--- /dev/null
+From e48ae43693642be400887df75c9802143019950a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 01:41:58 +0100
+Subject: ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit e18afcb7b2a12b635ac10081f943fcf84ddacc51 ]
+
+After unregistering the CPU idle device, the memory associated with
+it is not freed, leading to a memory leak:
+
+unreferenced object 0xffff896282f6c000 (size 1024):
+ comm "swapper/0", pid 1, jiffies 4294893170
+ hex dump (first 32 bytes):
+ 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 8836a742):
+ [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340
+ [<ffffffff9972f3b3>] acpi_processor_power_init+0xf3/0x1c0
+ [<ffffffff9972d263>] __acpi_processor_start+0xd3/0xf0
+ [<ffffffff9972d2bc>] acpi_processor_start+0x2c/0x50
+ [<ffffffff99805872>] really_probe+0xe2/0x480
+ [<ffffffff99805c98>] __driver_probe_device+0x78/0x160
+ [<ffffffff99805daf>] driver_probe_device+0x1f/0x90
+ [<ffffffff9980601e>] __driver_attach+0xce/0x1c0
+ [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0
+ [<ffffffff99804822>] bus_add_driver+0x112/0x210
+ [<ffffffff99807245>] driver_register+0x55/0x100
+ [<ffffffff9aee4acb>] acpi_processor_driver_init+0x3b/0xc0
+ [<ffffffff990012d1>] do_one_initcall+0x41/0x300
+ [<ffffffff9ae7c4b0>] kernel_init_freeable+0x320/0x470
+ [<ffffffff99b231f6>] kernel_init+0x16/0x1b0
+ [<ffffffff99042e6d>] ret_from_fork+0x2d/0x50
+
+Fix this by freeing the CPU idle device after unregistering it.
+
+Fixes: 3d339dcbb56d ("cpuidle / ACPI : move cpuidle_device field out of the acpi_processor_power structure")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/processor_idle.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
+index 59781e765e0e2..3deeabb273940 100644
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -1427,6 +1427,8 @@ int acpi_processor_power_exit(struct acpi_processor *pr)
+ acpi_processor_registered--;
+ if (acpi_processor_registered == 0)
+ cpuidle_unregister_driver(&acpi_idle_driver);
++
++ kfree(dev);
+ }
+
+ pr->flags.power_setup_done = 0;
+--
+2.43.0
+
--- /dev/null
+From 7fb7ad326007a12c2906d78ef78760837c66ddf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 17:35:27 +0100
+Subject: ACPI: scan: Fix device check notification handling
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 793551c965116d9dfaf0550dacae1396a20efa69 ]
+
+It is generally invalid to fail a Device Check notification if the scan
+handler has not been attached to the given device after a bus rescan,
+because there may be valid reasons for the scan handler to refuse
+attaching to the device (for example, the device is not ready).
+
+For this reason, modify acpi_scan_device_check() to return 0 in that
+case without printing a warning.
+
+While at it, reduce the log level of the "already enumerated" message
+in the same function, because it is only interesting when debugging
+notification handling
+
+Fixes: 443fc8202272 ("ACPI / hotplug: Rework generic code to handle suprise removals")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/scan.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index 67a5ee2fedfd3..f17f48bc13bc0 100644
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -321,18 +321,14 @@ static int acpi_scan_device_check(struct acpi_device *adev)
+ * again).
+ */
+ if (adev->handler) {
+- dev_warn(&adev->dev, "Already enumerated\n");
+- return -EALREADY;
++ dev_dbg(&adev->dev, "Already enumerated\n");
++ return 0;
+ }
+ error = acpi_bus_scan(adev->handle);
+ if (error) {
+ dev_warn(&adev->dev, "Namespace scan failure\n");
+ return error;
+ }
+- if (!adev->handler) {
+- dev_warn(&adev->dev, "Enumeration failure\n");
+- error = -ENODEV;
+- }
+ } else {
+ error = acpi_scan_device_not_present(adev);
+ }
+--
+2.43.0
+
--- /dev/null
+From 7ab34d8988c8085a8b98a9a6fca9515a071ca126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jan 2024 09:08:52 -0800
+Subject: af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 31e03207119a535d0b0e3b3a7f91983aeb2cb14d ]
+
+gc_in_progress is changed under spin_lock(&unix_gc_lock),
+but wait_for_unix_gc() reads it locklessly.
+
+Let's use READ_ONCE().
+
+Fixes: 5f23b734963e ("net: Fix soft lockups/OOM issues w/ unix garbage collector")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20240123170856.41348-2-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/garbage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index dc27635403932..9121a4d5436d5 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -198,7 +198,7 @@ void wait_for_unix_gc(void)
+ if (READ_ONCE(unix_tot_inflight) > UNIX_INFLIGHT_TRIGGER_GC &&
+ !READ_ONCE(gc_in_progress))
+ unix_gc();
+- wait_event(unix_gc_wait, gc_in_progress == false);
++ wait_event(unix_gc_wait, !READ_ONCE(gc_in_progress));
+ }
+
+ /* The external entry point: unix_gc() */
+--
+2.43.0
+
--- /dev/null
+From 877f2899f35dd7e21f14ebe114078a4106c3f6c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 11:08:41 +0000
+Subject: afs: Revert "afs: Hide silly-rename files from userspace"
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 0aec3847d044273733285dcff90afda89ad461d2 ]
+
+This reverts commit 57e9d49c54528c49b8bffe6d99d782ea051ea534.
+
+This undoes the hiding of .__afsXXXX silly-rename files. The problem with
+hiding them is that rm can't then manually delete them.
+
+This also reverts commit 5f7a07646655fb4108da527565dcdc80124b14c4 ("afs: Fix
+endless loop in directory parsing") as that's a bugfix for the above.
+
+Fixes: 57e9d49c5452 ("afs: Hide silly-rename files from userspace")
+Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
+Link: https://lists.infradead.org/pipermail/linux-afs/2024-February/008102.html
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/3085695.1710328121@warthog.procyon.org.uk
+Reviewed-by: Jeffrey E Altman <jaltman@auristor.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dir.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/fs/afs/dir.c b/fs/afs/dir.c
+index 88f0e719c6ac0..a59d6293a32b2 100644
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -418,16 +418,6 @@ static int afs_dir_iterate_block(struct afs_vnode *dvnode,
+ continue;
+ }
+
+- /* Don't expose silly rename entries to userspace. */
+- if (nlen > 6 &&
+- dire->u.name[0] == '.' &&
+- ctx->actor != afs_lookup_filldir &&
+- ctx->actor != afs_lookup_one_filldir &&
+- memcmp(dire->u.name, ".__afs", 6) == 0) {
+- ctx->pos = blkoff + next * sizeof(union afs_xdr_dirent);
+- continue;
+- }
+-
+ /* found the next entry */
+ if (!dir_emit(ctx, dire->u.name, nlen,
+ ntohl(dire->u.vnode),
+--
+2.43.0
+
--- /dev/null
+From 798cdcd86d8bef61daa89e980540d78de703b59e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Mar 2024 20:58:44 +0700
+Subject: ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops
+
+From: Athaariq Ardhiansyah <foss@athaariq.my.id>
+
+[ Upstream commit c062166995c9e57d5cd508b332898f79da319802 ]
+
+Realtek codec on HP Envy laptop series are heavily modified by vendor.
+Therefore, need intervention to make it work properly. The patch fixes:
+
+- B&O soundbar speakers (between lid and keyboard) activation
+- Enable LED on mute button
+- Add missing process coefficient which affects the output amplifier
+- Volume control synchronization between B&O soundbar and side speakers
+- Unmute headset output on several HP Envy models
+- Auto-enable headset mic when plugged
+
+This patch was tested on HP Envy x360 13-AR0107AU with Realtek ALC285
+
+The only unsolved problem is output amplifier of all built-in speakers
+is too weak, which causes volume of built-in speakers cannot be loud
+as vendor's proprietary driver due to missing _DSD parameter in the
+firmware. The solution is currently on research. Expected to has another
+patch in the future.
+
+Potential fix to related issues, need test before close those issues:
+
+- https://bugzilla.kernel.org/show_bug.cgi?id=189331
+- https://bugzilla.kernel.org/show_bug.cgi?id=216632
+- https://bugzilla.kernel.org/show_bug.cgi?id=216311
+- https://bugzilla.kernel.org/show_bug.cgi?id=213507
+
+Signed-off-by: Athaariq Ardhiansyah <foss@athaariq.my.id>
+Message-ID: <20240310140249.3695-1-foss@athaariq.my.id>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 63 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 63 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 233449d982370..038837481c27c 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6612,6 +6612,60 @@ static void alc285_fixup_hp_spectre_x360(struct hda_codec *codec,
+ }
+ }
+
++static void alc285_fixup_hp_envy_x360(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ static const struct coef_fw coefs[] = {
++ WRITE_COEF(0x08, 0x6a0c), WRITE_COEF(0x0d, 0xa023),
++ WRITE_COEF(0x10, 0x0320), WRITE_COEF(0x1a, 0x8c03),
++ WRITE_COEF(0x25, 0x1800), WRITE_COEF(0x26, 0x003a),
++ WRITE_COEF(0x28, 0x1dfe), WRITE_COEF(0x29, 0xb014),
++ WRITE_COEF(0x2b, 0x1dfe), WRITE_COEF(0x37, 0xfe15),
++ WRITE_COEF(0x38, 0x7909), WRITE_COEF(0x45, 0xd489),
++ WRITE_COEF(0x46, 0x00f4), WRITE_COEF(0x4a, 0x21e0),
++ WRITE_COEF(0x66, 0x03f0), WRITE_COEF(0x67, 0x1000),
++ WRITE_COEF(0x6e, 0x1005), { }
++ };
++
++ static const struct hda_pintbl pincfgs[] = {
++ { 0x12, 0xb7a60130 }, /* Internal microphone*/
++ { 0x14, 0x90170150 }, /* B&O soundbar speakers */
++ { 0x17, 0x90170153 }, /* Side speakers */
++ { 0x19, 0x03a11040 }, /* Headset microphone */
++ { }
++ };
++
++ switch (action) {
++ case HDA_FIXUP_ACT_PRE_PROBE:
++ snd_hda_apply_pincfgs(codec, pincfgs);
++
++ /* Fixes volume control problem for side speakers */
++ alc295_fixup_disable_dac3(codec, fix, action);
++
++ /* Fixes no sound from headset speaker */
++ snd_hda_codec_amp_stereo(codec, 0x21, HDA_OUTPUT, 0, -1, 0);
++
++ /* Auto-enable headset mic when plugged */
++ snd_hda_jack_set_gating_jack(codec, 0x19, 0x21);
++
++ /* Headset mic volume enhancement */
++ snd_hda_codec_set_pin_target(codec, 0x19, PIN_VREF50);
++ break;
++ case HDA_FIXUP_ACT_INIT:
++ alc_process_coef_fw(codec, coefs);
++ break;
++ case HDA_FIXUP_ACT_BUILD:
++ rename_ctl(codec, "Bass Speaker Playback Volume",
++ "B&O-Tuned Playback Volume");
++ rename_ctl(codec, "Front Playback Switch",
++ "B&O Soundbar Playback Switch");
++ rename_ctl(codec, "Bass Speaker Playback Switch",
++ "Side Speaker Playback Switch");
++ break;
++ }
++}
++
+ /* for hda_fixup_thinkpad_acpi() */
+ #include "thinkpad_helper.c"
+
+@@ -6819,6 +6873,7 @@ enum {
+ ALC280_FIXUP_HP_9480M,
+ ALC245_FIXUP_HP_X360_AMP,
+ ALC285_FIXUP_HP_SPECTRE_X360_EB1,
++ ALC285_FIXUP_HP_ENVY_X360,
+ ALC288_FIXUP_DELL_HEADSET_MODE,
+ ALC288_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC288_FIXUP_DELL_XPS_13,
+@@ -8614,6 +8669,12 @@ static const struct hda_fixup alc269_fixups[] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc285_fixup_hp_spectre_x360_eb1
+ },
++ [ALC285_FIXUP_HP_ENVY_X360] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc285_fixup_hp_envy_x360,
++ .chained = true,
++ .chain_id = ALC285_FIXUP_HP_GPIO_AMP_INIT,
++ },
+ [ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc285_fixup_ideapad_s740_coef,
+@@ -9001,6 +9062,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
+ SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360),
+ SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+@@ -9517,6 +9579,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
+ {.id = ALC295_FIXUP_HP_OMEN, .name = "alc295-hp-omen"},
+ {.id = ALC285_FIXUP_HP_SPECTRE_X360, .name = "alc285-hp-spectre-x360"},
+ {.id = ALC285_FIXUP_HP_SPECTRE_X360_EB1, .name = "alc285-hp-spectre-x360-eb1"},
++ {.id = ALC285_FIXUP_HP_ENVY_X360, .name = "alc285-hp-envy-x360"},
+ {.id = ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP, .name = "alc287-ideapad-bass-spk-amp"},
+ {.id = ALC623_FIXUP_LENOVO_THINKSTATION_P340, .name = "alc623-lenovo-thinkstation-p340"},
+ {.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"},
+--
+2.43.0
+
--- /dev/null
+From 44f0259e04910d1292749eea851dc2a18b908c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 14:53:43 +0100
+Subject: ALSA: seq: fix function cast warnings
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit d7bf73809849463f76de42aad62c850305dd6c5d ]
+
+clang-16 points out a control flow integrity (kcfi) issue when event
+callbacks get converted to incompatible types:
+
+sound/core/seq/seq_midi.c:135:30: error: cast from 'int (*)(struct snd_rawmidi_substream *, const char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 135 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+sound/core/seq/seq_virmidi.c:83:31: error: cast from 'int (*)(struct snd_rawmidi_substream *, const unsigned char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 83 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For addressing those errors, introduce wrapper functions that are used
+for callbacks and bridge to the actual function call with pointer
+cast.
+
+The code was originally added with the initial ALSA merge in linux-2.5.4.
+
+[ the patch description shamelessly copied from Arnd's original patch
+ -- tiwai ]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240213101020.459183-1-arnd@kernel.org
+Link: https://lore.kernel.org/r/20240213135343.16411-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_midi.c | 8 +++++++-
+ sound/core/seq/seq_virmidi.c | 9 ++++++++-
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_midi.c b/sound/core/seq/seq_midi.c
+index 6825940ea2cf8..a741d1ae6639a 100644
+--- a/sound/core/seq/seq_midi.c
++++ b/sound/core/seq/seq_midi.c
+@@ -111,6 +111,12 @@ static int dump_midi(struct snd_rawmidi_substream *substream, const char *buf, i
+ return 0;
+ }
+
++/* callback for snd_seq_dump_var_event(), bridging to dump_midi() */
++static int __dump_midi(void *ptr, void *buf, int count)
++{
++ return dump_midi(ptr, buf, count);
++}
++
+ static int event_process_midi(struct snd_seq_event *ev, int direct,
+ void *private_data, int atomic, int hop)
+ {
+@@ -130,7 +136,7 @@ static int event_process_midi(struct snd_seq_event *ev, int direct,
+ pr_debug("ALSA: seq_midi: invalid sysex event flags = 0x%x\n", ev->flags);
+ return 0;
+ }
+- snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream);
++ snd_seq_dump_var_event(ev, __dump_midi, substream);
+ snd_midi_event_reset_decode(msynth->parser);
+ } else {
+ if (msynth->parser == NULL)
+diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c
+index 77d7037d1476f..82396b8c885a5 100644
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -62,6 +62,13 @@ static void snd_virmidi_init_event(struct snd_virmidi *vmidi,
+ /*
+ * decode input event and put to read buffer of each opened file
+ */
++
++/* callback for snd_seq_dump_var_event(), bridging to snd_rawmidi_receive() */
++static int dump_to_rawmidi(void *ptr, void *buf, int count)
++{
++ return snd_rawmidi_receive(ptr, buf, count);
++}
++
+ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev,
+ struct snd_seq_event *ev,
+ bool atomic)
+@@ -80,7 +87,7 @@ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev,
+ if (ev->type == SNDRV_SEQ_EVENT_SYSEX) {
+ if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE)
+ continue;
+- snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream);
++ snd_seq_dump_var_event(ev, dump_to_rawmidi, vmidi->substream);
+ snd_midi_event_reset_decode(vmidi->parser);
+ } else {
+ len = snd_midi_event_decode(vmidi->parser, msg, sizeof(msg), ev);
+--
+2.43.0
+
--- /dev/null
+From 1ce8790a429c40e792a4f6280bb5540492022773 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 09:15:09 +0100
+Subject: ALSA: usb-audio: Stop parsing channels bits when all channels are
+ found.
+
+From: Johan Carlsson <johan.carlsson@teenage.engineering>
+
+[ Upstream commit a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7 ]
+
+If a usb audio device sets more bits than the amount of channels
+it could write outside of the map array.
+
+Signed-off-by: Johan Carlsson <johan.carlsson@teenage.engineering>
+Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support")
+Message-ID: <20240313081509.9801-1-johan.carlsson@teenage.engineering>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/stream.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/stream.c b/sound/usb/stream.c
+index c4f4585f9b851..f51e901a9689e 100644
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -301,9 +301,12 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits,
+ c = 0;
+
+ if (bits) {
+- for (; bits && *maps; maps++, bits >>= 1)
++ for (; bits && *maps; maps++, bits >>= 1) {
+ if (bits & 1)
+ chmap->map[c++] = *maps;
++ if (c == chmap->channels)
++ break;
++ }
+ } else {
+ /* If we're missing wChannelConfig, then guess something
+ to make sure the channel map is not skipped entirely */
+--
+2.43.0
+
--- /dev/null
+From 123d3ee286b386f3d82352ce6bd1286aa4cd8c4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 16:20:48 +0800
+Subject: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
+
+From: Chun-Yi Lee <jlee@suse.com>
+
+[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ]
+
+This patch is against CVE-2023-6270. The description of cve is:
+
+ A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
+ kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
+ `struct net_device`, and a use-after-free can be triggered by racing
+ between the free on the struct and the access through the `skbtxq`
+ global queue. This could lead to a denial of service condition or
+ potential code execution.
+
+In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
+code is finished. But the net_device ifp will still be used in
+later tx()->dev_queue_xmit() in kthread. Which means that the
+dev_put(ifp) should NOT be called in the success path of skb
+initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
+use-after-free because the net_device is freed.
+
+This patch removed the dev_put(ifp) in the success path in
+aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
+
+Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
+Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)")
+Signed-off-by: Chun-Yi Lee <jlee@suse.com>
+Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/aoe/aoecmd.c | 12 ++++++------
+ drivers/block/aoe/aoenet.c | 1 +
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
+index 313f0b946fe2b..c805909c8e775 100644
+--- a/drivers/block/aoe/aoecmd.c
++++ b/drivers/block/aoe/aoecmd.c
+@@ -420,13 +420,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
+ rcu_read_lock();
+ for_each_netdev_rcu(&init_net, ifp) {
+ dev_hold(ifp);
+- if (!is_aoe_netif(ifp))
+- goto cont;
++ if (!is_aoe_netif(ifp)) {
++ dev_put(ifp);
++ continue;
++ }
+
+ skb = new_skb(sizeof *h + sizeof *ch);
+ if (skb == NULL) {
+ printk(KERN_INFO "aoe: skb alloc failure\n");
+- goto cont;
++ dev_put(ifp);
++ continue;
+ }
+ skb_put(skb, sizeof *h + sizeof *ch);
+ skb->dev = ifp;
+@@ -441,9 +444,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
+ h->major = cpu_to_be16(aoemajor);
+ h->minor = aoeminor;
+ h->cmd = AOECMD_CFG;
+-
+-cont:
+- dev_put(ifp);
+ }
+ rcu_read_unlock();
+ }
+diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c
+index 63773a90581dd..1e66c7a188a12 100644
+--- a/drivers/block/aoe/aoenet.c
++++ b/drivers/block/aoe/aoenet.c
+@@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock)
+ pr_warn("aoe: packet could not be sent on %s. %s\n",
+ ifp ? ifp->name : "netif",
+ "consider increasing tx_queue_len");
++ dev_put(ifp);
+ spin_lock_irq(&txlock);
+ }
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 33f2ce1065b52243bda6f434c6ae14f1dad18067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 13:28:20 +0100
+Subject: arch/powerpc: Remove <linux/fb.h> from backlight code
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 838f865802b9f26135ea7df4e30f89ac2f50c23e ]
+
+Replace <linux/fb.h> with a forward declaration in <asm/backlight.h> to
+resolve an unnecessary dependency. Remove pmac_backlight_curve_lookup()
+and struct fb_info from source and header files. The function and the
+framebuffer struct are unused. No functional changes.
+
+v3:
+ * Add Fixes tag (Christophe)
+ * fix typos in commit message (Jani)
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: d565dd3b0824 ("[PATCH] powerpc: More via-pmu backlight fixes")
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au> # (powerpc)
+Link: https://patchwork.freedesktop.org/patch/msgid/20240306122935.10626-4-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/backlight.h | 5 ++--
+ arch/powerpc/platforms/powermac/backlight.c | 26 ---------------------
+ 2 files changed, 2 insertions(+), 29 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/backlight.h b/arch/powerpc/include/asm/backlight.h
+index 1b5eab62ed047..061a910d74929 100644
+--- a/arch/powerpc/include/asm/backlight.h
++++ b/arch/powerpc/include/asm/backlight.h
+@@ -10,15 +10,14 @@
+ #define __ASM_POWERPC_BACKLIGHT_H
+ #ifdef __KERNEL__
+
+-#include <linux/fb.h>
+ #include <linux/mutex.h>
+
++struct backlight_device;
++
+ /* For locking instructions, see the implementation file */
+ extern struct backlight_device *pmac_backlight;
+ extern struct mutex pmac_backlight_mutex;
+
+-extern int pmac_backlight_curve_lookup(struct fb_info *info, int value);
+-
+ extern int pmac_has_backlight_type(const char *type);
+
+ extern void pmac_backlight_key(int direction);
+diff --git a/arch/powerpc/platforms/powermac/backlight.c b/arch/powerpc/platforms/powermac/backlight.c
+index 32224cb489d75..eab339d2059d5 100644
+--- a/arch/powerpc/platforms/powermac/backlight.c
++++ b/arch/powerpc/platforms/powermac/backlight.c
+@@ -9,7 +9,6 @@
+ */
+
+ #include <linux/kernel.h>
+-#include <linux/fb.h>
+ #include <linux/backlight.h>
+ #include <linux/adb.h>
+ #include <linux/pmu.h>
+@@ -73,31 +72,6 @@ int pmac_has_backlight_type(const char *type)
+ return 0;
+ }
+
+-int pmac_backlight_curve_lookup(struct fb_info *info, int value)
+-{
+- int level = (FB_BACKLIGHT_LEVELS - 1);
+-
+- if (info && info->bl_dev) {
+- int i, max = 0;
+-
+- /* Look for biggest value */
+- for (i = 0; i < FB_BACKLIGHT_LEVELS; i++)
+- max = max((int)info->bl_curve[i], max);
+-
+- /* Look for nearest value */
+- for (i = 0; i < FB_BACKLIGHT_LEVELS; i++) {
+- int diff = abs(info->bl_curve[i] - value);
+- if (diff < max) {
+- max = diff;
+- level = i;
+- }
+- }
+-
+- }
+-
+- return level;
+-}
+-
+ static void pmac_backlight_key_worker(struct work_struct *work)
+ {
+ if (atomic_read(&kernel_backlight_disabled))
+--
+2.43.0
+
--- /dev/null
+From 998b8a4ecf4d1e82ee07cc90be6393696222938c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 17:03:04 +0200
+Subject: ARM: dts: arm: realview: Fix development chip ROM compatible value
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 3baa4c5143d65ebab2de0d99a395e5f4f1f46608 ]
+
+When the development chip ROM was added, the "direct-mapped" compatible
+value was already obsolete. In addition, the device node lacked the
+accompanying "probe-type" property, causing the old physmap_of_core
+driver to fall back to trying all available probe types.
+Unfortunately this fallback was lost when the DT and pdata cases were
+merged.
+
+Fix this by using the modern "mtd-rom" compatible value instead.
+
+Fixes: 5c3f5edbe0a1dff3 ("ARM: realview: add flash devices to the PB1176 DTS")
+Fixes: 642b1e8dbed7bbbf ("mtd: maps: Merge physmap_of.c into physmap-core.c")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/arm-realview-pb1176.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/arm-realview-pb1176.dts b/arch/arm/boot/dts/arm-realview-pb1176.dts
+index f925782f85604..f0be83eebb09d 100644
+--- a/arch/arm/boot/dts/arm-realview-pb1176.dts
++++ b/arch/arm/boot/dts/arm-realview-pb1176.dts
+@@ -435,7 +435,7 @@ pb1176_serial3: serial@1010f000 {
+
+ /* Direct-mapped development chip ROM */
+ pb1176_rom@10200000 {
+- compatible = "direct-mapped";
++ compatible = "mtd-rom";
+ reg = <0x10200000 0x4000>;
+ bank-width = <1>;
+ };
+--
+2.43.0
+
--- /dev/null
+From b2a22bcab1f96508551fcf85176786b9085d9006 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Feb 2024 10:03:27 +0100
+Subject: ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Vokáč <michal.vokac@ysoft.com>
+
+[ Upstream commit 023bd910d3ab735459f84b22bb99fb9e00bd9d76 ]
+
+This change does not have any functional effect. The switch works just
+fine without this patch as it has full access to all the addresses
+on the bus. This is simply a clean-up to set the node name address
+and reg address to the same value.
+
+Fixes: 15b43e497ffd ("ARM: dts: imx6dl-yapp4: Use correct pseudo PHY address for the switch")
+Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+index f18da2b70fdc9..b636faaddc510 100644
+--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+@@ -125,7 +125,7 @@ phy_port3: phy@2 {
+
+ switch@10 {
+ compatible = "qca,qca8334";
+- reg = <10>;
++ reg = <0x10>;
+ reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>;
+
+ switch_ports: ports {
+--
+2.43.0
+
--- /dev/null
+From dbccfd3ef4d96cbc9eb0e9113217a5440b2642b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 19:06:04 +0100
+Subject: ARM: dts: imx6dl-yapp4: Move phy reset into switch node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Vokáč <michal.vokac@ysoft.com>
+
+[ Upstream commit 7da7b84fee58c85a6075022023d31edea40e81a1 ]
+
+Drop the phy-reset-duration and phy-reset-gpios deprecated properties and
+move reset-gpios under the switch node.
+
+Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Stable-dep-of: 023bd910d3ab ("ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+index ebc0892e37c7a..f18da2b70fdc9 100644
+--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+@@ -103,8 +103,6 @@ &fec {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii-id";
+- phy-reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>;
+- phy-reset-duration = <20>;
+ phy-supply = <&sw2_reg>;
+ status = "okay";
+
+@@ -128,6 +126,7 @@ phy_port3: phy@2 {
+ switch@10 {
+ compatible = "qca,qca8334";
+ reg = <10>;
++ reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>;
+
+ switch_ports: ports {
+ #address-cells = <1>;
+--
+2.43.0
+
--- /dev/null
+From d1e1c3b807dc886cd15182ce9c2e4de7ec01b706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Feb 2024 10:03:28 +0100
+Subject: ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the
+ switch node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Vokáč <michal.vokac@ysoft.com>
+
+[ Upstream commit 79978bff2e4b8e05ebdf5fc3ee6b794002393484 ]
+
+We identified that the PHYs actually do not work since commit 7da7b84fee58
+("ARM: dts: imx6dl-yapp4: Move phy reset into switch node") as
+a coincidence of several circumstances.
+
+The reset signal is kept asserted by a pull-down resistor on the board
+unless it is deasserted by GPIO from the SoC. This is to keep the switch
+dead until it is configured properly by the kernel and user space.
+
+Prior to the referenced commit the switch was reset by the FEC driver
+and the reset GPIO was actively deasserted. The mdio-bus was scanned
+and the attached switch and its PHYs were found and configured.
+
+With the referenced commit the switch is reset by the qca8k driver.
+Because of another bug in the qca8k driver, functionality of the reset
+pin depends on its pre-kernel configuration. See commit c44fc98f0a8f
+("net: dsa: qca8k: fix illegal usage of GPIO")
+
+The problem did not appear until we removed support for the switch
+and configuration of its reset pin from the bootloader.
+
+To fix that, properly describe the internal mdio-bus configuration of
+the qca8334 switch. The PHYs are internal to the switch and sit on its
+internal mdio-bus.
+
+Fixes: 7da7b84fee58 ("ARM: dts: imx6dl-yapp4: Move phy reset into switch node")
+Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 23 ++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+index b636faaddc510..cbf5a76625e69 100644
+--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+@@ -115,14 +115,6 @@ mdio {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+- phy_port2: phy@1 {
+- reg = <1>;
+- };
+-
+- phy_port3: phy@2 {
+- reg = <2>;
+- };
+-
+ switch@10 {
+ compatible = "qca,qca8334";
+ reg = <0x10>;
+@@ -147,15 +139,30 @@ fixed-link {
+ eth2: port@2 {
+ reg = <2>;
+ label = "eth2";
++ phy-mode = "internal";
+ phy-handle = <&phy_port2>;
+ };
+
+ eth1: port@3 {
+ reg = <3>;
+ label = "eth1";
++ phy-mode = "internal";
+ phy-handle = <&phy_port3>;
+ };
+ };
++
++ mdio {
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ phy_port2: ethernet-phy@1 {
++ reg = <1>;
++ };
++
++ phy_port3: ethernet-phy@2 {
++ reg = <2>;
++ };
++ };
+ };
+ };
+ };
+--
+2.43.0
+
--- /dev/null
+From c5913a6677aab037f904ae4c749e1de0a3f55eb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jan 2024 12:03:03 +0100
+Subject: ARM: dts: renesas: r8a73a4: Fix external clocks and clock rate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 090c4094574705b0afc7d37825cdc5d06f0e7e02 ]
+
+External clocks should be defined as zero-Hz clocks in the SoC .dtsi,
+and overridden in the board .dts when present.
+
+Correct the clock rate of extal1 from 25 to 26 MHz, to match the crystal
+oscillator present on the APE6-EVM board.
+
+Fixes: a76809a329d6ebae ("ARM: shmobile: r8a73a4: Common clock framework DT description")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://lore.kernel.org/r/1692bc8cd465d62168cbf110522ad62a7af3f606.1705315614.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/r8a73a4-ape6evm.dts | 12 ++++++++++++
+ arch/arm/boot/dts/r8a73a4.dtsi | 9 ++++++---
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/r8a73a4-ape6evm.dts b/arch/arm/boot/dts/r8a73a4-ape6evm.dts
+index b088e8e351d54..1028f721b38b0 100644
+--- a/arch/arm/boot/dts/r8a73a4-ape6evm.dts
++++ b/arch/arm/boot/dts/r8a73a4-ape6evm.dts
+@@ -208,6 +208,18 @@ &cmt1 {
+ status = "okay";
+ };
+
++&extal1_clk {
++ clock-frequency = <26000000>;
++};
++
++&extal2_clk {
++ clock-frequency = <48000000>;
++};
++
++&extalr_clk {
++ clock-frequency = <32768>;
++};
++
+ &pfc {
+ scifa0_pins: scifa0 {
+ groups = "scifa0_data";
+diff --git a/arch/arm/boot/dts/r8a73a4.dtsi b/arch/arm/boot/dts/r8a73a4.dtsi
+index e5fb1ce261f72..bcde8d1005976 100644
+--- a/arch/arm/boot/dts/r8a73a4.dtsi
++++ b/arch/arm/boot/dts/r8a73a4.dtsi
+@@ -494,17 +494,20 @@ clocks {
+ extalr_clk: extalr {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+- clock-frequency = <32768>;
++ /* This value must be overridden by the board. */
++ clock-frequency = <0>;
+ };
+ extal1_clk: extal1 {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+- clock-frequency = <25000000>;
++ /* This value must be overridden by the board. */
++ clock-frequency = <0>;
+ };
+ extal2_clk: extal2 {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+- clock-frequency = <48000000>;
++ /* This value must be overridden by the board. */
++ clock-frequency = <0>;
+ };
+ fsiack_clk: fsiack {
+ compatible = "fixed-clock";
+--
+2.43.0
+
--- /dev/null
+From f93267c150cb445c6c756e96d0a09398bd16a51d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jan 2024 13:22:58 +0100
+Subject: arm64: dts: marvell: reorder crypto interrupts on Armada SoCs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit ec55a22149d64f9ac41845d923b884d4a666bf4d ]
+
+Match order specified in binding documentation. It says "mem" should be
+the last interrupt.
+
+This fixes:
+arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:0: 'ring0' was expected
+ from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml#
+arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:1: 'ring1' was expected
+ from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml#
+arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:2: 'ring2' was expected
+ from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml#
+arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:3: 'ring3' was expected
+ from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml#
+arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:4: 'eip' was expected
+ from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml#
+arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:5: 'mem' was expected
+ from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml#
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 10 +++++-----
+ arch/arm64/boot/dts/marvell/armada-cp11x.dtsi | 10 +++++-----
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
+index 0f4bcd15d8580..086c3cc7d055c 100644
+--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
+@@ -414,14 +414,14 @@ xor11 {
+ crypto: crypto@90000 {
+ compatible = "inside-secure,safexcel-eip97ies";
+ reg = <0x90000 0x20000>;
+- interrupts = <GIC_SPI 19 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 20 IRQ_TYPE_LEVEL_HIGH>,
++ interrupts = <GIC_SPI 20 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 21 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 22 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 24 IRQ_TYPE_LEVEL_HIGH>;
+- interrupt-names = "mem", "ring0", "ring1",
+- "ring2", "ring3", "eip";
++ <GIC_SPI 24 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 19 IRQ_TYPE_LEVEL_HIGH>;
++ interrupt-names = "ring0", "ring1", "ring2",
++ "ring3", "eip", "mem";
+ clocks = <&nb_periph_clk 15>;
+ };
+
+diff --git a/arch/arm64/boot/dts/marvell/armada-cp11x.dtsi b/arch/arm64/boot/dts/marvell/armada-cp11x.dtsi
+index 9dcf16beabf5d..da83bfdbe8432 100644
+--- a/arch/arm64/boot/dts/marvell/armada-cp11x.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-cp11x.dtsi
+@@ -477,14 +477,14 @@ CP11X_LABEL(sdhci0): sdhci@780000 {
+ CP11X_LABEL(crypto): crypto@800000 {
+ compatible = "inside-secure,safexcel-eip197b";
+ reg = <0x800000 0x200000>;
+- interrupts = <87 IRQ_TYPE_LEVEL_HIGH>,
+- <88 IRQ_TYPE_LEVEL_HIGH>,
++ interrupts = <88 IRQ_TYPE_LEVEL_HIGH>,
+ <89 IRQ_TYPE_LEVEL_HIGH>,
+ <90 IRQ_TYPE_LEVEL_HIGH>,
+ <91 IRQ_TYPE_LEVEL_HIGH>,
+- <92 IRQ_TYPE_LEVEL_HIGH>;
+- interrupt-names = "mem", "ring0", "ring1",
+- "ring2", "ring3", "eip";
++ <92 IRQ_TYPE_LEVEL_HIGH>,
++ <87 IRQ_TYPE_LEVEL_HIGH>;
++ interrupt-names = "ring0", "ring1", "ring2", "ring3",
++ "eip", "mem";
+ clock-names = "core", "reg";
+ clocks = <&CP11X_LABEL(clk) 1 26>,
+ <&CP11X_LABEL(clk) 1 17>;
+--
+2.43.0
+
--- /dev/null
+From 682f9aac86a9fa4ba7f721af28a4c5fdb58a7765 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 14:23:57 +0100
+Subject: arm64: dts: mediatek: mt7622: add missing "device_type" to memory
+ nodes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit 99d100e00144bc01b49a697f4bc4398f2f7e7ce4 ]
+
+This fixes:
+arch/arm64/boot/dts/mediatek/mt7622-rfb1.dtb: /: memory@40000000: 'device_type' is a required property
+ from schema $id: http://devicetree.org/schemas/memory.yaml#
+arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dtb: /: memory@40000000: 'device_type' is a required property
+ from schema $id: http://devicetree.org/schemas/memory.yaml#
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20240122132357.31264-1-zajec5@gmail.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts | 1 +
+ arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts b/arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts
+index 7e6cffdc5a551..778174a7d649b 100644
+--- a/arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts
++++ b/arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts
+@@ -71,6 +71,7 @@ red {
+
+ memory@40000000 {
+ reg = <0 0x40000000 0 0x40000000>;
++ device_type = "memory";
+ };
+
+ reg_1p8v: regulator-1p8v {
+diff --git a/arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts b/arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts
+index 993f033d0bf04..810575de66702 100644
+--- a/arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts
++++ b/arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts
+@@ -57,6 +57,7 @@ wps {
+
+ memory@40000000 {
+ reg = <0 0x40000000 0 0x20000000>;
++ device_type = "memory";
+ };
+
+ reg_1p8v: regulator-1p8v {
+--
+2.43.0
+
--- /dev/null
+From 98b893b14388eaa630ac2417cd2ab3f3633675df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 13:39:42 +0000
+Subject: arm64: dts: qcom: msm8996: Define UFS UniPro clock limits
+
+From: Yassine Oudjana <y.oudjana@protonmail.com>
+
+[ Upstream commit 68c4c20848d71b0e69c3403becb5dd23e89e5896 ]
+
+These limits were always defined as 0, but that didn't cause any issue
+since the driver had hardcoded limits. In commit b4e13e1ae95e ("scsi: ufs:
+qcom: Add multiple frequency support for MAX_CORE_CLK_1US_CYCLES") the
+hardcoded limits were removed and the driver started reading them from DT,
+causing UFS to stop working on MSM8996. Add real UniPro clock limits to fix
+UFS.
+
+Signed-off-by: Yassine Oudjana <y.oudjana@protonmail.com>
+Fixes: 57fc67ef0d35 ("arm64: dts: qcom: msm8996: Add ufs related nodes")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20231218133917.78770-1-y.oudjana@protonmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index 1fdb03c86135f..25e56b6ccaf66 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -932,7 +932,7 @@ ufshc: ufshc@624000 {
+ <0 0>,
+ <0 0>,
+ <150000000 300000000>,
+- <0 0>,
++ <75000000 150000000>,
+ <0 0>,
+ <0 0>,
+ <0 0>,
+--
+2.43.0
+
--- /dev/null
+From f9ae001bedcecd607c19b4ec716fd1bb4c42edd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 12:37:28 +0530
+Subject: arm64: dts: qcom: msm8996: Fix UFS PHY clocks
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit c83fdb4335cec507d685ba9661ed7c4ccbaf12ff ]
+
+QMP PHY used in MSM8996 requires 2 clocks:
+
+* ref - 19.2MHz reference clock from RPM
+* qref - QREF clock from GCC
+
+Fixes: 27520210e881 ("arm64: dts: qcom: msm8996: Use generic QMP driver for UFS")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20240131-ufs-phy-clock-v3-5-58a49d2f4605@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index d766f3b5c03ec..1fdb03c86135f 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -954,8 +954,8 @@ ufsphy: phy@627000 {
+ #size-cells = <1>;
+ ranges;
+
+- clocks = <&gcc GCC_UFS_CLKREF_CLK>;
+- clock-names = "ref";
++ clocks = <&rpmcc RPM_SMD_LN_BB_CLK>, <&gcc GCC_UFS_CLKREF_CLK>;
++ clock-names = "ref", "qref";
+
+ resets = <&ufshc 0>;
+ reset-names = "ufsphy";
+--
+2.43.0
+
--- /dev/null
+From aab07b9de8aac8b7b3cb3de6d9e4b61d1e094fb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 12:37:29 +0530
+Subject: arm64: dts: qcom: msm8998: Fix UFS PHY clocks
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 5e653a7ff4426242f22dd8bc6af7f29e10ee0d68 ]
+
+QMP PHY used in MSM8998 requires 3 clocks:
+
+* ref - 19.2MHz reference clock from RPM
+* ref_aux - Auxiliary reference clock from GCC
+* qref - QREF clock from GCC
+
+Fixes: cd3dbe2a4e6c ("arm64: dts: qcom: msm8998: Add UFS nodes")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20240131-ufs-phy-clock-v3-6-58a49d2f4605@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8998.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8998.dtsi b/arch/arm64/boot/dts/qcom/msm8998.dtsi
+index ca8e7848769a6..cccfef52520cd 100644
+--- a/arch/arm64/boot/dts/qcom/msm8998.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8998.dtsi
+@@ -1044,12 +1044,12 @@ ufsphy: phy@1da7000 {
+ #size-cells = <1>;
+ ranges;
+
+- clock-names =
+- "ref",
+- "ref_aux";
+- clocks =
+- <&gcc GCC_UFS_CLKREF_CLK>,
+- <&gcc GCC_UFS_PHY_AUX_CLK>;
++ clocks = <&rpmcc RPM_SMD_LN_BB_CLK1>,
++ <&gcc GCC_UFS_PHY_AUX_CLK>,
++ <&gcc GCC_UFS_CLKREF_CLK>;
++ clock-names = "ref",
++ "ref_aux",
++ "qref";
+
+ reset-names = "ufsphy";
+ resets = <&ufshc 0>;
+--
+2.43.0
+
--- /dev/null
+From 42b9dd419e165860067753fc9abdb914ad2b2417 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 22:58:03 +0100
+Subject: ASoC: meson: aiu: fix function pointer type mismatch
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 98ac85a00f31d2e9d5452b825a9ed0153d934043 ]
+
+clang-16 warns about casting functions to incompatible types, as is done
+here to call clk_disable_unprepare:
+
+sound/soc/meson/aiu.c:243:12: error: cast from 'void (*)(struct clk *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 243 | (void(*)(void *))clk_disable_unprepare,
+
+The pattern of getting, enabling and setting a disable callback for a
+clock can be replaced with devm_clk_get_enabled(), which also fixes
+this warning.
+
+Fixes: 6ae9ca9ce986 ("ASoC: meson: aiu: add i2s and spdif support")
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Link: https://msgid.link/r/20240213215807.3326688-2-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/aiu.c | 19 ++++---------------
+ sound/soc/meson/aiu.h | 1 -
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/sound/soc/meson/aiu.c b/sound/soc/meson/aiu.c
+index 386a31a044700..03bc3e5b6cab5 100644
+--- a/sound/soc/meson/aiu.c
++++ b/sound/soc/meson/aiu.c
+@@ -215,11 +215,12 @@ static const char * const aiu_spdif_ids[] = {
+ static int aiu_clk_get(struct device *dev)
+ {
+ struct aiu *aiu = dev_get_drvdata(dev);
++ struct clk *pclk;
+ int ret;
+
+- aiu->pclk = devm_clk_get(dev, "pclk");
+- if (IS_ERR(aiu->pclk))
+- return dev_err_probe(dev, PTR_ERR(aiu->pclk), "Can't get the aiu pclk\n");
++ pclk = devm_clk_get_enabled(dev, "pclk");
++ if (IS_ERR(pclk))
++ return dev_err_probe(dev, PTR_ERR(pclk), "Can't get the aiu pclk\n");
+
+ aiu->spdif_mclk = devm_clk_get(dev, "spdif_mclk");
+ if (IS_ERR(aiu->spdif_mclk))
+@@ -236,18 +237,6 @@ static int aiu_clk_get(struct device *dev)
+ if (ret)
+ return dev_err_probe(dev, ret, "Can't get the spdif clocks\n");
+
+- ret = clk_prepare_enable(aiu->pclk);
+- if (ret) {
+- dev_err(dev, "peripheral clock enable failed\n");
+- return ret;
+- }
+-
+- ret = devm_add_action_or_reset(dev,
+- (void(*)(void *))clk_disable_unprepare,
+- aiu->pclk);
+- if (ret)
+- dev_err(dev, "failed to add reset action on pclk");
+-
+ return ret;
+ }
+
+diff --git a/sound/soc/meson/aiu.h b/sound/soc/meson/aiu.h
+index 87aa19ac4af3a..44f8c213d35a0 100644
+--- a/sound/soc/meson/aiu.h
++++ b/sound/soc/meson/aiu.h
+@@ -33,7 +33,6 @@ struct aiu_platform_data {
+ };
+
+ struct aiu {
+- struct clk *pclk;
+ struct clk *spdif_mclk;
+ struct aiu_interface i2s;
+ struct aiu_interface spdif;
+--
+2.43.0
+
--- /dev/null
+From 0ecb3fad39a35699420b47f03b48115c1295bb73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 18:51:08 +0100
+Subject: ASoC: meson: axg-tdm-interface: add frame rate constraint
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 59c6a3a43b221cc2a211181b1298e43b2c2df782 ]
+
+According to Amlogic datasheets for the SoCs supported by this driver, the
+maximum bit clock rate is 100MHz.
+
+The tdm interface allows the rates listed by the DAI driver, regardless of
+the number slots or their width. However, these will impact the bit clock
+rate.
+
+Hitting the 100MHz limit is very unlikely for most use cases but it is
+possible.
+
+For example with 32 slots / 32 bits wide, the maximum rate is no longer
+384kHz but ~96kHz.
+
+Add the constraint accordingly if the component is not already active.
+If it is active, the rate is already constrained by the first stream rate.
+
+Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://msgid.link/r/20240223175116.2005407-3-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-tdm-interface.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c
+index ac43a7ab7bcf6..60d132ab1ab78 100644
+--- a/sound/soc/meson/axg-tdm-interface.c
++++ b/sound/soc/meson/axg-tdm-interface.c
+@@ -12,6 +12,9 @@
+
+ #include "axg-tdm.h"
+
++/* Maximum bit clock frequency according the datasheets */
++#define MAX_SCLK 100000000 /* Hz */
++
+ enum {
+ TDM_IFACE_PAD,
+ TDM_IFACE_LOOPBACK,
+@@ -155,19 +158,27 @@ static int axg_tdm_iface_startup(struct snd_pcm_substream *substream,
+ return -EINVAL;
+ }
+
+- /* Apply component wide rate symmetry */
+ if (snd_soc_component_active(dai->component)) {
++ /* Apply component wide rate symmetry */
+ ret = snd_pcm_hw_constraint_single(substream->runtime,
+ SNDRV_PCM_HW_PARAM_RATE,
+ iface->rate);
+- if (ret < 0) {
+- dev_err(dai->dev,
+- "can't set iface rate constraint\n");
+- return ret;
+- }
++
++ } else {
++ /* Limit rate according to the slot number and width */
++ unsigned int max_rate =
++ MAX_SCLK / (iface->slots * iface->slot_width);
++ ret = snd_pcm_hw_constraint_minmax(substream->runtime,
++ SNDRV_PCM_HW_PARAM_RATE,
++ 0, max_rate);
+ }
+
+- return 0;
++ if (ret < 0)
++ dev_err(dai->dev, "can't set iface rate constraint\n");
++ else
++ ret = 0;
++
++ return ret;
+ }
+
+ static int axg_tdm_iface_set_stream(struct snd_pcm_substream *substream,
+--
+2.43.0
+
--- /dev/null
+From 88643204ca145c5bcfdc44a659b8db6ce03343d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 18:51:07 +0100
+Subject: ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit e3741a8d28a1137f8b19ae6f3d6e3be69a454a0a ]
+
+By default, when mclk-fs is not provided, the tdm-interface driver
+requests an MCLK that is 4x the bit clock, SCLK.
+
+However there is no justification for this:
+
+* If the codec needs MCLK for its operation, mclk-fs is expected to be set
+ according to the codec requirements.
+* If the codec does not need MCLK the minimum is 2 * SCLK, because this is
+ minimum the divider between SCLK and MCLK can do.
+
+Multiplying by 4 may cause problems because the PLL limit may be reached
+sooner than it should, so use 2x instead.
+
+Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://msgid.link/r/20240223175116.2005407-2-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-tdm-interface.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c
+index e076ced300257..ac43a7ab7bcf6 100644
+--- a/sound/soc/meson/axg-tdm-interface.c
++++ b/sound/soc/meson/axg-tdm-interface.c
+@@ -266,8 +266,8 @@ static int axg_tdm_iface_set_sclk(struct snd_soc_dai *dai,
+ srate = iface->slots * iface->slot_width * params_rate(params);
+
+ if (!iface->mclk_rate) {
+- /* If no specific mclk is requested, default to bit clock * 4 */
+- clk_set_rate(iface->mclk, 4 * srate);
++ /* If no specific mclk is requested, default to bit clock * 2 */
++ clk_set_rate(iface->mclk, 2 * srate);
+ } else {
+ /* Check if we can actually get the bit clock from mclk */
+ if (iface->mclk_rate % srate) {
+--
+2.43.0
+
--- /dev/null
+From 43778655732a877b951aa757617d94df769226a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 22:58:04 +0100
+Subject: ASoC: meson: t9015: fix function pointer type mismatch
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 5ad992c71b6a8e8a547954addc7af9fbde6ca10a ]
+
+clang-16 warns about casting functions to incompatible types, as is done
+here to call clk_disable_unprepare:
+
+sound/soc/meson/t9015.c:274:4: error: cast from 'void (*)(struct clk *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 274 | (void(*)(void *))clk_disable_unprepare,
+
+The pattern of getting, enabling and setting a disable callback for a
+clock can be replaced with devm_clk_get_enabled(), which also fixes
+this warning.
+
+Fixes: 33901f5b9b16 ("ASoC: meson: add t9015 internal DAC driver")
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Link: https://msgid.link/r/20240213215807.3326688-3-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/t9015.c | 20 ++++----------------
+ 1 file changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/sound/soc/meson/t9015.c b/sound/soc/meson/t9015.c
+index cb1eaf678fc3f..b085aa65c688c 100644
+--- a/sound/soc/meson/t9015.c
++++ b/sound/soc/meson/t9015.c
+@@ -48,7 +48,6 @@
+ #define POWER_CFG 0x10
+
+ struct t9015 {
+- struct clk *pclk;
+ struct regulator *avdd;
+ };
+
+@@ -250,6 +249,7 @@ static int t9015_probe(struct platform_device *pdev)
+ struct t9015 *priv;
+ void __iomem *regs;
+ struct regmap *regmap;
++ struct clk *pclk;
+ int ret;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+@@ -257,26 +257,14 @@ static int t9015_probe(struct platform_device *pdev)
+ return -ENOMEM;
+ platform_set_drvdata(pdev, priv);
+
+- priv->pclk = devm_clk_get(dev, "pclk");
+- if (IS_ERR(priv->pclk))
+- return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get core clock\n");
++ pclk = devm_clk_get_enabled(dev, "pclk");
++ if (IS_ERR(pclk))
++ return dev_err_probe(dev, PTR_ERR(pclk), "failed to get core clock\n");
+
+ priv->avdd = devm_regulator_get(dev, "AVDD");
+ if (IS_ERR(priv->avdd))
+ return dev_err_probe(dev, PTR_ERR(priv->avdd), "failed to AVDD\n");
+
+- ret = clk_prepare_enable(priv->pclk);
+- if (ret) {
+- dev_err(dev, "core clock enable failed\n");
+- return ret;
+- }
+-
+- ret = devm_add_action_or_reset(dev,
+- (void(*)(void *))clk_disable_unprepare,
+- priv->pclk);
+- if (ret)
+- return ret;
+-
+ ret = device_reset(dev);
+ if (ret) {
+ dev_err(dev, "reset failed\n");
+--
+2.43.0
+
--- /dev/null
+From f2712da341a75b54211499a421b5477d7c45a957 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 11:08:37 +0900
+Subject: ASoC: meson: Use dev_err_probe() helper
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 2ff4e003e8e105fb65c682c876a5cb0e00f854bf ]
+
+Use the dev_err_probe() helper, instead of open-coding the same
+operation.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/20211214020843.2225831-17-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 98ac85a00f31 ("ASoC: meson: aiu: fix function pointer type mismatch")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/aiu.c | 36 +++++++--------------
+ sound/soc/meson/axg-fifo.c | 16 +++------
+ sound/soc/meson/axg-pdm.c | 25 ++++-----------
+ sound/soc/meson/axg-spdifin.c | 17 +++-------
+ sound/soc/meson/axg-spdifout.c | 17 +++-------
+ sound/soc/meson/axg-tdm-formatter.c | 50 ++++++++---------------------
+ sound/soc/meson/axg-tdm-interface.c | 25 ++++-----------
+ sound/soc/meson/meson-card-utils.c | 8 ++---
+ sound/soc/meson/t9015.c | 14 +++-----
+ 9 files changed, 56 insertions(+), 152 deletions(-)
+
+diff --git a/sound/soc/meson/aiu.c b/sound/soc/meson/aiu.c
+index dc35ca79021c5..386a31a044700 100644
+--- a/sound/soc/meson/aiu.c
++++ b/sound/soc/meson/aiu.c
+@@ -218,34 +218,23 @@ static int aiu_clk_get(struct device *dev)
+ int ret;
+
+ aiu->pclk = devm_clk_get(dev, "pclk");
+- if (IS_ERR(aiu->pclk)) {
+- if (PTR_ERR(aiu->pclk) != -EPROBE_DEFER)
+- dev_err(dev, "Can't get the aiu pclk\n");
+- return PTR_ERR(aiu->pclk);
+- }
++ if (IS_ERR(aiu->pclk))
++ return dev_err_probe(dev, PTR_ERR(aiu->pclk), "Can't get the aiu pclk\n");
+
+ aiu->spdif_mclk = devm_clk_get(dev, "spdif_mclk");
+- if (IS_ERR(aiu->spdif_mclk)) {
+- if (PTR_ERR(aiu->spdif_mclk) != -EPROBE_DEFER)
+- dev_err(dev, "Can't get the aiu spdif master clock\n");
+- return PTR_ERR(aiu->spdif_mclk);
+- }
++ if (IS_ERR(aiu->spdif_mclk))
++ return dev_err_probe(dev, PTR_ERR(aiu->spdif_mclk),
++ "Can't get the aiu spdif master clock\n");
+
+ ret = aiu_clk_bulk_get(dev, aiu_i2s_ids, ARRAY_SIZE(aiu_i2s_ids),
+ &aiu->i2s);
+- if (ret) {
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "Can't get the i2s clocks\n");
+- return ret;
+- }
++ if (ret)
++ return dev_err_probe(dev, ret, "Can't get the i2s clocks\n");
+
+ ret = aiu_clk_bulk_get(dev, aiu_spdif_ids, ARRAY_SIZE(aiu_spdif_ids),
+ &aiu->spdif);
+- if (ret) {
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "Can't get the spdif clocks\n");
+- return ret;
+- }
++ if (ret)
++ return dev_err_probe(dev, ret, "Can't get the spdif clocks\n");
+
+ ret = clk_prepare_enable(aiu->pclk);
+ if (ret) {
+@@ -281,11 +270,8 @@ static int aiu_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, aiu);
+
+ ret = device_reset(dev);
+- if (ret) {
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "Failed to reset device\n");
+- return ret;
+- }
++ if (ret)
++ return dev_err_probe(dev, ret, "Failed to reset device\n");
+
+ regs = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(regs))
+diff --git a/sound/soc/meson/axg-fifo.c b/sound/soc/meson/axg-fifo.c
+index b2e867113226b..295c0fc30745e 100644
+--- a/sound/soc/meson/axg-fifo.c
++++ b/sound/soc/meson/axg-fifo.c
+@@ -350,20 +350,12 @@ int axg_fifo_probe(struct platform_device *pdev)
+ }
+
+ fifo->pclk = devm_clk_get(dev, NULL);
+- if (IS_ERR(fifo->pclk)) {
+- if (PTR_ERR(fifo->pclk) != -EPROBE_DEFER)
+- dev_err(dev, "failed to get pclk: %ld\n",
+- PTR_ERR(fifo->pclk));
+- return PTR_ERR(fifo->pclk);
+- }
++ if (IS_ERR(fifo->pclk))
++ return dev_err_probe(dev, PTR_ERR(fifo->pclk), "failed to get pclk\n");
+
+ fifo->arb = devm_reset_control_get_exclusive(dev, NULL);
+- if (IS_ERR(fifo->arb)) {
+- if (PTR_ERR(fifo->arb) != -EPROBE_DEFER)
+- dev_err(dev, "failed to get arb reset: %ld\n",
+- PTR_ERR(fifo->arb));
+- return PTR_ERR(fifo->arb);
+- }
++ if (IS_ERR(fifo->arb))
++ return dev_err_probe(dev, PTR_ERR(fifo->arb), "failed to get arb reset\n");
+
+ fifo->irq = of_irq_get(dev->of_node, 0);
+ if (fifo->irq <= 0) {
+diff --git a/sound/soc/meson/axg-pdm.c b/sound/soc/meson/axg-pdm.c
+index bfd37d49a73ef..672e43a9729dc 100644
+--- a/sound/soc/meson/axg-pdm.c
++++ b/sound/soc/meson/axg-pdm.c
+@@ -586,7 +586,6 @@ static int axg_pdm_probe(struct platform_device *pdev)
+ struct device *dev = &pdev->dev;
+ struct axg_pdm *priv;
+ void __iomem *regs;
+- int ret;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+@@ -611,28 +610,16 @@ static int axg_pdm_probe(struct platform_device *pdev)
+ }
+
+ priv->pclk = devm_clk_get(dev, "pclk");
+- if (IS_ERR(priv->pclk)) {
+- ret = PTR_ERR(priv->pclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get pclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(priv->pclk))
++ return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get pclk\n");
+
+ priv->dclk = devm_clk_get(dev, "dclk");
+- if (IS_ERR(priv->dclk)) {
+- ret = PTR_ERR(priv->dclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get dclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(priv->dclk))
++ return dev_err_probe(dev, PTR_ERR(priv->dclk), "failed to get dclk\n");
+
+ priv->sysclk = devm_clk_get(dev, "sysclk");
+- if (IS_ERR(priv->sysclk)) {
+- ret = PTR_ERR(priv->sysclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get dclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(priv->sysclk))
++ return dev_err_probe(dev, PTR_ERR(priv->sysclk), "failed to get dclk\n");
+
+ return devm_snd_soc_register_component(dev, &axg_pdm_component_drv,
+ &axg_pdm_dai_drv, 1);
+diff --git a/sound/soc/meson/axg-spdifin.c b/sound/soc/meson/axg-spdifin.c
+index 7aaded1fc376b..245189d2ee95f 100644
+--- a/sound/soc/meson/axg-spdifin.c
++++ b/sound/soc/meson/axg-spdifin.c
+@@ -439,7 +439,6 @@ static int axg_spdifin_probe(struct platform_device *pdev)
+ struct axg_spdifin *priv;
+ struct snd_soc_dai_driver *dai_drv;
+ void __iomem *regs;
+- int ret;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+@@ -464,20 +463,12 @@ static int axg_spdifin_probe(struct platform_device *pdev)
+ }
+
+ priv->pclk = devm_clk_get(dev, "pclk");
+- if (IS_ERR(priv->pclk)) {
+- ret = PTR_ERR(priv->pclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get pclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(priv->pclk))
++ return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get pclk\n");
+
+ priv->refclk = devm_clk_get(dev, "refclk");
+- if (IS_ERR(priv->refclk)) {
+- ret = PTR_ERR(priv->refclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get mclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(priv->refclk))
++ return dev_err_probe(dev, PTR_ERR(priv->refclk), "failed to get mclk\n");
+
+ dai_drv = axg_spdifin_get_dai_drv(dev, priv);
+ if (IS_ERR(dai_drv)) {
+diff --git a/sound/soc/meson/axg-spdifout.c b/sound/soc/meson/axg-spdifout.c
+index e769a5ee6e27e..3960d082e1436 100644
+--- a/sound/soc/meson/axg-spdifout.c
++++ b/sound/soc/meson/axg-spdifout.c
+@@ -403,7 +403,6 @@ static int axg_spdifout_probe(struct platform_device *pdev)
+ struct device *dev = &pdev->dev;
+ struct axg_spdifout *priv;
+ void __iomem *regs;
+- int ret;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+@@ -422,20 +421,12 @@ static int axg_spdifout_probe(struct platform_device *pdev)
+ }
+
+ priv->pclk = devm_clk_get(dev, "pclk");
+- if (IS_ERR(priv->pclk)) {
+- ret = PTR_ERR(priv->pclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get pclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(priv->pclk))
++ return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get pclk\n");
+
+ priv->mclk = devm_clk_get(dev, "mclk");
+- if (IS_ERR(priv->mclk)) {
+- ret = PTR_ERR(priv->mclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get mclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(priv->mclk))
++ return dev_err_probe(dev, PTR_ERR(priv->mclk), "failed to get mclk\n");
+
+ return devm_snd_soc_register_component(dev, &axg_spdifout_component_drv,
+ axg_spdifout_dai_drv, ARRAY_SIZE(axg_spdifout_dai_drv));
+diff --git a/sound/soc/meson/axg-tdm-formatter.c b/sound/soc/meson/axg-tdm-formatter.c
+index 4834cfd163c03..63333a2b0a9c3 100644
+--- a/sound/soc/meson/axg-tdm-formatter.c
++++ b/sound/soc/meson/axg-tdm-formatter.c
+@@ -265,7 +265,6 @@ int axg_tdm_formatter_probe(struct platform_device *pdev)
+ const struct axg_tdm_formatter_driver *drv;
+ struct axg_tdm_formatter *formatter;
+ void __iomem *regs;
+- int ret;
+
+ drv = of_device_get_match_data(dev);
+ if (!drv) {
+@@ -292,57 +291,34 @@ int axg_tdm_formatter_probe(struct platform_device *pdev)
+
+ /* Peripharal clock */
+ formatter->pclk = devm_clk_get(dev, "pclk");
+- if (IS_ERR(formatter->pclk)) {
+- ret = PTR_ERR(formatter->pclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get pclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(formatter->pclk))
++ return dev_err_probe(dev, PTR_ERR(formatter->pclk), "failed to get pclk\n");
+
+ /* Formatter bit clock */
+ formatter->sclk = devm_clk_get(dev, "sclk");
+- if (IS_ERR(formatter->sclk)) {
+- ret = PTR_ERR(formatter->sclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get sclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(formatter->sclk))
++ return dev_err_probe(dev, PTR_ERR(formatter->sclk), "failed to get sclk\n");
+
+ /* Formatter sample clock */
+ formatter->lrclk = devm_clk_get(dev, "lrclk");
+- if (IS_ERR(formatter->lrclk)) {
+- ret = PTR_ERR(formatter->lrclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get lrclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(formatter->lrclk))
++ return dev_err_probe(dev, PTR_ERR(formatter->lrclk), "failed to get lrclk\n");
+
+ /* Formatter bit clock input multiplexer */
+ formatter->sclk_sel = devm_clk_get(dev, "sclk_sel");
+- if (IS_ERR(formatter->sclk_sel)) {
+- ret = PTR_ERR(formatter->sclk_sel);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get sclk_sel: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(formatter->sclk_sel))
++ return dev_err_probe(dev, PTR_ERR(formatter->sclk_sel), "failed to get sclk_sel\n");
+
+ /* Formatter sample clock input multiplexer */
+ formatter->lrclk_sel = devm_clk_get(dev, "lrclk_sel");
+- if (IS_ERR(formatter->lrclk_sel)) {
+- ret = PTR_ERR(formatter->lrclk_sel);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get lrclk_sel: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(formatter->lrclk_sel))
++ return dev_err_probe(dev, PTR_ERR(formatter->lrclk_sel),
++ "failed to get lrclk_sel\n");
+
+ /* Formatter dedicated reset line */
+ formatter->reset = devm_reset_control_get_optional_exclusive(dev, NULL);
+- if (IS_ERR(formatter->reset)) {
+- ret = PTR_ERR(formatter->reset);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get reset: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(formatter->reset))
++ return dev_err_probe(dev, PTR_ERR(formatter->reset), "failed to get reset\n");
+
+ return devm_snd_soc_register_component(dev, drv->component_drv,
+ NULL, 0);
+diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c
+index 87cac440b3693..e076ced300257 100644
+--- a/sound/soc/meson/axg-tdm-interface.c
++++ b/sound/soc/meson/axg-tdm-interface.c
+@@ -517,21 +517,13 @@ static int axg_tdm_iface_probe(struct platform_device *pdev)
+
+ /* Bit clock provided on the pad */
+ iface->sclk = devm_clk_get(dev, "sclk");
+- if (IS_ERR(iface->sclk)) {
+- ret = PTR_ERR(iface->sclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get sclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(iface->sclk))
++ return dev_err_probe(dev, PTR_ERR(iface->sclk), "failed to get sclk\n");
+
+ /* Sample clock provided on the pad */
+ iface->lrclk = devm_clk_get(dev, "lrclk");
+- if (IS_ERR(iface->lrclk)) {
+- ret = PTR_ERR(iface->lrclk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get lrclk: %d\n", ret);
+- return ret;
+- }
++ if (IS_ERR(iface->lrclk))
++ return dev_err_probe(dev, PTR_ERR(iface->lrclk), "failed to get lrclk\n");
+
+ /*
+ * mclk maybe be missing when the cpu dai is in slave mode and
+@@ -542,13 +534,10 @@ static int axg_tdm_iface_probe(struct platform_device *pdev)
+ iface->mclk = devm_clk_get(dev, "mclk");
+ if (IS_ERR(iface->mclk)) {
+ ret = PTR_ERR(iface->mclk);
+- if (ret == -ENOENT) {
++ if (ret == -ENOENT)
+ iface->mclk = NULL;
+- } else {
+- if (ret != -EPROBE_DEFER)
+- dev_err(dev, "failed to get mclk: %d\n", ret);
+- return ret;
+- }
++ else
++ return dev_err_probe(dev, ret, "failed to get mclk\n");
+ }
+
+ return devm_snd_soc_register_component(dev,
+diff --git a/sound/soc/meson/meson-card-utils.c b/sound/soc/meson/meson-card-utils.c
+index 300ac8be46ef8..0e2691f011b7b 100644
+--- a/sound/soc/meson/meson-card-utils.c
++++ b/sound/soc/meson/meson-card-utils.c
+@@ -85,11 +85,9 @@ int meson_card_parse_dai(struct snd_soc_card *card,
+
+ ret = of_parse_phandle_with_args(node, "sound-dai",
+ "#sound-dai-cells", 0, &args);
+- if (ret) {
+- if (ret != -EPROBE_DEFER)
+- dev_err(card->dev, "can't parse dai %d\n", ret);
+- return ret;
+- }
++ if (ret)
++ return dev_err_probe(card->dev, ret, "can't parse dai\n");
++
+ *dai_of_node = args.np;
+
+ return snd_soc_get_dai_name(&args, dai_name);
+diff --git a/sound/soc/meson/t9015.c b/sound/soc/meson/t9015.c
+index 56d2592c16d53..cb1eaf678fc3f 100644
+--- a/sound/soc/meson/t9015.c
++++ b/sound/soc/meson/t9015.c
+@@ -258,18 +258,12 @@ static int t9015_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, priv);
+
+ priv->pclk = devm_clk_get(dev, "pclk");
+- if (IS_ERR(priv->pclk)) {
+- if (PTR_ERR(priv->pclk) != -EPROBE_DEFER)
+- dev_err(dev, "failed to get core clock\n");
+- return PTR_ERR(priv->pclk);
+- }
++ if (IS_ERR(priv->pclk))
++ return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get core clock\n");
+
+ priv->avdd = devm_regulator_get(dev, "AVDD");
+- if (IS_ERR(priv->avdd)) {
+- if (PTR_ERR(priv->avdd) != -EPROBE_DEFER)
+- dev_err(dev, "failed to AVDD\n");
+- return PTR_ERR(priv->avdd);
+- }
++ if (IS_ERR(priv->avdd))
++ return dev_err_probe(dev, PTR_ERR(priv->avdd), "failed to AVDD\n");
+
+ ret = clk_prepare_enable(priv->pclk);
+ if (ret) {
+--
+2.43.0
+
--- /dev/null
+From d52710c639fb5edb1db04c63a4b77c8e0280cfd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 15:35:24 +0000
+Subject: backlight: da9052: Fully initialize backlight_properties during probe
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit 0285e9efaee8276305db5c52a59baf84e9731556 ]
+
+props is stack allocated and the fields that are not explcitly set
+by the probe function need to be zeroed or we'll get undefined behaviour
+(especially so power/blank states)!
