--- /dev/null
+From 4179320c66a9d5d3e3847acd9cfede9f51bbb78c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Apr 2024 16:00:55 +0200
+Subject: ACPI: disable -Wstringop-truncation
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a3403d304708f60565582d60af4316289d0316a0 ]
+
+gcc -Wstringop-truncation warns about copying a string that results in a
+missing nul termination:
+
+drivers/acpi/acpica/tbfind.c: In function 'acpi_tb_find_table':
+drivers/acpi/acpica/tbfind.c:60:9: error: 'strncpy' specified bound 6 equals destination size [-Werror=stringop-truncation]
+ 60 | strncpy(header.oem_id, oem_id, ACPI_OEM_ID_SIZE);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/acpi/acpica/tbfind.c:61:9: error: 'strncpy' specified bound 8 equals destination size [-Werror=stringop-truncation]
+ 61 | strncpy(header.oem_table_id, oem_table_id, ACPI_OEM_TABLE_ID_SIZE);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The code works as intended, and the warning could be addressed by using
+a memcpy(), but turning the warning off for this file works equally well
+and may be easier to merge.
+
+Fixes: 47c08729bf1c ("ACPICA: Fix for LoadTable operator, input strings")
+Link: https://lore.kernel.org/lkml/CAJZ5v0hoUfv54KW7y4223Mn9E7D4xvR7whRFNLTBqCZMUxT50Q@mail.gmail.com/#t
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile
+index f919811156b1f..b6cf9c9bd6396 100644
+--- a/drivers/acpi/acpica/Makefile
++++ b/drivers/acpi/acpica/Makefile
+@@ -5,6 +5,7 @@
+
+ ccflags-y := -D_LINUX -DBUILDING_ACPICA
+ ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT
++CFLAGS_tbfind.o += $(call cc-disable-warning, stringop-truncation)
+
+ # use acpi.o to put all files here into acpi.o modparam namespace
+ obj-y += acpi.o
+--
+2.43.0
+
--- /dev/null
+From c9ea327c099b72eb712a9fb6188bfaadd5f99fe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 May 2024 16:33:58 +0000
+Subject: af_packet: do not call packet_read_pending() from
+ tpacket_destruct_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 581073f626e387d3e7eed55c48c8495584ead7ba ]
+
+trafgen performance considerably sank on hosts with many cores
+after the blamed commit.
+
+packet_read_pending() is very expensive, and calling it
+in af_packet fast path defeats Daniel intent in commit
+b013840810c2 ("packet: use percpu mmap tx frame pending refcount")
+
+tpacket_destruct_skb() makes room for one packet, we can immediately
+wakeup a producer, no need to completely drain the tx ring.
+
+Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20240515163358.4105915-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index db5d16c5d5b11..8e52f09493053 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2487,8 +2487,7 @@ static void tpacket_destruct_skb(struct sk_buff *skb)
+ ts = __packet_set_timestamp(po, ph, skb);
+ __packet_set_status(po, ph, TP_STATUS_AVAILABLE | ts);
+
+- if (!packet_read_pending(&po->tx_ring))
+- complete(&po->skb_completion);
++ complete(&po->skb_completion);
+ }
+
+ sock_wfree(skb);
+--
+2.43.0
+
--- /dev/null
+From b13f66bef859e5ac7a8a58b34f18d05d172c6822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 01:14:46 -0700
+Subject: af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ]
+
+A data-race condition has been identified in af_unix. In one data path,
+the write function unix_release_sock() atomically writes to
+sk->sk_shutdown using WRITE_ONCE. However, on the reader side,
+unix_stream_sendmsg() does not read it atomically. Consequently, this
+issue is causing the following KCSAN splat to occur:
+
+ BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg
+
+ write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:
+ unix_release_sock (net/unix/af_unix.c:640)
+ unix_release (net/unix/af_unix.c:1050)
+ sock_close (net/socket.c:659 net/socket.c:1421)
+ __fput (fs/file_table.c:422)
+ __fput_sync (fs/file_table.c:508)
+ __se_sys_close (fs/open.c:1559 fs/open.c:1541)
+ __x64_sys_close (fs/open.c:1541)
+ x64_sys_call (arch/x86/entry/syscall_64.c:33)
+ do_syscall_64 (arch/x86/entry/common.c:?)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+ read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:
+ unix_stream_sendmsg (net/unix/af_unix.c:2273)
+ __sock_sendmsg (net/socket.c:730 net/socket.c:745)
+ ____sys_sendmsg (net/socket.c:2584)
+ __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)
+ __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)
+ x64_sys_call (arch/x86/entry/syscall_64.c:33)
+ do_syscall_64 (arch/x86/entry/common.c:?)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+ value changed: 0x01 -> 0x03
+
+The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7").
+
+Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.")
+addressed a comparable issue in the past regarding sk->sk_shutdown.
+However, it overlooked resolving this particular data path.
+This patch only offending unix_stream_sendmsg() function, since the
+other reads seem to be protected by unix_state_lock() as discussed in
+Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 224b1fdc82279..3ab726a668e8a 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1918,7 +1918,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto out_err;
+ }
+
+- if (sk->sk_shutdown & SEND_SHUTDOWN)
++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+ goto pipe_err;
+
+ while (sent < len) {
+--
+2.43.0
+
--- /dev/null
+From 7c22c4d5671d07dad3625366b9488ccbd88b377c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 10:30:33 -0500
+Subject: ASoC: da7219-aad: fix usage of device_get_named_child_node()
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit e8a6a5ad73acbafd98e8fd3f0cbf6e379771bb76 ]
+
+The documentation for device_get_named_child_node() mentions this
+important point:
+
+"
+The caller is responsible for calling fwnode_handle_put() on the
+returned fwnode pointer.
+"
+
+Add fwnode_handle_put() to avoid a leaked reference.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20240426153033.38500-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/da7219-aad.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/da7219-aad.c b/sound/soc/codecs/da7219-aad.c
+index b6030709b6b6d..2fb26dd84bc72 100644
+--- a/sound/soc/codecs/da7219-aad.c
++++ b/sound/soc/codecs/da7219-aad.c
+@@ -629,8 +629,10 @@ static struct da7219_aad_pdata *da7219_aad_fw_to_pdata(struct device *dev)
+ return NULL;
+
+ aad_pdata = devm_kzalloc(dev, sizeof(*aad_pdata), GFP_KERNEL);
+- if (!aad_pdata)
++ if (!aad_pdata) {
++ fwnode_handle_put(aad_np);
+ return NULL;
++ }
+
+ aad_pdata->irq = i2c->irq;
+
+@@ -705,6 +707,8 @@ static struct da7219_aad_pdata *da7219_aad_fw_to_pdata(struct device *dev)
+ else
+ aad_pdata->adc_1bit_rpt = DA7219_AAD_ADC_1BIT_RPT_1;
+
++ fwnode_handle_put(aad_np);
++
+ return aad_pdata;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From c15fffd910ccef8aed63b8a23eb44f466c5b4d5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2024 17:10:57 +0800
+Subject: ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
+
+From: Derek Fang <derek.fang@realtek.com>
+
+[ Upstream commit 306b38e3fa727d22454a148a364123709e356600 ]
+
+Add an optional gpio property to control external CBJ circuits
+to avoid some electric noise caused by sleeve/ring2 contacts floating.
+
+Signed-off-by: Derek Fang <derek.fang@realtek.com>
+
+Link: https://msgid.link/r/20240408091057.14165-2-derek.fang@realtek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/sound/rt5645.txt | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/sound/rt5645.txt b/Documentation/devicetree/bindings/sound/rt5645.txt
+index 41a62fd2ae1ff..c1fa379f5f3ea 100644
+--- a/Documentation/devicetree/bindings/sound/rt5645.txt
++++ b/Documentation/devicetree/bindings/sound/rt5645.txt
+@@ -20,6 +20,11 @@ Optional properties:
+ a GPIO spec for the external headphone detect pin. If jd-mode = 0,
+ we will get the JD status by getting the value of hp-detect-gpios.
+
++- cbj-sleeve-gpios:
++ a GPIO spec to control the external combo jack circuit to tie the sleeve/ring2
++ contacts to the ground or floating. It could avoid some electric noise from the
++ active speaker jacks.
++
+ - realtek,in2-differential
+ Boolean. Indicate MIC2 input are differential, rather than single-ended.
+
+@@ -68,6 +73,7 @@ codec: rt5650@1a {
+ compatible = "realtek,rt5650";
+ reg = <0x1a>;
+ hp-detect-gpios = <&gpio 19 0>;
++ cbj-sleeve-gpios = <&gpio 20 0>;
+ interrupt-parent = <&gpio>;
+ interrupts = <7 IRQ_TYPE_EDGE_FALLING>;
+ realtek,dmic-en = "true";
+--
+2.43.0
+
--- /dev/null
+From 51a7c042779893360900d243c41b804431cecab4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Mar 2024 10:04:58 +0100
+Subject: ASoC: Intel: Disable route checks for Skylake boards
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 0cb3b7fd530b8c107443218ce6db5cb6e7b5dbe1 ]
+
+Topology files that are propagated to the world and utilized by the
+skylake-driver carry shortcomings in their SectionGraphs.
+
+Since commit daa480bde6b3 ("ASoC: soc-core: tidyup for
+snd_soc_dapm_add_routes()") route checks are no longer permissive. Probe
+failures for Intel boards have been partially addressed by commit
+a22ae72b86a4 ("ASoC: soc-core: disable route checks for legacy devices")
+and its follow up but only skl_nau88l25_ssm4567.c is patched. Fix the
+problem for the rest of the boards.
+
+Link: https://lore.kernel.org/all/20200309192744.18380-1-pierre-louis.bossart@linux.intel.com/
+Fixes: daa480bde6b3 ("ASoC: soc-core: tidyup for snd_soc_dapm_add_routes()")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://msgid.link/r/20240308090502.2136760-2-cezary.rojewski@intel.com
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bxt_da7219_max98357a.c | 1 +
+ sound/soc/intel/boards/bxt_rt298.c | 1 +
+ sound/soc/intel/boards/glk_rt5682_max98357a.c | 2 ++
+ sound/soc/intel/boards/kbl_da7219_max98357a.c | 1 +
+ sound/soc/intel/boards/kbl_da7219_max98927.c | 4 ++++
+ sound/soc/intel/boards/kbl_rt5660.c | 1 +
+ sound/soc/intel/boards/kbl_rt5663_max98927.c | 2 ++
+ sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c | 1 +
+ sound/soc/intel/boards/skl_hda_dsp_generic.c | 2 ++
+ sound/soc/intel/boards/skl_nau88l25_max98357a.c | 1 +
+ sound/soc/intel/boards/skl_rt286.c | 1 +
+ 11 files changed, 17 insertions(+)
+
+diff --git a/sound/soc/intel/boards/bxt_da7219_max98357a.c b/sound/soc/intel/boards/bxt_da7219_max98357a.c
+index 0c0a717823c40..1a24c44db6dda 100644
+--- a/sound/soc/intel/boards/bxt_da7219_max98357a.c
++++ b/sound/soc/intel/boards/bxt_da7219_max98357a.c
+@@ -750,6 +750,7 @@ static struct snd_soc_card broxton_audio_card = {
+ .dapm_routes = audio_map,
+ .num_dapm_routes = ARRAY_SIZE(audio_map),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = bxt_card_late_probe,
+ };
+
+diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c
+index 0f3157dfa8384..13c41338003f1 100644
+--- a/sound/soc/intel/boards/bxt_rt298.c
++++ b/sound/soc/intel/boards/bxt_rt298.c
+@@ -575,6 +575,7 @@ static struct snd_soc_card broxton_rt298 = {
+ .dapm_routes = broxton_rt298_map,
+ .num_dapm_routes = ARRAY_SIZE(broxton_rt298_map),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = bxt_card_late_probe,
+
+ };
+diff --git a/sound/soc/intel/boards/glk_rt5682_max98357a.c b/sound/soc/intel/boards/glk_rt5682_max98357a.c
+index 62cca511522ea..c1b789ac6d500 100644
+--- a/sound/soc/intel/boards/glk_rt5682_max98357a.c
++++ b/sound/soc/intel/boards/glk_rt5682_max98357a.c
+@@ -603,6 +603,8 @@ static int geminilake_audio_probe(struct platform_device *pdev)
+ card = &glk_audio_card_rt5682_m98357a;
+ card->dev = &pdev->dev;
+ snd_soc_card_set_drvdata(card, ctx);
++ if (!snd_soc_acpi_sof_parent(&pdev->dev))
++ card->disable_route_checks = true;
+
+ /* override plaform name, if required */
+ mach = pdev->dev.platform_data;
+diff --git a/sound/soc/intel/boards/kbl_da7219_max98357a.c b/sound/soc/intel/boards/kbl_da7219_max98357a.c
+index 36f1f49e0b76b..4ecef661f8834 100644
+--- a/sound/soc/intel/boards/kbl_da7219_max98357a.c
++++ b/sound/soc/intel/boards/kbl_da7219_max98357a.c
+@@ -571,6 +571,7 @@ static struct snd_soc_card kabylake_audio_card_da7219_m98357a = {
+ .dapm_routes = kabylake_map,
+ .num_dapm_routes = ARRAY_SIZE(kabylake_map),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+diff --git a/sound/soc/intel/boards/kbl_da7219_max98927.c b/sound/soc/intel/boards/kbl_da7219_max98927.c
+index 884741aa48335..80c343fe7f658 100644
+--- a/sound/soc/intel/boards/kbl_da7219_max98927.c
++++ b/sound/soc/intel/boards/kbl_da7219_max98927.c
+@@ -1016,6 +1016,7 @@ static struct snd_soc_card kbl_audio_card_da7219_m98927 = {
+ .codec_conf = max98927_codec_conf,
+ .num_configs = ARRAY_SIZE(max98927_codec_conf),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+@@ -1034,6 +1035,7 @@ static struct snd_soc_card kbl_audio_card_max98927 = {
+ .codec_conf = max98927_codec_conf,
+ .num_configs = ARRAY_SIZE(max98927_codec_conf),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+@@ -1051,6 +1053,7 @@ static struct snd_soc_card kbl_audio_card_da7219_m98373 = {
+ .codec_conf = max98373_codec_conf,
+ .num_configs = ARRAY_SIZE(max98373_codec_conf),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+@@ -1068,6 +1071,7 @@ static struct snd_soc_card kbl_audio_card_max98373 = {
+ .codec_conf = max98373_codec_conf,
+ .num_configs = ARRAY_SIZE(max98373_codec_conf),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+diff --git a/sound/soc/intel/boards/kbl_rt5660.c b/sound/soc/intel/boards/kbl_rt5660.c
+index 3a9f91b58e113..2bffd2b6b3618 100644
+--- a/sound/soc/intel/boards/kbl_rt5660.c
++++ b/sound/soc/intel/boards/kbl_rt5660.c
+@@ -519,6 +519,7 @@ static struct snd_soc_card kabylake_audio_card_rt5660 = {
+ .dapm_routes = kabylake_rt5660_map,
+ .num_dapm_routes = ARRAY_SIZE(kabylake_rt5660_map),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+diff --git a/sound/soc/intel/boards/kbl_rt5663_max98927.c b/sound/soc/intel/boards/kbl_rt5663_max98927.c
+index 9a4b3d0973f65..be76c71eca679 100644
+--- a/sound/soc/intel/boards/kbl_rt5663_max98927.c
++++ b/sound/soc/intel/boards/kbl_rt5663_max98927.c
+@@ -948,6 +948,7 @@ static struct snd_soc_card kabylake_audio_card_rt5663_m98927 = {
+ .codec_conf = max98927_codec_conf,
+ .num_configs = ARRAY_SIZE(max98927_codec_conf),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+@@ -964,6 +965,7 @@ static struct snd_soc_card kabylake_audio_card_rt5663 = {
+ .dapm_routes = kabylake_5663_map,
+ .num_dapm_routes = ARRAY_SIZE(kabylake_5663_map),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+diff --git a/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c b/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c
+index f95546c184aae..291f56f79cd36 100644
+--- a/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c
++++ b/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c
+@@ -779,6 +779,7 @@ static struct snd_soc_card kabylake_audio_card = {
+ .codec_conf = max98927_codec_conf,
+ .num_configs = ARRAY_SIZE(max98927_codec_conf),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = kabylake_card_late_probe,
+ };
+
+diff --git a/sound/soc/intel/boards/skl_hda_dsp_generic.c b/sound/soc/intel/boards/skl_hda_dsp_generic.c
+index bc50eda297ab7..c2ff59e9a8cf7 100644
+--- a/sound/soc/intel/boards/skl_hda_dsp_generic.c
++++ b/sound/soc/intel/boards/skl_hda_dsp_generic.c
+@@ -229,6 +229,8 @@ static int skl_hda_audio_probe(struct platform_device *pdev)
+ ctx->common_hdmi_codec_drv = mach->mach_params.common_hdmi_codec_drv;
+
+ hda_soc_card.dev = &pdev->dev;
++ if (!snd_soc_acpi_sof_parent(&pdev->dev))
++ hda_soc_card.disable_route_checks = true;
+
+ if (mach->mach_params.dmic_num > 0) {
+ snprintf(hda_soc_components, sizeof(hda_soc_components),
+diff --git a/sound/soc/intel/boards/skl_nau88l25_max98357a.c b/sound/soc/intel/boards/skl_nau88l25_max98357a.c
+index 55802900069a2..d976636f5a495 100644
+--- a/sound/soc/intel/boards/skl_nau88l25_max98357a.c
++++ b/sound/soc/intel/boards/skl_nau88l25_max98357a.c
+@@ -643,6 +643,7 @@ static struct snd_soc_card skylake_audio_card = {
+ .dapm_routes = skylake_map,
+ .num_dapm_routes = ARRAY_SIZE(skylake_map),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = skylake_card_late_probe,
+ };
+
+diff --git a/sound/soc/intel/boards/skl_rt286.c b/sound/soc/intel/boards/skl_rt286.c
+index 5a0c64a831465..4ff3e5fb9b7d0 100644
+--- a/sound/soc/intel/boards/skl_rt286.c
++++ b/sound/soc/intel/boards/skl_rt286.c
+@@ -524,6 +524,7 @@ static struct snd_soc_card skylake_rt286 = {
+ .dapm_routes = skylake_rt286_map,
+ .num_dapm_routes = ARRAY_SIZE(skylake_rt286_map),
+ .fully_routed = true,
++ .disable_route_checks = true,
+ .late_probe = skylake_card_late_probe,
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 43a5cdde587cb3d6cab1e78e41e00e5c1c9e3b0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2024 17:10:56 +0800
+Subject: ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
+
+From: Derek Fang <derek.fang@realtek.com>
+
+[ Upstream commit 103abab975087e1f01b76fcb54c91dbb65dbc249 ]
+
+The codec leaves tie combo jack's sleeve/ring2 to floating status
+default. It would cause electric noise while connecting the active
+speaker jack during boot or shutdown.
+This patch requests a gpio to control the additional jack circuit
+to tie the contacts to the ground or floating.
+
+Signed-off-by: Derek Fang <derek.fang@realtek.com>
+
+Link: https://msgid.link/r/20240408091057.14165-1-derek.fang@realtek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5645.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c
+index 5db63ef33f1a2..ac403827a2290 100644
+--- a/sound/soc/codecs/rt5645.c
++++ b/sound/soc/codecs/rt5645.c
+@@ -414,6 +414,7 @@ struct rt5645_priv {
+ struct regmap *regmap;
+ struct i2c_client *i2c;
+ struct gpio_desc *gpiod_hp_det;
++ struct gpio_desc *gpiod_cbj_sleeve;
+ struct snd_soc_jack *hp_jack;
+ struct snd_soc_jack *mic_jack;
+ struct snd_soc_jack *btn_jack;
+@@ -3169,6 +3170,9 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse
+ regmap_update_bits(rt5645->regmap, RT5645_IN1_CTRL2,
+ RT5645_CBJ_MN_JD, 0);
+
++ if (rt5645->gpiod_cbj_sleeve)
++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 1);
++
+ msleep(600);
+ regmap_read(rt5645->regmap, RT5645_IN1_CTRL3, &val);
+ val &= 0x7;
+@@ -3185,6 +3189,8 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse
+ snd_soc_dapm_disable_pin(dapm, "Mic Det Power");
+ snd_soc_dapm_sync(dapm);
+ rt5645->jack_type = SND_JACK_HEADPHONE;
++ if (rt5645->gpiod_cbj_sleeve)
++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0);
+ }
+ if (rt5645->pdata.level_trigger_irq)
+ regmap_update_bits(rt5645->regmap, RT5645_IRQ_CTRL2,
+@@ -3210,6 +3216,9 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse
+ if (rt5645->pdata.level_trigger_irq)
+ regmap_update_bits(rt5645->regmap, RT5645_IRQ_CTRL2,
+ RT5645_JD_1_1_MASK, RT5645_JD_1_1_INV);
++
++ if (rt5645->gpiod_cbj_sleeve)
++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0);
+ }
+
+ return rt5645->jack_type;
+@@ -3882,6 +3891,16 @@ static int rt5645_i2c_probe(struct i2c_client *i2c,
+ return ret;
+ }
+
++ rt5645->gpiod_cbj_sleeve = devm_gpiod_get_optional(&i2c->dev, "cbj-sleeve",
++ GPIOD_OUT_LOW);
++
++ if (IS_ERR(rt5645->gpiod_cbj_sleeve)) {
++ ret = PTR_ERR(rt5645->gpiod_cbj_sleeve);
++ dev_info(&i2c->dev, "failed to initialize gpiod, ret=%d\n", ret);
++ if (ret != -ENOENT)
++ return ret;
++ }
++
+ for (i = 0; i < ARRAY_SIZE(rt5645->supplies); i++)
+ rt5645->supplies[i].supply = rt5645_supply_names[i];
+
+@@ -4125,6 +4144,9 @@ static int rt5645_i2c_remove(struct i2c_client *i2c)
+ cancel_delayed_work_sync(&rt5645->jack_detect_work);
+ cancel_delayed_work_sync(&rt5645->rcclock_work);
+
++ if (rt5645->gpiod_cbj_sleeve)
++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0);
++
+ regulator_bulk_disable(ARRAY_SIZE(rt5645->supplies), rt5645->supplies);
+
+ return 0;
+@@ -4142,6 +4164,9 @@ static void rt5645_i2c_shutdown(struct i2c_client *i2c)
+ 0);
+ msleep(20);
+ regmap_write(rt5645->regmap, RT5645_RESET, 0);
++
++ if (rt5645->gpiod_cbj_sleeve)
++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0);
+ }
+
+ static struct i2c_driver rt5645_i2c_driver = {
+--
+2.43.0
+
--- /dev/null
+From 837ec84dbd552b262789feede1e2c4261a428df6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Apr 2024 06:27:23 +0000
+Subject: ASoC: rt715: add vendor clear control register
+
+From: Jack Yu <jack.yu@realtek.com>
+
+[ Upstream commit cebfbc89ae2552dbb58cd9b8206a5c8e0e6301e9 ]
+
+Add vendor clear control register in readable register's
+callback function. This prevents an access failure reported
+in Intel CI tests.
+
+Signed-off-by: Jack Yu <jack.yu@realtek.com>
+Closes: https://github.com/thesofproject/linux/issues/4860
+Tested-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/6a103ce9134d49d8b3941172c87a7bd4@realtek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt715-sdw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/rt715-sdw.c b/sound/soc/codecs/rt715-sdw.c
+index 361a90ae594cd..c0f09c3bcb6e3 100644
+--- a/sound/soc/codecs/rt715-sdw.c
++++ b/sound/soc/codecs/rt715-sdw.c
+@@ -110,6 +110,7 @@ static bool rt715_readable_register(struct device *dev, unsigned int reg)
+ case 0x839d:
+ case 0x83a7:
+ case 0x83a9:
++ case 0x752001:
+ case 0x752039:
+ return true;
+ default:
+--
+2.43.0
+
--- /dev/null
+From 206e3f5f29eb40f8eebffffb0f7a25603f8fe351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Nov 2020 16:38:15 -0600
+Subject: ASoC: soc-acpi: add helper to identify parent driver.
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 644eebdbbf1154c995d6319c133d7d5b898c5ed2 ]
+
+Intel machine drivers are used by parent platform drivers based on
+closed-source firmware (Atom/SST and catpt) and SOF-based ones.
+
+In some cases for ACPI-based platforms, the behavior of machine
+drivers needs to be modified depending on the parent type, typically
+for card names and power management.
+
+An initial solution based on passing a boolean flag as a platform
+device parameter was tested earlier. Since it looked overkill, this
+patch suggests instead a simple string comparison to identify an SOF
+parent device/driver.
+
+Suggested-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Rander Wang <rander.wang@linux.intel.com>
+Reviewed-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+Link: https://lore.kernel.org/r/20201112223825.39765-5-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 0cb3b7fd530b ("ASoC: Intel: Disable route checks for Skylake boards")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/soc-acpi.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/include/sound/soc-acpi.h b/include/sound/soc-acpi.h
+index b16a844d16ef9..9a43c44dcbbba 100644
+--- a/include/sound/soc-acpi.h
++++ b/include/sound/soc-acpi.h
+@@ -171,4 +171,10 @@ struct snd_soc_acpi_codecs {
+ u8 codecs[SND_SOC_ACPI_MAX_CODECS][ACPI_ID_LEN];
+ };
+
++static inline bool snd_soc_acpi_sof_parent(struct device *dev)
++{
++ return dev->parent && dev->parent->driver && dev->parent->driver->name &&
++ !strcmp(dev->parent->driver->name, "sof-audio-acpi");
++}
++
+ #endif
+--
+2.43.0
+
--- /dev/null
+From 3ae43015d5d5579e98653a0cadc956c7d5bf3f8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 00:03:03 -0400
+Subject: ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 58300f8d6a48e58d1843199be743f819e2791ea3 ]
+
+The string SND_SOC_DAPM_DIR_OUT is printed in the snd_soc_dapm_path trace
+event instead of its value:
+
+ (((REC->path_dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-")
+
+User space cannot parse this, as it has no idea what SND_SOC_DAPM_DIR_OUT
+is. Use TRACE_DEFINE_ENUM() to convert it to its value:
+
+ (((REC->path_dir) == 1) ? "->" : "<-")
+
+So that user space tools, such as perf and trace-cmd, can parse it
+correctly.
+
+Reported-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Fixes: 6e588a0d839b5 ("ASoC: dapm: Consolidate path trace events")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Link: https://lore.kernel.org/r/20240416000303.04670cdf@rorschach.local.home
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/asoc.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/trace/events/asoc.h b/include/trace/events/asoc.h
+index 40c300fe704da..f62d5b7024261 100644
+--- a/include/trace/events/asoc.h
++++ b/include/trace/events/asoc.h
+@@ -11,6 +11,8 @@
+ #define DAPM_DIRECT "(direct)"
+ #define DAPM_ARROW(dir) (((dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-")
+
++TRACE_DEFINE_ENUM(SND_SOC_DAPM_DIR_OUT);
++
+ struct snd_soc_jack;
+ struct snd_soc_card;
+ struct snd_soc_dapm_widget;
+--
+2.43.0
+
--- /dev/null
+From f840e1efe0a52a46682630c3419c67531d12072f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Apr 2024 17:07:07 +0200
+Subject: clk: qcom: mmcc-msm8998: fix venus clock issue
+
+From: Marc Gonzalez <mgonzalez@freebox.fr>
+
+[ Upstream commit e20ae5ae9f0c843aded4f06f3d1cab7384789e92 ]
+
+Right now, msm8998 video decoder (venus) is non-functional:
+
+$ time mpv --hwdec=v4l2m2m-copy --vd-lavc-software-fallback=no --vo=null --no-audio --untimed --length=30 --quiet demo-480.webm
+ (+) Video --vid=1 (*) (vp9 854x480 29.970fps)
+ Audio --aid=1 --alang=eng (*) (opus 2ch 48000Hz)
+[ffmpeg/video] vp9_v4l2m2m: output VIDIOC_REQBUFS failed: Connection timed out
+[ffmpeg/video] vp9_v4l2m2m: no v4l2 output context's buffers
+[ffmpeg/video] vp9_v4l2m2m: can't configure decoder
+Could not open codec.
+Software decoding fallback is disabled.
+Exiting... (Quit)
+
+Bryan O'Donoghue suggested the proper fix:
+- Set required register offsets in venus GDSC structs.
+- Set HW_CTRL flag.
+
+$ time mpv --hwdec=v4l2m2m-copy --vd-lavc-software-fallback=no --vo=null --no-audio --untimed --length=30 --quiet demo-480.webm
+ (+) Video --vid=1 (*) (vp9 854x480 29.970fps)
+ Audio --aid=1 --alang=eng (*) (opus 2ch 48000Hz)
+[ffmpeg/video] vp9_v4l2m2m: VIDIOC_G_FMT ioctl
+[ffmpeg/video] vp9_v4l2m2m: VIDIOC_G_FMT ioctl
+...
+Using hardware decoding (v4l2m2m-copy).
+VO: [null] 854x480 nv12
+Exiting... (End of file)
+real 0m3.315s
+user 0m1.277s
+sys 0m0.453s
+
+NOTES:
+
+GDSC = Globally Distributed Switch Controller
+
+Use same code as mmcc-msm8996 with:
+s/venus_gdsc/video_top_gdsc/
+s/venus_core0_gdsc/video_subcore0_gdsc/
+s/venus_core1_gdsc/video_subcore1_gdsc/
+
+https://git.codelinaro.org/clo/la/kernel/msm-4.4/-/blob/caf_migration/kernel.lnx.4.4.r38-rel/include/dt-bindings/clock/msm-clocks-hwio-8996.h
+https://git.codelinaro.org/clo/la/kernel/msm-4.4/-/blob/caf_migration/kernel.lnx.4.4.r38-rel/include/dt-bindings/clock/msm-clocks-hwio-8998.h
+
+0x1024 = MMSS_VIDEO GDSCR (undocumented)
+0x1028 = MMSS_VIDEO_CORE_CBCR
+0x1030 = MMSS_VIDEO_AHB_CBCR
+0x1034 = MMSS_VIDEO_AXI_CBCR
+0x1038 = MMSS_VIDEO_MAXI_CBCR
+0x1040 = MMSS_VIDEO_SUBCORE0 GDSCR (undocumented)
+0x1044 = MMSS_VIDEO_SUBCORE1 GDSCR (undocumented)
+0x1048 = MMSS_VIDEO_SUBCORE0_CBCR
+0x104c = MMSS_VIDEO_SUBCORE1_CBCR
+
+Fixes: d14b15b5931c2b ("clk: qcom: Add MSM8998 Multimedia Clock Controller (MMCC) driver")
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Marc Gonzalez <mgonzalez@freebox.fr>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Link: https://lore.kernel.org/r/ff4e2e34-a677-4c39-8c29-83655c5512ae@freebox.fr
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/mmcc-msm8998.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/clk/qcom/mmcc-msm8998.c b/drivers/clk/qcom/mmcc-msm8998.c
+index a68764cfb7930..5e2e60c1c2283 100644
+--- a/drivers/clk/qcom/mmcc-msm8998.c
++++ b/drivers/clk/qcom/mmcc-msm8998.c
+@@ -2587,6 +2587,8 @@ static struct clk_hw *mmcc_msm8998_hws[] = {
+
+ static struct gdsc video_top_gdsc = {
+ .gdscr = 0x1024,
++ .cxcs = (unsigned int []){ 0x1028, 0x1034, 0x1038 },
++ .cxc_count = 3,
+ .pd = {
+ .name = "video_top",
+ },
+@@ -2595,20 +2597,26 @@ static struct gdsc video_top_gdsc = {
+
+ static struct gdsc video_subcore0_gdsc = {
+ .gdscr = 0x1040,
++ .cxcs = (unsigned int []){ 0x1048 },
++ .cxc_count = 1,
+ .pd = {
+ .name = "video_subcore0",
+ },
+ .parent = &video_top_gdsc.pd,
+ .pwrsts = PWRSTS_OFF_ON,
++ .flags = HW_CTRL,
+ };
+
+ static struct gdsc video_subcore1_gdsc = {
+ .gdscr = 0x1044,
++ .cxcs = (unsigned int []){ 0x104c },
++ .cxc_count = 1,
+ .pd = {
+ .name = "video_subcore1",
+ },
+ .parent = &video_top_gdsc.pd,
+ .pwrsts = PWRSTS_OFF_ON,
++ .flags = HW_CTRL,
+ };
+
+ static struct gdsc mdss_gdsc = {
+--
+2.43.0
+
--- /dev/null
+From e32e155e05fc3ede3902aa5c406cd9f197254479 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Apr 2024 11:19:20 +0530
+Subject: cpufreq: exit() callback is optional
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit b8f85833c05730d631576008daaa34096bc7f3ce ]
+
+The exit() callback is optional and shouldn't be called without checking
+a valid pointer first.
+
+Also, we must clear freq_table pointer even if the exit() callback isn't
+present.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Fixes: 91a12e91dc39 ("cpufreq: Allow light-weight tear down and bring up of CPUs")
+Fixes: f339f3541701 ("cpufreq: Rearrange locking in cpufreq_remove_dev()")
+Reported-by: Lizhe <sensor1010@163.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index cbdea4fa600ab..162de402b1134 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1606,10 +1606,13 @@ static void __cpufreq_offline(unsigned int cpu, struct cpufreq_policy *policy)
+ */
+ if (cpufreq_driver->offline) {
+ cpufreq_driver->offline(policy);
+- } else if (cpufreq_driver->exit) {
+- cpufreq_driver->exit(policy);
+- policy->freq_table = NULL;
++ return;
+ }
++
++ if (cpufreq_driver->exit)
++ cpufreq_driver->exit(policy);
++
++ policy->freq_table = NULL;
+ }
+
+ static int cpufreq_offline(unsigned int cpu)
+@@ -1659,7 +1662,7 @@ static void cpufreq_remove_dev(struct device *dev, struct subsys_interface *sif)
+ }
+
+ /* We did light-weight exit earlier, do full tear down now */
+- if (cpufreq_driver->offline)
++ if (cpufreq_driver->offline && cpufreq_driver->exit)
+ cpufreq_driver->exit(policy);
+
+ up_write(&policy->rwsem);
+--
+2.43.0
+
--- /dev/null
+From 522edc42f14d84649533d149b362b2e8f9b61d4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 May 2022 17:51:39 +0200
+Subject: cpufreq: Rearrange locking in cpufreq_remove_dev()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f339f3541701d824a0256ad4bf14c26ceb6d79c3 ]
+
+Currently, cpufreq_remove_dev() invokes the ->exit() driver callback
+without holding the policy rwsem which is inconsistent with what
+happens if ->exit() is invoked directly from cpufreq_offline().
+
+It also manipulates the real_cpus mask and removes the CPU device
+symlink without holding the policy rwsem, but cpufreq_offline() holds
+the rwsem around the modifications thereof.
+
+For consistency, modify cpufreq_remove_dev() to hold the policy rwsem
+until the ->exit() callback has been called (or it has been determined
+that it is not necessary to call it).
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Stable-dep-of: b8f85833c057 ("cpufreq: exit() callback is optional")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index dd1acb55fe717..cbdea4fa600ab 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1645,19 +1645,26 @@ static void cpufreq_remove_dev(struct device *dev, struct subsys_interface *sif)
+ if (!policy)
+ return;
+
++ down_write(&policy->rwsem);
++
+ if (cpu_online(cpu))
+- cpufreq_offline(cpu);
++ __cpufreq_offline(cpu, policy);
+
+ cpumask_clear_cpu(cpu, policy->real_cpus);
+ remove_cpu_dev_symlink(policy, dev);
+
+- if (cpumask_empty(policy->real_cpus)) {
+- /* We did light-weight exit earlier, do full tear down now */
+- if (cpufreq_driver->offline)
+- cpufreq_driver->exit(policy);
+-
+- cpufreq_policy_free(policy);
++ if (!cpumask_empty(policy->real_cpus)) {
++ up_write(&policy->rwsem);
++ return;
+ }
++
++ /* We did light-weight exit earlier, do full tear down now */
++ if (cpufreq_driver->offline)
++ cpufreq_driver->exit(policy);
++
++ up_write(&policy->rwsem);
++
++ cpufreq_policy_free(policy);
+ }
+
+ /**
+--
+2.43.0
+
--- /dev/null
+From 88cd3b2bf298c937726c55dc0a55195534d48024 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 May 2022 17:48:41 +0200
+Subject: cpufreq: Reorganize checks in cpufreq_offline()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit e1e962c5b9edbc628a335bcdbd010331a12d3e5b ]
+
+Notice that cpufreq_offline() only needs to check policy_is_inactive()
+once and rearrange the code in there to make that happen.
+
+No expected functional impact.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Stable-dep-of: b8f85833c057 ("cpufreq: exit() callback is optional")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 5b4bca71f201d..97999bda188dd 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1573,24 +1573,18 @@ static int cpufreq_offline(unsigned int cpu)
+ }
+
+ down_write(&policy->rwsem);
++
+ if (has_target())
+ cpufreq_stop_governor(policy);
+
+ cpumask_clear_cpu(cpu, policy->cpus);
+
+- if (policy_is_inactive(policy)) {
+- if (has_target())
+- strncpy(policy->last_governor, policy->governor->name,
+- CPUFREQ_NAME_LEN);
+- else
+- policy->last_policy = policy->policy;
+- } else if (cpu == policy->cpu) {
+- /* Nominate new CPU */
+- policy->cpu = cpumask_any(policy->cpus);
+- }
+-
+- /* Start governor again for active policy */
+ if (!policy_is_inactive(policy)) {
++ /* Nominate a new CPU if necessary. */
++ if (cpu == policy->cpu)
++ policy->cpu = cpumask_any(policy->cpus);
++
++ /* Start the governor again for the active policy. */
+ if (has_target()) {
+ ret = cpufreq_start_governor(policy);
+ if (ret)
+@@ -1600,6 +1594,12 @@ static int cpufreq_offline(unsigned int cpu)
+ goto unlock;
+ }
+
++ if (has_target())
++ strncpy(policy->last_governor, policy->governor->name,
++ CPUFREQ_NAME_LEN);
++ else
++ policy->last_policy = policy->policy;
++
+ if (cpufreq_thermal_control_enabled(cpufreq_driver)) {
+ cpufreq_cooling_unregister(policy->cdev);
+ policy->cdev = NULL;
+--
+2.43.0
+
--- /dev/null
+From ab4d0e5c86de2a08dff02961e73ef01670755bfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 May 2022 17:50:09 +0200
+Subject: cpufreq: Split cpufreq_offline()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit fddd8f86dff4a24742a7f0322ccbb34c6c1c9850 ]
+
+Split the "core" part running under the policy rwsem out of
+cpufreq_offline() to allow the locking in cpufreq_remove_dev() to be
+rearranged more easily.
+
+As a side-effect this eliminates the unlock label that's not needed
+any more.
+
+No expected functional impact.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Stable-dep-of: b8f85833c057 ("cpufreq: exit() callback is optional")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 97999bda188dd..dd1acb55fe717 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1559,21 +1559,10 @@ static int cpufreq_add_dev(struct device *dev, struct subsys_interface *sif)
+ return 0;
+ }
+
+-static int cpufreq_offline(unsigned int cpu)
++static void __cpufreq_offline(unsigned int cpu, struct cpufreq_policy *policy)
+ {
+- struct cpufreq_policy *policy;
+ int ret;
+
+- pr_debug("%s: unregistering CPU %u\n", __func__, cpu);
+-
+- policy = cpufreq_cpu_get_raw(cpu);
+- if (!policy) {
+- pr_debug("%s: No cpu_data found\n", __func__);
+- return 0;
+- }
+-
+- down_write(&policy->rwsem);
+-
+ if (has_target())
+ cpufreq_stop_governor(policy);
+
+@@ -1591,7 +1580,7 @@ static int cpufreq_offline(unsigned int cpu)
+ pr_err("%s: Failed to start governor\n", __func__);
+ }
+
+- goto unlock;
++ return;
+ }
+
+ if (has_target())
+@@ -1621,8 +1610,24 @@ static int cpufreq_offline(unsigned int cpu)
+ cpufreq_driver->exit(policy);
+ policy->freq_table = NULL;
+ }
++}
++
++static int cpufreq_offline(unsigned int cpu)
++{
++ struct cpufreq_policy *policy;
++
++ pr_debug("%s: unregistering CPU %u\n", __func__, cpu);
++
++ policy = cpufreq_cpu_get_raw(cpu);
++ if (!policy) {
++ pr_debug("%s: No cpu_data found\n", __func__);
++ return 0;
++ }
++
++ down_write(&policy->rwsem);
++
++ __cpufreq_offline(cpu, policy);
+
+-unlock:
+ up_write(&policy->rwsem);
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 8a1be21b9363ea3a3207af543f5a0a05b6e06ded Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Mar 2024 23:59:15 +0300
+Subject: crypto: bcm - Fix pointer arithmetic
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 ]
+
+In spu2_dump_omd() value of ptr is increased by ciph_key_len
+instead of hash_iv_len which could lead to going beyond the
+buffer boundaries.
+Fix this bug by changing ciph_key_len to hash_iv_len.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/bcm/spu2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c
+index c860ffb0b4c38..670d439f204c5 100644
+--- a/drivers/crypto/bcm/spu2.c
++++ b/drivers/crypto/bcm/spu2.c
+@@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len,
+ if (hash_iv_len) {
+ packet_log(" Hash IV Length %u bytes\n", hash_iv_len);
+ packet_dump(" hash IV: ", ptr, hash_iv_len);
+- ptr += ciph_key_len;
++ ptr += hash_iv_len;
+ }
+
+ if (ciph_iv_len) {
+--
+2.43.0
+
--- /dev/null
+From b39b2afec7654914609b83b4e2ba1a7be8308ea4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 10:06:42 +0200
+Subject: crypto: ccp - drop platform ifdef checks
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 42c2d7d02977ef09d434b1f5b354f5bc6c1027ab ]
+
+When both ACPI and OF are disabled, the dev_vdata variable is unused:
+
+drivers/crypto/ccp/sp-platform.c:33:34: error: unused variable 'dev_vdata' [-Werror,-Wunused-const-variable]
+
+This is not a useful configuration, and there is not much point in saving
+a few bytes when only one of the two is enabled, so just remove all
+these ifdef checks and rely on of_match_node() and acpi_match_device()
+returning NULL when these subsystems are disabled.
