--- /dev/null
+From 6e159fd653d7ebf6290358e0330a0cb8a75cf73b Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Tue, 23 Apr 2024 11:13:03 -0700
+Subject: ethernet: Add helper for assigning packet type when dest address does not match device address
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 6e159fd653d7ebf6290358e0330a0cb8a75cf73b upstream.
+
+Enable reuse of logic in eth_type_trans for determining packet type.
+
+Suggested-by: Sabrina Dubroca <sd@queasysnail.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-3-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/etherdevice.h | 25 +++++++++++++++++++++++++
+ net/ethernet/eth.c | 12 +-----------
+ 2 files changed, 26 insertions(+), 11 deletions(-)
+
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -608,6 +608,31 @@ static inline void eth_hw_addr_gen(struc
+ }
+
+ /**
++ * eth_skb_pkt_type - Assign packet type if destination address does not match
++ * @skb: Assigned a packet type if address does not match @dev address
++ * @dev: Network device used to compare packet address against
++ *
++ * If the destination MAC address of the packet does not match the network
++ * device address, assign an appropriate packet type.
++ */
++static inline void eth_skb_pkt_type(struct sk_buff *skb,
++ const struct net_device *dev)
++{
++ const struct ethhdr *eth = eth_hdr(skb);
++
++ if (unlikely(!ether_addr_equal_64bits(eth->h_dest, dev->dev_addr))) {
++ if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
++ if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
++ skb->pkt_type = PACKET_BROADCAST;
++ else
++ skb->pkt_type = PACKET_MULTICAST;
++ } else {
++ skb->pkt_type = PACKET_OTHERHOST;
++ }
++ }
++}
++
++/**
+ * eth_skb_pad - Pad buffer to mininum number of octets for Ethernet frame
+ * @skb: Buffer to pad
+ *
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -164,17 +164,7 @@ __be16 eth_type_trans(struct sk_buff *sk
+ eth = (struct ethhdr *)skb->data;
+ skb_pull_inline(skb, ETH_HLEN);
+
+- if (unlikely(!ether_addr_equal_64bits(eth->h_dest,
+- dev->dev_addr))) {
+- if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
+- if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
+- skb->pkt_type = PACKET_BROADCAST;
+- else
+- skb->pkt_type = PACKET_MULTICAST;
+- } else {
+- skb->pkt_type = PACKET_OTHERHOST;
+- }
+- }
++ eth_skb_pkt_type(skb, dev);
+
+ /*
+ * Some variants of DSA tagging don't have an ethertype field
--- /dev/null
+From 78d9161d2bcd442d93d917339297ffa057dbee8c Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Tue, 23 Apr 2024 13:50:53 +0200
+Subject: fbdev: fix incorrect address computation in deferred IO
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream.
+
+With deferred IO enabled, a page fault happens when data is written to the
+framebuffer device. Then driver determines which page is being updated by
+calculating the offset of the written virtual address within the virtual
+memory area, and uses this offset to get the updated page within the
+internal buffer. This page is later copied to hardware (thus the name
+"deferred IO").
+
+This offset calculation is only correct if the virtual memory area is
+mapped to the beginning of the internal buffer. Otherwise this is wrong.
+For example, if users do:
+ mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);
+
+Then the virtual memory area will mapped at offset 0xff000 within the
+internal buffer. This offset 0xff000 is not accounted for, and wrong page
+is updated.
+
+Correct the calculation by using vmf->pgoff instead. With this change, the
+variable "offset" will no longer hold the exact offset value, but it is
+rounded down to multiples of PAGE_SIZE. But this is still correct, because
+this variable is only used to calculate the page offset.
+
+Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com
+Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fb_defio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/fb_defio.c
++++ b/drivers/video/fbdev/core/fb_defio.c
+@@ -196,7 +196,7 @@ err_mutex_unlock:
+ */
+ static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
+ {
+- unsigned long offset = vmf->address - vmf->vma->vm_start;
++ unsigned long offset = vmf->pgoff << PAGE_SHIFT;
+ struct page *page = vmf->page;
+
+ file_update_time(vmf->vma->vm_file);
--- /dev/null
+From ed09f81eeaa8f9265e1787282cb283f10285c259 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz <luzmaximilian@gmail.com>
+Date: Sat, 6 Apr 2024 15:01:09 +0200
+Subject: firmware: qcom: uefisecapp: Fix memory related IO errors and crashes
+
+From: Maximilian Luz <luzmaximilian@gmail.com>
+
+commit ed09f81eeaa8f9265e1787282cb283f10285c259 upstream.
+
+It turns out that while the QSEECOM APP_SEND command has specific fields
+for request and response buffers, uefisecapp expects them both to be in
+a single memory region. Failure to adhere to this has (so far) resulted
+in either no response being written to the response buffer (causing an
+EIO to be emitted down the line), the SCM call to fail with EINVAL
+(i.e., directly from TZ/firmware), or the device to be hard-reset.
+
+While this issue can be triggered deterministically, in the current form
+it seems to happen rather sporadically (which is why it has gone
+unnoticed during earlier testing). This is likely due to the two
+kzalloc() calls (for request and response) being directly after each
+other. Which means that those likely return consecutive regions most of
+the time, especially when not much else is going on in the system.
+
+Fix this by allocating a single memory region for both request and
+response buffers, properly aligning both structs inside it. This
+unfortunately also means that the qcom_scm_qseecom_app_send() interface
+needs to be restructured, as it should no longer map the DMA regions
+separately. Therefore, move the responsibility of DMA allocation (or
+mapping) to the caller.
+
+Fixes: 759e7a2b62eb ("firmware: Add support for Qualcomm UEFI Secure Application")
+Cc: stable@vger.kernel.org # 6.7
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Konrad Dybcio <konrad.dybcio@linaro.org> # X13s
+Link: https://lore.kernel.org/r/20240406130125.1047436-1-luzmaximilian@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../firmware/qcom/qcom_qseecom_uefisecapp.c | 137 ++++++++++++------
+ drivers/firmware/qcom/qcom_scm.c | 37 +----
+ include/linux/firmware/qcom/qcom_qseecom.h | 55 ++++++-
+ include/linux/firmware/qcom/qcom_scm.h | 10 +-
+ 4 files changed, 153 insertions(+), 86 deletions(-)
+
+diff --git a/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c b/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c
+index 32188f098ef3..bc550ad0dbe0 100644
+--- a/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c
++++ b/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c
+@@ -221,6 +221,19 @@ struct qsee_rsp_uefi_query_variable_info {
+ * alignment of 8 bytes (64 bits) for GUIDs. Our definition of efi_guid_t,
+ * however, has an alignment of 4 byte (32 bits). So far, this seems to work
+ * fine here. See also the comment on the typedef of efi_guid_t.