+
+Fixes: 6ede3d832aaa ("backlight: add driver for DA9052/53 PMIC v1")
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20240220153532.76613-2-daniel.thompson@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/da9052_bl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/backlight/da9052_bl.c b/drivers/video/backlight/da9052_bl.c
+index 882359dd288c0..aa00379392a0f 100644
+--- a/drivers/video/backlight/da9052_bl.c
++++ b/drivers/video/backlight/da9052_bl.c
+@@ -117,6 +117,7 @@ static int da9052_backlight_probe(struct platform_device *pdev)
+ wleds->led_reg = platform_get_device_id(pdev)->driver_data;
+ wleds->state = DA9052_WLEDS_OFF;
+
++ memset(&props, 0, sizeof(struct backlight_properties));
+ props.type = BACKLIGHT_RAW;
+ props.max_brightness = DA9052_MAX_BRIGHTNESS;
+
+--
+2.43.0
+
--- /dev/null
+From c3de243c72ce1d14f632d745239f3acc2226296b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 00:11:20 +0100
+Subject: backlight: lm3630a: Don't set bl->props.brightness in get_brightness
+
+From: Luca Weiss <luca@z3ntu.xyz>
+
+[ Upstream commit 4bf7ddd2d2f0f8826f25f74c7eba4e2c323a1446 ]
+
+There's no need to set bl->props.brightness, the get_brightness function
+is just supposed to return the current brightness and not touch the
+struct.
+
+With that done we can also remove the 'goto out' and just return the
+value.
+
+Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip")
+Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-2-9ca62f7e4a33@z3ntu.xyz
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/lm3630a_bl.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c
+index 2aade66db3cf4..2134342c2c97d 100644
+--- a/drivers/video/backlight/lm3630a_bl.c
++++ b/drivers/video/backlight/lm3630a_bl.c
+@@ -229,7 +229,7 @@ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl)
+ if (rval < 0)
+ goto out_i2c_err;
+ brightness |= rval;
+- goto out;
++ return brightness;
+ }
+
+ /* disable sleep */
+@@ -240,11 +240,8 @@ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl)
+ rval = lm3630a_read(pchip, REG_BRT_A);
+ if (rval < 0)
+ goto out_i2c_err;
+- brightness = rval;
++ return rval;
+
+-out:
+- bl->props.brightness = brightness;
+- return bl->props.brightness;
+ out_i2c_err:
+ dev_err(pchip->dev, "i2c failed to access register\n");
+ return 0;
+@@ -306,7 +303,7 @@ static int lm3630a_bank_b_get_brightness(struct backlight_device *bl)
+ if (rval < 0)
+ goto out_i2c_err;
+ brightness |= rval;
+- goto out;
++ return brightness;
+ }
+
+ /* disable sleep */
+@@ -317,11 +314,8 @@ static int lm3630a_bank_b_get_brightness(struct backlight_device *bl)
+ rval = lm3630a_read(pchip, REG_BRT_B);
+ if (rval < 0)
+ goto out_i2c_err;
+- brightness = rval;
++ return rval;
+
+-out:
+- bl->props.brightness = brightness;
+- return bl->props.brightness;
+ out_i2c_err:
+ dev_err(pchip->dev, "i2c failed to access register\n");
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 71b4a10c51dcabadf06d81300a557cb3cf557502 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 00:11:19 +0100
+Subject: backlight: lm3630a: Initialize backlight_properties on init
+
+From: Luca Weiss <luca@z3ntu.xyz>
+
+[ Upstream commit ad9aeb0e3aa90ebdad5fabf9c21783740eb95907 ]
+
+The backlight_properties struct should be initialized to zero before
+using, otherwise there will be some random values in the struct.
+
+Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip")
+Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-1-9ca62f7e4a33@z3ntu.xyz
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/lm3630a_bl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c
+index 419b0334cf087..2aade66db3cf4 100644
+--- a/drivers/video/backlight/lm3630a_bl.c
++++ b/drivers/video/backlight/lm3630a_bl.c
+@@ -339,6 +339,7 @@ static int lm3630a_backlight_register(struct lm3630a_chip *pchip)
+ struct backlight_properties props;
+ const char *label;
+
++ memset(&props, 0, sizeof(struct backlight_properties));
+ props.type = BACKLIGHT_RAW;
+ if (pdata->leda_ctrl != LM3630A_LEDA_DISABLE) {
+ props.brightness = pdata->leda_init_brt;
+--
+2.43.0
+
--- /dev/null
+From 17b6516ff4724474672c3df0046e92111a6f0f34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 15:35:25 +0000
+Subject: backlight: lm3639: Fully initialize backlight_properties during probe
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit abb5a5d951fbea3feb5c4ba179b89bb96a1d3462 ]
+
+props is stack allocated and the fields that are not explcitly set
+by the probe function need to be zeroed or we'll get undefined behaviour
+(especially so power/blank states)!
+
+Fixes: 0f59858d5119 ("backlight: add new lm3639 backlight driver")
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20240220153532.76613-3-daniel.thompson@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/lm3639_bl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/backlight/lm3639_bl.c b/drivers/video/backlight/lm3639_bl.c
+index 48c04155a5f9d..bb617f4673e94 100644
+--- a/drivers/video/backlight/lm3639_bl.c
++++ b/drivers/video/backlight/lm3639_bl.c
+@@ -339,6 +339,7 @@ static int lm3639_probe(struct i2c_client *client,
+ }
+
+ /* backlight */
++ memset(&props, 0, sizeof(struct backlight_properties));
+ props.type = BACKLIGHT_RAW;
+ props.brightness = pdata->init_brt_led;
+ props.max_brightness = pdata->max_brt_led;
+--
+2.43.0
+
--- /dev/null
+From 265946b5e6b4911b6ef4f9071c7e0adfb6c85cfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 15:35:26 +0000
+Subject: backlight: lp8788: Fully initialize backlight_properties during probe
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit 392346827fbe8a7fd573dfb145170d7949f639a6 ]
+
+props is stack allocated and the fields that are not explcitly set
+by the probe function need to be zeroed or we'll get undefined behaviour
+(especially so power/blank states)!
+
+Fixes: c5a51053cf3b ("backlight: add new lp8788 backlight driver")
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20240220153532.76613-4-daniel.thompson@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/lp8788_bl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/backlight/lp8788_bl.c b/drivers/video/backlight/lp8788_bl.c
+index ba42f3fe0c739..d9b95dbd40d30 100644
+--- a/drivers/video/backlight/lp8788_bl.c
++++ b/drivers/video/backlight/lp8788_bl.c
+@@ -191,6 +191,7 @@ static int lp8788_backlight_register(struct lp8788_bl *bl)
+ int init_brt;
+ char *name;
+
++ memset(&props, 0, sizeof(struct backlight_properties));
+ props.type = BACKLIGHT_PLATFORM;
+ props.max_brightness = MAX_BRIGHTNESS;
+
+--
+2.43.0
+
--- /dev/null
+From 033470fd2bd01bb3c90d5f94ca3967c0ebcfc862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 11:00:11 +0100
+Subject: block: add a new set_read_only method
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit e00adcadf3af7a8335026d71ab9f0e0a922191ac ]
+
+Add a new method to allow for driver-specific processing when setting or
+clearing the block device read-only state. This allows to replace the
+cumbersome and error-prone override of the whole ioctl implementation.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/ioctl.c | 5 +++++
+ include/linux/blkdev.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/block/ioctl.c b/block/ioctl.c
+index e7eed7dadb5cf..24f8042f12b60 100644
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -405,6 +405,11 @@ static int blkdev_roset(struct block_device *bdev, fmode_t mode,
+ return ret;
+ if (get_user(n, (int __user *)arg))
+ return -EFAULT;
++ if (bdev->bd_disk->fops->set_read_only) {
++ ret = bdev->bd_disk->fops->set_read_only(bdev, n);
++ if (ret)
++ return ret;
++ }
+ set_device_ro(bdev, n);
+ return 0;
+ }
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 98fdf5a31fd66..583824f111079 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -1883,6 +1883,7 @@ struct block_device_operations {
+ void (*unlock_native_capacity) (struct gendisk *);
+ int (*revalidate_disk) (struct gendisk *);
+ int (*getgeo)(struct block_device *, struct hd_geometry *);
++ int (*set_read_only)(struct block_device *bdev, bool ro);
+ /* this callback is with swap_lock and sometimes page table lock held */
+ void (*swap_slot_free_notify) (struct block_device *, unsigned long);
+ int (*report_zones)(struct gendisk *, sector_t sector,
+--
+2.43.0
+
--- /dev/null
+From 716698ec608f72c255894e06c676bcbc19b7e067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 10:49:26 -0500
+Subject: Bluetooth: hci_core: Fix possible buffer overflow
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 81137162bfaa7278785b24c1fd2e9e74f082e8e4 ]
+
+struct hci_dev_info has a fixed size name[8] field so in the event that
+hdev->name is bigger than that strcpy would attempt to write past its
+size, so this fixes this problem by switching to use strscpy.
+
+Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 5f1fbf86e0ceb..b9cf5bc9364c1 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -2175,7 +2175,7 @@ int hci_get_dev_info(void __user *arg)
+ else
+ flags = hdev->flags;
+
+- strcpy(di.name, hdev->name);
++ strscpy(di.name, hdev->name, sizeof(di.name));
+ di.bdaddr = hdev->bdaddr;
+ di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
+ di.flags = flags;
+--
+2.43.0
+
--- /dev/null
+From 60c4fa71bac2344b91be35ad9a648abc9ed7b7ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jan 2024 23:46:06 +0100
+Subject: Bluetooth: Remove superfluous call to hci_conn_check_pending()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonas Dreßler <verdre@v0yd.nl>
+
+[ Upstream commit 78e3639fc8031275010c3287ac548c0bc8de83b1 ]
+
+The "pending connections" feature was originally introduced with commit
+4c67bc74f016 ("[Bluetooth] Support concurrent connect requests") and
+6bd57416127e ("[Bluetooth] Handling pending connect attempts after
+inquiry") to handle controllers supporting only a single connection request
+at a time. Later things were extended to also cancel ongoing inquiries on
+connect() with commit 89e65975fea5 ("Bluetooth: Cancel Inquiry before
+Create Connection").
+
+With commit a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only
+opcodes"), hci_conn_check_pending() was introduced as a helper to
+consolidate a few places where we check for pending connections (indicated
+by the BT_CONNECT2 flag) and then try to connect.
+
+This refactoring commit also snuck in two more calls to
+hci_conn_check_pending():
+
+- One is in the failure callback of hci_cs_inquiry(), this one probably
+makes sense: If we send an "HCI Inquiry" command and then immediately
+after a "Create Connection" command, the "Create Connection" command might
+fail before the "HCI Inquiry" command, and then we want to retry the
+"Create Connection" on failure of the "HCI Inquiry".
+
+- The other added call to hci_conn_check_pending() is in the event handler
+for the "Remote Name" event, this seems unrelated and is possibly a
+copy-paste error, so remove that one.
+
+Fixes: a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes")
+Signed-off-by: Jonas Dreßler <verdre@v0yd.nl>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 47f37080c0c55..a0d9bc99f4e14 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2979,8 +2979,6 @@ static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
+
+ BT_DBG("%s", hdev->name);
+
+- hci_conn_check_pending(hdev);
+-
+ hci_dev_lock(hdev);
+
+ conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+--
+2.43.0
+
--- /dev/null
+From 0ccde59284e55972fa086e2c82dd6668ee1b5f36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Dec 2020 13:58:48 -0800
+Subject: bpf: Eliminate rlimit-based memory accounting for devmap maps
+
+From: Roman Gushchin <guro@fb.com>
+
+[ Upstream commit 844f157f6c0a905d039d2e20212ab3231f2e5eaf ]
+
+Do not use rlimit-based memory accounting for devmap maps.
+It has been replaced with the memcg-based memory accounting.
+
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20201201215900.3569844-23-guro@fb.com
+Stable-dep-of: 281d464a34f5 ("bpf: Fix DEVMAP_HASH overflow check on 32-bit arches")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/devmap.c | 18 ++----------------
+ 1 file changed, 2 insertions(+), 16 deletions(-)
+
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index 01149821ded91..ca2cade2871b8 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -109,8 +109,6 @@ static inline struct hlist_head *dev_map_index_hash(struct bpf_dtab *dtab,
+ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr)
+ {
+ u32 valsize = attr->value_size;
+- u64 cost = 0;
+- int err;
+
+ /* check sanity of attributes. 2 value sizes supported:
+ * 4 bytes: ifindex
+@@ -135,21 +133,13 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr)
+
+ if (!dtab->n_buckets) /* Overflow check */
+ return -EINVAL;
+- cost += (u64) sizeof(struct hlist_head) * dtab->n_buckets;
+- } else {
+- cost += (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *);
+ }
+
+- /* if map size is larger than memlock limit, reject it */
+- err = bpf_map_charge_init(&dtab->map.memory, cost);
+- if (err)
+- return -EINVAL;
+-
+ if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) {
+ dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets,
+ dtab->map.numa_node);
+ if (!dtab->dev_index_head)
+- goto free_charge;
++ return -ENOMEM;
+
+ spin_lock_init(&dtab->index_lock);
+ } else {
+@@ -157,14 +147,10 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr)
+ sizeof(struct bpf_dtab_netdev *),
+ dtab->map.numa_node);
+ if (!dtab->netdev_map)
+- goto free_charge;
++ return -ENOMEM;
+ }
+
+ return 0;
+-
+-free_charge:
+- bpf_map_charge_finish(&dtab->map.memory);
+- return -ENOMEM;
+ }
+
+ static struct bpf_map *dev_map_alloc(union bpf_attr *attr)
+--
+2.43.0
+
--- /dev/null
+From 28cb1c740d08481e0e277d4e0b863d13d5fec295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:54:08 -0700
+Subject: bpf: Factor out bpf_spin_lock into helpers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit c1b3fed319d32a721d4b9c17afaeb430444ff773 ]
+
+Move ____bpf_spin_lock/unlock into helpers to make it more clear
+that quadruple underscore bpf_spin_lock/unlock are irqsave/restore variants.
+
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/bpf/20210715005417.78572-3-alexei.starovoitov@gmail.com
+Stable-dep-of: 178c54666f9c ("bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 0efe7c7bfe5e9..d758641973d6d 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -278,13 +278,18 @@ static inline void __bpf_spin_unlock(struct bpf_spin_lock *lock)
+
+ static DEFINE_PER_CPU(unsigned long, irqsave_flags);
+
+-notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock)
++static inline void __bpf_spin_lock_irqsave(struct bpf_spin_lock *lock)
+ {
+ unsigned long flags;
+
+ local_irq_save(flags);
+ __bpf_spin_lock(lock);
+ __this_cpu_write(irqsave_flags, flags);
++}
++
++notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock)
++{
++ __bpf_spin_lock_irqsave(lock);
+ return 0;
+ }
+
+@@ -295,13 +300,18 @@ const struct bpf_func_proto bpf_spin_lock_proto = {
+ .arg1_type = ARG_PTR_TO_SPIN_LOCK,
+ };
+
+-notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock)
++static inline void __bpf_spin_unlock_irqrestore(struct bpf_spin_lock *lock)
+ {
+ unsigned long flags;
+
+ flags = __this_cpu_read(irqsave_flags);
+ __bpf_spin_unlock(lock);
+ local_irq_restore(flags);
++}
++
++notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock)
++{
++ __bpf_spin_unlock_irqrestore(lock);
+ return 0;
+ }
+
+@@ -322,9 +332,9 @@ void copy_map_value_locked(struct bpf_map *map, void *dst, void *src,
+ else
+ lock = dst + map->spin_lock_off;
+ preempt_disable();
+- ____bpf_spin_lock(lock);
++ __bpf_spin_lock_irqsave(lock);
+ copy_map_value(map, dst, src);
+- ____bpf_spin_unlock(lock);
++ __bpf_spin_unlock_irqrestore(lock);
+ preempt_enable();
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 92736ec35be1fd638f6dc87fb03751e1dd4e2634 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 13:03:35 +0100
+Subject: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 281d464a34f540de166cee74b723e97ac2515ec3 ]
+
+The devmap code allocates a number hash buckets equal to the next power
+of two of the max_entries value provided when creating the map. When
+rounding up to the next power of two, the 32-bit variable storing the
+number of buckets can overflow, and the code checks for overflow by
+checking if the truncated 32-bit value is equal to 0. However, on 32-bit
+arches the rounding up itself can overflow mid-way through, because it
+ends up doing a left-shift of 32 bits on an unsigned long value. If the
+size of an unsigned long is four bytes, this is undefined behaviour, so
+there is no guarantee that we'll end up with a nice and tidy 0-value at
+the end.
+
+Syzbot managed to turn this into a crash on arm32 by creating a
+DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.
+Fix this by moving the overflow check to before the rounding up
+operation.
+
+Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index")
+Link: https://lore.kernel.org/r/000000000000ed666a0611af6818@google.com
+Reported-and-tested-by: syzbot+8cd36f6b65f3cafd400a@syzkaller.appspotmail.com
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Message-ID: <20240307120340.99577-2-toke@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/devmap.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index ca2cade2871b8..07b5edb2c70f5 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -129,13 +129,14 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr)
+ bpf_map_init_from_attr(&dtab->map, attr);
+
+ if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) {
+- dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries);
+-
+- if (!dtab->n_buckets) /* Overflow check */
++ /* hash table size must be power of 2; roundup_pow_of_two() can
++ * overflow into UB on 32-bit arches, so check that first
++ */
++ if (dtab->map.max_entries > 1UL << 31)
+ return -EINVAL;
+- }
+
+- if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) {
++ dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries);
++
+ dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets,
+ dtab->map.numa_node);
+ if (!dtab->dev_index_head)
+--
+2.43.0
+
--- /dev/null
+From c140d6b37e3e8653f4687dd3f7f1c1b8507cf2ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 13:03:36 +0100
+Subject: bpf: Fix hashtab overflow check on 32-bit arches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 6787d916c2cf9850c97a0a3f73e08c43e7d973b1 ]
+
+The hashtab code relies on roundup_pow_of_two() to compute the number of
+hash buckets, and contains an overflow check by checking if the
+resulting value is 0. However, on 32-bit arches, the roundup code itself
+can overflow by doing a 32-bit left-shift of an unsigned long value,
+which is undefined behaviour, so it is not guaranteed to truncate
+neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
+contains the same check, copied from the hashtab code. So apply the same
+fix to hashtab, by moving the overflow check to before the roundup.
+
+Fixes: daaf427c6ab3 ("bpf: fix arraymap NULL deref and missing overflow and zero size checks")
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Message-ID: <20240307120340.99577-3-toke@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/hashtab.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index ec84973142725..72bc5f5752543 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -443,7 +443,13 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
+ num_possible_cpus());
+ }
+
+- /* hash table size must be power of 2 */
++ /* hash table size must be power of 2; roundup_pow_of_two() can overflow
++ * into UB on 32-bit arches, so check that first
++ */
++ err = -E2BIG;
++ if (htab->map.max_entries > 1UL << 31)
++ goto free_htab;
++
+ htab->n_buckets = roundup_pow_of_two(htab->map.max_entries);
+
+ htab->elem_size = sizeof(struct htab_elem) +
+@@ -453,10 +459,8 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
+ else
+ htab->elem_size += round_up(htab->map.value_size, 8);
+
+- err = -E2BIG;
+- /* prevent zero size kmalloc and check for u32 overflow */
+- if (htab->n_buckets == 0 ||
+- htab->n_buckets > U32_MAX / sizeof(struct bucket))
++ /* check for u32 overflow */
++ if (htab->n_buckets > U32_MAX / sizeof(struct bucket))
+ goto free_htab;
+
+ cost = (u64) htab->n_buckets * sizeof(struct bucket) +
+--
+2.43.0
+
--- /dev/null
+From 099387f027bf018db0b153aeb0ed32fe5191c580 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 13:03:37 +0100
+Subject: bpf: Fix stackmap overflow check on 32-bit arches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 7a4b21250bf79eef26543d35bd390448646c536b ]
+
+The stackmap code relies on roundup_pow_of_two() to compute the number
+of hash buckets, and contains an overflow check by checking if the
+resulting value is 0. However, on 32-bit arches, the roundup code itself
+can overflow by doing a 32-bit left-shift of an unsigned long value,
+which is undefined behaviour, so it is not guaranteed to truncate
+neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
+contains the same check, copied from the hashtab code.
+
+The commit in the fixes tag actually attempted to fix this, but the fix
+did not account for the UB, so the fix only works on CPUs where an
+overflow does result in a neat truncation to zero, which is not
+guaranteed. Checking the value before rounding does not have this
+problem.
+
+Fixes: 6183f4d3a0a2 ("bpf: Check for integer overflow when using roundup_pow_of_two()")
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Reviewed-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Message-ID: <20240307120340.99577-4-toke@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/stackmap.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
+index b8afea2ceeeb1..3ec76cb5f240d 100644
+--- a/kernel/bpf/stackmap.c
++++ b/kernel/bpf/stackmap.c
+@@ -115,11 +115,14 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr)
+ } else if (value_size / 8 > sysctl_perf_event_max_stack)
+ return ERR_PTR(-EINVAL);
+
+- /* hash table size must be power of 2 */
+- n_buckets = roundup_pow_of_two(attr->max_entries);
+- if (!n_buckets)
++ /* hash table size must be power of 2; roundup_pow_of_two() can overflow
++ * into UB on 32-bit arches, so check that first
++ */
++ if (attr->max_entries > 1UL << 31)
+ return ERR_PTR(-E2BIG);
+
++ n_buckets = roundup_pow_of_two(attr->max_entries);
++
+ cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap);
+ err = bpf_map_charge_init(&mem, cost + attr->max_entries *
+ (sizeof(struct stack_map_bucket) + (u64)value_size));
+--
+2.43.0
+
--- /dev/null
+From 084903879e0b55fee422582a2507aa7ba13ee20c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 23:01:02 -0800
+Subject: bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly
+
+From: Yonghong Song <yonghong.song@linux.dev>
+
+[ Upstream commit 178c54666f9c4d2f49f2ea661d0c11b52f0ed190 ]
+
+Currently tracing is supposed not to allow for bpf_spin_{lock,unlock}()
+helper calls. This is to prevent deadlock for the following cases:
+ - there is a prog (prog-A) calling bpf_spin_{lock,unlock}().
+ - there is a tracing program (prog-B), e.g., fentry, attached
+ to bpf_spin_lock() and/or bpf_spin_unlock().
+ - prog-B calls bpf_spin_{lock,unlock}().
+For such a case, when prog-A calls bpf_spin_{lock,unlock}(),
+a deadlock will happen.
+
+The related source codes are below in kernel/bpf/helpers.c:
+ notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock)
+ notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock)
+notrace is supposed to prevent fentry prog from attaching to
+bpf_spin_{lock,unlock}().
+
+But actually this is not the case and fentry prog can successfully
+attached to bpf_spin_lock(). Siddharth Chintamaneni reported
+the issue in [1]. The following is the macro definition for
+above BPF_CALL_1:
+ #define BPF_CALL_x(x, name, ...) \
+ static __always_inline \
+ u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)); \
+ typedef u64 (*btf_##name)(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)); \
+ u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)); \
+ u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)) \
+ { \
+ return ((btf_##name)____##name)(__BPF_MAP(x,__BPF_CAST,__BPF_N,__VA_ARGS__));\
+ } \
+ static __always_inline \
+ u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__))
+
+ #define BPF_CALL_1(name, ...) BPF_CALL_x(1, name, __VA_ARGS__)
+
+The notrace attribute is actually applied to the static always_inline function
+____bpf_spin_{lock,unlock}(). The actual callback function
+bpf_spin_{lock,unlock}() is not marked with notrace, hence
+allowing fentry prog to attach to two helpers, and this
+may cause the above mentioned deadlock. Siddharth Chintamaneni
+actually has a reproducer in [2].
+
+To fix the issue, a new macro NOTRACE_BPF_CALL_1 is introduced which
+will add notrace attribute to the original function instead of
+the hidden always_inline function and this fixed the problem.
+
+ [1] https://lore.kernel.org/bpf/CAE5sdEigPnoGrzN8WU7Tx-h-iFuMZgW06qp0KHWtpvoXxf1OAQ@mail.gmail.com/
+ [2] https://lore.kernel.org/bpf/CAE5sdEg6yUc_Jz50AnUXEEUh6O73yQ1Z6NV2srJnef0ZrQkZew@mail.gmail.com/
+
+Fixes: d83525ca62cf ("bpf: introduce bpf_spin_lock")
+Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20240207070102.335167-1-yonghong.song@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 21 ++++++++++++---------
+ kernel/bpf/helpers.c | 4 ++--
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index cd56e53bd42e2..840b2a05c1b9f 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -480,24 +480,27 @@ static inline bool insn_is_zext(const struct bpf_insn *insn)
+ __BPF_MAP(n, __BPF_DECL_ARGS, __BPF_N, u64, __ur_1, u64, __ur_2, \
+ u64, __ur_3, u64, __ur_4, u64, __ur_5)
+
+-#define BPF_CALL_x(x, name, ...) \
++#define BPF_CALL_x(x, attr, name, ...) \
+ static __always_inline \
+ u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)); \
+ typedef u64 (*btf_##name)(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)); \
+- u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)); \
+- u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)) \
++ attr u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)); \
++ attr u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)) \
+ { \
+ return ((btf_##name)____##name)(__BPF_MAP(x,__BPF_CAST,__BPF_N,__VA_ARGS__));\
+ } \
+ static __always_inline \
+ u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__))
+
+-#define BPF_CALL_0(name, ...) BPF_CALL_x(0, name, __VA_ARGS__)
+-#define BPF_CALL_1(name, ...) BPF_CALL_x(1, name, __VA_ARGS__)
+-#define BPF_CALL_2(name, ...) BPF_CALL_x(2, name, __VA_ARGS__)
+-#define BPF_CALL_3(name, ...) BPF_CALL_x(3, name, __VA_ARGS__)
+-#define BPF_CALL_4(name, ...) BPF_CALL_x(4, name, __VA_ARGS__)
+-#define BPF_CALL_5(name, ...) BPF_CALL_x(5, name, __VA_ARGS__)
++#define __NOATTR
++#define BPF_CALL_0(name, ...) BPF_CALL_x(0, __NOATTR, name, __VA_ARGS__)
++#define BPF_CALL_1(name, ...) BPF_CALL_x(1, __NOATTR, name, __VA_ARGS__)
++#define BPF_CALL_2(name, ...) BPF_CALL_x(2, __NOATTR, name, __VA_ARGS__)
++#define BPF_CALL_3(name, ...) BPF_CALL_x(3, __NOATTR, name, __VA_ARGS__)
++#define BPF_CALL_4(name, ...) BPF_CALL_x(4, __NOATTR, name, __VA_ARGS__)
++#define BPF_CALL_5(name, ...) BPF_CALL_x(5, __NOATTR, name, __VA_ARGS__)
++
++#define NOTRACE_BPF_CALL_1(name, ...) BPF_CALL_x(1, notrace, name, __VA_ARGS__)
+
+ #define bpf_ctx_range(TYPE, MEMBER) \
+ offsetof(TYPE, MEMBER) ... offsetofend(TYPE, MEMBER) - 1
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index d758641973d6d..084ac7e429199 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -287,7 +287,7 @@ static inline void __bpf_spin_lock_irqsave(struct bpf_spin_lock *lock)
+ __this_cpu_write(irqsave_flags, flags);
+ }
+
+-notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock)
++NOTRACE_BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock)
+ {
+ __bpf_spin_lock_irqsave(lock);
+ return 0;
+@@ -309,7 +309,7 @@ static inline void __bpf_spin_unlock_irqrestore(struct bpf_spin_lock *lock)
+ local_irq_restore(flags);
+ }
+
+-notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock)
++NOTRACE_BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock)
+ {
+ __bpf_spin_unlock_irqrestore(lock);
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 057dd7499e3b07ae3bbece5f7a5f442fcd558c86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 17:28:28 -0700
+Subject: bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+[ Upstream commit 728f064cd7ebea8c182e99e6f152c8b4a0a6b071 ]
+
+Similar to the earlier patch that changes sk_getsockopt() to
+take the sockptr_t argument. This patch also changes
+do_ip_getsockopt() to take the sockptr_t argument such that
+a latter patch can make bpf_getsockopt(SOL_IP) to reuse
+do_ip_getsockopt().
+
+Note on the change in ip_mc_gsfget(). This function is to
+return an array of sockaddr_storage in optval. This function
+is shared between ip_get_mcast_msfilter() and
+compat_ip_get_mcast_msfilter(). However, the sockaddr_storage
+is stored at different offset of the optval because of
+the difference between group_filter and compat_group_filter.
+Thus, a new 'ss_offset' argument is added to ip_mc_gsfget().
+
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/r/20220902002828.2890585-1-kafai@fb.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 5c3be3e0eb44 ("ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/igmp.h | 4 +--
+ include/linux/mroute.h | 6 ++--
+ net/ipv4/igmp.c | 22 +++++++-----
+ net/ipv4/ip_sockglue.c | 80 ++++++++++++++++++++++++------------------
+ net/ipv4/ipmr.c | 9 ++---
+ 5 files changed, 68 insertions(+), 53 deletions(-)
+
+diff --git a/include/linux/igmp.h b/include/linux/igmp.h
+index 64ce8cd1cfaf1..4adab8ada85af 100644
+--- a/include/linux/igmp.h
++++ b/include/linux/igmp.h
+@@ -121,9 +121,9 @@ extern int ip_mc_source(int add, int omode, struct sock *sk,
+ struct ip_mreq_source *mreqs, int ifindex);
+ extern int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf,int ifindex);
+ extern int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf,
+- struct ip_msfilter __user *optval, int __user *optlen);
++ sockptr_t optval, sockptr_t optlen);
+ extern int ip_mc_gsfget(struct sock *sk, struct group_filter *gsf,
+- struct sockaddr_storage __user *p);
++ sockptr_t optval, size_t offset);
+ extern int ip_mc_sf_allow(struct sock *sk, __be32 local, __be32 rmt,
+ int dif, int sdif);
+ extern void ip_mc_init_dev(struct in_device *);
+diff --git a/include/linux/mroute.h b/include/linux/mroute.h
+index 6cbbfe94348ce..80b8400ab8b24 100644
+--- a/include/linux/mroute.h
++++ b/include/linux/mroute.h
+@@ -17,7 +17,7 @@ static inline int ip_mroute_opt(int opt)
+ }
+
+ int ip_mroute_setsockopt(struct sock *, int, sockptr_t, unsigned int);
+-int ip_mroute_getsockopt(struct sock *, int, char __user *, int __user *);
++int ip_mroute_getsockopt(struct sock *, int, sockptr_t, sockptr_t);
+ int ipmr_ioctl(struct sock *sk, int cmd, void __user *arg);
+ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg);
+ int ip_mr_init(void);
+@@ -29,8 +29,8 @@ static inline int ip_mroute_setsockopt(struct sock *sock, int optname,
+ return -ENOPROTOOPT;
+ }
+
+-static inline int ip_mroute_getsockopt(struct sock *sock, int optname,
+- char __user *optval, int __user *optlen)
++static inline int ip_mroute_getsockopt(struct sock *sk, int optname,
++ sockptr_t optval, sockptr_t optlen)
+ {
+ return -ENOPROTOOPT;
+ }
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 4ba1c92fb3524..f0a313747b950 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -2526,11 +2526,10 @@ int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf, int ifindex)
+ err = ip_mc_leave_group(sk, &imr);
+ return err;
+ }
+-
+ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf,
+- struct ip_msfilter __user *optval, int __user *optlen)
++ sockptr_t optval, sockptr_t optlen)
+ {
+- int err, len, count, copycount;
++ int err, len, count, copycount, msf_size;
+ struct ip_mreqn imr;
+ __be32 addr = msf->imsf_multiaddr;
+ struct ip_mc_socklist *pmc;
+@@ -2573,12 +2572,15 @@ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf,
+ copycount = count < msf->imsf_numsrc ? count : msf->imsf_numsrc;
+ len = flex_array_size(psl, sl_addr, copycount);
+ msf->imsf_numsrc = count;
+- if (put_user(IP_MSFILTER_SIZE(copycount), optlen) ||
+- copy_to_user(optval, msf, IP_MSFILTER_SIZE(0))) {
++ msf_size = IP_MSFILTER_SIZE(copycount);
++ if (copy_to_sockptr(optlen, &msf_size, sizeof(int)) ||
++ copy_to_sockptr(optval, msf, IP_MSFILTER_SIZE(0))) {
+ return -EFAULT;
+ }
+ if (len &&
+- copy_to_user(&optval->imsf_slist_flex[0], psl->sl_addr, len))
++ copy_to_sockptr_offset(optval,
++ offsetof(struct ip_msfilter, imsf_slist_flex),
++ psl->sl_addr, len))
+ return -EFAULT;
+ return 0;
+ done:
+@@ -2586,7 +2588,7 @@ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf,
+ }
+
+ int ip_mc_gsfget(struct sock *sk, struct group_filter *gsf,
+- struct sockaddr_storage __user *p)
++ sockptr_t optval, size_t ss_offset)
+ {
+ int i, count, copycount;
+ struct sockaddr_in *psin;
+@@ -2616,15 +2618,17 @@ int ip_mc_gsfget(struct sock *sk, struct group_filter *gsf,
+ count = psl ? psl->sl_count : 0;
+ copycount = count < gsf->gf_numsrc ? count : gsf->gf_numsrc;
+ gsf->gf_numsrc = count;
+- for (i = 0; i < copycount; i++, p++) {
++ for (i = 0; i < copycount; i++) {
+ struct sockaddr_storage ss;
+
+ psin = (struct sockaddr_in *)&ss;
+ memset(&ss, 0, sizeof(ss));
+ psin->sin_family = AF_INET;
+ psin->sin_addr.s_addr = psl->sl_addr[i];
+- if (copy_to_user(p, &ss, sizeof(ss)))
++ if (copy_to_sockptr_offset(optval, ss_offset,
++ &ss, sizeof(ss)))
+ return -EFAULT;
++ ss_offset += sizeof(ss);
+ }
+ return 0;
+ }
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 9bea014309ded..b300d0988d525 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -1460,37 +1460,37 @@ static bool getsockopt_needs_rtnl(int optname)
+ return false;
+ }
+
+-static int ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+- int __user *optlen, int len)
++static int ip_get_mcast_msfilter(struct sock *sk, sockptr_t optval,
++ sockptr_t optlen, int len)
+ {
+ const int size0 = offsetof(struct group_filter, gf_slist_flex);
+- struct group_filter __user *p = optval;
+ struct group_filter gsf;
+- int num;
++ int num, gsf_size;
+ int err;
+
+ if (len < size0)
+ return -EINVAL;
+- if (copy_from_user(&gsf, p, size0))
++ if (copy_from_sockptr(&gsf, optval, size0))
+ return -EFAULT;
+
+ num = gsf.gf_numsrc;
+- err = ip_mc_gsfget(sk, &gsf, p->gf_slist_flex);
++ err = ip_mc_gsfget(sk, &gsf, optval,
++ offsetof(struct group_filter, gf_slist_flex));
+ if (err)
+ return err;
+ if (gsf.gf_numsrc < num)
+ num = gsf.gf_numsrc;
+- if (put_user(GROUP_FILTER_SIZE(num), optlen) ||
+- copy_to_user(p, &gsf, size0))
++ gsf_size = GROUP_FILTER_SIZE(num);
++ if (copy_to_sockptr(optlen, &gsf_size, sizeof(int)) ||
++ copy_to_sockptr(optval, &gsf, size0))
+ return -EFAULT;
+ return 0;
+ }
+
+-static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+- int __user *optlen, int len)
++static int compat_ip_get_mcast_msfilter(struct sock *sk, sockptr_t optval,
++ sockptr_t optlen, int len)
+ {
+ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex);
+- struct compat_group_filter __user *p = optval;
+ struct compat_group_filter gf32;
+ struct group_filter gf;
+ int num;
+@@ -1498,7 +1498,7 @@ static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+
+ if (len < size0)
+ return -EINVAL;
+- if (copy_from_user(&gf32, p, size0))
++ if (copy_from_sockptr(&gf32, optval, size0))
+ return -EFAULT;
+
+ gf.gf_interface = gf32.gf_interface;
+@@ -1506,21 +1506,24 @@ static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+ num = gf.gf_numsrc = gf32.gf_numsrc;
+ gf.gf_group = gf32.gf_group;
+
+- err = ip_mc_gsfget(sk, &gf, p->gf_slist_flex);
++ err = ip_mc_gsfget(sk, &gf, optval,
++ offsetof(struct compat_group_filter, gf_slist_flex));
+ if (err)
+ return err;
+ if (gf.gf_numsrc < num)
+ num = gf.gf_numsrc;
+ len = GROUP_FILTER_SIZE(num) - (sizeof(gf) - sizeof(gf32));
+- if (put_user(len, optlen) ||
+- put_user(gf.gf_fmode, &p->gf_fmode) ||
+- put_user(gf.gf_numsrc, &p->gf_numsrc))
++ if (copy_to_sockptr(optlen, &len, sizeof(int)) ||
++ copy_to_sockptr_offset(optval, offsetof(struct compat_group_filter, gf_fmode),
++ &gf.gf_fmode, sizeof(gf.gf_fmode)) ||
++ copy_to_sockptr_offset(optval, offsetof(struct compat_group_filter, gf_numsrc),
++ &gf.gf_numsrc, sizeof(gf.gf_numsrc)))
+ return -EFAULT;
+ return 0;
+ }
+
+ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+- char __user *optval, int __user *optlen)
++ sockptr_t optval, sockptr_t optlen)
+ {
+ struct inet_sock *inet = inet_sk(sk);
+ bool needs_rtnl = getsockopt_needs_rtnl(optname);
+@@ -1533,7 +1536,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ if (ip_mroute_opt(optname))
+ return ip_mroute_getsockopt(sk, optname, optval, optlen);
+
+- if (get_user(len, optlen))
++ if (copy_from_sockptr(&len, optlen, sizeof(int)))
+ return -EFAULT;
+ if (len < 0)
+ return -EINVAL;
+@@ -1558,15 +1561,17 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ inet_opt->opt.optlen);
+ release_sock(sk);
+
+- if (opt->optlen == 0)
+- return put_user(0, optlen);
++ if (opt->optlen == 0) {
++ len = 0;
++ return copy_to_sockptr(optlen, &len, sizeof(int));
++ }
+
+ ip_options_undo(opt);
+
+ len = min_t(unsigned int, len, opt->optlen);
+- if (put_user(len, optlen))
++ if (copy_to_sockptr(optlen, &len, sizeof(int)))
+ return -EFAULT;
+- if (copy_to_user(optval, opt->__data, len))
++ if (copy_to_sockptr(optval, opt->__data, len))
+ return -EFAULT;
+ return 0;
+ }
+@@ -1657,9 +1662,9 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ addr.s_addr = inet->mc_addr;
+ release_sock(sk);
+
+- if (put_user(len, optlen))
++ if (copy_to_sockptr(optlen, &len, sizeof(int)))
+ return -EFAULT;
+- if (copy_to_user(optval, &addr, len))
++ if (copy_to_sockptr(optval, &addr, len))
+ return -EFAULT;
+ return 0;
+ }
+@@ -1671,12 +1676,11 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ err = -EINVAL;
+ goto out;
+ }
+- if (copy_from_user(&msf, optval, IP_MSFILTER_SIZE(0))) {
++ if (copy_from_sockptr(&msf, optval, IP_MSFILTER_SIZE(0))) {
+ err = -EFAULT;
+ goto out;
+ }
+- err = ip_mc_msfget(sk, &msf,
+- (struct ip_msfilter __user *)optval, optlen);
++ err = ip_mc_msfget(sk, &msf, optval, optlen);
+ goto out;
+ }
+ case MCAST_MSFILTER:
+@@ -1698,8 +1702,13 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ if (sk->sk_type != SOCK_STREAM)
+ return -ENOPROTOOPT;
+
+- msg.msg_control_is_user = true;
+- msg.msg_control_user = optval;
++ if (optval.is_kernel) {
++ msg.msg_control_is_user = false;
++ msg.msg_control = optval.kernel;
++ } else {
++ msg.msg_control_is_user = true;
++ msg.msg_control_user = optval.user;
++ }
+ msg.msg_controllen = len;
+ msg.msg_flags = in_compat_syscall() ? MSG_CMSG_COMPAT : 0;
+
+@@ -1720,7 +1729,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ put_cmsg(&msg, SOL_IP, IP_TOS, sizeof(tos), &tos);
+ }
+ len -= msg.msg_controllen;
+- return put_user(len, optlen);
++ return copy_to_sockptr(optlen, &len, sizeof(int));
+ }
+ case IP_FREEBIND:
+ val = inet->freebind;
+@@ -1743,15 +1752,15 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ if (len < sizeof(int) && len > 0 && val >= 0 && val <= 255) {
+ unsigned char ucval = (unsigned char)val;
+ len = 1;
+- if (put_user(len, optlen))
++ if (copy_to_sockptr(optlen, &len, sizeof(int)))
+ return -EFAULT;
+- if (copy_to_user(optval, &ucval, 1))
++ if (copy_to_sockptr(optval, &ucval, 1))
+ return -EFAULT;
+ } else {
+ len = min_t(unsigned int, sizeof(int), len);
+- if (put_user(len, optlen))
++ if (copy_to_sockptr(optlen, &len, sizeof(int)))
+ return -EFAULT;
+- if (copy_to_user(optval, &val, len))
++ if (copy_to_sockptr(optval, &val, len))
+ return -EFAULT;
+ }
+ return 0;
+@@ -1768,7 +1777,8 @@ int ip_getsockopt(struct sock *sk, int level,
+ {
+ int err;
+
+- err = do_ip_getsockopt(sk, level, optname, optval, optlen);
++ err = do_ip_getsockopt(sk, level, optname,
++ USER_SOCKPTR(optval), USER_SOCKPTR(optlen));
+
+ #if IS_ENABLED(CONFIG_BPFILTER_UMH)
+ if (optname >= BPFILTER_IPT_SO_GET_INFO &&
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index be1976536f1c0..cdc0a1781fd28 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1540,7 +1540,8 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, sockptr_t optval,
+ }
+
+ /* Getsock opt support for the multicast routing system. */
+-int ip_mroute_getsockopt(struct sock *sk, int optname, char __user *optval, int __user *optlen)
++int ip_mroute_getsockopt(struct sock *sk, int optname, sockptr_t optval,
++ sockptr_t optlen)
+ {
+ int olr;
+ int val;
+@@ -1571,14 +1572,14 @@ int ip_mroute_getsockopt(struct sock *sk, int optname, char __user *optval, int
+ return -ENOPROTOOPT;
+ }
+
+- if (get_user(olr, optlen))
++ if (copy_from_sockptr(&olr, optlen, sizeof(int)))
+ return -EFAULT;
+ olr = min_t(unsigned int, olr, sizeof(int));
+ if (olr < 0)
+ return -EINVAL;
+- if (put_user(olr, optlen))
++ if (copy_to_sockptr(optlen, &olr, sizeof(int)))
+ return -EFAULT;
+- if (copy_to_user(optval, &val, olr))
++ if (copy_to_sockptr(optval, &val, olr))
+ return -EFAULT;
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 6a9bd52f24b8380a727e29c916f7c1ffd7d143c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jan 2024 14:19:20 +0800
+Subject: bpftool: Silence build warning about calloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit f5f30386c78105cba520e443a6a9ee945ec1d066 ]
+
+There exists the following warning when building bpftool:
+
+ CC prog.o
+prog.c: In function ‘profile_open_perf_events’:
+prog.c:2301:24: warning: ‘calloc’ sizes specified with ‘sizeof’ in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
+ 2301 | sizeof(int), obj->rodata->num_cpu * obj->rodata->num_metric);
+ | ^~~
+prog.c:2301:24: note: earlier argument should specify number of elements, later size of each element
+
+Tested with the latest upstream GCC which contains a new warning option
+-Wcalloc-transposed-args. The first argument to calloc is documented to
+be number of elements in array, while the second argument is size of each
+element, just switch the first and second arguments of calloc() to silence
+the build warning, compile tested only.
+
+Fixes: 47c09d6a9f67 ("bpftool: Introduce "prog profile" command")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Link: https://lore.kernel.org/bpf/20240116061920.31172-1-yangtiezhu@loongson.cn
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/prog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index d2bcce627b320..d07996e7952f3 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -1946,7 +1946,7 @@ static int profile_open_perf_events(struct profiler_bpf *obj)
+ int map_fd;
+
+ profile_perf_events = calloc(
+- sizeof(int), obj->rodata->num_cpu * obj->rodata->num_metric);
++ obj->rodata->num_cpu * obj->rodata->num_metric, sizeof(int));
+ if (!profile_perf_events) {
+ p_err("failed to allocate memory for perf_event array: %s",
+ strerror(errno));
+--
+2.43.0
+
--- /dev/null
+From 553d2c62da770c121fabc8a6a283236c0f2aa8d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 10:02:37 +0000
+Subject: bus: tegra-aconnect: Update dependency to ARCH_TEGRA
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 4acd21a45c1446277e2abaece97d7fa7c2e692a9 ]
+
+Update the architecture dependency to be the generic Tegra
+because the driver works on the four latest Tegra generations
+not just Tegra210, if you build a kernel with a specific
+ARCH_TEGRA_xxx_SOC option that excludes Tegra210 you don't get
+this driver.
+
+Fixes: 46a88534afb59 ("bus: Add support for Tegra ACONNECT")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Cc: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/Kconfig | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bus/Kconfig b/drivers/bus/Kconfig
+index 0c262c2aeaf2f..01f2349dbfaed 100644
+--- a/drivers/bus/Kconfig
++++ b/drivers/bus/Kconfig
+@@ -176,11 +176,12 @@ config SUNXI_RSB
+
+ config TEGRA_ACONNECT
+ tristate "Tegra ACONNECT Bus Driver"
+- depends on ARCH_TEGRA_210_SOC
++ depends on ARCH_TEGRA
+ depends on OF && PM
+ help
+ Driver for the Tegra ACONNECT bus which is used to interface with
+- the devices inside the Audio Processing Engine (APE) for Tegra210.
++ the devices inside the Audio Processing Engine (APE) for
++ Tegra210 and later.
+
+ config TEGRA_GMI
+ tristate "Tegra Generic Memory Interface bus driver"
+--
+2.43.0
+
--- /dev/null
+From f6bdb6229a57047a38715e29387eeadcc4ad281a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Mar 2024 00:52:14 +0000
+Subject: clk: Fix clk_core_get NULL dereference
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit e97fe4901e0f59a0bfd524578fe3768f8ca42428 ]
+
+It is possible for clk_core_get to dereference a NULL in the following
+sequence:
+
+clk_core_get()
+ of_clk_get_hw_from_clkspec()
+ __of_clk_get_hw_from_provider()
+ __clk_get_hw()
+
+__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at
+hw->core.
+
+Prior to commit dde4eff47c82 ("clk: Look for parents with clkdev based
+clk_lookups") the check IS_ERR_OR_NULL() was performed which would have
+caught the NULL.
+
+Reading the description of this function it talks about returning NULL but
+that cannot be so at the moment.
+
+Update the function to check for hw before dereferencing it and return NULL
+if hw is NULL.
+
+Fixes: dde4eff47c82 ("clk: Look for parents with clkdev based clk_lookups")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lore.kernel.org/r/20240302-linux-next-24-03-01-simple-clock-fixes-v1-1-25f348a5982b@linaro.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 62572d59e7e38..aa2f1f8aa2994 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -425,6 +425,9 @@ static struct clk_core *clk_core_get(struct clk_core *core, u8 p_index)
+ if (IS_ERR(hw))
+ return ERR_CAST(hw);
+
++ if (!hw)
++ return NULL;
++
+ return hw->core;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 308722fa24aa18a2dcdda96599d59042dcd82f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jan 2024 19:58:21 +0100
+Subject: clk: hisilicon: hi3519: Release the correct number of gates in
+ hi3519_clk_unregister()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 74e39f526d95c0c119ada1874871ee328c59fbee ]
+
+The gates are stored in 'hi3519_gate_clks', not 'hi3519_mux_clks'.
+This is also in line with how hisi_clk_register_gate() is called in the
+probe.
+
+Fixes: 224b3b262c52 ("clk: hisilicon: hi3519: add driver remove path and fix some issues")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/c3f1877c9a0886fa35c949c8f0ef25547f284f18.1704912510.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/hisilicon/clk-hi3519.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/hisilicon/clk-hi3519.c b/drivers/clk/hisilicon/clk-hi3519.c
+index ad0c7f350cf03..60d8a27a90824 100644
+--- a/drivers/clk/hisilicon/clk-hi3519.c
++++ b/drivers/clk/hisilicon/clk-hi3519.c
+@@ -130,7 +130,7 @@ static void hi3519_clk_unregister(struct platform_device *pdev)
+ of_clk_del_provider(pdev->dev.of_node);
+
+ hisi_clk_unregister_gate(hi3519_gate_clks,
+- ARRAY_SIZE(hi3519_mux_clks),
++ ARRAY_SIZE(hi3519_gate_clks),
+ crg->clk_data);
+ hisi_clk_unregister_mux(hi3519_mux_clks,
+ ARRAY_SIZE(hi3519_mux_clks),
+--
+2.43.0
+
--- /dev/null
+From ee6797e23ab43dc169de11f1b7ba2858a96e9838 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 21:20:18 +0100
+Subject: clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+[ Upstream commit 117e7dc697c2739d754db8fe0c1e2d4f1f5d5f82 ]
+
+SDM845 downstream uses non-default values for GDSC internal waits.
+Program them accordingly to avoid surprises.
+
+Fixes: 81351776c9fb ("clk: qcom: Add display clock controller driver for SDM845")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Tested-by: Caleb Connolly <caleb.connolly@linaro.org> # OnePlus 6
+Link: https://lore.kernel.org/r/20240103-topic-845gdsc-v1-1-368efbe1a61d@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sdm845.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/qcom/dispcc-sdm845.c b/drivers/clk/qcom/dispcc-sdm845.c
+index 5c932cd17b140..8cd8174ac9aa7 100644
+--- a/drivers/clk/qcom/dispcc-sdm845.c
++++ b/drivers/clk/qcom/dispcc-sdm845.c
+@@ -768,6 +768,8 @@ static struct clk_branch disp_cc_mdss_vsync_clk = {
+
+ static struct gdsc mdss_gdsc = {
+ .gdscr = 0x3000,
++ .en_few_wait_val = 0x6,
++ .en_rest_wait_val = 0x5,
+ .pd = {
+ .name = "mdss_gdsc",
+ },
+--
+2.43.0
+
--- /dev/null
+From 8b68146acba22153781962bec865a80114b350bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 19:43:35 +0100
+Subject: clk: qcom: reset: Commonize the de/assert functions
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+[ Upstream commit eda40d9c583e95e0b6ac69d2950eec10f802e0e8 ]
+
+They do the same thing, except the last argument of the last function
+call differs. Commonize them.
