--- /dev/null
+From 087442f17f403f0a2af0559a0b6142849066dcf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 13:32:52 -0600
+Subject: accel/qaic: Fix the for loop used to walk SG table
+
+From: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
+
+[ Upstream commit c5e8e93897b7bb0a336bf3332f82f8d9f2b33f14 ]
+
+Only for_each_sgtable_dma_sg() should be used to walk through a SG table
+to grab correct bus address and length pair after calling DMA MAP API on
+a SG table as DMA MAP APIs updates the SG table and for_each_sgtable_sg()
+walks through the original SG table.
+
+Fixes: ff13be830333 ("accel/qaic: Add datapath")
+Fixes: 129776ac2e38 ("accel/qaic: Add control path")
+Signed-off-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Reviewed-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241004193252.3888544-1-quic_jhugo@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/accel/qaic/qaic_control.c | 2 +-
+ drivers/accel/qaic/qaic_data.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c
+index 388abd40024ba..f3db3fa91dd52 100644
+--- a/drivers/accel/qaic/qaic_control.c
++++ b/drivers/accel/qaic/qaic_control.c
+@@ -496,7 +496,7 @@ static int encode_addr_size_pairs(struct dma_xfer *xfer, struct wrapper_list *wr
+ nents = sgt->nents;
+ nents_dma = nents;
+ *size = QAIC_MANAGE_EXT_MSG_LENGTH - msg_hdr_len - sizeof(**out_trans);
+- for_each_sgtable_sg(sgt, sg, i) {
++ for_each_sgtable_dma_sg(sgt, sg, i) {
+ *size -= sizeof(*asp);
+ /* Save 1K for possible follow-up transactions. */
+ if (*size < SZ_1K) {
+diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
+index ed1a5af434f24..d2f8c70a77a5b 100644
+--- a/drivers/accel/qaic/qaic_data.c
++++ b/drivers/accel/qaic/qaic_data.c
+@@ -177,7 +177,7 @@ static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_tabl
+ nents = 0;
+
+ size = size ? size : PAGE_SIZE;
+- for (sg = sgt_in->sgl; sg; sg = sg_next(sg)) {
++ for_each_sgtable_dma_sg(sgt_in, sg, j) {
+ len = sg_dma_len(sg);
+
+ if (!len)
+@@ -214,7 +214,7 @@ static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_tabl
+
+ /* copy relevant sg node and fix page and length */
+ sgn = sgf;
+- for_each_sgtable_sg(sgt, sg, j) {
++ for_each_sgtable_dma_sg(sgt, sg, j) {
+ memcpy(sg, sgn, sizeof(*sg));
+ if (sgn == sgf) {
+ sg_dma_address(sg) += offf;
+@@ -294,7 +294,7 @@ static int encode_reqs(struct qaic_device *qdev, struct bo_slice *slice,
+ * fence.
+ */
+ dev_addr = req->dev_addr;
+- for_each_sgtable_sg(slice->sgt, sg, i) {
++ for_each_sgtable_dma_sg(slice->sgt, sg, i) {
+ slice->reqs[i].cmd = cmd;
+ slice->reqs[i].src_addr = cpu_to_le64(slice->dir == DMA_TO_DEVICE ?
+ sg_dma_address(sg) : dev_addr);
+--
+2.43.0
+
--- /dev/null
+From 050629f4187d49348f235d80f774f7825beca95f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 01:16:45 +0300
+Subject: ALSA: hda/cs8409: Fix possible NULL dereference
+
+From: Murad Masimov <m.masimov@maxima.ru>
+
+[ Upstream commit c9bd4a82b4ed32c6d1c90500a52063e6e341517f ]
+
+If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then
+NULL pointer dereference will occur in the next line.