++ *
++ * Note: It looks like uefisecapp is quite picky about how the memory passed to
++ * it is structured and aligned. In particular the request/response setup used
++ * for QSEE_CMD_UEFI_GET_VARIABLE. While qcom_qseecom_app_send(), in theory,
++ * accepts separate buffers/addresses for the request and response parts, in
++ * practice, however, it seems to expect them to be both part of a larger
++ * contiguous block. We initially allocated separate buffers for the request
++ * and response but this caused the QSEE_CMD_UEFI_GET_VARIABLE command to
++ * either not write any response to the response buffer or outright crash the
++ * device. Therefore, we now allocate a single contiguous block of DMA memory
++ * for both and properly align the data using the macros below. In particular,
++ * request and response structs are aligned at 8 byte (via __reqdata_offs()),
++ * following the driver that this has been reverse-engineered from.
+ */
+ #define qcuefi_buf_align_fields(fields...) \
+ ({ \
+@@ -244,6 +257,12 @@ struct qsee_rsp_uefi_query_variable_info {
+ #define __array_offs(type, count, offset) \
+ __field_impl(sizeof(type) * (count), __alignof__(type), offset)
+
++#define __array_offs_aligned(type, count, align, offset) \
++ __field_impl(sizeof(type) * (count), align, offset)
++
++#define __reqdata_offs(size, offset) \
++ __array_offs_aligned(u8, size, 8, offset)
++
+ #define __array(type, count) __array_offs(type, count, NULL)
+ #define __field_offs(type, offset) __array_offs(type, 1, offset)
+ #define __field(type) __array_offs(type, 1, NULL)
+@@ -277,10 +296,15 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e
+ unsigned long buffer_size = *data_size;
+ efi_status_t efi_status = EFI_SUCCESS;
+ unsigned long name_length;
++ dma_addr_t cmd_buf_dma;
++ size_t cmd_buf_size;
++ void *cmd_buf;
+ size_t guid_offs;
+ size_t name_offs;
+ size_t req_size;
+ size_t rsp_size;
++ size_t req_offs;
++ size_t rsp_offs;
+ ssize_t status;
+
+ if (!name || !guid)
+@@ -304,17 +328,19 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e
+ __array(u8, buffer_size)
+ );
+
+- req_data = kzalloc(req_size, GFP_KERNEL);
+- if (!req_data) {
++ cmd_buf_size = qcuefi_buf_align_fields(
++ __reqdata_offs(req_size, &req_offs)
++ __reqdata_offs(rsp_size, &rsp_offs)
++ );
++
++ cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL);
++ if (!cmd_buf) {
+ efi_status = EFI_OUT_OF_RESOURCES;
+ goto out;
+ }
+
+- rsp_data = kzalloc(rsp_size, GFP_KERNEL);
+- if (!rsp_data) {
+- efi_status = EFI_OUT_OF_RESOURCES;
+- goto out_free_req;
+- }
++ req_data = cmd_buf + req_offs;
++ rsp_data = cmd_buf + rsp_offs;
+
+ req_data->command_id = QSEE_CMD_UEFI_GET_VARIABLE;
+ req_data->data_size = buffer_size;
+@@ -332,7 +358,9 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e
+
+ memcpy(((void *)req_data) + req_data->guid_offset, guid, req_data->guid_size);
+
+- status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data, rsp_size);
++ status = qcom_qseecom_app_send(qcuefi->client,
++ cmd_buf_dma + req_offs, req_size,
++ cmd_buf_dma + rsp_offs, rsp_size);
+ if (status) {
+ efi_status = EFI_DEVICE_ERROR;
+ goto out_free;
+@@ -407,9 +435,7 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e
+ memcpy(data, ((void *)rsp_data) + rsp_data->data_offset, rsp_data->data_size);
+
+ out_free:
+- kfree(rsp_data);
+-out_free_req:
+- kfree(req_data);
++ qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma);
+ out:
+ return efi_status;
+ }
+@@ -422,10 +448,15 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e
+ struct qsee_rsp_uefi_set_variable *rsp_data;
+ efi_status_t efi_status = EFI_SUCCESS;
+ unsigned long name_length;
++ dma_addr_t cmd_buf_dma;
++ size_t cmd_buf_size;
++ void *cmd_buf;
+ size_t name_offs;
+ size_t guid_offs;
+ size_t data_offs;
+ size_t req_size;
++ size_t req_offs;
++ size_t rsp_offs;
+ ssize_t status;
+
+ if (!name || !guid)
+@@ -450,17 +481,19 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e
+ __array_offs(u8, data_size, &data_offs)
+ );
+
+- req_data = kzalloc(req_size, GFP_KERNEL);
+- if (!req_data) {
++ cmd_buf_size = qcuefi_buf_align_fields(
++ __reqdata_offs(req_size, &req_offs)
++ __reqdata_offs(sizeof(*rsp_data), &rsp_offs)
++ );
++
++ cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL);
++ if (!cmd_buf) {
+ efi_status = EFI_OUT_OF_RESOURCES;
+ goto out;
+ }
+
+- rsp_data = kzalloc(sizeof(*rsp_data), GFP_KERNEL);
+- if (!rsp_data) {
+- efi_status = EFI_OUT_OF_RESOURCES;
+- goto out_free_req;
+- }
++ req_data = cmd_buf + req_offs;
++ rsp_data = cmd_buf + rsp_offs;
+
+ req_data->command_id = QSEE_CMD_UEFI_SET_VARIABLE;
+ req_data->attributes = attributes;
+@@ -483,8 +516,9 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e
+ if (data_size)
+ memcpy(((void *)req_data) + req_data->data_offset, data, req_data->data_size);
+
+- status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data,
+- sizeof(*rsp_data));