+
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20240105-topic-venus_reset-v2-2-c37eba13b5ce@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Stable-dep-of: 2f8cf2c3f3e3 ("clk: qcom: reset: Ensure write completion on reset de/assertion")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/reset.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c
+index e45e32804d2c7..20d1d35aaf229 100644
+--- a/drivers/clk/qcom/reset.c
++++ b/drivers/clk/qcom/reset.c
+@@ -22,8 +22,8 @@ static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id)
+ return 0;
+ }
+
+-static int
+-qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id)
++static int qcom_reset_set_assert(struct reset_controller_dev *rcdev,
++ unsigned long id, bool assert)
+ {
+ struct qcom_reset_controller *rst;
+ const struct qcom_reset_map *map;
+@@ -33,21 +33,17 @@ qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id)
+ map = &rst->reset_map[id];
+ mask = map->bitmask ? map->bitmask : BIT(map->bit);
+
+- return regmap_update_bits(rst->regmap, map->reg, mask, mask);
++ return regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0);
+ }
+
+-static int
+-qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id)
++static int qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id)
+ {
+- struct qcom_reset_controller *rst;
+- const struct qcom_reset_map *map;
+- u32 mask;
+-
+- rst = to_qcom_reset_controller(rcdev);
+- map = &rst->reset_map[id];
+- mask = map->bitmask ? map->bitmask : BIT(map->bit);
++ return qcom_reset_set_assert(rcdev, id, true);
++}
+
+- return regmap_update_bits(rst->regmap, map->reg, mask, 0);
++static int qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id)
++{
++ return qcom_reset_set_assert(rcdev, id, false);
+ }
+
+ const struct reset_control_ops qcom_reset_ops = {
+--
+2.43.0
+
--- /dev/null
+From 5e654784b258a00b3339f9039072b0cfa04f51ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 19:43:36 +0100
+Subject: clk: qcom: reset: Ensure write completion on reset de/assertion
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+[ Upstream commit 2f8cf2c3f3e3f7ef61bd19abb4b0bb797ad50aaf ]
+
+Trying to toggle the resets in a rapid fashion can lead to the changes
+not actually arriving at the clock controller block when we expect them
+to. This was observed at least on SM8250.
+
+Read back the value after regmap_update_bits to ensure write completion.
+
+Fixes: b36ba30c8ac6 ("clk: qcom: Add reset controller support")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20240105-topic-venus_reset-v2-3-c37eba13b5ce@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/reset.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c
+index 20d1d35aaf229..d96c96a9089f4 100644
+--- a/drivers/clk/qcom/reset.c
++++ b/drivers/clk/qcom/reset.c
+@@ -33,7 +33,12 @@ static int qcom_reset_set_assert(struct reset_controller_dev *rcdev,
+ map = &rst->reset_map[id];
+ mask = map->bitmask ? map->bitmask : BIT(map->bit);
+
+- return regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0);
++ regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0);
++
++ /* Read back the register to ensure write completion, ignore the value */
++ regmap_read(rst->regmap, map->reg, &mask);
++
++ return 0;
+ }
+
+ static int qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id)
+--
+2.43.0
+
--- /dev/null
+From 18173352cc5079ed0dddf2e1ece6c32716d093b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jan 2024 10:12:20 +0300
+Subject: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return
+ value
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+[ Upstream commit f661017e6d326ee187db24194cabb013d81bc2a6 ]
+
+cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it
+and return 0 in case of error.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: de322e085995 ("cpufreq: brcmstb-avs-cpufreq: AVS CPUfreq driver for Broadcom STB SoCs")
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/brcmstb-avs-cpufreq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c
+index f644c5e325fb2..38ec0fedb247f 100644
+--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
++++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
+@@ -481,6 +481,8 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv)
+ static unsigned int brcm_avs_cpufreq_get(unsigned int cpu)
+ {
+ struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
++ if (!policy)
++ return 0;
+ struct private_data *priv = policy->driver_data;
+
+ cpufreq_cpu_put(policy);
+--
+2.43.0
+
--- /dev/null
+From b01459c66a0147d6ff4c7b15974db93bb7a26ad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 14:49:46 +0100
+Subject: crypto: arm/sha - fix function cast warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 53cc9baeb9bc2a187eb9c9790d30995148852b12 ]
+
+clang-16 warns about casting between incompatible function types:
+
+arch/arm/crypto/sha256_glue.c:37:5: error: cast from 'void (*)(u32 *, const void *, unsigned int)' (aka 'void (*)(unsigned int *, const void *, unsigned int)') to 'sha256_block_fn *' (aka 'void (*)(struct sha256_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 37 | (sha256_block_fn *)sha256_block_data_order);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/arm/crypto/sha512-glue.c:34:3: error: cast from 'void (*)(u64 *, const u8 *, int)' (aka 'void (*)(unsigned long long *, const unsigned char *, int)') to 'sha512_block_fn *' (aka 'void (*)(struct sha512_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 34 | (sha512_block_fn *)sha512_block_data_order);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fix the prototypes for the assembler functions to match the typedef.
+The code already relies on the digest being the first part of the
+state structure, so there is no change in behavior.
+
+Fixes: c80ae7ca3726 ("crypto: arm/sha512 - accelerated SHA-512 using ARM generic ASM and NEON")
+Fixes: b59e2ae3690c ("crypto: arm/sha256 - move SHA-224/256 ASM/NEON implementation to base layer")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/crypto/sha256_glue.c | 13 +++++--------
+ arch/arm/crypto/sha512-glue.c | 12 +++++-------
+ 2 files changed, 10 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm/crypto/sha256_glue.c b/arch/arm/crypto/sha256_glue.c
+index b8a4f79020cf8..e36b86778468e 100644
+--- a/arch/arm/crypto/sha256_glue.c
++++ b/arch/arm/crypto/sha256_glue.c
+@@ -24,8 +24,8 @@
+
+ #include "sha256_glue.h"
+
+-asmlinkage void sha256_block_data_order(u32 *digest, const void *data,
+- unsigned int num_blks);
++asmlinkage void sha256_block_data_order(struct sha256_state *state,
++ const u8 *data, int num_blks);
+
+ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data,
+ unsigned int len)
+@@ -33,23 +33,20 @@ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data,
+ /* make sure casting to sha256_block_fn() is safe */
+ BUILD_BUG_ON(offsetof(struct sha256_state, state) != 0);
+
+- return sha256_base_do_update(desc, data, len,
+- (sha256_block_fn *)sha256_block_data_order);
++ return sha256_base_do_update(desc, data, len, sha256_block_data_order);
+ }
+ EXPORT_SYMBOL(crypto_sha256_arm_update);
+
+ static int crypto_sha256_arm_final(struct shash_desc *desc, u8 *out)
+ {
+- sha256_base_do_finalize(desc,
+- (sha256_block_fn *)sha256_block_data_order);
++ sha256_base_do_finalize(desc, sha256_block_data_order);
+ return sha256_base_finish(desc, out);
+ }
+
+ int crypto_sha256_arm_finup(struct shash_desc *desc, const u8 *data,
+ unsigned int len, u8 *out)
+ {
+- sha256_base_do_update(desc, data, len,
+- (sha256_block_fn *)sha256_block_data_order);
++ sha256_base_do_update(desc, data, len, sha256_block_data_order);
+ return crypto_sha256_arm_final(desc, out);
+ }
+ EXPORT_SYMBOL(crypto_sha256_arm_finup);
+diff --git a/arch/arm/crypto/sha512-glue.c b/arch/arm/crypto/sha512-glue.c
+index 8775aa42bbbe8..1a16b98ec1085 100644
+--- a/arch/arm/crypto/sha512-glue.c
++++ b/arch/arm/crypto/sha512-glue.c
+@@ -25,27 +25,25 @@ MODULE_ALIAS_CRYPTO("sha512");
+ MODULE_ALIAS_CRYPTO("sha384-arm");
+ MODULE_ALIAS_CRYPTO("sha512-arm");
+
+-asmlinkage void sha512_block_data_order(u64 *state, u8 const *src, int blocks);
++asmlinkage void sha512_block_data_order(struct sha512_state *state,
++ u8 const *src, int blocks);
+
+ int sha512_arm_update(struct shash_desc *desc, const u8 *data,
+ unsigned int len)
+ {
+- return sha512_base_do_update(desc, data, len,
+- (sha512_block_fn *)sha512_block_data_order);
++ return sha512_base_do_update(desc, data, len, sha512_block_data_order);
+ }
+
+ static int sha512_arm_final(struct shash_desc *desc, u8 *out)
+ {
+- sha512_base_do_finalize(desc,
+- (sha512_block_fn *)sha512_block_data_order);
++ sha512_base_do_finalize(desc, sha512_block_data_order);
+ return sha512_base_finish(desc, out);
+ }
+
+ int sha512_arm_finup(struct shash_desc *desc, const u8 *data,
+ unsigned int len, u8 *out)
+ {
+- sha512_base_do_update(desc, data, len,
+- (sha512_block_fn *)sha512_block_data_order);
++ sha512_base_do_update(desc, data, len, sha512_block_data_order);
+ return sha512_arm_final(desc, out);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From dbd9508131cf9e9214a058ec19ff29f33bdcd00d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jan 2024 12:29:06 +0800
+Subject: crypto: xilinx - call finalize with bh disabled
+
+From: Quanyang Wang <quanyang.wang@windriver.com>
+
+[ Upstream commit a853450bf4c752e664abab0b2fad395b7ad7701c ]
+
+When calling crypto_finalize_request, BH should be disabled to avoid
+triggering the following calltrace:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118
+ Modules linked in: cryptodev(O)
+ CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G O 6.8.0-rc1-yocto-standard #323
+ Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
+ pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : crypto_finalize_request+0xa0/0x118
+ lr : crypto_finalize_request+0x104/0x118
+ sp : ffffffc085353ce0
+ x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688
+ x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00
+ x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000
+ x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450
+ x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+ x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0
+ x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8
+ x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001
+ x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000
+ x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000
+ Call trace:
+ crypto_finalize_request+0xa0/0x118
+ crypto_finalize_aead_request+0x18/0x30
+ zynqmp_handle_aes_req+0xcc/0x388
+ crypto_pump_work+0x168/0x2d8
+ kthread_worker_fn+0xfc/0x3a0
+ kthread+0x118/0x138
+ ret_from_fork+0x10/0x20
+ irq event stamp: 40
+ hardirqs last enabled at (39): [<ffffffc0812416f8>] _raw_spin_unlock_irqrestore+0x70/0xb0
+ hardirqs last disabled at (40): [<ffffffc08122d208>] el1_dbg+0x28/0x90
+ softirqs last enabled at (36): [<ffffffc080017dec>] kernel_neon_begin+0x8c/0xf0
+ softirqs last disabled at (34): [<ffffffc080017dc0>] kernel_neon_begin+0x60/0xf0
+ ---[ end trace 0000000000000000 ]---
+
+Fixes: 4d96f7d48131 ("crypto: xilinx - Add Xilinx AES driver")
+Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/xilinx/zynqmp-aes-gcm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/xilinx/zynqmp-aes-gcm.c b/drivers/crypto/xilinx/zynqmp-aes-gcm.c
+index bf1f421e05f25..74bd3eb63734d 100644
+--- a/drivers/crypto/xilinx/zynqmp-aes-gcm.c
++++ b/drivers/crypto/xilinx/zynqmp-aes-gcm.c
+@@ -231,7 +231,10 @@ static int zynqmp_handle_aes_req(struct crypto_engine *engine,
+ err = zynqmp_aes_aead_cipher(areq);
+ }
+
++ local_bh_disable();
+ crypto_finalize_aead_request(engine, areq, err);
++ local_bh_enable();
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 606ae1d70a585ddbf30940deab8ce72b70b3eba3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Mar 2024 15:06:39 +0100
+Subject: dm: call the resume method on internal suspend
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 65e8fbde64520001abf1c8d0e573561b4746ef38 ]
+
+There is this reported crash when experimenting with the lvm2 testsuite.
+The list corruption is caused by the fact that the postsuspend and resume
+methods were not paired correctly; there were two consecutive calls to the
+origin_postsuspend function. The second call attempts to remove the
+"hash_list" entry from a list, while it was already removed by the first
+call.
+
+Fix __dm_internal_resume so that it calls the preresume and resume
+methods of the table's targets.
+
+If a preresume method of some target fails, we are in a tricky situation.
+We can't return an error because dm_internal_resume isn't supposed to
+return errors. We can't return success, because then the "resume" and
+"postsuspend" methods would not be paired correctly. So, we set the
+DMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace
+tools, but it won't cause a kernel crash.
+
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:56!
+invalid opcode: 0000 [#1] PREEMPT SMP
+CPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+RIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0
+<snip>
+RSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282
+RAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000
+RDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff
+RBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058
+R10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001
+R13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0
+FS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0
+Call Trace:
+ <TASK>
+ ? die+0x2d/0x80
+ ? do_trap+0xeb/0xf0
+ ? __list_del_entry_valid_or_report+0x77/0xc0
+ ? do_error_trap+0x60/0x80
+ ? __list_del_entry_valid_or_report+0x77/0xc0
+ ? exc_invalid_op+0x49/0x60
+ ? __list_del_entry_valid_or_report+0x77/0xc0
+ ? asm_exc_invalid_op+0x16/0x20
+ ? table_deps+0x1b0/0x1b0 [dm_mod]
+ ? __list_del_entry_valid_or_report+0x77/0xc0
+ origin_postsuspend+0x1a/0x50 [dm_snapshot]
+ dm_table_postsuspend_targets+0x34/0x50 [dm_mod]
+ dm_suspend+0xd8/0xf0 [dm_mod]
+ dev_suspend+0x1f2/0x2f0 [dm_mod]
+ ? table_deps+0x1b0/0x1b0 [dm_mod]
+ ctl_ioctl+0x300/0x5f0 [dm_mod]
+ dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]
+ __x64_compat_sys_ioctl+0x104/0x170
+ do_syscall_64+0x184/0x1b0
+ entry_SYSCALL_64_after_hwframe+0x46/0x4e
+RIP: 0033:0xf7e6aead
+<snip>
+---[ end trace 0000000000000000 ]---
+
+Fixes: ffcc39364160 ("dm: enhance internal suspend and resume interface")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 9029c1004b933..dc8498b4b5c13 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2733,6 +2733,9 @@ static void __dm_internal_suspend(struct mapped_device *md, unsigned suspend_fla
+
+ static void __dm_internal_resume(struct mapped_device *md)
+ {
++ int r;
++ struct dm_table *map;
++
+ BUG_ON(!md->internal_suspend_count);
+
+ if (--md->internal_suspend_count)
+@@ -2741,12 +2744,23 @@ static void __dm_internal_resume(struct mapped_device *md)
+ if (dm_suspended_md(md))
+ goto done; /* resume from nested suspend */
+
+- /*
+- * NOTE: existing callers don't need to call dm_table_resume_targets
+- * (which may fail -- so best to avoid it for now by passing NULL map)
+- */
+- (void) __dm_resume(md, NULL);
+-
++ map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
++ r = __dm_resume(md, map);
++ if (r) {
++ /*
++ * If a preresume method of some target failed, we are in a
++ * tricky situation. We can't return an error to the caller. We
++ * can't fake success because then the "resume" and
++ * "postsuspend" methods would not be paired correctly, and it
++ * would break various targets, for example it would cause list
++ * corruption in the "origin" target.
++ *
++ * So, we fake normal suspend here, to make sure that the
++ * "resume" and "postsuspend" methods will be paired correctly.
++ */
++ DMERR("Preresume method failed: %d", r);
++ set_bit(DMF_SUSPENDED, &md->flags);
++ }
+ done:
+ clear_bit(DMF_SUSPENDED_INTERNALLY, &md->flags);
+ smp_mb__after_atomic();
+--
+2.43.0
+
--- /dev/null
+From dbf878e1f52c60c02bba794bbf721bb96dcb53e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Mar 2024 13:42:55 -0400
+Subject: dm raid: fix false positive for requeue needed during reshape
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit b25b8f4b8ecef0f48c05f0c3572daeabefe16526 ]
+
+An empty flush doesn't have a payload, so it should never be looked at
+when considering to possibly requeue a bio for the case when a reshape
+is in progress.
+
+Fixes: 9dbd1aa3a81c ("dm raid: add reshaping support to the target")
+Reported-by: Patrick Plenefisch <simonpatp@gmail.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-raid.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index 140bdf2a6ee11..e523ecdf947f4 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3329,14 +3329,14 @@ static int raid_map(struct dm_target *ti, struct bio *bio)
+ struct mddev *mddev = &rs->md;
+
+ /*
+- * If we're reshaping to add disk(s)), ti->len and
++ * If we're reshaping to add disk(s), ti->len and
+ * mddev->array_sectors will differ during the process
+ * (ti->len > mddev->array_sectors), so we have to requeue
+ * bios with addresses > mddev->array_sectors here or
+ * there will occur accesses past EOD of the component
+ * data images thus erroring the raid set.
+ */
+- if (unlikely(bio_end_sector(bio) > mddev->array_sectors))
++ if (unlikely(bio_has_data(bio) && bio_end_sector(bio) > mddev->array_sectors))
+ return DM_MAPIO_REQUEUE;
+
+ md_handle_request(mddev, bio);
+--
+2.43.0
+
--- /dev/null
+From e500f42a12ce93b524800042e0bbd2adec34f628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jan 2024 09:32:56 +0000
+Subject: dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 33b7db45533af240fe44e809f9dc4d604cf82d07 ]
+
+Update the architecture dependency to be the generic Tegra
+because the driver works on the four latest Tegra generations
+not just T210, if you build a kernel with a specific
+ARCH_TEGRA_xxx_SOC option that excludes 210 you don't get
+this driver.
+
+Fixes: 433de642a76c9 ("dmaengine: tegra210-adma: add support for Tegra186/Tegra194")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Cc: Thierry Reding <treding@nvidia.com>
+Cc: Sameer Pujar <spujar@nvidia.com>
+Cc: Laxman Dewangan <ldewangan@nvidia.com>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Link: https://lore.kernel.org/r/20240112093310.329642-2-pbrobinson@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/Kconfig | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig
+index 7e1bd79fbee8f..02b98f979479a 100644
+--- a/drivers/dma/Kconfig
++++ b/drivers/dma/Kconfig
+@@ -614,16 +614,16 @@ config TEGRA20_APB_DMA
+
+ config TEGRA210_ADMA
+ tristate "NVIDIA Tegra210 ADMA support"
+- depends on (ARCH_TEGRA_210_SOC || COMPILE_TEST)
++ depends on (ARCH_TEGRA || COMPILE_TEST)
+ select DMA_ENGINE
+ select DMA_VIRTUAL_CHANNELS
+ help
+- Support for the NVIDIA Tegra210 ADMA controller driver. The
+- DMA controller has multiple DMA channels and is used to service
+- various audio clients in the Tegra210 audio processing engine
+- (APE). This DMA controller transfers data from memory to
+- peripheral and vice versa. It does not support memory to
+- memory data transfer.
++ Support for the NVIDIA Tegra210/Tegra186/Tegra194/Tegra234 ADMA
++ controller driver. The DMA controller has multiple DMA channels
++ and is used to service various audio clients in the Tegra210
++ audio processing engine (APE). This DMA controller transfers
++ data from memory to peripheral and vice versa. It does not
++ support memory to memory data transfer.
+
+ config TIMB_DMA
+ tristate "Timberdale FPGA DMA support"
+--
+2.43.0
+
--- /dev/null
+From 683c20095e71af780f30cb1d9e527c5eaf938586 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 07:39:06 -0800
+Subject: do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 3948abaa4e2be938ccdfc289385a27342fb13d43 ]
+
+syzbot identified a kernel information leak vulnerability in
+do_sys_name_to_handle() and issued the following report [1].
+
+[1]
+"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
+ instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ _copy_to_user+0xbc/0x100 lib/usercopy.c:40
+ copy_to_user include/linux/uaccess.h:191 [inline]
+ do_sys_name_to_handle fs/fhandle.c:73 [inline]
+ __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
+ __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
+ __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
+ ...
+
+Uninit was created at:
+ slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3478 [inline]
+ __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
+ __do_kmalloc_node mm/slab_common.c:1006 [inline]
+ __kmalloc+0x121/0x3c0 mm/slab_common.c:1020
+ kmalloc include/linux/slab.h:604 [inline]
+ do_sys_name_to_handle fs/fhandle.c:39 [inline]
+ __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
+ __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94
+ __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
+ ...
+
+Bytes 18-19 of 20 are uninitialized
+Memory access of size 20 starts at ffff888128a46380
+Data copied to user address 0000000020000240"
+
+Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to
+solve the problem.
+
+Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support")
+Suggested-by: Chuck Lever III <chuck.lever@oracle.com>
+Reported-and-tested-by: <syzbot+09b349b3066c2e0b1e96@syzkaller.appspotmail.com>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://lore.kernel.org/r/20240119153906.4367-1-n.zhandarovich@fintech.ru
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fhandle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fhandle.c b/fs/fhandle.c
+index 01263ffbc4c08..9a5f153c8919e 100644
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -37,7 +37,7 @@ static long do_sys_name_to_handle(struct path *path,
+ if (f_handle.handle_bytes > MAX_HANDLE_SZ)
+ return -EINVAL;
+
+- handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes,
++ handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes,
+ GFP_KERNEL);
+ if (!handle)
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 2098d4f6b43c80ffe1790459f9a488ec4ac1373e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jan 2024 20:18:07 +0530
+Subject: drm/amd/display: Fix a potential buffer overflow in
+ 'dp_dsc_clock_en_read()'
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 4b09715f1504f1b6e8dff0e9643630610bc05141 ]
+
+Tell snprintf() to store at most 10 bytes in the output buffer
+instead of 30.
+
+Fixes the below:
+drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10
+
+Fixes: c06e09b76639 ("drm/amd/display: Add DSC parameters logging to debugfs")
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Qingqing Zhuo <qingqing.zhuo@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+index e43f82bcb231a..32dbd2a270887 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -1179,7 +1179,7 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf,
+ const uint32_t rd_buf_size = 10;
+ struct pipe_ctx *pipe_ctx;
+ ssize_t result = 0;
+- int i, r, str_len = 30;
++ int i, r, str_len = 10;
+
+ rd_buf = kcalloc(rd_buf_size, sizeof(char), GFP_KERNEL);
+
+--
+2.43.0
+
--- /dev/null
+From a890e623933831ebc3c386fc90d6a5dc06c9edbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jan 2024 21:16:04 +0530
+Subject: drm/amd/display: Fix potential NULL pointer dereferences in
+ 'dcn10_set_output_transfer_func()'
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 9ccfe80d022df7c595f1925afb31de2232900656 ]
+
+The 'stream' pointer is used in dcn10_set_output_transfer_func() before
+the check if 'stream' is NULL.
+
+Fixes the below:
+drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)
+
+Fixes: ddef02de0d71 ("drm/amd/display: add null checks before logging")
+Cc: Wyatt Wood <wyatt.wood@amd.com>
+Cc: Anthony Koo <Anthony.Koo@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Anthony Koo <Anthony.Koo@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+index 1c669f115dd80..8cf6e307ae36e 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+@@ -1669,6 +1669,9 @@ bool dcn10_set_output_transfer_func(struct dc *dc, struct pipe_ctx *pipe_ctx,
+ {
+ struct dpp *dpp = pipe_ctx->plane_res.dpp;
+
++ if (!stream)
++ return false;
++
+ if (dpp == NULL)
+ return false;
+
+@@ -1691,8 +1694,8 @@ bool dcn10_set_output_transfer_func(struct dc *dc, struct pipe_ctx *pipe_ctx,
+ } else
+ dpp->funcs->dpp_program_regamma_pwl(dpp, NULL, OPP_REGAMMA_BYPASS);
+
+- if (stream != NULL && stream->ctx != NULL &&
+- stream->out_transfer_func != NULL) {
++ if (stream->ctx &&
++ stream->out_transfer_func) {
+ log_tf(stream->ctx,
+ stream->out_transfer_func,
+ dpp->regamma_params.hw_points_num);
+--
+2.43.0
+
--- /dev/null
+From 41954355b4449262adfa3cbd54df98c9d2a5e93e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Feb 2024 07:48:52 +0530
+Subject: drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of
+ atom_get_src_int()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 7cf1ad2fe10634238b38442a851d89514cb14ea2 ]
+
+Missing break statement in the ATOM_ARG_IMM case of a switch statement,
+adds the missing break statement, ensuring that the program's control
+flow is as intended.
+
+Fixes the below:
+drivers/gpu/drm/amd/amdgpu/atom.c:323 atom_get_src_int() warn: ignoring unreachable code.
+
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Cc: Jammy Zhou <Jammy.Zhou@amd.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/atom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c
+index 4cfc786699c7f..c1841fa873f56 100644
+--- a/drivers/gpu/drm/amd/amdgpu/atom.c
++++ b/drivers/gpu/drm/amd/amdgpu/atom.c
+@@ -310,7 +310,7 @@ static uint32_t atom_get_src_int(atom_exec_context *ctx, uint8_t attr,
+ DEBUG("IMM 0x%02X\n", val);
+ return val;
+ }
+- return 0;
++ break;
+ case ATOM_ARG_PLL:
+ idx = U8(*ptr);
+ (*ptr)++;
+--
+2.43.0
+
--- /dev/null
+From 928355233e8e5a36c038b9dbc668b63695a41aae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Nov 2023 11:36:20 -0500
+Subject: drm: Don't treat 0 as -1 in drm_fixp2int_ceil
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+[ Upstream commit cf8837d7204481026335461629b84ac7f4538fa5 ]
+
+Unit testing this in VKMS shows that passing 0 into
+this function returns -1, which is highly counter-
+intuitive. Fix it by checking whether the input is
+>= 0 instead of > 0.
+
+Fixes: 64566b5e767f ("drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil")
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Reviewed-by: Simon Ser <contact@emersion.fr>
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231108163647.106853-2-harry.wentland@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/drm/drm_fixed.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/drm/drm_fixed.h b/include/drm/drm_fixed.h
+index 553210c02ee0f..627efa56e59fb 100644
+--- a/include/drm/drm_fixed.h
++++ b/include/drm/drm_fixed.h
+@@ -88,7 +88,7 @@ static inline int drm_fixp2int(s64 a)
+
+ static inline int drm_fixp2int_ceil(s64 a)
+ {
+- if (a > 0)
++ if (a >= 0)
+ return drm_fixp2int(a + DRM_FIXED_ALMOST_ONE);
+ else
+ return drm_fixp2int(a - DRM_FIXED_ALMOST_ONE);
+--
+2.43.0
+
--- /dev/null
+From c4862cd028aa66e71712b1f40533f8a6ef462f5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jan 2024 15:13:28 +0800
+Subject: drm/lima: fix a memleak in lima_heap_alloc
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 04ae3eb470e52a3c41babe85ff8cee195e4dcbea ]
+
+When lima_vm_map_bo fails, the resources need to be deallocated, or
+there will be memleaks.
+
+Fixes: 6aebc51d7aef ("drm/lima: support heap buffer creation")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Qiang Yu <yuq825@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240117071328.3811480-1-alexious@zju.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/lima/lima_gem.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/lima/lima_gem.c b/drivers/gpu/drm/lima/lima_gem.c
+index 11223fe348dfe..894175f2ed492 100644
+--- a/drivers/gpu/drm/lima/lima_gem.c
++++ b/drivers/gpu/drm/lima/lima_gem.c
+@@ -74,29 +74,34 @@ int lima_heap_alloc(struct lima_bo *bo, struct lima_vm *vm)
+ } else {
+ bo->base.sgt = kmalloc(sizeof(*bo->base.sgt), GFP_KERNEL);
+ if (!bo->base.sgt) {
+- sg_free_table(&sgt);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_out0;
+ }
+ }
+
+ ret = dma_map_sgtable(dev, &sgt, DMA_BIDIRECTIONAL, 0);
+- if (ret) {
+- sg_free_table(&sgt);
+- kfree(bo->base.sgt);
+- bo->base.sgt = NULL;
+- return ret;
+- }
++ if (ret)
++ goto err_out1;
+
+ *bo->base.sgt = sgt;
+
+ if (vm) {
+ ret = lima_vm_map_bo(vm, bo, old_size >> PAGE_SHIFT);
+ if (ret)
+- return ret;
++ goto err_out2;
+ }
+
+ bo->heap_size = new_size;
+ return 0;
++
++err_out2:
++ dma_unmap_sgtable(dev, &sgt, DMA_BIDIRECTIONAL, 0);
++err_out1:
++ kfree(bo->base.sgt);
++ bo->base.sgt = NULL;
++err_out0:
++ sg_free_table(&sgt);
++ return ret;
+ }
+
+ int lima_gem_create_handle(struct drm_device *dev, struct drm_file *file,
+--
+2.43.0
+
--- /dev/null
+From 2655af046dc84ad256a8328cc11820d47d457cde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 09:53:09 +0100
+Subject: drm/mediatek: dsi: Fix DSI RGB666 formats and definitions
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit fae6f815505301b92d9113764f4d76d0bfe45607 ]
+
+The register bits definitions for RGB666 formats are wrong in multiple
+ways: first, in the DSI_PS_SEL bits region, the Packed 18-bits RGB666
+format is selected with bit 1, while the Loosely Packed one is bit 2,
+and second - the definition name "LOOSELY_PS_18BIT_RGB666" is wrong
+because the loosely packed format is 24 bits instead!
+
+Either way, functions mtk_dsi_ps_control_vact() and mtk_dsi_ps_control()
+do not even agree on the DSI_PS_SEL bit to set in DSI_PSCTRL: one sets
+loosely packed (24) on RGB666, the other sets packed (18), and the other
+way around for RGB666_PACKED.
+
+Fixing this entire stack of issues is done in one go:
+ - Use the correct bit for the Loosely Packed RGB666 definition
+ - Rename LOOSELY_PS_18BIT_RGB666 to LOOSELY_PS_24BIT_RGB666
+ - Change ps_bpp_mode in mtk_dsi_ps_control_vact() to set:
+ - Loosely Packed, 24-bits for MIPI_DSI_FMT_RGB666
+ - Packed, 18-bits for MIPI_DSI_FMT_RGB666_PACKED
+
+Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver")
+Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240215085316.56835-3-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dsi.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
+index a6e71b7b69b83..17d45f06cedf3 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
+@@ -68,8 +68,8 @@
+ #define DSI_PS_WC 0x3fff
+ #define DSI_PS_SEL (3 << 16)
+ #define PACKED_PS_16BIT_RGB565 (0 << 16)
+-#define LOOSELY_PS_18BIT_RGB666 (1 << 16)
+-#define PACKED_PS_18BIT_RGB666 (2 << 16)
++#define PACKED_PS_18BIT_RGB666 (1 << 16)
++#define LOOSELY_PS_24BIT_RGB666 (2 << 16)
+ #define PACKED_PS_24BIT_RGB888 (3 << 16)
+
+ #define DSI_VSA_NL 0x20
+@@ -365,10 +365,10 @@ static void mtk_dsi_ps_control_vact(struct mtk_dsi *dsi)
+ ps_bpp_mode |= PACKED_PS_24BIT_RGB888;
+ break;
+ case MIPI_DSI_FMT_RGB666:
+- ps_bpp_mode |= PACKED_PS_18BIT_RGB666;
++ ps_bpp_mode |= LOOSELY_PS_24BIT_RGB666;
+ break;
+ case MIPI_DSI_FMT_RGB666_PACKED:
+- ps_bpp_mode |= LOOSELY_PS_18BIT_RGB666;
++ ps_bpp_mode |= PACKED_PS_18BIT_RGB666;
+ break;
+ case MIPI_DSI_FMT_RGB565:
+ ps_bpp_mode |= PACKED_PS_16BIT_RGB565;
+@@ -419,7 +419,7 @@ static void mtk_dsi_ps_control(struct mtk_dsi *dsi)
+ dsi_tmp_buf_bpp = 3;
+ break;
+ case MIPI_DSI_FMT_RGB666:
+- tmp_reg = LOOSELY_PS_18BIT_RGB666;
++ tmp_reg = LOOSELY_PS_24BIT_RGB666;
+ dsi_tmp_buf_bpp = 3;
+ break;
+ case MIPI_DSI_FMT_RGB666_PACKED:
+--
+2.43.0
+
--- /dev/null
+From a60753c33f56189bf6921013e8f4f396a756be2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 13:23:29 -0800
+Subject: drm/mediatek: Fix a null pointer crash in
+ mtk_drm_crtc_finish_page_flip
+
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+
+[ Upstream commit c958e86e9cc1b48cac004a6e245154dfba8e163b ]
+
+It's possible that mtk_crtc->event is NULL in
+mtk_drm_crtc_finish_page_flip().
+
+pending_needs_vblank value is set by mtk_crtc->event, but in
+mtk_drm_crtc_atomic_flush(), it's is not guarded by the same
+lock in mtk_drm_finish_page_flip(), thus a race condition happens.
+
+Consider the following case:
+
+CPU1 CPU2
+step 1:
+mtk_drm_crtc_atomic_begin()
+mtk_crtc->event is not null,
+ step 1:
+ mtk_drm_crtc_atomic_flush:
+ mtk_drm_crtc_update_config(
+ !!mtk_crtc->event)
+step 2:
+mtk_crtc_ddp_irq ->
+mtk_drm_finish_page_flip:
+lock
+mtk_crtc->event set to null,
+pending_needs_vblank set to false
+unlock
+ pending_needs_vblank set to true,
+
+ step 2:
+ mtk_crtc_ddp_irq ->
+ mtk_drm_finish_page_flip called again,
+ pending_needs_vblank is still true
+ //null pointer
+
+Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more
+efficient to just check if mtk_crtc->event is null before use.
+
+Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240223212404.3709690-1-hsinyi@chromium.org/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+index 1eaf513166a1a..d08827803a32f 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+@@ -84,11 +84,13 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc)
+ struct drm_crtc *crtc = &mtk_crtc->base;
+ unsigned long flags;
+
+- spin_lock_irqsave(&crtc->dev->event_lock, flags);
+- drm_crtc_send_vblank_event(crtc, mtk_crtc->event);
+- drm_crtc_vblank_put(crtc);
+- mtk_crtc->event = NULL;
+- spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
++ if (mtk_crtc->event) {
++ spin_lock_irqsave(&crtc->dev->event_lock, flags);
++ drm_crtc_send_vblank_event(crtc, mtk_crtc->event);
++ drm_crtc_vblank_put(crtc);
++ mtk_crtc->event = NULL;
++ spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
++ }
+ }
+
+ static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc)
+--
+2.43.0
+
--- /dev/null
+From c389422e08a96507361ec3b638b9836112863b64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 11:39:47 -0800
+Subject: drm/msm/dpu: add division of drm_display_mode's hskew parameter
+
+From: Paloma Arellano <quic_parellan@quicinc.com>
+
+[ Upstream commit 551ee0f210991d25f336bc27262353bfe99d3eed ]
+
+Setting up the timing engine when the physical encoder has a split role
+neglects dividing the drm_display_mode's hskew parameter. Let's fix this
+since this must also be done in preparation for implementing YUV420 over
+DP.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Paloma Arellano <quic_parellan@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/579605/
+Link: https://lore.kernel.org/r/20240222194025.25329-3-quic_parellan@quicinc.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+index 805e059b50b71..33880f66625e6 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+@@ -265,12 +265,14 @@ static void dpu_encoder_phys_vid_setup_timing_engine(
+ mode.htotal >>= 1;
+ mode.hsync_start >>= 1;
+ mode.hsync_end >>= 1;
++ mode.hskew >>= 1;
+
+ DPU_DEBUG_VIDENC(phys_enc,
+- "split_role %d, halve horizontal %d %d %d %d\n",
++ "split_role %d, halve horizontal %d %d %d %d %d\n",
+ phys_enc->split_role,
+ mode.hdisplay, mode.htotal,
+- mode.hsync_start, mode.hsync_end);
++ mode.hsync_start, mode.hsync_end,
++ mode.hskew);
+ }
+
+ drm_mode_to_intf_timing_params(phys_enc, &mode, &timing_params);
+--
+2.43.0
+
--- /dev/null
+From 021da9833190c408f5d104a7bdeb2664c69c9d15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 08:48:14 -0800
+Subject: drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit c4891d979c7668b195a0a75787967ec95a24ecef ]
+
+Clean up a typo in pr_err() erroneously printing NI MC 'rdev->mc_fw->size'
+during SMC firmware load. Log 'rdev->smc_fw->size' instead.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 6596afd48af4 ("drm/radeon/kms: add dpm support for btc (v3)")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/ni.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c
+index 02feb0801fd30..50c7430f8cd33 100644
+--- a/drivers/gpu/drm/radeon/ni.c
++++ b/drivers/gpu/drm/radeon/ni.c
+@@ -826,7 +826,7 @@ int ni_init_microcode(struct radeon_device *rdev)
+ err = 0;
+ } else if (rdev->smc_fw->size != smc_req_size) {
+ pr_err("ni_mc: Bogus length %zu in firmware \"%s\"\n",
+- rdev->mc_fw->size, fw_name);
++ rdev->smc_fw->size, fw_name);
+ err = -EINVAL;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From fed715175ee37a94f8ea6fa146e72ededcb0de43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Dec 2023 18:41:54 +0100
+Subject: drm/rockchip: inno_hdmi: Fix video timing
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit 47a145c03484d33e65d773169d5ca1b9fe2a492e ]
+
+The controller wants the difference between *total and *sync_start in the
+HDMI_VIDEO_EXT_*DELAY registers. Otherwise the signal is very unstable for
+certain non-VIC modes. See downstream commit [0].
+
+[0] https://github.com/rockchip-linux/kernel/commit/8eb559f2502c
+
+Fixes: 412d4ae6b7a5 ("drm/rockchip: hdmi: add Innosilicon HDMI support")
+Co-developed-by: Zheng Yang <zhengyang@rock-chips.com>
+Signed-off-by: Zheng Yang <zhengyang@rock-chips.com>
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231222174220.55249-4-knaerzche@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/inno_hdmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c
+index 78120da5e63aa..27540d308ccb9 100644
+--- a/drivers/gpu/drm/rockchip/inno_hdmi.c
++++ b/drivers/gpu/drm/rockchip/inno_hdmi.c
+@@ -402,7 +402,7 @@ static int inno_hdmi_config_video_timing(struct inno_hdmi *hdmi,
+ hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HBLANK_L, value & 0xFF);
+ hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HBLANK_H, (value >> 8) & 0xFF);
+
+- value = mode->hsync_start - mode->hdisplay;
++ value = mode->htotal - mode->hsync_start;
+ hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HDELAY_L, value & 0xFF);
+ hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HDELAY_H, (value >> 8) & 0xFF);
+
+@@ -417,7 +417,7 @@ static int inno_hdmi_config_video_timing(struct inno_hdmi *hdmi,
+ value = mode->vtotal - mode->vdisplay;
+ hdmi_writeb(hdmi, HDMI_VIDEO_EXT_VBLANK, value & 0xFF);
+
+- value = mode->vsync_start - mode->vdisplay;
++ value = mode->vtotal - mode->vsync_start;
+ hdmi_writeb(hdmi, HDMI_VIDEO_EXT_VDELAY, value & 0xFF);
+
+ value = mode->vsync_end - mode->vsync_start;
+--
+2.43.0
+
--- /dev/null
+From 4a8a5ee6e25acfd8426686a01c121cfa9af365a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:29:48 +0100
+Subject: drm/rockchip: lvds: do not overwrite error code
+
+From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+
+[ Upstream commit 79b09453c4e369ca81cfb670d0136d089e3b92f0 ]
+
+ret variable stores the return value of drm_of_find_panel_or_bridge
+which can return error codes different from EPROBE_DEFER. Therefore,
+let's just return that error code instead of forcing it to EPROBE_DEFER.
+
+Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS")
+Cc: Quentin Schulz <foss+kernel@0leil.net>
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231120-rk-lvds-defer-msg-v2-1-9c59a5779cf9@theobroma-systems.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_lvds.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c b/drivers/gpu/drm/rockchip/rockchip_lvds.c
+index e2487937c4e3d..1ffb2f710e4bd 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c
++++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c
+@@ -573,7 +573,6 @@ static int rockchip_lvds_bind(struct device *dev, struct device *master,
+ goto err_put_port;
+ } else if (ret) {
+ DRM_DEV_ERROR(dev, "failed to find panel and bridge node\n");
+- ret = -EPROBE_DEFER;
+ goto err_put_port;
+ }
+ if (lvds->panel)
+--
+2.43.0
+
--- /dev/null
+From 80e4d58a3768578c6c30f23567340c516158f065 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:29:49 +0100
+Subject: drm/rockchip: lvds: do not print scary message when probing defer
+
+From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+
+[ Upstream commit 52d11c863ac92e36a0365249f7f6d27ac48c78bc ]
+
+This scary message can misled the user into thinking something bad has
+happened and needs to be fixed, however it could simply be part of a
+normal boot process where EPROBE_DEFER is taken into account. Therefore,
+let's use dev_err_probe so that this message doesn't get shown (by
+default) when the return code is EPROBE_DEFER.
+
+Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS")
+Cc: Quentin Schulz <foss+kernel@0leil.net>
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231120-rk-lvds-defer-msg-v2-2-9c59a5779cf9@theobroma-systems.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_lvds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c b/drivers/gpu/drm/rockchip/rockchip_lvds.c
+index 1ffb2f710e4bd..96c13c182809e 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c
++++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c
+@@ -572,7 +572,7 @@ static int rockchip_lvds_bind(struct device *dev, struct device *master,
+ ret = -EINVAL;
+ goto err_put_port;
+ } else if (ret) {
+- DRM_DEV_ERROR(dev, "failed to find panel and bridge node\n");
++ dev_err_probe(dev, ret, "failed to find panel and bridge node\n");
+ goto err_put_port;
+ }
+ if (lvds->panel)
+--
+2.43.0
+
--- /dev/null
+From 60c9985692ed40decad1d8abe5495fe457346fe5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Oct 2023 08:07:38 +0000
+Subject: drm/tegra: dsi: Add missing check for of_find_device_by_node
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit afe6fcb9775882230cd29b529203eabd5d2a638d ]
+
+Add check for the return value of of_find_device_by_node() and return
+the error if it fails in order to avoid NULL pointer dereference.
+
+Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231024080738.825553-1-nichen@iscas.ac.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/dsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
+index de1333dc0d867..0adce882f157b 100644
+--- a/drivers/gpu/drm/tegra/dsi.c
++++ b/drivers/gpu/drm/tegra/dsi.c
+@@ -1534,9 +1534,11 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi)
+ np = of_parse_phandle(dsi->dev->of_node, "nvidia,ganged-mode", 0);
+ if (np) {
+ struct platform_device *gangster = of_find_device_by_node(np);
++ of_node_put(np);
++ if (!gangster)
++ return -EPROBE_DEFER;
+
+ dsi->slave = platform_get_drvdata(gangster);
+- of_node_put(np);
+
+ if (!dsi->slave) {
+ put_device(&gangster->dev);
+--
+2.43.0
+
--- /dev/null
+From e4292f59ebad6e54fcd6f7a9885ed532934200d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Sep 2023 17:22:09 +0200
+Subject: drm/tegra: dsi: Fix missing pm_runtime_disable() in the error
+ handling path of tegra_dsi_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 5286a9fc280c45b6b307ee1b07f7a997e042252c ]
+
+If an error occurs after calling pm_runtime_enable(), pm_runtime_disable()
+should be called as already done in the remove function.
+
+Fixes: ef8187d75265 ("drm/tegra: dsi: Implement runtime PM")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/ee4a15c9cd4b574a55cd67c30d2411239ba2cee9.1693667005.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/dsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
+index 815e32e05f600..7bb26655cb3cc 100644
+--- a/drivers/gpu/drm/tegra/dsi.c
++++ b/drivers/gpu/drm/tegra/dsi.c
+@@ -1665,6 +1665,7 @@ static int tegra_dsi_probe(struct platform_device *pdev)
+ return 0;
+
+ unregister:
++ pm_runtime_disable(&pdev->dev);
+ mipi_dsi_host_unregister(&dsi->host);
+ mipi_free:
+ tegra_mipi_free(dsi->mipi);
+--
+2.43.0
+
--- /dev/null
+From 97c9280ccdd8237c32db8c0b792908afaf14ba49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Sep 2023 17:22:08 +0200
+Subject: drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 830c1ded356369cd1303e8bb87ce3fea6e744de8 ]
+
+If an error occurs after calling tegra_output_probe(),
+tegra_output_remove() should be called as already done in the remove
+function.
+
+Fixes: dec727399a4b ("drm/tegra: Add DSI support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/16820073278d031f6c474a08d5f22a255158585e.1693667005.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/dsi.c | 54 ++++++++++++++++++++++++-------------
+ 1 file changed, 35 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
+index 6cbba2adb6e5a..815e32e05f600 100644
+--- a/drivers/gpu/drm/tegra/dsi.c
++++ b/drivers/gpu/drm/tegra/dsi.c
+@@ -1586,44 +1586,58 @@ static int tegra_dsi_probe(struct platform_device *pdev)
+
+ if (!pdev->dev.pm_domain) {
+ dsi->rst = devm_reset_control_get(&pdev->dev, "dsi");
+- if (IS_ERR(dsi->rst))
+- return PTR_ERR(dsi->rst);
++ if (IS_ERR(dsi->rst)) {
++ err = PTR_ERR(dsi->rst);
++ goto remove;
++ }
+ }
+
+ dsi->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(dsi->clk))
+- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk),
+- "cannot get DSI clock\n");
++ if (IS_ERR(dsi->clk)) {
++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk),
++ "cannot get DSI clock\n");
++ goto remove;
++ }
+
+ dsi->clk_lp = devm_clk_get(&pdev->dev, "lp");
+- if (IS_ERR(dsi->clk_lp))
+- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp),
+- "cannot get low-power clock\n");
++ if (IS_ERR(dsi->clk_lp)) {
++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp),
++ "cannot get low-power clock\n");
++ goto remove;
++ }
+
+ dsi->clk_parent = devm_clk_get(&pdev->dev, "parent");
+- if (IS_ERR(dsi->clk_parent))
+- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent),
+- "cannot get parent clock\n");
++ if (IS_ERR(dsi->clk_parent)) {
++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent),
++ "cannot get parent clock\n");
++ goto remove;
++ }
+
+ dsi->vdd = devm_regulator_get(&pdev->dev, "avdd-dsi-csi");
+- if (IS_ERR(dsi->vdd))
+- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd),
+- "cannot get VDD supply\n");
++ if (IS_ERR(dsi->vdd)) {
++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd),
++ "cannot get VDD supply\n");
++ goto remove;
++ }
+
+ err = tegra_dsi_setup_clocks(dsi);
+ if (err < 0) {
+ dev_err(&pdev->dev, "cannot setup clocks\n");
+- return err;
++ goto remove;
+ }
+
+ regs = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ dsi->regs = devm_ioremap_resource(&pdev->dev, regs);
+- if (IS_ERR(dsi->regs))
+- return PTR_ERR(dsi->regs);
++ if (IS_ERR(dsi->regs)) {
++ err = PTR_ERR(dsi->regs);
++ goto remove;
++ }
+
+ dsi->mipi = tegra_mipi_request(&pdev->dev, pdev->dev.of_node);
+- if (IS_ERR(dsi->mipi))
+- return PTR_ERR(dsi->mipi);
++ if (IS_ERR(dsi->mipi)) {
++ err = PTR_ERR(dsi->mipi);
++ goto remove;
++ }
+
+ dsi->host.ops = &tegra_dsi_host_ops;
+ dsi->host.dev = &pdev->dev;
+@@ -1654,6 +1668,8 @@ static int tegra_dsi_probe(struct platform_device *pdev)
+ mipi_dsi_host_unregister(&dsi->host);
+ mipi_free:
+ tegra_mipi_free(dsi->mipi);
++remove:
++ tegra_output_remove(&dsi->output);
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From afb20416ebe6603d2efc0de06d74e2c3646b7151 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 18:56:40 +0800
+Subject: drm/tegra: dsi: Make use of the helper function dev_err_probe()
+
+From: Cai Huoqing <caihuoqing@baidu.com>
+
+[ Upstream commit fc75e4fcbd1e4252a0481ebb23cd4516c127a8e2 ]
+
+When possible use dev_err_probe help to properly deal with the
+PROBE_DEFER error, the benefit is that DEFER issue will be logged
+in the devices_deferred debugfs file.
+And using dev_err_probe() can reduce code size, the error value
+gets printed.
+
+Signed-off-by: Cai Huoqing <caihuoqing@baidu.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Stable-dep-of: 830c1ded3563 ("drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/dsi.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
+index 0adce882f157b..6cbba2adb6e5a 100644
+--- a/drivers/gpu/drm/tegra/dsi.c
++++ b/drivers/gpu/drm/tegra/dsi.c
+@@ -1591,28 +1591,24 @@ static int tegra_dsi_probe(struct platform_device *pdev)
+ }
+
+ dsi->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(dsi->clk)) {
+- dev_err(&pdev->dev, "cannot get DSI clock\n");
+- return PTR_ERR(dsi->clk);
+- }
++ if (IS_ERR(dsi->clk))
++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk),
++ "cannot get DSI clock\n");
+
+ dsi->clk_lp = devm_clk_get(&pdev->dev, "lp");
+- if (IS_ERR(dsi->clk_lp)) {
+- dev_err(&pdev->dev, "cannot get low-power clock\n");
+- return PTR_ERR(dsi->clk_lp);
+- }
++ if (IS_ERR(dsi->clk_lp))
++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp),
++ "cannot get low-power clock\n");
+
+ dsi->clk_parent = devm_clk_get(&pdev->dev, "parent");
+- if (IS_ERR(dsi->clk_parent)) {
+- dev_err(&pdev->dev, "cannot get parent clock\n");
+- return PTR_ERR(dsi->clk_parent);
+- }
++ if (IS_ERR(dsi->clk_parent))
++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent),
++ "cannot get parent clock\n");
+
+ dsi->vdd = devm_regulator_get(&pdev->dev, "avdd-dsi-csi");
+- if (IS_ERR(dsi->vdd)) {
+- dev_err(&pdev->dev, "cannot get VDD supply\n");
+- return PTR_ERR(dsi->vdd);
+- }
++ if (IS_ERR(dsi->vdd))
++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd),
++ "cannot get VDD supply\n");
+
+ err = tegra_dsi_setup_clocks(dsi);
+ if (err < 0) {
+--
+2.43.0
+
--- /dev/null
+From eb7f2c5ad2fc9f240063d838a04fbb84d7f4e1a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Sep 2023 17:22:13 +0200
+Subject: drm/tegra: output: Fix missing i2c_put_adapter() in the error
+ handling paths of tegra_output_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2db4578ef6ffb2b52115ca0ebf897b60ec559556 ]
+
+If an error occurs after a successful of_get_i2c_adapter_by_node() call, it
+should be undone by a corresponding i2c_put_adapter().
+
+Add the missing i2c_put_adapter() call.
+
+Fixes: 9be7d864cf07 ("drm/tegra: Implement panel support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/b38604178991e1f08b2cda219103be266be2d680.1693667005.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/output.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/output.c b/drivers/gpu/drm/tegra/output.c
+index 47d26b5d99456..7ccd010a821b7 100644
+--- a/drivers/gpu/drm/tegra/output.c
++++ b/drivers/gpu/drm/tegra/output.c
+@@ -139,8 +139,10 @@ int tegra_output_probe(struct tegra_output *output)
+ GPIOD_IN,
+ "HDMI hotplug detect");
+ if (IS_ERR(output->hpd_gpio)) {
+- if (PTR_ERR(output->hpd_gpio) != -ENOENT)
+- return PTR_ERR(output->hpd_gpio);
++ if (PTR_ERR(output->hpd_gpio) != -ENOENT) {
++ err = PTR_ERR(output->hpd_gpio);
++ goto put_i2c;
++ }
+
+ output->hpd_gpio = NULL;
+ }
+@@ -149,7 +151,7 @@ int tegra_output_probe(struct tegra_output *output)
+ err = gpiod_to_irq(output->hpd_gpio);
+ if (err < 0) {
+ dev_err(output->dev, "gpiod_to_irq(): %d\n", err);
+- return err;
++ goto put_i2c;
+ }
+
+ output->hpd_irq = err;
+@@ -162,7 +164,7 @@ int tegra_output_probe(struct tegra_output *output)
+ if (err < 0) {
+ dev_err(output->dev, "failed to request IRQ#%u: %d\n",
+ output->hpd_irq, err);
+- return err;
++ goto put_i2c;
+ }
+
+ output->connector.polled = DRM_CONNECTOR_POLL_HPD;
+@@ -176,6 +178,12 @@ int tegra_output_probe(struct tegra_output *output)
+ }
+
+ return 0;
++
++put_i2c:
++ if (output->ddc)
++ i2c_put_adapter(output->ddc);
++
++ return err;
+ }
+
+ void tegra_output_remove(struct tegra_output *output)
+--
+2.43.0
+
--- /dev/null
+From 505c33419111c1c4884e1c7462b35e53c11a9d8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 12:33:55 +0300
+Subject: drm/tegra: put drm_gem_object ref on error in tegra_fb_create
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 32e5a120a5105bce01561978ee55aee8e40ac0dc ]
+
+Inside tegra_fb_create(), drm_gem_object_lookup() increments ref count of
+the found object. But if the following size check fails then the last
+found object's ref count should be put there as the unreferencing loop
+can't detect this situation.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231215093356.12067-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/fb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/tegra/fb.c b/drivers/gpu/drm/tegra/fb.c
+index 01939c57fc74d..2040dbfed7e21 100644
+--- a/drivers/gpu/drm/tegra/fb.c
++++ b/drivers/gpu/drm/tegra/fb.c
+@@ -155,6 +155,7 @@ struct drm_framebuffer *tegra_fb_create(struct drm_device *drm,
+
+ if (gem->size < size) {
+ err = -EINVAL;
++ drm_gem_object_put(gem);
+ goto unreference;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 0b2c500ec225110a4e247bfc30ccf78fc7f48a0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 10:16:36 +0200
+Subject: drm/tidss: Fix initial plane zpos values
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit 3ec948ccb2c4b99e8fbfdd950adbe92ea577b395 ]
+
+When the driver sets up the zpos property it sets the default zpos value
+to the HW id of the plane. That is fine as such, but as on many DSS
+versions the driver arranges the DRM planes in a different order than
+the HW planes (to keep the non-scalable planes first), this leads to odd
+initial zpos values. An example is J721e, where the initial zpos values
+for DRM planes are 1, 3, 0, 2.
+
+In theory the userspace should configure the zpos values properly when
+using multiple planes, and in that sense the initial zpos values
+shouldn't matter, but there's really no reason not to fix this and help
+the userspace apps which don't handle zpos perfectly. In particular,
+some versions of Weston seem to have issues dealing with the planes
+with the current default zpos values.
+
+So let's change the zpos values for the DRM planes to 0, 1, 2, 3.
+
+Another option would be to configure the planes marked as primary planes
+to zpos 0. On a two display system this would give us plane zpos values
+of 0, 0, 1, 2. The end result and behavior would be very similar in this
+option, and I'm not aware that this would actually help us in any way.
+So, to keep the code simple, I opted for the 0, 1, 2, 3 values.
+
+Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
+Reviewed-by: Aradhya Bhatia <a-bhatia1@ti.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240213-tidss-fixes-v1-1-d709e8dfa505@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tidss/tidss_plane.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tidss/tidss_plane.c b/drivers/gpu/drm/tidss/tidss_plane.c
+index 43e72d0b2d84d..e2ebd5fdc1138 100644
+--- a/drivers/gpu/drm/tidss/tidss_plane.c
++++ b/drivers/gpu/drm/tidss/tidss_plane.c
+@@ -202,7 +202,7 @@ struct tidss_plane *tidss_plane_create(struct tidss_device *tidss,
+
+ drm_plane_helper_add(&tplane->plane, &tidss_plane_helper_funcs);
+
+- drm_plane_create_zpos_property(&tplane->plane, hw_plane_id, 0,
++ drm_plane_create_zpos_property(&tplane->plane, tidss->num_planes, 0,
+ num_planes - 1);
+
+ ret = drm_plane_create_color_properties(&tplane->plane,
+--
+2.43.0
+
--- /dev/null
+From 1238eed74e598b29cfdb02540ac96f70866a9ba6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jan 2024 03:41:29 +0800
+Subject: f2fs: compress: fix to check unreleased compressed cluster
+
+From: Sheng Yong <shengyong@oppo.com>
+
+[ Upstream commit eb8fbaa53374e0a2d4381190abfe708481517bbb ]
+
+Compressed cluster may not be released due to we can fail in
+release_compress_blocks(), fix to handle reserved compressed
+cluster correctly in reserve_compress_blocks().
+
+Fixes: 4c8ff7095bef ("f2fs: support data compression")
+Signed-off-by: Sheng Yong <shengyong@oppo.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 55818bd510fb0..40e805014f719 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -3663,7 +3663,13 @@ static int reserve_compress_blocks(struct dnode_of_data *dn, pgoff_t count)
+ goto next;
+ }
+
+- if (__is_valid_data_blkaddr(blkaddr)) {
++ /*
++ * compressed cluster was not released due to it
++ * fails in release_compress_blocks(), so NEW_ADDR
++ * is a possible case.
++ */
++ if (blkaddr == NEW_ADDR ||
++ __is_valid_data_blkaddr(blkaddr)) {
+ compr_blocks++;
+ continue;
+ }
+@@ -3673,6 +3679,11 @@ static int reserve_compress_blocks(struct dnode_of_data *dn, pgoff_t count)
+ }
+
+ reserved = cluster_size - compr_blocks;
++
++ /* for the case all blocks in cluster were reserved */
++ if (reserved == 1)
++ goto next;
++
+ ret = inc_valid_block_count(sbi, dn->inode, &reserved);
+ if (ret)
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From c5b0b90120680d9cde7dc7f416de80519dc692e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 21:23:34 +0100
+Subject: fs/select: rework stack allocation hack for clang
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit ddb9fd7a544088ed70eccbb9f85e9cc9952131c1 ]
+
+A while ago, we changed the way that select() and poll() preallocate
+a temporary buffer just under the size of the static warning limit of
+1024 bytes, as clang was frequently going slightly above that limit.
+
+The warnings have recently returned and I took another look. As it turns
+out, clang is not actually inherently worse at reserving stack space,
+it just happens to inline do_select() into core_sys_select(), while gcc
+never inlines it.
+
+Annotate do_select() to never be inlined and in turn remove the special
+case for the allocation size. This should give the same behavior for
+both clang and gcc all the time and once more avoids those warnings.
+
+Fixes: ad312f95d41c ("fs/select: avoid clang stack usage warning")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240216202352.2492798-1-arnd@kernel.org
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/select.c | 2 +-
+ include/linux/poll.h | 4 ----
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/fs/select.c b/fs/select.c
+index 5edffee1162c2..668a5200503ae 100644
+--- a/fs/select.c
++++ b/fs/select.c
+@@ -475,7 +475,7 @@ static inline void wait_key_set(poll_table *wait, unsigned long in,
+ wait->_key |= POLLOUT_SET;
+ }
+
+-static int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time)
++static noinline_for_stack int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time)
+ {
+ ktime_t expire, *to = NULL;
+ struct poll_wqueues table;
+diff --git a/include/linux/poll.h b/include/linux/poll.h
+index 1cdc32b1f1b08..7e0fdcf905d2e 100644
+--- a/include/linux/poll.h
++++ b/include/linux/poll.h
+@@ -16,11 +16,7 @@
+ extern struct ctl_table epoll_table[]; /* for sysctl */
+ /* ~832 bytes of stack space used max in sys_select/sys_poll before allocating
+ additional memory. */
+-#ifdef __clang__
+-#define MAX_STACK_ALLOC 768
+-#else
+ #define MAX_STACK_ALLOC 832
+-#endif
+ #define FRONTEND_STACK_ALLOC 256
+ #define SELECT_STACK_ALLOC FRONTEND_STACK_ALLOC
+ #define POLL_STACK_ALLOC FRONTEND_STACK_ALLOC
+--
+2.43.0
+
--- /dev/null
+From 3fa603bf1a22f1c5ca8ba9711dcb3cc8df4a8999 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Dec 2023 21:12:13 +0200
+Subject: HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd
+
+From: Mikhail Khvainitski <me@khvoinitsky.org>
+
+[ Upstream commit 2814646f76f8518326964f12ff20aaee70ba154d ]
+
+Previous attempt to autodetect well-behaving patched firmware
+introduced in commit 46a0a2c96f0f ("HID: lenovo: Detect quirk-free fw
+on cptkbd and stop applying workaround") has shown that there are
+false-positives on original firmware (on both 1st gen and 2nd gen
+keyboards) which causes the middle button click workaround to be
+mistakenly disabled.
+
+This commit adds explicit parameter to sysfs to control this
+workaround.