+
+Since dolphin_fixups function is a hda_fixup function which is not supposed
+to return any errors, add simple check before dereference, ignore the fail.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 20e507724113 ("ALSA: hda/cs8409: Add support for dolphin")
+Signed-off-by: Murad Masimov <m.masimov@maxima.ru>
+Link: https://patch.msgid.link/20241010221649.1305-1-m.masimov@maxima.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_cs8409.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_cs8409.c b/sound/pci/hda/patch_cs8409.c
+index e41316e2e9833..892223d9e64ab 100644
+--- a/sound/pci/hda/patch_cs8409.c
++++ b/sound/pci/hda/patch_cs8409.c
+@@ -1411,8 +1411,9 @@ void dolphin_fixups(struct hda_codec *codec, const struct hda_fixup *fix, int ac
+ kctrl = snd_hda_gen_add_kctl(&spec->gen, "Line Out Playback Volume",
+ &cs42l42_dac_volume_mixer);
+ /* Update Line Out kcontrol template */
+- kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1,
+- HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE;
++ if (kctrl)
++ kctrl->private_value = HDA_COMPOSE_AMP_VAL_OFS(DOLPHIN_HP_PIN_NID, 3, CS8409_CODEC1,
++ HDA_OUTPUT, CS42L42_VOL_DAC) | HDA_AMP_VAL_MIN_MUTE;
+ cs8409_enable_ur(codec, 0);
+ snd_hda_codec_set_name(codec, "CS8409/CS42L42");
+ break;
+--
+2.43.0
+
--- /dev/null
+From cd0d3111802015d87e22970c4196f90e0cd1f5d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 02:03:11 +0300
+Subject: ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin
+
+From: Florian Klink <flokli@flokli.de>
+
+[ Upstream commit dc7785e4723510616d776862ddb4c08857a1bdb2 ]
+
+HDMI_HPD_N_1V8 is connected to GPIO pin 0, not 1.
+
+This fixes HDMI hotplug/output detection.
+
+See https://datasheets.raspberrypi.com/cm/cm3-schematics.pdf
+
+Signed-off-by: Florian Klink <flokli@flokli.de>
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/20240715230311.685641-1-flokli@flokli.de
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Fixes: a54fe8a6cf66 ("ARM: dts: add Raspberry Pi Compute Module 3 and IO board")
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts b/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts
+index 72d26d130efaa..85f54fa595aa8 100644
+--- a/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts
++++ b/arch/arm/boot/dts/broadcom/bcm2837-rpi-cm3-io3.dts
+@@ -77,7 +77,7 @@
+ };
+
+ &hdmi {
+- hpd-gpios = <&expgpio 1 GPIO_ACTIVE_LOW>;
++ hpd-gpios = <&expgpio 0 GPIO_ACTIVE_LOW>;
+ power-domains = <&power RPI_POWER_DOMAIN_HDMI>;
+ status = "okay";
+ };
+--
+2.43.0
+
--- /dev/null
+From 0fc8b8e9934cc29aabaa70020e3ed1f8a189c0b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 17:07:08 +0800
+Subject: Bluetooth: bnep: fix wild-memory-access in proto_unregister
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit 64a90991ba8d4e32e3173ddd83d0b24167a5668c ]
+
+There's issue as follows:
+ KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]
+ CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W
+ RIP: 0010:proto_unregister+0xee/0x400
+ Call Trace:
+ <TASK>
+ __do_sys_delete_module+0x318/0x580
+ do_syscall_64+0xc1/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init()
+will cleanup all resource. Then when remove bnep module will call
+bnep_sock_cleanup() to cleanup sock's resource.
+To solve above issue just return bnep_sock_init()'s return value in
+bnep_exit().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/bnep/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
+index a660c428e2207..38f542665f196 100644
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -745,8 +745,7 @@ static int __init bnep_init(void)
+ if (flt[0])
+ BT_INFO("BNEP filters: %s", flt);
+
+- bnep_sock_init();
+- return 0;
++ return bnep_sock_init();
+ }
+
+ static void __exit bnep_exit(void)
+--
+2.43.0
+
--- /dev/null
+From e694863fd2d7f73184cf3a52891b3b0ae0d29512 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 12:04:58 +0100
+Subject: bpf: Add cookie to perf_event bpf_link_info records
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit d5c16492c66fbfca85f36e42363d32212df5927b ]
+
+At the moment we don't store cookie for perf_event probes,
+while we do that for the rest of the probes.