++ status = qcom_qseecom_app_send(qcuefi->client,
++ cmd_buf_dma + req_offs, req_size,
++ cmd_buf_dma + rsp_offs, sizeof(*rsp_data));
+ if (status) {
+ efi_status = EFI_DEVICE_ERROR;
+ goto out_free;
+@@ -507,9 +541,7 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e
+ }
+
+ out_free:
+- kfree(rsp_data);
+-out_free_req:
+- kfree(req_data);
++ qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma);
+ out:
+ return efi_status;
+ }
+@@ -521,10 +553,15 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi,
+ struct qsee_req_uefi_get_next_variable *req_data;
+ struct qsee_rsp_uefi_get_next_variable *rsp_data;
+ efi_status_t efi_status = EFI_SUCCESS;
++ dma_addr_t cmd_buf_dma;
++ size_t cmd_buf_size;
++ void *cmd_buf;
+ size_t guid_offs;
+ size_t name_offs;
+ size_t req_size;
+ size_t rsp_size;
++ size_t req_offs;
++ size_t rsp_offs;
+ ssize_t status;
+
+ if (!name_size || !name || !guid)
+@@ -545,17 +582,19 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi,
+ __array(*name, *name_size / sizeof(*name))
+ );
+
+- req_data = kzalloc(req_size, GFP_KERNEL);
+- if (!req_data) {
++ cmd_buf_size = qcuefi_buf_align_fields(
++ __reqdata_offs(req_size, &req_offs)
++ __reqdata_offs(rsp_size, &rsp_offs)
++ );
++
++ cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL);
++ if (!cmd_buf) {
+ efi_status = EFI_OUT_OF_RESOURCES;
+ goto out;
+ }
+
+- rsp_data = kzalloc(rsp_size, GFP_KERNEL);
+- if (!rsp_data) {
+- efi_status = EFI_OUT_OF_RESOURCES;
+- goto out_free_req;
+- }
++ req_data = cmd_buf + req_offs;
++ rsp_data = cmd_buf + rsp_offs;
+
+ req_data->command_id = QSEE_CMD_UEFI_GET_NEXT_VARIABLE;
+ req_data->guid_offset = guid_offs;
+@@ -572,7 +611,9 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi,
+ goto out_free;
+ }
+
+- status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data, rsp_size);
++ status = qcom_qseecom_app_send(qcuefi->client,
++ cmd_buf_dma + req_offs, req_size,
++ cmd_buf_dma + rsp_offs, rsp_size);
+ if (status) {
+ efi_status = EFI_DEVICE_ERROR;
+ goto out_free;
+@@ -645,9 +686,7 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi,
+ }
+
+ out_free:
+- kfree(rsp_data);
+-out_free_req:
+- kfree(req_data);
++ qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma);
+ out:
+ return efi_status;
+ }
+@@ -659,26 +698,34 @@ static efi_status_t qsee_uefi_query_variable_info(struct qcuefi_client *qcuefi,
+ struct qsee_req_uefi_query_variable_info *req_data;
+ struct qsee_rsp_uefi_query_variable_info *rsp_data;
+ efi_status_t efi_status = EFI_SUCCESS;
++ dma_addr_t cmd_buf_dma;
++ size_t cmd_buf_size;
++ void *cmd_buf;
++ size_t req_offs;
++ size_t rsp_offs;
+ int status;
+
+- req_data = kzalloc(sizeof(*req_data), GFP_KERNEL);
+- if (!req_data) {
++ cmd_buf_size = qcuefi_buf_align_fields(
++ __reqdata_offs(sizeof(*req_data), &req_offs)
++ __reqdata_offs(sizeof(*rsp_data), &rsp_offs)
++ );
++
++ cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL);
++ if (!cmd_buf) {
+ efi_status = EFI_OUT_OF_RESOURCES;
+ goto out;
+ }
+
+- rsp_data = kzalloc(sizeof(*rsp_data), GFP_KERNEL);
+- if (!rsp_data) {
+- efi_status = EFI_OUT_OF_RESOURCES;
+- goto out_free_req;
+- }
++ req_data = cmd_buf + req_offs;
++ rsp_data = cmd_buf + rsp_offs;
+
+ req_data->command_id = QSEE_CMD_UEFI_QUERY_VARIABLE_INFO;
+ req_data->attributes = attr;
+ req_data->length = sizeof(*req_data);
+
+- status = qcom_qseecom_app_send(qcuefi->client, req_data, sizeof(*req_data), rsp_data,
+- sizeof(*rsp_data));
++ status = qcom_qseecom_app_send(qcuefi->client,
++ cmd_buf_dma + req_offs, sizeof(*req_data),
++ cmd_buf_dma + rsp_offs, sizeof(*rsp_data));
+ if (status) {
+ efi_status = EFI_DEVICE_ERROR;
+ goto out_free;
+@@ -711,9 +758,7 @@ static efi_status_t qsee_uefi_query_variable_info(struct qcuefi_client *qcuefi,
+ *max_variable_size = rsp_data->max_variable_size;
+
+ out_free:
+- kfree(rsp_data);
+-out_free_req:
+- kfree(req_data);
++ qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma);
+ out:
+ return efi_status;
+ }
+diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
+index 520de9b5633a..90283f160a22 100644
+--- a/drivers/firmware/qcom/qcom_scm.c
++++ b/drivers/firmware/qcom/qcom_scm.c
+@@ -1576,9 +1576,9 @@ EXPORT_SYMBOL_GPL(qcom_scm_qseecom_app_get_id);
+ /**
+ * qcom_scm_qseecom_app_send() - Send to and receive data from a given QSEE app.
+ * @app_id: The ID of the target app.
+- * @req: Request buffer sent to the app (must be DMA-mappable).
++ * @req: DMA address of the request buffer sent to the app.
+ * @req_size: Size of the request buffer.
+- * @rsp: Response buffer, written to by the app (must be DMA-mappable).
++ * @rsp: DMA address of the response buffer, written to by the app.
+ * @rsp_size: Size of the response buffer.
+ *
+ * Sends a request to the QSEE app associated with the given ID and read back
+@@ -1589,33 +1589,13 @@ EXPORT_SYMBOL_GPL(qcom_scm_qseecom_app_get_id);
+ *
+ * Return: Zero on success, nonzero on failure.