+
+Fixes: 46a0a2c96f0f ("HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround")
+Fixes: 43527a0094c1 ("HID: lenovo: Restrict detection of patched firmware only to USB cptkbd")
+Signed-off-by: Mikhail Khvainitski <me@khvoinitsky.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-lenovo.c | 57 +++++++++++++++++++++++++++-------------
+ 1 file changed, 39 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
+index 249af8d26fe78..c9fdeffbe1a9e 100644
+--- a/drivers/hid/hid-lenovo.c
++++ b/drivers/hid/hid-lenovo.c
+@@ -53,10 +53,10 @@ struct lenovo_drvdata {
+ /* 0: Up
+ * 1: Down (undecided)
+ * 2: Scrolling
+- * 3: Patched firmware, disable workaround
+ */
+ u8 middlebutton_state;
+ bool fn_lock;
++ bool middleclick_workaround_cptkbd;
+ };
+
+ #define map_key_clear(c) hid_map_usage_clear(hi, usage, bit, max, EV_KEY, (c))
+@@ -418,6 +418,36 @@ static ssize_t attr_sensitivity_store_cptkbd(struct device *dev,
+ return count;
+ }
+
++static ssize_t attr_middleclick_workaround_show_cptkbd(struct device *dev,
++ struct device_attribute *attr,
++ char *buf)
++{
++ struct hid_device *hdev = to_hid_device(dev);
++ struct lenovo_drvdata *cptkbd_data = hid_get_drvdata(hdev);
++
++ return snprintf(buf, PAGE_SIZE, "%u\n",
++ cptkbd_data->middleclick_workaround_cptkbd);
++}
++
++static ssize_t attr_middleclick_workaround_store_cptkbd(struct device *dev,
++ struct device_attribute *attr,
++ const char *buf,
++ size_t count)
++{
++ struct hid_device *hdev = to_hid_device(dev);
++ struct lenovo_drvdata *cptkbd_data = hid_get_drvdata(hdev);
++ int value;
++
++ if (kstrtoint(buf, 10, &value))
++ return -EINVAL;
++ if (value < 0 || value > 1)
++ return -EINVAL;
++
++ cptkbd_data->middleclick_workaround_cptkbd = !!value;
++
++ return count;
++}
++
+
+ static struct device_attribute dev_attr_fn_lock =
+ __ATTR(fn_lock, S_IWUSR | S_IRUGO,
+@@ -429,10 +459,16 @@ static struct device_attribute dev_attr_sensitivity_cptkbd =
+ attr_sensitivity_show_cptkbd,
+ attr_sensitivity_store_cptkbd);
+
++static struct device_attribute dev_attr_middleclick_workaround_cptkbd =
++ __ATTR(middleclick_workaround, S_IWUSR | S_IRUGO,
++ attr_middleclick_workaround_show_cptkbd,
++ attr_middleclick_workaround_store_cptkbd);
++
+
+ static struct attribute *lenovo_attributes_cptkbd[] = {
+ &dev_attr_fn_lock.attr,
+ &dev_attr_sensitivity_cptkbd.attr,
++ &dev_attr_middleclick_workaround_cptkbd.attr,
+ NULL
+ };
+
+@@ -483,23 +519,7 @@ static int lenovo_event_cptkbd(struct hid_device *hdev,
+ {
+ struct lenovo_drvdata *cptkbd_data = hid_get_drvdata(hdev);
+
+- if (cptkbd_data->middlebutton_state != 3) {
+- /* REL_X and REL_Y events during middle button pressed
+- * are only possible on patched, bug-free firmware
+- * so set middlebutton_state to 3
+- * to never apply workaround anymore
+- */
+- if (hdev->product == USB_DEVICE_ID_LENOVO_CUSBKBD &&
+- cptkbd_data->middlebutton_state == 1 &&
+- usage->type == EV_REL &&
+- (usage->code == REL_X || usage->code == REL_Y)) {
+- cptkbd_data->middlebutton_state = 3;
+- /* send middle button press which was hold before */
+- input_event(field->hidinput->input,
+- EV_KEY, BTN_MIDDLE, 1);
+- input_sync(field->hidinput->input);
+- }
+-
++ if (cptkbd_data->middleclick_workaround_cptkbd) {
+ /* "wheel" scroll events */
+ if (usage->type == EV_REL && (usage->code == REL_WHEEL ||
+ usage->code == REL_HWHEEL)) {
+@@ -976,6 +996,7 @@ static int lenovo_probe_cptkbd(struct hid_device *hdev)
+ cptkbd_data->middlebutton_state = 0;
+ cptkbd_data->fn_lock = true;
+ cptkbd_data->sensitivity = 0x05;
++ cptkbd_data->middleclick_workaround_cptkbd = true;
+ lenovo_features_set_cptkbd(hdev);
+
+ ret = sysfs_create_group(&hdev->dev.kobj, &lenovo_attr_group_cptkbd);
+--
+2.43.0
+
--- /dev/null
+From 0a0630a9ee284476021ae999ce4f471651bd9681 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 15:57:11 -0800
+Subject: igb: Fix missing time sync events
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit ee14cc9ea19ba9678177e2224a9c58cce5937c73 ]
+
+Fix "double" clearing of interrupts, which can cause external events
+or timestamps to be missed.
+
+The E1000_TSIRC Time Sync Interrupt Cause register can be cleared in two
+ways, by either reading it or by writing '1' into the specific cause
+bit. This is documented in section 8.16.1.
+
+The following flow was used:
+ 1. read E1000_TSIRC into 'tsicr';
+ 2. handle the interrupts present into 'tsirc' and mark them in 'ack';
+ 3. write 'ack' into E1000_TSICR;
+
+As both (1) and (3) will clear the interrupt cause, if the same
+interrupt happens again between (1) and (3) it will be ignored,
+causing events to be missed.
+
+Remove the extra clear in (3).
+
+Fixes: 00c65578b47b ("igb: enable internal PPS for the i210")
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 23 +++++------------------
+ 1 file changed, 5 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 05dde67a69dd0..0848613c3f45a 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6806,44 +6806,31 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt)
+ static void igb_tsync_interrupt(struct igb_adapter *adapter)
+ {
+ struct e1000_hw *hw = &adapter->hw;
+- u32 ack = 0, tsicr = rd32(E1000_TSICR);
++ u32 tsicr = rd32(E1000_TSICR);
+ struct ptp_clock_event event;
+
+ if (tsicr & TSINTR_SYS_WRAP) {
+ event.type = PTP_CLOCK_PPS;
+ if (adapter->ptp_caps.pps)
+ ptp_clock_event(adapter->ptp_clock, &event);
+- ack |= TSINTR_SYS_WRAP;
+ }
+
+ if (tsicr & E1000_TSICR_TXTS) {
+ /* retrieve hardware timestamp */
+ schedule_work(&adapter->ptp_tx_work);
+- ack |= E1000_TSICR_TXTS;
+ }
+
+- if (tsicr & TSINTR_TT0) {
++ if (tsicr & TSINTR_TT0)
+ igb_perout(adapter, 0);
+- ack |= TSINTR_TT0;
+- }
+
+- if (tsicr & TSINTR_TT1) {
++ if (tsicr & TSINTR_TT1)
+ igb_perout(adapter, 1);
+- ack |= TSINTR_TT1;
+- }
+
+- if (tsicr & TSINTR_AUTT0) {
++ if (tsicr & TSINTR_AUTT0)
+ igb_extts(adapter, 0);
+- ack |= TSINTR_AUTT0;
+- }
+
+- if (tsicr & TSINTR_AUTT1) {
++ if (tsicr & TSINTR_AUTT1)
+ igb_extts(adapter, 1);
+- ack |= TSINTR_AUTT1;
+- }
+-
+- /* acknowledge the interrupts */
+- wr32(E1000_TSICR, ack);
+ }
+
+ static irqreturn_t igb_msix_other(int irq, void *data)
+--
+2.43.0
+
--- /dev/null
+From caf937db3ed5d38d7f3354e07b6ca91e55cd0db8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 16:34:57 +0200
+Subject: igb: move PEROUT and EXTTS isr logic to separate functions
+
+From: Ruud Bos <kernel.hbk@gmail.com>
+
+[ Upstream commit cf99c1dd7b7729091043374b90807c7a5f9fd9b1 ]
+
+Remove code duplication in the tsync interrupt handler function by moving
+this logic to separate functions. This keeps the interrupt handler readable
+and allows the new functions to be extended for adapter types other than
+i210.
+
+Signed-off-by: Ruud Bos <kernel.hbk@gmail.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: ee14cc9ea19b ("igb: Fix missing time sync events")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 81 +++++++++++++----------
+ 1 file changed, 46 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 01176c86be125..05dde67a69dd0 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6762,12 +6762,52 @@ void igb_update_stats(struct igb_adapter *adapter)
+ }
+ }
+
++static void igb_perout(struct igb_adapter *adapter, int tsintr_tt)
++{
++ int pin = ptp_find_pin(adapter->ptp_clock, PTP_PF_PEROUT, tsintr_tt);
++ struct e1000_hw *hw = &adapter->hw;
++ struct timespec64 ts;
++ u32 tsauxc;
++
++ if (pin < 0 || pin >= IGB_N_PEROUT)
++ return;
++
++ spin_lock(&adapter->tmreg_lock);
++ ts = timespec64_add(adapter->perout[pin].start,
++ adapter->perout[pin].period);
++ /* u32 conversion of tv_sec is safe until y2106 */
++ wr32((tsintr_tt == 1) ? E1000_TRGTTIML1 : E1000_TRGTTIML0, ts.tv_nsec);
++ wr32((tsintr_tt == 1) ? E1000_TRGTTIMH1 : E1000_TRGTTIMH0, (u32)ts.tv_sec);
++ tsauxc = rd32(E1000_TSAUXC);
++ tsauxc |= TSAUXC_EN_TT0;
++ wr32(E1000_TSAUXC, tsauxc);
++ adapter->perout[pin].start = ts;
++ spin_unlock(&adapter->tmreg_lock);
++}
++
++static void igb_extts(struct igb_adapter *adapter, int tsintr_tt)
++{
++ int pin = ptp_find_pin(adapter->ptp_clock, PTP_PF_EXTTS, tsintr_tt);
++ struct e1000_hw *hw = &adapter->hw;
++ struct ptp_clock_event event;
++ u32 sec, nsec;
++
++ if (pin < 0 || pin >= IGB_N_EXTTS)
++ return;
++
++ nsec = rd32((tsintr_tt == 1) ? E1000_AUXSTMPL1 : E1000_AUXSTMPL0);
++ sec = rd32((tsintr_tt == 1) ? E1000_AUXSTMPH1 : E1000_AUXSTMPH0);
++ event.type = PTP_CLOCK_EXTTS;
++ event.index = tsintr_tt;
++ event.timestamp = sec * 1000000000ULL + nsec;
++ ptp_clock_event(adapter->ptp_clock, &event);
++}
++
+ static void igb_tsync_interrupt(struct igb_adapter *adapter)
+ {
+ struct e1000_hw *hw = &adapter->hw;
++ u32 ack = 0, tsicr = rd32(E1000_TSICR);
+ struct ptp_clock_event event;
+- struct timespec64 ts;
+- u32 ack = 0, tsauxc, sec, nsec, tsicr = rd32(E1000_TSICR);
+
+ if (tsicr & TSINTR_SYS_WRAP) {
+ event.type = PTP_CLOCK_PPS;
+@@ -6783,51 +6823,22 @@ static void igb_tsync_interrupt(struct igb_adapter *adapter)
+ }
+
+ if (tsicr & TSINTR_TT0) {
+- spin_lock(&adapter->tmreg_lock);
+- ts = timespec64_add(adapter->perout[0].start,
+- adapter->perout[0].period);
+- /* u32 conversion of tv_sec is safe until y2106 */
+- wr32(E1000_TRGTTIML0, ts.tv_nsec);
+- wr32(E1000_TRGTTIMH0, (u32)ts.tv_sec);
+- tsauxc = rd32(E1000_TSAUXC);
+- tsauxc |= TSAUXC_EN_TT0;
+- wr32(E1000_TSAUXC, tsauxc);
+- adapter->perout[0].start = ts;
+- spin_unlock(&adapter->tmreg_lock);
++ igb_perout(adapter, 0);
+ ack |= TSINTR_TT0;
+ }
+
+ if (tsicr & TSINTR_TT1) {
+- spin_lock(&adapter->tmreg_lock);
+- ts = timespec64_add(adapter->perout[1].start,
+- adapter->perout[1].period);
+- wr32(E1000_TRGTTIML1, ts.tv_nsec);
+- wr32(E1000_TRGTTIMH1, (u32)ts.tv_sec);
+- tsauxc = rd32(E1000_TSAUXC);
+- tsauxc |= TSAUXC_EN_TT1;
+- wr32(E1000_TSAUXC, tsauxc);
+- adapter->perout[1].start = ts;
+- spin_unlock(&adapter->tmreg_lock);
++ igb_perout(adapter, 1);
+ ack |= TSINTR_TT1;
+ }
+
+ if (tsicr & TSINTR_AUTT0) {
+- nsec = rd32(E1000_AUXSTMPL0);
+- sec = rd32(E1000_AUXSTMPH0);
+- event.type = PTP_CLOCK_EXTTS;
+- event.index = 0;
+- event.timestamp = sec * 1000000000ULL + nsec;
+- ptp_clock_event(adapter->ptp_clock, &event);
++ igb_extts(adapter, 0);
+ ack |= TSINTR_AUTT0;
+ }
+
+ if (tsicr & TSINTR_AUTT1) {
+- nsec = rd32(E1000_AUXSTMPL1);
+- sec = rd32(E1000_AUXSTMPH1);
+- event.type = PTP_CLOCK_EXTTS;
+- event.index = 1;
+- event.timestamp = sec * 1000000000ULL + nsec;
+- ptp_clock_event(adapter->ptp_clock, &event);
++ igb_extts(adapter, 1);
+ ack |= TSINTR_AUTT1;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From e6d4b5c45c7ee54ebc1d157be6ce44c2f026a91d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 11:25:56 +0000
+Subject: inet_diag: annotate data-races around inet_diag_table[]
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e50e10ae5d81ddb41547114bfdc5edc04422f082 ]
+
+inet_diag_lock_handler() reads inet_diag_table[proto] locklessly.
+
+Use READ_ONCE()/WRITE_ONCE() annotations to avoid potential issues.
+
+Fixes: d523a328fb02 ("[INET]: Fix inet_diag dead-lock regression")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_diag.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index fa9f1de58df46..27a5a7d66d184 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -57,7 +57,7 @@ static const struct inet_diag_handler *inet_diag_lock_handler(int proto)
+ return ERR_PTR(-ENOENT);
+ }
+
+- if (!inet_diag_table[proto])
++ if (!READ_ONCE(inet_diag_table[proto]))
+ sock_load_diag_module(AF_INET, proto);
+
+ mutex_lock(&inet_diag_table_mutex);
+@@ -1413,7 +1413,7 @@ int inet_diag_register(const struct inet_diag_handler *h)
+ mutex_lock(&inet_diag_table_mutex);
+ err = -EEXIST;
+ if (!inet_diag_table[type]) {
+- inet_diag_table[type] = h;
++ WRITE_ONCE(inet_diag_table[type], h);
+ err = 0;
+ }
+ mutex_unlock(&inet_diag_table_mutex);
+@@ -1430,7 +1430,7 @@ void inet_diag_unregister(const struct inet_diag_handler *h)
+ return;
+
+ mutex_lock(&inet_diag_table_mutex);
+- inet_diag_table[type] = NULL;
++ WRITE_ONCE(inet_diag_table[type], NULL);
+ mutex_unlock(&inet_diag_table_mutex);
+ }
+ EXPORT_SYMBOL_GPL(inet_diag_unregister);
+--
+2.43.0
+
--- /dev/null
+From adf82c839f7b53526d5b764f35f5fc5a1eebdd01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 17:34:00 -0600
+Subject: iommu/amd: Mark interrupt as managed
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 0feda94c868d396fac3b3cb14089d2d989a07c72 ]
+
+On many systems that have an AMD IOMMU the following sequence of
+warnings is observed during bootup.
+
+```
+pci 0000:00:00.2 can't derive routing for PCI INT A
+pci 0000:00:00.2: PCI INT A: not connected
+```
+
+This series of events happens because of the IOMMU initialization
+sequence order and the lack of _PRT entries for the IOMMU.
+
+During initialization the IOMMU driver first enables the PCI device
+using pci_enable_device(). This will call acpi_pci_irq_enable()
+which will check if the interrupt is declared in a PCI routing table
+(_PRT) entry. According to the PCI spec [1] these routing entries
+are only required under PCI root bridges:
+ The _PRT object is required under all PCI root bridges
+
+The IOMMU is directly connected to the root complex, so there is no
+parent bridge to look for a _PRT entry. The first warning is emitted
+since no entry could be found in the hierarchy. The second warning is
+then emitted because the interrupt hasn't yet been configured to any
+value. The pin was configured in pci_read_irq() but the byte in
+PCI_INTERRUPT_LINE return 0xff which means "Unknown".
+
+After that sequence of events pci_enable_msi() is called and this
+will allocate an interrupt.
+
+That is both of these warnings are totally harmless because the IOMMU
+uses MSI for interrupts. To avoid even trying to probe for a _PRT
+entry mark the IOMMU as IRQ managed. This avoids both warnings.
+
+Link: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/06_Device_Configuration/Device_Configuration.html?highlight=_prt#prt-pci-routing-table [1]
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Fixes: cffe0a2b5a34 ("x86, irq: Keep balance of IOAPIC pin reference count")
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Link: https://lore.kernel.org/r/20240122233400.1802-1-mario.limonciello@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index 603f625a74e54..91cc3a5643caf 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -1827,6 +1827,9 @@ static int __init iommu_init_pci(struct amd_iommu *iommu)
+ /* Prevent binding other PCI device drivers to IOMMU devices */
+ iommu->dev->match_driver = false;
+
++ /* ACPI _PRT won't have an IRQ for IOMMU */
++ iommu->dev->irq_managed = 1;
++
+ pci_read_config_dword(iommu->dev, cap_ptr + MMIO_CAP_HDR_OFFSET,
+ &iommu->cap);
+
+--
+2.43.0
+
--- /dev/null
+From 8a0e393aa2ced661688fc7cd85173a63f1571e46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 20:21:15 +0800
+Subject: iommu/vt-d: Don't issue ATS Invalidation request when device is
+ disconnected
+
+From: Ethan Zhao <haifeng.zhao@linux.intel.com>
+
+[ Upstream commit 4fc82cd907ac075648789cc3a00877778aa1838b ]
+
+For those endpoint devices connect to system via hotplug capable ports,
+users could request a hot reset to the device by flapping device's link
+through setting the slot's link control register, as pciehp_ist() DLLSC
+interrupt sequence response, pciehp will unload the device driver and
+then power it off. thus cause an IOMMU device-TLB invalidation (Intel
+VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence
+target device to be sent and deadly loop to retry that request after ITE
+fault triggered in interrupt context.
+
+That would cause following continuous hard lockup warning and system hang
+
+[ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down
+[ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present
+[ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144
+[ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S
+ OE kernel version xxxx
+[ 4223.822623] Hardware name: vendorname xxxx 666-106,
+BIOS 01.01.02.03.01 05/15/2023
+[ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490
+[ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b
+ 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1
+0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39
+[ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093
+[ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005
+[ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340
+[ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000
+[ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200
+[ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004
+[ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000)
+knlGS:0000000000000000
+[ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0
+[ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+[ 4223.822628] PKRU: 55555554
+[ 4223.822628] Call Trace:
+[ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0
+[ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250
+[ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50
+[ 4223.822629] intel_iommu_release_device+0x1f/0x30
+[ 4223.822629] iommu_release_device+0x33/0x60
+[ 4223.822629] iommu_bus_notifier+0x7f/0x90
+[ 4223.822630] blocking_notifier_call_chain+0x60/0x90
+[ 4223.822630] device_del+0x2e5/0x420
+[ 4223.822630] pci_remove_bus_device+0x70/0x110
+[ 4223.822630] pciehp_unconfigure_device+0x7c/0x130
+[ 4223.822631] pciehp_disable_slot+0x6b/0x100
+[ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320
+[ 4223.822631] pciehp_ist+0x176/0x180
+[ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110
+[ 4223.822632] irq_thread_fn+0x19/0x50
+[ 4223.822632] irq_thread+0x104/0x190
+[ 4223.822632] ? irq_forced_thread_fn+0x90/0x90
+[ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0
+[ 4223.822633] kthread+0x114/0x130
+[ 4223.822633] ? __kthread_cancel_work+0x40/0x40
+[ 4223.822633] ret_from_fork+0x1f/0x30
+[ 4223.822633] Kernel panic - not syncing: Hard LOCKUP
+[ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S
+ OE kernel version xxxx
+[ 4223.822634] Hardware name: vendorname xxxx 666-106,
+BIOS 01.01.02.03.01 05/15/2023
+[ 4223.822634] Call Trace:
+[ 4223.822634] <NMI>
+[ 4223.822635] dump_stack+0x6d/0x88
+[ 4223.822635] panic+0x101/0x2d0
+[ 4223.822635] ? ret_from_fork+0x11/0x30
+[ 4223.822635] nmi_panic.cold.14+0xc/0xc
+[ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81
+[ 4223.822636] __perf_event_overflow+0x4f/0xf0
+[ 4223.822636] handle_pmi_common+0x1ef/0x290
+[ 4223.822636] ? __set_pte_vaddr+0x28/0x40
+[ 4223.822637] ? flush_tlb_one_kernel+0xa/0x20
+[ 4223.822637] ? __native_set_fixmap+0x24/0x30
+[ 4223.822637] ? ghes_copy_tofrom_phys+0x70/0x100
+[ 4223.822637] ? __ghes_peek_estatus.isra.16+0x49/0xa0
+[ 4223.822637] intel_pmu_handle_irq+0xba/0x2b0
+[ 4223.822638] perf_event_nmi_handler+0x24/0x40
+[ 4223.822638] nmi_handle+0x4d/0xf0
+[ 4223.822638] default_do_nmi+0x49/0x100
+[ 4223.822638] exc_nmi+0x134/0x180
+[ 4223.822639] end_repeat_nmi+0x16/0x67
+[ 4223.822639] RIP: 0010:qi_submit_sync+0x2c0/0x490
+[ 4223.822639] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b
+ 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 10
+ 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39
+[ 4223.822640] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093
+[ 4223.822640] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005
+[ 4223.822640] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340
+[ 4223.822641] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000
+[ 4223.822641] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200
+[ 4223.822641] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004
+[ 4223.822641] ? qi_submit_sync+0x2c0/0x490
+[ 4223.822642] ? qi_submit_sync+0x2c0/0x490
+[ 4223.822642] </NMI>
+[ 4223.822642] qi_flush_dev_iotlb+0xb1/0xd0
+[ 4223.822642] __dmar_remove_one_dev_info+0x224/0x250
+[ 4223.822643] dmar_remove_one_dev_info+0x3e/0x50
+[ 4223.822643] intel_iommu_release_device+0x1f/0x30
+[ 4223.822643] iommu_release_device+0x33/0x60
+[ 4223.822643] iommu_bus_notifier+0x7f/0x90
+[ 4223.822644] blocking_notifier_call_chain+0x60/0x90
+[ 4223.822644] device_del+0x2e5/0x420
+[ 4223.822644] pci_remove_bus_device+0x70/0x110
+[ 4223.822644] pciehp_unconfigure_device+0x7c/0x130
+[ 4223.822644] pciehp_disable_slot+0x6b/0x100
+[ 4223.822645] pciehp_handle_presence_or_link_change+0xd8/0x320
+[ 4223.822645] pciehp_ist+0x176/0x180
+[ 4223.822645] ? irq_finalize_oneshot.part.50+0x110/0x110
+[ 4223.822645] irq_thread_fn+0x19/0x50
+[ 4223.822646] irq_thread+0x104/0x190
+[ 4223.822646] ? irq_forced_thread_fn+0x90/0x90
+[ 4223.822646] ? irq_thread_check_affinity+0xe0/0xe0
+[ 4223.822646] kthread+0x114/0x130
+[ 4223.822647] ? __kthread_cancel_work+0x40/0x40
+[ 4223.822647] ret_from_fork+0x1f/0x30
+[ 4223.822647] Kernel Offset: 0x6400000 from 0xffffffff81000000 (relocation
+range: 0xffffffff80000000-0xffffffffbfffffff)
+
+Such issue could be triggered by all kinds of regular surprise removal
+hotplug operation. like:
+
+1. pull EP(endpoint device) out directly.
+2. turn off EP's power.
+3. bring the link down.
+etc.
+
+this patch aims to work for regular safe removal and surprise removal
+unplug. these hot unplug handling process could be optimized for fix the
+ATS Invalidation hang issue by calling pci_dev_is_disconnected() in
+function devtlb_invalidation_with_pasid() to check target device state to
+avoid sending meaningless ATS Invalidation request to iommu when device is
+gone. (see IMPLEMENTATION NOTE in PCIe spec r6.1 section 10.3.1)
+
+For safe removal, device wouldn't be removed until the whole software
+handling process is done, it wouldn't trigger the hard lock up issue
+caused by too long ATS Invalidation timeout wait. In safe removal path,
+device state isn't set to pci_channel_io_perm_failure in
+pciehp_unconfigure_device() by checking 'presence' parameter, calling
+pci_dev_is_disconnected() in devtlb_invalidation_with_pasid() will return
+false there, wouldn't break the function.
+
+For surprise removal, device state is set to pci_channel_io_perm_failure in
+pciehp_unconfigure_device(), means device is already gone (disconnected)
+call pci_dev_is_disconnected() in devtlb_invalidation_with_pasid() will
+return true to break the function not to send ATS Invalidation request to
+the disconnected device blindly, thus avoid to trigger further ITE fault,
+and ITE fault will block all invalidation request to be handled.
+furthermore retry the timeout request could trigger hard lockup.
+
+safe removal (present) & surprise removal (not present)
+
+pciehp_ist()
+ pciehp_handle_presence_or_link_change()
+ pciehp_disable_slot()
+ remove_board()
+ pciehp_unconfigure_device(presence) {
+ if (!presence)
+ pci_walk_bus(parent, pci_dev_set_disconnected, NULL);
+ }
+
+this patch works for regular safe removal and surprise removal of ATS
+capable endpoint on PCIe switch downstream ports.
+
+Fixes: 6f7db75e1c46 ("iommu/vt-d: Add second level page table interface")
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Tested-by: Haorong Ye <yehaorong@bytedance.com>
+Signed-off-by: Ethan Zhao <haifeng.zhao@linux.intel.com>
+Link: https://lore.kernel.org/r/20240301080727.3529832-3-haifeng.zhao@linux.intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/pasid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c
+index 9b24e8224379e..586b289cf468d 100644
+--- a/drivers/iommu/intel/pasid.c
++++ b/drivers/iommu/intel/pasid.c
+@@ -489,6 +489,9 @@ devtlb_invalidation_with_pasid(struct intel_iommu *iommu,
+ if (!info || !info->ats_enabled)
+ return;
+
++ if (pci_dev_is_disconnected(to_pci_dev(dev)))
++ return;
++
+ sid = info->bus << 8 | info->devfn;
+ qdep = info->ats_qdep;
+ pfsid = info->pfsid;
+--
+2.43.0
+
--- /dev/null
+From 5f18bf59ace33ef5aaa67068b0807c377d4915c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 14:23:50 +0000
+Subject: ipmr: fix incorrect parameter validation in the
+ ip_mroute_getsockopt() function
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 5c3be3e0eb44b7f978bb6cbb20ad956adb93f736 ]
+
+The 'olr' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'olr' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ipmr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index cdc0a1781fd28..db184cb826b95 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1574,9 +1574,11 @@ int ip_mroute_getsockopt(struct sock *sk, int optname, sockptr_t optval,
+
+ if (copy_from_sockptr(&olr, optlen, sizeof(int)))
+ return -EFAULT;
+- olr = min_t(unsigned int, olr, sizeof(int));
+ if (olr < 0)
+ return -EINVAL;
++
++ olr = min_t(unsigned int, olr, sizeof(int));
++
+ if (copy_to_sockptr(optlen, &olr, sizeof(int)))
+ return -EFAULT;
+ if (copy_to_sockptr(optval, &val, olr))
+--
+2.43.0
+
--- /dev/null
+From 9f9147a1d156cc2c4de67789e04ee656d82ebafb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 18:01:57 +0800
+Subject: ipv6: fib6_rules: flush route cache when rule is changed
+
+From: Shiming Cheng <shiming.cheng@mediatek.com>
+
+[ Upstream commit c4386ab4f6c600f75fdfd21143f89bac3e625d0d ]
+
+When rule policy is changed, ipv6 socket cache is not refreshed.
+The sock's skb still uses a outdated route cache and was sent to
+a wrong interface.
+
+To avoid this error we should update fib node's version when
+rule is changed. Then skb's route will be reroute checked as
+route cache version is already different with fib node version.
+The route cache is refreshed to match the latest rule.
+
+Fixes: 101367c2f8c4 ("[IPV6]: Policy Routing Rules")
+Signed-off-by: Shiming Cheng <shiming.cheng@mediatek.com>
+Signed-off-by: Lena Wang <lena.wang@mediatek.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/fib6_rules.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
+index 3e4c87b29b115..55cd23b7a9357 100644
+--- a/net/ipv6/fib6_rules.c
++++ b/net/ipv6/fib6_rules.c
+@@ -446,6 +446,11 @@ static size_t fib6_rule_nlmsg_payload(struct fib_rule *rule)
+ + nla_total_size(16); /* src */
+ }
+
++static void fib6_rule_flush_cache(struct fib_rules_ops *ops)
++{
++ rt_genid_bump_ipv6(ops->fro_net);
++}
++
+ static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = {
+ .family = AF_INET6,
+ .rule_size = sizeof(struct fib6_rule),
+@@ -458,6 +463,7 @@ static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = {
+ .compare = fib6_rule_compare,
+ .fill = fib6_rule_fill,
+ .nlmsg_payload = fib6_rule_nlmsg_payload,
++ .flush_cache = fib6_rule_flush_cache,
+ .nlgroup = RTNLGRP_IPV6_RULE,
+ .policy = fib6_rule_policy,
+ .owner = THIS_MODULE,
+--
+2.43.0
+
--- /dev/null
+From acafe4eeb2582f37cd80a0bc4f870f59c785644d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 14:23:50 +0000
+Subject: l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt()
+ function
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 955e9876ba4ee26eeaab1b13517f5b2c88e73d55 ]
+
+The 'len' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'len' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reviewed-by: Tom Parkin <tparkin@katalix.com>
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 5ecc0f2009444..b1d89c850f686 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1357,11 +1357,11 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+- len = min_t(unsigned int, len, sizeof(int));
+-
+ if (len < 0)
+ return -EINVAL;
+
++ len = min_t(unsigned int, len, sizeof(int));
++
+ err = -ENOTCONN;
+ if (!sk->sk_user_data)
+ goto end;
+--
+2.43.0
+
--- /dev/null
+From 2ef93ada08e00dbb2a8a832124845d5cb2535af3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 20:36:05 +0300
+Subject: leds: aw2013: Unlock mutex before destroying it
+
+From: George Stark <gnstark@salutedevices.com>
+
+[ Upstream commit 6969d0a2ba1adc9ba6a49b9805f24080896c255c ]
+
+In the probe() callback in case of error mutex is destroyed being locked
+which is not allowed so unlock the mutex before destroying.
+
+Fixes: 59ea3c9faf32 ("leds: add aw2013 driver")
+Signed-off-by: George Stark <gnstark@salutedevices.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20231214173614.2820929-2-gnstark@salutedevices.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-aw2013.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/leds/leds-aw2013.c b/drivers/leds/leds-aw2013.c
+index 80d937454aeef..f7d9795ce5e1f 100644
+--- a/drivers/leds/leds-aw2013.c
++++ b/drivers/leds/leds-aw2013.c
+@@ -397,6 +397,7 @@ static int aw2013_probe(struct i2c_client *client)
+ regulator_disable(chip->vcc_regulator);
+
+ error:
++ mutex_unlock(&chip->mutex);
+ mutex_destroy(&chip->mutex);
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From a0af5c9b418054bd627b41f63078bf85ef753c99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Feb 2024 20:11:30 +0100
+Subject: leds: sgm3140: Add missing timer cleanup and flash gpio control
+
+From: Ondrej Jirman <megi@xff.cz>
+
+[ Upstream commit 205c29887a333ee4b37596e6533373e38cb23947 ]
+
+Enabling strobe and then setting brightness to 0 causes the driver to enter
+invalid state after strobe end timer fires. We should cancel strobe mode
+resources when changing brightness (aka torch mode).
+
+Fixes: cef8ec8cbd21 ("leds: add sgm3140 driver")
+Signed-off-by: Ondrej Jirman <megi@xff.cz>
+Link: https://lore.kernel.org/r/20240217191133.1757553-1-megi@xff.cz
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-sgm3140.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/leds/leds-sgm3140.c b/drivers/leds/leds-sgm3140.c
+index f4f831570f11c..e72017b11098b 100644
+--- a/drivers/leds/leds-sgm3140.c
++++ b/drivers/leds/leds-sgm3140.c
+@@ -114,8 +114,11 @@ static int sgm3140_brightness_set(struct led_classdev *led_cdev,
+ "failed to enable regulator: %d\n", ret);
+ return ret;
+ }
++ gpiod_set_value_cansleep(priv->flash_gpio, 0);
+ gpiod_set_value_cansleep(priv->enable_gpio, 1);
+ } else {
++ del_timer_sync(&priv->powerdown_timer);
++ gpiod_set_value_cansleep(priv->flash_gpio, 0);
+ gpiod_set_value_cansleep(priv->enable_gpio, 0);
+ ret = regulator_disable(priv->vin_regulator);
+ if (ret) {
+--
+2.43.0
+
--- /dev/null
+From 2d409455a487d1f495a7728c4e7fd2510e18b55e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 11:14:40 +0800
+Subject: md: Don't clear MD_CLOSING when the raid is about to stop
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 9674f54e41fffaf06f6a60202e1fa4cc13de3cf5 ]
+
+The raid should not be opened anymore when it is about to be stopped.
+However, other processes can open it again if the flag MD_CLOSING is
+cleared before exiting. From now on, this flag will not be cleared when
+the raid will be stopped.
+
+Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20240226031444.3606764-6-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index d6f12338cb989..09c7f52156f3f 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6243,7 +6243,15 @@ static void md_clean(struct mddev *mddev)
+ mddev->persistent = 0;
+ mddev->level = LEVEL_NONE;
+ mddev->clevel[0] = 0;
+- mddev->flags = 0;
++ /*
++ * Don't clear MD_CLOSING, or mddev can be opened again.
++ * 'hold_active != 0' means mddev is still in the creation
++ * process and will be used later.
++ */
++ if (mddev->hold_active)
++ mddev->flags = 0;
++ else
++ mddev->flags &= BIT_ULL_MASK(MD_CLOSING);
+ mddev->sb_flags = 0;
+ mddev->ro = 0;
+ mddev->metadata_type[0] = 0;
+@@ -7562,7 +7570,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+ int err = 0;
+ void __user *argp = (void __user *)arg;
+ struct mddev *mddev = NULL;
+- bool did_set_md_closing = false;
+
+ if (!md_ioctl_valid(cmd))
+ return -ENOTTY;
+@@ -7649,7 +7656,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+ err = -EBUSY;
+ goto out;
+ }
+- did_set_md_closing = true;
+ mutex_unlock(&mddev->open_mutex);
+ sync_blockdev(bdev);
+ }
+@@ -7813,7 +7819,7 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+ mddev->hold_active = 0;
+ mddev_unlock(mddev);
+ out:
+- if(did_set_md_closing)
++ if (cmd == STOP_ARRAY_RO || (err && cmd == STOP_ARRAY))
+ clear_bit(MD_CLOSING, &mddev->flags);
+ return err;
+ }
+--
+2.43.0
+
--- /dev/null
+From d8cbd557280eeca67de30eacc5ef3419993cbda4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 11:00:13 +0100
+Subject: md: implement ->set_read_only to hook into BLKROSET processing
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 118cf084adb3964d06e1667cf7d702e56e5cd2c5 ]
+
+Implement the ->set_read_only method instead of parsing the actual
+ioctl command.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Song Liu <song@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 62 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 03d2e31dda2f6..d6f12338cb989 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7536,7 +7536,6 @@ static inline bool md_ioctl_valid(unsigned int cmd)
+ {
+ switch (cmd) {
+ case ADD_NEW_DISK:
+- case BLKROSET:
+ case GET_ARRAY_INFO:
+ case GET_BITMAP_FILE:
+ case GET_DISK_INFO:
+@@ -7563,7 +7562,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+ int err = 0;
+ void __user *argp = (void __user *)arg;
+ struct mddev *mddev = NULL;
+- int ro;
+ bool did_set_md_closing = false;
+
+ if (!md_ioctl_valid(cmd))
+@@ -7746,35 +7744,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+ goto unlock;
+ }
+ break;
+-
+- case BLKROSET:
+- if (get_user(ro, (int __user *)(arg))) {
+- err = -EFAULT;
+- goto unlock;
+- }
+- err = -EINVAL;
+-
+- /* if the bdev is going readonly the value of mddev->ro
+- * does not matter, no writes are coming
+- */
+- if (ro)
+- goto unlock;
+-
+- /* are we are already prepared for writes? */
+- if (mddev->ro != 1)
+- goto unlock;
+-
+- /* transitioning to readauto need only happen for
+- * arrays that call md_write_start
+- */
+- if (mddev->pers) {
+- err = restart_array(mddev);
+- if (err == 0) {
+- mddev->ro = 2;
+- set_disk_ro(mddev->gendisk, 0);
+- }
+- }
+- goto unlock;
+ }
+
+ /*
+@@ -7868,6 +7837,36 @@ static int md_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ }
+ #endif /* CONFIG_COMPAT */
+
++static int md_set_read_only(struct block_device *bdev, bool ro)
++{
++ struct mddev *mddev = bdev->bd_disk->private_data;
++ int err;
++
++ err = mddev_lock(mddev);
++ if (err)
++ return err;
++
++ if (!mddev->raid_disks && !mddev->external) {
++ err = -ENODEV;
++ goto out_unlock;
++ }
++
++ /*
++ * Transitioning to read-auto need only happen for arrays that call
++ * md_write_start and which are not ready for writes yet.
++ */
++ if (!ro && mddev->ro == 1 && mddev->pers) {
++ err = restart_array(mddev);
++ if (err)
++ goto out_unlock;
++ mddev->ro = 2;
++ }
++
++out_unlock:
++ mddev_unlock(mddev);
++ return err;
++}
++
+ static int md_open(struct block_device *bdev, fmode_t mode)
+ {
+ /*
+@@ -7944,6 +7943,7 @@ const struct block_device_operations md_fops =
+ #endif
+ .getgeo = md_getgeo,
+ .check_events = md_check_events,
++ .set_read_only = md_set_read_only,
+ };
+
+ static int md_thread(void *arg)
+--
+2.43.0
+
--- /dev/null
+From f83a80d25fc86d11e703f8b25fb7ea1ade872140 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 17:31:44 +0100
+Subject: media: dvb-frontends: avoid stack overflow warnings with clang
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7a4cf27d1f0538f779bf31b8c99eda394e277119 ]
+
+A previous patch worked around a KASAN issue in stv0367, now a similar
+problem showed up with clang:
+
+drivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]
+ 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)
+
+Rework the stv0367_writereg() function to be simpler and mark both
+register access functions as noinline_for_stack so the temporary
+i2c_msg structures do not get duplicated on the stack when KASAN_STACK
+is enabled.
+
+Fixes: 3cd890dbe2a4 ("media: dvb-frontends: fix i2c access helpers for KASAN")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/stv0367.c | 34 +++++++--------------------
+ 1 file changed, 8 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/stv0367.c b/drivers/media/dvb-frontends/stv0367.c
+index 0bfca1174e9e7..8cbae8235b174 100644
+--- a/drivers/media/dvb-frontends/stv0367.c
++++ b/drivers/media/dvb-frontends/stv0367.c
+@@ -118,50 +118,32 @@ static const s32 stv0367cab_RF_LookUp2[RF_LOOKUP_TABLE2_SIZE][RF_LOOKUP_TABLE2_S
+ }
+ };
+
+-static
+-int stv0367_writeregs(struct stv0367_state *state, u16 reg, u8 *data, int len)
++static noinline_for_stack
++int stv0367_writereg(struct stv0367_state *state, u16 reg, u8 data)
+ {
+- u8 buf[MAX_XFER_SIZE];
++ u8 buf[3] = { MSB(reg), LSB(reg), data };
+ struct i2c_msg msg = {
+ .addr = state->config->demod_address,
+ .flags = 0,
+ .buf = buf,
+- .len = len + 2
++ .len = 3,
+ };
+ int ret;
+
+- if (2 + len > sizeof(buf)) {
+- printk(KERN_WARNING
+- "%s: i2c wr reg=%04x: len=%d is too big!\n",
+- KBUILD_MODNAME, reg, len);
+- return -EINVAL;
+- }
+-
+-
+- buf[0] = MSB(reg);
+- buf[1] = LSB(reg);
+- memcpy(buf + 2, data, len);
+-
+ if (i2cdebug)
+ printk(KERN_DEBUG "%s: [%02x] %02x: %02x\n", __func__,
+- state->config->demod_address, reg, buf[2]);
++ state->config->demod_address, reg, data);
+
+ ret = i2c_transfer(state->i2c, &msg, 1);
+ if (ret != 1)
+ printk(KERN_ERR "%s: i2c write error! ([%02x] %02x: %02x)\n",
+- __func__, state->config->demod_address, reg, buf[2]);
++ __func__, state->config->demod_address, reg, data);
+
+ return (ret != 1) ? -EREMOTEIO : 0;
+ }
+
+-static int stv0367_writereg(struct stv0367_state *state, u16 reg, u8 data)
+-{
+- u8 tmp = data; /* see gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 */
+-
+- return stv0367_writeregs(state, reg, &tmp, 1);
+-}
+-
+-static u8 stv0367_readreg(struct stv0367_state *state, u16 reg)
++static noinline_for_stack
++u8 stv0367_readreg(struct stv0367_state *state, u16 reg)
+ {
+ u8 b0[] = { 0, 0 };
+ u8 b1[] = { 0 };
+--
+2.43.0
+
--- /dev/null
+From f5e89100513ab52301067195dd979ffe2063e566 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Feb 2024 14:40:43 +0100
+Subject: media: edia: dvbdev: fix a use-after-free
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 8c64f4cdf4e6cc5682c52523713af8c39c94e6d5 ]
+
+In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed
+in several error-handling paths. However, *pdvbdev is not set to NULL
+after dvbdev's deallocation, causing use-after-frees in many places,
+for example, in the following call chain:
+
+budget_register
+ |-> dvb_dmxdev_init
+ |-> dvb_register_device
+ |-> dvb_dmxdev_release
+ |-> dvb_unregister_device
+ |-> dvb_remove_device
+ |-> dvb_device_put
+ |-> kref_put
+
+When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in
+dvb_register_device) could point to memory that had been freed in
+dvb_register_device. Thereafter, this pointer is transferred to
+kref_put and triggering a use-after-free.
+
+Link: https://lore.kernel.org/linux-media/20240203134046.3120099-1-alexious@zju.edu.cn
+Fixes: b61901024776 ("V4L/DVB (5244): Dvbdev: fix illegal re-usage of fileoperations struct")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvbdev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 3a83e8e092568..23a0c209744dc 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -504,6 +504,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL);
+ if (!dvbdevfops) {
+ kfree(dvbdev);
++ *pdvbdev = NULL;
+ mutex_unlock(&dvbdev_register_lock);
+ return -ENOMEM;
+ }
+@@ -512,6 +513,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ if (!new_node) {
+ kfree(dvbdevfops);
+ kfree(dvbdev);
++ *pdvbdev = NULL;
+ mutex_unlock(&dvbdev_register_lock);
+ return -ENOMEM;
+ }
+@@ -545,6 +547,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ }
+ list_del (&dvbdev->list_head);
+ kfree(dvbdev);
++ *pdvbdev = NULL;
+ up_write(&minor_rwsem);
+ mutex_unlock(&dvbdev_register_lock);
+ return -EINVAL;
+@@ -567,6 +570,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ dvb_media_device_free(dvbdev);
+ list_del (&dvbdev->list_head);
+ kfree(dvbdev);
++ *pdvbdev = NULL;
+ mutex_unlock(&dvbdev_register_lock);
+ return ret;
+ }
+@@ -585,6 +589,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ dvb_media_device_free(dvbdev);
+ list_del (&dvbdev->list_head);
+ kfree(dvbdev);
++ *pdvbdev = NULL;
+ mutex_unlock(&dvbdev_register_lock);
+ return PTR_ERR(clsdev);
+ }
+--
+2.43.0
+
--- /dev/null
+From 6154786f86e700de44b77046bbc38d42219ecbda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jan 2024 05:42:26 -0800
+Subject: media: em28xx: annotate unchecked call to media_device_register()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit fd61d77a3d28444b2635f0c8b5a2ecd6a4d94026 ]
+
+Static analyzers generate alerts for an unchecked call to
+`media_device_register()`. However, in this case, the device will work
+reliably without the media controller API.
+
+Add a comment above the call to prevent future unnecessary changes.
+
+Suggested-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
+index 26408a972b443..5deee83132c62 100644
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -4049,6 +4049,10 @@ static int em28xx_usb_probe(struct usb_interface *intf,
+ * topology will likely change after the load of the em28xx subdrivers.
+ */
+ #ifdef CONFIG_MEDIA_CONTROLLER
++ /*
++ * No need to check the return value, the device will still be
++ * usable without media controller API.
++ */
+ retval = media_device_register(dev->media_dev);
+ #endif
+
+--
+2.43.0
+
--- /dev/null
+From ed55dfbe73f264b361173abbcb814a9dd2897395 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Feb 2024 07:07:05 -0800
+Subject: media: go7007: add check of return value of go7007_read_addr()
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+[ Upstream commit 0b70530ee740861f4776ff724fcc25023df1799a ]
+
+If go7007_read_addr() returns error channel is not assigned a value.
+In this case go to allocfail.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 866b8695d67e ("Staging: add the go7007 video driver")
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/go7007/go7007-usb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c
+index eeb85981e02b6..762c13e49bfa5 100644
+--- a/drivers/media/usb/go7007/go7007-usb.c
++++ b/drivers/media/usb/go7007/go7007-usb.c
+@@ -1201,7 +1201,9 @@ static int go7007_usb_probe(struct usb_interface *intf,
+ u16 channel;
+
+ /* read channel number from GPIO[1:0] */
+- go7007_read_addr(go, 0x3c81, &channel);
++ if (go7007_read_addr(go, 0x3c81, &channel))
++ goto allocfail;
++
+ channel &= 0x3;
+ go->board_id = GO7007_BOARDID_ADLINK_MPG24;
+ usb->board = board = &board_adlink_mpg24;
+--
+2.43.0
+
--- /dev/null
+From 6f8578cb3d5f4bc7623fe83e63d44c3cd0fff4c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 12:37:13 +0800
+Subject: media: go7007: fix a memleak in go7007_load_encoder
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit b9b683844b01d171a72b9c0419a2d760d946ee12 ]
+
+In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without
+a deallocation thereafter. After the following call chain:
+
+saa7134_go7007_init
+ |-> go7007_boot_encoder
+ |-> go7007_load_encoder
+ |-> kfree(go)
+
+go is freed and thus bounce is leaked.
+
+Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/go7007/go7007-driver.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
+index 6650eab913d81..3c66542ce284a 100644
+--- a/drivers/media/usb/go7007/go7007-driver.c
++++ b/drivers/media/usb/go7007/go7007-driver.c
+@@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go)
+ const struct firmware *fw_entry;
+ char fw_name[] = "go7007/go7007fw.bin";
+ void *bounce;
+- int fw_len, rv = 0;
++ int fw_len;
+ u16 intr_val, intr_data;
+
+ if (go->boot_fw == NULL) {
+@@ -109,9 +109,11 @@ static int go7007_load_encoder(struct go7007 *go)
+ go7007_read_interrupt(go, &intr_val, &intr_data) < 0 ||
+ (intr_val & ~0x1) != 0x5a5a) {
+ v4l2_err(go, "error transferring firmware\n");
+- rv = -1;
++ kfree(go->boot_fw);
++ go->boot_fw = NULL;
++ return -1;
+ }
+- return rv;
++ return 0;
+ }
+
+ MODULE_FIRMWARE("go7007/go7007fw.bin");
+--
+2.43.0
+
--- /dev/null
+From 9ed10c83831cedffc4194226c806c3c0dc064af9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 13:00:33 +0100
+Subject: media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit 4797a3dd46f220e6d83daf54d70c5b33db6deb01 ]
+
+Free the memory allocated in v4l2_ctrl_handler_init on release.
+
+Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device")
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-csc-scaler.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/media/imx/imx-media-csc-scaler.c b/drivers/staging/media/imx/imx-media-csc-scaler.c
+index 63a0204502a8b..939843b895440 100644
+--- a/drivers/staging/media/imx/imx-media-csc-scaler.c
++++ b/drivers/staging/media/imx/imx-media-csc-scaler.c
+@@ -803,6 +803,7 @@ static int ipu_csc_scaler_release(struct file *file)
+
+ dev_dbg(priv->dev, "Releasing instance %p\n", ctx);
+
++ v4l2_ctrl_handler_free(&ctx->ctrl_hdlr);
+ v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
+ v4l2_fh_del(&ctx->fh);
+ v4l2_fh_exit(&ctx->fh);
+--
+2.43.0
+
--- /dev/null
+From 6b6bf108432b78ceba00b25de2ac96a7805455ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Feb 2024 13:10:22 +0100
+Subject: media: mediatek: vcodec: avoid -Wcast-function-type-strict warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit bfb1b99802ef16045402deb855c197591dc78886 ]
+
+The ipi handler here tries hard to maintain const-ness of its argument,
+but by doing that causes a warning about function type casts:
+
+drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c:38:32: error: cast from 'mtk_vcodec_ipi_handler' (aka 'void (*)(void *, unsigned int, void *)') to 'ipi_handler_t' (aka 'void (*)(const void *, unsigned int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 38 | ipi_handler_t handler_const = (ipi_handler_t)handler;
+ | ^~~~~~~~~~~~~~~~~~~~~~
+
+Remove the hack and just use a non-const argument.
+
+Fixes: bf1d556ad4e0 ("media: mtk-vcodec: abstract firmware interface")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c | 2 +-
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c | 10 +---------
+ drivers/media/platform/mtk-vpu/mtk_vpu.c | 2 +-
+ drivers/media/platform/mtk-vpu/mtk_vpu.h | 2 +-
+ 4 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c b/drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c
+index b065ccd069140..378a1cba0144f 100644
+--- a/drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c
++++ b/drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c
+@@ -26,7 +26,7 @@ static void mtk_mdp_vpu_handle_init_ack(const struct mdp_ipi_comm_ack *msg)
+ vpu->inst_addr = msg->vpu_inst_addr;
+ }
+
+-static void mtk_mdp_vpu_ipi_handler(const void *data, unsigned int len,
++static void mtk_mdp_vpu_ipi_handler(void *data, unsigned int len,
+ void *priv)
+ {
+ const struct mdp_ipi_comm_ack *msg = data;
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
+index cfc7ebed8fb7a..1ec29f1b163a1 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
+@@ -29,15 +29,7 @@ static int mtk_vcodec_vpu_set_ipi_register(struct mtk_vcodec_fw *fw, int id,
+ mtk_vcodec_ipi_handler handler,
+ const char *name, void *priv)
+ {
+- /*
+- * The handler we receive takes a void * as its first argument. We
+- * cannot change this because it needs to be passed down to the rproc
+- * subsystem when SCP is used. VPU takes a const argument, which is
+- * more constrained, so the conversion below is safe.
+- */
+- ipi_handler_t handler_const = (ipi_handler_t)handler;
+-
+- return vpu_ipi_register(fw->pdev, id, handler_const, name, priv);
++ return vpu_ipi_register(fw->pdev, id, handler, name, priv);
+ }
+
+ static int mtk_vcodec_vpu_ipi_send(struct mtk_vcodec_fw *fw, int id, void *buf,
+diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.c b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+index e7c4b0dd588a9..a2f61d97ffeb1 100644
+--- a/drivers/media/platform/mtk-vpu/mtk_vpu.c
++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+@@ -612,7 +612,7 @@ int vpu_load_firmware(struct platform_device *pdev)
+ }
+ EXPORT_SYMBOL_GPL(vpu_load_firmware);
+
+-static void vpu_init_ipi_handler(const void *data, unsigned int len, void *priv)
++static void vpu_init_ipi_handler(void *data, unsigned int len, void *priv)
+ {
+ struct mtk_vpu *vpu = priv;
+ const struct vpu_run *run = data;
+diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.h b/drivers/media/platform/mtk-vpu/mtk_vpu.h
+index ee7c552ce9289..d4453b4bcee92 100644
+--- a/drivers/media/platform/mtk-vpu/mtk_vpu.h
++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.h
+@@ -15,7 +15,7 @@
+ * VPU interfaces with other blocks by share memory and interrupt.
+ **/
+
+-typedef void (*ipi_handler_t) (const void *data,
++typedef void (*ipi_handler_t) (void *data,
+ unsigned int len,
+ void *priv);
+
+--
+2.43.0
+
--- /dev/null
+From d042f52bd57f0026d5e72187ad1732d5c3b9cc88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 11:04:27 +0100
+Subject: media: pvrusb2: fix pvr2_stream_callback casts
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 30baa4a96b23add91a87305baaeba82c4e109e1f ]
+
+clang-16 complains about a control flow integrity (KCFI) issue in pvrusb2,
+which casts three different prototypes into pvr2_stream_callback:
+
+drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1070:30: error: cast from 'void (*)(struct pvr2_v4l2_fh *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 1070 | pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/media/usb/pvrusb2/pvrusb2-context.c:110:6: error: cast from 'void (*)(struct pvr2_context *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 110 | (void (*)(void *))pvr2_context_notify,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/media/usb/pvrusb2/pvrusb2-dvb.c:152:6: error: cast from 'void (*)(struct pvr2_dvb_adapter *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 152 | (pvr2_stream_callback) pvr2_dvb_notify, adap);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Change the functions to actually take a void* argument so the cast is no longer
+needed.
+
+Fixes: bb8ce9d9143c ("V4L/DVB (7682): pvrusb2-dvb: finish up stream & buffer handling")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-context.c | 8 ++++----
+ drivers/media/usb/pvrusb2/pvrusb2-dvb.c | 6 ++++--
+ drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 6 ++++--
+ 3 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c
+index 1764674de98bc..58f2f3ff10ee2 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c
+@@ -90,8 +90,10 @@ static void pvr2_context_destroy(struct pvr2_context *mp)
+ }
+
+
+-static void pvr2_context_notify(struct pvr2_context *mp)
++static void pvr2_context_notify(void *ptr)
+ {
++ struct pvr2_context *mp = ptr;
++
+ pvr2_context_set_notify(mp,!0);
+ }
+
+@@ -106,9 +108,7 @@ static void pvr2_context_check(struct pvr2_context *mp)
+ pvr2_trace(PVR2_TRACE_CTXT,
+ "pvr2_context %p (initialize)", mp);
+ /* Finish hardware initialization */
+- if (pvr2_hdw_initialize(mp->hdw,
+- (void (*)(void *))pvr2_context_notify,
+- mp)) {
++ if (pvr2_hdw_initialize(mp->hdw, pvr2_context_notify, mp)) {
+ mp->video_stream.stream =
+ pvr2_hdw_get_video_stream(mp->hdw);
+ /* Trigger interface initialization. By doing this
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-dvb.c b/drivers/media/usb/pvrusb2/pvrusb2-dvb.c
+index 6954584526a32..1b768e7466721 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-dvb.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-dvb.c
+@@ -88,8 +88,10 @@ static int pvr2_dvb_feed_thread(void *data)
+ return stat;
+ }
+
+-static void pvr2_dvb_notify(struct pvr2_dvb_adapter *adap)
++static void pvr2_dvb_notify(void *ptr)
+ {
++ struct pvr2_dvb_adapter *adap = ptr;
++
+ wake_up(&adap->buffer_wait_data);
+ }
+
+@@ -149,7 +151,7 @@ static int pvr2_dvb_stream_do_start(struct pvr2_dvb_adapter *adap)
+ }
+
+ pvr2_stream_set_callback(pvr->video_stream.stream,
+- (pvr2_stream_callback) pvr2_dvb_notify, adap);
++ pvr2_dvb_notify, adap);
+
+ ret = pvr2_stream_set_buffer_count(stream, PVR2_DVB_BUFFER_COUNT);
+ if (ret < 0) return ret;
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+index c872868becbdc..29f2e767f236f 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+@@ -1037,8 +1037,10 @@ static int pvr2_v4l2_open(struct file *file)
+ }
+
+
+-static void pvr2_v4l2_notify(struct pvr2_v4l2_fh *fhp)
++static void pvr2_v4l2_notify(void *ptr)
+ {
++ struct pvr2_v4l2_fh *fhp = ptr;
++
+ wake_up(&fhp->wait_data);
+ }
+
+@@ -1071,7 +1073,7 @@ static int pvr2_v4l2_iosetup(struct pvr2_v4l2_fh *fh)
+
+ hdw = fh->channel.mc_head->hdw;
+ sp = fh->pdi->stream->stream;
+- pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh);
++ pvr2_stream_set_callback(sp, pvr2_v4l2_notify, fh);
+ pvr2_hdw_set_stream_type(hdw,fh->pdi->config);
+ if ((ret = pvr2_hdw_set_streaming(hdw,!0)) < 0) return ret;
+ return pvr2_ioread_set_enabled(fh->rhp,!0);
+--
+2.43.0
+
--- /dev/null
+From aabfb7269f88c563c9ed7c9e87f57bae7fe093bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 15:30:47 +0800
+Subject: media: pvrusb2: fix uaf in pvr2_context_set_notify
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 0a0b79ea55de8514e1750884e5fec77f9fdd01ee ]
+
+[Syzbot reported]
+BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35
+Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26
+
+CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0xc4/0x620 mm/kasan/report.c:488
+ kasan_report+0xda/0x110 mm/kasan/report.c:601
+ pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35
+ pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]
+ pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272
+
+Freed by task 906:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
+kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640
+poison_slab_object mm/kasan/common.c:241 [inline]
+__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257
+kasan_slab_free include/linux/kasan.h:184 [inline]
+slab_free_hook mm/slub.c:2121 [inline]
+slab_free mm/slub.c:4299 [inline]
+kfree+0x105/0x340 mm/slub.c:4409
+pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]
+pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158
+
+[Analyze]
+Task A set disconnect_flag = !0, which resulted in Task B's condition being met
+and releasing mp, leading to this issue.
+
+[Fix]
+Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect()
+to avoid this issue.
+
+Reported-and-tested-by: syzbot+ce750e124675d4599449@syzkaller.appspotmail.com
+Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload")
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c
+index 58f2f3ff10ee2..73c95ba2328a4 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c
+@@ -267,9 +267,9 @@ static void pvr2_context_exit(struct pvr2_context *mp)
+ void pvr2_context_disconnect(struct pvr2_context *mp)
+ {
+ pvr2_hdw_disconnect(mp->hdw);
+- mp->disconnect_flag = !0;
+ if (!pvr2_context_shutok())
+ pvr2_context_notify(mp);
++ mp->disconnect_flag = !0;
+ }
+
+
+--
+2.43.0
+
--- /dev/null
+From bd9d661f4c7706666695c801d619cf327bde4bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Feb 2024 07:07:25 -0800
+Subject: media: pvrusb2: remove redundant NULL check
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+[ Upstream commit 95ac1210fb2753f968ebce0730d4fbc553c2a3dc ]
+
+Pointer dip->stream cannot be NULL due to a shift, thus remove redundant
+NULL check.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: c74e0062684b ("V4L/DVB (5059): Pvrusb2: Be smarter about mode restoration")
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+index 9657c18833116..c872868becbdc 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+@@ -1202,11 +1202,6 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip,
+ dip->minor_type = pvr2_v4l_type_video;
+ nr_ptr = video_nr;
+ caps |= V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_AUDIO;
+- if (!dip->stream) {
+- pr_err(KBUILD_MODNAME
+- ": Failed to set up pvrusb2 v4l video dev due to missing stream instance\n");
+- return;
+- }
+ break;
+ case VFL_TYPE_VBI:
+ dip->config = pvr2_config_vbi;
+--
+2.43.0
+
--- /dev/null
+From 62079d6af60fddacbf05f546da2c6d41c6259e6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Dec 2023 14:34:22 +0100
+Subject: media: sun8i-di: Fix chroma difference threshold
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 856525e8db272b0ce6d9c6e6c2eeb97892b485a6 ]
+
+While there is no good explanation what this value does, vendor driver
+uses value 31 for it. Align driver with it.