+
+Adding cookie fields to struct bpf_link_info perf event
+probe records:
+
+ perf_event.uprobe
+ perf_event.kprobe
+ perf_event.tracepoint
+ perf_event.perf_event
+
+And the code to store that in bpf_link_info struct.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Song Liu <song@kernel.org>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/r/20240119110505.400573-2-jolsa@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 4deecdd29cf2 ("bpf: fix unpopulated name_len field in perf_event link info")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h | 6 ++++++
+ kernel/bpf/syscall.c | 4 ++++
+ tools/include/uapi/linux/bpf.h | 6 ++++++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 6ea588d1ae149..431bc700bcfb9 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -6556,6 +6556,7 @@ struct bpf_link_info {
+ __aligned_u64 file_name; /* in/out */
+ __u32 name_len;
+ __u32 offset; /* offset from file_name */
++ __u64 cookie;
+ } uprobe; /* BPF_PERF_EVENT_UPROBE, BPF_PERF_EVENT_URETPROBE */
+ struct {
+ __aligned_u64 func_name; /* in/out */
+@@ -6563,14 +6564,19 @@ struct bpf_link_info {
+ __u32 offset; /* offset from func_name */
+ __u64 addr;
+ __u64 missed;
++ __u64 cookie;
+ } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */
+ struct {
+ __aligned_u64 tp_name; /* in/out */
+ __u32 name_len;
++ __u32 :32;
++ __u64 cookie;
+ } tracepoint; /* BPF_PERF_EVENT_TRACEPOINT */
+ struct {
+ __u64 config;
+ __u32 type;
++ __u32 :32;
++ __u64 cookie;
+ } event; /* BPF_PERF_EVENT_EVENT */
+ };
+ } perf_event;
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 9c76f21f187f6..1d04d098f57db 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3500,6 +3500,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+ if (!kallsyms_show_value(current_cred()))
+ addr = 0;
+ info->perf_event.kprobe.addr = addr;
++ info->perf_event.kprobe.cookie = event->bpf_cookie;
+ return 0;
+ }
+ #endif
+@@ -3525,6 +3526,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event,
+ else
+ info->perf_event.type = BPF_PERF_EVENT_UPROBE;
+ info->perf_event.uprobe.offset = offset;
++ info->perf_event.uprobe.cookie = event->bpf_cookie;
+ return 0;
+ }
+ #endif
+@@ -3552,6 +3554,7 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event,
+ uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name);
+ ulen = info->perf_event.tracepoint.name_len;
+ info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT;
++ info->perf_event.tracepoint.cookie = event->bpf_cookie;
+ return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL);
+ }
+
+@@ -3560,6 +3563,7 @@ static int bpf_perf_link_fill_perf_event(const struct perf_event *event,
+ {
+ info->perf_event.event.type = event->attr.type;
+ info->perf_event.event.config = event->attr.config;
++ info->perf_event.event.cookie = event->bpf_cookie;
+ info->perf_event.type = BPF_PERF_EVENT_EVENT;
+ return 0;
+ }
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index acda713f8b4d1..977ec094bc2a6 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -6559,6 +6559,7 @@ struct bpf_link_info {
+ __aligned_u64 file_name; /* in/out */
+ __u32 name_len;
+ __u32 offset; /* offset from file_name */
++ __u64 cookie;
+ } uprobe; /* BPF_PERF_EVENT_UPROBE, BPF_PERF_EVENT_URETPROBE */
+ struct {
+ __aligned_u64 func_name; /* in/out */
+@@ -6566,14 +6567,19 @@ struct bpf_link_info {
+ __u32 offset; /* offset from func_name */
+ __u64 addr;
+ __u64 missed;
++ __u64 cookie;
+ } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */
+ struct {
+ __aligned_u64 tp_name; /* in/out */
+ __u32 name_len;
++ __u32 :32;
++ __u64 cookie;
+ } tracepoint; /* BPF_PERF_EVENT_TRACEPOINT */
+ struct {
+ __u64 config;
+ __u32 type;
++ __u32 :32;
++ __u64 cookie;
+ } event; /* BPF_PERF_EVENT_EVENT */
+ };
+ } perf_event;
+--
+2.43.0
+
--- /dev/null
+From a60c16cdffe27ae93b2e484fcf0744346dd59736 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Sep 2023 23:31:39 +0200
+Subject: bpf: Add missed value to kprobe perf link info
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 3acf8ace68230e9558cf916847f1cc9f208abdf1 ]
+
+Add missed value to kprobe attached through perf link info to
+hold the stats of missed kprobe handler execution.