+ */
+-int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp,
+- size_t rsp_size)
++int qcom_scm_qseecom_app_send(u32 app_id, dma_addr_t req, size_t req_size,
++ dma_addr_t rsp, size_t rsp_size)
+ {
+ struct qcom_scm_qseecom_resp res = {};
+ struct qcom_scm_desc desc = {};
+- dma_addr_t req_phys;
+- dma_addr_t rsp_phys;
+ int status;
+
+- /* Map request buffer */
+- req_phys = dma_map_single(__scm->dev, req, req_size, DMA_TO_DEVICE);
+- status = dma_mapping_error(__scm->dev, req_phys);
+- if (status) {
+- dev_err(__scm->dev, "qseecom: failed to map request buffer\n");
+- return status;
+- }
+-
+- /* Map response buffer */
+- rsp_phys = dma_map_single(__scm->dev, rsp, rsp_size, DMA_FROM_DEVICE);
+- status = dma_mapping_error(__scm->dev, rsp_phys);
+- if (status) {
+- dma_unmap_single(__scm->dev, req_phys, req_size, DMA_TO_DEVICE);
+- dev_err(__scm->dev, "qseecom: failed to map response buffer\n");
+- return status;
+- }
+-
+- /* Set up SCM call data */
+ desc.owner = QSEECOM_TZ_OWNER_TZ_APPS;
+ desc.svc = QSEECOM_TZ_SVC_APP_ID_PLACEHOLDER;
+ desc.cmd = QSEECOM_TZ_CMD_APP_SEND;
+@@ -1623,18 +1603,13 @@ int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp,
+ QCOM_SCM_RW, QCOM_SCM_VAL,
+ QCOM_SCM_RW, QCOM_SCM_VAL);
+ desc.args[0] = app_id;
+- desc.args[1] = req_phys;
++ desc.args[1] = req;
+ desc.args[2] = req_size;
+- desc.args[3] = rsp_phys;
++ desc.args[3] = rsp;
+ desc.args[4] = rsp_size;
+
+- /* Perform call */
+ status = qcom_scm_qseecom_call(&desc, &res);
+
+- /* Unmap buffers */
+- dma_unmap_single(__scm->dev, rsp_phys, rsp_size, DMA_FROM_DEVICE);
+- dma_unmap_single(__scm->dev, req_phys, req_size, DMA_TO_DEVICE);
+-
+ if (status)
+ return status;
+
+diff --git a/include/linux/firmware/qcom/qcom_qseecom.h b/include/linux/firmware/qcom/qcom_qseecom.h
+index 5c28298a98be..366243ee9609 100644
+--- a/include/linux/firmware/qcom/qcom_qseecom.h
++++ b/include/linux/firmware/qcom/qcom_qseecom.h
+@@ -10,6 +10,7 @@
+ #define __QCOM_QSEECOM_H
+
+ #include <linux/auxiliary_bus.h>
++#include <linux/dma-mapping.h>
+ #include <linux/types.h>
+
+ #include <linux/firmware/qcom/qcom_scm.h>
+@@ -24,12 +25,57 @@ struct qseecom_client {
+ u32 app_id;
+ };
+
++/**
++ * qseecom_scm_dev() - Get the SCM device associated with the QSEECOM client.
++ * @client: The QSEECOM client device.
++ *
++ * Returns the SCM device under which the provided QSEECOM client device
++ * operates. This function is intended to be used for DMA allocations.
++ */
++static inline struct device *qseecom_scm_dev(struct qseecom_client *client)
++{
++ return client->aux_dev.dev.parent->parent;
++}
++
++/**
++ * qseecom_dma_alloc() - Allocate DMA memory for a QSEECOM client.
++ * @client: The QSEECOM client to allocate the memory for.
++ * @size: The number of bytes to allocate.
++ * @dma_handle: Pointer to where the DMA address should be stored.
++ * @gfp: Allocation flags.
++ *
++ * Wrapper function for dma_alloc_coherent(), allocating DMA memory usable for
++ * TZ/QSEECOM communication. Refer to dma_alloc_coherent() for details.
++ */
++static inline void *qseecom_dma_alloc(struct qseecom_client *client, size_t size,
++ dma_addr_t *dma_handle, gfp_t gfp)
++{
++ return dma_alloc_coherent(qseecom_scm_dev(client), size, dma_handle, gfp);
++}
++
++/**
++ * dma_free_coherent() - Free QSEECOM DMA memory.
++ * @client: The QSEECOM client for which the memory has been allocated.
++ * @size: The number of bytes allocated.
++ * @cpu_addr: Virtual memory address to free.
++ * @dma_handle: DMA memory address to free.
++ *
++ * Wrapper function for dma_free_coherent(), freeing memory previously
++ * allocated with qseecom_dma_alloc(). Refer to dma_free_coherent() for
++ * details.
++ */
++static inline void qseecom_dma_free(struct qseecom_client *client, size_t size,
++ void *cpu_addr, dma_addr_t dma_handle)
++{
++ return dma_free_coherent(qseecom_scm_dev(client), size, cpu_addr, dma_handle);
++}
++
+ /**
+ * qcom_qseecom_app_send() - Send to and receive data from a given QSEE app.
+ * @client: The QSEECOM client associated with the target app.
+- * @req: Request buffer sent to the app (must be DMA-mappable).
++ * @req: DMA address of the request buffer sent to the app.
+ * @req_size: Size of the request buffer.
+- * @rsp: Response buffer, written to by the app (must be DMA-mappable).
++ * @rsp: DMA address of the response buffer, written to by the app.
+ * @rsp_size: Size of the response buffer.
+ *
+ * Sends a request to the QSEE app associated with the given client and read
+@@ -43,8 +89,9 @@ struct qseecom_client {
+ *
+ * Return: Zero on success, nonzero on failure.
+ */
+-static inline int qcom_qseecom_app_send(struct qseecom_client *client, void *req, size_t req_size,
+- void *rsp, size_t rsp_size)
++static inline int qcom_qseecom_app_send(struct qseecom_client *client,
++ dma_addr_t req, size_t req_size,
++ dma_addr_t rsp, size_t rsp_size)
+ {
+ return qcom_scm_qseecom_app_send(client->app_id, req, req_size, rsp, rsp_size);
+ }
+diff --git a/include/linux/firmware/qcom/qcom_scm.h b/include/linux/firmware/qcom/qcom_scm.h
+index ccaf28846054..aaa19f93ac43 100644
+--- a/include/linux/firmware/qcom/qcom_scm.h
++++ b/include/linux/firmware/qcom/qcom_scm.h
+@@ -118,8 +118,8 @@ bool qcom_scm_lmh_dcvsh_available(void);
+ #ifdef CONFIG_QCOM_QSEECOM
+
+ int qcom_scm_qseecom_app_get_id(const char *app_name, u32 *app_id);
+-int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp,
+- size_t rsp_size);
++int qcom_scm_qseecom_app_send(u32 app_id, dma_addr_t req, size_t req_size,
++ dma_addr_t rsp, size_t rsp_size);
+
+ #else /* CONFIG_QCOM_QSEECOM */
+
+@@ -128,9 +128,9 @@ static inline int qcom_scm_qseecom_app_get_id(const char *app_name, u32 *app_id)
+ return -EINVAL;
+ }
+
+-static inline int qcom_scm_qseecom_app_send(u32 app_id, void *req,
+- size_t req_size, void *rsp,
+- size_t rsp_size)
++static inline int qcom_scm_qseecom_app_send(u32 app_id,
++ dma_addr_t req, size_t req_size,
++ dma_addr_t rsp, size_t rsp_size)
+ {
+ return -EINVAL;
+ }
+--
+2.44.0
+
--- /dev/null
+From 642c984dd0e37dbaec9f87bd1211e5fac1f142bf Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Tue, 23 Apr 2024 11:13:04 -0700
+Subject: macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
+
+Can now correctly identify where the packets should be delivered by using
+md_dst or its absence on devices that provide it.