+
+Fixes: 6c5063434098 ("crypto: ccp - Add ACPI support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sp-platform.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sp-platform.c b/drivers/crypto/ccp/sp-platform.c
+index 9dba52fbee997..121f9d0cb608e 100644
+--- a/drivers/crypto/ccp/sp-platform.c
++++ b/drivers/crypto/ccp/sp-platform.c
+@@ -39,44 +39,38 @@ static const struct sp_dev_vdata dev_vdata[] = {
+ },
+ };
+
+-#ifdef CONFIG_ACPI
+ static const struct acpi_device_id sp_acpi_match[] = {
+ { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] },
+ { },
+ };
+ MODULE_DEVICE_TABLE(acpi, sp_acpi_match);
+-#endif
+
+-#ifdef CONFIG_OF
+ static const struct of_device_id sp_of_match[] = {
+ { .compatible = "amd,ccp-seattle-v1a",
+ .data = (const void *)&dev_vdata[0] },
+ { },
+ };
+ MODULE_DEVICE_TABLE(of, sp_of_match);
+-#endif
+
+ static struct sp_dev_vdata *sp_get_of_version(struct platform_device *pdev)
+ {
+-#ifdef CONFIG_OF
+ const struct of_device_id *match;
+
+ match = of_match_node(sp_of_match, pdev->dev.of_node);
+ if (match && match->data)
+ return (struct sp_dev_vdata *)match->data;
+-#endif
++
+ return NULL;
+ }
+
+ static struct sp_dev_vdata *sp_get_acpi_version(struct platform_device *pdev)
+ {
+-#ifdef CONFIG_ACPI
+ const struct acpi_device_id *match;
+
+ match = acpi_match_device(sp_acpi_match, &pdev->dev);
+ if (match && match->driver_data)
+ return (struct sp_dev_vdata *)match->driver_data;
+-#endif
++
+ return NULL;
+ }
+
+@@ -222,12 +216,8 @@ static int sp_platform_resume(struct platform_device *pdev)
+ static struct platform_driver sp_platform_driver = {
+ .driver = {
+ .name = "ccp",
+-#ifdef CONFIG_ACPI
+ .acpi_match_table = sp_acpi_match,
+-#endif
+-#ifdef CONFIG_OF
+ .of_match_table = sp_of_match,
+-#endif
+ },
+ .probe = sp_platform_probe,
+ .remove = sp_platform_remove,
+--
+2.43.0
+
--- /dev/null
+From cb74e2a21276bfd31f1c82184f87f34fb463c260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Apr 2024 20:26:08 -0400
+Subject: crypto: x86/nh-avx2 - add missing vzeroupper
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit 4ad096cca942959871d8ff73826d30f81f856f6e ]
+
+Since nh_avx2() uses ymm registers, execute vzeroupper before returning
+from it. This is necessary to avoid reducing the performance of SSE
+code.
+
+Fixes: 0f961f9f670e ("crypto: x86/nhpoly1305 - add AVX2 accelerated NHPoly1305")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/crypto/nh-avx2-x86_64.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/crypto/nh-avx2-x86_64.S b/arch/x86/crypto/nh-avx2-x86_64.S
+index 6a0b15e7196a8..54c0ee41209d5 100644
+--- a/arch/x86/crypto/nh-avx2-x86_64.S
++++ b/arch/x86/crypto/nh-avx2-x86_64.S
+@@ -153,5 +153,6 @@ SYM_FUNC_START(nh_avx2)
+ vpaddq T1, T0, T0
+ vpaddq T4, T0, T0
+ vmovdqu T0, (HASH)
++ vzeroupper
+ RET
+ SYM_FUNC_END(nh_avx2)
+--
+2.43.0
+
--- /dev/null
+From 8c5c43a1787898c168018f649c11c10e14fa15f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Apr 2024 20:26:09 -0400
+Subject: crypto: x86/sha256-avx2 - add missing vzeroupper
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit 57ce8a4e162599cf9adafef1f29763160a8e5564 ]
+
+Since sha256_transform_rorx() uses ymm registers, execute vzeroupper
+before returning from it. This is necessary to avoid reducing the
+performance of SSE code.
+
+Fixes: d34a460092d8 ("crypto: sha256 - Optimized sha256 x86_64 routine using AVX2's RORX instructions")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/crypto/sha256-avx2-asm.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S
+index 3439aaf4295d2..81c8053152bb9 100644
+--- a/arch/x86/crypto/sha256-avx2-asm.S
++++ b/arch/x86/crypto/sha256-avx2-asm.S
+@@ -711,6 +711,7 @@ done_hash:
+ popq %r13
+ popq %r12
+ popq %rbx
++ vzeroupper
+ RET
+ SYM_FUNC_END(sha256_transform_rorx)
+
+--
+2.43.0
+
--- /dev/null
+From ef2cb7fff785f36697858f712bc3979cb26174ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 18:38:08 +0530
+Subject: drm/amd/display: Fix potential index out of bounds in color
+ transformation function
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 63ae548f1054a0b71678d0349c7dc9628ddd42ca ]
+
+Fixes index out of bounds issue in the color transformation function.
+The issue could occur when the index 'i' exceeds the number of transfer
+function points (TRANSFER_FUNC_POINTS).
+
+The fix adds a check to ensure 'i' is within bounds before accessing the
+transfer function points. If 'i' is out of bounds, an error message is
+logged and the function returns false to indicate an error.
+
+Reported by smatch:
+drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
+drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
+drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
+
+Fixes: b629596072e5 ("drm/amd/display: Build unity lut for shaper")
+Cc: Vitaly Prosyak <vitaly.prosyak@amd.com>
+Cc: Charlene Liu <Charlene.Liu@amd.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Roman Li <roman.li@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c
+index 7a00fe525dfba..bd9bc51983fec 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c
+@@ -379,6 +379,11 @@ bool cm_helper_translate_curve_to_hw_format(
+ i += increment) {
+ if (j == hw_points - 1)
+ break;
++ if (i >= TRANSFER_FUNC_POINTS) {
++ DC_LOG_ERROR("Index out of bounds: i=%d, TRANSFER_FUNC_POINTS=%d\n",
++ i, TRANSFER_FUNC_POINTS);
++ return false;
++ }
+ rgb_resulted[j].red = output_tf->tf_pts.red[i];
+ rgb_resulted[j].green = output_tf->tf_pts.green[i];
+ rgb_resulted[j].blue = output_tf->tf_pts.blue[i];
+--
+2.43.0
+
--- /dev/null
+From ded84bba3e15aebfa0570c183dd1b8f111fb881e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Nov 2023 04:21:55 +0000
+Subject: drm/amd/display: Set color_mgmt_changed to true on unsuspend
+
+From: Joshua Ashton <joshua@froggi.es>
+
+[ Upstream commit 2eb9dd497a698dc384c0dd3e0311d541eb2e13dd ]
+
+Otherwise we can end up with a frame on unsuspend where color management
+is not applied when userspace has not committed themselves.
+
+Fixes re-applying color management on Steam Deck/Gamescope on S3 resume.
+
+Signed-off-by: Joshua Ashton <joshua@froggi.es>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 3578e3b3536e3..29ef0ed44d5f4 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -2099,6 +2099,7 @@ static int dm_resume(void *handle)
+ dc_stream_release(dm_new_crtc_state->stream);
+ dm_new_crtc_state->stream = NULL;
+ }
++ dm_new_crtc_state->base.color_mgmt_changed = true;
+ }
+
+ for_each_new_plane_in_state(dm->cached_state, plane, new_plane_state, i) {
+--
+2.43.0
+
--- /dev/null
+From 847e8e984c49fa91b077fb24b02e2c6b44426d2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Apr 2024 14:14:13 +0100
+Subject: drm/amdkfd: Flush the process wq before creating a kfd_process
+
+From: Lancelot SIX <lancelot.six@amd.com>
+
+[ Upstream commit f5b9053398e70a0c10aa9cb4dd5910ab6bc457c5 ]
+
+There is a race condition when re-creating a kfd_process for a process.
+This has been observed when a process under the debugger executes
+exec(3). In this scenario:
+- The process executes exec.
+ - This will eventually release the process's mm, which will cause the
+ kfd_process object associated with the process to be freed
+ (kfd_process_free_notifier decrements the reference count to the
+ kfd_process to 0). This causes kfd_process_ref_release to enqueue
+ kfd_process_wq_release to the kfd_process_wq.
+- The debugger receives the PTRACE_EVENT_EXEC notification, and tries to
+ re-enable AMDGPU traps (KFD_IOC_DBG_TRAP_ENABLE).
+ - When handling this request, KFD tries to re-create a kfd_process.
+ This eventually calls kfd_create_process and kobject_init_and_add.
+
+At this point the call to kobject_init_and_add can fail because the
+old kfd_process.kobj has not been freed yet by kfd_process_wq_release.
+
+This patch proposes to avoid this race by making sure to drain
+kfd_process_wq before creating a new kfd_process object. This way, we
+know that any cleanup task is done executing when we reach
+kobject_init_and_add.
+
+Signed-off-by: Lancelot SIX <lancelot.six@amd.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+index d243e60c6eef7..534f2dec6356f 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+@@ -766,6 +766,14 @@ struct kfd_process *kfd_create_process(struct file *filep)
+ if (process) {
+ pr_debug("Process already found\n");
+ } else {
++ /* If the process just called exec(3), it is possible that the
++ * cleanup of the kfd_process (following the release of the mm
++ * of the old process image) is still in the cleanup work queue.
++ * Make sure to drain any job before trying to recreate any
++ * resource for this process.
++ */
++ flush_workqueue(kfd_process_wq);
++
+ process = create_process(thread);
+ if (IS_ERR(process))
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From 8d08b4bc745a1a67130a23bcb36b722014b2ef20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Apr 2024 14:30:53 +0800
+Subject: drm/arm/malidp: fix a possible null pointer dereference
+
+From: Huai-Yuan Liu <qq810974084@gmail.com>
+
+[ Upstream commit a1f95aede6285dba6dd036d907196f35ae3a11ea ]
+
+In malidp_mw_connector_reset, new memory is allocated with kzalloc, but
+no check is performed. In order to prevent null pointer dereferencing,
+ensure that mw_state is checked before calling
+__drm_atomic_helper_connector_reset.
+
+Fixes: 8cbc5caf36ef ("drm: mali-dp: Add writeback connector")
+Signed-off-by: Huai-Yuan Liu <qq810974084@gmail.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240407063053.5481-1-qq810974084@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/arm/malidp_mw.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/arm/malidp_mw.c b/drivers/gpu/drm/arm/malidp_mw.c
+index 7d0e7b031e447..fa5e77ee3af86 100644
+--- a/drivers/gpu/drm/arm/malidp_mw.c
++++ b/drivers/gpu/drm/arm/malidp_mw.c
+@@ -70,7 +70,10 @@ static void malidp_mw_connector_reset(struct drm_connector *connector)
+ __drm_atomic_helper_connector_destroy_state(connector->state);
+
+ kfree(connector->state);
+- __drm_atomic_helper_connector_reset(connector, &mw_state->base);
++ connector->state = NULL;
++
++ if (mw_state)
++ __drm_atomic_helper_connector_reset(connector, &mw_state->base);
+ }
+
+ static enum drm_connector_status
+--
+2.43.0
+
--- /dev/null
+From 31a5a1daf756d2793d09031f32a3a7b35a4de96f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2024 15:58:10 +0300
+Subject: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 935a92a1c400285545198ca2800a4c6c519c650a ]
+
+In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is
+assigned to mhdp_state->current_mode, and there is a dereference of it in
+drm_mode_set_name(), which will lead to a NULL pointer dereference on
+failure of drm_mode_duplicate().
+
+Fix this bug add a check of mhdp_state->current_mode.
+
+Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240408125810.21899-1-amishin@t-argos.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+index f56ff97c98990..ae99d04f00456 100644
+--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
++++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+@@ -1978,6 +1978,9 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
+ mhdp_state = to_cdns_mhdp_bridge_state(new_state);
+
+ mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode);
++ if (!mhdp_state->current_mode)
++ return;
++
+ drm_mode_set_name(mhdp_state->current_mode);
+
+ dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name);
+--
+2.43.0
+
--- /dev/null
+From e7ae183db1aa275d39d0f65b004a1fe09b4d1cc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Apr 2024 17:49:32 -0400
+Subject: drm/bridge: lt9611: Don't log an error when DSI host can't be found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: NÃcolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit cd0a2c6a081ff67007323725b9ff07d9934b1ed8 ]
+
+Given that failing to find a DSI host causes the driver to defer probe,
+make use of dev_err_probe() to log the reason. This makes the defer
+probe reason available and avoids alerting userspace about something
+that is not necessarily an error.
+
+Fixes: 23278bf54afe ("drm/bridge: Introduce LT9611 DSI to HDMI bridge")
+Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: NÃcolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-4-619a28148e5c@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt9611.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/lontium-lt9611.c b/drivers/gpu/drm/bridge/lontium-lt9611.c
+index 660e05fa4a704..7f58ceda5b08a 100644
+--- a/drivers/gpu/drm/bridge/lontium-lt9611.c
++++ b/drivers/gpu/drm/bridge/lontium-lt9611.c
+@@ -766,10 +766,8 @@ static struct mipi_dsi_device *lt9611_attach_dsi(struct lt9611 *lt9611,
+ int ret;
+
+ host = of_find_mipi_dsi_host_by_node(dsi_node);
+- if (!host) {
+- dev_err(lt9611->dev, "failed to find dsi host\n");
+- return ERR_PTR(-EPROBE_DEFER);
+- }
++ if (!host)
++ return ERR_PTR(dev_err_probe(lt9611->dev, -EPROBE_DEFER, "failed to find dsi host\n"));
+
+ dsi = mipi_dsi_device_register_full(host, &info);
+ if (IS_ERR(dsi)) {
+--
+2.43.0
+
--- /dev/null
+From f649d39062f1a3d3f98304bd0560f916c8ef1ecf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Apr 2024 17:49:34 -0400
+Subject: drm/bridge: tc358775: Don't log an error when DSI host can't be found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: NÃcolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit 272377aa0e3dddeec3f568c8bb9d12c7a79d8ef5 ]
+
+Given that failing to find a DSI host causes the driver to defer probe,
+make use of dev_err_probe() to log the reason. This makes the defer
+probe reason available and avoids alerting userspace about something
+that is not necessarily an error.
+
+Fixes: b26975593b17 ("display/drm/bridge: TC358775 DSI/LVDS driver")
+Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: NÃcolas F. R. A. Prado <nfraprado@collabora.com>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240415-anx7625-defer-log-no-dsi-host-v3-6-619a28148e5c@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/tc358775.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/tc358775.c b/drivers/gpu/drm/bridge/tc358775.c
+index 2272adcc5b4ad..55697fa4d7c8b 100644
+--- a/drivers/gpu/drm/bridge/tc358775.c
++++ b/drivers/gpu/drm/bridge/tc358775.c
+@@ -605,10 +605,8 @@ static int tc_bridge_attach(struct drm_bridge *bridge,
+ };
+
+ host = of_find_mipi_dsi_host_by_node(tc->host_node);
+- if (!host) {
+- dev_err(dev, "failed to find dsi host\n");
+- return -EPROBE_DEFER;
+- }
++ if (!host)
++ return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n");
+
+ dsi = mipi_dsi_device_register_full(host, &info);
+ if (IS_ERR(dsi)) {
+--
+2.43.0
+
--- /dev/null
+From 5340bdf0b97825e6ae5a3a3b14a31337ff832763 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 13:00:51 -0500
+Subject: drm/mediatek: Add 0 size check to mtk_drm_gem_obj
+
+From: Justin Green <greenjustin@chromium.org>
+
+[ Upstream commit 1e4350095e8ab2577ee05f8c3b044e661b5af9a0 ]
+
+Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object
+of 0 bytes. Currently, no such check exists and the kernel will panic if
+a userspace application attempts to allocate a 0x0 GBM buffer.
+
+Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and
+verifying that we now return EINVAL.
+
+Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Justin Green <greenjustin@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240307180051.4104425-1-greenjustin@chromium.org/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+index b20ea58907c2a..1dac9cd20d466 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+@@ -21,6 +21,9 @@ static struct mtk_drm_gem_obj *mtk_drm_gem_init(struct drm_device *dev,
+
+ size = round_up(size, PAGE_SIZE);
+
++ if (size == 0)
++ return ERR_PTR(-EINVAL);
++
+ mtk_gem_obj = kzalloc(sizeof(*mtk_gem_obj), GFP_KERNEL);
+ if (!mtk_gem_obj)
+ return ERR_PTR(-ENOMEM);
+--
+2.43.0
+
--- /dev/null
+From f36e5df865c77d4e8a19902d25f52255f9c12086 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jan 2024 23:07:04 +0000
+Subject: drm/meson: vclk: fix calculation of 59.94 fractional rates
+
+From: Christian Hewitt <christianshewitt@gmail.com>
+
+[ Upstream commit bfbc68e4d8695497f858a45a142665e22a512ea3 ]
+
+Playing 4K media with 59.94 fractional rate (typically VP9) causes the screen to lose
+sync with the following error reported in the system log:
+
+[ 89.610280] Fatal Error, invalid HDMI vclk freq 593406
+
+Modetest shows the following:
+
+3840x2160 59.94 3840 4016 4104 4400 2160 2168 2178 2250 593407 flags: xxxx, xxxx,
+drm calculated value -------------------------------------^
+
+Change the fractional rate calculation to stop DIV_ROUND_CLOSEST rounding down which
+results in vclk freq failing to match correctly.
+
+Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup")
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240109230704.4120561-1-christianshewitt@gmail.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240109230704.4120561-1-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_vclk.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c
+index 0eb86943a3588..37127ba40aa97 100644
+--- a/drivers/gpu/drm/meson/meson_vclk.c
++++ b/drivers/gpu/drm/meson/meson_vclk.c
+@@ -790,13 +790,13 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
+ FREQ_1000_1001(params[i].pixel_freq));
+ DRM_DEBUG_DRIVER("i = %d phy_freq = %d alt = %d\n",
+ i, params[i].phy_freq,
+- FREQ_1000_1001(params[i].phy_freq/10)*10);
++ FREQ_1000_1001(params[i].phy_freq/1000)*1000);
+ /* Match strict frequency */
+ if (phy_freq == params[i].phy_freq &&
+ vclk_freq == params[i].vclk_freq)
+ return MODE_OK;
+ /* Match 1000/1001 variant */
+- if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/10)*10) &&
++ if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/1000)*1000) &&
+ vclk_freq == FREQ_1000_1001(params[i].vclk_freq))
+ return MODE_OK;
+ }
+@@ -1070,7 +1070,7 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
+
+ for (freq = 0 ; params[freq].pixel_freq ; ++freq) {
+ if ((phy_freq == params[freq].phy_freq ||
+- phy_freq == FREQ_1000_1001(params[freq].phy_freq/10)*10) &&
++ phy_freq == FREQ_1000_1001(params[freq].phy_freq/1000)*1000) &&
+ (vclk_freq == params[freq].vclk_freq ||
+ vclk_freq == FREQ_1000_1001(params[freq].vclk_freq))) {
+ if (vclk_freq != params[freq].vclk_freq)
+--
+2.43.0
+
--- /dev/null
+From df8e0950737e1957fe1ef78c44092b0f80111c4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2024 02:53:51 +0300
+Subject: drm/mipi-dsi: use correct return type for the DSC functions
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit de1c705c50326acaceaf1f02bc5bf6f267c572bd ]
+
+The functions mipi_dsi_compression_mode() and
+mipi_dsi_picture_parameter_set() return 0-or-error rather than a buffer
+size. Follow example of other similar MIPI DSI functions and use int
+return type instead of size_t.
+
+Fixes: f4dea1aaa9a1 ("drm/dsi: add helpers for DSI compression mode and PPS packets")
+Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240408-lg-sw43408-panel-v5-2-4e092da22991@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_mipi_dsi.c | 6 +++---
+ include/drm/drm_mipi_dsi.h | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
+index 83918ac1f6086..1e9842aac4dc9 100644
+--- a/drivers/gpu/drm/drm_mipi_dsi.c
++++ b/drivers/gpu/drm/drm_mipi_dsi.c
+@@ -572,7 +572,7 @@ EXPORT_SYMBOL(mipi_dsi_set_maximum_return_packet_size);
+ *
+ * Return: 0 on success or a negative error code on failure.
+ */
+-ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable)
++int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable)
+ {
+ /* Note: Needs updating for non-default PPS or algorithm */
+ u8 tx[2] = { enable << 0, 0 };
+@@ -597,8 +597,8 @@ EXPORT_SYMBOL(mipi_dsi_compression_mode);
+ *
+ * Return: 0 on success or a negative error code on failure.
+ */
+-ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
+- const struct drm_dsc_picture_parameter_set *pps)
++int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
++ const struct drm_dsc_picture_parameter_set *pps)
+ {
+ struct mipi_dsi_msg msg = {
+ .channel = dsi->channel,
+diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
+index 3c0d1495c062d..0dbed65c0ca5a 100644
+--- a/include/drm/drm_mipi_dsi.h
++++ b/include/drm/drm_mipi_dsi.h
+@@ -231,9 +231,9 @@ int mipi_dsi_shutdown_peripheral(struct mipi_dsi_device *dsi);
+ int mipi_dsi_turn_on_peripheral(struct mipi_dsi_device *dsi);
+ int mipi_dsi_set_maximum_return_packet_size(struct mipi_dsi_device *dsi,
+ u16 value);
+-ssize_t mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable);
+-ssize_t mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
+- const struct drm_dsc_picture_parameter_set *pps);
++int mipi_dsi_compression_mode(struct mipi_dsi_device *dsi, bool enable);
++int mipi_dsi_picture_parameter_set(struct mipi_dsi_device *dsi,
++ const struct drm_dsc_picture_parameter_set *pps);
+
+ ssize_t mipi_dsi_generic_write(struct mipi_dsi_device *dsi, const void *payload,
+ size_t size);
+--
+2.43.0
+
--- /dev/null
+From afb32f3122c9770da43b6a4b17bfe87d43d7dd9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 11:27:36 +0100
+Subject: drm/panel: simple: Add missing Innolux G121X1-L03 format, flags,
+ connector
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 11ac72d033b9f577e8ba0c7a41d1c312bb232593 ]
+
+The .bpc = 6 implies .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG ,
+add the missing bus_format. Add missing connector type and bus_flags
+as well.
+
+Documentation [1] 1.4 GENERAL SPECIFICATI0NS indicates this panel is
+capable of both RGB 18bit/24bit panel, the current configuration uses
+18bit mode, .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG , .bpc = 6.
+
+Support for the 24bit mode would require another entry in panel-simple
+with .bus_format = MEDIA_BUS_FMT_RGB666_1X7X4_SPWG and .bpc = 8, which
+is out of scope of this fix.
+
+[1] https://www.distec.de/fileadmin/pdf/produkte/TFT-Displays/Innolux/G121X1-L03_Datasheet.pdf
+
+Fixes: f8fa17ba812b ("drm/panel: simple: Add support for Innolux G121X1-L03")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Acked-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240328102746.17868-2-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 51470020ba61d..7797aad592a19 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2235,6 +2235,9 @@ static const struct panel_desc innolux_g121x1_l03 = {
+ .unprepare = 200,
+ .disable = 400,
+ },
++ .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG,
++ .bus_flags = DRM_BUS_FLAG_DE_HIGH,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From dfba7b8e7736ffd916e25e1def7769ca78d64d2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Apr 2024 10:56:22 +0300
+Subject: drm: vc4: Fix possible null pointer dereference
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit c534b63bede6cb987c2946ed4d0b0013a52c5ba7 ]
+
+In vc4_hdmi_audio_init() of_get_address() may return
+NULL which is later dereferenced. Fix this bug by adding NULL check.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: bb7d78568814 ("drm/vc4: Add HDMI audio support")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Signed-off-by: Maxime Ripard <mripard@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240409075622.11783-1-amishin@t-argos.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 6d01258349faa..0bd49538cb6db 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -1253,6 +1253,8 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi)
+ index = 1;
+
+ addr = of_get_address(dev->of_node, index, NULL, NULL);
++ if (!addr)
++ return -EINVAL;
+
+ vc4_hdmi->audio.dma_data.addr = be32_to_cpup(addr) + mai_data->offset;
+ vc4_hdmi->audio.dma_data.addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+--
+2.43.0
+
--- /dev/null
+From fbfce6ee3ad03758b03c634747d36fbb055ef110 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Mar 2024 07:46:00 -0700
+Subject: ecryptfs: Fix buffer size for tag 66 packet
+
+From: Brian Kubisiak <brian@kubisiak.com>
+
+[ Upstream commit 85a6a1aff08ec9f5b929d345d066e2830e8818e5 ]
+
+The 'TAG 66 Packet Format' description is missing the cipher code and
+checksum fields that are packed into the message packet. As a result,
+the buffer allocated for the packet is 3 bytes too small and
+write_tag_66_packet() will write up to 3 bytes past the end of the
+buffer.
+
+Fix this by increasing the size of the allocation so the whole packet
+will always fit in the buffer.
+
+This fixes the below kasan slab-out-of-bounds bug:
+
+ BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0
+ Write of size 1 at addr ffff88800afbb2a5 by task touch/181
+
+ CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x4c/0x70
+ print_report+0xc5/0x610
+ ? ecryptfs_generate_key_packet_set+0x7d6/0xde0
+ ? kasan_complete_mode_report_info+0x44/0x210
+ ? ecryptfs_generate_key_packet_set+0x7d6/0xde0
+ kasan_report+0xc2/0x110
+ ? ecryptfs_generate_key_packet_set+0x7d6/0xde0
+ __asan_store1+0x62/0x80
+ ecryptfs_generate_key_packet_set+0x7d6/0xde0
+ ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10
+ ? __alloc_pages+0x2e2/0x540
+ ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]
+ ? dentry_open+0x8f/0xd0
+ ecryptfs_write_metadata+0x30a/0x550
+ ? __pfx_ecryptfs_write_metadata+0x10/0x10
+ ? ecryptfs_get_lower_file+0x6b/0x190
+ ecryptfs_initialize_file+0x77/0x150
+ ecryptfs_create+0x1c2/0x2f0
+ path_openat+0x17cf/0x1ba0
+ ? __pfx_path_openat+0x10/0x10
+ do_filp_open+0x15e/0x290
+ ? __pfx_do_filp_open+0x10/0x10
+ ? __kasan_check_write+0x18/0x30
+ ? _raw_spin_lock+0x86/0xf0
+ ? __pfx__raw_spin_lock+0x10/0x10
+ ? __kasan_check_write+0x18/0x30
+ ? alloc_fd+0xf4/0x330
+ do_sys_openat2+0x122/0x160
+ ? __pfx_do_sys_openat2+0x10/0x10
+ __x64_sys_openat+0xef/0x170
+ ? __pfx___x64_sys_openat+0x10/0x10
+ do_syscall_64+0x60/0xd0
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+ RIP: 0033:0x7f00a703fd67
+ Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
+ RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
+ RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67
+ RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c
+ RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000
+ R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941
+ R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040
+ </TASK>
+
+ Allocated by task 181:
+ kasan_save_stack+0x2f/0x60
+ kasan_set_track+0x29/0x40
+ kasan_save_alloc_info+0x25/0x40
+ __kasan_kmalloc+0xc5/0xd0
+ __kmalloc+0x66/0x160
+ ecryptfs_generate_key_packet_set+0x6d2/0xde0
+ ecryptfs_write_metadata+0x30a/0x550
+ ecryptfs_initialize_file+0x77/0x150
+ ecryptfs_create+0x1c2/0x2f0
+ path_openat+0x17cf/0x1ba0
+ do_filp_open+0x15e/0x290
+ do_sys_openat2+0x122/0x160
+ __x64_sys_openat+0xef/0x170
+ do_syscall_64+0x60/0xd0
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+Fixes: dddfa461fc89 ("[PATCH] eCryptfs: Public key; packet management")
+Signed-off-by: Brian Kubisiak <brian@kubisiak.com>
+Link: https://lore.kernel.org/r/5j2q56p6qkhezva6b2yuqfrsurmvrrqtxxzrnp3wqu7xrz22i7@hoecdztoplbl
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ecryptfs/keystore.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
+index f6a17d259db74..afe51b4be1e73 100644
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -300,9 +300,11 @@ write_tag_66_packet(char *signature, u8 cipher_code,
+ * | Key Identifier Size | 1 or 2 bytes |
+ * | Key Identifier | arbitrary |
+ * | File Encryption Key Size | 1 or 2 bytes |
++ * | Cipher Code | 1 byte |
+ * | File Encryption Key | arbitrary |
++ * | Checksum | 2 bytes |
+ */
+- data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size);
++ data_len = (8 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size);
+ *packet = kmalloc(data_len, GFP_KERNEL);
+ message = *packet;
+ if (!message) {
+--
+2.43.0
+
--- /dev/null
+From 1fec30f5e689d2e5d9a67daee3e7869877e73f76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 06:45:04 -0700
+Subject: eth: sungem: remove .ndo_poll_controller to avoid deadlocks
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ac0a230f719b02432d8c7eba7615ebd691da86f4 ]
+
+Erhard reports netpoll warnings from sungem:
+
+ netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)
+ WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c
+
+gem_poll_controller() disables interrupts, which may sleep.
+We can't sleep in netpoll, it has interrupts disabled completely.
+Strangely, gem_poll_controller() doesn't even poll the completions,
+and instead acts as if an interrupt has fired so it just schedules
+NAPI and exits. None of this has been necessary for years, since
+netpoll invokes NAPI directly.
+
+Fixes: fe09bb619096 ("sungem: Spring cleaning and GRO support")
+Reported-and-tested-by: Erhard Furtner <erhard_f@mailbox.org>
+Link: https://lore.kernel.org/all/20240428125306.2c3080ef@legion
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240508134504.3560956-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/sungem.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c
+index 58f142ee78a30..4d6a9f02c7388 100644
+--- a/drivers/net/ethernet/sun/sungem.c
++++ b/drivers/net/ethernet/sun/sungem.c
+@@ -949,17 +949,6 @@ static irqreturn_t gem_interrupt(int irq, void *dev_id)
+ return IRQ_HANDLED;
+ }
+
+-#ifdef CONFIG_NET_POLL_CONTROLLER
+-static void gem_poll_controller(struct net_device *dev)
+-{
+- struct gem *gp = netdev_priv(dev);
+-
+- disable_irq(gp->pdev->irq);
+- gem_interrupt(gp->pdev->irq, dev);
+- enable_irq(gp->pdev->irq);
+-}
+-#endif
+-
+ static void gem_tx_timeout(struct net_device *dev, unsigned int txqueue)
+ {
+ struct gem *gp = netdev_priv(dev);
+@@ -2836,9 +2825,6 @@ static const struct net_device_ops gem_netdev_ops = {
+ .ndo_change_mtu = gem_change_mtu,
+ .ndo_validate_addr = eth_validate_addr,
+ .ndo_set_mac_address = gem_set_mac_address,
+-#ifdef CONFIG_NET_POLL_CONTROLLER
+- .ndo_poll_controller = gem_poll_controller,
+-#endif
+ };
+
+ static int gem_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+--
+2.43.0
+
--- /dev/null
+From 1c8dab18c561a778219da8dca5bf1eac224c8e73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 12:53:20 +0100
+Subject: ext4: avoid excessive credit estimate in ext4_tmpfile()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 35a1f12f0ca857fee1d7a04ef52cbd5f1f84de13 ]
+
+A user with minimum journal size (1024 blocks these days) complained
+about the following error triggered by generic/697 test in
+ext4_tmpfile():
+
+run fstests generic/697 at 2024-02-28 05:34:46
+JBD2: vfstest wants too many credits credits:260 rsv_credits:0 max:256
+EXT4-fs error (device loop0) in __ext4_new_inode:1083: error 28
+
+Indeed the credit estimate in ext4_tmpfile() is huge.
+EXT4_MAXQUOTAS_INIT_BLOCKS() is 219, then 10 credits from ext4_tmpfile()
+itself and then ext4_xattr_credits_for_new_inode() adds more credits
+needed for security attributes and ACLs. Now the
+EXT4_MAXQUOTAS_INIT_BLOCKS() is in fact unnecessary because we've
+already initialized quotas with dquot_init() shortly before and so
+EXT4_MAXQUOTAS_TRANS_BLOCKS() is enough (which boils down to 3 credits).
+
+Fixes: af51a2ac36d1 ("ext4: ->tmpfile() support")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Tested-by: Luis Henriques <lhenriques@suse.de>
+Tested-by: Disha Goel <disgoel@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240307115320.28949-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index a50eb4c61ecc6..af0801593abb8 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2748,7 +2748,7 @@ static int ext4_tmpfile(struct inode *dir, struct dentry *dentry, umode_t mode)
+ inode = ext4_new_inode_start_handle(dir, mode,
+ NULL, 0, NULL,
+ EXT4_HT_DIR,
+- EXT4_MAXQUOTAS_INIT_BLOCKS(dir->i_sb) +
++ EXT4_MAXQUOTAS_TRANS_BLOCKS(dir->i_sb) +
+ 4 + EXT4_XATTR_TRANS_BLOCKS);
+ handle = ext4_journal_current_handle();
+ err = PTR_ERR(inode);
+--
+2.43.0
+
--- /dev/null
+From 55f658f4852b25665e6e2344d53aa05a844bb621 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Apr 2024 21:10:40 +0300
+Subject: ext4: fix potential unnitialized variable
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 3f4830abd236d0428e50451e1ecb62e14c365e9b ]
+
+Smatch complains "err" can be uninitialized in the caller.
+
+ fs/ext4/indirect.c:349 ext4_alloc_branch()
+ error: uninitialized symbol 'err'.
+
+Set the error to zero on the success path.
+
+Fixes: 8016e29f4362 ("ext4: fast commit recovery path")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/363a4673-0fb8-4adf-b4fb-90a499077276@moroto.mountain
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 099007ec774c7..87378d08a414b 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5147,6 +5147,7 @@ ext4_mb_new_blocks_simple(struct ext4_allocation_request *ar, int *errp)
+ ext4_mb_mark_bb(sb, block, 1, 1);
+ ar->len = 1;
+
++ *errp = 0;
+ return block;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 7fbeb182e6e4006f326f733e90bde531b7beabd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Jun 2023 23:03:10 +0800
+Subject: ext4: fix unit mismatch in ext4_mb_new_blocks_simple
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit 497885f72d930305d8e61b6b616b22b4da1adf90 ]
+
+The "i" returned from mb_find_next_zero_bit is in cluster unit and we
+need offset "block" corresponding to "i" in block unit. Convert "i" to
+block unit to fix the unit mismatch.
+
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230603150327.3596033-3-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 3f4830abd236 ("ext4: fix potential unnitialized variable")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 26beaf102ce36..f54f23afd93d2 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5349,6 +5349,7 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+ {
+ struct buffer_head *bitmap_bh;
+ struct super_block *sb = ar->inode->i_sb;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ ext4_group_t group;
+ ext4_grpblk_t blkoff;
+ ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb);
+@@ -5377,7 +5378,8 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+ if (i >= max)
+ break;
+ if (ext4_fc_replay_check_excluded(sb,
+- ext4_group_first_block_no(sb, group) + i)) {
++ ext4_group_first_block_no(sb, group) +
++ EXT4_C2B(sbi, i))) {
+ blkoff = i + 1;
+ } else
+ break;
+@@ -5394,7 +5396,7 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+ return 0;
+ }
+
+- block = ext4_group_first_block_no(sb, group) + i;
++ block = ext4_group_first_block_no(sb, group) + EXT4_C2B(sbi, i);
+ ext4_mb_mark_bb(sb, block, 1, 1);
+ ar->len = 1;
+
+--
+2.43.0
+
--- /dev/null
+From d46e6f057918e6e4e85c327afc1909443b9ea5e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Jun 2023 23:03:17 +0800
+Subject: ext4: remove unused parameter from ext4_mb_new_blocks_simple()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit ad78b5efe4246e5deba8d44a6ed172b8a00d3113 ]
+
+Two cleanups for ext4_mb_new_blocks_simple:
+Remove unused parameter handle of ext4_mb_new_blocks_simple.
+Move ext4_mb_new_blocks_simple definition before ext4_mb_new_blocks to
+remove unnecessary forward declaration of ext4_mb_new_blocks_simple.
+
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230603150327.3596033-10-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 3f4830abd236 ("ext4: fix potential unnitialized variable")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 137 +++++++++++++++++++++++-----------------------
+ 1 file changed, 67 insertions(+), 70 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index de69929495a5a..099007ec774c7 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5083,8 +5083,72 @@ static bool ext4_mb_discard_preallocations_should_retry(struct super_block *sb,
+ return ret;
+ }
+
+-static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+- struct ext4_allocation_request *ar, int *errp);
++/*
++ * Simple allocator for Ext4 fast commit replay path. It searches for blocks
++ * linearly starting at the goal block and also excludes the blocks which
++ * are going to be in use after fast commit replay.
++ */
++static ext4_fsblk_t
++ext4_mb_new_blocks_simple(struct ext4_allocation_request *ar, int *errp)
++{
++ struct buffer_head *bitmap_bh;
++ struct super_block *sb = ar->inode->i_sb;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
++ ext4_group_t group, nr;
++ ext4_grpblk_t blkoff;
++ ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb);
++ ext4_grpblk_t i = 0;
++ ext4_fsblk_t goal, block;
++ struct ext4_super_block *es = EXT4_SB(sb)->s_es;
++
++ goal = ar->goal;
++ if (goal < le32_to_cpu(es->s_first_data_block) ||
++ goal >= ext4_blocks_count(es))
++ goal = le32_to_cpu(es->s_first_data_block);
++
++ ar->len = 0;
++ ext4_get_group_no_and_offset(sb, goal, &group, &blkoff);
++ for (nr = ext4_get_groups_count(sb); nr > 0; nr--) {
++ bitmap_bh = ext4_read_block_bitmap(sb, group);
++ if (IS_ERR(bitmap_bh)) {
++ *errp = PTR_ERR(bitmap_bh);
++ pr_warn("Failed to read block bitmap\n");
++ return 0;
++ }
++
++ while (1) {
++ i = mb_find_next_zero_bit(bitmap_bh->b_data, max,
++ blkoff);
++ if (i >= max)
++ break;
++ if (ext4_fc_replay_check_excluded(sb,
++ ext4_group_first_block_no(sb, group) +
++ EXT4_C2B(sbi, i))) {
++ blkoff = i + 1;
++ } else
++ break;
++ }
++ brelse(bitmap_bh);
++ if (i < max)
++ break;
++
++ if (++group >= ext4_get_groups_count(sb))
++ group = 0;
++
++ blkoff = 0;
++ }
++
++ if (i >= max) {
++ *errp = -ENOSPC;
++ return 0;
++ }
++
++ block = ext4_group_first_block_no(sb, group) + EXT4_C2B(sbi, i);
++ ext4_mb_mark_bb(sb, block, 1, 1);
++ ar->len = 1;
++
++ return block;
++}
+
+ /*
+ * Main entry point into mballoc to allocate blocks
+@@ -5109,7 +5173,7 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle,
+
+ trace_ext4_request_blocks(ar);
+ if (sbi->s_mount_state & EXT4_FC_REPLAY)
+- return ext4_mb_new_blocks_simple(handle, ar, errp);
++ return ext4_mb_new_blocks_simple(ar, errp);
+
+ /* Allow to use superuser reservation for quota file */
+ if (ext4_is_quota_file(ar->inode))
+@@ -5339,73 +5403,6 @@ ext4_mb_free_metadata(handle_t *handle, struct ext4_buddy *e4b,
+ return 0;
+ }
+
+-/*
+- * Simple allocator for Ext4 fast commit replay path. It searches for blocks
+- * linearly starting at the goal block and also excludes the blocks which
+- * are going to be in use after fast commit replay.
+- */
+-static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+- struct ext4_allocation_request *ar, int *errp)
+-{
+- struct buffer_head *bitmap_bh;
+- struct super_block *sb = ar->inode->i_sb;
+- struct ext4_sb_info *sbi = EXT4_SB(sb);
+- ext4_group_t group, nr;
+- ext4_grpblk_t blkoff;
+- ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb);
+- ext4_grpblk_t i = 0;
+- ext4_fsblk_t goal, block;
+- struct ext4_super_block *es = EXT4_SB(sb)->s_es;
+-
+- goal = ar->goal;
+- if (goal < le32_to_cpu(es->s_first_data_block) ||
+- goal >= ext4_blocks_count(es))
+- goal = le32_to_cpu(es->s_first_data_block);
+-
+- ar->len = 0;
+- ext4_get_group_no_and_offset(sb, goal, &group, &blkoff);
+- for (nr = ext4_get_groups_count(sb); nr > 0; nr--) {
+- bitmap_bh = ext4_read_block_bitmap(sb, group);
+- if (IS_ERR(bitmap_bh)) {
+- *errp = PTR_ERR(bitmap_bh);
+- pr_warn("Failed to read block bitmap\n");
+- return 0;
+- }
+-
+- while (1) {
+- i = mb_find_next_zero_bit(bitmap_bh->b_data, max,
+- blkoff);
+- if (i >= max)
+- break;
+- if (ext4_fc_replay_check_excluded(sb,
+- ext4_group_first_block_no(sb, group) +
+- EXT4_C2B(sbi, i))) {
+- blkoff = i + 1;
+- } else
+- break;
+- }
+- brelse(bitmap_bh);
+- if (i < max)
+- break;
+-
+- if (++group >= ext4_get_groups_count(sb))
+- group = 0;
+-
+- blkoff = 0;
+- }
+-
+- if (i >= max) {
+- *errp = -ENOSPC;
+- return 0;
+- }
+-
+- block = ext4_group_first_block_no(sb, group) + EXT4_C2B(sbi, i);
+- ext4_mb_mark_bb(sb, block, 1, 1);
+- ar->len = 1;
+-
+- return block;
+-}
+-
+ static void ext4_free_blocks_simple(struct inode *inode, ext4_fsblk_t block,
+ unsigned long count)
+ {
+--
+2.43.0
+
--- /dev/null
+From c660bd7308ec234e132dc66140a76547826999bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Mar 2023 01:21:20 +0800
+Subject: ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit 253cacb0de89235673ad5889d61f275a73dbee79 ]
+
+We try to allocate a block from goal in ext4_mb_new_blocks_simple. We
+only need get blkoff in first group with goal and set blkoff to 0 for
+the rest groups.