+
+Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sunxi/sun8i-di/sun8i-di.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
+index cb6d32c59191f..f0d2bcbe20b0d 100644
+--- a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
++++ b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
+@@ -304,7 +304,7 @@ static void deinterlace_init(struct deinterlace_dev *dev)
+
+ deinterlace_clr_set_bits(dev, DEINTERLACE_CHROMA_DIFF,
+ DEINTERLACE_CHROMA_DIFF_TH_MSK,
+- DEINTERLACE_CHROMA_DIFF_TH(5));
++ DEINTERLACE_CHROMA_DIFF_TH(31));
+ }
+
+ static inline struct deinterlace_ctx *deinterlace_file2ctx(struct file *file)
+--
+2.43.0
+
--- /dev/null
+From 75aac5998678340b6fe76a54d37adb5d0acd5109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Dec 2023 14:34:20 +0100
+Subject: media: sun8i-di: Fix coefficient writes
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 794b581f8c6eb7b60fe468ccb96dd3cd38ff779f ]
+
+Currently coefficients are applied only once, since they don't change.
+However, this is done before enable bit is set and thus it doesn't get
+applied properly.
+
+Fix that by applying coefficients after enable bit is set. While this
+means that it will be done evey time, it doesn't bring much time
+penalty.
+
+Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/platform/sunxi/sun8i-di/sun8i-di.c | 42 +++++++++----------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
+index 2c159483c56ba..a9d3272940be0 100644
+--- a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
++++ b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
+@@ -66,6 +66,7 @@ static void deinterlace_device_run(void *priv)
+ struct vb2_v4l2_buffer *src, *dst;
+ unsigned int hstep, vstep;
+ dma_addr_t addr;
++ int i;
+
+ src = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx);
+ dst = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx);
+@@ -160,6 +161,26 @@ static void deinterlace_device_run(void *priv)
+ deinterlace_write(dev, DEINTERLACE_CH1_HORZ_FACT, hstep);
+ deinterlace_write(dev, DEINTERLACE_CH1_VERT_FACT, vstep);
+
++ /* neutral filter coefficients */
++ deinterlace_set_bits(dev, DEINTERLACE_FRM_CTRL,
++ DEINTERLACE_FRM_CTRL_COEF_ACCESS);
++ readl_poll_timeout(dev->base + DEINTERLACE_STATUS, val,
++ val & DEINTERLACE_STATUS_COEF_STATUS, 2, 40);
++
++ for (i = 0; i < 32; i++) {
++ deinterlace_write(dev, DEINTERLACE_CH0_HORZ_COEF0 + i * 4,
++ DEINTERLACE_IDENTITY_COEF);
++ deinterlace_write(dev, DEINTERLACE_CH0_VERT_COEF + i * 4,
++ DEINTERLACE_IDENTITY_COEF);
++ deinterlace_write(dev, DEINTERLACE_CH1_HORZ_COEF0 + i * 4,
++ DEINTERLACE_IDENTITY_COEF);
++ deinterlace_write(dev, DEINTERLACE_CH1_VERT_COEF + i * 4,
++ DEINTERLACE_IDENTITY_COEF);
++ }
++
++ deinterlace_clr_set_bits(dev, DEINTERLACE_FRM_CTRL,
++ DEINTERLACE_FRM_CTRL_COEF_ACCESS, 0);
++
+ deinterlace_clr_set_bits(dev, DEINTERLACE_FIELD_CTRL,
+ DEINTERLACE_FIELD_CTRL_FIELD_CNT_MSK,
+ DEINTERLACE_FIELD_CTRL_FIELD_CNT(ctx->field));
+@@ -248,7 +269,6 @@ static irqreturn_t deinterlace_irq(int irq, void *data)
+ static void deinterlace_init(struct deinterlace_dev *dev)
+ {
+ u32 val;
+- int i;
+
+ deinterlace_write(dev, DEINTERLACE_BYPASS,
+ DEINTERLACE_BYPASS_CSC);
+@@ -285,26 +305,6 @@ static void deinterlace_init(struct deinterlace_dev *dev)
+ deinterlace_clr_set_bits(dev, DEINTERLACE_CHROMA_DIFF,
+ DEINTERLACE_CHROMA_DIFF_TH_MSK,
+ DEINTERLACE_CHROMA_DIFF_TH(5));
+-
+- /* neutral filter coefficients */
+- deinterlace_set_bits(dev, DEINTERLACE_FRM_CTRL,
+- DEINTERLACE_FRM_CTRL_COEF_ACCESS);
+- readl_poll_timeout(dev->base + DEINTERLACE_STATUS, val,
+- val & DEINTERLACE_STATUS_COEF_STATUS, 2, 40);
+-
+- for (i = 0; i < 32; i++) {
+- deinterlace_write(dev, DEINTERLACE_CH0_HORZ_COEF0 + i * 4,
+- DEINTERLACE_IDENTITY_COEF);
+- deinterlace_write(dev, DEINTERLACE_CH0_VERT_COEF + i * 4,
+- DEINTERLACE_IDENTITY_COEF);
+- deinterlace_write(dev, DEINTERLACE_CH1_HORZ_COEF0 + i * 4,
+- DEINTERLACE_IDENTITY_COEF);
+- deinterlace_write(dev, DEINTERLACE_CH1_VERT_COEF + i * 4,
+- DEINTERLACE_IDENTITY_COEF);
+- }
+-
+- deinterlace_clr_set_bits(dev, DEINTERLACE_FRM_CTRL,
+- DEINTERLACE_FRM_CTRL_COEF_ACCESS, 0);
+ }
+
+ static inline struct deinterlace_ctx *deinterlace_file2ctx(struct file *file)
+--
+2.43.0
+
--- /dev/null
+From 5c1030296687a63b084dfd8fce35bca613fad7b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Dec 2023 14:34:21 +0100
+Subject: media: sun8i-di: Fix power on/off sequences
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit cff104e33bad38f4b2c8d58816a7accfaa2879f9 ]
+
+According to user manual, reset line should be deasserted before clocks
+are enabled. Also fix power down sequence to be reverse of that.
+
+Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/platform/sunxi/sun8i-di/sun8i-di.c | 25 ++++++++++---------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
+index a9d3272940be0..cb6d32c59191f 100644
+--- a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
++++ b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c
+@@ -937,11 +937,18 @@ static int deinterlace_runtime_resume(struct device *device)
+ return ret;
+ }
+
++ ret = reset_control_deassert(dev->rstc);
++ if (ret) {
++ dev_err(dev->dev, "Failed to apply reset\n");
++
++ goto err_exclusive_rate;
++ }
++
+ ret = clk_prepare_enable(dev->bus_clk);
+ if (ret) {
+ dev_err(dev->dev, "Failed to enable bus clock\n");
+
+- goto err_exclusive_rate;
++ goto err_rst;
+ }
+
+ ret = clk_prepare_enable(dev->mod_clk);
+@@ -958,23 +965,16 @@ static int deinterlace_runtime_resume(struct device *device)
+ goto err_mod_clk;
+ }
+
+- ret = reset_control_deassert(dev->rstc);
+- if (ret) {
+- dev_err(dev->dev, "Failed to apply reset\n");
+-
+- goto err_ram_clk;
+- }
+-
+ deinterlace_init(dev);
+
+ return 0;
+
+-err_ram_clk:
+- clk_disable_unprepare(dev->ram_clk);
+ err_mod_clk:
+ clk_disable_unprepare(dev->mod_clk);
+ err_bus_clk:
+ clk_disable_unprepare(dev->bus_clk);
++err_rst:
++ reset_control_assert(dev->rstc);
+ err_exclusive_rate:
+ clk_rate_exclusive_put(dev->mod_clk);
+
+@@ -985,11 +985,12 @@ static int deinterlace_runtime_suspend(struct device *device)
+ {
+ struct deinterlace_dev *dev = dev_get_drvdata(device);
+
+- reset_control_assert(dev->rstc);
+-
+ clk_disable_unprepare(dev->ram_clk);
+ clk_disable_unprepare(dev->mod_clk);
+ clk_disable_unprepare(dev->bus_clk);
++
++ reset_control_assert(dev->rstc);
++
+ clk_rate_exclusive_put(dev->mod_clk);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 49b0525900b6448a5cf562c7d94d35add060b666 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jan 2024 10:01:11 +0100
+Subject: media: tc358743: register v4l2 async device only after successful
+ setup
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 87399f1ff92203d65f1febf5919429f4bb613a02 ]
+
+Ensure the device has been setup correctly before registering the v4l2
+async device, thus allowing userspace to access.
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Fixes: 4c5211a10039 ("[media] tc358743: register v4l2 asynchronous subdevice")
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240110090111.458115-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index f21da11caf224..8bcb4b354c895 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -2108,9 +2108,6 @@ static int tc358743_probe(struct i2c_client *client)
+ state->mbus_fmt_code = MEDIA_BUS_FMT_RGB888_1X24;
+
+ sd->dev = &client->dev;
+- err = v4l2_async_register_subdev(sd);
+- if (err < 0)
+- goto err_hdl;
+
+ mutex_init(&state->confctl_mutex);
+
+@@ -2168,6 +2165,10 @@ static int tc358743_probe(struct i2c_client *client)
+ if (err)
+ goto err_work_queues;
+
++ err = v4l2_async_register_subdev(sd);
++ if (err < 0)
++ goto err_work_queues;
++
+ v4l2_info(sd, "%s found @ 0x%x (%s)\n", client->name,
+ client->addr << 1, client->adapter->name);
+
+--
+2.43.0
+
--- /dev/null
+From a99e14dc893e4379e3153e27dcccfb51cb316524 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 13:17:04 +0800
+Subject: media: ttpci: fix two memleaks in budget_av_attach
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit d0b07f712bf61e1a3cf23c87c663791c42e50837 ]
+
+When saa7146_register_device and saa7146_vv_init fails, budget_av_attach
+should free the resources it allocates, like the error-handling of
+ttpci_budget_init does. Besides, there are two fixme comment refers to
+such deallocations.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/ttpci/budget-av.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/pci/ttpci/budget-av.c b/drivers/media/pci/ttpci/budget-av.c
+index 3cb83005cf09b..519f85e0a397d 100644
+--- a/drivers/media/pci/ttpci/budget-av.c
++++ b/drivers/media/pci/ttpci/budget-av.c
+@@ -1462,7 +1462,8 @@ static int budget_av_attach(struct saa7146_dev *dev, struct saa7146_pci_extensio
+ budget_av->has_saa7113 = 1;
+ err = saa7146_vv_init(dev, &vv_data);
+ if (err != 0) {
+- /* fixme: proper cleanup here */
++ ttpci_budget_deinit(&budget_av->budget);
++ kfree(budget_av);
+ ERR("cannot init vv subsystem\n");
+ return err;
+ }
+@@ -1471,9 +1472,10 @@ static int budget_av_attach(struct saa7146_dev *dev, struct saa7146_pci_extensio
+ vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
+
+ if ((err = saa7146_register_device(&budget_av->vd, dev, "knc1", VFL_TYPE_VIDEO))) {
+- /* fixme: proper cleanup here */
+- ERR("cannot register capture v4l2 device\n");
+ saa7146_vv_release(dev);
++ ttpci_budget_deinit(&budget_av->budget);
++ kfree(budget_av);
++ ERR("cannot register capture v4l2 device\n");
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 8eb10dbb02b1696021e3fb9eff168102f689e871 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Feb 2024 20:48:44 +0800
+Subject: media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 8f94b49a5b5d386c038e355bef6347298aabd211 ]
+
+The entity->name (i.e. name) is allocated in v4l2_m2m_register_entity
+but isn't freed in its following error-handling paths. This patch
+adds such deallocation to prevent memleak of entity->name.
+
+Fixes: be2fff656322 ("media: add helpers for memory-to-memory media controller")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-mem2mem.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-mem2mem.c b/drivers/media/v4l2-core/v4l2-mem2mem.c
+index ad14d52141067..56d320b1a1ca7 100644
+--- a/drivers/media/v4l2-core/v4l2-mem2mem.c
++++ b/drivers/media/v4l2-core/v4l2-mem2mem.c
+@@ -1053,11 +1053,17 @@ static int v4l2_m2m_register_entity(struct media_device *mdev,
+ entity->function = function;
+
+ ret = media_entity_pads_init(entity, num_pads, pads);
+- if (ret)
++ if (ret) {
++ kfree(entity->name);
++ entity->name = NULL;
+ return ret;
++ }
+ ret = media_device_register_entity(mdev, entity);
+- if (ret)
++ if (ret) {
++ kfree(entity->name);
++ entity->name = NULL;
+ return ret;
++ }
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 84844898d1792c9b0804637756a219311df9badb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Feb 2024 20:47:53 +0800
+Subject: media: v4l2-tpg: fix some memleaks in tpg_alloc
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 8cf9c5051076e0eb958f4361d50d8b0c3ee6691c ]
+
+In tpg_alloc, resources should be deallocated in each and every
+error-handling paths, since they are allocated in for statements.
+Otherwise there would be memleaks because tpg_free is called only when
+tpg_alloc return 0.
+
+Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 52 +++++++++++++++----
+ 1 file changed, 42 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+index 7607b516a7c43..68968bfa2edc1 100644
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -113,6 +113,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w)
+ {
+ unsigned pat;
+ unsigned plane;
++ int ret = 0;
+
+ tpg->max_line_width = max_w;
+ for (pat = 0; pat < TPG_MAX_PAT_LINES; pat++) {
+@@ -121,14 +122,18 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w)
+
+ tpg->lines[pat][plane] =
+ vzalloc(array3_size(max_w, 2, pixelsz));
+- if (!tpg->lines[pat][plane])
+- return -ENOMEM;
++ if (!tpg->lines[pat][plane]) {
++ ret = -ENOMEM;
++ goto free_lines;
++ }
+ if (plane == 0)
+ continue;
+ tpg->downsampled_lines[pat][plane] =
+ vzalloc(array3_size(max_w, 2, pixelsz));
+- if (!tpg->downsampled_lines[pat][plane])
+- return -ENOMEM;
++ if (!tpg->downsampled_lines[pat][plane]) {
++ ret = -ENOMEM;
++ goto free_lines;
++ }
+ }
+ }
+ for (plane = 0; plane < TPG_MAX_PLANES; plane++) {
+@@ -136,18 +141,45 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w)
+
+ tpg->contrast_line[plane] =
+ vzalloc(array_size(pixelsz, max_w));
+- if (!tpg->contrast_line[plane])
+- return -ENOMEM;
++ if (!tpg->contrast_line[plane]) {
++ ret = -ENOMEM;
++ goto free_contrast_line;
++ }
+ tpg->black_line[plane] =
+ vzalloc(array_size(pixelsz, max_w));
+- if (!tpg->black_line[plane])
+- return -ENOMEM;
++ if (!tpg->black_line[plane]) {
++ ret = -ENOMEM;
++ goto free_contrast_line;
++ }
+ tpg->random_line[plane] =
+ vzalloc(array3_size(max_w, 2, pixelsz));
+- if (!tpg->random_line[plane])
+- return -ENOMEM;
++ if (!tpg->random_line[plane]) {
++ ret = -ENOMEM;
++ goto free_contrast_line;
++ }
+ }
+ return 0;
++
++free_contrast_line:
++ for (plane = 0; plane < TPG_MAX_PLANES; plane++) {
++ vfree(tpg->contrast_line[plane]);
++ vfree(tpg->black_line[plane]);
++ vfree(tpg->random_line[plane]);
++ tpg->contrast_line[plane] = NULL;
++ tpg->black_line[plane] = NULL;
++ tpg->random_line[plane] = NULL;
++ }
++free_lines:
++ for (pat = 0; pat < TPG_MAX_PAT_LINES; pat++)
++ for (plane = 0; plane < TPG_MAX_PLANES; plane++) {
++ vfree(tpg->lines[pat][plane]);
++ tpg->lines[pat][plane] = NULL;
++ if (plane == 0)
++ continue;
++ vfree(tpg->downsampled_lines[pat][plane]);
++ tpg->downsampled_lines[pat][plane] = NULL;
++ }
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(tpg_alloc);
+
+--
+2.43.0
+
--- /dev/null
+From eadf829088f3de3f98e7671ec57f48d605f5c1db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 11:50:12 +0000
+Subject: mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle()
+ takes a ref
+
+From: Peter Griffin <peter.griffin@linaro.org>
+
+[ Upstream commit e28c28a34ee9fa2ea671a20e5e7064e6220d55e7 ]
+
+of_parse_phandle() returns a device_node with refcount incremented, which
+the callee needs to call of_node_put() on when done. We should only call
+of_node_put() when the property argument is provided though as otherwise
+nothing has taken a reference on the node.
+
+Fixes: f36e789a1f8d ("mfd: altera-sysmgr: Add SOCFPGA System Manager")
+Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
+Link: https://lore.kernel.org/r/20240220115012.471689-4-peter.griffin@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/altera-sysmgr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/altera-sysmgr.c b/drivers/mfd/altera-sysmgr.c
+index 591b300d90953..59efe7d5dcaa9 100644
+--- a/drivers/mfd/altera-sysmgr.c
++++ b/drivers/mfd/altera-sysmgr.c
+@@ -110,7 +110,9 @@ struct regmap *altr_sysmgr_regmap_lookup_by_phandle(struct device_node *np,
+
+ dev = driver_find_device_by_of_node(&altr_sysmgr_driver.driver,
+ (void *)sysmgr_np);
+- of_node_put(sysmgr_np);
++ if (property)
++ of_node_put(sysmgr_np);
++
+ if (!dev)
+ return ERR_PTR(-EPROBE_DEFER);
+
+--
+2.43.0
+
--- /dev/null
+From 5b9e914e720ce03ff6b717232264bda6f6f40ee6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 11:50:10 +0000
+Subject: mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a
+ ref
+
+From: Peter Griffin <peter.griffin@linaro.org>
+
+[ Upstream commit d2b0680cf3b05490b579e71b0df6e07451977745 ]
+
+of_parse_phandle() returns a device_node with refcount incremented, which
+the callee needs to call of_node_put() on when done. We should only call
+of_node_put() when the property argument is provided though as otherwise
+nothing has taken a reference on the node.
+
+Fixes: 45330bb43421 ("mfd: syscon: Allow property as NULL in syscon_regmap_lookup_by_phandle")
+Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
+Link: https://lore.kernel.org/r/20240220115012.471689-2-peter.griffin@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/syscon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
+index 60f74144a4f88..4d536a097e8cb 100644
+--- a/drivers/mfd/syscon.c
++++ b/drivers/mfd/syscon.c
+@@ -224,7 +224,9 @@ struct regmap *syscon_regmap_lookup_by_phandle(struct device_node *np,
+ return ERR_PTR(-ENODEV);
+
+ regmap = syscon_node_to_regmap(syscon_np);
+- of_node_put(syscon_np);
++
++ if (property)
++ of_node_put(syscon_np);
+
+ return regmap;
+ }
+--
+2.43.0
+
--- /dev/null
+From e8f20b590eb4136677858cfe5308bc02c44546ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 22:37:39 +0100
+Subject: mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the
+ .remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ae5004a40a262d329039b99b62bd3fe7645b66ad ]
+
+This looks strange to call release_mem_region() in a remove function
+without any request_mem_region() in the probe or "struct resource"
+somewhere.
+
+So remove the corresponding code.
+
+Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/bb0bb1ed1e18de55e8c0547625bde271e64b8c31.1708983064.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/wmt-sdmmc.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c
+index 3933195488575..3fcc81e48ad66 100644
+--- a/drivers/mmc/host/wmt-sdmmc.c
++++ b/drivers/mmc/host/wmt-sdmmc.c
+@@ -889,7 +889,6 @@ static int wmt_mci_remove(struct platform_device *pdev)
+ {
+ struct mmc_host *mmc;
+ struct wmt_mci_priv *priv;
+- struct resource *res;
+ u32 reg_tmp;
+
+ mmc = platform_get_drvdata(pdev);
+@@ -917,9 +916,6 @@ static int wmt_mci_remove(struct platform_device *pdev)
+ clk_disable_unprepare(priv->clk_sdmmc);
+ clk_put(priv->clk_sdmmc);
+
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- release_mem_region(res->start, resource_size(res));
+-
+ mmc_free_host(mmc);
+
+ dev_info(&pdev->dev, "WMT MCI device removed\n");
+--
+2.43.0
+
--- /dev/null
+From 8833225b833079d458903961aefb6effc08cea3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Feb 2024 12:34:18 +0200
+Subject: mtd: maps: physmap-core: fix flash size larger than 32-bit
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit 3884f03edd34887514a0865a80769cd5362d5c3b ]
+
+mtd-ram can potentially be larger than 4GB. get_bitmask_order() uses
+fls() that is not guaranteed to work with values larger than 32-bit.
+Specifically on aarch64 fls() returns 0 when all 32 LSB bits are clear.
+Use fls64() instead.
+
+Fixes: ba32ce95cbd987 ("mtd: maps: Merge gpio-addr-flash.c into physmap-core.c")
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/9fbf3664ce00f8b07867f1011834015f21d162a5.1707388458.git.baruch@tkos.co.il
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/maps/physmap-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/maps/physmap-core.c b/drivers/mtd/maps/physmap-core.c
+index 9ab795f03c546..e5552093585e2 100644
+--- a/drivers/mtd/maps/physmap-core.c
++++ b/drivers/mtd/maps/physmap-core.c
+@@ -528,7 +528,7 @@ static int physmap_flash_probe(struct platform_device *dev)
+ if (!info->maps[i].phys)
+ info->maps[i].phys = res->start;
+
+- info->win_order = get_bitmask_order(resource_size(res)) - 1;
++ info->win_order = fls64(resource_size(res)) - 1;
+ info->maps[i].size = BIT(info->win_order +
+ (info->gpios ?
+ info->gpios->ndescs : 0));
+--
+2.43.0
+
--- /dev/null
+From c8a584c10f53c3cc842868d12e87e207017414b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 11:00:09 +0100
+Subject: mtd: rawnand: lpc32xx_mlc: fix irq handler prototype
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 347b828882e6334690e7003ce5e2fe5f233dc508 ]
+
+clang-16 warns about mismatched function prototypes:
+
+drivers/mtd/nand/raw/lpc32xx_mlc.c:783:29: error: cast from 'irqreturn_t (*)(int, struct lpc32xx_nand_host *)' (aka 'enum irqreturn (*)(int, struct lpc32xx_nand_host *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+
+Change the interrupt handler to the normal way of just passing
+a void* pointer and converting it inside the function..
+
+Fixes: 70f7cb78ec53 ("mtd: add LPC32xx MLC NAND driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240213100146.455811-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/lpc32xx_mlc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/lpc32xx_mlc.c b/drivers/mtd/nand/raw/lpc32xx_mlc.c
+index 9e728c7317956..db228460a9079 100644
+--- a/drivers/mtd/nand/raw/lpc32xx_mlc.c
++++ b/drivers/mtd/nand/raw/lpc32xx_mlc.c
+@@ -304,8 +304,9 @@ static int lpc32xx_nand_device_ready(struct nand_chip *nand_chip)
+ return 0;
+ }
+
+-static irqreturn_t lpc3xxx_nand_irq(int irq, struct lpc32xx_nand_host *host)
++static irqreturn_t lpc3xxx_nand_irq(int irq, void *data)
+ {
++ struct lpc32xx_nand_host *host = data;
+ uint8_t sr;
+
+ /* Clear interrupt flag by reading status */
+@@ -780,7 +781,7 @@ static int lpc32xx_nand_probe(struct platform_device *pdev)
+ goto release_dma_chan;
+ }
+
+- if (request_irq(host->irq, (irq_handler_t)&lpc3xxx_nand_irq,
++ if (request_irq(host->irq, &lpc3xxx_nand_irq,
+ IRQF_TRIGGER_HIGH, DRV_NAME, host)) {
+ dev_err(&pdev->dev, "Error requesting NAND IRQ\n");
+ res = -ENXIO;
+--
+2.43.0
+
--- /dev/null
+From db6e7425d18a3598d7e45f088eae3104de581a8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Feb 2024 20:25:38 -0800
+Subject: nbd: null check for nla_nest_start
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d ]
+
+nla_nest_start() may fail and return NULL. Insert a check and set errno
+based on other call sites within the same source code.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Fixes: 47d902b90a32 ("nbd: add a status netlink command")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20240218042534.it.206-kees@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index e0f805ca0e727..d6e3edb404748 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -2339,6 +2339,12 @@ static int nbd_genl_status(struct sk_buff *skb, struct genl_info *info)
+ }
+
+ dev_list = nla_nest_start_noflag(reply, NBD_ATTR_DEVICE_LIST);
++ if (!dev_list) {
++ nlmsg_free(reply);
++ ret = -EMSGSIZE;
++ goto out;
++ }
++
+ if (index == -1) {
+ ret = idr_for_each(&nbd_index_idr, &status_cb, reply);
+ if (ret) {
+--
+2.43.0
+
--- /dev/null
+From 4758e7518a6fc28b9f6b0990808d2297ead09db0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 07:13:29 -0800
+Subject: net: blackhole_dev: fix build warning for ethh set but not used
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 843a8851e89e2e85db04caaf88d8554818319047 ]
+
+lib/test_blackhole_dev.c sets a variable that is never read, causing
+this following building warning:
+
+ lib/test_blackhole_dev.c:32:17: warning: variable 'ethh' set but not used [-Wunused-but-set-variable]
+
+Remove the variable struct ethhdr *ethh, which is unused.
+
+Fixes: 509e56b37cc3 ("blackhole_dev: add a selftest")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_blackhole_dev.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/test_blackhole_dev.c b/lib/test_blackhole_dev.c
+index 4c40580a99a36..f247089d63c08 100644
+--- a/lib/test_blackhole_dev.c
++++ b/lib/test_blackhole_dev.c
+@@ -29,7 +29,6 @@ static int __init test_blackholedev_init(void)
+ {
+ struct ipv6hdr *ip6h;
+ struct sk_buff *skb;
+- struct ethhdr *ethh;
+ struct udphdr *uh;
+ int data_len;
+ int ret;
+@@ -61,7 +60,7 @@ static int __init test_blackholedev_init(void)
+ ip6h->saddr = in6addr_loopback;
+ ip6h->daddr = in6addr_loopback;
+ /* Ether */
+- ethh = (struct ethhdr *)skb_push(skb, sizeof(struct ethhdr));
++ skb_push(skb, sizeof(struct ethhdr));
+ skb_set_mac_header(skb, 0);
+
+ skb->protocol = htons(ETH_P_IPV6);
+--
+2.43.0
+
--- /dev/null
+From 6b50d075d284a782a412dcddb54181a5fd75110c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 17:31:04 -0500
+Subject: net: ena: Remove ena_select_queue
+
+From: Kamal Heib <kheib@redhat.com>
+
+[ Upstream commit 78e886ba2b549945ecada055ee0765f0ded5707a ]
+
+Avoid the following warnings by removing the ena_select_queue() function
+and rely on the net core to do the queue selection, The issue happen
+when an skb received from an interface with more queues than ena is
+forwarded to the ena interface.
+
+[ 1176.159959] eth0 selects TX queue 11, but real number of TX queues is 8
+[ 1176.863976] eth0 selects TX queue 14, but real number of TX queues is 8
+[ 1180.767877] eth0 selects TX queue 14, but real number of TX queues is 8
+[ 1188.703742] eth0 selects TX queue 14, but real number of TX queues is 8
+
+Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Kamal Heib <kheib@redhat.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index e13ae04d2f0fd..fa65971949fce 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -3057,22 +3057,6 @@ static netdev_tx_t ena_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ return NETDEV_TX_OK;
+ }
+
+-static u16 ena_select_queue(struct net_device *dev, struct sk_buff *skb,
+- struct net_device *sb_dev)
+-{
+- u16 qid;
+- /* we suspect that this is good for in--kernel network services that
+- * want to loop incoming skb rx to tx in normal user generated traffic,
+- * most probably we will not get to this
+- */
+- if (skb_rx_queue_recorded(skb))
+- qid = skb_get_rx_queue(skb);
+- else
+- qid = netdev_pick_tx(dev, skb, NULL);
+-
+- return qid;
+-}
+-
+ static void ena_config_host_info(struct ena_com_dev *ena_dev, struct pci_dev *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -3242,7 +3226,6 @@ static const struct net_device_ops ena_netdev_ops = {
+ .ndo_open = ena_open,
+ .ndo_stop = ena_close,
+ .ndo_start_xmit = ena_start_xmit,
+- .ndo_select_queue = ena_select_queue,
+ .ndo_get_stats64 = ena_get_stats64,
+ .ndo_tx_timeout = ena_tx_timeout,
+ .ndo_change_mtu = ena_change_mtu,
+--
+2.43.0
+
--- /dev/null
+From 42af2890e160e7784f0c81867dc684d781712d2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 09:01:14 +0800
+Subject: net: hns3: fix port duplex configure error in IMP reset
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 11d80f79dd9f871a52feba4bf24b5ac39f448eb7 ]
+
+Currently, the mac port is fixed to configured as full dplex mode in
+hclge_mac_init() when driver initialization or reset restore. Users may
+change the mode to half duplex with ethtool, so it may cause the user
+configuration dropped after reset.
+
+To fix it, don't change the duplex mode when resetting.
+
+Fixes: 2d03eacc0b7e ("net: hns3: Only update mac configuation when necessary")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index deba485ced1bd..c14c391a0cec6 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -2723,7 +2723,10 @@ static int hclge_mac_init(struct hclge_dev *hdev)
+ int ret;
+
+ hdev->support_sfp_query = true;
+- hdev->hw.mac.duplex = HCLGE_MAC_FULL;
++
++ if (!test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state))
++ hdev->hw.mac.duplex = HCLGE_MAC_FULL;
++
+ ret = hclge_cfg_mac_speed_dup_hw(hdev, hdev->hw.mac.speed,
+ hdev->hw.mac.duplex);
+ if (ret)
+--
+2.43.0
+
--- /dev/null
+From 62800e9dda89f136f939bd977d527e1e68019fb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 10:07:16 +0000
+Subject: net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b0ec2abf98267f14d032102551581c833b0659d3 ]
+
+Apply the same fix than ones found in :
+
+8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()")
+
+We have to save skb->network_header in a temporary variable
+in order to be able to recompute the network_header pointer
+after a pskb_inet_may_pull() call.
+
+pskb_inet_may_pull() makes sure the needed headers are in skb->head.
+
+syzbot reported:
+BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
+ BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
+ ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
+ __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389
+ ipgre_rcv net/ipv4/ip_gre.c:411 [inline]
+ gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447
+ gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163
+ ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
+ ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
+ dst_input include/net/dst.h:461 [inline]
+ ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
+ __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
+ __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
+ netif_receive_skb_internal net/core/dev.c:5734 [inline]
+ netif_receive_skb+0x58/0x660 net/core/dev.c:5793
+ tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556
+ tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009
+ tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
+ call_write_iter include/linux/fs.h:2087 [inline]
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0xb6b/0x1520 fs/read_write.c:590
+ ksys_write+0x20f/0x4c0 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __x64_sys_write+0x93/0xd0 fs/read_write.c:652
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590
+ alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
+ alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204
+ skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909
+ tun_build_skb drivers/net/tun.c:1686 [inline]
+ tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826
+ tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
+ call_write_iter include/linux/fs.h:2087 [inline]
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0xb6b/0x1520 fs/read_write.c:590
+ ksys_write+0x20f/0x4c0 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __x64_sys_write+0x93/0xd0 fs/read_write.c:652
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_tunnel.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index 50f8231e9daec..0953d805cbbee 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -364,7 +364,7 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
+ bool log_ecn_error)
+ {
+ const struct iphdr *iph = ip_hdr(skb);
+- int err;
++ int nh, err;
+
+ #ifdef CONFIG_NET_IPGRE_BROADCAST
+ if (ipv4_is_multicast(iph->daddr)) {
+@@ -390,8 +390,21 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
+ tunnel->i_seqno = ntohl(tpi->seq) + 1;
+ }
+
++ /* Save offset of outer header relative to skb->head,
++ * because we are going to reset the network header to the inner header
++ * and might change skb->head.
++ */
++ nh = skb_network_header(skb) - skb->head;
++
+ skb_set_network_header(skb, (tunnel->dev->type == ARPHRD_ETHER) ? ETH_HLEN : 0);
+
++ if (!pskb_inet_may_pull(skb)) {
++ DEV_STATS_INC(tunnel->dev, rx_length_errors);
++ DEV_STATS_INC(tunnel->dev, rx_errors);
++ goto drop;
++ }
++ iph = (struct iphdr *)(skb->head + nh);
++
+ err = IP_ECN_decapsulate(iph, skb);
+ if (unlikely(err)) {
+ if (log_ecn_error)
+--
+2.43.0
+
--- /dev/null
+From a3bfeae678c4101d4302ce962a218e96a79f021f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 15:45:36 -0500
+Subject: net/ipv4/ipv6: Replace one-element arraya with flexible-array members
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit db243b796439c0caba47865564d8acd18a301d18 ]
+
+There is a regular need in the kernel to provide a way to declare having
+a dynamically sized set of trailing elements in a structure. Kernel code
+should always use “flexible array members”[1] for these cases. The older
+style of one-element or zero-length arrays should no longer be used[2].
+
+Use an anonymous union with a couple of anonymous structs in order to
+keep userspace unchanged and refactor the related code accordingly:
+
+$ pahole -C group_filter net/ipv4/ip_sockglue.o
+struct group_filter {
+ union {
+ struct {
+ __u32 gf_interface_aux; /* 0 4 */
+
+ /* XXX 4 bytes hole, try to pack */
+
+ struct __kernel_sockaddr_storage gf_group_aux; /* 8 128 */
+ /* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */
+ __u32 gf_fmode_aux; /* 136 4 */
+ __u32 gf_numsrc_aux; /* 140 4 */
+ struct __kernel_sockaddr_storage gf_slist[1]; /* 144 128 */
+ }; /* 0 272 */
+ struct {
+ __u32 gf_interface; /* 0 4 */
+
+ /* XXX 4 bytes hole, try to pack */
+
+ struct __kernel_sockaddr_storage gf_group; /* 8 128 */
+ /* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */
+ __u32 gf_fmode; /* 136 4 */
+ __u32 gf_numsrc; /* 140 4 */
+ struct __kernel_sockaddr_storage gf_slist_flex[0]; /* 144 0 */
+ }; /* 0 144 */
+ }; /* 0 272 */
+
+ /* size: 272, cachelines: 5, members: 1 */
+ /* last cacheline: 16 bytes */
+};
+
+$ pahole -C compat_group_filter net/ipv4/ip_sockglue.o
+struct compat_group_filter {
+ union {
+ struct {
+ __u32 gf_interface_aux; /* 0 4 */
+ struct __kernel_sockaddr_storage gf_group_aux __attribute__((__aligned__(4))); /* 4 128 */
+ /* --- cacheline 2 boundary (128 bytes) was 4 bytes ago --- */
+ __u32 gf_fmode_aux; /* 132 4 */
+ __u32 gf_numsrc_aux; /* 136 4 */
+ struct __kernel_sockaddr_storage gf_slist[1] __attribute__((__aligned__(4))); /* 140 128 */
+ } __attribute__((__packed__)) __attribute__((__aligned__(4))); /* 0 268 */
+ struct {
+ __u32 gf_interface; /* 0 4 */
+ struct __kernel_sockaddr_storage gf_group __attribute__((__aligned__(4))); /* 4 128 */
+ /* --- cacheline 2 boundary (128 bytes) was 4 bytes ago --- */
+ __u32 gf_fmode; /* 132 4 */
+ __u32 gf_numsrc; /* 136 4 */
+ struct __kernel_sockaddr_storage gf_slist_flex[0] __attribute__((__aligned__(4))); /* 140 0 */
+ } __attribute__((__packed__)) __attribute__((__aligned__(4))); /* 0 140 */
+ } __attribute__((__aligned__(1))); /* 0 268 */
+
+ /* size: 268, cachelines: 5, members: 1 */
+ /* forced alignments: 1 */
+ /* last cacheline: 12 bytes */
+} __attribute__((__packed__));
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+[1] https://en.wikipedia.org/wiki/Flexible_array_member
+[2] https://www.kernel.org/doc/html/v5.10/process/deprecated.html#zero-length-and-one-element-arrays
+
+Link: https://github.com/KSPP/linux/issues/79
+Link: https://github.com/KSPP/linux/issues/109
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5c3be3e0eb44 ("ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/compat.h | 27 ++++++++++++++++++++-------
+ include/uapi/linux/in.h | 21 ++++++++++++++++-----
+ net/ipv4/ip_sockglue.c | 19 ++++++++++---------
+ net/ipv6/ipv6_sockglue.c | 18 +++++++++---------
+ 4 files changed, 55 insertions(+), 30 deletions(-)
+
+diff --git a/include/net/compat.h b/include/net/compat.h
+index 745db0d605b62..52bf5f0ee236b 100644
+--- a/include/net/compat.h
++++ b/include/net/compat.h
+@@ -81,13 +81,26 @@ struct compat_group_source_req {
+ } __packed;
+
+ struct compat_group_filter {
+- __u32 gf_interface;
+- struct __kernel_sockaddr_storage gf_group
+- __aligned(4);
+- __u32 gf_fmode;
+- __u32 gf_numsrc;
+- struct __kernel_sockaddr_storage gf_slist[1]
+- __aligned(4);
++ union {
++ struct {
++ __u32 gf_interface_aux;
++ struct __kernel_sockaddr_storage gf_group_aux
++ __aligned(4);
++ __u32 gf_fmode_aux;
++ __u32 gf_numsrc_aux;
++ struct __kernel_sockaddr_storage gf_slist[1]
++ __aligned(4);
++ } __packed;
++ struct {
++ __u32 gf_interface;
++ struct __kernel_sockaddr_storage gf_group
++ __aligned(4);
++ __u32 gf_fmode;
++ __u32 gf_numsrc;
++ struct __kernel_sockaddr_storage gf_slist_flex[]
++ __aligned(4);
++ } __packed;
++ };
+ } __packed;
+
+ #endif /* NET_COMPAT_H */
+diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h
+index 066098a5b9360..c4702fff64d3a 100644
+--- a/include/uapi/linux/in.h
++++ b/include/uapi/linux/in.h
+@@ -224,11 +224,22 @@ struct group_source_req {
+ };
+
+ struct group_filter {
+- __u32 gf_interface; /* interface index */
+- struct __kernel_sockaddr_storage gf_group; /* multicast address */
+- __u32 gf_fmode; /* filter mode */
+- __u32 gf_numsrc; /* number of sources */
+- struct __kernel_sockaddr_storage gf_slist[1]; /* interface index */
++ union {
++ struct {
++ __u32 gf_interface_aux; /* interface index */
++ struct __kernel_sockaddr_storage gf_group_aux; /* multicast address */
++ __u32 gf_fmode_aux; /* filter mode */
++ __u32 gf_numsrc_aux; /* number of sources */
++ struct __kernel_sockaddr_storage gf_slist[1]; /* interface index */
++ };
++ struct {
++ __u32 gf_interface; /* interface index */
++ struct __kernel_sockaddr_storage gf_group; /* multicast address */
++ __u32 gf_fmode; /* filter mode */
++ __u32 gf_numsrc; /* number of sources */
++ struct __kernel_sockaddr_storage gf_slist_flex[]; /* interface index */
++ };
++ };
+ };
+
+ #define GROUP_FILTER_SIZE(numsrc) \
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 28b9b2e85f0be..9bea014309ded 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -797,7 +797,8 @@ static int ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, int optlen)
+ goto out_free_gsf;
+
+ err = set_mcast_msfilter(sk, gsf->gf_interface, gsf->gf_numsrc,
+- gsf->gf_fmode, &gsf->gf_group, gsf->gf_slist);
++ gsf->gf_fmode, &gsf->gf_group,
++ gsf->gf_slist_flex);
+ out_free_gsf:
+ kfree(gsf);
+ return err;
+@@ -806,7 +807,7 @@ static int ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, int optlen)
+ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ int optlen)
+ {
+- const int size0 = offsetof(struct compat_group_filter, gf_slist);
++ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex);
+ struct compat_group_filter *gf32;
+ unsigned int n;
+ void *p;
+@@ -820,7 +821,7 @@ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ p = kmalloc(optlen + 4, GFP_KERNEL);
+ if (!p)
+ return -ENOMEM;
+- gf32 = p + 4; /* we want ->gf_group and ->gf_slist aligned */
++ gf32 = p + 4; /* we want ->gf_group and ->gf_slist_flex aligned */
+
+ err = -EFAULT;
+ if (copy_from_sockptr(gf32, optval, optlen))
+@@ -833,7 +834,7 @@ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ goto out_free_gsf;
+
+ err = -EINVAL;
+- if (offsetof(struct compat_group_filter, gf_slist[n]) > optlen)
++ if (offsetof(struct compat_group_filter, gf_slist_flex[n]) > optlen)
+ goto out_free_gsf;
+
+ /* numsrc >= (4G-140)/128 overflow in 32 bits */
+@@ -841,7 +842,7 @@ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ if (n > READ_ONCE(sock_net(sk)->ipv4.sysctl_igmp_max_msf))
+ goto out_free_gsf;
+ err = set_mcast_msfilter(sk, gf32->gf_interface, n, gf32->gf_fmode,
+- &gf32->gf_group, gf32->gf_slist);
++ &gf32->gf_group, gf32->gf_slist_flex);
+ out_free_gsf:
+ kfree(p);
+ return err;
+@@ -1462,7 +1463,7 @@ static bool getsockopt_needs_rtnl(int optname)
+ static int ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+ int __user *optlen, int len)
+ {
+- const int size0 = offsetof(struct group_filter, gf_slist);
++ const int size0 = offsetof(struct group_filter, gf_slist_flex);
+ struct group_filter __user *p = optval;
+ struct group_filter gsf;
+ int num;
+@@ -1474,7 +1475,7 @@ static int ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+ return -EFAULT;
+
+ num = gsf.gf_numsrc;
+- err = ip_mc_gsfget(sk, &gsf, p->gf_slist);
++ err = ip_mc_gsfget(sk, &gsf, p->gf_slist_flex);
+ if (err)
+ return err;
+ if (gsf.gf_numsrc < num)
+@@ -1488,7 +1489,7 @@ static int ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+ static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+ int __user *optlen, int len)
+ {
+- const int size0 = offsetof(struct compat_group_filter, gf_slist);
++ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex);
+ struct compat_group_filter __user *p = optval;
+ struct compat_group_filter gf32;
+ struct group_filter gf;
+@@ -1505,7 +1506,7 @@ static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval,
+ num = gf.gf_numsrc = gf32.gf_numsrc;
+ gf.gf_group = gf32.gf_group;
+
+- err = ip_mc_gsfget(sk, &gf, p->gf_slist);
++ err = ip_mc_gsfget(sk, &gf, p->gf_slist_flex);
+ if (err)
+ return err;
+ if (gf.gf_numsrc < num)
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 7b4b457a8b87a..0ac527cd5d56d 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -225,7 +225,7 @@ static int ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ if (GROUP_FILTER_SIZE(gsf->gf_numsrc) > optlen)
+ goto out_free_gsf;
+
+- ret = ip6_mc_msfilter(sk, gsf, gsf->gf_slist);
++ ret = ip6_mc_msfilter(sk, gsf, gsf->gf_slist_flex);
+ out_free_gsf:
+ kfree(gsf);
+ return ret;
+@@ -234,7 +234,7 @@ static int ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ static int compat_ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ int optlen)
+ {
+- const int size0 = offsetof(struct compat_group_filter, gf_slist);
++ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex);
+ struct compat_group_filter *gf32;
+ void *p;
+ int ret;
+@@ -249,7 +249,7 @@ static int compat_ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ if (!p)
+ return -ENOMEM;
+
+- gf32 = p + 4; /* we want ->gf_group and ->gf_slist aligned */
++ gf32 = p + 4; /* we want ->gf_group and ->gf_slist_flex aligned */
+ ret = -EFAULT;
+ if (copy_from_sockptr(gf32, optval, optlen))
+ goto out_free_p;
+@@ -261,14 +261,14 @@ static int compat_ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
+ goto out_free_p;
+
+ ret = -EINVAL;
+- if (offsetof(struct compat_group_filter, gf_slist[n]) > optlen)
++ if (offsetof(struct compat_group_filter, gf_slist_flex[n]) > optlen)
+ goto out_free_p;
+
+ ret = ip6_mc_msfilter(sk, &(struct group_filter){
+ .gf_interface = gf32->gf_interface,
+ .gf_group = gf32->gf_group,
+ .gf_fmode = gf32->gf_fmode,
+- .gf_numsrc = gf32->gf_numsrc}, gf32->gf_slist);
++ .gf_numsrc = gf32->gf_numsrc}, gf32->gf_slist_flex);
+
+ out_free_p:
+ kfree(p);
+@@ -1051,7 +1051,7 @@ static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
+ static int ipv6_get_msfilter(struct sock *sk, void __user *optval,
+ int __user *optlen, int len)
+ {
+- const int size0 = offsetof(struct group_filter, gf_slist);
++ const int size0 = offsetof(struct group_filter, gf_slist_flex);
+ struct group_filter __user *p = optval;
+ struct group_filter gsf;
+ int num;
+@@ -1065,7 +1065,7 @@ static int ipv6_get_msfilter(struct sock *sk, void __user *optval,
+ return -EADDRNOTAVAIL;
+ num = gsf.gf_numsrc;
+ lock_sock(sk);
+- err = ip6_mc_msfget(sk, &gsf, p->gf_slist);
++ err = ip6_mc_msfget(sk, &gsf, p->gf_slist_flex);
+ if (!err) {
+ if (num > gsf.gf_numsrc)
+ num = gsf.gf_numsrc;
+@@ -1080,7 +1080,7 @@ static int ipv6_get_msfilter(struct sock *sk, void __user *optval,
+ static int compat_ipv6_get_msfilter(struct sock *sk, void __user *optval,
+ int __user *optlen)
+ {
+- const int size0 = offsetof(struct compat_group_filter, gf_slist);
++ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex);
+ struct compat_group_filter __user *p = optval;
+ struct compat_group_filter gf32;
+ struct group_filter gf;
+@@ -1103,7 +1103,7 @@ static int compat_ipv6_get_msfilter(struct sock *sk, void __user *optval,
+ return -EADDRNOTAVAIL;
+
+ lock_sock(sk);
+- err = ip6_mc_msfget(sk, &gf, p->gf_slist);
++ err = ip6_mc_msfget(sk, &gf, p->gf_slist_flex);
+ release_sock(sk);
+ if (err)
+ return err;
+--
+2.43.0
+
--- /dev/null
+From e4b1b58d8759210a2dedfa5817b2ba7088c6dc39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jul 2021 12:08:30 -0500
+Subject: net/ipv4: Replace one-element array with flexible-array member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 2d3e5caf96b9449af951e63476657acd759c1a30 ]
+
+There is a regular need in the kernel to provide a way to declare having
+a dynamically sized set of trailing elements in a structure. Kernel code
+should always use “flexible array members”[1] for these cases. The older
+style of one-element or zero-length arrays should no longer be used[2].
+
+Use an anonymous union with a couple of anonymous structs in order to
+keep userspace unchanged:
+
+$ pahole -C ip_msfilter net/ipv4/ip_sockglue.o
+struct ip_msfilter {
+ union {
+ struct {
+ __be32 imsf_multiaddr_aux; /* 0 4 */
+ __be32 imsf_interface_aux; /* 4 4 */
+ __u32 imsf_fmode_aux; /* 8 4 */
+ __u32 imsf_numsrc_aux; /* 12 4 */
+ __be32 imsf_slist[1]; /* 16 4 */
+ }; /* 0 20 */
+ struct {
+ __be32 imsf_multiaddr; /* 0 4 */
+ __be32 imsf_interface; /* 4 4 */
+ __u32 imsf_fmode; /* 8 4 */
+ __u32 imsf_numsrc; /* 12 4 */
+ __be32 imsf_slist_flex[0]; /* 16 0 */
+ }; /* 0 16 */
+ }; /* 0 20 */
+
+ /* size: 20, cachelines: 1, members: 1 */
+ /* last cacheline: 20 bytes */
+};
+
+Also, refactor the code accordingly and make use of the struct_size()
+and flex_array_size() helpers.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+[1] https://en.wikipedia.org/wiki/Flexible_array_member
+[2] https://www.kernel.org/doc/html/v5.10/process/deprecated.html#zero-length-and-one-element-arrays
+
+Link: https://github.com/KSPP/linux/issues/79
+Link: https://github.com/KSPP/linux/issues/109
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5c3be3e0eb44 ("ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/in.h | 21 ++++++++++++++++-----
+ net/ipv4/igmp.c | 12 ++++++------
+ net/ipv4/ip_sockglue.c | 15 ++++++++-------
+ 3 files changed, 30 insertions(+), 18 deletions(-)
+
+diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h
+index 3960bc3da6b30..066098a5b9360 100644
+--- a/include/uapi/linux/in.h
++++ b/include/uapi/linux/in.h
+@@ -190,11 +190,22 @@ struct ip_mreq_source {
+ };
+
+ struct ip_msfilter {
+- __be32 imsf_multiaddr;
+- __be32 imsf_interface;
+- __u32 imsf_fmode;
+- __u32 imsf_numsrc;
+- __be32 imsf_slist[1];
++ union {
++ struct {
++ __be32 imsf_multiaddr_aux;
++ __be32 imsf_interface_aux;
++ __u32 imsf_fmode_aux;
++ __u32 imsf_numsrc_aux;
++ __be32 imsf_slist[1];
++ };
++ struct {
++ __be32 imsf_multiaddr;
++ __be32 imsf_interface;
++ __u32 imsf_fmode;
++ __u32 imsf_numsrc;
++ __be32 imsf_slist_flex[];
++ };
++ };
+ };
+
+ #define IP_MSFILTER_SIZE(numsrc) \
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index cb55fede03c04..134f1682a7e9b 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -2493,8 +2493,8 @@ int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf, int ifindex)
+ goto done;
+ }
+ newpsl->sl_max = newpsl->sl_count = msf->imsf_numsrc;
+- memcpy(newpsl->sl_addr, msf->imsf_slist,
+- msf->imsf_numsrc * sizeof(msf->imsf_slist[0]));
++ memcpy(newpsl->sl_addr, msf->imsf_slist_flex,
++ flex_array_size(msf, imsf_slist_flex, msf->imsf_numsrc));
+ err = ip_mc_add_src(in_dev, &msf->imsf_multiaddr,
+ msf->imsf_fmode, newpsl->sl_count, newpsl->sl_addr, 0);
+ if (err) {
+@@ -2571,14 +2571,14 @@ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf,
+ count = psl->sl_count;
+ }
+ copycount = count < msf->imsf_numsrc ? count : msf->imsf_numsrc;
+- len = copycount * sizeof(psl->sl_addr[0]);
++ len = flex_array_size(psl, sl_addr, copycount);
+ msf->imsf_numsrc = count;
+- if (put_user(IP_MSFILTER_SIZE(copycount), optlen) ||
+- copy_to_user(optval, msf, IP_MSFILTER_SIZE(0))) {
++ if (put_user(struct_size(optval, imsf_slist_flex, copycount), optlen) ||
++ copy_to_user(optval, msf, struct_size(optval, imsf_slist_flex, 0))) {
+ return -EFAULT;
+ }
+ if (len &&
+- copy_to_user(&optval->imsf_slist[0], psl->sl_addr, len))
++ copy_to_user(&optval->imsf_slist_flex[0], psl->sl_addr, len))
+ return -EFAULT;
+ return 0;
+ done:
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 1b35afd326b8d..2cfc507712300 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -670,12 +670,11 @@ static int set_mcast_msfilter(struct sock *sk, int ifindex,
+ struct sockaddr_storage *group,
+ struct sockaddr_storage *list)
+ {
+- int msize = IP_MSFILTER_SIZE(numsrc);
+ struct ip_msfilter *msf;
+ struct sockaddr_in *psin;
+ int err, i;
+
+- msf = kmalloc(msize, GFP_KERNEL);
++ msf = kmalloc(struct_size(msf, imsf_slist_flex, numsrc), GFP_KERNEL);
+ if (!msf)
+ return -ENOBUFS;
+
+@@ -691,7 +690,7 @@ static int set_mcast_msfilter(struct sock *sk, int ifindex,
+
+ if (psin->sin_family != AF_INET)
+ goto Eaddrnotavail;
+- msf->imsf_slist[i] = psin->sin_addr.s_addr;
++ msf->imsf_slist_flex[i] = psin->sin_addr.s_addr;
+ }
+ err = ip_mc_msfilter(sk, msf, ifindex);
+ kfree(msf);
+@@ -1236,7 +1235,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname,
+ {
+ struct ip_msfilter *msf;
+
+- if (optlen < IP_MSFILTER_SIZE(0))
++ if (optlen < struct_size(msf, imsf_slist_flex, 0))
+ goto e_inval;
+ if (optlen > READ_ONCE(sysctl_optmem_max)) {
+ err = -ENOBUFS;
+@@ -1254,7 +1253,8 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname,
+ err = -ENOBUFS;
+ break;
+ }
+- if (IP_MSFILTER_SIZE(msf->imsf_numsrc) > optlen) {
++ if (struct_size(msf, imsf_slist_flex, msf->imsf_numsrc) >
++ optlen) {
+ kfree(msf);
+ err = -EINVAL;
+ break;
+@@ -1667,11 +1667,12 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ {
+ struct ip_msfilter msf;
+
+- if (len < IP_MSFILTER_SIZE(0)) {
++ if (len < struct_size(&msf, imsf_slist_flex, 0)) {
+ err = -EINVAL;
+ goto out;
+ }
+- if (copy_from_user(&msf, optval, IP_MSFILTER_SIZE(0))) {
++ if (copy_from_user(&msf, optval,
++ struct_size(&msf, imsf_slist_flex, 0))) {
+ err = -EFAULT;
+ goto out;
+ }
+--
+2.43.0
+
--- /dev/null
+From 2374687a2fd9982fe6edc38927565b7e97f1d03a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 13:23:25 -0500
+Subject: net/ipv4: Revert use of struct_size() helper
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 4167a960574fcadc9067f4280951a35b8c021c68 ]
+
+Revert the use of structr_size() and stay with IP_MSFILTER_SIZE() for
+now, as in this case, the size of struct ip_msfilter didn't change with
+the addition of the flexible array imsf_slist_flex[]. So, if we use
+struct_size() we will be allocating and calculating the size of
+struct ip_msfilter with one too many items for imsf_slist_flex[].
+
+We might use struct_size() in the future, but for now let's stay
+with IP_MSFILTER_SIZE().
+
+Fixes: 2d3e5caf96b9 ("net/ipv4: Replace one-element array with flexible-array member")
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5c3be3e0eb44 ("ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 4 ++--
+ net/ipv4/ip_sockglue.c | 12 +++++-------
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 134f1682a7e9b..4ba1c92fb3524 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -2573,8 +2573,8 @@ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf,
+ copycount = count < msf->imsf_numsrc ? count : msf->imsf_numsrc;
+ len = flex_array_size(psl, sl_addr, copycount);
+ msf->imsf_numsrc = count;
+- if (put_user(struct_size(optval, imsf_slist_flex, copycount), optlen) ||
+- copy_to_user(optval, msf, struct_size(optval, imsf_slist_flex, 0))) {
++ if (put_user(IP_MSFILTER_SIZE(copycount), optlen) ||
++ copy_to_user(optval, msf, IP_MSFILTER_SIZE(0))) {
+ return -EFAULT;
+ }
+ if (len &&
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 2cfc507712300..28b9b2e85f0be 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -674,7 +674,7 @@ static int set_mcast_msfilter(struct sock *sk, int ifindex,
+ struct sockaddr_in *psin;
+ int err, i;
+
+- msf = kmalloc(struct_size(msf, imsf_slist_flex, numsrc), GFP_KERNEL);
++ msf = kmalloc(IP_MSFILTER_SIZE(numsrc), GFP_KERNEL);
+ if (!msf)
+ return -ENOBUFS;
+
+@@ -1235,7 +1235,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname,
+ {
+ struct ip_msfilter *msf;
+
+- if (optlen < struct_size(msf, imsf_slist_flex, 0))
++ if (optlen < IP_MSFILTER_SIZE(0))
+ goto e_inval;
+ if (optlen > READ_ONCE(sysctl_optmem_max)) {
+ err = -ENOBUFS;
+@@ -1253,8 +1253,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname,
+ err = -ENOBUFS;
+ break;
+ }
+- if (struct_size(msf, imsf_slist_flex, msf->imsf_numsrc) >
+- optlen) {
++ if (IP_MSFILTER_SIZE(msf->imsf_numsrc) > optlen) {
+ kfree(msf);
+ err = -EINVAL;
+ break;
+@@ -1667,12 +1666,11 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+ {
+ struct ip_msfilter msf;
+
+- if (len < struct_size(&msf, imsf_slist_flex, 0)) {
++ if (len < IP_MSFILTER_SIZE(0)) {
+ err = -EINVAL;
+ goto out;
+ }
+- if (copy_from_user(&msf, optval,
+- struct_size(&msf, imsf_slist_flex, 0))) {
++ if (copy_from_user(&msf, optval, IP_MSFILTER_SIZE(0))) {
+ err = -EFAULT;
+ goto out;
+ }
+--
+2.43.0
+
--- /dev/null
+From 42c1895b5a118d06d9839c6a0f81fa4130431072 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 14:23:50 +0000
+Subject: net: kcm: fix incorrect parameter validation in the kcm_getsockopt)
+ function
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 3ed5f415133f9b7518fbe55ba9ae9a3f5e700929 ]
+
+The 'len' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'len' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 39b3c7fbf9f66..7420b4f19b45e 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1275,10 +1275,11 @@ static int kcm_getsockopt(struct socket *sock, int level, int optname,
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+- len = min_t(unsigned int, len, sizeof(int));
+ if (len < 0)
+ return -EINVAL;
+
++ len = min_t(unsigned int, len, sizeof(int));
++
+ switch (optname) {
+ case KCM_RECV_DISABLE:
+ val = kcm->rx_disabled;
+--
+2.43.0
+
--- /dev/null
+From e19b5973b60a45519fd8a3ad1e623c077eeaba3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 May 2022 01:58:46 +0200
+Subject: net: phy: DP83822: enable rgmii mode if phy_interface_is_rgmii
+
+From: Tommaso Merciai <tommaso.merciai@amarulasolutions.com>
+
+[ Upstream commit 621427fbdada788f18f77238e1c36f463c2cb9d1 ]
+
+RGMII mode can be enable from dp83822 straps, and also writing bit 9
+of register 0x17 - RMII and Status Register (RCSR).