+
+This detection is not possible without device drivers that update md_dst. A
+fallback pattern should be used for supporting such device drivers. This
+fallback mode causes multicast messages to be cloned to both the non-macsec
+and macsec ports, independent of whether the multicast message received was
+encrypted over MACsec or not. Other non-macsec traffic may also fail to be
+handled correctly for devices in promiscuous mode.
+
+Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: stable@vger.kernel.org
+Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-4-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 46 ++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -999,10 +999,12 @@ static enum rx_handler_result handle_not
+ struct metadata_dst *md_dst;
+ struct macsec_rxh_data *rxd;
+ struct macsec_dev *macsec;
++ bool is_macsec_md_dst;
+
+ rcu_read_lock();
+ rxd = macsec_data_rcu(skb->dev);
+ md_dst = skb_metadata_dst(skb);
++ is_macsec_md_dst = md_dst && md_dst->type == METADATA_MACSEC;
+
+ list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
+ struct sk_buff *nskb;
+@@ -1013,14 +1015,42 @@ static enum rx_handler_result handle_not
+ * the SecTAG, so we have to deduce which port to deliver to.
+ */
+ if (macsec_is_offloaded(macsec) && netif_running(ndev)) {
+- struct macsec_rx_sc *rx_sc = NULL;
++ const struct macsec_ops *ops;
+
+- if (md_dst && md_dst->type == METADATA_MACSEC)
+- rx_sc = find_rx_sc(&macsec->secy, md_dst->u.macsec_info.sci);
++ ops = macsec_get_ops(macsec, NULL);
+
+- if (md_dst && md_dst->type == METADATA_MACSEC && !rx_sc)
++ if (ops->rx_uses_md_dst && !is_macsec_md_dst)
+ continue;
+
++ if (is_macsec_md_dst) {
++ struct macsec_rx_sc *rx_sc;
++
++ /* All drivers that implement MACsec offload
++ * support using skb metadata destinations must
++ * indicate that they do so.
++ */
++ DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst);
++ rx_sc = find_rx_sc(&macsec->secy,
++ md_dst->u.macsec_info.sci);
++ if (!rx_sc)
++ continue;
++ /* device indicated macsec offload occurred */
++ skb->dev = ndev;
++ skb->pkt_type = PACKET_HOST;
++ eth_skb_pkt_type(skb, ndev);
++ ret = RX_HANDLER_ANOTHER;
++ goto out;
++ }
++
++ /* This datapath is insecure because it is unable to
++ * enforce isolation of broadcast/multicast traffic and
++ * unicast traffic with promiscuous mode on the macsec
++ * netdev. Since the core stack has no mechanism to
++ * check that the hardware did indeed receive MACsec
++ * traffic, it is possible that the response handling
++ * done by the MACsec port was to a plaintext packet.
++ * This violates the MACsec protocol standard.
++ */
+ if (ether_addr_equal_64bits(hdr->h_dest,
+ ndev->dev_addr)) {
+ /* exact match, divert skb to this port */
+@@ -1036,14 +1066,10 @@ static enum rx_handler_result handle_not
+ break;
+
+ nskb->dev = ndev;
+- if (ether_addr_equal_64bits(hdr->h_dest,
+- ndev->broadcast))
+- nskb->pkt_type = PACKET_BROADCAST;
+- else
+- nskb->pkt_type = PACKET_MULTICAST;
++ eth_skb_pkt_type(nskb, ndev);
+
+ __netif_rx(nskb);
+- } else if (rx_sc || ndev->flags & IFF_PROMISC) {
++ } else if (ndev->flags & IFF_PROMISC) {
+ skb->dev = ndev;
+ skb->pkt_type = PACKET_HOST;
+ ret = RX_HANDLER_ANOTHER;
--- /dev/null
+From 475747a19316b08e856c666a20503e73d7ed67ed Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Tue, 23 Apr 2024 11:13:02 -0700
+Subject: macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 475747a19316b08e856c666a20503e73d7ed67ed upstream.
+
+Cannot know whether a Rx skb missing md_dst is intended for MACsec or not
+without knowing whether the device is able to update this field during an
+offload. Assume that an offload to a MACsec device cannot support updating
+md_dst by default. Capable devices can advertise that they do indicate that
+an skb is related to a MACsec offloaded packet using the md_dst.
+
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: stable@vger.kernel.org
+Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-2-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/macsec.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/net/macsec.h
++++ b/include/net/macsec.h
+@@ -321,6 +321,7 @@ struct macsec_context {
+ * for the TX tag
+ * @needed_tailroom: number of bytes reserved at the end of the sk_buff for the
+ * TX tag
++ * @rx_uses_md_dst: whether MACsec device offload supports sk_buff md_dst
+ */
+ struct macsec_ops {
+ /* Device wide */
+@@ -352,6 +353,7 @@ struct macsec_ops {
+ struct sk_buff *skb);
+ unsigned int needed_headroom;
+ unsigned int needed_tailroom;
++ bool rx_uses_md_dst;
+ };
+
+ void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
--- /dev/null
+From 21c9fb611c25d5cd038f6fe485232e7884bb0b3d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 5 Apr 2024 16:30:04 +0200
+Subject: mtd: diskonchip: work around ubsan link failure
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 21c9fb611c25d5cd038f6fe485232e7884bb0b3d upstream.
+
+I ran into a randconfig build failure with UBSAN using gcc-13.2:
+
+arm-linux-gnueabi-ld: error: unplaced orphan section `.bss..Lubsan_data31' from `drivers/mtd/nand/raw/diskonchip.o'
+
+I'm not entirely sure what is going on here, but I suspect this has something
+to do with the check for the end of the doc_locations[] array that contains
+an (unsigned long)0xffffffff element, which is compared against the signed
+(int)0xffffffff. If this is the case, we should get a runtime check for
+undefined behavior, but we instead get an unexpected build-time error.
+
+I would have expected this to work fine on 32-bit architectures despite the
+signed integer overflow, though on 64-bit architectures this likely won't
+ever work.
+
+Changing the contition to instead check for the size of the array makes the
+code safe everywhere and avoids the ubsan check that leads to the link
+error. The loop code goes back to before 2.6.12.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240405143015.717429-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/diskonchip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/diskonchip.c
++++ b/drivers/mtd/nand/raw/diskonchip.c
+@@ -53,7 +53,7 @@ static unsigned long doc_locations[] __i
+ 0xe8000, 0xea000, 0xec000, 0xee000,
+ #endif
+ #endif
+- 0xffffffff };
++};
+
+ static struct mtd_info *doclist = NULL;
+
+@@ -1554,7 +1554,7 @@ static int __init init_nanddoc(void)
+ if (ret < 0)
+ return ret;
+ } else {
+- for (i = 0; (doc_locations[i] != 0xffffffff); i++) {
++ for (i = 0; i < ARRAY_SIZE(doc_locations); i++) {
+ doc_probe(doc_locations[i]);
+ }
+ }
--- /dev/null
+From d2d73a6dd17365c43e109263841f7c26da55cfb0 Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Fri, 12 Apr 2024 12:50:26 +0200
+Subject: mtd: limit OTP NVMEM cell parse to non-NAND devices
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit d2d73a6dd17365c43e109263841f7c26da55cfb0 upstream.