+
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Link: https://lore.kernel.org/r/20230303172120.3800725-21-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 3f4830abd236 ("ext4: fix potential unnitialized variable")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index c1d632725c2c0..26beaf102ce36 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5371,9 +5371,6 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+ return 0;
+ }
+
+- ext4_get_group_no_and_offset(sb,
+- max(ext4_group_first_block_no(sb, group), goal),
+- NULL, &blkoff);
+ while (1) {
+ i = mb_find_next_zero_bit(bitmap_bh->b_data, max,
+ blkoff);
+@@ -5388,6 +5385,8 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+ brelse(bitmap_bh);
+ if (i < max)
+ break;
++
++ blkoff = 0;
+ }
+
+ if (group >= ext4_get_groups_count(sb) || i >= max) {
+--
+2.43.0
+
--- /dev/null
+From 53165f2420608cf426fac7b85f610295e9d165f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Jun 2023 23:03:15 +0800
+Subject: ext4: try all groups in ext4_mb_new_blocks_simple
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit 19a043bb1fd1b5cb2652ca33536c55e6c0a70df0 ]
+
+ext4_mb_new_blocks_simple ignores the group before goal, so it will fail
+if free blocks reside in group before goal. Try all groups to avoid
+unexpected failure.
+Search finishes either if any free block is found or if no available
+blocks are found. Simpliy check "i >= max" to distinguish the above
+cases.
+
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Suggested-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230603150327.3596033-8-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 3f4830abd236 ("ext4: fix potential unnitialized variable")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index f54f23afd93d2..de69929495a5a 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5350,7 +5350,7 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+ struct buffer_head *bitmap_bh;
+ struct super_block *sb = ar->inode->i_sb;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+- ext4_group_t group;
++ ext4_group_t group, nr;
+ ext4_grpblk_t blkoff;
+ ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb);
+ ext4_grpblk_t i = 0;
+@@ -5364,7 +5364,7 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+
+ ar->len = 0;
+ ext4_get_group_no_and_offset(sb, goal, &group, &blkoff);
+- for (; group < ext4_get_groups_count(sb); group++) {
++ for (nr = ext4_get_groups_count(sb); nr > 0; nr--) {
+ bitmap_bh = ext4_read_block_bitmap(sb, group);
+ if (IS_ERR(bitmap_bh)) {
+ *errp = PTR_ERR(bitmap_bh);
+@@ -5388,10 +5388,13 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle,
+ if (i < max)
+ break;
+
++ if (++group >= ext4_get_groups_count(sb))
++ group = 0;
++
+ blkoff = 0;
+ }
+
+- if (group >= ext4_get_groups_count(sb) || i >= max) {
++ if (i >= max) {
+ *errp = -ENOSPC;
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 47d913a675b298ab970943723a21836cac1e8f25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 21:39:38 -0800
+Subject: fbdev: sh7760fb: allow modular build
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 51084f89d687e14d96278241e5200cde4b0985c7 ]
+
+There is no reason to prohibit sh7760fb from being built as a
+loadable module as suggested by Geert, so change the config symbol
+from bool to tristate to allow that and change the FB dependency as
+needed.
+
+Fixes: f75f71b2c418 ("fbdev/sh7760fb: Depend on FB=y")
+Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-fbdev@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Acked-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Acked-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
+index dd59584630979..9ad3e51578691 100644
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -2013,8 +2013,8 @@ config FB_COBALT
+ depends on FB && MIPS_COBALT
+
+ config FB_SH7760
+- bool "SH7760/SH7763/SH7720/SH7721 LCDC support"
+- depends on FB=y && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \
++ tristate "SH7760/SH7763/SH7720/SH7721 LCDC support"
++ depends on FB && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \
+ || CPU_SUBTYPE_SH7720 || CPU_SUBTYPE_SH7721)
+ select FB_CFB_FILLRECT
+ select FB_CFB_COPYAREA
+--
+2.43.0
+
--- /dev/null
+From be8d1532e0645ea6bddd8d6f6f17654a70657887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 23:38:00 +0100
+Subject: fbdev: shmobile: fix snprintf truncation
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 26c8cfb9d1e4b252336d23dd5127a8cbed414a32 ]
+
+The name of the overlay does not fit into the fixed-length field:
+
+drivers/video/fbdev/sh_mobile_lcdcfb.c:1577:2: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 25
+
+Make it short enough by changing the string.
+
+Fixes: c5deac3c9b22 ("fbdev: sh_mobile_lcdc: Implement overlays support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sh_mobile_lcdcfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c
+index c1043420dbd3e..21d13d16f973c 100644
+--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c
++++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c
+@@ -1580,7 +1580,7 @@ sh_mobile_lcdc_overlay_fb_init(struct sh_mobile_lcdc_overlay *ovl)
+ */
+ info->fix = sh_mobile_lcdc_overlay_fix;
+ snprintf(info->fix.id, sizeof(info->fix.id),
+- "SH Mobile LCDC Overlay %u", ovl->index);
++ "SHMobile ovl %u", ovl->index);
+ info->fix.smem_start = ovl->dma_handle;
+ info->fix.smem_len = ovl->fb_size;
+ info->fix.line_length = ovl->pitch;
+--
+2.43.0
+
--- /dev/null
+From 6ac5a5dfbbb7a6e2583019f2319db61e8f3b38db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 10:06:31 +0200
+Subject: fbdev: sisfb: hide unused variables
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 688cf598665851b9e8cb5083ff1d208ce43d10ff ]
+
+Building with W=1 shows that a couple of variables in this driver are only
+used in certain configurations:
+
+drivers/video/fbdev/sis/init301.c:239:28: error: 'SiS_Part2CLVX_6' defined but not used [-Werror=unused-const-variable=]
+ 239 | static const unsigned char SiS_Part2CLVX_6[] = { /* 1080i */
+ | ^~~~~~~~~~~~~~~
+drivers/video/fbdev/sis/init301.c:230:28: error: 'SiS_Part2CLVX_5' defined but not used [-Werror=unused-const-variable=]
+ 230 | static const unsigned char SiS_Part2CLVX_5[] = { /* 750p */
+ | ^~~~~~~~~~~~~~~
+drivers/video/fbdev/sis/init301.c:211:28: error: 'SiS_Part2CLVX_4' defined but not used [-Werror=unused-const-variable=]
+ 211 | static const unsigned char SiS_Part2CLVX_4[] = { /* PAL */
+ | ^~~~~~~~~~~~~~~
+drivers/video/fbdev/sis/init301.c:192:28: error: 'SiS_Part2CLVX_3' defined but not used [-Werror=unused-const-variable=]
+ 192 | static const unsigned char SiS_Part2CLVX_3[] = { /* NTSC, 525i, 525p */
+ | ^~~~~~~~~~~~~~~
+drivers/video/fbdev/sis/init301.c:184:28: error: 'SiS_Part2CLVX_2' defined but not used [-Werror=unused-const-variable=]
+ 184 | static const unsigned char SiS_Part2CLVX_2[] = {
+ | ^~~~~~~~~~~~~~~
+drivers/video/fbdev/sis/init301.c:176:28: error: 'SiS_Part2CLVX_1' defined but not used [-Werror=unused-const-variable=]
+ 176 | static const unsigned char SiS_Part2CLVX_1[] = {
+ | ^~~~~~~~~~~~~~~
+
+This started showing up after the definitions were moved into the
+source file from the header, which was not flagged by the compiler.
+Move the definition into the appropriate #ifdef block that already
+exists next to them.
+
+Fixes: 5908986ef348 ("video: fbdev: sis: avoid mismatched prototypes")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sis/init301.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/sis/init301.c b/drivers/video/fbdev/sis/init301.c
+index a8fb41f1a2580..09329072004f4 100644
+--- a/drivers/video/fbdev/sis/init301.c
++++ b/drivers/video/fbdev/sis/init301.c
+@@ -172,7 +172,7 @@ static const unsigned char SiS_HiTVGroup3_2[] = {
+ };
+
+ /* 301C / 302ELV extended Part2 TV registers (4 tap scaler) */
+-
++#ifdef CONFIG_FB_SIS_315
+ static const unsigned char SiS_Part2CLVX_1[] = {
+ 0x00,0x00,
+ 0x00,0x20,0x00,0x00,0x7F,0x20,0x02,0x7F,0x7D,0x20,0x04,0x7F,0x7D,0x1F,0x06,0x7E,
+@@ -245,7 +245,6 @@ static const unsigned char SiS_Part2CLVX_6[] = { /* 1080i */
+ 0xFF,0xFF,
+ };
+
+-#ifdef CONFIG_FB_SIS_315
+ /* 661 et al LCD data structure (2.03.00) */
+ static const unsigned char SiS_LCDStruct661[] = {
+ /* 1024x768 */
+--
+2.43.0
+
--- /dev/null
+From 3f0875dceed6f1a237939da75c5e31eba03326c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 21:58:06 +0200
+Subject: firmware: raspberrypi: Use correct device for DMA mappings
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit df518a0ae1b982a4dcf2235464016c0c4576a34d ]
+
+The buffer used to transfer data over the mailbox interface is mapped
+using the client's device. This is incorrect, as the device performing
+the DMA transfer is the mailbox itself. Fix it by using the mailbox
+controller device instead.
+
+This requires including the mailbox_controller.h header to dereference
+the mbox_chan and mbox_controller structures. The header is not meant to
+be included by clients. This could be fixed by extending the client API
+with a function to access the controller's device.
+
+Fixes: 4e3d60656a72 ("ARM: bcm2835: Add the Raspberry Pi firmware driver")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Tested-by: Ivan T. Ivanov <iivanov@suse.de>
+Link: https://lore.kernel.org/r/20240326195807.15163-3-laurent.pinchart@ideasonboard.com
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/raspberrypi.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c
+index 45ff03da234a6..c8a292df6fea5 100644
+--- a/drivers/firmware/raspberrypi.c
++++ b/drivers/firmware/raspberrypi.c
+@@ -9,6 +9,7 @@
+ #include <linux/dma-mapping.h>
+ #include <linux/kref.h>
+ #include <linux/mailbox_client.h>
++#include <linux/mailbox_controller.h>
+ #include <linux/module.h>
+ #include <linux/of_platform.h>
+ #include <linux/platform_device.h>
+@@ -96,8 +97,8 @@ int rpi_firmware_property_list(struct rpi_firmware *fw,
+ if (size & 3)
+ return -EINVAL;
+
+- buf = dma_alloc_coherent(fw->cl.dev, PAGE_ALIGN(size), &bus_addr,
+- GFP_ATOMIC);
++ buf = dma_alloc_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size),
++ &bus_addr, GFP_ATOMIC);
+ if (!buf)
+ return -ENOMEM;
+
+@@ -125,7 +126,7 @@ int rpi_firmware_property_list(struct rpi_firmware *fw,
+ ret = -EINVAL;
+ }
+
+- dma_free_coherent(fw->cl.dev, PAGE_ALIGN(size), buf, bus_addr);
++ dma_free_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), buf, bus_addr);
+
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 5d1f2894afef3b710ec60b2822098180943eb75e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Apr 2024 13:47:51 +0200
+Subject: gfs2: Fix "ignore unlock failures after withdraw"
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 5d9231111966b6c5a65016d58dcbeab91055bc91 ]
+
+Commit 3e11e53041502 tries to suppress dlm_lock() lock conversion errors
+that occur when the lockspace has already been released.
+
+It does that by setting and checking the SDF_SKIP_DLM_UNLOCK flag. This
+conflicts with the intended meaning of the SDF_SKIP_DLM_UNLOCK flag, so
+check whether the lockspace is still allocated instead.
+
+(Given the current DLM API, checking for this kind of error after the
+fact seems easier that than to make sure that the lockspace is still
+allocated before calling dlm_lock(). Changing the DLM API so that users
+maintain the lockspace references themselves would be an option.)
+
+Fixes: 3e11e53041502 ("GFS2: ignore unlock failures after withdraw")
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 4 +++-
+ fs/gfs2/util.c | 1 -
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index dd052101e2266..b0f01a8e37766 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -691,11 +691,13 @@ __acquires(&gl->gl_lockref.lock)
+ }
+
+ if (sdp->sd_lockstruct.ls_ops->lm_lock) {
++ struct lm_lockstruct *ls = &sdp->sd_lockstruct;
++
+ /* lock_dlm */
+ ret = sdp->sd_lockstruct.ls_ops->lm_lock(gl, target, lck_flags);
+ if (ret == -EINVAL && gl->gl_target == LM_ST_UNLOCKED &&
+ target == LM_ST_UNLOCKED &&
+- test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags)) {
++ test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) {
+ finish_xmote(gl, target);
+ gfs2_glock_queue_work(gl, 0);
+ } else if (ret) {
+diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c
+index 3ece99e6490c2..d11152dedb803 100644
+--- a/fs/gfs2/util.c
++++ b/fs/gfs2/util.c
+@@ -348,7 +348,6 @@ int gfs2_withdraw(struct gfs2_sbd *sdp)
+ fs_err(sdp, "telling LM to unmount\n");
+ lm->lm_unmount(sdp);
+ }
+- set_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags);
+ fs_err(sdp, "File system withdrawn\n");
+ dump_stack();
+ clear_bit(SDF_WITHDRAW_IN_PROG, &sdp->sd_flags);
+--
+2.43.0
+
--- /dev/null
+From 0903b064aa0f546a4bb0e0fc971e91d351983f26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 16:54:22 +0800
+Subject: HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 6baa4524027fd64d7ca524e1717c88c91a354b93 ]
+
+Add a check for the return value of pci_alloc_irq_vectors() and return
+error if it fails.
+
+[jkosina@suse.com: reworded changelog based on Srinivas' suggestion]
+Fixes: 74fbc7d371d9 ("HID: intel-ish-hid: add MSI interrupt support")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-ish-hid/ipc/pci-ish.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+index c6d48a8648b70..4a16ede402ff5 100644
+--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+@@ -164,6 +164,11 @@ static int ish_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ /* request and enable interrupt */
+ ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_ALL_TYPES);
++ if (ret < 0) {
++ dev_err(dev, "ISH: Failed to allocate IRQ vectors\n");
++ return ret;
++ }
++
+ if (!pdev->msi_enabled && !pdev->msix_enabled)
+ irq_flag = IRQF_SHARED;
+
+--
+2.43.0
+
--- /dev/null
+From b23b302b26947733d2c79ac51b5e1999e30fff25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 21:18:10 +0800
+Subject: ipv6: sr: add missing seg6_local_exit
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 3321687e321307629c71b664225b861ebf3e5753 ]
+
+Currently, we only call seg6_local_exit() in seg6_init() if
+seg6_local_init() failed. But forgot to call it in seg6_exit().
+
+Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240509131812.1662197-2-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index a8439fded12dc..1a7bd85746b3a 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -503,6 +503,7 @@ void seg6_exit(void)
+ seg6_hmac_exit();
+ #endif
+ #ifdef CONFIG_IPV6_SEG6_LWTUNNEL
++ seg6_local_exit();
+ seg6_iptunnel_exit();
+ #endif
+ unregister_pernet_subsys(&ip6_segments_ops);
+--
+2.43.0
+
--- /dev/null
+From f8d209420fec3716b4f6f403e96fc3d75533b935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 21:18:11 +0800
+Subject: ipv6: sr: fix incorrect unregister order
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 6e370a771d2985107e82d0f6174381c1acb49c20 ]
+
+Commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and
+null-ptr-deref") changed the register order in seg6_init(). But the
+unregister order in seg6_exit() is not updated.
+
+Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240509131812.1662197-3-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index 1a7bd85746b3a..722bbf4055b02 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -506,6 +506,6 @@ void seg6_exit(void)
+ seg6_local_exit();
+ seg6_iptunnel_exit();
+ #endif
+- unregister_pernet_subsys(&ip6_segments_ops);
+ genl_unregister_family(&seg6_genl_family);
++ unregister_pernet_subsys(&ip6_segments_ops);
+ }
+--
+2.43.0
+
--- /dev/null
+From a3f63c37713490e17a6991d06f706dccc4572115 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 21:18:12 +0800
+Subject: ipv6: sr: fix invalid unregister error path
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 160e9d2752181fcf18c662e74022d77d3164cd45 ]
+
+The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL
+is not defined. In that case if seg6_hmac_init() fails, the
+genl_unregister_family() isn't called.
+
+This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control
+lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible
+use-after-free and null-ptr-deref") replaced unregister_pernet_subsys()
+with genl_unregister_family() in this error path.
+
+Fixes: 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support")
+Reported-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240509131812.1662197-4-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index 722bbf4055b02..77221f27262aa 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -490,6 +490,8 @@ int __init seg6_init(void)
+ #endif
+ #ifdef CONFIG_IPV6_SEG6_LWTUNNEL
+ out_unregister_genl:
++#endif
++#if IS_ENABLED(CONFIG_IPV6_SEG6_LWTUNNEL) || IS_ENABLED(CONFIG_IPV6_SEG6_HMAC)
+ genl_unregister_family(&seg6_genl_family);
+ #endif
+ out_unregister_pernet:
+--
+2.43.0
+
--- /dev/null
+From 9f7e01abb71952cd88f0825b2b82605534bf135f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Mar 2024 22:23:05 +0800
+Subject: irqchip/alpine-msi: Fix off-by-one in allocation error path
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+[ Upstream commit ff3669a71afa06208de58d6bea1cc49d5e3fcbd1 ]
+
+When alpine_msix_gic_domain_alloc() fails, there is an off-by-one in the
+number of interrupts to be freed.
+
+Fix it by passing the number of successfully allocated interrupts, instead
+of the relative index of the last allocated one.
+
+Fixes: 3841245e8498 ("irqchip/alpine-msi: Fix freeing of interrupts on allocation error path")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20240327142305.1048-1-yuzenghui@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-alpine-msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c
+index 1819bb1d27230..aedbc4befcdf0 100644
+--- a/drivers/irqchip/irq-alpine-msi.c
++++ b/drivers/irqchip/irq-alpine-msi.c
+@@ -165,7 +165,7 @@ static int alpine_msix_middle_domain_alloc(struct irq_domain *domain,
+ return 0;
+
+ err_sgi:
+- irq_domain_free_irqs_parent(domain, virq, i - 1);
++ irq_domain_free_irqs_parent(domain, virq, i);
+ alpine_msix_free_sgi(priv, sgi, nr_irqs);
+ return err;
+ }
+--
+2.43.0
+
--- /dev/null
+From 85a5e249dea2ac70865325ee991bbb31833b62a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Mar 2024 22:23:34 +0800
+Subject: irqchip/loongson-pch-msi: Fix off-by-one on allocation error path
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+[ Upstream commit b327708798809328f21da8dc14cc8883d1e8a4b3 ]
+
+When pch_msi_parent_domain_alloc() returns an error, there is an off-by-one
+in the number of interrupts to be freed.
+
+Fix it by passing the number of successfully allocated interrupts, instead of the
+relative index of the last allocated one.
+
+Fixes: 632dcc2c75ef ("irqchip: Add Loongson PCH MSI controller")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Link: https://lore.kernel.org/r/20240327142334.1098-1-yuzenghui@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-loongson-pch-msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-loongson-pch-msi.c b/drivers/irqchip/irq-loongson-pch-msi.c
+index 32562b7e681b5..254a58fbb844a 100644
+--- a/drivers/irqchip/irq-loongson-pch-msi.c
++++ b/drivers/irqchip/irq-loongson-pch-msi.c
+@@ -132,7 +132,7 @@ static int pch_msi_middle_domain_alloc(struct irq_domain *domain,
+
+ err_hwirq:
+ pch_msi_free_hwirq(priv, hwirq, nr_irqs);
+- irq_domain_free_irqs_parent(domain, virq, i - 1);
++ irq_domain_free_irqs_parent(domain, virq, i);
+
+ return err;
+ }
+--
+2.43.0
+
--- /dev/null
+From 00976a99331dbd085ea5ec70608a7833b29b3c87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Apr 2024 18:53:54 +0300
+Subject: jffs2: prevent xattr node from overflowing the eraseblock
+
+From: Ilya Denisyev <dev@elkcl.ru>
+
+[ Upstream commit c6854e5a267c28300ff045480b5a7ee7f6f1d913 ]
+
+Add a check to make sure that the requested xattr node size is no larger
+than the eraseblock minus the cleanmarker.
+
+Unlike the usual inode nodes, the xattr nodes aren't split into parts
+and spread across multiple eraseblocks, which means that a xattr node
+must not occupy more than one eraseblock. If the requested xattr value is
+too large, the xattr node can spill onto the next eraseblock, overwriting
+the nodes and causing errors such as:
+
+jffs2: argh. node added in wrong place at 0x0000b050(2)
+jffs2: nextblock 0x0000a000, expected at 0000b00c
+jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,
+read=0xfc892c93, calc=0x000000
+jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed
+at 0x01e00c. {848f,2fc4,0fef511f,59a3d171}
+jffs2: Node at 0x0000000c with length 0x00001044 would run over the
+end of the erase block
+jffs2: Perhaps the file system was created with the wrong erase size?
+jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
+at 0x00000010: 0x1044 instead
+
+This breaks the filesystem and can lead to KASAN crashes such as:
+
+BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0
+Read of size 4 at addr ffff88802c31e914 by task repro/830
+CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS Arch Linux 1.16.3-1-1 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xc6/0x120
+ print_report+0xc4/0x620
+ ? __virt_addr_valid+0x308/0x5b0
+ kasan_report+0xc1/0xf0
+ ? jffs2_sum_add_kvec+0x125e/0x15d0
+ ? jffs2_sum_add_kvec+0x125e/0x15d0
+ jffs2_sum_add_kvec+0x125e/0x15d0
+ jffs2_flash_direct_writev+0xa8/0xd0
+ jffs2_flash_writev+0x9c9/0xef0
+ ? __x64_sys_setxattr+0xc4/0x160
+ ? do_syscall_64+0x69/0x140
+ ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [...]
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)")
+Signed-off-by: Ilya Denisyev <dev@elkcl.ru>
+Link: https://lore.kernel.org/r/20240412155357.237803-1-dev@elkcl.ru
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/xattr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/jffs2/xattr.c b/fs/jffs2/xattr.c
+index acb4492f5970c..5a31220f96f5f 100644
+--- a/fs/jffs2/xattr.c
++++ b/fs/jffs2/xattr.c
+@@ -1111,6 +1111,9 @@ int do_jffs2_setxattr(struct inode *inode, int xprefix, const char *xname,
+ return rc;
+
+ request = PAD(sizeof(struct jffs2_raw_xattr) + strlen(xname) + 1 + size);
++ if (request > c->sector_size - c->cleanmarker_size)
++ return -ERANGE;
++
+ rc = jffs2_reserve_space(c, request, &length,
+ ALLOC_NORMAL, JFFS2_SUMMARY_XATTR_SIZE);
+ if (rc) {
+--
+2.43.0
+
--- /dev/null
+From db26040de84deeba871129c88542299d1e2f50e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 15:36:31 +1200
+Subject: m68k: Fix spinlock race in kernel thread creation
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit da89ce46f02470ef08f0f580755d14d547da59ed ]
+
+Context switching does take care to retain the correct lock owner across
+the switch from 'prev' to 'next' tasks. This does rely on interrupts
+remaining disabled for the entire duration of the switch.
+
+This condition is guaranteed for normal process creation and context
+switching between already running processes, because both 'prev' and
+'next' already have interrupts disabled in their saved copies of the
+status register.
+
+The situation is different for newly created kernel threads. The status
+register is set to PS_S in copy_thread(), which does leave the IPL at 0.
+Upon restoring the 'next' thread's status register in switch_to() aka
+resume(), interrupts then become enabled prematurely. resume() then
+returns via ret_from_kernel_thread() and schedule_tail() where run queue
+lock is released (see finish_task_switch() and finish_lock_switch()).
+
+A timer interrupt calling scheduler_tick() before the lock is released
+in finish_task_switch() will find the lock already taken, with the
+current task as lock owner. This causes a spinlock recursion warning as
+reported by Guenter Roeck.
+
+As far as I can ascertain, this race has been opened in commit
+533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()")
+but I haven't done a detailed study of kernel history so it may well
+predate that commit.
+
+Interrupts cannot be disabled in the saved status register copy for
+kernel threads (init will complain about interrupts disabled when
+finally starting user space). Disable interrupts temporarily when
+switching the tasks' register sets in resume().
+
+Note that a simple oriw 0x700,%sr after restoring sr is not enough here
+- this leaves enough of a race for the 'spinlock recursion' warning to
+still be observed.
+
+Tested on ARAnyM and qemu (Quadra 800 emulation).
+
+Fixes: 533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/all/07811b26-677c-4d05-aeb4-996cd880b789@roeck-us.net
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20240411033631.16335-1-schmitzmic@gmail.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/entry.S | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S
+index 546bab6bfc273..d0ca4df435285 100644
+--- a/arch/m68k/kernel/entry.S
++++ b/arch/m68k/kernel/entry.S
+@@ -432,7 +432,9 @@ resume:
+ movec %a0,%dfc
+
+ /* restore status register */
+- movew %a1@(TASK_THREAD+THREAD_SR),%sr
++ movew %a1@(TASK_THREAD+THREAD_SR),%d0
++ oriw #0x0700,%d0
++ movew %d0,%sr
+
+ rts
+
+--
+2.43.0
+
--- /dev/null
+From 80ecb4d9527a8399014174cdcb51a4284e8ee69c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 May 2024 14:31:12 +1000
+Subject: m68k: mac: Fix reboot hang on Mac IIci
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 265a3b322df9a973ff1fc63da70af456ab6ae1d6 ]
+
+Calling mac_reset() on a Mac IIci does reset the system, but what
+follows is a POST failure that requires a manual reset to resolve.
+Avoid that by using the 68030 asm implementation instead of the C
+implementation.
+
+Apparently the SE/30 has a similar problem as it has used the asm
+implementation since before git. This patch extends that solution to
+other systems with a similar ROM.
+
+After this patch, the only systems still using the C implementation are
+68040 systems where adb_type is either MAC_ADB_IOP or MAC_ADB_II. This
+implies a 1 MiB Quadra ROM.
+
+This now includes the Quadra 900/950, which previously fell through to
+the "should never get here" catch-all.
+
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/480ebd1249d229c6dc1f3f1c6d599b8505483fd8.1714797072.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/mac/misc.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/arch/m68k/mac/misc.c b/arch/m68k/mac/misc.c
+index 90f4e9ca1276b..d3b34dd7590de 100644
+--- a/arch/m68k/mac/misc.c
++++ b/arch/m68k/mac/misc.c
+@@ -452,30 +452,18 @@ void mac_poweroff(void)
+
+ void mac_reset(void)
+ {
+- if (macintosh_config->adb_type == MAC_ADB_II &&
+- macintosh_config->ident != MAC_MODEL_SE30) {
+- /* need ROMBASE in booter */
+- /* indeed, plus need to MAP THE ROM !! */
+-
+- if (mac_bi_data.rombase == 0)
+- mac_bi_data.rombase = 0x40800000;
+-
+- /* works on some */
+- rom_reset = (void *) (mac_bi_data.rombase + 0xa);
+-
+- local_irq_disable();
+- rom_reset();
+ #ifdef CONFIG_ADB_CUDA
+- } else if (macintosh_config->adb_type == MAC_ADB_EGRET ||
+- macintosh_config->adb_type == MAC_ADB_CUDA) {
++ if (macintosh_config->adb_type == MAC_ADB_EGRET ||
++ macintosh_config->adb_type == MAC_ADB_CUDA) {
+ cuda_restart();
++ } else
+ #endif
+ #ifdef CONFIG_ADB_PMU
+- } else if (macintosh_config->adb_type == MAC_ADB_PB2) {
++ if (macintosh_config->adb_type == MAC_ADB_PB2) {
+ pmu_restart();
++ } else
+ #endif
+- } else if (CPU_IS_030) {
+-
++ if (CPU_IS_030) {
+ /* 030-specific reset routine. The idea is general, but the
+ * specific registers to reset are '030-specific. Until I
+ * have a non-030 machine, I can't test anything else.
+@@ -523,6 +511,18 @@ void mac_reset(void)
+ "jmp %/a0@\n\t" /* jump to the reset vector */
+ ".chip 68k"
+ : : "r" (offset), "a" (rombase) : "a0");
++ } else {
++ /* need ROMBASE in booter */
++ /* indeed, plus need to MAP THE ROM !! */
++
++ if (mac_bi_data.rombase == 0)
++ mac_bi_data.rombase = 0x40800000;
++
++ /* works on some */
++ rom_reset = (void *)(mac_bi_data.rombase + 0xa);
++
++ local_irq_disable();
++ rom_reset();
+ }
+
+ /* should never get here */
+--
+2.43.0
+
--- /dev/null
+From b22e1e4cbd517354dc7089790bd07a4a6cf82173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 13:53:41 +1100
+Subject: macintosh/via-macii: Fix "BUG: sleeping function called from invalid
+ context"
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit d301a71c76ee4c384b4e03cdc320a55f5cf1df05 ]
+
+The via-macii ADB driver calls request_irq() after disabling hard
+interrupts. But disabling interrupts isn't necessary here because the
+VIA shift register interrupt was masked during VIA1 initialization.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/419fcc09d0e563b425c419053d02236b044d86b0.1710298421.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/macintosh/via-macii.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c
+index 060e03f2264bc..6adb34d1e381b 100644
+--- a/drivers/macintosh/via-macii.c
++++ b/drivers/macintosh/via-macii.c
+@@ -142,24 +142,19 @@ static int macii_probe(void)
+ /* Initialize the driver */
+ static int macii_init(void)
+ {
+- unsigned long flags;
+ int err;
+
+- local_irq_save(flags);
+-
+ err = macii_init_via();
+ if (err)
+- goto out;
++ return err;
+
+ err = request_irq(IRQ_MAC_ADB, macii_interrupt, 0, "ADB",
+ macii_interrupt);
+ if (err)
+- goto out;
++ return err;
+
+ macii_state = idle;
+-out:
+- local_irq_restore(flags);
+- return err;
++ return 0;
+ }
+
+ /* initialize the hardware */
+--
+2.43.0
+
--- /dev/null
+From 9e172ea7e4bcaec095257c1544f7c9ee8187f35d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 14:58:24 +0800
+Subject: md: fix resync softlockup when bitmap size is less than array size
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit f0e729af2eb6bee9eb58c4df1087f14ebaefe26b ]
+
+Is is reported that for dm-raid10, lvextend + lvchange --syncaction will
+trigger following softlockup:
+
+kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]
+CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1
+RIP: 0010:_raw_spin_unlock_irq+0x13/0x30
+Call Trace:
+ <TASK>
+ md_bitmap_start_sync+0x6b/0xf0
+ raid10_sync_request+0x25c/0x1b40 [raid10]
+ md_do_sync+0x64b/0x1020
+ md_thread+0xa7/0x170
+ kthread+0xcf/0x100
+ ret_from_fork+0x30/0x50
+ ret_from_fork_asm+0x1a/0x30
+
+And the detailed process is as follows:
+
+md_do_sync
+ j = mddev->resync_min
+ while (j < max_sectors)
+ sectors = raid10_sync_request(mddev, j, &skipped)
+ if (!md_bitmap_start_sync(..., &sync_blocks))
+ // md_bitmap_start_sync set sync_blocks to 0
+ return sync_blocks + sectors_skippe;
+ // sectors = 0;
+ j += sectors;
+ // j never change
+
+Root cause is that commit 301867b1c168 ("md/raid10: check
+slab-out-of-bounds in md_bitmap_get_counter") return early from
+md_bitmap_get_counter(), without setting returned blocks.
+
+Fix this problem by always set returned blocks from
+md_bitmap_get_counter"(), as it used to be.
+
+Noted that this patch just fix the softlockup problem in kernel, the
+case that bitmap size doesn't match array size still need to be fixed.
+
+Fixes: 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter")
+Reported-and-tested-by: Nigel Croxon <ncroxon@redhat.com>
+Closes: https://lore.kernel.org/all/71ba5272-ab07-43ba-8232-d2da642acb4e@redhat.com/
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240422065824.2516-1-yukuai1@huaweicloud.com
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index b28302836b2e9..91bc764a854c6 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -1355,7 +1355,7 @@ __acquires(bitmap->lock)
+ sector_t chunk = offset >> bitmap->chunkshift;
+ unsigned long page = chunk >> PAGE_COUNTER_SHIFT;
+ unsigned long pageoff = (chunk & PAGE_COUNTER_MASK) << COUNTER_BYTE_SHIFT;
+- sector_t csize;
++ sector_t csize = ((sector_t)1) << bitmap->chunkshift;
+ int err;
+
+ if (page >= bitmap->pages) {
+@@ -1364,6 +1364,7 @@ __acquires(bitmap->lock)
+ * End-of-device while looking for a whole page or
+ * user set a huge number to sysfs bitmap_set_bits.
+ */
++ *blocks = csize - (offset & (csize - 1));
+ return NULL;
+ }
+ err = md_bitmap_checkpage(bitmap, page, create, 0);
+@@ -1372,8 +1373,7 @@ __acquires(bitmap->lock)
+ bitmap->bp[page].map == NULL)
+ csize = ((sector_t)1) << (bitmap->chunkshift +
+ PAGE_COUNTER_SHIFT);
+- else
+- csize = ((sector_t)1) << bitmap->chunkshift;
++
+ *blocks = csize - (offset & (csize - 1));
+
+ if (err < 0)
+--
+2.43.0
+
--- /dev/null
+From 35fd3cd236abf08f2d40c55886ba8b223b0a2c0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 16:13:00 +0100
+Subject: media: atomisp: ssh_css: Fix a null-pointer dereference in
+ load_video_binaries
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 3b621e9e9e148c0928ab109ac3d4b81487469acb ]
+
+The allocation failure of mycs->yuv_scaler_binary in load_video_binaries()
+is followed with a dereference of mycs->yuv_scaler_binary after the
+following call chain:
+
+sh_css_pipe_load_binaries()
+ |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)
+ |
+ |-> sh_css_pipe_unload_binaries()
+ |-> unload_video_binaries()
+
+In unload_video_binaries(), it calls to ia_css_binary_unload with argument
+&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the
+same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer
+dereference is triggered.
+
+Link: https://lore.kernel.org/r/20240118151303.3828292-1-alexious@zju.edu.cn
+
+Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/sh_css.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c
+index 54a18921fbd15..cb03545203602 100644
+--- a/drivers/staging/media/atomisp/pci/sh_css.c
++++ b/drivers/staging/media/atomisp/pci/sh_css.c
+@@ -5477,6 +5477,7 @@ static int load_video_binaries(struct ia_css_pipe *pipe)
+ mycs->yuv_scaler_binary = kzalloc(cas_scaler_descr.num_stage *
+ sizeof(struct ia_css_binary), GFP_KERNEL);
+ if (!mycs->yuv_scaler_binary) {
++ mycs->num_yuv_scaler = 0;
+ err = -ENOMEM;
+ return err;
+ }
+--
+2.43.0
+
--- /dev/null
+From 45849eb076896b6523265eeb94b62899e46de1bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 14:15:53 +0300
+Subject: media: ngene: Add dvb_ca_en50221_init return value check
+
+From: Aleksandr Burakov <a.burakov@rosalinux.ru>
+
+[ Upstream commit 9bb1fd7eddcab2d28cfc11eb20f1029154dac718 ]
+
+The return value of dvb_ca_en50221_init() is not checked here that may
+cause undefined behavior in case of nonzero value return.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 25aee3debe04 ("[media] Rename media/dvb as media/pci")
+Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/ngene/ngene-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/ngene/ngene-core.c b/drivers/media/pci/ngene/ngene-core.c
+index e1a8c611d01b4..97cac9770802b 100644
+--- a/drivers/media/pci/ngene/ngene-core.c
++++ b/drivers/media/pci/ngene/ngene-core.c
+@@ -1488,7 +1488,9 @@ static int init_channel(struct ngene_channel *chan)
+ }
+
+ if (dev->ci.en && (io & NGENE_IO_TSOUT)) {
+- dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1);
++ ret = dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1);
++ if (ret != 0)
++ goto err;
+ set_transfer(chan, 1);
+ chan->dev->channel[2].DataFormatFlags = DF_SWAP32;
+ set_transfer(&chan->dev->channel[2], 1);
+--
+2.43.0
+
--- /dev/null
+From 083a145aa4acf13bc623064f8f4a8a5ed31e7a45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 14:50:24 +0000
+Subject: media: radio-shark2: Avoid led_names truncations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 1820e16a3019b6258e6009d34432946a6ddd0a90 ]
+
+Increase the size of led_names so it can fit any valid v4l2 device name.
+
+Fixes:
+drivers/media/radio/radio-shark2.c:197:17: warning: ‘%s’ directive output may be truncated writing up to 35 bytes into a region of size 32 [-Wformat-truncation=]
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/radio-shark2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c
+index f1c5c0a6a335c..e3e6aa87fe081 100644
+--- a/drivers/media/radio/radio-shark2.c
++++ b/drivers/media/radio/radio-shark2.c
+@@ -62,7 +62,7 @@ struct shark_device {
+ #ifdef SHARK_USE_LEDS
+ struct work_struct led_work;
+ struct led_classdev leds[NO_LEDS];
+- char led_names[NO_LEDS][32];
++ char led_names[NO_LEDS][64];
+ atomic_t brightness[NO_LEDS];
+ unsigned long brightness_new;
+ #endif
+--
+2.43.0
+
--- /dev/null
+From 465e9d651fbca6e016a3024a1542b142ea7ce686 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 13:27:20 +0300
+Subject: mtd: rawnand: hynix: fixed typo
+
+From: Maxim Korotkov <korotkov.maxim.s@gmail.com>
+
+[ Upstream commit 6819db94e1cd3ce24a432f3616cd563ed0c4eaba ]
+
+The function hynix_nand_rr_init() should probably return an error code.
+Judging by the usage, it seems that the return code is passed up
+the call stack.
+Right now, it always returns 0 and the function hynix_nand_cleanup()
+in hynix_nand_init() has never been called.
+
+Found by RASU JSC and Linux Verification Center (linuxtesting.org)
+
+Fixes: 626994e07480 ("mtd: nand: hynix: Add read-retry support for 1x nm MLC NANDs")
+
+Signed-off-by: Maxim Korotkov <korotkov.maxim.s@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240313102721.1991299-1-korotkov.maxim.s@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/nand_hynix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_hynix.c b/drivers/mtd/nand/raw/nand_hynix.c
+index a9f50c9af1097..856b3d6eceb73 100644
+--- a/drivers/mtd/nand/raw/nand_hynix.c
++++ b/drivers/mtd/nand/raw/nand_hynix.c
+@@ -402,7 +402,7 @@ static int hynix_nand_rr_init(struct nand_chip *chip)
+ if (ret)
+ pr_warn("failed to initialize read-retry infrastructure");
+
+- return 0;
++ return ret;
+ }
+
+ static void hynix_nand_extract_oobsize(struct nand_chip *chip,
+--
+2.43.0
+
--- /dev/null
+From c3e40dbcada350f103b49f72b02d3663308b1a12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 09:44:54 +0200
+Subject: net: ethernet: cortina: Locking fixes
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 812552808f7ff71133fc59768cdc253c5b8ca1bf ]
+
+This fixes a probably long standing problem in the Cortina
+Gemini ethernet driver: there are some paths in the code
+where the IRQ registers are written without taking the proper
+locks.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240509-gemini-ethernet-locking-v1-1-afd00a528b95@linaro.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index c78587ddb32fd..fa46854fd697c 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -1109,10 +1109,13 @@ static void gmac_tx_irq_enable(struct net_device *netdev,
+ {
+ struct gemini_ethernet_port *port = netdev_priv(netdev);
+ struct gemini_ethernet *geth = port->geth;
++ unsigned long flags;
+ u32 val, mask;
+
+ netdev_dbg(netdev, "%s device %d\n", __func__, netdev->dev_id);
+
++ spin_lock_irqsave(&geth->irq_lock, flags);
++
+ mask = GMAC0_IRQ0_TXQ0_INTS << (6 * netdev->dev_id + txq);
+
+ if (en)
+@@ -1121,6 +1124,8 @@ static void gmac_tx_irq_enable(struct net_device *netdev,
+ val = readl(geth->base + GLOBAL_INTERRUPT_ENABLE_0_REG);
+ val = en ? val | mask : val & ~mask;
+ writel(val, geth->base + GLOBAL_INTERRUPT_ENABLE_0_REG);
++
++ spin_unlock_irqrestore(&geth->irq_lock, flags);
+ }
+
+ static void gmac_tx_irq(struct net_device *netdev, unsigned int txq_num)
+@@ -1427,15 +1432,19 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget)
+ union gmac_rxdesc_3 word3;
+ struct page *page = NULL;
+ unsigned int page_offs;
++ unsigned long flags;
+ unsigned short r, w;
+ union dma_rwptr rw;
+ dma_addr_t mapping;
+ int frag_nr = 0;
+
++ spin_lock_irqsave(&geth->irq_lock, flags);
+ rw.bits32 = readl(ptr_reg);
+ /* Reset interrupt as all packages until here are taken into account */
+ writel(DEFAULT_Q0_INT_BIT << netdev->dev_id,
+ geth->base + GLOBAL_INTERRUPT_STATUS_1_REG);
++ spin_unlock_irqrestore(&geth->irq_lock, flags);
++
+ r = rw.bits.rptr;
+ w = rw.bits.wptr;
+
+@@ -1738,10 +1747,9 @@ static irqreturn_t gmac_irq(int irq, void *data)
+ gmac_update_hw_stats(netdev);
+
+ if (val & (GMAC0_RX_OVERRUN_INT_BIT << (netdev->dev_id * 8))) {
++ spin_lock(&geth->irq_lock);
+ writel(GMAC0_RXDERR_INT_BIT << (netdev->dev_id * 8),
+ geth->base + GLOBAL_INTERRUPT_STATUS_4_REG);
+-
+- spin_lock(&geth->irq_lock);
+ u64_stats_update_begin(&port->ir_stats_syncp);
+ ++port->stats.rx_fifo_errors;
+ u64_stats_update_end(&port->ir_stats_syncp);
+--
+2.43.0
+
--- /dev/null
+From 2e82e6c4d61c9104ee1c4b6d9dcb377e68b89f2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jul 2023 17:30:07 +0200
+Subject: net: export inet_lookup_reuseport and inet6_lookup_reuseport
+
+From: Lorenz Bauer <lmb@isovalent.com>
+
+[ Upstream commit ce796e60b3b196b61fcc565df195443cbb846ef0 ]
+
+Rename the existing reuseport helpers for IPv4 and IPv6 so that they
+can be invoked in the follow up commit. Export them so that building
+DCCP and IPv6 as a module works.