+When phy_interface_is_rgmii rgmii mode must be enabled, same for
+contrary, this prevents malconfigurations of hw straps
+
+References:
+ - https://www.ti.com/lit/gpn/dp83822i p66
+
+Signed-off-by: Tommaso Merciai <tommaso.merciai@amarulasolutions.com>
+Co-developed-by: Michael Trimarchi <michael@amarulasolutions.com>
+Suggested-by: Alberto Bianchi <alberto.bianchi@amarulasolutions.com>
+Tested-by: Tommaso Merciai <tommaso.merciai@amarulasolutions.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: c8a5c731fd12 ("net: phy: dp83822: Fix RGMII TX delay configuration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83822.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c
+index 81412999445d8..dce87589b1120 100644
+--- a/drivers/net/phy/dp83822.c
++++ b/drivers/net/phy/dp83822.c
+@@ -94,7 +94,8 @@
+ #define DP83822_WOL_INDICATION_SEL BIT(8)
+ #define DP83822_WOL_CLR_INDICATION BIT(11)
+
+-/* RSCR bits */
++/* RCSR bits */
++#define DP83822_RGMII_MODE_EN BIT(9)
+ #define DP83822_RX_CLK_SHIFT BIT(12)
+ #define DP83822_TX_CLK_SHIFT BIT(11)
+
+@@ -386,6 +387,12 @@ static int dp83822_config_init(struct phy_device *phydev)
+ if (err)
+ return err;
+ }
++
++ phy_set_bits_mmd(phydev, DP83822_DEVADDR,
++ MII_DP83822_RCSR, DP83822_RGMII_MODE_EN);
++ } else {
++ phy_clear_bits_mmd(phydev, DP83822_DEVADDR,
++ MII_DP83822_RCSR, DP83822_RGMII_MODE_EN);
+ }
+
+ if (dp83822->fx_enabled) {
+--
+2.43.0
+
--- /dev/null
+From 3f463e12e0af57b8c8f23fd1c045397bd2938df7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 12:06:08 +0100
+Subject: net: phy: dp83822: Fix RGMII TX delay configuration
+
+From: Tim Pambor <tp@osasysteme.de>
+
+[ Upstream commit c8a5c731fd1223090af57da33838c671a7fc6a78 ]
+
+The logic for enabling the TX clock shift is inverse of enabling the RX
+clock shift. The TX clock shift is disabled when DP83822_TX_CLK_SHIFT is
+set. Correct the current behavior and always write the delay configuration
+to ensure consistent delay settings regardless of bootloader configuration.
+
+Reference: https://www.ti.com/lit/ds/symlink/dp83822i.pdf p. 69
+
+Fixes: 8095295292b5 ("net: phy: DP83822: Add setting the fixed internal delay")
+Signed-off-by: Tim Pambor <tp@osasysteme.de>
+Link: https://lore.kernel.org/r/20240305110608.104072-1-tp@osasysteme.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83822.c | 37 ++++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c
+index dce87589b1120..14c5e082ccc8f 100644
+--- a/drivers/net/phy/dp83822.c
++++ b/drivers/net/phy/dp83822.c
+@@ -359,7 +359,7 @@ static int dp83822_config_init(struct phy_device *phydev)
+ {
+ struct dp83822_private *dp83822 = phydev->priv;
+ struct device *dev = &phydev->mdio.dev;
+- int rgmii_delay;
++ int rgmii_delay = 0;
+ s32 rx_int_delay;
+ s32 tx_int_delay;
+ int err = 0;
+@@ -369,30 +369,33 @@ static int dp83822_config_init(struct phy_device *phydev)
+ rx_int_delay = phy_get_internal_delay(phydev, dev, NULL, 0,
+ true);
+
+- if (rx_int_delay <= 0)
+- rgmii_delay = 0;
+- else
+- rgmii_delay = DP83822_RX_CLK_SHIFT;
++ /* Set DP83822_RX_CLK_SHIFT to enable rx clk internal delay */
++ if (rx_int_delay > 0)
++ rgmii_delay |= DP83822_RX_CLK_SHIFT;
+
+ tx_int_delay = phy_get_internal_delay(phydev, dev, NULL, 0,
+ false);
++
++ /* Set DP83822_TX_CLK_SHIFT to disable tx clk internal delay */
+ if (tx_int_delay <= 0)
+- rgmii_delay &= ~DP83822_TX_CLK_SHIFT;
+- else
+ rgmii_delay |= DP83822_TX_CLK_SHIFT;
+
+- if (rgmii_delay) {
+- err = phy_set_bits_mmd(phydev, DP83822_DEVADDR,
+- MII_DP83822_RCSR, rgmii_delay);
+- if (err)
+- return err;
+- }
++ err = phy_modify_mmd(phydev, DP83822_DEVADDR, MII_DP83822_RCSR,
++ DP83822_RX_CLK_SHIFT | DP83822_TX_CLK_SHIFT, rgmii_delay);
++ if (err)
++ return err;
++
++ err = phy_set_bits_mmd(phydev, DP83822_DEVADDR,
++ MII_DP83822_RCSR, DP83822_RGMII_MODE_EN);
+
+- phy_set_bits_mmd(phydev, DP83822_DEVADDR,
+- MII_DP83822_RCSR, DP83822_RGMII_MODE_EN);
++ if (err)
++ return err;
+ } else {
+- phy_clear_bits_mmd(phydev, DP83822_DEVADDR,
+- MII_DP83822_RCSR, DP83822_RGMII_MODE_EN);
++ err = phy_clear_bits_mmd(phydev, DP83822_DEVADDR,
++ MII_DP83822_RCSR, DP83822_RGMII_MODE_EN);
++
++ if (err)
++ return err;
+ }
+
+ if (dp83822->fx_enabled) {
+--
+2.43.0
+
--- /dev/null
+From a4d41c0b1e24cc08b6cbdc1a6a260392c9053e5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 12:19:06 +0100
+Subject: net: phy: fix phy_get_internal_delay accessing an empty array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kévin L'hôpital <kevin.lhopital@savoirfairelinux.com>
+
+[ Upstream commit 4469c0c5b14a0919f5965c7ceac96b523eb57b79 ]
+
+The phy_get_internal_delay function could try to access to an empty
+array in the case that the driver is calling phy_get_internal_delay
+without defining delay_values and rx-internal-delay-ps or
+tx-internal-delay-ps is defined to 0 in the device-tree.
+This will lead to "unable to handle kernel NULL pointer dereference at
+virtual address 0". To avoid this kernel oops, the test should be delay
+>= 0. As there is already delay < 0 test just before, the test could
+only be size == 0.
+
+Fixes: 92252eec913b ("net: phy: Add a helper to return the index for of the internal delay")
+Co-developed-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
+Signed-off-by: Enguerrand de Ribaucourt <enguerrand.de-ribaucourt@savoirfairelinux.com>
+Signed-off-by: Kévin L'hôpital <kevin.lhopital@savoirfairelinux.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 095d16ceafcf8..8654e05ddc415 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -2769,7 +2769,7 @@ s32 phy_get_internal_delay(struct phy_device *phydev, struct device *dev,
+ if (delay < 0)
+ return delay;
+
+- if (delay && size == 0)
++ if (size == 0)
+ return delay;
+
+ if (delay < delay_values[0] || delay > delay_values[size - 1]) {
+--
+2.43.0
+
--- /dev/null
+From 26aa46f45f017bc23e3e6a2fbd4e82e8c2709ea0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Oct 2023 23:58:20 +0200
+Subject: net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d6f4de70f73a106986ee315d7d512539f2f3303a ]
+
+The intent is to check if the strings' are truncated or not. So, >= should
+be used instead of >, because strlcat() and snprintf() return the length of
+the output, excluding the trailing NULL.
+
+Fixes: a02d69261134 ("SUNRPC: Provide functions for managing universal addresses")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/addr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c
+index d435bffc61999..97ff11973c493 100644
+--- a/net/sunrpc/addr.c
++++ b/net/sunrpc/addr.c
+@@ -284,10 +284,10 @@ char *rpc_sockaddr2uaddr(const struct sockaddr *sap, gfp_t gfp_flags)
+ }
+
+ if (snprintf(portbuf, sizeof(portbuf),
+- ".%u.%u", port >> 8, port & 0xff) > (int)sizeof(portbuf))
++ ".%u.%u", port >> 8, port & 0xff) >= (int)sizeof(portbuf))
+ return NULL;
+
+- if (strlcat(addrbuf, portbuf, sizeof(addrbuf)) > sizeof(addrbuf))
++ if (strlcat(addrbuf, portbuf, sizeof(addrbuf)) >= sizeof(addrbuf))
+ return NULL;
+
+ return kstrdup(addrbuf, gfp_flags);
+--
+2.43.0
+
--- /dev/null
+From f12b4d205a24729c4d340b85ce7db349667b9852 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 14:23:50 +0000
+Subject: net/x25: fix incorrect parameter validation in the x25_getsockopt()
+ function
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit d6eb8de2015f0c24822e47356f839167ebde2945 ]
+
+The 'len' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'len' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/x25/af_x25.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index 161dc194e6342..a7ecf2956cdd6 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -470,12 +470,12 @@ static int x25_getsockopt(struct socket *sock, int level, int optname,
+ if (get_user(len, optlen))
+ goto out;
+
+- len = min_t(unsigned int, len, sizeof(int));
+-
+ rc = -EINVAL;
+ if (len < 0)
+ goto out;
+
++ len = min_t(unsigned int, len, sizeof(int));
++
+ rc = -EFAULT;
+ if (put_user(len, optlen))
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From fd865a5c0b150b861d4f196dba71fe5beeafc5aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Mar 2024 22:25:40 +0800
+Subject: nfp: flower: handle acti_netdevs allocation failure
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 84e95149bd341705f0eca6a7fcb955c548805002 ]
+
+The kmalloc_array() in nfp_fl_lag_do_work() will return null, if
+the physical memory has run out. As a result, if we dereference
+the acti_netdevs, the null pointer dereference bugs will happen.
+
+This patch adds a check to judge whether allocation failure occurs.
+If it happens, the delayed work will be rescheduled and try again.
+
+Fixes: bb9a8d031140 ("nfp: flower: monitor and offload LAG groups")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Louis Peens <louis.peens@corigine.com>
+Link: https://lore.kernel.org/r/20240308142540.9674-1-duoming@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/lag_conf.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c b/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c
+index 63907aeb3884e..3167f9675ae0f 100644
+--- a/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c
+@@ -308,6 +308,11 @@ static void nfp_fl_lag_do_work(struct work_struct *work)
+
+ acti_netdevs = kmalloc_array(entry->slave_cnt,
+ sizeof(*acti_netdevs), GFP_KERNEL);
++ if (!acti_netdevs) {
++ schedule_delayed_work(&lag->work,
++ NFP_FL_LAG_DELAY);
++ continue;
++ }
+
+ /* Include sanity check in the loop. It may be that a bond has
+ * changed between processing the last notification and the
+--
+2.43.0
+
--- /dev/null
+From 2985fa111a80ab8dbd06a8c1fa5c383a288281eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Feb 2024 22:16:53 +0100
+Subject: NFS: Fix an off by one in root_nfs_cat()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 698ad1a538da0b6bf969cfee630b4e3a026afb87 ]
+
+The intent is to check if 'dest' is truncated or not. So, >= should be
+used instead of >, because strlcat() returns the length of 'dest' and 'src'
+excluding the trailing NULL.
+
+Fixes: 56463e50d1fc ("NFS: Use super.c for NFSROOT mount option parsing")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfsroot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfsroot.c b/fs/nfs/nfsroot.c
+index fa148308822cc..c2cf4ff628811 100644
+--- a/fs/nfs/nfsroot.c
++++ b/fs/nfs/nfsroot.c
+@@ -175,10 +175,10 @@ static int __init root_nfs_cat(char *dest, const char *src,
+ size_t len = strlen(dest);
+
+ if (len && dest[len - 1] != ',')
+- if (strlcat(dest, ",", destlen) > destlen)
++ if (strlcat(dest, ",", destlen) >= destlen)
+ return -1;
+
+- if (strlcat(dest, src, destlen) > destlen)
++ if (strlcat(dest, src, destlen) >= destlen)
+ return -1;
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From e203721fed0dd218ffa41af6bf12468e4d6302f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jan 2024 07:51:28 -0700
+Subject: NFSv4.2: fix listxattr maximum XDR buffer size
+
+From: Jorge Mora <jmora1300@gmail.com>
+
+[ Upstream commit bcac8bff90a6ee1629f90669cdb9d28fb86049b0 ]
+
+Switch order of operations to avoid creating a short XDR buffer:
+e.g., buflen = 12, old xdrlen = 12, new xdrlen = 20.
+
+Having a short XDR buffer leads to lxa_maxcount be a few bytes
+less than what is needed to retrieve the whole list when using
+a buflen as returned by a call with size = 0:
+ buflen = listxattr(path, NULL, 0);
+ buf = malloc(buflen);
+ buflen = listxattr(path, buf, buflen);
+
+For a file with one attribute (name = '123456'), the first call
+with size = 0 will return buflen = 12 ('user.123456\x00').
+The second call with size = 12, sends LISTXATTRS with
+lxa_maxcount = 12 + 8 (cookie) + 4 (array count) = 24. The
+XDR buffer needs 8 (cookie) + 4 (array count) + 4 (name count)
++ 6 (name len) + 2 (padding) + 4 (eof) = 28 which is 4 bytes
+shorter than the lxa_maxcount provided in the call.
+
+Fixes: 04a5da690e8f ("NFSv4.2: define limits and sizes for user xattr handling")
+Signed-off-by: Jorge Mora <mora@netapp.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs42.h b/fs/nfs/nfs42.h
+index 0fe5aacbcfdf1..e7192d0eea3de 100644
+--- a/fs/nfs/nfs42.h
++++ b/fs/nfs/nfs42.h
+@@ -54,11 +54,14 @@ int nfs42_proc_removexattr(struct inode *inode, const char *name);
+ * They would be 7 bytes long in the eventual buffer ("user.x\0"), and
+ * 8 bytes long XDR-encoded.
+ *
+- * Include the trailing eof word as well.
++ * Include the trailing eof word as well and make the result a multiple
++ * of 4 bytes.
+ */
+ static inline u32 nfs42_listxattr_xdrsize(u32 buflen)
+ {
+- return ((buflen / (XATTR_USER_PREFIX_LEN + 2)) * 8) + 4;
++ u32 size = 8 * buflen / (XATTR_USER_PREFIX_LEN + 2) + 4;
++
++ return (size + 3) & ~3;
+ }
+ #endif /* CONFIG_NFS_V4_2 */
+ #endif /* __LINUX_FS_NFS_NFS4_2_H */
+--
+2.43.0
+
--- /dev/null
+From 44fca5669b200c61fcb31b92f06a35e87bdd0673 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jan 2024 07:56:12 -0700
+Subject: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102
+
+From: Jorge Mora <jmora1300@gmail.com>
+
+[ Upstream commit 251a658bbfceafb4d58c76b77682c8bf7bcfad65 ]
+
+A call to listxattr() with a buffer size = 0 returns the actual
+size of the buffer needed for a subsequent call. When size > 0,
+nfs4_listxattr() does not return an error because either
+generic_listxattr() or nfs4_listxattr_nfs4_label() consumes
+exactly all the bytes then size is 0 when calling
+nfs4_listxattr_nfs4_user() which then triggers the following
+kernel BUG:
+
+ [ 99.403778] kernel BUG at mm/usercopy.c:102!
+ [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
+ [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1
+ [ 99.415827] Call trace:
+ [ 99.415985] usercopy_abort+0x70/0xa0
+ [ 99.416227] __check_heap_object+0x134/0x158
+ [ 99.416505] check_heap_object+0x150/0x188
+ [ 99.416696] __check_object_size.part.0+0x78/0x168
+ [ 99.416886] __check_object_size+0x28/0x40
+ [ 99.417078] listxattr+0x8c/0x120
+ [ 99.417252] path_listxattr+0x78/0xe0
+ [ 99.417476] __arm64_sys_listxattr+0x28/0x40
+ [ 99.417723] invoke_syscall+0x78/0x100
+ [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0
+ [ 99.418186] do_el0_svc+0x24/0x38
+ [ 99.418376] el0_svc+0x3c/0x110
+ [ 99.418554] el0t_64_sync_handler+0x120/0x130
+ [ 99.418788] el0t_64_sync+0x194/0x198
+ [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)
+
+Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl',
+thus calling lisxattr() with size = 16 will trigger the bug.
+
+Add check on nfs4_listxattr() to return ERANGE error when it is
+called with size > 0 and the return value is greater than size.
+
+Fixes: 012a211abd5d ("NFSv4.2: hook in the user extended attribute handlers")
+Signed-off-by: Jorge Mora <mora@netapp.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 7c3c96ed60853..8e546e6a56198 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -10370,29 +10370,33 @@ const struct nfs4_minor_version_ops *nfs_v4_minor_ops[] = {
+ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
+ {
+ ssize_t error, error2, error3;
++ size_t left = size;
+
+- error = generic_listxattr(dentry, list, size);
++ error = generic_listxattr(dentry, list, left);
+ if (error < 0)
+ return error;
+ if (list) {
+ list += error;
+- size -= error;
++ left -= error;
+ }
+
+- error2 = nfs4_listxattr_nfs4_label(d_inode(dentry), list, size);
++ error2 = nfs4_listxattr_nfs4_label(d_inode(dentry), list, left);
+ if (error2 < 0)
+ return error2;
+
+ if (list) {
+ list += error2;
+- size -= error2;
++ left -= error2;
+ }
+
+- error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, size);
++ error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, left);
+ if (error3 < 0)
+ return error3;
+
+- return error + error2 + error3;
++ error += error2 + error3;
++ if (size && error > size)
++ return -ERANGE;
++ return error;
+ }
+
+ static void nfs4_enable_swap(struct inode *inode)
+--
+2.43.0
+
--- /dev/null
+From 2c9f346c943df30d43a954cddd3be82b75b32239 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:48:28 +0530
+Subject: OPP: debugfs: Fix warning around icc_get_name()
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit 28330ceb953e39880ea77da4895bb902a1244860 ]
+
+If the kernel isn't built with interconnect support, icc_get_name()
+returns NULL and we get following warning:
+
+drivers/opp/debugfs.c: In function 'bw_name_read':
+drivers/opp/debugfs.c:43:42: error: '%.62s' directive argument is null [-Werror=format-overflow=]
+ i = scnprintf(buf, sizeof(buf), "%.62s\n", icc_get_name(path));
+
+Fix it.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202402141313.81ltVF5g-lkp@intel.com/
+Fixes: 0430b1d5704b0 ("opp: Expose bandwidth information via debugfs")
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/opp/debugfs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/opp/debugfs.c b/drivers/opp/debugfs.c
+index 60f4ff8e044d1..016dea5a412be 100644
+--- a/drivers/opp/debugfs.c
++++ b/drivers/opp/debugfs.c
+@@ -36,10 +36,12 @@ static ssize_t bw_name_read(struct file *fp, char __user *userbuf,
+ size_t count, loff_t *ppos)
+ {
+ struct icc_path *path = fp->private_data;
++ const char *name = icc_get_name(path);
+ char buf[64];
+- int i;
++ int i = 0;
+
+- i = scnprintf(buf, sizeof(buf), "%.62s\n", icc_get_name(path));
++ if (name)
++ i = scnprintf(buf, sizeof(buf), "%.62s\n", name);
+
+ return simple_read_from_buffer(userbuf, count, ppos, buf, i);
+ }
+--
+2.43.0
+
--- /dev/null
+From f4be41356780b1c9ccf78b5e533bcf8ce69e5060 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 14:16:34 +0100
+Subject: PCI/AER: Fix rootport attribute paths in ABI docs
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 0e7d29a39a546161ea3a49e8e282a43212d7ff68 ]
+
+The 'aer_stats' directory never made it into the sixth and final revision
+of the series adding the sysfs AER attributes.
+
+Link: https://lore.kernel.org/r/20240202131635.11405-2-johan+linaro@kernel.org
+Link: https://lore.kernel.org/lkml/20180621184822.GB14136@bhelgaas-glaptop.roam.corp.google.com/
+Fixes: 12833017e581 ("PCI/AER: Add sysfs attributes for rootport cumulative stats")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats b/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats
+index 860db53037a58..24087d5fd417a 100644
+--- a/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats
++++ b/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats
+@@ -100,19 +100,19 @@ collectors) that are AER capable. These indicate the number of error messages as
+ device, so these counters include them and are thus cumulative of all the error
+ messages on the PCI hierarchy originating at that root port.
+
+-What: /sys/bus/pci/devices/<dev>/aer_stats/aer_rootport_total_err_cor
++What: /sys/bus/pci/devices/<dev>/aer_rootport_total_err_cor
+ Date: July 2018
+ KernelVersion: 4.19.0
+ Contact: linux-pci@vger.kernel.org, rajatja@google.com
+ Description: Total number of ERR_COR messages reported to rootport.
+
+-What: /sys/bus/pci/devices/<dev>/aer_stats/aer_rootport_total_err_fatal
++What: /sys/bus/pci/devices/<dev>/aer_rootport_total_err_fatal
+ Date: July 2018
+ KernelVersion: 4.19.0
+ Contact: linux-pci@vger.kernel.org, rajatja@google.com
+ Description: Total number of ERR_FATAL messages reported to rootport.
+
+-What: /sys/bus/pci/devices/<dev>/aer_stats/aer_rootport_total_err_nonfatal
++What: /sys/bus/pci/devices/<dev>/aer_rootport_total_err_nonfatal
+ Date: July 2018
+ KernelVersion: 4.19.0
+ Contact: linux-pci@vger.kernel.org, rajatja@google.com
+--
+2.43.0
+
--- /dev/null
+From 2dccacd9b62d873f6e05cbaec88a79b444427f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 13:08:15 +0200
+Subject: PCI/DPC: Print all TLP Prefixes, not just the first
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 6568d82512b0a64809acff3d7a747362fa4288c8 ]
+
+The TLP Prefix Log Register consists of multiple DWORDs (PCIe r6.1 sec
+7.9.14.13) but the loop in dpc_process_rp_pio_error() keeps reading from
+the first DWORD, so we print only the first PIO TLP Prefix (duplicated
+several times), and we never print the second, third, etc., Prefixes.
+
+Add the iteration count based offset calculation into the config read.
+
+Fixes: f20c4ea49ec4 ("PCI/DPC: Add eDPC support")
+Link: https://lore.kernel.org/r/20240118110815.3867-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+[bhelgaas: add user-visible details to commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/dpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c
+index f21d64ae4ffcc..cf0d4ba2e157a 100644
+--- a/drivers/pci/pcie/dpc.c
++++ b/drivers/pci/pcie/dpc.c
+@@ -231,7 +231,7 @@ static void dpc_process_rp_pio_error(struct pci_dev *pdev)
+
+ for (i = 0; i < pdev->dpc_rp_log_size - 5; i++) {
+ pci_read_config_dword(pdev,
+- cap + PCI_EXP_DPC_RP_PIO_TLPPREFIX_LOG, &prefix);
++ cap + PCI_EXP_DPC_RP_PIO_TLPPREFIX_LOG + i * 4, &prefix);
+ pci_err(pdev, "TLP Prefix Header: dw%d, %#010x\n", i, prefix);
+ }
+ clear_status:
+--
+2.43.0
+
--- /dev/null
+From 0c1a0b6916bd37e604e6105e06e1719be6abebae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 20:21:14 +0800
+Subject: PCI: Make pci_dev_is_disconnected() helper public for other drivers
+
+From: Ethan Zhao <haifeng.zhao@linux.intel.com>
+
+[ Upstream commit 39714fd73c6b60a8d27bcc5b431afb0828bf4434 ]
+
+Make pci_dev_is_disconnected() public so that it can be called from
+Intel VT-d driver to quickly fix/workaround the surprise removal
+unplug hang issue for those ATS capable devices on PCIe switch downstream
+hotplug capable ports.
+
+Beside pci_device_is_present() function, this one has no config space
+space access, so is light enough to optimize the normal pure surprise
+removal and safe removal flow.
+
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Tested-by: Haorong Ye <yehaorong@bytedance.com>
+Signed-off-by: Ethan Zhao <haifeng.zhao@linux.intel.com>
+Link: https://lore.kernel.org/r/20240301080727.3529832-2-haifeng.zhao@linux.intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Stable-dep-of: 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.h | 5 -----
+ include/linux/pci.h | 5 +++++
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
+index 72436000ff252..32fa07bfc448e 100644
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -399,11 +399,6 @@ static inline int pci_dev_set_disconnected(struct pci_dev *dev, void *unused)
+ return 0;
+ }
+
+-static inline bool pci_dev_is_disconnected(const struct pci_dev *dev)
+-{
+- return dev->error_state == pci_channel_io_perm_failure;
+-}
+-
+ /* pci_dev priv_flags */
+ #define PCI_DEV_ADDED 0
+ #define PCI_DPC_RECOVERED 1
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 550e1cdb473fa..bf46453475e31 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -2191,6 +2191,11 @@ static inline struct pci_dev *pcie_find_root_port(struct pci_dev *dev)
+ return NULL;
+ }
+
++static inline bool pci_dev_is_disconnected(const struct pci_dev *dev)
++{
++ return dev->error_state == pci_channel_io_perm_failure;
++}
++
+ void pci_request_acs(void);
+ bool pci_acs_enabled(struct pci_dev *pdev, u16 acs_flags);
+ bool pci_acs_path_enabled(struct pci_dev *start,
+--
+2.43.0
+
--- /dev/null
+From 916652cafaa183717295cf9841250145ebfb8599 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 14:28:11 +0100
+Subject: PCI: Mark 3ware-9650SE Root Port Extended Tags as broken
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jörg Wedekind <joerg@wedekind.de>
+
+[ Upstream commit baf67aefbe7d7deafa59ca49612d163f8889934c ]
+
+Per PCIe r6.1, sec 2.2.6.2 and 7.5.3.4, a Requester may not use 8-bit Tags
+unless its Extended Tag Field Enable is set, but all Receivers/Completers
+must handle 8-bit Tags correctly regardless of their Extended Tag Field
+Enable.
+
+Some devices do not handle 8-bit Tags as Completers, so add a quirk for
+them. If we find such a device, we disable Extended Tags for the entire
+hierarchy to make peer-to-peer DMA possible.
+
+The 3ware 9650SE seems to have issues with handling 8-bit tags. Mark it as
+broken.
+
+This fixes PCI Parity Errors like :
+
+ 3w-9xxx: scsi0: ERROR: (0x06:0x000C): PCI Parity Error: clearing.
+ 3w-9xxx: scsi0: ERROR: (0x06:0x000D): PCI Abort: clearing.
+ 3w-9xxx: scsi0: ERROR: (0x06:0x000E): Controller Queue Error: clearing.
+ 3w-9xxx: scsi0: ERROR: (0x06:0x0010): Microcontroller Error: clearing.
+
+Link: https://lore.kernel.org/r/20240219132811.8351-1-joerg@wedekind.de
+Fixes: 60db3a4d8cc9 ("PCI: Enable PCIe Extended Tags if supported")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=202425
+Signed-off-by: Jörg Wedekind <joerg@wedekind.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index b67aea8d8f197..646807a443e2d 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -5364,6 +5364,7 @@ static void quirk_no_ext_tags(struct pci_dev *pdev)
+
+ pci_walk_bus(bridge->bus, pci_configure_extended_tags, NULL);
+ }
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_3WARE, 0x1004, quirk_no_ext_tags);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0132, quirk_no_ext_tags);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0140, quirk_no_ext_tags);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0141, quirk_no_ext_tags);
+--
+2.43.0
+
--- /dev/null
+From 5fbc7c628e8fc16831d4cc0ab1368448e3947607 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Dec 2023 15:30:01 +0100
+Subject: PCI: switchtec: Fix an error handling path in switchtec_pci_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit dec529b0b0572b32f9eb91c882dd1f08ca657efb ]
+
+The commit in Fixes changed the logic on how resources are released and
+introduced a new switchtec_exit_pci() that need to be called explicitly in
+order to undo a corresponding switchtec_init_pci().
+
+This was done in the remove function, but not in the probe.
+
+Fix the probe now.
+
+Fixes: df25461119d9 ("PCI: switchtec: Fix stdev_release() crash after surprise hot remove")
+Link: https://lore.kernel.org/r/01446d2ccb91a578239915812f2b7dfbeb2882af.1703428183.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/switch/switchtec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c
+index 5cea3ad290c54..9aa230c3208ab 100644
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -1615,7 +1615,7 @@ static int switchtec_pci_probe(struct pci_dev *pdev,
+ rc = switchtec_init_isr(stdev);
+ if (rc) {
+ dev_err(&stdev->dev, "failed to init isr.\n");
+- goto err_put;
++ goto err_exit_pci;
+ }
+
+ iowrite32(SWITCHTEC_EVENT_CLEAR |
+@@ -1636,6 +1636,8 @@ static int switchtec_pci_probe(struct pci_dev *pdev,
+
+ err_devadd:
+ stdev_kill(stdev);
++err_exit_pci:
++ switchtec_exit_pci(stdev);
+ err_put:
+ ida_simple_remove(&switchtec_minor_ida, MINOR(stdev->dev.devt));
+ put_device(&stdev->dev);
+--
+2.43.0
+
--- /dev/null
+From e59771c82c0aaea122adc952ec065119fd79ece8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Jan 2024 02:57:56 +0000
+Subject: perf evsel: Fix duplicate initialization of data->id in
+ evsel__parse_sample()
+
+From: Yang Jihong <yangjihong1@huawei.com>
+
+[ Upstream commit 4962aec0d684c8edb14574ccd0da53e4926ff834 ]
+
+data->id has been initialized at line 2362, remove duplicate initialization.
+
+Fixes: 3ad31d8a0df2 ("perf evsel: Centralize perf_sample initialization")
+Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
+Reviewed-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20240127025756.4041808-1-yangjihong1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/evsel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 1a1cbd16d76d4..d9a4c0202a8c3 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -2109,7 +2109,6 @@ int evsel__parse_sample(struct evsel *evsel, union perf_event *event,
+ data->period = evsel->core.attr.sample_period;
+ data->cpumode = event->header.misc & PERF_RECORD_MISC_CPUMODE_MASK;
+ data->misc = event->header.misc;
+- data->id = -1ULL;
+ data->data_src = PERF_MEM_DATA_SRC_NONE;
+
+ if (event->header.type != PERF_RECORD_SAMPLE) {
+--
+2.43.0
+
--- /dev/null
+From a057ed9cf1d73f5ca343862df7b044bb96ce73ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 04:03:02 +0000
+Subject: perf record: Fix possible incorrect free in record__switch_output()
+
+From: Yang Jihong <yangjihong1@huawei.com>
+
+[ Upstream commit aff10a165201f6f60cff225083ce301ad3f5d8f1 ]
+
+perf_data__switch() may not assign a legal value to 'new_filename'.
+In this case, 'new_filename' uses the on-stack value, which may cause a
+incorrect free and unexpected result.
+
+Fixes: 03724b2e9c45 ("perf record: Allow to limit number of reported perf.data files")
+Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20240119040304.3708522-2-yangjihong1@huawei.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-record.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
+index e5c938d538ee5..167cd8d3b7a21 100644
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -1264,8 +1264,8 @@ static int
+ record__switch_output(struct record *rec, bool at_exit)
+ {
+ struct perf_data *data = &rec->data;
++ char *new_filename = NULL;
+ int fd, err;
+- char *new_filename;
+
+ /* Same Size: "2015122520103046"*/
+ char timestamp[] = "InvalidTimestamp";
+--
+2.43.0
+
--- /dev/null
+From 1c1cdadb6a98eb784a090336f4c15055f40b0940 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 12:49:46 -0800
+Subject: perf stat: Avoid metric-only segv
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 2543947c77e0e224bda86b4e7220c2f6714da463 ]
+
+Cycles is recognized as part of a hard coded metric in stat-shadow.c,
+it may call print_metric_only with a NULL fmt string leading to a
+segfault. Handle the NULL fmt explicitly.
+
+Fixes: 088519f318be ("perf stat: Move the display functions to stat-display.c")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: K Prateek Nayak <kprateek.nayak@amd.com>
+Cc: James Clark <james.clark@arm.com>
+Cc: Kaige Ye <ye@kaige.org>
+Cc: John Garry <john.g.garry@oracle.com>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20240209204947.3873294-4-irogers@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c
+index 4688e39de52af..971fd77bd3e61 100644
+--- a/tools/perf/util/stat-display.c
++++ b/tools/perf/util/stat-display.c
+@@ -271,7 +271,7 @@ static void print_metric_only(struct perf_stat_config *config,
+ if (color)
+ mlen += strlen(color) + sizeof(PERF_COLOR_RESET) - 1;
+
+- color_snprintf(str, sizeof(str), color ?: "", fmt, val);
++ color_snprintf(str, sizeof(str), color ?: "", fmt ?: "", val);
+ fprintf(out, "%*s ", mlen, str);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From ba75a29e68f922e849d054d88636d949f925524d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 08:32:28 +0000
+Subject: perf thread_map: Free strlist on normal path in
+ thread_map__new_by_tid_str()
+
+From: Yang Jihong <yangjihong1@huawei.com>
+
+[ Upstream commit 1eb3d924e3c0b8c27388b0583a989d757866efb6 ]
+
+slist needs to be freed in both error path and normal path in
+thread_map__new_by_tid_str().
+
+Fixes: b52956c961be3a04 ("perf tools: Allow multiple threads or processes in record, stat, top")
+Reviewed-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20240206083228.172607-6-yangjihong1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/thread_map.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/thread_map.c b/tools/perf/util/thread_map.c
+index c9bfe4696943b..cee7fc3b5bb0c 100644
+--- a/tools/perf/util/thread_map.c
++++ b/tools/perf/util/thread_map.c
+@@ -279,13 +279,13 @@ struct perf_thread_map *thread_map__new_by_tid_str(const char *tid_str)
+ threads->nr = ntasks;
+ }
+ out:
++ strlist__delete(slist);
+ if (threads)
+ refcount_set(&threads->refcnt, 1);
+ return threads;
+
+ out_free_threads:
+ zfree(&threads);
+- strlist__delete(slist);
+ goto out;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 80fdbe621f3aab3899ec7cc013ca03f19837a48a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 15:19:08 +0800
+Subject: pinctrl: mediatek: Drop bogus slew rate register range for MT8192
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit e15ab05a6b3ed42f2f43f8bd1a1abdbde64afecd ]
+
+The MT8192 does not support configuring pin slew rate. This is evident
+from both the datasheet, and the fact that the driver points the slew
+rate register range at the GPIO direction register range.
+
+Drop the bogus setting.
+
+Fixes: d32f38f2a8fc ("pinctrl: mediatek: Add pinctrl driver for mt8192")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20240131071910.3950450-2-wenst@chromium.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mt8192.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8192.c b/drivers/pinctrl/mediatek/pinctrl-mt8192.c
+index 0c16b2c756bf3..f3020e3c8533b 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mt8192.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mt8192.c
+@@ -1346,7 +1346,6 @@ static const struct mtk_pin_reg_calc mt8192_reg_cals[PINCTRL_PIN_REG_MAX] = {
+ [PINCTRL_PIN_REG_DIR] = MTK_RANGE(mt8192_pin_dir_range),
+ [PINCTRL_PIN_REG_DI] = MTK_RANGE(mt8192_pin_di_range),
+ [PINCTRL_PIN_REG_DO] = MTK_RANGE(mt8192_pin_do_range),
+- [PINCTRL_PIN_REG_SR] = MTK_RANGE(mt8192_pin_dir_range),
+ [PINCTRL_PIN_REG_SMT] = MTK_RANGE(mt8192_pin_smt_range),
+ [PINCTRL_PIN_REG_IES] = MTK_RANGE(mt8192_pin_ies_range),
+ [PINCTRL_PIN_REG_PU] = MTK_RANGE(mt8192_pin_pu_range),
+--
+2.43.0
+
--- /dev/null
+From 851a397f49bd785db9185c44b72886f9d83d0fc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 23:34:08 +1100
+Subject: powerpc/embedded6xx: Fix no previous prototype for avr_uart_send()
+ etc.
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 20933531be0577cdd782216858c26150dbc7936f ]
+
+Move the prototypes into mpc10x.h which is included by all the relevant
+C files, fixes:
+
+ arch/powerpc/platforms/embedded6xx/ls_uart.c:59:6: error: no previous prototype for 'avr_uart_configure'
+ arch/powerpc/platforms/embedded6xx/ls_uart.c:82:6: error: no previous prototype for 'avr_uart_send'
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240305123410.3306253-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/embedded6xx/linkstation.c | 3 ---
+ arch/powerpc/platforms/embedded6xx/mpc10x.h | 3 +++
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/platforms/embedded6xx/linkstation.c b/arch/powerpc/platforms/embedded6xx/linkstation.c
+index f514d5d28cd4f..3f3821eb4c36b 100644
+--- a/arch/powerpc/platforms/embedded6xx/linkstation.c
++++ b/arch/powerpc/platforms/embedded6xx/linkstation.c
+@@ -97,9 +97,6 @@ static void __init linkstation_init_IRQ(void)
+ mpic_init(mpic);
+ }
+
+-extern void avr_uart_configure(void);
+-extern void avr_uart_send(const char);
+-
+ static void __noreturn linkstation_restart(char *cmd)
+ {
+ local_irq_disable();
+diff --git a/arch/powerpc/platforms/embedded6xx/mpc10x.h b/arch/powerpc/platforms/embedded6xx/mpc10x.h
+index 5ad12023e5628..ebc258fa4858d 100644
+--- a/arch/powerpc/platforms/embedded6xx/mpc10x.h
++++ b/arch/powerpc/platforms/embedded6xx/mpc10x.h
+@@ -156,4 +156,7 @@ int mpc10x_disable_store_gathering(struct pci_controller *hose);
+ /* For MPC107 boards that use the built-in openpic */
+ void mpc10x_set_openpic(void);
+
++void avr_uart_configure(void);
++void avr_uart_send(const char c);
++
+ #endif /* __PPC_KERNEL_MPC10X_H */
+--
+2.43.0
+
--- /dev/null
+From c6ff616cbb5e3fc757645580f68a17956f7652b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 17:58:47 +0530
+Subject: powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value
+ checks
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit ad86d7ee43b22aa2ed60fb982ae94b285c1be671 ]
+
+Running event hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/
+in one of the system throws below error:
+
+ ---Logs---
+ # perf list | grep hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles
+ hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=?/[Kernel PMU event]
+
+ # perf stat -v -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2
+Using CPUID 00800200
+Control descriptor is not initialized
+Warning:
+hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event is not supported by the kernel.
+failed to read counter hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/
+
+ Performance counter stats for 'system wide':
+
+ <not supported> hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/
+
+ 2.000700771 seconds time elapsed
+
+The above error is because of the hcall failure as required
+permission "Enable Performance Information Collection" is not set.
+Based on current code, single_gpci_request function did not check the
+error type incase hcall fails and by default returns EINVAL. But we can
+have other reasons for hcall failures like H_AUTHORITY/H_PARAMETER with
+detail_rc as GEN_BUF_TOO_SMALL, for which we need to act accordingly.
+
+Fix this issue by adding new checks in the single_gpci_request and
+h_gpci_event_init functions.
+
+Result after fix patch changes:
+
+ # perf stat -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2
+Error:
+No permission to enable hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event.
+
+Fixes: 220a0c609ad1 ("powerpc/perf: Add support for the hv gpci (get performance counter info) interface")
+Reported-by: Akanksha J N <akanksha@linux.ibm.com>
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240229122847.101162-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/hv-gpci.c | 29 +++++++++++++++++++++++++++--
+ 1 file changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c
+index 28b770bbc10b4..2a054de80e50b 100644
+--- a/arch/powerpc/perf/hv-gpci.c
++++ b/arch/powerpc/perf/hv-gpci.c
+@@ -164,6 +164,20 @@ static unsigned long single_gpci_request(u32 req, u32 starting_index,
+
+ ret = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO,
+ virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE);
++
++ /*
++ * ret value as 'H_PARAMETER' with detail_rc as 'GEN_BUF_TOO_SMALL',
++ * specifies that the current buffer size cannot accommodate
++ * all the information and a partial buffer returned.
++ * Since in this function we are only accessing data for a given starting index,
++ * we don't need to accommodate whole data and can get required count by
++ * accessing first entry data.
++ * Hence hcall fails only incase the ret value is other than H_SUCCESS or
++ * H_PARAMETER with detail_rc value as GEN_BUF_TOO_SMALL(0x1B).
++ */
++ if (ret == H_PARAMETER && be32_to_cpu(arg->params.detail_rc) == 0x1B)
++ ret = 0;
++
+ if (ret) {
+ pr_devel("hcall failed: 0x%lx\n", ret);
+ goto out;
+@@ -228,6 +242,7 @@ static int h_gpci_event_init(struct perf_event *event)
+ {
+ u64 count;
+ u8 length;
++ unsigned long ret;
+
+ /* Not our event */
+ if (event->attr.type != event->pmu->type)
+@@ -258,13 +273,23 @@ static int h_gpci_event_init(struct perf_event *event)
+ }
+
+ /* check if the request works... */
+- if (single_gpci_request(event_get_request(event),
++ ret = single_gpci_request(event_get_request(event),
+ event_get_starting_index(event),
+ event_get_secondary_index(event),
+ event_get_counter_info_version(event),
+ event_get_offset(event),
+ length,
+- &count)) {
++ &count);
++
++ /*
++ * ret value as H_AUTHORITY implies that partition is not permitted to retrieve
++ * performance information, and required to set
++ * "Enable Performance Information Collection" option.
++ */
++ if (ret == H_AUTHORITY)
++ return -EPERM;
++
++ if (ret) {
+ pr_devel("gpci hcall failed\n");
+ return -EINVAL;
+ }
+--
+2.43.0
+
--- /dev/null
+From 39a193250eef2ead8b1eff317ba76941c2188c82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Feb 2022 09:18:18 -0800
+Subject: printk: Add panic_in_progress helper
+
+From: Stephen Brennan <stephen.s.brennan@oracle.com>
+
+[ Upstream commit 77498617857f68496b360081dde1a492d40c28b2 ]
+
+This will be used help avoid deadlocks during panics. Although it would
+be better to include this in linux/panic.h, it would require that header
+to include linux/atomic.h as well. On some architectures, this results
+in a circular dependency as well. So instead add the helper directly to
+printk.c.
+
+Suggested-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20220202171821.179394-2-stephen.s.brennan@oracle.com
+Stable-dep-of: d04d5882cd67 ("printk: Disable passing console lock owner completely during panic()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 17a310dcb6d96..94af80b7fa9b5 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -258,6 +258,11 @@ static void __up_console_sem(unsigned long ip)
+ }
+ #define up_console_sem() __up_console_sem(_RET_IP_)
+
++static bool panic_in_progress(void)
++{
++ return unlikely(atomic_read(&panic_cpu) != PANIC_CPU_INVALID);
++}
++
+ /*
+ * This is used for debugging the mess that is the VT code by
+ * keeping track if we have the console semaphore held. It's
+--
+2.43.0
+
--- /dev/null
+From b8b3bf167cb2439f091179cd6054ab6927273a56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Feb 2024 14:47:00 +0106
+Subject: printk: Disable passing console lock owner completely during panic()
+
+From: Petr Mladek <pmladek@suse.com>
+
+[ Upstream commit d04d5882cd678b898a9d7c5aee6afbe9e6e77fcd ]
+
+The commit d51507098ff91 ("printk: disable optimistic spin
+during panic") added checks to avoid becoming a console waiter
+if a panic is in progress.
+
+However, the transition to panic can occur while there is
+already a waiter. The current owner should not pass the lock to
+the waiter because it might get stopped or blocked anytime.
+
+Also the panic context might pass the console lock owner to an
+already stopped waiter by mistake. It might happen when
+console_flush_on_panic() ignores the current lock owner, for
+example:
+
+CPU0 CPU1
+---- ----
+console_lock_spinning_enable()
+ console_trylock_spinning()
+ [CPU1 now console waiter]
+NMI: panic()
+ panic_other_cpus_shutdown()
+ [stopped as console waiter]
+ console_flush_on_panic()
+ console_lock_spinning_enable()
+ [print 1 record]
+ console_lock_spinning_disable_and_check()
+ [handover to stopped CPU1]
+
+This results in panic() not flushing the panic messages.
+
+Fix these problems by disabling all spinning operations
+completely during panic().
+
+Another advantage is that it prevents possible deadlocks caused
+by "console_owner_lock". The panic() context does not need to
+take it any longer. The lockless checks are safe because the
+functions become NOPs when they see the panic in progress. All
+operations manipulating the state are still synchronized by the
+lock even when non-panic CPUs would notice the panic
+synchronously.
+
+The current owner might stay spinning. But non-panic() CPUs
+would get stopped anyway and the panic context will never start
+spinning.
+
+Fixes: dbdda842fe96 ("printk: Add console owner and waiter logic to load balance console writes")
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Link: https://lore.kernel.org/r/20240207134103.1357162-12-john.ogness@linutronix.de
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 94af80b7fa9b5..d109411f108f9 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1760,10 +1760,23 @@ static bool console_waiter;
+ */
+ static void console_lock_spinning_enable(void)
+ {
++ /*
++ * Do not use spinning in panic(). The panic CPU wants to keep the lock.
++ * Non-panic CPUs abandon the flush anyway.
++ *
++ * Just keep the lockdep annotation. The panic-CPU should avoid
++ * taking console_owner_lock because it might cause a deadlock.
++ * This looks like the easiest way how to prevent false lockdep
++ * reports without handling races a lockless way.
++ */
++ if (panic_in_progress())
++ goto lockdep;
++
+ raw_spin_lock(&console_owner_lock);
+ console_owner = current;
+ raw_spin_unlock(&console_owner_lock);
+
++lockdep:
+ /* The waiter may spin on us after setting console_owner */
+ spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_);
+ }
+@@ -1787,6 +1800,22 @@ static int console_lock_spinning_disable_and_check(void)
+ {
+ int waiter;
+
++ /*
++ * Ignore spinning waiters during panic() because they might get stopped
++ * or blocked at any time,
++ *
++ * It is safe because nobody is allowed to start spinning during panic
++ * in the first place. If there has been a waiter then non panic CPUs
++ * might stay spinning. They would get stopped anyway. The panic context
++ * will never start spinning and an interrupted spin on panic CPU will
++ * never continue.
++ */
++ if (panic_in_progress()) {
++ /* Keep lockdep happy. */
++ spin_release(&console_owner_dep_map, _THIS_IP_);
++ return 0;
++ }
++
+ raw_spin_lock(&console_owner_lock);
+ waiter = READ_ONCE(console_waiter);
+ console_owner = NULL;
+--
+2.43.0
+
--- /dev/null
+From 6330fb3e1b8393949c3a3a5d4d87070c81fe8d51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 16:18:52 +0800
+Subject: quota: Fix potential NULL pointer dereference
+
+From: Wang Jianjian <wangjianjian3@huawei.com>
+
+[ Upstream commit d0aa72604fbd80c8aabb46eda00535ed35570f1f ]
+
+Below race may cause NULL pointer dereference
+
+P1 P2
+dquot_free_inode quota_off
+ drop_dquot_ref
+ remove_dquot_ref
+ dquots = i_dquot(inode)
+ dquots = i_dquot(inode)
+ srcu_read_lock
+ dquots[cnt]) != NULL (1)
+ dquots[type] = NULL (2)
+ spin_lock(&dquots[cnt]->dq_dqb_lock) (3)
+ ....
+
+If dquot_free_inode(or other routines) checks inode's quota pointers (1)
+before quota_off sets it to NULL(2) and use it (3) after that, NULL pointer
+dereference will be triggered.
+
+So let's fix it by using a temporary pointer to avoid this issue.
+
+Signed-off-by: Wang Jianjian <wangjianjian3@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20240202081852.2514092-1-wangjianjian3@huawei.com>
+Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 98 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 57 insertions(+), 41 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 77578332e35ae..3f19ef2cc186d 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -401,15 +401,17 @@ int dquot_mark_dquot_dirty(struct dquot *dquot)
+ EXPORT_SYMBOL(dquot_mark_dquot_dirty);
+
+ /* Dirtify all the dquots - this can block when journalling */
+-static inline int mark_all_dquot_dirty(struct dquot * const *dquot)
++static inline int mark_all_dquot_dirty(struct dquot * const *dquots)
+ {
+ int ret, err, cnt;
++ struct dquot *dquot;
+
+ ret = err = 0;
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+- if (dquot[cnt])
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (dquot)
+ /* Even in case of error we have to continue */
+- ret = mark_dquot_dirty(dquot[cnt]);
++ ret = mark_dquot_dirty(dquot);
+ if (!err)
+ err = ret;
+ }
+@@ -1686,6 +1688,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags)
+ struct dquot_warn warn[MAXQUOTAS];
+ int reserve = flags & DQUOT_SPACE_RESERVE;
+ struct dquot **dquots;
++ struct dquot *dquot;
+
+ if (!inode_quota_active(inode)) {
+ if (reserve) {
+@@ -1705,27 +1708,26 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags)
+ index = srcu_read_lock(&dquot_srcu);
+ spin_lock(&inode->i_lock);
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+- if (!dquots[cnt])
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (!dquot)
+ continue;
+ if (reserve) {
+- ret = dquot_add_space(dquots[cnt], 0, number, flags,
+- &warn[cnt]);
++ ret = dquot_add_space(dquot, 0, number, flags, &warn[cnt]);
+ } else {
+- ret = dquot_add_space(dquots[cnt], number, 0, flags,
+- &warn[cnt]);
++ ret = dquot_add_space(dquot, number, 0, flags, &warn[cnt]);
+ }
+ if (ret) {
+ /* Back out changes we already did */
+ for (cnt--; cnt >= 0; cnt--) {
+- if (!dquots[cnt])
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (!dquot)
+ continue;
+- spin_lock(&dquots[cnt]->dq_dqb_lock);
++ spin_lock(&dquot->dq_dqb_lock);
+ if (reserve)
+- dquot_free_reserved_space(dquots[cnt],
+- number);
++ dquot_free_reserved_space(dquot, number);
+ else
+- dquot_decr_space(dquots[cnt], number);
+- spin_unlock(&dquots[cnt]->dq_dqb_lock);
++ dquot_decr_space(dquot, number);
++ spin_unlock(&dquot->dq_dqb_lock);
+ }
+ spin_unlock(&inode->i_lock);
+ goto out_flush_warn;
+@@ -1756,6 +1758,7 @@ int dquot_alloc_inode(struct inode *inode)
+ int cnt, ret = 0, index;
+ struct dquot_warn warn[MAXQUOTAS];
+ struct dquot * const *dquots;
++ struct dquot *dquot;
+
+ if (!inode_quota_active(inode))
+ return 0;
+@@ -1766,17 +1769,19 @@ int dquot_alloc_inode(struct inode *inode)
+ index = srcu_read_lock(&dquot_srcu);
+ spin_lock(&inode->i_lock);
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+- if (!dquots[cnt])
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (!dquot)
+ continue;
+- ret = dquot_add_inodes(dquots[cnt], 1, &warn[cnt]);
++ ret = dquot_add_inodes(dquot, 1, &warn[cnt]);
+ if (ret) {
+ for (cnt--; cnt >= 0; cnt--) {
+- if (!dquots[cnt])
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (!dquot)
+ continue;
+ /* Back out changes we already did */
+- spin_lock(&dquots[cnt]->dq_dqb_lock);
+- dquot_decr_inodes(dquots[cnt], 1);
+- spin_unlock(&dquots[cnt]->dq_dqb_lock);
++ spin_lock(&dquot->dq_dqb_lock);
++ dquot_decr_inodes(dquot, 1);
++ spin_unlock(&dquot->dq_dqb_lock);
+ }
+ goto warn_put_all;
+ }
+@@ -1798,6 +1803,7 @@ EXPORT_SYMBOL(dquot_alloc_inode);
+ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number)
+ {
+ struct dquot **dquots;
++ struct dquot *dquot;
+ int cnt, index;
+
+ if (!inode_quota_active(inode)) {
+@@ -1813,9 +1819,8 @@ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number)
+ spin_lock(&inode->i_lock);
+ /* Claim reserved quotas to allocated quotas */
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+- if (dquots[cnt]) {
+- struct dquot *dquot = dquots[cnt];
+-
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (dquot) {
+ spin_lock(&dquot->dq_dqb_lock);
+ if (WARN_ON_ONCE(dquot->dq_dqb.dqb_rsvspace < number))
+ number = dquot->dq_dqb.dqb_rsvspace;
+@@ -1840,6 +1845,7 @@ EXPORT_SYMBOL(dquot_claim_space_nodirty);
+ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number)
+ {
+ struct dquot **dquots;
++ struct dquot *dquot;
+ int cnt, index;
+
+ if (!inode_quota_active(inode)) {
+@@ -1855,9 +1861,8 @@ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number)
+ spin_lock(&inode->i_lock);
+ /* Claim reserved quotas to allocated quotas */
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+- if (dquots[cnt]) {
+- struct dquot *dquot = dquots[cnt];
+-
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (dquot) {
+ spin_lock(&dquot->dq_dqb_lock);
+ if (WARN_ON_ONCE(dquot->dq_dqb.dqb_curspace < number))
+ number = dquot->dq_dqb.dqb_curspace;
+@@ -1884,6 +1889,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags)
+ unsigned int cnt;
+ struct dquot_warn warn[MAXQUOTAS];
+ struct dquot **dquots;
++ struct dquot *dquot;
+ int reserve = flags & DQUOT_SPACE_RESERVE, index;
+
+ if (!inode_quota_active(inode)) {
+@@ -1904,17 +1910,18 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags)
+ int wtype;
+
+ warn[cnt].w_type = QUOTA_NL_NOWARN;
+- if (!dquots[cnt])
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (!dquot)
+ continue;
+- spin_lock(&dquots[cnt]->dq_dqb_lock);
+- wtype = info_bdq_free(dquots[cnt], number);
++ spin_lock(&dquot->dq_dqb_lock);
++ wtype = info_bdq_free(dquot, number);
+ if (wtype != QUOTA_NL_NOWARN)
+- prepare_warning(&warn[cnt], dquots[cnt], wtype);
++ prepare_warning(&warn[cnt], dquot, wtype);
+ if (reserve)
+- dquot_free_reserved_space(dquots[cnt], number);
++ dquot_free_reserved_space(dquot, number);
+ else
+- dquot_decr_space(dquots[cnt], number);
+- spin_unlock(&dquots[cnt]->dq_dqb_lock);
++ dquot_decr_space(dquot, number);
++ spin_unlock(&dquot->dq_dqb_lock);
+ }
+ if (reserve)
+ *inode_reserved_space(inode) -= number;
+@@ -1939,6 +1946,7 @@ void dquot_free_inode(struct inode *inode)
+ unsigned int cnt;
+ struct dquot_warn warn[MAXQUOTAS];
+ struct dquot * const *dquots;
++ struct dquot *dquot;
+ int index;
+
+ if (!inode_quota_active(inode))
+@@ -1949,16 +1957,16 @@ void dquot_free_inode(struct inode *inode)
+ spin_lock(&inode->i_lock);
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+ int wtype;
+-
+ warn[cnt].w_type = QUOTA_NL_NOWARN;
+- if (!dquots[cnt])
++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu);
++ if (!dquot)
+ continue;
+- spin_lock(&dquots[cnt]->dq_dqb_lock);
+- wtype = info_idq_free(dquots[cnt], 1);
++ spin_lock(&dquot->dq_dqb_lock);
++ wtype = info_idq_free(dquot, 1);
+ if (wtype != QUOTA_NL_NOWARN)
+- prepare_warning(&warn[cnt], dquots[cnt], wtype);
+- dquot_decr_inodes(dquots[cnt], 1);
+- spin_unlock(&dquots[cnt]->dq_dqb_lock);
++ prepare_warning(&warn[cnt], dquot, wtype);
++ dquot_decr_inodes(dquot, 1);
++ spin_unlock(&dquot->dq_dqb_lock);
+ }
+ spin_unlock(&inode->i_lock);
+ mark_all_dquot_dirty(dquots);
+@@ -1985,7 +1993,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ qsize_t rsv_space = 0;
+ qsize_t inode_usage = 1;
+ struct dquot *transfer_from[MAXQUOTAS] = {};
+- int cnt, ret = 0;
++ int cnt, index, ret = 0;
+ char is_valid[MAXQUOTAS] = {};
+ struct dquot_warn warn_to[MAXQUOTAS];
+ struct dquot_warn warn_from_inodes[MAXQUOTAS];
+@@ -2074,8 +2082,16 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ spin_unlock(&inode->i_lock);
+ spin_unlock(&dq_data_lock);
+
++ /*
++ * These arrays are local and we hold dquot references so we don't need
++ * the srcu protection but still take dquot_srcu to avoid warning in
++ * mark_all_dquot_dirty().
++ */
++ index = srcu_read_lock(&dquot_srcu);
+ mark_all_dquot_dirty(transfer_from);
+ mark_all_dquot_dirty(transfer_to);
++ srcu_read_unlock(&dquot_srcu, index);
++
+ flush_warnings(warn_to);
+ flush_warnings(warn_from_inodes);
+ flush_warnings(warn_from_space);
+--
+2.43.0
+
--- /dev/null
+From 72289a260921786a28b1060c522a6b213b0fd890 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 15:32:09 +0100
+Subject: quota: Fix rcu annotations of inode dquot pointers
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 179b8c97ebf63429589f5afeba59a181fe70603e ]
+
+Dquot pointers in i_dquot array in the inode are protected by
+dquot_srcu. Annotate the array pointers with __rcu, perform the locked
+dereferences with srcu_dereference_check() instead of plain reads, and
+set the array elements with rcu_assign_pointer().