+
+MTD OTP logic is very fragile on parsing NVMEM cell and can be
+problematic with some specific kind of devices.
+
+The problem was discovered by e87161321a40 ("mtd: rawnand: macronix:
+OTP access for MX30LFxG18AC") where OTP support was added to a NAND
+device. With the case of NAND devices, it does require a node where ECC
+info are declared and all the fixed partitions, and this cause the OTP
+codepath to parse this node as OTP NVMEM cells, making probe fail and
+the NAND device registration fail.
+
+MTD OTP parsing should have been limited to always using compatible to
+prevent this error by using node with compatible "otp-user" or
+"otp-factory".
+
+NVMEM across the years had various iteration on how cells could be
+declared in DT, in some old implementation, no_of_node should have been
+enabled but now add_legacy_fixed_of_cells should be used to disable
+NVMEM to parse child node as NVMEM cell.
+
+To fix this and limit any regression with other MTD that makes use of
+declaring OTP as direct child of the dev node, disable
+add_legacy_fixed_of_cells if we detect the MTD type is Nand.
+
+With the following logic, the OTP NVMEM entry is correctly created with
+no cells and the MTD Nand is correctly probed and partitions are
+correctly exposed.
+
+Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support")
+Cc: <stable@vger.kernel.org> # v6.7+
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240412105030.1598-1-ansuelsmth@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdcore.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -900,7 +900,7 @@ static struct nvmem_device *mtd_otp_nvme
+ config.name = compatible;
+ config.id = NVMEM_DEVID_AUTO;
+ config.owner = THIS_MODULE;
+- config.add_legacy_fixed_of_cells = true;
++ config.add_legacy_fixed_of_cells = !mtd_type_is_nand(mtd);
+ config.type = NVMEM_TYPE_OTP;
+ config.root_only = true;
+ config.ignore_wp = true;
--- /dev/null
+From e3eb7dd47bd4806f00e104eb6da092c435f9fb21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Peter=20M=C3=BCnster?= <pm@a16n.net>
+Date: Wed, 24 Apr 2024 15:51:52 +0200
+Subject: net: b44: set pause params only when interface is up
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Münster <pm@a16n.net>
+
+commit e3eb7dd47bd4806f00e104eb6da092c435f9fb21 upstream.
+
+b44_free_rings() accesses b44::rx_buffers (and ::tx_buffers)
+unconditionally, but b44::rx_buffers is only valid when the
+device is up (they get allocated in b44_open(), and deallocated
+again in b44_close()), any other time these are just a NULL pointers.
+
+So if you try to change the pause params while the network interface
+is disabled/administratively down, everything explodes (which likely
+netifd tries to do).
+
+Link: https://github.com/openwrt/openwrt/issues/13789
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Cc: stable@vger.kernel.org
+Reported-by: Peter Münster <pm@a16n.net>
+Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Vaclav Svoboda <svoboda@neng.cz>
+Tested-by: Peter Münster <pm@a16n.net>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Peter Münster <pm@a16n.net>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://lore.kernel.org/r/87y192oolj.fsf@a16n.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/b44.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/b44.c
++++ b/drivers/net/ethernet/broadcom/b44.c
+@@ -2009,12 +2009,14 @@ static int b44_set_pauseparam(struct net
+ bp->flags |= B44_FLAG_TX_PAUSE;
+ else
+ bp->flags &= ~B44_FLAG_TX_PAUSE;
+- if (bp->flags & B44_FLAG_PAUSE_AUTO) {
+- b44_halt(bp);
+- b44_init_rings(bp);
+- b44_init_hw(bp, B44_FULL_RESET);
+- } else {
+- __b44_set_flow_ctrl(bp, bp->flags);
++ if (netif_running(dev)) {
++ if (bp->flags & B44_FLAG_PAUSE_AUTO) {
++ b44_halt(bp);
++ b44_init_rings(bp);
++ b44_init_hw(bp, B44_FULL_RESET);
++ } else {
++ __b44_set_flow_ctrl(bp, bp->flags);
++ }
+ }
+ spin_unlock_irq(&bp->lock);
+
--- /dev/null
+From 39d26a8f2efcb8b5665fe7d54a7dba306a8f1dff Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Tue, 23 Apr 2024 11:13:05 -0700
+Subject: net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 39d26a8f2efcb8b5665fe7d54a7dba306a8f1dff upstream.
+
+mlx5 Rx flow steering and CQE handling enable the driver to be able to
+update an skb's md_dst attribute as MACsec when MACsec traffic arrives when
+a device is configured for offloading. Advertise this to the core stack to
+take advantage of this capability.
+
+Cc: stable@vger.kernel.org
+Fixes: b7c9400cbc48 ("net/mlx5e: Implement MACsec Rx data path using MACsec skb_metadata_dst")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-5-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+@@ -1640,6 +1640,7 @@ static const struct macsec_ops macsec_of
+ .mdo_add_secy = mlx5e_macsec_add_secy,
+ .mdo_upd_secy = mlx5e_macsec_upd_secy,
+ .mdo_del_secy = mlx5e_macsec_del_secy,
++ .rx_uses_md_dst = true,
+ };
+
+ bool mlx5e_macsec_handle_tx_skb(struct mlx5e_macsec *macsec, struct sk_buff *skb)
--- /dev/null
+From ee13e1f3c72b9464a4d73017c060ab503eed653a Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Thu, 4 Apr 2024 17:01:03 -0700
+Subject: phy: qcom: qmp-combo: Fix register base for QSERDES_DP_PHY_MODE
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+commit ee13e1f3c72b9464a4d73017c060ab503eed653a upstream.
+
+The register base that was used to write to the QSERDES_DP_PHY_MODE
+register was 'dp_dp_phy' before commit 815891eee668 ("phy:
+qcom-qmp-combo: Introduce orientation variable"). There isn't any
+explanation in the commit why this is changed, so I suspect it was an
+oversight or happened while being extracted from some other series.
+Oddly the value being 0x4c or 0x5c doesn't seem to matter for me, so I
+suspect this is dead code, but that can be fixed in another patch. It's
+not good to write to the wrong register space, and maybe some other
+version of this phy relies on this.