+
+No change in functionality.
+
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Lorenz Bauer <lmb@isovalent.com>
+Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-3-7021b683cdae@isovalent.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Stable-dep-of: 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/inet6_hashtables.h | 7 +++++++
+ include/net/inet_hashtables.h | 5 +++++
+ net/ipv4/inet_hashtables.c | 15 ++++++++-------
+ net/ipv6/inet6_hashtables.c | 19 ++++++++++---------
+ 4 files changed, 30 insertions(+), 16 deletions(-)
+
+diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
+index 56f1286583d3c..032ddab48f8f8 100644
+--- a/include/net/inet6_hashtables.h
++++ b/include/net/inet6_hashtables.h
+@@ -48,6 +48,13 @@ struct sock *__inet6_lookup_established(struct net *net,
+ const u16 hnum, const int dif,
+ const int sdif);
+
++struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk,
++ struct sk_buff *skb, int doff,
++ const struct in6_addr *saddr,
++ __be16 sport,
++ const struct in6_addr *daddr,
++ unsigned short hnum);
++
+ struct sock *inet6_lookup_listener(struct net *net,
+ struct inet_hashinfo *hashinfo,
+ struct sk_buff *skb, int doff,
+diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
+index c9e387d174c63..94c418d2e345e 100644
+--- a/include/net/inet_hashtables.h
++++ b/include/net/inet_hashtables.h
+@@ -313,6 +313,11 @@ struct sock *__inet_lookup_established(struct net *net,
+ const __be32 daddr, const u16 hnum,
+ const int dif, const int sdif);
+
++struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk,
++ struct sk_buff *skb, int doff,
++ __be32 saddr, __be16 sport,
++ __be32 daddr, unsigned short hnum);
++
+ static inline struct sock *
+ inet_lookup_established(struct net *net, struct inet_hashinfo *hashinfo,
+ const __be32 saddr, const __be16 sport,
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index ad050f8476b8e..bea88219d5313 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -252,10 +252,10 @@ static inline int compute_score(struct sock *sk, struct net *net,
+ return score;
+ }
+
+-static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk,
+- struct sk_buff *skb, int doff,
+- __be32 saddr, __be16 sport,
+- __be32 daddr, unsigned short hnum)
++struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk,
++ struct sk_buff *skb, int doff,
++ __be32 saddr, __be16 sport,
++ __be32 daddr, unsigned short hnum)
+ {
+ struct sock *reuse_sk = NULL;
+ u32 phash;
+@@ -266,6 +266,7 @@ static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk,
+ }
+ return reuse_sk;
+ }
++EXPORT_SYMBOL_GPL(inet_lookup_reuseport);
+
+ /*
+ * Here are some nice properties to exploit here. The BSD API
+@@ -290,8 +291,8 @@ static struct sock *inet_lhash2_lookup(struct net *net,
+ sk = (struct sock *)icsk;
+ score = compute_score(sk, net, hnum, daddr, dif, sdif);
+ if (score > hiscore) {
+- result = lookup_reuseport(net, sk, skb, doff,
+- saddr, sport, daddr, hnum);
++ result = inet_lookup_reuseport(net, sk, skb, doff,
++ saddr, sport, daddr, hnum);
+ if (result)
+ return result;
+
+@@ -320,7 +321,7 @@ static inline struct sock *inet_lookup_run_bpf(struct net *net,
+ if (no_reuseport || IS_ERR_OR_NULL(sk))
+ return sk;
+
+- reuse_sk = lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum);
++ reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum);
+ if (reuse_sk)
+ sk = reuse_sk;
+ return sk;
+diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
+index b4a5e01e12016..2267f973e2df3 100644
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -113,12 +113,12 @@ static inline int compute_score(struct sock *sk, struct net *net,
+ return score;
+ }
+
+-static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk,
+- struct sk_buff *skb, int doff,
+- const struct in6_addr *saddr,
+- __be16 sport,
+- const struct in6_addr *daddr,
+- unsigned short hnum)
++struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk,
++ struct sk_buff *skb, int doff,
++ const struct in6_addr *saddr,
++ __be16 sport,
++ const struct in6_addr *daddr,
++ unsigned short hnum)
+ {
+ struct sock *reuse_sk = NULL;
+ u32 phash;
+@@ -129,6 +129,7 @@ static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk,
+ }
+ return reuse_sk;
+ }
++EXPORT_SYMBOL_GPL(inet6_lookup_reuseport);
+
+ /* called with rcu_read_lock() */
+ static struct sock *inet6_lhash2_lookup(struct net *net,
+@@ -146,8 +147,8 @@ static struct sock *inet6_lhash2_lookup(struct net *net,
+ sk = (struct sock *)icsk;
+ score = compute_score(sk, net, hnum, daddr, dif, sdif);
+ if (score > hiscore) {
+- result = lookup_reuseport(net, sk, skb, doff,
+- saddr, sport, daddr, hnum);
++ result = inet6_lookup_reuseport(net, sk, skb, doff,
++ saddr, sport, daddr, hnum);
+ if (result)
+ return result;
+
+@@ -178,7 +179,7 @@ static inline struct sock *inet6_lookup_run_bpf(struct net *net,
+ if (no_reuseport || IS_ERR_OR_NULL(sk))
+ return sk;
+
+- reuse_sk = lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum);
++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum);
+ if (reuse_sk)
+ sk = reuse_sk;
+ return sk;
+--
+2.43.0
+
--- /dev/null
+From 19c622fe35007375d631d1ed6165c2d73b2bb40d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 06:42:22 +0000
+Subject: net: give more chances to rcu in netdev_wait_allrefs_any()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cd42ba1c8ac9deb9032add6adf491110e7442040 ]
+
+This came while reviewing commit c4e86b4363ac ("net: add two more
+call_rcu_hurry()").
+
+Paolo asked if adding one synchronize_rcu() would help.
+
+While synchronize_rcu() does not help, making sure to call
+rcu_barrier() before msleep(wait) is definitely helping
+to make sure lazy call_rcu() are completed.
+
+Instead of waiting ~100 seconds in my tests, the ref_tracker
+splats occurs one time only, and netdev_wait_allrefs_any()
+latency is reduced to the strict minimum.
+
+Ideally we should audit our call_rcu() users to make sure
+no refcount (or cascading call_rcu()) is held too long,
+because rcu_barrier() is quite expensive.
+
+Fixes: 0e4be9e57e8c ("net: use exponential backoff in netdev_wait_allrefs")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/all/28bbf698-befb-42f6-b561-851c67f464aa@kernel.org/T/#m76d73ed6b03cd930778ac4d20a777f22a08d6824
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 0e2c433bebcd4..5e91496fd3a36 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -10217,8 +10217,9 @@ static void netdev_wait_allrefs(struct net_device *dev)
+ rebroadcast_time = jiffies;
+ }
+
++ rcu_barrier();
++
+ if (!wait) {
+- rcu_barrier();
+ wait = WAIT_REFS_MIN_MSECS;
+ } else {
+ msleep(wait);
+--
+2.43.0
+
--- /dev/null
+From d6f93c1797cb4c7ce8decc624d50e7fd2847bb0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 17:19:17 +0800
+Subject: net: ipv6: fix wrong start position when receive hop-by-hop fragment
+
+From: gaoxingwang <gaoxingwang1@huawei.com>
+
+[ Upstream commit 1cd354fe1e4864eeaff62f66ee513080ec946f20 ]
+
+In IPv6, ipv6_rcv_core will parse the hop-by-hop type extension header and increase skb->transport_header by one extension header length.
+But if there are more other extension headers like fragment header at this time, the skb->transport_header points to the second extension header,
+not the transport layer header or the first extension header.
+
+This will result in the start and nexthdrp variable not pointing to the same position in ipv6frag_thdr_trunced,
+and ipv6_skip_exthdr returning incorrect offset and frag_off.Sometimes,the length of the last sharded packet is smaller than the calculated incorrect offset, resulting in packet loss.
+We can use network header to offset and calculate the correct position to solve this problem.
+
+Fixes: 9d9e937b1c8b (ipv6/netfilter: Discard first fragment not including all headers)
+Signed-off-by: Gao Xingwang <gaoxingwang1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/reassembly.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
+index 28e44782c94d1..6993675171556 100644
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -363,7 +363,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
+ * the source of the fragment, with the Pointer field set to zero.
+ */
+ nexthdr = hdr->nexthdr;
+- if (ipv6frag_thdr_truncated(skb, skb_transport_offset(skb), &nexthdr)) {
++ if (ipv6frag_thdr_truncated(skb, skb_network_offset(skb) + sizeof(struct ipv6hdr), &nexthdr)) {
+ __IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev),
+ IPSTATS_MIB_INHDRERRORS);
+ icmpv6_param_prob(skb, ICMPV6_HDR_INCOMP, 0);
+--
+2.43.0
+
--- /dev/null
+From 49e651e7e12861d8b565eeaeb2febd8da0e89fab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 14:29:51 +0300
+Subject: net/mlx5: Discard command completions in internal error
+
+From: Akiva Goldberger <agoldberger@nvidia.com>
+
+[ Upstream commit db9b31aa9bc56ff0d15b78f7e827d61c4a096e40 ]
+
+Fix use after free when FW completion arrives while device is in
+internal error state. Avoid calling completion handler in this case,
+since the device will flush the command interface and trigger all
+completions manually.
+
+Kernel log:
+------------[ cut here ]------------
+refcount_t: underflow; use-after-free.
+...
+RIP: 0010:refcount_warn_saturate+0xd8/0xe0
+...
+Call Trace:
+<IRQ>
+? __warn+0x79/0x120
+? refcount_warn_saturate+0xd8/0xe0
+? report_bug+0x17c/0x190
+? handle_bug+0x3c/0x60
+? exc_invalid_op+0x14/0x70
+? asm_exc_invalid_op+0x16/0x20
+? refcount_warn_saturate+0xd8/0xe0
+cmd_ent_put+0x13b/0x160 [mlx5_core]
+mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]
+cmd_comp_notifier+0x1f/0x30 [mlx5_core]
+notifier_call_chain+0x35/0xb0
+atomic_notifier_call_chain+0x16/0x20
+mlx5_eq_async_int+0xf6/0x290 [mlx5_core]
+notifier_call_chain+0x35/0xb0
+atomic_notifier_call_chain+0x16/0x20
+irq_int_handler+0x19/0x30 [mlx5_core]
+__handle_irq_event_percpu+0x4b/0x160
+handle_irq_event+0x2e/0x80
+handle_edge_irq+0x98/0x230
+__common_interrupt+0x3b/0xa0
+common_interrupt+0x7b/0xa0
+</IRQ>
+<TASK>
+asm_common_interrupt+0x22/0x40
+
+Fixes: 51d138c2610a ("net/mlx5: Fix health error state handling")
+Signed-off-by: Akiva Goldberger <agoldberger@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://lore.kernel.org/r/20240509112951.590184-6-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 0ba43c93abb26..42dc76f85c62c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1523,6 +1523,9 @@ static int cmd_comp_notifier(struct notifier_block *nb,
+ dev = container_of(cmd, struct mlx5_core_dev, cmd);
+ eqe = data;
+
++ if (dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)
++ return NOTIFY_DONE;
++
+ mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector), false);
+
+ return NOTIFY_OK;
+--
+2.43.0
+
--- /dev/null
+From f4a887a6b4454111467bb8bb4d16ec714d61968b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 11:38:05 +0200
+Subject: net: openvswitch: fix overwriting ct original tuple for ICMPv6
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit 7c988176b6c16c516474f6fceebe0f055af5eb56 ]
+
+OVS_PACKET_CMD_EXECUTE has 3 main attributes:
+ - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.
+ - OVS_PACKET_ATTR_PACKET - Binary packet content.
+ - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.
+
+OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure
+with the metadata like conntrack state, input port, recirculation id,
+etc. Then the packet itself gets parsed to populate the rest of the
+keys from the packet headers.
+
+Whenever the packet parsing code starts parsing the ICMPv6 header, it
+first zeroes out fields in the key corresponding to Neighbor Discovery
+information even if it is not an ND packet.
+
+It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares
+the space between 'nd' and 'ct_orig' that holds the original tuple
+conntrack metadata parsed from the OVS_PACKET_ATTR_KEY.
+
+ND packets should not normally have conntrack state, so it's fine to
+share the space, but normal ICMPv6 Echo packets or maybe other types of
+ICMPv6 can have the state attached and it should not be overwritten.
+
+The issue results in all but the last 4 bytes of the destination
+address being wiped from the original conntrack tuple leading to
+incorrect packet matching and potentially executing wrong actions
+in case this packet recirculates within the datapath or goes back
+to userspace.
+
+ND fields should not be accessed in non-ND packets, so not clearing
+them should be fine. Executing memset() only for actual ND packets to
+avoid the issue.
+
+Initializing the whole thing before parsing is needed because ND packet
+may not contain all the options.
+
+The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't
+affect packets entering OVS datapath from network interfaces, because
+in this case CT metadata is populated from skb after the packet is
+already parsed.
+
+Fixes: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.")
+Reported-by: Antonin Bas <antonin.bas@broadcom.com>
+Closes: https://github.com/openvswitch/ovs-issues/issues/327
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Link: https://lore.kernel.org/r/20240509094228.1035477-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/flow.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
+index c9ba61413c98b..9bad601c7fe82 100644
+--- a/net/openvswitch/flow.c
++++ b/net/openvswitch/flow.c
+@@ -412,7 +412,6 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key,
+ */
+ key->tp.src = htons(icmp->icmp6_type);
+ key->tp.dst = htons(icmp->icmp6_code);
+- memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd));
+
+ if (icmp->icmp6_code == 0 &&
+ (icmp->icmp6_type == NDISC_NEIGHBOUR_SOLICITATION ||
+@@ -421,6 +420,8 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key,
+ struct nd_msg *nd;
+ int offset;
+
++ memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd));
++
+ /* In order to process neighbor discovery options, we need the
+ * entire packet.
+ */
+--
+2.43.0
+
--- /dev/null
+From 7e61f428c3d0b74fe130f64a848bdb2731f25100 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 13:57:54 +0800
+Subject: net: qrtr: fix null-ptr-deref in qrtr_ns_remove
+
+From: Qinglang Miao <miaoqinglang@huawei.com>
+
+[ Upstream commit 4beb17e553b49c3dd74505c9f361e756aaae653e ]
+
+A null-ptr-deref bug is reported by Hulk Robot like this:
+--------------
+KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
+Call Trace:
+qrtr_ns_remove+0x22/0x40 [ns]
+qrtr_proto_fini+0xa/0x31 [qrtr]
+__x64_sys_delete_module+0x337/0x4e0
+do_syscall_64+0x34/0x80
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x468ded
+--------------
+
+When qrtr_ns_init fails in qrtr_proto_init, qrtr_ns_remove which would
+be called later on would raise a null-ptr-deref because qrtr_ns.workqueue
+has been destroyed.
+
+Fix it by making qrtr_ns_init have a return value and adding a check in
+qrtr_proto_init.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: fd76e5ccc48f ("net: qrtr: ns: Fix module refcnt")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/af_qrtr.c | 16 +++++++++++-----
+ net/qrtr/ns.c | 7 ++++---
+ net/qrtr/qrtr.h | 2 +-
+ 3 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
+index 71c2295d4a573..29c0886eb9efe 100644
+--- a/net/qrtr/af_qrtr.c
++++ b/net/qrtr/af_qrtr.c
+@@ -1279,13 +1279,19 @@ static int __init qrtr_proto_init(void)
+ return rc;
+
+ rc = sock_register(&qrtr_family);
+- if (rc) {
+- proto_unregister(&qrtr_proto);
+- return rc;
+- }
++ if (rc)
++ goto err_proto;
+
+- qrtr_ns_init();
++ rc = qrtr_ns_init();
++ if (rc)
++ goto err_sock;
+
++ return 0;
++
++err_sock:
++ sock_unregister(qrtr_family.family);
++err_proto:
++ proto_unregister(&qrtr_proto);
+ return rc;
+ }
+ postcore_initcall(qrtr_proto_init);
+diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
+index c92dd960bfefa..3376a656da39f 100644
+--- a/net/qrtr/ns.c
++++ b/net/qrtr/ns.c
+@@ -771,7 +771,7 @@ static void qrtr_ns_data_ready(struct sock *sk)
+ queue_work(qrtr_ns.workqueue, &qrtr_ns.work);
+ }
+
+-void qrtr_ns_init(void)
++int qrtr_ns_init(void)
+ {
+ struct sockaddr_qrtr sq;
+ int ret;
+@@ -782,7 +782,7 @@ void qrtr_ns_init(void)
+ ret = sock_create_kern(&init_net, AF_QIPCRTR, SOCK_DGRAM,
+ PF_QIPCRTR, &qrtr_ns.sock);
+ if (ret < 0)
+- return;
++ return ret;
+
+ ret = kernel_getsockname(qrtr_ns.sock, (struct sockaddr *)&sq);
+ if (ret < 0) {
+@@ -815,12 +815,13 @@ void qrtr_ns_init(void)
+ if (ret < 0)
+ goto err_wq;
+
+- return;
++ return 0;
+
+ err_wq:
+ destroy_workqueue(qrtr_ns.workqueue);
+ err_sock:
+ sock_release(qrtr_ns.sock);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(qrtr_ns_init);
+
+diff --git a/net/qrtr/qrtr.h b/net/qrtr/qrtr.h
+index dc2b67f179271..3f2d28696062a 100644
+--- a/net/qrtr/qrtr.h
++++ b/net/qrtr/qrtr.h
+@@ -29,7 +29,7 @@ void qrtr_endpoint_unregister(struct qrtr_endpoint *ep);
+
+ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len);
+
+-void qrtr_ns_init(void);
++int qrtr_ns_init(void);
+
+ void qrtr_ns_remove(void);
+
+--
+2.43.0
+
--- /dev/null
+From 2371e7117fae178548e14e7f7e189590d31f405e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2024 10:31:46 -0700
+Subject: net: qrtr: ns: Fix module refcnt
+
+From: Chris Lew <quic_clew@quicinc.com>
+
+[ Upstream commit fd76e5ccc48f9f54eb44909dd7c0b924005f1582 ]
+
+The qrtr protocol core logic and the qrtr nameservice are combined into
+a single module. Neither the core logic or nameservice provide much
+functionality by themselves; combining the two into a single module also
+prevents any possible issues that may stem from client modules loading
+inbetween qrtr and the ns.
+
+Creating a socket takes two references to the module that owns the
+socket protocol. Since the ns needs to create the control socket, this
+creates a scenario where there are always two references to the qrtr
+module. This prevents the execution of 'rmmod' for qrtr.
+
+To resolve this, forcefully put the module refcount for the socket
+opened by the nameservice.
+
+Fixes: a365023a76f2 ("net: qrtr: combine nameservice into main module")
+Reported-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Tested-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: Chris Lew <quic_clew@quicinc.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/ns.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
+index 3376a656da39f..1da34d54092be 100644
+--- a/net/qrtr/ns.c
++++ b/net/qrtr/ns.c
+@@ -815,6 +815,24 @@ int qrtr_ns_init(void)
+ if (ret < 0)
+ goto err_wq;
+
++ /* As the qrtr ns socket owner and creator is the same module, we have
++ * to decrease the qrtr module reference count to guarantee that it
++ * remains zero after the ns socket is created, otherwise, executing
++ * "rmmod" command is unable to make the qrtr module deleted after the
++ * qrtr module is inserted successfully.
++ *
++ * However, the reference count is increased twice in
++ * sock_create_kern(): one is to increase the reference count of owner
++ * of qrtr socket's proto_ops struct; another is to increment the
++ * reference count of owner of qrtr proto struct. Therefore, we must
++ * decrement the module reference count twice to ensure that it keeps
++ * zero after server's listening socket is created. Of course, we
++ * must bump the module reference count twice as well before the socket
++ * is closed.
++ */
++ module_put(qrtr_ns.sock->ops->owner);
++ module_put(qrtr_ns.sock->sk->sk_prot_creator->owner);
++
+ return 0;
+
+ err_wq:
+@@ -829,6 +847,15 @@ void qrtr_ns_remove(void)
+ {
+ cancel_work_sync(&qrtr_ns.work);
+ destroy_workqueue(qrtr_ns.workqueue);
++
++ /* sock_release() expects the two references that were put during
++ * qrtr_ns_init(). This function is only called during module remove,
++ * so try_stop_module() has already set the refcnt to 0. Use
++ * __module_get() instead of try_module_get() to successfully take two
++ * references.
++ */
++ __module_get(qrtr_ns.sock->ops->owner);
++ __module_get(qrtr_ns.sock->sk->sk_prot_creator->owner);
+ sock_release(qrtr_ns.sock);
+ }
+ EXPORT_SYMBOL_GPL(qrtr_ns_remove);
+--
+2.43.0
+
--- /dev/null
+From 13eda0acfbc694e7b296e0da3db6f4523a6477fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jul 2023 17:30:08 +0200
+Subject: net: remove duplicate reuseport_lookup functions
+
+From: Lorenz Bauer <lmb@isovalent.com>
+
+[ Upstream commit 0f495f7617229772403e683033abc473f0f0553c ]
+
+There are currently four copies of reuseport_lookup: one each for
+(TCP, UDP)x(IPv4, IPv6). This forces us to duplicate all callers of
+those functions as well. This is already the case for sk_lookup
+helpers (inet,inet6,udp4,udp6)_lookup_run_bpf.
+
+There are two differences between the reuseport_lookup helpers:
+
+1. They call different hash functions depending on protocol
+2. UDP reuseport_lookup checks that sk_state != TCP_ESTABLISHED
+
+Move the check for sk_state into the caller and use the INDIRECT_CALL
+infrastructure to cut down the helpers to one per IP version.
+
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Lorenz Bauer <lmb@isovalent.com>
+Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-4-7021b683cdae@isovalent.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Stable-dep-of: 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/inet6_hashtables.h | 11 ++++++++-
+ include/net/inet_hashtables.h | 15 ++++++++-----
+ net/ipv4/inet_hashtables.c | 20 +++++++++++------
+ net/ipv4/udp.c | 34 +++++++++++-----------------
+ net/ipv6/inet6_hashtables.c | 14 ++++++++----
+ net/ipv6/udp.c | 41 +++++++++++++---------------------
+ 6 files changed, 72 insertions(+), 63 deletions(-)
+
+diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
+index 032ddab48f8f8..f89320b6fee31 100644
+--- a/include/net/inet6_hashtables.h
++++ b/include/net/inet6_hashtables.h
+@@ -48,12 +48,21 @@ struct sock *__inet6_lookup_established(struct net *net,
+ const u16 hnum, const int dif,
+ const int sdif);
+
++typedef u32 (inet6_ehashfn_t)(const struct net *net,
++ const struct in6_addr *laddr, const u16 lport,
++ const struct in6_addr *faddr, const __be16 fport);
++
++inet6_ehashfn_t inet6_ehashfn;
++
++INDIRECT_CALLABLE_DECLARE(inet6_ehashfn_t udp6_ehashfn);
++
+ struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk,
+ struct sk_buff *skb, int doff,
+ const struct in6_addr *saddr,
+ __be16 sport,
+ const struct in6_addr *daddr,
+- unsigned short hnum);
++ unsigned short hnum,
++ inet6_ehashfn_t *ehashfn);
+
+ struct sock *inet6_lookup_listener(struct net *net,
+ struct inet_hashinfo *hashinfo,
+diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
+index 94c418d2e345e..7778422cfac55 100644
+--- a/include/net/inet_hashtables.h
++++ b/include/net/inet_hashtables.h
+@@ -313,10 +313,19 @@ struct sock *__inet_lookup_established(struct net *net,
+ const __be32 daddr, const u16 hnum,
+ const int dif, const int sdif);
+
++typedef u32 (inet_ehashfn_t)(const struct net *net,
++ const __be32 laddr, const __u16 lport,
++ const __be32 faddr, const __be16 fport);
++
++inet_ehashfn_t inet_ehashfn;
++
++INDIRECT_CALLABLE_DECLARE(inet_ehashfn_t udp_ehashfn);
++
+ struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk,
+ struct sk_buff *skb, int doff,
+ __be32 saddr, __be16 sport,
+- __be32 daddr, unsigned short hnum);
++ __be32 daddr, unsigned short hnum,
++ inet_ehashfn_t *ehashfn);
+
+ static inline struct sock *
+ inet_lookup_established(struct net *net, struct inet_hashinfo *hashinfo,
+@@ -387,10 +396,6 @@ static inline struct sock *__inet_lookup_skb(struct inet_hashinfo *hashinfo,
+ refcounted);
+ }
+
+-u32 inet6_ehashfn(const struct net *net,
+- const struct in6_addr *laddr, const u16 lport,
+- const struct in6_addr *faddr, const __be16 fport);
+-
+ static inline void sk_daddr_set(struct sock *sk, __be32 addr)
+ {
+ sk->sk_daddr = addr; /* alias of inet_daddr */
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index bea88219d5313..56deddeac1b0e 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -28,9 +28,9 @@
+ #include <net/tcp.h>
+ #include <net/sock_reuseport.h>
+
+-static u32 inet_ehashfn(const struct net *net, const __be32 laddr,
+- const __u16 lport, const __be32 faddr,
+- const __be16 fport)
++u32 inet_ehashfn(const struct net *net, const __be32 laddr,
++ const __u16 lport, const __be32 faddr,
++ const __be16 fport)
+ {
+ static u32 inet_ehash_secret __read_mostly;
+
+@@ -39,6 +39,7 @@ static u32 inet_ehashfn(const struct net *net, const __be32 laddr,
+ return __inet_ehashfn(laddr, lport, faddr, fport,
+ inet_ehash_secret + net_hash_mix(net));
+ }
++EXPORT_SYMBOL_GPL(inet_ehashfn);
+
+ /* This function handles inet_sock, but also timewait and request sockets
+ * for IPv4/IPv6.
+@@ -252,16 +253,20 @@ static inline int compute_score(struct sock *sk, struct net *net,
+ return score;
+ }
+
++INDIRECT_CALLABLE_DECLARE(inet_ehashfn_t udp_ehashfn);
++
+ struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk,
+ struct sk_buff *skb, int doff,
+ __be32 saddr, __be16 sport,
+- __be32 daddr, unsigned short hnum)
++ __be32 daddr, unsigned short hnum,
++ inet_ehashfn_t *ehashfn)
+ {
+ struct sock *reuse_sk = NULL;
+ u32 phash;
+
+ if (sk->sk_reuseport) {
+- phash = inet_ehashfn(net, daddr, hnum, saddr, sport);
++ phash = INDIRECT_CALL_2(ehashfn, udp_ehashfn, inet_ehashfn,
++ net, daddr, hnum, saddr, sport);
+ reuse_sk = reuseport_select_sock(sk, phash, skb, doff);
+ }
+ return reuse_sk;
+@@ -292,7 +297,7 @@ static struct sock *inet_lhash2_lookup(struct net *net,
+ score = compute_score(sk, net, hnum, daddr, dif, sdif);
+ if (score > hiscore) {
+ result = inet_lookup_reuseport(net, sk, skb, doff,
+- saddr, sport, daddr, hnum);
++ saddr, sport, daddr, hnum, inet_ehashfn);
+ if (result)
+ return result;
+
+@@ -321,7 +326,8 @@ static inline struct sock *inet_lookup_run_bpf(struct net *net,
+ if (no_reuseport || IS_ERR_OR_NULL(sk))
+ return sk;
+
+- reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum);
++ reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum,
++ inet_ehashfn);
+ if (reuse_sk)
+ sk = reuse_sk;
+ return sk;
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 16ff3962b24db..127aa7b5ce977 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -398,9 +398,9 @@ static int compute_score(struct sock *sk, struct net *net,
+ return score;
+ }
+
+-static u32 udp_ehashfn(const struct net *net, const __be32 laddr,
+- const __u16 lport, const __be32 faddr,
+- const __be16 fport)
++INDIRECT_CALLABLE_SCOPE
++u32 udp_ehashfn(const struct net *net, const __be32 laddr, const __u16 lport,
++ const __be32 faddr, const __be16 fport)
+ {
+ static u32 udp_ehash_secret __read_mostly;
+
+@@ -410,22 +410,6 @@ static u32 udp_ehashfn(const struct net *net, const __be32 laddr,
+ udp_ehash_secret + net_hash_mix(net));
+ }
+
+-static struct sock *lookup_reuseport(struct net *net, struct sock *sk,
+- struct sk_buff *skb,
+- __be32 saddr, __be16 sport,
+- __be32 daddr, unsigned short hnum)
+-{
+- struct sock *reuse_sk = NULL;
+- u32 hash;
+-
+- if (sk->sk_reuseport && sk->sk_state != TCP_ESTABLISHED) {
+- hash = udp_ehashfn(net, daddr, hnum, saddr, sport);
+- reuse_sk = reuseport_select_sock(sk, hash, skb,
+- sizeof(struct udphdr));
+- }
+- return reuse_sk;
+-}
+-
+ /* called with rcu_read_lock() */
+ static struct sock *udp4_lib_lookup2(struct net *net,
+ __be32 saddr, __be16 sport,
+@@ -444,7 +428,14 @@ static struct sock *udp4_lib_lookup2(struct net *net,
+ daddr, hnum, dif, sdif);
+ if (score > badness) {
+ badness = score;
+- result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum);
++
++ if (sk->sk_state == TCP_ESTABLISHED) {
++ result = sk;
++ continue;
++ }
++
++ result = inet_lookup_reuseport(net, sk, skb, sizeof(struct udphdr),
++ saddr, sport, daddr, hnum, udp_ehashfn);
+ if (!result) {
+ result = sk;
+ continue;
+@@ -483,7 +474,8 @@ static struct sock *udp4_lookup_run_bpf(struct net *net,
+ if (no_reuseport || IS_ERR_OR_NULL(sk))
+ return sk;
+
+- reuse_sk = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum);
++ reuse_sk = inet_lookup_reuseport(net, sk, skb, sizeof(struct udphdr),
++ saddr, sport, daddr, hnum, udp_ehashfn);
+ if (reuse_sk)
+ sk = reuse_sk;
+ return sk;
+diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
+index 2267f973e2df3..21b4fc835487b 100644
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -41,6 +41,7 @@ u32 inet6_ehashfn(const struct net *net,
+ return __inet6_ehashfn(lhash, lport, fhash, fport,
+ inet6_ehash_secret + net_hash_mix(net));
+ }
++EXPORT_SYMBOL_GPL(inet6_ehashfn);
+
+ /*
+ * Sockets in TCP_CLOSE state are _always_ taken out of the hash, so
+@@ -113,18 +114,22 @@ static inline int compute_score(struct sock *sk, struct net *net,
+ return score;
+ }
+
++INDIRECT_CALLABLE_DECLARE(inet6_ehashfn_t udp6_ehashfn);
++
+ struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk,
+ struct sk_buff *skb, int doff,
+ const struct in6_addr *saddr,
+ __be16 sport,
+ const struct in6_addr *daddr,
+- unsigned short hnum)
++ unsigned short hnum,
++ inet6_ehashfn_t *ehashfn)
+ {
+ struct sock *reuse_sk = NULL;
+ u32 phash;
+
+ if (sk->sk_reuseport) {
+- phash = inet6_ehashfn(net, daddr, hnum, saddr, sport);
++ phash = INDIRECT_CALL_INET(ehashfn, udp6_ehashfn, inet6_ehashfn,
++ net, daddr, hnum, saddr, sport);
+ reuse_sk = reuseport_select_sock(sk, phash, skb, doff);
+ }
+ return reuse_sk;
+@@ -148,7 +153,7 @@ static struct sock *inet6_lhash2_lookup(struct net *net,
+ score = compute_score(sk, net, hnum, daddr, dif, sdif);
+ if (score > hiscore) {
+ result = inet6_lookup_reuseport(net, sk, skb, doff,
+- saddr, sport, daddr, hnum);
++ saddr, sport, daddr, hnum, inet6_ehashfn);
+ if (result)
+ return result;
+
+@@ -179,7 +184,8 @@ static inline struct sock *inet6_lookup_run_bpf(struct net *net,
+ if (no_reuseport || IS_ERR_OR_NULL(sk))
+ return sk;
+
+- reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum);
++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff,
++ saddr, sport, daddr, hnum, inet6_ehashfn);
+ if (reuse_sk)
+ sk = reuse_sk;
+ return sk;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 8c9672e7a7dd6..1632b940347c5 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -67,11 +67,12 @@ int udpv6_init_sock(struct sock *sk)
+ return 0;
+ }
+
+-static u32 udp6_ehashfn(const struct net *net,
+- const struct in6_addr *laddr,
+- const u16 lport,
+- const struct in6_addr *faddr,
+- const __be16 fport)
++INDIRECT_CALLABLE_SCOPE
++u32 udp6_ehashfn(const struct net *net,
++ const struct in6_addr *laddr,
++ const u16 lport,
++ const struct in6_addr *faddr,
++ const __be16 fport)
+ {
+ static u32 udp6_ehash_secret __read_mostly;
+ static u32 udp_ipv6_hash_secret __read_mostly;
+@@ -155,24 +156,6 @@ static int compute_score(struct sock *sk, struct net *net,
+ return score;
+ }
+
+-static struct sock *lookup_reuseport(struct net *net, struct sock *sk,
+- struct sk_buff *skb,
+- const struct in6_addr *saddr,
+- __be16 sport,
+- const struct in6_addr *daddr,
+- unsigned int hnum)
+-{
+- struct sock *reuse_sk = NULL;
+- u32 hash;
+-
+- if (sk->sk_reuseport && sk->sk_state != TCP_ESTABLISHED) {
+- hash = udp6_ehashfn(net, daddr, hnum, saddr, sport);
+- reuse_sk = reuseport_select_sock(sk, hash, skb,
+- sizeof(struct udphdr));
+- }
+- return reuse_sk;
+-}
+-
+ /* called with rcu_read_lock() */
+ static struct sock *udp6_lib_lookup2(struct net *net,
+ const struct in6_addr *saddr, __be16 sport,
+@@ -190,7 +173,14 @@ static struct sock *udp6_lib_lookup2(struct net *net,
+ daddr, hnum, dif, sdif);
+ if (score > badness) {
+ badness = score;
+- result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum);
++
++ if (sk->sk_state == TCP_ESTABLISHED) {
++ result = sk;
++ continue;
++ }
++
++ result = inet6_lookup_reuseport(net, sk, skb, sizeof(struct udphdr),
++ saddr, sport, daddr, hnum, udp6_ehashfn);
+ if (!result) {
+ result = sk;
+ continue;
+@@ -230,7 +220,8 @@ static inline struct sock *udp6_lookup_run_bpf(struct net *net,
+ if (no_reuseport || IS_ERR_OR_NULL(sk))
+ return sk;
+
+- reuse_sk = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum);
++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, sizeof(struct udphdr),
++ saddr, sport, daddr, hnum, udp6_ehashfn);
+ if (reuse_sk)
+ sk = reuse_sk;
+ return sk;
+--
+2.43.0
+
--- /dev/null
+From 37b77b641b4b1e59bf24fa47a513e7fcc5189dca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Apr 2024 13:12:07 +0200
+Subject: net: usb: qmi_wwan: add Telit FN920C04 compositions
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+[ Upstream commit 0b8fe5bd73249dc20be2e88a12041f8920797b59 ]
+
+Add the following Telit FN920C04 compositions:
+
+0x10a0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag)
+T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 5 Spd=480 MxCh= 0
+D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=10a0 Rev=05.15
+S: Manufacturer=Telit Cinterion
+S: Product=FN920
+S: SerialNumber=92c4c4d8
+C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10a4: rmnet + tty (AT) + tty (AT) + tty (diag)
+T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
+D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=10a4 Rev=05.15
+S: Manufacturer=Telit Cinterion
+S: Product=FN920
+S: SerialNumber=92c4c4d8
+C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10a9: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb
+T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 9 Spd=480 MxCh= 0
+D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=10a9 Rev=05.15
+S: Manufacturer=Telit Cinterion
+S: Product=FN920
+S: SerialNumber=92c4c4d8
+C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index be2761d0bcd91..4dd1a9fb4c8a0 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1301,6 +1301,9 @@ static const struct usb_device_id products[] = {
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a9, 0)}, /* Telit FN920C04 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+--
+2.43.0
+
--- /dev/null
+From 98fa64997b1c9851d2a78ee669dcd264e49b0e5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 08:33:13 +0000
+Subject: net: usb: smsc95xx: stop lying about skb->truesize
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d50729f1d60bca822ef6d9c1a5fb28d486bd7593 ]
+
+Some usb drivers try to set small skb->truesize and break
+core networking stacks.
+
+In this patch, I removed one of the skb->truesize override.
+
+I also replaced one skb_clone() by an allocation of a fresh
+and small skb, to get minimally sized skbs, like we did
+in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize
+in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a:
+stop lying about skb->truesize")
+
+v3: also fix a sparse error ( https://lore.kernel.org/oe-kbuild-all/202405091310.KvncIecx-lkp@intel.com/ )
+v2: leave the skb_trim() game because smsc95xx_rx_csum_offload()
+ needs the csum part. (Jakub)
+ While we are it, use get_unaligned() in smsc95xx_rx_csum_offload().
+
+Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steve Glendinning <steve.glendinning@shawell.net>
+Cc: UNGLinuxDriver@microchip.com
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240509083313.2113832-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 569be01700aa1..2778ad6726f03 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1801,9 +1801,11 @@ static int smsc95xx_reset_resume(struct usb_interface *intf)
+
+ static void smsc95xx_rx_csum_offload(struct sk_buff *skb)
+ {
+- skb->csum = *(u16 *)(skb_tail_pointer(skb) - 2);
++ u16 *csum_ptr = (u16 *)(skb_tail_pointer(skb) - 2);
++
++ skb->csum = (__force __wsum)get_unaligned(csum_ptr);
+ skb->ip_summed = CHECKSUM_COMPLETE;
+- skb_trim(skb, skb->len - 2);
++ skb_trim(skb, skb->len - 2); /* remove csum */
+ }
+
+ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+@@ -1861,25 +1863,22 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ if (dev->net->features & NETIF_F_RXCSUM)
+ smsc95xx_rx_csum_offload(skb);
+ skb_trim(skb, skb->len - 4); /* remove fcs */
+- skb->truesize = size + sizeof(struct sk_buff);
+
+ return 1;
+ }
+
+- ax_skb = skb_clone(skb, GFP_ATOMIC);
++ ax_skb = netdev_alloc_skb_ip_align(dev->net, size);
+ if (unlikely(!ax_skb)) {
+ netdev_warn(dev->net, "Error allocating skb\n");
+ return 0;
+ }
+
+- ax_skb->len = size;
+- ax_skb->data = packet;
+- skb_set_tail_pointer(ax_skb, size);
++ skb_put(ax_skb, size);
++ memcpy(ax_skb->data, packet, size);
+
+ if (dev->net->features & NETIF_F_RXCSUM)
+ smsc95xx_rx_csum_offload(ax_skb);
+ skb_trim(ax_skb, ax_skb->len - 4); /* remove fcs */
+- ax_skb->truesize = size + sizeof(struct sk_buff);
+
+ usbnet_skb_return(dev, ax_skb);
+ }
+--
+2.43.0
+
--- /dev/null
+From 453358cf0ca2fd3fb2f9111ba44e3563ba478e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2024 14:39:39 +0000
+Subject: net: usb: sr9700: stop lying about skb->truesize
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 05417aa9c0c038da2464a0c504b9d4f99814a23b ]
+
+Some usb drivers set small skb->truesize and break
+core networking stacks.
+
+In this patch, I removed one of the skb->truesize override.