+
+Fixes: b9ba6f94b238 ("quota: remove dqptr_sem")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202402061900.rTuYDlo6-lkp@intel.com/
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 66 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 39 insertions(+), 27 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 3f19ef2cc186d..6a7b7d44753a3 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -401,7 +401,7 @@ int dquot_mark_dquot_dirty(struct dquot *dquot)
+ EXPORT_SYMBOL(dquot_mark_dquot_dirty);
+
+ /* Dirtify all the dquots - this can block when journalling */
+-static inline int mark_all_dquot_dirty(struct dquot * const *dquots)
++static inline int mark_all_dquot_dirty(struct dquot __rcu * const *dquots)
+ {
+ int ret, err, cnt;
+ struct dquot *dquot;
+@@ -1008,14 +1008,15 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
+ }
+ EXPORT_SYMBOL(dqget);
+
+-static inline struct dquot **i_dquot(struct inode *inode)
++static inline struct dquot __rcu **i_dquot(struct inode *inode)
+ {
+- return inode->i_sb->s_op->get_dquots(inode);
++ /* Force __rcu for now until filesystems are fixed */
++ return (struct dquot __rcu **)inode->i_sb->s_op->get_dquots(inode);
+ }
+
+ static int dqinit_needed(struct inode *inode, int type)
+ {
+- struct dquot * const *dquots;
++ struct dquot __rcu * const *dquots;
+ int cnt;
+
+ if (IS_NOQUOTA(inode))
+@@ -1105,14 +1106,16 @@ static void remove_dquot_ref(struct super_block *sb, int type)
+ */
+ spin_lock(&dq_data_lock);
+ if (!IS_NOQUOTA(inode)) {
+- struct dquot **dquots = i_dquot(inode);
+- struct dquot *dquot = dquots[type];
++ struct dquot __rcu **dquots = i_dquot(inode);
++ struct dquot *dquot = srcu_dereference_check(
++ dquots[type], &dquot_srcu,
++ lockdep_is_held(&dq_data_lock));
+
+ #ifdef CONFIG_QUOTA_DEBUG
+ if (unlikely(inode_get_rsv_space(inode) > 0))
+ reserved = 1;
+ #endif
+- dquots[type] = NULL;
++ rcu_assign_pointer(dquots[type], NULL);
+ if (dquot)
+ dqput(dquot);
+ }
+@@ -1465,7 +1468,8 @@ static int inode_quota_active(const struct inode *inode)
+ static int __dquot_initialize(struct inode *inode, int type)
+ {
+ int cnt, init_needed = 0;
+- struct dquot **dquots, *got[MAXQUOTAS] = {};
++ struct dquot __rcu **dquots;
++ struct dquot *got[MAXQUOTAS] = {};
+ struct super_block *sb = inode->i_sb;
+ qsize_t rsv;
+ int ret = 0;
+@@ -1540,7 +1544,7 @@ static int __dquot_initialize(struct inode *inode, int type)
+ if (!got[cnt])
+ continue;
+ if (!dquots[cnt]) {
+- dquots[cnt] = got[cnt];
++ rcu_assign_pointer(dquots[cnt], got[cnt]);
+ got[cnt] = NULL;
+ /*
+ * Make quota reservation system happy if someone
+@@ -1548,12 +1552,16 @@ static int __dquot_initialize(struct inode *inode, int type)
+ */
+ rsv = inode_get_rsv_space(inode);
+ if (unlikely(rsv)) {
++ struct dquot *dquot = srcu_dereference_check(
++ dquots[cnt], &dquot_srcu,
++ lockdep_is_held(&dq_data_lock));
++
+ spin_lock(&inode->i_lock);
+ /* Get reservation again under proper lock */
+ rsv = __inode_get_rsv_space(inode);
+- spin_lock(&dquots[cnt]->dq_dqb_lock);
+- dquots[cnt]->dq_dqb.dqb_rsvspace += rsv;
+- spin_unlock(&dquots[cnt]->dq_dqb_lock);
++ spin_lock(&dquot->dq_dqb_lock);
++ dquot->dq_dqb.dqb_rsvspace += rsv;
++ spin_unlock(&dquot->dq_dqb_lock);
+ spin_unlock(&inode->i_lock);
+ }
+ }
+@@ -1575,7 +1583,7 @@ EXPORT_SYMBOL(dquot_initialize);
+
+ bool dquot_initialize_needed(struct inode *inode)
+ {
+- struct dquot **dquots;
++ struct dquot __rcu **dquots;
+ int i;
+
+ if (!inode_quota_active(inode))
+@@ -1600,13 +1608,14 @@ EXPORT_SYMBOL(dquot_initialize_needed);
+ static void __dquot_drop(struct inode *inode)
+ {
+ int cnt;
+- struct dquot **dquots = i_dquot(inode);
++ struct dquot __rcu **dquots = i_dquot(inode);
+ struct dquot *put[MAXQUOTAS];
+
+ spin_lock(&dq_data_lock);
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+- put[cnt] = dquots[cnt];
+- dquots[cnt] = NULL;
++ put[cnt] = srcu_dereference_check(dquots[cnt], &dquot_srcu,
++ lockdep_is_held(&dq_data_lock));
++ rcu_assign_pointer(dquots[cnt], NULL);
+ }
+ spin_unlock(&dq_data_lock);
+ dqput_all(put);
+@@ -1614,7 +1623,7 @@ static void __dquot_drop(struct inode *inode)
+
+ void dquot_drop(struct inode *inode)
+ {
+- struct dquot * const *dquots;
++ struct dquot __rcu * const *dquots;
+ int cnt;
+
+ if (IS_NOQUOTA(inode))
+@@ -1687,7 +1696,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags)
+ int cnt, ret = 0, index;
+ struct dquot_warn warn[MAXQUOTAS];
+ int reserve = flags & DQUOT_SPACE_RESERVE;
+- struct dquot **dquots;
++ struct dquot __rcu **dquots;
+ struct dquot *dquot;
+
+ if (!inode_quota_active(inode)) {
+@@ -1757,7 +1766,7 @@ int dquot_alloc_inode(struct inode *inode)
+ {
+ int cnt, ret = 0, index;
+ struct dquot_warn warn[MAXQUOTAS];
+- struct dquot * const *dquots;
++ struct dquot __rcu * const *dquots;
+ struct dquot *dquot;
+
+ if (!inode_quota_active(inode))
+@@ -1802,7 +1811,7 @@ EXPORT_SYMBOL(dquot_alloc_inode);
+ */
+ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number)
+ {
+- struct dquot **dquots;
++ struct dquot __rcu **dquots;
+ struct dquot *dquot;
+ int cnt, index;
+
+@@ -1844,7 +1853,7 @@ EXPORT_SYMBOL(dquot_claim_space_nodirty);
+ */
+ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number)
+ {
+- struct dquot **dquots;
++ struct dquot __rcu **dquots;
+ struct dquot *dquot;
+ int cnt, index;
+
+@@ -1888,7 +1897,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags)
+ {
+ unsigned int cnt;
+ struct dquot_warn warn[MAXQUOTAS];
+- struct dquot **dquots;
++ struct dquot __rcu **dquots;
+ struct dquot *dquot;
+ int reserve = flags & DQUOT_SPACE_RESERVE, index;
+
+@@ -1945,7 +1954,7 @@ void dquot_free_inode(struct inode *inode)
+ {
+ unsigned int cnt;
+ struct dquot_warn warn[MAXQUOTAS];
+- struct dquot * const *dquots;
++ struct dquot __rcu * const *dquots;
+ struct dquot *dquot;
+ int index;
+
+@@ -1992,6 +2001,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ qsize_t cur_space;
+ qsize_t rsv_space = 0;
+ qsize_t inode_usage = 1;
++ struct dquot __rcu **dquots;
+ struct dquot *transfer_from[MAXQUOTAS] = {};
+ int cnt, index, ret = 0;
+ char is_valid[MAXQUOTAS] = {};
+@@ -2024,6 +2034,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ }
+ cur_space = __inode_get_bytes(inode);
+ rsv_space = __inode_get_rsv_space(inode);
++ dquots = i_dquot(inode);
+ /*
+ * Build the transfer_from list, check limits, and update usage in
+ * the target structures.
+@@ -2038,7 +2049,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ if (!sb_has_quota_active(inode->i_sb, cnt))
+ continue;
+ is_valid[cnt] = 1;
+- transfer_from[cnt] = i_dquot(inode)[cnt];
++ transfer_from[cnt] = srcu_dereference_check(dquots[cnt],
++ &dquot_srcu, lockdep_is_held(&dq_data_lock));
+ ret = dquot_add_inodes(transfer_to[cnt], inode_usage,
+ &warn_to[cnt]);
+ if (ret)
+@@ -2077,7 +2089,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ rsv_space);
+ spin_unlock(&transfer_from[cnt]->dq_dqb_lock);
+ }
+- i_dquot(inode)[cnt] = transfer_to[cnt];
++ rcu_assign_pointer(dquots[cnt], transfer_to[cnt]);
+ }
+ spin_unlock(&inode->i_lock);
+ spin_unlock(&dq_data_lock);
+@@ -2088,8 +2100,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ * mark_all_dquot_dirty().
+ */
+ index = srcu_read_lock(&dquot_srcu);
+- mark_all_dquot_dirty(transfer_from);
+- mark_all_dquot_dirty(transfer_to);
++ mark_all_dquot_dirty((struct dquot __rcu **)transfer_from);
++ mark_all_dquot_dirty((struct dquot __rcu **)transfer_to);
+ srcu_read_unlock(&dquot_srcu, index);
+
+ flush_warnings(warn_to);
+--
+2.43.0
+
--- /dev/null
+From fbc03900e2e3802925fff2338c1eb745426208e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jun 2023 19:08:22 +0800
+Subject: quota: simplify drop_dquot_ref()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 7bce48f0fec602b3b6c335963b26d9eefa417788 ]
+
+As Honza said, remove_inode_dquot_ref() currently does not release the
+last dquot reference but instead adds the dquot to tofree_head list. This
+is because dqput() can sleep while dropping of the last dquot reference
+(writing back the dquot and calling ->release_dquot()) and that must not
+happen under dq_list_lock. Now that dqput() queues the final dquot cleanup
+into a workqueue, remove_inode_dquot_ref() can call dqput() unconditionally
+and we can significantly simplify it.
+
+Here we open code the simplified code of remove_inode_dquot_ref() into
+remove_dquot_ref() and remove the function put_dquot_list() which is no
+longer used.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20230630110822.3881712-6-libaokun1@huawei.com>
+Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 70 +++++++-----------------------------------------
+ 1 file changed, 9 insertions(+), 61 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 4bb4b4b79827a..77578332e35ae 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -1086,59 +1086,7 @@ static int add_dquot_ref(struct super_block *sb, int type)
+ return err;
+ }
+
+-/*
+- * Remove references to dquots from inode and add dquot to list for freeing
+- * if we have the last reference to dquot
+- */
+-static void remove_inode_dquot_ref(struct inode *inode, int type,
+- struct list_head *tofree_head)
+-{
+- struct dquot **dquots = i_dquot(inode);
+- struct dquot *dquot = dquots[type];
+-
+- if (!dquot)
+- return;
+-
+- dquots[type] = NULL;
+- if (list_empty(&dquot->dq_free)) {
+- /*
+- * The inode still has reference to dquot so it can't be in the
+- * free list
+- */
+- spin_lock(&dq_list_lock);
+- list_add(&dquot->dq_free, tofree_head);
+- spin_unlock(&dq_list_lock);
+- } else {
+- /*
+- * Dquot is already in a list to put so we won't drop the last
+- * reference here.
+- */
+- dqput(dquot);
+- }
+-}
+-
+-/*
+- * Free list of dquots
+- * Dquots are removed from inodes and no new references can be got so we are
+- * the only ones holding reference
+- */
+-static void put_dquot_list(struct list_head *tofree_head)
+-{
+- struct list_head *act_head;
+- struct dquot *dquot;
+-
+- act_head = tofree_head->next;
+- while (act_head != tofree_head) {
+- dquot = list_entry(act_head, struct dquot, dq_free);
+- act_head = act_head->next;
+- /* Remove dquot from the list so we won't have problems... */
+- list_del_init(&dquot->dq_free);
+- dqput(dquot);
+- }
+-}
+-
+-static void remove_dquot_ref(struct super_block *sb, int type,
+- struct list_head *tofree_head)
++static void remove_dquot_ref(struct super_block *sb, int type)
+ {
+ struct inode *inode;
+ #ifdef CONFIG_QUOTA_DEBUG
+@@ -1155,11 +1103,16 @@ static void remove_dquot_ref(struct super_block *sb, int type,
+ */
+ spin_lock(&dq_data_lock);
+ if (!IS_NOQUOTA(inode)) {
++ struct dquot **dquots = i_dquot(inode);
++ struct dquot *dquot = dquots[type];
++
+ #ifdef CONFIG_QUOTA_DEBUG
+ if (unlikely(inode_get_rsv_space(inode) > 0))
+ reserved = 1;
+ #endif
+- remove_inode_dquot_ref(inode, type, tofree_head);
++ dquots[type] = NULL;
++ if (dquot)
++ dqput(dquot);
+ }
+ spin_unlock(&dq_data_lock);
+ }
+@@ -1176,13 +1129,8 @@ static void remove_dquot_ref(struct super_block *sb, int type,
+ /* Gather all references from inodes and drop them */
+ static void drop_dquot_ref(struct super_block *sb, int type)
+ {
+- LIST_HEAD(tofree_head);
+-
+- if (sb->dq_op) {
+- remove_dquot_ref(sb, type, &tofree_head);
+- synchronize_srcu(&dquot_srcu);
+- put_dquot_list(&tofree_head);
+- }
++ if (sb->dq_op)
++ remove_dquot_ref(sb, type);
+ }
+
+ static inline
+--
+2.43.0
+
--- /dev/null
+From db9ba63ab679f4d5c4c73650fe5af0b04c81af52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 19:53:13 -0800
+Subject: RDMA/device: Fix a race between mad_client and cm_client init
+
+From: Shifeng Li <lishifeng@sangfor.com.cn>
+
+[ Upstream commit 7a8bccd8b29c321ac181369b42b04fecf05f98e2 ]
+
+The mad_client will be initialized in enable_device_and_get(), while the
+devices_rwsem will be downgraded to a read semaphore. There is a window
+that leads to the failed initialization for cm_client, since it can not
+get matched mad port from ib_mad_port_list, and the matched mad port will
+be added to the list after that.
+
+ mad_client | cm_client
+------------------|--------------------------------------------------------
+ib_register_device|
+enable_device_and_get
+down_write(&devices_rwsem)
+xa_set_mark(&devices, DEVICE_REGISTERED)
+downgrade_write(&devices_rwsem)
+ |
+ |ib_cm_init
+ |ib_register_client(&cm_client)
+ |down_read(&devices_rwsem)
+ |xa_for_each_marked (&devices, DEVICE_REGISTERED)
+ |add_client_context
+ |cm_add_one
+ |ib_register_mad_agent
+ |ib_get_mad_port
+ |__ib_get_mad_port
+ |list_for_each_entry(entry, &ib_mad_port_list, port_list)
+ |return NULL
+ |up_read(&devices_rwsem)
+ |
+add_client_context|
+ib_mad_init_device|
+ib_mad_port_open |
+list_add_tail(&port_priv->port_list, &ib_mad_port_list)
+up_read(&devices_rwsem)
+ |
+
+Fix it by using down_write(&devices_rwsem) in ib_register_client().
+
+Fixes: d0899892edd0 ("RDMA/device: Provide APIs from the core code to help unregistration")
+Link: https://lore.kernel.org/r/20240203035313.98991-1-lishifeng@sangfor.com.cn
+Suggested-by: Jason Gunthorpe <jgg@ziepe.ca>
+Signed-off-by: Shifeng Li <lishifeng@sangfor.com.cn>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/device.c | 37 +++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index 3c29fd04b3016..94c3bad72cc59 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -1686,7 +1686,7 @@ static int assign_client_id(struct ib_client *client)
+ {
+ int ret;
+
+- down_write(&clients_rwsem);
++ lockdep_assert_held(&clients_rwsem);
+ /*
+ * The add/remove callbacks must be called in FIFO/LIFO order. To
+ * achieve this we assign client_ids so they are sorted in
+@@ -1695,14 +1695,11 @@ static int assign_client_id(struct ib_client *client)
+ client->client_id = highest_client_id;
+ ret = xa_insert(&clients, client->client_id, client, GFP_KERNEL);
+ if (ret)
+- goto out;
++ return ret;
+
+ highest_client_id++;
+ xa_set_mark(&clients, client->client_id, CLIENT_REGISTERED);
+-
+-out:
+- up_write(&clients_rwsem);
+- return ret;
++ return 0;
+ }
+
+ static void remove_client_id(struct ib_client *client)
+@@ -1732,25 +1729,35 @@ int ib_register_client(struct ib_client *client)
+ {
+ struct ib_device *device;
+ unsigned long index;
++ bool need_unreg = false;
+ int ret;
+
+ refcount_set(&client->uses, 1);
+ init_completion(&client->uses_zero);
++
++ /*
++ * The devices_rwsem is held in write mode to ensure that a racing
++ * ib_register_device() sees a consisent view of clients and devices.
++ */
++ down_write(&devices_rwsem);
++ down_write(&clients_rwsem);
+ ret = assign_client_id(client);
+ if (ret)
+- return ret;
++ goto out;
+
+- down_read(&devices_rwsem);
++ need_unreg = true;
+ xa_for_each_marked (&devices, index, device, DEVICE_REGISTERED) {
+ ret = add_client_context(device, client);
+- if (ret) {
+- up_read(&devices_rwsem);
+- ib_unregister_client(client);
+- return ret;
+- }
++ if (ret)
++ goto out;
+ }
+- up_read(&devices_rwsem);
+- return 0;
++ ret = 0;
++out:
++ up_write(&clients_rwsem);
++ up_write(&devices_rwsem);
++ if (need_unreg && ret)
++ ib_unregister_client(client);
++ return ret;
+ }
+ EXPORT_SYMBOL(ib_register_client);
+
+--
+2.43.0
+
--- /dev/null
+From d8f78a572fbe9f10cd76187e261c0953e7a20d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Feb 2024 02:15:49 -0700
+Subject: RDMA/srpt: Do not register event handler until srpt device is fully
+ setup
+
+From: William Kucharski <william.kucharski@oracle.com>
+
+[ Upstream commit c21a8870c98611e8f892511825c9607f1e2cd456 ]
+
+Upon rare occasions, KASAN reports a use-after-free Write
+in srpt_refresh_port().
+
+This seems to be because an event handler is registered before the
+srpt device is fully setup and a race condition upon error may leave a
+partially setup event handler in place.
+
+Instead, only register the event handler after srpt device initialization
+is complete.
+
+Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
+Signed-off-by: William Kucharski <william.kucharski@oracle.com>
+Link: https://lore.kernel.org/r/20240202091549.991784-2-william.kucharski@oracle.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 41abf9cf11c67..960f870a952a5 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -3205,7 +3205,6 @@ static int srpt_add_one(struct ib_device *device)
+
+ INIT_IB_EVENT_HANDLER(&sdev->event_handler, sdev->device,
+ srpt_event_handler);
+- ib_register_event_handler(&sdev->event_handler);
+
+ for (i = 1; i <= sdev->device->phys_port_cnt; i++) {
+ sport = &sdev->port[i - 1];
+@@ -3228,6 +3227,7 @@ static int srpt_add_one(struct ib_device *device)
+ }
+ }
+
++ ib_register_event_handler(&sdev->event_handler);
+ spin_lock(&srpt_dev_lock);
+ list_add_tail(&sdev->list, &srpt_dev_list);
+ spin_unlock(&srpt_dev_lock);
+@@ -3238,7 +3238,6 @@ static int srpt_add_one(struct ib_device *device)
+
+ err_port:
+ srpt_unregister_mad_agent(sdev, i);
+- ib_unregister_event_handler(&sdev->event_handler);
+ err_cm:
+ if (sdev->cm_id)
+ ib_destroy_cm_id(sdev->cm_id);
+--
+2.43.0
+
--- /dev/null
+From 1e795c472a4825643a7a495ca1a4ab3db0684be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 13:44:06 +0100
+Subject: scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b69600231f751304db914c63b937f7098ed2895c ]
+
+Some callback functions used here take a boolean argument, others take a
+status argument. This breaks KCFI type checking, so clang now warns about
+the function pointer cast:
+
+drivers/scsi/bfa/bfad_bsg.c:2138:29: error: cast from 'void (*)(void *, enum bfa_status)' to 'bfa_cb_cbfn_t' (aka 'void (*)(void *, enum bfa_boolean)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+
+Assuming the code is actually correct here and the callers always match the
+argument types of the callee, rework this to replace the explicit cast with
+a union of the two pointer types. This does not change the behavior of the
+code, so if something is actually broken here, a larger rework may be
+necessary.
+
+Fixes: 37ea0558b87a ("[SCSI] bfa: Added support to collect and reset fcport stats")
+Fixes: 3ec4f2c8bff2 ("[SCSI] bfa: Added support to configure QOS and collect stats.")
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240222124433.2046570-1-arnd@kernel.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bfa/bfa.h | 9 ++++++++-
+ drivers/scsi/bfa/bfa_core.c | 4 +---
+ drivers/scsi/bfa/bfa_ioc.h | 8 ++++++--
+ drivers/scsi/bfa/bfad_bsg.c | 11 ++++-------
+ 4 files changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/scsi/bfa/bfa.h b/drivers/scsi/bfa/bfa.h
+index 7bd2ba1ad4d11..f30fe324e6ecc 100644
+--- a/drivers/scsi/bfa/bfa.h
++++ b/drivers/scsi/bfa/bfa.h
+@@ -20,7 +20,6 @@
+ struct bfa_s;
+
+ typedef void (*bfa_isr_func_t) (struct bfa_s *bfa, struct bfi_msg_s *m);
+-typedef void (*bfa_cb_cbfn_status_t) (void *cbarg, bfa_status_t status);
+
+ /*
+ * Interrupt message handlers
+@@ -437,4 +436,12 @@ struct bfa_cb_pending_q_s {
+ (__qe)->data = (__data); \
+ } while (0)
+
++#define bfa_pending_q_init_status(__qe, __cbfn, __cbarg, __data) do { \
++ bfa_q_qe_init(&((__qe)->hcb_qe.qe)); \
++ (__qe)->hcb_qe.cbfn_status = (__cbfn); \
++ (__qe)->hcb_qe.cbarg = (__cbarg); \
++ (__qe)->hcb_qe.pre_rmv = BFA_TRUE; \
++ (__qe)->data = (__data); \
++} while (0)
++
+ #endif /* __BFA_H__ */
+diff --git a/drivers/scsi/bfa/bfa_core.c b/drivers/scsi/bfa/bfa_core.c
+index 6846ca8f7313c..3438d0b8ba062 100644
+--- a/drivers/scsi/bfa/bfa_core.c
++++ b/drivers/scsi/bfa/bfa_core.c
+@@ -1907,15 +1907,13 @@ bfa_comp_process(struct bfa_s *bfa, struct list_head *comp_q)
+ struct list_head *qe;
+ struct list_head *qen;
+ struct bfa_cb_qe_s *hcb_qe;
+- bfa_cb_cbfn_status_t cbfn;
+
+ list_for_each_safe(qe, qen, comp_q) {
+ hcb_qe = (struct bfa_cb_qe_s *) qe;
+ if (hcb_qe->pre_rmv) {
+ /* qe is invalid after return, dequeue before cbfn() */
+ list_del(qe);
+- cbfn = (bfa_cb_cbfn_status_t)(hcb_qe->cbfn);
+- cbfn(hcb_qe->cbarg, hcb_qe->fw_status);
++ hcb_qe->cbfn_status(hcb_qe->cbarg, hcb_qe->fw_status);
+ } else
+ hcb_qe->cbfn(hcb_qe->cbarg, BFA_TRUE);
+ }
+diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h
+index 933a1c3890ff5..5e568d6d7b261 100644
+--- a/drivers/scsi/bfa/bfa_ioc.h
++++ b/drivers/scsi/bfa/bfa_ioc.h
+@@ -361,14 +361,18 @@ struct bfa_reqq_wait_s {
+ void *cbarg;
+ };
+
+-typedef void (*bfa_cb_cbfn_t) (void *cbarg, bfa_boolean_t complete);
++typedef void (*bfa_cb_cbfn_t) (void *cbarg, bfa_boolean_t complete);
++typedef void (*bfa_cb_cbfn_status_t) (void *cbarg, bfa_status_t status);
+
+ /*
+ * Generic BFA callback element.
+ */
+ struct bfa_cb_qe_s {
+ struct list_head qe;
+- bfa_cb_cbfn_t cbfn;
++ union {
++ bfa_cb_cbfn_status_t cbfn_status;
++ bfa_cb_cbfn_t cbfn;
++ };
+ bfa_boolean_t once;
+ bfa_boolean_t pre_rmv; /* set for stack based qe(s) */
+ bfa_status_t fw_status; /* to access fw status in comp proc */
+diff --git a/drivers/scsi/bfa/bfad_bsg.c b/drivers/scsi/bfa/bfad_bsg.c
+index fc515424ca88d..eb589f9e8cfb5 100644
+--- a/drivers/scsi/bfa/bfad_bsg.c
++++ b/drivers/scsi/bfa/bfad_bsg.c
+@@ -2135,8 +2135,7 @@ bfad_iocmd_fcport_get_stats(struct bfad_s *bfad, void *cmd)
+ struct bfa_cb_pending_q_s cb_qe;
+
+ init_completion(&fcomp.comp);
+- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp,
+- &fcomp, &iocmd->stats);
++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, &iocmd->stats);
+ spin_lock_irqsave(&bfad->bfad_lock, flags);
+ iocmd->status = bfa_fcport_get_stats(&bfad->bfa, &cb_qe);
+ spin_unlock_irqrestore(&bfad->bfad_lock, flags);
+@@ -2159,7 +2158,7 @@ bfad_iocmd_fcport_reset_stats(struct bfad_s *bfad, void *cmd)
+ struct bfa_cb_pending_q_s cb_qe;
+
+ init_completion(&fcomp.comp);
+- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, &fcomp, NULL);
++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, NULL);
+
+ spin_lock_irqsave(&bfad->bfad_lock, flags);
+ iocmd->status = bfa_fcport_clear_stats(&bfad->bfa, &cb_qe);
+@@ -2443,8 +2442,7 @@ bfad_iocmd_qos_get_stats(struct bfad_s *bfad, void *cmd)
+ struct bfa_fcport_s *fcport = BFA_FCPORT_MOD(&bfad->bfa);
+
+ init_completion(&fcomp.comp);
+- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp,
+- &fcomp, &iocmd->stats);
++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, &iocmd->stats);
+
+ spin_lock_irqsave(&bfad->bfad_lock, flags);
+ WARN_ON(!bfa_ioc_get_fcmode(&bfad->bfa.ioc));
+@@ -2474,8 +2472,7 @@ bfad_iocmd_qos_reset_stats(struct bfad_s *bfad, void *cmd)
+ struct bfa_fcport_s *fcport = BFA_FCPORT_MOD(&bfad->bfa);
+
+ init_completion(&fcomp.comp);
+- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp,
+- &fcomp, NULL);
++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, NULL);
+
+ spin_lock_irqsave(&bfad->bfad_lock, flags);
+ WARN_ON(!bfa_ioc_get_fcmode(&bfad->bfa.ioc));
+--
+2.43.0
+
--- /dev/null
+From 28c22659aef8774285a2afdbf8d4d903f14404f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 11:05:00 +0100
+Subject: scsi: csiostor: Avoid function pointer casts
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 9f3dbcb5632d6876226031d552ef6163bb3ad215 ]
+
+csiostor uses function pointer casts to keep the csio_ln_ev state machine
+hidden, but this causes warnings about control flow integrity (KCFI)
+violations in clang-16 and higher:
+
+drivers/scsi/csiostor/csio_lnode.c:1098:33: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 1098 | return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/scsi/csiostor/csio_lnode.c:1369:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 1369 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) {
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/scsi/csiostor/csio_lnode.c:1373:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 1373 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) {
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/scsi/csiostor/csio_lnode.c:1377:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 1377 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) {
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Move the enum into a shared header so the correct types can be used without
+the need for casts.
+
+Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240213100518.457623-1-arnd@kernel.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_defs.h | 18 ++++++++++++++++--
+ drivers/scsi/csiostor/csio_lnode.c | 8 ++++----
+ drivers/scsi/csiostor/csio_lnode.h | 13 -------------
+ 3 files changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/scsi/csiostor/csio_defs.h b/drivers/scsi/csiostor/csio_defs.h
+index c38017b4af982..e50e93e7fe5a1 100644
+--- a/drivers/scsi/csiostor/csio_defs.h
++++ b/drivers/scsi/csiostor/csio_defs.h
+@@ -73,7 +73,21 @@ csio_list_deleted(struct list_head *list)
+ #define csio_list_prev(elem) (((struct list_head *)(elem))->prev)
+
+ /* State machine */
+-typedef void (*csio_sm_state_t)(void *, uint32_t);
++struct csio_lnode;
++
++/* State machine evets */
++enum csio_ln_ev {
++ CSIO_LNE_NONE = (uint32_t)0,
++ CSIO_LNE_LINKUP,
++ CSIO_LNE_FAB_INIT_DONE,
++ CSIO_LNE_LINK_DOWN,
++ CSIO_LNE_DOWN_LINK,
++ CSIO_LNE_LOGO,
++ CSIO_LNE_CLOSE,
++ CSIO_LNE_MAX_EVENT,
++};
++
++typedef void (*csio_sm_state_t)(struct csio_lnode *ln, enum csio_ln_ev evt);
+
+ struct csio_sm {
+ struct list_head sm_list;
+@@ -83,7 +97,7 @@ struct csio_sm {
+ static inline void
+ csio_set_state(void *smp, void *state)
+ {
+- ((struct csio_sm *)smp)->sm_state = (csio_sm_state_t)state;
++ ((struct csio_sm *)smp)->sm_state = state;
+ }
+
+ static inline void
+diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c
+index d5ac938970232..5b3ffefae476d 100644
+--- a/drivers/scsi/csiostor/csio_lnode.c
++++ b/drivers/scsi/csiostor/csio_lnode.c
+@@ -1095,7 +1095,7 @@ csio_handle_link_down(struct csio_hw *hw, uint8_t portid, uint32_t fcfi,
+ int
+ csio_is_lnode_ready(struct csio_lnode *ln)
+ {
+- return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready));
++ return (csio_get_state(ln) == csio_lns_ready);
+ }
+
+ /*****************************************************************************/
+@@ -1366,15 +1366,15 @@ csio_free_fcfinfo(struct kref *kref)
+ void
+ csio_lnode_state_to_str(struct csio_lnode *ln, int8_t *str)
+ {
+- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) {
++ if (csio_get_state(ln) == csio_lns_uninit) {
+ strcpy(str, "UNINIT");
+ return;
+ }
+- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) {
++ if (csio_get_state(ln) == csio_lns_ready) {
+ strcpy(str, "READY");
+ return;
+ }
+- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) {
++ if (csio_get_state(ln) == csio_lns_offline) {
+ strcpy(str, "OFFLINE");
+ return;
+ }
+diff --git a/drivers/scsi/csiostor/csio_lnode.h b/drivers/scsi/csiostor/csio_lnode.h
+index 372a67d122d38..607698a0f0631 100644
+--- a/drivers/scsi/csiostor/csio_lnode.h
++++ b/drivers/scsi/csiostor/csio_lnode.h
+@@ -53,19 +53,6 @@
+ extern int csio_fcoe_rnodes;
+ extern int csio_fdmi_enable;
+
+-/* State machine evets */
+-enum csio_ln_ev {
+- CSIO_LNE_NONE = (uint32_t)0,
+- CSIO_LNE_LINKUP,
+- CSIO_LNE_FAB_INIT_DONE,
+- CSIO_LNE_LINK_DOWN,
+- CSIO_LNE_DOWN_LINK,
+- CSIO_LNE_LOGO,
+- CSIO_LNE_CLOSE,
+- CSIO_LNE_MAX_EVENT,
+-};
+-
+-
+ struct csio_fcf_info {
+ struct list_head list;
+ uint8_t priority;
+--
+2.43.0
+
asoc-wm8962-enable-both-spkoutr_ena-and-spkoutl_ena-.patch
asoc-wm8962-fix-up-incorrect-error-message-in-wm8962.patch
x86-paravirt-fix-build-due-to-__text_gen_insn-backpo.patch
+do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch
+nbd-null-check-for-nla_nest_start.patch
+fs-select-rework-stack-allocation-hack-for-clang.patch
+block-add-a-new-set_read_only-method.patch
+md-implement-set_read_only-to-hook-into-blkroset-pro.patch
+md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch
+aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
+timekeeping-fix-cross-timestamp-interpolation-on-cou.patch
+timekeeping-fix-cross-timestamp-interpolation-corner.patch
+timekeeping-fix-cross-timestamp-interpolation-for-no.patch
+wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch
+wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch
+wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch
+wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch
+wifi-b43-disable-qos-for-bcm4331.patch
+wifi-wilc1000-fix-declarations-ordering.patch
+wifi-wilc1000-fix-rcu-usage-in-connect-path.patch
+wifi-rtl8xxxu-add-cancel_work_sync-for-c2hcmd_work.patch
+wifi-wilc1000-fix-multi-vif-management-when-deleting.patch
+wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch
+arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch
+cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch
+sock_diag-annotate-data-races-around-sock_diag_handl.patch
+inet_diag-annotate-data-races-around-inet_diag_table.patch
+bpftool-silence-build-warning-about-calloc.patch
+af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch
+wifi-ath9k-delay-all-of-ath9k_wmi_event_tasklet-unti.patch
+wifi-iwlwifi-dbg-tlv-ensure-nul-termination.patch
+wifi-iwlwifi-fix-ewrd-table-validity-check.patch
+net-blackhole_dev-fix-build-warning-for-ethh-set-but.patch
+wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch
+arm64-dts-qcom-msm8996-fix-ufs-phy-clocks.patch
+arm64-dts-qcom-msm8998-fix-ufs-phy-clocks.patch
+printk-add-panic_in_progress-helper.patch
+printk-disable-passing-console-lock-owner-completely.patch
+arm64-dts-mediatek-mt7622-add-missing-device_type-to.patch
+bpf-factor-out-bpf_spin_lock-into-helpers.patch
+bpf-mark-bpf_spin_-lock-unlock-helpers-with-notrace-.patch
+arm64-dts-qcom-msm8996-define-ufs-unipro-clock-limit.patch
+wireless-remove-redundant-flush_workqueue-calls.patch
+wifi-wilc1000-prevent-use-after-free-on-vif-when-cle.patch
+acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch
+bus-tegra-aconnect-update-dependency-to-arch_tegra.patch
+iommu-amd-mark-interrupt-as-managed.patch
+wifi-brcmsmac-avoid-function-pointer-casts.patch
+net-ena-remove-ena_select_queue.patch
+arm-dts-arm-realview-fix-development-chip-rom-compat.patch
+arm-dts-imx6dl-yapp4-move-phy-reset-into-switch-node.patch
+arm-dts-imx6dl-yapp4-fix-typo-in-the-qca-switch-regi.patch
+arm-dts-imx6dl-yapp4-move-the-internal-switch-phys-u.patch
+arm64-dts-marvell-reorder-crypto-interrupts-on-armad.patch
+acpi-scan-fix-device-check-notification-handling.patch
+x86-relocs-ignore-relocations-in-.notes-section.patch
+sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch
+mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch
+wifi-rtw88-8821c-fix-false-alarm-count.patch
+pci-make-pci_dev_is_disconnected-helper-public-for-o.patch
+iommu-vt-d-don-t-issue-ats-invalidation-request-when.patch
+igb-move-perout-and-extts-isr-logic-to-separate-func.patch
+igb-fix-missing-time-sync-events.patch
+bluetooth-remove-superfluous-call-to-hci_conn_check_.patch
+bluetooth-hci_core-fix-possible-buffer-overflow.patch
+sr9800-add-check-for-usbnet_get_endpoints.patch
+bpf-eliminate-rlimit-based-memory-accounting-for-dev.patch
+bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch
+bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch
+bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch
+ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch
+net-ip_tunnel-make-sure-to-pull-inner-header-in-ip_t.patch
+net-phy-fix-phy_get_internal_delay-accessing-an-empt.patch
+net-hns3-fix-port-duplex-configure-error-in-imp-rese.patch
+net-phy-dp83822-enable-rgmii-mode-if-phy_interface_i.patch
+net-phy-dp83822-fix-rgmii-tx-delay-configuration.patch
+opp-debugfs-fix-warning-around-icc_get_name.patch
+tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch
+net-ipv4-replace-one-element-array-with-flexible-arr.patch
+net-ipv4-revert-use-of-struct_size-helper.patch
+net-ipv4-ipv6-replace-one-element-arraya-with-flexib.patch
+bpf-net-change-do_ip_getsockopt-to-take-the-sockptr_.patch
+ipmr-fix-incorrect-parameter-validation-in-the-ip_mr.patch
+l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch
+udp-fix-incorrect-parameter-validation-in-the-udp_li.patch
+net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch
+net-x25-fix-incorrect-parameter-validation-in-the-x2.patch
+nfp-flower-handle-acti_netdevs-allocation-failure.patch
+dm-raid-fix-false-positive-for-requeue-needed-during.patch
+dm-call-the-resume-method-on-internal-suspend.patch
+drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch
+drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch
+drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch
+drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch
+drm-tegra-output-fix-missing-i2c_put_adapter-in-the-.patch
+drm-rockchip-inno_hdmi-fix-video-timing.patch
+drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch
+drm-rockchip-lvds-do-not-overwrite-error-code.patch
+drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch
+drm-lima-fix-a-memleak-in-lima_heap_alloc.patch
+dmaengine-tegra210-adma-update-dependency-to-arch_te.patch
+media-tc358743-register-v4l2-async-device-only-after.patch
+pci-dpc-print-all-tlp-prefixes-not-just-the-first.patch
+perf-record-fix-possible-incorrect-free-in-record__s.patch
+hid-lenovo-add-middleclick_workaround-sysfs-knob-for.patch
+drm-amd-display-fix-a-potential-buffer-overflow-in-d.patch
+drm-amd-display-fix-potential-null-pointer-dereferen.patch
+perf-evsel-fix-duplicate-initialization-of-data-id-i.patch
+pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch
+media-em28xx-annotate-unchecked-call-to-media_device.patch
+media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch
+media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch
+media-edia-dvbdev-fix-a-use-after-free.patch
+pinctrl-mediatek-drop-bogus-slew-rate-register-range.patch
+clk-qcom-reset-commonize-the-de-assert-functions.patch
+clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch
+quota-simplify-drop_dquot_ref.patch
+quota-fix-potential-null-pointer-dereference.patch
+quota-fix-rcu-annotations-of-inode-dquot-pointers.patch
+pci-switchtec-fix-an-error-handling-path-in-switchte.patch
+crypto-xilinx-call-finalize-with-bh-disabled.patch
+perf-thread_map-free-strlist-on-normal-path-in-threa.patch
+drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch
+alsa-seq-fix-function-cast-warnings.patch
+perf-stat-avoid-metric-only-segv.patch
+asoc-meson-use-dev_err_probe-helper.patch
+asoc-meson-aiu-fix-function-pointer-type-mismatch.patch
+asoc-meson-t9015-fix-function-pointer-type-mismatch.patch
+media-sun8i-di-fix-coefficient-writes.patch
+media-sun8i-di-fix-power-on-off-sequences.patch
+media-sun8i-di-fix-chroma-difference-threshold.patch
+media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch
+media-go7007-add-check-of-return-value-of-go7007_rea.patch
+media-pvrusb2-remove-redundant-null-check.patch
+media-pvrusb2-fix-pvr2_stream_callback-casts.patch
+clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch
+drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch
+pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch
+clk-hisilicon-hi3519-release-the-correct-number-of-g.patch
+drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch
+mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch
+mfd-altera-sysmgr-call-of_node_put-only-when-of_pars.patch
+crypto-arm-sha-fix-function-cast-warnings.patch
+drm-tidss-fix-initial-plane-zpos-values.patch
+mtd-maps-physmap-core-fix-flash-size-larger-than-32-.patch
+mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch
+asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch
+asoc-meson-axg-tdm-interface-add-frame-rate-constrai.patch
+drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch
+media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch
+media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch
+media-go7007-fix-a-memleak-in-go7007_load_encoder.patch
+media-ttpci-fix-two-memleaks-in-budget_av_attach.patch
+media-mediatek-vcodec-avoid-wcast-function-type-stri.patch
+drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch
+powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch
+drm-msm-dpu-add-division-of-drm_display_mode-s-hskew.patch
+powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch
+leds-aw2013-unlock-mutex-before-destroying-it.patch
+leds-sgm3140-add-missing-timer-cleanup-and-flash-gpi.patch
+backlight-lm3630a-initialize-backlight_properties-on.patch
+backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch
+backlight-da9052-fully-initialize-backlight_properti.patch
+backlight-lm3639-fully-initialize-backlight_properti.patch
+backlight-lp8788-fully-initialize-backlight_properti.patch
+arch-powerpc-remove-linux-fb.h-from-backlight-code.patch
+sparc32-fix-section-mismatch-in-leon_pci_grpci.patch
+clk-fix-clk_core_get-null-dereference.patch
+alsa-hda-realtek-fix-alc285-issues-on-hp-envy-x360-l.patch
+alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch
+rdma-srpt-do-not-register-event-handler-until-srpt-d.patch
+f2fs-compress-fix-to-check-unreleased-compressed-clu.patch
+scsi-csiostor-avoid-function-pointer-casts.patch
+rdma-device-fix-a-race-between-mad_client-and-cm_cli.patch
+scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch
+net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch
+nfsv4.2-fix-nfs4_listxattr-kernel-bug-at-mm-usercopy.patch
+nfsv4.2-fix-listxattr-maximum-xdr-buffer-size.patch
+watchdog-stm32_iwdg-initialize-default-timeout.patch
+nfs-fix-an-off-by-one-in-root_nfs_cat.patch
+afs-revert-afs-hide-silly-rename-files-from-userspac.patch
--- /dev/null
+From e6feac9dc24f4c817014481cd98565c82ac255cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 11:25:55 +0000
+Subject: sock_diag: annotate data-races around sock_diag_handlers[family]
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit efd402537673f9951992aea4ef0f5ff51d858f4b ]
+
+__sock_diag_cmd() and sock_diag_bind() read sock_diag_handlers[family]
+without a lock held.
+
+Use READ_ONCE()/WRITE_ONCE() annotations to avoid potential issues.
+
+Fixes: 8ef874bfc729 ("sock_diag: Move the sock_ code to net/core/")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock_diag.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index c9c45b935f990..bce65b519ee80 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -189,7 +189,7 @@ int sock_diag_register(const struct sock_diag_handler *hndl)
+ if (sock_diag_handlers[hndl->family])
+ err = -EBUSY;
+ else
+- sock_diag_handlers[hndl->family] = hndl;
++ WRITE_ONCE(sock_diag_handlers[hndl->family], hndl);
+ mutex_unlock(&sock_diag_table_mutex);
+
+ return err;
+@@ -205,7 +205,7 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld)
+
+ mutex_lock(&sock_diag_table_mutex);
+ BUG_ON(sock_diag_handlers[family] != hnld);
+- sock_diag_handlers[family] = NULL;
++ WRITE_ONCE(sock_diag_handlers[family], NULL);
+ mutex_unlock(&sock_diag_table_mutex);
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_unregister);
+@@ -223,7 +223,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
+ return -EINVAL;
+ req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
+
+- if (sock_diag_handlers[req->sdiag_family] == NULL)
++ if (READ_ONCE(sock_diag_handlers[req->sdiag_family]) == NULL)
+ sock_load_diag_module(req->sdiag_family, 0);
+
+ mutex_lock(&sock_diag_table_mutex);
+@@ -282,12 +282,12 @@ static int sock_diag_bind(struct net *net, int group)
+ switch (group) {
+ case SKNLGRP_INET_TCP_DESTROY:
+ case SKNLGRP_INET_UDP_DESTROY:
+- if (!sock_diag_handlers[AF_INET])
++ if (!READ_ONCE(sock_diag_handlers[AF_INET]))
+ sock_load_diag_module(AF_INET, 0);
+ break;
+ case SKNLGRP_INET6_TCP_DESTROY:
+ case SKNLGRP_INET6_UDP_DESTROY:
+- if (!sock_diag_handlers[AF_INET6])
++ if (!READ_ONCE(sock_diag_handlers[AF_INET6]))
+ sock_load_diag_module(AF_INET6, 0);
+ break;
+ }
+--
+2.43.0
+
--- /dev/null
+From e8e9fbcd2f188520313e3b93686c61be8055871d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Feb 2024 18:42:28 +0100
+Subject: sparc32: Fix section mismatch in leon_pci_grpci
+
+From: Sam Ravnborg <sam@ravnborg.org>
+
+[ Upstream commit 24338a6ae13cb743ced77da1b3a12c83f08a0c96 ]
+
+Passing a datastructre marked _initconst to platform_driver_register()
+is wrong. Drop the __initconst notation.
+
+This fixes the following warnings:
+
+WARNING: modpost: vmlinux: section mismatch in reference: grpci1_of_driver+0x30 (section: .data) -> grpci1_of_match (section: .init.rodata)
+WARNING: modpost: vmlinux: section mismatch in reference: grpci2_of_driver+0x30 (section: .data) -> grpci2_of_match (section: .init.rodata)
+
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Andreas Larsson <andreas@gaisler.com>
+Fixes: 4154bb821f0b ("sparc: leon: grpci1: constify of_device_id")
+Fixes: 03949b1cb9f1 ("sparc: leon: grpci2: constify of_device_id")
+Tested-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Reviewed-by: Andreas Larsson <andreas@gaisler.com>
+Tested-by: Andreas Larsson <andreas@gaisler.com>
+Signed-off-by: Andreas Larsson <andreas@gaisler.com>
+Link: https://lore.kernel.org/r/20240224-sam-fix-sparc32-all-builds-v2-7-1f186603c5c4@ravnborg.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/leon_pci_grpci1.c | 2 +-
+ arch/sparc/kernel/leon_pci_grpci2.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/sparc/kernel/leon_pci_grpci1.c b/arch/sparc/kernel/leon_pci_grpci1.c
+index e6935d0ac1ec9..c32590bdd3120 100644
+--- a/arch/sparc/kernel/leon_pci_grpci1.c
++++ b/arch/sparc/kernel/leon_pci_grpci1.c
+@@ -696,7 +696,7 @@ static int grpci1_of_probe(struct platform_device *ofdev)
+ return err;
+ }
+
+-static const struct of_device_id grpci1_of_match[] __initconst = {
++static const struct of_device_id grpci1_of_match[] = {
+ {
+ .name = "GAISLER_PCIFBRG",
+ },
+diff --git a/arch/sparc/kernel/leon_pci_grpci2.c b/arch/sparc/kernel/leon_pci_grpci2.c
+index ca22f93d90454..dd06abc61657f 100644
+--- a/arch/sparc/kernel/leon_pci_grpci2.c
++++ b/arch/sparc/kernel/leon_pci_grpci2.c
+@@ -887,7 +887,7 @@ static int grpci2_of_probe(struct platform_device *ofdev)
+ return err;
+ }
+
+-static const struct of_device_id grpci2_of_match[] __initconst = {
++static const struct of_device_id grpci2_of_match[] = {
+ {
+ .name = "GAISLER_GRPCI2",
+ },
+--
+2.43.0
+
--- /dev/null
+From a76c3bb97349f39ea5bdf17b6bb6c2b1b288736f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 07:59:27 +0000
+Subject: sr9800: Add check for usbnet_get_endpoints
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 07161b2416f740a2cb87faa5566873f401440a61 ]
+
+Add check for usbnet_get_endpoints() and return the error if it fails
+in order to transfer the error.
+
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
+Link: https://lore.kernel.org/r/20240305075927.261284-1-nichen@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9800.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
+index 681e0def6356b..a5332e99102a5 100644
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -736,7 +736,9 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
+
+ data->eeprom_len = SR9800_EEPROM_LEN;
+
+- usbnet_get_endpoints(dev, intf);
++ ret = usbnet_get_endpoints(dev, intf);
++ if (ret)
++ goto out;
+
+ /* LED Setting Rule :
+ * AABB:CCDD
+--
+2.43.0
+
--- /dev/null
+From c5320f67c66b9a4ec249b54b49c45b6e603a0ca9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jan 2024 13:38:13 +0800
+Subject: SUNRPC: fix some memleaks in gssx_dec_option_array
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 3cfcfc102a5e57b021b786a755a38935e357797d ]
+
+The creds and oa->data need to be freed in the error-handling paths after
+their allocation. So this patch add these deallocations in the
+corresponding paths.
+
+Fixes: 1d658336b05f ("SUNRPC: Add RPC based upcall mechanism for RPCGSS auth")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth_gss/gss_rpc_xdr.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c
+index 2ff7b7083ebab..e265b8d38aa14 100644
+--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
+@@ -250,8 +250,8 @@ static int gssx_dec_option_array(struct xdr_stream *xdr,
+
+ creds = kzalloc(sizeof(struct svc_cred), GFP_KERNEL);
+ if (!creds) {
+- kfree(oa->data);
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto free_oa;
+ }
+
+ oa->data[0].option.data = CREDS_VALUE;
+@@ -265,29 +265,40 @@ static int gssx_dec_option_array(struct xdr_stream *xdr,
+
+ /* option buffer */
+ p = xdr_inline_decode(xdr, 4);
+- if (unlikely(p == NULL))
+- return -ENOSPC;
++ if (unlikely(p == NULL)) {
++ err = -ENOSPC;
++ goto free_creds;
++ }
+
+ length = be32_to_cpup(p);
+ p = xdr_inline_decode(xdr, length);
+- if (unlikely(p == NULL))
+- return -ENOSPC;
++ if (unlikely(p == NULL)) {
++ err = -ENOSPC;
++ goto free_creds;
++ }
+
+ if (length == sizeof(CREDS_VALUE) &&
+ memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) {
+ /* We have creds here. parse them */
+ err = gssx_dec_linux_creds(xdr, creds);
+ if (err)
+- return err;
++ goto free_creds;
+ oa->data[0].value.len = 1; /* presence */
+ } else {
+ /* consume uninteresting buffer */
+ err = gssx_dec_buffer(xdr, &dummy);
+ if (err)
+- return err;
++ goto free_creds;
+ }
+ }
+ return 0;
++
++free_creds:
++ kfree(creds);
++free_oa:
++ kfree(oa->data);
++ oa->data = NULL;
++ return err;
+ }
+
+ static int gssx_dec_status(struct xdr_stream *xdr,
+--
+2.43.0
+
--- /dev/null
+From c9227223ece390ecdf8d64bc31806769fba4d49b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 14:23:49 +0000
+Subject: tcp: fix incorrect parameter validation in the do_tcp_getsockopt()
+ function
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 716edc9706deb3bb2ff56e2eeb83559cea8f22db ]
+
+The 'len' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'len' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index a5c15e2d193f6..2e874ec859715 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3742,11 +3742,11 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+- len = min_t(unsigned int, len, sizeof(int));
+-
+ if (len < 0)
+ return -EINVAL;
+
++ len = min_t(unsigned int, len, sizeof(int));
++
+ switch (optname) {
+ case TCP_MAXSEG:
+ val = tp->mss_cache;
+--
+2.43.0
+
--- /dev/null
+From 2b93b8b3152334f66b84b136e99e5c9c162e4ff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 08:38:40 +0100
+Subject: timekeeping: Fix cross-timestamp interpolation corner case decision
+
+From: Peter Hilber <peter.hilber@opensynergy.com>
+
+[ Upstream commit 87a41130881995f82f7adbafbfeddaebfb35f0ef ]
+
+The cycle_between() helper checks if parameter test is in the open interval
+(before, after). Colloquially speaking, this also applies to the counter
+wrap-around special case before > after. get_device_system_crosststamp()
+currently uses cycle_between() at the first call site to decide whether to
+interpolate for older counter readings.
+
+get_device_system_crosststamp() has the following problem with
+cycle_between() testing against an open interval: Assume that, by chance,
+cycles == tk->tkr_mono.cycle_last (in the following, "cycle_last" for
+brevity). Then, cycle_between() at the first call site, with effective
+argument values cycle_between(cycle_last, cycles, now), returns false,
+enabling interpolation. During interpolation,
+get_device_system_crosststamp() will then call cycle_between() at the
+second call site (if a history_begin was supplied). The effective argument
+values are cycle_between(history_begin->cycles, cycles, cycles), since
+system_counterval.cycles == interval_start == cycles, per the assumption.
+Due to the test against the open interval, cycle_between() returns false
+again. This causes get_device_system_crosststamp() to return -EINVAL.
+
+This failure should be avoided, since get_device_system_crosststamp() works
+both when cycles follows cycle_last (no interpolation), and when cycles
+precedes cycle_last (interpolation). For the case cycles == cycle_last,
+interpolation is actually unneeded.
+
+Fix this by changing cycle_between() into timestamp_in_interval(), which
+now checks against the closed interval, rather than the open interval.
+
+This changes the get_device_system_crosststamp() behavior for three corner
+cases:
+
+1. Bypass interpolation in the case cycles == tk->tkr_mono.cycle_last,
+ fixing the problem described above.
+
+2. At the first timestamp_in_interval() call site, cycles == now no longer
+ causes failure.
+
+3. At the second timestamp_in_interval() call site, history_begin->cycles
+ == system_counterval.cycles no longer causes failure.
+ adjust_historical_crosststamp() also works for this corner case,
+ where partial_history_cycles == total_history_cycles.
+
+These behavioral changes should not cause any problems.
+
+Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices")
+Signed-off-by: Peter Hilber <peter.hilber@opensynergy.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20231218073849.35294-3-peter.hilber@opensynergy.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timekeeping.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index 6a8a610b19717..6f615db414769 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -1167,13 +1167,15 @@ static int adjust_historical_crosststamp(struct system_time_snapshot *history,
+ }
+
+ /*
+- * cycle_between - true if test occurs chronologically between before and after
++ * timestamp_in_interval - true if ts is chronologically in [start, end]
++ *
++ * True if ts occurs chronologically at or after start, and before or at end.
+ */
+-static bool cycle_between(u64 before, u64 test, u64 after)
++static bool timestamp_in_interval(u64 start, u64 end, u64 ts)
+ {
+- if (test > before && test < after)
++ if (ts >= start && ts <= end)
+ return true;
+- if (before > after && (test > before || test < after))
++ if (start > end && (ts >= start || ts <= end))
+ return true;
+ return false;
+ }
+@@ -1233,7 +1235,7 @@ int get_device_system_crosststamp(int (*get_time_fn)
+ */
+ now = tk_clock_read(&tk->tkr_mono);
+ interval_start = tk->tkr_mono.cycle_last;
+- if (!cycle_between(interval_start, cycles, now)) {
++ if (!timestamp_in_interval(interval_start, now, cycles)) {
+ clock_was_set_seq = tk->clock_was_set_seq;
+ cs_was_changed_seq = tk->cs_was_changed_seq;
+ cycles = interval_start;
+@@ -1264,13 +1266,13 @@ int get_device_system_crosststamp(int (*get_time_fn)
+ bool discontinuity;
+
+ /*
+- * Check that the counter value occurs after the provided
++ * Check that the counter value is not before the provided
+ * history reference and that the history doesn't cross a
+ * clocksource change
+ */
+ if (!history_begin ||
+- !cycle_between(history_begin->cycles,
+- system_counterval.cycles, cycles) ||
++ !timestamp_in_interval(history_begin->cycles,
++ cycles, system_counterval.cycles) ||
+ history_begin->cs_was_changed_seq != cs_was_changed_seq)
+ return -EINVAL;
+ partial_history_cycles = cycles - system_counterval.cycles;
+--
+2.43.0
+
--- /dev/null
+From 69621d4243673b3fb24ca02f8573006d279ca02a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 08:38:41 +0100
+Subject: timekeeping: Fix cross-timestamp interpolation for non-x86
+
+From: Peter Hilber <peter.hilber@opensynergy.com>
+
+[ Upstream commit 14274d0bd31b4debf28284604589f596ad2e99f2 ]
+
+So far, get_device_system_crosststamp() unconditionally passes
+system_counterval.cycles to timekeeping_cycles_to_ns(). But when
+interpolating system time (do_interp == true), system_counterval.cycles is
+before tkr_mono.cycle_last, contrary to the timekeeping_cycles_to_ns()
+expectations.
+
+On x86, CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE will mitigate on
+interpolating, setting delta to 0. With delta == 0, xtstamp->sys_monoraw
+and xtstamp->sys_realtime are then set to the last update time, as
+implicitly expected by adjust_historical_crosststamp(). On other
+architectures, the resulting nonsense xtstamp->sys_monoraw and
+xtstamp->sys_realtime corrupt the xtstamp (ts) adjustment in
+adjust_historical_crosststamp().
+
+Fix this by deriving xtstamp->sys_monoraw and xtstamp->sys_realtime from
+the last update time when interpolating, by using the local variable
+"cycles". The local variable already has the right value when
+interpolating, unlike system_counterval.cycles.
+
+Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices")
+Signed-off-by: Peter Hilber <peter.hilber@opensynergy.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://lore.kernel.org/r/20231218073849.35294-4-peter.hilber@opensynergy.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timekeeping.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index 6f615db414769..629a07e6a0bfc 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -1248,10 +1248,8 @@ int get_device_system_crosststamp(int (*get_time_fn)
+ tk_core.timekeeper.offs_real);
+ base_raw = tk->tkr_raw.base;
+
+- nsec_real = timekeeping_cycles_to_ns(&tk->tkr_mono,
+- system_counterval.cycles);
+- nsec_raw = timekeeping_cycles_to_ns(&tk->tkr_raw,
+- system_counterval.cycles);
++ nsec_real = timekeeping_cycles_to_ns(&tk->tkr_mono, cycles);
++ nsec_raw = timekeeping_cycles_to_ns(&tk->tkr_raw, cycles);
+ } while (read_seqcount_retry(&tk_core.seq, seq));
+
+ xtstamp->sys_realtime = ktime_add_ns(base_real, nsec_real);
+--
+2.43.0
+
--- /dev/null
+From e8eaf7d47e03167c19431c65a05fc236c4cb0f9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 08:38:39 +0100
+Subject: timekeeping: Fix cross-timestamp interpolation on counter wrap
+
+From: Peter Hilber <peter.hilber@opensynergy.com>
+
+[ Upstream commit 84dccadd3e2a3f1a373826ad71e5ced5e76b0c00 ]
+
+cycle_between() decides whether get_device_system_crosststamp() will
+interpolate for older counter readings.
+
+cycle_between() yields wrong results for a counter wrap-around where after
+< before < test, and for the case after < test < before.
+
+Fix the comparison logic.
+
+Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices")
+Signed-off-by: Peter Hilber <peter.hilber@opensynergy.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://lore.kernel.org/r/20231218073849.35294-2-peter.hilber@opensynergy.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timekeeping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index d9b48f7a35e0d..6a8a610b19717 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -1173,7 +1173,7 @@ static bool cycle_between(u64 before, u64 test, u64 after)
+ {
+ if (test > before && test < after)
+ return true;
+- if (test < before && before > after)
++ if (before > after && (test > before || test < after))
+ return true;
+ return false;
+ }
+--
+2.43.0
+
--- /dev/null
+From 5a8a979d77e07872716a53a9bab350905f37ed00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 14:23:50 +0000
+Subject: udp: fix incorrect parameter validation in the udp_lib_getsockopt()
+ function
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 4bb3ba7b74fceec6f558745b25a43c6521cf5506 ]
+
+The 'len' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'len' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 476f79f1563a8..b2541c7d7c87f 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2748,11 +2748,11 @@ int udp_lib_getsockopt(struct sock *sk, int level, int optname,
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+- len = min_t(unsigned int, len, sizeof(int));
+-
+ if (len < 0)
+ return -EINVAL;
+
++ len = min_t(unsigned int, len, sizeof(int));
++
+ switch (optname) {
+ case UDP_CORK:
+ val = READ_ONCE(up->corkflag);
+--
+2.43.0
+
--- /dev/null
+From 2160477ac787a4d299b2d59af1d7af8e59afe074 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 13:27:23 -0500
+Subject: watchdog: stm32_iwdg: initialize default timeout
+
+From: Ben Wolsieffer <ben.wolsieffer@hefring.com>
+
+[ Upstream commit dbd7c0088b7f44aa0b9276ed3449df075a7b5b54 ]
+
+The driver never sets a default timeout value, therefore it is
+initialized to zero. When CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED is
+enabled, the watchdog is started during probe. The kernel is supposed to
+automatically ping the watchdog from this point until userspace takes
+over, but this does not happen if the configured timeout is zero. A zero
+timeout causes watchdog_need_worker() to return false, so the heartbeat
+worker does not run and the system therefore resets soon after the
+driver is probed.
+
+This patch fixes this by setting an arbitrary non-zero default timeout.
+The default could be read from the hardware instead, but I didn't see
+any reason to add this complexity.
+
+This has been tested on an STM32F746.
+
+Fixes: 85fdc63fe256 ("drivers: watchdog: stm32_iwdg: set WDOG_HW_RUNNING at probe")
+Signed-off-by: Ben Wolsieffer <ben.wolsieffer@hefring.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20240228182723.12855-1-ben.wolsieffer@hefring.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/stm32_iwdg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/watchdog/stm32_iwdg.c b/drivers/watchdog/stm32_iwdg.c
+index 25188d6bbe152..16dd1aab7c676 100644
+--- a/drivers/watchdog/stm32_iwdg.c
++++ b/drivers/watchdog/stm32_iwdg.c
+@@ -21,6 +21,8 @@
+ #include <linux/platform_device.h>
+ #include <linux/watchdog.h>
+
++#define DEFAULT_TIMEOUT 10
++
+ /* IWDG registers */
+ #define IWDG_KR 0x00 /* Key register */
+ #define IWDG_PR 0x04 /* Prescaler Register */
+@@ -254,6 +256,7 @@ static int stm32_iwdg_probe(struct platform_device *pdev)
+ wdd->parent = dev;
+ wdd->info = &stm32_iwdg_info;
+ wdd->ops = &stm32_iwdg_ops;
++ wdd->timeout = DEFAULT_TIMEOUT;
+ wdd->min_timeout = DIV_ROUND_UP((RLR_MIN + 1) * PR_MIN, wdt->rate);
+ wdd->max_hw_heartbeat_ms = ((RLR_MAX + 1) * wdt->data->max_prescaler *
+ 1000) / wdt->rate;
+--
+2.43.0
+
--- /dev/null
+From ad6e3a384ed9e966aec5e3736af23bd01dafc26d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Dec 2023 13:29:01 +0200
+Subject: wifi: ath10k: fix NULL pointer dereference in
+ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
+
+From: Xingyuan Mo <hdthky0@gmail.com>
+
+[ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ]
+
+We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is
+present before accessing it, otherwise a null pointer deference error will
+occur.