+
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Cc: Neil Armstrong <neil.armstrong@linaro.org>
+Cc: Abel Vesa <abel.vesa@linaro.org>
+Cc: Steev Klimaszewski <steev@kali.org>
+Cc: Johan Hovold <johan+linaro@kernel.org>
+Cc: Bjorn Andersson <quic_bjorande@quicinc.com>
+Cc: stable@vger.kernel.org # 6.5
+Fixes: 815891eee668 ("phy: qcom-qmp-combo: Introduce orientation variable")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Bjorn Andersson <quic_bjorande@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20240405000111.1450598-1-swboyd@chromium.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -2211,9 +2211,9 @@ static bool qmp_combo_configure_dp_mode(
+ writel(val, qmp->dp_dp_phy + QSERDES_DP_PHY_PD_CTL);
+
+ if (reverse)
+- writel(0x4c, qmp->pcs + QSERDES_DP_PHY_MODE);
++ writel(0x4c, qmp->dp_dp_phy + QSERDES_DP_PHY_MODE);
+ else
+- writel(0x5c, qmp->pcs + QSERDES_DP_PHY_MODE);
++ writel(0x5c, qmp->dp_dp_phy + QSERDES_DP_PHY_MODE);
+
+ return reverse;
+ }
--- /dev/null
+From 5abed58a8bde6d349bde364a160510b5bb904d18 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Thu, 4 Apr 2024 16:43:44 -0700
+Subject: phy: qcom: qmp-combo: Fix VCO div offset on v3
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+commit 5abed58a8bde6d349bde364a160510b5bb904d18 upstream.
+
+Commit ec17373aebd0 ("phy: qcom: qmp-combo: extract common function to
+setup clocks") changed the offset that is used to write to
+DP_PHY_VCO_DIV from QSERDES_V3_DP_PHY_VCO_DIV to
+QSERDES_V4_DP_PHY_VCO_DIV. Unfortunately, this offset is different
+between v3 and v4 phys:
+
+ #define QSERDES_V3_DP_PHY_VCO_DIV 0x064
+ #define QSERDES_V4_DP_PHY_VCO_DIV 0x070
+
+meaning that we write the wrong register on v3 phys now. Add another
+generic register to 'regs' and use it here instead of a version specific
+define to fix this.
+
+This was discovered after Abhinav looked over register dumps with me
+from sc7180 Trogdor devices that started failing to light up the
+external display with v6.6 based kernels. It turns out that some
+monitors are very specific about their link clk frequency and if the
+default power on reset value is still there the monitor will show a
+blank screen or a garbled display. Other monitors are perfectly happy to
+get a bad clock signal.
+
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Fixes: ec17373aebd0 ("phy: qcom: qmp-combo: extract common function to setup clocks")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240404234345.1446300-1-swboyd@chromium.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -112,6 +112,7 @@ enum qphy_reg_layout {
+ QPHY_COM_BIAS_EN_CLKBUFLR_EN,
+
+ QPHY_DP_PHY_STATUS,
++ QPHY_DP_PHY_VCO_DIV,
+
+ QPHY_TX_TX_POL_INV,
+ QPHY_TX_TX_DRV_LVL,
+@@ -137,6 +138,7 @@ static const unsigned int qmp_v3_usb3phy
+ [QPHY_COM_BIAS_EN_CLKBUFLR_EN] = QSERDES_V3_COM_BIAS_EN_CLKBUFLR_EN,
+
+ [QPHY_DP_PHY_STATUS] = QSERDES_V3_DP_PHY_STATUS,
++ [QPHY_DP_PHY_VCO_DIV] = QSERDES_V3_DP_PHY_VCO_DIV,
+
+ [QPHY_TX_TX_POL_INV] = QSERDES_V3_TX_TX_POL_INV,
+ [QPHY_TX_TX_DRV_LVL] = QSERDES_V3_TX_TX_DRV_LVL,
+@@ -161,6 +163,7 @@ static const unsigned int qmp_v45_usb3ph
+ [QPHY_COM_BIAS_EN_CLKBUFLR_EN] = QSERDES_V4_COM_BIAS_EN_CLKBUFLR_EN,
+
+ [QPHY_DP_PHY_STATUS] = QSERDES_V4_DP_PHY_STATUS,
++ [QPHY_DP_PHY_VCO_DIV] = QSERDES_V4_DP_PHY_VCO_DIV,
+
+ [QPHY_TX_TX_POL_INV] = QSERDES_V4_TX_TX_POL_INV,
+ [QPHY_TX_TX_DRV_LVL] = QSERDES_V4_TX_TX_DRV_LVL,
+@@ -2223,6 +2226,7 @@ static int qmp_combo_configure_dp_clocks
+ const struct phy_configure_opts_dp *dp_opts = &qmp->dp_opts;
+ u32 phy_vco_div;
+ unsigned long pixel_freq;
++ const struct qmp_phy_cfg *cfg = qmp->cfg;
+
+ switch (dp_opts->link_rate) {
+ case 1620:
+@@ -2245,7 +2249,7 @@ static int qmp_combo_configure_dp_clocks
+ /* Other link rates aren't supported */
+ return -EINVAL;
+ }
+- writel(phy_vco_div, qmp->dp_dp_phy + QSERDES_V4_DP_PHY_VCO_DIV);
++ writel(phy_vco_div, qmp->dp_dp_phy + cfg->regs[QPHY_DP_PHY_VCO_DIV]);
+
+ clk_set_rate(qmp->dp_link_hw.clk, dp_opts->link_rate * 100000);
+ clk_set_rate(qmp->dp_pixel_hw.clk, pixel_freq);
acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch
acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch
acpi-cppc-fix-access-width-used-for-pcc-registers.patch
+net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
+ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
+net-b44-set-pause-params-only-when-interface-is-up.patch
+macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
+macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
+stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
+fbdev-fix-incorrect-address-computation-in-deferred-io.patch
+udp-preserve-the-connected-status-if-only-udp-cmsg.patch
+wifi-nl80211-don-t-free-null-coalescing-rule.patch
+mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch
+mtd-diskonchip-work-around-ubsan-link-failure.patch
+firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch
+phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
+phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
--- /dev/null
+From 6fe60465e1d53ea321ee909be26d97529e8f746c Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Date: Thu, 18 Apr 2024 16:11:33 +0200
+Subject: stackdepot: respect __GFP_NOLOCKDEP allocation flag
+
+From: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+
+commit 6fe60465e1d53ea321ee909be26d97529e8f746c upstream.