+
+I also replaced one skb_clone() by an allocation of a fresh
+and small skb, to get minimally sized skbs, like we did
+in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize
+in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a:
+stop lying about skb->truesize")
+
+Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240506143939.3673865-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9700.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
+index 811c8751308c6..3fac642bec772 100644
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -418,19 +418,15 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ skb_pull(skb, 3);
+ skb->len = len;
+ skb_set_tail_pointer(skb, len);
+- skb->truesize = len + sizeof(struct sk_buff);
+ return 2;
+ }
+
+- /* skb_clone is used for address align */
+- sr_skb = skb_clone(skb, GFP_ATOMIC);
++ sr_skb = netdev_alloc_skb_ip_align(dev->net, len);
+ if (!sr_skb)
+ return 0;
+
+- sr_skb->len = len;
+- sr_skb->data = skb->data + 3;
+- skb_set_tail_pointer(sr_skb, len);
+- sr_skb->truesize = len + sizeof(struct sk_buff);
++ skb_put(sr_skb, len);
++ memcpy(sr_skb->data, skb->data + 3, len);
+ usbnet_skb_return(dev, sr_skb);
+
+ skb_pull(skb, len + SR_RX_OVERHEAD);
+--
+2.43.0
+
--- /dev/null
+From 64b040df059cceeac5d2d42e11630887f0065be9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 May 2024 14:29:34 +0000
+Subject: netrom: fix possible dead-lock in nr_rt_ioctl()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6 ]
+
+syzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]
+
+Make sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)
+
+[1]
+WARNING: possible circular locking dependency detected
+6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted
+------------------------------------------------------
+syz-executor350/5129 is trying to acquire lock:
+ ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
+ ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]
+ ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]
+ ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697
+
+but task is already holding lock:
+ ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
+ ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]
+ ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (nr_node_list_lock){+...}-{2:2}:
+ lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
+ __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
+ _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ nr_remove_node net/netrom/nr_route.c:299 [inline]
+ nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355
+ nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683
+ sock_do_ioctl+0x158/0x460 net/socket.c:1222
+ sock_ioctl+0x629/0x8e0 net/socket.c:1341
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+-> #0 (&nr_node->node_lock){+...}-{2:2}:
+ check_prev_add kernel/locking/lockdep.c:3134 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3253 [inline]
+ validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
+ __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
+ lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
+ __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
+ _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ nr_node_lock include/net/netrom.h:152 [inline]
+ nr_dec_obs net/netrom/nr_route.c:464 [inline]
+ nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697
+ sock_do_ioctl+0x158/0x460 net/socket.c:1222
+ sock_ioctl+0x629/0x8e0 net/socket.c:1341
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(nr_node_list_lock);
+ lock(&nr_node->node_lock);
+ lock(nr_node_list_lock);
+ lock(&nr_node->node_lock);
+
+ *** DEADLOCK ***
+
+1 lock held by syz-executor350/5129:
+ #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
+ #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]
+ #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697
+
+stack backtrace:
+CPU: 0 PID: 5129 Comm: syz-executor350 Not tainted 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
+ check_prev_add kernel/locking/lockdep.c:3134 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3253 [inline]
+ validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
+ __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
+ lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
+ __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
+ _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178
+ spin_lock_bh include/linux/spinlock.h:356 [inline]
+ nr_node_lock include/net/netrom.h:152 [inline]
+ nr_dec_obs net/netrom/nr_route.c:464 [inline]
+ nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697
+ sock_do_ioctl+0x158/0x460 net/socket.c:1222
+ sock_ioctl+0x629/0x8e0 net/socket.c:1341
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240515142934.3708038-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 895702337c92e..9269b5e69b9a5 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -284,22 +284,14 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
+ return 0;
+ }
+
+-static inline void __nr_remove_node(struct nr_node *nr_node)
++static void nr_remove_node_locked(struct nr_node *nr_node)
+ {
++ lockdep_assert_held(&nr_node_list_lock);
++
+ hlist_del_init(&nr_node->node_node);
+ nr_node_put(nr_node);
+ }
+
+-#define nr_remove_node_locked(__node) \
+- __nr_remove_node(__node)
+-
+-static void nr_remove_node(struct nr_node *nr_node)
+-{
+- spin_lock_bh(&nr_node_list_lock);
+- __nr_remove_node(nr_node);
+- spin_unlock_bh(&nr_node_list_lock);
+-}
+-
+ static inline void __nr_remove_neigh(struct nr_neigh *nr_neigh)
+ {
+ hlist_del_init(&nr_neigh->neigh_node);
+@@ -338,6 +330,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n
+ return -EINVAL;
+ }
+
++ spin_lock_bh(&nr_node_list_lock);
+ nr_node_lock(nr_node);
+ for (i = 0; i < nr_node->count; i++) {
+ if (nr_node->routes[i].neighbour == nr_neigh) {
+@@ -351,7 +344,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n
+ nr_node->count--;
+
+ if (nr_node->count == 0) {
+- nr_remove_node(nr_node);
++ nr_remove_node_locked(nr_node);
+ } else {
+ switch (i) {
+ case 0:
+@@ -365,12 +358,14 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n
+ nr_node_put(nr_node);
+ }
+ nr_node_unlock(nr_node);
++ spin_unlock_bh(&nr_node_list_lock);
+
+ return 0;
+ }
+ }
+ nr_neigh_put(nr_neigh);
+ nr_node_unlock(nr_node);
++ spin_unlock_bh(&nr_node_list_lock);
+ nr_node_put(nr_node);
+
+ return -EINVAL;
+--
+2.43.0
+
--- /dev/null
+From b72fb8f9135f5eeb0d9789c32c65cf1ff659fff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 15:30:44 +0100
+Subject: nilfs2: fix out-of-range warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c473bcdd80d4ab2ae79a7a509a6712818366e32a ]
+
+clang-14 points out that v_size is always smaller than a 64KB
+page size if that is configured by the CPU architecture:
+
+fs/nilfs2/ioctl.c:63:19: error: result of comparison of constant 65536 with expression of type '__u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare]
+ if (argv->v_size > PAGE_SIZE)
+ ~~~~~~~~~~~~ ^ ~~~~~~~~~
+
+This is ok, so just shut up that warning with a cast.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240328143051.1069575-7-arnd@kernel.org
+Fixes: 3358b4aaa84f ("nilfs2: fix problems of memory allocation in ioctl")
+Acked-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
+index 01235fac5971f..668c1b28a940e 100644
+--- a/fs/nilfs2/ioctl.c
++++ b/fs/nilfs2/ioctl.c
+@@ -59,7 +59,7 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs,
+ if (argv->v_nmembs == 0)
+ return 0;
+
+- if (argv->v_size > PAGE_SIZE)
++ if ((size_t)argv->v_size > PAGE_SIZE)
+ return -EINVAL;
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 68a5daf97e695bb65e3950d9647b08223b91ce45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Apr 2024 19:16:35 +0200
+Subject: null_blk: Fix missing mutex_destroy() at module removal
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit 07d1b99825f40f9c0d93e6b99d79a08d0717bac1 ]
+
+When a mutex lock is not used any more, the function mutex_destroy
+should be called to mark the mutex lock uninitialized.
+
+Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver")
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Link: https://lore.kernel.org/r/20240425171635.4227-1-yanjun.zhu@linux.dev
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
+index 35b390a785dd4..ee1c3f476a3a0 100644
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -2032,6 +2032,8 @@ static void __exit null_exit(void)
+
+ if (g_queue_mode == NULL_Q_MQ && shared_tags)
+ blk_mq_free_tag_set(&tag_set);
++
++ mutex_destroy(&lock);
+ }
+
+ module_init(null_init);
+--
+2.43.0
+
--- /dev/null
+From 380f99279207ca100c173c2adffc9750a55f95de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 13:49:23 +0530
+Subject: nvme: find numa distance only if controller has valid numa id
+
+From: Nilay Shroff <nilay@linux.ibm.com>
+
+[ Upstream commit 863fe60ed27f2c85172654a63c5b827e72c8b2e6 ]
+
+On system where native nvme multipath is configured and iopolicy
+is set to numa but the nvme controller numa node id is undefined
+or -1 (NUMA_NO_NODE) then avoid calculating node distance for
+finding optimal io path. In such case we may access numa distance
+table with invalid index and that may potentially refer to incorrect
+memory. So this patch ensures that if the nvme controller numa node
+id is -1 then instead of calculating node distance for finding optimal
+io path, we set the numa node distance of such controller to default 10
+(LOCAL_DISTANCE).
+
+Link: https://lore.kernel.org/all/20240413090614.678353-1-nilay@linux.ibm.com/
+Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 379d6818a0635..9f59f93b70e26 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -168,7 +168,8 @@ static struct nvme_ns *__nvme_find_path(struct nvme_ns_head *head, int node)
+ if (nvme_path_is_disabled(ns))
+ continue;
+
+- if (READ_ONCE(head->subsys->iopolicy) == NVME_IOPOLICY_NUMA)
++ if (ns->ctrl->numa_node != NUMA_NO_NODE &&
++ READ_ONCE(head->subsys->iopolicy) == NVME_IOPOLICY_NUMA)
+ distance = node_distance(node, ns->ctrl->numa_node);
+ else
+ distance = LOCAL_DISTANCE;
+--
+2.43.0
+
--- /dev/null
+From 95992cbdbf688edde949d74060af5064ac115463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 16:33:11 -0600
+Subject: openpromfs: finish conversion to the new mount API
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit 8f27829974b025d4df2e78894105d75e3bf349f0 ]
+
+The original mount API conversion inexplicably left out the change
+from ->remount_fs to ->reconfigure; do that now.
+
+Fixes: 7ab2fa7693c3 ("vfs: Convert openpromfs to use the new mount API")
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Link: https://lore.kernel.org/r/90b968aa-c979-420f-ba37-5acc3391b28f@redhat.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/openpromfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/openpromfs/inode.c b/fs/openpromfs/inode.c
+index 40c8c2e32fa3e..1e22344be5e54 100644
+--- a/fs/openpromfs/inode.c
++++ b/fs/openpromfs/inode.c
+@@ -362,10 +362,10 @@ static struct inode *openprom_iget(struct super_block *sb, ino_t ino)
+ return inode;
+ }
+
+-static int openprom_remount(struct super_block *sb, int *flags, char *data)
++static int openpromfs_reconfigure(struct fs_context *fc)
+ {
+- sync_filesystem(sb);
+- *flags |= SB_NOATIME;
++ sync_filesystem(fc->root->d_sb);
++ fc->sb_flags |= SB_NOATIME;
+ return 0;
+ }
+
+@@ -373,7 +373,6 @@ static const struct super_operations openprom_sops = {
+ .alloc_inode = openprom_alloc_inode,
+ .free_inode = openprom_free_inode,
+ .statfs = simple_statfs,
+- .remount_fs = openprom_remount,
+ };
+
+ static int openprom_fill_super(struct super_block *s, struct fs_context *fc)
+@@ -417,6 +416,7 @@ static int openpromfs_get_tree(struct fs_context *fc)
+
+ static const struct fs_context_operations openpromfs_context_ops = {
+ .get_tree = openpromfs_get_tree,
++ .reconfigure = openpromfs_reconfigure,
+ };
+
+ static int openpromfs_init_fs_context(struct fs_context *fc)
+--
+2.43.0
+
--- /dev/null
+From 9ad1de342cc5002740c2183168de2ae0aba98cc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Apr 2024 22:35:54 -0400
+Subject: parisc: add missing export of __cmpxchg_u8()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit c57e5dccb06decf3cb6c272ab138c033727149b5 ]
+
+__cmpxchg_u8() had been added (initially) for the sake of
+drivers/phy/ti/phy-tusb1210.c; the thing is, that drivers is
+modular, so we need an export
+
+Fixes: b344d6a83d01 "parisc: add support for cmpxchg on u8 pointers"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/parisc_ksyms.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c
+index e8a6a751dfd8e..07418f11a964f 100644
+--- a/arch/parisc/kernel/parisc_ksyms.c
++++ b/arch/parisc/kernel/parisc_ksyms.c
+@@ -21,6 +21,7 @@ EXPORT_SYMBOL(memset);
+ #include <linux/atomic.h>
+ EXPORT_SYMBOL(__xchg8);
+ EXPORT_SYMBOL(__xchg32);
++EXPORT_SYMBOL(__cmpxchg_u8);
+ EXPORT_SYMBOL(__cmpxchg_u32);
+ EXPORT_SYMBOL(__cmpxchg_u64);
+ #ifdef CONFIG_SMP
+--
+2.43.0
+
--- /dev/null
+From 6f4e7901c3ed3c0bd3da7af5854dbb765fad2e00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 16:30:57 +0200
+Subject: platform/x86: xiaomi-wmi: Fix race condition when reporting key
+ events
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 290680c2da8061e410bcaec4b21584ed951479af ]
+
+Multiple WMI events can be received concurrently, so multiple instances
+of xiaomi_wmi_notify() can be active at the same time. Since the input
+device is shared between those handlers, the key input sequence can be
+disturbed.
+
+Fix this by protecting the key input sequence with a mutex.
+
+Compile-tested only.
+
+Fixes: edb73f4f0247 ("platform/x86: wmi: add Xiaomi WMI key driver")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://lore.kernel.org/r/20240402143059.8456-2-W_Armin@gmx.de
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/xiaomi-wmi.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/platform/x86/xiaomi-wmi.c b/drivers/platform/x86/xiaomi-wmi.c
+index 54a2546bb93bf..be80f0bda9484 100644
+--- a/drivers/platform/x86/xiaomi-wmi.c
++++ b/drivers/platform/x86/xiaomi-wmi.c
+@@ -2,8 +2,10 @@
+ /* WMI driver for Xiaomi Laptops */
+
+ #include <linux/acpi.h>
++#include <linux/device.h>
+ #include <linux/input.h>
+ #include <linux/module.h>
++#include <linux/mutex.h>
+ #include <linux/wmi.h>
+
+ #include <uapi/linux/input-event-codes.h>
+@@ -20,12 +22,21 @@
+
+ struct xiaomi_wmi {
+ struct input_dev *input_dev;
++ struct mutex key_lock; /* Protects the key event sequence */
+ unsigned int key_code;
+ };
+
++static void xiaomi_mutex_destroy(void *data)
++{
++ struct mutex *lock = data;
++
++ mutex_destroy(lock);
++}
++
+ static int xiaomi_wmi_probe(struct wmi_device *wdev, const void *context)
+ {
+ struct xiaomi_wmi *data;
++ int ret;
+
+ if (wdev == NULL || context == NULL)
+ return -EINVAL;
+@@ -35,6 +46,11 @@ static int xiaomi_wmi_probe(struct wmi_device *wdev, const void *context)
+ return -ENOMEM;
+ dev_set_drvdata(&wdev->dev, data);
+
++ mutex_init(&data->key_lock);
++ ret = devm_add_action_or_reset(&wdev->dev, xiaomi_mutex_destroy, &data->key_lock);
++ if (ret < 0)
++ return ret;
++
+ data->input_dev = devm_input_allocate_device(&wdev->dev);
+ if (data->input_dev == NULL)
+ return -ENOMEM;
+@@ -59,10 +75,12 @@ static void xiaomi_wmi_notify(struct wmi_device *wdev, union acpi_object *dummy)
+ if (data == NULL)
+ return;
+
++ mutex_lock(&data->key_lock);
+ input_report_key(data->input_dev, data->key_code, 1);
+ input_sync(data->input_dev);
+ input_report_key(data->input_dev, data->key_code, 0);
+ input_sync(data->input_dev);
++ mutex_unlock(&data->key_lock);
+ }
+
+ static const struct wmi_device_id xiaomi_wmi_id_table[] = {
+--
+2.43.0
+
--- /dev/null
+From 35abd238e82bfc5b301936e0ff07f3fd20979f20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 10:06:19 +0200
+Subject: powerpc/fsl-soc: hide unused const variable
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 01acaf3aa75e1641442cc23d8fe0a7bb4226efb1 ]
+
+vmpic_msi_feature is only used conditionally, which triggers a rare
+-Werror=unused-const-variable= warning with gcc:
+
+arch/powerpc/sysdev/fsl_msi.c:567:37: error: 'vmpic_msi_feature' defined but not used [-Werror=unused-const-variable=]
+ 567 | static const struct fsl_msi_feature vmpic_msi_feature =
+
+Hide this one in the same #ifdef as the reference so we can turn on
+the warning by default.
+
+Fixes: 305bcf26128e ("powerpc/fsl-soc: use CONFIG_EPAPR_PARAVIRT for hcalls")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240403080702.3509288-2-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/fsl_msi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c
+index d276c5e964458..77aa7a13ab1db 100644
+--- a/arch/powerpc/sysdev/fsl_msi.c
++++ b/arch/powerpc/sysdev/fsl_msi.c
+@@ -573,10 +573,12 @@ static const struct fsl_msi_feature ipic_msi_feature = {
+ .msiir_offset = 0x38,
+ };
+
++#ifdef CONFIG_EPAPR_PARAVIRT
+ static const struct fsl_msi_feature vmpic_msi_feature = {
+ .fsl_pic_ip = FSL_PIC_IP_VMPIC,
+ .msiir_offset = 0,
+ };
++#endif
+
+ static const struct of_device_id fsl_of_msi_ids[] = {
+ {
+--
+2.43.0
+
--- /dev/null
+From 3857552a9545fa433d78b60f78c20aaa1c02aef7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 23:38:02 +0100
+Subject: qed: avoid truncating work queue length
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 954fd908f177604d4cce77e2a88cc50b29bad5ff ]
+
+clang complains that the temporary string for the name passed into
+alloc_workqueue() is too short for its contents:
+
+drivers/net/ethernet/qlogic/qed/qed_main.c:1218:3: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 18 [-Werror,-Wformat-truncation]
+
+There is no need for a temporary buffer, and the actual name of a workqueue
+is 32 bytes (WQ_NAME_LEN), so just use the interface as intended to avoid
+the truncation.
+
+Fixes: 59ccf86fe69a ("qed: Add driver infrastucture for handling mfw requests.")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240326223825.4084412-4-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
+index 41bc31e3f9356..03ede9425889f 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -1234,7 +1234,6 @@ static void qed_slowpath_task(struct work_struct *work)
+ static int qed_slowpath_wq_start(struct qed_dev *cdev)
+ {
+ struct qed_hwfn *hwfn;
+- char name[NAME_SIZE];
+ int i;
+
+ if (IS_VF(cdev))
+@@ -1243,11 +1242,11 @@ static int qed_slowpath_wq_start(struct qed_dev *cdev)
+ for_each_hwfn(cdev, i) {
+ hwfn = &cdev->hwfns[i];
+
+- snprintf(name, NAME_SIZE, "slowpath-%02x:%02x.%02x",
+- cdev->pdev->bus->number,
+- PCI_SLOT(cdev->pdev->devfn), hwfn->abs_pf_id);
++ hwfn->slowpath_wq = alloc_workqueue("slowpath-%02x:%02x.%02x",
++ 0, 0, cdev->pdev->bus->number,
++ PCI_SLOT(cdev->pdev->devfn),
++ hwfn->abs_pf_id);
+
+- hwfn->slowpath_wq = alloc_workqueue(name, 0, 0);
+ if (!hwfn->slowpath_wq) {
+ DP_NOTICE(hwfn, "Cannot create slowpath workqueue\n");
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 35e78f10a28d9677b66661c45258c791bfe9a10d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Nov 2020 20:24:09 +0800
+Subject: RDMA/hns: Create QP with selected QPN for bank load balance
+
+From: Yangyang Li <liyangyang20@huawei.com>
+
+[ Upstream commit 71586dd2001087e89e344e2c7dcee6b4a53bb6de ]
+
+In order to improve performance by balancing the load between different
+banks of cache, the QPC cache is desigend to choose one of 8 banks
+according to lower 3 bits of QPN. The hns driver needs to count the number
+of QP on each bank and then assigns the QP being created to the bank with
+the minimum load first.
+
+Link: https://lore.kernel.org/r/1606220649-1465-1-git-send-email-liweihang@huawei.com
+Signed-off-by: Yangyang Li <liyangyang20@huawei.com>
+Signed-off-by: Weihang Li <liweihang@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Stable-dep-of: 203b70fda634 ("RDMA/hns: Fix return value in hns_roce_map_mr_sg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_device.h | 15 ++-
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 100 ++++++++++++++++----
+ 2 files changed, 96 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
+index e1f5b92596824..5f16173566614 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_device.h
++++ b/drivers/infiniband/hw/hns/hns_roce_device.h
+@@ -115,6 +115,8 @@
+ #define HNS_ROCE_IDX_QUE_ENTRY_SZ 4
+ #define SRQ_DB_REG 0x230
+
++#define HNS_ROCE_QP_BANK_NUM 8
++
+ /* The chip implementation of the consumer index is calculated
+ * according to twice the actual EQ depth
+ */
+@@ -520,13 +522,22 @@ struct hns_roce_uar_table {
+ struct hns_roce_bitmap bitmap;
+ };
+
++struct hns_roce_bank {
++ struct ida ida;
++ u32 inuse; /* Number of IDs allocated */
++ u32 min; /* Lowest ID to allocate. */
++ u32 max; /* Highest ID to allocate. */
++ u32 next; /* Next ID to allocate. */
++};
++
+ struct hns_roce_qp_table {
+- struct hns_roce_bitmap bitmap;
+ struct hns_roce_hem_table qp_table;
+ struct hns_roce_hem_table irrl_table;
+ struct hns_roce_hem_table trrl_table;
+ struct hns_roce_hem_table sccc_table;
+ struct mutex scc_mutex;
++ struct hns_roce_bank bank[HNS_ROCE_QP_BANK_NUM];
++ spinlock_t bank_lock;
+ };
+
+ struct hns_roce_cq_table {
+@@ -776,7 +787,7 @@ struct hns_roce_caps {
+ u32 max_rq_sg;
+ u32 max_extend_sg;
+ int num_qps;
+- int reserved_qps;
++ u32 reserved_qps;
+ int num_qpc_timer;
+ int num_cqc_timer;
+ int num_srqs;
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index d1c07f1f8fe98..8323de2c4bf9a 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -154,9 +154,50 @@ static void hns_roce_ib_qp_event(struct hns_roce_qp *hr_qp,
+ }
+ }
+
++static u8 get_least_load_bankid_for_qp(struct hns_roce_bank *bank)
++{
++ u32 least_load = bank[0].inuse;
++ u8 bankid = 0;
++ u32 bankcnt;
++ u8 i;
++
++ for (i = 1; i < HNS_ROCE_QP_BANK_NUM; i++) {
++ bankcnt = bank[i].inuse;
++ if (bankcnt < least_load) {
++ least_load = bankcnt;
++ bankid = i;
++ }
++ }
++
++ return bankid;
++}
++
++static int alloc_qpn_with_bankid(struct hns_roce_bank *bank, u8 bankid,
++ unsigned long *qpn)
++{
++ int id;
++
++ id = ida_alloc_range(&bank->ida, bank->next, bank->max, GFP_KERNEL);
++ if (id < 0) {
++ id = ida_alloc_range(&bank->ida, bank->min, bank->max,
++ GFP_KERNEL);
++ if (id < 0)
++ return id;
++ }
++
++ /* the QPN should keep increasing until the max value is reached. */
++ bank->next = (id + 1) > bank->max ? bank->min : id + 1;
++
++ /* the lower 3 bits is bankid */
++ *qpn = (id << 3) | bankid;
++
++ return 0;
++}
+ static int alloc_qpn(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp)
+ {
++ struct hns_roce_qp_table *qp_table = &hr_dev->qp_table;
+ unsigned long num = 0;
++ u8 bankid;
+ int ret;
+
+ if (hr_qp->ibqp.qp_type == IB_QPT_GSI) {
+@@ -169,13 +210,21 @@ static int alloc_qpn(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp)
+
+ hr_qp->doorbell_qpn = 1;
+ } else {
+- ret = hns_roce_bitmap_alloc_range(&hr_dev->qp_table.bitmap,
+- 1, 1, &num);
++ spin_lock(&qp_table->bank_lock);
++ bankid = get_least_load_bankid_for_qp(qp_table->bank);
++
++ ret = alloc_qpn_with_bankid(&qp_table->bank[bankid], bankid,
++ &num);
+ if (ret) {
+- ibdev_err(&hr_dev->ib_dev, "Failed to alloc bitmap\n");
+- return -ENOMEM;
++ ibdev_err(&hr_dev->ib_dev,
++ "failed to alloc QPN, ret = %d\n", ret);
++ spin_unlock(&qp_table->bank_lock);
++ return ret;
+ }
+
++ qp_table->bank[bankid].inuse++;
++ spin_unlock(&qp_table->bank_lock);
++
+ hr_qp->doorbell_qpn = (u32)num;
+ }
+
+@@ -340,9 +389,15 @@ static void free_qpc(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp)
+ hns_roce_table_put(hr_dev, &qp_table->irrl_table, hr_qp->qpn);
+ }
+
++static inline u8 get_qp_bankid(unsigned long qpn)
++{
++ /* The lower 3 bits of QPN are used to hash to different banks */
++ return (u8)(qpn & GENMASK(2, 0));
++}
++
+ static void free_qpn(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp)
+ {
+- struct hns_roce_qp_table *qp_table = &hr_dev->qp_table;
++ u8 bankid;
+
+ if (hr_qp->ibqp.qp_type == IB_QPT_GSI)
+ return;
+@@ -350,7 +405,13 @@ static void free_qpn(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp)
+ if (hr_qp->qpn < hr_dev->caps.reserved_qps)
+ return;
+
+- hns_roce_bitmap_free_range(&qp_table->bitmap, hr_qp->qpn, 1, BITMAP_RR);
++ bankid = get_qp_bankid(hr_qp->qpn);
++
++ ida_free(&hr_dev->qp_table.bank[bankid].ida, hr_qp->qpn >> 3);
++
++ spin_lock(&hr_dev->qp_table.bank_lock);
++ hr_dev->qp_table.bank[bankid].inuse--;
++ spin_unlock(&hr_dev->qp_table.bank_lock);
+ }
+
+ static int set_rq_size(struct hns_roce_dev *hr_dev, struct ib_qp_cap *cap,
+@@ -1293,22 +1354,24 @@ bool hns_roce_wq_overflow(struct hns_roce_wq *hr_wq, int nreq,
+ int hns_roce_init_qp_table(struct hns_roce_dev *hr_dev)
+ {
+ struct hns_roce_qp_table *qp_table = &hr_dev->qp_table;
+- int reserved_from_top = 0;
+- int reserved_from_bot;
+- int ret;
++ unsigned int reserved_from_bot;
++ unsigned int i;
+
+ mutex_init(&qp_table->scc_mutex);
+ xa_init(&hr_dev->qp_table_xa);
+
+ reserved_from_bot = hr_dev->caps.reserved_qps;
+
+- ret = hns_roce_bitmap_init(&qp_table->bitmap, hr_dev->caps.num_qps,
+- hr_dev->caps.num_qps - 1, reserved_from_bot,
+- reserved_from_top);
+- if (ret) {
+- dev_err(hr_dev->dev, "qp bitmap init failed!error=%d\n",
+- ret);
+- return ret;
++ for (i = 0; i < reserved_from_bot; i++) {
++ hr_dev->qp_table.bank[get_qp_bankid(i)].inuse++;
++ hr_dev->qp_table.bank[get_qp_bankid(i)].min++;
++ }
++
++ for (i = 0; i < HNS_ROCE_QP_BANK_NUM; i++) {
++ ida_init(&hr_dev->qp_table.bank[i].ida);
++ hr_dev->qp_table.bank[i].max = hr_dev->caps.num_qps /
++ HNS_ROCE_QP_BANK_NUM - 1;
++ hr_dev->qp_table.bank[i].next = hr_dev->qp_table.bank[i].min;
+ }
+
+ return 0;
+@@ -1316,5 +1379,8 @@ int hns_roce_init_qp_table(struct hns_roce_dev *hr_dev)
+
+ void hns_roce_cleanup_qp_table(struct hns_roce_dev *hr_dev)
+ {
+- hns_roce_bitmap_cleanup(&hr_dev->qp_table.bitmap);
++ int i;
++
++ for (i = 0; i < HNS_ROCE_QP_BANK_NUM; i++)
++ ida_destroy(&hr_dev->qp_table.bank[i].ida);
+ }
+--
+2.43.0
+
--- /dev/null
+From 9b3e7b7a124a2472d2192920613dc97672822f50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Dec 2020 09:37:35 +0800
+Subject: RDMA/hns: Fix incorrect symbol types
+
+From: Wenpeng Liang <liangwenpeng@huawei.com>
+
+[ Upstream commit dcdc366acf8ffc29f091a09e08b4e46caa0a0f21 ]
+
+Types of some fields, variables and parameters of some functions should be
+unsigned.
+
+Link: https://lore.kernel.org/r/1607650657-35992-10-git-send-email-liweihang@huawei.com
+Signed-off-by: Wenpeng Liang <liangwenpeng@huawei.com>
+Signed-off-by: Weihang Li <liweihang@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Stable-dep-of: 203b70fda634 ("RDMA/hns: Fix return value in hns_roce_map_mr_sg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_cmd.c | 10 ++--
+ drivers/infiniband/hw/hns/hns_roce_cmd.h | 2 +-
+ drivers/infiniband/hw/hns/hns_roce_common.h | 14 +++---
+ drivers/infiniband/hw/hns/hns_roce_db.c | 8 ++--
+ drivers/infiniband/hw/hns/hns_roce_device.h | 53 +++++++++++----------
+ drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 8 ++--
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 30 ++++++------
+ drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 11 ++---
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 8 ++--
+ 10 files changed, 73 insertions(+), 73 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_cmd.c b/drivers/infiniband/hw/hns/hns_roce_cmd.c
+index c493d7644b577..339e3fd98b0b4 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_cmd.c
++++ b/drivers/infiniband/hw/hns/hns_roce_cmd.c
+@@ -60,7 +60,7 @@ static int hns_roce_cmd_mbox_post_hw(struct hns_roce_dev *hr_dev, u64 in_param,
+ static int __hns_roce_cmd_mbox_poll(struct hns_roce_dev *hr_dev, u64 in_param,
+ u64 out_param, unsigned long in_modifier,
+ u8 op_modifier, u16 op,
+- unsigned long timeout)
++ unsigned int timeout)
+ {
+ struct device *dev = hr_dev->dev;
+ int ret;
+@@ -78,7 +78,7 @@ static int __hns_roce_cmd_mbox_poll(struct hns_roce_dev *hr_dev, u64 in_param,
+
+ static int hns_roce_cmd_mbox_poll(struct hns_roce_dev *hr_dev, u64 in_param,
+ u64 out_param, unsigned long in_modifier,
+- u8 op_modifier, u16 op, unsigned long timeout)
++ u8 op_modifier, u16 op, unsigned int timeout)
+ {
+ int ret;
+
+@@ -108,7 +108,7 @@ void hns_roce_cmd_event(struct hns_roce_dev *hr_dev, u16 token, u8 status,
+ static int __hns_roce_cmd_mbox_wait(struct hns_roce_dev *hr_dev, u64 in_param,
+ u64 out_param, unsigned long in_modifier,
+ u8 op_modifier, u16 op,
+- unsigned long timeout)
++ unsigned int timeout)
+ {
+ struct hns_roce_cmdq *cmd = &hr_dev->cmd;
+ struct hns_roce_cmd_context *context;
+@@ -159,7 +159,7 @@ static int __hns_roce_cmd_mbox_wait(struct hns_roce_dev *hr_dev, u64 in_param,
+
+ static int hns_roce_cmd_mbox_wait(struct hns_roce_dev *hr_dev, u64 in_param,
+ u64 out_param, unsigned long in_modifier,
+- u8 op_modifier, u16 op, unsigned long timeout)
++ u8 op_modifier, u16 op, unsigned int timeout)
+ {
+ int ret;
+
+@@ -173,7 +173,7 @@ static int hns_roce_cmd_mbox_wait(struct hns_roce_dev *hr_dev, u64 in_param,
+
+ int hns_roce_cmd_mbox(struct hns_roce_dev *hr_dev, u64 in_param, u64 out_param,
+ unsigned long in_modifier, u8 op_modifier, u16 op,
+- unsigned long timeout)
++ unsigned int timeout)
+ {
+ int ret;
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_cmd.h b/drivers/infiniband/hw/hns/hns_roce_cmd.h
+index 8e63b827f28cc..8025e7f657fa6 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_cmd.h
++++ b/drivers/infiniband/hw/hns/hns_roce_cmd.h
+@@ -141,7 +141,7 @@ enum {
+
+ int hns_roce_cmd_mbox(struct hns_roce_dev *hr_dev, u64 in_param, u64 out_param,
+ unsigned long in_modifier, u8 op_modifier, u16 op,
+- unsigned long timeout);
++ unsigned int timeout);
+
+ struct hns_roce_cmd_mailbox *
+ hns_roce_alloc_cmd_mailbox(struct hns_roce_dev *hr_dev);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_common.h b/drivers/infiniband/hw/hns/hns_roce_common.h
+index f5669ff8cfebc..e57e812b1546d 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_common.h
++++ b/drivers/infiniband/hw/hns/hns_roce_common.h
+@@ -38,19 +38,19 @@
+ #define roce_raw_write(value, addr) \
+ __raw_writel((__force u32)cpu_to_le32(value), (addr))
+
+-#define roce_get_field(origin, mask, shift) \
+- (((le32_to_cpu(origin)) & (mask)) >> (shift))
++#define roce_get_field(origin, mask, shift) \
++ ((le32_to_cpu(origin) & (mask)) >> (u32)(shift))
+
+ #define roce_get_bit(origin, shift) \
+ roce_get_field((origin), (1ul << (shift)), (shift))
+
+-#define roce_set_field(origin, mask, shift, val) \
+- do { \
+- (origin) &= ~cpu_to_le32(mask); \
+- (origin) |= cpu_to_le32(((u32)(val) << (shift)) & (mask)); \
++#define roce_set_field(origin, mask, shift, val) \
++ do { \
++ (origin) &= ~cpu_to_le32(mask); \
++ (origin) |= cpu_to_le32(((u32)(val) << (u32)(shift)) & (mask)); \
+ } while (0)
+
+-#define roce_set_bit(origin, shift, val) \
++#define roce_set_bit(origin, shift, val) \
+ roce_set_field((origin), (1ul << (shift)), (shift), (val))
+
+ #define ROCEE_GLB_CFG_ROCEE_DB_SQ_MODE_S 3
+diff --git a/drivers/infiniband/hw/hns/hns_roce_db.c b/drivers/infiniband/hw/hns/hns_roce_db.c
+index bff6abdccfb0c..5cb7376ce9789 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_db.c
++++ b/drivers/infiniband/hw/hns/hns_roce_db.c
+@@ -95,8 +95,8 @@ static struct hns_roce_db_pgdir *hns_roce_alloc_db_pgdir(
+ static int hns_roce_alloc_db_from_pgdir(struct hns_roce_db_pgdir *pgdir,
+ struct hns_roce_db *db, int order)
+ {
+- int o;
+- int i;
++ unsigned long o;
++ unsigned long i;
+
+ for (o = order; o <= 1; ++o) {
+ i = find_first_bit(pgdir->bits[o], HNS_ROCE_DB_PER_PAGE >> o);
+@@ -154,8 +154,8 @@ int hns_roce_alloc_db(struct hns_roce_dev *hr_dev, struct hns_roce_db *db,
+
+ void hns_roce_free_db(struct hns_roce_dev *hr_dev, struct hns_roce_db *db)
+ {
+- int o;
+- int i;
++ unsigned long o;
++ unsigned long i;
+
+ mutex_lock(&hr_dev->pgdir_mutex);
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
+index 5f16173566614..db78bc2d44c21 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_device.h
++++ b/drivers/infiniband/hw/hns/hns_roce_device.h
+@@ -315,7 +315,7 @@ struct hns_roce_hem_table {
+ };
+
+ struct hns_roce_buf_region {
+- int offset; /* page offset */
++ u32 offset; /* page offset */
+ u32 count; /* page count */
+ int hopnum; /* addressing hop num */
+ };
+@@ -335,10 +335,10 @@ struct hns_roce_buf_attr {
+ size_t size; /* region size */
+ int hopnum; /* multi-hop addressing hop num */
+ } region[HNS_ROCE_MAX_BT_REGION];
+- int region_count; /* valid region count */
++ unsigned int region_count; /* valid region count */
+ unsigned int page_shift; /* buffer page shift */
+ bool fixed_page; /* decide page shift is fixed-size or maximum size */
+- int user_access; /* umem access flag */
++ unsigned int user_access; /* umem access flag */
+ bool mtt_only; /* only alloc buffer-required MTT memory */
+ };
+
+@@ -349,7 +349,7 @@ struct hns_roce_hem_cfg {
+ unsigned int buf_pg_shift; /* buffer page shift */
+ unsigned int buf_pg_count; /* buffer page count */
+ struct hns_roce_buf_region region[HNS_ROCE_MAX_BT_REGION];
+- int region_count;
++ unsigned int region_count;
+ };
+
+ /* memory translate region */
+@@ -397,7 +397,7 @@ struct hns_roce_wq {
+ u64 *wrid; /* Work request ID */
+ spinlock_t lock;
+ u32 wqe_cnt; /* WQE num */
+- int max_gs;
++ u32 max_gs;
+ int offset;
+ int wqe_shift; /* WQE size */
+ u32 head;
+@@ -463,8 +463,8 @@ struct hns_roce_db {
+ } u;
+ dma_addr_t dma;
+ void *virt_addr;
+- int index;
+- int order;
++ unsigned long index;
++ unsigned long order;
+ };
+
+ struct hns_roce_cq {
+@@ -512,8 +512,8 @@ struct hns_roce_srq {
+ u64 *wrid;
+ struct hns_roce_idx_que idx_que;
+ spinlock_t lock;
+- int head;
+- int tail;
++ u16 head;
++ u16 tail;
+ struct mutex mutex;
+ void (*event)(struct hns_roce_srq *srq, enum hns_roce_event event);
+ };
+@@ -751,11 +751,11 @@ struct hns_roce_eq {
+ int type_flag; /* Aeq:1 ceq:0 */
+ int eqn;
+ u32 entries;
+- int log_entries;
++ u32 log_entries;
+ int eqe_size;
+ int irq;
+ int log_page_size;
+- int cons_index;
++ u32 cons_index;
+ struct hns_roce_buf_list *buf_list;
+ int over_ignore;
+ int coalesce;
+@@ -763,7 +763,7 @@ struct hns_roce_eq {
+ int hop_num;
+ struct hns_roce_mtr mtr;
+ u16 eq_max_cnt;
+- int eq_period;
++ u32 eq_period;
+ int shift;
+ int event_type;
+ int sub_type;
+@@ -786,8 +786,8 @@ struct hns_roce_caps {
+ u32 max_sq_inline;
+ u32 max_rq_sg;
+ u32 max_extend_sg;
+- int num_qps;
+- u32 reserved_qps;
++ u32 num_qps;
++ u32 reserved_qps;
+ int num_qpc_timer;
+ int num_cqc_timer;
+ int num_srqs;
+@@ -799,7 +799,7 @@ struct hns_roce_caps {
+ u32 max_srq_desc_sz;
+ int max_qp_init_rdma;
+ int max_qp_dest_rdma;
+- int num_cqs;
++ u32 num_cqs;
+ u32 max_cqes;
+ u32 min_cqes;
+ u32 min_wqes;
+@@ -808,7 +808,7 @@ struct hns_roce_caps {
+ int num_aeq_vectors;
+ int num_comp_vectors;
+ int num_other_vectors;
+- int num_mtpts;
++ u32 num_mtpts;
+ u32 num_mtt_segs;
+ u32 num_cqe_segs;
+ u32 num_srqwqe_segs;
+@@ -919,7 +919,7 @@ struct hns_roce_hw {
+ int (*post_mbox)(struct hns_roce_dev *hr_dev, u64 in_param,
+ u64 out_param, u32 in_modifier, u8 op_modifier, u16 op,
+ u16 token, int event);
+- int (*chk_mbox)(struct hns_roce_dev *hr_dev, unsigned long timeout);
++ int (*chk_mbox)(struct hns_roce_dev *hr_dev, unsigned int timeout);
+ int (*rst_prc_mbox)(struct hns_roce_dev *hr_dev);
+ int (*set_gid)(struct hns_roce_dev *hr_dev, u8 port, int gid_index,
+ const union ib_gid *gid, const struct ib_gid_attr *attr);
+@@ -1090,15 +1090,16 @@ static inline struct hns_roce_qp
+ return xa_load(&hr_dev->qp_table_xa, qpn & (hr_dev->caps.num_qps - 1));
+ }
+
+-static inline void *hns_roce_buf_offset(struct hns_roce_buf *buf, int offset)
++static inline void *hns_roce_buf_offset(struct hns_roce_buf *buf,
++ unsigned int offset)
+ {
+ return (char *)(buf->trunk_list[offset >> buf->trunk_shift].buf) +
+ (offset & ((1 << buf->trunk_shift) - 1));
+ }
+
+-static inline dma_addr_t hns_roce_buf_page(struct hns_roce_buf *buf, int idx)
++static inline dma_addr_t hns_roce_buf_page(struct hns_roce_buf *buf, u32 idx)
+ {
+- int offset = idx << buf->page_shift;
++ unsigned int offset = idx << buf->page_shift;
+
+ return buf->trunk_list[offset >> buf->trunk_shift].map +
+ (offset & ((1 << buf->trunk_shift) - 1));
+@@ -1173,7 +1174,7 @@ int hns_roce_mtr_create(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+ void hns_roce_mtr_destroy(struct hns_roce_dev *hr_dev,
+ struct hns_roce_mtr *mtr);
+ int hns_roce_mtr_map(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+- dma_addr_t *pages, int page_cnt);
++ dma_addr_t *pages, unsigned int page_cnt);
+
+ int hns_roce_init_pd_table(struct hns_roce_dev *hr_dev);
+ int hns_roce_init_mr_table(struct hns_roce_dev *hr_dev);
+@@ -1256,10 +1257,10 @@ struct ib_qp *hns_roce_create_qp(struct ib_pd *ib_pd,
+ int hns_roce_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ int attr_mask, struct ib_udata *udata);
+ void init_flush_work(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp);
+-void *hns_roce_get_recv_wqe(struct hns_roce_qp *hr_qp, int n);
+-void *hns_roce_get_send_wqe(struct hns_roce_qp *hr_qp, int n);
+-void *hns_roce_get_extend_sge(struct hns_roce_qp *hr_qp, int n);
+-bool hns_roce_wq_overflow(struct hns_roce_wq *hr_wq, int nreq,
++void *hns_roce_get_recv_wqe(struct hns_roce_qp *hr_qp, unsigned int n);
++void *hns_roce_get_send_wqe(struct hns_roce_qp *hr_qp, unsigned int n);
++void *hns_roce_get_extend_sge(struct hns_roce_qp *hr_qp, unsigned int n);
++bool hns_roce_wq_overflow(struct hns_roce_wq *hr_wq, u32 nreq,
+ struct ib_cq *ib_cq);
+ enum hns_roce_qp_state to_hns_roce_state(enum ib_qp_state state);
+ void hns_roce_lock_cqs(struct hns_roce_cq *send_cq,
+@@ -1289,7 +1290,7 @@ void hns_roce_cq_completion(struct hns_roce_dev *hr_dev, u32 cqn);
+ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type);
+ void hns_roce_qp_event(struct hns_roce_dev *hr_dev, u32 qpn, int event_type);
+ void hns_roce_srq_event(struct hns_roce_dev *hr_dev, u32 srqn, int event_type);
+-int hns_get_gid_index(struct hns_roce_dev *hr_dev, u8 port, int gid_index);
++u8 hns_get_gid_index(struct hns_roce_dev *hr_dev, u8 port, int gid_index);
+ void hns_roce_handle_device_err(struct hns_roce_dev *hr_dev);
+ int hns_roce_init(struct hns_roce_dev *hr_dev);
+ void hns_roce_exit(struct hns_roce_dev *hr_dev);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+index 6f9b024d4ff7c..ea8d7154d0e17 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+@@ -288,7 +288,7 @@ static int hns_roce_v1_post_send(struct ib_qp *ibqp,
+ ret = -EINVAL;
+ *bad_wr = wr;
+ dev_err(dev, "inline len(1-%d)=%d, illegal",
+- ctrl->msg_length,
++ le32_to_cpu(ctrl->msg_length),
+ hr_dev->caps.max_sq_inline);
+ goto out;
+ }
+@@ -1715,7 +1715,7 @@ static int hns_roce_v1_post_mbox(struct hns_roce_dev *hr_dev, u64 in_param,
+ }
+
+ static int hns_roce_v1_chk_mbox(struct hns_roce_dev *hr_dev,
+- unsigned long timeout)
++ unsigned int timeout)
+ {
+ u8 __iomem *hcr = hr_dev->reg_base + ROCEE_MB1_REG;
+ unsigned long end;
+@@ -3674,10 +3674,10 @@ static int hns_roce_v1_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata)
+ return 0;
+ }
+
+-static void set_eq_cons_index_v1(struct hns_roce_eq *eq, int req_not)
++static void set_eq_cons_index_v1(struct hns_roce_eq *eq, u32 req_not)
+ {
+ roce_raw_write((eq->cons_index & HNS_ROCE_V1_CONS_IDX_M) |
+- (req_not << eq->log_entries), eq->doorbell);
++ (req_not << eq->log_entries), eq->doorbell);
+ }
+
+ static void hns_roce_v1_wq_catas_err_handle(struct hns_roce_dev *hr_dev,
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 518b38e9158d4..10ffad061f94a 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -650,7 +650,7 @@ static int hns_roce_v2_post_send(struct ib_qp *ibqp,
+ unsigned int sge_idx;
+ unsigned int wqe_idx;
+ void *wqe = NULL;
+- int nreq;
++ u32 nreq;
+ int ret;
+
+ spin_lock_irqsave(&qp->sq.lock, flags);
+@@ -828,7 +828,7 @@ static void *get_srq_wqe(struct hns_roce_srq *srq, int n)
+ return hns_roce_buf_offset(srq->buf_mtr.kmem, n << srq->wqe_shift);
+ }
+
+-static void *get_idx_buf(struct hns_roce_idx_que *idx_que, int n)
++static void *get_idx_buf(struct hns_roce_idx_que *idx_que, unsigned int n)
+ {
+ return hns_roce_buf_offset(idx_que->mtr.kmem,
+ n << idx_que->entry_shift);
+@@ -869,12 +869,12 @@ static int hns_roce_v2_post_srq_recv(struct ib_srq *ibsrq,
+ struct hns_roce_v2_wqe_data_seg *dseg;
+ struct hns_roce_v2_db srq_db;
+ unsigned long flags;
++ unsigned int ind;
+ __le32 *srq_idx;
+ int ret = 0;
+ int wqe_idx;
+ void *wqe;
+ int nreq;
+- int ind;
+ int i;
+
+ spin_lock_irqsave(&srq->lock, flags);
+@@ -1128,7 +1128,7 @@ static void hns_roce_cmq_init_regs(struct hns_roce_dev *hr_dev, bool ring_type)
+ roce_write(hr_dev, ROCEE_TX_CMQ_BASEADDR_H_REG,
+ upper_32_bits(dma));
+ roce_write(hr_dev, ROCEE_TX_CMQ_DEPTH_REG,
+- ring->desc_num >> HNS_ROCE_CMQ_DESC_NUM_S);
++ (u32)ring->desc_num >> HNS_ROCE_CMQ_DESC_NUM_S);
+ roce_write(hr_dev, ROCEE_TX_CMQ_HEAD_REG, 0);
+ roce_write(hr_dev, ROCEE_TX_CMQ_TAIL_REG, 0);
+ } else {
+@@ -1136,7 +1136,7 @@ static void hns_roce_cmq_init_regs(struct hns_roce_dev *hr_dev, bool ring_type)
+ roce_write(hr_dev, ROCEE_RX_CMQ_BASEADDR_H_REG,
+ upper_32_bits(dma));
+ roce_write(hr_dev, ROCEE_RX_CMQ_DEPTH_REG,
+- ring->desc_num >> HNS_ROCE_CMQ_DESC_NUM_S);
++ (u32)ring->desc_num >> HNS_ROCE_CMQ_DESC_NUM_S);
+ roce_write(hr_dev, ROCEE_RX_CMQ_HEAD_REG, 0);
+ roce_write(hr_dev, ROCEE_RX_CMQ_TAIL_REG, 0);
+ }
+@@ -1907,8 +1907,8 @@ static void set_default_caps(struct hns_roce_dev *hr_dev)
+ }
+ }
+
+-static void calc_pg_sz(int obj_num, int obj_size, int hop_num, int ctx_bt_num,
+- int *buf_page_size, int *bt_page_size, u32 hem_type)
++static void calc_pg_sz(u32 obj_num, u32 obj_size, u32 hop_num, u32 ctx_bt_num,
++ u32 *buf_page_size, u32 *bt_page_size, u32 hem_type)
+ {
+ u64 obj_per_chunk;
+ u64 bt_chunk_size = PAGE_SIZE;
+@@ -2382,10 +2382,10 @@ static int hns_roce_init_link_table(struct hns_roce_dev *hr_dev,
+ u32 buf_chk_sz;
+ dma_addr_t t;
+ int func_num = 1;
+- int pg_num_a;
+- int pg_num_b;
+- int pg_num;
+- int size;
++ u32 pg_num_a;
++ u32 pg_num_b;
++ u32 pg_num;
++ u32 size;
+ int i;
+
+ switch (type) {
+@@ -2549,7 +2549,7 @@ static int hns_roce_query_mbox_status(struct hns_roce_dev *hr_dev)
+ struct hns_roce_cmq_desc desc;
+ struct hns_roce_mbox_status *mb_st =
+ (struct hns_roce_mbox_status *)desc.data;
+- enum hns_roce_cmd_return_status status;
++ int status;
+
+ hns_roce_cmq_setup_basic_desc(&desc, HNS_ROCE_OPC_QUERY_MB_ST, true);
+
+@@ -2620,7 +2620,7 @@ static int hns_roce_v2_post_mbox(struct hns_roce_dev *hr_dev, u64 in_param,
+ }
+
+ static int hns_roce_v2_chk_mbox(struct hns_roce_dev *hr_dev,
+- unsigned long timeout)
++ unsigned int timeout)
+ {
+ struct device *dev = hr_dev->dev;
+ unsigned long end;
+@@ -2970,7 +2970,7 @@ static void *get_cqe_v2(struct hns_roce_cq *hr_cq, int n)
+ return hns_roce_buf_offset(hr_cq->mtr.kmem, n * hr_cq->cqe_size);
+ }
+
+-static void *get_sw_cqe_v2(struct hns_roce_cq *hr_cq, int n)
++static void *get_sw_cqe_v2(struct hns_roce_cq *hr_cq, unsigned int n)
+ {
+ struct hns_roce_v2_cqe *cqe = get_cqe_v2(hr_cq, n & hr_cq->ib_cq.cqe);
+
+@@ -3314,7 +3314,7 @@ static int hns_roce_v2_poll_one(struct hns_roce_cq *hr_cq,
+ int is_send;
+ u16 wqe_ctr;
+ u32 opcode;
+- int qpn;
++ u32 qpn;
+ int ret;
+
+ /* Find cqe according to consumer index */
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index 90cbd15f64415..f62162771db51 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -53,7 +53,7 @@
+ * GID[0][0], GID[1][0],.....GID[N - 1][0],
+ * And so on
+ */
+-int hns_get_gid_index(struct hns_roce_dev *hr_dev, u8 port, int gid_index)
++u8 hns_get_gid_index(struct hns_roce_dev *hr_dev, u8 port, int gid_index)
+ {
+ return gid_index * hr_dev->caps.num_ports + port;
+ }
+diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
+index 13c7ac6ea3127..3d432a6918a78 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -508,7 +508,7 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
+ ibdev_err(ibdev, "failed to map sg mtr, ret = %d.\n", ret);
+ ret = 0;
+ } else {
+- mr->pbl_mtr.hem_cfg.buf_pg_shift = ilog2(ibmr->page_size);
++ mr->pbl_mtr.hem_cfg.buf_pg_shift = (u32)ilog2(ibmr->page_size);
+ ret = mr->npages;
+ }
+
+@@ -827,12 +827,12 @@ static int mtr_get_pages(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+ }
+
+ int hns_roce_mtr_map(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+- dma_addr_t *pages, int page_cnt)
++ dma_addr_t *pages, unsigned int page_cnt)
+ {
+ struct ib_device *ibdev = &hr_dev->ib_dev;
+ struct hns_roce_buf_region *r;
++ unsigned int i;
+ int err;
+- int i;
+
+ /*
+ * Only use the first page address as root ba when hopnum is 0, this
+@@ -869,13 +869,12 @@ int hns_roce_mtr_find(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+ int offset, u64 *mtt_buf, int mtt_max, u64 *base_addr)
+ {
+ struct hns_roce_hem_cfg *cfg = &mtr->hem_cfg;
++ int mtt_count, left;
+ int start_index;
+- int mtt_count;
+ int total = 0;
+ __le64 *mtts;
+- int npage;
++ u32 npage;
+ u64 addr;
+- int left;
+
+ if (!mtt_buf || mtt_max < 1)
+ goto done;
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index 8323de2c4bf9a..3ed43a5c7596b 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -1318,22 +1318,22 @@ static inline void *get_wqe(struct hns_roce_qp *hr_qp, int offset)
+ return hns_roce_buf_offset(hr_qp->mtr.kmem, offset);
+ }
+
+-void *hns_roce_get_recv_wqe(struct hns_roce_qp *hr_qp, int n)
++void *hns_roce_get_recv_wqe(struct hns_roce_qp *hr_qp, unsigned int n)
+ {
+ return get_wqe(hr_qp, hr_qp->rq.offset + (n << hr_qp->rq.wqe_shift));
+ }
+
+-void *hns_roce_get_send_wqe(struct hns_roce_qp *hr_qp, int n)
++void *hns_roce_get_send_wqe(struct hns_roce_qp *hr_qp, unsigned int n)
+ {
+ return get_wqe(hr_qp, hr_qp->sq.offset + (n << hr_qp->sq.wqe_shift));
+ }
+
+-void *hns_roce_get_extend_sge(struct hns_roce_qp *hr_qp, int n)
++void *hns_roce_get_extend_sge(struct hns_roce_qp *hr_qp, unsigned int n)
+ {
+ return get_wqe(hr_qp, hr_qp->sge.offset + (n << hr_qp->sge.sge_shift));
+ }
+
+-bool hns_roce_wq_overflow(struct hns_roce_wq *hr_wq, int nreq,
++bool hns_roce_wq_overflow(struct hns_roce_wq *hr_wq, u32 nreq,
+ struct ib_cq *ib_cq)
+ {
+ struct hns_roce_cq *hr_cq;
+--
+2.43.0
+
--- /dev/null
+From 0539b6f282cd821c919b5eb36ca0c78827c5b3e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 11:38:51 +0800
+Subject: RDMA/hns: Fix return value in hns_roce_map_mr_sg
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 203b70fda63425a4eb29f03f9074859afe821a39 ]
+
+As described in the ib_map_mr_sg function comment, it returns the number
+of sg elements that were mapped to the memory region. However,
+hns_roce_map_mr_sg returns the number of pages required for mapping the
+DMA area. Fix it.