+
+Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
+Signed-off-by: Xingyuan Mo <hdthky0@gmail.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index 4f2fbc610d798..0eeb74245372f 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -844,6 +844,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb,
+ }
+
+ ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT];
++ if (!ev) {
++ kfree(tb);
++ return -EPROTO;
++ }
+
+ arg->desc_id = ev->desc_id;
+ arg->status = ev->status;
+--
+2.43.0
+
--- /dev/null
+From e19bf486923dc1967895c1ba16bdbc353db48ed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jan 2024 15:02:17 +0100
+Subject: wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is
+ complete
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 24355fcb0d4cbcb6ddda262596558e8cfba70f11 ]
+
+The ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data
+structures have been fully initialised by the time it runs. However, because of
+the order in which things are initialised, this is not guaranteed to be the
+case, because the device is exposed to the USB subsystem before the ath9k driver
+initialisation is completed.
+
+We already committed a partial fix for this in commit:
+8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()")
+
+However, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event
+tasklet, pairing it with an "initialisation complete" bit in the TX struct. It
+seems syzbot managed to trigger the race for one of the other commands as well,
+so let's just move the existing synchronisation bit to cover the whole
+tasklet (setting it at the end of ath9k_htc_probe_device() instead of inside
+ath9k_tx_init()).
+
+Link: https://lore.kernel.org/r/ed1d2c66-1193-4c81-9542-d514c29ba8b8.bugreport@ubisectech.com
+Fixes: 8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()")
+Reported-by: Ubisectech Sirius <bugreport@ubisectech.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240126140218.1033443-1-toke@toke.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc.h | 2 +-
+ drivers/net/wireless/ath/ath9k/htc_drv_init.c | 4 ++++
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 4 ----
+ drivers/net/wireless/ath/ath9k/wmi.c | 10 ++++++----
+ 4 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h
+index 237f4ec2cffd7..6c33e898b3000 100644
+--- a/drivers/net/wireless/ath/ath9k/htc.h
++++ b/drivers/net/wireless/ath/ath9k/htc.h
+@@ -306,7 +306,6 @@ struct ath9k_htc_tx {
+ DECLARE_BITMAP(tx_slot, MAX_TX_BUF_NUM);
+ struct timer_list cleanup_timer;
+ spinlock_t tx_lock;
+- bool initialized;
+ };
+
+ struct ath9k_htc_tx_ctl {
+@@ -515,6 +514,7 @@ struct ath9k_htc_priv {
+ unsigned long ps_usecount;
+ bool ps_enabled;
+ bool ps_idle;
++ bool initialized;
+
+ #ifdef CONFIG_MAC80211_LEDS
+ enum led_brightness brightness;
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+index 96a3185a96d75..b014185373f34 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+@@ -966,6 +966,10 @@ int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev,
+
+ htc_handle->drv_priv = priv;
+
++ /* Allow ath9k_wmi_event_tasklet() to operate. */
++ smp_wmb();
++ priv->initialized = true;
++
+ return 0;
+
+ err_init:
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+index 5037142c5a822..95146ec754d5c 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -810,10 +810,6 @@ int ath9k_tx_init(struct ath9k_htc_priv *priv)
+ skb_queue_head_init(&priv->tx.data_vo_queue);
+ skb_queue_head_init(&priv->tx.tx_failed);
+
+- /* Allow ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) to operate. */
+- smp_wmb();
+- priv->tx.initialized = true;
+-
+ return 0;
+ }
+
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
+index 1476b42b52a91..805ad31edba2b 100644
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -155,6 +155,12 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t)
+ }
+ spin_unlock_irqrestore(&wmi->wmi_lock, flags);
+
++ /* Check if ath9k_htc_probe_device() completed. */
++ if (!data_race(priv->initialized)) {
++ kfree_skb(skb);
++ continue;
++ }
++
+ hdr = (struct wmi_cmd_hdr *) skb->data;
+ cmd_id = be16_to_cpu(hdr->command_id);
+ wmi_event = skb_pull(skb, sizeof(struct wmi_cmd_hdr));
+@@ -169,10 +175,6 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t)
+ &wmi->drv_priv->fatal_work);
+ break;
+ case WMI_TXSTATUS_EVENTID:
+- /* Check if ath9k_tx_init() completed. */
+- if (!data_race(priv->tx.initialized))
+- break;
+-
+ spin_lock_bh(&priv->tx.tx_lock);
+ if (priv->tx.flags & ATH9K_HTC_OP_TX_DRAIN) {
+ spin_unlock_bh(&priv->tx.tx_lock);
+--
+2.43.0
+
--- /dev/null
+From 0dfb9f523bc6523a9da5e529e66705a29068ff22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Dec 2023 05:03:58 +0000
+Subject: wifi: b43: Disable QoS for bcm4331
+
+From: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+
+[ Upstream commit 09795bded2e725443fe4a4803cae2079cdaf7b26 ]
+
+bcm4331 seems to not function correctly with QoS support. This may be due
+to issues with currently available firmware or potentially a device
+specific issue.
+
+When queues that are not of the default "best effort" priority are
+selected, traffic appears to not transmit out of the hardware while no
+errors are returned. This behavior is present among all the other priority
+queues: video, voice, and background. While this can be worked around by
+setting a kernel parameter, the default behavior is problematic for most
+users and may be difficult to debug. This patch offers a working out-of-box
+experience for bcm4331 users.
+
+Log of the issue (using ssh low-priority traffic as an example):
+ ssh -T -vvvv git@github.com
+ OpenSSH_9.6p1, OpenSSL 3.0.12 24 Oct 2023
+ debug1: Reading configuration data /etc/ssh/ssh_config
+ debug2: checking match for 'host * exec "/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0rypm7sh1i8js8w-gnupg-2.4.1/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1'"' host github.com originally github.com
+ debug3: /etc/ssh/ssh_config line 5: matched 'host "github.com"'
+ debug1: Executing command: '/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0rypm7sh1i8js8w-gnupg-2.4.1/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1''
+ debug3: command returned status 0
+ debug3: /etc/ssh/ssh_config line 5: matched 'exec "/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0r"'
+ debug2: match found
+ debug1: /etc/ssh/ssh_config line 9: Applying options for *
+ debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/binary-eater/.ssh/known_hosts'
+ debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/binary-eater/.ssh/known_hosts2'
+ debug2: resolving "github.com" port 22
+ debug3: resolve_host: lookup github.com:22
+ debug3: channel_clear_timeouts: clearing
+ debug3: ssh_connect_direct: entering
+ debug1: Connecting to github.com [192.30.255.113] port 22.
+ debug3: set_sock_tos: set socket 3 IP_TOS 0x48
+
+Fixes: e6f5b934fba8 ("b43: Add QOS support")
+Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231231050300.122806-5-sergeantsagara@protonmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c
+index 6100c0d2a7f3c..29f97ab9b72a6 100644
+--- a/drivers/net/wireless/broadcom/b43/main.c
++++ b/drivers/net/wireless/broadcom/b43/main.c
+@@ -2587,7 +2587,8 @@ static void b43_request_firmware(struct work_struct *work)
+
+ start_ieee80211:
+ wl->hw->queues = B43_QOS_QUEUE_NUM;
+- if (!modparam_qos || dev->fw.opensource)
++ if (!modparam_qos || dev->fw.opensource ||
++ dev->dev->chip_id == BCMA_CHIP_ID_BCM4331)
+ wl->hw->queues = 1;
+
+ err = ieee80211_register_hw(wl->hw);
+--
+2.43.0
+
--- /dev/null
+From 1ec48c3a9a3b2317b445a9929226d2481346d0f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Dec 2023 05:03:51 +0000
+Subject: wifi: b43: Stop correct queue in DMA worker when QoS is disabled
+
+From: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+
+[ Upstream commit 581c8967d66c4961076dbbee356834e9c6777184 ]
+
+When QoS is disabled, the queue priority value will not map to the correct
+ieee80211 queue since there is only one queue. Stop queue 0 when QoS is
+disabled to prevent trying to stop a non-existent queue and failing to stop
+the actual queue instantiated.
+
+Fixes: bad691946966 ("b43: avoid packet losses in the dma worker code.")
+Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231231050300.122806-4-sergeantsagara@protonmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/main.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c
+index f175dbaffc300..6100c0d2a7f3c 100644
+--- a/drivers/net/wireless/broadcom/b43/main.c
++++ b/drivers/net/wireless/broadcom/b43/main.c
+@@ -3603,7 +3603,7 @@ static void b43_tx_work(struct work_struct *work)
+ err = b43_dma_tx(dev, skb);
+ if (err == -ENOSPC) {
+ wl->tx_queue_stopped[queue_num] = true;
+- ieee80211_stop_queue(wl->hw, queue_num);
++ b43_stop_queue(dev, queue_num);
+ skb_queue_head(&wl->tx_queue[queue_num], skb);
+ break;
+ }
+@@ -3627,6 +3627,7 @@ static void b43_op_tx(struct ieee80211_hw *hw,
+ struct sk_buff *skb)
+ {
+ struct b43_wl *wl = hw_to_b43_wl(hw);
++ u16 skb_queue_mapping;
+
+ if (unlikely(skb->len < 2 + 2 + 6)) {
+ /* Too short, this can't be a valid frame. */
+@@ -3635,12 +3636,12 @@ static void b43_op_tx(struct ieee80211_hw *hw,
+ }
+ B43_WARN_ON(skb_shinfo(skb)->nr_frags);
+
+- skb_queue_tail(&wl->tx_queue[skb->queue_mapping], skb);
+- if (!wl->tx_queue_stopped[skb->queue_mapping]) {
++ skb_queue_mapping = skb_get_queue_mapping(skb);
++ skb_queue_tail(&wl->tx_queue[skb_queue_mapping], skb);
++ if (!wl->tx_queue_stopped[skb_queue_mapping])
+ ieee80211_queue_work(wl->hw, &wl->tx_work);
+- } else {
+- ieee80211_stop_queue(wl->hw, skb->queue_mapping);
+- }
++ else
++ b43_stop_queue(wl->current_dev, skb_queue_mapping);
+ }
+
+ static void b43_qos_params_upload(struct b43_wldev *dev,
+--
+2.43.0
+
--- /dev/null
+From ee8259e069114d3e955b471b9367a201b839d1a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Dec 2023 05:03:33 +0000
+Subject: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is
+ disabled
+
+From: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+
+[ Upstream commit 9636951e4468f02c72cc75a82dc65d003077edbc ]
+
+When QoS is disabled, the queue priority value will not map to the correct
+ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS
+is disabled to prevent trying to stop/wake a non-existent queue and failing
+to stop/wake the actual queue instantiated.
+
+Log of issue before change (with kernel parameter qos=0):
+ [ +5.112651] ------------[ cut here ]------------
+ [ +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]
+ [ +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3
+ [ +0.000044] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common
+ [ +0.000055] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]
+ [ +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G W O 6.6.7 #1-NixOS
+ [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019
+ [ +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]
+ [ +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00
+ [ +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097
+ [ +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000
+ [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900
+ [ +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0
+ [ +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000
+ [ +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40
+ [ +0.000001] FS: 0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000
+ [ +0.000001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ +0.000001] CR2: 00007fafda7ae008 CR3: 000000046d220005 CR4: 00000000000606e0
+ [ +0.000002] Call Trace:
+ [ +0.000003] <TASK>
+ [ +0.000001] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211]
+ [ +0.000044] ? __warn+0x81/0x130
+ [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211]
+ [ +0.000045] ? report_bug+0x171/0x1a0
+ [ +0.000004] ? handle_bug+0x41/0x70
+ [ +0.000004] ? exc_invalid_op+0x17/0x70
+ [ +0.000003] ? asm_exc_invalid_op+0x1a/0x20
+ [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211]
+ [ +0.000043] ieee80211_wake_queue+0x4a/0x80 [mac80211]
+ [ +0.000044] b43_dma_handle_txstatus+0x29c/0x3a0 [b43]
+ [ +0.000016] ? __pfx_irq_thread_fn+0x10/0x10
+ [ +0.000002] b43_handle_txstatus+0x61/0x80 [b43]
+ [ +0.000012] b43_interrupt_thread_handler+0x3f9/0x6b0 [b43]
+ [ +0.000011] irq_thread_fn+0x23/0x60
+ [ +0.000002] irq_thread+0xfe/0x1c0
+ [ +0.000002] ? __pfx_irq_thread_dtor+0x10/0x10
+ [ +0.000001] ? __pfx_irq_thread+0x10/0x10
+ [ +0.000001] kthread+0xe8/0x120
+ [ +0.000003] ? __pfx_kthread+0x10/0x10
+ [ +0.000003] ret_from_fork+0x34/0x50
+ [ +0.000002] ? __pfx_kthread+0x10/0x10
+ [ +0.000002] ret_from_fork_asm+0x1b/0x30
+ [ +0.000004] </TASK>
+ [ +0.000001] ---[ end trace 0000000000000000 ]---
+
+ [ +0.000065] ------------[ cut here ]------------
+ [ +0.000001] WARNING: CPU: 0 PID: 56077 at net/mac80211/util.c:514 __ieee80211_stop_queue+0xcc/0xe0 [mac80211]
+ [ +0.000077] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3
+ [ +0.000073] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common
+ [ +0.000084] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43]
+ [ +0.000012] CPU: 0 PID: 56077 Comm: kworker/u16:17 Tainted: G W O 6.6.7 #1-NixOS
+ [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019
+ [ +0.000001] Workqueue: phy7 b43_tx_work [b43]
+ [ +0.000019] RIP: 0010:__ieee80211_stop_queue+0xcc/0xe0 [mac80211]
+ [ +0.000076] Code: 74 11 48 8b 78 08 0f b7 d6 89 e9 4c 89 e6 e8 ab f4 00 00 65 ff 0d 9c b7 34 3f 0f 85 55 ff ff ff 0f 1f 44 00 00 e9 4b ff ff ff <0f> 0b 5b 5d 41 5c 41 5d c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90
+ [ +0.000002] RSP: 0000:ffffc90004157d50 EFLAGS: 00010097
+ [ +0.000002] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000
+ [ +0.000002] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8882d65d0900
+ [ +0.000002] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
+ [ +0.000001] R10: 00000000000000ff R11: ffff88814d0155a0 R12: ffff8882d65d0900
+ [ +0.000002] R13: 0000000000000000 R14: ffff8881002d2800 R15: 00000000000000d0
+ [ +0.000002] FS: 0000000000000000(0000) GS:ffff88846f800000(0000) knlGS:0000000000000000
+ [ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ +0.000002] CR2: 00007f2e8c10c880 CR3: 0000000385b66005 CR4: 00000000000606f0
+ [ +0.000002] Call Trace:
+ [ +0.000001] <TASK>
+ [ +0.000001] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211]
+ [ +0.000075] ? __warn+0x81/0x130
+ [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211]
+ [ +0.000075] ? report_bug+0x171/0x1a0
+ [ +0.000005] ? handle_bug+0x41/0x70
+ [ +0.000003] ? exc_invalid_op+0x17/0x70
+ [ +0.000004] ? asm_exc_invalid_op+0x1a/0x20
+ [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211]
+ [ +0.000076] ieee80211_stop_queue+0x36/0x50 [mac80211]
+ [ +0.000077] b43_dma_tx+0x550/0x780 [b43]
+ [ +0.000023] b43_tx_work+0x90/0x130 [b43]
+ [ +0.000018] process_one_work+0x174/0x340
+ [ +0.000003] worker_thread+0x27b/0x3a0
+ [ +0.000004] ? __pfx_worker_thread+0x10/0x10
+ [ +0.000002] kthread+0xe8/0x120
+ [ +0.000003] ? __pfx_kthread+0x10/0x10
+ [ +0.000004] ret_from_fork+0x34/0x50
+ [ +0.000002] ? __pfx_kthread+0x10/0x10
+ [ +0.000003] ret_from_fork_asm+0x1b/0x30
+ [ +0.000006] </TASK>
+ [ +0.000001] ---[ end trace 0000000000000000 ]---
+
+Fixes: e6f5b934fba8 ("b43: Add QOS support")
+Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231231050300.122806-2-sergeantsagara@protonmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/b43.h | 16 ++++++++++++++++
+ drivers/net/wireless/broadcom/b43/dma.c | 4 ++--
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/b43.h b/drivers/net/wireless/broadcom/b43/b43.h
+index 67b4bac048e58..c0d8fc0b22fb2 100644
+--- a/drivers/net/wireless/broadcom/b43/b43.h
++++ b/drivers/net/wireless/broadcom/b43/b43.h
+@@ -1082,6 +1082,22 @@ static inline bool b43_using_pio_transfers(struct b43_wldev *dev)
+ return dev->__using_pio_transfers;
+ }
+
++static inline void b43_wake_queue(struct b43_wldev *dev, int queue_prio)
++{
++ if (dev->qos_enabled)
++ ieee80211_wake_queue(dev->wl->hw, queue_prio);
++ else
++ ieee80211_wake_queue(dev->wl->hw, 0);
++}
++
++static inline void b43_stop_queue(struct b43_wldev *dev, int queue_prio)
++{
++ if (dev->qos_enabled)
++ ieee80211_stop_queue(dev->wl->hw, queue_prio);
++ else
++ ieee80211_stop_queue(dev->wl->hw, 0);
++}
++
+ /* Message printing */
+ __printf(2, 3) void b43info(struct b43_wl *wl, const char *fmt, ...);
+ __printf(2, 3) void b43err(struct b43_wl *wl, const char *fmt, ...);
+diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c
+index 9a7c62bd5e431..cfaf2f9d67b22 100644
+--- a/drivers/net/wireless/broadcom/b43/dma.c
++++ b/drivers/net/wireless/broadcom/b43/dma.c
+@@ -1399,7 +1399,7 @@ int b43_dma_tx(struct b43_wldev *dev, struct sk_buff *skb)
+ should_inject_overflow(ring)) {
+ /* This TX ring is full. */
+ unsigned int skb_mapping = skb_get_queue_mapping(skb);
+- ieee80211_stop_queue(dev->wl->hw, skb_mapping);
++ b43_stop_queue(dev, skb_mapping);
+ dev->wl->tx_queue_stopped[skb_mapping] = true;
+ ring->stopped = true;
+ if (b43_debug(dev, B43_DBG_DMAVERBOSE)) {
+@@ -1570,7 +1570,7 @@ void b43_dma_handle_txstatus(struct b43_wldev *dev,
+ } else {
+ /* If the driver queue is running wake the corresponding
+ * mac80211 queue. */
+- ieee80211_wake_queue(dev->wl->hw, ring->queue_prio);
++ b43_wake_queue(dev, ring->queue_prio);
+ if (b43_debug(dev, B43_DBG_DMAVERBOSE)) {
+ b43dbg(dev->wl, "Woke up TX ring %d\n", ring->index);
+ }
+--
+2.43.0
+
--- /dev/null
+From 15c13277fdc7f05930d4ddce6e448975356e087c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Dec 2023 05:03:45 +0000
+Subject: wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is
+ disabled
+
+From: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+
+[ Upstream commit 77135a38f6c2f950d2306ac3d37cbb407e6243f2 ]
+
+When QoS is disabled, the queue priority value will not map to the correct
+ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS
+is disabled to prevent trying to stop/wake a non-existent queue and failing
+to stop/wake the actual queue instantiated.
+
+Fixes: 5100d5ac81b9 ("b43: Add PIO support for PCMCIA devices")
+Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231231050300.122806-3-sergeantsagara@protonmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/pio.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/pio.c b/drivers/net/wireless/broadcom/b43/pio.c
+index 8c28a9250cd19..cc19b589fa70d 100644
+--- a/drivers/net/wireless/broadcom/b43/pio.c
++++ b/drivers/net/wireless/broadcom/b43/pio.c
+@@ -525,7 +525,7 @@ int b43_pio_tx(struct b43_wldev *dev, struct sk_buff *skb)
+ if (total_len > (q->buffer_size - q->buffer_used)) {
+ /* Not enough memory on the queue. */
+ err = -EBUSY;
+- ieee80211_stop_queue(dev->wl->hw, skb_get_queue_mapping(skb));
++ b43_stop_queue(dev, skb_get_queue_mapping(skb));
+ q->stopped = true;
+ goto out;
+ }
+@@ -552,7 +552,7 @@ int b43_pio_tx(struct b43_wldev *dev, struct sk_buff *skb)
+ if (((q->buffer_size - q->buffer_used) < roundup(2 + 2 + 6, 4)) ||
+ (q->free_packet_slots == 0)) {
+ /* The queue is full. */
+- ieee80211_stop_queue(dev->wl->hw, skb_get_queue_mapping(skb));
++ b43_stop_queue(dev, skb_get_queue_mapping(skb));
+ q->stopped = true;
+ }
+
+@@ -587,7 +587,7 @@ void b43_pio_handle_txstatus(struct b43_wldev *dev,
+ list_add(&pack->list, &q->packets_list);
+
+ if (q->stopped) {
+- ieee80211_wake_queue(dev->wl->hw, q->queue_prio);
++ b43_wake_queue(dev, q->queue_prio);
+ q->stopped = false;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 63a4e436ca9511d4aaf660aada2f6ac7afa3b24c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 11:05:37 +0100
+Subject: wifi: brcmsmac: avoid function pointer casts
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit e1ea6db35fc3ba5ff063f097385e9f7a88c25356 ]
+
+An old cleanup went a little too far and causes a warning with clang-16
+and higher as it breaks control flow integrity (KCFI) rules:
+
+drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c:64:34: error: cast from 'void (*)(struct brcms_phy *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 64 | brcms_init_timer(physhim->wl, (void (*)(void *))fn,
+ | ^~~~~~~~~~~~~~~~~~~~
+
+Change this one instance back to passing a void pointer so it can be
+used with the timer callback interface.
+
+Fixes: d89a4c80601d ("staging: brcm80211: removed void * from softmac phy")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20240213100548.457854-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c | 3 ++-
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c | 5 ++---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c
+index ccc621b8ed9f2..4a1fe982a948e 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c
+@@ -383,8 +383,9 @@ struct shared_phy *wlc_phy_shared_attach(struct shared_phy_params *shp)
+ return sh;
+ }
+
+-static void wlc_phy_timercb_phycal(struct brcms_phy *pi)
++static void wlc_phy_timercb_phycal(void *ptr)
+ {
++ struct brcms_phy *pi = ptr;
+ uint delay = 5;
+
+ if (PHY_PERICAL_MPHASE_PENDING(pi)) {
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c
+index a0de5db0cd646..b723817915365 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c
+@@ -57,12 +57,11 @@ void wlc_phy_shim_detach(struct phy_shim_info *physhim)
+ }
+
+ struct wlapi_timer *wlapi_init_timer(struct phy_shim_info *physhim,
+- void (*fn)(struct brcms_phy *pi),
++ void (*fn)(void *pi),
+ void *arg, const char *name)
+ {
+ return (struct wlapi_timer *)
+- brcms_init_timer(physhim->wl, (void (*)(void *))fn,
+- arg, name);
++ brcms_init_timer(physhim->wl, fn, arg, name);
+ }
+
+ void wlapi_free_timer(struct wlapi_timer *t)
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h
+index dd8774717adee..27d0934e600ed 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h
+@@ -131,7 +131,7 @@ void wlc_phy_shim_detach(struct phy_shim_info *physhim);
+
+ /* PHY to WL utility functions */
+ struct wlapi_timer *wlapi_init_timer(struct phy_shim_info *physhim,
+- void (*fn)(struct brcms_phy *pi),
++ void (*fn)(void *pi),
+ void *arg, const char *name);
+ void wlapi_free_timer(struct wlapi_timer *t);
+ void wlapi_add_timer(struct wlapi_timer *t, uint ms, int periodic);
+--
+2.43.0
+
--- /dev/null
+From aff3be5f79a90c7f62bd2ab3fae72cc912d8cba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jan 2024 08:53:53 +0200
+Subject: wifi: iwlwifi: dbg-tlv: ensure NUL termination
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea ]
+
+The iwl_fw_ini_debug_info_tlv is used as a string, so we must
+ensure the string is terminated correctly before using it.
+
+Fixes: a9248de42464 ("iwlwifi: dbg_ini: add TLV allocation new API support")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240128084842.be15e858ee89.Ibff93429cf999eafc7b26f3eef4c055dc84984a0@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+index bcaec8a184cd6..299819d2d1904 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+@@ -155,6 +155,12 @@ static int iwl_dbg_tlv_alloc_debug_info(struct iwl_trans *trans,
+ if (le32_to_cpu(tlv->length) != sizeof(*debug_info))
+ return -EINVAL;
+
++ /* we use this as a string, ensure input was NUL terminated */
++ if (strnlen(debug_info->debug_cfg_name,
++ sizeof(debug_info->debug_cfg_name)) ==
++ sizeof(debug_info->debug_cfg_name))
++ return -EINVAL;
++
+ IWL_DEBUG_FW(trans, "WRT: Loading debug cfg: %s\n",
+ debug_info->debug_cfg_name);
+
+--
+2.43.0
+
--- /dev/null
+From 2580704741086cfc2d2d2325e0dfcad59561309c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jan 2024 21:21:49 +0200
+Subject: wifi: iwlwifi: fix EWRD table validity check
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+[ Upstream commit c8d8f3911135921ace8e939ea0956b55f74bf8a0 ]
+
+EWRD ACPI table contains up to 3 additional sar profiles.
+According to the BIOS spec, the table contains a n_profile
+variable indicating how many additional profiles exist in the
+table.
+Currently we check that n_profiles is not <= 0.
+But according to the BIOS spec, 0 is a valid value,
+and it can't be < 0 anyway because we receive that from ACPI as
+an unsigned integer.
+
+Fixes: 39c1a9728f93 ("iwlwifi: refactor the SAR tables from mvm to acpi")
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://msgid.link/20240129211905.448ea2f40814.Iffd2aadf8e8693e6cb599bee0406a800a0c1e081@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+index 5e4faf9ce4bbe..fc35f8f84376c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+@@ -555,7 +555,7 @@ int iwl_sar_get_ewrd_table(struct iwl_fw_runtime *fwrt)
+ * from index 1, so the maximum value allowed here is
+ * ACPI_SAR_PROFILES_NUM - 1.
+ */
+- if (n_profiles <= 0 || n_profiles >= ACPI_SAR_PROFILE_NUM) {
++ if (n_profiles >= ACPI_SAR_PROFILE_NUM) {
+ ret = -EINVAL;
+ goto out_free;
+ }
+--
+2.43.0
+
--- /dev/null
+From 1bef42e9c8f196c763e3c3739012a5a6a7f8c3a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jan 2024 15:53:34 +0800
+Subject: wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 5f0e4aede01cb01fa633171f0533affd25328c3a ]
+
+In the for statement of lbs_allocate_cmd_buffer(), if the allocation of
+cmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to
+be freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().
+
+Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20240126075336.2825608-1-alexious@zju.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cmd.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cmd.c b/drivers/net/wireless/marvell/libertas/cmd.c
+index a4d9dd73b2588..db9a852fa58a3 100644
+--- a/drivers/net/wireless/marvell/libertas/cmd.c
++++ b/drivers/net/wireless/marvell/libertas/cmd.c
+@@ -1133,7 +1133,7 @@ int lbs_allocate_cmd_buffer(struct lbs_private *priv)
+ if (!cmdarray[i].cmdbuf) {
+ lbs_deb_host("ALLOC_CMD_BUF: ptempvirtualaddr is NULL\n");
+ ret = -1;
+- goto done;
++ goto free_cmd_array;
+ }
+ }
+
+@@ -1141,8 +1141,17 @@ int lbs_allocate_cmd_buffer(struct lbs_private *priv)
+ init_waitqueue_head(&cmdarray[i].cmdwait_q);
+ lbs_cleanup_and_insert_cmd(priv, &cmdarray[i]);
+ }
+- ret = 0;
++ return 0;
+
++free_cmd_array:
++ for (i = 0; i < LBS_NUM_CMD_BUFFERS; i++) {
++ if (cmdarray[i].cmdbuf) {
++ kfree(cmdarray[i].cmdbuf);
++ cmdarray[i].cmdbuf = NULL;
++ }
++ }
++ kfree(priv->cmd_array);
++ priv->cmd_array = NULL;
+ done:
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 7808ba7627a5640b1df307d54e1d5aed72a93621 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Sep 2023 11:02:15 +0800
+Subject: wifi: mwifiex: debugfs: Drop unnecessary error check for
+ debugfs_create_dir()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 50180c7f8e3de7c2d87f619131776598fcb1478d ]
+
+debugfs_create_dir() returns ERR_PTR and never return NULL.
+
+As Russell suggested, this patch removes the error checking for
+debugfs_create_dir(). This is because the DebugFS kernel API is developed
+in a way that the caller can safely ignore the errors that occur during
+the creation of DebugFS nodes. The debugfs APIs have a IS_ERR() judge in
+start_creating() which can handle it gracefully. So these checks are
+unnecessary.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Suggested-by: Russell King (Oracle) <linux@armlinux.org.uk>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20230903030216.1509013-3-ruanjinjie@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/debugfs.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c
+index 1e7dc724c6a94..d48a3e0b36060 100644
+--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c
++++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c
+@@ -976,9 +976,6 @@ mwifiex_dev_debugfs_init(struct mwifiex_private *priv)
+ priv->dfs_dev_dir = debugfs_create_dir(priv->netdev->name,
+ mwifiex_dfs_dir);
+
+- if (!priv->dfs_dev_dir)
+- return;
+-
+ MWIFIEX_DFS_ADD_FILE(info);
+ MWIFIEX_DFS_ADD_FILE(debug);
+ MWIFIEX_DFS_ADD_FILE(getlog);
+--
+2.43.0
+
--- /dev/null
+From 2971b6c8e2c29005cdd77734f4e10e527a5b1a14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jan 2024 17:36:27 +0100
+Subject: wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work
+
+From: Martin Kaistra <martin.kaistra@linutronix.de>
+
+[ Upstream commit 1213acb478a7181cd73eeaf00db430f1e45b1361 ]
+
+The workqueue might still be running, when the driver is stopped. To
+avoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop().
+
+Fixes: e542e66b7c2e ("rtl8xxxu: add bluetooth co-existence support for single antenna")
+Signed-off-by: Martin Kaistra <martin.kaistra@linutronix.de>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20240111163628.320697-2-martin.kaistra@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 3051fb358fdd5..9efc15e69ae82 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -6483,6 +6483,7 @@ static void rtl8xxxu_stop(struct ieee80211_hw *hw)
+ if (priv->usb_interrupts)
+ rtl8xxxu_write32(priv, REG_USB_HIMR, 0);
+
++ cancel_work_sync(&priv->c2hcmd_work);
+ cancel_delayed_work_sync(&priv->ra_watchdog);
+
+ rtl8xxxu_free_rx_resources(priv);
+--
+2.43.0
+
--- /dev/null
+From 08a6ce351037678057703d62466aa461be5d1cf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 00:35:58 +0200
+Subject: wifi: rtw88: 8821c: Fix false alarm count
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit c238adbc578eeb70cbc8fdd1bef3666b0f585b13 ]
+
+total_fa_cnt is supposed to include cck_fa_cnt and ofdm_fa_cnt, not just
+ofdm_fa_cnt.
+
+Fixes: 960361238b86 ("rtw88: 8821c: add false alarm statistics")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/f3cb6d17-e4e4-44a7-9c9b-72aed994b5c9@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/rtw8821c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8821c.c b/drivers/net/wireless/realtek/rtw88/rtw8821c.c
+index f9615f76f1734..d517f92b6180b 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8821c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8821c.c
+@@ -579,9 +579,9 @@ static void rtw8821c_false_alarm_statistics(struct rtw_dev *rtwdev)
+
+ dm_info->cck_fa_cnt = cck_fa_cnt;
+ dm_info->ofdm_fa_cnt = ofdm_fa_cnt;
++ dm_info->total_fa_cnt = ofdm_fa_cnt;
+ if (cck_enable)
+ dm_info->total_fa_cnt += cck_fa_cnt;
+- dm_info->total_fa_cnt = ofdm_fa_cnt;
+
+ crc32_cnt = rtw_read32(rtwdev, REG_CRC_CCK);
+ dm_info->cck_ok_cnt = FIELD_GET(GENMASK(15, 0), crc32_cnt);
+--
+2.43.0
+
--- /dev/null
+From fda7a1ad0770e30c13fefb8f2392165dc5a3ce3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jan 2024 08:57:32 +0100
+Subject: wifi: wilc1000: fix declarations ordering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré <alexis.lothore@bootlin.com>
+
+[ Upstream commit 535733e90e5d8912ebeccebb05b354a2d06ff459 ]
+
+Reorder parameters declaration in wilc_parse_join_bss_param to enforce
+reverse christmas tree
+
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20240105075733.36331-2-alexis.lothore@bootlin.com
+Stable-dep-of: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
+index 884f45e627a72..bff33f39605b9 100644
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -359,13 +359,13 @@ static void handle_connect_timeout(struct work_struct *work)
+ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ struct cfg80211_crypto_settings *crypto)
+ {
+- struct wilc_join_bss_param *param;
+- struct ieee80211_p2p_noa_attr noa_attr;
+- u8 rates_len = 0;
++ const struct cfg80211_bss_ies *ies = rcu_dereference(bss->ies);
+ const u8 *tim_elm, *ssid_elm, *rates_ie, *supp_rates_ie;
+ const u8 *ht_ie, *wpa_ie, *wmm_ie, *rsn_ie;
++ struct ieee80211_p2p_noa_attr noa_attr;
++ struct wilc_join_bss_param *param;
++ u8 rates_len = 0;
+ int ret;
+- const struct cfg80211_bss_ies *ies = rcu_dereference(bss->ies);
+
+ param = kzalloc(sizeof(*param), GFP_KERNEL);
+ if (!param)
+--
+2.43.0
+
--- /dev/null
+From b9743ffbe56b2d0ad7d3e863c34eca0db3884944 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jan 2024 15:56:34 +0100
+Subject: wifi: wilc1000: fix multi-vif management when deleting a vif
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ajay Singh <ajay.kathat@microchip.com>
+
+[ Upstream commit 12cfc9c8d3faf887a202c89bc312202445fca7e8 ]
+
+Adding then removing a second vif currently makes the first vif not working
+anymore. This is visible for example when we have a first interface
+connected to some access point:
+- create a wpa_supplicant.conf with some AP credentials
+- wpa_supplicant -Dnl80211 -c /etc/wpa_supplicant.conf -i wlan0
+- dhclient wlan0
+- iw phy phy0 interface add wlan1 type managed
+- iw dev wlan1 del
+wlan0 does not manage properly traffic anymore (eg: ping not working)
+
+This is due to vif mode being incorrectly reconfigured with some default
+values in del_virtual_intf, affecting by default first vif.
+
+Prevent first vif from being affected on second vif removal by removing vif
+mode change command in del_virtual_intf
+
+Fixes: 9bc061e88054 ("staging: wilc1000: added support to dynamically add/remove interfaces")
+Signed-off-by: Ajay Singh <ajay.kathat@microchip.com>
+Co-developed-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20240115-wilc_1000_fixes-v1-5-54d29463a738@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/microchip/wilc1000/cfg80211.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+index dd26f20861807..5d4f9e9a81e05 100644
+--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+@@ -1562,7 +1562,6 @@ static int del_virtual_intf(struct wiphy *wiphy, struct wireless_dev *wdev)
+ unregister_netdevice(vif->ndev);
+ vif->monitor_flag = 0;
+
+- wilc_set_operation_mode(vif, 0, 0, 0);
+ mutex_lock(&wl->vif_mutex);
+ list_del_rcu(&vif->list);
+ wl->vif_num--;
+--
+2.43.0
+
--- /dev/null
+From 73f05380c4d82ccb8437f35df28a0f9bc5b75c00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jan 2024 08:57:33 +0100
+Subject: wifi: wilc1000: fix RCU usage in connect path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré <alexis.lothore@bootlin.com>
+
+[ Upstream commit 205c50306acf58a335eb19fa84e40140f4fe814f ]
+
+With lockdep enabled, calls to the connect function from cfg802.11 layer
+lead to the following warning:
+
+=============================
+WARNING: suspicious RCU usage
+6.7.0-rc1-wt+ #333 Not tainted
+-----------------------------
+drivers/net/wireless/microchip/wilc1000/hif.c:386
+suspicious rcu_dereference_check() usage!
+[...]
+stack backtrace:
+CPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333
+Hardware name: Atmel SAMA5
+ unwind_backtrace from show_stack+0x18/0x1c
+ show_stack from dump_stack_lvl+0x34/0x48
+ dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4
+ wilc_parse_join_bss_param from connect+0x2c4/0x648
+ connect from cfg80211_connect+0x30c/0xb74
+ cfg80211_connect from nl80211_connect+0x860/0xa94
+ nl80211_connect from genl_rcv_msg+0x3fc/0x59c
+ genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8
+ netlink_rcv_skb from genl_rcv+0x2c/0x3c
+ genl_rcv from netlink_unicast+0x3b0/0x550
+ netlink_unicast from netlink_sendmsg+0x368/0x688
+ netlink_sendmsg from ____sys_sendmsg+0x190/0x430
+ ____sys_sendmsg from ___sys_sendmsg+0x110/0x158
+ ___sys_sendmsg from sys_sendmsg+0xe8/0x150
+ sys_sendmsg from ret_fast_syscall+0x0/0x1c
+
+This warning is emitted because in the connect path, when trying to parse
+target BSS parameters, we dereference a RCU pointer whithout being in RCU
+critical section.
+Fix RCU dereference usage by moving it to a RCU read critical section. To
+avoid wrapping the whole wilc_parse_join_bss_param under the critical
+section, just use the critical section to copy ies data
+
+Fixes: c460495ee072 ("staging: wilc1000: fix incorrent type in initializer")
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20240105075733.36331-3-alexis.lothore@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 36 ++++++++++++-------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
+index bff33f39605b9..457386f9de990 100644
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -359,38 +359,49 @@ static void handle_connect_timeout(struct work_struct *work)
+ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ struct cfg80211_crypto_settings *crypto)
+ {
+- const struct cfg80211_bss_ies *ies = rcu_dereference(bss->ies);
+- const u8 *tim_elm, *ssid_elm, *rates_ie, *supp_rates_ie;
++ const u8 *ies_data, *tim_elm, *ssid_elm, *rates_ie, *supp_rates_ie;
+ const u8 *ht_ie, *wpa_ie, *wmm_ie, *rsn_ie;
+ struct ieee80211_p2p_noa_attr noa_attr;
++ const struct cfg80211_bss_ies *ies;
+ struct wilc_join_bss_param *param;
+- u8 rates_len = 0;
++ u8 rates_len = 0, ies_len;
+ int ret;
+
+ param = kzalloc(sizeof(*param), GFP_KERNEL);
+ if (!param)
+ return NULL;
+
++ rcu_read_lock();
++ ies = rcu_dereference(bss->ies);
++ ies_data = kmemdup(ies->data, ies->len, GFP_ATOMIC);
++ if (!ies_data) {
++ rcu_read_unlock();
++ kfree(param);
++ return NULL;
++ }
++ ies_len = ies->len;
++ rcu_read_unlock();
++
+ param->beacon_period = cpu_to_le16(bss->beacon_interval);
+ param->cap_info = cpu_to_le16(bss->capability);
+ param->bss_type = WILC_FW_BSS_TYPE_INFRA;
+ param->ch = ieee80211_frequency_to_channel(bss->channel->center_freq);
+ ether_addr_copy(param->bssid, bss->bssid);
+
+- ssid_elm = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
++ ssid_elm = cfg80211_find_ie(WLAN_EID_SSID, ies_data, ies_len);
+ if (ssid_elm) {
+ if (ssid_elm[1] <= IEEE80211_MAX_SSID_LEN)
+ memcpy(param->ssid, ssid_elm + 2, ssid_elm[1]);
+ }
+
+- tim_elm = cfg80211_find_ie(WLAN_EID_TIM, ies->data, ies->len);
++ tim_elm = cfg80211_find_ie(WLAN_EID_TIM, ies_data, ies_len);
+ if (tim_elm && tim_elm[1] >= 2)
+ param->dtim_period = tim_elm[3];
+
+ memset(param->p_suites, 0xFF, 3);
+ memset(param->akm_suites, 0xFF, 3);
+
+- rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len);
++ rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies_data, ies_len);
+ if (rates_ie) {
+ rates_len = rates_ie[1];
+ if (rates_len > WILC_MAX_RATES_SUPPORTED)
+@@ -401,7 +412,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+
+ if (rates_len < WILC_MAX_RATES_SUPPORTED) {
+ supp_rates_ie = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
+- ies->data, ies->len);
++ ies_data, ies_len);
+ if (supp_rates_ie) {
+ u8 ext_rates = supp_rates_ie[1];
+
+@@ -416,11 +427,11 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ }
+ }
+
+- ht_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies->data, ies->len);
++ ht_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies_data, ies_len);
+ if (ht_ie)
+ param->ht_capable = true;
+
+- ret = cfg80211_get_p2p_attr(ies->data, ies->len,
++ ret = cfg80211_get_p2p_attr(ies_data, ies_len,
+ IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
+ (u8 *)&noa_attr, sizeof(noa_attr));
+ if (ret > 0) {
+@@ -444,7 +455,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ }
+ wmm_ie = cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
+ WLAN_OUI_TYPE_MICROSOFT_WMM,
+- ies->data, ies->len);
++ ies_data, ies_len);
+ if (wmm_ie) {
+ struct ieee80211_wmm_param_ie *ie;
+
+@@ -459,13 +470,13 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+
+ wpa_ie = cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
+ WLAN_OUI_TYPE_MICROSOFT_WPA,
+- ies->data, ies->len);
++ ies_data, ies_len);
+ if (wpa_ie) {
+ param->mode_802_11i = 1;
+ param->rsn_found = true;
+ }
+
+- rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len);
++ rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies_data, ies_len);
+ if (rsn_ie) {
+ int rsn_ie_len = sizeof(struct element) + rsn_ie[1];
+ int offset = 8;
+@@ -499,6 +510,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ param->akm_suites[i] = crypto->akm_suites[i] & 0xFF;
+ }
+
++ kfree(ies_data);
+ return (void *)param;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a7b33ff852b99df514351fa0fab377d6bbaf2e80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Feb 2024 13:57:37 +0100
+Subject: wifi: wilc1000: prevent use-after-free on vif when cleaning up all
+ interfaces
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré <alexis.lothore@bootlin.com>
+
+[ Upstream commit cb5942b77c05d54310a0420cac12935e9b6aa21c ]
+
+wilc_netdev_cleanup currently triggers a KASAN warning, which can be
+observed on interface registration error path, or simply by
+removing the module/unbinding device from driver:
+
+echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind
+
+==================================================================
+BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
+Read of size 4 at addr c54d1ce8 by task sh/86
+
+CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
+Hardware name: Atmel SAMA5
+ unwind_backtrace from show_stack+0x18/0x1c
+ show_stack from dump_stack_lvl+0x34/0x58
+ dump_stack_lvl from print_report+0x154/0x500
+ print_report from kasan_report+0xac/0xd8
+ kasan_report from wilc_netdev_cleanup+0x508/0x5cc
+ wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
+ wilc_bus_remove from spi_remove+0x8c/0xac
+ spi_remove from device_release_driver_internal+0x434/0x5f8
+ device_release_driver_internal from unbind_store+0xbc/0x108
+ unbind_store from kernfs_fop_write_iter+0x398/0x584
+ kernfs_fop_write_iter from vfs_write+0x728/0xf88
+ vfs_write from ksys_write+0x110/0x1e4
+ ksys_write from ret_fast_syscall+0x0/0x1c
+
+[...]
+
+Allocated by task 1:
+ kasan_save_track+0x30/0x5c
+ __kasan_kmalloc+0x8c/0x94
+ __kmalloc_node+0x1cc/0x3e4
+ kvmalloc_node+0x48/0x180
+ alloc_netdev_mqs+0x68/0x11dc
+ alloc_etherdev_mqs+0x28/0x34
+ wilc_netdev_ifc_init+0x34/0x8ec
+ wilc_cfg80211_init+0x690/0x910
+ wilc_bus_probe+0xe0/0x4a0
+ spi_probe+0x158/0x1b0
+ really_probe+0x270/0xdf4
+ __driver_probe_device+0x1dc/0x580
+ driver_probe_device+0x60/0x140
+ __driver_attach+0x228/0x5d4
+ bus_for_each_dev+0x13c/0x1a8
+ bus_add_driver+0x2a0/0x608
+ driver_register+0x24c/0x578
+ do_one_initcall+0x180/0x310
+ kernel_init_freeable+0x424/0x484
+ kernel_init+0x20/0x148
+ ret_from_fork+0x14/0x28
+
+Freed by task 86:
+ kasan_save_track+0x30/0x5c
+ kasan_save_free_info+0x38/0x58
+ __kasan_slab_free+0xe4/0x140
+ kfree+0xb0/0x238
+ device_release+0xc0/0x2a8
+ kobject_put+0x1d4/0x46c
+ netdev_run_todo+0x8fc/0x11d0
+ wilc_netdev_cleanup+0x1e4/0x5cc
+ wilc_bus_remove+0xc8/0xec
+ spi_remove+0x8c/0xac
+ device_release_driver_internal+0x434/0x5f8
+ unbind_store+0xbc/0x108
+ kernfs_fop_write_iter+0x398/0x584
+ vfs_write+0x728/0xf88
+ ksys_write+0x110/0x1e4
+ ret_fast_syscall+0x0/0x1c
+ [...]
+
+David Mosberger-Tan initial investigation [1] showed that this
+use-after-free is due to netdevice unregistration during vif list
+traversal. When unregistering a net device, since the needs_free_netdev has
+been set to true during registration, the netdevice object is also freed,
+and as a consequence, the corresponding vif object too, since it is
+attached to it as private netdevice data. The next occurrence of the loop
+then tries to access freed vif pointer to the list to move forward in the
+list.
+
+Fix this use-after-free thanks to two mechanisms:
+- navigate in the list with list_for_each_entry_safe, which allows to
+ safely modify the list as we go through each element. For each element,
+ remove it from the list with list_del_rcu
+- make sure to wait for RCU grace period end after each vif removal to make
+ sure it is safe to free the corresponding vif too (through
+ unregister_netdev)
+
+Since we are in a RCU "modifier" path (not a "reader" path), and because
+such path is expected not to be concurrent to any other modifier (we are
+using the vif_mutex lock), we do not need to use RCU list API, that's why
+we can benefit from list_for_each_entry_safe.
+
+[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/
+
+Fixes: 8399918f3056 ("staging: wilc1000: use RCU list to maintain vif interfaces list")
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20240212-wilc_rework_deinit-v1-1-9203ae56c27f@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/microchip/wilc1000/netdev.c | 28 +++++--------------
+ 1 file changed, 7 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c
+index 463f3bfc3064d..ab84b146aa272 100644
+--- a/drivers/net/wireless/microchip/wilc1000/netdev.c
++++ b/drivers/net/wireless/microchip/wilc1000/netdev.c
+@@ -821,8 +821,7 @@ static const struct net_device_ops wilc_netdev_ops = {
+
+ void wilc_netdev_cleanup(struct wilc *wilc)
+ {
+- struct wilc_vif *vif;
+- int srcu_idx, ifc_cnt = 0;
++ struct wilc_vif *vif, *vif_tmp;
+
+ if (!wilc)
+ return;
+@@ -832,32 +831,19 @@ void wilc_netdev_cleanup(struct wilc *wilc)
+ wilc->firmware = NULL;
+ }
+
+- srcu_idx = srcu_read_lock(&wilc->srcu);
+- list_for_each_entry_rcu(vif, &wilc->vif_list, list) {
++ list_for_each_entry_safe(vif, vif_tmp, &wilc->vif_list, list) {
++ mutex_lock(&wilc->vif_mutex);
++ list_del_rcu(&vif->list);
++ wilc->vif_num--;
++ mutex_unlock(&wilc->vif_mutex);
++ synchronize_srcu(&wilc->srcu);
+ if (vif->ndev)
+ unregister_netdev(vif->ndev);
+ }
+- srcu_read_unlock(&wilc->srcu, srcu_idx);
+
+ wilc_wfi_deinit_mon_interface(wilc, false);
+ destroy_workqueue(wilc->hif_workqueue);
+
+- while (ifc_cnt < WILC_NUM_CONCURRENT_IFC) {
+- mutex_lock(&wilc->vif_mutex);
+- if (wilc->vif_num <= 0) {
+- mutex_unlock(&wilc->vif_mutex);
+- break;
+- }
+- vif = wilc_get_wl_to_vif(wilc);
+- if (!IS_ERR(vif))
+- list_del_rcu(&vif->list);
+-
+- wilc->vif_num--;
+- mutex_unlock(&wilc->vif_mutex);
+- synchronize_srcu(&wilc->srcu);
+- ifc_cnt++;
+- }
+-
+ wilc_wlan_cfg_deinit(wilc);
+ wlan_deinit_locks(wilc);
+ kfree(wilc->bus_data);
+--
+2.43.0
+
--- /dev/null
+From c1287ba367968983d2aba723795d4878a800de4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Oct 2021 09:09:11 +0200
+Subject: wireless: Remove redundant 'flush_workqueue()' calls
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ff1cc2fa3055ee4c83839f38b74b4ee370a2291c ]
+
+'destroy_workqueue()' already drains the queue before destroying it, so
+there is no need to flush it explicitly.
+
+Remove the redundant 'flush_workqueue()' calls.
+
+This was generated with coccinelle:
+
+@@
+expression E;
+@@
+- flush_workqueue(E);
+ destroy_workqueue(E);
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/0855d51423578ad019c0264dad3fe47a2e8af9c7.1633849511.git.christophe.jaillet@wanadoo.fr
+Stable-dep-of: cb5942b77c05 ("wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/core.c | 3 ---
+ drivers/net/wireless/ath/ath10k/sdio.c | 1 -
+ drivers/net/wireless/intel/iwlegacy/3945-mac.c | 1 -
+ drivers/net/wireless/intel/iwlegacy/4965-mac.c | 1 -
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 1 -
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 --
+ drivers/net/wireless/marvell/mwifiex/main.c | 2 --
+ drivers/net/wireless/microchip/wilc1000/netdev.c | 1 -
+ drivers/net/wireless/quantenna/qtnfmac/core.c | 2 --
+ drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c | 2 --
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 1 -
+ drivers/net/wireless/rndis_wlan.c | 2 --
+ drivers/net/wireless/st/cw1200/bh.c | 2 --
+ 13 files changed, 21 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
+index d0967bb1f3871..57ac80997319b 100644
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -3381,13 +3381,10 @@ EXPORT_SYMBOL(ath10k_core_create);
+
+ void ath10k_core_destroy(struct ath10k *ar)
+ {
+- flush_workqueue(ar->workqueue);
+ destroy_workqueue(ar->workqueue);
+
+- flush_workqueue(ar->workqueue_aux);
+ destroy_workqueue(ar->workqueue_aux);
+
+- flush_workqueue(ar->workqueue_tx_complete);
+ destroy_workqueue(ar->workqueue_tx_complete);
+
+ ath10k_debug_destroy(ar);
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index 0fe639710a8bb..9d1b0890f3105 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -2651,7 +2651,6 @@ static void ath10k_sdio_remove(struct sdio_func *func)
+
+ ath10k_core_destroy(ar);
+
+- flush_workqueue(ar_sdio->workqueue);
+ destroy_workqueue(ar_sdio->workqueue);
+ }
+
+diff --git a/drivers/net/wireless/intel/iwlegacy/3945-mac.c b/drivers/net/wireless/intel/iwlegacy/3945-mac.c
+index ef0ac42a55a2a..55c00a07bc4d3 100644
+--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c
+@@ -3831,7 +3831,6 @@ il3945_pci_remove(struct pci_dev *pdev)
+ il3945_unset_hw_params(il);
+
+ /*netif_stop_queue(dev); */
+- flush_workqueue(il->workqueue);
+
+ /* ieee80211_unregister_hw calls il3945_mac_stop, which flushes
+ * il->workqueue... so we can't take down the workqueue
+diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+index 12cf22d0e9949..2549902552e1d 100644
+--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+@@ -6745,7 +6745,6 @@ il4965_pci_remove(struct pci_dev *pdev)
+ il_eeprom_free(il);
+
+ /*netif_stop_queue(dev); */
+- flush_workqueue(il->workqueue);
+
+ /* ieee80211_unregister_hw calls il_mac_stop, which flushes
+ * il->workqueue... so we can't take down the workqueue
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index 461af58311561..6a19fc4c68604 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1526,7 +1526,6 @@ static void iwl_op_mode_dvm_stop(struct iwl_op_mode *op_mode)
+ kfree(priv->nvm_data);
+
+ /*netif_stop_queue(dev); */
+- flush_workqueue(priv->workqueue);
+
+ /* ieee80211_unregister_hw calls iwlagn_mac_stop, which flushes
+ * priv->workqueue... so we can't take down the workqueue
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index 2f5f1ff22a601..e1196c565a62f 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -3155,13 +3155,11 @@ int mwifiex_del_virtual_intf(struct wiphy *wiphy, struct wireless_dev *wdev)
+ unregister_netdevice(wdev->netdev);
+
+ if (priv->dfs_cac_workqueue) {
+- flush_workqueue(priv->dfs_cac_workqueue);
+ destroy_workqueue(priv->dfs_cac_workqueue);
+ priv->dfs_cac_workqueue = NULL;
+ }
+
+ if (priv->dfs_chan_sw_workqueue) {
+- flush_workqueue(priv->dfs_chan_sw_workqueue);
+ destroy_workqueue(priv->dfs_chan_sw_workqueue);
+ priv->dfs_chan_sw_workqueue = NULL;
+ }
+diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c
+index 6283df5aaaf8b..b8b79fe50dbc2 100644
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -498,13 +498,11 @@ static void mwifiex_free_adapter(struct mwifiex_adapter *adapter)
+ static void mwifiex_terminate_workqueue(struct mwifiex_adapter *adapter)
+ {
+ if (adapter->workqueue) {
+- flush_workqueue(adapter->workqueue);
+ destroy_workqueue(adapter->workqueue);
+ adapter->workqueue = NULL;
+ }
+
+ if (adapter->rx_workqueue) {
+- flush_workqueue(adapter->rx_workqueue);
+ destroy_workqueue(adapter->rx_workqueue);
+ adapter->rx_workqueue = NULL;
+ }
+diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c
+index c508f429984ab..463f3bfc3064d 100644
+--- a/drivers/net/wireless/microchip/wilc1000/netdev.c
++++ b/drivers/net/wireless/microchip/wilc1000/netdev.c
+@@ -840,7 +840,6 @@ void wilc_netdev_cleanup(struct wilc *wilc)
+ srcu_read_unlock(&wilc->srcu, srcu_idx);
+
+ wilc_wfi_deinit_mon_interface(wilc, false);
+- flush_workqueue(wilc->hif_workqueue);
+ destroy_workqueue(wilc->hif_workqueue);
+
+ while (ifc_cnt < WILC_NUM_CONCURRENT_IFC) {
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/core.c b/drivers/net/wireless/quantenna/qtnfmac/core.c
+index bf6dbeb618423..d39c210da68e2 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/core.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/core.c
+@@ -816,13 +816,11 @@ void qtnf_core_detach(struct qtnf_bus *bus)
+ bus->fw_state = QTNF_FW_STATE_DETACHED;
+
+ if (bus->workqueue) {
+- flush_workqueue(bus->workqueue);
+ destroy_workqueue(bus->workqueue);
+ bus->workqueue = NULL;
+ }
+
+ if (bus->hprio_workqueue) {
+- flush_workqueue(bus->hprio_workqueue);
+ destroy_workqueue(bus->hprio_workqueue);
+ bus->hprio_workqueue = NULL;
+ }
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c b/drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c
+index 0f328ce47fee3..f65eb6e5b8d59 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c
+@@ -387,7 +387,6 @@ static int qtnf_pcie_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ return 0;
+
+ error:
+- flush_workqueue(pcie_priv->workqueue);
+ destroy_workqueue(pcie_priv->workqueue);
+ pci_set_drvdata(pdev, NULL);
+ return ret;
+@@ -416,7 +415,6 @@ static void qtnf_pcie_remove(struct pci_dev *dev)
+ qtnf_core_detach(bus);
+
+ netif_napi_del(&bus->mux_napi);
+- flush_workqueue(priv->workqueue);
+ destroy_workqueue(priv->workqueue);
+ tasklet_kill(&priv->reclaim_tq);
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 679ae786cf450..6d9f2a6233a21 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -1704,7 +1704,6 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
+ tasklet_kill(&rtlpriv->works.irq_tasklet);
+ cancel_work_sync(&rtlpriv->works.lps_change_work);
+
+- flush_workqueue(rtlpriv->works.rtl_wq);
+ destroy_workqueue(rtlpriv->works.rtl_wq);
+ }
+
+diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
+index dc076d8448680..75c78e1c924b0 100644
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -3497,7 +3497,6 @@ static int rndis_wlan_bind(struct usbnet *usbdev, struct usb_interface *intf)
+ cancel_delayed_work_sync(&priv->dev_poller_work);
+ cancel_delayed_work_sync(&priv->scan_work);
+ cancel_work_sync(&priv->work);
+- flush_workqueue(priv->workqueue);
+ destroy_workqueue(priv->workqueue);
+
+ wiphy_free(wiphy);
+@@ -3514,7 +3513,6 @@ static void rndis_wlan_unbind(struct usbnet *usbdev, struct usb_interface *intf)
+ cancel_delayed_work_sync(&priv->dev_poller_work);
+ cancel_delayed_work_sync(&priv->scan_work);
+ cancel_work_sync(&priv->work);
+- flush_workqueue(priv->workqueue);
+ destroy_workqueue(priv->workqueue);
+
+ rndis_unbind(usbdev, intf);
+diff --git a/drivers/net/wireless/st/cw1200/bh.c b/drivers/net/wireless/st/cw1200/bh.c
+index 02efe8483cba6..361fef6e1eeaa 100644
+--- a/drivers/net/wireless/st/cw1200/bh.c
++++ b/drivers/net/wireless/st/cw1200/bh.c
+@@ -88,8 +88,6 @@ void cw1200_unregister_bh(struct cw1200_common *priv)
+ atomic_add(1, &priv->bh_term);
+ wake_up(&priv->bh_wq);
+
+- flush_workqueue(priv->bh_workqueue);
+-
+ destroy_workqueue(priv->bh_workqueue);
+ priv->bh_workqueue = NULL;
+
+--
+2.43.0
+
--- /dev/null
+From 271f8fc9fab6b1e8ce89e98fcd4bc495d1c17efb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Feb 2024 09:51:12 -0800
+Subject: x86, relocs: Ignore relocations in .notes section
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit aaa8736370db1a78f0e8434344a484f9fd20be3b ]
+
+When building with CONFIG_XEN_PV=y, .text symbols are emitted into
+the .notes section so that Xen can find the "startup_xen" entry point.
+This information is used prior to booting the kernel, so relocations
+are not useful. In fact, performing relocations against the .notes
+section means that the KASLR base is exposed since /sys/kernel/notes
+is world-readable.
+
+To avoid leaking the KASLR base without breaking unprivileged tools that
+are expecting to read /sys/kernel/notes, skip performing relocations in
+the .notes section. The values readable in .notes are then identical to
+those found in System.map.
+
+Reported-by: Guixiong Wei <guixiongwei@gmail.com>
+Closes: https://lore.kernel.org/all/20240218073501.54555-1-guixiongwei@gmail.com/
+Fixes: 5ead97c84fa7 ("xen: Core Xen implementation")
+Fixes: da1a679cde9b ("Add /sys/kernel/notes")
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/tools/relocs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
+index 1c3a1962cade6..0043fd374a62f 100644
+--- a/arch/x86/tools/relocs.c
++++ b/arch/x86/tools/relocs.c
+@@ -596,6 +596,14 @@ static void print_absolute_relocs(void)
+ if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) {
+ continue;
+ }
++ /*
++ * Do not perform relocations in .notes section; any
++ * values there are meant for pre-boot consumption (e.g.
++ * startup_xen).
++ */
++ if (sec_applies->shdr.sh_type == SHT_NOTE) {
++ continue;
++ }
+ sh_symtab = sec_symtab->symtab;
+ sym_strtab = sec_symtab->link->strtab;
+ for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) {
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