+
+If stack_depot_save_flags() allocates memory it always drops
+__GFP_NOLOCKDEP flag. So when KASAN tries to track __GFP_NOLOCKDEP
+allocation we may end up with lockdep splat like bellow:
+
+======================================================
+ WARNING: possible circular locking dependency detected
+ 6.9.0-rc3+ #49 Not tainted
+ ------------------------------------------------------
+ kswapd0/149 is trying to acquire lock:
+ ffff88811346a920
+(&xfs_nondir_ilock_class){++++}-{4:4}, at: xfs_reclaim_inode+0x3ac/0x590
+[xfs]
+
+ but task is already holding lock:
+ ffffffff8bb33100 (fs_reclaim){+.+.}-{0:0}, at:
+balance_pgdat+0x5d9/0xad0
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+ -> #1 (fs_reclaim){+.+.}-{0:0}:
+ __lock_acquire+0x7da/0x1030
+ lock_acquire+0x15d/0x400
+ fs_reclaim_acquire+0xb5/0x100
+ prepare_alloc_pages.constprop.0+0xc5/0x230
+ __alloc_pages+0x12a/0x3f0
+ alloc_pages_mpol+0x175/0x340
+ stack_depot_save_flags+0x4c5/0x510
+ kasan_save_stack+0x30/0x40
+ kasan_save_track+0x10/0x30
+ __kasan_slab_alloc+0x83/0x90
+ kmem_cache_alloc+0x15e/0x4a0
+ __alloc_object+0x35/0x370
+ __create_object+0x22/0x90
+ __kmalloc_node_track_caller+0x477/0x5b0
+ krealloc+0x5f/0x110
+ xfs_iext_insert_raw+0x4b2/0x6e0 [xfs]
+ xfs_iext_insert+0x2e/0x130 [xfs]
+ xfs_iread_bmbt_block+0x1a9/0x4d0 [xfs]
+ xfs_btree_visit_block+0xfb/0x290 [xfs]
+ xfs_btree_visit_blocks+0x215/0x2c0 [xfs]
+ xfs_iread_extents+0x1a2/0x2e0 [xfs]
+ xfs_buffered_write_iomap_begin+0x376/0x10a0 [xfs]
+ iomap_iter+0x1d1/0x2d0
+ iomap_file_buffered_write+0x120/0x1a0
+ xfs_file_buffered_write+0x128/0x4b0 [xfs]
+ vfs_write+0x675/0x890
+ ksys_write+0xc3/0x160
+ do_syscall_64+0x94/0x170
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+Always preserve __GFP_NOLOCKDEP to fix this.
+
+Link: https://lkml.kernel.org/r/20240418141133.22950-1-ryabinin.a.a@gmail.com
+Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
+Signed-off-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Reported-by: Xiubo Li <xiubli@redhat.com>
+Closes: https://lore.kernel.org/all/a0caa289-ca02-48eb-9bf2-d86fd47b71f4@redhat.com/
+Reported-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Closes: https://lore.kernel.org/all/f9ff999a-e170-b66b-7caf-293f2b147ac2@opensource.wdc.com/
+Suggested-by: Dave Chinner <david@fromorbit.com>
+Tested-by: Xiubo Li <xiubli@redhat.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/stackdepot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -627,10 +627,10 @@ depot_stack_handle_t stack_depot_save_fl
+ /*
+ * Zero out zone modifiers, as we don't have specific zone
+ * requirements. Keep the flags related to allocation in atomic
+- * contexts and I/O.
++ * contexts, I/O, nolockdep.
+ */
+ alloc_flags &= ~GFP_ZONEMASK;
+- alloc_flags &= (GFP_ATOMIC | GFP_KERNEL);
++ alloc_flags &= (GFP_ATOMIC | GFP_KERNEL | __GFP_NOLOCKDEP);
+ alloc_flags |= __GFP_NOWARN;
+ page = alloc_pages(alloc_flags, DEPOT_POOL_ORDER);
+ if (page)
--- /dev/null
+From 680d11f6e5427b6af1321932286722d24a8b16c1 Mon Sep 17 00:00:00 2001
+From: Yick Xie <yick.xie@gmail.com>
+Date: Fri, 19 Apr 2024 01:06:10 +0800
+Subject: udp: preserve the connected status if only UDP cmsg
+
+From: Yick Xie <yick.xie@gmail.com>
+
+commit 680d11f6e5427b6af1321932286722d24a8b16c1 upstream.
+
+If "udp_cmsg_send()" returned 0 (i.e. only UDP cmsg),
+"connected" should not be set to 0. Otherwise it stops
+the connected socket from using the cached route.
+
+Fixes: 2e8de8576343 ("udp: add gso segment cmsg")
+Signed-off-by: Yick Xie <yick.xie@gmail.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20240418170610.867084-1-yick.xie@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 5 +++--
+ net/ipv6/udp.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1125,16 +1125,17 @@ int udp_sendmsg(struct sock *sk, struct
+
+ if (msg->msg_controllen) {
+ err = udp_cmsg_send(sk, msg, &ipc.gso_size);
+- if (err > 0)
++ if (err > 0) {
+ err = ip_cmsg_send(sk, msg, &ipc,
+ sk->sk_family == AF_INET6);
++ connected = 0;
++ }
+ if (unlikely(err < 0)) {
+ kfree(ipc.opt);
+ return err;
+ }
+ if (ipc.opt)
+ free = 1;
+- connected = 0;
+ }
+ if (!ipc.opt) {
+ struct ip_options_rcu *inet_opt;
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1476,9 +1476,11 @@ do_udp_sendmsg:
+ ipc6.opt = opt;
+
+ err = udp_cmsg_send(sk, msg, &ipc6.gso_size);
+- if (err > 0)
++ if (err > 0) {
+ err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, fl6,
+ &ipc6);
++ connected = false;
++ }
+ if (err < 0) {
+ fl6_sock_release(flowlabel);
+ return err;
+@@ -1490,7 +1492,6 @@ do_udp_sendmsg:
+ }
+ if (!(opt->opt_nflen|opt->opt_flen))
+ opt = NULL;
+- connected = false;
+ }
+ if (!opt) {
+ opt = txopt_get(np);
--- /dev/null
+From 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 18 Apr 2024 10:52:23 +0200
+Subject: wifi: nl80211: don't free NULL coalescing rule
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 upstream.
+
+If the parsing fails, we can dereference a NULL pointer here.
+
+Cc: stable@vger.kernel.org
+Fixes: be29b99a9b51 ("cfg80211/nl80211: Add packet coalesce support")
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240418105220.b328f80406e7.Id75d961050deb05b3e4e354e024866f350c68103@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -14092,6 +14092,8 @@ static int nl80211_set_coalesce(struct s
+ error:
+ for (i = 0; i < new_coalesce.n_rules; i++) {
+ tmp_rule = &new_coalesce.rules[i];
++ if (!tmp_rule)
++ continue;
+ for (j = 0; j < tmp_rule->n_patterns; j++)
+ kfree(tmp_rule->patterns[j].mask);
+ kfree(tmp_rule->patterns);
projects / thirdparty / kernel / stable-queue.git / commitdiff