+
+Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20240411033851.2884771-1-shaozhengchao@huawei.com
+Reviewed-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
+index 3d432a6918a78..c038ed7d94962 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -484,18 +484,18 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
+ struct ib_device *ibdev = &hr_dev->ib_dev;
+ struct hns_roce_mr *mr = to_hr_mr(ibmr);
+ struct hns_roce_mtr *mtr = &mr->pbl_mtr;
+- int ret = 0;
++ int ret, sg_num = 0;
+
+ mr->npages = 0;
+ mr->page_list = kvcalloc(mr->pbl_mtr.hem_cfg.buf_pg_count,
+ sizeof(dma_addr_t), GFP_KERNEL);
+ if (!mr->page_list)
+- return ret;
++ return sg_num;
+
+- ret = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page);
+- if (ret < 1) {
++ sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page);
++ if (sg_num < 1) {
+ ibdev_err(ibdev, "failed to store sg pages %u %u, cnt = %d.\n",
+- mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, ret);
++ mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, sg_num);
+ goto err_page_list;
+ }
+
+@@ -506,17 +506,16 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
+ ret = hns_roce_mtr_map(hr_dev, mtr, mr->page_list, mr->npages);
+ if (ret) {
+ ibdev_err(ibdev, "failed to map sg mtr, ret = %d.\n", ret);
+- ret = 0;
++ sg_num = 0;
+ } else {
+ mr->pbl_mtr.hem_cfg.buf_pg_shift = (u32)ilog2(ibmr->page_size);
+- ret = mr->npages;
+ }
+
+ err_page_list:
+ kvfree(mr->page_list);
+ mr->page_list = NULL;
+
+- return ret;
++ return sg_num;
+ }
+
+ static void hns_roce_mw_free(struct hns_roce_dev *hr_dev,
+--
+2.43.0
+
--- /dev/null
+From b80191539462cd495812b548d62186d3f5855259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Apr 2024 17:16:16 +0800
+Subject: RDMA/hns: Modify the print level of CQE error
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 349e859952285ab9689779fb46de163f13f18f43 ]
+
+Too much print may lead to a panic in kernel. Change ibdev_err() to
+ibdev_err_ratelimited(), and change the printing level of cqe dump
+to debug level.
+
+Fixes: 7c044adca272 ("RDMA/hns: Simplify the cqe code of poll cq")
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://lore.kernel.org/r/20240412091616.370789-11-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 10ffad061f94a..13aa8dd42f7d6 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -3278,8 +3278,9 @@ static void get_cqe_status(struct hns_roce_dev *hr_dev, struct hns_roce_qp *qp,
+ wc->status == IB_WC_WR_FLUSH_ERR))
+ return;
+
+- ibdev_err(&hr_dev->ib_dev, "error cqe status 0x%x:\n", cqe_status);
+- print_hex_dump(KERN_ERR, "", DUMP_PREFIX_NONE, 16, 4, cqe,
++ ibdev_err_ratelimited(&hr_dev->ib_dev, "error cqe status 0x%x:\n",
++ cqe_status);
++ print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_NONE, 16, 4, cqe,
+ cq->cqe_size, false);
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 383bef51807e45503c52bb03d3b8b2ac02ade06f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Nov 2020 17:58:36 +0800
+Subject: RDMA/hns: Refactor the hns_roce_buf allocation flow
+
+From: Xi Wang <wangxi11@huawei.com>
+
+[ Upstream commit 6f6e2dcbb82b9b2ea304fe32635789fedd4e9868 ]
+
+Add a group of flags to control the 'struct hns_roce_buf' allocation
+flow, this is used to support the caller running in atomic context.
+
+Link: https://lore.kernel.org/r/1605347916-15964-1-git-send-email-liweihang@huawei.com
+Signed-off-by: Xi Wang <wangxi11@huawei.com>
+Signed-off-by: Weihang Li <liweihang@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Stable-dep-of: 203b70fda634 ("RDMA/hns: Fix return value in hns_roce_map_mr_sg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_alloc.c | 128 +++++++++++---------
+ drivers/infiniband/hw/hns/hns_roce_device.h | 51 ++++----
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 39 ++----
+ 3 files changed, 113 insertions(+), 105 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_alloc.c b/drivers/infiniband/hw/hns/hns_roce_alloc.c
+index 5b2baf89d1109..4bcaaa0524b12 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_alloc.c
++++ b/drivers/infiniband/hw/hns/hns_roce_alloc.c
+@@ -159,76 +159,96 @@ void hns_roce_bitmap_cleanup(struct hns_roce_bitmap *bitmap)
+
+ void hns_roce_buf_free(struct hns_roce_dev *hr_dev, struct hns_roce_buf *buf)
+ {
+- struct device *dev = hr_dev->dev;
+- u32 size = buf->size;
+- int i;
++ struct hns_roce_buf_list *trunks;
++ u32 i;
+
+- if (size == 0)
++ if (!buf)
+ return;
+
+- buf->size = 0;
++ trunks = buf->trunk_list;
++ if (trunks) {
++ buf->trunk_list = NULL;
++ for (i = 0; i < buf->ntrunks; i++)
++ dma_free_coherent(hr_dev->dev, 1 << buf->trunk_shift,
++ trunks[i].buf, trunks[i].map);
+
+- if (hns_roce_buf_is_direct(buf)) {
+- dma_free_coherent(dev, size, buf->direct.buf, buf->direct.map);
+- } else {
+- for (i = 0; i < buf->npages; ++i)
+- if (buf->page_list[i].buf)
+- dma_free_coherent(dev, 1 << buf->page_shift,
+- buf->page_list[i].buf,
+- buf->page_list[i].map);
+- kfree(buf->page_list);
+- buf->page_list = NULL;
++ kfree(trunks);
+ }
++
++ kfree(buf);
+ }
+
+-int hns_roce_buf_alloc(struct hns_roce_dev *hr_dev, u32 size, u32 max_direct,
+- struct hns_roce_buf *buf, u32 page_shift)
++/*
++ * Allocate the dma buffer for storing ROCEE table entries
++ *
++ * @size: required size
++ * @page_shift: the unit size in a continuous dma address range
++ * @flags: HNS_ROCE_BUF_ flags to control the allocation flow.
++ */
++struct hns_roce_buf *hns_roce_buf_alloc(struct hns_roce_dev *hr_dev, u32 size,
++ u32 page_shift, u32 flags)
+ {
+- struct hns_roce_buf_list *buf_list;
+- struct device *dev = hr_dev->dev;
+- u32 page_size;
+- int i;
++ u32 trunk_size, page_size, alloced_size;
++ struct hns_roce_buf_list *trunks;
++ struct hns_roce_buf *buf;
++ gfp_t gfp_flags;
++ u32 ntrunk, i;
+
+ /* The minimum shift of the page accessed by hw is HNS_HW_PAGE_SHIFT */
+- buf->page_shift = max_t(int, HNS_HW_PAGE_SHIFT, page_shift);
++ if (WARN_ON(page_shift < HNS_HW_PAGE_SHIFT))
++ return ERR_PTR(-EINVAL);
++
++ gfp_flags = (flags & HNS_ROCE_BUF_NOSLEEP) ? GFP_ATOMIC : GFP_KERNEL;
++ buf = kzalloc(sizeof(*buf), gfp_flags);
++ if (!buf)
++ return ERR_PTR(-ENOMEM);
+
++ buf->page_shift = page_shift;
+ page_size = 1 << buf->page_shift;
+- buf->npages = DIV_ROUND_UP(size, page_size);
+-
+- /* required size is not bigger than one trunk size */
+- if (size <= max_direct) {
+- buf->page_list = NULL;
+- buf->direct.buf = dma_alloc_coherent(dev, size,
+- &buf->direct.map,
+- GFP_KERNEL);
+- if (!buf->direct.buf)
+- return -ENOMEM;
++
++ /* Calc the trunk size and num by required size and page_shift */
++ if (flags & HNS_ROCE_BUF_DIRECT) {
++ buf->trunk_shift = ilog2(ALIGN(size, PAGE_SIZE));
++ ntrunk = 1;
+ } else {
+- buf_list = kcalloc(buf->npages, sizeof(*buf_list), GFP_KERNEL);
+- if (!buf_list)
+- return -ENOMEM;
+-
+- for (i = 0; i < buf->npages; i++) {
+- buf_list[i].buf = dma_alloc_coherent(dev, page_size,
+- &buf_list[i].map,
+- GFP_KERNEL);
+- if (!buf_list[i].buf)
+- break;
+- }
++ buf->trunk_shift = ilog2(ALIGN(page_size, PAGE_SIZE));
++ ntrunk = DIV_ROUND_UP(size, 1 << buf->trunk_shift);
++ }
+
+- if (i != buf->npages && i > 0) {
+- while (i-- > 0)
+- dma_free_coherent(dev, page_size,
+- buf_list[i].buf,
+- buf_list[i].map);
+- kfree(buf_list);
+- return -ENOMEM;
+- }
+- buf->page_list = buf_list;
++ trunks = kcalloc(ntrunk, sizeof(*trunks), gfp_flags);
++ if (!trunks) {
++ kfree(buf);
++ return ERR_PTR(-ENOMEM);
+ }
+- buf->size = size;
+
+- return 0;
++ trunk_size = 1 << buf->trunk_shift;
++ alloced_size = 0;
++ for (i = 0; i < ntrunk; i++) {
++ trunks[i].buf = dma_alloc_coherent(hr_dev->dev, trunk_size,
++ &trunks[i].map, gfp_flags);
++ if (!trunks[i].buf)
++ break;
++
++ alloced_size += trunk_size;
++ }
++
++ buf->ntrunks = i;
++
++ /* In nofail mode, it's only failed when the alloced size is 0 */
++ if ((flags & HNS_ROCE_BUF_NOFAIL) ? i == 0 : i != ntrunk) {
++ for (i = 0; i < buf->ntrunks; i++)
++ dma_free_coherent(hr_dev->dev, trunk_size,
++ trunks[i].buf, trunks[i].map);
++
++ kfree(trunks);
++ kfree(buf);
++ return ERR_PTR(-ENOMEM);
++ }
++
++ buf->npages = DIV_ROUND_UP(alloced_size, page_size);
++ buf->trunk_list = trunks;
++
++ return buf;
+ }
+
+ int hns_roce_get_kmem_bufs(struct hns_roce_dev *hr_dev, dma_addr_t *bufs,
+diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
+index 09b5e4935c2ca..e1f5b92596824 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_device.h
++++ b/drivers/infiniband/hw/hns/hns_roce_device.h
+@@ -263,9 +263,6 @@ enum {
+ #define HNS_HW_PAGE_SHIFT 12
+ #define HNS_HW_PAGE_SIZE (1 << HNS_HW_PAGE_SHIFT)
+
+-/* The minimum page count for hardware access page directly. */
+-#define HNS_HW_DIRECT_PAGE_COUNT 2
+-
+ struct hns_roce_uar {
+ u64 pfn;
+ unsigned long index;
+@@ -417,11 +414,26 @@ struct hns_roce_buf_list {
+ dma_addr_t map;
+ };
+
++/*
++ * %HNS_ROCE_BUF_DIRECT indicates that the all memory must be in a continuous
++ * dma address range.
++ *
++ * %HNS_ROCE_BUF_NOSLEEP indicates that the caller cannot sleep.
++ *
++ * %HNS_ROCE_BUF_NOFAIL allocation only failed when allocated size is zero, even
++ * the allocated size is smaller than the required size.
++ */
++enum {
++ HNS_ROCE_BUF_DIRECT = BIT(0),
++ HNS_ROCE_BUF_NOSLEEP = BIT(1),
++ HNS_ROCE_BUF_NOFAIL = BIT(2),
++};
++
+ struct hns_roce_buf {
+- struct hns_roce_buf_list direct;
+- struct hns_roce_buf_list *page_list;
++ struct hns_roce_buf_list *trunk_list;
++ u32 ntrunks;
+ u32 npages;
+- u32 size;
++ unsigned int trunk_shift;
+ unsigned int page_shift;
+ };
+
+@@ -1067,29 +1079,18 @@ static inline struct hns_roce_qp
+ return xa_load(&hr_dev->qp_table_xa, qpn & (hr_dev->caps.num_qps - 1));
+ }
+
+-static inline bool hns_roce_buf_is_direct(struct hns_roce_buf *buf)
+-{
+- if (buf->page_list)
+- return false;
+-
+- return true;
+-}
+-
+ static inline void *hns_roce_buf_offset(struct hns_roce_buf *buf, int offset)
+ {
+- if (hns_roce_buf_is_direct(buf))
+- return (char *)(buf->direct.buf) + (offset & (buf->size - 1));
+-
+- return (char *)(buf->page_list[offset >> buf->page_shift].buf) +
+- (offset & ((1 << buf->page_shift) - 1));
++ return (char *)(buf->trunk_list[offset >> buf->trunk_shift].buf) +
++ (offset & ((1 << buf->trunk_shift) - 1));
+ }
+
+ static inline dma_addr_t hns_roce_buf_page(struct hns_roce_buf *buf, int idx)
+ {
+- if (hns_roce_buf_is_direct(buf))
+- return buf->direct.map + ((dma_addr_t)idx << buf->page_shift);
+- else
+- return buf->page_list[idx].map;
++ int offset = idx << buf->page_shift;
++
++ return buf->trunk_list[offset >> buf->trunk_shift].map +
++ (offset & ((1 << buf->trunk_shift) - 1));
+ }
+
+ #define hr_hw_page_align(x) ALIGN(x, 1 << HNS_HW_PAGE_SHIFT)
+@@ -1221,8 +1222,8 @@ int hns_roce_alloc_mw(struct ib_mw *mw, struct ib_udata *udata);
+ int hns_roce_dealloc_mw(struct ib_mw *ibmw);
+
+ void hns_roce_buf_free(struct hns_roce_dev *hr_dev, struct hns_roce_buf *buf);
+-int hns_roce_buf_alloc(struct hns_roce_dev *hr_dev, u32 size, u32 max_direct,
+- struct hns_roce_buf *buf, u32 page_shift);
++struct hns_roce_buf *hns_roce_buf_alloc(struct hns_roce_dev *hr_dev, u32 size,
++ u32 page_shift, u32 flags);
+
+ int hns_roce_get_kmem_bufs(struct hns_roce_dev *hr_dev, dma_addr_t *bufs,
+ int buf_cnt, int start, struct hns_roce_buf *buf);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
+index d5b3b10e0a807..13c7ac6ea3127 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -694,15 +694,6 @@ static inline size_t mtr_bufs_size(struct hns_roce_buf_attr *attr)
+ return size;
+ }
+
+-static inline size_t mtr_kmem_direct_size(bool is_direct, size_t alloc_size,
+- unsigned int page_shift)
+-{
+- if (is_direct)
+- return ALIGN(alloc_size, 1 << page_shift);
+- else
+- return HNS_HW_DIRECT_PAGE_COUNT << page_shift;
+-}
+-
+ /*
+ * check the given pages in continuous address space
+ * Returns 0 on success, or the error page num.
+@@ -731,7 +722,6 @@ static void mtr_free_bufs(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr)
+ /* release kernel buffers */
+ if (mtr->kmem) {
+ hns_roce_buf_free(hr_dev, mtr->kmem);
+- kfree(mtr->kmem);
+ mtr->kmem = NULL;
+ }
+ }
+@@ -743,13 +733,12 @@ static int mtr_alloc_bufs(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+ struct ib_device *ibdev = &hr_dev->ib_dev;
+ unsigned int best_pg_shift;
+ int all_pg_count = 0;
+- size_t direct_size;
+ size_t total_size;
+ int ret;
+
+ total_size = mtr_bufs_size(buf_attr);
+ if (total_size < 1) {
+- ibdev_err(ibdev, "Failed to check mtr size\n");
++ ibdev_err(ibdev, "failed to check mtr size\n.");
+ return -EINVAL;
+ }
+
+@@ -761,7 +750,7 @@ static int mtr_alloc_bufs(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+ mtr->umem = ib_umem_get(ibdev, user_addr, total_size,
+ buf_attr->user_access);
+ if (IS_ERR_OR_NULL(mtr->umem)) {
+- ibdev_err(ibdev, "Failed to get umem, ret %ld\n",
++ ibdev_err(ibdev, "failed to get umem, ret = %ld.\n",
+ PTR_ERR(mtr->umem));
+ return -ENOMEM;
+ }
+@@ -779,19 +768,16 @@ static int mtr_alloc_bufs(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+ ret = 0;
+ } else {
+ mtr->umem = NULL;
+- mtr->kmem = kzalloc(sizeof(*mtr->kmem), GFP_KERNEL);
+- if (!mtr->kmem) {
+- ibdev_err(ibdev, "Failed to alloc kmem\n");
+- return -ENOMEM;
+- }
+- direct_size = mtr_kmem_direct_size(is_direct, total_size,
+- buf_attr->page_shift);
+- ret = hns_roce_buf_alloc(hr_dev, total_size, direct_size,
+- mtr->kmem, buf_attr->page_shift);
+- if (ret) {
+- ibdev_err(ibdev, "Failed to alloc kmem, ret %d\n", ret);
+- goto err_alloc_mem;
++ mtr->kmem =
++ hns_roce_buf_alloc(hr_dev, total_size,
++ buf_attr->page_shift,
++ is_direct ? HNS_ROCE_BUF_DIRECT : 0);
++ if (IS_ERR(mtr->kmem)) {
++ ibdev_err(ibdev, "failed to alloc kmem, ret = %ld.\n",
++ PTR_ERR(mtr->kmem));
++ return PTR_ERR(mtr->kmem);
+ }
++
+ best_pg_shift = buf_attr->page_shift;
+ all_pg_count = mtr->kmem->npages;
+ }
+@@ -799,7 +785,8 @@ static int mtr_alloc_bufs(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr,
+ /* must bigger than minimum hardware page shift */
+ if (best_pg_shift < HNS_HW_PAGE_SHIFT || all_pg_count < 1) {
+ ret = -EINVAL;
+- ibdev_err(ibdev, "Failed to check mtr page shift %d count %d\n",
++ ibdev_err(ibdev,
++ "failed to check mtr, page shift = %u count = %d.\n",
+ best_pg_shift, all_pg_count);
+ goto err_alloc_mem;
+ }
+--
+2.43.0
+
--- /dev/null
+From e47759a71f9b54da7c0dde0a26a9b5c0ede49b43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Apr 2024 17:16:15 +0800
+Subject: RDMA/hns: Use complete parentheses in macros
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 4125269bb9b22e1d8cdf4412c81be8074dbc61ca ]
+
+Use complete parentheses to ensure that macro expansion does
+not produce unexpected results.
+
+Fixes: a25d13cbe816 ("RDMA/hns: Add the interfaces to support multi hop addressing for the contexts in hip08")
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://lore.kernel.org/r/20240412091616.370789-10-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h
+index b7617786b1005..5b2162a2b8cef 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h
+@@ -60,16 +60,16 @@ enum {
+ (sizeof(struct scatterlist) + sizeof(void *)))
+
+ #define check_whether_bt_num_3(type, hop_num) \
+- (type < HEM_TYPE_MTT && hop_num == 2)
++ ((type) < HEM_TYPE_MTT && (hop_num) == 2)
+
+ #define check_whether_bt_num_2(type, hop_num) \
+- ((type < HEM_TYPE_MTT && hop_num == 1) || \
+- (type >= HEM_TYPE_MTT && hop_num == 2))
++ (((type) < HEM_TYPE_MTT && (hop_num) == 1) || \
++ ((type) >= HEM_TYPE_MTT && (hop_num) == 2))
+
+ #define check_whether_bt_num_1(type, hop_num) \
+- ((type < HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0) || \
+- (type >= HEM_TYPE_MTT && hop_num == 1) || \
+- (type >= HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0))
++ (((type) < HEM_TYPE_MTT && (hop_num) == HNS_ROCE_HOP_NUM_0) || \
++ ((type) >= HEM_TYPE_MTT && (hop_num) == 1) || \
++ ((type) >= HEM_TYPE_MTT && (hop_num) == HNS_ROCE_HOP_NUM_0))
+
+ struct hns_roce_hem_chunk {
+ struct list_head list;
+--
+2.43.0
+
--- /dev/null
+From 0d529d76557b88a901f8d5ed33123c4c4056ccd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 10:39:33 +0300
+Subject: RDMA/IPoIB: Fix format truncation compilation errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 49ca2b2ef3d003402584c68ae7b3055ba72e750a ]
+
+Truncate the device name to store IPoIB VLAN name.
+
+[leonro@5b4e8fba4ddd kernel]$ make -s -j 20 allmodconfig
+[leonro@5b4e8fba4ddd kernel]$ make -s -j 20 W=1 drivers/infiniband/ulp/ipoib/
+drivers/infiniband/ulp/ipoib/ipoib_vlan.c: In function ‘ipoib_vlan_add’:
+drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:52: error: ‘%04x’
+directive output may be truncated writing 4 bytes into a region of size
+between 0 and 15 [-Werror=format-truncation=]
+ 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x",
+ | ^~~~
+drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:48: note: directive
+argument in the range [0, 65535]
+ 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x",
+ | ^~~~~~~~~
+drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:9: note: ‘snprintf’ output
+between 6 and 21 bytes into a destination of size 16
+ 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 188 | ppriv->dev->name, pkey);
+ | ~~~~~~~~~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+make[6]: *** [scripts/Makefile.build:244: drivers/infiniband/ulp/ipoib/ipoib_vlan.o] Error 1
+make[6]: *** Waiting for unfinished jobs....
+
+Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
+Link: https://lore.kernel.org/r/e9d3e1fef69df4c9beaf402cc3ac342bad680791.1715240029.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+index 4c50a87ed7cc2..15a7cda44676c 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+@@ -185,8 +185,12 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey)
+
+ ppriv = ipoib_priv(pdev);
+
+- snprintf(intf_name, sizeof(intf_name), "%s.%04x",
+- ppriv->dev->name, pkey);
++ /* If you increase IFNAMSIZ, update snprintf below
++ * to allow longer names.
++ */
++ BUILD_BUG_ON(IFNAMSIZ != 16);
++ snprintf(intf_name, sizeof(intf_name), "%.10s.%04x", ppriv->dev->name,
++ pkey);
+
+ ndev = ipoib_intf_alloc(ppriv->ca, ppriv->port, intf_name);
+ if (IS_ERR(ndev)) {
+--
+2.43.0
+
--- /dev/null
+From adb78f9fa55b267ff2b12b13b7ed35bc9e002b39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Apr 2024 19:26:15 +0200
+Subject: regulator: vqmmc-ipq4019: fix module autoloading
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 68adb581a39ae63a0ed082c47f01fbbe515efa0e ]
+
+Add MODULE_DEVICE_TABLE(), so the module could be properly autoloaded
+based on the alias from of_device_id table.
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://msgid.link/r/20240410172615.255424-2-krzk@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/vqmmc-ipq4019-regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/vqmmc-ipq4019-regulator.c b/drivers/regulator/vqmmc-ipq4019-regulator.c
+index 6d5ae25d08d1e..e2a28788d8a22 100644
+--- a/drivers/regulator/vqmmc-ipq4019-regulator.c
++++ b/drivers/regulator/vqmmc-ipq4019-regulator.c
+@@ -86,6 +86,7 @@ static const struct of_device_id regulator_ipq4019_of_match[] = {
+ { .compatible = "qcom,vqmmc-ipq4019-regulator", },
+ {},
+ };
++MODULE_DEVICE_TABLE(of, regulator_ipq4019_of_match);
+
+ static struct platform_driver ipq4019_regulator_driver = {
+ .probe = ipq4019_regulator_probe,
+--
+2.43.0
+
--- /dev/null
+From fd2640fab06fa5b0062585da629b40dd6851c88a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Mar 2024 16:18:04 -0700
+Subject: Revert "sh: Handle calling csum_partial with misaligned data"
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit b5319c96292ff877f6b58d349acf0a9dc8d3b454 ]
+
+This reverts commit cadc4e1a2b4d20d0cc0e81f2c6ba0588775e54e5.
+
+Commit cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned
+data") causes bad checksum calculations on unaligned data. Reverting
+it fixes the problem.
+
+ # Subtest: checksum
+ # module: checksum_kunit
+ 1..5
+ # test_csum_fixed_random_inputs: ASSERTION FAILED at lib/checksum_kunit.c:500
+ Expected ( u64)result == ( u64)expec, but
+ ( u64)result == 53378 (0xd082)
+ ( u64)expec == 33488 (0x82d0)
+ # test_csum_fixed_random_inputs: pass:0 fail:1 skip:0 total:1
+ not ok 1 test_csum_fixed_random_inputs
+ # test_csum_all_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:525
+ Expected ( u64)result == ( u64)expec, but
+ ( u64)result == 65281 (0xff01)
+ ( u64)expec == 65280 (0xff00)
+ # test_csum_all_carry_inputs: pass:0 fail:1 skip:0 total:1
+ not ok 2 test_csum_all_carry_inputs
+ # test_csum_no_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:573
+ Expected ( u64)result == ( u64)expec, but
+ ( u64)result == 65535 (0xffff)
+ ( u64)expec == 65534 (0xfffe)
+ # test_csum_no_carry_inputs: pass:0 fail:1 skip:0 total:1
+ not ok 3 test_csum_no_carry_inputs
+ # test_ip_fast_csum: pass:1 fail:0 skip:0 total:1
+ ok 4 test_ip_fast_csum
+ # test_csum_ipv6_magic: pass:1 fail:0 skip:0 total:1
+ ok 5 test_csum_ipv6_magic
+ # checksum: pass:2 fail:3 skip:0 total:5
+ # Totals: pass:2 fail:3 skip:0 total:5
+not ok 22 checksum
+
+Fixes: cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned data")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20240324231804.841099-1-linux@roeck-us.net
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/lib/checksum.S | 67 ++++++++++++------------------------------
+ 1 file changed, 18 insertions(+), 49 deletions(-)
+
+diff --git a/arch/sh/lib/checksum.S b/arch/sh/lib/checksum.S
+index 3e07074e00981..06fed5a21e8ba 100644
+--- a/arch/sh/lib/checksum.S
++++ b/arch/sh/lib/checksum.S
+@@ -33,7 +33,8 @@
+ */
+
+ /*
+- * asmlinkage __wsum csum_partial(const void *buf, int len, __wsum sum);
++ * unsigned int csum_partial(const unsigned char *buf, int len,
++ * unsigned int sum);
+ */
+
+ .text
+@@ -45,31 +46,11 @@ ENTRY(csum_partial)
+ * Fortunately, it is easy to convert 2-byte alignment to 4-byte
+ * alignment for the unrolled loop.
+ */
++ mov r5, r1
+ mov r4, r0
+- tst #3, r0 ! Check alignment.
+- bt/s 2f ! Jump if alignment is ok.
+- mov r4, r7 ! Keep a copy to check for alignment
++ tst #2, r0 ! Check alignment.
++ bt 2f ! Jump if alignment is ok.
+ !
+- tst #1, r0 ! Check alignment.
+- bt 21f ! Jump if alignment is boundary of 2bytes.
+-
+- ! buf is odd
+- tst r5, r5
+- add #-1, r5
+- bt 9f
+- mov.b @r4+, r0
+- extu.b r0, r0
+- addc r0, r6 ! t=0 from previous tst
+- mov r6, r0
+- shll8 r6
+- shlr16 r0
+- shlr8 r0
+- or r0, r6
+- mov r4, r0
+- tst #2, r0
+- bt 2f
+-21:
+- ! buf is 2 byte aligned (len could be 0)
+ add #-2, r5 ! Alignment uses up two bytes.
+ cmp/pz r5 !
+ bt/s 1f ! Jump if we had at least two bytes.
+@@ -77,17 +58,16 @@ ENTRY(csum_partial)
+ bra 6f
+ add #2, r5 ! r5 was < 2. Deal with it.
+ 1:
++ mov r5, r1 ! Save new len for later use.
+ mov.w @r4+, r0
+ extu.w r0, r0
+ addc r0, r6
+ bf 2f
+ add #1, r6
+ 2:
+- ! buf is 4 byte aligned (len could be 0)
+- mov r5, r1
+ mov #-5, r0
+- shld r0, r1
+- tst r1, r1
++ shld r0, r5
++ tst r5, r5
+ bt/s 4f ! if it's =0, go to 4f
+ clrt
+ .align 2
+@@ -109,31 +89,30 @@ ENTRY(csum_partial)
+ addc r0, r6
+ addc r2, r6
+ movt r0
+- dt r1
++ dt r5
+ bf/s 3b
+ cmp/eq #1, r0
+- ! here, we know r1==0
+- addc r1, r6 ! add carry to r6
++ ! here, we know r5==0
++ addc r5, r6 ! add carry to r6
+ 4:
+- mov r5, r0
++ mov r1, r0
+ and #0x1c, r0
+ tst r0, r0
+- bt 6f
+- ! 4 bytes or more remaining
+- mov r0, r1
+- shlr2 r1
++ bt/s 6f
++ mov r0, r5
++ shlr2 r5
+ mov #0, r2
+ 5:
+ addc r2, r6
+ mov.l @r4+, r2
+ movt r0
+- dt r1
++ dt r5
+ bf/s 5b
+ cmp/eq #1, r0
+ addc r2, r6
+- addc r1, r6 ! r1==0 here, so it means add carry-bit
++ addc r5, r6 ! r5==0 here, so it means add carry-bit
+ 6:
+- ! 3 bytes or less remaining
++ mov r1, r5
+ mov #3, r0
+ and r0, r5
+ tst r5, r5
+@@ -159,16 +138,6 @@ ENTRY(csum_partial)
+ mov #0, r0
+ addc r0, r6
+ 9:
+- ! Check if the buffer was misaligned, if so realign sum
+- mov r7, r0
+- tst #1, r0
+- bt 10f
+- mov r6, r0
+- shll8 r6
+- shlr16 r0
+- shlr8 r0
+- or r0, r6
+-10:
+ rts
+ mov r6, r0
+
+--
+2.43.0
+
--- /dev/null
+From c9730b0dd7c2a6a32778b712eb9603f10954e72a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 17:04:56 +0100
+Subject: s390/cio: fix tracepoint subchannel type field
+
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+
+[ Upstream commit 8692a24d0fae19f674d51726d179ad04ba95d958 ]
+
+The subchannel-type field "st" of s390_cio_stsch and s390_cio_msch
+tracepoints is incorrectly filled with the subchannel-enabled SCHIB
+value "ena". Fix this by assigning the correct value.
