz r4,(CFG_TB_TICKS_PER_SEC + 4)(r3)
+ #endif
+--
+2.43.0
+
--- /dev/null
+From ee64d8b3f199576b8b3702ee333df78456800bed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 10:00:29 +0200
+Subject: powerpc/vdso: Inconditionally use CFUNC macro
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 65948b0e716a47382731889ee6bbb18642b8b003 ]
+
+During merge of commit 4e991e3c16a3 ("powerpc: add CFUNC assembly
+label annotation") a fallback version of CFUNC macro was added at
+the last minute, so it can be used unconditionally.
+
+Fixes: 4e991e3c16a3 ("powerpc: add CFUNC assembly label annotation")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/0fa863f2f69b2ca4094ae066fcf1430fb31110c9.1724313540.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/vdso/gettimeofday.S | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/powerpc/kernel/vdso/gettimeofday.S b/arch/powerpc/kernel/vdso/gettimeofday.S
+index 48fc6658053aa..894cb939cd2b3 100644
+--- a/arch/powerpc/kernel/vdso/gettimeofday.S
++++ b/arch/powerpc/kernel/vdso/gettimeofday.S
+@@ -38,11 +38,7 @@
+ .else
+ addi r4, r5, VDSO_DATA_OFFSET
+ .endif
+-#ifdef __powerpc64__
+ bl CFUNC(DOTSYM(\funct))
+-#else
+- bl \funct
+-#endif
+ PPC_LL r0, PPC_MIN_STKFRM + PPC_LR_STKOFF(r1)
+ #ifdef __powerpc64__
+ PPC_LL r2, PPC_MIN_STKFRM + STK_GOT(r1)
+--
+2.43.0
+
--- /dev/null
+From 48a44a17fdb724cbf389bf6deda30cae49074b14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jul 2024 21:05:31 +0800
+Subject: quota: avoid missing put_quota_format when DQUOT_SUSPENDED is passed
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit d16a5f852025be546b6e4ceef15899db3490f4d7 ]
+
+Avoid missing put_quota_format when DQUOT_SUSPENDED is passed to
+dquot_load_quota_sb.
+
+Link: https://patch.msgid.link/20240715130534.2112678-2-shikemeng@huaweicloud.com
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Fixes: d44c57663723 ("quota: Remove BUG_ON in dquot_load_quota_sb()")
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 627eb2f72ef37..23fcf9e9d6c55 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2408,7 +2408,7 @@ static int vfs_setup_quota_inode(struct inode *inode, int type)
+ int dquot_load_quota_sb(struct super_block *sb, int type, int format_id,
+ unsigned int flags)
+ {
+- struct quota_format_type *fmt = find_quota_format(format_id);
++ struct quota_format_type *fmt;
+ struct quota_info *dqopt = sb_dqopt(sb);
+ int error;
+
+@@ -2418,6 +2418,7 @@ int dquot_load_quota_sb(struct super_block *sb, int type, int format_id,
+ if (WARN_ON_ONCE(flags & DQUOT_SUSPENDED))
+ return -EINVAL;
+
++ fmt = find_quota_format(format_id);
+ if (!fmt)
+ return -ESRCH;
+ if (!sb->dq_op || !sb->s_qcop ||
+--
+2.43.0
+
--- /dev/null
+From bc6f9d55ab366f44475c14d0cca28af0d5cdd970 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 15:51:11 +0200
+Subject: r8169: disable ALDPS per default for RTL8125
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit b9c7ac4fe22c608acf6153a3329df2b6b6cd416c ]
+
+En-Wei reported that traffic breaks if cable is unplugged for more
+than 3s and then re-plugged. This was supposed to be fixed by
+621735f59064 ("r8169: fix rare issue with broken rx after link-down on
+RTL8125"). But apparently this didn't fix the issue for everybody.
+The 3s threshold rang a bell, as this is the delay after which ALDPS
+kicks in. And indeed disabling ALDPS fixes the issue for this user.
+Maybe this fixes the issue in general. In a follow-up step we could
+remove the first fix attempt and see whether anybody complains.
+
+Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125")
+Tested-by: En-Wei WU <en-wei.wu@canonical.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://patch.msgid.link/778b9d86-05c4-4856-be59-cde4487b9e52@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_phy_config.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_phy_config.c b/drivers/net/ethernet/realtek/r8169_phy_config.c
+index 1f74317beb887..e1e5d9672ae44 100644
+--- a/drivers/net/ethernet/realtek/r8169_phy_config.c
++++ b/drivers/net/ethernet/realtek/r8169_phy_config.c
+@@ -1060,6 +1060,7 @@ static void rtl8125a_2_hw_phy_config(struct rtl8169_private *tp,
+ phy_modify_paged(phydev, 0xa86, 0x15, 0x0001, 0x0000);
+ rtl8168g_enable_gphy_10m(phydev);
+
++ rtl8168g_disable_aldps(phydev);
+ rtl8125a_config_eee_phy(phydev);
+ }
+
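Review bot: The added `rtl8168g_disable_aldps(phydev);` in rtl8125a_2_hw_phy_config() carries no comment, although it switches off a power-saving feature as a workaround rather than as part of the normal PHY setup. Something like `/* ALDPS breaks traffic after a link-down longer than ~3s on some RTL8125; keep it disabled */` would record the reason given in the commit message. The identical call added to rtl8125b_hw_phy_config() in the next hunk needs the same comment.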
+@@ -1099,6 +1100,7 @@ static void rtl8125b_hw_phy_config(struct rtl8169_private *tp,
+ phy_modify_paged(phydev, 0xbf8, 0x12, 0xe000, 0xa000);
+
+ rtl8125_legacy_force_mode(phydev);
++ rtl8168g_disable_aldps(phydev);
+ rtl8125b_config_eee_phy(phydev);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 8e03e6c1eb4a3279b959ad077652bcba3cc31c3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 00:56:40 +0200
+Subject: rcu/nocb: Fix RT throttling hrtimer armed from offline CPU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit 9139f93209d1ffd7f489ab19dee01b7c3a1a43d2 ]
+
+After a CPU is marked offline and until it reaches its final trip to
+idle, rcuo has several opportunities to be woken up, either because
+a callback has been queued in the meantime or because
+rcutree_report_cpu_dead() has issued the final deferred NOCB wake up.
+
+If RCU-boosting is enabled, RCU kthreads are set to SCHED_FIFO policy.
+And if RT-bandwidth is enabled, the related hrtimer might be armed.
+However this then happens after hrtimers have been migrated at the
+CPUHP_AP_HRTIMERS_DYING stage, which is broken as reported by the
+following warning:
+
+ Call trace:
+ enqueue_hrtimer+0x7c/0xf8
+ hrtimer_start_range_ns+0x2b8/0x300
+ enqueue_task_rt+0x298/0x3f0
+ enqueue_task+0x94/0x188
+ ttwu_do_activate+0xb4/0x27c
+ try_to_wake_up+0x2d8/0x79c
+ wake_up_process+0x18/0x28
+ __wake_nocb_gp+0x80/0x1a0
+ do_nocb_deferred_wakeup_common+0x3c/0xcc
+ rcu_report_dead+0x68/0x1ac
+ cpuhp_report_idle_dead+0x48/0x9c
+ do_idle+0x288/0x294
+ cpu_startup_entry+0x34/0x3c
+ secondary_start_kernel+0x138/0x158
+
+Fix this with waking up rcuo using an IPI if necessary. Since the
+existing API to deal with this situation only handles swait queue, rcuo
+is only woken up from offline CPUs if it's not already waiting on a
+grace period. In the worst case some callbacks will just wait for a
+grace period to complete before being assigned to a subsequent one.
+
+Reported-by: "Cheng-Jui Wang (王正睿)" <Cheng-Jui.Wang@mediatek.com>
+Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Neeraj Upadhyay <neeraj.upadhyay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_nocb.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h
+index 2d9eed2bf7509..9b485f1060c01 100644
+--- a/kernel/rcu/tree_nocb.h
++++ b/kernel/rcu/tree_nocb.h
+@@ -220,7 +220,10 @@ static bool __wake_nocb_gp(struct rcu_data *rdp_gp,
+ raw_spin_unlock_irqrestore(&rdp_gp->nocb_gp_lock, flags);
+ if (needwake) {
+ trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, TPS("DoWake"));
+- wake_up_process(rdp_gp->nocb_gp_kthread);
++ if (cpu_is_offline(raw_smp_processor_id()))
++ swake_up_one_online(&rdp_gp->nocb_gp_wq);
++ else
++ wake_up_process(rdp_gp->nocb_gp_kthread);
+ }
+
+ return needwake;
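Review bot: The new `cpu_is_offline(raw_smp_processor_id())` branch in __wake_nocb_gp() has no comment, and the code alone does not show why `swake_up_one_online()` replaces `wake_up_process()` here. I would add `/* Offline CPU: wake through the swait queue so the RT throttling hrtimer is not armed on this CPU */` above the `if`. The commit message also states that on this path rcuo is only woken if it is not already waiting on a grace period; that limitation belongs in the comment too. The function starts outside the hunk.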
+--
+2.43.0
+
--- /dev/null
+From 148aa9beffcab979a5503c8269abb4d3d794e698 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 10:58:39 -0400
+Subject: RDMA/cxgb4: Added NULL check for lookup_atid
+
+From: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+
+[ Upstream commit e766e6a92410ca269161de059fff0843b8ddd65f ]
+
+The lookup_atid() function can return NULL if the ATID is
+invalid or does not exist in the identifier table, which
+could lead to dereferencing a null pointer without a
+check in the `act_establish()` and `act_open_rpl()` functions.
+Add a NULL check to prevent null pointer dereferencing.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+Link: https://patch.msgid.link/20240912145844.77516-1-m.lobanov@rosalinux.ru
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index 040ba2224f9ff..b3757c6a0457a 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -1222,6 +1222,8 @@ static int act_establish(struct c4iw_dev *dev, struct sk_buff *skb)
+ int ret;
+
+ ep = lookup_atid(t, atid);
++ if (!ep)
++ return -EINVAL;
+
+ pr_debug("ep %p tid %u snd_isn %u rcv_isn %u\n", ep, tid,
+ be32_to_cpu(req->snd_isn), be32_to_cpu(req->rcv_isn));
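Review bot: The new `if (!ep) return -EINVAL;` in act_establish() drops a message with an unknown ATID without any trace, which makes a misbehaving adapter or a stale reply hard to spot afterwards. A rate-limited diagnostic before the return, e.g. `pr_warn_ratelimited("%s: no endpoint for atid %u\n", __func__, atid);`, would give operators something to detect (the format assumes `atid` is unsigned, its declaration is outside the hunk). The same applies to the check added to act_open_rpl() in the next hunk. What the dispatcher does with the skb on a non-zero return is outside both hunks and is worth confirming.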
+@@ -2279,6 +2281,9 @@ static int act_open_rpl(struct c4iw_dev *dev, struct sk_buff *skb)
+ int ret = 0;
+
+ ep = lookup_atid(t, atid);
++ if (!ep)
++ return -EINVAL;
++
+ la = (struct sockaddr_in *)&ep->com.local_addr;
+ ra = (struct sockaddr_in *)&ep->com.remote_addr;
+ la6 = (struct sockaddr_in6 *)&ep->com.local_addr;
+--
+2.43.0
+
--- /dev/null
+From 7704fd5192a16ae46c766e6d03e5cb7a1ed0af08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 19:29:20 +0800
+Subject: RDMA/erdma: Return QP state in erdma_query_qp
+
+From: Cheng Xu <chengyou@linux.alibaba.com>
+
+[ Upstream commit e77127ff6416b17e0b3e630ac46ee5c9a6570f57 ]
+
+Fix qp_state and cur_qp_state to return correct values in
+struct ib_qp_attr.
+
+Fixes: 155055771704 ("RDMA/erdma: Add verbs implementation")
+Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
+Link: https://patch.msgid.link/20240902112920.58749-4-chengyou@linux.alibaba.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/erdma/erdma_verbs.c | 25 ++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c
+index 40c9b6e46b82b..3e3a3e1c241e7 100644
+--- a/drivers/infiniband/hw/erdma/erdma_verbs.c
++++ b/drivers/infiniband/hw/erdma/erdma_verbs.c
+@@ -1544,11 +1544,31 @@ int erdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask,
+ return ret;
+ }
+
++static enum ib_qp_state query_qp_state(struct erdma_qp *qp)
++{
++ switch (qp->attrs.state) {
++ case ERDMA_QP_STATE_IDLE:
++ return IB_QPS_INIT;
++ case ERDMA_QP_STATE_RTR:
++ return IB_QPS_RTR;
++ case ERDMA_QP_STATE_RTS:
++ return IB_QPS_RTS;
++ case ERDMA_QP_STATE_CLOSING:
++ return IB_QPS_ERR;
++ case ERDMA_QP_STATE_TERMINATE:
++ return IB_QPS_ERR;
++ case ERDMA_QP_STATE_ERROR:
++ return IB_QPS_ERR;
++ default:
++ return IB_QPS_ERR;
++ }
++}
++
+ int erdma_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+ int qp_attr_mask, struct ib_qp_init_attr *qp_init_attr)
+ {
+- struct erdma_qp *qp;
+ struct erdma_dev *dev;
++ struct erdma_qp *qp;
+
+ if (ibqp && qp_attr && qp_init_attr) {
+ qp = to_eqp(ibqp);
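Review bot: In `query_qp_state()` the CLOSING, TERMINATE and ERROR cases and `default` all return `IB_QPS_ERR`, so the switch spells the same result four times. Stacking the labels (`case ERDMA_QP_STATE_CLOSING:`, `case ERDMA_QP_STATE_TERMINATE:`, `case ERDMA_QP_STATE_ERROR:`, `default:` followed by one `return IB_QPS_ERR;`) states the mapping once. A short comment above the function saying that every erdma state without a direct verbs equivalent is reported as the error state would document the intent. erdma_query_qp continues outside the hunk.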
+@@ -1575,6 +1595,9 @@ int erdma_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+
+ qp_init_attr->cap = qp_attr->cap;
+
++ qp_attr->qp_state = query_qp_state(qp);
++ qp_attr->cur_qp_state = query_qp_state(qp);
++
+ return 0;
+ }
+
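Review bot: `qp_attr->qp_state` and `qp_attr->cur_qp_state` are filled by two separate calls to `query_qp_state(qp)`, each of which reads `qp->attrs.state`. No lock is visible around them in this hunk, so if the state can change concurrently the two fields may disagree in one query result. Reading it once keeps them consistent: `qp_attr->qp_state = query_qp_state(qp);` followed by `qp_attr->cur_qp_state = qp_attr->qp_state;`. erdma_query_qp starts outside the hunk.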
+--
+2.43.0
+
--- /dev/null
+From d582d04a90af84f1c2541fe843d9910c6d09d91e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:36 +0800
+Subject: RDMA/hns: Don't modify rq next block addr in HIP09 QPC
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 6928d264e328e0cb5ee7663003a6e46e4cba0a7e ]
+
+The field 'rq next block addr' in QPC can be updated by driver only
+on HIP08. On HIP09 HW updates this field while driver is not allowed.
+
+Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-2-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 621b057fb9daa..a166b476977f1 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -4423,12 +4423,14 @@ static int config_qp_rq_buf(struct hns_roce_dev *hr_dev,
+ upper_32_bits(to_hr_hw_page_addr(mtts[0])));
+ hr_reg_clear(qpc_mask, QPC_RQ_CUR_BLK_ADDR_H);
+
+- context->rq_nxt_blk_addr = cpu_to_le32(to_hr_hw_page_addr(mtts[1]));
+- qpc_mask->rq_nxt_blk_addr = 0;
+-
+- hr_reg_write(context, QPC_RQ_NXT_BLK_ADDR_H,
+- upper_32_bits(to_hr_hw_page_addr(mtts[1])));
+- hr_reg_clear(qpc_mask, QPC_RQ_NXT_BLK_ADDR_H);
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
++ context->rq_nxt_blk_addr =
++ cpu_to_le32(to_hr_hw_page_addr(mtts[1]));
++ qpc_mask->rq_nxt_blk_addr = 0;
++ hr_reg_write(context, QPC_RQ_NXT_BLK_ADDR_H,
++ upper_32_bits(to_hr_hw_page_addr(mtts[1])));
++ hr_reg_clear(qpc_mask, QPC_RQ_NXT_BLK_ADDR_H);
++ }
+
+ return 0;
+ }
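Review bot: The new `if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)` guard carries no comment, so the reason the next-block address is skipped on other revisions lives only in the commit message. I would add above it `/* Only HIP08 lets the driver write RQ_NXT_BLK_ADDR; on HIP09 the HW owns this field. */`. config_qp_rq_buf starts outside the hunk.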
+--
+2.43.0
+
--- /dev/null
+From e2c618cde718a1890e387d1ee18259c923757caa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:42 +0800
+Subject: RDMA/hns: Fix 1bit-ECC recovery address in non-4K OS
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit ce196f6297c7f3ab7780795e40efd6c521f60c8b ]
+
+The 1bit-ECC recovery address read from HW only contain bits 64:12, so
+it should be fixed left-shifted 12 bits when used.
+
+Currently, the driver will shift the address left by PAGE_SHIFT when
+used, which is wrong in non-4K OS.
+
+Fixes: 2de949abd6a5 ("RDMA/hns: Recover 1bit-ECC error of RAM on chip")
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-8-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 5483d04b3ab7e..349b68d7e7db6 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -6285,7 +6285,7 @@ static u64 fmea_get_ram_res_addr(u32 res_type, __le64 *data)
+ res_type == ECC_RESOURCE_SCCC)
+ return le64_to_cpu(*data);
+
+- return le64_to_cpu(*data) << PAGE_SHIFT;
++ return le64_to_cpu(*data) << HNS_HW_PAGE_SHIFT;
+ }
+
+ static int fmea_recover_others(struct hns_roce_dev *hr_dev, u32 res_type,
+--
+2.43.0
+
--- /dev/null
+From 40be33e366d83aa266dffa5dff5bff9b396bd01e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 19:57:00 +0800
+Subject: RDMA/hns: Fix ah error counter in sw stat not increasing
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 39c047d4047a1242aeefa87513174b56a91080ab ]
+
+There are several error cases where hns_roce_create_ah() returns
+directly without jumping to sw stat path, thus leading to a problem
+that the ah error counter does not increase.
+
+Fixes: ee20cc17e9d8 ("RDMA/hns: Support DSCP")
+Fixes: eb7854d63db5 ("RDMA/hns: Support SW stats with debugfs")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240912115700.2016443-1-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_ah.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c
+index 3e02c474f59fe..4fc5b9d5fea87 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_ah.c
++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c
+@@ -64,8 +64,10 @@ int hns_roce_create_ah(struct ib_ah *ibah, struct rdma_ah_init_attr *init_attr,
+ u8 tc_mode = 0;
+ int ret;
+
+- if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08 && udata)
+- return -EOPNOTSUPP;
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08 && udata) {
++ ret = -EOPNOTSUPP;
++ goto err_out;
++ }
+
+ ah->av.port = rdma_ah_get_port_num(ah_attr);
+ ah->av.gid_index = grh->sgid_index;
+@@ -83,7 +85,7 @@ int hns_roce_create_ah(struct ib_ah *ibah, struct rdma_ah_init_attr *init_attr,
+ ret = 0;
+
+ if (ret && grh->sgid_attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP)
+- return ret;
++ goto err_out;
+
+ if (tc_mode == HNAE3_TC_MAP_MODE_DSCP &&
+ grh->sgid_attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP)
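Review bot: At `if (ret && grh->sgid_attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP) goto err_out;` a non-zero `ret` combined with any other gid_type falls through and stays in `ret`. Now that the error counter is driven from `err_out` (the label is outside these hunks), it is worth confirming that every later path overwrites `ret` before reaching it; otherwise a create that was meant to succeed could be counted, and returned, as a failure. If the fall-through is intended, an explicit `ret = 0;` after this check would make that clear. The other two hunks in hns_roce_create_ah use the same goto pattern and look consistent with it.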
+@@ -91,8 +93,10 @@ int hns_roce_create_ah(struct ib_ah *ibah, struct rdma_ah_init_attr *init_attr,
+ else
+ ah->av.sl = rdma_ah_get_sl(ah_attr);
+
+- if (!check_sl_valid(hr_dev, ah->av.sl))
+- return -EINVAL;
++ if (!check_sl_valid(hr_dev, ah->av.sl)) {
++ ret = -EINVAL;
++ goto err_out;
++ }
+
+ memcpy(ah->av.dgid, grh->dgid.raw, HNS_ROCE_GID_SIZE);
+ memcpy(ah->av.mac, ah_attr->roce.dmac, ETH_ALEN);
+--
+2.43.0
+
--- /dev/null
+From 1fb855ecb988479eea81fb5cb11ce46ec6767d69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 14:53:31 +0800
+Subject: RDMA/hns: Fix restricted __le16 degrades to integer issue
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit f4ccc0a2a0c5977540f519588636b5bc81aae2db ]
+
+Fix sparse warnings: restricted __le16 degrades to integer.
+
+Fixes: 5a87279591a1 ("RDMA/hns: Support hns HW stats")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202409080508.g4mNSLwy-lkp@intel.com/
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240909065331.3950268-1-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 349b68d7e7db6..24e906b9d3ae1 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -1681,8 +1681,8 @@ static int hns_roce_hw_v2_query_counter(struct hns_roce_dev *hr_dev,
+
+ for (i = 0; i < HNS_ROCE_HW_CNT_TOTAL && i < *num_counters; i++) {
+ bd_idx = i / CNT_PER_DESC;
+- if (!(desc[bd_idx].flag & HNS_ROCE_CMD_FLAG_NEXT) &&
+- bd_idx != HNS_ROCE_HW_CNT_TOTAL / CNT_PER_DESC)
++ if (bd_idx != HNS_ROCE_HW_CNT_TOTAL / CNT_PER_DESC &&
++ !(desc[bd_idx].flag & cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT)))
+ break;
+
+ cnt_data = (__le64 *)&desc[bd_idx].data[0];
+--
+2.43.0
+
--- /dev/null
+From 50fb58aa566897bf3c5c154fd6c17518b4b3ec3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:40 +0800
+Subject: RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 74d315b5af180220d561684d15897730135733a6 ]
+
+Fix misuse of spin_lock_irq()/spin_unlock_irq() when
+spin_lock_irqsave()/spin_unlock_irqrestore() is held.
+
+This was discovered through the lock debugging, and the corresponding
+log is as follows:
+
+raw_local_irq_restore() called with IRQs enabled
+WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
+...
+Call trace:
+ warn_bogus_irq_restore+0x30/0x40
+ _raw_spin_unlock_irqrestore+0x84/0xc8
+ add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]
+ hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]
+ hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]
+ create_qp+0x138/0x258
+ ib_create_qp_kernel+0x50/0xe8
+ create_mad_qp+0xa8/0x128
+ ib_mad_port_open+0x218/0x448
+ ib_mad_init_device+0x70/0x1f8
+ add_client_context+0xfc/0x220
+ enable_device_and_get+0xd0/0x140
+ ib_register_device.part.0+0xf4/0x1c8
+ ib_register_device+0x34/0x50
+ hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]
+ hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]
+ __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]
+ hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-6-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index 1de384ce4d0e1..6b03ba671ff8f 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -1460,19 +1460,19 @@ void hns_roce_lock_cqs(struct hns_roce_cq *send_cq, struct hns_roce_cq *recv_cq)
+ __acquire(&send_cq->lock);
+ __acquire(&recv_cq->lock);
+ } else if (unlikely(send_cq != NULL && recv_cq == NULL)) {
+- spin_lock_irq(&send_cq->lock);
++ spin_lock(&send_cq->lock);
+ __acquire(&recv_cq->lock);
+ } else if (unlikely(send_cq == NULL && recv_cq != NULL)) {
+- spin_lock_irq(&recv_cq->lock);
++ spin_lock(&recv_cq->lock);
+ __acquire(&send_cq->lock);
+ } else if (send_cq == recv_cq) {
+- spin_lock_irq(&send_cq->lock);
++ spin_lock(&send_cq->lock);
+ __acquire(&recv_cq->lock);
+ } else if (send_cq->cqn < recv_cq->cqn) {
+- spin_lock_irq(&send_cq->lock);
++ spin_lock(&send_cq->lock);
+ spin_lock_nested(&recv_cq->lock, SINGLE_DEPTH_NESTING);
+ } else {
+- spin_lock_irq(&recv_cq->lock);
++ spin_lock(&recv_cq->lock);
+ spin_lock_nested(&send_cq->lock, SINGLE_DEPTH_NESTING);
+ }
+ }
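Review bot: After the switch from `spin_lock_irq()` to plain `spin_lock()`, hns_roce_lock_cqs (and hns_roce_unlock_cqs in the next hunk) depends on the caller already running with interrupts disabled, assuming the CQ locks are also taken from interrupt context, and nothing in the code states or checks that. A `lockdep_assert_irqs_disabled();` at the top of both functions would catch a future caller that enters with IRQs on; at minimum a comment such as `/* Caller holds a spin_lock_irqsave() lock, so IRQs are already off. */` should record the contract. Both function bodies start outside their hunks.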
+@@ -1492,13 +1492,13 @@ void hns_roce_unlock_cqs(struct hns_roce_cq *send_cq,
+ spin_unlock(&recv_cq->lock);
+ } else if (send_cq == recv_cq) {
+ __release(&recv_cq->lock);
+- spin_unlock_irq(&send_cq->lock);
++ spin_unlock(&send_cq->lock);
+ } else if (send_cq->cqn < recv_cq->cqn) {
+ spin_unlock(&recv_cq->lock);
+- spin_unlock_irq(&send_cq->lock);
++ spin_unlock(&send_cq->lock);
+ } else {
+ spin_unlock(&send_cq->lock);
+- spin_unlock_irq(&recv_cq->lock);
++ spin_unlock(&recv_cq->lock);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From e1ffd50ea900b6c3c46837e4b22043dbf02b72c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:39 +0800
+Subject: RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range()
+
+From: wenglianfa <wenglianfa@huawei.com>
+
+[ Upstream commit d586628b169d14bbf36be64d2b3ec9d9d2fe0432 ]
+
+The max value of 'unit' and 'hop_num' is 2^24 and 2, so the value of
+'step' may exceed the range of u32. Change the type of 'step' to u64.
+
+Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-5-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index 02baa853a76c9..42111f31b3715 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -1041,9 +1041,9 @@ static bool hem_list_is_bottom_bt(int hopnum, int bt_level)
+ * @bt_level: base address table level
+ * @unit: ba entries per bt page
+ */
+-static u32 hem_list_calc_ba_range(int hopnum, int bt_level, int unit)
++static u64 hem_list_calc_ba_range(int hopnum, int bt_level, int unit)
+ {
+- u32 step;
++ u64 step;
+ int max;
+ int i;
+
+@@ -1079,7 +1079,7 @@ int hns_roce_hem_list_calc_root_ba(const struct hns_roce_buf_region *regions,
+ {
+ struct hns_roce_buf_region *r;
+ int total = 0;
+- int step;
++ u64 step;
+ int i;
+
+ for (i = 0; i < region_cnt; i++) {
+@@ -1110,7 +1110,7 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev,
+ int ret = 0;
+ int max_ofs;
+ int level;
+- u32 step;
++ u64 step;
+ int end;
+
+ if (hopnum <= 1)
+@@ -1147,7 +1147,7 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev,
+ }
+
+ start_aligned = (distance / step) * step + r->offset;
+- end = min_t(int, start_aligned + step - 1, max_ofs);
++ end = min_t(u64, start_aligned + step - 1, max_ofs);
+ cur = hem_list_alloc_item(hr_dev, start_aligned, end, unit,
+ true);
+ if (!cur) {
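Review bot: `end = min_t(u64, start_aligned + step - 1, max_ofs);` casts the `int max_ofs` to u64 and stores the result back into the `int end` declared in the previous hunk. If `max_ofs` could ever be negative (its computation is outside the hunk), the cast turns it into a very large value, the first operand wins and is then truncated on assignment to `end`. Widening `max_ofs` and `end` together with `step`, or rejecting a negative `max_ofs` before the loop, would keep the comparison and the stored value in the same domain. hem_list_alloc_mid_bt starts and ends outside the hunk.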
+@@ -1235,7 +1235,7 @@ static int setup_middle_bt(struct hns_roce_dev *hr_dev, void *cpu_base,
+ struct hns_roce_hem_item *hem, *temp_hem;
+ int total = 0;
+ int offset;
+- int step;
++ u64 step;
+
+ step = hem_list_calc_ba_range(r->hopnum, 1, unit);
+ if (step < 1)
+--
+2.43.0
+
--- /dev/null
+From 4754e9a299e126ec45b4dc567ec62b40df49f362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:37 +0800
+Subject: RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08
+
+From: wenglianfa <wenglianfa@huawei.com>
+
+[ Upstream commit fd8489294dd2beefb70f12ec4f6132aeec61a4d0 ]
+
+Currently rsv_qp is freed before ib_unregister_device() is called
+on HIP08. During the time interval, users can still dereg MR and
+rsv_qp will be used in this process, leading to a UAF. Move the
+release of rsv_qp after calling ib_unregister_device() to fix it.
+
+Fixes: 70f92521584f ("RDMA/hns: Use the reserved loopback QPs to free MR before destroying MPT")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-3-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index a166b476977f1..2225c9cc63661 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -2972,6 +2972,9 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev)
+
+ static void hns_roce_v2_exit(struct hns_roce_dev *hr_dev)
+ {
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
++ free_mr_exit(hr_dev);
++
+ hns_roce_function_clear(hr_dev);
+
+ if (!hr_dev->is_vf)
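Review bot: Calling `free_mr_exit(hr_dev)` at the top of hns_roce_v2_exit is only safe if this function runs after ib_unregister_device(), and that ordering is neither visible in these hunks nor enforced by the code. A comment above the new lines, e.g. `/* Must run after ib_unregister_device(): dereg MR still uses the reserved QPs until then. */`, would keep a later reshuffle of the teardown path from reintroducing the use-after-free. hns_roce_v2_exit continues outside the hunk.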
+@@ -6951,9 +6954,6 @@ static void __hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle,
+ hr_dev->state = HNS_ROCE_DEVICE_STATE_UNINIT;
+ hns_roce_handle_device_err(hr_dev);
+
+- if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
+- free_mr_exit(hr_dev);
+-
+ hns_roce_exit(hr_dev);
+ kfree(hr_dev->priv);
+ ib_dealloc_device(&hr_dev->ib_dev);
+--
+2.43.0
+
--- /dev/null
+From ded8d3e4652f921ed8d7c336c1a202d4341de67a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:41 +0800
+Subject: RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 4321feefa5501a746ebf6a7d8b59e6b955ae1860 ]
+
+In abnormal interrupt handler, a PF reset will be triggered even if
+the device is a VF. It should be a VF reset.
+
+Fixes: 2b9acb9a97fe ("RDMA/hns: Add the process of AEQ overflow for hip08")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-7-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 2225c9cc63661..5483d04b3ab7e 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -6198,6 +6198,7 @@ static irqreturn_t abnormal_interrupt_basic(struct hns_roce_dev *hr_dev,
+ struct pci_dev *pdev = hr_dev->pci_dev;
+ struct hnae3_ae_dev *ae_dev = pci_get_drvdata(pdev);
+ const struct hnae3_ae_ops *ops = ae_dev->ops;
++ enum hnae3_reset_type reset_type;
+ irqreturn_t int_work = IRQ_NONE;
+ u32 int_en;
+
+@@ -6209,10 +6210,12 @@ static irqreturn_t abnormal_interrupt_basic(struct hns_roce_dev *hr_dev,
+ roce_write(hr_dev, ROCEE_VF_ABN_INT_ST_REG,
+ 1 << HNS_ROCE_V2_VF_INT_ST_AEQ_OVERFLOW_S);
+
++ reset_type = hr_dev->is_vf ?
++ HNAE3_VF_FUNC_RESET : HNAE3_FUNC_RESET;
++
+ /* Set reset level for reset_event() */
+ if (ops->set_default_reset_request)
+- ops->set_default_reset_request(ae_dev,
+- HNAE3_FUNC_RESET);
++ ops->set_default_reset_request(ae_dev, reset_type);
+ if (ops->reset_event)
+ ops->reset_event(pdev, NULL);
+
+--
+2.43.0
+
--- /dev/null
+From ba1f4ea48a3c361f95438a97f0fa738dcf50bf3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:43 +0800
+Subject: RDMA/hns: Optimize hem allocation performance
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit fe51f6254d81f5a69c31df16353d6539b2b51630 ]
+
+When allocating MTT hem, for each hop level of each hem that is being
+allocated, the driver iterates the hem list to find out whether the
+bt page has been allocated in this hop level. If not, allocate a new
+one and splice it to the list. The time complexity is O(n^2) in worst
+cases.
+
+Currently the allocation for-loop uses 'unit' as the step size. This
+actually has taken into account the reuse of last-hop-level MTT bt
+pages by multiple buffer pages. Thus pages of last hop level will
+never have been allocated, so there is no need to iterate the hem list
+in last hop level.
+
+Removing this unnecessary iteration can reduce the time complexity to
+O(n).
+
+Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-9-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index 42111f31b3715..c7c167e2a0451 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -1134,10 +1134,12 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev,
+
+ /* config L1 bt to last bt and link them to corresponding parent */
+ for (level = 1; level < hopnum; level++) {
+- cur = hem_list_search_item(&mid_bt[level], offset);
+- if (cur) {
+- hem_ptrs[level] = cur;
+- continue;
++ if (!hem_list_is_bottom_bt(hopnum, level)) {
++ cur = hem_list_search_item(&mid_bt[level], offset);
++ if (cur) {
++ hem_ptrs[level] = cur;
++ continue;
++ }
+ }
+
+ step = hem_list_calc_ba_range(hopnum, level, unit);
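Review bot: Skipping `hem_list_search_item()` when `hem_list_is_bottom_bt(hopnum, level)` is true relies on an invariant that only the commit message states: the caller advances in steps of `unit`, so a bottom-level bt page is never already in the list. If that stride ever changes, this loop would allocate duplicate bottom-level pages without reporting an error. I would record it in the code with `/* Bottom-level bt pages are never shared between iterations (offset advances by 'unit'), so no lookup is needed. */` above the new `if`. hem_list_alloc_mid_bt starts and ends outside the hunk.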
+--
+2.43.0
+
--- /dev/null
+From 164e0237c623a97a14163f0ddd4f02655e6d8532 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 21:58:05 +0500
+Subject: RDMA/irdma: fix error message in irdma_modify_qp_roce()
+
+From: Vitaliy Shevtsov <v.shevtsov@maxima.ru>
+
+[ Upstream commit 9f0eafe86ea0a589676209d0cff1a1ed49a037d3 ]
+
+Use a correct field max_dest_rd_atomic instead of max_rd_atomic for the
+error output.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Vitaliy Shevtsov <v.shevtsov@maxima.ru>
+Link: https://lore.kernel.org/stable/20240916165817.14691-1-v.shevtsov%40maxima.ru
+Link: https://patch.msgid.link/20240916165817.14691-1-v.shevtsov@maxima.ru
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index 12704efb7b19a..954450195824c 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -1347,7 +1347,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ if (attr->max_dest_rd_atomic > dev->hw_attrs.max_hw_ird) {
+ ibdev_err(&iwdev->ibdev,
+ "rd_atomic = %d, above max_hw_ird=%d\n",
+- attr->max_rd_atomic,
++ attr->max_dest_rd_atomic,
+ dev->hw_attrs.max_hw_ird);
+ return -EINVAL;
+ }
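Review bot: The message text still reads `rd_atomic = %d` although the value checked and now printed is `attr->max_dest_rd_atomic`, so the log line remains ambiguous with the separate `max_rd_atomic` attribute. Changing the format string to `"dest_rd_atomic = %d, above max_hw_ird=%d\n"` would finish the fix. irdma_modify_qp_roce starts and ends outside the hunk.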
+--
+2.43.0
+
--- /dev/null
+From a7e2f65f4d689c12d7fd254bc5dfb7b60681ae33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 13:33:36 +0200
+Subject: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit 86dfdd8288907f03c18b7fb462e0e232c4f98d89 ]
+
+In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to
+destroying CM IDs"), the function flush_workqueue is invoked to flush the
+work queue iwcm_wq.
+
+But at that time, the work queue iwcm_wq was created via the function
+alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.
+
+Because the current process is trying to flush the whole iwcm_wq, if
+iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current
+process is not reclaiming memory or running on a workqueue which doesn't
+have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee
+leading to a deadlock.
+
+The call trace is as below:
+
+[ 125.350876][ T1430] Call Trace:
+[ 125.356281][ T1430] <TASK>
+[ 125.361285][ T1430] ? __warn (kernel/panic.c:693)
+[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)
+[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)
+[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
+[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
+[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)
+[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)
+[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm
+[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)
+[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
+[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
+[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm
+[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma
+[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma
+[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)
+[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)
+[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)
+[ 125.531837][ T1430] kthread (kernel/kthread.c:389)
+[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
+[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)
+[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
+[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
+[ 125.566487][ T1430] </TASK>
+[ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---
+
+Fixes: aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs")
+Link: https://patch.msgid.link/r/20240820113336.19860-1-yanjun.zhu@linux.dev
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202408151633.fc01893c-oliver.sang@intel.com
+Tested-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/iwcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
+index bf3265e678651..7d85fe4100424 100644
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -1190,7 +1190,7 @@ static int __init iw_cm_init(void)
+ if (ret)
+ return ret;
+
+- iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0);
++ iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", WQ_MEM_RECLAIM);
+ if (!iwcm_wq)
+ goto err_alloc;
+
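Review bot: `alloc_ordered_workqueue("iw_cm_wq", WQ_MEM_RECLAIM)` gives no hint why the flag is required, and it is easy to drop again in a cleanup. Going by the call trace in the commit message, the queue is flushed from destroy_cm_id() while running inside another driver's work item, so I would add `/* Flushed from destroy_cm_id(), which may run on a WQ_MEM_RECLAIM workqueue; this queue must be one too. */` above the allocation. iw_cm_init continues outside the hunk.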
+--
+2.43.0
+
--- /dev/null
+From 4624489d63dac4caf0e0afc74537c7832eab9ba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:24:47 +0300
+Subject: RDMA/mlx5: Drop redundant work canceling from clean_keys()
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit 30e6bd8d3b5639f8f4261e5e6c0917ce264b8dc2 ]
+
+The canceling of delayed work in clean_keys() is a leftover from years
+back and was added to prevent races in the cleanup process of MR cache.
+The cleanup process was rewritten a few years ago and the canceling of
+delayed work and flushing of workqueue was added before the call to
+clean_keys().
+
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/943d21f5a9dba7b98a3e1d531e3561ffe9745d71.1725362530.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: 7ebb00cea49d ("RDMA/mlx5: Fix MR cache temp entries cleanup")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index b3a8dc9465c04..842e218cd0b5e 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -779,7 +779,6 @@ static void clean_keys(struct mlx5_ib_dev *dev, struct mlx5_cache_ent *ent)
+ {
+ u32 mkey;
+
+- cancel_delayed_work(&ent->dwork);
+ spin_lock_irq(&ent->mkeys_queue.lock);
+ while (ent->mkeys_queue.ci) {
+ mkey = pop_mkey_locked(ent);
+--
+2.43.0
+
--- /dev/null
+From f5c1353457945fa2f943e97157b535b96dc0d187 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:24:48 +0300
+Subject: RDMA/mlx5: Fix counter update on MR cache mkey creation
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit 6f5cd6ac9a4201e4ba6f10b76a9da8044d6e38b0 ]
+
+After an mkey is created, update the counter for pending mkeys before
+rescheduling the work that is filling the cache.
+
+Rescheduling the work with a full MR cache entry and a wrong 'pending'
+counter will cause us to miss disabling the fill_to_high_water flag,
+thus leaving the cache full but with an indication that it still
+needs to be filled up to its full size (2 * limit).
+The next time an mkey is taken from the cache, we'll unnecessarily
+continue the process of filling the cache to its full size.
+
+Fixes: 57e7071683ef ("RDMA/mlx5: Implement mkeys management via LIFO queue")
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/0f44f462ba22e45f72cb3d0ec6a748634086b8d0.1725362530.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index d3c1f63791a2b..a03557c8416e8 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -211,9 +211,9 @@ static void create_mkey_callback(int status, struct mlx5_async_work *context)
+
+ spin_lock_irqsave(&ent->mkeys_queue.lock, flags);
+ push_mkey_locked(ent, mkey_out->mkey);
++ ent->pending--;
+ /* If we are doing fill_to_high_water then keep going. */
+ queue_adjust_cache_locked(ent);
+- ent->pending--;
+ spin_unlock_irqrestore(&ent->mkeys_queue.lock, flags);
+ kfree(mkey_out);
+ }
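Review bot: The order of `ent->pending--;` and `queue_adjust_cache_locked(ent);` is now load-bearing, but the only comment between them talks about fill_to_high_water and does not say so. Per the commit message the adjust step depends on an up-to-date `pending` value, so I would add `/* Drop 'pending' before adjusting: queue_adjust_cache_locked() relies on it to decide whether the entry is full. */` above the decrement. create_mkey_callback starts outside the hunk.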
+--
+2.43.0
+
--- /dev/null
+From e76db97e98ade589b9f69b928bfbc3bece45760d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:24:50 +0300
+Subject: RDMA/mlx5: Fix MR cache temp entries cleanup
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit 7ebb00cea49db641b458edef0ede389f7004821d ]
+
+Fix the cleanup of the temp cache entries that are dynamically created
+in the MR cache.
+
+The cleanup of the temp cache entries is currently scheduled only when a
+new entry is created. Since in the cleanup of the entries only the mkeys
+are destroyed and the cache entry stays in the cache, subsequent
+registrations might reuse the entry and it will eventually be filled with
+new mkeys without cleanup ever getting scheduled again.
+
+On workloads that register and deregister MRs with a wide range of
+properties we see the cache ends up holding many cache entries, each
+holding the max number of mkeys that were ever used through it.
+
+Additionally, as the cleanup work is scheduled to run over the whole
+cache, any mkey that is returned to the cache after the cleanup was
+scheduled will be held for less than the intended 30 seconds timeout.
+
+Solve both issues by dropping the existing remove_ent_work and reusing
+the existing per-entry work to also handle the temp entries cleanup.
+
+Schedule the work to run with a 30 seconds delay every time we push an
+mkey to a clean temp entry.
+This ensures the cleanup runs on each entry only 30 seconds after the
+first mkey was pushed to an empty entry.
+
+As we have already been distinguishing between persistent and temp entries
+when scheduling the cache_work_func, it is not being scheduled in any
+other flows for the temp entries.
+
+Another benefit of moving to a per-entry cleanup is that we are no longer
+required to hold the rb_tree mutex, thus enabling other flows to run
+concurrently.
+
+Fixes: dd1b913fb0d0 ("RDMA/mlx5: Cache all user cacheable mkeys on dereg MR flow")
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/e4fa4bb03bebf20dceae320f26816cd2dde23a26.1725362530.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mlx5_ib.h | 2 +-
+ drivers/infiniband/hw/mlx5/mr.c | 82 +++++++++++-----------------
+ 2 files changed, 32 insertions(+), 52 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h
+index f9abdca3493aa..0b2f18c34ee5e 100644
+--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h
++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h
+@@ -795,6 +795,7 @@ struct mlx5_cache_ent {
+ u8 is_tmp:1;
+ u8 disabled:1;
+ u8 fill_to_high_water:1;
++ u8 tmp_cleanup_scheduled:1;
+
+ /*
+ * - limit is the low water mark for stored mkeys, 2* limit is the
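Review bot: The new `tmp_cleanup_scheduled` bit is added without a comment saying which lock protects it. Both writers in this commit, clean_keys() clearing it and mlx5_revoke_mr() setting it, do so while holding `ent->mkeys_queue.lock`, so I would put `/* protected by mkeys_queue.lock; set while the temp-entry cleanup work is armed */` above the field. It shares a byte with `disabled` and `fill_to_high_water`, so an unlocked write would also disturb those bits. struct mlx5_cache_ent starts and ends outside the hunk.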
+@@ -826,7 +827,6 @@ struct mlx5_mkey_cache {
+ struct mutex rb_lock;
+ struct dentry *fs_root;
+ unsigned long last_add;
+- struct delayed_work remove_ent_dwork;
+ };
+
+ struct mlx5_ib_port_resources {
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 842e218cd0b5e..59bde614f061f 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -528,6 +528,21 @@ static void queue_adjust_cache_locked(struct mlx5_cache_ent *ent)
+ }
+ }
+
++static void clean_keys(struct mlx5_ib_dev *dev, struct mlx5_cache_ent *ent)
++{
++ u32 mkey;
++
++ spin_lock_irq(&ent->mkeys_queue.lock);
++ while (ent->mkeys_queue.ci) {
++ mkey = pop_mkey_locked(ent);
++ spin_unlock_irq(&ent->mkeys_queue.lock);
++ mlx5_core_destroy_mkey(dev->mdev, mkey);
++ spin_lock_irq(&ent->mkeys_queue.lock);
++ }
++ ent->tmp_cleanup_scheduled = false;
++ spin_unlock_irq(&ent->mkeys_queue.lock);
++}
++
+ static void __cache_work_func(struct mlx5_cache_ent *ent)
+ {
+ struct mlx5_ib_dev *dev = ent->dev;
+@@ -599,7 +614,11 @@ static void delayed_cache_work_func(struct work_struct *work)
+ struct mlx5_cache_ent *ent;
+
+ ent = container_of(work, struct mlx5_cache_ent, dwork.work);
+- __cache_work_func(ent);
++ /* temp entries are never filled, only cleaned */
++ if (ent->is_tmp)
++ clean_keys(ent->dev, ent);
++ else
++ __cache_work_func(ent);
+ }
+
+ static int cache_ent_key_cmp(struct mlx5r_cache_rb_key key1,
+@@ -775,20 +794,6 @@ struct mlx5_ib_mr *mlx5_mr_cache_alloc(struct mlx5_ib_dev *dev,
+ return _mlx5_mr_cache_alloc(dev, ent, access_flags);
+ }
+
+-static void clean_keys(struct mlx5_ib_dev *dev, struct mlx5_cache_ent *ent)
+-{
+- u32 mkey;
+-
+- spin_lock_irq(&ent->mkeys_queue.lock);
+- while (ent->mkeys_queue.ci) {
+- mkey = pop_mkey_locked(ent);
+- spin_unlock_irq(&ent->mkeys_queue.lock);
+- mlx5_core_destroy_mkey(dev->mdev, mkey);
+- spin_lock_irq(&ent->mkeys_queue.lock);
+- }
+- spin_unlock_irq(&ent->mkeys_queue.lock);
+-}
+-
+ static void mlx5_mkey_cache_debugfs_cleanup(struct mlx5_ib_dev *dev)
+ {
+ if (!mlx5_debugfs_root || dev->is_rep)
+@@ -901,10 +906,6 @@ mlx5r_cache_create_ent_locked(struct mlx5_ib_dev *dev,
+ ent->limit = 0;
+
+ mlx5_mkey_cache_debugfs_add_ent(dev, ent);
+- } else {
+- mod_delayed_work(ent->dev->cache.wq,
+- &ent->dev->cache.remove_ent_dwork,
+- msecs_to_jiffies(30 * 1000));
+ }
+
+ return ent;
+@@ -915,35 +916,6 @@ mlx5r_cache_create_ent_locked(struct mlx5_ib_dev *dev,
+ return ERR_PTR(ret);
+ }
+
+-static void remove_ent_work_func(struct work_struct *work)
+-{
+- struct mlx5_mkey_cache *cache;
+- struct mlx5_cache_ent *ent;
+- struct rb_node *cur;
+-
+- cache = container_of(work, struct mlx5_mkey_cache,
+- remove_ent_dwork.work);
+- mutex_lock(&cache->rb_lock);
+- cur = rb_last(&cache->rb_root);
+- while (cur) {
+- ent = rb_entry(cur, struct mlx5_cache_ent, node);
+- cur = rb_prev(cur);
+- mutex_unlock(&cache->rb_lock);
+-
+- spin_lock_irq(&ent->mkeys_queue.lock);
+- if (!ent->is_tmp) {
+- spin_unlock_irq(&ent->mkeys_queue.lock);
+- mutex_lock(&cache->rb_lock);
+- continue;
+- }
+- spin_unlock_irq(&ent->mkeys_queue.lock);
+-
+- clean_keys(ent->dev, ent);
+- mutex_lock(&cache->rb_lock);
+- }
+- mutex_unlock(&cache->rb_lock);
+-}
+-
+ int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev)
+ {
+ struct mlx5_mkey_cache *cache = &dev->cache;
+@@ -959,7 +931,6 @@ int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev)
+ mutex_init(&dev->slow_path_mutex);
+ mutex_init(&dev->cache.rb_lock);
+ dev->cache.rb_root = RB_ROOT;
+- INIT_DELAYED_WORK(&dev->cache.remove_ent_dwork, remove_ent_work_func);
+ cache->wq = alloc_ordered_workqueue("mkey_cache", WQ_MEM_RECLAIM);
+ if (!cache->wq) {
+ mlx5_ib_warn(dev, "failed to create work queue\n");
+@@ -1010,7 +981,6 @@ void mlx5_mkey_cache_cleanup(struct mlx5_ib_dev *dev)
+ return;
+
+ mutex_lock(&dev->cache.rb_lock);
+- cancel_delayed_work(&dev->cache.remove_ent_dwork);
+ for (node = rb_first(root); node; node = rb_next(node)) {
+ ent = rb_entry(node, struct mlx5_cache_ent, node);
+ spin_lock_irq(&ent->mkeys_queue.lock);
+@@ -1852,8 +1822,18 @@ static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
+ struct mlx5_ib_dev *dev = to_mdev(mr->ibmr.device);
+ struct mlx5_cache_ent *ent = mr->mmkey.cache_ent;
+
+- if (mr->mmkey.cacheable && !mlx5r_umr_revoke_mr(mr) && !cache_ent_find_and_store(dev, mr))
++ if (mr->mmkey.cacheable && !mlx5r_umr_revoke_mr(mr) && !cache_ent_find_and_store(dev, mr)) {
++ ent = mr->mmkey.cache_ent;
++ /* upon storing to a clean temp entry - schedule its cleanup */
++ spin_lock_irq(&ent->mkeys_queue.lock);
++ if (ent->is_tmp && !ent->tmp_cleanup_scheduled) {
++ mod_delayed_work(ent->dev->cache.wq, &ent->dwork,
++ msecs_to_jiffies(30 * 1000));
++ ent->tmp_cleanup_scheduled = true;
++ }
++ spin_unlock_irq(&ent->mkeys_queue.lock);
+ return 0;
++ }
+
+ if (ent) {
+ spin_lock_irq(&ent->mkeys_queue.lock);
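Review bot: The new block in mlx5_revoke_mr() arms `ent->dwork` without looking at `ent->disabled`, so nothing visible here stops the cleanup work from being queued on an entry that teardown has already marked and cancelled. The teardown loop in mlx5_mkey_cache_cleanup() is only partly visible in this patch, so whether a store can race with it needs confirming; if it can, `if (ent->is_tmp && !ent->disabled && !ent->tmp_cleanup_scheduled) {` would close the window. Separately, `msecs_to_jiffies(30 * 1000)` is carried over as a bare literal, although the commit message treats 30 seconds as the intended lifetime of a cached temp mkey; a named constant would document that. mlx5_revoke_mr continues outside the hunk.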
+--
+2.43.0
+
--- /dev/null
+From d989eb619439f2f28b620a57fc95af2d5f63e983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:24:49 +0300
+Subject: RDMA/mlx5: Limit usage of over-sized mkeys from the MR cache
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit ee6d57a2e13d11ce9050cfc3e3b69ef707a44a63 ]
+
+When searching the MR cache for suitable cache entries, don't use mkeys
+larger than twice the size required for the MR.
+This should ensure the usage of mkeys closer to the minimal required size
+and reduce memory waste.
+
+On driver init we create entries for mkeys with clear attributes and
+powers of 2 sizes from 4 to the max supported size.
+This solves the issue for anyone using mkeys that fit these
+requirements.
+
+In the use case where an MR is registered with different attributes,
+like an access flag we can't UMR, we'll create a new cache entry to store
+it upon dereg.
+Without this fix, any later registration with the same attributes and smaller
+size will use the newly created cache entry and its mkeys, disregarding
+the memory waste of using mkeys larger than required.
+
+For example, one worst-case scenario can be when registering and
+deregistering a 1GB mkey with ATS enabled which will cause the creation of
+a new cache entry to hold those type of mkeys. A user registering a 4k MR
+with ATS will end up using the new cache entry and an mkey that can
+support a 1GB MR, thus wasting x250k memory than actually needed in the HW.
+
+Additionally, allow all small registration to use the smallest size
+cache entry that is initialized on driver load even if size is larger
+than twice the required size.
+
+Fixes: 73d09b2fe833 ("RDMA/mlx5: Introduce mlx5r_cache_rb_key")
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/8ba3a6e3748aace2026de8b83da03aba084f78f4.1725362530.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index a03557c8416e8..b3a8dc9465c04 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -48,6 +48,7 @@ enum {
+ MAX_PENDING_REG_MR = 8,
+ };
+
++#define MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS 4
+ #define MLX5_UMR_ALIGN 2048
+
+ static void
+@@ -659,6 +660,7 @@ mkey_cache_ent_from_rb_key(struct mlx5_ib_dev *dev,
+ {
+ struct rb_node *node = dev->cache.rb_root.rb_node;
+ struct mlx5_cache_ent *cur, *smallest = NULL;
++ u64 ndescs_limit;
+ int cmp;
+
+ /*
+@@ -677,10 +679,18 @@ mkey_cache_ent_from_rb_key(struct mlx5_ib_dev *dev,
+ return cur;
+ }
+
++ /*
++ * Limit the usage of mkeys larger than twice the required size while
++ * also allowing the usage of smallest cache entry for small MRs.
++ */
++ ndescs_limit = max_t(u64, rb_key.ndescs * 2,
++ MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS);
++
+ return (smallest &&
+ smallest->rb_key.access_mode == rb_key.access_mode &&
+ smallest->rb_key.access_flags == rb_key.access_flags &&
+- smallest->rb_key.ats == rb_key.ats) ?
++ smallest->rb_key.ats == rb_key.ats &&
++ smallest->rb_key.ndescs <= ndescs_limit) ?
+ smallest :
+ NULL;
+ }
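Review bot: In the `ndescs_limit` assignment, `rb_key.ndescs * 2` is evaluated in the type of `ndescs` before `max_t()` widens it to u64, so the cast does not protect the multiplication itself. The field's declaration is not in this hunk; if it is a 32-bit type, a very large descriptor count would wrap and yield a limit that is too small, which would turn a valid cache hit into a miss rather than hand out an undersized mkey. Widening first costs nothing: `ndescs_limit = max_t(u64, (u64)rb_key.ndescs * 2, MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS);`. mkey_cache_ent_from_rb_key starts outside the hunk.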
+@@ -962,7 +972,7 @@ int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev)
+ mlx5_mkey_cache_debugfs_init(dev);
+ mutex_lock(&cache->rb_lock);
+ for (i = 0; i <= mkey_cache_max_order(dev); i++) {
+- rb_key.ndescs = 1 << (i + 2);
++ rb_key.ndescs = MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS << i;
+ ent = mlx5r_cache_create_ent_locked(dev, rb_key, true);
+ if (IS_ERR(ent)) {
+ ret = PTR_ERR(ent);
+--
+2.43.0
+
--- /dev/null
+From 9e9ac6f07bd2dedf22a3f7346b93ba8d31a40cbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 20:30:20 +0300
+Subject: RDMA/mlx5: Obtain upper net device only when needed
+
+From: Mark Bloch <mbloch@nvidia.com>
+
+[ Upstream commit 3ed7f9e239938a0cfaf3689e2f545229ecabec06 ]
+
+Report the upper device's state as the RDMA port state only in RoCE LAG or
+switchdev LAG.
+
+Fixes: 27f9e0ccb6da ("net/mlx5: Lag, Add single RDMA device in multiport mode")
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/20240909173025.30422-3-michaelgur@nvidia.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 43660c831b22c..fdb0e62d805b9 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -542,7 +542,7 @@ static int mlx5_query_port_roce(struct ib_device *device, u32 port_num,
+ if (!ndev)
+ goto out;
+
+- if (dev->lag_active) {
++ if (mlx5_lag_is_roce(mdev) || mlx5_lag_is_sriov(mdev)) {
+ rcu_read_lock();
+ upper = netdev_master_upper_dev_get_rcu(ndev);
+ if (upper) {
+--
+2.43.0
+
--- /dev/null
+From 9b01e810bbc287218c417b0a260ac93563559259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 13:22:12 +0200
+Subject: RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds
+
+From: Md Haris Iqbal <haris.iqbal@ionos.com>
+
+[ Upstream commit 3e4289b29e216a55d08a89e126bc0b37cbad9f38 ]
+
+In the function init_conns(), if something fails after the create_con()
+and create_cm() for loop, the cleanup for loop after the destroy tag
+accesses out of bound memory because cid is set to clt_path->s.con_num.
+
+This commit resets the cid to clt_path->s.con_num - 1, to stay in bounds
+in the cleanup loop later.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Md Haris Iqbal <haris.iqbal@ionos.com>
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Grzegorz Prajsner <grzegorz.prajsner@ionos.com>
+Link: https://patch.msgid.link/20240821112217.41827-7-haris.iqbal@ionos.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 9936a3354b478..84d2dfcd20af6 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -2347,6 +2347,12 @@ static int init_conns(struct rtrs_clt_path *clt_path)
+ if (err)
+ goto destroy;
+ }
++
++ /*
++ * Set the cid to con_num - 1, since if we fail later, we want to stay in bounds.
++ */
++ cid = clt_path->s.con_num - 1;
++
+ err = alloc_path_reqs(clt_path);
+ if (err)
+ goto destroy;
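Review bot: The added comment says the reset keeps `cid` in bounds but not why it is out of bounds at this point, and that reason is the whole purpose of the line. Going by the commit message, the connection loop exits with `cid == con_num` and the `destroy` path then indexes by `cid`. I would word the comment as `/* The loop above leaves cid == con_num, one past the last connection; the destroy path indexes by cid, so step back to the last valid index. */`. The cleanup loop and the declaration of `cid` are outside the hunk, so it is also worth confirming that `con_num` cannot be zero here, since the assignment would then produce -1.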
+--
+2.43.0
+
--- /dev/null
+From c1e936494d37f6faa299f0fde9072df45586a7a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 13:22:10 +0200
+Subject: RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from
+ peer
+
+From: Jack Wang <jinpu.wang@ionos.com>
+
+[ Upstream commit 3258cbbd86deaa2675e1799bc3d18bd1ef472641 ]
+
+Reset hb_missed_cnt after receiving traffic from the other peer, so
+hb is more robust against high load on host or network.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Md Haris Iqbal <haris.iqbal@ionos.com>
+Signed-off-by: Grzegorz Prajsner <grzegorz.prajsner@ionos.com>
+Link: https://patch.msgid.link/20240821112217.41827-5-haris.iqbal@ionos.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 3 ++-
+ drivers/infiniband/ulp/rtrs/rtrs-srv.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 88106cf5ce550..9936a3354b478 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -626,6 +626,7 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
+ */
+ if (WARN_ON(wc->wr_cqe->done != rtrs_clt_rdma_done))
+ return;
++ clt_path->s.hb_missed_cnt = 0;
+ rtrs_from_imm(be32_to_cpu(wc->ex.imm_data),
+ &imm_type, &imm_payload);
+ if (imm_type == RTRS_IO_RSP_IMM ||
+@@ -643,7 +644,6 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
+ return rtrs_clt_recv_done(con, wc);
+ } else if (imm_type == RTRS_HB_ACK_IMM) {
+ WARN_ON(con->c.cid);
+- clt_path->s.hb_missed_cnt = 0;
+ clt_path->s.hb_cur_latency =
+ ktime_sub(ktime_get(), clt_path->s.hb_last_sent);
+ if (clt_path->flags & RTRS_MSG_NEW_RKEY_F)
+@@ -670,6 +670,7 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
+ /*
+ * Key invalidations from server side
+ */
++ clt_path->s.hb_missed_cnt = 0;
+ WARN_ON(!(wc->wc_flags & IB_WC_WITH_INVALIDATE ||
+ wc->wc_flags & IB_WC_WITH_IMM));
+ WARN_ON(wc->wr_cqe->done != rtrs_clt_rdma_done);
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+index 1d33efb8fb03b..94ac99a4f696e 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+@@ -1229,6 +1229,7 @@ static void rtrs_srv_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
+ */
+ if (WARN_ON(wc->wr_cqe != &io_comp_cqe))
+ return;
++ srv_path->s.hb_missed_cnt = 0;
+ err = rtrs_post_recv_empty(&con->c, &io_comp_cqe);
+ if (err) {
+ rtrs_err(s, "rtrs_post_recv(), err: %d\n", err);
+--
+2.43.0
+
--- /dev/null
+From 69f5cf4800e12adea5acc7d379d7cf08312acd8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 15:20:45 +0800
+Subject: regulator: Return actual error in of_regulator_bulk_get_all()
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 395a41a1d3e377462f3eea8a205ee72be8885ff6 ]
+
+If regulator_get() in of_regulator_bulk_get_all() returns an error, that
+error gets overridden and -EINVAL is always passed out. This masks probe
+deferral requests and likely won't work properly in all cases.
+
+Fix this by letting of_regulator_bulk_get_all() return the original
+error code.
+
+Fixes: 27b9ecc7a9ba ("regulator: Add of_regulator_bulk_get_all")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://patch.msgid.link/20240822072047.3097740-3-wenst@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/of_regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c
+index 03afc160fc72c..86b680adbf01c 100644
+--- a/drivers/regulator/of_regulator.c
++++ b/drivers/regulator/of_regulator.c
+@@ -777,7 +777,7 @@ int of_regulator_bulk_get_all(struct device *dev, struct device_node *np,
+ name[i] = '\0';
+ tmp = regulator_get(dev, name);
+ if (IS_ERR(tmp)) {
+- ret = -EINVAL;
++ ret = PTR_ERR(tmp);
+ goto error;
+ }
+ (*consumers)[n].consumer = tmp;
+--
+2.43.0
+
--- /dev/null
+From bb341d32fe03f2cdc4d0c3f69951b40685380b07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 16:36:11 +0800
+Subject: remoteproc: imx_rproc: Correct ddr alias for i.MX8M
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit c901f817792822eda9cec23814a4621fa3e66695 ]
+
+The DDR Alias address should be 0x40000000 according to RM, so correct
+it.
+
+Fixes: 4ab8f9607aad ("remoteproc: imx_rproc: support i.MX8MQ/M")
+Reported-by: Terry Lv <terry.lv@nxp.com>
+Reviewed-by: Iuliana Prodan <iuliana.prodan@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-1-10d0268c7eb1@nxp.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/imx_rproc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
+index 144c8e9a642e8..3c8b64db8823c 100644
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -210,7 +210,7 @@ static const struct imx_rproc_att imx_rproc_att_imx8mq[] = {
+ /* QSPI Code - alias */
+ { 0x08000000, 0x08000000, 0x08000000, 0 },
+ /* DDR (Code) - alias */
+- { 0x10000000, 0x80000000, 0x0FFE0000, 0 },
++ { 0x10000000, 0x40000000, 0x0FFE0000, 0 },
+ /* TCML */
+ { 0x1FFE0000, 0x007E0000, 0x00020000, ATT_OWN | ATT_IOMEM},
+ /* TCMU */
+--
+2.43.0
+
--- /dev/null
+From 2dd8e81126b80ef5da77d83128f437c85b7ce87f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 16:36:13 +0800
+Subject: remoteproc: imx_rproc: Initialize workqueue earlier
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 858e57c1d3dd7b92cc0fa692ba130a0a5d57e49d ]
+
+Initialize workqueue before requesting mailbox channel, otherwise if
+mailbox interrupt comes before workqueue ready, the imx_rproc_rx_callback
+will trigger issue.
+
+Fixes: 2df7062002d0 ("remoteproc: imx_proc: enable virtio/mailbox")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-3-10d0268c7eb1@nxp.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/imx_rproc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
+index 3c8b64db8823c..448b9a5438e0b 100644
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -1076,6 +1076,8 @@ static int imx_rproc_probe(struct platform_device *pdev)
+ return -ENOMEM;
+ }
+
++ INIT_WORK(&priv->rproc_work, imx_rproc_vq_work);
++
+ ret = imx_rproc_xtr_mbox_init(rproc);
+ if (ret)
+ goto err_put_wkq;
+@@ -1094,8 +1096,6 @@ static int imx_rproc_probe(struct platform_device *pdev)
+ if (ret)
+ goto err_put_scu;
+
+- INIT_WORK(&priv->rproc_work, imx_rproc_vq_work);
+-
+ if (rproc->state != RPROC_DETACHED)
+ rproc->auto_boot = of_property_read_bool(np, "fsl,auto-boot");
+
+--
+2.43.0
+
--- /dev/null
+From 7bd1dbd1ce218eba6a65f9296c7b7e8bb01b1cad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Aug 2024 16:14:24 +0200
+Subject: reset: berlin: fix OF node leak in probe() error path
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 5f58a88cc91075be38cec69b7cb70aaa4ba69e8b ]
+
+Driver is leaking OF node reference on memory allocation failure.
+Acquire the OF node reference after memory allocation to fix this and
+keep it simple.
+
+Fixes: aed6f3cadc86 ("reset: berlin: convert to a platform driver")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-1-03f6d834f8c0@linaro.org
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/reset-berlin.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/reset/reset-berlin.c b/drivers/reset/reset-berlin.c
+index 2537ec05eceef..578fe867080ce 100644
+--- a/drivers/reset/reset-berlin.c
++++ b/drivers/reset/reset-berlin.c
+@@ -68,13 +68,14 @@ static int berlin_reset_xlate(struct reset_controller_dev *rcdev,
+
+ static int berlin2_reset_probe(struct platform_device *pdev)
+ {
+- struct device_node *parent_np = of_get_parent(pdev->dev.of_node);
++ struct device_node *parent_np;
+ struct berlin_reset_priv *priv;
+
+ priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+
++ parent_np = of_get_parent(pdev->dev.of_node);
+ priv->regmap = syscon_node_to_regmap(parent_np);
+ of_node_put(parent_np);
+ if (IS_ERR(priv->regmap))
+--
+2.43.0
+
--- /dev/null
+From eef73b187b1bbaf75462e6c9bda5a29500b2546e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Aug 2024 16:14:25 +0200
+Subject: reset: k210: fix OF node leak in probe() error path
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit b14e40f5dc7cd0dd7e958010e6ca9ad32ff2ddad ]
+
+Driver is leaking OF node reference on memory allocation failure.
+Acquire the OF node reference after memory allocation to fix this and
+keep it simple.
+
+Fixes: 5a2308da9f60 ("riscv: Add Canaan Kendryte K210 reset controller")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-2-03f6d834f8c0@linaro.org
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/reset-k210.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/reset/reset-k210.c b/drivers/reset/reset-k210.c
+index b62a2fd44e4e4..e77e4cca377dc 100644
+--- a/drivers/reset/reset-k210.c
++++ b/drivers/reset/reset-k210.c
+@@ -90,7 +90,7 @@ static const struct reset_control_ops k210_rst_ops = {
+ static int k210_rst_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+- struct device_node *parent_np = of_get_parent(dev->of_node);
++ struct device_node *parent_np;
+ struct k210_rst *ksr;
+
+ dev_info(dev, "K210 reset controller\n");
+@@ -99,6 +99,7 @@ static int k210_rst_probe(struct platform_device *pdev)
+ if (!ksr)
+ return -ENOMEM;
+
++ parent_np = of_get_parent(dev->of_node);
+ ksr->map = syscon_node_to_regmap(parent_np);
+ of_node_put(parent_np);
+ if (IS_ERR(ksr->map))
+--
+2.43.0
+
--- /dev/null
+From ae2e189cb3df7b71761469b21a774480cb61e130 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 15:05:18 +0200
+Subject: Revert "dm: requeue IO if mapping table not yet available"
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit c8691cd0fc11197515ed148de0780d927bfca38b ]
+
+This reverts commit fa247089de9936a46e290d4724cb5f0b845600f5.
+
+The following sequence of commands causes a livelock - there will be
+workqueue process looping and consuming 100% CPU:
+
+dmsetup create --notable test
+truncate -s 1MiB testdata
+losetup /dev/loop0 testdata
+dmsetup load test --table '0 2048 linear /dev/loop0 0'
+dd if=/dev/zero of=/dev/dm-0 bs=16k count=1 conv=fdatasync
+
+The livelock is caused by the commit fa247089de99. The commit claims that
+it fixes a race condition, however, it is unknown what the actual race
+condition is and what program is involved in the race condition.
+
+When the inactive table is loaded, the nodes /dev/dm-0 and
+/sys/block/dm-0 are created. /dev/dm-0 has zero size at this point. When
+the device is suspended and resumed, the nodes /dev/mapper/test and
+/dev/disk/* are created.
+
+If some program opens a block device before it is created by dmsetup or
+lvm, the program is buggy, so dm could just report an error as it used to
+do before.
+
+Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Fixes: fa247089de99 ("dm: requeue IO if mapping table not yet available")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-rq.c | 4 +++-
+ drivers/md/dm.c | 11 ++++++++---
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c
+index f7e9a3632eb3d..499f8cc8a39fb 100644
+--- a/drivers/md/dm-rq.c
++++ b/drivers/md/dm-rq.c
+@@ -496,8 +496,10 @@ static blk_status_t dm_mq_queue_rq(struct blk_mq_hw_ctx *hctx,
+
+ map = dm_get_live_table(md, &srcu_idx);
+ if (unlikely(!map)) {
++ DMERR_LIMIT("%s: mapping table unavailable, erroring io",
++ dm_device_name(md));
+ dm_put_live_table(md, srcu_idx);
+- return BLK_STS_RESOURCE;
++ return BLK_STS_IOERR;
+ }
+ ti = dm_table_find_target(map, 0);
+ dm_put_live_table(md, srcu_idx);
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 6e15ac4e0845c..a0b4afba8c608 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1880,10 +1880,15 @@ static void dm_submit_bio(struct bio *bio)
+ struct dm_table *map;
+
+ map = dm_get_live_table(md, &srcu_idx);
++ if (unlikely(!map)) {
++ DMERR_LIMIT("%s: mapping table unavailable, erroring io",
++ dm_device_name(md));
++ bio_io_error(bio);
++ goto out;
++ }
+
+- /* If suspended, or map not yet available, queue this IO for later */
+- if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags)) ||
+- unlikely(!map)) {
++ /* If suspended, queue this IO for later */
++ if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags))) {
+ if (bio->bi_opf & REQ_NOWAIT)
+ bio_wouldblock_error(bio);
+ else if (bio->bi_opf & REQ_RAHEAD)
+--
+2.43.0
+
--- /dev/null
+From f170ace5445495d7391902b12aa133efca3b23ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 00:08:08 -0700
+Subject: RISC-V: KVM: Allow legacy PMU access from guest
+
+From: Atish Patra <atishp@rivosinc.com>
+
+[ Upstream commit 7d1ffc8b087e97dbe1985912c7a2d00e53cea169 ]
+
+Currently, KVM traps & emulates PMU counter access only if SBI PMU
+is available as the guest can only configure/read PMU counters via
+SBI only. However, if SBI PMU is not enabled in the host, the
+guest will fallback to the legacy PMU which will try to access
+cycle/instret and result in an illegal instruction trap which
+is not desired.
+
+KVM can allow dummy emulation of cycle/instret only for the guest
+if SBI PMU is not enabled in the host. The dummy emulation will
+still return zero as we don't want to expose the host counter values
+to a guest using legacy PMU.
+
+Fixes: a9ac6c37521f ("RISC-V: KVM: Implement trap & emulate for hpmcounters")
+Signed-off-by: Atish Patra <atishp@rivosinc.com>
+Link: https://lore.kernel.org/r/20240816-kvm_pmu_fixes-v1-1-cdfce386dd93@rivosinc.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/kvm_vcpu_pmu.h | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/kvm_vcpu_pmu.h b/arch/riscv/include/asm/kvm_vcpu_pmu.h
+index fa0f535bbbf02..c309daa2d75a8 100644
+--- a/arch/riscv/include/asm/kvm_vcpu_pmu.h
++++ b/arch/riscv/include/asm/kvm_vcpu_pmu.h
+@@ -10,6 +10,7 @@
+ #define __KVM_VCPU_RISCV_PMU_H
+
+ #include <linux/perf/riscv_pmu.h>
++#include <asm/kvm_vcpu_insn.h>
+ #include <asm/sbi.h>
+
+ #ifdef CONFIG_RISCV_PMU_SBI
+@@ -104,8 +105,20 @@ void kvm_riscv_vcpu_pmu_reset(struct kvm_vcpu *vcpu);
+ struct kvm_pmu {
+ };
+
++static inline int kvm_riscv_vcpu_pmu_read_legacy(struct kvm_vcpu *vcpu, unsigned int csr_num,
++ unsigned long *val, unsigned long new_val,
++ unsigned long wr_mask)
++{
++ if (csr_num == CSR_CYCLE || csr_num == CSR_INSTRET) {
++ *val = 0;
++ return KVM_INSN_CONTINUE_NEXT_SEPC;
++ } else {
++ return KVM_INSN_ILLEGAL_TRAP;
++ }
++}
++
+ #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \
+-{.base = 0, .count = 0, .func = NULL },
++{.base = CSR_CYCLE, .count = 3, .func = kvm_riscv_vcpu_pmu_read_legacy },
+
+ static inline void kvm_riscv_vcpu_pmu_init(struct kvm_vcpu *vcpu) {}
+ static inline int kvm_riscv_vcpu_pmu_incr_fw(struct kvm_vcpu *vcpu, unsigned long fid)
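Review bot: `.count = 3` starting at `CSR_CYCLE` also routes the time CSR, which sits between cycle and instret, into kvm_riscv_vcpu_pmu_read_legacy(), where it falls into the `KVM_INSN_ILLEGAL_TRAP` branch; that looks intended but nothing says so. I would add a comment above the macro such as `/* Range covers cycle, time, instret; only cycle and instret read as zero so host counter values are never exposed, anything else traps. */`. The helper also ignores `new_val` and `wr_mask`, so a write to cycle or instret that reached it would be accepted silently. If the CSR emulation caller does not already reject writes to these read-only counters, `if (wr_mask) return KVM_INSN_ILLEGAL_TRAP;` at the top would make that explicit.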
+--
+2.43.0
+
--- /dev/null
+From 9b6a15d36571c728fedde6a86db430db10c2853b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 22:39:07 +0530
+Subject: RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data
+
+From: Anup Patel <apatel@ventanamicro.com>
+
+[ Upstream commit 47d40d93292d9cff8dabb735bed83d930fa03950 ]
+
+With the latest Linux-6.11-rc3, the below NULL pointer crash is observed
+when SBI PMU snapshot is enabled for the guest and the guest is forcefully
+powered-off.
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508
+ Oops [#1]
+ Modules linked in: kvm
+ CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3
+ Hardware name: riscv-virtio,qemu (DT)
+ epc : __kvm_write_guest_page+0x94/0xa6 [kvm]
+ ra : __kvm_write_guest_page+0x54/0xa6 [kvm]
+ epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0
+ gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000
+ t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0
+ s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086
+ a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0
+ a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc
+ s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000
+ s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000
+ s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001
+ s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3
+ t5 : ffffffff814126e0 t6 : ffffffff81412700
+ status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d
+ [<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]
+ [<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]
+ [<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
+ [<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
+ [<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]
+ [<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]
+ [<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]
+ [<ffffffff0159930c>] kvm_arch_destroy_vm+0x14/0x28 [kvm]
+ [<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]
+ [<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]
+ [<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]
+
+Clearly, the kvm_vcpu_write_guest() function is crashing because it is
+being called from kvm_pmu_clear_snapshot_area() upon guest tear down.
+
+To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to
+not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because
+the guest is anyway being tore down.
+
+The kvm_pmu_clear_snapshot_area() is also called when guest changes
+PMU snapshot area of a VCPU but even in this case the previous PMU
+snaphsot area must not be zeroed-out because the guest might have
+reclaimed the pervious PMU snapshot area for some other purpose.
+
+Fixes: c2f41ddbcdd7 ("RISC-V: KVM: Implement SBI PMU Snapshot feature")
+Signed-off-by: Anup Patel <apatel@ventanamicro.com>
+Link: https://lore.kernel.org/r/20240815170907.2792229-1-apatel@ventanamicro.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu_pmu.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
+index bcf41d6e0df0e..2707a51b082ca 100644
+--- a/arch/riscv/kvm/vcpu_pmu.c
++++ b/arch/riscv/kvm/vcpu_pmu.c
+@@ -391,19 +391,9 @@ int kvm_riscv_vcpu_pmu_read_hpm(struct kvm_vcpu *vcpu, unsigned int csr_num,
+ static void kvm_pmu_clear_snapshot_area(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_pmu *kvpmu = vcpu_to_pmu(vcpu);
+- int snapshot_area_size = sizeof(struct riscv_pmu_snapshot_data);
+
+- if (kvpmu->sdata) {
+- if (kvpmu->snapshot_addr != INVALID_GPA) {
+- memset(kvpmu->sdata, 0, snapshot_area_size);
+- kvm_vcpu_write_guest(vcpu, kvpmu->snapshot_addr,
+- kvpmu->sdata, snapshot_area_size);
+- } else {
+- pr_warn("snapshot address invalid\n");
+- }
+- kfree(kvpmu->sdata);
+- kvpmu->sdata = NULL;
+- }
++ kfree(kvpmu->sdata);
++ kvpmu->sdata = NULL;
+ kvpmu->snapshot_addr = INVALID_GPA;
+ }
+
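Review bot: Nothing at the `kfree(kvpmu->sdata);` line records why kvm_pmu_clear_snapshot_area() no longer touches guest memory, so a later cleanup could reintroduce the guest write. I would add a comment above it such as `/* Never write to the old snapshot GPA here: the guest may have reused it, or the VM may be mid-teardown */`. The unconditional `kfree()` is fine when `sdata` is NULL, so dropping the `if (kvpmu->sdata)` guard is safe.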
+--
+2.43.0
+
--- /dev/null
+From 420a57008b606c36eb708de1e58b0cfc08cfd759 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 17:49:44 +0200
+Subject: RISC-V: KVM: Fix sbiret init before forwarding to userspace
+
+From: Andrew Jones <ajones@ventanamicro.com>
+
+[ Upstream commit 6b7b282e6baea06ba65b55ae7d38326ceb79cebf ]
+
+When forwarding SBI calls to userspace ensure sbiret.error is
+initialized to SBI_ERR_NOT_SUPPORTED first, in case userspace
+neglects to set it to anything. If userspace neglects it then we
+can't be sure it did anything else either, so we just report it
+didn't do or try anything. Just init sbiret.value to zero, which is
+the preferred value to return when nothing special is specified.
+
+KVM was already initializing both sbiret.error and sbiret.value, but
+the values used appear to come from a copy+paste of the __sbi_ecall()
+implementation, i.e. a0 and a1, which don't apply prior to the call
+being executed, nor at all when forwarding to userspace.
+
+Fixes: dea8ee31a039 ("RISC-V: KVM: Add SBI v0.1 support")
+Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
+Link: https://lore.kernel.org/r/20240807154943.150540-2-ajones@ventanamicro.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu_sbi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/kvm/vcpu_sbi.c b/arch/riscv/kvm/vcpu_sbi.c
+index 62f409d4176e4..7de128be8db9b 100644
+--- a/arch/riscv/kvm/vcpu_sbi.c
++++ b/arch/riscv/kvm/vcpu_sbi.c
+@@ -127,8 +127,8 @@ void kvm_riscv_vcpu_sbi_forward(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ run->riscv_sbi.args[3] = cp->a3;
+ run->riscv_sbi.args[4] = cp->a4;
+ run->riscv_sbi.args[5] = cp->a5;
+- run->riscv_sbi.ret[0] = cp->a0;
+- run->riscv_sbi.ret[1] = cp->a1;
++ run->riscv_sbi.ret[0] = SBI_ERR_NOT_SUPPORTED;
++ run->riscv_sbi.ret[1] = 0;
+ }
+
+ void kvm_riscv_vcpu_sbi_system_reset(struct kvm_vcpu *vcpu,
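Review bot: The two new defaults assigned to `run->riscv_sbi.ret[0]` and `ret[1]` carry no comment, and the reason for them (userspace may return without filling in a result) lives only in the commit message. A line such as `/* Defaults reported to the guest if userspace leaves ret[] untouched */` above them would keep the intent next to the code. kvm_riscv_vcpu_sbi_forward() starts outside this hunk.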
+--
+2.43.0
+
--- /dev/null
+From 9a20082d72dcc3adec218093c89b98bac93d7c4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 00:08:09 -0700
+Subject: RISC-V: KVM: Fix to allow hpmcounter31 from the guest
+
+From: Atish Patra <atishp@rivosinc.com>
+
+[ Upstream commit 5aa09297a3dcc798d038bd7436f8c90f664045a6 ]
+
+The csr_fun defines a count parameter which defines the total number
+CSRs emulated in KVM starting from the base. This value should be
+equal to total number of counters possible for trap/emulation (32).
+
+Fixes: a9ac6c37521f ("RISC-V: KVM: Implement trap & emulate for hpmcounters")
+Signed-off-by: Atish Patra <atishp@rivosinc.com>
+Link: https://lore.kernel.org/r/20240816-kvm_pmu_fixes-v1-2-cdfce386dd93@rivosinc.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/kvm_vcpu_pmu.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/riscv/include/asm/kvm_vcpu_pmu.h b/arch/riscv/include/asm/kvm_vcpu_pmu.h
+index c309daa2d75a8..1d85b66175088 100644
+--- a/arch/riscv/include/asm/kvm_vcpu_pmu.h
++++ b/arch/riscv/include/asm/kvm_vcpu_pmu.h
+@@ -65,11 +65,11 @@ struct kvm_pmu {
+
+ #if defined(CONFIG_32BIT)
+ #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \
+-{.base = CSR_CYCLEH, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm }, \
+-{.base = CSR_CYCLE, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm },
++{.base = CSR_CYCLEH, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm }, \
++{.base = CSR_CYCLE, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm },
+ #else
+ #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \
+-{.base = CSR_CYCLE, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm },
++{.base = CSR_CYCLE, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm },
+ #endif
+
+ int kvm_riscv_vcpu_pmu_incr_fw(struct kvm_vcpu *vcpu, unsigned long fid);
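Review bot: The literal `32` is now repeated in all three `.count` initialisers of KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS with nothing saying what it counts, which is the kind of bare number that let the earlier 31 slip through. A comment above the macro, e.g. `/* 32 CSRs from the base: cycle, time, instret and hpmcounter3..hpmcounter31 */`, would make the bound checkable at a glance. A single named constant used in all three places would serve the same purpose.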
+--
+2.43.0
+
--- /dev/null
+From 74ab8230df2be9723f23481d9587063f095a0494 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 11:28:46 +0800
+Subject: riscv: Fix fp alignment bug in perf_callchain_user()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 22ab08955ea13be04a8efd20cc30890e0afaa49c ]
+
+The standard RISC-V calling convention said:
+ "The stack grows downward and the stack pointer is always
+ kept 16-byte aligned".
+
+So perf_callchain_user() should check whether 16-byte aligned for fp.
+
+Link: https://riscv.org/wp-content/uploads/2015/01/riscv-calling.pdf
+
+Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Cc: Björn Töpel <bjorn@kernel.org>
+Link: https://lore.kernel.org/r/20240708032847.2998158-2-ruanjinjie@huawei.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/perf_callchain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/perf_callchain.c b/arch/riscv/kernel/perf_callchain.c
+index 3348a61de7d99..2932791e93882 100644
+--- a/arch/riscv/kernel/perf_callchain.c
++++ b/arch/riscv/kernel/perf_callchain.c
+@@ -62,7 +62,7 @@ void perf_callchain_user(struct perf_callchain_entry_ctx *entry,
+ perf_callchain_store(entry, regs->epc);
+
+ fp = user_backtrace(entry, fp, regs->ra);
+- while (fp && !(fp & 0x3) && entry->nr < entry->max_stack)
++ while (fp && !(fp & 0x7) && entry->nr < entry->max_stack)
+ fp = user_backtrace(entry, fp, 0);
+ }
+
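Review bot: The new mask in `while (fp && !(fp & 0x7) && entry->nr < entry->max_stack)` enforces 8-byte alignment, while the commit message justifies the change with the calling convention's 16-byte stack alignment. `fp` originates from user registers, so this test is the only visible gate before `user_backtrace()` follows it; whatever access checks that helper performs are outside this hunk. If 16 bytes is what is meant, the test would be `!(fp & 0xf)`; if 8 is deliberate, a short comment on the loop should say why 8 rather than 16.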
+--
+2.43.0
+
--- /dev/null
+From daa1d2512adbc754e19cb1d37132457b5d1dc8a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 14:25:08 +0200
+Subject: s390/ap: Fix deadlock caused by recursive lock of the AP bus scan
+ mutex
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 56199bb956c3ea82e39c72d2972ebf8c18c6a8c0 ]
+
+There is a possibility to deadlock with an recursive
+lock of the AP bus scan mutex ap_scan_bus_mutex:
+
+ ... kernel: ============================================
+ ... kernel: WARNING: possible recursive locking detected
+ ... kernel: 5.14.0-496.el9.s390x #3 Not tainted
+ ... kernel: --------------------------------------------
+ ... kernel: kworker/12:1/130 is trying to acquire lock:
+ ... kernel: 0000000358bc1510 (ap_scan_bus_mutex){+.+.}-{3:3}, at: ap_bus_force_rescan+0x92/0x108
+ ... kernel:
+ but task is already holding lock:
+ ... kernel: 0000000358bc1510 (ap_scan_bus_mutex){+.+.}-{3:3}, at: ap_scan_bus_wq_callback+0x28/0x60
+ ... kernel:
+ other info that might help us debug this:
+ ... kernel: Possible unsafe locking scenario:
+ ... kernel: CPU0
+ ... kernel: ----
+ ... kernel: lock(ap_scan_bus_mutex);
+ ... kernel: lock(ap_scan_bus_mutex);
+ ... kernel:
+ *** DEADLOCK ***
+
+Here is how the callstack looks like:
+
+ ... [<00000003576fe9ce>] process_one_work+0x2a6/0x748
+ ... [<0000000358150c00>] ap_scan_bus_wq_callback+0x40/0x60 <- mutex locked
+ ... [<00000003581506e2>] ap_scan_bus+0x5a/0x3b0
+ ... [<000000035815037c>] ap_scan_adapter+0x5b4/0x8c0
+ ... [<000000035814fa34>] ap_scan_domains+0x2d4/0x668
+ ... [<0000000357d989b4>] device_add+0x4a4/0x6b8
+ ... [<0000000357d9bb54>] bus_probe_device+0xb4/0xc8
+ ... [<0000000357d9daa8>] __device_attach+0x120/0x1b0
+ ... [<0000000357d9a632>] bus_for_each_drv+0x8a/0xd0
+ ... [<0000000357d9d548>] __device_attach_driver+0xc0/0x140
+ ... [<0000000357d9d3d8>] driver_probe_device+0x40/0xf0
+ ... [<0000000357d9cec2>] really_probe+0xd2/0x460
+ ... [<000000035814d7b0>] ap_device_probe+0x150/0x208
+ ... [<000003ff802a5c46>] zcrypt_cex4_queue_probe+0xb6/0x1c0 [zcrypt_cex4]
+ ... [<000003ff7fb2d36e>] zcrypt_queue_register+0xe6/0x1b0 [zcrypt]
+ ... [<000003ff7fb2c8ac>] zcrypt_rng_device_add+0x94/0xd8 [zcrypt]
+ ... [<0000000357d7bc52>] hwrng_register+0x212/0x228
+ ... [<0000000357d7b8c2>] add_early_randomness+0x102/0x110
+ ... [<000003ff7fb29c94>] zcrypt_rng_data_read+0x94/0xb8 [zcrypt]
+ ... [<0000000358150aca>] ap_bus_force_rescan+0x92/0x108
+ ... [<0000000358177572>] mutex_lock_interruptible_nested+0x32/0x40 <- lock again
+
+Note this only happens when the very first random data providing
+crypto card appears via hot plug in the system AND is in disabled
+state ("deconfig"). Then the initial pull of random data fails and
+a re-scan of the AP bus is triggered while already in the middle
+of an AP bus scan caused by the appearing new hardware.
+
+The fix is relatively simple once the scenario us understood:
+The AP bus force rescan function will immediately return if there
+is currently an AP bus scan running with the very same thread id.
+
+Fixes: eacf5b3651c5 ("s390/ap: introduce mutex to lock the AP bus scan")
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/ap_bus.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
+index 99fadfb4cd9f2..09acc321d0133 100644
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -107,6 +107,7 @@ debug_info_t *ap_dbf_info;
+ static bool ap_scan_bus(void);
+ static bool ap_scan_bus_result; /* result of last ap_scan_bus() */
+ static DEFINE_MUTEX(ap_scan_bus_mutex); /* mutex ap_scan_bus() invocations */
++static struct task_struct *ap_scan_bus_task; /* thread holding the scan mutex */
+ static atomic64_t ap_scan_bus_count; /* counter ap_scan_bus() invocations */
+ static int ap_scan_bus_time = AP_CONFIG_TIME;
+ static struct timer_list ap_scan_bus_timer;
+@@ -1006,11 +1007,25 @@ bool ap_bus_force_rescan(void)
+ if (scan_counter <= 0)
+ goto out;
+
++ /*
++ * There is one unlikely but nevertheless valid scenario where the
++ * thread holding the mutex may try to send some crypto load but
++ * all cards are offline so a rescan is triggered which causes
++ * a recursive call of ap_bus_force_rescan(). A simple return if
++ * the mutex is already locked by this thread solves this.
++ */
++ if (mutex_is_locked(&ap_scan_bus_mutex)) {
++ if (ap_scan_bus_task == current)
++ goto out;
++ }
++
+ /* Try to acquire the AP scan bus mutex */
+ if (mutex_trylock(&ap_scan_bus_mutex)) {
+ /* mutex acquired, run the AP bus scan */
++ ap_scan_bus_task = current;
+ ap_scan_bus_result = ap_scan_bus();
+ rc = ap_scan_bus_result;
++ ap_scan_bus_task = NULL;
+ mutex_unlock(&ap_scan_bus_mutex);
+ goto out;
+ }
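Review bot: `ap_scan_bus_task` is read in the new `if (ap_scan_bus_task == current)` test without holding ap_scan_bus_mutex, while the mutex holder stores to it with plain assignments here and in ap_scan_bus_wq_callback() in the next hunk. The comparison can only be true for the thread that wrote the value, so the logic holds, but the unlocked access is still a data race as far as the compiler and KCSAN are concerned. I would use `WRITE_ONCE(ap_scan_bus_task, current);` and `WRITE_ONCE(ap_scan_bus_task, NULL);` for the stores and `if (READ_ONCE(ap_scan_bus_task) == current) goto out;` for the check, which also appears to make the outer `mutex_is_locked()` test unnecessary. ap_bus_force_rescan() starts and ends outside this hunk.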
+@@ -2284,7 +2299,9 @@ static void ap_scan_bus_wq_callback(struct work_struct *unused)
+ * system_long_wq which invokes this function here again.
+ */
+ if (mutex_trylock(&ap_scan_bus_mutex)) {
++ ap_scan_bus_task = current;
+ ap_scan_bus_result = ap_scan_bus();
++ ap_scan_bus_task = NULL;
+ mutex_unlock(&ap_scan_bus_mutex);
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 05bb4a79116b7f632e6c48deddf857d94c41716c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 21:55:24 +0800
+Subject: samples/bpf: Fix compilation errors with cf-protection option
+
+From: Jiangshan Yi <yijiangshan@kylinos.cn>
+
+[ Upstream commit fdf1c728fac541891ef1aa773bfd42728626769c ]
+
+Currently, compiling the bpf programs will result the compilation errors
+with the cf-protection option as follows in arm64 and loongarch64 machine
+when using gcc 12.3.1 and clang 17.0.6. This commit fixes the compilation
+errors by limited the cf-protection option only used in x86 platform.
+
+[root@localhost linux]# make M=samples/bpf
+ ......
+ CLANG-bpf samples/bpf/xdp2skb_meta_kern.o
+error: option 'cf-protection=return' cannot be specified on this target
+error: option 'cf-protection=branch' cannot be specified on this target
+2 errors generated.
+ CLANG-bpf samples/bpf/syscall_tp_kern.o
+error: option 'cf-protection=return' cannot be specified on this target
+error: option 'cf-protection=branch' cannot be specified on this target
+2 errors generated.
+ ......
+
+Fixes: 34f6e38f58db ("samples/bpf: fix warning with ignored-attributes")
+Reported-by: Jiangshan Yi <yijiangshan@kylinos.cn>
+Signed-off-by: Jiangshan Yi <yijiangshan@kylinos.cn>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Tested-by: Qiang Wang <wangqiang1@kylinos.cn>
+Link: https://lore.kernel.org/bpf/20240815135524.140675-1-13667453960@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/Makefile | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
+index 3e003dd6bea09..dca56aa360ff3 100644
+--- a/samples/bpf/Makefile
++++ b/samples/bpf/Makefile
+@@ -169,6 +169,10 @@ BPF_EXTRA_CFLAGS += -I$(srctree)/arch/mips/include/asm/mach-generic
+ endif
+ endif
+
++ifeq ($(ARCH), x86)
++BPF_EXTRA_CFLAGS += -fcf-protection
++endif
++
+ TPROGS_CFLAGS += -Wall -O2
+ TPROGS_CFLAGS += -Wmissing-prototypes
+ TPROGS_CFLAGS += -Wstrict-prototypes
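Review bot: The new guard `ifeq ($(ARCH), x86)` matches only the exact string x86, so a build invoked with `ARCH=x86_64` or `ARCH=i386` would, as far as I can tell, silently lose `-fcf-protection`. Testing the source architecture instead, `ifeq ($(SRCARCH), x86)`, covers all three spellings. A one-line comment above the block, e.g. `# clang rejects -fcf-protection on non-x86 targets`, would also record why the flag is conditional.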
+@@ -405,7 +409,7 @@ $(obj)/%.o: $(src)/%.c
+ -Wno-gnu-variable-sized-type-not-at-end \
+ -Wno-address-of-packed-member -Wno-tautological-compare \
+ -Wno-unknown-warning-option $(CLANG_ARCH_ARGS) \
+- -fno-asynchronous-unwind-tables -fcf-protection \
++ -fno-asynchronous-unwind-tables \
+ -I$(srctree)/samples/bpf/ -include asm_goto_workaround.h \
+ -O2 -emit-llvm -Xclang -disable-llvm-passes -c $< -o - | \
+ $(OPT) -O2 -mtriple=bpf-pc-linux | $(LLVM_DIS) | \
+--
+2.43.0
+
--- /dev/null
+From bdebde18a6375eb5af94a83296cdba93eb4dd18b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 11:11:11 +0800
+Subject: sched/deadline: Fix schedstats vs deadline servers
+
+From: Huang Shijie <shijie@os.amperecomputing.com>
+
+[ Upstream commit 9c602adb799e72ee537c0c7ca7e828c3fe2acad6 ]
+
+In dl_server_start(), when schedstats is enabled, the following
+happens:
+
+ dl_server_start()
+ dl_se->dl_server = 1;
+ enqueue_dl_entity()
+ update_stats_enqueue_dl()
+ __schedstats_from_dl_se()
+ dl_task_of()
+ BUG_ON(dl_server(dl_se));
+
+Since only tasks have schedstats and internal entries do not, avoid
+trying to update stats in this case.
+
+Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers")
+Signed-off-by: Huang Shijie <shijie@os.amperecomputing.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Link: https://lkml.kernel.org/r/20240829031111.12142-1-shijie@os.amperecomputing.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 38 ++++++++++++++++----------------------
+ 1 file changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 9bedd148f0075..09faca47e90fb 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1599,46 +1599,40 @@ static inline bool __dl_less(struct rb_node *a, const struct rb_node *b)
+ return dl_time_before(__node_2_dle(a)->deadline, __node_2_dle(b)->deadline);
+ }
+
+-static inline struct sched_statistics *
++static __always_inline struct sched_statistics *
+ __schedstats_from_dl_se(struct sched_dl_entity *dl_se)
+ {
++ if (!schedstat_enabled())
++ return NULL;
++
++ if (dl_server(dl_se))
++ return NULL;
++
+ return &dl_task_of(dl_se)->stats;
+ }
+
+ static inline void
+ update_stats_wait_start_dl(struct dl_rq *dl_rq, struct sched_dl_entity *dl_se)
+ {
+- struct sched_statistics *stats;
+-
+- if (!schedstat_enabled())
+- return;
+-
+- stats = __schedstats_from_dl_se(dl_se);
+- __update_stats_wait_start(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
++ struct sched_statistics *stats = __schedstats_from_dl_se(dl_se);
++ if (stats)
++ __update_stats_wait_start(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
+ }
+
+ static inline void
+ update_stats_wait_end_dl(struct dl_rq *dl_rq, struct sched_dl_entity *dl_se)
+ {
+- struct sched_statistics *stats;
+-
+- if (!schedstat_enabled())
+- return;
+-
+- stats = __schedstats_from_dl_se(dl_se);
+- __update_stats_wait_end(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
++ struct sched_statistics *stats = __schedstats_from_dl_se(dl_se);
++ if (stats)
++ __update_stats_wait_end(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
+ }
+
+ static inline void
+ update_stats_enqueue_sleeper_dl(struct dl_rq *dl_rq, struct sched_dl_entity *dl_se)
+ {
+- struct sched_statistics *stats;
+-
+- if (!schedstat_enabled())
+- return;
+-
+- stats = __schedstats_from_dl_se(dl_se);
+- __update_stats_enqueue_sleeper(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
++ struct sched_statistics *stats = __schedstats_from_dl_se(dl_se);
++ if (stats)
++ __update_stats_enqueue_sleeper(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
+ }
+
+ static inline void
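Review bot: `__schedstats_from_dl_se()` can now return NULL (schedstats disabled, or the entity is a deadline server), but that contract is not written down. The three update_stats_*_dl() helpers in this hunk check the result, and any caller outside the hunk has to do the same. I would add above the function `/* Returns NULL when schedstats are off or dl_se is a server, which has no task */`. On style, kernel convention wants a blank line between the `struct sched_statistics *stats = ...;` declaration and the `if (stats)` that follows in each helper. The hunk ends inside the next function's signature.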
+--
+2.43.0
+
--- /dev/null
+From e3a90e226a00ecfab9adaae39fe30ae703a4309c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 10:35:05 +0800
+Subject: sched/fair: Make SCHED_IDLE entity be preempted in strict hierarchy
+
+From: Tianchen Ding <dtcccc@linux.alibaba.com>
+
+[ Upstream commit faa42d29419def58d3c3e5b14ad4037f0af3b496 ]
+
+Consider the following cgroup:
+
+ root
+ |
+ ------------------------
+ | |
+ normal_cgroup idle_cgroup
+ | |
+ SCHED_IDLE task_A SCHED_NORMAL task_B
+
+According to the cgroup hierarchy, A should preempt B. But current
+check_preempt_wakeup_fair() treats cgroup se and task separately, so B
+will preempt A unexpectedly.
+Unify the wakeup logic by {c,p}se_is_idle only. This makes SCHED_IDLE of
+a task a relative policy that is effective only within its own cgroup,
+similar to the behavior of NICE.
+
+Also fix se_is_idle() definition when !CONFIG_FAIR_GROUP_SCHED.
+
+Fixes: 304000390f88 ("sched: Cgroup SCHED_IDLE support")
+Signed-off-by: Tianchen Ding <dtcccc@linux.alibaba.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Josh Don <joshdon@google.com>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/20240626023505.1332596-1-dtcccc@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 483c137b9d3d7..3f631816c8fbb 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -511,7 +511,7 @@ static int cfs_rq_is_idle(struct cfs_rq *cfs_rq)
+
+ static int se_is_idle(struct sched_entity *se)
+ {
+- return 0;
++ return task_has_idle_policy(task_of(se));
+ }
+
+ #endif /* CONFIG_FAIR_GROUP_SCHED */
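Review bot: The !CONFIG_FAIR_GROUP_SCHED variant of `se_is_idle()` now calls `task_of(se)` unconditionally, which is only valid because every sched_entity is a task in that configuration; that assumption is not stated anywhere near the call. A comment such as `/* Without group scheduling every entity is a task */` above the return would keep the two variants of the function from being merged carelessly.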
+@@ -8381,16 +8381,7 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
+ if (test_tsk_need_resched(curr))
+ return;
+
+- /* Idle tasks are by definition preempted by non-idle tasks. */
+- if (unlikely(task_has_idle_policy(curr)) &&
+- likely(!task_has_idle_policy(p)))
+- goto preempt;
+-
+- /*
+- * Batch and idle tasks do not preempt non-idle tasks (their preemption
+- * is driven by the tick):
+- */
+- if (unlikely(p->policy != SCHED_NORMAL) || !sched_feat(WAKEUP_PREEMPTION))
++ if (!sched_feat(WAKEUP_PREEMPTION))
+ return;
+
+ find_matching_se(&se, &pse);
+@@ -8400,7 +8391,7 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
+ pse_is_idle = se_is_idle(pse);
+
+ /*
+- * Preempt an idle group in favor of a non-idle group (and don't preempt
++ * Preempt an idle entity in favor of a non-idle entity (and don't preempt
+ * in the inverse case).
+ */
+ if (cse_is_idle && !pse_is_idle)
+@@ -8408,9 +8399,14 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
+ if (cse_is_idle != pse_is_idle)
+ return;
+
++ /*
++ * BATCH and IDLE tasks do not preempt others.
++ */
++ if (unlikely(p->policy != SCHED_NORMAL))
++ return;
++
+ cfs_rq = cfs_rq_of(se);
+ update_curr(cfs_rq);
+-
+ /*
+ * XXX pick_eevdf(cfs_rq) != se ?
+ */
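Review bot: The added comment `BATCH and IDLE tasks do not preempt others.` is broader than what the code now does, because the policy test sits after the `cse_is_idle && !pse_is_idle` branch. A SCHED_BATCH wakee in a non-idle entity therefore appears able to preempt an idle current entity. I would reword it to `/* Between entities of equal idle state, BATCH and IDLE tasks do not preempt. */`. The hunk also deletes the blank line after `update_curr(cfs_rq);`, an unrelated whitespace change that is better kept out of a fix. check_preempt_wakeup_fair() extends beyond the hunk on both sides.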
+--
+2.43.0
+
--- /dev/null
+From 7445197b0562cacadeddaba6c03dbd53e3c7324b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:29:58 +0800
+Subject: sched/numa: Fix the vma scan starving issue
+
+From: Yujie Liu <yujie.liu@intel.com>
+
+[ Upstream commit f22cde4371f3c624e947a35b075c06c771442a43 ]
+
+Problem statement:
+Since commit fc137c0ddab2 ("sched/numa: enhance vma scanning logic"), the
+Numa vma scan overhead has been reduced a lot. Meanwhile, the reducing of
+the vma scan might create less Numa page fault information. The
+insufficient information makes it harder for the Numa balancer to make
+decision. Later, commit b7a5b537c55c08 ("sched/numa: Complete scanning of
+partial VMAs regardless of PID activity") and commit 84db47ca7146d7
+("sched/numa: Fix mm numa_scan_seq based unconditional scan") are found to
+bring back part of the performance.
+
+Recently when running SPECcpu omnetpp_r on a 320 CPUs/2 Sockets system, a
+long duration of remote Numa node read was observed by PMU events: A few
+cores having ~500MB/s remote memory access for ~20 seconds. It causes
+high core-to-core variance and performance penalty. After the
+investigation, it is found that many vmas are skipped due to the active
+PID check. According to the trace events, in most cases,
+vma_is_accessed() returns false because the history access info stored in
+pids_active array has been cleared.
+
+Proposal:
+The main idea is to adjust vma_is_accessed() to let it return true easier.
+Thus compare the diff between mm->numa_scan_seq and
+vma->numab_state->prev_scan_seq. If the diff has exceeded the threshold,
+scan the vma.
+
+This patch especially helps the cases where there are small number of
+threads, like the process-based SPECcpu. Without this patch, if the
+SPECcpu process access the vma at the beginning, then sleeps for a long
+time, the pid_active array will be cleared. A a result, if this process
+is woken up again, it never has a chance to set prot_none anymore.
+Because only the first 2 times of access is granted for vma scan:
+(current->mm->numa_scan_seq) - vma->numab_state->start_scan_seq) < 2 to be
+worse, no other threads within the task can help set the prot_none. This
+causes information lost.
+
+Raghavendra helped test current patch and got the positive result
+on the AMD platform:
+
+autonumabench NUMA01
+ base patched
+Amean syst-NUMA01 194.05 ( 0.00%) 165.11 * 14.92%*
+Amean elsp-NUMA01 324.86 ( 0.00%) 315.58 * 2.86%*
+
+Duration User 380345.36 368252.04
+Duration System 1358.89 1156.23
+Duration Elapsed 2277.45 2213.25
+
+autonumabench NUMA02
+
+Amean syst-NUMA02 1.12 ( 0.00%) 1.09 * 2.93%*
+Amean elsp-NUMA02 3.50 ( 0.00%) 3.56 * -1.84%*
+
+Duration User 1513.23 1575.48
+Duration System 8.33 8.13
+Duration Elapsed 28.59 29.71
+
+kernbench
+
+Amean user-256 22935.42 ( 0.00%) 22535.19 * 1.75%*
+Amean syst-256 7284.16 ( 0.00%) 7608.72 * -4.46%*
+Amean elsp-256 159.01 ( 0.00%) 158.17 * 0.53%*
+
+Duration User 68816.41 67615.74
+Duration System 21873.94 22848.08
+Duration Elapsed 506.66 504.55
+
+Intel 256 CPUs/2 Sockets:
+autonuma benchmark also shows improvements:
+
+ v6.10-rc5 v6.10-rc5
+ +patch
+Amean syst-NUMA01 245.85 ( 0.00%) 230.84 * 6.11%*
+Amean syst-NUMA01_THREADLOCAL 205.27 ( 0.00%) 191.86 * 6.53%*
+Amean syst-NUMA02 18.57 ( 0.00%) 18.09 * 2.58%*
+Amean syst-NUMA02_SMT 2.63 ( 0.00%) 2.54 * 3.47%*
+Amean elsp-NUMA01 517.17 ( 0.00%) 526.34 * -1.77%*
+Amean elsp-NUMA01_THREADLOCAL 99.92 ( 0.00%) 100.59 * -0.67%*
+Amean elsp-NUMA02 15.81 ( 0.00%) 15.72 * 0.59%*
+Amean elsp-NUMA02_SMT 13.23 ( 0.00%) 12.89 * 2.53%*
+
+ v6.10-rc5 v6.10-rc5
+ +patch
+Duration User 1064010.16 1075416.23
+Duration System 3307.64 3104.66
+Duration Elapsed 4537.54 4604.73
+
+The SPECcpu remote node access issue disappears with the patch applied.
+
+Link: https://lkml.kernel.org/r/20240827112958.181388-1-yu.c.chen@intel.com
+Fixes: fc137c0ddab2 ("sched/numa: enhance vma scanning logic")
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Co-developed-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Yujie Liu <yujie.liu@intel.com>
+Reported-by: Xiaoping Zhou <xiaoping.zhou@intel.com>
+Reviewed-and-tested-by: Raghavendra K T <raghavendra.kt@amd.com>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: "Chen, Tim C" <tim.c.chen@intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Juri Lelli <juri.lelli@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Raghavendra K T <raghavendra.kt@amd.com>
+Cc: Vincent Guittot <vincent.guittot@linaro.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 3f631816c8fbb..3c59f2b34a779 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -3188,6 +3188,15 @@ static bool vma_is_accessed(struct mm_struct *mm, struct vm_area_struct *vma)
+ return true;
+ }
+
++ /*
++ * This vma has not been accessed for a while, and if the number
++ * the threads in the same process is low, which means no other
++ * threads can help scan this vma, force a vma scan.
++ */
++ if (READ_ONCE(mm->numa_scan_seq) >
++ (vma->numab_state->prev_scan_seq + get_nr_threads(current)))
++ return true;
++
+ return false;
+ }
+
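Review bot: The new comment does not describe the test beneath it: the code never checks that the thread count is low, it uses `get_nr_threads(current)` as the number of scan sequences to wait before forcing a scan. I would replace it with a two-line comment saying that a vma last scanned more than nr_threads scan sequences ago is scanned unconditionally, so that a process with few threads is not starved. The threshold is also taken from `current` although the function is handed `mm`; if the two can ever differ on this path, that deserves a word in the comment. vma_is_accessed() starts outside the hunk.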
+--
+2.43.0
+
--- /dev/null
+From 6020e1bb0bf44b98631fcf826626fc2c22fb64fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:26:07 +0800
+Subject: sched/pelt: Use rq_clock_task() for hw_pressure
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+[ Upstream commit 84d265281d6cea65353fc24146280e0d86ac50cb ]
+
+commit 97450eb90965 ("sched/pelt: Remove shift of thermal clock")
+removed the decay_shift for hw_pressure. This commit uses the
+sched_clock_task() in sched_tick() while it replaces the
+sched_clock_task() with rq_clock_pelt() in __update_blocked_others().
+This could bring inconsistence. One possible scenario I can think of
+is in ___update_load_sum():
+
+ u64 delta = now - sa->last_update_time
+
+'now' could be calculated by rq_clock_pelt() from
+__update_blocked_others(), and last_update_time was calculated by
+rq_clock_task() previously from sched_tick(). Usually the former
+chases after the latter, it cause a very large 'delta' and brings
+unexpected behavior.
+
+Fixes: 97450eb90965 ("sched/pelt: Remove shift of thermal clock")
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Hongyan Xia <hongyan.xia2@arm.com>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/20240827112607.181206-1-yu.c.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 3c59f2b34a779..5e4162d02afc1 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -9365,9 +9365,10 @@ static bool __update_blocked_others(struct rq *rq, bool *done)
+
+ hw_pressure = arch_scale_hw_pressure(cpu_of(rq));
+
++ /* hw_pressure doesn't care about invariance */
+ decayed = update_rt_rq_load_avg(now, rq, curr_class == &rt_sched_class) |
+ update_dl_rq_load_avg(now, rq, curr_class == &dl_sched_class) |
+- update_hw_load_avg(now, rq, hw_pressure) |
++ update_hw_load_avg(rq_clock_task(rq), rq, hw_pressure) |
+ update_irq_load_avg(rq, 0);
+
+ if (others_have_blocked(rq))
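Review bot: The comment `/* hw_pressure doesn't care about invariance */` sits above the whole `decayed =` expression although only the `update_hw_load_avg()` operand uses a different clock. It also omits the reason given in the commit message, that the sched_tick() update uses the task clock. Placing it next to that operand and stating the constraint, e.g. `/* must use the same clock as the sched_tick() update of hw_pressure */`, would guard against someone passing `now` again. __update_blocked_others() begins and ends outside this hunk.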
+--
+2.43.0
+
--- /dev/null
+From 3cdaf693efaeb7b0974e5e7892c09031b3d5efc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 14:29:05 +0300
+Subject: scsi: elx: libefc: Fix potential use after free in
+ efc_nport_vport_del()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2e4b02fad094976763af08fec2c620f4f8edd9ae ]
+
+The kref_put() function will call nport->release if the refcount drops to
+zero. The nport->release release function is _efc_nport_free() which frees
+"nport". But then we dereference "nport" on the next line which is a use
+after free. Re-order these lines to avoid the use after free.
+
+Fixes: fcd427303eb9 ("scsi: elx: libefc: SLI and FC PORT state machine interfaces")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/b666ab26-6581-4213-9a3d-32a9147f0399@stanley.mountain
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/elx/libefc/efc_nport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/elx/libefc/efc_nport.c b/drivers/scsi/elx/libefc/efc_nport.c
+index 2e83a667901fe..1a7437f4328e8 100644
+--- a/drivers/scsi/elx/libefc/efc_nport.c
++++ b/drivers/scsi/elx/libefc/efc_nport.c
+@@ -705,9 +705,9 @@ efc_nport_vport_del(struct efc *efc, struct efc_domain *domain,
+ spin_lock_irqsave(&efc->lock, flags);
+ list_for_each_entry(nport, &domain->nport_list, list_entry) {
+ if (nport->wwpn == wwpn && nport->wwnn == wwnn) {
+- kref_put(&nport->ref, nport->release);
+ /* Shutdown this NPORT */
+ efc_sm_post_event(&nport->sm, EFC_EVT_SHUTDOWN, NULL);
++ kref_put(&nport->ref, nport->release);
+ break;
+ }
+ }
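Review bot: The ordering of `efc_sm_post_event()` before `kref_put()` is now what keeps `nport` alive across the event post, but nothing in the loop says so. A comment on the put, e.g. `/* Drop the reference last: release may free nport */`, would prevent the two lines from being swapped back. Both calls run under `efc->lock` with interrupts disabled; whether the release callback is safe in that context cannot be judged from this hunk.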
+--
+2.43.0
+
--- /dev/null
+From a66ad297856f4398783c4e26faab86de6e88c88f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 13:36:28 +1000
+Subject: scsi: NCR5380: Check for phase match during PDMA fixup
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 5768718da9417331803fc4bc090544c2a93b88dc ]
+
+It's not an error for a target to change the bus phase during a transfer.
+Unfortunately, the FLAG_DMA_FIXUP workaround does not allow for that -- a
+phase change produces a DRQ timeout error and the device borken flag will
+be set.
+
+Check the phase match bit during FLAG_DMA_FIXUP processing. Don't forget to
+decrement the command residual. While we are here, change shost_printk()
+into scmd_printk() for better consistency with other DMA error messages.
+
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Fixes: 55181be8ced1 ("ncr5380: Replace redundant flags with FLAG_NO_DMA_FIXUP")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Link: https://lore.kernel.org/r/99dc7d1f4c825621b5b120963a69f6cd3e9ca659.1723001788.git.fthain@linux-m68k.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/NCR5380.c | 78 +++++++++++++++++++++---------------------
+ 1 file changed, 39 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
+index cea3a79d538e4..00e245173320c 100644
+--- a/drivers/scsi/NCR5380.c
++++ b/drivers/scsi/NCR5380.c
+@@ -1485,6 +1485,7 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance,
+ unsigned char **data)
+ {
+ struct NCR5380_hostdata *hostdata = shost_priv(instance);
++ struct NCR5380_cmd *ncmd = NCR5380_to_ncmd(hostdata->connected);
+ int c = *count;
+ unsigned char p = *phase;
+ unsigned char *d = *data;
+@@ -1496,7 +1497,7 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance,
+ return -1;
+ }
+
+- NCR5380_to_ncmd(hostdata->connected)->phase = p;
++ ncmd->phase = p;
+
+ if (p & SR_IO) {
+ if (hostdata->read_overruns)
+@@ -1608,45 +1609,44 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance,
+ * request.
+ */
+
+- if (hostdata->flags & FLAG_DMA_FIXUP) {
+- if (p & SR_IO) {
+- /*
+- * The workaround was to transfer fewer bytes than we
+- * intended to with the pseudo-DMA read function, wait for
+- * the chip to latch the last byte, read it, and then disable
+- * pseudo-DMA mode.
+- *
+- * After REQ is asserted, the NCR5380 asserts DRQ and ACK.
+- * REQ is deasserted when ACK is asserted, and not reasserted
+- * until ACK goes false. Since the NCR5380 won't lower ACK
+- * until DACK is asserted, which won't happen unless we twiddle
+- * the DMA port or we take the NCR5380 out of DMA mode, we
+- * can guarantee that we won't handshake another extra
+- * byte.
+- */
+-
+- if (NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG,
+- BASR_DRQ, BASR_DRQ, 0) < 0) {
+- result = -1;
+- shost_printk(KERN_ERR, instance, "PDMA read: DRQ timeout\n");
+- }
+- if (NCR5380_poll_politely(hostdata, STATUS_REG,
+- SR_REQ, 0, 0) < 0) {
+- result = -1;
+- shost_printk(KERN_ERR, instance, "PDMA read: !REQ timeout\n");
+- }
+- d[*count - 1] = NCR5380_read(INPUT_DATA_REG);
+- } else {
+- /*
+- * Wait for the last byte to be sent. If REQ is being asserted for
+- * the byte we're interested, we'll ACK it and it will go false.
+- */
+- if (NCR5380_poll_politely2(hostdata,
+- BUS_AND_STATUS_REG, BASR_DRQ, BASR_DRQ,
+- BUS_AND_STATUS_REG, BASR_PHASE_MATCH, 0, 0) < 0) {
+- result = -1;
+- shost_printk(KERN_ERR, instance, "PDMA write: DRQ and phase timeout\n");
++ if ((hostdata->flags & FLAG_DMA_FIXUP) &&
++ (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) {
++ /*
++ * The workaround was to transfer fewer bytes than we
++ * intended to with the pseudo-DMA receive function, wait for
++ * the chip to latch the last byte, read it, and then disable
++ * DMA mode.
++ *
++ * After REQ is asserted, the NCR5380 asserts DRQ and ACK.
++ * REQ is deasserted when ACK is asserted, and not reasserted
++ * until ACK goes false. Since the NCR5380 won't lower ACK
++ * until DACK is asserted, which won't happen unless we twiddle
++ * the DMA port or we take the NCR5380 out of DMA mode, we
++ * can guarantee that we won't handshake another extra
++ * byte.
++ *
++ * If sending, wait for the last byte to be sent. If REQ is
++ * being asserted for the byte we're interested, we'll ACK it
++ * and it will go false.
++ */
++ if (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG,
++ BASR_DRQ, BASR_DRQ, 0)) {
++ if ((p & SR_IO) &&
++ (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) {
++ if (!NCR5380_poll_politely(hostdata, STATUS_REG,
++ SR_REQ, 0, 0)) {
++ d[c] = NCR5380_read(INPUT_DATA_REG);
++ --ncmd->this_residual;
++ } else {
++ result = -1;
++ scmd_printk(KERN_ERR, hostdata->connected,
++ "PDMA fixup: !REQ timeout\n");
++ }
+ }
++ } else if (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH) {
++ result = -1;
++ scmd_printk(KERN_ERR, hostdata->connected,
++ "PDMA fixup: DRQ timeout\n");
+ }
+ }
+
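Review bot: The store `d[c] = NCR5380_read(INPUT_DATA_REG);` replaces the old `d[*count - 1]` index, so it stays inside the caller's buffer only if `c` was reduced below `*count` earlier in NCR5380_transfer_dma, in code this hunk does not show. A comment at the store would make that dependency explicit, for example `/* c excludes the byte held back for the fixup, so d[c] is the last byte of the buffer */`. The same branch does `--ncmd->this_residual` without checking that the residual is non-zero, which presumably holds because a byte was held back, but that is also worth stating. The function body starts and ends outside the hunk.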
+--
+2.43.0
+
--- /dev/null
+From 0995df8e7db6357d06cbfca01f0f44bbeb7623bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 14:47:02 -0500
+Subject: scsi: smartpqi: revert propagate-the-multipath-failure-to-SML-quickly
+
+From: Gilbert Wu <Gilbert.Wu@microchip.com>
+
+[ Upstream commit f1393d52e6cda9c20f12643cbecf1e1dc357e0e2 ]
+
+Correct a rare multipath failure issue by reverting commit 94a68c814328
+("scsi: smartpqi: Quickly propagate path failures to SCSI midlayer") [1].
+
+Reason for revert: The patch propagated the path failure to SML quickly
+when one of the paths fails during IO and the AIO path gets disabled for a
+multipath device.
+
+But it created a new issue: when creating a volume on an encryption-enabled
+controller, the firmware reports the AIO path is disabled, which causes the
+driver to report a path failure to SML for a multipath device.
+
+There will be a new fix to handle "Illegal request" and "Invalid field in
+parameter list" on RAID path when the AIO path is disabled on a multipath
+device.
+
+[1] https://lore.kernel.org/all/164375209313.440833.9992416628621839233.stgit@brunhilda.pdev.net/
+
+Fixes: 94a68c814328 ("scsi: smartpqi: Quickly propagate path failures to SCSI midlayer")
+Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
+Reviewed-by: Scott Teel <scott.teel@microchip.com>
+Reviewed-by: Mike McGowen <mike.mcgowen@microchip.com>
+Signed-off-by: Gilbert Wu <Gilbert.Wu@microchip.com>
+Signed-off-by: Don Brace <don.brace@microchip.com>
+Link: https://lore.kernel.org/r/20240711194704.982400-4-don.brace@microchip.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 20 ++------------------
+ 1 file changed, 2 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 24c7cb285dca0..c1524fb334eb5 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -2354,14 +2354,6 @@ static inline void pqi_mask_device(u8 *scsi3addr)
+ scsi3addr[3] |= 0xc0;
+ }
+
+-static inline bool pqi_is_multipath_device(struct pqi_scsi_dev *device)
+-{
+- if (pqi_is_logical_device(device))
+- return false;
+-
+- return (device->path_map & (device->path_map - 1)) != 0;
+-}
+-
+ static inline bool pqi_expose_device(struct pqi_scsi_dev *device)
+ {
+ return !device->is_physical_device || !pqi_skip_device(device->scsi3addr);
+@@ -3258,14 +3250,12 @@ static void pqi_process_aio_io_error(struct pqi_io_request *io_request)
+ int residual_count;
+ int xfer_count;
+ bool device_offline;
+- struct pqi_scsi_dev *device;
+
+ scmd = io_request->scmd;
+ error_info = io_request->error_info;
+ host_byte = DID_OK;
+ sense_data_length = 0;
+ device_offline = false;
+- device = scmd->device->hostdata;
+
+ switch (error_info->service_response) {
+ case PQI_AIO_SERV_RESPONSE_COMPLETE:
+@@ -3290,14 +3280,8 @@ static void pqi_process_aio_io_error(struct pqi_io_request *io_request)
+ break;
+ case PQI_AIO_STATUS_AIO_PATH_DISABLED:
+ pqi_aio_path_disabled(io_request);
+- if (pqi_is_multipath_device(device)) {
+- pqi_device_remove_start(device);
+- host_byte = DID_NO_CONNECT;
+- scsi_status = SAM_STAT_CHECK_CONDITION;
+- } else {
+- scsi_status = SAM_STAT_GOOD;
+- io_request->status = -EAGAIN;
+- }
++ scsi_status = SAM_STAT_GOOD;
++ io_request->status = -EAGAIN;
+ break;
+ case PQI_AIO_STATUS_NO_PATH_TO_DEVICE:
+ case PQI_AIO_STATUS_INVALID_DEVICE:
+--
+2.43.0
+
--- /dev/null
+From 30154eda47c84ddd2ef380e9e9c77d10497f9026 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 16:38:43 -0700
+Subject: selftests/bpf: __arch_* macro to limit test cases to specific archs
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit ee7fe84468b1732fe65c5af3836437d54ac4c419 ]
+
+Add annotations __arch_x86_64, __arch_arm64, __arch_riscv64
+to specify on which architecture the test case should be tested.
+Several __arch_* annotations could be specified at once.
+When test case is not run on current arch it is marked as skipped.
+
+For example, the following would be tested only on arm64 and riscv64:
+
+ SEC("raw_tp")
+ __arch_arm64
+ __arch_riscv64
+ __xlated("1: *(u64 *)(r10 - 16) = r1")
+ __xlated("2: call")
+ __xlated("3: r1 = *(u64 *)(r10 - 16);")
+ __success
+ __naked void canary_arm64_riscv64(void)
+ {
+ asm volatile (
+ "r1 = 1;"
+ "*(u64 *)(r10 - 16) = r1;"
+ "call %[bpf_get_smp_processor_id];"
+ "r1 = *(u64 *)(r10 - 16);"
+ "exit;"
+ :
+ : __imm(bpf_get_smp_processor_id)
+ : __clobber_all);
+ }
+
+On x86 it would be skipped:
+
+ #467/2 verifier_nocsr/canary_arm64_riscv64:SKIP
+
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240722233844.1406874-10-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/bpf_misc.h | 8 ++++
+ tools/testing/selftests/bpf/test_loader.c | 43 ++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
+index 6c24e09df7d2b..078268a19b773 100644
+--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
++++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
+@@ -63,6 +63,10 @@
+ * __auxiliary Annotated program is not a separate test, but used as auxiliary
+ * for some other test cases and should always be loaded.
+ * __auxiliary_unpriv Same, but load program in unprivileged mode.
++ *
++ * __arch_* Specify on which architecture the test case should be tested.
++ * Several __arch_* annotations could be specified at once.
++ * When test case is not run on current arch it is marked as skipped.
+ */
+ #define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" msg)))
+ #define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" regex)))
+@@ -82,6 +86,10 @@
+ #define __auxiliary __attribute__((btf_decl_tag("comment:test_auxiliary")))
+ #define __auxiliary_unpriv __attribute__((btf_decl_tag("comment:test_auxiliary_unpriv")))
+ #define __btf_path(path) __attribute__((btf_decl_tag("comment:test_btf_path=" path)))
++#define __arch(arch) __attribute__((btf_decl_tag("comment:test_arch=" arch)))
++#define __arch_x86_64 __arch("X86_64")
++#define __arch_arm64 __arch("ARM64")
++#define __arch_riscv64 __arch("RISCV64")
+
+ /* Convenience macro for use with 'asm volatile' blocks */
+ #define __naked __attribute__((naked))
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index b44b6a2fc82ce..12b0c41e8d64c 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -34,6 +34,7 @@
+ #define TEST_TAG_AUXILIARY "comment:test_auxiliary"
+ #define TEST_TAG_AUXILIARY_UNPRIV "comment:test_auxiliary_unpriv"
+ #define TEST_BTF_PATH "comment:test_btf_path="
++#define TEST_TAG_ARCH "comment:test_arch="
+
+ /* Warning: duplicated in bpf_misc.h */
+ #define POINTER_VALUE 0xcafe4all
+@@ -80,6 +81,7 @@ struct test_spec {
+ int log_level;
+ int prog_flags;
+ int mode_mask;
++ int arch_mask;
+ bool auxiliary;
+ bool valid;
+ };
+@@ -213,6 +215,12 @@ static void update_flags(int *flags, int flag, bool clear)
+ *flags |= flag;
+ }
+
++enum arch {
++ ARCH_X86_64 = 0x1,
++ ARCH_ARM64 = 0x2,
++ ARCH_RISCV64 = 0x4,
++};
++
+ /* Uses btf_decl_tag attributes to describe the expected test
+ * behavior, see bpf_misc.h for detailed description of each attribute
+ * and attribute combinations.
+@@ -226,6 +234,7 @@ static int parse_test_spec(struct test_loader *tester,
+ bool has_unpriv_result = false;
+ bool has_unpriv_retval = false;
+ int func_id, i, err = 0;
++ u32 arch_mask = 0;
+ struct btf *btf;
+
+ memset(spec, 0, sizeof(*spec));
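Review bot: The local `u32 arch_mask` added to parse_test_spec here does not match the `int arch_mask` field added to struct test_spec, nor the `int arch_mask` parameter of run_on_current_arch() added later in this patch. The value is a bit set built from enum arch, so one type should be used throughout, either `int arch_mask = 0;` here or an unsigned type in all three places. parse_test_spec continues outside the hunk.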
+@@ -364,11 +373,26 @@ static int parse_test_spec(struct test_loader *tester,
+ goto cleanup;
+ update_flags(&spec->prog_flags, flags, clear);
+ }
++ } else if (str_has_pfx(s, TEST_TAG_ARCH)) {
++ val = s + sizeof(TEST_TAG_ARCH) - 1;
++ if (strcmp(val, "X86_64") == 0) {
++ arch_mask |= ARCH_X86_64;
++ } else if (strcmp(val, "ARM64") == 0) {
++ arch_mask |= ARCH_ARM64;
++ } else if (strcmp(val, "RISCV64") == 0) {
++ arch_mask |= ARCH_RISCV64;
++ } else {
++ PRINT_FAIL("bad arch spec: '%s'", val);
++ err = -EINVAL;
++ goto cleanup;
++ }
+ } else if (str_has_pfx(s, TEST_BTF_PATH)) {
+ spec->btf_custom_path = s + sizeof(TEST_BTF_PATH) - 1;
+ }
+ }
+
++ spec->arch_mask = arch_mask;
++
+ if (spec->mode_mask == 0)
+ spec->mode_mask = PRIV;
+
+@@ -677,6 +701,20 @@ static int get_xlated_program_text(int prog_fd, char *text, size_t text_sz)
+ return err;
+ }
+
++static bool run_on_current_arch(int arch_mask)
++{
++ if (arch_mask == 0)
++ return true;
++#if defined(__x86_64__)
++ return arch_mask & ARCH_X86_64;
++#elif defined(__aarch64__)
++ return arch_mask & ARCH_ARM64;
++#elif defined(__riscv) && __riscv_xlen == 64
++ return arch_mask & ARCH_RISCV64;
++#endif
++ return false;
++}
++
+ /* this function is forced noinline and has short generic name to look better
+ * in test_progs output (in case of a failure)
+ */
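Review bot: run_on_current_arch() has no comment explaining its two implicit rules, that a mask of 0 means "no restriction" and that a build for any architecture outside the `#if` chain falls through to `return false`. The second rule means every test carrying an `__arch_*` tag is skipped on such a build, which is easy to miss when a fourth architecture is added to enum arch but not to the chain. I would add above the function `/* True if the test has no __arch_* tag (mask 0) or the build architecture is in the mask; other architectures skip tagged tests. */`.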
+@@ -701,6 +739,11 @@ void run_subtest(struct test_loader *tester,
+ if (!test__start_subtest(subspec->name))
+ return;
+
++ if (!run_on_current_arch(spec->arch_mask)) {
++ test__skip();
++ return;
++ }
++
+ if (unpriv) {
+ if (!can_execute_unpriv(tester, spec)) {
+ test__skip();
+--
+2.43.0
+
--- /dev/null
+From 7deeabd677590e3379fe17f23517576db753c0c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 16:38:42 -0700
+Subject: selftests/bpf: allow checking xlated programs in verifier_* tests
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 9c9f7339131030949a8ef111080427ff1a8085b5 ]
+
+Add a macro __xlated("...") for use with test_loader tests.
+
+When such annotations are present for the test case:
+- bpf_prog_get_info_by_fd() is used to get BPF program after all
+ rewrites are applied by verifier.
+- the program is disassembled and patterns specified in __xlated are
+ searched for in the disassembly text.
+
+__xlated matching follows the same mechanics as __msg:
+each subsequent pattern is matched from the point where
+previous pattern ended.
+
+This allows writing tests like the one below, where the goal is to verify the
+behavior of one of the transformations applied by the verifier:
+
+ SEC("raw_tp")
+ __xlated("1: w0 = ")
+ __xlated("2: r0 = &(void __percpu *)(r0)")
+ __xlated("3: r0 = *(u32 *)(r0 +0)")
+ __xlated("4: exit")
+ __success __naked void simple(void)
+ {
+ asm volatile (
+ "call %[bpf_get_smp_processor_id];"
+ "exit;"
+ :
+ : __imm(bpf_get_smp_processor_id)
+ : __clobber_all);
+ }
+
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240722233844.1406874-9-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/bpf_misc.h | 5 ++
+ tools/testing/selftests/bpf/test_loader.c | 82 +++++++++++++++++++-
+ 2 files changed, 84 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
+index c0280bd2f340d..6c24e09df7d2b 100644
+--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
++++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
+@@ -26,6 +26,9 @@
+ *
+ * __regex Same as __msg, but using a regular expression.
+ * __regex_unpriv Same as __msg_unpriv but using a regular expression.
++ * __xlated Expect a line in a disassembly log after verifier applies rewrites.
++ * Multiple __xlated attributes could be specified.
++ * __xlated_unpriv Same as __xlated but for unprivileged mode.
+ *
+ * __success Expect program load success in privileged mode.
+ * __success_unpriv Expect program load success in unprivileged mode.
+@@ -63,11 +66,13 @@
+ */
+ #define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" msg)))
+ #define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" regex)))
++#define __xlated(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated=" msg)))
+ #define __failure __attribute__((btf_decl_tag("comment:test_expect_failure")))
+ #define __success __attribute__((btf_decl_tag("comment:test_expect_success")))
+ #define __description(desc) __attribute__((btf_decl_tag("comment:test_description=" desc)))
+ #define __msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_msg_unpriv=" msg)))
+ #define __regex_unpriv(regex) __attribute__((btf_decl_tag("comment:test_expect_regex_unpriv=" regex)))
++#define __xlated_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated_unpriv=" msg)))
+ #define __failure_unpriv __attribute__((btf_decl_tag("comment:test_expect_failure_unpriv")))
+ #define __success_unpriv __attribute__((btf_decl_tag("comment:test_expect_success_unpriv")))
+ #define __log_level(lvl) __attribute__((btf_decl_tag("comment:test_log_level="#lvl)))
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index 3f84903558dd8..b44b6a2fc82ce 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -7,6 +7,7 @@
+ #include <bpf/btf.h>
+
+ #include "autoconf_helper.h"
++#include "disasm_helpers.h"
+ #include "unpriv_helpers.h"
+ #include "cap_helpers.h"
+
+@@ -19,10 +20,12 @@
+ #define TEST_TAG_EXPECT_SUCCESS "comment:test_expect_success"
+ #define TEST_TAG_EXPECT_MSG_PFX "comment:test_expect_msg="
+ #define TEST_TAG_EXPECT_REGEX_PFX "comment:test_expect_regex="
++#define TEST_TAG_EXPECT_XLATED_PFX "comment:test_expect_xlated="
+ #define TEST_TAG_EXPECT_FAILURE_UNPRIV "comment:test_expect_failure_unpriv"
+ #define TEST_TAG_EXPECT_SUCCESS_UNPRIV "comment:test_expect_success_unpriv"
+ #define TEST_TAG_EXPECT_MSG_PFX_UNPRIV "comment:test_expect_msg_unpriv="
+ #define TEST_TAG_EXPECT_REGEX_PFX_UNPRIV "comment:test_expect_regex_unpriv="
++#define TEST_TAG_EXPECT_XLATED_PFX_UNPRIV "comment:test_expect_xlated_unpriv="
+ #define TEST_TAG_LOG_LEVEL_PFX "comment:test_log_level="
+ #define TEST_TAG_PROG_FLAGS_PFX "comment:test_prog_flags="
+ #define TEST_TAG_DESCRIPTION_PFX "comment:test_description="
+@@ -64,6 +67,7 @@ struct test_subspec {
+ char *name;
+ bool expect_failure;
+ struct expected_msgs expect_msgs;
++ struct expected_msgs expect_xlated;
+ int retval;
+ bool execute;
+ };
+@@ -117,6 +121,8 @@ static void free_test_spec(struct test_spec *spec)
+ /* Deallocate expect_msgs arrays. */
+ free_msgs(&spec->priv.expect_msgs);
+ free_msgs(&spec->unpriv.expect_msgs);
++ free_msgs(&spec->priv.expect_xlated);
++ free_msgs(&spec->unpriv.expect_xlated);
+
+ free(spec->priv.name);
+ free(spec->unpriv.name);
+@@ -299,6 +305,18 @@ static int parse_test_spec(struct test_loader *tester,
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
++ } else if (str_has_pfx(s, TEST_TAG_EXPECT_XLATED_PFX)) {
++ msg = s + sizeof(TEST_TAG_EXPECT_XLATED_PFX) - 1;
++ err = push_msg(msg, NULL, &spec->priv.expect_xlated);
++ if (err)
++ goto cleanup;
++ spec->mode_mask |= PRIV;
++ } else if (str_has_pfx(s, TEST_TAG_EXPECT_XLATED_PFX_UNPRIV)) {
++ msg = s + sizeof(TEST_TAG_EXPECT_XLATED_PFX_UNPRIV) - 1;
++ err = push_msg(msg, NULL, &spec->unpriv.expect_xlated);
++ if (err)
++ goto cleanup;
++ spec->mode_mask |= UNPRIV;
+ } else if (str_has_pfx(s, TEST_TAG_RETVAL_PFX)) {
+ val = s + sizeof(TEST_TAG_RETVAL_PFX) - 1;
+ err = parse_retval(val, &spec->priv.retval, "__retval");
+@@ -402,6 +420,16 @@ static int parse_test_spec(struct test_loader *tester,
+ goto cleanup;
+ }
+ }
++ if (spec->unpriv.expect_xlated.cnt == 0) {
++ for (i = 0; i < spec->priv.expect_xlated.cnt; i++) {
++ struct expect_msg *msg = &spec->priv.expect_xlated.patterns[i];
++
++ err = push_msg(msg->substr, msg->regex_str,
++ &spec->unpriv.expect_xlated);
++ if (err)
++ goto cleanup;
++ }
++ }
+ }
+
+ spec->valid = true;
+@@ -449,7 +477,15 @@ static void emit_verifier_log(const char *log_buf, bool force)
+ fprintf(stdout, "VERIFIER LOG:\n=============\n%s=============\n", log_buf);
+ }
+
+-static void validate_msgs(char *log_buf, struct expected_msgs *msgs)
++static void emit_xlated(const char *xlated, bool force)
++{
++ if (!force && env.verbosity == VERBOSE_NONE)
++ return;
++ fprintf(stdout, "XLATED:\n=============\n%s=============\n", xlated);
++}
++
++static void validate_msgs(char *log_buf, struct expected_msgs *msgs,
++ void (*emit_fn)(const char *buf, bool force))
+ {
+ regmatch_t reg_match[1];
+ const char *log = log_buf;
+@@ -473,7 +509,7 @@ static void validate_msgs(char *log_buf, struct expected_msgs *msgs)
+
+ if (!ASSERT_OK_PTR(match, "expect_msg")) {
+ if (env.verbosity == VERBOSE_NONE)
+- emit_verifier_log(log_buf, true /*force*/);
++ emit_fn(log_buf, true /*force*/);
+ for (j = 0; j <= i; j++) {
+ msg = &msgs->patterns[j];
+ fprintf(stderr, "%s %s: '%s'\n",
+@@ -610,6 +646,37 @@ static bool should_do_test_run(struct test_spec *spec, struct test_subspec *subs
+ return true;
+ }
+
++/* Get a disassembly of BPF program after verifier applies all rewrites */
++static int get_xlated_program_text(int prog_fd, char *text, size_t text_sz)
++{
++ struct bpf_insn *insn_start = NULL, *insn, *insn_end;
++ __u32 insns_cnt = 0, i;
++ char buf[64];
++ FILE *out = NULL;
++ int err;
++
++ err = get_xlated_program(prog_fd, &insn_start, &insns_cnt);
++ if (!ASSERT_OK(err, "get_xlated_program"))
++ goto out;
++ out = fmemopen(text, text_sz, "w");
++ if (!ASSERT_OK_PTR(out, "open_memstream"))
++ goto out;
++ insn_end = insn_start + insns_cnt;
++ insn = insn_start;
++ while (insn < insn_end) {
++ i = insn - insn_start;
++ insn = disasm_insn(insn, buf, sizeof(buf));
++ fprintf(out, "%d: %s\n", i, buf);
++ }
++ fflush(out);
++
++out:
++ free(insn_start);
++ if (out)
++ fclose(out);
++ return err;
++}
++
+ /* this function is forced noinline and has short generic name to look better
+ * in test_progs output (in case of a failure)
+ */
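Review bot: In get_xlated_program_text(), a failing `fmemopen()` jumps to `out` with `err` still 0 from the successful get_xlated_program() call, so the caller sees success and goes on to match patterns against whatever `text` already held. Setting the error before the jump fixes that, e.g. `if (!ASSERT_OK_PTR(out, "fmemopen")) { err = -errno; goto out; }`, which also corrects the label that currently says "open_memstream". The `fprintf()` and `fflush()` results are ignored as well, so a disassembly longer than `text_sz` is silently truncated and the `__xlated` patterns are then checked against partial text. `i` is `__u32` but is printed with `%d`; `%u` matches the type.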
+@@ -695,7 +762,16 @@ void run_subtest(struct test_loader *tester,
+ }
+ }
+ emit_verifier_log(tester->log_buf, false /*force*/);
+- validate_msgs(tester->log_buf, &subspec->expect_msgs);
++ validate_msgs(tester->log_buf, &subspec->expect_msgs, emit_verifier_log);
++
++ if (subspec->expect_xlated.cnt) {
++ err = get_xlated_program_text(bpf_program__fd(tprog),
++ tester->log_buf, tester->log_buf_sz);
++ if (err)
++ goto tobj_cleanup;
++ emit_xlated(tester->log_buf, false /*force*/);
++ validate_msgs(tester->log_buf, &subspec->expect_xlated, emit_xlated);
++ }
+
+ if (should_do_test_run(spec, subspec)) {
+ /* For some reason test_verifier executes programs
+--
+2.43.0
+
--- /dev/null
+From b587d44e6c1dc4bf4889e02157774d0c5a572675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:31 -0700
+Subject: selftests/bpf: Drop unneeded error.h includes
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 69f409469c9b1515a5db40d5a36fda372376fa2d ]
+
+The addition of general support for unprivileged tests in test_loader.c
+breaks building test_verifier on non-glibc (e.g. musl) systems, due to the
+inclusion of glibc extension '<error.h>' in 'unpriv_helpers.c'. However,
+the header is actually not needed, so remove it to restore building.
+
+Similarly for sk_lookup.c and flow_dissector.c, error.h is not necessary
+and causes problems, so drop them.
+
+Fixes: 1d56ade032a4 ("selftests/bpf: Unprivileged tests for test_loader.c")
+Fixes: 0ab5539f8584 ("selftests/bpf: Tests for BPF_SK_LOOKUP attach point")
+Fixes: 0905beec9f52 ("selftests/bpf: run flow dissector tests in skb-less mode")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/5664367edf5fea4f3f4b4aec3b182bcfc6edff9c.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 -
+ tools/testing/selftests/bpf/prog_tests/sk_lookup.c | 1 -
+ tools/testing/selftests/bpf/unpriv_helpers.c | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+index 9e5f38739104b..9625e6d217913 100644
+--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+@@ -1,7 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <test_progs.h>
+ #include <network_helpers.h>
+-#include <error.h>
+ #include <linux/if_tun.h>
+ #include <sys/uio.h>
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
+index de2466547efe0..a1ab0af004549 100644
+--- a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
++++ b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
+@@ -18,7 +18,6 @@
+ #include <arpa/inet.h>
+ #include <assert.h>
+ #include <errno.h>
+-#include <error.h>
+ #include <fcntl.h>
+ #include <sched.h>
+ #include <stdio.h>
+diff --git a/tools/testing/selftests/bpf/unpriv_helpers.c b/tools/testing/selftests/bpf/unpriv_helpers.c
+index b6d016461fb02..220f6a9638134 100644
+--- a/tools/testing/selftests/bpf/unpriv_helpers.c
++++ b/tools/testing/selftests/bpf/unpriv_helpers.c
+@@ -2,7 +2,6 @@
+
+ #include <stdbool.h>
+ #include <stdlib.h>
+-#include <error.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
+--
+2.43.0
+
--- /dev/null
+From ffe60011c2bf1fbdd6b42856df14b08d142c4712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 16:38:41 -0700
+Subject: selftests/bpf: extract test_loader->expect_msgs as a data structure
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 64f01e935ddb26f48baec71883c27878ac4231dc ]
+
+Non-functional change: use a separate data structure to represent
+expected messages in test_loader.
+This allows the same functionality to be used for the expected set of
+disassembled instructions in the follow-up commit.
+
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240722233844.1406874-8-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_loader.c | 81 ++++++++++++-----------
+ 1 file changed, 41 insertions(+), 40 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index 47508cf66e896..3f84903558dd8 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -55,11 +55,15 @@ struct expect_msg {
+ regex_t regex;
+ };
+
++struct expected_msgs {
++ struct expect_msg *patterns;
++ size_t cnt;
++};
++
+ struct test_subspec {
+ char *name;
+ bool expect_failure;
+- struct expect_msg *expect_msgs;
+- size_t expect_msg_cnt;
++ struct expected_msgs expect_msgs;
+ int retval;
+ bool execute;
+ };
+@@ -96,44 +100,45 @@ void test_loader_fini(struct test_loader *tester)
+ free(tester->log_buf);
+ }
+
+-static void free_test_spec(struct test_spec *spec)
++static void free_msgs(struct expected_msgs *msgs)
+ {
+ int i;
+
++ for (i = 0; i < msgs->cnt; i++)
++ if (msgs->patterns[i].regex_str)
++ regfree(&msgs->patterns[i].regex);
++ free(msgs->patterns);
++ msgs->patterns = NULL;
++ msgs->cnt = 0;
++}
++
++static void free_test_spec(struct test_spec *spec)
++{
+ /* Deallocate expect_msgs arrays. */
+- for (i = 0; i < spec->priv.expect_msg_cnt; i++)
+- if (spec->priv.expect_msgs[i].regex_str)
+- regfree(&spec->priv.expect_msgs[i].regex);
+- for (i = 0; i < spec->unpriv.expect_msg_cnt; i++)
+- if (spec->unpriv.expect_msgs[i].regex_str)
+- regfree(&spec->unpriv.expect_msgs[i].regex);
++ free_msgs(&spec->priv.expect_msgs);
++ free_msgs(&spec->unpriv.expect_msgs);
+
+ free(spec->priv.name);
+ free(spec->unpriv.name);
+- free(spec->priv.expect_msgs);
+- free(spec->unpriv.expect_msgs);
+-
+ spec->priv.name = NULL;
+ spec->unpriv.name = NULL;
+- spec->priv.expect_msgs = NULL;
+- spec->unpriv.expect_msgs = NULL;
+ }
+
+-static int push_msg(const char *substr, const char *regex_str, struct test_subspec *subspec)
++static int push_msg(const char *substr, const char *regex_str, struct expected_msgs *msgs)
+ {
+ void *tmp;
+ int regcomp_res;
+ char error_msg[100];
+ struct expect_msg *msg;
+
+- tmp = realloc(subspec->expect_msgs,
+- (1 + subspec->expect_msg_cnt) * sizeof(struct expect_msg));
++ tmp = realloc(msgs->patterns,
++ (1 + msgs->cnt) * sizeof(struct expect_msg));
+ if (!tmp) {
+ ASSERT_FAIL("failed to realloc memory for messages\n");
+ return -ENOMEM;
+ }
+- subspec->expect_msgs = tmp;
+- msg = &subspec->expect_msgs[subspec->expect_msg_cnt];
++ msgs->patterns = tmp;
++ msg = &msgs->patterns[msgs->cnt];
+
+ if (substr) {
+ msg->substr = substr;
+@@ -150,7 +155,7 @@ static int push_msg(const char *substr, const char *regex_str, struct test_subsp
+ }
+ }
+
+- subspec->expect_msg_cnt += 1;
++ msgs->cnt += 1;
+ return 0;
+ }
+
+@@ -272,25 +277,25 @@ static int parse_test_spec(struct test_loader *tester,
+ spec->mode_mask |= UNPRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX) - 1;
+- err = push_msg(msg, NULL, &spec->priv);
++ err = push_msg(msg, NULL, &spec->priv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX_UNPRIV)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX_UNPRIV) - 1;
+- err = push_msg(msg, NULL, &spec->unpriv);
++ err = push_msg(msg, NULL, &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX) - 1;
+- err = push_msg(NULL, msg, &spec->priv);
++ err = push_msg(NULL, msg, &spec->priv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX_UNPRIV)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX_UNPRIV) - 1;
+- err = push_msg(NULL, msg, &spec->unpriv);
++ err = push_msg(NULL, msg, &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+@@ -387,11 +392,12 @@ static int parse_test_spec(struct test_loader *tester,
+ spec->unpriv.execute = spec->priv.execute;
+ }
+
+- if (!spec->unpriv.expect_msgs) {
+- for (i = 0; i < spec->priv.expect_msg_cnt; i++) {
+- struct expect_msg *msg = &spec->priv.expect_msgs[i];
++ if (spec->unpriv.expect_msgs.cnt == 0) {
++ for (i = 0; i < spec->priv.expect_msgs.cnt; i++) {
++ struct expect_msg *msg = &spec->priv.expect_msgs.patterns[i];
+
+- err = push_msg(msg->substr, msg->regex_str, &spec->unpriv);
++ err = push_msg(msg->substr, msg->regex_str,
++ &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ }
+@@ -443,18 +449,14 @@ static void emit_verifier_log(const char *log_buf, bool force)
+ fprintf(stdout, "VERIFIER LOG:\n=============\n%s=============\n", log_buf);
+ }
+
+-static void validate_case(struct test_loader *tester,
+- struct test_subspec *subspec,
+- struct bpf_object *obj,
+- struct bpf_program *prog,
+- int load_err)
++static void validate_msgs(char *log_buf, struct expected_msgs *msgs)
+ {
+ regmatch_t reg_match[1];
+- const char *log = tester->log_buf;
++ const char *log = log_buf;
+ int i, j, err;
+
+- for (i = 0; i < subspec->expect_msg_cnt; i++) {
+- struct expect_msg *msg = &subspec->expect_msgs[i];
++ for (i = 0; i < msgs->cnt; i++) {
++ struct expect_msg *msg = &msgs->patterns[i];
+ const char *match = NULL;
+
+ if (msg->substr) {
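Review bot: The new `validate_msgs()` takes `char *log_buf`, but the lines visible here only read through it: it is copied into `const char *log` and handed to `emit_verifier_log()`, whose signature in the hunk header takes `const char *`. Declaring it as `static void validate_msgs(const char *log_buf, struct expected_msgs *msgs)` would state that the verifier log is not modified and let callers pass a const buffer. The function body continues outside this hunk, so confirm that nothing further down writes through the pointer.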
+@@ -471,9 +473,9 @@ static void validate_case(struct test_loader *tester,
+
+ if (!ASSERT_OK_PTR(match, "expect_msg")) {
+ if (env.verbosity == VERBOSE_NONE)
+- emit_verifier_log(tester->log_buf, true /*force*/);
++ emit_verifier_log(log_buf, true /*force*/);
+ for (j = 0; j <= i; j++) {
+- msg = &subspec->expect_msgs[j];
++ msg = &msgs->patterns[j];
+ fprintf(stderr, "%s %s: '%s'\n",
+ j < i ? "MATCHED " : "EXPECTED",
+ msg->substr ? "SUBSTR" : " REGEX",
+@@ -692,9 +694,8 @@ void run_subtest(struct test_loader *tester,
+ goto tobj_cleanup;
+ }
+ }
+-
+ emit_verifier_log(tester->log_buf, false /*force*/);
+- validate_case(tester, subspec, tobj, tprog, err);
++ validate_msgs(tester->log_buf, &subspec->expect_msgs);
+
+ if (should_do_test_run(spec, subspec)) {
+ /* For some reason test_verifier executes programs
+--
+2.43.0
+
--- /dev/null
+From 7b2172fa147e4f62d192b7fb0c640a9043a7da3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:18 -0700
+Subject: selftests/bpf: Fix arg parsing in veristat, test_progs
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 03bfcda1fbc37ef34aa21d2b9e09138335afc6ee ]
+
+Current code parses arguments with strtok_r() using a construct like
+
+ char *state = NULL;
+ while ((next = strtok_r(state ? NULL : input, ",", &state))) {
+ ...
+ }
+
+where logic assumes the 'state' var can distinguish between first and
+subsequent strtok_r() calls, and adjusts parameters accordingly. However,
+'state' is strictly internal context for strtok_r() and no such assumptions
+are supported in the man page. Moreover, the exact behaviour of 'state'
+depends on the libc implementation, making the above code fragile.
+
+Indeed, invoking "./test_progs -t <test_name>" on mips64el/musl will hang,
+with the above code in an infinite loop.
+
+Similarly, we see strange behaviour running 'veristat' on mips64el/musl:
+
+ $ ./veristat -e file,prog,verdict,insns -C two-ok add-failure
+ Can't specify more than 9 stats
+
+Rewrite code using a counter to distinguish between strtok_r() calls.
+
+Fixes: 61ddff373ffa ("selftests/bpf: Improve by-name subtest selection logic in prog_tests")
+Fixes: 394169b079b5 ("selftests/bpf: add comparison mode to veristat")
+Fixes: c8bc5e050976 ("selftests/bpf: Add veristat tool for mass-verifying BPF object files")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/392d8bf5559f85fa37926c1494e62312ef252c3d.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/testing_helpers.c | 4 ++--
+ tools/testing/selftests/bpf/veristat.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/testing_helpers.c b/tools/testing/selftests/bpf/testing_helpers.c
+index d5379a0e6da80..4230420ef2940 100644
+--- a/tools/testing/selftests/bpf/testing_helpers.c
++++ b/tools/testing/selftests/bpf/testing_helpers.c
+@@ -220,13 +220,13 @@ int parse_test_list(const char *s,
+ bool is_glob_pattern)
+ {
+ char *input, *state = NULL, *test_spec;
+- int err = 0;
++ int err = 0, cnt = 0;
+
+ input = strdup(s);
+ if (!input)
+ return -ENOMEM;
+
+- while ((test_spec = strtok_r(state ? NULL : input, ",", &state))) {
++ while ((test_spec = strtok_r(cnt++ ? NULL : input, ",", &state))) {
+ err = insert_test(set, test_spec, is_glob_pattern);
+ if (err)
+ break;
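Review bot: The `cnt++ ? NULL : input` counter in parse_test_list works, but it hides the first-call/next-call distinction in a side effect inside the loop condition and leaves `state` initialised to NULL for no remaining reason. The conventional form needs no counter: `for (test_spec = strtok_r(input, ",", &state); test_spec; test_spec = strtok_r(NULL, ",", &state))`. The same applies to the loops in parse_stats and parse_stats_csv in veristat.c. All three function bodies continue outside their hunks.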
+diff --git a/tools/testing/selftests/bpf/veristat.c b/tools/testing/selftests/bpf/veristat.c
+index b2854238d4a0e..fd9780082ff48 100644
+--- a/tools/testing/selftests/bpf/veristat.c
++++ b/tools/testing/selftests/bpf/veristat.c
+@@ -784,13 +784,13 @@ static int parse_stat(const char *stat_name, struct stat_specs *specs)
+ static int parse_stats(const char *stats_str, struct stat_specs *specs)
+ {
+ char *input, *state = NULL, *next;
+- int err;
++ int err, cnt = 0;
+
+ input = strdup(stats_str);
+ if (!input)
+ return -ENOMEM;
+
+- while ((next = strtok_r(state ? NULL : input, ",", &state))) {
++ while ((next = strtok_r(cnt++ ? NULL : input, ",", &state))) {
+ err = parse_stat(next, specs);
+ if (err) {
+ free(input);
+@@ -1493,7 +1493,7 @@ static int parse_stats_csv(const char *filename, struct stat_specs *specs,
+ while (fgets(line, sizeof(line), f)) {
+ char *input = line, *state = NULL, *next;
+ struct verif_stats *st = NULL;
+- int col = 0;
++ int col = 0, cnt = 0;
+
+ if (!header) {
+ void *tmp;
+@@ -1511,7 +1511,7 @@ static int parse_stats_csv(const char *filename, struct stat_specs *specs,
+ *stat_cntp += 1;
+ }
+
+- while ((next = strtok_r(state ? NULL : input, ",\n", &state))) {
++ while ((next = strtok_r(cnt++ ? NULL : input, ",\n", &state))) {
+ if (header) {
+ /* for the first line, set up spec stats */
+ err = parse_stat(next, specs);
+--
+2.43.0
+
--- /dev/null
+From ce0f9708c3fd333ce89806ba5656247c5c419c75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:20 -0700
+Subject: selftests/bpf: Fix C++ compile error from missing _Bool type
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit aa95073fd290b5b3e45f067fa22bb25e59e1ff7c ]
+
+While building, bpftool makes a skeleton from test_core_extern.c, which
+itself includes <stdbool.h> and uses the 'bool' type. However, the skeleton
+test_core_extern.skel.h generated *does not* include <stdbool.h> or use the
+'bool' type, instead using the C-only '_Bool' type. Compiling test_cpp.cpp
+with g++ 12.3 for mips64el/musl-libc then fails with error:
+
+ In file included from test_cpp.cpp:9:
+ test_core_extern.skel.h:45:17: error: '_Bool' does not name a type
+ 45 | _Bool CONFIG_BOOL;
+ | ^~~~~
+
+This was likely missed previously because glibc uses a GNU extension for
+<stdbool.h> with C++ (#define _Bool bool), not supported by musl libc.
+
+Normally, a C fragment would include <stdbool.h> and use the 'bool' type,
+and thus cleanly work after import by C++. The ideal fix would be for
+'bpftool gen skeleton' to output the correct type/include supporting C++,
+but in the meantime add a conditional define as above.
+
+Fixes: 7c8dce4b1661 ("bpftool: Make skeleton C code compilable with C++ compiler")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/6fc1dd28b8bda49e51e4f610bdc9d22f4455632d.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_cpp.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/test_cpp.cpp b/tools/testing/selftests/bpf/test_cpp.cpp
+index dde0bb16e782e..abc2a56ab2616 100644
+--- a/tools/testing/selftests/bpf/test_cpp.cpp
++++ b/tools/testing/selftests/bpf/test_cpp.cpp
+@@ -6,6 +6,10 @@
+ #include <bpf/libbpf.h>
+ #include <bpf/bpf.h>
+ #include <bpf/btf.h>
++
++#ifndef _Bool
++#define _Bool bool
++#endif
+ #include "test_core_extern.skel.h"
+ #include "struct_ops_module.skel.h"
+
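Review bot: The added `#ifndef _Bool` / `#define _Bool bool` block has no comment, so without the commit message a reader cannot tell why a C++ file defines a C keyword as a macro. It also does not say that the block must stay ahead of the `test_core_extern.skel.h` include. A short comment above it would record both, for example `/* bpftool skeletons use the C-only _Bool type, which not every libc maps to bool for C++; keep before the skel includes */`.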
+--
+2.43.0
+
--- /dev/null
+From 11f224b85f3fefe1213d22c256afbac74d4e3597 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:29 -0700
+Subject: selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit d393f9479d4aaab0fa4c3caf513f28685e831f13 ]
+
+Cast 'rlim_t' argument to match expected type of printf() format and avoid
+compile errors seen building for mips64el/musl-libc:
+
+ In file included from map_tests/sk_storage_map.c:20:
+ map_tests/sk_storage_map.c: In function 'test_sk_storage_map_stress_free':
+ map_tests/sk_storage_map.c:414:56: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'rlim_t' {aka 'long long unsigned int'} [-Werror=format=]
+ 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d",
+ | ^~~~~~~~~~~~~~~~~~~~~~~
+ 415 | rlim_new.rlim_cur, errno);
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | rlim_t {aka long long unsigned int}
+ ./test_maps.h:12:24: note: in definition of macro 'CHECK'
+ 12 | printf(format); \
+ | ^~~~~~
+ map_tests/sk_storage_map.c:414:68: note: format string is defined here
+ 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d",
+ | ~~^
+ | |
+ | long unsigned int
+ | %llu
+ cc1: all warnings being treated as errors
+
+Fixes: 51a0e301a563 ("bpf: Add BPF_MAP_TYPE_SK_STORAGE test to test_maps")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/1e00a1fa7acf91b4ca135c4102dc796d518bad86.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/map_tests/sk_storage_map.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/map_tests/sk_storage_map.c b/tools/testing/selftests/bpf/map_tests/sk_storage_map.c
+index 18405c3b7cee9..af10c309359a7 100644
+--- a/tools/testing/selftests/bpf/map_tests/sk_storage_map.c
++++ b/tools/testing/selftests/bpf/map_tests/sk_storage_map.c
+@@ -412,7 +412,7 @@ static void test_sk_storage_map_stress_free(void)
+ rlim_new.rlim_max = rlim_new.rlim_cur + 128;
+ err = setrlimit(RLIMIT_NOFILE, &rlim_new);
+ CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d",
+- rlim_new.rlim_cur, errno);
++ (unsigned long) rlim_new.rlim_cur, errno);
+ }
+
+ err = do_sk_storage_map_stress_free();
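Review bot: The `(unsigned long)` cast silences the format warning but truncates `rlim_new.rlim_cur` on any target where rlim_t is 64 bits wide and long is 32 bits, so the value printed when setrlimit() fails can be wrong. Widening instead of narrowing keeps the diagnostic exact: use `"rlim_new:%llu errno:%d"` with `(unsigned long long) rlim_new.rlim_cur, errno`. The enclosing function starts and ends outside this hunk.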
+--
+2.43.0
+
--- /dev/null
+From 67840aa7805965cebc400fab74088560b40f461f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:22 -0700
+Subject: selftests/bpf: Fix compile if backtrace support missing in libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit c9a83e76b5a96801a2c7ea0a79ca77c356d8b38d ]
+
+Include GNU <execinfo.h> header only with glibc and provide weak, stubbed
+backtrace functions as a fallback in test_progs.c. This allows for non-GNU
+replacements while avoiding compile errors (e.g. with musl libc) like:
+
+ test_progs.c:13:10: fatal error: execinfo.h: No such file or directory
+ 13 | #include <execinfo.h> /* backtrace */
+ | ^~~~~~~~~~~~
+ test_progs.c: In function 'crash_handler':
+ test_progs.c:1034:14: error: implicit declaration of function 'backtrace' [-Werror=implicit-function-declaration]
+ 1034 | sz = backtrace(bt, ARRAY_SIZE(bt));
+ | ^~~~~~~~~
+ test_progs.c:1045:9: error: implicit declaration of function 'backtrace_symbols_fd' [-Werror=implicit-function-declaration]
+ 1045 | backtrace_symbols_fd(bt, sz, STDERR_FILENO);
+ | ^~~~~~~~~~~~~~~~~~~~
+
+Fixes: 9fb156bb82a3 ("selftests/bpf: Print backtrace on SIGSEGV in test_progs")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/aa6dc8e23710cb457b278039d0081de7e7b4847d.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 60c5ec0f6abf6..d5d0cb4eb1975 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -10,7 +10,6 @@
+ #include <sched.h>
+ #include <signal.h>
+ #include <string.h>
+-#include <execinfo.h> /* backtrace */
+ #include <sys/sysinfo.h> /* get_nprocs */
+ #include <netinet/in.h>
+ #include <sys/select.h>
+@@ -19,6 +18,21 @@
+ #include <bpf/btf.h>
+ #include "json_writer.h"
+
++#ifdef __GLIBC__
++#include <execinfo.h> /* backtrace */
++#endif
++
++/* Default backtrace funcs if missing at link */
++__weak int backtrace(void **buffer, int size)
++{
++ return 0;
++}
++
++__weak void backtrace_symbols_fd(void *const *buffer, int size, int fd)
++{
++ dprintf(fd, "<backtrace not supported>\n");
++}
++
+ static bool verbose(void)
+ {
+ return env.verbosity > VERBOSE_NONE;
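Review bot: The weak `backtrace()` and `backtrace_symbols_fd()` stubs are compiled unconditionally, including on glibc where `<execinfo.h>` is still included. Because they are defined in the same object that calls them, the linker may bind those calls to the stubs rather than to the libc versions, which would silently drop crash backtraces on glibc builds; this should be checked on a glibc build. Moving both stubs under an `#else` branch of the `#ifdef __GLIBC__` block keeps the musl fallback and still lets an external implementation override them at link time. Separately, the compile errors quoted in the commit message place these calls in `crash_handler`, presumably a signal handler, and `dprintf()` is not async-signal-safe, so a plain `write(fd, ...)` of a fixed string would be the safer stub body.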
+--
+2.43.0
+
--- /dev/null
+From dffe4e6305ab53682f86ca14fb222a9f1f3e6ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:42 -0700
+Subject: selftests/bpf: Fix compiling core_reloc.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit debfa4f628f271f72933bf38d581cc53cfe1def5 ]
+
+The type 'loff_t' is a GNU extension and not exposed by the musl 'fcntl.h'
+header unless _GNU_SOURCE is defined. Add this definition to fix errors
+seen compiling for mips64el/musl-libc:
+
+ In file included from tools/testing/selftests/bpf/prog_tests/core_reloc.c:4:
+ ./bpf_testmod/bpf_testmod.h:10:9: error: unknown type name 'loff_t'
+ 10 | loff_t off;
+ | ^~~~~~
+ ./bpf_testmod/bpf_testmod.h:16:9: error: unknown type name 'loff_t'
+ 16 | loff_t off;
+ | ^~~~~~
+
+Fixes: 6bcd39d366b6 ("selftests/bpf: Add CO-RE relocs selftest relying on kernel module BTF")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/11c3af75a7eb6bcb7ad9acfae6a6f470c572eb82.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/core_reloc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/core_reloc.c b/tools/testing/selftests/bpf/prog_tests/core_reloc.c
+index 47f42e6801056..26019313e1fc2 100644
+--- a/tools/testing/selftests/bpf/prog_tests/core_reloc.c
++++ b/tools/testing/selftests/bpf/prog_tests/core_reloc.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include "progs/core_reloc_types.h"
+ #include "bpf_testmod/bpf_testmod.h"
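Review bot: `#define _GNU_SOURCE` is added without a guard, so a build that also passes `-D_GNU_SOURCE` on the command line would get a macro-redefinition warning. Several of the build logs quoted in this series treat warnings as errors, which would turn that warning into a build failure. Whether the selftests Makefile passes that flag is not visible here, but wrapping the define as `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif` avoids the problem either way. The same applies to the matching one-line hunks in flow_dissector.c, kfree_skb.c, parse_tcp_hdr_opt.c and tcp_rtt.c.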
+--
+2.43.0
+
--- /dev/null
+From ccd1ab6d11a41feb48690005fde5a7665121b1df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:40 -0700
+Subject: selftests/bpf: Fix compiling flow_dissector.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 5e4c43bcb85973243d7274e0058b6e8f5810e4f7 ]
+
+The GNU version of 'struct tcphdr' has members 'doff', 'source' and 'dest',
+which are not exposed by musl libc headers unless _GNU_SOURCE is defined.
+
+Add this definition to fix errors seen compiling for mips64el/musl-libc:
+
+ flow_dissector.c:118:30: error: 'struct tcphdr' has no member named 'doff'
+ 118 | .tcp.doff = 5,
+ | ^~~~
+ flow_dissector.c:119:30: error: 'struct tcphdr' has no member named 'source'
+ 119 | .tcp.source = 80,
+ | ^~~~~~
+ flow_dissector.c:120:30: error: 'struct tcphdr' has no member named 'dest'
+ 120 | .tcp.dest = 8080,
+ | ^~~~
+
+Fixes: ae173a915785 ("selftests/bpf: support BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/8f7ab21a73f678f9cebd32b26c444a686e57414d.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+index 9625e6d217913..3171047414a7d 100644
+--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include <network_helpers.h>
+ #include <linux/if_tun.h>
+--
+2.43.0
+
--- /dev/null
+From 6ecbfacd3cfbf3592f7a9a9b1e0b41f3de4388c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:39 -0700
+Subject: selftests/bpf: Fix compiling kfree_skb.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit bae9a5ce7d3a9b3a9e07b31ab9e9c58450e3e9fd ]
+
+The GNU version of 'struct tcphdr' with member 'doff' is not exposed by
+musl headers unless _GNU_SOURCE is defined. Add this definition to fix
+errors seen compiling for mips64el/musl-libc:
+
+ In file included from kfree_skb.c:2:
+ kfree_skb.c: In function 'on_sample':
+ kfree_skb.c:45:30: error: 'struct tcphdr' has no member named 'doff'
+ 45 | if (CHECK(pkt_v6->tcp.doff != 5, "check_tcp",
+ | ^
+
+Fixes: 580d656d80cf ("selftests/bpf: Add kfree_skb raw_tp test")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/e2d8cedc790959c10d6822a51f01a7a3616bea1b.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/kfree_skb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/kfree_skb.c b/tools/testing/selftests/bpf/prog_tests/kfree_skb.c
+index c07991544a789..34f8822fd2219 100644
+--- a/tools/testing/selftests/bpf/prog_tests/kfree_skb.c
++++ b/tools/testing/selftests/bpf/prog_tests/kfree_skb.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include <network_helpers.h>
+ #include "kfree_skb.skel.h"
+--
+2.43.0
+
--- /dev/null
+From b26b5ba92215fde667114a3b4e55ab69692c9efe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:38 -0700
+Subject: selftests/bpf: Fix compiling parse_tcp_hdr_opt.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 4c329b99ef9c118343379bde9f97e8ce5cac9fc9 ]
+
+The GNU version of 'struct tcphdr', with members 'doff' and 'urg_ptr', is
+not exposed by musl headers unless _GNU_SOURCE is defined.
+
+Add this definition to fix errors seen compiling for mips64el/musl-libc:
+
+ parse_tcp_hdr_opt.c:18:21: error: 'struct tcphdr' has no member named 'urg_ptr'
+ 18 | .pk6_v6.tcp.urg_ptr = 123,
+ | ^~~~~~~
+ parse_tcp_hdr_opt.c:19:21: error: 'struct tcphdr' has no member named 'doff'
+ 19 | .pk6_v6.tcp.doff = 9, /* 16 bytes of options */
+ | ^~~~
+
+Fixes: cfa7b011894d ("selftests/bpf: tests for using dynptrs to parse skb and xdp buffers")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/ac5440213c242c62cb4e0d9e0a9cd5058b6a31f6.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c b/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c
+index daa952711d8fd..e9c07d561ded6 100644
+--- a/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c
++++ b/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include <network_helpers.h>
+ #include "test_parse_tcp_hdr_opt.skel.h"
+--
+2.43.0
+
--- /dev/null
+From 6d75db958781a1b21c890fa3debb8fc5e0b18ca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:41 -0700
+Subject: selftests/bpf: Fix compiling tcp_rtt.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 18826fb0b79c3c3cd1fe765d85f9c6f1a902c722 ]
+
+The GNU version of 'struct tcp_info' in 'netinet/tcp.h' is not exposed by
+musl headers unless _GNU_SOURCE is defined.
+
+Add this definition to fix errors seen compiling for mips64el/musl-libc:
+
+ tcp_rtt.c: In function 'wait_for_ack':
+ tcp_rtt.c:24:25: error: storage size of 'info' isn't known
+ 24 | struct tcp_info info;
+ | ^~~~
+ tcp_rtt.c:24:25: error: unused variable 'info' [-Werror=unused-variable]
+ cc1: all warnings being treated as errors
+
+Fixes: 1f4f80fed217 ("selftests/bpf: test_progs: convert test_tcp_rtt")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/f2329767b15df206f08a5776d35a47c37da855ae.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c b/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c
+index f2b99d95d9160..c38784c1c066e 100644
+--- a/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c
++++ b/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include "cgroup_helpers.h"
+ #include "network_helpers.h"
+--
+2.43.0
+
--- /dev/null
+From ec3f809ff56af414ff4768bdba23dc79a1caeea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:30 -0700
+Subject: selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl
+ libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 7b10f0c227ce3fa055d601f058dc411092a62a78 ]
+
+Existing code calls getsockname() with a 'struct sockaddr_in6 *' argument
+where a 'struct sockaddr *' argument is declared, yielding compile errors
+when building for mips64el/musl-libc:
+
+ bpf_iter_setsockopt.c: In function 'get_local_port':
+ bpf_iter_setsockopt.c:98:30: error: passing argument 2 of 'getsockname' from incompatible pointer type [-Werror=incompatible-pointer-types]
+ 98 | if (!getsockname(fd, &addr, &addrlen))
+ | ^~~~~
+ | |
+ | struct sockaddr_in6 *
+ In file included from .../netinet/in.h:10,
+ from .../arpa/inet.h:9,
+ from ./test_progs.h:17,
+ from bpf_iter_setsockopt.c:5:
+ .../sys/socket.h:391:23: note: expected 'struct sockaddr * restrict' but argument is of type 'struct sockaddr_in6 *'
+ 391 | int getsockname (int, struct sockaddr *__restrict, socklen_t *__restrict);
+ | ^
+ cc1: all warnings being treated as errors
+
+This compiled under glibc only because the argument is declared to be a
+"funky" transparent union which includes both types above. Explicitly cast
+the argument to allow compiling for both musl and glibc.
+
+Fixes: eed92afdd14c ("bpf: selftest: Test batching and bpf_(get|set)sockopt in bpf tcp iter")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Geliang Tang <geliang@kernel.org>
+Link: https://lore.kernel.org/bpf/f41def0f17b27a23b1709080e4e3f37f4cc11ca9.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c b/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c
+index b52ff8ce34db8..16bed9dd8e6a3 100644
+--- a/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c
++++ b/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c
+@@ -95,7 +95,7 @@ static unsigned short get_local_port(int fd)
+ struct sockaddr_in6 addr;
+ socklen_t addrlen = sizeof(addr);
+
+- if (!getsockname(fd, &addr, &addrlen))
++ if (!getsockname(fd, (struct sockaddr *)&addr, &addrlen))
+ return ntohs(addr.sin6_port);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 10d909ef56b04f3d117e14f76c0f5dc5b61e06ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:24 -0700
+Subject: selftests/bpf: Fix error compiling tc_redirect.c with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 21c5f4f55da759c7444a1ef13e90b6e6f674eeeb ]
+
+Linux 5.1 implemented 64-bit time types and related syscalls to address the
+Y2038 problem generally across archs. Userspace handling of Y2038 varies
+with the libc however. While musl libc uses 64-bit time across all 32-bit
+and 64-bit platforms, GNU glibc uses 64-bit time on 64-bit platforms but
+defaults to 32-bit time on 32-bit platforms unless they "opt-in" to 64-bit
+time or explicitly use 64-bit syscalls and time structures.
+
+One specific area is the standard setsockopt() call, SO_TIMESTAMPNS option
+used for timestamping, and the related output 'struct timespec'. GNU glibc
+defaults as above, also exposing the SO_TIMESTAMPNS_NEW flag to explicitly
+use a 64-bit call and 'struct __kernel_timespec'. Since these are not
+exposed or needed with musl libc, their use in tc_redirect.c leads to
+compile errors building for mips64el/musl:
+
+ tc_redirect.c: In function 'rcv_tstamp':
+ tc_redirect.c:425:32: error: 'SO_TIMESTAMPNS_NEW' undeclared (first use in this function); did you mean 'SO_TIMESTAMPNS'?
+ 425 | cmsg->cmsg_type == SO_TIMESTAMPNS_NEW)
+ | ^~~~~~~~~~~~~~~~~~
+ | SO_TIMESTAMPNS
+ tc_redirect.c:425:32: note: each undeclared identifier is reported only once for each function it appears in
+ tc_redirect.c: In function 'test_inet_dtime':
+ tc_redirect.c:491:49: error: 'SO_TIMESTAMPNS_NEW' undeclared (first use in this function); did you mean 'SO_TIMESTAMPNS'?
+ 491 | err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
+ | ^~~~~~~~~~~~~~~~~~
+ | SO_TIMESTAMPNS
+
+However, using SO_TIMESTAMPNS_NEW isn't strictly needed, nor is Y2038 being
+explicitly tested. The timestamp checks in tc_redirect.c are simple: the
+packet receive timestamp is non-zero and processed/handled in less than 5
+seconds.
+
+Switch to using the standard setsockopt() call and SO_TIMESTAMPNS option to
+ensure compatibility across glibc and musl libc. In the worst-case, there
+is a 5-second window 14 years from now where tc_redirect tests may fail on
+32-bit systems. However, we should reasonably expect glibc to adopt a
+64-bit mandate rather than the current "opt-in" policy before the Y2038
+roll-over.
+
+Fixes: ce6f6cffaeaa ("selftests/bpf: Wait for the netstamp_needed_key static key to be turned on")
+Fixes: c803475fd8dd ("bpf: selftests: test skb->tstamp in redirect_neigh")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/031d656c058b4e55ceae56ef49c4e1729b5090f3.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/tc_redirect.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
+index b1073d36d77ac..a80a83e0440e3 100644
+--- a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
++++ b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
+@@ -471,7 +471,7 @@ static int set_forwarding(bool enable)
+
+ static int __rcv_tstamp(int fd, const char *expected, size_t s, __u64 *tstamp)
+ {
+- struct __kernel_timespec pkt_ts = {};
++ struct timespec pkt_ts = {};
+ char ctl[CMSG_SPACE(sizeof(pkt_ts))];
+ struct timespec now_ts;
+ struct msghdr msg = {};
+@@ -495,7 +495,7 @@ static int __rcv_tstamp(int fd, const char *expected, size_t s, __u64 *tstamp)
+
+ cmsg = CMSG_FIRSTHDR(&msg);
+ if (cmsg && cmsg->cmsg_level == SOL_SOCKET &&
+- cmsg->cmsg_type == SO_TIMESTAMPNS_NEW)
++ cmsg->cmsg_type == SO_TIMESTAMPNS)
+ memcpy(&pkt_ts, CMSG_DATA(cmsg), sizeof(pkt_ts));
+
+ pkt_ns = pkt_ts.tv_sec * NSEC_PER_SEC + pkt_ts.tv_nsec;
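Review bot: The `memcpy(&pkt_ts, CMSG_DATA(cmsg), sizeof(pkt_ts))` now fills a libc-defined `struct timespec`, whose size depends on the target's time_t, and nothing checks that the control message carries exactly that many bytes. Adding `cmsg->cmsg_len == CMSG_LEN(sizeof(pkt_ts))` to the existing `if` would make a layout mismatch between kernel and libc leave `pkt_ts` zeroed instead of copying a misparsed value. A zeroed timestamp should then be caught by the test's non-zero timestamp check, which is described in the commit message but is not visible in this hunk. __rcv_tstamp starts and ends outside this hunk.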
+@@ -537,9 +537,9 @@ static int wait_netstamp_needed_key(void)
+ if (!ASSERT_GE(srv_fd, 0, "start_server"))
+ goto done;
+
+- err = setsockopt(srv_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
++ err = setsockopt(srv_fd, SOL_SOCKET, SO_TIMESTAMPNS,
+ &opt, sizeof(opt));
+- if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS_NEW)"))
++ if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS)"))
+ goto done;
+
+ cli_fd = connect_to_fd(srv_fd, TIMEOUT_MILLIS);
+@@ -621,9 +621,9 @@ static void test_inet_dtime(int family, int type, const char *addr, __u16 port)
+ return;
+
+ /* Ensure the kernel puts the (rcv) timestamp for all skb */
+- err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
++ err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS,
+ &opt, sizeof(opt));
+- if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS_NEW)"))
++ if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS)"))
+ goto done;
+
+ if (type == SOCK_STREAM) {
+--
+2.43.0
+
--- /dev/null
+From 88e4ba9eb92cb5a83ac236e13e818f7dbc7a73e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:19 -0700
+Subject: selftests/bpf: Fix error compiling test_lru_map.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit cacf2a5a78cd1f5f616eae043ebc6f024104b721 ]
+
+Although the post-increment in macro 'CPU_SET(next++, &cpuset)' seems safe,
+the sequencing can raise compile errors, so move the increment outside the
+macro. This avoids an error seen using gcc 12.3.0 for mips64el/musl-libc:
+
+ In file included from test_lru_map.c:11:
+ test_lru_map.c: In function 'sched_next_online':
+ test_lru_map.c:129:29: error: operation on 'next' may be undefined [-Werror=sequence-point]
+ 129 | CPU_SET(next++, &cpuset);
+ | ^
+ cc1: all warnings being treated as errors
+
+Fixes: 3fbfadce6012 ("bpf: Fix test_lru_sanity5() in test_lru_map.c")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/22993dfb11ccf27925a626b32672fd3324cb76c4.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_lru_map.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_lru_map.c b/tools/testing/selftests/bpf/test_lru_map.c
+index 4d0650cfb5cd8..fda7589c50236 100644
+--- a/tools/testing/selftests/bpf/test_lru_map.c
++++ b/tools/testing/selftests/bpf/test_lru_map.c
+@@ -126,7 +126,8 @@ static int sched_next_online(int pid, int *next_to_try)
+
+ while (next < nr_cpus) {
+ CPU_ZERO(&cpuset);
+- CPU_SET(next++, &cpuset);
++ CPU_SET(next, &cpuset);
++ next++;
+ if (!sched_setaffinity(pid, sizeof(cpuset), &cpuset)) {
+ ret = 0;
+ break;
+--
+2.43.0
+
--- /dev/null
+From c3e9c9185a41a2378f04274de80fc9b4b342fa6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 17:13:29 -0700
+Subject: selftests/bpf: Fix error linking uprobe_multi on mips
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit a5f40d596bff182b4b47547712f540885e8fb17b ]
+
+Linking uprobe_multi.c on mips64el fails due to relocation overflows, when
+the GOT entries required exceeds the default maximum. Add a specific CFLAGS
+(-mxgot) for uprobe_multi.c on MIPS that allows using a larger GOT and
+avoids errors such as:
+
+ /tmp/ccBTNQzv.o: in function `bench':
+ uprobe_multi.c:49:(.text+0x1d7720): relocation truncated to fit: R_MIPS_GOT_DISP against `uprobe_multi_func_08188'
+ uprobe_multi.c:49:(.text+0x1d7730): relocation truncated to fit: R_MIPS_GOT_DISP against `uprobe_multi_func_08189'
+ ...
+ collect2: error: ld returned 1 exit status
+
+Fixes: 519dfeaf5119 ("selftests/bpf: Add uprobe_multi test program")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/14eb7b70f8ccef9834874d75eb373cb9292129da.1721692479.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index dd49c1d23a604..2cca4913f2d45 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -762,6 +762,8 @@ $(OUTPUT)/veristat: $(OUTPUT)/veristat.o
+ $(call msg,BINARY,,$@)
+ $(Q)$(CC) $(CFLAGS) $(LDFLAGS) $(filter %.a %.o,$^) $(LDLIBS) -o $@
+
++# Linking uprobe_multi can fail due to relocation overflows on mips.
++$(OUTPUT)/uprobe_multi: CFLAGS += $(if $(filter mips, $(ARCH)),-mxgot)
+ $(OUTPUT)/uprobe_multi: uprobe_multi.c
+ $(call msg,BINARY,,$@)
+ $(Q)$(CC) $(CFLAGS) -O0 $(LDFLAGS) $^ $(LDLIBS) -o $@
+--
+2.43.0
+
--- /dev/null
+From 8ca6c7d1a64b8cc866809023ed019fd54356d956 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:46 -0700
+Subject: selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 730561d3c08d4a327cceaabf11365958a1c00cec ]
+
+Remove a redundant include of '<asm/types.h>', whose needed definitions are
+already included (via '<linux/types.h>') in cg_storage_multi_egress_only.c,
+cg_storage_multi_isolated.c, and cg_storage_multi_shared.c. This avoids
+redefinition errors seen compiling for mips64el/musl-libc like:
+
+ In file included from progs/cg_storage_multi_egress_only.c:13:
+ In file included from progs/cg_storage_multi.h:6:
+ In file included from /usr/mips64el-linux-gnuabi64/include/asm/types.h:23:
+ /usr/include/asm-generic/int-l64.h:29:25: error: typedef redefinition with different types ('long' vs 'long long')
+ 29 | typedef __signed__ long __s64;
+ | ^
+ /usr/include/asm-generic/int-ll64.h:30:44: note: previous definition is here
+ 30 | __extension__ typedef __signed__ long long __s64;
+ | ^
+
+Fixes: 9e5bd1f7633b ("selftests/bpf: Test CGROUP_STORAGE map can't be used by multiple progs")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/4f4702e9f6115b7f84fea01b2326ca24c6df7ba8.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/cg_storage_multi.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/cg_storage_multi.h b/tools/testing/selftests/bpf/progs/cg_storage_multi.h
+index a0778fe7857a1..41d59f0ee606c 100644
+--- a/tools/testing/selftests/bpf/progs/cg_storage_multi.h
++++ b/tools/testing/selftests/bpf/progs/cg_storage_multi.h
+@@ -3,8 +3,6 @@
+ #ifndef __PROGS_CG_STORAGE_MULTI_H
+ #define __PROGS_CG_STORAGE_MULTI_H
+
+-#include <asm/types.h>
+-
+ struct cgroup_value {
+ __u32 egress_pkts;
+ __u32 ingress_pkts;
+--
+2.43.0
+
--- /dev/null
+From a475c448ec0632e119f3e70210fa0c9602c5b212 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:45 -0700
+Subject: selftests/bpf: Fix errors compiling crypto_sanity.c with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 9822be702fe6e1c3e0933ef4b68a8c56683d930d ]
+
+Remove a redundant include of '<linux/in6.h>', whose needed definitions are
+already provided by 'test_progs.h'. This avoids errors seen compiling for
+mips64el/musl-libc:
+
+ In file included from .../arpa/inet.h:9,
+ from ./test_progs.h:17,
+ from prog_tests/crypto_sanity.c:10:
+ .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr'
+ 23 | struct in6_addr {
+ | ^~~~~~~~
+ In file included from crypto_sanity.c:7:
+ .../linux/in6.h:33:8: note: originally defined here
+ 33 | struct in6_addr {
+ | ^~~~~~~~
+ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6'
+ 34 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../linux/in6.h:50:8: note: originally defined here
+ 50 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq'
+ 42 | struct ipv6_mreq {
+ | ^~~~~~~~~
+ .../linux/in6.h:60:8: note: originally defined here
+ 60 | struct ipv6_mreq {
+ | ^~~~~~~~~
+
+Fixes: 91541ab192fc ("selftests: bpf: crypto skcipher algo selftests")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://lore.kernel.org/bpf/911293968f424ad7b462d8805aeb3baee8f4985b.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/crypto_sanity.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/crypto_sanity.c b/tools/testing/selftests/bpf/prog_tests/crypto_sanity.c
+index b1a3a49a822a7..42bd07f7218dc 100644
+--- a/tools/testing/selftests/bpf/prog_tests/crypto_sanity.c
++++ b/tools/testing/selftests/bpf/prog_tests/crypto_sanity.c
+@@ -4,7 +4,6 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <net/if.h>
+-#include <linux/in6.h>
+ #include <linux/if_alg.h>
+
+ #include "test_progs.h"
+--
+2.43.0
+
--- /dev/null
+From a99c527e6b38a11d718d626473916e58ee41baf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:44 -0700
+Subject: selftests/bpf: Fix errors compiling decap_sanity.c with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 1b00f355130a5dfc38a01ad02458ae2cb2ebe609 ]
+
+Remove a redundant include of '<linux/in6.h>', whose needed definitions are
+already provided by 'test_progs.h'. This avoids errors seen compiling for
+mips64el/musl-libc:
+
+ In file included from .../arpa/inet.h:9,
+ from ./test_progs.h:17,
+ from prog_tests/decap_sanity.c:9:
+ .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr'
+ 23 | struct in6_addr {
+ | ^~~~~~~~
+ In file included from decap_sanity.c:7:
+ .../linux/in6.h:33:8: note: originally defined here
+ 33 | struct in6_addr {
+ | ^~~~~~~~
+ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6'
+ 34 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../linux/in6.h:50:8: note: originally defined here
+ 50 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq'
+ 42 | struct ipv6_mreq {
+ | ^~~~~~~~~
+ .../linux/in6.h:60:8: note: originally defined here
+ 60 | struct ipv6_mreq {
+ | ^~~~~~~~~
+
+Fixes: 70a00e2f1dba ("selftests/bpf: Test bpf_skb_adjust_room on CHECKSUM_PARTIAL")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/e986ba2d7edccd254b54f7cd049b98f10bafa8c3.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/decap_sanity.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/decap_sanity.c b/tools/testing/selftests/bpf/prog_tests/decap_sanity.c
+index dcb9e5070cc3d..d79f398ec6b7c 100644
+--- a/tools/testing/selftests/bpf/prog_tests/decap_sanity.c
++++ b/tools/testing/selftests/bpf/prog_tests/decap_sanity.c
+@@ -4,7 +4,6 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <net/if.h>
+-#include <linux/in6.h>
+
+ #include "test_progs.h"
+ #include "network_helpers.h"
+--
+2.43.0
+
--- /dev/null
+From da31805513c3464c7fb598d13ea383ccde8b8db2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:43 -0700
+Subject: selftests/bpf: Fix errors compiling lwt_redirect.c with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 27c4797ce51c8dd51e35e68e9024a892f62d78b2 ]
+
+Remove a redundant include of '<linux/icmp.h>' which is already provided in
+'lwt_helpers.h'. This avoids errors seen compiling for mips64el/musl-libc:
+
+ In file included from .../arpa/inet.h:9,
+ from lwt_redirect.c:51:
+ .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr'
+ 23 | struct in6_addr {
+ | ^~~~~~~~
+ In file included from .../linux/icmp.h:24,
+ from lwt_redirect.c:50:
+ .../linux/in6.h:33:8: note: originally defined here
+ 33 | struct in6_addr {
+ | ^~~~~~~~
+ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6'
+ 34 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../linux/in6.h:50:8: note: originally defined here
+ 50 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq'
+ 42 | struct ipv6_mreq {
+ | ^~~~~~~~~
+ .../linux/in6.h:60:8: note: originally defined here
+ 60 | struct ipv6_mreq {
+ | ^~~~~~~~~
+
+Fixes: 43a7c3ef8a15 ("selftests/bpf: Add lwt_xmit tests for BPF_REDIRECT")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/3869dda876d5206d2f8d4dd67331c739ceb0c7f8.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/lwt_redirect.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c b/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c
+index 835a1d756c166..b6e8d822e8e95 100644
+--- a/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c
++++ b/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c
+@@ -47,7 +47,6 @@
+ #include <linux/if_ether.h>
+ #include <linux/if_packet.h>
+ #include <linux/if_tun.h>
+-#include <linux/icmp.h>
+ #include <arpa/inet.h>
+ #include <unistd.h>
+ #include <errno.h>
+--
+2.43.0
+
--- /dev/null
+From a6aa7df1012c6e4c2e75f701c67989e98a6ad996 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:37 -0700
+Subject: selftests/bpf: Fix include of <sys/fcntl.h>
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 21f0b0af977203220ad58aff95e372151288ec47 ]
+
+Update ns_current_pid_tgid.c to use '#include <fcntl.h>' and avoid compile
+error against mips64el/musl libc:
+
+ In file included from .../prog_tests/ns_current_pid_tgid.c:14:
+ .../include/sys/fcntl.h:1:2: error: #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h> [-Werror=cpp]
+ 1 | #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h>
+ | ^~~~~~~
+ cc1: all warnings being treated as errors
+
+Fixes: 09c02d553c49 ("bpf, selftests: Fold test_current_pid_tgid_new_ns into test_progs.")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/8bdc869749177b575025bf69600a4ce591822609.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
+index e72d75d6baa71..c29787e092d66 100644
+--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
++++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
+@@ -11,7 +11,7 @@
+ #include <sched.h>
+ #include <sys/wait.h>
+ #include <sys/mount.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include "network_helpers.h"
+
+ #define STACK_SIZE (1024 * 1024)
+--
+2.43.0
+
--- /dev/null
+From 0da748aff43be4e6e24faf47000fa60be7cfdc32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 10:36:22 +0800
+Subject: selftests/bpf: Fix incorrect parameters in NULL pointer checking
+
+From: Hao Ge <gehao@kylinos.cn>
+
+[ Upstream commit c264487e5410e5a72db8a414566ab7d144223e6c ]
+
+Smatch reported the following warning:
+ ./tools/testing/selftests/bpf/testing_helpers.c:455 get_xlated_program()
+ warn: variable dereferenced before check 'buf' (see line 454)
+
+It seems correct, so let's modify it based on its suggestion.
+
+Actually, commit b23ed4d74c4d ("selftests/bpf: Fix invalid pointer
+check in get_xlated_program()") fixed an issue in the test_verifier.c
+once, but it was reverted this time.
+
+Let's solve this issue with the minimal changes possible.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/1eb3732f-605a-479d-ba64-cd14250cbf91@stanley.mountain/
+Fixes: b4b7a4099b8c ("selftests/bpf: Factor out get_xlated_program() helper")
+Signed-off-by: Hao Ge <gehao@kylinos.cn>
+Link: https://lore.kernel.org/r/20240820023622.29190-1-hao.ge@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/testing_helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/testing_helpers.c b/tools/testing/selftests/bpf/testing_helpers.c
+index 4230420ef2940..680e452583a78 100644
+--- a/tools/testing/selftests/bpf/testing_helpers.c
++++ b/tools/testing/selftests/bpf/testing_helpers.c
+@@ -451,7 +451,7 @@ int get_xlated_program(int fd_prog, struct bpf_insn **buf, __u32 *cnt)
+
+ *cnt = xlated_prog_len / buf_element_size;
+ *buf = calloc(*cnt, buf_element_size);
+- if (!buf) {
++ if (!*buf) {
+ perror("can't allocate xlated program buffer");
+ return -ENOMEM;
+ }
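Review bot: Now that the check tests `*buf`, a zero `*cnt` could produce a false failure: `calloc(0, size)` is allowed to return NULL, and that would be reported here as `-ENOMEM`. Whether `xlated_prog_len` can be zero at this point is decided earlier in get_xlated_program, outside the hunk, so this needs confirming against that code. If it can, either return early for an empty program or test `if (*cnt && !*buf) {`, provided the code after the hunk tolerates a NULL buffer with a zero count.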
+--
+2.43.0
+
--- /dev/null
+From a1b2ea92ec5cc902031a43b2796f21df184d275f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:34 -0700
+Subject: selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit d44c93fc2f5a0c47b23fa03d374e45259abd92d2 ]
+
+Add a "bpf_util.h" include to avoid the following error seen compiling for
+mips64el with musl libc:
+
+ bench.c: In function 'find_benchmark':
+ bench.c:590:25: error: implicit declaration of function 'ARRAY_SIZE' [-Werror=implicit-function-declaration]
+ 590 | for (i = 0; i < ARRAY_SIZE(benchs); i++) {
+ | ^~~~~~~~~~
+ cc1: all warnings being treated as errors
+
+Fixes: 8e7c2a023ac0 ("selftests/bpf: Add benchmark runner infrastructure")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/bc4dde77dfcd17a825d8f28f72f3292341966810.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/bench.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/bench.c b/tools/testing/selftests/bpf/bench.c
+index 627b74ae041b5..90dc3aca32bd8 100644
+--- a/tools/testing/selftests/bpf/bench.c
++++ b/tools/testing/selftests/bpf/bench.c
+@@ -10,6 +10,7 @@
+ #include <sys/sysinfo.h>
+ #include <signal.h>
+ #include "bench.h"
++#include "bpf_util.h"
+ #include "testing_helpers.h"
+
+ struct env env = {
+--
+2.43.0
+
--- /dev/null
+From a3225c4213dda438f0aaa9557f7b9529b6d397f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:36 -0700
+Subject: selftests/bpf: Fix missing BUILD_BUG_ON() declaration
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 6495eb79ca7d15bd87c38d77307e8f9b6b7bf4ef ]
+
+Explicitly include '<linux/build_bug.h>' to fix errors seen compiling with
+gcc targeting mips64el/musl-libc:
+
+ user_ringbuf.c: In function 'test_user_ringbuf_loop':
+ user_ringbuf.c:426:9: error: implicit declaration of function 'BUILD_BUG_ON' [-Werror=implicit-function-declaration]
+ 426 | BUILD_BUG_ON(total_samples <= c_max_entries);
+ | ^~~~~~~~~~~~
+ cc1: all warnings being treated as errors
+
+Fixes: e5a9df51c746 ("selftests/bpf: Add selftests validating the user ringbuf")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/b28575f9221ec54871c46a2e87612bb4bbf46ccd.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
+index e51721df14fc1..dfff6feac12c3 100644
+--- a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
++++ b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
+@@ -4,6 +4,7 @@
+ #define _GNU_SOURCE
+ #include <linux/compiler.h>
+ #include <linux/ring_buffer.h>
++#include <linux/build_bug.h>
+ #include <pthread.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+--
+2.43.0
+
--- /dev/null
+From 52aa4012be3583681e1c655f28fab415f3a013fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:35 -0700
+Subject: selftests/bpf: Fix missing UINT_MAX definitions in benchmarks
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit a2c155131b710959beb508ca6a54769b6b1bd488 ]
+
+Include <limits.h> in 'bench.h' to provide a UINT_MAX definition and avoid
+multiple compile errors against mips64el/musl-libc like:
+
+ benchs/bench_local_storage.c: In function 'parse_arg':
+ benchs/bench_local_storage.c:40:38: error: 'UINT_MAX' undeclared (first use in this function)
+ 40 | if (ret < 1 || ret > UINT_MAX) {
+ | ^~~~~~~~
+ benchs/bench_local_storage.c:11:1: note: 'UINT_MAX' is defined in header '<limits.h>'; did you forget to '#include <limits.h>'?
+ 10 | #include <test_btf.h>
+ +++ |+#include <limits.h>
+ 11 |
+
+seen with bench_local_storage.c, bench_local_storage_rcu_tasks_trace.c, and
+bench_bpf_hashmap_lookup.c.
+
+Fixes: 73087489250d ("selftests/bpf: Add benchmark for local_storage get")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/8f64a9d9fcff40a7fca090a65a68a9b62a468e16.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/bench.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/bench.h b/tools/testing/selftests/bpf/bench.h
+index 68180d8f8558e..005c401b3e227 100644
+--- a/tools/testing/selftests/bpf/bench.h
++++ b/tools/testing/selftests/bpf/bench.h
+@@ -10,6 +10,7 @@
+ #include <math.h>
+ #include <time.h>
+ #include <sys/syscall.h>
++#include <limits.h>
+
+ struct cpu_set {
+ bool *cpus;
+--
+2.43.0
+
--- /dev/null
+From 58a3e93dde42a9cf403ea27c83780ea3b7e259ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:21 -0700
+Subject: selftests/bpf: Fix redefinition errors compiling lwt_reroute.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 16b795cc59528cf280abc79af3c70bda42f715b9 ]
+
+Compiling lwt_reroute.c with GCC 12.3 for mips64el/musl-libc yields errors:
+
+In file included from .../include/arpa/inet.h:9,
+ from ./test_progs.h:18,
+ from tools/testing/selftests/bpf/prog_tests/lwt_helpers.h:11,
+ from tools/testing/selftests/bpf/prog_tests/lwt_reroute.c:52:
+.../include/netinet/in.h:23:8: error: redefinition of 'struct in6_addr'
+ 23 | struct in6_addr {
+ | ^~~~~~~~
+In file included from .../include/linux/icmp.h:24,
+ from tools/testing/selftests/bpf/prog_tests/lwt_helpers.h:9:
+.../include/linux/in6.h:33:8: note: originally defined here
+ 33 | struct in6_addr {
+ | ^~~~~~~~
+.../include/netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6'
+ 34 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+.../include/linux/in6.h:50:8: note: originally defined here
+ 50 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+.../include/netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq'
+ 42 | struct ipv6_mreq {
+ | ^~~~~~~~~
+.../include/linux/in6.h:60:8: note: originally defined here
+ 60 | struct ipv6_mreq {
+ | ^~~~~~~~~
+
+These errors occur because <linux/in6.h> is included before <netinet/in.h>,
+bypassing the Linux uapi/libc compat mechanism's partial musl support. As
+described in [1] and [2], fix these errors by including <netinet/in.h> in
+lwt_reroute.c before any uapi headers.
+
+[1]: commit c0bace798436 ("uapi libc compat: add fallback for unsupported libcs")
+[2]: https://git.musl-libc.org/cgit/musl/commit/?id=04983f227238
+
+Fixes: 6c77997bc639 ("selftests/bpf: Add lwt_xmit tests for BPF_REROUTE")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/bd2908aec0755ba8b75f5dc41848b00585f5c73e.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/lwt_reroute.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c b/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c
+index 03825d2b45a8b..6c50c0f63f436 100644
+--- a/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c
++++ b/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c
+@@ -49,6 +49,7 @@
+ * is not crashed, it is considered successful.
+ */
+ #define NETNS "ns_lwt_reroute"
++#include <netinet/in.h>
+ #include "lwt_helpers.h"
+ #include "network_helpers.h"
+ #include <linux/net_tstamp.h>
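Review bot: The position of the new `#include <netinet/in.h>` is load-bearing, but nothing in the file says so. It also sits out of the usual order, a system header ahead of the local `lwt_helpers.h`, which invites a later include sort to move it. Per the commit description it has to come before any uapi header so that the libc-compat guards take effect on musl. I would add `/* must precede uapi headers: libc-compat relies on <netinet/in.h> being seen first (musl) */` directly above it.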
+--
+2.43.0
+
--- /dev/null
+From 91f0f57baea9745e781dd76fa675a6def4485458 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 03:23:51 -0700
+Subject: selftests/bpf: fix to avoid __msg tag de-duplication by clang
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit f00bb757ed630affc951691ddaff206039cbb7ee ]
+
+__msg, __regex and __xlated tags are based on
+__attribute__((btf_decl_tag("..."))) annotations.
+
+Clang de-duplicates such annotations, e.g. the following
+two sequences of tags are identical in final BTF:
+
+ /* seq A */ /* seq B */
+ __tag("foo") __tag("foo")
+ __tag("bar") __tag("bar")
+ __tag("foo")
+
+Fix this by adding a unique suffix for each tag using __COUNTER__
+pre-processor macro. E.g. here is a new definition for __msg:
+
+ #define __msg(msg) \
+ __attribute__((btf_decl_tag("comment:test_expect_msg=" XSTR(__COUNTER__) "=" msg)))
+
+Using this definition the "seq A" from example above is translated to
+BTF as follows:
+
+ [..] DECL_TAG 'comment:test_expect_msg=0=foo' type_id=X component_idx=-1
+ [..] DECL_TAG 'comment:test_expect_msg=1=bar' type_id=X component_idx=-1
+ [..] DECL_TAG 'comment:test_expect_msg=2=foo' type_id=X component_idx=-1
+
+Surprisingly, this bug affects a single existing test:
+verifier_spill_fill/old_stack_misc_vs_cur_ctx_ptr,
+where sequence of identical messages was expected in the log.
+
+Fixes: 537c3f66eac1 ("selftests/bpf: add generic BPF program tester-loader")
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240820102357.3372779-4-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/bpf_misc.h | 15 +++---
+ .../selftests/bpf/progs/verifier_spill_fill.c | 8 ++--
+ tools/testing/selftests/bpf/test_loader.c | 47 ++++++++++++++-----
+ 3 files changed, 48 insertions(+), 22 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
+index 078268a19b773..20541a7cd8070 100644
+--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
++++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
+@@ -2,6 +2,9 @@
+ #ifndef __BPF_MISC_H__
+ #define __BPF_MISC_H__
+
++#define XSTR(s) STR(s)
++#define STR(s) #s
++
+ /* This set of attributes controls behavior of the
+ * test_loader.c:test_loader__run_subtests().
+ *
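Review bot: `XSTR` and `STR` are very generic names to define unguarded in a header that the BPF test programs include widely. A program or header that already defines `STR` with a different body would now get a macro-redefinition diagnostic, or one side would pick up the other's expansion. Whether such a definition exists is not visible from this hunk. A prefixed pair, for example `#define BPF_MISC_XSTR(s) BPF_MISC_STR(s)` and `#define BPF_MISC_STR(s) #s`, would avoid the clash. The six tag macros in the next hunk would then use the prefixed name.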
+@@ -68,15 +71,15 @@
+ * Several __arch_* annotations could be specified at once.
+ * When test case is not run on current arch it is marked as skipped.
+ */
+-#define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" msg)))
+-#define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" regex)))
+-#define __xlated(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated=" msg)))
++#define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" XSTR(__COUNTER__) "=" msg)))
++#define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" XSTR(__COUNTER__) "=" regex)))
++#define __xlated(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated=" XSTR(__COUNTER__) "=" msg)))
+ #define __failure __attribute__((btf_decl_tag("comment:test_expect_failure")))
+ #define __success __attribute__((btf_decl_tag("comment:test_expect_success")))
+ #define __description(desc) __attribute__((btf_decl_tag("comment:test_description=" desc)))
+-#define __msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_msg_unpriv=" msg)))
+-#define __regex_unpriv(regex) __attribute__((btf_decl_tag("comment:test_expect_regex_unpriv=" regex)))
+-#define __xlated_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated_unpriv=" msg)))
++#define __msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_msg_unpriv=" XSTR(__COUNTER__) "=" msg)))
++#define __regex_unpriv(regex) __attribute__((btf_decl_tag("comment:test_expect_regex_unpriv=" XSTR(__COUNTER__) "=" regex)))
++#define __xlated_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated_unpriv=" XSTR(__COUNTER__) "=" msg)))
+ #define __failure_unpriv __attribute__((btf_decl_tag("comment:test_expect_failure_unpriv")))
+ #define __success_unpriv __attribute__((btf_decl_tag("comment:test_expect_success_unpriv")))
+ #define __log_level(lvl) __attribute__((btf_decl_tag("comment:test_log_level="#lvl)))
+diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+index 85e48069c9e61..d4b99c3b4719b 100644
+--- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
++++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+@@ -1213,10 +1213,10 @@ __success __log_level(2)
+ * - once for path entry - label 2;
+ * - once for path entry - label 1 - label 2.
+ */
+-__msg("r1 = *(u64 *)(r10 -8)")
+-__msg("exit")
+-__msg("r1 = *(u64 *)(r10 -8)")
+-__msg("exit")
++__msg("8: (79) r1 = *(u64 *)(r10 -8)")
++__msg("9: (95) exit")
++__msg("from 2 to 7")
++__msg("8: safe")
+ __msg("processed 11 insns")
+ __flag(BPF_F_TEST_STATE_FREQ)
+ __naked void old_stack_misc_vs_cur_ctx_ptr(void)
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index 12b0c41e8d64c..0f59bc33a666c 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -215,6 +215,35 @@ static void update_flags(int *flags, int flag, bool clear)
+ *flags |= flag;
+ }
+
++/* Matches a string of form '<pfx>[^=]=.*' and returns it's suffix.
++ * Used to parse btf_decl_tag values.
++ * Such values require unique prefix because compiler does not add
++ * same __attribute__((btf_decl_tag(...))) twice.
++ * Test suite uses two-component tags for such cases:
++ *
++ * <pfx> __COUNTER__ '='
++ *
++ * For example, two consecutive __msg tags '__msg("foo") __msg("foo")'
++ * would be encoded as:
++ *
++ * [18] DECL_TAG 'comment:test_expect_msg=0=foo' type_id=15 component_idx=-1
++ * [19] DECL_TAG 'comment:test_expect_msg=1=foo' type_id=15 component_idx=-1
++ *
++ * And the purpose of this function is to extract 'foo' from the above.
++ */
++static const char *skip_dynamic_pfx(const char *s, const char *pfx)
++{
++ const char *msg;
++
++ if (strncmp(s, pfx, strlen(pfx)) != 0)
++ return NULL;
++ msg = s + strlen(pfx);
++ msg = strchr(msg, '=');
++ if (!msg)
++ return NULL;
++ return msg + 1;
++}
++
+ enum arch {
+ ARCH_X86_64 = 0x1,
+ ARCH_ARM64 = 0x2,
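Review bot: skip_dynamic_pfx() accepts anything between the prefix and the next `=`, so a tag without the counter component is not rejected. For a value like `<pfx>r1 = 5` (constructed example) it would return the text after the message's own `=`, giving a truncated expectation. The header comment's pattern `'<pfx>[^=]=.*'` also disagrees with the code, which allows any number of non-`=` characters, and "it's suffix" should read "its suffix". Requiring a non-empty run of digits before the `=` matches what `__COUNTER__` emits and turns a stale or hand-written tag into a non-match. The callers are the `else if ((msg = skip_dynamic_pfx(...)))` branches in the parse_test_spec hunk that follows.

```c
static const char *skip_dynamic_pfx(const char *s, const char *pfx)
{
	size_t pfx_len = strlen(pfx);
	const char *p;

	if (strncmp(s, pfx, pfx_len) != 0)
		return NULL;
	/* The __COUNTER__ component must be a non-empty run of decimal digits. */
	p = s + pfx_len;
	if (*p < '0' || *p > '9')
		return NULL;
	while (*p >= '0' && *p <= '9')
		p++;
	/* Anything other than '=' right after the digits is not a counter tag. */
	if (*p != '=')
		return NULL;
	return p + 1;
}
```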
+@@ -290,38 +319,32 @@ static int parse_test_spec(struct test_loader *tester,
+ } else if (strcmp(s, TEST_TAG_AUXILIARY_UNPRIV) == 0) {
+ spec->auxiliary = true;
+ spec->mode_mask |= UNPRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_MSG_PFX))) {
+ err = push_msg(msg, NULL, &spec->priv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX_UNPRIV)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX_UNPRIV) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_MSG_PFX_UNPRIV))) {
+ err = push_msg(msg, NULL, &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_REGEX_PFX))) {
+ err = push_msg(NULL, msg, &spec->priv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX_UNPRIV)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX_UNPRIV) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_REGEX_PFX_UNPRIV))) {
+ err = push_msg(NULL, msg, &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_XLATED_PFX)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_XLATED_PFX) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_XLATED_PFX))) {
+ err = push_msg(msg, NULL, &spec->priv.expect_xlated);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_XLATED_PFX_UNPRIV)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_XLATED_PFX_UNPRIV) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_XLATED_PFX_UNPRIV))) {
+ err = push_msg(msg, NULL, &spec->unpriv.expect_xlated);
+ if (err)
+ goto cleanup;
+--
+2.43.0
+
--- /dev/null
+From 44c4e69470d5922b27984062aa2c1a83f5c5811a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 22:25:35 -0700
+Subject: selftests/bpf: Fix wrong binary in Makefile log output
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 3ece93a4087b2db7b99ebb2412bd60cf26bbbb51 ]
+
+Make log output incorrectly shows 'test_maps' as the binary name for every
+'CLNG-BPF' build step, apparently picking up the last value defined for the
+$(TRUNNER_BINARY) variable. Update the 'CLANG_BPF_BUILD_RULE' variants to
+fix this confusing output.
+
+Current output:
+ CLNG-BPF [test_maps] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs] access_map_in_map.skel.h
+ ...
+ CLNG-BPF [test_maps] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h
+ ...
+ CLNG-BPF [test_maps] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h
+
+After fix:
+ CLNG-BPF [test_progs] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs] access_map_in_map.skel.h
+ ...
+ CLNG-BPF [test_progs-no_alu32] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h
+ ...
+ CLNG-BPF [test_progs-cpuv4] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h
+
+Fixes: a5d0c26a2784 ("selftests/bpf: Add a cpuv4 test runner for cpu=v4 testing")
+Fixes: 89ad7420b25c ("selftests/bpf: Drop the need for LLVM's llc")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/bpf/20240720052535.2185967-1-tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index 2cca4913f2d45..88e8a316e7686 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -427,23 +427,24 @@ $(OUTPUT)/cgroup_getset_retval_hooks.o: cgroup_getset_retval_hooks.h
+ # $1 - input .c file
+ # $2 - output .o file
+ # $3 - CFLAGS
++# $4 - binary name
+ define CLANG_BPF_BUILD_RULE
+- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2)
++ $(call msg,CLNG-BPF,$4,$2)
+ $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v3 -o $2
+ endef
+ # Similar to CLANG_BPF_BUILD_RULE, but with disabled alu32
+ define CLANG_NOALU32_BPF_BUILD_RULE
+- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2)
++ $(call msg,CLNG-BPF,$4,$2)
+ $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v2 -o $2
+ endef
+ # Similar to CLANG_BPF_BUILD_RULE, but with cpu-v4
+ define CLANG_CPUV4_BPF_BUILD_RULE
+- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2)
++ $(call msg,CLNG-BPF,$4,$2)
+ $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v4 -o $2
+ endef
+ # Build BPF object using GCC
+ define GCC_BPF_BUILD_RULE
+- $(call msg,GCC-BPF,$(TRUNNER_BINARY),$2)
++ $(call msg,GCC-BPF,$4,$2)
+ $(Q)$(BPF_GCC) $3 -DBPF_NO_PRESERVE_ACCESS_INDEX -Wno-attributes -O2 -c $1 -o $2
+ endef
+
+@@ -535,7 +536,7 @@ $(TRUNNER_BPF_OBJS): $(TRUNNER_OUTPUT)/%.bpf.o: \
+ $$(call $(TRUNNER_BPF_BUILD_RULE),$$<,$$@, \
+ $(TRUNNER_BPF_CFLAGS) \
+ $$($$<-CFLAGS) \
+- $$($$<-$2-CFLAGS))
++ $$($$<-$2-CFLAGS),$(TRUNNER_BINARY))
+
+ $(TRUNNER_BPF_SKELS): %.skel.h: %.bpf.o $(BPFTOOL) | $(TRUNNER_OUTPUT)
+ $$(call msg,GEN-SKEL,$(TRUNNER_BINARY),$$@)
+--
+2.43.0
+
--- /dev/null
+From 0b776675872f7464faf257370bef505dc5380c59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 16:38:40 -0700
+Subject: selftests/bpf: no need to track next_match_pos in struct test_loader
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 4ef5d6af493558124b7a6c13cace58b938fe27d4 ]
+
+The call stack for validate_case() function looks as follows:
+- test_loader__run_subtests()
+ - process_subtest()
+ - run_subtest()
+ - prepare_case(), which does 'tester->next_match_pos = 0';
+ - validate_case(), which increments tester->next_match_pos.
+
+Hence, each subtest is run with next_match_pos freshly set to zero.
+Meaning that there is no need to persist this variable in the
+struct test_loader, use local variable instead.
+
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240722233844.1406874-7-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_loader.c | 19 ++++++++-----------
+ tools/testing/selftests/bpf/test_progs.h | 1 -
+ 2 files changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index f14e10b0de96e..47508cf66e896 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -434,7 +434,6 @@ static void prepare_case(struct test_loader *tester,
+ bpf_program__set_flags(prog, prog_flags | spec->prog_flags);
+
+ tester->log_buf[0] = '\0';
+- tester->next_match_pos = 0;
+ }
+
+ static void emit_verifier_log(const char *log_buf, bool force)
+@@ -450,25 +449,23 @@ static void validate_case(struct test_loader *tester,
+ struct bpf_program *prog,
+ int load_err)
+ {
+- int i, j, err;
+- char *match;
+ regmatch_t reg_match[1];
++ const char *log = tester->log_buf;
++ int i, j, err;
+
+ for (i = 0; i < subspec->expect_msg_cnt; i++) {
+ struct expect_msg *msg = &subspec->expect_msgs[i];
++ const char *match = NULL;
+
+ if (msg->substr) {
+- match = strstr(tester->log_buf + tester->next_match_pos, msg->substr);
++ match = strstr(log, msg->substr);
+ if (match)
+- tester->next_match_pos = match - tester->log_buf + strlen(msg->substr);
++ log += strlen(msg->substr);
+ } else {
+- err = regexec(&msg->regex,
+- tester->log_buf + tester->next_match_pos, 1, reg_match, 0);
++ err = regexec(&msg->regex, log, 1, reg_match, 0);
+ if (err == 0) {
+- match = tester->log_buf + tester->next_match_pos + reg_match[0].rm_so;
+- tester->next_match_pos += reg_match[0].rm_eo;
+- } else {
+- match = NULL;
++ match = log + reg_match[0].rm_so;
++ log += reg_match[0].rm_eo;
+ }
+ }
+
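Review bot: In the substring branch the cursor is advanced with `log += strlen(msg->substr);`, which moves it by the pattern length from its previous position instead of to the end of the match that strstr() just found. Text before and inside the match therefore stays searchable, so a later expected message can match out of order or reuse the same log text and a test can pass when it should fail. The removed code computed `match - tester->log_buf + strlen(msg->substr)`; the equivalent here is `log = match + strlen(msg->substr);`. The regex branch is unaffected because `rm_eo` is already relative to `log`. validate_case() continues past the end of this hunk.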
+diff --git a/tools/testing/selftests/bpf/test_progs.h b/tools/testing/selftests/bpf/test_progs.h
+index 0ba5a20b19ba8..8e997de596db0 100644
+--- a/tools/testing/selftests/bpf/test_progs.h
++++ b/tools/testing/selftests/bpf/test_progs.h
+@@ -438,7 +438,6 @@ typedef int (*pre_execution_cb)(struct bpf_object *obj);
+ struct test_loader {
+ char *log_buf;
+ size_t log_buf_sz;
+- size_t next_match_pos;
+ pre_execution_cb pre_execution_cb;
+
+ struct bpf_object *obj;
+--
+2.43.0
+
--- /dev/null
+From 2886f3bb7190cfb9aac724ec35776a137a61f9b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 15:14:57 +0100
+Subject: selftests/bpf: Support checks against a regular expression
+
+From: Cupertino Miranda <cupertino.miranda@oracle.com>
+
+[ Upstream commit f06ae6194f278444201e0b041a00192d794f83b6 ]
+
+Add support for __regex and __regex_unpriv macros to check the test
+execution output against a regular expression. This is similar to __msg
+and __msg_unpriv, however those do substring matching.
+
+Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/bpf/20240617141458.471620-2-cupertino.miranda@oracle.com
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/bpf_misc.h | 11 +-
+ tools/testing/selftests/bpf/test_loader.c | 115 ++++++++++++++-----
+ 2 files changed, 96 insertions(+), 30 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
+index fb2f5513e29e1..c0280bd2f340d 100644
+--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
++++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
+@@ -7,9 +7,9 @@
+ *
+ * The test_loader sequentially loads each program in a skeleton.
+ * Programs could be loaded in privileged and unprivileged modes.
+- * - __success, __failure, __msg imply privileged mode;
+- * - __success_unpriv, __failure_unpriv, __msg_unpriv imply
+- * unprivileged mode.
++ * - __success, __failure, __msg, __regex imply privileged mode;
++ * - __success_unpriv, __failure_unpriv, __msg_unpriv, __regex_unpriv
++ * imply unprivileged mode.
+ * If combination of privileged and unprivileged attributes is present
+ * both modes are used. If none are present privileged mode is implied.
+ *
+@@ -24,6 +24,9 @@
+ * Multiple __msg attributes could be specified.
+ * __msg_unpriv Same as __msg but for unprivileged mode.
+ *
++ * __regex Same as __msg, but using a regular expression.
++ * __regex_unpriv Same as __msg_unpriv but using a regular expression.
++ *
+ * __success Expect program load success in privileged mode.
+ * __success_unpriv Expect program load success in unprivileged mode.
+ *
+@@ -59,10 +62,12 @@
+ * __auxiliary_unpriv Same, but load program in unprivileged mode.
+ */
+ #define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" msg)))
++#define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" regex)))
+ #define __failure __attribute__((btf_decl_tag("comment:test_expect_failure")))
+ #define __success __attribute__((btf_decl_tag("comment:test_expect_success")))
+ #define __description(desc) __attribute__((btf_decl_tag("comment:test_description=" desc)))
+ #define __msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_msg_unpriv=" msg)))
++#define __regex_unpriv(regex) __attribute__((btf_decl_tag("comment:test_expect_regex_unpriv=" regex)))
+ #define __failure_unpriv __attribute__((btf_decl_tag("comment:test_expect_failure_unpriv")))
+ #define __success_unpriv __attribute__((btf_decl_tag("comment:test_expect_success_unpriv")))
+ #define __log_level(lvl) __attribute__((btf_decl_tag("comment:test_log_level="#lvl)))
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index 524c38e9cde48..f14e10b0de96e 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -2,6 +2,7 @@
+ /* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */
+ #include <linux/capability.h>
+ #include <stdlib.h>
++#include <regex.h>
+ #include <test_progs.h>
+ #include <bpf/btf.h>
+
+@@ -17,9 +18,11 @@
+ #define TEST_TAG_EXPECT_FAILURE "comment:test_expect_failure"
+ #define TEST_TAG_EXPECT_SUCCESS "comment:test_expect_success"
+ #define TEST_TAG_EXPECT_MSG_PFX "comment:test_expect_msg="
++#define TEST_TAG_EXPECT_REGEX_PFX "comment:test_expect_regex="
+ #define TEST_TAG_EXPECT_FAILURE_UNPRIV "comment:test_expect_failure_unpriv"
+ #define TEST_TAG_EXPECT_SUCCESS_UNPRIV "comment:test_expect_success_unpriv"
+ #define TEST_TAG_EXPECT_MSG_PFX_UNPRIV "comment:test_expect_msg_unpriv="
++#define TEST_TAG_EXPECT_REGEX_PFX_UNPRIV "comment:test_expect_regex_unpriv="
+ #define TEST_TAG_LOG_LEVEL_PFX "comment:test_log_level="
+ #define TEST_TAG_PROG_FLAGS_PFX "comment:test_prog_flags="
+ #define TEST_TAG_DESCRIPTION_PFX "comment:test_description="
+@@ -46,10 +49,16 @@ enum mode {
+ UNPRIV = 2
+ };
+
++struct expect_msg {
++ const char *substr; /* substring match */
++ const char *regex_str; /* regex-based match */
++ regex_t regex;
++};
++
+ struct test_subspec {
+ char *name;
+ bool expect_failure;
+- const char **expect_msgs;
++ struct expect_msg *expect_msgs;
+ size_t expect_msg_cnt;
+ int retval;
+ bool execute;
+@@ -89,6 +98,16 @@ void test_loader_fini(struct test_loader *tester)
+
+ static void free_test_spec(struct test_spec *spec)
+ {
++ int i;
++
++ /* Deallocate expect_msgs arrays. */
++ for (i = 0; i < spec->priv.expect_msg_cnt; i++)
++ if (spec->priv.expect_msgs[i].regex_str)
++ regfree(&spec->priv.expect_msgs[i].regex);
++ for (i = 0; i < spec->unpriv.expect_msg_cnt; i++)
++ if (spec->unpriv.expect_msgs[i].regex_str)
++ regfree(&spec->unpriv.expect_msgs[i].regex);
++
+ free(spec->priv.name);
+ free(spec->unpriv.name);
+ free(spec->priv.expect_msgs);
+@@ -100,18 +119,38 @@ static void free_test_spec(struct test_spec *spec)
+ spec->unpriv.expect_msgs = NULL;
+ }
+
+-static int push_msg(const char *msg, struct test_subspec *subspec)
++static int push_msg(const char *substr, const char *regex_str, struct test_subspec *subspec)
+ {
+ void *tmp;
++ int regcomp_res;
++ char error_msg[100];
++ struct expect_msg *msg;
+
+- tmp = realloc(subspec->expect_msgs, (1 + subspec->expect_msg_cnt) * sizeof(void *));
++ tmp = realloc(subspec->expect_msgs,
++ (1 + subspec->expect_msg_cnt) * sizeof(struct expect_msg));
+ if (!tmp) {
+ ASSERT_FAIL("failed to realloc memory for messages\n");
+ return -ENOMEM;
+ }
+ subspec->expect_msgs = tmp;
+- subspec->expect_msgs[subspec->expect_msg_cnt++] = msg;
++ msg = &subspec->expect_msgs[subspec->expect_msg_cnt];
++
++ if (substr) {
++ msg->substr = substr;
++ msg->regex_str = NULL;
++ } else {
++ msg->regex_str = regex_str;
++ msg->substr = NULL;
++ regcomp_res = regcomp(&msg->regex, regex_str, REG_EXTENDED|REG_NEWLINE);
++ if (regcomp_res != 0) {
++ regerror(regcomp_res, &msg->regex, error_msg, sizeof(error_msg));
++ PRINT_FAIL("Regexp compilation error in '%s': '%s'\n",
++ regex_str, error_msg);
++ return -EINVAL;
++ }
++ }
+
++ subspec->expect_msg_cnt += 1;
+ return 0;
+ }
+
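Review bot: push_msg() now takes two string arguments, but nothing states that exactly one of them must be non-NULL, and the `else` branch passes `regex_str` to regcomp() without checking it. Every caller visible in this patch passes exactly one, so this is a documentation gap rather than a live fault. A header comment such as `/* Exactly one of substr/regex_str must be non-NULL; msg->regex is compiled, and must be regfree'd, only when regex_str is set. */` would pin down the contract that the regfree() loops in free_test_spec() rely on.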
+@@ -233,13 +272,25 @@ static int parse_test_spec(struct test_loader *tester,
+ spec->mode_mask |= UNPRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX) - 1;
+- err = push_msg(msg, &spec->priv);
++ err = push_msg(msg, NULL, &spec->priv);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX_UNPRIV)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX_UNPRIV) - 1;
+- err = push_msg(msg, &spec->unpriv);
++ err = push_msg(msg, NULL, &spec->unpriv);
++ if (err)
++ goto cleanup;
++ spec->mode_mask |= UNPRIV;
++ } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX)) {
++ msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX) - 1;
++ err = push_msg(NULL, msg, &spec->priv);
++ if (err)
++ goto cleanup;
++ spec->mode_mask |= PRIV;
++ } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX_UNPRIV)) {
++ msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX_UNPRIV) - 1;
++ err = push_msg(NULL, msg, &spec->unpriv);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+@@ -337,16 +388,13 @@ static int parse_test_spec(struct test_loader *tester,
+ }
+
+ if (!spec->unpriv.expect_msgs) {
+- size_t sz = spec->priv.expect_msg_cnt * sizeof(void *);
++ for (i = 0; i < spec->priv.expect_msg_cnt; i++) {
++ struct expect_msg *msg = &spec->priv.expect_msgs[i];
+
+- spec->unpriv.expect_msgs = malloc(sz);
+- if (!spec->unpriv.expect_msgs) {
+- PRINT_FAIL("failed to allocate memory for unpriv.expect_msgs\n");
+- err = -ENOMEM;
+- goto cleanup;
++ err = push_msg(msg->substr, msg->regex_str, &spec->unpriv);
++ if (err)
++ goto cleanup;
+ }
+- memcpy(spec->unpriv.expect_msgs, spec->priv.expect_msgs, sz);
+- spec->unpriv.expect_msg_cnt = spec->priv.expect_msg_cnt;
+ }
+ }
+
+@@ -402,27 +450,40 @@ static void validate_case(struct test_loader *tester,
+ struct bpf_program *prog,
+ int load_err)
+ {
+- int i, j;
++ int i, j, err;
++ char *match;
++ regmatch_t reg_match[1];
+
+ for (i = 0; i < subspec->expect_msg_cnt; i++) {
+- char *match;
+- const char *expect_msg;
+-
+- expect_msg = subspec->expect_msgs[i];
++ struct expect_msg *msg = &subspec->expect_msgs[i];
++
++ if (msg->substr) {
++ match = strstr(tester->log_buf + tester->next_match_pos, msg->substr);
++ if (match)
++ tester->next_match_pos = match - tester->log_buf + strlen(msg->substr);
++ } else {
++ err = regexec(&msg->regex,
++ tester->log_buf + tester->next_match_pos, 1, reg_match, 0);
++ if (err == 0) {
++ match = tester->log_buf + tester->next_match_pos + reg_match[0].rm_so;
++ tester->next_match_pos += reg_match[0].rm_eo;
++ } else {
++ match = NULL;
++ }
++ }
+
+- match = strstr(tester->log_buf + tester->next_match_pos, expect_msg);
+ if (!ASSERT_OK_PTR(match, "expect_msg")) {
+- /* if we are in verbose mode, we've already emitted log */
+ if (env.verbosity == VERBOSE_NONE)
+ emit_verifier_log(tester->log_buf, true /*force*/);
+- for (j = 0; j < i; j++)
+- fprintf(stderr,
+- "MATCHED MSG: '%s'\n", subspec->expect_msgs[j]);
+- fprintf(stderr, "EXPECTED MSG: '%s'\n", expect_msg);
++ for (j = 0; j <= i; j++) {
++ msg = &subspec->expect_msgs[j];
++ fprintf(stderr, "%s %s: '%s'\n",
++ j < i ? "MATCHED " : "EXPECTED",
++ msg->substr ? "SUBSTR" : " REGEX",
++ msg->substr ?: msg->regex_str);
++ }
+ return;
+ }
+-
+- tester->next_match_pos = match - tester->log_buf + strlen(expect_msg);
+ }
+ }
+
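Review bot: The `regexec()` call is handed `tester->log_buf + tester->next_match_pos` with eflags 0, so once an earlier message has matched in the middle of a line, a `^` in the next __regex pattern can match at that mid-line offset as if it were a line start. Passing `REG_NOTBOL` unless the offset is 0 or the preceding byte is a newline keeps anchors accurate, e.g. `int eflags = (pos && tester->log_buf[pos - 1] != '\n') ? REG_NOTBOL : 0;` with `pos` standing for `tester->next_match_pos`. The same `regexec(..., 0)` call is carried over into the validate_case() hunk of the "no need to track next_match_pos" patch. This hunk also drops the comment explaining why the log is emitted only when `env.verbosity == VERBOSE_NONE`; it is worth keeping.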
+--
+2.43.0
+
--- /dev/null
+From 57cf67fca2a221eb63a96bde5040b4559c30a384 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:28 -0700
+Subject: selftests/bpf: Use pid_t consistently in test_progs.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit ec4fe2f0fa12fd2d0115df7e58414dc26899cc5e ]
+
+Use pid_t rather than __pid_t when allocating memory for 'worker_pids' in
+'struct test_env', as this is its declared type and also avoids compile
+errors seen building against musl libc on mipsel64:
+
+ test_progs.c:1738:49: error: '__pid_t' undeclared (first use in this function); did you mean 'pid_t'?
+ 1738 | env.worker_pids = calloc(sizeof(__pid_t), env.workers);
+ | ^~~~~~~
+ | pid_t
+ test_progs.c:1738:49: note: each undeclared identifier is reported only once for each function it appears in
+
+Fixes: 91b2c0afd00c ("selftests/bpf: Add parallelism to test_progs")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Geliang Tang <geliang@kernel.org>
+Link: https://lore.kernel.org/bpf/c6447da51a94babc1931711a43e2ceecb135c93d.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 89ff704e9dad5..60c5ec0f6abf6 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -1731,7 +1731,7 @@ int main(int argc, char **argv)
+ /* launch workers if requested */
+ env.worker_id = -1; /* main process */
+ if (env.workers) {
+- env.worker_pids = calloc(sizeof(__pid_t), env.workers);
++ env.worker_pids = calloc(sizeof(pid_t), env.workers);
+ env.worker_socks = calloc(sizeof(int), env.workers);
+ if (env.debug)
+ fprintf(stdout, "Launching %d workers.\n", env.workers);
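Review bot: Neither `env.worker_pids` nor `env.worker_socks` is checked for NULL within this hunk, and both `calloc()` calls pass their arguments in (size, count) order rather than the documented (count, size). If no check follows outside the hunk, a failed allocation is dereferenced once workers are launched; an explicit `if (!env.worker_pids || !env.worker_socks)` bail-out right after the two calls would close that. Writing the call as `calloc(env.workers, sizeof(*env.worker_pids))` also ties the element size to the field's declared type, which would have avoided the `__pid_t` mismatch in the first place. main() continues outside the hunk.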
+--
+2.43.0
+
--- /dev/null
+From 1dc1a438af7ac0336987e6d51cb8cd21497547b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 19:08:15 -0700
+Subject: selftests/bpf: Workaround strict bpf_lsm return value check.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit aa8ebb270c66cea1f56a25d0f938036e91ad085a ]
+
+test_progs-no_alu32 -t libbpf_get_fd_by_id_opts
+is being rejected by the verifier with the following error
+due to compiler optimization:
+
+6: (67) r0 <<= 62 ; R0_w=scalar(smax=0x4000000000000000,umax=0xc000000000000000,smin32=0,smax32=umax32=0,var_off=(0x0; 0xc000000000000000))
+7: (c7) r0 s>>= 63 ; R0_w=scalar(smin=smin32=-1,smax=smax32=0)
+; @ test_libbpf_get_fd_by_id_opts.c:0
+8: (57) r0 &= -13 ; R0_w=scalar(smax=0x7ffffffffffffff3,umax=0xfffffffffffffff3,smax32=0x7ffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3))
+; int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) @ test_libbpf_get_fd_by_id_opts.c:27
+9: (95) exit
+At program exit the register R0 has smax=9223372036854775795 should have been in [-4095, 0]
+
+Workaround by adding barrier().
+Eventually the verifier will be able to recognize it.
+
+Fixes: 5d99e198be27 ("bpf, lsm: Add check for BPF LSM return value")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
+index f5ac5f3e89196..568816307f712 100644
+--- a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
++++ b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
+@@ -31,6 +31,7 @@ int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode)
+
+ if (fmode & FMODE_WRITE)
+ return -EACCES;
++ barrier();
+
+ return 0;
+ }
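Review bot: The added `barrier();` carries no comment, so without the commit message it reads as a no-op between two returns and is likely to be removed in a later cleanup. A comment above the call would record why it is there, for example `/* Keep clang from folding the two returns into shift/mask arithmetic whose range the verifier cannot bound to [-4095, 0] for LSM hooks; remove once the verifier copes. */`. The start of check_access is outside the hunk.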
+--
+2.43.0
+
--- /dev/null
+From a74531fd6861771e680bbb63ba68fb61e227e68b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 07:12:10 +0900
+Subject: selftests/ftrace: Add required dependency for kprobe tests
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit 41f37c852ac3fbfd072a00281b60dc7ba056be8c ]
+
+kprobe_args_{char,string}.tc are using available_filter_functions file
+which is provided by function tracer. Thus if function tracer is disabled,
+these tests are failed on recent kernels because tracefs_create_dir is
+not raised events by adding a dynamic event.
+Add available_filter_functions to requires line.
+
+Fixes: 7c1130ea5cae ("test: ftrace: Fix kprobe test for eventfs")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc | 2 +-
+ .../selftests/ftrace/test.d/kprobe/kprobe_args_string.tc | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc
+index e21c9c27ece47..77f4c07cdcb89 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc
+@@ -1,7 +1,7 @@
+ #!/bin/sh
+ # SPDX-License-Identifier: GPL-2.0
+ # description: Kprobe event char type argument
+-# requires: kprobe_events
++# requires: kprobe_events available_filter_functions
+
+ case `uname -m` in
+ x86_64)
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
+index 93217d4595563..39001073f7ed5 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
+@@ -1,7 +1,7 @@
+ #!/bin/sh
+ # SPDX-License-Identifier: GPL-2.0
+ # description: Kprobe event string type argument
+-# requires: kprobe_events
++# requires: kprobe_events available_filter_functions
+
+ case `uname -m` in
+ x86_64)
+--
+2.43.0
+
--- /dev/null
+From 3dab0a66a7dacab71f0b481a0fa47617bf071827 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 00:30:21 +0900
+Subject: selftests/ftrace: Fix eventfs ownership testcase to find mount point
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit f0a6ecebd858658df213d114b0530f8f0b96e396 ]
+
+Fix eventfs ownership testcase to find mount point if stat -c "%m" failed.
+This can happen on the system based on busybox. In this case, this will
+try to use the current working directory, which should be a tracefs top
+directory (and eventfs is mounted as a part of tracefs.)
+If it does not work, the test is skipped as UNRESOLVED because of
+the environmental problem.
+
+Fixes: ee9793be08b1 ("tracing/selftests: Add ownership modification tests for eventfs")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/00basic/test_ownership.tc | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/00basic/test_ownership.tc b/tools/testing/selftests/ftrace/test.d/00basic/test_ownership.tc
+index c45094d1e1d2d..803efd7b56c77 100644
+--- a/tools/testing/selftests/ftrace/test.d/00basic/test_ownership.tc
++++ b/tools/testing/selftests/ftrace/test.d/00basic/test_ownership.tc
+@@ -6,6 +6,18 @@ original_group=`stat -c "%g" .`
+ original_owner=`stat -c "%u" .`
+
+ mount_point=`stat -c '%m' .`
++
++# If stat -c '%m' does not work (e.g. busybox) or failed, try to use the
++# current working directory (which should be a tracefs) as the mount point.
++if [ ! -d "$mount_point" ]; then
++ if mount | grep -qw $PWD ; then
++ mount_point=$PWD
++ else
++ # If PWD doesn't work, that is an environmental problem.
++ exit_unresolved
++ fi
++fi
++
+ mount_options=`mount | grep "$mount_point" | sed -e 's/.*(\(.*\)).*/\1/'`
+
+ # find another owner and group that is not the original
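Review bot: `$PWD` is unquoted in `mount | grep -qw $PWD` and is interpreted as a regular expression, so a working directory containing spaces, glob characters or regex metacharacters either breaks the command line or matches the wrong mount entry. `if mount | grep -qwF -- "$PWD"; then` treats the path as a fixed string and survives word splitting. The fallback also accepts any mount line that contains the path, not specifically a tracefs mount, so a match on an unrelated filesystem would be taken as the mount point. The rest of the script is outside the hunk.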
+--
+2.43.0
+
--- /dev/null
+From 30b841c82f8bcc71ff0d73391a8fe598785b0692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 May 2024 01:36:20 -0400
+Subject: selftests/ftrace: Fix test to handle both old and new kernels
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+[ Upstream commit c049acee3c71cfc26c739f82617a84e13e471a45 ]
+
+The function "scheduler_tick" was renamed to "sched_tick" and a selftest
+that used that function for testing function trace filtering used that
+function as part of the test.
+
+But the change causes it to fail when run on older kernels. As tests
+should not fail on older kernels, add a check to see which name is
+available before testing.
+
+Fixes: 86dd6c04ef9f ("sched/balancing: Rename scheduler_tick() => sched_tick()")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_set_ftrace_file.tc | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc
+index 073a748b9380a..263f6b798c853 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc
+@@ -19,7 +19,14 @@ fail() { # mesg
+
+ FILTER=set_ftrace_filter
+ FUNC1="schedule"
+-FUNC2="sched_tick"
++if grep '^sched_tick\b' available_filter_functions; then
++ FUNC2="sched_tick"
++elif grep '^scheduler_tick\b' available_filter_functions; then
++ FUNC2="scheduler_tick"
++else
++ exit_unresolved
++fi
++
+
+ ALL_FUNCS="#### all functions enabled ####"
+
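Review bot: Both `grep` probes run without `-q`, so every matching line from available_filter_functions is written to the test's output before the real test starts. Only the exit status is needed here: `if grep -q '^sched_tick\b' available_filter_functions; then` and likewise for the `scheduler_tick` branch. A short comment above the block saying that `scheduler_tick` is the name on older kernels would also keep the reason for the fallback next to the code.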
+--
+2.43.0
+
--- /dev/null
+From 0d28b23af10f8288e95d1a21d0f99008fa830742 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 14:40:00 +0200
+Subject: selftests: netfilter: Avoid hanging ipvs.sh
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit fc786304ad9803e8bb86b8599bc64d1c1746c75f ]
+
+If the client can't reach the server, the latter remains listening
+forever. Kill it after 5s of waiting.
+
+Fixes: 867d2190799a ("selftests: netfilter: add ipvs test script")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/netfilter/ipvs.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/netfilter/ipvs.sh b/tools/testing/selftests/net/netfilter/ipvs.sh
+index 4ceee9fb39495..d3edb16cd4b3f 100755
+--- a/tools/testing/selftests/net/netfilter/ipvs.sh
++++ b/tools/testing/selftests/net/netfilter/ipvs.sh
+@@ -97,7 +97,7 @@ cleanup() {
+ }
+
+ server_listen() {
+- ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT > "${outfile}" &
++ ip netns exec "$ns2" timeout 5 socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT > "${outfile}" &
+ server_pid=$!
+ sleep 0.2
+ }
+--
+2.43.0
+
--- /dev/null
+From bb327a26431b7b4942b97d6cca8026c3073556ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 12:02:31 -0600
+Subject: selftests:resctrl: Fix build failure on archs without __cpuid_count()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit 7beaf1da074f7ea25454d6c11da142c3892d3c4e ]
+
+When resctrl is built on architectures without __cpuid_count()
+support, build fails. resctrl uses __cpuid_count() defined in
+kselftest.h.
+
+Even though the problem is seen while building resctrl on aarch64,
+this error can be seen on any platform that doesn't support CPUID.
+
+CPUID is a x86/x86-64 feature and code paths with CPUID asm commands
+will fail to build on all other architectures.
+
+All other tests that call __cpuid_count() do so from x86/x86_64 code paths
+when __i386__ or __x86_64__ are defined. resctrl is an exception.
+
+Fix the problem by defining __cpuid_count() only when __i386__ or
+__x86_64__ are defined in kselftest.h and changing resctrl to call
+__cpuid_count() only when __i386__ or __x86_64__ are defined.
+
+In file included from resctrl.h:24,
+ from cat_test.c:11:
+In function ‘arch_supports_noncont_cat’,
+ inlined from ‘noncont_cat_run_test’ at cat_test.c:326:6:
+../kselftest.h:74:9: error: impossible constraint in ‘asm’
+ 74 | __asm__ __volatile__ ("cpuid\n\t" \
+ | ^~~~~~~
+cat_test.c:304:17: note: in expansion of macro ‘__cpuid_count’
+ 304 | __cpuid_count(0x10, 1, eax, ebx, ecx, edx);
+ | ^~~~~~~~~~~~~
+../kselftest.h:74:9: error: impossible constraint in ‘asm’
+ 74 | __asm__ __volatile__ ("cpuid\n\t" \
+ | ^~~~~~~
+cat_test.c:306:17: note: in expansion of macro ‘__cpuid_count’
+ 306 | __cpuid_count(0x10, 2, eax, ebx, ecx, edx);
+
+Fixes: ae638551ab64 ("selftests/resctrl: Add non-contiguous CBMs CAT test")
+Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Closes: https://lore.kernel.org/lkml/20240809071059.265914-1-usama.anjum@collabora.com/
+Reported-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Acked-by: Reinette Chatre <reinette.chatre@intel.com>
+Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest.h | 2 ++
+ tools/testing/selftests/resctrl/cat_test.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/kselftest.h b/tools/testing/selftests/kselftest.h
+index 76c2a6945d3e8..f9214e7cdd134 100644
+--- a/tools/testing/selftests/kselftest.h
++++ b/tools/testing/selftests/kselftest.h
+@@ -61,6 +61,7 @@
+ #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
+ #endif
+
++#if defined(__i386__) || defined(__x86_64__) /* arch */
+ /*
+ * gcc cpuid.h provides __cpuid_count() since v4.4.
+ * Clang/LLVM cpuid.h provides __cpuid_count() since v3.4.0.
+@@ -75,6 +76,7 @@
+ : "=a" (a), "=b" (b), "=c" (c), "=d" (d) \
+ : "0" (level), "2" (count))
+ #endif
++#endif /* end arch */
+
+ /* define kselftest exit codes */
+ #define KSFT_PASS 0
+diff --git a/tools/testing/selftests/resctrl/cat_test.c b/tools/testing/selftests/resctrl/cat_test.c
+index 55315ed695f47..18565f02163e7 100644
+--- a/tools/testing/selftests/resctrl/cat_test.c
++++ b/tools/testing/selftests/resctrl/cat_test.c
+@@ -293,12 +293,12 @@ static int cat_run_test(const struct resctrl_test *test, const struct user_param
+
+ static bool arch_supports_noncont_cat(const struct resctrl_test *test)
+ {
+- unsigned int eax, ebx, ecx, edx;
+-
+ /* AMD always supports non-contiguous CBM. */
+ if (get_vendor() == ARCH_AMD)
+ return true;
+
++#if defined(__i386__) || defined(__x86_64__) /* arch */
++ unsigned int eax, ebx, ecx, edx;
+ /* Intel support for non-contiguous CBM needs to be discovered. */
+ if (!strcmp(test->resource, "L3"))
+ __cpuid_count(0x10, 1, eax, ebx, ecx, edx);
+@@ -308,6 +308,9 @@ static bool arch_supports_noncont_cat(const struct resctrl_test *test)
+ return false;
+
+ return ((ecx >> 3) & 1);
++#endif /* end arch */
++
++ return false;
+ }
+
+ static int noncont_cat_run_test(const struct resctrl_test *test,
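Review bot: On x86 builds the trailing `return false;` after `#endif` is unreachable, because the guarded block ends in a return on every path shown in these two hunks. On other architectures the function still calls get_vendor() and then falls through to it. Putting the fallback in an `#else` arm (`#else` / `return false;` / `#endif /* end arch */`) makes the two variants explicit and avoids dead code that static analysers will flag. The body of arch_supports_noncont_cat is split across this hunk and the previous one.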
+--
+2.43.0
+
--- /dev/null
+From 0c7a5802d289530b44f3023fcead22ecff5e24f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 10:50:14 +0200
+Subject: selftests: vDSO: fix ELF hash table entry size for s390x
+
+From: Jens Remus <jremus@linux.ibm.com>
+
+[ Upstream commit 14be4e6f35221c4731b004553ecf7cbc6dc1d2d8 ]
+
+The vDSO self tests fail on s390x for a vDSO linked with the GNU linker
+ld as follows:
+
+ # ./vdso_test_gettimeofday
+ Floating point exception (core dumped)
+
+On s390x the ELF hash table entries are 64 bits instead of 32 bits in
+size (see Glibc sysdeps/unix/sysv/linux/s390/bits/elfclass.h).
+
+Fixes: 40723419f407 ("kselftest: Enable vDSO test on non x86 platforms")
+Reported-by: Heiko Carstens <hca@linux.ibm.com>
+Tested-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Jens Remus <jremus@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/parse_vdso.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
+index d9ccc5acac182..7dd5668ea8a6e 100644
+--- a/tools/testing/selftests/vDSO/parse_vdso.c
++++ b/tools/testing/selftests/vDSO/parse_vdso.c
+@@ -36,6 +36,12 @@
+ #define ELF_BITS_XFORM(bits, x) ELF_BITS_XFORM2(bits, x)
+ #define ELF(x) ELF_BITS_XFORM(ELF_BITS, x)
+
++#ifdef __s390x__
++#define ELF_HASH_ENTRY ELF(Xword)
++#else
++#define ELF_HASH_ENTRY ELF(Word)
++#endif
++
+ static struct vdso_info
+ {
+ bool valid;
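Review bot: The new `ELF_HASH_ENTRY` selection has no comment explaining why s390x is special, so a reader has to find the commit message to learn it. A one-line comment above the `#ifdef` would keep the reason with the code, e.g. `/* DT_HASH entries are 64 bits wide on s390x, 32 bits elsewhere (glibc bits/elfclass.h) */`. The macro is reused for the `bucket`/`chain` members and the `hash` cursor in the later hunks, so one comment here covers all of them.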
+@@ -47,8 +53,8 @@ static struct vdso_info
+ /* Symbol table */
+ ELF(Sym) *symtab;
+ const char *symstrings;
+- ELF(Word) *bucket, *chain;
+- ELF(Word) nbucket, nchain;
++ ELF_HASH_ENTRY *bucket, *chain;
++ ELF_HASH_ENTRY nbucket, nchain;
+
+ /* Version table */
+ ELF(Versym) *versym;
+@@ -115,7 +121,7 @@ void vdso_init_from_sysinfo_ehdr(uintptr_t base)
+ /*
+ * Fish out the useful bits of the dynamic table.
+ */
+- ELF(Word) *hash = 0;
++ ELF_HASH_ENTRY *hash = 0;
+ vdso_info.symstrings = 0;
+ vdso_info.symtab = 0;
+ vdso_info.versym = 0;
+@@ -133,7 +139,7 @@ void vdso_init_from_sysinfo_ehdr(uintptr_t base)
+ + vdso_info.load_offset);
+ break;
+ case DT_HASH:
+- hash = (ELF(Word) *)
++ hash = (ELF_HASH_ENTRY *)
+ ((uintptr_t)dyn[i].d_un.d_ptr
+ + vdso_info.load_offset);
+ break;
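Review bot: The cast corrects the entry width, but nothing in this hunk validates what is later read through `hash`. The failure quoted in the commit message is a floating point exception rather than a failed lookup, which suggests the bucket count is used as a divisor without a check, though that code is outside the hunk. If so, a guard where `nbucket` is filled in, such as `if (!vdso_info.nbucket) return;`, would turn a mis-sized or malformed hash table into a clean init failure instead of a crash. vdso_init_from_sysinfo_ehdr() starts and ends outside the hunk.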
+--
+2.43.0
+
--- /dev/null
+From 86fa3660a5ae159ec4492dfed98c6debb10dc304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:35 +0200
+Subject: selftests: vDSO: fix vDSO name for powerpc
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 59eb856c3ed9b3552befd240c0c339f22eed3fa1 ]
+
+Following error occurs when running vdso_test_correctness on powerpc:
+
+~ # ./vdso_test_correctness
+[WARN] failed to find vDSO
+[SKIP] No vDSO, so skipping clock_gettime() tests
+[SKIP] No vDSO, so skipping clock_gettime64() tests
+[RUN] Testing getcpu...
+[OK] CPU 0: syscall: cpu 0, node 0
+
+On powerpc, vDSO is neither called linux-vdso.so.1 nor linux-gate.so.1
+but linux-vdso32.so.1 or linux-vdso64.so.1.
+
+Also search those two names before giving up.
+
+Fixes: c7e5789b24d3 ("kselftest: Move test_vdso to the vDSO test suite")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_test_correctness.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_test_correctness.c b/tools/testing/selftests/vDSO/vdso_test_correctness.c
+index e691a3cf14911..cdb697ae8343c 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_correctness.c
++++ b/tools/testing/selftests/vDSO/vdso_test_correctness.c
+@@ -114,6 +114,12 @@ static void fill_function_pointers()
+ if (!vdso)
+ vdso = dlopen("linux-gate.so.1",
+ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
++ if (!vdso)
++ vdso = dlopen("linux-vdso32.so.1",
++ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
++ if (!vdso)
++ vdso = dlopen("linux-vdso64.so.1",
++ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
+ if (!vdso) {
+ printf("[WARN]\tfailed to find vDSO\n");
+ return;
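Review bot: The growing chain of `dlopen()` fallbacks has no comment saying why trying more names is safe. Every call passes `RTLD_NOLOAD`, so a name only matches an object that is already mapped and never loads a file from the library search path. Stating that once above the chain, e.g. `/* RTLD_NOLOAD: only match the already-mapped vDSO; never load a same-named file from disk */`, would stop the flag being dropped when the next architecture's name is added. The first `dlopen()` of the chain and the rest of fill_function_pointers() are outside the hunk.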
+--
+2.43.0
+
--- /dev/null
+From ce4b83b9beaaad1ef52414ed9ab6760d9a57d48a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:37 +0200
+Subject: selftests: vDSO: fix vDSO symbols lookup for powerpc64
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit ba83b3239e657469709d15dcea5f9b65bf9dbf34 ]
+
+On powerpc64, following tests fail locating vDSO functions:
+
+ ~ # ./vdso_test_abi
+ TAP version 13
+ 1..16
+ # [vDSO kselftest] VDSO_VERSION: LINUX_2.6.15
+ # Couldn't find __kernel_gettimeofday
+ ok 1 # SKIP __kernel_gettimeofday
+ # clock_id: CLOCK_REALTIME
+ # Couldn't find __kernel_clock_gettime
+ ok 2 # SKIP __kernel_clock_gettime CLOCK_REALTIME
+ # Couldn't find __kernel_clock_getres
+ ok 3 # SKIP __kernel_clock_getres CLOCK_REALTIME
+ ...
+ # Couldn't find __kernel_time
+ ok 16 # SKIP __kernel_time
+ # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:16 error:0
+
+ ~ # ./vdso_test_getrandom
+ __kernel_getrandom is missing!
+
+ ~ # ./vdso_test_gettimeofday
+ Could not find __kernel_gettimeofday
+
+ ~ # ./vdso_test_getcpu
+ Could not find __kernel_getcpu
+
+On powerpc64, as shown below by readelf, vDSO functions symbols have
+type NOTYPE, so also accept that type when looking for symbols.
+
+$ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg
+ELF Header:
+ Magic: 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00
+ Class: ELF64
+ Data: 2's complement, big endian
+ Version: 1 (current)
+ OS/ABI: UNIX - System V
+ ABI Version: 0
+ Type: DYN (Shared object file)
+ Machine: PowerPC64
+ Version: 0x1
+...
+
+Symbol table '.dynsym' contains 12 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+ 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
+ 1: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 2: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 3: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 4: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
+ 5: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 6: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 7: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 8: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 9: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 10: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 11: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+
+Symbol table '.symtab' contains 56 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+...
+ 45: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
+ 46: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __kernel_getcpu
+ 47: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_getres
+ 48: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __kernel_get_tbfreq
+ 49: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __kernel_gettimeofday
+ 50: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __kernel_sync_dicache
+ 51: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_getrandom
+ 52: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __kernel_sigtram[...]
+ 53: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __kernel_time
+ 54: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_g[...]
+ 55: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __kernel_get_sys[...]
+
+Fixes: 98eedc3a9dbf ("Document the vDSO and add a reference parser")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/parse_vdso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
+index 4ae417372e9eb..d9ccc5acac182 100644
+--- a/tools/testing/selftests/vDSO/parse_vdso.c
++++ b/tools/testing/selftests/vDSO/parse_vdso.c
+@@ -216,7 +216,8 @@ void *vdso_sym(const char *version, const char *name)
+ ELF(Sym) *sym = &vdso_info.symtab[chain];
+
+ /* Check for a defined global or weak function w/ right name. */
+- if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC)
++ if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC &&
++ ELF64_ST_TYPE(sym->st_info) != STT_NOTYPE)
+ continue;
+ if (ELF64_ST_BIND(sym->st_info) != STB_GLOBAL &&
+ ELF64_ST_BIND(sym->st_info) != STB_WEAK)
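Review bot: The comment above the type check still says "function", but the condition now also accepts `STT_NOTYPE` symbols, and does so on every architecture rather than only powerpc64. Updating it would make the widened match visible, e.g. `/* Check for a defined global or weak function (or NOTYPE, as emitted for the powerpc64 vDSO) w/ right name. */`. The remaining checks in this loop body are outside the hunk, so whether untyped non-function symbols are filtered out later cannot be confirmed from here.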
+--
+2.43.0
+
--- /dev/null
+From a0523d2789beb9a6530d45bedd734c426ee104cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:36 +0200
+Subject: selftests: vDSO: fix vdso_config for powerpc
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 7d297c419b08eafa69ce27243ee9bbecab4fcaa4 ]
+
+Running vdso_test_correctness on powerpc64 gives the following warning:
+
+ ~ # ./vdso_test_correctness
+ Warning: failed to find clock_gettime64 in vDSO
+
+This is because vdso_test_correctness was built with VDSO_32BIT defined.
+
+__powerpc__ macro is defined on both powerpc32 and powerpc64 so
+__powerpc64__ needs to be checked first in vdso_config.h
+
+Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_config.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h
+index 7b543e7f04d7b..00bfed6e4922e 100644
+--- a/tools/testing/selftests/vDSO/vdso_config.h
++++ b/tools/testing/selftests/vDSO/vdso_config.h
+@@ -18,13 +18,13 @@
+ #elif defined(__aarch64__)
+ #define VDSO_VERSION 3
+ #define VDSO_NAMES 0
+-#elif defined(__powerpc__)
++#elif defined(__powerpc64__)
+ #define VDSO_VERSION 1
+ #define VDSO_NAMES 0
+-#define VDSO_32BIT 1
+-#elif defined(__powerpc64__)
++#elif defined(__powerpc__)
+ #define VDSO_VERSION 1
+ #define VDSO_NAMES 0
++#define VDSO_32BIT 1
+ #elif defined (__s390__)
+ #define VDSO_VERSION 2
+ #define VDSO_NAMES 0
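Review bot: The fix works only because `__powerpc64__` is now tested before `__powerpc__`, and nothing in the chain records that the order matters, so a later reshuffle could silently bring back `VDSO_32BIT` on 64-bit builds. Either make the 32-bit branch self-contained with `#elif defined(__powerpc__) && !defined(__powerpc64__)`, or add `/* must precede __powerpc__, which is also defined on powerpc64 */` on the 64-bit branch. The `#if`/`#elif` chain starts and ends outside the hunk.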
+--
+2.43.0
+
--- /dev/null
+From d1317e4064c757f6ca152c43a46739d59bff95ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 10:50:15 +0200
+Subject: selftests: vDSO: fix vdso_config for s390
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit a6e23fb8d3c0e3904da70beaf5d7e840a983c97f ]
+
+Running vdso_test_correctness on s390x (aka s390 64 bit) emits a warning:
+
+Warning: failed to find clock_gettime64 in vDSO
+
+This is caused by the "#elif defined (__s390__)" check in vdso_config.h
+which the defines VDSO_32BIT.
+
+If __s390x__ is defined also __s390__ is defined. Therefore the correct
+check must make sure that only __s390__ is defined.
+
+Therefore add the missing !defined(__s390x__). Also use common
+__s390x__ define instead of __s390X__.
+
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_config.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h
+index 00bfed6e4922e..fe0b3ec48c8d8 100644
+--- a/tools/testing/selftests/vDSO/vdso_config.h
++++ b/tools/testing/selftests/vDSO/vdso_config.h
+@@ -25,11 +25,11 @@
+ #define VDSO_VERSION 1
+ #define VDSO_NAMES 0
+ #define VDSO_32BIT 1
+-#elif defined (__s390__)
++#elif defined (__s390__) && !defined(__s390x__)
+ #define VDSO_VERSION 2
+ #define VDSO_NAMES 0
+ #define VDSO_32BIT 1
+-#elif defined (__s390X__)
++#elif defined (__s390x__)
+ #define VDSO_VERSION 2
+ #define VDSO_NAMES 0
+ #elif defined(__mips__)
+--
+2.43.0
+
--- /dev/null
+From 00322fa58e19f7ba3ca71326efc0000a2733d81b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 16:12:25 +0200
+Subject: serial: 8250: omap: Cleanup on error in request_irq
+
+From: Markus Schneider-Pargmann <msp@baylibre.com>
+
+[ Upstream commit 35e648a16018b747897be2ccc3ce95ff23237bb5 ]
+
+If devm_request_irq fails, the code does not cleanup many things that
+were setup before. Instead of directly returning ret we should jump to
+err.
+
+Fixes: fef4f600319e ("serial: 8250: omap: Fix life cycle issues for interrupt handlers")
+Signed-off-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Reviewed-by: Kevin Hilman <khilman@baylibre.com>
+Tested-by: Kevin Hilman <khilman@baylibre.com>
+Link: https://lore.kernel.org/r/20240807141227.1093006-4-msp@baylibre.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index afef1dd4ddf49..fca5f25d693a7 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1581,7 +1581,7 @@ static int omap8250_probe(struct platform_device *pdev)
+ ret = devm_request_irq(&pdev->dev, up.port.irq, omap8250_irq, 0,
+ dev_name(&pdev->dev), priv);
+ if (ret < 0)
+- return ret;
++ goto err;
+
+ priv->wakeirq = irq_of_parse_and_map(np, 1);
+
+--
+2.43.0
+
--- /dev/null
+wifi-ath11k-use-work-queue-to-process-beacon-tx-even.patch
+edac-synopsys-fix-error-injection-on-zynq-ultrascale.patch
+wifi-rtw88-always-wait-for-both-firmware-loading-att.patch
+crypto-xor-fix-template-benchmarking.patch
+crypto-qat-disable-iov-in-adf_dev_stop.patch
+crypto-qat-fix-recovery-flow-for-vfs.patch
+crypto-qat-ensure-correct-order-in-vf-restarting-han.patch
+crypto-iaa-fix-potential-use-after-free-bug.patch
+acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch
+wifi-brcmfmac-introducing-fwil-query-functions.patch
+wifi-ath9k-remove-error-checks-when-creating-debugfs.patch
+wifi-ath12k-fix-bss-chan-info-request-wmi-command.patch
+wifi-ath12k-match-wmi-bss-chan-info-structure-with-f.patch
+wifi-ath12k-fix-invalid-ampdu-factor-calculation-in-.patch
+net-stmmac-dwmac-loongson-init-ref-and-ptp-clocks-ra.patch
+arm64-signal-fix-some-under-bracketed-uapi-macros.patch
+wifi-rtw89-remove-unused-c2h-event-id-rtw89_mac_c2h_.patch
+wifi-rtw88-remove-cpt-execution-branch-never-used.patch
+risc-v-kvm-fix-sbiret-init-before-forwarding-to-user.patch
+risc-v-kvm-don-t-zero-out-pmu-snapshot-area-before-f.patch
+risc-v-kvm-allow-legacy-pmu-access-from-guest.patch
+risc-v-kvm-fix-to-allow-hpmcounter31-from-the-guest.patch
+mount-handle-oom-on-mnt_warn_timestamp_expiry.patch
+autofs-fix-missing-fput-for-fsconfig_set_fd.patch
+arm-9410-1-vfp-use-asm-volatile-in-fmrx-fmxr-macros.patch
+powercap-intel_rapl-fix-off-by-one-in-get_rpi.patch
+kselftest-arm64-signal-fix-refactor-sve-vector-lengt.patch
+arm64-smp-smp_send_stop-and-crash_smp_send_stop-shou.patch
+thermal-core-fold-two-functions-into-their-respectiv.patch
+thermal-core-fix-rounding-of-delay-jiffies.patch
+drivers-perf-fix-ali_drw_pmu-driver-interrupt-status.patch
+perf-dwc_pcie-fix-registration-issue-in-multi-pcie-c.patch
+perf-dwc_pcie-always-register-for-pcie-bus-notifier.patch
+crypto-qat-fix-full-going-true-macro-definition.patch
+acpi-video-force-native-for-some-t2-macbooks.patch
+acpi-video-force-native-for-apple-macbookpro9-2.patch
+wifi-mac80211-don-t-use-rate-mask-for-offchannel-tx-.patch
+wifi-iwlwifi-remove-ax101-ax201-and-ax203-support-fr.patch
+wifi-iwlwifi-config-label-gl-devices-as-discrete.patch
+wifi-iwlwifi-mvm-increase-the-time-between-ranging-m.patch
+wifi-cfg80211-fix-bug-of-mapping-af3x-to-incorrect-u.patch
+wifi-mac80211-fix-the-comeback-long-retry-times.patch
+wifi-iwlwifi-mvm-allow-esr-when-we-the-roc-expires.patch
+wifi-mac80211-check-for-missing-vht-elements-only-fo.patch
+acpica-implement-acpi_warning_once-and-acpi_error_on.patch
+acpica-executer-exsystem-don-t-nag-user-about-every-.patch
+padata-honor-the-caller-s-alignment-in-case-of-chunk.patch
+drivers-perf-hisi_pcie-record-hardware-counts-correc.patch
+drivers-perf-hisi_pcie-fix-tlp-headers-bandwidth-cou.patch
+kselftest-arm64-actually-test-sme-vector-length-chan.patch
+can-j1939-use-correct-function-name-in-comment.patch
+acpi-cppc-fix-mask_val-usage.patch
+netfilter-nf_tables-elements-with-timeout-below-conf.patch
+netfilter-nf_tables-reject-element-expiration-with-n.patch
+netfilter-nf_tables-reject-expiration-higher-than-ti.patch
+netfilter-nf_tables-remove-annotation-to-access-set-.patch
+netfilter-nft_dynset-annotate-data-races-around-set-.patch
+perf-arm-cmn-refactor-node-id-handling.-again.patch
+perf-arm-cmn-fix-ccla-register-offset.patch
+perf-arm-cmn-ensure-dtm_idx-is-big-enough.patch
+cpufreq-ti-cpufreq-introduce-quirks-to-handle-syscon.patch
+thermal-gov_bang_bang-adjust-states-of-all-uninitial.patch
+wifi-mt76-mt7915-fix-oops-on-non-dbdc-mt7986.patch
+wifi-mt76-mt7921-fix-wrong-unii-4-freq-range-check-f.patch
+wifi-mt76-mt7996-use-hweight16-to-get-correct-tx-ant.patch
+wifi-mt76-mt7996-fix-traffic-delay-when-switching-ba.patch
+wifi-mt76-mt7996-fix-wmm-set-of-station-interface-to.patch
+wifi-mt76-mt7996-fix-he-and-eht-beamforming-capabili.patch
+wifi-mt76-mt7996-fix-eht-beamforming-capability-chec.patch
+x86-sgx-fix-deadlock-in-sgx-numa-node-search.patch
+pm-cpupower-add-missing-powercap_set_enabled-stub-fu.patch
+crypto-ccp-do-not-request-interrupt-on-cmd-completio.patch
+crypto-hisilicon-hpre-mask-cluster-timeout-error.patch
+crypto-hisilicon-qm-reset-device-before-enabling-it.patch
+crypto-hisilicon-qm-inject-error-before-stopping-que.patch
+wifi-mt76-mt7996-fix-handling-mbss-enable-disable.patch
+wifi-mt76-connac-fix-checksum-offload-fields-of-conn.patch
+wifi-mt76-mt7603-fix-mixed-declarations-and-code.patch
+wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch
+wifi-mt76-mt7915-fix-rx-filter-setting-for-bfee-func.patch
+wifi-mt76-mt7996-fix-uninitialized-tlv-data.patch
+wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch
+wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch
+wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch
+bluetooth-hci_core-fix-sending-mgmt_ev_connect_faile.patch
+bluetooth-hci_sync-ignore-errors-from-hci_op_remote_.patch
+sock_map-add-a-cond_resched-in-sock_hash_free.patch
+net-hsr-use-the-seqnr-lock-for-frames-received-via-i.patch
+can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch
+can-m_can-enable-napi-before-enabling-interrupts.patch
+can-m_can-m_can_close-stop-clocks-after-device-has-b.patch
+bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch
+bareudp-pull-inner-ip-header-in-bareudp_udp_encap_re.patch
+bareudp-pull-inner-ip-header-on-xmit.patch
+net-enetc-use-irqf_no_autoen-flag-in-request_irq.patch
+crypto-n2-set-err-to-einval-if-snprintf-fails-for-hm.patch
+xsk-fix-batch-alloc-api-on-non-coherent-systems.patch
+r8169-disable-aldps-per-default-for-rtl8125.patch
+net-ipv6-rpl_iptunnel-fix-memory-leak-in-rpl_input.patch
+net-tipc-avoid-possible-garbage-value.patch
+ipv6-avoid-possible-null-deref-in-rt6_uncached_list_.patch
+ublk-move-zone-report-data-out-of-request-pdu.patch
+nbd-fix-race-between-timeout-and-normal-completion.patch
+block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch
+block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch
+block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch
+cachefiles-fix-non-taking-of-sb_writers-around-set-r.patch
+nbd-correct-the-maximum-value-for-discard-sectors.patch
+erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch
+erofs-tidy-up-struct-z_erofs_bvec.patch
+erofs-handle-overlapped-pclusters-out-of-crafted-ima.patch
+block-bfq-fix-uaf-for-accessing-waker_bfqq-after-spl.patch
+block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch
+io_uring-io-wq-do-not-allow-pinning-outside-of-cpuse.patch
+io_uring-io-wq-inherit-cpuset-of-cgroup-in-io-worker.patch
+block-fix-potential-invalid-pointer-dereference-in-b.patch
+spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch
+arm64-dts-exynos-exynos7885-jackpotlte-correct-ram-a.patch
+arm64-dts-mediatek-mt8186-fix-supported-hw-mask-for-.patch
+firmware-arm_scmi-fix-double-free-in-optee-transport.patch
+spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch
+firmware-qcom-scm-disable-sdi-and-write-no-dump-to-d.patch
+regulator-return-actual-error-in-of_regulator_bulk_g.patch
+arm64-dts-renesas-r9a08g045-correct-gicd-and-gicr-si.patch
+arm64-dts-renesas-r9a07g043u-correct-gicd-and-gicr-s.patch
+arm64-dts-renesas-r9a07g054-correct-gicd-and-gicr-si.patch
+arm64-dts-renesas-r9a07g044-correct-gicd-and-gicr-si.patch
+arm-dts-microchip-sam9x60-fix-rtc-rtt-clocks.patch
+arm64-tegra-correct-location-of-power-sensors-for-ig.patch
+arm64-dts-rockchip-correct-vendor-prefix-for-hardker.patch
+arm64-dts-ti-k3-j721e-sk-fix-reversed-c6x-carveout-l.patch
+arm64-dts-ti-k3-j721e-beagleboneai64-fix-reversed-c6.patch
+spi-bcmbca-hsspi-fix-missing-pm_runtime_disable.patch
+arm64-dts-qcom-x1e80100-fix-phy-for-dp2.patch
+arm-dts-microchip-sama7g5-fix-rtt-clock.patch
+arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch
+arm64-dts-ti-k3-am654-idk-fix-dtbs_check-warning-in-.patch
+arm-versatile-fix-of-node-leak-in-cpus-prepare.patch
+reset-berlin-fix-of-node-leak-in-probe-error-path.patch
+reset-k210-fix-of-node-leak-in-probe-error-path.patch
+clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch
+arm64-dts-mediatek-mt8195-correct-clock-order-for-dp.patch
+x86-mm-use-ipis-to-synchronize-lam-enablement.patch
+asoc-rt5682s-return-devm_of_clk_add_hw_provider-to-t.patch
+asoc-tas2781-use-of_property_read_reg.patch
+asoc-tas2781-i2c-drop-weird-gpio-code.patch
+asoc-tas2781-i2c-get-the-right-gpio-line.patch
+selftests-ftrace-add-required-dependency-for-kprobe-.patch
+alsa-hda-cs35l41-fix-module-autoloading.patch
+selftests-ftrace-fix-test-to-handle-both-old-and-new.patch
+x86-boot-64-strip-percpu-address-space-when-setting-.patch
+m68k-fix-kernel_clone_args.flags-in-m68k_clone.patch
+asoc-loongson-fix-error-release.patch
+selftests-ftrace-fix-eventfs-ownership-testcase-to-f.patch
+selftests-resctrl-fix-build-failure-on-archs-without.patch
+hwmon-max16065-fix-overflows-seen-when-writing-limit.patch
+hwmon-max16065-remove-use-of-i2c_match_id.patch
+hwmon-max16065-fix-alarm-attributes.patch
+mtd-slram-insert-break-after-errors-in-parsing-the-m.patch
+hwmon-ntc_thermistor-fix-module-autoloading.patch
+power-supply-axp20x_battery-remove-design-from-min-a.patch
+power-supply-max17042_battery-fix-soc-threshold-calc.patch
+fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch
+iommu-amd-handle-error-path-in-amd_iommu_probe_devic.patch
+iommu-amd-allocate-the-page-table-root-using-gfp_ker.patch
+iommu-amd-convert-comma-to-semicolon.patch
+iommu-amd-move-allocation-of-the-top-table-into-v1_a.patch
+iommu-amd-set-the-pgsize_bitmap-correctly.patch
+iommu-amd-do-not-set-the-d-bit-on-amd-v2-table-entri.patch
+mtd-powernv-add-check-devm_kasprintf-returned-value.patch
+rcu-nocb-fix-rt-throttling-hrtimer-armed-from-offlin.patch
+mtd-rawnand-mtk-use-for_each_child_of_node_scoped.patch
+mtd-rawnand-mtk-factorize-out-the-logic-cleaning-mtk.patch
+mtd-rawnand-mtk-fix-init-error-path.patch
+iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch
+iommu-arm-smmu-qcom-work-around-sdm845-adreno-smmu-w.patch
+iommu-arm-smmu-qcom-apply-num_context_bank-fixes-for.patch
+pmdomain-core-harden-inter-column-space-in-debug-sum.patch
+drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch
+drm-stm-ltdc-check-memory-returned-by-devm_kzalloc.patch
+drm-amd-display-add-null-check-for-set_output_gamma-.patch
+drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch
+drm-radeon-properly-handle-vbios-fake-edid-sizing.patch
+scsi-smartpqi-revert-propagate-the-multipath-failure.patch
+scsi-ncr5380-check-for-phase-match-during-pdma-fixup.patch
+drm-amd-amdgpu-properly-tune-the-size-of-struct.patch
+drm-rockchip-vop-allow-4096px-width-scaling.patch
+drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch
+drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch
+drm-bridge-lontium-lt8912b-validate-mode-in-drm_brid.patch
+drm-vc4-hdmi-handle-error-case-of-pm_runtime_resume_.patch
+scsi-elx-libefc-fix-potential-use-after-free-in-efc_.patch
+jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch
+drm-mediatek-fix-missing-configuration-flags-in-mtk_.patch
+drm-mediatek-use-spin_lock_irqsave-for-crtc-event-lo.patch
+powerpc-8xx-fix-initial-memory-mapping.patch
+powerpc-8xx-fix-kernel-vs-user-address-comparison.patch
+powerpc-vdso-inconditionally-use-cfunc-macro.patch
+selftests-vdso-fix-vdso-name-for-powerpc.patch
+selftests-vdso-fix-vdso_config-for-powerpc.patch
+selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch
+drm-msm-use-a7xx-family-directly-in-gpu_state.patch
+drm-msm-dump-correct-dbgahb-clusters-on-a750.patch
+drm-msm-fix-cp_bv_draw_state_addr-name.patch
+drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch
+drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch
+drm-msm-a5xx-properly-clear-preemption-records-on-re.patch
+drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch
+drm-msm-a5xx-workaround-early-ring-buffer-emptiness-.patch
+ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch
+drm-msm-dp-enable-widebus-on-all-relevant-chipsets.patch
+drm-msm-dsi-correct-programming-sequence-for-sm8350-.patch
+drm-msm-fix-s-null-argument-error.patch
+platform-x86-ideapad-laptop-make-the-scope_guard-cle.patch
+kselftest-dt-ignore-nodes-that-have-ancestors-disabl.patch
+drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch
+drm-amdgpu-fix-invalid-fence-handling-in-amdgpu_vm_t.patch
+xen-use-correct-end-address-of-kernel-for-conflict-c.patch
+hid-wacom-support-sequence-numbers-smaller-than-16-b.patch
+hid-wacom-do-not-warn-about-dropped-packets-for-firs.patch
+ata-libata-clear-did_time_out-for-ata-pt-commands-wi.patch
+minmax-avoid-overly-complex-min-max-macro-arguments-.patch
+xen-introduce-generic-helper-checking-for-memory-map.patch
+xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch
+xen-add-capability-to-remap-non-ram-pages-to-differe.patch
+xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch
+powerpc-vdso-fix-vdso-data-access-when-running-in-a-.patch
+selftests-vdso-fix-elf-hash-table-entry-size-for-s39.patch
+selftests-vdso-fix-vdso_config-for-s390.patch
+xen-swiotlb-add-alignment-check-for-dma-buffers.patch
+xen-swiotlb-fix-allocated-size.patch
+tpm-clean-up-tpm-space-after-command-failure.patch
+sched-fair-make-sched_idle-entity-be-preempted-in-st.patch
+bpf-x64-fix-tailcall-hierarchy.patch
+bpf-arm64-fix-tailcall-hierarchy.patch
+bpf-lsm-add-check-for-bpf-lsm-return-value.patch
+bpf-fix-compare-error-in-function-retval_range_withi.patch
+selftests-bpf-workaround-strict-bpf_lsm-return-value.patch
+selftests-bpf-fix-error-linking-uprobe_multi-on-mips.patch
+selftests-bpf-fix-wrong-binary-in-makefile-log-outpu.patch
+tools-runqslower-fix-ldflags-and-add-ldlibs-support.patch
+bpf-fail-verification-for-sign-extension-of-packet-d.patch
+selftests-bpf-use-pid_t-consistently-in-test_progs.c.patch
+selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch
+selftests-bpf-fix-error-compiling-bpf_iter_setsockop.patch
+selftests-bpf-drop-unneeded-error.h-includes.patch
+selftests-bpf-fix-missing-array_size-definition-in-b.patch
+selftests-bpf-fix-missing-uint_max-definitions-in-be.patch
+selftests-bpf-fix-missing-build_bug_on-declaration.patch
+selftests-bpf-fix-include-of-sys-fcntl.h.patch
+selftests-bpf-fix-compiling-parse_tcp_hdr_opt.c-with.patch
+selftests-bpf-fix-compiling-kfree_skb.c-with-musl-li.patch
+selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch
+selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch
+selftests-bpf-fix-compiling-core_reloc.c-with-musl-l.patch
+selftests-bpf-fix-errors-compiling-lwt_redirect.c-wi.patch
+selftests-bpf-fix-errors-compiling-decap_sanity.c-wi.patch
+selftests-bpf-fix-errors-compiling-crypto_sanity.c-w.patch
+selftests-bpf-fix-errors-compiling-cg_storage_multi..patch
+libbpf-don-t-take-direct-pointers-into-btf-data-from.patch
+selftests-bpf-fix-arg-parsing-in-veristat-test_progs.patch
+selftests-bpf-fix-error-compiling-test_lru_map.c.patch
+selftests-bpf-fix-c-compile-error-from-missing-_bool.patch
+selftests-bpf-fix-redefinition-errors-compiling-lwt_.patch
+selftests-bpf-fix-compile-if-backtrace-support-missi.patch
+selftests-bpf-fix-error-compiling-tc_redirect.c-with.patch
+samples-bpf-fix-compilation-errors-with-cf-protectio.patch
+selftests-bpf-support-checks-against-a-regular-expre.patch
+selftests-bpf-no-need-to-track-next_match_pos-in-str.patch
+selftests-bpf-extract-test_loader-expect_msgs-as-a-d.patch
+selftests-bpf-allow-checking-xlated-programs-in-veri.patch
+selftests-bpf-__arch_-macro-to-limit-test-cases-to-s.patch
+selftests-bpf-fix-to-avoid-__msg-tag-de-duplication-.patch
+bpf-correctly-handle-malformed-bpf_core_type_id_loca.patch
+selftests-bpf-fix-incorrect-parameters-in-null-point.patch
+libbpf-fix-bpf_object__open_skeleton-s-mishandling-o.patch
+s390-ap-fix-deadlock-caused-by-recursive-lock-of-the.patch
+xz-cleanup-crc32-edits-from-2018.patch
+kthread-fix-task-state-in-kthread-worker-if-being-fr.patch
+ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch
+sched-deadline-fix-schedstats-vs-deadline-servers.patch
+smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch
+ext4-avoid-buffer_head-leak-in-ext4_mark_inode_used.patch
+ext4-avoid-potential-buffer_head-leak-in-__ext4_new_.patch
+ext4-avoid-negative-min_clusters-in-find_group_orlov.patch
+ext4-return-error-on-ext4_find_inline_entry.patch
+ext4-avoid-oob-when-system.data-xattr-changes-undern.patch
+ext4-check-stripe-size-compatibility-on-remount-as-w.patch
+sched-numa-fix-the-vma-scan-starving-issue.patch
+nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch
+nilfs2-determine-empty-node-blocks-as-corrupted.patch
+nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch
+sched-pelt-use-rq_clock_task-for-hw_pressure.patch
+bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch
+bpf-fix-helper-writes-to-read-only-maps.patch
+bpf-improve-check_raw_mode_ok-test-for-mem_uninit-ta.patch
+bpf-zero-former-arg_ptr_to_-long-int-args-in-case-of.patch
+perf-scripts-python-cs-etm-restore-first-sample-log-.patch
+perf-mem-free-the-allocated-sort-string-fixing-a-lea.patch
+perf-callchain-fix-stitch-lbr-memory-leaks.patch
+perf-lock-contention-change-stack_id-type-to-s32.patch
+perf-inject-fix-leader-sampling-inserting-additional.patch
+perf-report-fix-total-cycles-stdio-output-error.patch
+perf-build-fix-up-broken-capstone-feature-detection-.patch
+perf-sched-timehist-fix-missing-free-of-session-in-p.patch
+perf-stat-display-iostat-headers-correctly.patch
+perf-dwarf-aux-check-allowed-location-expressions-wh.patch
+perf-annotate-data-fix-off-by-one-in-location-range-.patch
+perf-dwarf-aux-handle-bitfield-members-from-pointer-.patch
+perf-sched-timehist-fixed-timestamp-error-when-unabl.patch
+perf-time-utils-fix-32-bit-nsec-parsing.patch
+perf-mem-check-mem_events-for-all-eligible-pmus.patch
+perf-mem-fix-missed-p-core-mem-events-on-adl-and-rpl.patch
+clk-imx-clk-audiomix-correct-parent-clock-for-earc_p.patch
+clk-imx-imx6ul-fix-default-parent-for-enet-_ref_sel.patch
+clk-imx-composite-8m-enable-gate-clk-with-mcore_boot.patch
+clk-imx-composite-93-keep-root-clock-on-when-mcore-e.patch
+clk-imx-composite-7ulp-check-the-pcc-present-bit.patch
+clk-imx-fracn-gppll-fix-fractional-part-of-pll-getti.patch
+clk-imx-imx8mp-fix-clock-tree-update-of-tf-a-managed.patch
+clk-imx-imx8qxp-register-dc0_bypass0_clk-before-disp.patch
+clk-imx-imx8qxp-parent-should-be-initialized-earlier.patch
+quota-avoid-missing-put_quota_format-when-dquot_susp.patch
+remoteproc-imx_rproc-correct-ddr-alias-for-i.mx8m.patch
+remoteproc-imx_rproc-initialize-workqueue-earlier.patch
+clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch
+clk-qcom-dispcc-sm8550-fix-several-supposed-typos.patch
+clk-qcom-dispcc-sm8550-use-rcg2_ops-for-mdss_dptx1_a.patch
+clk-qcom-dispcc-sm8650-update-the-gdsc-flags.patch
+clk-qcom-dispcc-sm8550-use-rcg2_shared_ops-for-esc-r.patch
+leds-bd2606mvv-fix-device-child-node-usage-in-bd2606.patch
+pinctrl-ti-iodelay-use-scope-based-of_node_put-clean.patch
+pinctrl-ti-ti-iodelay-fix-some-error-handling-paths.patch
+phy-phy-rockchip-samsung-hdptx-explicitly-include-pm.patch
+input-ilitek_ts_i2c-avoid-wrong-input-subsystem-sync.patch
+input-ilitek_ts_i2c-add-report-id-message-validation.patch
+drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch
+drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch
+pci-wait-for-link-before-restoring-downstream-buses.patch
+firewire-core-correct-range-of-block-for-case-of-swi.patch
+pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch
+media-staging-media-starfive-camss-drop-obsolete-ret.patch
+clk-qcom-ipq5332-register-gcc_qdss_tsctr_clk_src.patch
+clk-qcom-dispcc-sm8250-use-special-function-for-luci.patch
+leds-leds-pca995x-add-support-for-nxp-pca9956b.patch
+leds-pca995x-use-device_for_each_child_node-to-acces.patch
+leds-pca995x-fix-device-child-node-usage-in-pca995x_.patch
+x86-pci-check-pcie_find_root_port-return-for-null.patch
+nvdimm-fix-devs-leaks-in-scan_labels.patch
+pci-xilinx-nwl-fix-register-misspelling.patch
+pci-xilinx-nwl-clean-up-clock-on-probe-failure-remov.patch
+leds-gpio-set-num_leds-after-allocation.patch
+media-platform-rzg2l-cru-rzg2l-csi2-add-missing-modu.patch
+rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch
+pinctrl-single-fix-missing-error-code-in-pcs_probe.patch
+clk-at91-sama7g5-allocate-only-the-needed-amount-of-.patch
+iommufd-selftest-fix-buffer-read-overrrun-in-the-dir.patch
+media-mediatek-vcodec-fix-h264-multi-stateless-decod.patch
+media-mediatek-vcodec-fix-vp8-stateless-decoder-smat.patch
+media-mediatek-vcodec-fix-h264-stateless-decoder-sma.patch
+rdma-rtrs-reset-hb_missed_cnt-after-receiving-other-.patch
+rdma-rtrs-clt-reset-cid-to-con_num-1-to-stay-in-boun.patch
+clk-ti-dra7-atl-fix-leak-of-of_nodes.patch
+clk-starfive-use-pm_runtime_resume_and_get-to-fix-pm.patch
+clk-rockchip-rk3588-fix-32k-clock-name-for-pmu_24m_3.patch
+nfsd-remove-unneeded-eexist-error-check-in-nfsd_do_f.patch
+nfsd-fix-refcount-leak-when-file-is-unhashed-after-b.patch
+pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch
+ib-core-fix-ib_cache_setup_one-error-flow-cleanup.patch
+dt-bindings-pci-layerscape-pci-replace-fsl-lx2160a-p.patch
+iommufd-check-the-domain-owner-of-the-parent-before-.patch
+pci-kirin-fix-buffer-overflow-in-kirin_pcie_parse_po.patch
+rdma-erdma-return-qp-state-in-erdma_query_qp.patch
+rdma-mlx5-fix-counter-update-on-mr-cache-mkey-creati.patch
+rdma-mlx5-limit-usage-of-over-sized-mkeys-from-the-m.patch
+rdma-mlx5-drop-redundant-work-canceling-from-clean_k.patch
+rdma-mlx5-fix-mr-cache-temp-entries-cleanup.patch
+watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch
+rdma-hns-don-t-modify-rq-next-block-addr-in-hip09-qp.patch
+rdma-hns-fix-use-after-free-of-rsv_qp-on-hip08.patch
+rdma-hns-fix-the-overflow-risk-of-hem_list_calc_ba_r.patch
+rdma-hns-fix-spin_unlock_irqrestore-called-with-irqs.patch
+rdma-hns-fix-vf-triggering-pf-reset-in-abnormal-inte.patch
+rdma-hns-fix-1bit-ecc-recovery-address-in-non-4k-os.patch
+rdma-hns-optimize-hem-allocation-performance.patch
+rdma-hns-fix-restricted-__le16-degrades-to-integer-i.patch
+rdma-mlx5-obtain-upper-net-device-only-when-needed.patch
+pci-qcom-ep-enable-controller-resources-like-phy-onl.patch
+input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch
+riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch
+rdma-hns-fix-ah-error-counter-in-sw-stat-not-increas.patch
+rdma-cxgb4-added-null-check-for-lookup_atid.patch
+rdma-irdma-fix-error-message-in-irdma_modify_qp_roce.patch
+ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch
+ntb_perf-fix-printk-format.patch
+ntb-force-physically-contiguous-allocation-of-rx-rin.patch
+nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch
+nfsd-return-einval-when-namelen-is-0.patch
+nfsd-untangle-code-in-nfsd4_deleg_getattr_conflict.patch
+nfsd-fix-initial-getattr-on-write-delegation.patch
+crypto-caam-pad-sg-length-when-allocating-hash-edesc.patch
+crypto-powerpc-p10-aes-gcm-disable-crypto_aes_gcm_p1.patch
+f2fs-atomic-fix-to-avoid-racing-w-gc.patch
+f2fs-reduce-expensive-checkpoint-trigger-frequency.patch
+f2fs-fix-to-avoid-racing-in-between-read-and-opu-dio.patch
+f2fs-create-cow-inode-from-parent-dentry-for-atomic-.patch
+f2fs-fix-to-wait-page-writeback-before-setting-gcing.patch
+f2fs-atomic-fix-to-truncate-pagecache-before-on-disk.patch
+f2fs-fix-to-avoid-use-after-free-in-f2fs_stop_gc_thr.patch
+f2fs-compress-don-t-redirty-sparse-cluster-during-de.patch
+f2fs-prevent-atomic-file-from-being-dirtied-before-c.patch
+f2fs-get-rid-of-online-repaire-on-corrupted-director.patch
+f2fs-fix-to-don-t-set-sb_rdonly-in-f2fs_handle_criti.patch
+spi-airoha-fix-dirmap_-read-write-operations.patch
+spi-airoha-fix-airoha_snand_-write-read-_data-data_l.patch
+spi-atmel-quadspi-undo-runtime-pm-changes-at-driver-.patch
+spi-spi-fsl-lpspi-undo-runtime-pm-changes-at-driver-.patch
+lib-sbitmap-define-swap_lock-as-raw_spinlock_t.patch
+spi-airoha-remove-read-cache-in-airoha_snand_dirmap_.patch
+spi-atmel-quadspi-avoid-overwriting-delay-register-s.patch
+nvme-multipath-system-fails-to-create-generic-nvme-d.patch
+iio-adc-ad7606-fix-oversampling-gpio-array.patch
+iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch
+usb-dwc2-skip-clock-gating-on-broadcom-socs.patch
+driver-core-fix-error-handling-in-driver-api-device_.patch
+abi-testing-fix-admv8818-attr-description.patch
+iio-chemical-bme680-fix-read-write-ops-to-device-by-.patch
+iio-magnetometer-ak8975-drop-incorrect-ak09116-compa.patch
+dt-bindings-iio-asahi-kasei-ak8975-drop-incorrect-ak.patch
+driver-core-fix-a-potential-null-ptr-deref-in-module.patch
+serial-8250-omap-cleanup-on-error-in-request_irq.patch
+coresight-set-correct-cs_mode-for-tpdm-to-fix-disabl.patch
+coresight-set-correct-cs_mode-for-dummy-source-to-fi.patch
+coresight-tmc-sg-do-not-leak-sg_table.patch
+interconnect-icc-clk-add-missed-num_nodes-initializa.patch
+interconnect-qcom-sm8250-enable-sync_state.patch
+cxl-pci-fix-to-record-only-non-zero-ranges.patch
+vdpa-mlx5-fix-invalid-mr-resource-destroy.patch
+vhost_vdpa-assign-irq-bypass-producer-token-correctl.patch
+ep93xx-clock-fix-off-by-one-in-ep93xx_div_recalc_rat.patch
+revert-dm-requeue-io-if-mapping-table-not-yet-availa.patch
+net-xilinx-axienet-schedule-napi-in-two-steps.patch
+net-xilinx-axienet-fix-packet-counting.patch
+netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch
+net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch
+net-ipv6-select-dst_cache-from-ipv6_rpl_lwtunnel.patch
+tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch
+net-qrtr-update-packets-cloning-when-broadcasting.patch
+net-ravb-fix-r-car-rx-frame-size-limit.patch
+bonding-fix-unnecessary-warnings-and-logs-from-bond_.patch
+virtio_net-fix-mismatched-buf-address-when-unmapping.patch
+net-stmmac-set-pp_flag_dma_sync_dev-only-if-xdp-is-e.patch
+netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch
+netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch
+netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch
+netfilter-nf_tables-missing-objects-with-no-memcg-ac.patch
+selftests-netfilter-avoid-hanging-ipvs.sh.patch
--- /dev/null
+From faa0cf887eb8d761f992bfa0a1187e23d12a2bf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 08:47:26 +0000
+Subject: smackfs: Use rcu_assign_pointer() to ensure safe assignment in
+ smk_set_cipso
+
+From: Jiawei Ye <jiawei.ye@foxmail.com>
+
+[ Upstream commit 2749749afa071f8a0e405605de9da615e771a7ce ]
+
+In the `smk_set_cipso` function, the `skp->smk_netlabel.attr.mls.cat`
+field is directly assigned to a new value without using the appropriate
+RCU pointer assignment functions. According to RCU usage rules, this is
+illegal and can lead to unpredictable behavior, including data
+inconsistencies and impossible-to-diagnose memory corruption issues.
+
+This possible bug was identified using a static analysis tool developed
+by myself, specifically designed to detect RCU-related issues.
+
+To address this, the assignment is now done using rcu_assign_pointer(),
+which ensures that the pointer assignment is done safely, with the
+necessary memory barriers and synchronization. This change prevents
+potential RCU dereference issues by ensuring that the `cat` field is
+safely updated while still adhering to RCU's requirements.
+
+Fixes: 0817534ff9ea ("smackfs: Fix use-after-free in netlbl_catmap_walk()")
+Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index e22aad7604e8a..5dd1e164f9b13 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -932,7 +932,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ }
+ if (rc >= 0) {
+ old_cat = skp->smk_netlabel.attr.mls.cat;
+- skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
++ rcu_assign_pointer(skp->smk_netlabel.attr.mls.cat, ncats.attr.mls.cat);
+ skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
+ synchronize_rcu();
+ netlbl_catmap_free(old_cat);
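Review bot: The plain store to `skp->smk_netlabel.attr.mls.lvl` on the line after the new rcu_assign_pointer() is not ordered with the publish, so a reader in an RCU read-side section could briefly pair the new category map with the old level. Whether that matters depends on the readers and on whatever serialises writers, neither of which is visible in this hunk. The barrier also only helps if the read side uses a matching rcu_dereference(). I would record the contract next to the assignment, e.g. `/* cat is RCU-published; lvl is stored separately, readers may see a mixed cat/lvl pair */`. smk_set_cipso's body starts and ends outside the hunk.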
+--
+2.43.0
+
--- /dev/null
+From 9868a02ad1fd1edb0ce98acb4d00b42dc50337da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 15:44:49 +0000
+Subject: sock_map: Add a cond_resched() in sock_hash_free()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b1339be951ad31947ae19bc25cb08769bf255100 ]
+
+Several syzbot soft lockup reports all have in common sock_hash_free()
+
+If a map with a large number of buckets is destroyed, we need to yield
+the cpu when needed.
+
+Fixes: 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20240906154449.3742932-1-edumazet@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock_map.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index d3dbb92153f2f..724b6856fcc3e 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -1183,6 +1183,7 @@ static void sock_hash_free(struct bpf_map *map)
+ sock_put(elem->sk);
+ sock_hash_free_elem(htab, elem);
+ }
++ cond_resched();
+ }
+
+ /* wait for psock readers accessing its map link */
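Review bot: The added `cond_resched()` has no comment, and nothing in the hunk shows why a reschedule point is safe at this spot. From the visible lines it sits after the per-bucket element loop closes, presumably once per bucket and with the bucket lock already dropped, but the lock and unlock calls are outside the hunk. A one-line comment would keep a later refactor from moving it under the lock or removing it, e.g. `/* large maps: yield between buckets to avoid soft lockups on teardown */`. sock_hash_free's body starts and ends outside the hunk.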
+--
+2.43.0
+
--- /dev/null
+From fc65902ee6ddbf2621d047b457b6fb2616ada8b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 23:07:14 +0200
+Subject: spi: airoha: fix airoha_snand_{write,read}_data data_len estimation
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 0e58637eb968c636725dcd6c7055249b4e5326fb ]
+
+Fix data length written and read in airoha_snand_write_data and
+airoha_snand_read_data routines respectively if it is bigger than
+SPI_MAX_TRANSFER_SIZE.
+
+Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver")
+Tested-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20240913-airoha-spi-fixes-v1-2-de2e74ed4664@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-airoha-snfi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-airoha-snfi.c b/drivers/spi/spi-airoha-snfi.c
+index be3e4ac42153e..c71be702cf6f6 100644
+--- a/drivers/spi/spi-airoha-snfi.c
++++ b/drivers/spi/spi-airoha-snfi.c
+@@ -405,7 +405,7 @@ static int airoha_snand_write_data(struct airoha_snand_ctrl *as_ctrl, u8 cmd,
+ for (i = 0; i < len; i += data_len) {
+ int err;
+
+- data_len = min(len, SPI_MAX_TRANSFER_SIZE);
++ data_len = min(len - i, SPI_MAX_TRANSFER_SIZE);
+ err = airoha_snand_set_fifo_op(as_ctrl, cmd, data_len);
+ if (err)
+ return err;
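Review bot: The corrected `min(len - i, SPI_MAX_TRANSFER_SIZE)` is what keeps the final chunk inside the caller's buffer, but neither loop says so, and the same applies to the airoha_snand_read_data hunk below. With the old expression, a `len` above the maximum that was not a multiple of it made the last iteration request a full-size transfer past the remaining bytes. I would state the invariant at the assignment in both loops: `/* never transfer more than the bytes still remaining in data[] */`. The declarations of `len`, `i` and `data_len` are outside the hunks, so it is worth confirming they share one signed type, which the kernel's type-checked min() expects. Both function bodies continue outside their hunks.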
+@@ -427,7 +427,7 @@ static int airoha_snand_read_data(struct airoha_snand_ctrl *as_ctrl, u8 *data,
+ for (i = 0; i < len; i += data_len) {
+ int err;
+
+- data_len = min(len, SPI_MAX_TRANSFER_SIZE);
++ data_len = min(len - i, SPI_MAX_TRANSFER_SIZE);
+ err = airoha_snand_set_fifo_op(as_ctrl, 0xc, data_len);
+ if (err)
+ return err;
+--
+2.43.0
+
--- /dev/null
+From 3aafb7587f961f3fc9a63b67aa348c334619f294 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 23:07:13 +0200
+Subject: spi: airoha: fix dirmap_{read,write} operations
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 2e6bbfe7b0c0607001b784082c2685b134174fac ]
+
+SPI_NFI_READ_FROM_CACHE_DONE bit must be written at the end of
+dirmap_read operation even if it is already set.
+In the same way, SPI_NFI_LOAD_TO_CACHE_DONE bit must be written at the
+end of dirmap_write operation even if it is already set.
+For this reason use regmap_write_bits() instead of regmap_set_bits().
+This patch fixes mtd_pagetest kernel module test.
+
+Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver")
+Tested-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20240913-airoha-spi-fixes-v1-1-de2e74ed4664@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-airoha-snfi.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-airoha-snfi.c b/drivers/spi/spi-airoha-snfi.c
+index 9d97ec98881cc..be3e4ac42153e 100644
+--- a/drivers/spi/spi-airoha-snfi.c
++++ b/drivers/spi/spi-airoha-snfi.c
+@@ -739,8 +739,13 @@ static ssize_t airoha_snand_dirmap_read(struct spi_mem_dirmap_desc *desc,
+ if (err)
+ return err;
+
+- err = regmap_set_bits(as_ctrl->regmap_nfi, REG_SPI_NFI_SNF_STA_CTL1,
+- SPI_NFI_READ_FROM_CACHE_DONE);
++ /*
++ * SPI_NFI_READ_FROM_CACHE_DONE bit must be written at the end
++ * of dirmap_read operation even if it is already set.
++ */
++ err = regmap_write_bits(as_ctrl->regmap_nfi, REG_SPI_NFI_SNF_STA_CTL1,
++ SPI_NFI_READ_FROM_CACHE_DONE,
++ SPI_NFI_READ_FROM_CACHE_DONE);
+ if (err)
+ return err;
+
+@@ -870,8 +875,13 @@ static ssize_t airoha_snand_dirmap_write(struct spi_mem_dirmap_desc *desc,
+ if (err)
+ return err;
+
+- err = regmap_set_bits(as_ctrl->regmap_nfi, REG_SPI_NFI_SNF_STA_CTL1,
+- SPI_NFI_LOAD_TO_CACHE_DONE);
++ /*
++ * SPI_NFI_LOAD_TO_CACHE_DONE bit must be written at the end
++ * of dirmap_write operation even if it is already set.
++ */
++ err = regmap_write_bits(as_ctrl->regmap_nfi, REG_SPI_NFI_SNF_STA_CTL1,
++ SPI_NFI_LOAD_TO_CACHE_DONE,
++ SPI_NFI_LOAD_TO_CACHE_DONE);
+ if (err)
+ return err;
+
+--
+2.43.0
+
--- /dev/null
+From e9ba57a3fc070b89fbcced9dc9c012adaa0ce54d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 18:57:16 +0200
+Subject: spi: airoha: remove read cache in airoha_snand_dirmap_read()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit fffca269e4f31c3633c6d810833ba1b184407915 ]
+
+Current upstream driver reports errors running mtd_oobtest kernel module
+test:
+
+root@OpenWrt:/# insmod mtd_test.ko
+root@OpenWrt:/# insmod mtd_oobtest.ko dev=5
+[ 7023.730584] =================================================
+[ 7023.736399] mtd_oobtest: MTD device: 5
+[ 7023.740160] mtd_oobtest: MTD device size 3670016, eraseblock size 131072, page size 2048, count of eraseblocks 28, pages per eraseblock 64, OOB size 128
+[ 7023.753837] mtd_test: scanning for bad eraseblocks
+[ 7023.758636] mtd_test: scanned 28 eraseblocks, 0 are bad
+[ 7023.763861] mtd_oobtest: test 1 of 5
+[ 7024.042076] mtd_oobtest: writing OOBs of whole device
+[ 7024.682069] mtd_oobtest: written up to eraseblock 0
+[ 7041.962077] mtd_oobtest: written 28 eraseblocks
+[ 7041.966626] mtd_oobtest: verifying all eraseblocks
+[ 7041.972276] mtd_oobtest: error @addr[0x0:0x0] 0xff -> 0xe diff 0xf1
+[ 7041.978550] mtd_oobtest: error @addr[0x0:0x1] 0xff -> 0x10 diff 0xef
+[ 7041.984932] mtd_oobtest: error @addr[0x0:0x2] 0xff -> 0x82 diff 0x7d
+[ 7041.991293] mtd_oobtest: error @addr[0x0:0x3] 0xff -> 0x10 diff 0xef
+[ 7041.997659] mtd_oobtest: error @addr[0x0:0x4] 0xff -> 0x0 diff 0xff
+[ 7042.003942] mtd_oobtest: error @addr[0x0:0x5] 0xff -> 0x8a diff 0x75
+[ 7042.010294] mtd_oobtest: error @addr[0x0:0x6] 0xff -> 0x20 diff 0xdf
+[ 7042.016659] mtd_oobtest: error @addr[0x0:0x7] 0xff -> 0x1 diff 0xfe
+[ 7042.022935] mtd_oobtest: error @addr[0x0:0x8] 0xff -> 0x2e diff 0xd1
+[ 7042.029295] mtd_oobtest: error @addr[0x0:0x9] 0xff -> 0x40 diff 0xbf
+[ 7042.035661] mtd_oobtest: error @addr[0x0:0xa] 0xff -> 0x0 diff 0xff
+[ 7042.041935] mtd_oobtest: error @addr[0x0:0xb] 0xff -> 0x89 diff 0x76
+[ 7042.048300] mtd_oobtest: error @addr[0x0:0xc] 0xff -> 0x82 diff 0x7d
+[ 7042.054662] mtd_oobtest: error @addr[0x0:0xd] 0xff -> 0x15 diff 0xea
+[ 7042.061014] mtd_oobtest: error @addr[0x0:0xe] 0xff -> 0x90 diff 0x6f
+[ 7042.067380] mtd_oobtest: error @addr[0x0:0xf] 0xff -> 0x0 diff 0xff
+....
+[ 7432.421369] mtd_oobtest: error @addr[0x237800:0x36] 0xff -> 0x5f diff 0xa0
+[ 7432.428242] mtd_oobtest: error @addr[0x237800:0x37] 0xff -> 0x21 diff 0xde
+[ 7432.435118] mtd_oobtest: error: verify failed at 0x237800
+[ 7432.440510] mtd_oobtest: error: too many errors
+[ 7432.445053] mtd_oobtest: error -1 occurred
+
+The above errors are due to the buggy logic in the 'read cache' available
+in airoha_snand_dirmap_read() routine since there are some corner cases
+where we are missing data updates. Since we do not get any read/write speed
+improvement using the cache (according to the mtd_speedtest kernel
+module test), in order to fix the mtd_oobtest test, remove the 'read cache'
+in airoha_snand_dirmap_read routine. Now the driver is passing all the
+tests available in mtd_test suite.
+
+Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver")
+Tested-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20240919-airoha-spi-fixes-v2-1-cb0f0ed9920a@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-airoha-snfi.c | 21 ---------------------
+ 1 file changed, 21 deletions(-)
+
+diff --git a/drivers/spi/spi-airoha-snfi.c b/drivers/spi/spi-airoha-snfi.c
+index c71be702cf6f6..94458df53eae2 100644
+--- a/drivers/spi/spi-airoha-snfi.c
++++ b/drivers/spi/spi-airoha-snfi.c
+@@ -211,9 +211,6 @@ struct airoha_snand_dev {
+
+ u8 *txrx_buf;
+ dma_addr_t dma_addr;
+-
+- u64 cur_page_num;
+- bool data_need_update;
+ };
+
+ struct airoha_snand_ctrl {
+@@ -644,11 +641,6 @@ static ssize_t airoha_snand_dirmap_read(struct spi_mem_dirmap_desc *desc,
+ u32 val, rd_mode;
+ int err;
+
+- if (!as_dev->data_need_update)
+- return len;
+-
+- as_dev->data_need_update = false;
+-
+ switch (op->cmd.opcode) {
+ case SPI_NAND_OP_READ_FROM_CACHE_DUAL:
+ rd_mode = 1;
+@@ -895,23 +887,11 @@ static ssize_t airoha_snand_dirmap_write(struct spi_mem_dirmap_desc *desc,
+ static int airoha_snand_exec_op(struct spi_mem *mem,
+ const struct spi_mem_op *op)
+ {
+- struct airoha_snand_dev *as_dev = spi_get_ctldata(mem->spi);
+ u8 data[8], cmd, opcode = op->cmd.opcode;
+ struct airoha_snand_ctrl *as_ctrl;
+ int i, err;
+
+ as_ctrl = spi_controller_get_devdata(mem->spi->controller);
+- if (opcode == SPI_NAND_OP_PROGRAM_EXECUTE &&
+- op->addr.val == as_dev->cur_page_num) {
+- as_dev->data_need_update = true;
+- } else if (opcode == SPI_NAND_OP_PAGE_READ) {
+- if (!as_dev->data_need_update &&
+- op->addr.val == as_dev->cur_page_num)
+- return 0;
+-
+- as_dev->data_need_update = true;
+- as_dev->cur_page_num = op->addr.val;
+- }
+
+ /* switch to manual mode */
+ err = airoha_snand_set_mode(as_ctrl, SPI_MODE_MANUAL);
+@@ -996,7 +976,6 @@ static int airoha_snand_setup(struct spi_device *spi)
+ if (dma_mapping_error(as_ctrl->dev, as_dev->dma_addr))
+ return -ENOMEM;
+
+- as_dev->data_need_update = true;
+ spi_set_ctldata(spi, as_dev);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From aa8d941764d3a2cd5c0a3527e9171a8f3e7950b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 10:27:43 +0200
+Subject: spi: atmel-quadspi: Avoid overwriting delay register settings
+
+From: Alexander Dahl <ada@thorsis.com>
+
+[ Upstream commit 329ca3eed4a9a161515a8714be6ba182321385c7 ]
+
+Previously the MR and SCR registers were just set with the supposedly
+required values, from cached register values (cached reg content
+initialized to zero).
+
+All parts fixed here did not consider the current register (cache)
+content, which would make future support of cs_setup, cs_hold, and
+cs_inactive impossible.
+
+Setting SCBR in atmel_qspi_setup() erases a possible DLYBS setting from
+atmel_qspi_set_cs_timing(). The DLYBS setting is applied by ORing over
+the current setting, without resetting the bits first. All writes to MR
+did not consider possible settings of DLYCS and DLYBCT.
+
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
+Fixes: f732646d0ccd ("spi: atmel-quadspi: Add support for configuring CS timing")
+Link: https://patch.msgid.link/20240918082744.379610-2-ada@thorsis.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/atmel-quadspi.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c
+index 466c01b31123b..b557ce94da209 100644
+--- a/drivers/spi/atmel-quadspi.c
++++ b/drivers/spi/atmel-quadspi.c
+@@ -375,9 +375,9 @@ static int atmel_qspi_set_cfg(struct atmel_qspi *aq,
+ * If the QSPI controller is set in regular SPI mode, set it in
+ * Serial Memory Mode (SMM).
+ */
+- if (aq->mr != QSPI_MR_SMM) {
+- atmel_qspi_write(QSPI_MR_SMM, aq, QSPI_MR);
+- aq->mr = QSPI_MR_SMM;
++ if (!(aq->mr & QSPI_MR_SMM)) {
++ aq->mr |= QSPI_MR_SMM;
++ atmel_qspi_write(aq->scr, aq, QSPI_MR);
+ }
+
+ /* Clear pending interrupts */
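Review bot: The added write in atmel_qspi_set_cfg passes `aq->scr` to the QSPI_MR register, so the mode register is programmed with the cached serial-clock value rather than the mode value updated on the line before. The atmel_qspi_init hunk of this same patch writes `aq->mr` to QSPI_MR, which is what this line should do as well: `atmel_qspi_write(aq->mr, aq, QSPI_MR);`. As written, whenever this branch runs MR receives the baud-rate and delay bits from SCR, and the SMM bit just set in the cache may never reach the hardware. atmel_qspi_set_cfg's body starts and ends outside the hunk.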
+@@ -501,7 +501,8 @@ static int atmel_qspi_setup(struct spi_device *spi)
+ if (ret < 0)
+ return ret;
+
+- aq->scr = QSPI_SCR_SCBR(scbr);
++ aq->scr &= ~QSPI_SCR_SCBR_MASK;
++ aq->scr |= QSPI_SCR_SCBR(scbr);
+ atmel_qspi_write(aq->scr, aq, QSPI_SCR);
+
+ pm_runtime_mark_last_busy(ctrl->dev.parent);
+@@ -534,6 +535,7 @@ static int atmel_qspi_set_cs_timing(struct spi_device *spi)
+ if (ret < 0)
+ return ret;
+
++ aq->scr &= ~QSPI_SCR_DLYBS_MASK;
+ aq->scr |= QSPI_SCR_DLYBS(cs_setup);
+ atmel_qspi_write(aq->scr, aq, QSPI_SCR);
+
+@@ -549,8 +551,8 @@ static void atmel_qspi_init(struct atmel_qspi *aq)
+ atmel_qspi_write(QSPI_CR_SWRST, aq, QSPI_CR);
+
+ /* Set the QSPI controller by default in Serial Memory Mode */
+- atmel_qspi_write(QSPI_MR_SMM, aq, QSPI_MR);
+- aq->mr = QSPI_MR_SMM;
++ aq->mr |= QSPI_MR_SMM;
++ atmel_qspi_write(aq->mr, aq, QSPI_MR);
+
+ /* Enable the QSPI controller */
+ atmel_qspi_write(QSPI_CR_QSPIEN, aq, QSPI_CR);
+--
+2.43.0
+
--- /dev/null
+From 0272983f4dc99f93104c70cb3e906303cc838e34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 10:39:56 +0800
+Subject: spi: atmel-quadspi: Undo runtime PM changes at driver exit time
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 438efb23f9581659495b85f1f6c7d5946200660c ]
+
+It's important to undo pm_runtime_use_autosuspend() with
+pm_runtime_dont_use_autosuspend() at driver exit time unless driver
+initially enabled pm_runtime with devm_pm_runtime_enable()
+(which handles it for you).
+
+Hence, call pm_runtime_dont_use_autosuspend() at driver exit time
+to fix it.
+
+Fixes: 4a2f83b7f780 ("spi: atmel-quadspi: add runtime pm support")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20240906023956.1004440-1-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/atmel-quadspi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c
+index 5aaff3bee1b78..466c01b31123b 100644
+--- a/drivers/spi/atmel-quadspi.c
++++ b/drivers/spi/atmel-quadspi.c
+@@ -726,6 +726,7 @@ static void atmel_qspi_remove(struct platform_device *pdev)
+ clk_unprepare(aq->pclk);
+
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+ }
+
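Review bot: `pm_runtime_dont_use_autosuspend()` is added after `pm_runtime_disable()` here, whereas the spi-fsl-lpspi patch on this page adds it before the disable. As far as I recall, the cleanup behind devm_pm_runtime_enable() also undoes autosuspend first. The end state is probably the same, but matching the usual teardown order is easier to audit: `pm_runtime_dont_use_autosuspend(&pdev->dev);` followed by `pm_runtime_disable(&pdev->dev);`. atmel_qspi_remove's body starts outside the hunk.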
+--
+2.43.0
+
--- /dev/null
+From 32c7a8c2c003fa96ab400ee94d72fbdfa947c000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 20:49:02 +0800
+Subject: spi: bcmbca-hsspi: Fix missing pm_runtime_disable()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 4439a2e92cb89028b22c5d7ba1b99e75d7d889f6 ]
+
+The pm_runtime_disable() is missing in remove function, use
+devm_pm_runtime_enable() to fix it. So the pm_runtime_disable() in
+the probe error path can also be removed.
+
+Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Link: https://patch.msgid.link/20240826124903.3429235-2-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcmbca-hsspi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-bcmbca-hsspi.c b/drivers/spi/spi-bcmbca-hsspi.c
+index 9f64afd8164ea..4965bc86d7f52 100644
+--- a/drivers/spi/spi-bcmbca-hsspi.c
++++ b/drivers/spi/spi-bcmbca-hsspi.c
+@@ -546,12 +546,14 @@ static int bcmbca_hsspi_probe(struct platform_device *pdev)
+ goto out_put_host;
+ }
+
+- pm_runtime_enable(&pdev->dev);
++ ret = devm_pm_runtime_enable(&pdev->dev);
++ if (ret)
++ goto out_put_host;
+
+ ret = sysfs_create_group(&pdev->dev.kobj, &bcmbca_hsspi_group);
+ if (ret) {
+ dev_err(&pdev->dev, "couldn't register sysfs group\n");
+- goto out_pm_disable;
++ goto out_put_host;
+ }
+
+ /* register and we are done */
+@@ -565,8 +567,6 @@ static int bcmbca_hsspi_probe(struct platform_device *pdev)
+
+ out_sysgroup_disable:
+ sysfs_remove_group(&pdev->dev.kobj, &bcmbca_hsspi_group);
+-out_pm_disable:
+- pm_runtime_disable(&pdev->dev);
+ out_put_host:
+ spi_controller_put(host);
+ out_disable_pll_clk:
+--
+2.43.0
+
--- /dev/null
+From bc9d47c70fd6d0688ab5279741bd30aa4ead34f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 17:45:12 +0300
+Subject: spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7781f1d120fec8624fc654eda900fc8748262082 ]
+
+0 is incorrect error code when failed to parse and map IRQ.
+Replace OF specific old API for IRQ retrieval with a generic
+one to fix this issue.
+
+Fixes: 0f245463b01e ("spi: ppc4xx: handle irq_of_parse_and_map() errors")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/20240814144525.2648450-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ppc4xx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c
+index 01fdecbf132d6..8f6309f32de0b 100644
+--- a/drivers/spi/spi-ppc4xx.c
++++ b/drivers/spi/spi-ppc4xx.c
+@@ -27,7 +27,6 @@
+ #include <linux/wait.h>
+ #include <linux/platform_device.h>
+ #include <linux/of_address.h>
+-#include <linux/of_irq.h>
+ #include <linux/of_platform.h>
+ #include <linux/interrupt.h>
+ #include <linux/delay.h>
+@@ -412,9 +411,10 @@ static int spi_ppc4xx_of_probe(struct platform_device *op)
+ }
+
+ /* Request IRQ */
+- hw->irqnum = irq_of_parse_and_map(np, 0);
+- if (hw->irqnum <= 0)
++ ret = platform_get_irq(op, 0);
++ if (ret < 0)
+ goto free_host;
++ hw->irqnum = ret;
+
+ ret = request_irq(hw->irqnum, spi_ppc4xx_int,
+ 0, "spi_ppc4xx_of", (void *)hw);
+--
+2.43.0
+
--- /dev/null
+From 4b1060d6ec7e267c3b1465a2dc5354e060b3426f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 16:40:47 +0800
+Subject: spi: ppc4xx: handle irq_of_parse_and_map() errors
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+[ Upstream commit 0f245463b01ea254ae90e1d0389e90b0e7d8dc75 ]
+
+Zero and negative number is not a valid IRQ for in-kernel code and the
+irq_of_parse_and_map() function returns zero on error. So this check for
+valid IRQs should only accept values > 0.
+
+Fixes: 44dab88e7cc9 ("spi: add spi_ppc4xx driver")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20240724084047.1506084-1-make24@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ppc4xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c
+index 942c3117ab3a9..01fdecbf132d6 100644
+--- a/drivers/spi/spi-ppc4xx.c
++++ b/drivers/spi/spi-ppc4xx.c
+@@ -413,6 +413,9 @@ static int spi_ppc4xx_of_probe(struct platform_device *op)
+
+ /* Request IRQ */
+ hw->irqnum = irq_of_parse_and_map(np, 0);
++ if (hw->irqnum <= 0)
++ goto free_host;
++
+ ret = request_irq(hw->irqnum, spi_ppc4xx_int,
+ 0, "spi_ppc4xx_of", (void *)hw);
+ if (ret) {
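Review bot: The added `goto free_host` leaves `ret` unassigned on this path, so probe returns whatever `ret` held from earlier code outside the hunk. The subject of the other ppc4xx patch on this page ("Avoid returning 0 when failed to parse and map IRQ") suggests that value can be 0, in which case probe reports success after dropping the host. This patch should either set an error first, e.g. `ret = -EINVAL;` before the goto, or only be queued together with that follow-up. The type of `hw->irqnum` is also not visible. If it is unsigned, `<= 0` can only ever match 0. spi_ppc4xx_of_probe's body starts and ends outside the hunk.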
+--
+2.43.0
+
--- /dev/null
+From e409a2b224477d358a6df37a83ce367684514018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 10:12:51 +0800
+Subject: spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 3b577de206d52dbde9428664b6d823d35a803d75 ]
+
+It's important to undo pm_runtime_use_autosuspend() with
+pm_runtime_dont_use_autosuspend() at driver exit time unless driver
+initially enabled pm_runtime with devm_pm_runtime_enable()
+(which handles it for you).
+
+Hence, call pm_runtime_dont_use_autosuspend() at driver exit time
+to fix it.
+
+Fixes: 944c01a889d9 ("spi: lpspi: enable runtime pm for lpspi")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20240906021251.610462-1-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-lpspi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
+index d2f603e1014cf..e235df4177f96 100644
+--- a/drivers/spi/spi-fsl-lpspi.c
++++ b/drivers/spi/spi-fsl-lpspi.c
+@@ -986,6 +986,7 @@ static void fsl_lpspi_remove(struct platform_device *pdev)
+
+ fsl_lpspi_dma_exit(controller);
+
++ pm_runtime_dont_use_autosuspend(fsl_lpspi->dev);
+ pm_runtime_disable(fsl_lpspi->dev);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3ebabe76f931aff27d2e9e09ac8d772038ac8fef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 15:08:22 -0400
+Subject: tcp: check skb is non-NULL in tcp_rto_delta_us()
+
+From: Josh Hunt <johunt@akamai.com>
+
+[ Upstream commit c8770db2d54437a5f49417ae7b46f7de23d14db6 ]
+
+We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
+kernel that are running ceph and recently hit a null ptr dereference in
+tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also
+saw it getting hit from the RACK case as well. Here are examples of the oops
+messages we saw in each of those cases:
+
+Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
+Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
+Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
+Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
+Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
+Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
+Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
+Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
+Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
+Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
+Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
+Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
+Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
+Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
+Jul 26 15:05:02 rx [11061395.916786] Call Trace:
+Jul 26 15:05:02 rx [11061395.919488]
+Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
+Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
+Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
+Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
+Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
+Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
+Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
+Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
+Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
+Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
+Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
+Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
+Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
+Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
+Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
+Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
+Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
+Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
+Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
+Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
+Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_event+0x21/0x30
+Jul 26 15:05:02 rx [11061396.021984] ? clockevents_program_event+0x8f/0xe0
+Jul 26 15:05:02 rx [11061396.027035] run_timer_softirq+0x2a/0x50
+Jul 26 15:05:02 rx [11061396.031212] __do_softirq+0xd1/0x2c1
+Jul 26 15:05:02 rx [11061396.035044] do_softirq_own_stack+0x2a/0x40
+Jul 26 15:05:02 rx [11061396.039480]
+Jul 26 15:05:02 rx [11061396.041840] do_softirq.part.0+0x46/0x50
+Jul 26 15:05:02 rx [11061396.046022] __local_bh_enable_ip+0x50/0x60
+Jul 26 15:05:02 rx [11061396.050460] _raw_spin_unlock_bh+0x1e/0x20
+Jul 26 15:05:02 rx [11061396.054817] nf_conntrack_tcp_packet+0x29e/0xbe0 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.060994] ? get_l4proto+0xe7/0x190 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.066220] nf_conntrack_in+0xe9/0x670 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.071618] ipv6_conntrack_local+0x14/0x20 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.077356] nf_hook_slow+0x45/0xb0
+Jul 26 15:05:02 rx [11061396.081098] ip6_xmit+0x3f0/0x5d0
+Jul 26 15:05:02 rx [11061396.084670] ? ipv6_anycast_cleanup+0x50/0x50
+Jul 26 15:05:02 rx [11061396.089282] ? __sk_dst_check+0x38/0x70
+Jul 26 15:05:02 rx [11061396.093381] ? inet6_csk_route_socket+0x13b/0x200
+Jul 26 15:05:02 rx [11061396.098346] inet6_csk_xmit+0xa7/0xf0
+Jul 26 15:05:02 rx [11061396.102263] __tcp_transmit_skb+0x550/0xb30
+Jul 26 15:05:02 rx [11061396.106701] tcp_write_xmit+0x3c6/0xc20
+Jul 26 15:05:02 rx [11061396.110792] ? __alloc_skb+0x98/0x1d0
+Jul 26 15:05:02 rx [11061396.114708] __tcp_push_pending_frames+0x37/0x100
+Jul 26 15:05:02 rx [11061396.119667] tcp_push+0xfd/0x100
+Jul 26 15:05:02 rx [11061396.123150] tcp_sendmsg_locked+0xc70/0xdd0
+Jul 26 15:05:02 rx [11061396.127588] tcp_sendmsg+0x2d/0x50
+Jul 26 15:05:02 rx [11061396.131245] inet6_sendmsg+0x43/0x70
+Jul 26 15:05:02 rx [11061396.135075] __sock_sendmsg+0x48/0x70
+Jul 26 15:05:02 rx [11061396.138994] ____sys_sendmsg+0x212/0x280
+Jul 26 15:05:02 rx [11061396.143172] ___sys_sendmsg+0x88/0xd0
+Jul 26 15:05:02 rx [11061396.147098] ? __seccomp_filter+0x7e/0x6b0
+Jul 26 15:05:02 rx [11061396.151446] ? __switch_to+0x39c/0x460
+Jul 26 15:05:02 rx [11061396.155453] ? __switch_to_asm+0x42/0x80
+Jul 26 15:05:02 rx [11061396.159636] ? __switch_to_asm+0x5a/0x80
+Jul 26 15:05:02 rx [11061396.163816] __sys_sendmsg+0x5c/0xa0
+Jul 26 15:05:02 rx [11061396.167647] __x64_sys_sendmsg+0x1f/0x30
+Jul 26 15:05:02 rx [11061396.171832] do_syscall_64+0x57/0x190
+Jul 26 15:05:02 rx [11061396.175748] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
+Jul 26 15:05:02 rx [11061396.181055] RIP: 0033:0x7f1ef692618d
+Jul 26 15:05:02 rx [11061396.184893] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48
+Jul 26 15:05:02 rx [11061396.203889] RSP: 002b:00007f1ef4a26aa0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
+Jul 26 15:05:02 rx [11061396.211708] RAX: ffffffffffffffda RBX: 000000000000084b RCX: 00007f1ef692618d
+Jul 26 15:05:02 rx [11061396.219091] RDX: 0000000000004000 RSI: 00007f1ef4a26b10 RDI: 0000000000000275
+Jul 26 15:05:02 rx [11061396.226475] RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000020
+Jul 26 15:05:02 rx [11061396.233859] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000084b
+Jul 26 15:05:02 rx [11061396.241243] R13: 00007f1ef4a26b10 R14: 0000000000000275 R15: 000055592030f1e8
+Jul 26 15:05:02 rx [11061396.248628] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler nft_ct sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 mlx5_core hid_generic pci_hyperv_intf crc32_pclmul tls usbhid ahci mlxfw bnxt_en libahci hid nvme i2c_piix4 nvme_core wmi
+Jul 26 15:05:02 rx [11061396.324334] CR2: 0000000000000020
+Jul 26 15:05:02 rx [11061396.327944] ---[ end trace 68a2b679d1cfb4f1 ]---
+Jul 26 15:05:02 rx [11061396.433435] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061396.438137] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Jul 26 15:05:02 rx [11061396.457144] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
+Jul 26 15:05:02 rx [11061396.462629] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Jul 26 15:05:02 rx [11061396.470012] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
+Jul 26 15:05:02 rx [11061396.477396] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
+Jul 26 15:05:02 rx [11061396.484779] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
+Jul 26 15:05:02 rx [11061396.492164] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
+Jul 26 15:05:02 rx [11061396.499547] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
+Jul 26 15:05:02 rx [11061396.507886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 15:05:02 rx [11061396.513884] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
+Jul 26 15:05:02 rx [11061396.521267] PKRU: 55555554
+Jul 26 15:05:02 rx [11061396.524230] Kernel panic - not syncing: Fatal exception in interrupt
+Jul 26 15:05:02 rx [11061396.530885] Kernel Offset: 0x1b200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+Jul 26 15:05:03 rx [11061396.660181] ---[ end Kernel panic - not syncing: Fatal
+ exception in interrupt ]---
+
+After we hit this we disabled TLP by setting tcp_early_retrans to 0 and then hit the crash in the RACK case:
+
+Aug 7 07:26:16 rx [1006006.265582] BUG: kernel NULL pointer dereference, address: 0000000000000020
+Aug 7 07:26:16 rx [1006006.272719] #PF: supervisor read access in kernel mode
+Aug 7 07:26:16 rx [1006006.278030] #PF: error_code(0x0000) - not-present page
+Aug 7 07:26:16 rx [1006006.283343] PGD 0 P4D 0
+Aug 7 07:26:16 rx [1006006.286057] Oops: 0000 [#1] SMP NOPTI
+Aug 7 07:26:16 rx [1006006.289896] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.4.0-174-generic #193-Ubuntu
+Aug 7 07:26:16 rx [1006006.299107] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Aug 7 07:26:16 rx [1006006.309970] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Aug 7 07:26:16 rx [1006006.314584] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Aug 7 07:26:16 rx [1006006.333499] RSP: 0018:ffffb42600a50960 EFLAGS: 00010246
+Aug 7 07:26:16 rx [1006006.338895] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Aug 7 07:26:16 rx [1006006.346193] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff92d687ed8160
+Aug 7 07:26:16 rx [1006006.353489] RBP: ffffb42600a50978 R08: 0000000000000000 R09: 00000000cd896dcc
+Aug 7 07:26:16 rx [1006006.360786] R10: ffff92dc3404f400 R11: 0000000000000001 R12: ffff92d687ed8000
+Aug 7 07:26:16 rx [1006006.368084] R13: ffff92d687ed8160 R14: 00000000cd896dcc R15: 00000000cd8fca81
+Aug 7 07:26:16 rx [1006006.375381] FS: 0000000000000000(0000) GS:ffff93158ad40000(0000) knlGS:0000000000000000
+Aug 7 07:26:16 rx [1006006.383632] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Aug 7 07:26:16 rx [1006006.389544] CR2: 0000000000000020 CR3: 0000003e775ce006 CR4: 0000000000760ee0
+Aug 7 07:26:16 rx [1006006.396839] PKRU: 55555554
+Aug 7 07:26:16 rx [1006006.399717] Call Trace:
+Aug 7 07:26:16 rx [1006006.402335]
+Aug 7 07:26:16 rx [1006006.404525] ? show_regs.cold+0x1a/0x1f
+Aug 7 07:26:16 rx [1006006.408532] ? __die+0x90/0xd9
+Aug 7 07:26:16 rx [1006006.411760] ? no_context+0x196/0x380
+Aug 7 07:26:16 rx [1006006.415599] ? __bad_area_nosemaphore+0x50/0x1a0
+Aug 7 07:26:16 rx [1006006.420392] ? _raw_spin_lock+0x1e/0x30
+Aug 7 07:26:16 rx [1006006.424401] ? bad_area_nosemaphore+0x16/0x20
+Aug 7 07:26:16 rx [1006006.428927] ? do_user_addr_fault+0x267/0x450
+Aug 7 07:26:16 rx [1006006.433450] ? __do_page_fault+0x58/0x90
+Aug 7 07:26:16 rx [1006006.437542] ? do_page_fault+0x2c/0xe0
+Aug 7 07:26:16 rx [1006006.441470] ? page_fault+0x34/0x40
+Aug 7 07:26:16 rx [1006006.445134] ? tcp_rearm_rto+0xe4/0x160
+Aug 7 07:26:16 rx [1006006.449145] tcp_ack+0xa32/0xb30
+Aug 7 07:26:16 rx [1006006.452542] tcp_rcv_established+0x13c/0x670
+Aug 7 07:26:16 rx [1006006.456981] ? sk_filter_trim_cap+0x48/0x220
+Aug 7 07:26:16 rx [1006006.461419] tcp_v6_do_rcv+0xdb/0x450
+Aug 7 07:26:16 rx [1006006.465257] tcp_v6_rcv+0xc2b/0xd10
+Aug 7 07:26:16 rx [1006006.468918] ip6_protocol_deliver_rcu+0xd3/0x4e0
+Aug 7 07:26:16 rx [1006006.473706] ip6_input_finish+0x15/0x20
+Aug 7 07:26:16 rx [1006006.477710] ip6_input+0xa2/0xb0
+Aug 7 07:26:16 rx [1006006.481109] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
+Aug 7 07:26:16 rx [1006006.486151] ip6_sublist_rcv_finish+0x3d/0x50
+Aug 7 07:26:16 rx [1006006.490679] ip6_sublist_rcv+0x1aa/0x250
+Aug 7 07:26:16 rx [1006006.494779] ? ip6_rcv_finish_core.isra.0+0xa0/0xa0
+Aug 7 07:26:16 rx [1006006.499828] ipv6_list_rcv+0x112/0x140
+Aug 7 07:26:16 rx [1006006.503748] __netif_receive_skb_list_core+0x1a4/0x250
+Aug 7 07:26:16 rx [1006006.509057] netif_receive_skb_list_internal+0x1a1/0x2b0
+Aug 7 07:26:16 rx [1006006.514538] gro_normal_list.part.0+0x1e/0x40
+Aug 7 07:26:16 rx [1006006.519068] napi_complete_done+0x91/0x130
+Aug 7 07:26:16 rx [1006006.523352] mlx5e_napi_poll+0x18e/0x610 [mlx5_core]
+Aug 7 07:26:16 rx [1006006.528481] net_rx_action+0x142/0x390
+Aug 7 07:26:16 rx [1006006.532398] __do_softirq+0xd1/0x2c1
+Aug 7 07:26:16 rx [1006006.536142] irq_exit+0xae/0xb0
+Aug 7 07:26:16 rx [1006006.539452] do_IRQ+0x5a/0xf0
+Aug 7 07:26:16 rx [1006006.542590] common_interrupt+0xf/0xf
+Aug 7 07:26:16 rx [1006006.546421]
+Aug 7 07:26:16 rx [1006006.548695] RIP: 0010:native_safe_halt+0xe/0x10
+Aug 7 07:26:16 rx [1006006.553399] Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65
+Aug 7 07:26:16 rx [1006006.572309] RSP: 0018:ffffb42600177e70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffc2
+Aug 7 07:26:16 rx [1006006.580040] RAX: ffffffff8ed08b20 RBX: 0000000000000005 RCX: 0000000000000001
+Aug 7 07:26:16 rx [1006006.587337] RDX: 00000000f48eeca2 RSI: 0000000000000082 RDI: 0000000000000082
+Aug 7 07:26:16 rx [1006006.594635] RBP: ffffb42600177e90 R08: 0000000000000000 R09: 000000000000020f
+Aug 7 07:26:16 rx [1006006.601931] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000005
+Aug 7 07:26:16 rx [1006006.609229] R13: ffff93157deb5f00 R14: 0000000000000000 R15: 0000000000000000
+Aug 7 07:26:16 rx [1006006.616530] ? __cpuidle_text_start+0x8/0x8
+Aug 7 07:26:16 rx [1006006.620886] ? default_idle+0x20/0x140
+Aug 7 07:26:16 rx [1006006.624804] arch_cpu_idle+0x15/0x20
+Aug 7 07:26:16 rx [1006006.628545] default_idle_call+0x23/0x30
+Aug 7 07:26:16 rx [1006006.632640] do_idle+0x1fb/0x270
+Aug 7 07:26:16 rx [1006006.636035] cpu_startup_entry+0x20/0x30
+Aug 7 07:26:16 rx [1006006.640126] start_secondary+0x178/0x1d0
+Aug 7 07:26:16 rx [1006006.644218] secondary_startup_64+0xa4/0xb0
+Aug 7 07:26:17 rx [1006006.648568] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet ast mii drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 hid_generic mlx5_core pci_hyperv_intf crc32_pclmul usbhid ahci tls mlxfw bnxt_en hid libahci nvme i2c_piix4 nvme_core wmi [last unloaded: cpuid]
+Aug 7 07:26:17 rx [1006006.726180] CR2: 0000000000000020
+Aug 7 07:26:17 rx [1006006.729718] ---[ end trace e0e2e37e4e612984 ]---
+
+Prior to seeing the first crash and on other machines we also see the warning in
+tcp_send_loss_probe() where packets_out is non-zero, but both transmit and retrans
+queues are empty so we know the box is seeing some accounting issue in this area:
+
+Jul 26 09:15:27 kernel: ------------[ cut here ]------------
+Jul 26 09:15:27 kernel: invalid inflight: 2 state 1 cwnd 68 mss 8988
+Jul 26 09:15:27 kernel: WARNING: CPU: 16 PID: 0 at net/ipv4/tcp_output.c:2605 tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif joydev input_leds rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_he>
+Jul 26 09:15:27 kernel: CPU: 16 PID: 0 Comm: swapper/16 Not tainted 5.4.0-174-generic #193-Ubuntu
+Jul 26 09:15:27 kernel: Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Jul 26 09:15:27 kernel: RIP: 0010:tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: Code: 08 26 01 00 75 e2 41 0f b6 54 24 12 41 8b 8c 24 c0 06 00 00 45 89 f0 48 c7 c7 e0 b4 20 a7 c6 05 8d 08 26 01 01 e8 4a c0 0f 00 <0f> 0b eb ba 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
+Jul 26 09:15:27 kernel: RSP: 0018:ffffb7838088ce00 EFLAGS: 00010286
+Jul 26 09:15:27 kernel: RAX: 0000000000000000 RBX: ffff9b84b5630430 RCX: 0000000000000006
+Jul 26 09:15:27 kernel: RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9b8e4621c8c0
+Jul 26 09:15:27 kernel: RBP: ffffb7838088ce18 R08: 0000000000000927 R09: 0000000000000004
+Jul 26 09:15:27 kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9b84b5630000
+Jul 26 09:15:27 kernel: R13: 0000000000000000 R14: 000000000000231c R15: ffff9b84b5630430
+Jul 26 09:15:27 kernel: FS: 0000000000000000(0000) GS:ffff9b8e46200000(0000) knlGS:0000000000000000
+Jul 26 09:15:27 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 09:15:27 kernel: CR2: 000056238cec2380 CR3: 0000003e49ede005 CR4: 0000000000760ee0
+Jul 26 09:15:27 kernel: PKRU: 55555554
+Jul 26 09:15:27 kernel: Call Trace:
+Jul 26 09:15:27 kernel: <IRQ>
+Jul 26 09:15:27 kernel: ? show_regs.cold+0x1a/0x1f
+Jul 26 09:15:27 kernel: ? __warn+0x98/0xe0
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? report_bug+0xd1/0x100
+Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0
+Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240
+Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0
+Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240
+Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130
+Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280
+Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0
+Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90
+Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0
+Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240
+Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0
+Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240
+Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130
+Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280
+Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0
+Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90
+Jul 26 09:15:27 kernel: ? recalibrate_cpu_khz+0x10/0x10
+Jul 26 09:15:27 kernel: ? ktime_get+0x3e/0xa0
+Jul 26 09:15:27 kernel: ? native_x2apic_icr_write+0x30/0x30
+Jul 26 09:15:27 kernel: run_timer_softirq+0x2a/0x50
+Jul 26 09:15:27 kernel: __do_softirq+0xd1/0x2c1
+Jul 26 09:15:27 kernel: irq_exit+0xae/0xb0
+Jul 26 09:15:27 kernel: smp_apic_timer_interrupt+0x7b/0x140
+Jul 26 09:15:27 kernel: apic_timer_interrupt+0xf/0x20
+Jul 26 09:15:27 kernel: </IRQ>
+Jul 26 09:15:27 kernel: RIP: 0010:native_safe_halt+0xe/0x10
+Jul 26 09:15:27 kernel: Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 <c3> 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65
+Jul 26 09:15:27 kernel: RSP: 0018:ffffb783801cfe70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+Jul 26 09:15:27 kernel: RAX: ffffffffa6908b20 RBX: 0000000000000010 RCX: 0000000000000001
+Jul 26 09:15:27 kernel: RDX: 000000006fc0c97e RSI: 0000000000000082 RDI: 0000000000000082
+Jul 26 09:15:27 kernel: RBP: ffffb783801cfe90 R08: 0000000000000000 R09: 0000000000000225
+Jul 26 09:15:27 kernel: R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000010
+Jul 26 09:15:27 kernel: R13: ffff9b8e390b0000 R14: 0000000000000000 R15: 0000000000000000
+Jul 26 09:15:27 kernel: ? __cpuidle_text_start+0x8/0x8
+Jul 26 09:15:27 kernel: ? default_idle+0x20/0x140
+Jul 26 09:15:27 kernel: arch_cpu_idle+0x15/0x20
+Jul 26 09:15:27 kernel: default_idle_call+0x23/0x30
+Jul 26 09:15:27 kernel: do_idle+0x1fb/0x270
+Jul 26 09:15:27 kernel: cpu_startup_entry+0x20/0x30
+Jul 26 09:15:27 kernel: start_secondary+0x178/0x1d0
+Jul 26 09:15:27 kernel: secondary_startup_64+0xa4/0xb0
+Jul 26 09:15:27 kernel: ---[ end trace e7ac822987e33be1 ]---
+
+The NULL ptr deref is coming from tcp_rto_delta_us() attempting to pull an skb
+off the head of the retransmit queue and then dereferencing that skb to get the
+skb_mstamp_ns value via tcp_skb_timestamp_us(skb).
+
+The crash is the same one that was reported a # of years ago here:
+https://lore.kernel.org/netdev/86c0f836-9a7c-438b-d81a-839be45f1f58@gmail.com/T/#t
+
+and the kernel we're running has the fix which was added to resolve this issue.
+
+Unfortunately we've been unsuccessful so far in reproducing this problem in the
+lab and do not have the luxury of pushing out a new kernel to try and test if
+newer kernels resolve this issue at the moment. I realize this is a report
+against both an Ubuntu kernel and also an older 5.4 kernel. I have reported this
+issue to Ubuntu here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2077657
+however I feel like since this issue has possibly cropped up again it makes
+sense to build in some protection in this path (even on the latest kernel
+versions) since the code in question just blindly assumes there's a valid skb
+without testing if it's NULL b/f it looks at the timestamp.
+
+Given we have seen crashes in this path before and now this case it seems like
+we should protect ourselves for when packets_out accounting is incorrect.
+While we should fix that root cause we should also just make sure the skb
+is not NULL before dereferencing it. Also add a warn once here to capture
+some information if/when the problem case is hit again.
+
+Fixes: e1a10ef7fa87 ("tcp: introduce tcp_rto_delta_us() helper for xmit timer fix")
+Signed-off-by: Josh Hunt <johunt@akamai.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tcp.h | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 45bbb54e42e85..ac647c952cf0c 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -2437,9 +2437,26 @@ static inline s64 tcp_rto_delta_us(const struct sock *sk)
+ {
+ const struct sk_buff *skb = tcp_rtx_queue_head(sk);
+ u32 rto = inet_csk(sk)->icsk_rto;
+- u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto);
+
+- return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp;
++ if (likely(skb)) {
++ u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto);
++
++ return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp;
++ } else {
++ WARN_ONCE(1,
++ "rtx queue emtpy: "
++ "out:%u sacked:%u lost:%u retrans:%u "
++ "tlp_high_seq:%u sk_state:%u ca_state:%u "
++ "advmss:%u mss_cache:%u pmtu:%u\n",
++ tcp_sk(sk)->packets_out, tcp_sk(sk)->sacked_out,
++ tcp_sk(sk)->lost_out, tcp_sk(sk)->retrans_out,
++ tcp_sk(sk)->tlp_high_seq, sk->sk_state,
++ inet_csk(sk)->icsk_ca_state,
++ tcp_sk(sk)->advmss, tcp_sk(sk)->mss_cache,
++ inet_csk(sk)->icsk_pmtu_cookie);
++ return jiffies_to_usecs(rto);
++ }
++
+ }
+
+ /*
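Review bot: The WARN_ONCE format string in the else branch of tcp_rto_delta_us() spells its message `rtx queue emtpy`, so a log search or alert written for "rtx queue empty" will miss the single report this check emits per boot; the literal should read `"rtx queue empty: "`. The message is also split across four string literals, which kernel style discourages for the same grep reason. Separately, the fallback still goes through WARN, so a host running with panic_on_warn set would presumably still go down when packets_out and the retransmit queue disagree. The guard downgrades the NULL dereference to a warning only where that setting is off, which is worth stating in a comment above the branch.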
+--
+2.43.0
+
--- /dev/null
+From 69d02222411206ba2b0ac4c6e506ec1aa24fbf7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 21:47:36 +0200
+Subject: thermal: core: Fix rounding of delay jiffies
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 8144dbe68c493baa412d78f41a57e90a6461f6c3 ]
+
+Using round_jiffies() in thermal_set_delay_jiffies() is invalid because
+its argument should be time in the future in absolute jiffies and it
+computes the result with respect to the current jiffies value at the
+invocation time. Fortunately, in the majority of cases it does not
+make any difference due to the time_is_after_jiffies() check in
+round_jiffies_common().
+
+While using round_jiffies_relative() instead of round_jiffies() might
+reflect the intent a bit better, it still would not be defensible
+because that function should be called when the timer is about to be
+set and it is not suitable for pre-computation of delay values.
+
+Accordingly, drop thermal_set_delay_jiffies() altogether, simply
+convert polling_delay and passive_delay to jiffies during thermal
+zone initialization and make thermal_zone_device_set_polling() call
+round_jiffies_relative() on the delay if it is greater than 1 second.
+
+Fixes: 17d399cd9c89 ("thermal/core: Precompute the delays from msecs to jiffies")
+Fixes: e5f2cda61d06 ("thermal/core: Move thermal_set_delay_jiffies to static")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://patch.msgid.link/1994438.PYKUYFuaPT@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index 99a8c06f6964d..d0e71698b3562 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -323,11 +323,15 @@ static void thermal_zone_broken_disable(struct thermal_zone_device *tz)
+ static void thermal_zone_device_set_polling(struct thermal_zone_device *tz,
+ unsigned long delay)
+ {
+- if (delay)
+- mod_delayed_work(system_freezable_power_efficient_wq,
+- &tz->poll_queue, delay);
+- else
++ if (!delay) {
+ cancel_delayed_work(&tz->poll_queue);
++ return;
++ }
++
++ if (delay > HZ)
++ delay = round_jiffies_relative(delay);
++
++ mod_delayed_work(system_freezable_power_efficient_wq, &tz->poll_queue, delay);
+ }
+
+ static void thermal_zone_recheck(struct thermal_zone_device *tz, int error)
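Review bot: The new `if (delay > HZ)` test in thermal_zone_device_set_polling() has no comment, so the reason for rounding here rather than at zone registration is recorded only in the commit message. A short comment above it would keep the constraint visible to the next reader, for example `/* Round at arm time: round_jiffies_relative() is meant to be called when the timer is about to be set. */`. The threshold appears to mirror the `delay_ms > 1000` check in the removed thermal_set_delay_jiffies(), which the same comment could mention.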
+@@ -1327,13 +1331,6 @@ void thermal_cooling_device_unregister(struct thermal_cooling_device *cdev)
+ }
+ EXPORT_SYMBOL_GPL(thermal_cooling_device_unregister);
+
+-static void thermal_set_delay_jiffies(unsigned long *delay_jiffies, int delay_ms)
+-{
+- *delay_jiffies = msecs_to_jiffies(delay_ms);
+- if (delay_ms > 1000)
+- *delay_jiffies = round_jiffies(*delay_jiffies);
+-}
+-
+ int thermal_zone_get_crit_temp(struct thermal_zone_device *tz, int *temp)
+ {
+ const struct thermal_trip_desc *td;
+@@ -1470,8 +1467,8 @@ thermal_zone_device_register_with_trips(const char *type,
+ td->threshold = INT_MAX;
+ }
+
+- thermal_set_delay_jiffies(&tz->passive_delay_jiffies, passive_delay);
+- thermal_set_delay_jiffies(&tz->polling_delay_jiffies, polling_delay);
++ tz->polling_delay_jiffies = msecs_to_jiffies(polling_delay);
++ tz->passive_delay_jiffies = msecs_to_jiffies(passive_delay);
+ tz->recheck_delay_jiffies = THERMAL_RECHECK_DELAY;
+
+ /* sys I/F */
+--
+2.43.0
+
--- /dev/null
+From b8f3c795e82e020d6f369e93192c76876eb65f27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 17:50:30 +0200
+Subject: thermal: core: Fold two functions into their respective callers
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit a8bbe6f10f78f85243ff821432c5d798a6d99ed4 ]
+
+Fold bind_cdev() into __thermal_cooling_device_register() and bind_tz()
+into thermal_zone_device_register_with_trips() to reduce code bloat and
+make it somewhat easier to follow the code flow.
+
+No intentional functional impact.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://patch.msgid.link/2962184.e9J7NaK4W3@rjwysocki.net
+Stable-dep-of: 8144dbe68c49 ("thermal: core: Fix rounding of delay jiffies")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 55 ++++++++++++----------------------
+ 1 file changed, 19 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index b8d889ef4fa5e..99a8c06f6964d 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -988,20 +988,6 @@ void print_bind_err_msg(struct thermal_zone_device *tz,
+ tz->type, cdev->type, ret);
+ }
+
+-static void bind_cdev(struct thermal_cooling_device *cdev)
+-{
+- int ret;
+- struct thermal_zone_device *pos = NULL;
+-
+- list_for_each_entry(pos, &thermal_tz_list, node) {
+- if (pos->ops.bind) {
+- ret = pos->ops.bind(pos, cdev);
+- if (ret)
+- print_bind_err_msg(pos, cdev, ret);
+- }
+- }
+-}
+-
+ /**
+ * __thermal_cooling_device_register() - register a new thermal cooling device
+ * @np: a pointer to a device tree node.
+@@ -1097,7 +1083,13 @@ __thermal_cooling_device_register(struct device_node *np,
+ list_add(&cdev->node, &thermal_cdev_list);
+
+ /* Update binding information for 'this' new cdev */
+- bind_cdev(cdev);
++ list_for_each_entry(pos, &thermal_tz_list, node) {
++ if (pos->ops.bind) {
++ ret = pos->ops.bind(pos, cdev);
++ if (ret)
++ print_bind_err_msg(pos, cdev, ret);
++ }
++ }
+
+ list_for_each_entry(pos, &thermal_tz_list, node)
+ if (atomic_cmpxchg(&pos->need_update, 1, 0))
+@@ -1335,25 +1327,6 @@ void thermal_cooling_device_unregister(struct thermal_cooling_device *cdev)
+ }
+ EXPORT_SYMBOL_GPL(thermal_cooling_device_unregister);
+
+-static void bind_tz(struct thermal_zone_device *tz)
+-{
+- int ret;
+- struct thermal_cooling_device *pos = NULL;
+-
+- if (!tz->ops.bind)
+- return;
+-
+- mutex_lock(&thermal_list_lock);
+-
+- list_for_each_entry(pos, &thermal_cdev_list, node) {
+- ret = tz->ops.bind(tz, pos);
+- if (ret)
+- print_bind_err_msg(tz, pos, ret);
+- }
+-
+- mutex_unlock(&thermal_list_lock);
+-}
+-
+ static void thermal_set_delay_jiffies(unsigned long *delay_jiffies, int delay_ms)
+ {
+ *delay_jiffies = msecs_to_jiffies(delay_ms);
+@@ -1542,13 +1515,23 @@ thermal_zone_device_register_with_trips(const char *type,
+ }
+
+ mutex_lock(&thermal_list_lock);
++
+ mutex_lock(&tz->lock);
+ list_add_tail(&tz->node, &thermal_tz_list);
+ mutex_unlock(&tz->lock);
+- mutex_unlock(&thermal_list_lock);
+
+ /* Bind cooling devices for this zone */
+- bind_tz(tz);
++ if (tz->ops.bind) {
++ struct thermal_cooling_device *cdev;
++
++ list_for_each_entry(cdev, &thermal_cdev_list, node) {
++ result = tz->ops.bind(tz, cdev);
++ if (result)
++ print_bind_err_msg(tz, cdev, result);
++ }
++ }
++
++ mutex_unlock(&thermal_list_lock);
+
+ thermal_zone_device_init(tz);
+ /* Update the new thermal zone and mark it as already updated. */
+--
+2.43.0
+
--- /dev/null
+From 60b643849b96ddeb2bbcd07d71ba04cbcc57d1cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 18:23:49 +0200
+Subject: thermal: gov_bang_bang: Adjust states of all uninitialized instances
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 15cb56bd529868d9242b22812fc69bd144bfdc94 ]
+
+If a cooling device is registered after a thermal zone it should be
+bound to and the trip point it should be bound to has already been
+crossed by the zone temperature on the way up, the cooling device's
+state may need to be adjusted, but the Bang-bang governor will not
+do that because its .manage() callback only looks at thermal instances
+for trip points whose thresholds are below or at the zone temperature.
+
+Address this by updating bang_bang_manage() to look at all of the
+uninitialized thermal instances and setting their target states in
+accordance with the position of the zone temperature with respect to
+the threshold of the given trip point.
+
+Fixes: 5f64b4a1ab1b ("thermal: gov_bang_bang: Add .manage() callback")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Link: https://patch.msgid.link/6103874.lOV4Wx5bFT@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/gov_bang_bang.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/thermal/gov_bang_bang.c b/drivers/thermal/gov_bang_bang.c
+index daed67d19efb8..863e7a4272e66 100644
+--- a/drivers/thermal/gov_bang_bang.c
++++ b/drivers/thermal/gov_bang_bang.c
+@@ -92,23 +92,21 @@ static void bang_bang_manage(struct thermal_zone_device *tz)
+
+ for_each_trip_desc(tz, td) {
+ const struct thermal_trip *trip = &td->trip;
++ bool turn_on;
+
+- if (tz->temperature >= td->threshold ||
+- trip->temperature == THERMAL_TEMP_INVALID ||
++ if (trip->temperature == THERMAL_TEMP_INVALID ||
+ trip->type == THERMAL_TRIP_CRITICAL ||
+ trip->type == THERMAL_TRIP_HOT)
+ continue;
+
+ /*
+- * If the initial cooling device state is "on", but the zone
+- * temperature is not above the trip point, the core will not
+- * call bang_bang_control() until the zone temperature reaches
+- * the trip point temperature which may be never. In those
+- * cases, set the initial state of the cooling device to 0.
++ * Adjust the target states for uninitialized thermal instances
++ * to the thermal zone temperature and the trip point threshold.
+ */
++ turn_on = tz->temperature >= td->threshold;
+ list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+ if (!instance->initialized && instance->trip == trip)
+- bang_bang_set_instance_target(instance, 0);
++ bang_bang_set_instance_target(instance, turn_on);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 269515379b65c7a64052ad38b9bebcbb11b77a69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 17:30:45 -0700
+Subject: tools/runqslower: Fix LDFLAGS and add LDLIBS support
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit f86601c3661946721e8f260bdd812b759854ac22 ]
+
+Actually use previously defined LDFLAGS during build and add support for
+LDLIBS to link extra standalone libraries e.g. 'argp' which is not provided
+by musl libc.
+
+Fixes: 585bf4640ebe ("tools: runqslower: Add EXTRA_CFLAGS and EXTRA_LDFLAGS support")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/bpf/20240723003045.2273499-1-tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/runqslower/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/bpf/runqslower/Makefile b/tools/bpf/runqslower/Makefile
+index d8288936c9120..c4f1f1735af65 100644
+--- a/tools/bpf/runqslower/Makefile
++++ b/tools/bpf/runqslower/Makefile
+@@ -15,6 +15,7 @@ INCLUDES := -I$(OUTPUT) -I$(BPF_INCLUDE) -I$(abspath ../../include/uapi)
+ CFLAGS := -g -Wall $(CLANG_CROSS_FLAGS)
+ CFLAGS += $(EXTRA_CFLAGS)
+ LDFLAGS += $(EXTRA_LDFLAGS)
++LDLIBS += -lelf -lz
+
+ # Try to detect best kernel BTF source
+ KERNEL_REL := $(shell uname -r)
+@@ -51,7 +52,7 @@ clean:
+ libbpf_hdrs: $(BPFOBJ)
+
+ $(OUTPUT)/runqslower: $(OUTPUT)/runqslower.o $(BPFOBJ)
+- $(QUIET_LINK)$(CC) $(CFLAGS) $^ -lelf -lz -o $@
++ $(QUIET_LINK)$(CC) $(CFLAGS) $(LDFLAGS) $^ $(LDLIBS) -o $@
+
+ $(OUTPUT)/runqslower.o: runqslower.h $(OUTPUT)/runqslower.skel.h \
+ $(OUTPUT)/runqslower.bpf.o | libbpf_hdrs
+--
+2.43.0
+
--- /dev/null
+From 54320d20766cb3f6ed9364f727f5cfa052e495b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 12:55:46 +0100
+Subject: tpm: Clean up TPM space after command failure
+
+From: Jonathan McDowell <noodles@meta.com>
+
+[ Upstream commit e3aaebcbb7c6b403416f442d1de70d437ce313a7 ]
+
+tpm_dev_transmit prepares the TPM space before attempting command
+transmission. However if the command fails no rollback of this
+preparation is done. This can result in transient handles being leaked
+if the device is subsequently closed with no further commands performed.
+
+Fix this by flushing the space in the event of command transmission
+failure.
+
+Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces")
+Signed-off-by: Jonathan McDowell <noodles@meta.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm-dev-common.c | 2 ++
+ drivers/char/tpm/tpm2-space.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
+index 30b4c288c1bbc..c3fbbf4d3db79 100644
+--- a/drivers/char/tpm/tpm-dev-common.c
++++ b/drivers/char/tpm/tpm-dev-common.c
+@@ -47,6 +47,8 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space,
+
+ if (!ret)
+ ret = tpm2_commit_space(chip, space, buf, &len);
++ else
++ tpm2_flush_space(chip);
+
+ out_rc:
+ return ret ? ret : len;
+diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
+index 4892d491da8da..25a66870c165c 100644
+--- a/drivers/char/tpm/tpm2-space.c
++++ b/drivers/char/tpm/tpm2-space.c
+@@ -169,6 +169,9 @@ void tpm2_flush_space(struct tpm_chip *chip)
+ struct tpm_space *space = &chip->work_space;
+ int i;
+
++ if (!space)
++ return;
++
+ for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
+ if (space->context_tbl[i] && ~space->context_tbl[i])
+ tpm2_flush_context(chip, space->context_tbl[i]);
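Review bot: The added `if (!space) return;` in tpm2_flush_space() can never trigger, because `space` is initialised two lines earlier as `&chip->work_space`, the address of a member of `chip`, which is non-NULL for any valid `chip`. If the intent was to skip the flush when the caller has no TPM space, that has to be decided from the caller's own `space` argument, for example `else if (space)` ahead of `tpm2_flush_space(chip);` in the tpm-dev-common.c hunk. As written, the new failure path in tpm_dev_transmit() flushes whatever handles are recorded in `chip->work_space`, presumably also when nothing was prepared for this command. Either drop the dead check or replace it with one that reflects real state, so the handle-leak fix does not appear to rest on a guard that does nothing.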
+--
+2.43.0
+
--- /dev/null
+From 7970c468a9b9a296be5a60c784e6403f1486ae0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 09:36:24 +0800
+Subject: ublk: move zone report data out of request pdu
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 9327b51c9a9c864f5177127e09851da9d78b4943 ]
+
+ublk zoned takes 16 bytes in each request pdu just for handling REPORT_ZONE
+operation, this way does waste memory since request pdu is allocated
+statically.
+
+Store the transient zone report data into one global xarray, and remove
+it after the report zone request is completed. This way is reasonable
+since report zone is run in slow code path.
+
+Fixes: 29802d7ca33b ("ublk: enable zoned storage support")
+Cc: Damien Le Moal <dlemoal@kernel.org>
+Cc: Andreas Hindborg <a.hindborg@samsung.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20240812013624.587587-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 62 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 46 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index fc001e9f95f61..d06c8ed29620b 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -71,9 +71,6 @@ struct ublk_rq_data {
+ struct llist_node node;
+
+ struct kref ref;
+- __u64 sector;
+- __u32 operation;
+- __u32 nr_zones;
+ };
+
+ struct ublk_uring_cmd_pdu {
+@@ -214,6 +211,33 @@ static inline bool ublk_queue_is_zoned(struct ublk_queue *ubq)
+
+ #ifdef CONFIG_BLK_DEV_ZONED
+
++struct ublk_zoned_report_desc {
++ __u64 sector;
++ __u32 operation;
++ __u32 nr_zones;
++};
++
++static DEFINE_XARRAY(ublk_zoned_report_descs);
++
++static int ublk_zoned_insert_report_desc(const struct request *req,
++ struct ublk_zoned_report_desc *desc)
++{
++ return xa_insert(&ublk_zoned_report_descs, (unsigned long)req,
++ desc, GFP_KERNEL);
++}
++
++static struct ublk_zoned_report_desc *ublk_zoned_erase_report_desc(
++ const struct request *req)
++{
++ return xa_erase(&ublk_zoned_report_descs, (unsigned long)req);
++}
++
++static struct ublk_zoned_report_desc *ublk_zoned_get_report_desc(
++ const struct request *req)
++{
++ return xa_load(&ublk_zoned_report_descs, (unsigned long)req);
++}
++
+ static int ublk_get_nr_zones(const struct ublk_device *ub)
+ {
+ const struct ublk_param_basic *p = &ub->params.basic;
+@@ -310,7 +334,7 @@ static int ublk_report_zones(struct gendisk *disk, sector_t sector,
+ unsigned int zones_in_request =
+ min_t(unsigned int, remaining_zones, max_zones_per_request);
+ struct request *req;
+- struct ublk_rq_data *pdu;
++ struct ublk_zoned_report_desc desc;
+ blk_status_t status;
+
+ memset(buffer, 0, buffer_length);
+@@ -321,20 +345,23 @@ static int ublk_report_zones(struct gendisk *disk, sector_t sector,
+ goto out;
+ }
+
+- pdu = blk_mq_rq_to_pdu(req);
+- pdu->operation = UBLK_IO_OP_REPORT_ZONES;
+- pdu->sector = sector;
+- pdu->nr_zones = zones_in_request;
++ desc.operation = UBLK_IO_OP_REPORT_ZONES;
++ desc.sector = sector;
++ desc.nr_zones = zones_in_request;
++ ret = ublk_zoned_insert_report_desc(req, &desc);
++ if (ret)
++ goto free_req;
+
+ ret = blk_rq_map_kern(disk->queue, req, buffer, buffer_length,
+ GFP_KERNEL);
+- if (ret) {
+- blk_mq_free_request(req);
+- goto out;
+- }
++ if (ret)
++ goto erase_desc;
+
+ status = blk_execute_rq(req, 0);
+ ret = blk_status_to_errno(status);
++erase_desc:
++ ublk_zoned_erase_report_desc(req);
++free_req:
+ blk_mq_free_request(req);
+ if (ret)
+ goto out;
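Review bot: The entry stored in the global `ublk_zoned_report_descs` xarray is `&desc`, a stack variable of ublk_report_zones() declared in the previous hunk, so it must never outlive the loop iteration that inserted it. The `erase_desc:` label does cover both the `blk_rq_map_kern()` failure and the normal completion path, but nothing in the code states that invariant, and ublk_setup_iod_zoned() dereferences the pointer it gets back from `xa_load()`. I would add a comment above the insert such as `/* desc is on this stack frame: it is only valid while blk_execute_rq() waits and must be erased before the request is freed */`. Because the key is the request pointer, a missed erase would leave a dangling pointer that a later request reusing that address could pick up, which is worth one line next to `ublk_zoned_insert_report_desc()` as well. The function body continues outside the hunk.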
+@@ -368,7 +395,7 @@ static blk_status_t ublk_setup_iod_zoned(struct ublk_queue *ubq,
+ {
+ struct ublksrv_io_desc *iod = ublk_get_iod(ubq, req->tag);
+ struct ublk_io *io = &ubq->ios[req->tag];
+- struct ublk_rq_data *pdu = blk_mq_rq_to_pdu(req);
++ struct ublk_zoned_report_desc *desc;
+ u32 ublk_op;
+
+ switch (req_op(req)) {
+@@ -391,12 +418,15 @@ static blk_status_t ublk_setup_iod_zoned(struct ublk_queue *ubq,
+ ublk_op = UBLK_IO_OP_ZONE_RESET_ALL;
+ break;
+ case REQ_OP_DRV_IN:
+- ublk_op = pdu->operation;
++ desc = ublk_zoned_get_report_desc(req);
++ if (!desc)
++ return BLK_STS_IOERR;
++ ublk_op = desc->operation;
+ switch (ublk_op) {
+ case UBLK_IO_OP_REPORT_ZONES:
+ iod->op_flags = ublk_op | ublk_req_build_flags(req);
+- iod->nr_zones = pdu->nr_zones;
+- iod->start_sector = pdu->sector;
++ iod->nr_zones = desc->nr_zones;
++ iod->start_sector = desc->sector;
+ return BLK_STS_OK;
+ default:
+ return BLK_STS_IOERR;
+--
+2.43.0
+
--- /dev/null
+From 98aa69c56ff38c63def1d3df0f496271f2abd84b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jul 2024 15:00:26 +0200
+Subject: usb: dwc2: Skip clock gating on Broadcom SoCs
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit d483f034f03261c8c8450d106aa243837122b5f0 ]
+
+On resume of the Raspberry Pi the dwc2 driver fails to enable
+HCD_FLAG_HW_ACCESSIBLE before re-enabling the interrupts.
+This causes a situation where both handler ignore a incoming port
+interrupt and force the upper layers to disable the dwc2 interrupt line.
+This leaves the USB interface in a unusable state:
+
+irq 66: nobody cared (try booting with the "irqpoll" option)
+CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.10.0-rc3
+Hardware name: BCM2835
+Call trace:
+unwind_backtrace from show_stack+0x10/0x14
+show_stack from dump_stack_lvl+0x50/0x64
+dump_stack_lvl from __report_bad_irq+0x38/0xc0
+__report_bad_irq from note_interrupt+0x2ac/0x2f4
+note_interrupt from handle_irq_event+0x88/0x8c
+handle_irq_event from handle_level_irq+0xb4/0x1ac
+handle_level_irq from generic_handle_domain_irq+0x24/0x34
+generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28
+bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34
+generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44
+generic_handle_arch_irq from __irq_svc+0x88/0xb0
+Exception stack(0xc1b01f20 to 0xc1b01f68)
+1f20: 0005c0d4 00000001 00000000 00000000 c1b09780 c1d6b32c c1b04e54 c1a5eae8
+1f40: c1b04e90 00000000 00000000 00000000 c1d6a8a0 c1b01f70 c11d2da8 c11d4160
+1f60: 60000013 ffffffff
+__irq_svc from default_idle_call+0x1c/0xb0
+default_idle_call from do_idle+0x21c/0x284
+do_idle from cpu_startup_entry+0x28/0x2c
+cpu_startup_entry from kernel_init+0x0/0x12c
+handlers:
+[<f539e0f4>] dwc2_handle_common_intr
+[<75cd278b>] usb_hcd_irq
+Disabling IRQ #66
+
+Disabling clock gating workaround this issue.
+
+Fixes: 0112b7ce68ea ("usb: dwc2: Update dwc2_handle_usb_suspend_intr function.")
+Link: https://lore.kernel.org/linux-usb/3fd0c2fb-4752-45b3-94eb-42352703e1fd@gmx.net/T/
+Link: https://lore.kernel.org/all/5e8cbce0-3260-2971-484f-fc73a3b2bd28@synopsys.com/
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Link: https://lore.kernel.org/r/20240728130029.78279-5-wahrenst@gmx.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/params.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c
+index 5a1500d0bdd94..66580de528821 100644
+--- a/drivers/usb/dwc2/params.c
++++ b/drivers/usb/dwc2/params.c
+@@ -23,6 +23,7 @@ static void dwc2_set_bcm_params(struct dwc2_hsotg *hsotg)
+ p->max_transfer_size = 65535;
+ p->max_packet_count = 511;
+ p->ahbcfg = 0x10;
++ p->no_clock_gating = true;
+ }
+
+ static void dwc2_set_his_params(struct dwc2_hsotg *hsotg)
+--
+2.43.0
+
--- /dev/null
+From 033024b32a9631ade3e39ecbafeac157c5ce49c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:08:08 +0300
+Subject: vdpa/mlx5: Fix invalid mr resource destroy
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit dc12502905b7a3de9097ea6b98870470c2921e09 ]
+
+Certain error paths from mlx5_vdpa_dev_add() can end up releasing mr
+resources which never got initialized in the first place.
+
+This patch adds the missing check in mlx5_vdpa_destroy_mr_resources()
+to block releasing non-initialized mr resources.
+
+Reference trace:
+
+ mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned?
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 140216067 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]
+ Code: [...]
+ RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246
+ RAX: ffffffffc1a21a60 RBX: ffffffff899567a0 RCX: 0000000000000000
+ RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ff1bda1f7c21e800 R08: 0000000000000000 R09: ff1c823ac2307670
+ R10: ff1c823ac2307668 R11: ffffffff8a9e7b68 R12: 0000000000000000
+ R13: 0000000000000000 R14: ff1bda1f43e341a0 R15: 00000000ffffffea
+ FS: 00007f56eba7c740(0000) GS:ff1bda269f800000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 0000000104d90001 CR4: 0000000000771ef0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+
+ ? show_trace_log_lvl+0x1c4/0x2df
+ ? show_trace_log_lvl+0x1c4/0x2df
+ ? mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]
+ ? __die_body.cold+0x8/0xd
+ ? page_fault_oops+0x134/0x170
+ ? __irq_work_queue_local+0x2b/0xc0
+ ? irq_work_queue+0x2c/0x50
+ ? exc_page_fault+0x62/0x150
+ ? asm_exc_page_fault+0x22/0x30
+ ? __pfx_mlx5_vdpa_free+0x10/0x10 [mlx5_vdpa]
+ ? vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]
+ mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]
+ vdpa_release_dev+0x1e/0x50 [vdpa]
+ device_release+0x31/0x90
+ kobject_cleanup+0x37/0x130
+ mlx5_vdpa_dev_add+0x2d2/0x7a0 [mlx5_vdpa]
+ vdpa_nl_cmd_dev_add_set_doit+0x277/0x4c0 [vdpa]
+ genl_family_rcv_msg_doit+0xd9/0x130
+ genl_family_rcv_msg+0x14d/0x220
+ ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]
+ ? _copy_to_user+0x1a/0x30
+ ? move_addr_to_user+0x4b/0xe0
+ genl_rcv_msg+0x47/0xa0
+ ? __import_iovec+0x46/0x150
+ ? __pfx_genl_rcv_msg+0x10/0x10
+ netlink_rcv_skb+0x54/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x245/0x370
+ netlink_sendmsg+0x206/0x440
+ __sys_sendto+0x1dc/0x1f0
+ ? do_read_fault+0x10c/0x1d0
+ ? do_pte_missing+0x10d/0x190
+ __x64_sys_sendto+0x20/0x30
+ do_syscall_64+0x5c/0xf0
+ ? __count_memcg_events+0x4f/0xb0
+ ? mm_account_fault+0x6c/0x100
+ ? handle_mm_fault+0x116/0x270
+ ? do_user_addr_fault+0x1d6/0x6a0
+ ? do_syscall_64+0x6b/0xf0
+ ? clear_bhb_loop+0x25/0x80
+ ? clear_bhb_loop+0x25/0x80
+ ? clear_bhb_loop+0x25/0x80
+ ? clear_bhb_loop+0x25/0x80
+ ? clear_bhb_loop+0x25/0x80
+ entry_SYSCALL_64_after_hwframe+0x78/0x80
+
+Fixes: 512c0cdd80c1 ("vdpa/mlx5: Decouple cvq iotlb handling from hw mapping code")
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Message-Id: <20240827160808.2448017-2-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/mlx5/core/mr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/vdpa/mlx5/core/mr.c b/drivers/vdpa/mlx5/core/mr.c
+index 4758914ccf860..bf56f3d696253 100644
+--- a/drivers/vdpa/mlx5/core/mr.c
++++ b/drivers/vdpa/mlx5/core/mr.c
+@@ -581,6 +581,9 @@ static void mlx5_vdpa_show_mr_leaks(struct mlx5_vdpa_dev *mvdev)
+
+ void mlx5_vdpa_destroy_mr_resources(struct mlx5_vdpa_dev *mvdev)
+ {
++ if (!mvdev->res.valid)
++ return;
++
+ for (int i = 0; i < MLX5_VDPA_NUM_AS; i++)
+ mlx5_vdpa_update_mr(mvdev, NULL, i);
+
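Review bot: The new early return in mlx5_vdpa_destroy_mr_resources() is silent about why `res.valid` is the right condition for skipping mr teardown. The commit message explains that error paths of mlx5_vdpa_dev_add() can reach this function before the mr resources were initialised, but a reader of the code only sees a flag that, by its name, tracks the device resources rather than the mr state. A short comment would keep the guard from being removed or reordered later, e.g. `/* Reached from mlx5_vdpa_dev_add() error paths before mr resources exist; nothing to release then. */`. The rest of the function is outside the hunk.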
+--
+2.43.0
+
--- /dev/null
+From 76fe84d1b214e45bbd31d17d1ebf710217cefcc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 11:19:00 +0800
+Subject: vhost_vdpa: assign irq bypass producer token correctly
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 02e9e9366fefe461719da5d173385b6685f70319 ]
+
+We used to call irq_bypass_unregister_producer() in
+vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the
+token pointer is still valid or not.
+
+Actually, we use the eventfd_ctx as the token so the life cycle of the
+token should be bound to the VHOST_SET_VRING_CALL instead of
+vhost_vdpa_setup_vq_irq() which could be called by set_status().
+
+Fixing this by setting up irq bypass producer's token when handling
+VHOST_SET_VRING_CALL and un-registering the producer before calling
+vhost_vring_ioctl() to prevent a possible use after free as eventfd
+could have been released in vhost_vring_ioctl(). And such registering
+and unregistering will only be done if DRIVER_OK is set.
+
+Reported-by: Dragos Tatulea <dtatulea@nvidia.com>
+Tested-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Fixes: 2cf1ba9a4d15 ("vhost_vdpa: implement IRQ offloading in vhost_vdpa")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20240816031900.18013-1-jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vdpa.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
+index 6b9c12acf4381..b3d2a53f9bb77 100644
+--- a/drivers/vhost/vdpa.c
++++ b/drivers/vhost/vdpa.c
+@@ -209,11 +209,9 @@ static void vhost_vdpa_setup_vq_irq(struct vhost_vdpa *v, u16 qid)
+ if (irq < 0)
+ return;
+
+- irq_bypass_unregister_producer(&vq->call_ctx.producer);
+ if (!vq->call_ctx.ctx)
+ return;
+
+- vq->call_ctx.producer.token = vq->call_ctx.ctx;
+ vq->call_ctx.producer.irq = irq;
+ ret = irq_bypass_register_producer(&vq->call_ctx.producer);
+ if (unlikely(ret))
+@@ -709,6 +707,14 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd,
+ vq->last_avail_idx = vq_state.split.avail_index;
+ }
+ break;
++ case VHOST_SET_VRING_CALL:
++ if (vq->call_ctx.ctx) {
++ if (ops->get_status(vdpa) &
++ VIRTIO_CONFIG_S_DRIVER_OK)
++ vhost_vdpa_unsetup_vq_irq(v, idx);
++ vq->call_ctx.producer.token = NULL;
++ }
++ break;
+ }
+
+ r = vhost_vring_ioctl(&v->vdev, cmd, argp);
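Review bot: In the new `case VHOST_SET_VRING_CALL:` the producer is unregistered and `producer.token` is cleared before `vhost_vring_ioctl()` runs, and nothing visible restores them if that call fails. The error handling after `vhost_vring_ioctl()` is outside the hunk, so this is inferred: if the ioctl returns an error without replacing `vq->call_ctx.ctx`, the old eventfd stays in use while the token is NULL and irq bypass stays off until the next successful VHOST_SET_VRING_CALL. The later hunk at `cb.trigger = vq->call_ctx.ctx;` re-registers only on the success path. Either restore the token and call `vhost_vdpa_setup_vq_irq(v, idx)` when the ioctl fails with DRIVER_OK set, or state that the degradation is intended with a comment such as `/* on failure irq bypass stays off; the eventfd path still delivers the interrupt */`.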
+@@ -747,13 +753,16 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd,
+ cb.callback = vhost_vdpa_virtqueue_cb;
+ cb.private = vq;
+ cb.trigger = vq->call_ctx.ctx;
++ vq->call_ctx.producer.token = vq->call_ctx.ctx;
++ if (ops->get_status(vdpa) &
++ VIRTIO_CONFIG_S_DRIVER_OK)
++ vhost_vdpa_setup_vq_irq(v, idx);
+ } else {
+ cb.callback = NULL;
+ cb.private = NULL;
+ cb.trigger = NULL;
+ }
+ ops->set_vq_cb(vdpa, idx, &cb);
+- vhost_vdpa_setup_vq_irq(v, idx);
+ break;
+
+ case VHOST_SET_VRING_NUM:
+@@ -1421,6 +1430,7 @@ static int vhost_vdpa_open(struct inode *inode, struct file *filep)
+ for (i = 0; i < nvqs; i++) {
+ vqs[i] = &v->vqs[i];
+ vqs[i]->handle_kick = handle_vq_kick;
++ vqs[i]->call_ctx.ctx = NULL;
+ }
+ vhost_dev_init(dev, vqs, nvqs, 0, 0, 0, false,
+ vhost_vdpa_process_iotlb_msg);
+--
+2.43.0
+
--- /dev/null
+From c5fbbd9c262a683e254c40f2d80fbe442e3aaf43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 16:13:51 +0800
+Subject: virtio_net: Fix mismatched buf address when unmapping for small
+ packets
+
+From: Wenbo Li <liwenbo.martin@bytedance.com>
+
+[ Upstream commit c11a49d58ad229a1be1ebe08a2b68fedf83db6c8 ]
+
+Currently, the virtio-net driver will perform a pre-dma-mapping for
+small or mergeable RX buffer. But for small packets, a mismatched address
+without VIRTNET_RX_PAD and xdp_headroom is used for unmapping.
+
+That will result in unsynchronized buffers when SWIOTLB is enabled, for
+example, when running as a TDX guest.
+
+This patch unifies the address passed to the virtio core as the address of
+the virtnet header and fixes the mismatched buffer address.
+
+Changes from v2: unify the buf that passed to the virtio core in small
+and merge mode.
+Changes from v1: Use ctx to get xdp_headroom.
+
+Fixes: 295525e29a5b ("virtio_net: merge dma operations when filling mergeable buffers")
+Signed-off-by: Wenbo Li <liwenbo.martin@bytedance.com>
+Signed-off-by: Jiahui Cen <cenjiahui@bytedance.com>
+Signed-off-by: Ying Fang <fangying.tommy@bytedance.com>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Link: https://patch.msgid.link/20240919081351.51772-1-liwenbo.martin@bytedance.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 21bd0c127b05a..0b1630bb173a5 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1439,6 +1439,11 @@ static struct sk_buff *receive_small(struct net_device *dev,
+ struct page *page = virt_to_head_page(buf);
+ struct sk_buff *skb;
+
++ /* We passed the address of virtnet header to virtio-core,
++ * so truncate the padding.
++ */
++ buf -= VIRTNET_RX_PAD + xdp_headroom;
++
+ len -= vi->hdr_len;
+ u64_stats_add(&stats->bytes, len);
+
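Review bot: The added comment in receive_small() says "truncate the padding", but `buf -= VIRTNET_RX_PAD + xdp_headroom;` does the opposite of truncating: it steps `buf` back from the virtnet header to the start of the buffer, undoing the `buf += VIRTNET_RX_PAD + xdp_headroom;` in the add_recvbuf_small() hunk. The arithmetic is only correct if `xdp_headroom` here is the same value that was used when the buffer was posted; where it comes from is outside the hunk. I would reword the comment to say so, e.g. `/* buf is the virtnet header address given to virtio core in add_recvbuf_small(); step back over pad + headroom (same xdp_headroom as at post time) to the buffer start */`.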
+@@ -2029,8 +2034,9 @@ static int add_recvbuf_small(struct virtnet_info *vi, struct receive_queue *rq,
+ if (unlikely(!buf))
+ return -ENOMEM;
+
+- virtnet_rq_init_one_sg(rq, buf + VIRTNET_RX_PAD + xdp_headroom,
+- vi->hdr_len + GOOD_PACKET_LEN);
++ buf += VIRTNET_RX_PAD + xdp_headroom;
++
++ virtnet_rq_init_one_sg(rq, buf, vi->hdr_len + GOOD_PACKET_LEN);
+
+ err = virtqueue_add_inbuf_ctx(rq->vq, rq->sg, 1, buf, ctx, gfp);
+ if (err < 0) {
+--
+2.43.0
+
--- /dev/null
+From c22506d4163fcb25b1953df05aaeeaa8e3668c2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 14:18:45 +0200
+Subject: watchdog: imx_sc_wdt: Don't disable WDT in suspend
+
+From: Jonas Blixt <jonas.blixt@actia.se>
+
+[ Upstream commit 2d9d6d300fb0a4ae4431bb308027ac9385746d42 ]
+
+Parts of the suspend and resume chain is left unprotected if we disable
+the WDT here.
+
+>From experiments we can see that the SCU disables and re-enables the WDT
+when we enter and leave suspend to ram. By not touching the WDT here we
+are protected by the WDT all the way to the SCU.
+
+Signed-off-by: Jonas Blixt <jonas.blixt@actia.se>
+CC: Anson Huang <anson.huang@nxp.com>
+Fixes: 986857acbc9a ("watchdog: imx_sc: Add i.MX system controller watchdog support")
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20240801121845.1465765-1-jonas.blixt@actia.se
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/imx_sc_wdt.c | 24 ------------------------
+ 1 file changed, 24 deletions(-)
+
+diff --git a/drivers/watchdog/imx_sc_wdt.c b/drivers/watchdog/imx_sc_wdt.c
+index e51fe1b78518f..d73076b686d8c 100644
+--- a/drivers/watchdog/imx_sc_wdt.c
++++ b/drivers/watchdog/imx_sc_wdt.c
+@@ -216,29 +216,6 @@ static int imx_sc_wdt_probe(struct platform_device *pdev)
+ return devm_watchdog_register_device(dev, wdog);
+ }
+
+-static int __maybe_unused imx_sc_wdt_suspend(struct device *dev)
+-{
+- struct imx_sc_wdt_device *imx_sc_wdd = dev_get_drvdata(dev);
+-
+- if (watchdog_active(&imx_sc_wdd->wdd))
+- imx_sc_wdt_stop(&imx_sc_wdd->wdd);
+-
+- return 0;
+-}
+-
+-static int __maybe_unused imx_sc_wdt_resume(struct device *dev)
+-{
+- struct imx_sc_wdt_device *imx_sc_wdd = dev_get_drvdata(dev);
+-
+- if (watchdog_active(&imx_sc_wdd->wdd))
+- imx_sc_wdt_start(&imx_sc_wdd->wdd);
+-
+- return 0;
+-}
+-
+-static SIMPLE_DEV_PM_OPS(imx_sc_wdt_pm_ops,
+- imx_sc_wdt_suspend, imx_sc_wdt_resume);
+-
+ static const struct of_device_id imx_sc_wdt_dt_ids[] = {
+ { .compatible = "fsl,imx-sc-wdt", },
+ { /* sentinel */ }
+@@ -250,7 +227,6 @@ static struct platform_driver imx_sc_wdt_driver = {
+ .driver = {
+ .name = "imx-sc-wdt",
+ .of_match_table = imx_sc_wdt_dt_ids,
+- .pm = &imx_sc_wdt_pm_ops,
+ },
+ };
+ module_platform_driver(imx_sc_wdt_driver);
+--
+2.43.0
+
--- /dev/null
+From 51a9782a92903051d2cbc86257512785eaa34c73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 17:40:49 +0300
+Subject: wifi: ath11k: use work queue to process beacon tx event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kang Yang <quic_kangyang@quicinc.com>
+
+[ Upstream commit 177b49dbf9c1d8f9f25a22ffafa416fc2c8aa6a3 ]
+
+Commit 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template")
+from Feb 28, 2024 (linux-next), leads to the following Smatch static
+checker warning:
+
+drivers/net/wireless/ath/ath11k/wmi.c:1742 ath11k_wmi_p2p_go_bcn_ie()
+warn: sleeping in atomic context
+
+The reason is that ath11k_bcn_tx_status_event() will directly call might
+sleep function ath11k_wmi_cmd_send() during RCU read-side critical
+sections. The call trace is like:
+
+ath11k_bcn_tx_status_event()
+-> rcu_read_lock()
+-> ath11k_mac_bcn_tx_event()
+ -> ath11k_mac_setup_bcn_tmpl()
+ ……
+ -> ath11k_wmi_bcn_tmpl()
+ -> ath11k_wmi_cmd_send()
+-> rcu_read_unlock()
+
+Commit 886433a98425 ("ath11k: add support for BSS color change") added the
+ath11k_mac_bcn_tx_event(), commit 01e782c89108 ("ath11k: fix warning
+of RCU usage for ath11k_mac_get_arvif_by_vdev_id()") added the RCU lock
+to avoid warning but also introduced this BUG.
+
+Use work queue to avoid directly calling ath11k_mac_bcn_tx_event()
+during RCU critical sections. No need to worry about the deletion of vif
+because cancel_work_sync() will drop the work if it doesn't start or
+block vif deletion until the running work is done.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
+
+Fixes: 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/2d277abd-5e7b-4da0-80e0-52bd96337f6e@moroto.mountain/
+Signed-off-by: Kang Yang <quic_kangyang@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240626053543.1946-1-quic_kangyang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h | 1 +
+ drivers/net/wireless/ath/ath11k/mac.c | 12 ++++++++++++
+ drivers/net/wireless/ath/ath11k/wmi.c | 4 +++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index 141ba4487cb42..9d2d3a86abf17 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -396,6 +396,7 @@ struct ath11k_vif {
+ u8 bssid[ETH_ALEN];
+ struct cfg80211_bitrate_mask bitrate_mask;
+ struct delayed_work connection_loss_work;
++ struct work_struct bcn_tx_work;
+ int num_legacy_stations;
+ int rtscts_prot_mode;
+ int txpower;
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index eaa53bc39ab2c..74719cb78888b 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -6599,6 +6599,16 @@ static int ath11k_mac_vdev_delete(struct ath11k *ar, struct ath11k_vif *arvif)
+ return ret;
+ }
+
++static void ath11k_mac_bcn_tx_work(struct work_struct *work)
++{
++ struct ath11k_vif *arvif = container_of(work, struct ath11k_vif,
++ bcn_tx_work);
++
++ mutex_lock(&arvif->ar->conf_mutex);
++ ath11k_mac_bcn_tx_event(arvif);
++ mutex_unlock(&arvif->ar->conf_mutex);
++}
++
+ static int ath11k_mac_op_add_interface(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif)
+ {
+@@ -6637,6 +6647,7 @@ static int ath11k_mac_op_add_interface(struct ieee80211_hw *hw,
+ arvif->vif = vif;
+
+ INIT_LIST_HEAD(&arvif->list);
++ INIT_WORK(&arvif->bcn_tx_work, ath11k_mac_bcn_tx_work);
+ INIT_DELAYED_WORK(&arvif->connection_loss_work,
+ ath11k_mac_vif_sta_connection_loss_work);
+
+@@ -6879,6 +6890,7 @@ static void ath11k_mac_op_remove_interface(struct ieee80211_hw *hw,
+ int i;
+
+ cancel_delayed_work_sync(&arvif->connection_loss_work);
++ cancel_work_sync(&arvif->bcn_tx_work);
+
+ mutex_lock(&ar->conf_mutex);
+
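Review bot: `cancel_work_sync(&arvif->bcn_tx_work)` runs at the top of ath11k_mac_op_remove_interface(), before `conf_mutex` is taken and, as far as this hunk shows, before the interface is torn down. ath11k_bcn_tx_status_event() in the wmi.c hunk calls `queue_work()` whenever it still finds the arvif, so a beacon tx status event arriving after the cancel could queue `bcn_tx_work` again on an arvif that is about to go away, and the work handler would then dereference `arvif->ar`. Whether something later in the function closes that window is not visible, because the rest of the body is outside the hunk. I would cancel the work again once the arvif can no longer be looked up, or document the ordering that makes a late queue impossible with a comment at this call.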
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 6ff01c45f1659..f50a4c0d4b2ba 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -7404,7 +7404,9 @@ static void ath11k_bcn_tx_status_event(struct ath11k_base *ab, struct sk_buff *s
+ rcu_read_unlock();
+ return;
+ }
+- ath11k_mac_bcn_tx_event(arvif);
++
++ queue_work(ab->workqueue, &arvif->bcn_tx_work);
++
+ rcu_read_unlock();
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 6f19ab4ecafb7e9cdda012d446f2a82bfde07720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Apr 2024 00:02:31 +0530
+Subject: wifi: ath12k: fix BSS chan info request WMI command
+
+From: P Praneesh <quic_ppranees@quicinc.com>
+
+[ Upstream commit 59529c982f85047650fd473db903b23006a796c6 ]
+
+Currently, the firmware returns incorrect pdev_id information in
+WMI_PDEV_BSS_CHAN_INFO_EVENTID, leading to incorrect filling of
+the pdev's survey information.
+
+To prevent this issue, when requesting BSS channel information
+through WMI_PDEV_BSS_CHAN_INFO_REQUEST_CMDID, firmware expects
+pdev_id as one of the arguments in this WMI command.
+
+Add pdev_id to the struct wmi_pdev_bss_chan_info_req_cmd and fill it
+during ath12k_wmi_pdev_bss_chan_info_request(). This resolves the
+issue of sending the correct pdev_id in WMI_PDEV_BSS_CHAN_INFO_EVENTID.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
+Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240331183232.2158756-2-quic_kathirve@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 1 +
+ drivers/net/wireless/ath/ath12k/wmi.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index ef775af25093c..55230dd00d0c7 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -1528,6 +1528,7 @@ int ath12k_wmi_pdev_bss_chan_info_request(struct ath12k *ar,
+ cmd->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_PDEV_BSS_CHAN_INFO_REQUEST,
+ sizeof(*cmd));
+ cmd->req_type = cpu_to_le32(type);
++ cmd->pdev_id = cpu_to_le32(ar->pdev->pdev_id);
+
+ ath12k_dbg(ar->ab, ATH12K_DBG_WMI,
+ "WMI bss chan info req type %d\n", type);
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.h b/drivers/net/wireless/ath/ath12k/wmi.h
+index 742fe0b36cf20..e26fe504ce28b 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.h
++++ b/drivers/net/wireless/ath/ath12k/wmi.h
+@@ -3104,6 +3104,7 @@ struct wmi_pdev_bss_chan_info_req_cmd {
+ __le32 tlv_header;
+ /* ref wmi_bss_chan_info_req_type */
+ __le32 req_type;
++ __le32 pdev_id;
+ } __packed;
+
+ struct wmi_ap_ps_peer_cmd {
+--
+2.43.0
+
--- /dev/null
+From 5a7fde34fede8e3f5afb8cf404028bb232003fb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jul 2024 10:18:19 +0800
+Subject: wifi: ath12k: fix invalid AMPDU factor calculation in
+ ath12k_peer_assoc_h_he()
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit a66de2d0f22b1740f3f9777776ad98c4bee62dff ]
+
+Currently ampdu_factor is wrongly calculated in ath12k_peer_assoc_h_he(), fix it.
+
+This is found during code review.
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240710021819.87216-1-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index 7037004ce9771..818ee74cf7a05 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -1948,9 +1948,8 @@ static void ath12k_peer_assoc_h_he(struct ath12k *ar,
+ * request, then use MAX_AMPDU_LEN_FACTOR as 16 to calculate max_ampdu
+ * length.
+ */
+- ampdu_factor = (he_cap->he_cap_elem.mac_cap_info[3] &
+- IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK) >>
+- IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK;
++ ampdu_factor = u8_get_bits(he_cap->he_cap_elem.mac_cap_info[3],
++ IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK);
+
+ if (ampdu_factor) {
+ if (sta->deflink.vht_cap.vht_supported)
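Review bot: The `if (ampdu_factor)` branch below now acts on a value taken from the peer's HE capabilities, and its body lies outside this hunk, so it needs a second look as part of this fix. The removed expression used `IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK` as the shift count as well as the mask, so it did not yield the field, and this branch has probably had little exercise until now. `u8_get_bits()` bounds the result to the width of the mask, but it is worth confirming that the A-MPDU length derived from it in the branch stays within what the peer-assoc command accepts. A short comment such as `/* peer-supplied; bounded by the width of MAX_AMPDU_LEN_EXP_MASK */` above the assignment would record that assumption.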
+--
+2.43.0
+
--- /dev/null
+From 9af64cb27fed9460e75ca372f615680a6b09a9da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Apr 2024 00:02:32 +0530
+Subject: wifi: ath12k: match WMI BSS chan info structure with firmware
+ definition
+
+From: P Praneesh <quic_ppranees@quicinc.com>
+
+[ Upstream commit dd98d54db29fb553839f43ade5f547baa93392c8 ]
+
+struct wmi_pdev_bss_chan_info_event is not similar to the firmware
+struct definition, this will cause some random failures.
+
+Fix by matching the struct wmi_pdev_bss_chan_info_event with the
+firmware structure definition.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
+Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240331183232.2158756-3-quic_kathirve@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.h b/drivers/net/wireless/ath/ath12k/wmi.h
+index e26fe504ce28b..e947d646353c3 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.h
++++ b/drivers/net/wireless/ath/ath12k/wmi.h
+@@ -4054,7 +4054,6 @@ struct wmi_vdev_stopped_event {
+ } __packed;
+
+ struct wmi_pdev_bss_chan_info_event {
+- __le32 pdev_id;
+ __le32 freq; /* Units in MHz */
+ __le32 noise_floor; /* units are dBm */
+ /* rx clear - how often the channel was unused */
+@@ -4072,6 +4071,7 @@ struct wmi_pdev_bss_chan_info_event {
+ /*rx_cycle cnt for my bss in 64bits format */
+ __le32 rx_bss_cycle_count_low;
+ __le32 rx_bss_cycle_count_high;
++ __le32 pdev_id;
+ } __packed;
+
+ #define WMI_VDEV_INSTALL_KEY_COMPL_STATUS_SUCCESS 0
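Review bot: Moving `pdev_id` to the end of `struct wmi_pdev_bss_chan_info_event` makes it the field most exposed to a short event, because a payload that lacks the trailing word would have the driver read `pdev_id` past the end of the TLV. The parser for this event is outside the hunk, so I cannot tell whether the TLV length is checked against `sizeof(struct wmi_pdev_bss_chan_info_event)` before the fields are read; if it is not, that check belongs with this change. A member comment such as `__le32 pdev_id; /* last field, per firmware layout */` would also keep the ordering from being "tidied" back later.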
+--
+2.43.0
+
--- /dev/null
+From ed7375f13133d0df789e03bc06234f55b905deba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 13:02:22 +0200
+Subject: wifi: ath9k: Remove error checks when creating debugfs entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit f6ffe7f0184792c2f99aca6ae5b916683973d7d3 ]
+
+We should not be checking the return values from debugfs creation at all: the
+debugfs functions are designed to handle errors of previously called functions
+and just transparently abort the creation of debugfs entries when debugfs is
+disabled. If we check the return value and abort driver initialisation, we break
+the driver if debugfs is disabled (such as when booting with debugfs=off).
+
+Earlier versions of ath9k accidentally did the right thing by checking the
+return value, but only for NULL, not for IS_ERR(). This was "fixed" by the two
+commits referenced below, breaking ath9k with debugfs=off starting from the 6.6
+kernel (as reported in the Bugzilla linked below).
+
+Restore functionality by just getting rid of the return value check entirely.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219122
+Fixes: 1e4134610d93 ("wifi: ath9k: use IS_ERR() with debugfs_create_dir()")
+Fixes: 6edb4ba6fb5b ("wifi: ath9k: fix parameter check in ath9k_init_debug()")
+Reported-by: Daniel Tobias <dan.g.tob@gmail.com>
+Tested-by: Daniel Tobias <dan.g.tob@gmail.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240805110225.19690-1-toke@toke.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/debug.c | 2 --
+ drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
+index d84e3ee7b5d90..bf3da631c69fd 100644
+--- a/drivers/net/wireless/ath/ath9k/debug.c
++++ b/drivers/net/wireless/ath/ath9k/debug.c
+@@ -1380,8 +1380,6 @@ int ath9k_init_debug(struct ath_hw *ah)
+
+ sc->debug.debugfs_phy = debugfs_create_dir("ath9k",
+ sc->hw->wiphy->debugfsdir);
+- if (IS_ERR(sc->debug.debugfs_phy))
+- return -ENOMEM;
+
+ #ifdef CONFIG_ATH_DEBUG
+ debugfs_create_file("debug", 0600, sc->debug.debugfs_phy,
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+index f7c6d9bc93119..9437d69877cc5 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+@@ -486,8 +486,6 @@ int ath9k_htc_init_debug(struct ath_hw *ah)
+
+ priv->debug.debugfs_phy = debugfs_create_dir(KBUILD_MODNAME,
+ priv->hw->wiphy->debugfsdir);
+- if (IS_ERR(priv->debug.debugfs_phy))
+- return -ENOMEM;
+
+ ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy);
+
+--
+2.43.0
+
--- /dev/null
+From 5379760d2a00ff21f9ca463e769f8354883e0878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Jul 2024 20:56:17 +0200
+Subject: wifi: brcmfmac: introducing fwil query functions
+
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+
+[ Upstream commit c6002b6c05f3edfa12fd25990cc637281f200442 ]
+
+When the firmware interface layer was refactored it provided various
+"get" and "set" functions. For the "get" in some cases a parameter
+needed to be passed down to firmware as a key indicating what to
+"get" turning the output parameter of the "get" function into an
+input parameter as well. To accommodate this the "get" function blindly
+copies the parameter which in some places resulted in an uninitialized
+warnings from the compiler. These have been fixed by initializing the
+input parameter in the past. Recently another batch of similar fixes
+were submitted to address clang static checker warnings [1].
+
+Proposing another solution by introducing a "query" variant which is used
+when the (input) parameter is needed by firmware. The "get" variant will
+only fill the (output) parameter with the result received from firmware
+taking care of proper endianess conversion.
+
+[1] https://lore.kernel.org/all/20240702122450.2213833-1-suhui@nfschina.com/
+
+Fixes: 81f5dcb80830 ("brcmfmac: refactor firmware interface layer.")
+Reported-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240727185617.253210-1-arend.vanspriel@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmfmac/btcoex.c | 2 +-
+ .../broadcom/brcm80211/brcmfmac/cfg80211.c | 30 +++++++-------
+ .../broadcom/brcm80211/brcmfmac/core.c | 2 +-
+ .../broadcom/brcm80211/brcmfmac/feature.c | 2 +-
+ .../broadcom/brcm80211/brcmfmac/fwil.h | 40 ++++++++++++++-----
+ 5 files changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+index 7ea2631b80692..00794086cc7c9 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+@@ -123,7 +123,7 @@ static s32 brcmf_btcoex_params_read(struct brcmf_if *ifp, u32 addr, u32 *data)
+ {
+ *data = addr;
+
+- return brcmf_fil_iovar_int_get(ifp, "btc_params", data);
++ return brcmf_fil_iovar_int_query(ifp, "btc_params", data);
+ }
+
+ /**
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 826b768196e28..ccc069ae5e9d8 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -663,8 +663,8 @@ static int brcmf_cfg80211_request_sta_if(struct brcmf_if *ifp, u8 *macaddr)
+ /* interface_create version 3+ */
+ /* get supported version from firmware side */
+ iface_create_ver = 0;
+- err = brcmf_fil_bsscfg_int_get(ifp, "interface_create",
+- &iface_create_ver);
++ err = brcmf_fil_bsscfg_int_query(ifp, "interface_create",
++ &iface_create_ver);
+ if (err) {
+ brcmf_err("fail to get supported version, err=%d\n", err);
+ return -EOPNOTSUPP;
+@@ -756,8 +756,8 @@ static int brcmf_cfg80211_request_ap_if(struct brcmf_if *ifp)
+ /* interface_create version 3+ */
+ /* get supported version from firmware side */
+ iface_create_ver = 0;
+- err = brcmf_fil_bsscfg_int_get(ifp, "interface_create",
+- &iface_create_ver);
++ err = brcmf_fil_bsscfg_int_query(ifp, "interface_create",
++ &iface_create_ver);
+ if (err) {
+ brcmf_err("fail to get supported version, err=%d\n", err);
+ return -EOPNOTSUPP;
+@@ -2101,7 +2101,8 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
+ if (!sme->crypto.n_akm_suites)
+ return 0;
+
+- err = brcmf_fil_bsscfg_int_get(netdev_priv(ndev), "wpa_auth", &val);
++ err = brcmf_fil_bsscfg_int_get(netdev_priv(ndev),
++ "wpa_auth", &val);
+ if (err) {
+ bphy_err(drvr, "could not get wpa_auth (%d)\n", err);
+ return err;
+@@ -2680,7 +2681,7 @@ brcmf_cfg80211_get_tx_power(struct wiphy *wiphy, struct wireless_dev *wdev,
+ struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
+ struct brcmf_cfg80211_vif *vif = wdev_to_vif(wdev);
+ struct brcmf_pub *drvr = cfg->pub;
+- s32 qdbm = 0;
++ s32 qdbm;
+ s32 err;
+
+ brcmf_dbg(TRACE, "Enter\n");
+@@ -3067,7 +3068,7 @@ brcmf_cfg80211_get_station_ibss(struct brcmf_if *ifp,
+ struct brcmf_scb_val_le scbval;
+ struct brcmf_pktcnt_le pktcnt;
+ s32 err;
+- u32 rate = 0;
++ u32 rate;
+ u32 rssi;
+
+ /* Get the current tx rate */
+@@ -7046,8 +7047,8 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg,
+ ch.bw = BRCMU_CHAN_BW_20;
+ cfg->d11inf.encchspec(&ch);
+ chaninfo = ch.chspec;
+- err = brcmf_fil_bsscfg_int_get(ifp, "per_chan_info",
+- &chaninfo);
++ err = brcmf_fil_bsscfg_int_query(ifp, "per_chan_info",
++ &chaninfo);
+ if (!err) {
+ if (chaninfo & WL_CHAN_RADAR)
+ channel->flags |=
+@@ -7081,7 +7082,7 @@ static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg)
+
+ /* verify support for bw_cap command */
+ val = WLC_BAND_5G;
+- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &val);
++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &val);
+
+ if (!err) {
+ /* only set 2G bandwidth using bw_cap command */
+@@ -7157,11 +7158,11 @@ static void brcmf_get_bwcap(struct brcmf_if *ifp, u32 bw_cap[])
+ int err;
+
+ band = WLC_BAND_2G;
+- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &band);
++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &band);
+ if (!err) {
+ bw_cap[NL80211_BAND_2GHZ] = band;
+ band = WLC_BAND_5G;
+- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &band);
++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &band);
+ if (!err) {
+ bw_cap[NL80211_BAND_5GHZ] = band;
+ return;
+@@ -7170,7 +7171,6 @@ static void brcmf_get_bwcap(struct brcmf_if *ifp, u32 bw_cap[])
+ return;
+ }
+ brcmf_dbg(INFO, "fallback to mimo_bw_cap info\n");
+- mimo_bwcap = 0;
+ err = brcmf_fil_iovar_int_get(ifp, "mimo_bw_cap", &mimo_bwcap);
+ if (err)
+ /* assume 20MHz if firmware does not give a clue */
+@@ -7266,10 +7266,10 @@ static int brcmf_setup_wiphybands(struct brcmf_cfg80211_info *cfg)
+ struct brcmf_pub *drvr = cfg->pub;
+ struct brcmf_if *ifp = brcmf_get_ifp(drvr, 0);
+ struct wiphy *wiphy = cfg_to_wiphy(cfg);
+- u32 nmode = 0;
++ u32 nmode;
+ u32 vhtmode = 0;
+ u32 bw_cap[2] = { WLC_BW_20MHZ_BIT, WLC_BW_20MHZ_BIT };
+- u32 rxchain = 0;
++ u32 rxchain;
+ u32 nchain;
+ int err;
+ s32 i;
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index bf91b1e1368f0..df53dd1d7e748 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -691,7 +691,7 @@ static int brcmf_net_mon_open(struct net_device *ndev)
+ {
+ struct brcmf_if *ifp = netdev_priv(ndev);
+ struct brcmf_pub *drvr = ifp->drvr;
+- u32 monitor = 0;
++ u32 monitor;
+ int err;
+
+ brcmf_dbg(TRACE, "Enter\n");
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+index f23310a77a5d1..0d9ae197fa1ec 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -184,7 +184,7 @@ static void brcmf_feat_wlc_version_overrides(struct brcmf_pub *drv)
+ static void brcmf_feat_iovar_int_get(struct brcmf_if *ifp,
+ enum brcmf_feat_id id, char *name)
+ {
+- u32 data = 0;
++ u32 data;
+ int err;
+
+ /* we need to know firmware error */
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
+index a315a7fac6a06..31e080e4da669 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
+@@ -96,15 +96,22 @@ static inline
+ s32 brcmf_fil_cmd_int_get(struct brcmf_if *ifp, u32 cmd, u32 *data)
+ {
+ s32 err;
+- __le32 data_le = cpu_to_le32(*data);
+
+- err = brcmf_fil_cmd_data_get(ifp, cmd, &data_le, sizeof(data_le));
++ err = brcmf_fil_cmd_data_get(ifp, cmd, data, sizeof(*data));
+ if (err == 0)
+- *data = le32_to_cpu(data_le);
++ *data = le32_to_cpu(*(__le32 *)data);
+ brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, *data);
+
+ return err;
+ }
++static inline
++s32 brcmf_fil_cmd_int_query(struct brcmf_if *ifp, u32 cmd, u32 *data)
++{
++ __le32 *data_le = (__le32 *)data;
++
++ *data_le = cpu_to_le32(*data);
++ return brcmf_fil_cmd_int_get(ifp, cmd, data);
++}
+
+ s32 brcmf_fil_iovar_data_set(struct brcmf_if *ifp, const char *name,
+ const void *data, u32 len);
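Review bot: `brcmf_fil_cmd_int_get()` now passes the caller's `data` buffer straight to `brcmf_fil_cmd_data_get()`, and the `brcmf_dbg(FIL, ...)` line still prints `*data` when `err` is non-zero, while this same commit drops the `= 0` initialisers from callers (`s32 qdbm;`, `u32 rate;`, `u32 nmode;`, `u32 rxchain;`, `u32 monitor;`, `u32 data;`). For any such caller of this helper, a failed request makes the debug line read an uninitialised variable. If the `*_data_get()` helpers copy the buffer into the request sent to the firmware (their bodies are outside the hunk), a plain "get" also hands four bytes of uninitialised kernel stack to the device. `brcmf_fil_iovar_int_get()` and `brcmf_fil_bsscfg_int_get()` in the next two hunks pass the buffer through in the same way. I would keep the callers' zero initialisers and move the debug print under the existing `if (err == 0)` check.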
+@@ -120,14 +127,21 @@ s32 brcmf_fil_iovar_int_set(struct brcmf_if *ifp, const char *name, u32 data)
+ static inline
+ s32 brcmf_fil_iovar_int_get(struct brcmf_if *ifp, const char *name, u32 *data)
+ {
+- __le32 data_le = cpu_to_le32(*data);
+ s32 err;
+
+- err = brcmf_fil_iovar_data_get(ifp, name, &data_le, sizeof(data_le));
++ err = brcmf_fil_iovar_data_get(ifp, name, data, sizeof(*data));
+ if (err == 0)
+- *data = le32_to_cpu(data_le);
++ *data = le32_to_cpu(*(__le32 *)data);
+ return err;
+ }
++static inline
++s32 brcmf_fil_iovar_int_query(struct brcmf_if *ifp, const char *name, u32 *data)
++{
++ __le32 *data_le = (__le32 *)data;
++
++ *data_le = cpu_to_le32(*data);
++ return brcmf_fil_iovar_int_get(ifp, name, data);
++}
+
+
+ s32 brcmf_fil_bsscfg_data_set(struct brcmf_if *ifp, const char *name,
+@@ -145,15 +159,21 @@ s32 brcmf_fil_bsscfg_int_set(struct brcmf_if *ifp, const char *name, u32 data)
+ static inline
+ s32 brcmf_fil_bsscfg_int_get(struct brcmf_if *ifp, const char *name, u32 *data)
+ {
+- __le32 data_le = cpu_to_le32(*data);
+ s32 err;
+
+- err = brcmf_fil_bsscfg_data_get(ifp, name, &data_le,
+- sizeof(data_le));
++ err = brcmf_fil_bsscfg_data_get(ifp, name, data, sizeof(*data));
+ if (err == 0)
+- *data = le32_to_cpu(data_le);
++ *data = le32_to_cpu(*(__le32 *)data);
+ return err;
+ }
++static inline
++s32 brcmf_fil_bsscfg_int_query(struct brcmf_if *ifp, const char *name, u32 *data)
++{
++ __le32 *data_le = (__le32 *)data;
++
++ *data_le = cpu_to_le32(*data);
++ return brcmf_fil_bsscfg_int_get(ifp, name, data);
++}
+
+ s32 brcmf_fil_xtlv_data_set(struct brcmf_if *ifp, const char *name, u16 id,
+ void *data, u32 len);
+--
+2.43.0
+
--- /dev/null
+From 6cbcebc20e57f32f13e42e7450ff2c661915dd0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 16:22:05 +0800
+Subject: wifi: cfg80211: fix bug of mapping AF3x to incorrect User Priority
+
+From: hhorace <hhoracehsu@gmail.com>
+
+[ Upstream commit a68b22e2905b04f376e2fa116be5e48b948f81c8 ]
+
+According to RFC8325 4.3, Multimedia Streaming: AF31(011010, 26),
+AF32(011100, 28), AF33(011110, 30) maps to User Priority = 4
+and AC_VI (Video).
+
+However, the original code remain the default three Most Significant
+Bits (MSBs) of the DSCP, which makes AF3x map to User Priority = 3
+and AC_BE (Best Effort).
+
+Fixes: 6fdb8b8781d5 ("wifi: cfg80211: Update the default DSCP-to-UP mapping")
+Signed-off-by: hhorace <hhoracehsu@gmail.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20240807082205.1369-1-hhoracehsu@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/util.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index af6ec719567fc..f1193aca79bae 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -998,10 +998,10 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
+ * Diffserv Service Classes no update is needed:
+ * - Standard: DF
+ * - Low Priority Data: CS1
+- * - Multimedia Streaming: AF31, AF32, AF33
+ * - Multimedia Conferencing: AF41, AF42, AF43
+ * - Network Control Traffic: CS7
+ * - Real-Time Interactive: CS4
++ * - Signaling: CS5
+ */
+ switch (dscp >> 2) {
+ case 10:
+@@ -1026,9 +1026,11 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
+ /* Broadcasting video: CS3 */
+ ret = 4;
+ break;
+- case 40:
+- /* Signaling: CS5 */
+- ret = 5;
++ case 26:
++ case 28:
++ case 30:
++ /* Multimedia Streaming: AF31, AF32, AF33 */
++ ret = 4;
+ break;
+ case 44:
+ /* Voice Admit: VA */
+--
+2.43.0
+
--- /dev/null
+From 402783d935fab4e0732296d7dab7dd4088a2ef09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 12:08:06 +0300
+Subject: wifi: cfg80211: fix two more possible UBSAN-detected off-by-one
+ errors
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 15ea13b1b1fbf6364d4cd568e65e4c8479632999 ]
+
+Although not reproduced in practice, these two cases may be
+considered by UBSAN as off-by-one errors. So fix them in the
+same way as in commit a26a5107bc52 ("wifi: cfg80211: fix UBSAN
+noise in cfg80211_wext_siwscan()").
+
+Fixes: 807f8a8c3004 ("cfg80211/nl80211: add support for scheduled scans")
+Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20240909090806.1091956-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 3 ++-
+ net/wireless/sme.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 967bc4935b4ed..e3bf14e489c5d 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -9658,7 +9658,8 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
+ return ERR_PTR(-ENOMEM);
+
+ if (n_ssids)
+- request->ssids = (void *)&request->channels[n_channels];
++ request->ssids = (void *)request +
++ struct_size(request, channels, n_channels);
+ request->n_ssids = n_ssids;
+ if (ie_len) {
+ if (n_ssids)
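Review bot: The `ssids` offset is now derived from `struct_size(request, channels, n_channels)`, but the allocation that must cover it is made earlier in nl80211_parse_sched_scan(), outside this hunk, and this commit does not touch it. The same holds for the sme.c hunk in cfg80211_conn_scan(). The scan.c fix this commit cites converted the `kzalloc()` size to `struct_size()` in the same patch, which keeps the two expressions tied together. If the allocations here still spell the size out by hand, I would build them from the same `struct_size()` term, or at least add `/* offset must match the layout assumed by the allocation above */` at the assignment.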
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 1cfe673bc52f3..4b80af0edbe97 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -115,7 +115,8 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
+ n_channels = i;
+ }
+ request->n_channels = n_channels;
+- request->ssids = (void *)&request->channels[n_channels];
++ request->ssids = (void *)request +
++ struct_size(request, channels, n_channels);
+ request->n_ssids = 1;
+
+ memcpy(request->ssids[0].ssid, wdev->conn->params.ssid,
+--
+2.43.0
+
--- /dev/null
+From de8ca233acd14cabc2812afd7c86c8f3943af5dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 18:04:00 +0300
+Subject: wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ]
+
+Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
+and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the
+following:
+
+[ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25
+[ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]'
+<...skipped...>
+[ T4985] Call Trace:
+[ T4985] <TASK>
+[ T4985] dump_stack_lvl+0x1c2/0x2a0
+[ T4985] ? __pfx_dump_stack_lvl+0x10/0x10
+[ T4985] ? __pfx__printk+0x10/0x10
+[ T4985] __ubsan_handle_out_of_bounds+0x127/0x150
+[ T4985] cfg80211_wext_siwscan+0x11a4/0x1260
+<...the rest is not too useful...>
+
+Even if we do 'creq->n_channels = n_channels' before 'creq->ssids =
+(void *)&creq->channels[n_channels]', UBSAN treats the latter as
+off-by-one error. Fix this by using pointer arithmetic rather than
+an expression with explicit array indexing and use convenient
+'struct_size()' to simplify the math here and in 'kzalloc()' above.
+
+Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reviewed-by: Kees Cook <kees@kernel.org>
+Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru
+[fix coding style for multi-line calculation]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 64c779788a646..44c93b9a9751c 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -3452,8 +3452,8 @@ int cfg80211_wext_siwscan(struct net_device *dev,
+ n_channels = ieee80211_get_num_supported_channels(wiphy);
+ }
+
+- creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
+- n_channels * sizeof(void *),
++ creq = kzalloc(struct_size(creq, channels, n_channels) +
++ sizeof(struct cfg80211_ssid),
+ GFP_ATOMIC);
+ if (!creq)
+ return -ENOMEM;
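Review bot: `struct_size(creq, channels, n_channels) + sizeof(struct cfg80211_ssid)` adds to the result of `struct_size()` with a plain `+`, which discards the overflow protection the helper provides: `struct_size()` saturates at SIZE_MAX on overflow, and the addition then wraps to a small allocation size. `n_channels` is probably bounded by the code above the hunk, so this is hardening rather than a known bug. The usual form is `size_add(struct_size(creq, channels, n_channels), sizeof(struct cfg80211_ssid))`. The `(void *)creq + struct_size(...)` offset in the second hunk is unaffected.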
+@@ -3461,7 +3461,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
+ creq->wiphy = wiphy;
+ creq->wdev = dev->ieee80211_ptr;
+ /* SSIDs come after channels */
+- creq->ssids = (void *)&creq->channels[n_channels];
++ creq->ssids = (void *)creq + struct_size(creq, channels, n_channels);
+ creq->n_channels = n_channels;
+ creq->n_ssids = 1;
+ creq->scan_start = jiffies;
+--
+2.43.0
+
--- /dev/null
+From 2f63013a8e7ec8e10335dfa97c51b0136ce8b126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 20:20:07 +0300
+Subject: wifi: iwlwifi: config: label 'gl' devices as discrete
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8131dd52810dfcdb49fcdc78f5e18e1538b6c441 ]
+
+The 'gl' devices are in the bz family, but they're not,
+integrated, so should have their own trans config struct.
+Fix that, also necessitating the removal of LTR config,
+and while at it remove 0x2727 and 0x272D IDs that were
+only used for test chips.
+
+Fixes: c30a2a64788b ("wifi: iwlwifi: add a new PCI device ID for BZ device")ticket=none
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240729201718.95aed0620080.Ib9129512c95aa57acc9876bdff8b99dd41e1562c@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/cfg/bz.c | 11 +++++++++++
+ drivers/net/wireless/intel/iwlwifi/iwl-config.h | 1 +
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 4 +---
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/cfg/bz.c b/drivers/net/wireless/intel/iwlwifi/cfg/bz.c
+index bc98b87cf2a13..02a95bf72740b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/bz.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/bz.c
+@@ -148,6 +148,17 @@ const struct iwl_cfg_trans_params iwl_bz_trans_cfg = {
+ .ltr_delay = IWL_CFG_TRANS_LTR_DELAY_2500US,
+ };
+
++const struct iwl_cfg_trans_params iwl_gl_trans_cfg = {
++ .device_family = IWL_DEVICE_FAMILY_BZ,
++ .base_params = &iwl_bz_base_params,
++ .mq_rx_supported = true,
++ .rf_id = true,
++ .gen2 = true,
++ .umac_prph_offset = 0x300000,
++ .xtal_latency = 12000,
++ .low_latency_xtal = true,
++};
++
+ const char iwl_bz_name[] = "Intel(R) TBD Bz device";
+ const char iwl_fm_name[] = "Intel(R) Wi-Fi 7 BE201 320MHz";
+ const char iwl_gl_name[] = "Intel(R) Wi-Fi 7 BE200 320MHz";
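Review bot: `iwl_gl_trans_cfg` carries no comment saying how it differs from `iwl_bz_trans_cfg`, and the difference is one of omission, which is easy to undo by accident when the two initialisers are later "synchronised". The commit message says the 'gl' devices are in the Bz family but not integrated and therefore drop the LTR configuration; `iwl_bz_trans_cfg` itself begins above the hunk, so only its `.ltr_delay` line is visible for comparison. I would add a line above the definition such as `/* 'gl' is in the Bz family but discrete: no LTR configuration */`.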
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-config.h b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+index 732889f96ca27..29a28b5c28114 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+@@ -503,6 +503,7 @@ extern const struct iwl_cfg_trans_params iwl_so_long_latency_trans_cfg;
+ extern const struct iwl_cfg_trans_params iwl_so_long_latency_imr_trans_cfg;
+ extern const struct iwl_cfg_trans_params iwl_ma_trans_cfg;
+ extern const struct iwl_cfg_trans_params iwl_bz_trans_cfg;
++extern const struct iwl_cfg_trans_params iwl_gl_trans_cfg;
+ extern const struct iwl_cfg_trans_params iwl_sc_trans_cfg;
+ extern const char iwl9162_name[];
+ extern const char iwl9260_name[];
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index 9863292fddde7..d93eec242204f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -500,9 +500,7 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x7E40, PCI_ANY_ID, iwl_ma_trans_cfg)},
+
+ /* Bz devices */
+- {IWL_PCI_DEVICE(0x2727, PCI_ANY_ID, iwl_bz_trans_cfg)},
+- {IWL_PCI_DEVICE(0x272D, PCI_ANY_ID, iwl_bz_trans_cfg)},
+- {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_gl_trans_cfg)},
+ {IWL_PCI_DEVICE(0xA840, 0x0000, iwl_bz_trans_cfg)},
+ {IWL_PCI_DEVICE(0xA840, 0x0090, iwl_bz_trans_cfg)},
+ {IWL_PCI_DEVICE(0xA840, 0x0094, iwl_bz_trans_cfg)},
+--
+2.43.0
+
--- /dev/null
+From e3404e10bfe371eeb46b0873e6b48ebef326215f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Aug 2024 19:17:11 +0300
+Subject: wifi: iwlwifi: mvm: allow ESR when we the ROC expires
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 76364f3edfde60aa2fa20b578ba9b96797d7bff5 ]
+
+We forgot to release the ROC reason for ESR prevention when the remain
+on channel expires.
+Add this.
+
+Fixes: a1efeb823084 ("wifi: iwlwifi: mvm: Block EMLSR when a p2p/softAP vif is active")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240825191257.8f8765f359cc.I16fcd6198072d422ff36dce68070aafaf011f4c1@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/time-event.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+index 9d681377cbab3..f40d3e59d694a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -107,16 +107,14 @@ static void iwl_mvm_cleanup_roc(struct iwl_mvm *mvm)
+ iwl_mvm_flush_sta(mvm, mvm->aux_sta.sta_id,
+ mvm->aux_sta.tfd_queue_msk);
+
+- if (mvm->mld_api_is_used) {
+- iwl_mvm_mld_rm_aux_sta(mvm);
+- mutex_unlock(&mvm->mutex);
+- return;
+- }
+-
+ /* In newer version of this command an aux station is added only
+ * in cases of dedicated tx queue and need to be removed in end
+- * of use */
+- if (iwl_mvm_has_new_station_api(mvm->fw))
++ * of use. For the even newer mld api, use the appropriate
++ * function.
++ */
++ if (mvm->mld_api_is_used)
++ iwl_mvm_mld_rm_aux_sta(mvm);
++ else if (iwl_mvm_has_new_station_api(mvm->fw))
+ iwl_mvm_rm_aux_sta(mvm);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a0762fe47f1a00dcbccef231615198af9b0a7512 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 20:20:12 +0300
+Subject: wifi: iwlwifi: mvm: increase the time between ranging measurements
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 3a7ee94559dfd640604d0265739e86dec73b64e8 ]
+
+The algo running in fw may take a little longer than 5 milliseconds,
+(e.g. measurement on 80MHz while associated). Increase the minimum
+time between measurements to 7 milliseconds.
+
+Fixes: 830aa3e7d1ca ("iwlwifi: mvm: add support for range request command version 13")
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240729201718.d3f3c26e00d9.I09e951290e8a3d73f147b88166fd9a678d1d69ed@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/constants.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/constants.h b/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
+index 3cbeaddf43586..4ff643e9db5e3 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
+@@ -109,7 +109,7 @@
+ #define IWL_MVM_FTM_INITIATOR_SECURE_LTF false
+ #define IWL_MVM_FTM_RESP_NDP_SUPPORT true
+ #define IWL_MVM_FTM_RESP_LMR_FEEDBACK_SUPPORT true
+-#define IWL_MVM_FTM_NON_TB_MIN_TIME_BETWEEN_MSR 5
++#define IWL_MVM_FTM_NON_TB_MIN_TIME_BETWEEN_MSR 7
+ #define IWL_MVM_FTM_NON_TB_MAX_TIME_BETWEEN_MSR 1000
+ #define IWL_MVM_D3_DEBUG false
+ #define IWL_MVM_USE_TWT true
+--
+2.43.0
+
--- /dev/null
+From 59a51f7083f349f596350dbf8c37d1e507f9ef4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:11:23 +0300
+Subject: wifi: iwlwifi: remove AX101, AX201 and AX203 support from LNL
+
+From: Golan Ben Ami <golan.ben.ami@intel.com>
+
+[ Upstream commit 6adae0b081454393ca5f7363fd3c7379c8e2a7a1 ]
+
+LNL is the codename for the upcoming Series 2 Core Ultra
+processors designed by Intel. AX101, AX201 and AX203 devices
+are not shipped on LNL platforms, so don't support them.
+
+Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240613171043.f24a228dfd96.I989a2d3f1513211bc49ac8143ee4e9e341e1ee67@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 8131dd52810d ("wifi: iwlwifi: config: label 'gl' devices as discrete")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 32 ++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index fed2754be6802..9863292fddde7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -503,7 +503,37 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x2727, PCI_ANY_ID, iwl_bz_trans_cfg)},
+ {IWL_PCI_DEVICE(0x272D, PCI_ANY_ID, iwl_bz_trans_cfg)},
+ {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_bz_trans_cfg)},
+- {IWL_PCI_DEVICE(0xA840, PCI_ANY_ID, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0000, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0090, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0094, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0098, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x009C, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x00C0, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x00C4, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x00E0, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x00E4, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x00E8, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x00EC, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0100, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0110, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0114, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0118, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x011C, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0310, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0314, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0510, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x0A10, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x1671, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x1672, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x1771, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x1772, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x1791, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x1792, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x4090, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x40C4, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x40E0, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x4110, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0xA840, 0x4314, iwl_bz_trans_cfg)},
+ {IWL_PCI_DEVICE(0x7740, PCI_ANY_ID, iwl_bz_trans_cfg)},
+ {IWL_PCI_DEVICE(0x4D40, PCI_ANY_ID, iwl_bz_trans_cfg)},
+
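Review bot: The 0xA840 block in iwl_hw_card_ids[] has no comment saying why this one device ID lists subsystem IDs explicitly while its neighbours keep PCI_ANY_ID; the reason lives only in the commit message. A line above the first 0xA840 entry such as `/* LNL: subsystem IDs listed explicitly; AX101, AX201 and AX203 are not shipped on this platform */` would stop a later cleanup from collapsing the list back to a wildcard and binding the driver to those devices again. The table starts and ends outside the hunk.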
+--
+2.43.0
+
--- /dev/null
+From 5eb7ce6bd25af09d8b7d7e6a5e96997354ec0825 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 10:39:20 +0200
+Subject: wifi: mac80211: Check for missing VHT elements only for 5 GHz
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 67bb124cd9ae38870667e4f9c876ef8e0f82ec44 ]
+
+Check for missing VHT Capabilities and VHT Operation elements in
+association response frame only for 5 GHz links.
+
+Fixes: 310c8387c638 ("wifi: mac80211: clean up connection process")
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240827103920.dd711282d543.Iaba245cebc52209b0499d5bab7d8a8ef1df9dd65@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 51b00ff7edf15..1faf4d7c115f0 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4317,7 +4317,7 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
+ ((assoc_data->wmm && !elems->wmm_param) ||
+ (link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
+ (!elems->ht_cap_elem || !elems->ht_operation)) ||
+- (link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
++ (is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
+ (!elems->vht_cap_elem || !elems->vht_operation)))) {
+ const struct cfg80211_bss_ies *ies;
+ struct ieee802_11_elems *bss_elems;
+@@ -4365,19 +4365,22 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
+ sdata_info(sdata,
+ "AP bug: HT operation missing from AssocResp\n");
+ }
+- if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
+- link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
+- elems->vht_cap_elem = bss_elems->vht_cap_elem;
+- sdata_info(sdata,
+- "AP bug: VHT capa missing from AssocResp\n");
+- }
+- if (!elems->vht_operation && bss_elems->vht_operation &&
+- link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
+- elems->vht_operation = bss_elems->vht_operation;
+- sdata_info(sdata,
+- "AP bug: VHT operation missing from AssocResp\n");
+- }
+
++ if (is_5ghz) {
++ if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
++ link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
++ elems->vht_cap_elem = bss_elems->vht_cap_elem;
++ sdata_info(sdata,
++ "AP bug: VHT capa missing from AssocResp\n");
++ }
++
++ if (!elems->vht_operation && bss_elems->vht_operation &&
++ link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
++ elems->vht_operation = bss_elems->vht_operation;
++ sdata_info(sdata,
++ "AP bug: VHT operation missing from AssocResp\n");
++ }
++ }
+ kfree(bss_elems);
+ }
+
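Review bot: Inside the new `if (is_5ghz)` block both inner conditions repeat `link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT`. Folding it into the outer test, `if (is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {`, leaves each inner `if` with only the element checks and mirrors the condition the first hunk of this patch uses. ieee80211_assoc_config_link() starts and ends outside the hunk.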
+--
+2.43.0
+
--- /dev/null
+From dd42ea5ff78672fb073cf2f3037c97246c1e37ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 15:48:16 +0800
+Subject: wifi: mac80211: don't use rate mask for offchannel TX either
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit e7a7ef9a0742dbd0818d5b15fba2c5313ace765b ]
+
+Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for
+scanning"), ignore incorrect settings to avoid no supported rate warning
+reported by syzbot.
+
+The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211:
+fix default HE tx bitrate mask in 2G band"), which however corrects
+bitmask of HE MCS and recognizes correctly settings of empty legacy rate
+plus HE MCS rate instead of returning -EINVAL.
+
+As suggestions [1], follow the change of SCAN TX to consider this case of
+offchannel TX as well.
+
+[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024
+
+Reported-by: syzbot+8dd98a9e98ee28dc484a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-wireless/000000000000fdef8706191a3f7b@google.com/
+Fixes: 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240729074816.20323-1-pkshih@realtek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h | 7 ++++---
+ net/mac80211/offchannel.c | 1 +
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/scan.c | 2 +-
+ net/mac80211/tx.c | 2 +-
+ 5 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index 45ad37adbe328..7b3f56d862de4 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -953,8 +953,9 @@ enum mac80211_tx_info_flags {
+ * of their QoS TID or other priority field values.
+ * @IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX: first MLO TX, used mostly internally
+ * for sequence number assignment
+- * @IEEE80211_TX_CTRL_SCAN_TX: Indicates that this frame is transmitted
+- * due to scanning, not in normal operation on the interface.
++ * @IEEE80211_TX_CTRL_DONT_USE_RATE_MASK: Don't use rate mask for this frame
++ * which is transmitted due to scanning or offchannel TX, not in normal
++ * operation on the interface.
+ * @IEEE80211_TX_CTRL_MLO_LINK: If not @IEEE80211_LINK_UNSPECIFIED, this
+ * frame should be transmitted on the specific link. This really is
+ * only relevant for frames that do not have data present, and is
+@@ -975,7 +976,7 @@ enum mac80211_tx_control_flags {
+ IEEE80211_TX_CTRL_NO_SEQNO = BIT(7),
+ IEEE80211_TX_CTRL_DONT_REORDER = BIT(8),
+ IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX = BIT(9),
+- IEEE80211_TX_CTRL_SCAN_TX = BIT(10),
++ IEEE80211_TX_CTRL_DONT_USE_RATE_MASK = BIT(10),
+ IEEE80211_TX_CTRL_MLO_LINK = 0xf0000000,
+ };
+
+diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
+index 65e1e9e971fd6..5810d938edc44 100644
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -964,6 +964,7 @@ int ieee80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ }
+
+ IEEE80211_SKB_CB(skb)->flags = flags;
++ IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_DONT_USE_RATE_MASK;
+
+ skb->dev = sdata->dev;
+
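Review bot: The added line in ieee80211_mgmt_tx() sets IEEE80211_TX_CTRL_DONT_USE_RATE_MASK with no condition, so as far as this hunk shows every frame reaching this point bypasses the configured rate mask, including one that ends up being sent on the operating channel. The kernel-doc added in mac80211.h describes the flag as being for scanning or offchannel TX, "not in normal operation on the interface". If the function has an on-channel path (its body continues outside the hunk), either set the flag only on the offchannel path or widen the documentation to say that management TX through this call always ignores the mask. The line is also longer than 80 columns and could be wrapped after `|=`.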
+diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
+index 4dc1def695486..3dc9752188d58 100644
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -890,7 +890,7 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif,
+ if (ieee80211_is_tx_data(skb))
+ rate_control_apply_mask(sdata, sta, sband, dest, max_rates);
+
+- if (!(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX))
++ if (!(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK))
+ mask = sdata->rc_rateidx_mask[info->band];
+
+ if (dest[0].idx < 0)
+diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
+index b5f2df61c7f67..1c5d99975ad04 100644
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -649,7 +649,7 @@ static void ieee80211_send_scan_probe_req(struct ieee80211_sub_if_data *sdata,
+ cpu_to_le16(IEEE80211_SN_TO_SEQ(sn));
+ }
+ IEEE80211_SKB_CB(skb)->flags |= tx_flags;
+- IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_SCAN_TX;
++ IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_DONT_USE_RATE_MASK;
+ ieee80211_tx_skb_tid_band(sdata, skb, 7, channel->band);
+ }
+ }
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index bca7b341dd772..a9ee869822592 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -699,7 +699,7 @@ ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx)
+ txrc.skb = tx->skb;
+ txrc.reported_rate.idx = -1;
+
+- if (unlikely(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX)) {
++ if (unlikely(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK)) {
+ txrc.rate_idx_mask = ~0;
+ } else {
+ txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band];
+--
+2.43.0
+
--- /dev/null
+From 9cc8d3baaee705c02b933fa5bea818aa388fe75b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Aug 2024 11:59:16 +0300
+Subject: wifi: mac80211: fix the comeback long retry times
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 1524173a3745899612c71d9e83ff8fe29dbb2cfb ]
+
+When we had a comeback, we will never use the default timeout values
+again because comeback is never cleared.
+Clear comeback if we send another association request which will allow
+to start a default timer after Tx status.
+
+The problem was seen with iwlwifi where the tx_status on the association
+request is handled before the association response frame (which is the
+usual case).
+
+1) Tx assoc request 1/3
+2) Rx assoc response (comeback, timeout = 1 second)
+3) wait 1 second
+4) Tx assoc request 2/3
+5) Set timer to IEEE80211_ASSOC_TIMEOUT_LONG = 500ms (1 second after
+ round_up)
+6) tx_status on frame sent in 4) is ignored because comeback is still
+ true
+7) AP does not reply with assoc response
+8) wait 1s <= This is where the bug is felt
+9) Tx assoc request 3/3
+
+With this fix, in step 6 we will reset the timer to
+IEEE80211_ASSOC_TIMEOUT_SHORT = 100ms and we will wait only 100ms in
+step 8.
+
+Fixes: b133fdf07db8 ("wifi: mac80211: Skip association timeout update after comeback rejection")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Link: https://patch.msgid.link/20240808085916.23519-1-emmanuel.grumbach@intel.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index ad2ce9c92ba8a..51b00ff7edf15 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -7121,6 +7121,7 @@ static int ieee80211_do_assoc(struct ieee80211_sub_if_data *sdata)
+ lockdep_assert_wiphy(sdata->local->hw.wiphy);
+
+ assoc_data->tries++;
++ assoc_data->comeback = false;
+ if (assoc_data->tries > IEEE80211_ASSOC_MAX_TRIES) {
+ sdata_info(sdata, "association with %pM timed out\n",
+ assoc_data->ap_addr);
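Review bot: The new `assoc_data->comeback = false;` in ieee80211_do_assoc() has no comment, and the reason for clearing it on every attempt is only in the commit message. Something like `/* new request going out: forget the last comeback so TX status can arm the default timeout */` above it would keep the line from looking like a stray reset. The function continues outside the hunk.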
+--
+2.43.0
+
--- /dev/null
+From cf58a63597d0feab9513544fd738b1de44108d37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 15:31:51 +0300
+Subject: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 9d301de12da6e1bb069a9835c38359b8e8135121 ]
+
+Since '__dev_queue_xmit()' should be called with interrupts enabled,
+the following backtrace:
+
+ieee80211_do_stop()
+ ...
+ spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
+ ...
+ ieee80211_free_txskb()
+ ieee80211_report_used_skb()
+ ieee80211_report_ack_skb()
+ cfg80211_mgmt_tx_status_ext()
+ nl80211_frame_tx_status()
+ genlmsg_multicast_netns()
+ genlmsg_multicast_netns_filtered()
+ nlmsg_multicast_filtered()
+ netlink_broadcast_filtered()
+ do_one_broadcast()
+ netlink_broadcast_deliver()
+ __netlink_sendskb()
+ netlink_deliver_tap()
+ __netlink_deliver_tap_skb()
+ dev_queue_xmit()
+ __dev_queue_xmit() ; with IRQS disabled
+ ...
+ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)
+
+issues the warning (as reported by syzbot reproducer):
+
+WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120
+
+Fix this by implementing a two-phase skb reclamation in
+'ieee80211_do_stop()', where actual work is performed
+outside of a section with interrupts disabled.
+
+Fixes: 5061b0c2b906 ("mac80211: cooperate more with network namespaces")
+Reported-by: syzbot+1a3986bbd3169c307819@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20240906123151.351647-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/iface.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index b935bb5d8ed1f..3e3814076006e 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -462,6 +462,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do
+ {
+ struct ieee80211_local *local = sdata->local;
+ unsigned long flags;
++ struct sk_buff_head freeq;
+ struct sk_buff *skb, *tmp;
+ u32 hw_reconf_flags = 0;
+ int i, flushed;
+@@ -641,18 +642,32 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do
+ skb_queue_purge(&sdata->status_queue);
+ }
+
++ /*
++ * Since ieee80211_free_txskb() may issue __dev_queue_xmit()
++ * which should be called with interrupts enabled, reclamation
++ * is done in two phases:
++ */
++ __skb_queue_head_init(&freeq);
++
++ /* unlink from local queues... */
+ spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
+ for (i = 0; i < IEEE80211_MAX_QUEUES; i++) {
+ skb_queue_walk_safe(&local->pending[i], skb, tmp) {
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ if (info->control.vif == &sdata->vif) {
+ __skb_unlink(skb, &local->pending[i]);
+- ieee80211_free_txskb(&local->hw, skb);
++ __skb_queue_tail(&freeq, skb);
+ }
+ }
+ }
+ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
+
++ /* ... and perform actual reclamation with interrupts enabled. */
++ skb_queue_walk_safe(&freeq, skb, tmp) {
++ __skb_unlink(skb, &freeq);
++ ieee80211_free_txskb(&local->hw, skb);
++ }
++
+ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+ ieee80211_txq_remove_vlan(local, sdata);
+
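Review bot: The second-phase loop drains the private `freeq` with `skb_queue_walk_safe()` plus `__skb_unlink()`, which is more machinery than a local list needs. `while ((skb = __skb_dequeue(&freeq))) ieee80211_free_txskb(&local->hw, skb);` does the same and makes it obvious the queue is empty afterwards. The block comment before `__skb_queue_head_init()` ends in a colon and leans on the two short comments below it; it reads better as one comment that names both phases. ieee80211_do_stop() starts and ends outside the hunk.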
+--
+2.43.0
+
--- /dev/null
+From 86858107c0287392fef383f54a923ac49daff0f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:50:40 +0800
+Subject: wifi: mt76: connac: fix checksum offload fields of connac3 RXD
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit a04b920fbc707deb699292cdae47006e8ea57d87 ]
+
+Fix incorrect RXD offset and bitfield related to RX checksum offload.
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Fixes: 4e9011fcdfc4 ("wifi: mt76: connac: move connac3 definitions in mt76_connac3_mac.h")
+Co-developed-by: Shayne Chen <shayne.chen@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Link: https://patch.msgid.link/20240816095040.2574-1-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h | 4 ++--
+ drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 5 ++---
+ drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 4 ++--
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h b/drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h
+index 353e660698409..ef003d1620a5b 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h
+@@ -28,8 +28,6 @@ enum {
+ #define MT_RXD0_MESH BIT(18)
+ #define MT_RXD0_MHCP BIT(19)
+ #define MT_RXD0_NORMAL_ETH_TYPE_OFS GENMASK(22, 16)
+-#define MT_RXD0_NORMAL_IP_SUM BIT(23)
+-#define MT_RXD0_NORMAL_UDP_TCP_SUM BIT(24)
+
+ #define MT_RXD0_SW_PKT_TYPE_MASK GENMASK(31, 16)
+ #define MT_RXD0_SW_PKT_TYPE_MAP 0x380F
+@@ -80,6 +78,8 @@ enum {
+ #define MT_RXD3_NORMAL_BEACON_UC BIT(21)
+ #define MT_RXD3_NORMAL_CO_ANT BIT(22)
+ #define MT_RXD3_NORMAL_FCS_ERR BIT(24)
++#define MT_RXD3_NORMAL_IP_SUM BIT(26)
++#define MT_RXD3_NORMAL_UDP_TCP_SUM BIT(27)
+ #define MT_RXD3_NORMAL_VLAN2ETH BIT(31)
+
+ /* RXD DW4 */
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+index c2460ef4993db..e9d2d0f22a586 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+@@ -350,7 +350,7 @@ mt7925_mac_fill_rx_rate(struct mt792x_dev *dev,
+ static int
+ mt7925_mac_fill_rx(struct mt792x_dev *dev, struct sk_buff *skb)
+ {
+- u32 csum_mask = MT_RXD0_NORMAL_IP_SUM | MT_RXD0_NORMAL_UDP_TCP_SUM;
++ u32 csum_mask = MT_RXD3_NORMAL_IP_SUM | MT_RXD3_NORMAL_UDP_TCP_SUM;
+ struct mt76_rx_status *status = (struct mt76_rx_status *)skb->cb;
+ bool hdr_trans, unicast, insert_ccmp_hdr = false;
+ u8 chfreq, qos_ctl = 0, remove_pad, amsdu_info;
+@@ -360,7 +360,6 @@ mt7925_mac_fill_rx(struct mt792x_dev *dev, struct sk_buff *skb)
+ struct mt792x_phy *phy = &dev->phy;
+ struct ieee80211_supported_band *sband;
+ u32 csum_status = *(u32 *)skb->cb;
+- u32 rxd0 = le32_to_cpu(rxd[0]);
+ u32 rxd1 = le32_to_cpu(rxd[1]);
+ u32 rxd2 = le32_to_cpu(rxd[2]);
+ u32 rxd3 = le32_to_cpu(rxd[3]);
+@@ -418,7 +417,7 @@ mt7925_mac_fill_rx(struct mt792x_dev *dev, struct sk_buff *skb)
+ if (!sband->channels)
+ return -EINVAL;
+
+- if (mt76_is_mmio(&dev->mt76) && (rxd0 & csum_mask) == csum_mask &&
++ if (mt76_is_mmio(&dev->mt76) && (rxd3 & csum_mask) == csum_mask &&
+ !(csum_status & (BIT(0) | BIT(2) | BIT(3))))
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
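Review bot: The condition that sets `skb->ip_summed = CHECKSUM_UNNECESSARY` still tests `csum_status` against bare `BIT(0) | BIT(2) | BIT(3)`, right next to the mask this commit had to correct. That assignment tells the stack to skip software checksum verification, so the status bits deserve names like the RXD3 ones, defined beside MT_RXD3_NORMAL_IP_SUM in mt76_connac3_mac.h. The hardware names are not visible here, so a name such as `MT_RXD_CSUM_STATUS_MASK` is only a placeholder. The same expression appears in the mt7996_mac_fill_rx() hunk, and both functions start and end outside their hunks.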
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+index bc7111a71f98c..fd5fe96c32e3d 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+@@ -435,7 +435,7 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, enum mt76_rxq_id q,
+ u32 rxd2 = le32_to_cpu(rxd[2]);
+ u32 rxd3 = le32_to_cpu(rxd[3]);
+ u32 rxd4 = le32_to_cpu(rxd[4]);
+- u32 csum_mask = MT_RXD0_NORMAL_IP_SUM | MT_RXD0_NORMAL_UDP_TCP_SUM;
++ u32 csum_mask = MT_RXD3_NORMAL_IP_SUM | MT_RXD3_NORMAL_UDP_TCP_SUM;
+ u32 csum_status = *(u32 *)skb->cb;
+ u32 mesh_mask = MT_RXD0_MESH | MT_RXD0_MHCP;
+ bool is_mesh = (rxd0 & mesh_mask) == mesh_mask;
+@@ -497,7 +497,7 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, enum mt76_rxq_id q,
+ if (!sband->channels)
+ return -EINVAL;
+
+- if ((rxd0 & csum_mask) == csum_mask &&
++ if ((rxd3 & csum_mask) == csum_mask &&
+ !(csum_status & (BIT(0) | BIT(2) | BIT(3))))
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+--
+2.43.0
+
--- /dev/null
+From 9c4bc0e953c4ce9cf7e6cdda8d5af6baef3f0337 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 11:29:48 +0200
+Subject: wifi: mt76: mt7603: fix mixed declarations and code
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 9b8d932053b8b45d650360b36f701cf0f9b6470e ]
+
+Move the qid variable declaration further up
+
+Fixes: b473c0e47f04 ("wifi: mt76: mt7603: fix tx queue of loopback packets")
+Link: https://patch.msgid.link/20240827093011.18621-1-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7603/dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
+index 14304b0637158..e238161dfaa97 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
+@@ -29,7 +29,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
+ struct ieee80211_sta *sta;
+ struct mt7603_sta *msta;
+ struct mt76_wcid *wcid;
+- u8 tid = 0, hwq = 0;
++ u8 qid, tid = 0, hwq = 0;
+ void *priv;
+ int idx;
+ u32 val;
+@@ -57,7 +57,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
+ if (ieee80211_is_data_qos(hdr->frame_control)) {
+ tid = *ieee80211_get_qos_ctl(hdr) &
+ IEEE80211_QOS_CTL_TAG1D_MASK;
+- u8 qid = tid_to_ac[tid];
++ qid = tid_to_ac[tid];
+ hwq = wmm_queue_map[qid];
+ skb_set_queue_mapping(skb, qid);
+ } else if (ieee80211_is_data(hdr->frame_control)) {
+--
+2.43.0
+
--- /dev/null
+From 185cf8cc74bc4bc17cf5fa478f9b0251096e11c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jul 2024 15:00:10 +0200
+Subject: wifi: mt76: mt7915: fix oops on non-dbdc mt7986
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+[ Upstream commit 862bf7cbd772c2bad570ef0c5b5556a1330656dd ]
+
+mt7915_band_config() sets band_idx = 1 on the main phy for mt7986
+with MT7975_ONE_ADIE or MT7976_ONE_ADIE.
+
+Commit 0335c034e726 ("wifi: mt76: fix race condition related to
+checking tx queue fill status") introduced a dereference of the
+phys array indirectly indexed by band_idx via wcid->phy_idx in
+mt76_wcid_cleanup(). This caused the following Oops on affected
+mt7986 devices:
+
+ Unable to handle kernel read from unreadable memory at virtual address 0000000000000024
+ Mem abort info:
+ ESR = 0x0000000096000005
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x05: level 1 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000005
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000
+ [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+ Internal error: Oops: 0000000096000005 [#1] SMP
+ Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...
+ CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0
+ Hardware name: ZyXEL EX5700 (Telenor) (DT)
+ pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : mt76_wcid_cleanup+0x84/0x22c [mt76]
+ lr : mt76_wcid_cleanup+0x64/0x22c [mt76]
+ sp : ffffffc00a803700
+ x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00
+ x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001
+ x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8
+ x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000
+ x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0
+ x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000
+ x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28
+ x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000
+ x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001
+ x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024
+ Call trace:
+ mt76_wcid_cleanup+0x84/0x22c [mt76]
+ __mt76_sta_remove+0x70/0xbc [mt76]
+ mt76_sta_state+0x8c/0x1a4 [mt76]
+ mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]
+ drv_sta_state+0x144/0x274 [mac80211]
+ sta_info_move_state+0x1cc/0x2a4 [mac80211]
+ sta_set_sinfo+0xaf8/0xc24 [mac80211]
+ sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]
+
+ ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]
+ cfg80211_check_station_change+0x1360/0x4710 [cfg80211]
+ genl_family_rcv_msg_doit+0xb4/0x110
+ genl_rcv_msg+0xd0/0x1bc
+ netlink_rcv_skb+0x58/0x120
+ genl_rcv+0x34/0x50
+ netlink_unicast+0x1f0/0x2ec
+ netlink_sendmsg+0x198/0x3d0
+ ____sys_sendmsg+0x1b0/0x210
+ ___sys_sendmsg+0x80/0xf0
+ __sys_sendmsg+0x44/0xa0
+ __arm64_sys_sendmsg+0x20/0x30
+ invoke_syscall.constprop.0+0x4c/0xe0
+ do_el0_svc+0x40/0xd0
+ el0_svc+0x14/0x4c
+ el0t_64_sync_handler+0x100/0x110
+ el0t_64_sync+0x15c/0x160
+ Code: d2800002 910092c0 52800023 f9800011 (885f7c01)
+ ---[ end trace 7e42dd9a39ed2281 ]---
+
+Fix by using mt76_dev_phy() which will map band_idx to the correct phy
+for all hardware combinations.
+
+Fixes: 0335c034e726 ("wifi: mt76: fix race condition related to checking tx queue fill status")
+Link: https://github.com/openwrt/openwrt/issues/14548
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Link: https://patch.msgid.link/20240713130010.516037-1-bjorn@mork.no
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mac80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
+index e8ba2e4e8484a..b5dbcf925f922 100644
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
+@@ -1524,7 +1524,7 @@ EXPORT_SYMBOL_GPL(mt76_wcid_init);
+
+ void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid)
+ {
+- struct mt76_phy *phy = dev->phys[wcid->phy_idx];
++ struct mt76_phy *phy = mt76_dev_phy(dev, wcid->phy_idx);
+ struct ieee80211_hw *hw;
+ struct sk_buff_head list;
+ struct sk_buff *skb;
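Review bot: `mt76_dev_phy(dev, wcid->phy_idx)` now carries the whole guarantee that `phy` is valid in mt76_wcid_cleanup(), and nothing in the hunk says so. The oops quoted in the commit message was a read at a small offset from a NULL pointer. If the rest of the function (outside the hunk) dereferences `phy` unconditionally, a one-line comment such as `/* use mt76_dev_phy(): dev->phys[] may have no entry for this band index */` would keep the direct array lookup from coming back. It is also worth confirming that the helper cannot return NULL for any phy_idx value; its definition is not visible here.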
+--
+2.43.0
+
--- /dev/null
+From cc3e41f5279bd667bebcd2f3d526d3607779279a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 11:30:08 +0200
+Subject: wifi: mt76: mt7915: fix rx filter setting for bfee functionality
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit 6ac80fce713e875a316a58975b830720a3e27721 ]
+
+Fix rx filter setting to prevent dropping NDPA frames. Without this
+change, bfee functionality may behave abnormally.
+
+Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Link: https://patch.msgid.link/20240827093011.18621-21-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+index 2624edbb59a1a..eea41b29f0967 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+@@ -564,8 +564,7 @@ static void mt7915_configure_filter(struct ieee80211_hw *hw,
+
+ MT76_FILTER(CONTROL, MT_WF_RFCR_DROP_CTS |
+ MT_WF_RFCR_DROP_RTS |
+- MT_WF_RFCR_DROP_CTL_RSV |
+- MT_WF_RFCR_DROP_NDPA);
++ MT_WF_RFCR_DROP_CTL_RSV);
+
+ *total_flags = flags;
+ rxfilter = phy->rxfilter;
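Review bot: Dropping MT_WF_RFCR_DROP_NDPA from the `MT76_FILTER(CONTROL, ...)` list leaves no trace in the code of why NDPA is treated differently from the other control frames. A comment above the macro call, e.g. `/* NDPA is never dropped: beamformee sounding depends on receiving it */`, would record that. Whether the NDPA drop bit can still be set elsewhere in `phy->rxfilter` is not visible from this hunk and is worth checking, since mt7915_configure_filter() continues outside it.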
+--
+2.43.0
+
--- /dev/null
+From dd4191d547c42cababa0c673f410a75aed2214f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 09:34:08 +0800
+Subject: wifi: mt76: mt7921: fix wrong UNII-4 freq range check for the channel
+ usage
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+[ Upstream commit 723762a7a7e6fdb3cc6953f127a3fe9c5162beb7 ]
+
+The check should start from 5845 to 5925, which includes
+channels 169, 173, and 177.
+
+Fixes: 09382d8f8641 ("wifi: mt76: mt7921: update the channel usage when the regd domain changed")
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20240806013408.17874-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/init.c b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
+index ef0c721d26e33..57672c69150e4 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
+@@ -83,7 +83,7 @@ mt7921_regd_channel_update(struct wiphy *wiphy, struct mt792x_dev *dev)
+ }
+
+ /* UNII-4 */
+- if (IS_UNII_INVALID(0, 5850, 5925))
++ if (IS_UNII_INVALID(0, 5845, 5925))
+ ch->flags |= IEEE80211_CHAN_DISABLED;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From cfb30b4c15c59001db5a03d79e7fe891e7b757e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:31 +0800
+Subject: wifi: mt76: mt7996: fix EHT beamforming capability check
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit 9ca65757f0a5b393a7737d37f377d5daf91716af ]
+
+If a VIF acts as a beamformer, it should check peer's beamformee
+capability, and vice versa.
+
+Fixes: ba01944adee9 ("wifi: mt76: mt7996: add EHT beamforming support")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-7-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index 7220bcee6fae9..656199161e591 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -1429,10 +1429,10 @@ mt7996_is_ebf_supported(struct mt7996_phy *phy, struct ieee80211_vif *vif,
+
+ if (bfee)
+ return vif->bss_conf.eht_su_beamformee &&
+- EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]);
++ EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]);
+ else
+ return vif->bss_conf.eht_su_beamformer &&
+- EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]);
++ EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]);
+ }
+
+ if (sta->deflink.he_cap.has_he) {
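Review bot: The swapped checks in the `if (bfee)` / `else` branches look like a mistake to anyone who has not read the commit message, so each branch deserves a comment saying that the local role is matched against the peer's opposite capability. Something like `/* we are beamformee: peer must be an SU beamformer */` above the first return and `/* we are beamformer: peer must be an SU beamformee */` above the second would do. This assumes `pe` holds the peer station's EHT capability element, which is assigned outside the hunk. mt7996_is_ebf_supported() also starts and continues outside it.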
+--
+2.43.0
+
--- /dev/null
+From e1b9500f192734377d60d0f6866d41023d4b7ffe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:33 +0800
+Subject: wifi: mt76: mt7996: fix handling mbss enable/disable
+
+From: Rex Lu <rex.lu@mediatek.com>
+
+[ Upstream commit ded1a6d9e13a32d4e8bef0c63accf49b9415ff5f ]
+
+When mbss was previously enabled, the TLV needs to be included when
+disabling it again, in order to clear the firmware state.
+
+Fixes: a7908d5b61e5 ("wifi: mt76: mt7996: fix non-main BSS no beacon issue for MBSS scenario")
+Signed-off-by: Rex Lu <rex.lu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-9-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index 656199161e591..161ebf54a46e3 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -822,7 +822,7 @@ mt7996_mcu_bss_mbssid_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
+ struct bss_info_uni_mbssid *mbssid;
+ struct tlv *tlv;
+
+- if (!vif->bss_conf.bssid_indicator)
++ if (!vif->bss_conf.bssid_indicator && enable)
+ return;
+
+ tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_11V_MBSSID, sizeof(*mbssid));
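Review bot: With `if (!vif->bss_conf.bssid_indicator && enable)` the disable path now appends the MBSSID TLV for every interface, including ones where MBSSID was never enabled, while the commit message only asks for it when mbss was previously on. The rest of mt7996_mcu_bss_mbssid_tlv() is outside the hunk, so it is worth confirming that the fields it fills in are valid when `bssid_indicator` is zero. A comment such as `/* on disable, always send the TLV so firmware clears any earlier MBSSID state */` would record the intent.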
+--
+2.43.0
+
--- /dev/null
+From eba9409666059759c865d9d7008548aeacead74f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:29 +0800
+Subject: wifi: mt76: mt7996: fix HE and EHT beamforming capabilities
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit e1f4847fdbdf5d44ae60e035c131920e5ab88598 ]
+
+Fix HE and EHT beamforming capabilities for different bands and
+interface types.
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Fixes: 348533eb968d ("wifi: mt76: mt7996: add EHT capability init")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-5-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7996/init.c | 65 ++++++++++++-------
+ 1 file changed, 43 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+index 283df84f1b433..a98dcb40490bf 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+@@ -1011,8 +1011,6 @@ mt7996_set_stream_he_txbf_caps(struct mt7996_phy *phy,
+ return;
+
+ elem->phy_cap_info[3] |= IEEE80211_HE_PHY_CAP3_SU_BEAMFORMER;
+- if (vif == NL80211_IFTYPE_AP)
+- elem->phy_cap_info[4] |= IEEE80211_HE_PHY_CAP4_MU_BEAMFORMER;
+
+ c = FIELD_PREP(IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK,
+ sts - 1) |
+@@ -1020,6 +1018,11 @@ mt7996_set_stream_he_txbf_caps(struct mt7996_phy *phy,
+ sts - 1);
+ elem->phy_cap_info[5] |= c;
+
++ if (vif != NL80211_IFTYPE_AP)
++ return;
++
++ elem->phy_cap_info[4] |= IEEE80211_HE_PHY_CAP4_MU_BEAMFORMER;
++
+ c = IEEE80211_HE_PHY_CAP6_TRIG_SU_BEAMFORMING_FB |
+ IEEE80211_HE_PHY_CAP6_TRIG_MU_BEAMFORMING_PARTIAL_BW_FB;
+ elem->phy_cap_info[6] |= c;
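Review bot: The new `if (vif != NL80211_IFTYPE_AP) return;` in mt7996_set_stream_he_txbf_caps() makes everything after it AP-only purely by position. The last hunk of this file does the same twice in mt7996_init_eht_caps(), with `iftype != NL80211_IFTYPE_AP` and then `band != NL80211_BAND_6GHZ`. A capability appended to the end of either function later will be skipped for station interfaces without the author noticing. Wrapping the AP-only assignments in `if (vif == NL80211_IFTYPE_AP) { ... }`, or at least adding `/* AP-only capabilities below */` before each return, keeps that visible. Both functions start outside the hunks shown.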
+@@ -1179,7 +1182,6 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+ IEEE80211_EHT_MAC_CAP0_OM_CONTROL;
+
+ eht_cap_elem->phy_cap_info[0] =
+- IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ |
+ IEEE80211_EHT_PHY_CAP0_NDP_4_EHT_LFT_32_GI |
+ IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMER |
+ IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMEE;
+@@ -1193,30 +1195,36 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+ u8_encode_bits(u8_get_bits(val, GENMASK(2, 1)),
+ IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_80MHZ_MASK) |
+ u8_encode_bits(val,
+- IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_160MHZ_MASK) |
+- u8_encode_bits(val,
+- IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK);
++ IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_160MHZ_MASK);
+
+ eht_cap_elem->phy_cap_info[2] =
+ u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_80MHZ_MASK) |
+- u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_160MHZ_MASK) |
+- u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK);
++ u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_160MHZ_MASK);
++
++ if (band == NL80211_BAND_6GHZ) {
++ eht_cap_elem->phy_cap_info[0] |=
++ IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ;
++
++ eht_cap_elem->phy_cap_info[1] |=
++ u8_encode_bits(val,
++ IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK);
++
++ eht_cap_elem->phy_cap_info[2] |=
++ u8_encode_bits(sts - 1,
++ IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK);
++ }
+
+ eht_cap_elem->phy_cap_info[3] =
+ IEEE80211_EHT_PHY_CAP3_NG_16_SU_FEEDBACK |
+ IEEE80211_EHT_PHY_CAP3_NG_16_MU_FEEDBACK |
+ IEEE80211_EHT_PHY_CAP3_CODEBOOK_4_2_SU_FDBK |
+- IEEE80211_EHT_PHY_CAP3_CODEBOOK_7_5_MU_FDBK |
+- IEEE80211_EHT_PHY_CAP3_TRIG_SU_BF_FDBK |
+- IEEE80211_EHT_PHY_CAP3_TRIG_MU_BF_PART_BW_FDBK |
+- IEEE80211_EHT_PHY_CAP3_TRIG_CQI_FDBK;
++ IEEE80211_EHT_PHY_CAP3_CODEBOOK_7_5_MU_FDBK;
+
+ eht_cap_elem->phy_cap_info[4] =
+ u8_encode_bits(min_t(int, sts - 1, 2),
+ IEEE80211_EHT_PHY_CAP4_MAX_NC_MASK);
+
+ eht_cap_elem->phy_cap_info[5] =
+- IEEE80211_EHT_PHY_CAP5_NON_TRIG_CQI_FEEDBACK |
+ u8_encode_bits(IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_16US,
+ IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_MASK) |
+ u8_encode_bits(u8_get_bits(0x11, GENMASK(1, 0)),
+@@ -1230,14 +1238,6 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+ IEEE80211_EHT_PHY_CAP6_MAX_NUM_SUPP_EHT_LTF_MASK) |
+ u8_encode_bits(val, IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_MASK);
+
+- eht_cap_elem->phy_cap_info[7] =
+- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ |
+- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ |
+- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ |
+- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_80MHZ |
+- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_160MHZ |
+- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ;
+-
+ val = u8_encode_bits(nss, IEEE80211_EHT_MCS_NSS_RX) |
+ u8_encode_bits(nss, IEEE80211_EHT_MCS_NSS_TX);
+ #define SET_EHT_MAX_NSS(_bw, _val) do { \
+@@ -1248,8 +1248,29 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+
+ SET_EHT_MAX_NSS(80, val);
+ SET_EHT_MAX_NSS(160, val);
+- SET_EHT_MAX_NSS(320, val);
++ if (band == NL80211_BAND_6GHZ)
++ SET_EHT_MAX_NSS(320, val);
+ #undef SET_EHT_MAX_NSS
++
++ if (iftype != NL80211_IFTYPE_AP)
++ return;
++
++ eht_cap_elem->phy_cap_info[3] |=
++ IEEE80211_EHT_PHY_CAP3_TRIG_SU_BF_FDBK |
++ IEEE80211_EHT_PHY_CAP3_TRIG_MU_BF_PART_BW_FDBK;
++
++ eht_cap_elem->phy_cap_info[7] =
++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ |
++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ |
++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_80MHZ |
++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_160MHZ;
++
++ if (band != NL80211_BAND_6GHZ)
++ return;
++
++ eht_cap_elem->phy_cap_info[7] |=
++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ |
++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ;
+ }
+
+ static void
+--
+2.43.0
+
--- /dev/null
+From e75c2dfc63c331a5e77ad5b7339ea2cc2009f03f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:26 +0800
+Subject: wifi: mt76: mt7996: fix traffic delay when switching back to working
+ channel
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit 376200f095d0c3a7096199b336204698d7086279 ]
+
+During scanning, UNI_CHANNEL_RX_PATH tag is necessary for the firmware to
+properly stop and resume MAC TX queue. Without this tag, HW needs more time
+to resume traffic when switching back to working channel.
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-2-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index 7c97140d8255a..15d880ef0d922 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -307,6 +307,10 @@ int mt7996_set_channel(struct mt7996_phy *phy)
+ if (ret)
+ goto out;
+
++ ret = mt7996_mcu_set_chan_info(phy, UNI_CHANNEL_RX_PATH);
++ if (ret)
++ goto out;
++
+ ret = mt7996_dfs_init_radar_detector(phy);
+ mt7996_mac_cca_stats_reset(phy);
+
+--
+2.43.0
+
--- /dev/null
+From e168d5be47cd27dc6ed530eef69ecad70a16dfa1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 11:30:10 +0200
+Subject: wifi: mt76: mt7996: fix uninitialized TLV data
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 9e461f4a2329109571f4b10f9bcad28d07e6ebb3 ]
+
+Use skb_put_zero instead of skb_put
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Link: https://patch.msgid.link/20240827093011.18621-23-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index 161ebf54a46e3..9176905451b50 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -735,7 +735,7 @@ void mt7996_mcu_rx_event(struct mt7996_dev *dev, struct sk_buff *skb)
+ static struct tlv *
+ mt7996_mcu_add_uni_tlv(struct sk_buff *skb, u16 tag, u16 len)
+ {
+- struct tlv *ptlv = skb_put(skb, len);
++ struct tlv *ptlv = skb_put_zero(skb, len);
+
+ ptlv->tag = cpu_to_le16(tag);
+ ptlv->len = cpu_to_le16(len);
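Review bot: The switch to `skb_put_zero()` in mt7996_mcu_add_uni_tlv() is what keeps stale skb memory out of the unfilled fields of every TLV handed to firmware, but nothing in the code says so. A comment above the call, e.g. `/* zero the whole TLV: callers fill only some fields and the rest must not carry uninitialized data */`, would stop a later change from reverting to `skb_put()` as a micro-optimisation. The function's return statement is outside the hunk.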
+--
+2.43.0
+
--- /dev/null
+From f90108c5acdde912dbf6d84d755a03d8f386b19a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:27 +0800
+Subject: wifi: mt76: mt7996: fix wmm set of station interface to 3
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit 9265397caacf5c0c2d10c40b2958a474664ebd9e ]
+
+According to connac3 HW design, the WMM index of AP and STA interface
+should be 0 and 3, respectively.
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-3-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index 15d880ef0d922..2b094b33ba31a 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -206,7 +206,7 @@ static int mt7996_add_interface(struct ieee80211_hw *hw,
+ mvif->mt76.omac_idx = idx;
+ mvif->phy = phy;
+ mvif->mt76.band_idx = band_idx;
+- mvif->mt76.wmm_idx = vif->type != NL80211_IFTYPE_AP;
++ mvif->mt76.wmm_idx = vif->type == NL80211_IFTYPE_AP ? 0 : 3;
+
+ ret = mt7996_mcu_add_dev_info(phy, vif, true);
+ if (ret)
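Review bot: `vif->type == NL80211_IFTYPE_AP ? 0 : 3` hard-codes the two WMM set indices, and the `3` applies to every non-AP interface type although the commit message only speaks of station interfaces. Two named constants for the AP and STA index, with a one-line comment citing the connac3 hardware rule, would document where the values come from. If mesh, ad-hoc or monitor interfaces are meant to share the station index, that should be stated rather than left to the ternary's else arm. mt7996_add_interface() continues outside the hunk.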
+--
+2.43.0
+
--- /dev/null
+From 857eb8525acdb036fa966200f3209260eb90df8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:25 +0800
+Subject: wifi: mt76: mt7996: use hweight16 to get correct tx antenna
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit f98c3de92bb05dac4a4969df8a4595ed380b4604 ]
+
+The chainmask is u16 so using hweight8 cannot get correct tx_ant.
+Without this patch, the tx_ant of band 2 would be -1 and lead to the
+following issue:
+BUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e]
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-1-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index 2c85786778009..7220bcee6fae9 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -1653,7 +1653,7 @@ mt7996_mcu_sta_bfer_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
+ {
+ struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
+ struct mt7996_phy *phy = mvif->phy;
+- int tx_ant = hweight8(phy->mt76->chainmask) - 1;
++ int tx_ant = hweight16(phy->mt76->chainmask) - 1;
+ struct sta_rec_bf *bf;
+ struct tlv *tlv;
+ static const u8 matrix[4][4] = {
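Review bot: `int tx_ant = hweight16(phy->mt76->chainmask) - 1;` fixes the truncation, but the result is still unchecked: it is -1 for an empty chainmask and can reach 15 for a full u16, while the `matrix[4][4]` table declared just below has four rows and columns. How `tx_ant` is used lies outside the hunk, so this is inferred, but if it indexes that table a guard such as `if (tx_ant < 0 || tx_ant >= ARRAY_SIZE(matrix))` with an early exit before the lookup would be safer. That would turn an unexpected chainmask into a skipped TLV instead of the stack out-of-bounds access KASAN reported.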
+--
+2.43.0
+
--- /dev/null
+From e68b0638b9f8d712d6c7fa02628dd8ab489d0202 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2024 14:46:57 +0300
+Subject: wifi: rtw88: always wait for both firmware loading attempts
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d ]
+
+In 'rtw_wait_firmware_completion()', always wait for both (regular and
+wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
+has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
+'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
+the wowlan one) is still in progress, causing UAF detected by KASAN.
+
+Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported")
+Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240726114657.25396-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
+index 7ab7a988b123f..33a7577557a56 100644
+--- a/drivers/net/wireless/realtek/rtw88/main.c
++++ b/drivers/net/wireless/realtek/rtw88/main.c
+@@ -1313,20 +1313,21 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev)
+ {
+ const struct rtw_chip_info *chip = rtwdev->chip;
+ struct rtw_fw_state *fw;
++ int ret = 0;
+
+ fw = &rtwdev->fw;
+ wait_for_completion(&fw->completion);
+ if (!fw->firmware)
+- return -EINVAL;
++ ret = -EINVAL;
+
+ if (chip->wow_fw_name) {
+ fw = &rtwdev->wow_fw;
+ wait_for_completion(&fw->completion);
+ if (!fw->firmware)
+- return -EINVAL;
++ ret = -EINVAL;
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static enum rtw_lps_deep_mode rtw_update_lps_deep_mode(struct rtw_dev *rtwdev,
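Review bot: rtw_wait_firmware_completion() now deliberately keeps going after the first failure, and without a comment the two `ret = -EINVAL;` assignments look like a candidate for being tidied back into early returns. Per the commit message, that early return is what allowed a firmware callback to run after the hardware structure had been freed. A comment above the first `wait_for_completion()` such as `/* wait for both loads even on failure: the caller may free the device once this returns */` would record why the function is written this way.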
+--
+2.43.0
+
--- /dev/null
+From 264412fdefed2f8adf047570d2d218ef068d3c97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2024 11:53:10 +0300
+Subject: wifi: rtw88: remove CPT execution branch never used
+
+From: Dmitry Kandybka <d.kandybka@gmail.com>
+
+[ Upstream commit 77c977327dfaa9ae2e154964cdb89ceb5c7b7cf1 ]
+
+In 'rtw_coex_action_bt_a2dp_pan', 'wl_cpt_test' and 'bt_cpt_test' are
+hardcoded to false, so corresponding 'table_case' and 'tdma_case'
+assignments are never met.
+Also 'rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[1])' is never
+executed. Assuming that CPT was never fully implemented, remove
+lookalike leftovers. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 76f631cb401f ("rtw88: coex: update the mechanism for A2DP + PAN")
+
+Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240809085310.10512-1-d.kandybka@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/coex.c | 38 ++++++-----------------
+ 1 file changed, 10 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c
+index de3332eb7a227..a99776af56c27 100644
+--- a/drivers/net/wireless/realtek/rtw88/coex.c
++++ b/drivers/net/wireless/realtek/rtw88/coex.c
+@@ -2194,7 +2194,6 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev)
+ struct rtw_coex_stat *coex_stat = &coex->stat;
+ struct rtw_efuse *efuse = &rtwdev->efuse;
+ u8 table_case, tdma_case;
+- bool wl_cpt_test = false, bt_cpt_test = false;
+
+ rtw_dbg(rtwdev, RTW_DBG_COEX, "[BTCoex], %s()\n", __func__);
+
+@@ -2202,29 +2201,16 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev)
+ rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]);
+ if (efuse->share_ant) {
+ /* Shared-Ant */
+- if (wl_cpt_test) {
+- if (coex_stat->wl_gl_busy) {
+- table_case = 20;
+- tdma_case = 17;
+- } else {
+- table_case = 10;
+- tdma_case = 15;
+- }
+- } else if (bt_cpt_test) {
+- table_case = 26;
+- tdma_case = 26;
+- } else {
+- if (coex_stat->wl_gl_busy &&
+- coex_stat->wl_noisy_level == 0)
+- table_case = 14;
+- else
+- table_case = 10;
++ if (coex_stat->wl_gl_busy &&
++ coex_stat->wl_noisy_level == 0)
++ table_case = 14;
++ else
++ table_case = 10;
+
+- if (coex_stat->wl_gl_busy)
+- tdma_case = 15;
+- else
+- tdma_case = 20;
+- }
++ if (coex_stat->wl_gl_busy)
++ tdma_case = 15;
++ else
++ tdma_case = 20;
+ } else {
+ /* Non-Shared-Ant */
+ table_case = 112;
+@@ -2235,11 +2221,7 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev)
+ tdma_case = 120;
+ }
+
+- if (wl_cpt_test)
+- rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[1]);
+- else
+- rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]);
+-
++ rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]);
+ rtw_coex_table(rtwdev, false, table_case);
+ rtw_coex_tdma(rtwdev, false, tdma_case);
+ }
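Review bot: After the CPT branches are removed, `rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]);` is called twice in rtw_coex_action_bt_a2dp_pan() with the same argument. The first call is the context line at the top of the second hunk and the second is the line this hunk adds. Unless the call has an effect that must be repeated after the table and TDMA cases are chosen, which is not visible here, one of the two can be dropped. The commit is compile-tested only, so it is worth confirming with the maintainer which call is the intended one.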
+--
+2.43.0
+
--- /dev/null
+From aed1ed0195306ed0338ef8f06fca9a50b7756c3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2024 15:20:09 +0800
+Subject: wifi: rtw89: remove unused C2H event ID
+ RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 56310ddb50b190b3390fdc974aec455d0a516bd2 ]
+
+The handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't
+implemented, but driver expects number of handlers is
+NUM_OF_RTW89_MAC_C2H_FUNC_WOW causing out-of-bounds access. Fix it by
+removing ID.
+
+Addresses-Coverity-ID: 1598775 ("Out-of-bounds read")
+
+Fixes: ff53fce5c78b ("wifi: rtw89: wow: update latest PTK GTK info to mac80211 after resume")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240809072012.84152-4-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/mac.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/mac.h b/drivers/net/wireless/realtek/rtw89/mac.h
+index a580cb7192337..755a55c8bc20b 100644
+--- a/drivers/net/wireless/realtek/rtw89/mac.h
++++ b/drivers/net/wireless/realtek/rtw89/mac.h
+@@ -421,7 +421,6 @@ enum rtw89_mac_c2h_mrc_func {
+
+ enum rtw89_mac_c2h_wow_func {
+ RTW89_MAC_C2H_FUNC_AOAC_REPORT,
+- RTW89_MAC_C2H_FUNC_READ_WOW_CAM,
+
+ NUM_OF_RTW89_MAC_C2H_FUNC_WOW,
+ };
+--
+2.43.0
+
--- /dev/null
+From 8e601a2569039ca3b8edac22809683c0214a06c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 08:17:09 +0000
+Subject: wifi: wilc1000: fix potential RCU dereference issue in
+ wilc_parse_join_bss_param
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiawei Ye <jiawei.ye@foxmail.com>
+
+[ Upstream commit 6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8 ]
+
+In the `wilc_parse_join_bss_param` function, the TSF field of the `ies`
+structure is accessed after the RCU read-side critical section is
+unlocked. According to RCU usage rules, this is illegal. Reusing this
+pointer can lead to unpredictable behavior, including accessing memory
+that has been updated or causing use-after-free issues.
+
+This possible bug was identified using a static analysis tool developed
+by myself, specifically designed to detect RCU-related issues.
+
+To address this, the TSF value is now stored in a local variable
+`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is
+then assigned using this local variable, ensuring that the TSF value is
+safely accessed.
+
+Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
+Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com>
+Reviewed-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/tencent_466225AA599BA49627FB26F707EE17BC5407@qq.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
+index 7719e4f3e2a23..2ee8c8e365f89 100644
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -384,6 +384,7 @@ wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ struct wilc_join_bss_param *param;
+ u8 rates_len = 0;
+ int ies_len;
++ u64 ies_tsf;
+ int ret;
+
+ param = kzalloc(sizeof(*param), GFP_KERNEL);
+@@ -399,6 +400,7 @@ wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ return NULL;
+ }
+ ies_len = ies->len;
++ ies_tsf = ies->tsf;
+ rcu_read_unlock();
+
+ param->beacon_period = cpu_to_le16(bss->beacon_interval);
+@@ -454,7 +456,7 @@ wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
+ (u8 *)&noa_attr, sizeof(noa_attr));
+ if (ret > 0) {
+- param->tsf_lo = cpu_to_le32(ies->tsf);
++ param->tsf_lo = cpu_to_le32(ies_tsf);
+ param->noa_enabled = 1;
+ param->idx = noa_attr.index;
+ if (noa_attr.oppps_ctwindow & IEEE80211_P2P_OPPPS_ENABLE_BIT) {
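Review bot: `param->tsf_lo = cpu_to_le32(ies_tsf);` passes the new `u64 ies_tsf` to a 32-bit conversion, so the upper half is dropped implicitly. The field name suggests that is intended, and writing `cpu_to_le32(lower_32_bits(ies_tsf))` would make the truncation explicit. Separately, the lines between `rcu_read_unlock()` and this hunk are not shown, so it is worth checking that no other `ies->` access remains after the unlock. wilc_parse_join_bss_param() starts and ends outside the hunks.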
+--
+2.43.0
+
--- /dev/null
+From 74110a4b3c7ecb48d357f143262a38ab16bdf3c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 10:33:13 +0200
+Subject: x86/boot/64: Strip percpu address space when setting up GDT
+ descriptors
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit b51207dc02ec3aeaa849e419f79055d7334845b6 ]
+
+init_per_cpu_var() returns a pointer in the percpu address space while
+rip_rel_ptr() expects a pointer in the generic address space.
+
+When strict address space checks are enabled, GCC's named address space
+checks fail:
+
+ asm.h:124:63: error: passing argument 1 of 'rip_rel_ptr' from
+ pointer to non-enclosed address space
+
+Add a explicit cast to remove address space of the returned pointer.
+
+Fixes: 11e36b0f7c21 ("x86/boot/64: Load the final kernel GDT during early boot directly, remove startup_gdt[]")
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20240819083334.148536-1-ubizjak@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/head64.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
+index a817ed0724d1e..4b9d4557fc94a 100644
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -559,10 +559,11 @@ void early_setup_idt(void)
+ */
+ void __head startup_64_setup_gdt_idt(void)
+ {
++ struct desc_struct *gdt = (void *)(__force unsigned long)init_per_cpu_var(gdt_page.gdt);
+ void *handler = NULL;
+
+ struct desc_ptr startup_gdt_descr = {
+- .address = (unsigned long)&RIP_REL_REF(init_per_cpu_var(gdt_page.gdt)),
++ .address = (unsigned long)&RIP_REL_REF(*gdt),
+ .size = GDT_SIZE - 1,
+ };
+
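Review bot: The new declaration `struct desc_struct *gdt = (void *)(__force unsigned long)init_per_cpu_var(gdt_page.gdt);` is well past the usual line length and its double cast is not self-explanatory. A comment such as `/* strip the percpu address space; RIP_REL_REF() expects a generic pointer */` and a line break after the `=` would help the next reader. Because `__force` silences the address-space check for this expression, the comment should also say that `gdt` is only meant to be fed to `RIP_REL_REF()` and not dereferenced directly, if that is indeed the intent.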
+--
+2.43.0
+
--- /dev/null
+From 00561a81824d938f699125df6eaa995abb211746 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 13:21:37 +0000
+Subject: x86/mm: Use IPIs to synchronize LAM enablement
+
+From: Yosry Ahmed <yosryahmed@google.com>
+
+[ Upstream commit 3b299b99556c1753923f8d9bbd9304bcd139282f ]
+
+LAM can only be enabled when a process is single-threaded. But _kernel_
+threads can temporarily use a single-threaded process's mm.
+
+If LAM is enabled by a userspace process while a kthread is using its
+mm, the kthread will not observe LAM enablement (i.e. LAM will be
+disabled in CR3). This could be fine for the kthread itself, as LAM only
+affects userspace addresses. However, if the kthread context switches to
+a thread in the same userspace process, CR3 may or may not be updated
+because the mm_struct doesn't change (based on pending TLB flushes). If
+CR3 is not updated, the userspace thread will run incorrectly with LAM
+disabled, which may cause page faults when using tagged addresses.
+Example scenario:
+
+CPU 1 CPU 2
+/* kthread */
+kthread_use_mm()
+ /* user thread */
+ prctl_enable_tagged_addr()
+ /* LAM enabled on CPU 2 */
+/* LAM disabled on CPU 1 */
+ context_switch() /* to CPU 1 */
+/* Switching to user thread */
+switch_mm_irqs_off()
+/* CR3 not updated */
+/* LAM is still disabled on CPU 1 */
+
+Synchronize LAM enablement by sending an IPI to all CPUs running with
+the mm_struct to enable LAM. This makes sure LAM is enabled on CPU 1
+in the above scenario before prctl_enable_tagged_addr() returns and
+userspace starts using tagged addresses, and before it's possible to
+run the userspace process on CPU 1.
+
+In switch_mm_irqs_off(), move reading the LAM mask until after
+mm_cpumask() is updated. This ensures that if an outdated LAM mask is
+written to CR3, an IPI is received to update it right after IRQs are
+re-enabled.
+
+[ dhansen: Add a LAM enabling helper and comment it ]
+
+Fixes: 82721d8b25d7 ("x86/mm: Handle LAM on context switch")
+Suggested-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Yosry Ahmed <yosryahmed@google.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Link: https://lore.kernel.org/all/20240702132139.3332013-2-yosryahmed%40google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/process_64.c | 29 ++++++++++++++++++++++++++---
+ arch/x86/mm/tlb.c | 7 +++----
+ 2 files changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index 6d3d20e3e43a9..d8d582b750d4f 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -798,6 +798,27 @@ static long prctl_map_vdso(const struct vdso_image *image, unsigned long addr)
+
+ #define LAM_U57_BITS 6
+
++static void enable_lam_func(void *__mm)
++{
++ struct mm_struct *mm = __mm;
++
++ if (this_cpu_read(cpu_tlbstate.loaded_mm) == mm) {
++ write_cr3(__read_cr3() | mm->context.lam_cr3_mask);
++ set_tlbstate_lam_mode(mm);
++ }
++}
++
++static void mm_enable_lam(struct mm_struct *mm)
++{
++ /*
++ * Even though the process must still be single-threaded at this
++ * point, kernel threads may be using the mm. IPI those kernel
++ * threads if they exist.
++ */
++ on_each_cpu_mask(mm_cpumask(mm), enable_lam_func, mm, true);
++ set_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags);
++}
++
+ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits)
+ {
+ if (!cpu_feature_enabled(X86_FEATURE_LAM))
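Review bot: enable_lam_func() has no comment although it is the callback passed to `on_each_cpu_mask()`, and the reason for its `loaded_mm == mm` test is not obvious from the code. I would add `/* IPI callback: update CR3 only if this CPU currently has mm loaded */` above the function. In mm_enable_lam() a line on why `set_bit(MM_CONTEXT_LOCK_LAM, ...)` comes after the IPIs rather than before would also help, since the ordering looks deliberate. prctl_enable_tagged_addr() continues outside the hunk.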
+@@ -814,6 +835,10 @@ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits)
+ if (mmap_write_lock_killable(mm))
+ return -EINTR;
+
++ /*
++ * MM_CONTEXT_LOCK_LAM is set on clone. Prevent LAM from
++ * being enabled unless the process is single threaded:
++ */
+ if (test_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags)) {
+ mmap_write_unlock(mm);
+ return -EBUSY;
+@@ -830,9 +855,7 @@ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits)
+ return -EINVAL;
+ }
+
+- write_cr3(__read_cr3() | mm->context.lam_cr3_mask);
+- set_tlbstate_lam_mode(mm);
+- set_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags);
++ mm_enable_lam(mm);
+
+ mmap_write_unlock(mm);
+
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 44ac64f3a047c..a041d2ecd8380 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -503,9 +503,9 @@ void switch_mm_irqs_off(struct mm_struct *unused, struct mm_struct *next,
+ {
+ struct mm_struct *prev = this_cpu_read(cpu_tlbstate.loaded_mm);
+ u16 prev_asid = this_cpu_read(cpu_tlbstate.loaded_mm_asid);
+- unsigned long new_lam = mm_lam_cr3_mask(next);
+ bool was_lazy = this_cpu_read(cpu_tlbstate_shared.is_lazy);
+ unsigned cpu = smp_processor_id();
++ unsigned long new_lam;
+ u64 next_tlb_gen;
+ bool need_flush;
+ u16 new_asid;
+@@ -619,9 +619,7 @@ void switch_mm_irqs_off(struct mm_struct *unused, struct mm_struct *next,
+ cpumask_clear_cpu(cpu, mm_cpumask(prev));
+ }
+
+- /*
+- * Start remote flushes and then read tlb_gen.
+- */
++ /* Start receiving IPIs and then read tlb_gen (and LAM below) */
+ if (next != &init_mm)
+ cpumask_set_cpu(cpu, mm_cpumask(next));
+ next_tlb_gen = atomic64_read(&next->context.tlb_gen);
+@@ -633,6 +631,7 @@ void switch_mm_irqs_off(struct mm_struct *unused, struct mm_struct *next,
+ barrier();
+ }
+
++ new_lam = mm_lam_cr3_mask(next);
+ set_tlbstate_lam_mode(next);
+ if (need_flush) {
+ this_cpu_write(cpu_tlbstate.ctxs[new_asid].ctx_id, next->context.ctx_id);
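Review bot: `new_lam = mm_lam_cr3_mask(next);` followed by `set_tlbstate_lam_mode(next);` reads the mm's LAM state in two separate steps, and with this commit a prctl on another CPU can change it in between. If set_tlbstate_lam_mode() re-reads the mask from `next` (its body is not shown), CR3 and the per-CPU tlbstate can briefly disagree until the IPI arrives. Reading the mask once with `READ_ONCE()` and using that value for both would avoid this. The writer of `lam_cr3_mask` is outside these hunks and would need the matching `WRITE_ONCE()`. switch_mm_irqs_off() starts and ends outside the hunk.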
+--
+2.43.0
+
--- /dev/null
+From aaf5caf66451a1f17e0c3b3546263222db7c9194 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 13:26:59 -0700
+Subject: x86/PCI: Check pcie_find_root_port() return for NULL
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit dbc3171194403d0d40e4bdeae666f6e76e428b53 ]
+
+If pcie_find_root_port() is unable to locate a Root Port, it will return
+NULL. Check the pointer for NULL before dereferencing it.
+
+This particular case is in a quirk for devices that are always below a Root
+Port, so this won't avoid a problem and doesn't need to be backported, but
+check as a matter of style and to prevent copy/paste mistakes.
+
+Link: https://lore.kernel.org/r/20240812202659.1649121-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+[bhelgaas: drop Fixes: and explain why there's no problem in this case]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/pci/fixup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
+index b33afb240601b..98a9bb92d75c8 100644
+--- a/arch/x86/pci/fixup.c
++++ b/arch/x86/pci/fixup.c
+@@ -980,7 +980,7 @@ static void amd_rp_pme_suspend(struct pci_dev *dev)
+ return;
+
+ rp = pcie_find_root_port(dev);
+- if (!rp->pm_cap)
++ if (!rp || !rp->pm_cap)
+ return;
+
+ rp->pme_support &= ~((PCI_PM_CAP_PME_D3hot|PCI_PM_CAP_PME_D3cold) >>
+@@ -994,7 +994,7 @@ static void amd_rp_pme_resume(struct pci_dev *dev)
+ u16 pmc;
+
+ rp = pcie_find_root_port(dev);
+- if (!rp->pm_cap)
++ if (!rp || !rp->pm_cap)
+ return;
+
+ pci_read_config_word(rp, rp->pm_cap + PCI_PM_PMC, &pmc);
+--
+2.43.0
+
--- /dev/null
+From 42b2acd7143abc01f20bfe667af9097f51b6cab5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 16:08:54 +0800
+Subject: x86/sgx: Fix deadlock in SGX NUMA node search
+
+From: Aaron Lu <aaron.lu@intel.com>
+
+[ Upstream commit 9c936844010466535bd46ea4ce4656ef17653644 ]
+
+When the current node doesn't have an EPC section configured by firmware
+and all other EPC sections are used up, CPU can get stuck inside the
+while loop that looks for an available EPC page from remote nodes
+indefinitely, leading to a soft lockup. Note how nid_of_current will
+never be equal to nid in that while loop because nid_of_current is not
+set in sgx_numa_mask.
+
+Also worth mentioning is that it's perfectly fine for the firmware not
+to setup an EPC section on a node. While setting up an EPC section on
+each node can enhance performance, it is not a requirement for
+functionality.
+
+Rework the loop to start and end on *a* node that has SGX memory. This
+avoids the deadlock looking for the current SGX-lacking node to show up
+in the loop when it never will.
+
+Fixes: 901ddbb9ecf5 ("x86/sgx: Add a basic NUMA allocation scheme to sgx_alloc_epc_page()")
+Reported-by: "Molina Sabido, Gerardo" <gerardo.molina.sabido@intel.com>
+Signed-off-by: Aaron Lu <aaron.lu@intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Kai Huang <kai.huang@intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Tested-by: Zhimin Luo <zhimin.luo@intel.com>
+Link: https://lore.kernel.org/all/20240905080855.1699814-2-aaron.lu%40intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/sgx/main.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
+index 27892e57c4ef9..6aeeb43dd3f6a 100644
+--- a/arch/x86/kernel/cpu/sgx/main.c
++++ b/arch/x86/kernel/cpu/sgx/main.c
+@@ -475,24 +475,25 @@ struct sgx_epc_page *__sgx_alloc_epc_page(void)
+ {
+ struct sgx_epc_page *page;
+ int nid_of_current = numa_node_id();
+- int nid = nid_of_current;
++ int nid_start, nid;
+
+- if (node_isset(nid_of_current, sgx_numa_mask)) {
+- page = __sgx_alloc_epc_page_from_node(nid_of_current);
+- if (page)
+- return page;
+- }
+-
+- /* Fall back to the non-local NUMA nodes: */
+- while (true) {
+- nid = next_node_in(nid, sgx_numa_mask);
+- if (nid == nid_of_current)
+- break;
++ /*
++ * Try local node first. If it doesn't have an EPC section,
++ * fall back to the non-local NUMA nodes.
++ */
++ if (node_isset(nid_of_current, sgx_numa_mask))
++ nid_start = nid_of_current;
++ else
++ nid_start = next_node_in(nid_of_current, sgx_numa_mask);
+
++ nid = nid_start;
++ do {
+ page = __sgx_alloc_epc_page_from_node(nid);
+ if (page)
+ return page;
+- }
++
++ nid = next_node_in(nid, sgx_numa_mask);
++ } while (nid != nid_start);
+
+ return ERR_PTR(-ENOMEM);
+ }
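Review bot: The new `do { ... } while (nid != nid_start)` loop assumes `sgx_numa_mask` has at least one node set, and nothing in the hunk states or enforces that. With an empty mask `next_node_in()` returns `MAX_NUMNODES`, so `nid_start` would be handed to `__sgx_alloc_epc_page_from_node()` as an out-of-range node id. Whether the mask can be empty by the time this runs depends on SGX init code outside the hunk. If the invariant holds, say so in the comment above the `nid_start` assignment; otherwise guard it with `if (nid_start >= MAX_NUMNODES) return ERR_PTR(-ENOMEM);` before the loop.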
+--
+2.43.0
+
--- /dev/null
+From bb52bc74dba42f9095b33da65b04f71538cf56b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 16:47:25 +0200
+Subject: xen: add capability to remap non-RAM pages to different PFNs
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit d05208cf7f05420ad10cc7f9550f91d485523659 ]
+
+When running as a Xen PV dom0 it can happen that the kernel is being
+loaded to a guest physical address conflicting with the host memory
+map.
+
+In order to be able to resolve this conflict, add the capability to
+remap non-RAM areas to different guest PFNs. A function to use this
+remapping information for other purposes than doing the remap will be
+added when needed.
+
+As the number of conflicts should be rather low (currently only
+machines with max. 1 conflict are known), save the remap data in a
+small statically allocated array.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/p2m.c | 63 ++++++++++++++++++++++++++++++++++++++++++
+ arch/x86/xen/xen-ops.h | 3 ++
+ 2 files changed, 66 insertions(+)
+
+diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c
+index 6bcbdf3b7999f..9a5e6a7c0729e 100644
+--- a/arch/x86/xen/p2m.c
++++ b/arch/x86/xen/p2m.c
+@@ -80,6 +80,7 @@
+ #include <asm/xen/hypervisor.h>
+ #include <xen/balloon.h>
+ #include <xen/grant_table.h>
++#include <xen/hvc-console.h>
+
+ #include "multicalls.h"
+ #include "xen-ops.h"
+@@ -793,6 +794,68 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops,
+ return ret;
+ }
+
++/* Remapped non-RAM areas */
++#define NR_NONRAM_REMAP 4
++static struct nonram_remap {
++ phys_addr_t maddr;
++ phys_addr_t paddr;
++ size_t size;
++} xen_nonram_remap[NR_NONRAM_REMAP] __ro_after_init;
++static unsigned int nr_nonram_remap __ro_after_init;
++
++/*
++ * Do the real remapping of non-RAM regions as specified in the
++ * xen_nonram_remap[] array.
++ * In case of an error just crash the system.
++ */
++void __init xen_do_remap_nonram(void)
++{
++ unsigned int i;
++ unsigned int remapped = 0;
++ const struct nonram_remap *remap = xen_nonram_remap;
++ unsigned long pfn, mfn, end_pfn;
++
++ for (i = 0; i < nr_nonram_remap; i++) {
++ end_pfn = PFN_UP(remap->paddr + remap->size);
++ pfn = PFN_DOWN(remap->paddr);
++ mfn = PFN_DOWN(remap->maddr);
++ while (pfn < end_pfn) {
++ if (!set_phys_to_machine(pfn, mfn))
++ panic("Failed to set p2m mapping for pfn=%lx mfn=%lx\n",
++ pfn, mfn);
++
++ pfn++;
++ mfn++;
++ remapped++;
++ }
++
++ remap++;
++ }
++
++ pr_info("Remapped %u non-RAM page(s)\n", remapped);
++}
++
++/*
++ * Add a new non-RAM remap entry.
++ * In case of no free entry found, just crash the system.
++ */
++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr,
++ unsigned long size)
++{
++ BUG_ON((maddr & ~PAGE_MASK) != (paddr & ~PAGE_MASK));
++
++ if (nr_nonram_remap == NR_NONRAM_REMAP) {
++ xen_raw_console_write("Number of required E820 entry remapping actions exceed maximum value\n");
++ BUG();
++ }
++
++ xen_nonram_remap[nr_nonram_remap].maddr = maddr;
++ xen_nonram_remap[nr_nonram_remap].paddr = paddr;
++ xen_nonram_remap[nr_nonram_remap].size = size;
++
++ nr_nonram_remap++;
++}
++
+ #ifdef CONFIG_XEN_DEBUG_FS
+ #include <linux/debugfs.h>
+ #include "debugfs.h"
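Review bot: `xen_add_remap_nonram()` does not document which of `maddr` and `paddr` is the source and which the target, and the two are easy to swap at a call site because both are `phys_addr_t`. In `xen_do_remap_nonram()` the pfn is derived from `paddr` and the mfn from `maddr`, so the header comment should say that `maddr` is the machine address of the non-RAM area, that `paddr` is the guest physical address it is mapped at, and that both must have the same offset within a page (the `BUG_ON`). The `size` parameter is `unsigned long` while the struct field is `size_t`; using `size_t size` in the definition and in the xen-ops.h prototype would keep the two in step.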
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index f46a1dd3624da..a6a21dd055270 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -43,6 +43,9 @@ void xen_mm_unpin_all(void);
+ #ifdef CONFIG_X86_64
+ void __init xen_relocate_p2m(void);
+ #endif
++void __init xen_do_remap_nonram(void);
++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr,
++ unsigned long size);
+
+ void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
+ const char *component);
+--
+2.43.0
+
--- /dev/null
+From 23f07d65e396528cec1e1c48b06e21e22a11dd55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 14:11:06 +0200
+Subject: xen: introduce generic helper checking for memory map conflicts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit ba88829706e2c5b7238638fc2b0713edf596495e ]
+
+When booting as a Xen PV dom0 the memory layout of the dom0 is
+modified to match that of the host, as this requires less changes in
+the kernel for supporting Xen.
+
+There are some cases, though, which are problematic, as it is the Xen
+hypervisor selecting the kernel's load address plus some other data,
+which might conflict with the host's memory map.
+
+These conflicts are detected at boot time and result in a boot error.
+In order to support handling at least some of these conflicts in
+future, introduce a generic helper function which will later gain the
+ability to adapt the memory layout when possible.
+
+Add the missing check for the xen_start_info area.
+
+Note that possible p2m map and initrd memory conflicts are handled
+already by copying the data to memory areas not conflicting with the
+memory map. The initial stack allocated by Xen doesn't need to be
+checked, as early boot code is switching to the statically allocated
+initial kernel stack. Initial page tables and the kernel itself will
+be handled later.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/mmu_pv.c | 5 +----
+ arch/x86/xen/setup.c | 34 ++++++++++++++++++++++++++++------
+ arch/x86/xen/xen-ops.h | 3 ++-
+ 3 files changed, 31 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
+index 54e0d311dcc94..9e9a122c2bcfa 100644
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -2019,10 +2019,7 @@ void __init xen_reserve_special_pages(void)
+
+ void __init xen_pt_check_e820(void)
+ {
+- if (xen_is_e820_reserved(xen_pt_base, xen_pt_size)) {
+- xen_raw_console_write("Xen hypervisor allocated page table memory conflicts with E820 map\n");
+- BUG();
+- }
++ xen_chk_is_e820_usable(xen_pt_base, xen_pt_size, "page table");
+ }
+
+ static unsigned char dummy_mapping[PAGE_SIZE] __page_aligned_bss;
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index d2073df5c5624..84cbc7ec55811 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -568,7 +568,7 @@ static void __init xen_ignore_unusable(void)
+ }
+ }
+
+-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size)
++static bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size)
+ {
+ struct e820_entry *entry;
+ unsigned mapcnt;
+@@ -625,6 +625,23 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size)
+ return 0;
+ }
+
++/*
++ * Check for an area in physical memory to be usable for non-movable purposes.
++ * An area is considered to usable if the used E820 map lists it to be RAM.
++ * In case the area is not usable, crash the system with an error message.
++ */
++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
++ const char *component)
++{
++ if (!xen_is_e820_reserved(start, size))
++ return;
++
++ xen_raw_console_write("Xen hypervisor allocated ");
++ xen_raw_console_write(component);
++ xen_raw_console_write(" memory conflicts with E820 map\n");
++ BUG();
++}
++
+ /*
+ * Like memcpy, but with physical addresses for dest and src.
+ */
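Review bot: The header comment of `xen_chk_is_e820_usable()` reads "An area is considered to usable", which is missing a word; `An area is considered to be usable if the E820 map in use lists it as RAM.` reads correctly. The name suggests a predicate, yet the function returns `void` and ends in `BUG()`, so the comment's last sentence is the only place a caller learns that it does not return on a conflict. I would move that sentence to the top of the comment.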
+@@ -825,11 +842,16 @@ char * __init xen_memory_setup(void)
+ * Failing now is better than running into weird problems later due
+ * to relocating (and even reusing) pages with kernel text or data.
+ */
+- if (xen_is_e820_reserved(__pa_symbol(_text),
+- __pa_symbol(_end) - __pa_symbol(_text))) {
+- xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n");
+- BUG();
+- }
++ xen_chk_is_e820_usable(__pa_symbol(_text),
++ __pa_symbol(_end) - __pa_symbol(_text),
++ "kernel");
++
++ /*
++ * Check for a conflict of the xen_start_info memory with the target
++ * E820 map.
++ */
++ xen_chk_is_e820_usable(__pa(xen_start_info), sizeof(*xen_start_info),
++ "xen_start_info");
+
+ /*
+ * Check for a conflict of the hypervisor supplied page tables with
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index 79cf93f2c92f1..f46a1dd3624da 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -44,7 +44,8 @@ void xen_mm_unpin_all(void);
+ void __init xen_relocate_p2m(void);
+ #endif
+
+-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size);
++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
++ const char *component);
+ unsigned long __ref xen_chk_extra_mem(unsigned long pfn);
+ void __init xen_inv_extra_mem(void);
+ void __init xen_remap_memory(void);
+--
+2.43.0
+
--- /dev/null
+From f20c704cce1f5c57fbac9e14ce2b5c970fcafbaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:24:41 +0200
+Subject: xen: move max_pfn in xen_memory_setup() out of function scope
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 43dc2a0f479b9cd30f6674986d7a40517e999d31 ]
+
+Instead of having max_pfn as a local variable of xen_memory_setup(),
+make it a static variable in setup.c instead. This avoids having to
+pass it to subfunctions, which will be needed in more cases in future.
+
+Rename it to ini_nr_pages, as the value denotes the currently usable
+number of memory pages as passed from the hypervisor at boot time.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 52 ++++++++++++++++++++++----------------------
+ 1 file changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 84cbc7ec55811..112b071bac9d4 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -47,6 +47,9 @@ bool xen_pv_pci_possible;
+ /* E820 map used during setting up memory. */
+ static struct e820_table xen_e820_table __initdata;
+
++/* Number of initially usable memory pages. */
++static unsigned long ini_nr_pages __initdata;
++
+ /*
+ * Buffer used to remap identity mapped pages. We only need the virtual space.
+ * The physical page behind this address is remapped as needed to different
+@@ -213,7 +216,7 @@ static int __init xen_free_mfn(unsigned long mfn)
+ * as a fallback if the remapping fails.
+ */
+ static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn,
+- unsigned long end_pfn, unsigned long nr_pages)
++ unsigned long end_pfn)
+ {
+ unsigned long pfn, end;
+ int ret;
+@@ -221,7 +224,7 @@ static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn,
+ WARN_ON(start_pfn > end_pfn);
+
+ /* Release pages first. */
+- end = min(end_pfn, nr_pages);
++ end = min(end_pfn, ini_nr_pages);
+ for (pfn = start_pfn; pfn < end; pfn++) {
+ unsigned long mfn = pfn_to_mfn(pfn);
+
+@@ -342,15 +345,14 @@ static void __init xen_do_set_identity_and_remap_chunk(
+ * to Xen and not remapped.
+ */
+ static unsigned long __init xen_set_identity_and_remap_chunk(
+- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages,
+- unsigned long remap_pfn)
++ unsigned long start_pfn, unsigned long end_pfn, unsigned long remap_pfn)
+ {
+ unsigned long pfn;
+ unsigned long i = 0;
+ unsigned long n = end_pfn - start_pfn;
+
+ if (remap_pfn == 0)
+- remap_pfn = nr_pages;
++ remap_pfn = ini_nr_pages;
+
+ while (i < n) {
+ unsigned long cur_pfn = start_pfn + i;
+@@ -359,19 +361,19 @@ static unsigned long __init xen_set_identity_and_remap_chunk(
+ unsigned long remap_range_size;
+
+ /* Do not remap pages beyond the current allocation */
+- if (cur_pfn >= nr_pages) {
++ if (cur_pfn >= ini_nr_pages) {
+ /* Identity map remaining pages */
+ set_phys_range_identity(cur_pfn, cur_pfn + size);
+ break;
+ }
+- if (cur_pfn + size > nr_pages)
+- size = nr_pages - cur_pfn;
++ if (cur_pfn + size > ini_nr_pages)
++ size = ini_nr_pages - cur_pfn;
+
+ remap_range_size = xen_find_pfn_range(&remap_pfn);
+ if (!remap_range_size) {
+ pr_warn("Unable to find available pfn range, not remapping identity pages\n");
+ xen_set_identity_and_release_chunk(cur_pfn,
+- cur_pfn + left, nr_pages);
++ cur_pfn + left);
+ break;
+ }
+ /* Adjust size to fit in current e820 RAM region */
+@@ -398,18 +400,18 @@ static unsigned long __init xen_set_identity_and_remap_chunk(
+ }
+
+ static unsigned long __init xen_count_remap_pages(
+- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages,
++ unsigned long start_pfn, unsigned long end_pfn,
+ unsigned long remap_pages)
+ {
+- if (start_pfn >= nr_pages)
++ if (start_pfn >= ini_nr_pages)
+ return remap_pages;
+
+- return remap_pages + min(end_pfn, nr_pages) - start_pfn;
++ return remap_pages + min(end_pfn, ini_nr_pages) - start_pfn;
+ }
+
+-static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages,
++static unsigned long __init xen_foreach_remap_area(
+ unsigned long (*func)(unsigned long start_pfn, unsigned long end_pfn,
+- unsigned long nr_pages, unsigned long last_val))
++ unsigned long last_val))
+ {
+ phys_addr_t start = 0;
+ unsigned long ret_val = 0;
+@@ -437,8 +439,7 @@ static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages,
+ end_pfn = PFN_UP(entry->addr);
+
+ if (start_pfn < end_pfn)
+- ret_val = func(start_pfn, end_pfn, nr_pages,
+- ret_val);
++ ret_val = func(start_pfn, end_pfn, ret_val);
+ start = end;
+ }
+ }
+@@ -701,7 +702,7 @@ static void __init xen_reserve_xen_mfnlist(void)
+ **/
+ char * __init xen_memory_setup(void)
+ {
+- unsigned long max_pfn, pfn_s, n_pfns;
++ unsigned long pfn_s, n_pfns;
+ phys_addr_t mem_end, addr, size, chunk_size;
+ u32 type;
+ int rc;
+@@ -713,9 +714,8 @@ char * __init xen_memory_setup(void)
+ int op;
+
+ xen_parse_512gb();
+- max_pfn = xen_get_pages_limit();
+- max_pfn = min(max_pfn, xen_start_info->nr_pages);
+- mem_end = PFN_PHYS(max_pfn);
++ ini_nr_pages = min(xen_get_pages_limit(), xen_start_info->nr_pages);
++ mem_end = PFN_PHYS(ini_nr_pages);
+
+ memmap.nr_entries = ARRAY_SIZE(xen_e820_table.entries);
+ set_xen_guest_handle(memmap.buffer, xen_e820_table.entries);
+@@ -768,10 +768,10 @@ char * __init xen_memory_setup(void)
+ max_pages = xen_get_max_pages();
+
+ /* How many extra pages do we need due to remapping? */
+- max_pages += xen_foreach_remap_area(max_pfn, xen_count_remap_pages);
++ max_pages += xen_foreach_remap_area(xen_count_remap_pages);
+
+- if (max_pages > max_pfn)
+- extra_pages += max_pages - max_pfn;
++ if (max_pages > ini_nr_pages)
++ extra_pages += max_pages - ini_nr_pages;
+
+ /*
+ * Clamp the amount of extra memory to a EXTRA_MEM_RATIO
+@@ -780,8 +780,8 @@ char * __init xen_memory_setup(void)
+ * Make sure we have no memory above max_pages, as this area
+ * isn't handled by the p2m management.
+ */
+- maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM));
+- extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn);
++ maxmem_pages = EXTRA_MEM_RATIO * min(ini_nr_pages, PFN_DOWN(MAXMEM));
++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - ini_nr_pages);
+ i = 0;
+ addr = xen_e820_table.entries[0].addr;
+ size = xen_e820_table.entries[0].size;
+@@ -886,7 +886,7 @@ char * __init xen_memory_setup(void)
+ * Set identity map on non-RAM pages and prepare remapping the
+ * underlying RAM.
+ */
+- xen_foreach_remap_area(max_pfn, xen_set_identity_and_remap_chunk);
++ xen_foreach_remap_area(xen_set_identity_and_remap_chunk);
+
+ pr_info("Released %ld page(s)\n", xen_released_pages);
+
+--
+2.43.0
+
--- /dev/null
+From 4402f8562bd669553603c175cfcc1ed46796b491 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 12:05:02 +0200
+Subject: xen/swiotlb: add alignment check for dma buffers
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 9f40ec84a7976d95c34e7cc070939deb103652b0 ]
+
+When checking a memory buffer to be consecutive in machine memory,
+the alignment needs to be checked, too. Failing to do so might result
+in DMA memory not being aligned according to its requested size,
+leading to error messages like:
+
+ 4xxx 0000:2b:00.0: enabling device (0140 -> 0142)
+ 4xxx 0000:2b:00.0: Ring address not aligned
+ 4xxx 0000:2b:00.0: Failed to initialise service qat_crypto
+ 4xxx 0000:2b:00.0: Resetting device qat_dev0
+ 4xxx: probe of 0000:2b:00.0 failed with error -14
+
+Fixes: 9435cce87950 ("xen/swiotlb: Add support for 64KB page granularity")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/swiotlb-xen.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 6579ae3f6dac2..7a6f1f007527c 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -78,9 +78,15 @@ static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
+ {
+ unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p);
+ unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size);
++ phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT);
+
+ next_bfn = pfn_to_bfn(xen_pfn);
+
++ /* If buffer is physically aligned, ensure DMA alignment. */
++ if (IS_ALIGNED(p, algn) &&
++ !IS_ALIGNED((phys_addr_t)next_bfn << XEN_PAGE_SHIFT, algn))
++ return 1;
++
+ for (i = 1; i < nr_pages; i++)
+ if (pfn_to_bfn(++xen_pfn) != ++next_bfn)
+ return 1;
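Review bot: `algn` is initialised as `1ULL << (get_order(size) + PAGE_SHIFT)` before anything constrains `size`, and `get_order()` is documented as undefined for a size of 0. As far as I can tell the generic implementation then yields a shift count equal to the width of the type, which is undefined behaviour. The callers are outside this hunk, so a zero length may never arrive here, but an early `if (!size) return 0;` with `algn` assigned after it would make the helper safe on its own. The page loop below does not run in that case anyway. The function's closing lines are outside the hunk, so the return value for the no-straddle case should be checked there.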
+--
+2.43.0
+
--- /dev/null
+From 513fc84b682c4fa645ef5ade5bfaa91309e16e98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Sep 2024 13:06:44 +0200
+Subject: xen/swiotlb: fix allocated size
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit c3dea3d54f4d399f8044547f0f1abdccbdfb0fee ]
+
+The allocated size in xen_swiotlb_alloc_coherent() and
+xen_swiotlb_free_coherent() is calculated wrong for the case of
+XEN_PAGE_SIZE not matching PAGE_SIZE. Fix that.
+
+Fixes: 7250f422da04 ("xen-swiotlb: use actually allocated size on check physical continuous")
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/swiotlb-xen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 7a6f1f007527c..5e83d1e0bd184 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -146,7 +146,7 @@ xen_swiotlb_alloc_coherent(struct device *dev, size_t size,
+ void *ret;
+
+ /* Align the allocation to the Xen page size */
+- size = 1UL << (order + XEN_PAGE_SHIFT);
++ size = ALIGN(size, XEN_PAGE_SIZE);
+
+ ret = (void *)__get_free_pages(flags, get_order(size));
+ if (!ret)
+@@ -178,7 +178,7 @@ xen_swiotlb_free_coherent(struct device *dev, size_t size, void *vaddr,
+ int order = get_order(size);
+
+ /* Convert the size to actually allocated. */
+- size = 1UL << (order + XEN_PAGE_SHIFT);
++ size = ALIGN(size, XEN_PAGE_SIZE);
+
+ if (WARN_ON_ONCE(dma_handle + size - 1 > dev->coherent_dma_mask) ||
+ WARN_ON_ONCE(range_straddles_page_boundary(phys, size)))
+--
+2.43.0
+
--- /dev/null
+From f90ca904b5852266bda085423cc568c7959e94fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 20:14:22 +0200
+Subject: xen: tolerate ACPI NVS memory overlapping with Xen allocated memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ]
+
+In order to minimize required special handling for running as Xen PV
+dom0, the memory layout is modified to match that of the host. This
+requires to have only RAM at the locations where Xen allocated memory
+is living. Unfortunately there seem to be some machines, where ACPI
+NVS is located at 64 MB, resulting in a conflict with the loaded
+kernel or the initial page tables built by Xen.
+
+Avoid this conflict by swapping the ACPI NVS area in the memory map
+with unused RAM. This is possible via modification of the dom0 P2M map.
+Accesses to the ACPI NVS area are done either for saving and restoring
+it across suspend operations (this will work the same way as before),
+or by ACPI code when NVS memory is referenced from other ACPI tables.
+The latter case is handled by a Xen specific indirection of
+acpi_os_ioremap().
+
+While the E820 map can (and should) be modified right away, the P2M
+map can be updated only after memory allocation is working, as the P2M
+map might need to be extended.
+
+Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 92 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 91 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 112b071bac9d4..989c14b1ff6c8 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -496,6 +496,8 @@ void __init xen_remap_memory(void)
+ set_pte_mfn(buf, mfn_save, PAGE_KERNEL);
+
+ pr_info("Remapped %ld page(s)\n", remapped);
++
++ xen_do_remap_nonram();
+ }
+
+ static unsigned long __init xen_get_pages_limit(void)
+@@ -626,14 +628,102 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size)
+ return 0;
+ }
+
++/*
++ * Swap a non-RAM E820 map entry with RAM above ini_nr_pages.
++ * Note that the E820 map is modified accordingly, but the P2M map isn't yet.
++ * The adaption of the P2M must be deferred until page allocation is possible.
++ */
++static void __init xen_e820_swap_entry_with_ram(struct e820_entry *swap_entry)
++{
++ struct e820_entry *entry;
++ unsigned int mapcnt;
++ phys_addr_t mem_end = PFN_PHYS(ini_nr_pages);
++ phys_addr_t swap_addr, swap_size, entry_end;
++
++ swap_addr = PAGE_ALIGN_DOWN(swap_entry->addr);
++ swap_size = PAGE_ALIGN(swap_entry->addr - swap_addr + swap_entry->size);
++ entry = xen_e820_table.entries;
++
++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) {
++ entry_end = entry->addr + entry->size;
++ if (entry->type == E820_TYPE_RAM && entry->size >= swap_size &&
++ entry_end - swap_size >= mem_end) {
++ /* Reduce RAM entry by needed space (whole pages). */
++ entry->size -= swap_size;
++
++ /* Add new entry at the end of E820 map. */
++ entry = xen_e820_table.entries +
++ xen_e820_table.nr_entries;
++ xen_e820_table.nr_entries++;
++
++ /* Fill new entry (keep size and page offset). */
++ entry->type = swap_entry->type;
++ entry->addr = entry_end - swap_size +
++ swap_addr - swap_entry->addr;
++ entry->size = swap_entry->size;
++
++ /* Convert old entry to RAM, align to pages. */
++ swap_entry->type = E820_TYPE_RAM;
++ swap_entry->addr = swap_addr;
++ swap_entry->size = swap_size;
++
++ /* Remember PFN<->MFN relation for P2M update. */
++ xen_add_remap_nonram(swap_addr, entry_end - swap_size,
++ swap_size);
++
++ /* Order E820 table and merge entries. */
++ e820__update_table(&xen_e820_table);
++
++ return;
++ }
++
++ entry++;
++ }
++
++ xen_raw_console_write("No suitable area found for required E820 entry remapping action\n");
++ BUG();
++}
++
++/*
++ * Look for non-RAM memory types in a specific guest physical area and move
++ * those away if possible (ACPI NVS only for now).
++ */
++static void __init xen_e820_resolve_conflicts(phys_addr_t start,
++ phys_addr_t size)
++{
++ struct e820_entry *entry;
++ unsigned int mapcnt;
++ phys_addr_t end;
++
++ if (!size)
++ return;
++
++ end = start + size;
++ entry = xen_e820_table.entries;
++
++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) {
++ if (entry->addr >= end)
++ return;
++
++ if (entry->addr + entry->size > start &&
++ entry->type == E820_TYPE_NVS)
++ xen_e820_swap_entry_with_ram(entry);
++
++ entry++;
++ }
++}
++
+ /*
+ * Check for an area in physical memory to be usable for non-movable purposes.
+- * An area is considered to usable if the used E820 map lists it to be RAM.
++ * An area is considered to usable if the used E820 map lists it to be RAM or
++ * some other type which can be moved to higher PFNs while keeping the MFNs.
+ * In case the area is not usable, crash the system with an error message.
+ */
+ void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
+ const char *component)
+ {
++ xen_e820_resolve_conflicts(start, size);
++
+ if (!xen_is_e820_reserved(start, size))
+ return;
+
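Review bot: In `xen_e820_swap_entry_with_ram()` the new entry is written at `xen_e820_table.entries + xen_e820_table.nr_entries` and `nr_entries` is incremented without checking that the table has a free slot. If the map obtained from the hypervisor already fills the array, this writes one element past `entries[]` during early boot. I would test `xen_e820_table.nr_entries >= ARRAY_SIZE(xen_e820_table.entries)` before shrinking the RAM entry, and fail through the same `xen_raw_console_write()` plus `BUG()` path used when no suitable area is found. Also worth confirming: `xen_e820_resolve_conflicts()` keeps walking with `entry++` after `e820__update_table()` has sorted and merged the table, so the pointer may no longer refer to the next unvisited entry.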
+--
+2.43.0
+
--- /dev/null
+From 263fce109413ed534fd7361171e4890ad2ef0a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Aug 2024 08:01:22 +0200
+Subject: xen: use correct end address of kernel for conflict checking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit fac1bceeeb04886fc2ee952672e6e6c85ce41dca ]
+
+When running as a Xen PV dom0 the kernel is loaded by the hypervisor
+using a different memory map than that of the host. In order to
+minimize the required changes in the kernel, the kernel adapts its
+memory map to that of the host. In order to do that it is checking
+for conflicts of its load address with the host memory map.
+
+Unfortunately the tested memory range does not include the .brk
+area, which might result in crashes or memory corruption when this
+area does conflict with the memory map of the host.
+
+Fix the test by using the _end label instead of __bss_stop.
+
+Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout")
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 380591028cb8f..d44d6d8b33195 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -825,7 +825,7 @@ char * __init xen_memory_setup(void)
+ * to relocating (and even reusing) pages with kernel text or data.
+ */
+ if (xen_is_e820_reserved(__pa_symbol(_text),
+- __pa_symbol(__bss_stop) - __pa_symbol(_text))) {
++ __pa_symbol(_end) - __pa_symbol(_text))) {
+ xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n");
+ BUG();
+ }
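Review bot: The length passed to xen_is_e820_reserved() now runs up to `_end`, but nothing at the call site records why that symbol and not `__bss_stop` is the right bound. According to the commit message, the reason is that the .brk area has to be part of the tested range, so I would add a comment directly above the `if`, for example `/* The range must extend to _end so that the .brk area is checked too. */`. Without it, a later cleanup could narrow the range again and reintroduce the conflict with the host memory map. xen_memory_setup() starts and ends outside this hunk, so the existing comment block above the check is only partly visible here.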
+--
+2.43.0
+
--- /dev/null
+From 26b1f5f954dc101213dd96765f44decb61d233cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 21:10:19 +0200
+Subject: xsk: fix batch alloc API on non-coherent systems
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 4144a1059b47e821c82c3c82eb23a4c7312dce3a ]
+
+In cases when synchronizing DMA operations is necessary,
+xsk_buff_alloc_batch() returns a single buffer instead of the requested
+count. This puts the pressure on drivers that use batch API as they have
+to check for this corner case on their side and take care of allocations
+by themselves, which feels counter productive. Let us improve the core
+by looping over xp_alloc() @max times when slow path needs to be taken.
+
+Another issue with current interface, as spotted and fixed by Dries, was
+that when driver called xsk_buff_alloc_batch() with @max == 0, for slow
+path case it still allocated and returned a single buffer, which should
+not happen. By introducing the logic from first paragraph we kill two
+birds with one stone and address this problem as well.
+
+Fixes: 47e4075df300 ("xsk: Batched buffer allocation for the pool")
+Reported-and-tested-by: Dries De Winter <ddewinter@synamedia.com>
+Co-developed-by: Dries De Winter <ddewinter@synamedia.com>
+Signed-off-by: Dries De Winter <ddewinter@synamedia.com>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://patch.msgid.link/20240911191019.296480-1-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_buff_pool.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index c0e0204b96304..b0f24ebd05f0b 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -623,20 +623,31 @@ static u32 xp_alloc_reused(struct xsk_buff_pool *pool, struct xdp_buff **xdp, u3
+ return nb_entries;
+ }
+
+-u32 xp_alloc_batch(struct xsk_buff_pool *pool, struct xdp_buff **xdp, u32 max)
++static u32 xp_alloc_slow(struct xsk_buff_pool *pool, struct xdp_buff **xdp,
++ u32 max)
+ {
+- u32 nb_entries1 = 0, nb_entries2;
++ int i;
+
+- if (unlikely(pool->dev && dma_dev_need_sync(pool->dev))) {
++ for (i = 0; i < max; i++) {
+ struct xdp_buff *buff;
+
+- /* Slow path */
+ buff = xp_alloc(pool);
+- if (buff)
+- *xdp = buff;
+- return !!buff;
++ if (unlikely(!buff))
++ return i;
++ *xdp = buff;
++ xdp++;
+ }
+
++ return max;
++}
++
++u32 xp_alloc_batch(struct xsk_buff_pool *pool, struct xdp_buff **xdp, u32 max)
++{
++ u32 nb_entries1 = 0, nb_entries2;
++
++ if (unlikely(pool->dev && dma_dev_need_sync(pool->dev)))
++ return xp_alloc_slow(pool, xdp, max);
++
+ if (unlikely(pool->free_list_cnt)) {
+ nb_entries1 = xp_alloc_reused(pool, xdp, max);
+ if (nb_entries1 == max)
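Review bot: In the new xp_alloc_slow() the loop counter is declared `int i`, yet it is compared with the `u32 max` parameter and returned from a function whose return type is `u32`. Declaring it `u32 i;` keeps `i < max` and `return i;` in a single unsigned type and removes the signed/unsigned mix. The helper also stores up to `max` pointers through `xdp` with no stated contract. A short comment above it such as `/* Slow path: allocate one buffer at a time; xdp[] must have room for max entries. */` would help, assuming the callers (not visible here) already guarantee that capacity. xp_alloc_batch() continues past the end of this hunk.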
+--
+2.43.0
+
--- /dev/null
+From e5a6da582fb8a0e25991dfb061362daa6e6d2b48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jul 2024 16:36:24 +0300
+Subject: xz: cleanup CRC32 edits from 2018
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+
+[ Upstream commit 2ee96abef214550d9e92f5143ee3ac1fd1323e67 ]
+
+In 2018, a dependency on <linux/crc32poly.h> was added to avoid
+duplicating the same constant in multiple files. Two months later it was
+found to be a bad idea and the definition of CRC32_POLY_LE macro was moved
+into xz_private.h to avoid including <linux/crc32poly.h>.
+
+xz_private.h is a wrong place for it too. Revert back to the upstream
+version which has the poly in xz_crc32_init() in xz_crc32.c.
+
+Link: https://lkml.kernel.org/r/20240721133633.47721-10-lasse.collin@tukaani.org
+Fixes: faa16bc404d7 ("lib: Use existing define with polynomial")
+Fixes: 242cdad873a7 ("lib/xz: Put CRC32_POLY_LE in xz_private.h")
+Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
+Reviewed-by: Sam James <sam@gentoo.org>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Joel Stanley <joel@jms.id.au>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Jubin Zhong <zhongjubin@huawei.com>
+Cc: Jules Maselbas <jmaselbas@zdiv.net>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Rui Li <me@lirui.org>
+Cc: Simon Glass <sjg@chromium.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/xz/xz_crc32.c | 2 +-
+ lib/xz/xz_private.h | 4 ----
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/lib/xz/xz_crc32.c b/lib/xz/xz_crc32.c
+index 88a2c35e1b597..5627b00fca296 100644
+--- a/lib/xz/xz_crc32.c
++++ b/lib/xz/xz_crc32.c
+@@ -29,7 +29,7 @@ STATIC_RW_DATA uint32_t xz_crc32_table[256];
+
+ XZ_EXTERN void xz_crc32_init(void)
+ {
+- const uint32_t poly = CRC32_POLY_LE;
++ const uint32_t poly = 0xEDB88320;
+
+ uint32_t i;
+ uint32_t j;
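Review bot: With the `CRC32_POLY_LE` name gone, the literal in `const uint32_t poly = 0xEDB88320;` carries no indication of what it is. A trailing comment such as `/* CRC32 polynomial in reflected (LSB-first) form */` would keep the constant self-explanatory without bringing back the header dependency the commit removes. The body of xz_crc32_init() continues outside this hunk.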
+diff --git a/lib/xz/xz_private.h b/lib/xz/xz_private.h
+index bf1e94ec7873c..d9fd49b45fd75 100644
+--- a/lib/xz/xz_private.h
++++ b/lib/xz/xz_private.h
+@@ -105,10 +105,6 @@
+ # endif
+ #endif
+
+-#ifndef CRC32_POLY_LE
+-#define CRC32_POLY_LE 0xedb88320
+-#endif
+-
+ /*
+ * Allocate memory for LZMA2 decoder. xz_dec_lzma2_reset() must be used
+ * before calling xz_dec_lzma2_run().
+--
+2.43.0
+