+
+Fixes: d1de8633d96a ("s390 cio: Rewrite trace point class s390_class_schib")
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/trace.h b/drivers/s390/cio/trace.h
+index 4803139bce149..4716798b1368a 100644
+--- a/drivers/s390/cio/trace.h
++++ b/drivers/s390/cio/trace.h
+@@ -50,7 +50,7 @@ DECLARE_EVENT_CLASS(s390_class_schib,
+ __entry->devno = schib->pmcw.dev;
+ __entry->schib = *schib;
+ __entry->pmcw_ena = schib->pmcw.ena;
+- __entry->pmcw_st = schib->pmcw.ena;
++ __entry->pmcw_st = schib->pmcw.st;
+ __entry->pmcw_dnv = schib->pmcw.dnv;
+ __entry->pmcw_dev = schib->pmcw.dev;
+ __entry->pmcw_lpm = schib->pmcw.lpm;
+--
+2.43.0
+
--- /dev/null
+From 7def8c75a7adf7be0e97b34408963fb944507fba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 18:05:23 +0300
+Subject: sched/fair: Allow disabling sched_balance_newidle with
+ sched_relax_domain_level
+
+From: Vitalii Bursov <vitaly@bursov.com>
+
+[ Upstream commit a1fd0b9d751f840df23ef0e75b691fc00cfd4743 ]
+
+Change relax_domain_level checks so that it would be possible
+to include or exclude all domains from newidle balancing.
+
+This matches the behavior described in the documentation:
+
+ -1 no request. use system default or follow request of others.
+ 0 no search.
+ 1 search siblings (hyperthreads in a core).
+
+"2" enables levels 0 and 1, level_max excludes the last (level_max)
+level, and level_max+1 includes all levels.
+
+Fixes: 1d3504fcf560 ("sched, cpuset: customize sched domains, core")
+Signed-off-by: Vitalii Bursov <vitaly@bursov.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Reviewed-by: Valentin Schneider <vschneid@redhat.com>
+Link: https://lore.kernel.org/r/bd6de28e80073c79466ec6401cdeae78f0d4423d.1714488502.git.vitaly@bursov.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cpuset.c | 2 +-
+ kernel/sched/topology.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
+index 195f9cccab20b..9f2a93c829a91 100644
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -1901,7 +1901,7 @@ bool current_cpuset_is_being_rebound(void)
+ static int update_relax_domain_level(struct cpuset *cs, s64 val)
+ {
+ #ifdef CONFIG_SMP
+- if (val < -1 || val >= sched_domain_level_max)
++ if (val < -1 || val > sched_domain_level_max + 1)
+ return -EINVAL;
+ #endif
+
+diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c
+index ff2c6d3ba6c79..6eb0996ef859f 100644
+--- a/kernel/sched/topology.c
++++ b/kernel/sched/topology.c
+@@ -1217,7 +1217,7 @@ static void set_domain_attribute(struct sched_domain *sd,
+ } else
+ request = attr->relax_domain_level;
+
+- if (sd->level > request) {
++ if (sd->level >= request) {
+ /* Turn off idle balance on this domain: */
+ sd->flags &= ~(SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE);
+ }
+--
+2.43.0
+
--- /dev/null
+From eab7129eca3752af14724b35265d24ab618bd787 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 21:44:20 +0700
+Subject: scsi: bfa: Ensure the copied buf is NUL terminated
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+[ Upstream commit 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 ]
+
+Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
+userspace to that buffer. Later, we use sscanf on this buffer but we don't
+ensure that the string is terminated inside the buffer, this can lead to
+OOB read when using sscanf. Fix this issue by using memdup_user_nul instead
+of memdup_user.
+
+Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bfa/bfad_debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
+index fd1b378a263a0..d3c7d4423c514 100644
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -250,7 +250,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf,
+ unsigned long flags;
+ void *kern_buf;
+
+- kern_buf = memdup_user(buf, nbytes);
++ kern_buf = memdup_user_nul(buf, nbytes);
+ if (IS_ERR(kern_buf))
+ return PTR_ERR(kern_buf);
+
+@@ -317,7 +317,7 @@ bfad_debugfs_write_regwr(struct file *file, const char __user *buf,
+ unsigned long flags;
+ void *kern_buf;
+
+- kern_buf = memdup_user(buf, nbytes);
++ kern_buf = memdup_user_nul(buf, nbytes);
+ if (IS_ERR(kern_buf))
+ return PTR_ERR(kern_buf);
+
+--
+2.43.0
+
--- /dev/null
+From e2705e096ceefc6498b383760d38aeeba5dd9ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Mar 2024 20:04:47 +0300
+Subject: scsi: hpsa: Fix allocation size for Scsi_Host private data
+
+From: Yuri Karpov <YKarpov@ispras.ru>
+
+[ Upstream commit 504e2bed5d50610c1836046c0c195b0a6dba9c72 ]
+
+struct Scsi_Host private data contains pointer to struct ctlr_info.
+
+Restore allocation of only 8 bytes to store pointer in struct Scsi_Host
+private data area.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: bbbd25499100 ("scsi: hpsa: Fix allocation size for scsi_host_alloc()")
+Signed-off-by: Yuri Karpov <YKarpov@ispras.ru>
+Link: https://lore.kernel.org/r/20240312170447.743709-1-YKarpov@ispras.ru
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index a44a098dbb9c7..4e7ec83c07cf6 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -5834,7 +5834,7 @@ static int hpsa_scsi_host_alloc(struct ctlr_info *h)
+ {
+ struct Scsi_Host *sh;
+
+- sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info));
++ sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info *));
+ if (sh == NULL) {
+ dev_err(&h->pdev->dev, "scsi_host_alloc failed\n");
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From bb969431bfd1ff9f9c965c730aa0a8cad4a9d187 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Mar 2024 14:11:03 +0000
+Subject: scsi: libsas: Fix the failure of adding phy with zero-address to port
+
+From: Xingui Yang <yangxingui@huawei.com>
+
+[ Upstream commit 06036a0a5db34642c5dbe22021a767141f010b7a ]
+
+As of commit 7d1d86518118 ("[SCSI] libsas: fix false positive 'device
+attached' conditions"), reset the phy->entacted_sas_addr address to a
+zero-address when the link rate is less than 1.5G.
+
+Currently we find that when a new device is attached, and the link rate is
+less than 1.5G, but the device type is not NO_DEVICE, for example: the link
+rate is SAS_PHY_RESET_IN_PROGRESS and the device type is stp. After setting
+the phy->entacted_sas_addr address to the zero address, the port will
+continue to be created for the phy with the zero-address, and other phys
+with the zero-address will be tried to be added to the new port:
+
+[562240.051197] sas: ex 500e004aaaaaaa1f phy19:U:0 attached: 0000000000000000 (no device)
+// phy19 is deleted but still on the parent port's phy_list
+[562240.062536] sas: ex 500e004aaaaaaa1f phy0 new device attached
+[562240.062616] sas: ex 500e004aaaaaaa1f phy00:U:5 attached: 0000000000000000 (stp)
+[562240.062680] port-7:7:0: trying to add phy phy-7:7:19 fails: it's already part of another port
+
+Therefore, it should be the same as sas_get_phy_attached_dev(). Only when
+device_type is SAS_PHY_UNUSED, sas_address is set to the 0 address.
+
+Fixes: 7d1d86518118 ("[SCSI] libsas: fix false positive 'device attached' conditions")
+Signed-off-by: Xingui Yang <yangxingui@huawei.com>
+Link: https://lore.kernel.org/r/20240312141103.31358-5-yangxingui@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 8444a4287ac1c..8681e0cdfa5e9 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -256,8 +256,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, void *rsp)
+ /* help some expanders that fail to zero sas_address in the 'no
+ * device' case
+ */
+- if (phy->attached_dev_type == SAS_PHY_UNUSED ||
+- phy->linkrate < SAS_LINK_RATE_1_5_GBPS)
++ if (phy->attached_dev_type == SAS_PHY_UNUSED)
+ memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE);
+ else
+ memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE);
+--
+2.43.0
+
--- /dev/null
+From 6ffd1b0e137a7ff1b9869593bb52af30b810df77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 21:44:21 +0700
+Subject: scsi: qedf: Ensure the copied buf is NUL terminated
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+[ Upstream commit d0184a375ee797eb657d74861ba0935b6e405c62 ]
+
+Currently, we allocate a count-sized kernel buffer and copy count from
+userspace to that buffer. Later, we use kstrtouint on this buffer but we
+don't ensure that the string is terminated inside the buffer, this can
+lead to OOB read when using kstrtouint. Fix this issue by using
+memdup_user_nul instead of memdup_user.
+
+Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-4-f1f1b53a10f4@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
+index 451fd236bfd05..96174353e3898 100644
+--- a/drivers/scsi/qedf/qedf_debugfs.c
++++ b/drivers/scsi/qedf/qedf_debugfs.c
+@@ -170,7 +170,7 @@ qedf_dbg_debug_cmd_write(struct file *filp, const char __user *buffer,
+ if (!count || *ppos)
+ return 0;
+
+- kern_buf = memdup_user(buffer, count);
++ kern_buf = memdup_user_nul(buffer, count);
+ if (IS_ERR(kern_buf))
+ return PTR_ERR(kern_buf);
+
+--
+2.43.0
+
--- /dev/null
+From b77ff549f5488c5ef9921faf6cc9ddfdfa1f6af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Mar 2024 15:46:48 -0500
+Subject: scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit b715c55daf598aac8fa339048e4ca8a0916b332e ]
+
+Currently, HCLKDIV is written to and then completed with an mb().
+
+mb() ensures that the write completes, but completion doesn't mean that it
+isn't stored in a buffer somewhere. The recommendation for ensuring this
+bit has taken effect on the device is to perform a read back to force it to
+make it all the way to the device. This is documented in device-io.rst and
+a talk by Will Deacon on this can be seen over here:
+
+ https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678
+
+Let's do that to ensure the bit hits the device. Because the mb()'s purpose
+wasn't to add extra ordering (on top of the ordering guaranteed by
+writel()/readl()), it can safely be removed.
+
+Fixes: d90996dae8e4 ("scsi: ufs: Add UFS platform driver for Cadence UFS")
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-6-181252004586@redhat.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/cdns-pltfrm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/cdns-pltfrm.c b/drivers/scsi/ufs/cdns-pltfrm.c
+index da065a259f6e4..408ba52671dec 100644
+--- a/drivers/scsi/ufs/cdns-pltfrm.c
++++ b/drivers/scsi/ufs/cdns-pltfrm.c
+@@ -135,7 +135,7 @@ static int cdns_ufs_set_hclkdiv(struct ufs_hba *hba)
+ * Make sure the register was updated,
+ * UniPro layer will not work with an incorrect value.
+ */
+- mb();
++ ufshcd_readl(hba, CDNS_UFS_REG_HCLKDIV);
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From d13b71d3d68f309afbcfab41cfa06c0bb5317038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Mar 2024 15:46:50 -0500
+Subject: scsi: ufs: core: Perform read back after disabling interrupts
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit e4a628877119bd40164a651d20321247b6f94a8b ]
+
+Currently, interrupts are cleared and disabled prior to registering the
+interrupt. An mb() is used to complete the clear/disable writes before the
+interrupt is registered.
+
+mb() ensures that the write completes, but completion doesn't mean that it
+isn't stored in a buffer somewhere. The recommendation for ensuring these
+bits have taken effect on the device is to perform a read back to force it
+to make it all the way to the device. This is documented in device-io.rst
+and a talk by Will Deacon on this can be seen over here:
+
+ https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678
+
+Let's do that to ensure these bits hit the device. Because the mb()'s
+purpose wasn't to add extra ordering (on top of the ordering guaranteed by
+writel()/readl()), it can safely be removed.
+
+Fixes: 199ef13cac7d ("scsi: ufs: avoid spurious UFS host controller interrupts")
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Can Guo <quic_cang@quicinc.com>
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-8-181252004586@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index a432aebd14be6..99b59392626b9 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -9193,7 +9193,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
+ * Make sure that UFS interrupts are disabled and any pending interrupt
+ * status is cleared before registering UFS interrupt handler.
+ */
+- mb();
++ ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
+
+ /* IRQ registration */
+ err = devm_request_irq(dev, irq, ufshcd_intr, IRQF_SHARED, UFSHCD, hba);
+--
+2.43.0
+
--- /dev/null
+From b5c56b1a962240d4d7b30b85f084467519e585f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Mar 2024 15:46:51 -0500
+Subject: scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit 4bf3855497b60765ca03b983d064b25e99b97657 ]
+
+Currently, the UIC_COMMAND_COMPL interrupt is disabled and a wmb() is used
+to complete the register write before any following writes.
+
+wmb() ensures the writes complete in that order, but completion doesn't
+mean that it isn't stored in a buffer somewhere. The recommendation for
+ensuring this bit has taken effect on the device is to perform a read back
+to force it to make it all the way to the device. This is documented in
+device-io.rst and a talk by Will Deacon on this can be seen over here:
+
+ https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678
+
+Let's do that to ensure the bit hits the device. Because the wmb()'s
+purpose wasn't to add extra ordering (on top of the ordering guaranteed by
+writel()/readl()), it can safely be removed.
+
+Fixes: d75f7fe495cf ("scsi: ufs: reduce the interrupts for power mode change requests")
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Can Guo <quic_cang@quicinc.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-9-181252004586@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 99b59392626b9..0b0230b46f28e 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -3819,7 +3819,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
+ * Make sure UIC command completion interrupt is disabled before
+ * issuing UIC command.
+ */
+- wmb();
++ ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
+ reenable_intr = true;
+ }
+ ret = __ufshcd_send_uic_cmd(hba, cmd, false);
+--
+2.43.0
+
--- /dev/null
+From 7b44a4d063db329f4115083ba843eaa661557a13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jan 2021 18:56:25 +0800
+Subject: scsi: ufs-qcom: Fix ufs RST_n spec violation
+
+From: Ziqi Chen <ziqichen@codeaurora.org>
+
+[ Upstream commit b61d0414136853fc38898829cde837ce5d691a9a ]
+
+According to the spec (JESD220E chapter 7.2), while powering off/on the ufs
+device, RST_n signal should be between VSS(Ground) and VCCQ/VCCQ2.
+
+Link: https://lore.kernel.org/r/1610103385-45755-3-git-send-email-ziqichen@codeaurora.org
+Acked-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Ziqi Chen <ziqichen@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: a862fafa263a ("scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c
+index 08331ecbe91fb..a432c561c3df0 100644
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -578,6 +578,17 @@ static int ufs_qcom_link_startup_notify(struct ufs_hba *hba,
+ return err;
+ }
+
++static void ufs_qcom_device_reset_ctrl(struct ufs_hba *hba, bool asserted)
++{
++ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
++
++ /* reset gpio is optional */
++ if (!host->device_reset)
++ return;
++
++ gpiod_set_value_cansleep(host->device_reset, asserted);
++}
++
+ static int ufs_qcom_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op)
+ {
+ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+@@ -592,6 +603,9 @@ static int ufs_qcom_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op)
+ ufs_qcom_disable_lane_clks(host);
+ phy_power_off(phy);
+
++ /* reset the connected UFS device during power down */
++ ufs_qcom_device_reset_ctrl(hba, true);
++
+ } else if (!ufs_qcom_is_link_active(hba)) {
+ ufs_qcom_disable_lane_clks(host);
+ }
+@@ -1441,10 +1455,10 @@ static int ufs_qcom_device_reset(struct ufs_hba *hba)
+ * The UFS device shall detect reset pulses of 1us, sleep for 10us to
+ * be on the safe side.
+ */
+- gpiod_set_value_cansleep(host->device_reset, 1);
++ ufs_qcom_device_reset_ctrl(hba, true);
+ usleep_range(10, 15);
+
+- gpiod_set_value_cansleep(host->device_reset, 0);
++ ufs_qcom_device_reset_ctrl(hba, false);
+ usleep_range(10, 15);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 65ff092c2c041d9a9010423ea24ba3b871091541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Mar 2024 15:46:47 -0500
+Subject: scsi: ufs: qcom: Perform read back after writing CGC enable
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit d9488511b3ac7eb48a91bc5eded7027525525e03 ]
+
+Currently, the CGC enable bit is written and then an mb() is used to ensure
+that completes before continuing.
+
+mb() ensures that the write completes, but completion doesn't mean that it
+isn't stored in a buffer somewhere. The recommendation for ensuring this
+bit has taken effect on the device is to perform a read back to force it to
+make it all the way to the device. This is documented in device-io.rst and
+a talk by Will Deacon on this can be seen over here:
+
+ https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678
+
+Let's do that to ensure the bit hits the device. Because the mb()'s purpose
+wasn't to add extra ordering (on top of the ordering guaranteed by
+writel()/readl()), it can safely be removed.
+
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Can Guo <quic_cang@quicinc.com>
+Fixes: 81c0fc51b7a7 ("ufs-qcom: add support for Qualcomm Technologies Inc platforms")
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-5-181252004586@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c
+index 7b8e591265671..ed0d6ea967e17 100644
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -353,7 +353,7 @@ static void ufs_qcom_enable_hw_clk_gating(struct ufs_hba *hba)
+ REG_UFS_CFG2);
+
+ /* Ensure that HW clock gating is enabled before next operations */
+- mb();
++ ufshcd_readl(hba, REG_UFS_CFG2);
+ }
+
+ static int ufs_qcom_hce_enable_notify(struct ufs_hba *hba,
+--
+2.43.0
+
--- /dev/null
+From bb07dafc92f2d0e9dbdfd3525068988e979a0828 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Mar 2024 15:46:44 -0500
+Subject: scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit a862fafa263aea0f427d51aca6ff7fd9eeaaa8bd ]
+
+Currently after writing to REG_UFS_SYS1CLK_1US a mb() is used to ensure
+that write has gone through to the device.
+
+mb() ensures that the write completes, but completion doesn't mean that it
+isn't stored in a buffer somewhere. The recommendation for ensuring this
+bit has taken effect on the device is to perform a read back to force it to
+make it all the way to the device. This is documented in device-io.rst and
+a talk by Will Deacon on this can be seen over here:
+
+ https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678
+
+Let's do that to ensure the bit hits the device. Because the mb()'s purpose
+wasn't to add extra ordering (on top of the ordering guaranteed by
+writel()/readl()), it can safely be removed.
+
+Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations")
+Reviewed-by: Can Guo <quic_cang@quicinc.com>
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-2-181252004586@redhat.com
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c
+index a432c561c3df0..45d21cb80289d 100644
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -449,7 +449,7 @@ static int ufs_qcom_cfg_timers(struct ufs_hba *hba, u32 gear,
+ * make sure above write gets applied before we return from
+ * this function.
+ */
+- mb();
++ ufshcd_readl(hba, REG_UFS_SYS1CLK_1US);
+ }
+
+ if (ufs_qcom_cap_qunipro(host))
+--
+2.43.0
+
--- /dev/null
+From d61f70583221183d8bc1773ba09ea2aea1773aae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Mar 2024 15:46:43 -0500
+Subject: scsi: ufs: qcom: Perform read back after writing reset bit
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit c4d28e06b0c94636f6e35d003fa9ebac0a94e1ae ]
+
+Currently, the reset bit for the UFS provided reset controller (used by its
+phy) is written to, and then a mb() happens to try and ensure that hit the
+device. Immediately afterwards a usleep_range() occurs.
+
+mb() ensures that the write completes, but completion doesn't mean that it
+isn't stored in a buffer somewhere. The recommendation for ensuring this
+bit has taken effect on the device is to perform a read back to force it to
+make it all the way to the device. This is documented in device-io.rst and
+a talk by Will Deacon on this can be seen over here:
+
+ https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678
+
+Let's do that to ensure the bit hits the device. By doing so and
+guaranteeing the ordering against the immediately following usleep_range(),
+the mb() can safely be removed.
+
+Fixes: 81c0fc51b7a7 ("ufs-qcom: add support for Qualcomm Technologies Inc platforms")
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Can Guo <quic_cang@quicinc.com>
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-1-181252004586@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.h b/drivers/scsi/ufs/ufs-qcom.h
+index 3f4922743b3e3..478134ba80864 100644
+--- a/drivers/scsi/ufs/ufs-qcom.h
++++ b/drivers/scsi/ufs/ufs-qcom.h
+@@ -156,10 +156,10 @@ static inline void ufs_qcom_assert_reset(struct ufs_hba *hba)
+ 1 << OFFSET_UFS_PHY_SOFT_RESET, REG_UFS_CFG1);
+
+ /*
+- * Make sure assertion of ufs phy reset is written to
+- * register before returning
++ * Dummy read to ensure the write takes effect before doing any sort
++ * of delay
+ */
+- mb();
++ ufshcd_readl(hba, REG_UFS_CFG1);
+ }
+
+ static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba)
+@@ -168,10 +168,10 @@ static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba)
+ 0 << OFFSET_UFS_PHY_SOFT_RESET, REG_UFS_CFG1);
+
+ /*
+- * Make sure de-assertion of ufs phy reset is written to
+- * register before returning
++ * Dummy read to ensure the write takes effect before doing any sort
++ * of delay
+ */
+- mb();
++ ufshcd_readl(hba, REG_UFS_CFG1);
+ }
+
+ /* Host controller hardware version: major.minor.step */
+--
+2.43.0
+
--- /dev/null
+From 049e25bde748ce8c3b34ad22ee1101735921a8eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Mar 2024 15:46:46 -0500
+Subject: scsi: ufs: qcom: Perform read back after writing unipro mode
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit 823150ecf04f958213cf3bf162187cd1a91c885c ]
+
+Currently, the QUNIPRO_SEL bit is written to and then an mb() is used to
+ensure that completes before continuing.
+
+mb() ensures that the write completes, but completion doesn't mean that it
+isn't stored in a buffer somewhere. The recommendation for ensuring this
+bit has taken effect on the device is to perform a read back to force it to
+make it all the way to the device. This is documented in device-io.rst and
+a talk by Will Deacon on this can be seen over here:
+
+ https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678
+
+But, there's really no reason to even ensure completion before
+continuing. The only requirement here is that this write is ordered to this
+endpoint (which readl()/writel() guarantees already). For that reason the
+mb() can be dropped altogether without anything forcing completion.
+
+Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations")
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-4-181252004586@redhat.com
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c
+index ef8d721022da5..7b8e591265671 100644
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -245,9 +245,6 @@ static void ufs_qcom_select_unipro_mode(struct ufs_qcom_host *host)
+
+ if (host->hw_ver.major == 0x05)
+ ufshcd_rmwl(host->hba, QUNIPRO_G4_SEL, 0, REG_UFS_CFG0);
+-
+- /* make sure above configuration is applied before we return */
+- mb();
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 3de72f6ae1fe97d59a6984b46bb438ce7684e8e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 17:14:05 +0200
+Subject: scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5
+
+From: Abel Vesa <abel.vesa@linaro.org>
+
+[ Upstream commit 9c02aa24bf404a39ec509d9f50539056b9b128f7 ]
+
+On SM8550, depending on the Qunipro, we can run with G5 or G4. For now,
+when the major version is 5 or above, we go with G5. Therefore, we need to
+specifically tell UFS HC that.
+
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 823150ecf04f ("scsi: ufs: qcom: Perform read back after writing unipro mode")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 8 ++++++--
+ drivers/scsi/ufs/ufs-qcom.h | 6 +++++-
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c
+index 45d21cb80289d..ef8d721022da5 100644
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -242,6 +242,10 @@ static void ufs_qcom_select_unipro_mode(struct ufs_qcom_host *host)
+ ufshcd_rmwl(host->hba, QUNIPRO_SEL,
+ ufs_qcom_cap_qunipro(host) ? QUNIPRO_SEL : 0,
+ REG_UFS_CFG1);
++
++ if (host->hw_ver.major == 0x05)
++ ufshcd_rmwl(host->hba, QUNIPRO_G4_SEL, 0, REG_UFS_CFG0);
++
+ /* make sure above configuration is applied before we return */
+ mb();
+ }
+@@ -515,9 +519,9 @@ static int ufs_qcom_cfg_timers(struct ufs_hba *hba, u32 gear,
+ mb();
+ }
+
+- if (update_link_startup_timer) {
++ if (update_link_startup_timer && host->hw_ver.major != 0x5) {
+ ufshcd_writel(hba, ((core_clk_rate / MSEC_PER_SEC) * 100),
+- REG_UFS_PA_LINK_STARTUP_TIMER);
++ REG_UFS_CFG0);
+ /*
+ * make sure that this configuration is applied before
+ * we return
+diff --git a/drivers/scsi/ufs/ufs-qcom.h b/drivers/scsi/ufs/ufs-qcom.h
+index 70bee1d1f1139..742f752d01d61 100644
+--- a/drivers/scsi/ufs/ufs-qcom.h
++++ b/drivers/scsi/ufs/ufs-qcom.h
+@@ -48,7 +48,8 @@ enum {
+ REG_UFS_PA_ERR_CODE = 0xCC,
+ /* On older UFS revisions, this register is called "RETRY_TIMER_REG" */
+ REG_UFS_PARAM0 = 0xD0,
+- REG_UFS_PA_LINK_STARTUP_TIMER = 0xD8,
++ /* On older UFS revisions, this register is called "REG_UFS_PA_LINK_STARTUP_TIMER" */
++ REG_UFS_CFG0 = 0xD8,
+ REG_UFS_CFG1 = 0xDC,
+ REG_UFS_CFG2 = 0xE0,
+ REG_UFS_HW_VERSION = 0xE4,
+@@ -86,6 +87,9 @@ enum {
+ #define UFS_CNTLR_2_x_x_VEN_REGS_OFFSET(x) (0x000 + x)
+ #define UFS_CNTLR_3_x_x_VEN_REGS_OFFSET(x) (0x400 + x)
+
++/* bit definitions for REG_UFS_CFG0 register */
++#define QUNIPRO_G4_SEL BIT(5)
++
+ /* bit definitions for REG_UFS_CFG1 register */
+ #define QUNIPRO_SEL 0x1
+ #define UTP_DBG_RAMS_EN 0x20000
+--
+2.43.0
+
--- /dev/null
+From 43012149346e0c83916afc9cb153d943a801ab36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Dec 2022 19:39:55 +0530
+Subject: scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 7959587f3284bf163e4f1baff3c6fa71fc6a55b1 ]
+
+On newer UFS revisions, the register at offset 0xD0 is called,
+REG_UFS_PARAM0. Since the existing register, RETRY_TIMER_REG is not used
+anywhere, it is safe to use the new name.
+
+Reviewed-by: Andrew Halaney <ahalaney@redhat.com>
+Reviewed-by: Asutosh Das <quic_asutoshd@quicinc.com>
+Tested-by: Andrew Halaney <ahalaney@redhat.com> # Qdrive3/sa8540p-ride
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 823150ecf04f ("scsi: ufs: qcom: Perform read back after writing unipro mode")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.h b/drivers/scsi/ufs/ufs-qcom.h
+index 478134ba80864..70bee1d1f1139 100644
+--- a/drivers/scsi/ufs/ufs-qcom.h
++++ b/drivers/scsi/ufs/ufs-qcom.h
+@@ -46,7 +46,8 @@ enum {
+ REG_UFS_TX_SYMBOL_CLK_NS_US = 0xC4,
+ REG_UFS_LOCAL_PORT_ID_REG = 0xC8,
+ REG_UFS_PA_ERR_CODE = 0xCC,
+- REG_UFS_RETRY_TIMER_REG = 0xD0,
++ /* On older UFS revisions, this register is called "RETRY_TIMER_REG" */
++ REG_UFS_PARAM0 = 0xD0,
+ REG_UFS_PA_LINK_STARTUP_TIMER = 0xD8,
+ REG_UFS_CFG1 = 0xDC,
+ REG_UFS_CFG2 = 0xE0,
+--
+2.43.0
+
--- /dev/null
+From f7896b7d5c82b1fe18b33cc4fbb8ca1710392c20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 May 2024 18:58:20 -0700
+Subject: selftests/binderfs: use the Makefile's rules, not Make's implicit
+ rules
+
+From: John Hubbard <jhubbard@nvidia.com>
+
+[ Upstream commit 019baf635eb6ffe8d6c1343f81788f02a7e0ed98 ]
+
+First of all, in order to build with clang at all, one must first apply
+Valentin Obst's build fix for LLVM [1]. Once that is done, then when
+building with clang, via:
+
+ make LLVM=1 -C tools/testing/selftests
+
+...the following error occurs:
+
+ clang: error: cannot specify -o when generating multiple output files
+
+This is because clang, unlike gcc, won't accept invocations of this
+form:
+
+ clang file1.c header2.h
+
+While trying to fix this, I noticed that:
+
+a) selftests/lib.mk already avoids the problem, and
+
+b) The binderfs Makefile indavertently bypasses the selftests/lib.mk
+build system, and quitely uses Make's implicit build rules for .c files
+instead.
+
+The Makefile attempts to set up both a dependency and a source file,
+neither of which was needed, because lib.mk is able to automatically
+handle both. This line:
+
+ binderfs_test: binderfs_test.c
+
+...causes Make's implicit rules to run, which builds binderfs_test
+without ever looking at lib.mk.
+
+Fix this by simply deleting the "binderfs_test:" Makefile target and
+letting lib.mk handle it instead.
+
+[1] https://lore.kernel.org/all/20240329-selftests-libmk-llvm-rfc-v1-1-2f9ed7d1c49f@valentinobst.de/
+
+Fixes: 6e29225af902 ("binderfs: port tests to test harness infrastructure")
+Cc: Christian Brauner <brauner@kernel.org>
+Signed-off-by: John Hubbard <jhubbard@nvidia.com>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/filesystems/binderfs/Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/testing/selftests/filesystems/binderfs/Makefile b/tools/testing/selftests/filesystems/binderfs/Makefile
+index 8af25ae960498..24d8910c7ab58 100644
+--- a/tools/testing/selftests/filesystems/binderfs/Makefile
++++ b/tools/testing/selftests/filesystems/binderfs/Makefile
+@@ -3,6 +3,4 @@
+ CFLAGS += -I../../../../../usr/include/ -pthread
+ TEST_GEN_PROGS := binderfs_test
+
+-binderfs_test: binderfs_test.c ../../kselftest.h ../../kselftest_harness.h
+-
+ include ../../lib.mk
+--
+2.43.0
+
--- /dev/null
+From 0c0f0611b51026da53667c20a21a2c2e24391982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Apr 2024 13:18:40 +0800
+Subject: selftests/bpf: Fix umount cgroup2 error in test_sockmap
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+[ Upstream commit d75142dbeb2bd1587b9cc19f841578f541275a64 ]
+
+This patch fixes the following "umount cgroup2" error in test_sockmap.c:
+
+ (cgroup_helpers.c:353: errno: Device or resource busy) umount cgroup2
+
+Cgroup fd cg_fd should be closed before cleanup_cgroup_environment().
+
+Fixes: 13a5f3ffd202 ("bpf: Selftests, sockmap test prog run without setting cgroup")
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/0399983bde729708773416b8488bac2cd5e022b8.1712639568.git.tanggeliang@kylinos.cn
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_sockmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
+index 427ca00a32177..85d57633c8b65 100644
+--- a/tools/testing/selftests/bpf/test_sockmap.c
++++ b/tools/testing/selftests/bpf/test_sockmap.c
+@@ -2014,9 +2014,9 @@ int main(int argc, char **argv)
+ free(options.whitelist);
+ if (options.blacklist)
+ free(options.blacklist);
++ close(cg_fd);
+ if (cg_created)
+ cleanup_cgroup_environment();
+- close(cg_fd);
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 867e25acc1b493c1aea5a02426071340c590e7ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jun 2022 00:58:22 +0530
+Subject: selftests/kcmp: Make the test output consistent and clear
+
+From: Gautam Menghani <gautammenghani201@gmail.com>
+
+[ Upstream commit ff682226a353d88ffa5db9c2a9b945066776311e ]
+
+Make the output format of this test consistent. Currently the output is
+as follows:
+
++TAP version 13
++1..1
++# selftests: kcmp: kcmp_test
++# pid1: 45814 pid2: 45815 FD: 1 FILES: 1 VM: 2 FS: 1 SIGHAND: 2
++ IO: 0 SYSVSEM: 0 INV: -1
++# PASS: 0 returned as expected
++# PASS: 0 returned as expected
++# PASS: 0 returned as expected
++# # Planned tests != run tests (0 != 3)
++# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
++# # Planned tests != run tests (0 != 3)
++# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
++# # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:0 error:0
++ok 1 selftests: kcmp: kcmp_test
+
+With this patch applied the output is as follows:
+
++TAP version 13
++1..1
++# selftests: kcmp: kcmp_test
++# TAP version 13
++# 1..3
++# pid1: 46330 pid2: 46331 FD: 1 FILES: 2 VM: 2 FS: 2 SIGHAND: 1
++ IO: 0 SYSVSEM: 0 INV: -1
++# PASS: 0 returned as expected
++# PASS: 0 returned as expected
++# PASS: 0 returned as expected
++# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
++ok 1 selftests: kcmp: kcmp_test
+
+Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Stable-dep-of: eb59a5811371 ("selftests/kcmp: remove unused open mode")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kcmp/kcmp_test.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/kcmp/kcmp_test.c b/tools/testing/selftests/kcmp/kcmp_test.c
+index 6ea7b9f37a411..25110c7c0b3ed 100644
+--- a/tools/testing/selftests/kcmp/kcmp_test.c
++++ b/tools/testing/selftests/kcmp/kcmp_test.c
+@@ -88,6 +88,9 @@ int main(int argc, char **argv)
+ int pid2 = getpid();
+ int ret;
+
++ ksft_print_header();
++ ksft_set_plan(3);
++
+ fd2 = open(kpath, O_RDWR, 0644);
+ if (fd2 < 0) {
+ perror("Can't open file");
+@@ -152,7 +155,6 @@ int main(int argc, char **argv)
+ ksft_inc_pass_cnt();
+ }
+
+- ksft_print_cnts();
+
+ if (ret)
+ ksft_exit_fail();
+@@ -162,5 +164,5 @@ int main(int argc, char **argv)
+
+ waitpid(pid2, &status, P_ALL);
+
+- return ksft_exit_pass();
++ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 660d17fe35eb1544e06ce44246c075230e966c54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 23:46:09 +0000
+Subject: selftests/kcmp: remove unused open mode
+
+From: Edward Liaw <edliaw@google.com>
+
+[ Upstream commit eb59a58113717df04b8a8229befd8ab1e5dbf86e ]
+
+Android bionic warns that open modes are ignored if O_CREAT or O_TMPFILE
+aren't specified. The permissions for the file are set above:
+
+ fd1 = open(kpath, O_RDWR | O_CREAT | O_TRUNC, 0644);
+
+Link: https://lkml.kernel.org/r/20240429234610.191144-1-edliaw@google.com
+Fixes: d97b46a64674 ("syscalls, x86: add __NR_kcmp syscall")
+Signed-off-by: Edward Liaw <edliaw@google.com>
+Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kcmp/kcmp_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kcmp/kcmp_test.c b/tools/testing/selftests/kcmp/kcmp_test.c
+index 25110c7c0b3ed..d7a8e321bb16b 100644
+--- a/tools/testing/selftests/kcmp/kcmp_test.c
++++ b/tools/testing/selftests/kcmp/kcmp_test.c
+@@ -91,7 +91,7 @@ int main(int argc, char **argv)
+ ksft_print_header();
+ ksft_set_plan(3);
+
+- fd2 = open(kpath, O_RDWR, 0644);
++ fd2 = open(kpath, O_RDWR);
+ if (fd2 < 0) {
+ perror("Can't open file");
+ ksft_exit_fail();
+--
+2.43.0
+
nilfs2-fix-potential-hang-in-nilfs_detach_log_writer.patch
alsa-core-fix-null-module-pointer-assignment-at-card-init.patch
alsa-timer-set-lower-bound-of-start-tick-time.patch
+wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch
+net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch
+drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch
+asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch
+asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch
+regulator-vqmmc-ipq4019-fix-module-autoloading.patch
+asoc-rt715-add-vendor-clear-control-register.patch
+asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch
+drm-amdkfd-flush-the-process-wq-before-creating-a-kf.patch
+nvme-find-numa-distance-only-if-controller-has-valid.patch
+openpromfs-finish-conversion-to-the-new-mount-api.patch
+crypto-bcm-fix-pointer-arithmetic.patch
+firmware-raspberrypi-use-correct-device-for-dma-mapp.patch
+ecryptfs-fix-buffer-size-for-tag-66-packet.patch
+nilfs2-fix-out-of-range-warning.patch
+parisc-add-missing-export-of-__cmpxchg_u8.patch
+crypto-ccp-drop-platform-ifdef-checks.patch
+crypto-x86-nh-avx2-add-missing-vzeroupper.patch
+crypto-x86-sha256-avx2-add-missing-vzeroupper.patch
+s390-cio-fix-tracepoint-subchannel-type-field.patch
+jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch
+soc-mediatek-cmdq-fix-typo-of-cmdq_jump_relative.patch
+null_blk-fix-missing-mutex_destroy-at-module-removal.patch
+md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch
+wifi-ath10k-poll-service-ready-message-before-failin.patch
+x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch
+qed-avoid-truncating-work-queue-length.patch
+scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch
+scsi-ufs-qcom-fix-ufs-rst_n-spec-violation.patch
+scsi-ufs-qcom-perform-read-back-after-writing-reg_uf.patch
+scsi-ufs-ufs-qcom-fix-the-qcom-register-name-for-off.patch
+scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-versio.patch
+scsi-ufs-qcom-perform-read-back-after-writing-unipro.patch
+scsi-ufs-qcom-perform-read-back-after-writing-cgc-en.patch
+scsi-ufs-cdns-pltfrm-perform-read-back-after-writing.patch
+scsi-ufs-core-perform-read-back-after-disabling-inte.patch
+scsi-ufs-core-perform-read-back-after-disabling-uic_.patch
+irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch
+irqchip-loongson-pch-msi-fix-off-by-one-on-allocatio.patch
+acpi-disable-wstringop-truncation.patch
+gfs2-fix-ignore-unlock-failures-after-withdraw.patch
+selftests-bpf-fix-umount-cgroup2-error-in-test_sockm.patch
+cpufreq-reorganize-checks-in-cpufreq_offline.patch
+cpufreq-split-cpufreq_offline.patch
+cpufreq-rearrange-locking-in-cpufreq_remove_dev.patch
+cpufreq-exit-callback-is-optional.patch
+net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch
+net-remove-duplicate-reuseport_lookup-functions.patch
+udp-avoid-call-to-compute_score-on-multiple-sites.patch
+scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch
+scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch
+x86-purgatory-switch-to-the-position-independent-sma.patch
+wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch
+wifi-ath10k-populate-board-data-for-wcn3990.patch
+tcp-avoid-premature-drops-in-tcp_add_backlog.patch
+net-give-more-chances-to-rcu-in-netdev_wait_allrefs_.patch
+macintosh-via-macii-fix-bug-sleeping-function-called.patch
+wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch
+wifi-ar5523-enable-proper-endpoint-verification.patch
+sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch
+revert-sh-handle-calling-csum_partial-with-misaligne.patch
+selftests-binderfs-use-the-makefile-s-rules-not-make.patch
+hid-intel-ish-hid-ipc-add-check-for-pci_alloc_irq_ve.patch
+scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch
+scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch
+wifi-mwl8k-initialize-cmd-addr-properly.patch
+usb-aqc111-stop-lying-about-skb-truesize.patch
+net-usb-sr9700-stop-lying-about-skb-truesize.patch
+m68k-fix-spinlock-race-in-kernel-thread-creation.patch
+m68k-mac-fix-reboot-hang-on-mac-iici.patch
+net-ipv6-fix-wrong-start-position-when-receive-hop-b.patch
+eth-sungem-remove-.ndo_poll_controller-to-avoid-dead.patch
+net-ethernet-cortina-locking-fixes.patch
+af_unix-fix-data-races-in-unix_release_sock-unix_str.patch
+net-usb-smsc95xx-stop-lying-about-skb-truesize.patch
+net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch
+ipv6-sr-add-missing-seg6_local_exit.patch
+ipv6-sr-fix-incorrect-unregister-order.patch
+ipv6-sr-fix-invalid-unregister-error-path.patch
+net-mlx5-discard-command-completions-in-internal-err.patch
+drm-amd-display-fix-potential-index-out-of-bounds-in.patch
+asoc-soc-acpi-add-helper-to-identify-parent-driver.patch
+asoc-intel-disable-route-checks-for-skylake-boards.patch
+mtd-rawnand-hynix-fixed-typo.patch
+fbdev-shmobile-fix-snprintf-truncation.patch
+drm-meson-vclk-fix-calculation-of-59.94-fractional-r.patch
+drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch
+powerpc-fsl-soc-hide-unused-const-variable.patch
+fbdev-sisfb-hide-unused-variables.patch
+media-ngene-add-dvb_ca_en50221_init-return-value-che.patch
+media-radio-shark2-avoid-led_names-truncations.patch
+drm-bridge-cdns-mhdp8546-fix-possible-null-pointer-d.patch
+platform-x86-xiaomi-wmi-fix-race-condition-when-repo.patch
+fbdev-sh7760fb-allow-modular-build.patch
+media-atomisp-ssh_css-fix-a-null-pointer-dereference.patch
+drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch
+drm-vc4-fix-possible-null-pointer-dereference.patch
+asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch
+drm-bridge-lt9611-don-t-log-an-error-when-dsi-host-c.patch
+drm-bridge-tc358775-don-t-log-an-error-when-dsi-host.patch
+drm-panel-simple-add-missing-innolux-g121x1-l03-form.patch
+drm-mipi-dsi-use-correct-return-type-for-the-dsc-fun.patch
+rdma-hns-refactor-the-hns_roce_buf-allocation-flow.patch
+rdma-hns-create-qp-with-selected-qpn-for-bank-load-b.patch
+rdma-hns-fix-incorrect-symbol-types.patch
+rdma-hns-fix-return-value-in-hns_roce_map_mr_sg.patch
+rdma-hns-use-complete-parentheses-in-macros.patch
+rdma-hns-modify-the-print-level-of-cqe-error.patch
+clk-qcom-mmcc-msm8998-fix-venus-clock-issue.patch
+x86-insn-fix-push-instruction-in-x86-instruction-dec.patch
+ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch
+sunrpc-removed-redundant-procp-check.patch
+ext4-simplify-calculation-of-blkoff-in-ext4_mb_new_b.patch
+ext4-fix-unit-mismatch-in-ext4_mb_new_blocks_simple.patch
+ext4-try-all-groups-in-ext4_mb_new_blocks_simple.patch
+ext4-remove-unused-parameter-from-ext4_mb_new_blocks.patch
+ext4-fix-potential-unnitialized-variable.patch
+sunrpc-fix-gss_free_in_token_pages.patch
+selftests-kcmp-make-the-test-output-consistent-and-c.patch
+selftests-kcmp-remove-unused-open-mode.patch
+rdma-ipoib-fix-format-truncation-compilation-errors.patch
+net-qrtr-fix-null-ptr-deref-in-qrtr_ns_remove.patch
+net-qrtr-ns-fix-module-refcnt.patch
+netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch
+af_packet-do-not-call-packet_read_pending-from-tpack.patch
+sched-fair-allow-disabling-sched_balance_newidle-wit.patch
--- /dev/null
+From 07aeff5b9f209098b8f81f06c7e8870f4aa3539c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 22:02:30 +0100
+Subject: sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 1422ae080b66134fe192082d9b721ab7bd93fcc5 ]
+
+arch/sh/kernel/kprobes.c:52:16: warning: no previous prototype for 'arch_copy_kprobe' [-Wmissing-prototypes]
+
+Although SH kprobes support was only merged in v2.6.28, it missed the
+earlier removal of the arch_copy_kprobe() callback in v2.6.15.
+
+Based on the powerpc part of commit 49a2a1b83ba6fa40 ("[PATCH] kprobes:
+changed from using spinlock to mutex").
+
+Fixes: d39f5450146ff39f ("sh: Add kprobes support.")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/717d47a19689cc944fae6e981a1ad7cae1642c89.1709326528.git.geert+renesas@glider.be
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/kernel/kprobes.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/arch/sh/kernel/kprobes.c b/arch/sh/kernel/kprobes.c
+index 756100b01e846..8498013732198 100644
+--- a/arch/sh/kernel/kprobes.c
++++ b/arch/sh/kernel/kprobes.c
+@@ -44,17 +44,12 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
+ if (OPCODE_RTE(opcode))
+ return -EFAULT; /* Bad breakpoint */
+
++ memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
+ p->opcode = opcode;
+
+ return 0;
+ }
+
+-void __kprobes arch_copy_kprobe(struct kprobe *p)
+-{
+- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
+- p->opcode = *p->addr;
+-}
+-
+ void __kprobes arch_arm_kprobe(struct kprobe *p)
+ {
+ *p->addr = BREAKPOINT_INSTRUCTION;
+--
+2.43.0
+
--- /dev/null
+From b5b697996f3b2652b6d08a2a9b78f92d27e6d389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 15:41:09 +0000
+Subject: soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE
+
+From: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+
+[ Upstream commit ed4d5ab179b9f0a60da87c650a31f1816db9b4b4 ]
+
+For cmdq jump command, offset 0 means relative jump and offset 1
+means absolute jump. cmdq_pkt_jump() is absolute jump, so fix the
+typo of CMDQ_JUMP_RELATIVE in cmdq_pkt_jump().
+
+Fixes: 946f1792d3d7 ("soc: mediatek: cmdq: add jump function")
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20240222154120.16959-2-chunkuang.hu@kernel.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/mediatek/mtk-cmdq-helper.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/mediatek/mtk-cmdq-helper.c b/drivers/soc/mediatek/mtk-cmdq-helper.c
+index 505651b0d715f..c0b2f9397ea8a 100644
+--- a/drivers/soc/mediatek/mtk-cmdq-helper.c
++++ b/drivers/soc/mediatek/mtk-cmdq-helper.c
+@@ -13,7 +13,8 @@
+ #define CMDQ_POLL_ENABLE_MASK BIT(0)
+ #define CMDQ_EOC_IRQ_EN BIT(0)
+ #define CMDQ_REG_TYPE 1
+-#define CMDQ_JUMP_RELATIVE 1
++#define CMDQ_JUMP_RELATIVE 0
++#define CMDQ_JUMP_ABSOLUTE 1
+
+ struct cmdq_instruction {
+ union {
+@@ -414,7 +415,7 @@ int cmdq_pkt_jump(struct cmdq_pkt *pkt, dma_addr_t addr)
+ struct cmdq_instruction inst = {};
+
+ inst.op = CMDQ_CODE_JUMP;
+- inst.offset = CMDQ_JUMP_RELATIVE;
++ inst.offset = CMDQ_JUMP_ABSOLUTE;
+ inst.value = addr >>
+ cmdq_get_shift_pa(((struct cmdq_client *)pkt->cl)->chan);
+ return cmdq_pkt_append_command(pkt, inst);
+--
+2.43.0
+
--- /dev/null
+From 39e0de3a9676cc060bca58c015c28f9d192b1103 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 09:10:41 -0400
+Subject: SUNRPC: Fix gss_free_in_token_pages()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit bafa6b4d95d97877baa61883ff90f7e374427fae ]
+
+Dan Carpenter says:
+> Commit 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") from Oct
+> 24, 2019 (linux-next), leads to the following Smatch static checker
+> warning:
+>
+> net/sunrpc/auth_gss/svcauth_gss.c:1039 gss_free_in_token_pages()
+> warn: iterator 'i' not incremented
+>
+> net/sunrpc/auth_gss/svcauth_gss.c
+> 1034 static void gss_free_in_token_pages(struct gssp_in_token *in_token)
+> 1035 {
+> 1036 u32 inlen;
+> 1037 int i;
+> 1038
+> --> 1039 i = 0;
+> 1040 inlen = in_token->page_len;
+> 1041 while (inlen) {
+> 1042 if (in_token->pages[i])
+> 1043 put_page(in_token->pages[i]);
+> ^
+> This puts page zero over and over.
+>
+> 1044 inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen;
+> 1045 }
+> 1046
+> 1047 kfree(in_token->pages);
+> 1048 in_token->pages = NULL;
+> 1049 }
+
+Based on the way that the ->pages[] array is constructed in
+gss_read_proxy_verf(), we know that once the loop encounters a NULL
+page pointer, the remaining array elements must also be NULL.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
+Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
+index 406ff7f8b156e..23e6ac9cce113 100644
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1126,17 +1126,11 @@ gss_read_verf(struct rpc_gss_wire_cred *gc,
+
+ static void gss_free_in_token_pages(struct gssp_in_token *in_token)
+ {
+- u32 inlen;
+ int i;
+
+ i = 0;
+- inlen = in_token->page_len;
+- while (inlen) {
+- if (in_token->pages[i])
+- put_page(in_token->pages[i]);
+- inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen;
+- }
+-
++ while (in_token->pages[i])
++ put_page(in_token->pages[i++]);
+ kfree(in_token->pages);
+ in_token->pages = NULL;
+ }
+--
+2.43.0
+
--- /dev/null
+From 62fdec30a4e408e06fbdb0d5ca04e56f7543e76f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Mar 2024 14:10:44 +0700
+Subject: sunrpc: removed redundant procp check
+
+From: Aleksandr Aprelkov <aaprelkov@usergate.com>
+
+[ Upstream commit a576f36971ab4097b6aa76433532aa1fb5ee2d3b ]
+
+since vs_proc pointer is dereferenced before getting it's address there's
+no need to check for NULL.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 8e5b67731d08 ("SUNRPC: Add a callback to initialise server requests")
+Signed-off-by: Aleksandr Aprelkov <aaprelkov@usergate.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/svc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index 495ebe7fad6dd..cfe8b911ca013 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1248,8 +1248,6 @@ svc_generic_init_request(struct svc_rqst *rqstp,
+ if (rqstp->rq_proc >= versp->vs_nproc)
+ goto err_bad_proc;
+ rqstp->rq_procinfo = procp = &versp->vs_proc[rqstp->rq_proc];
+- if (!procp)
+- goto err_bad_proc;
+
+ /* Initialize storage for argp and resp */
+ memset(rqstp->rq_argp, 0, procp->pc_argsize);
+--
+2.43.0
+
--- /dev/null
+From a1ff035dbcb227ae9beb47149d7a68cf4a8f2688 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 12:56:20 +0000
+Subject: tcp: avoid premature drops in tcp_add_backlog()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ec00ed472bdb7d0af840da68c8c11bff9f4d9caa ]
+
+While testing TCP performance with latest trees,
+I saw suspect SOCKET_BACKLOG drops.
+
+tcp_add_backlog() computes its limit with :
+
+ limit = (u32)READ_ONCE(sk->sk_rcvbuf) +
+ (u32)(READ_ONCE(sk->sk_sndbuf) >> 1);
+ limit += 64 * 1024;
+
+This does not take into account that sk->sk_backlog.len
+is reset only at the very end of __release_sock().
+
+Both sk->sk_backlog.len and sk->sk_rmem_alloc could reach
+sk_rcvbuf in normal conditions.
+
+We should double sk->sk_rcvbuf contribution in the formula
+to absorb bubbles in the backlog, which happen more often
+for very fast flows.
+
+This change maintains decent protection against abuses.
+
+Fixes: c377411f2494 ("net: sk_add_backlog() take rmem_alloc into account")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240423125620.3309458-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 85d8688933f3c..0e7179a19e224 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1787,7 +1787,7 @@ int tcp_v4_early_demux(struct sk_buff *skb)
+
+ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ {
+- u32 limit, tail_gso_size, tail_gso_segs;
++ u32 tail_gso_size, tail_gso_segs;
+ struct skb_shared_info *shinfo;
+ const struct tcphdr *th;
+ struct tcphdr *thtail;
+@@ -1796,6 +1796,7 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ bool fragstolen;
+ u32 gso_segs;
+ u32 gso_size;
++ u64 limit;
+ int delta;
+
+ /* In case all data was pulled from skb frags (in __pskb_pull_tail()),
+@@ -1891,7 +1892,13 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ __skb_push(skb, hdrlen);
+
+ no_coalesce:
+- limit = (u32)READ_ONCE(sk->sk_rcvbuf) + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1);
++ /* sk->sk_backlog.len is reset only at the end of __release_sock().
++ * Both sk->sk_backlog.len and sk->sk_rmem_alloc could reach
++ * sk_rcvbuf in normal conditions.
++ */
++ limit = ((u64)READ_ONCE(sk->sk_rcvbuf)) << 1;
++
++ limit += ((u32)READ_ONCE(sk->sk_sndbuf)) >> 1;
+
+ /* Only socket owner can try to collapse/prune rx queues
+ * to reduce memory overhead, so add a little headroom here.
+@@ -1899,6 +1906,8 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ */
+ limit += 64 * 1024;
+
++ limit = min_t(u64, limit, UINT_MAX);
++
+ if (unlikely(sk_add_backlog(sk, skb, limit))) {
+ bh_unlock_sock(sk);
+ __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPBACKLOGDROP);
+--
+2.43.0
+
--- /dev/null
+From 33dec2cdfff19a3993fdda3030fcd4b4e3f8e26b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Apr 2024 17:20:04 -0400
+Subject: udp: Avoid call to compute_score on multiple sites
+
+From: Gabriel Krisman Bertazi <krisman@suse.de>
+
+[ Upstream commit 50aee97d15113b95a68848db1f0cb2a6c09f753a ]
+
+We've observed a 7-12% performance regression in iperf3 UDP ipv4 and
+ipv6 tests with multiple sockets on Zen3 cpus, which we traced back to
+commit f0ea27e7bfe1 ("udp: re-score reuseport groups when connected
+sockets are present"). The failing tests were those that would spawn
+UDP sockets per-cpu on systems that have a high number of cpus.
+
+Unsurprisingly, it is not caused by the extra re-scoring of the reused
+socket, but due to the compiler no longer inlining compute_score, once
+it has the extra call site in udp4_lib_lookup2. This is augmented by
+the "Safe RET" mitigation for SRSO, needed in our Zen3 cpus.
+
+We could just explicitly inline it, but compute_score() is quite a large
+function, around 300b. Inlining in two sites would almost double
+udp4_lib_lookup2, which is a silly thing to do just to workaround a
+mitigation. Instead, this patch shuffles the code a bit to avoid the
+multiple calls to compute_score. Since it is a static function used in
+one spot, the compiler can safely fold it in, as it did before, without
+increasing the text size.
+
+With this patch applied I ran my original iperf3 testcases. The failing
+cases all looked like this (ipv4):
+ iperf3 -c 127.0.0.1 --udp -4 -f K -b $R -l 8920 -t 30 -i 5 -P 64 -O 2
+
+where $R is either 1G/10G/0 (max, unlimited). I ran 3 times each.
+baseline is v6.9-rc3. harmean == harmonic mean; CV == coefficient of
+variation.
+
+ipv4:
+ 1G 10G MAX
+ HARMEAN (CV) HARMEAN (CV) HARMEAN (CV)
+baseline 1743852.66(0.0208) 1725933.02(0.0167) 1705203.78(0.0386)
+patched 1968727.61(0.0035) 1962283.22(0.0195) 1923853.50(0.0256)
+
+ipv6:
+ 1G 10G MAX
+ HARMEAN (CV) HARMEAN (CV) HARMEAN (CV)
+baseline 1729020.03(0.0028) 1691704.49(0.0243) 1692251.34(0.0083)
+patched 1900422.19(0.0067) 1900968.01(0.0067) 1568532.72(0.1519)
+
+This restores the performance we had before the change above with this
+benchmark. We obviously don't expect any real impact when mitigations
+are disabled, but just to be sure it also doesn't regresses:
+
+mitigations=off ipv4:
+ 1G 10G MAX
+ HARMEAN (CV) HARMEAN (CV) HARMEAN (CV)
+baseline 3230279.97(0.0066) 3229320.91(0.0060) 2605693.19(0.0697)
+patched 3242802.36(0.0073) 3239310.71(0.0035) 2502427.19(0.0882)
+
+Cc: Lorenz Bauer <lmb@isovalent.com>
+Fixes: f0ea27e7bfe1 ("udp: re-score reuseport groups when connected sockets are present")
+Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp.c | 21 ++++++++++++++++-----
+ net/ipv6/udp.c | 20 ++++++++++++++++----
+ 2 files changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 127aa7b5ce977..da9015efb45e4 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -420,15 +420,21 @@ static struct sock *udp4_lib_lookup2(struct net *net,
+ {
+ struct sock *sk, *result;
+ int score, badness;
++ bool need_rescore;
+
+ result = NULL;
+ badness = 0;
+ udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) {
+- score = compute_score(sk, net, saddr, sport,
+- daddr, hnum, dif, sdif);
++ need_rescore = false;
++rescore:
++ score = compute_score(need_rescore ? result : sk, net, saddr,
++ sport, daddr, hnum, dif, sdif);
+ if (score > badness) {
+ badness = score;
+
++ if (need_rescore)
++ continue;
++
+ if (sk->sk_state == TCP_ESTABLISHED) {
+ result = sk;
+ continue;
+@@ -449,9 +455,14 @@ static struct sock *udp4_lib_lookup2(struct net *net,
+ if (IS_ERR(result))
+ continue;
+
+- badness = compute_score(result, net, saddr, sport,
+- daddr, hnum, dif, sdif);
+-
++ /* compute_score is too long of a function to be
++ * inlined, and calling it again here yields
++ * measureable overhead for some
++ * workloads. Work around it by jumping
++ * backwards to rescore 'result'.
++ */
++ need_rescore = true;
++ goto rescore;
+ }
+ }
+ return result;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 1632b940347c5..203a6d64d7e99 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -165,15 +165,21 @@ static struct sock *udp6_lib_lookup2(struct net *net,
+ {
+ struct sock *sk, *result;
+ int score, badness;
++ bool need_rescore;
+
+ result = NULL;
+ badness = -1;
+ udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) {
+- score = compute_score(sk, net, saddr, sport,
+- daddr, hnum, dif, sdif);
++ need_rescore = false;
++rescore:
++ score = compute_score(need_rescore ? result : sk, net, saddr,
++ sport, daddr, hnum, dif, sdif);
+ if (score > badness) {
+ badness = score;
+
++ if (need_rescore)
++ continue;
++
+ if (sk->sk_state == TCP_ESTABLISHED) {
+ result = sk;
+ continue;
+@@ -194,8 +200,14 @@ static struct sock *udp6_lib_lookup2(struct net *net,
+ if (IS_ERR(result))
+ continue;
+
+- badness = compute_score(sk, net, saddr, sport,
+- daddr, hnum, dif, sdif);
++ /* compute_score is too long of a function to be
++ * inlined, and calling it again here yields
++ * measureable overhead for some
++ * workloads. Work around it by jumping
++ * backwards to rescore 'result'.
++ */
++ need_rescore = true;
++ goto rescore;
+ }
+ }
+ return result;
+--
+2.43.0
+
--- /dev/null
+From 3f23f6d2c8a97f415982705e1997d5a3f97fddae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2024 13:55:46 +0000
+Subject: usb: aqc111: stop lying about skb->truesize
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9aad6e45c4e7d16b2bb7c3794154b828fb4384b4 ]
+
+Some usb drivers try to set small skb->truesize and break
+core networking stacks.
+
+I replace one skb_clone() by an allocation of a fresh
+and small skb, to get minimally sized skbs, like we did
+in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize
+in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a:
+stop lying about skb->truesize")
+
+Fixes: 361459cd9642 ("net: usb: aqc111: Implement RX data path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240506135546.3641185-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 4ea02116be182..895d4f5166f99 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -1141,17 +1141,15 @@ static int aqc111_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ continue;
+ }
+
+- /* Clone SKB */
+- new_skb = skb_clone(skb, GFP_ATOMIC);
++ new_skb = netdev_alloc_skb_ip_align(dev->net, pkt_len);
+
+ if (!new_skb)
+ goto err;
+
+- new_skb->len = pkt_len;
++ skb_put(new_skb, pkt_len);
++ memcpy(new_skb->data, skb->data, pkt_len);
+ skb_pull(new_skb, AQ_RX_HW_PAD);
+- skb_set_tail_pointer(new_skb, new_skb->len);
+
+- new_skb->truesize = SKB_TRUESIZE(new_skb->len);
+ if (aqc111_data->rx_checksum)
+ aqc111_rx_checksum(new_skb, pkt_desc);
+
+--
+2.43.0
+
--- /dev/null
+From d805f83ac081b3d86b95c5120ccdfca17d71f762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2024 05:14:25 -0700
+Subject: wifi: ar5523: enable proper endpoint verification
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit e120b6388d7d88635d67dcae6483f39c37111850 ]
+
+Syzkaller reports [1] hitting a warning about an endpoint in use
+not having an expected type to it.
+
+Fix the issue by checking for the existence of all proper
+endpoints with their according types intact.
+
+Sadly, this patch has not been tested on real hardware.
+
+[1] Syzkaller report:
+------------[ cut here ]------------
+usb 1-1: BOGUS urb xfer, pipe 3 != type 1
+WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
+...
+Call Trace:
+ <TASK>
+ ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275
+ ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]
+ ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]
+ ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655
+ usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396
+ call_driver_probe drivers/base/dd.c:560 [inline]
+ really_probe+0x249/0xb90 drivers/base/dd.c:639
+ __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
+ driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
+ __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936
+ bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427
+ __device_attach+0x1e4/0x530 drivers/base/dd.c:1008
+ bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487
+ device_add+0xbd9/0x1e90 drivers/base/core.c:3517
+ usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170
+ usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238
+ usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293
+ call_driver_probe drivers/base/dd.c:560 [inline]
+ really_probe+0x249/0xb90 drivers/base/dd.c:639
+ __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
+ driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
+ __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936
+ bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427
+ __device_attach+0x1e4/0x530 drivers/base/dd.c:1008
+ bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487
+ device_add+0xbd9/0x1e90 drivers/base/core.c:3517
+ usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573
+ hub_port_connect drivers/usb/core/hub.c:5353 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
+ port_event drivers/usb/core/hub.c:5653 [inline]
+ hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735
+ process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x669/0x1090 kernel/workqueue.c:2436
+ kthread+0x2e8/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+ </TASK>
+
+Reported-and-tested-by: syzbot+1bc2c2afd44f820a669f@syzkaller.appspotmail.com
+Fixes: b7d572e1871d ("ar5523: Add new driver")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240408121425.29392-1-n.zhandarovich@fintech.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ar5523/ar5523.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
+index efe38b2c1df73..71c2bf8817dc2 100644
+--- a/drivers/net/wireless/ath/ar5523/ar5523.c
++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
+@@ -1590,6 +1590,20 @@ static int ar5523_probe(struct usb_interface *intf,
+ struct ar5523 *ar;
+ int error = -ENOMEM;
+
++ static const u8 bulk_ep_addr[] = {
++ AR5523_CMD_TX_PIPE | USB_DIR_OUT,
++ AR5523_DATA_TX_PIPE | USB_DIR_OUT,
++ AR5523_CMD_RX_PIPE | USB_DIR_IN,
++ AR5523_DATA_RX_PIPE | USB_DIR_IN,
++ 0};
++
++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr)) {
++ dev_err(&dev->dev,
++ "Could not find all expected endpoints\n");
++ error = -ENODEV;
++ goto out;
++ }
++
+ /*
+ * Load firmware if the device requires it. This will return
+ * -ENXIO on success and we'll get called back afer the usb
+--
+2.43.0
+
--- /dev/null
+From 9375b490a94a656b308c3a935d632ac85bc34184 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 11:42:44 +0800
+Subject: wifi: ath10k: Fix an error code problem in
+ ath10k_dbg_sta_write_peer_debug_trigger()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit c511a9c12674d246916bb16c479d496b76983193 ]
+
+Clang Static Checker (scan-build) warns:
+
+drivers/net/wireless/ath/ath10k/debugfs_sta.c:line 429, column 3
+Value stored to 'ret' is never read.
+
+Return 'ret' rather than 'count' when 'ret' stores an error code.
+
+Fixes: ee8b08a1be82 ("ath10k: add debugfs support to get per peer tids log via tracing")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240422034243.938962-1-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+index 367539f2c3700..f7912c72cba34 100644
+--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c
++++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+@@ -438,7 +438,7 @@ ath10k_dbg_sta_write_peer_debug_trigger(struct file *file,
+ }
+ out:
+ mutex_unlock(&ar->conf_mutex);
+- return count;
++ return ret ?: count;
+ }
+
+ static const struct file_operations fops_peer_debug_trigger = {
+--
+2.43.0
+
--- /dev/null
+From 0b72cc45e045cfc62698fc620cf590f14c9cbafa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 07:15:14 +0200
+Subject: wifi: ath10k: poll service ready message before failing
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit e57b7d62a1b2f496caf0beba81cec3c90fad80d5 ]
+
+Currently host relies on CE interrupts to get notified that
+the service ready message is ready. This results in timeout
+issue if the interrupt is not fired, due to some unknown
+reasons. See below logs:
+
+[76321.937866] ath10k_pci 0000:02:00.0: wmi service ready event not received
+...
+[76322.016738] ath10k_pci 0000:02:00.0: Could not init core: -110
+
+And finally it causes WLAN interface bring up failure.
+
+Change to give it one more chance here by polling CE rings,
+before failing directly.
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00157-QCARMSWPZ-1
+
+Fixes: 5e3dd157d7e7 ("ath10k: mac80211 driver for Qualcomm Atheros 802.11ac CQA98xx devices")
+Reported-by: James Prestwood <prestwoj@gmail.com>
+Tested-By: James Prestwood <prestwoj@gmail.com> # on QCA6174 hw3.2
+Link: https://lore.kernel.org/linux-wireless/304ce305-fbe6-420e-ac2a-d61ae5e6ca1a@gmail.com/
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240227030409.89702-1-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 85fe855ece097..9cfd35dc87ba3 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1762,12 +1762,32 @@ void ath10k_wmi_put_wmi_channel(struct ath10k *ar, struct wmi_channel *ch,
+
+ int ath10k_wmi_wait_for_service_ready(struct ath10k *ar)
+ {
+- unsigned long time_left;
++ unsigned long time_left, i;
+
+ time_left = wait_for_completion_timeout(&ar->wmi.service_ready,
+ WMI_SERVICE_READY_TIMEOUT_HZ);
+- if (!time_left)
+- return -ETIMEDOUT;
++ if (!time_left) {
++ /* Sometimes the PCI HIF doesn't receive interrupt
++ * for the service ready message even if the buffer
++ * was completed. PCIe sniffer shows that it's
++ * because the corresponding CE ring doesn't fires
++ * it. Workaround here by polling CE rings once.
++ */
++ ath10k_warn(ar, "failed to receive service ready completion, polling..\n");
++
++ for (i = 0; i < CE_COUNT; i++)
++ ath10k_hif_send_complete_check(ar, i, 1);
++
++ time_left = wait_for_completion_timeout(&ar->wmi.service_ready,
++ WMI_SERVICE_READY_TIMEOUT_HZ);
++ if (!time_left) {
++ ath10k_warn(ar, "polling timed out\n");
++ return -ETIMEDOUT;
++ }
++
++ ath10k_warn(ar, "service ready completion received, continuing normally\n");
++ }
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From e6fd5de569bc716250a92d3e5b23580d77e5459e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jan 2024 08:47:06 +0200
+Subject: wifi: ath10k: populate board data for WCN3990
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit f1f1b5b055c9f27a2f90fd0f0521f5920e9b3c18 ]
+
+Specify board data size (and board.bin filename) for the WCN3990
+platform.
+
+Reported-by: Yongqin Liu <yongqin.liu@linaro.org>
+Fixes: 03a72288c546 ("ath10k: wmi: add hw params entry for wcn3990")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240130-wcn3990-board-fw-v1-1-738f7c19a8c8@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/core.c | 3 +++
+ drivers/net/wireless/ath/ath10k/hw.h | 1 +
+ drivers/net/wireless/ath/ath10k/targaddrs.h | 3 +++
+ 3 files changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
+index 57ac80997319b..d03a36c45f9f3 100644
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -625,6 +625,9 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .max_spatial_stream = 4,
+ .fw = {
+ .dir = WCN3990_HW_1_0_FW_DIR,
++ .board = WCN3990_HW_1_0_BOARD_DATA_FILE,
++ .board_size = WCN3990_BOARD_DATA_SZ,
++ .board_ext_size = WCN3990_BOARD_EXT_DATA_SZ,
+ },
+ .sw_decrypt_mcast_mgmt = true,
+ .hw_ops = &wcn3990_ops,
+diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h
+index d3ef83ad577da..c4df0e4e161b6 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.h
++++ b/drivers/net/wireless/ath/ath10k/hw.h
+@@ -132,6 +132,7 @@ enum qca9377_chip_id_rev {
+ /* WCN3990 1.0 definitions */
+ #define WCN3990_HW_1_0_DEV_VERSION ATH10K_HW_WCN3990
+ #define WCN3990_HW_1_0_FW_DIR ATH10K_FW_DIR "/WCN3990/hw1.0"
++#define WCN3990_HW_1_0_BOARD_DATA_FILE "board.bin"
+
+ #define ATH10K_FW_FILE_BASE "firmware"
+ #define ATH10K_FW_API_MAX 6
+diff --git a/drivers/net/wireless/ath/ath10k/targaddrs.h b/drivers/net/wireless/ath/ath10k/targaddrs.h
+index ec556bb88d658..ba37e6c7ced08 100644
+--- a/drivers/net/wireless/ath/ath10k/targaddrs.h
++++ b/drivers/net/wireless/ath/ath10k/targaddrs.h
+@@ -491,4 +491,7 @@ struct host_interest {
+ #define QCA4019_BOARD_DATA_SZ 12064
+ #define QCA4019_BOARD_EXT_DATA_SZ 0
+
++#define WCN3990_BOARD_DATA_SZ 26328
++#define WCN3990_BOARD_EXT_DATA_SZ 0
++
+ #endif /* __TARGADDRS_H__ */
+--
+2.43.0
+
--- /dev/null
+From 831815c32a31acb236df66b38fb63c8791cbab68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 11:33:55 -0700
+Subject: wifi: carl9170: add a proper sanity check for endpoints
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0 ]
+
+Syzkaller reports [1] hitting a warning which is caused by presence
+of a wrong endpoint type at the URB sumbitting stage. While there
+was a check for a specific 4th endpoint, since it can switch types
+between bulk and interrupt, other endpoints are trusted implicitly.
+Similar warning is triggered in a couple of other syzbot issues [2].
+
+Fix the issue by doing a comprehensive check of all endpoints
+taking into account difference between high- and full-speed
+configuration.
+
+[1] Syzkaller report:
+...
+WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
+...
+Call Trace:
+ <TASK>
+ carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504
+ carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]
+ carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]
+ carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028
+ request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107
+ process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x669/0x1090 kernel/workqueue.c:2436
+ kthread+0x2e8/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+ </TASK>
+
+[2] Related syzkaller crashes:
+Link: https://syzkaller.appspot.com/bug?extid=e394db78ae0b0032cb4d
+Link: https://syzkaller.appspot.com/bug?extid=9468df99cb63a4a4c4e1
+
+Reported-and-tested-by: syzbot+0ae4804973be759fa420@syzkaller.appspotmail.com
+Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Acked-By: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240422183355.3785-1-n.zhandarovich@fintech.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/carl9170/usb.c | 32 +++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c
+index e4eb666c6eea4..a5265997b5767 100644
+--- a/drivers/net/wireless/ath/carl9170/usb.c
++++ b/drivers/net/wireless/ath/carl9170/usb.c
+@@ -1069,6 +1069,38 @@ static int carl9170_usb_probe(struct usb_interface *intf,
+ ar->usb_ep_cmd_is_bulk = true;
+ }
+
++ /* Verify that all expected endpoints are present */
++ if (ar->usb_ep_cmd_is_bulk) {
++ u8 bulk_ep_addr[] = {
++ AR9170_USB_EP_RX | USB_DIR_IN,
++ AR9170_USB_EP_TX | USB_DIR_OUT,
++ AR9170_USB_EP_CMD | USB_DIR_OUT,
++ 0};
++ u8 int_ep_addr[] = {
++ AR9170_USB_EP_IRQ | USB_DIR_IN,
++ 0};
++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) ||
++ !usb_check_int_endpoints(intf, int_ep_addr))
++ err = -ENODEV;
++ } else {
++ u8 bulk_ep_addr[] = {
++ AR9170_USB_EP_RX | USB_DIR_IN,
++ AR9170_USB_EP_TX | USB_DIR_OUT,
++ 0};
++ u8 int_ep_addr[] = {
++ AR9170_USB_EP_IRQ | USB_DIR_IN,
++ AR9170_USB_EP_CMD | USB_DIR_OUT,
++ 0};
++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) ||
++ !usb_check_int_endpoints(intf, int_ep_addr))
++ err = -ENODEV;
++ }
++
++ if (err) {
++ carl9170_free(ar);
++ return err;
++ }
++
+ usb_set_intfdata(intf, ar);
+ SET_IEEE80211_DEV(ar->hw, &intf->dev);
+
+--
+2.43.0
+
--- /dev/null
+From d8ae8137a60dd780360895af04051449a09c067b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Apr 2024 18:24:30 +0300
+Subject: wifi: cfg80211: fix the order of arguments for trace events of the
+ tx_rx_evt class
+
+From: Igor Artemiev <Igor.A.Artemiev@mcst.ru>
+
+[ Upstream commit 9ef369973cd2c97cce3388d2c0c7e3c056656e8a ]
+
+The declarations of the tx_rx_evt class and the rdev_set_antenna event
+use the wrong order of arguments in the TP_ARGS macro.
+
+Fix the order of arguments in the TP_ARGS macro.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Igor Artemiev <Igor.A.Artemiev@mcst.ru>
+Link: https://msgid.link/20240405152431.270267-1-Igor.A.Artemiev@mcst.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/trace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/trace.h b/net/wireless/trace.h
+index edc824c103e83..06e81d1efc921 100644
+--- a/net/wireless/trace.h
++++ b/net/wireless/trace.h
+@@ -1660,7 +1660,7 @@ TRACE_EVENT(rdev_return_void_tx_rx,
+
+ DECLARE_EVENT_CLASS(tx_rx_evt,
+ TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx),
+- TP_ARGS(wiphy, rx, tx),
++ TP_ARGS(wiphy, tx, rx),
+ TP_STRUCT__entry(
+ WIPHY_ENTRY
+ __field(u32, tx)
+@@ -1677,7 +1677,7 @@ DECLARE_EVENT_CLASS(tx_rx_evt,
+
+ DEFINE_EVENT(tx_rx_evt, rdev_set_antenna,
+ TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx),
+- TP_ARGS(wiphy, rx, tx)
++ TP_ARGS(wiphy, tx, rx)
+ );
+
+ DECLARE_EVENT_CLASS(wiphy_netdev_id_evt,
+--
+2.43.0
+
--- /dev/null
+From 94815cacdab3805616ce0baf4147b5093e55efa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 May 2024 14:38:15 +0300
+Subject: wifi: mwl8k: initialize cmd->addr[] properly
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 1d60eabb82694e58543e2b6366dae3e7465892a5 ]
+
+This loop is supposed to copy the mac address to cmd->addr but the
+i++ increment is missing so it copies everything to cmd->addr[0] and
+only the last address is recorded.
+
+Fixes: 22bedad3ce11 ("net: convert multicast list to list_head")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/b788be9a-15f5-4cca-a3fe-79df4c8ce7b2@moroto.mountain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index dc91ac8cbd48b..dd72e9f8b4079 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -2714,7 +2714,7 @@ __mwl8k_cmd_mac_multicast_adr(struct ieee80211_hw *hw, int allmulti,
+ cmd->action |= cpu_to_le16(MWL8K_ENABLE_RX_MULTICAST);
+ cmd->numaddr = cpu_to_le16(mc_count);
+ netdev_hw_addr_list_for_each(ha, mc_list) {
+- memcpy(cmd->addr[i], ha->addr, ETH_ALEN);
++ memcpy(cmd->addr[i++], ha->addr, ETH_ALEN);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 668363113b5b5d9c64d2b97f3665472dca18e195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Mar 2024 23:05:47 +0800
+Subject: x86/boot: Ignore relocations in .notes sections in walk_relocs() too
+
+From: Guixiong Wei <weiguixiong@bytedance.com>
+
+[ Upstream commit 76e9762d66373354b45c33b60e9a53ef2a3c5ff2 ]
+
+Commit:
+
+ aaa8736370db ("x86, relocs: Ignore relocations in .notes section")
+
+... only started ignoring the .notes sections in print_absolute_relocs(),
+but the same logic should also by applied in walk_relocs() to avoid
+such relocations.
+
+[ mingo: Fixed various typos in the changelog, removed extra curly braces from the code. ]
+
+Fixes: aaa8736370db ("x86, relocs: Ignore relocations in .notes section")
+Fixes: 5ead97c84fa7 ("xen: Core Xen implementation")
+Fixes: da1a679cde9b ("Add /sys/kernel/notes")
+Signed-off-by: Guixiong Wei <weiguixiong@bytedance.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20240317150547.24910-1-weiguixiong@bytedance.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/tools/relocs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
+index 0043fd374a62f..f9ec998b7e946 100644
+--- a/arch/x86/tools/relocs.c
++++ b/arch/x86/tools/relocs.c
+@@ -689,6 +689,15 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel,
+ if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) {
+ continue;
+ }
++
++ /*
++ * Do not perform relocations in .notes sections; any
++ * values there are meant for pre-boot consumption (e.g.
++ * startup_xen).
++ */
++ if (sec_applies->shdr.sh_type == SHT_NOTE)
++ continue;
++
+ sh_symtab = sec_symtab->symtab;
+ sym_strtab = sec_symtab->link->strtab;
+ for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) {
+--
+2.43.0
+
--- /dev/null
+From 6ffec4e1dd6f1fb9be3631f46247c8cdd2d44cc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 May 2024 13:58:45 +0300
+Subject: x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 59162e0c11d7257cde15f907d19fefe26da66692 ]
+
+The x86 instruction decoder is used not only for decoding kernel
+instructions. It is also used by perf uprobes (user space probes) and by
+perf tools Intel Processor Trace decoding. Consequently, it needs to
+support instructions executed by user space also.
+
+Opcode 0x68 PUSH instruction is currently defined as 64-bit operand size
+only i.e. (d64). That was based on Intel SDM Opcode Map. However that is
+contradicted by the Instruction Set Reference section for PUSH in the
+same manual.
+
+Remove 64-bit operand size only annotation from opcode 0x68 PUSH
+instruction.
+
+Example:
+
+ $ cat pushw.s
+ .global _start
+ .text
+ _start:
+ pushw $0x1234
+ mov $0x1,%eax # system call number (sys_exit)
+ int $0x80
+ $ as -o pushw.o pushw.s
+ $ ld -s -o pushw pushw.o
+ $ objdump -d pushw | tail -4
+ 0000000000401000 <.text>:
+ 401000: 66 68 34 12 pushw $0x1234
+ 401004: b8 01 00 00 00 mov $0x1,%eax
+ 401009: cd 80 int $0x80
+ $ perf record -e intel_pt//u ./pushw
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.014 MB perf.data ]
+
+ Before:
+
+ $ perf script --insn-trace=disasm
+ Warning:
+ 1 instruction trace errors
+ pushw 10349 [000] 10586.869237014: 401000 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) pushw $0x1234
+ pushw 10349 [000] 10586.869237014: 401006 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %al, (%rax)
+ pushw 10349 [000] 10586.869237014: 401008 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %cl, %ch
+ pushw 10349 [000] 10586.869237014: 40100a [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb $0x2e, (%rax)
+ instruction trace error type 1 time 10586.869237224 cpu 0 pid 10349 tid 10349 ip 0x40100d code 6: Trace doesn't match instruction
+
+ After:
+
+ $ perf script --insn-trace=disasm
+ pushw 10349 [000] 10586.869237014: 401000 [unknown] (./pushw) pushw $0x1234
+ pushw 10349 [000] 10586.869237014: 401004 [unknown] (./pushw) movl $1, %eax
+
+Fixes: eb13296cfaf6 ("x86: Instruction decoder API")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20240502105853.5338-3-adrian.hunter@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/lib/x86-opcode-map.txt | 2 +-
+ tools/arch/x86/lib/x86-opcode-map.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt
+index ec31f5b60323d..1c25c1072a84d 100644
+--- a/arch/x86/lib/x86-opcode-map.txt
++++ b/arch/x86/lib/x86-opcode-map.txt
+@@ -148,7 +148,7 @@ AVXcode:
+ 65: SEG=GS (Prefix)
+ 66: Operand-Size (Prefix)
+ 67: Address-Size (Prefix)
+-68: PUSH Iz (d64)
++68: PUSH Iz
+ 69: IMUL Gv,Ev,Iz
+ 6a: PUSH Ib (d64)
+ 6b: IMUL Gv,Ev,Ib
+diff --git a/tools/arch/x86/lib/x86-opcode-map.txt b/tools/arch/x86/lib/x86-opcode-map.txt
+index ec31f5b60323d..1c25c1072a84d 100644
+--- a/tools/arch/x86/lib/x86-opcode-map.txt
++++ b/tools/arch/x86/lib/x86-opcode-map.txt
+@@ -148,7 +148,7 @@ AVXcode:
+ 65: SEG=GS (Prefix)
+ 66: Operand-Size (Prefix)
+ 67: Address-Size (Prefix)
+-68: PUSH Iz (d64)
++68: PUSH Iz
+ 69: IMUL Gv,Ev,Iz
+ 6a: PUSH Ib (d64)
+ 6b: IMUL Gv,Ev,Ib
+--
+2.43.0
+
--- /dev/null
+From 8e8bdf08095426774959f4103ad49bbd93a00b2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Apr 2024 22:17:06 +0200
+Subject: x86/purgatory: Switch to the position-independent small code model
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit cba786af84a0f9716204e09f518ce3b7ada8555e ]
+
+On x86, the ordinary, position dependent small and kernel code models
+only support placement of the executable in 32-bit addressable memory,
+due to the use of 32-bit signed immediates to generate references to
+global variables. For the kernel, this implies that all global variables
+must reside in the top 2 GiB of the kernel virtual address space, where
+the implicit address bits 63:32 are equal to sign bit 31.
+
+This means the kernel code model is not suitable for other bare metal
+executables such as the kexec purgatory, which can be placed arbitrarily
+in the physical address space, where its address may no longer be
+representable as a sign extended 32-bit quantity. For this reason,
+commit
+
+ e16c2983fba0 ("x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors")
+
+switched to the large code model, which uses 64-bit immediates for all
+symbol references, including function calls, in order to avoid relying
+on any assumptions regarding proximity of symbols in the final
+executable.
+
+The large code model is rarely used, clunky and the least likely to
+operate in a similar fashion when comparing GCC and Clang, so it is best
+avoided. This is especially true now that Clang 18 has started to emit
+executable code in two separate sections (.text and .ltext), which
+triggers an issue in the kexec loading code at runtime.
+
+The SUSE bugzilla fixes tag points to gcc 13 having issues with the
+large model too and that perhaps the large model should simply not be
+used at all.
+
+Instead, use the position independent small code model, which makes no
+assumptions about placement but only about proximity, where all
+referenced symbols must be within -/+ 2 GiB, i.e., in range for a
+RIP-relative reference. Use hidden visibility to suppress the use of a
+GOT, which carries absolute addresses that are not covered by static ELF
+relocations, and is therefore incompatible with the kexec loader's
+relocation logic.
+
+ [ bp: Massage commit message. ]
+
+Fixes: e16c2983fba0 ("x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors")
+Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1211853
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2016
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Fangrui Song <maskray@google.com>
+Acked-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/all/20240417-x86-fix-kexec-with-llvm-18-v1-0-5383121e8fb7@kernel.org/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/purgatory/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile
+index dc0b91c1db04b..7c7bfdf0d0c0f 100644
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -37,7 +37,8 @@ KCOV_INSTRUMENT := n
+ # make up the standalone purgatory.ro
+
+ PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel
+-PURGATORY_CFLAGS := -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss -g0
++PURGATORY_CFLAGS := -mcmodel=small -ffreestanding -fno-zero-initialized-in-bss -g0
++PURGATORY_CFLAGS += -fpic -fvisibility=hidden
+ PURGATORY_CFLAGS += $(DISABLE_STACKLEAK_PLUGIN) -DDISABLE_BRANCH_PROFILING
+ PURGATORY_CFLAGS += -fno-stack-protector
+
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