+
+The kprobe's missed counter gets incremented when kprobe handler
+is not executed due to another kprobe running on the same cpu.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20230920213145.1941596-4-jolsa@kernel.org
+Stable-dep-of: 4deecdd29cf2 ("bpf: fix unpopulated name_len field in perf_event link info")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/trace_events.h | 6 ++++--
+ include/uapi/linux/bpf.h | 1 +
+ kernel/bpf/syscall.c | 14 ++++++++------
+ kernel/trace/bpf_trace.c | 5 +++--
+ kernel/trace/trace_kprobe.c | 14 +++++++++++---
+ tools/include/uapi/linux/bpf.h | 1 +
+ 6 files changed, 28 insertions(+), 13 deletions(-)
+
+diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h
+index cb8bd759e8005..9d799777c333c 100644
+--- a/include/linux/trace_events.h
++++ b/include/linux/trace_events.h
+@@ -765,7 +765,8 @@ struct bpf_raw_event_map *bpf_get_raw_tracepoint(const char *name);
+ void bpf_put_raw_tracepoint(struct bpf_raw_event_map *btp);
+ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id,
+ u32 *fd_type, const char **buf,
+- u64 *probe_offset, u64 *probe_addr);
++ u64 *probe_offset, u64 *probe_addr,
++ unsigned long *missed);
+ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *prog);
+ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *prog);
+ #else
+@@ -805,7 +806,7 @@ static inline void bpf_put_raw_tracepoint(struct bpf_raw_event_map *btp)
+ static inline int bpf_get_perf_event_info(const struct perf_event *event,
+ u32 *prog_id, u32 *fd_type,
+ const char **buf, u64 *probe_offset,
+- u64 *probe_addr)
++ u64 *probe_addr, unsigned long *missed)
+ {
+ return -EOPNOTSUPP;
+ }
+@@ -880,6 +881,7 @@ extern void perf_kprobe_destroy(struct perf_event *event);
+ extern int bpf_get_kprobe_info(const struct perf_event *event,
+ u32 *fd_type, const char **symbol,
+ u64 *probe_offset, u64 *probe_addr,
++ unsigned long *missed,
+ bool perf_type_tracepoint);
+ #endif
+ #ifdef CONFIG_UPROBE_EVENTS
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 4bb38409b26ad..6ea588d1ae149 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -6562,6 +6562,7 @@ struct bpf_link_info {
+ __u32 name_len;
+ __u32 offset; /* offset from func_name */
+ __u64 addr;
++ __u64 missed;
+ } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */
+ struct {
+ __aligned_u64 tp_name; /* in/out */
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index b1933d074f051..9c76f21f187f6 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3444,7 +3444,7 @@ static void bpf_perf_link_dealloc(struct bpf_link *link)
+ static int bpf_perf_link_fill_common(const struct perf_event *event,
+ char __user *uname, u32 ulen,
+ u64 *probe_offset, u64 *probe_addr,
+- u32 *fd_type)
++ u32 *fd_type, unsigned long *missed)
+ {
+ const char *buf;
+ u32 prog_id;
+@@ -3455,7 +3455,7 @@ static int bpf_perf_link_fill_common(const struct perf_event *event,
+ return -EINVAL;
+
+ err = bpf_get_perf_event_info(event, &prog_id, fd_type, &buf,
+- probe_offset, probe_addr);
++ probe_offset, probe_addr, missed);
+ if (err)
+ return err;
+ if (!uname)
+@@ -3478,6 +3478,7 @@ static int bpf_perf_link_fill_common(const struct perf_event *event,
+ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+ struct bpf_link_info *info)
+ {
++ unsigned long missed;
+ char __user *uname;
+ u64 addr, offset;
+ u32 ulen, type;
+@@ -3486,7 +3487,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+ uname = u64_to_user_ptr(info->perf_event.kprobe.func_name);
+ ulen = info->perf_event.kprobe.name_len;
+ err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr,
+- &type);
++ &type, &missed);
+ if (err)
+ return err;
+ if (type == BPF_FD_TYPE_KRETPROBE)
+@@ -3495,6 +3496,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+ info->perf_event.type = BPF_PERF_EVENT_KPROBE;
+
+ info->perf_event.kprobe.offset = offset;
++ info->perf_event.kprobe.missed = missed;
+ if (!kallsyms_show_value(current_cred()))
+ addr = 0;
+ info->perf_event.kprobe.addr = addr;
+@@ -3514,7 +3516,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event,
+ uname = u64_to_user_ptr(info->perf_event.uprobe.file_name);
+ ulen = info->perf_event.uprobe.name_len;
+ err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr,
+- &type);
++ &type, NULL);
+ if (err)
+ return err;
+
+@@ -3550,7 +3552,7 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event,
+ uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name);
+ ulen = info->perf_event.tracepoint.name_len;
+ info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT;
+- return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL);
++ return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL);
+ }
+
+ static int bpf_perf_link_fill_perf_event(const struct perf_event *event,
+@@ -4897,7 +4899,7 @@ static int bpf_task_fd_query(const union bpf_attr *attr,
+
+ err = bpf_get_perf_event_info(event, &prog_id, &fd_type,
+ &buf, &probe_offset,
+- &probe_addr);
++ &probe_addr, NULL);
+ if (!err)
+ err = bpf_task_fd_query_copy(attr, uattr, prog_id,
+ fd_type, buf,
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index eca858bde8047..bbdc4199748bd 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -2389,7 +2389,8 @@ int bpf_probe_unregister(struct bpf_raw_event_map *btp, struct bpf_prog *prog)
+
+ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id,
+ u32 *fd_type, const char **buf,
+- u64 *probe_offset, u64 *probe_addr)
++ u64 *probe_offset, u64 *probe_addr,
++ unsigned long *missed)
+ {
+ bool is_tracepoint, is_syscall_tp;
+ struct bpf_prog *prog;
+@@ -2424,7 +2425,7 @@ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id,
+ #ifdef CONFIG_KPROBE_EVENTS
+ if (flags & TRACE_EVENT_FL_KPROBE)
+ err = bpf_get_kprobe_info(event, fd_type, buf,
+- probe_offset, probe_addr,
++ probe_offset, probe_addr, missed,
+ event->attr.type == PERF_TYPE_TRACEPOINT);
+ #endif
+ #ifdef CONFIG_UPROBE_EVENTS
+diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
+index 47812aa16bb57..52f8b537dd0a0 100644
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -1249,6 +1249,12 @@ static const struct file_operations kprobe_events_ops = {
+ .write = probes_write,
+ };
+
++static unsigned long trace_kprobe_missed(struct trace_kprobe *tk)
++{
++ return trace_kprobe_is_return(tk) ?
++ tk->rp.kp.nmissed + tk->rp.nmissed : tk->rp.kp.nmissed;
++}
++
+ /* Probes profiling interfaces */
+ static int probes_profile_seq_show(struct seq_file *m, void *v)
+ {
+@@ -1260,8 +1266,7 @@ static int probes_profile_seq_show(struct seq_file *m, void *v)
+ return 0;
+
+ tk = to_trace_kprobe(ev);
+- nmissed = trace_kprobe_is_return(tk) ?
+- tk->rp.kp.nmissed + tk->rp.nmissed : tk->rp.kp.nmissed;
++ nmissed = trace_kprobe_missed(tk);
+ seq_printf(m, " %-44s %15lu %15lu\n",
+ trace_probe_name(&tk->tp),
+ trace_kprobe_nhit(tk),
+@@ -1607,7 +1612,8 @@ NOKPROBE_SYMBOL(kretprobe_perf_func);
+
+ int bpf_get_kprobe_info(const struct perf_event *event, u32 *fd_type,
+ const char **symbol, u64 *probe_offset,
+- u64 *probe_addr, bool perf_type_tracepoint)
++ u64 *probe_addr, unsigned long *missed,
++ bool perf_type_tracepoint)
+ {
+ const char *pevent = trace_event_name(event->tp_event);
+ const char *group = event->tp_event->class->system;
+@@ -1626,6 +1632,8 @@ int bpf_get_kprobe_info(const struct perf_event *event, u32 *fd_type,
+ *probe_addr = kallsyms_show_value(current_cred()) ?
+ (unsigned long)tk->rp.kp.addr : 0;
+ *symbol = tk->symbol;
++ if (missed)
++ *missed = trace_kprobe_missed(tk);
+ return 0;
+ }
+ #endif /* CONFIG_PERF_EVENTS */
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index ba6e346c8d669..acda713f8b4d1 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -6565,6 +6565,7 @@ struct bpf_link_info {
+ __u32 name_len;
+ __u32 offset; /* offset from func_name */
+ __u64 addr;
++ __u64 missed;
+ } kprobe; /* BPF_PERF_EVENT_KPROBE, BPF_PERF_EVENT_KRETPROBE */
+ struct {
+ __aligned_u64 tp_name; /* in/out */
+--
+2.43.0
+
--- /dev/null
+From 8de3f8ae6f79fed297e22563dd0efd14a8f6f713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 10:41:18 +0200
+Subject: bpf: devmap: provide rxq after redirect
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Florian Kauer <florian.kauer@linutronix.de>
+
+[ Upstream commit ca9984c5f0ab3690d98b13937b2485a978c8dd73 ]
+
+rxq contains a pointer to the device from where
+the redirect happened. Currently, the BPF program
+that was executed after a redirect via BPF_MAP_TYPE_DEVMAP*
+does not have it set.
+
+This is particularly bad since accessing ingress_ifindex, e.g.
+
+SEC("xdp")
+int prog(struct xdp_md *pkt)
+{
+ return bpf_redirect_map(&dev_redirect_map, 0, 0);
+}
+
+SEC("xdp/devmap")
+int prog_after_redirect(struct xdp_md *pkt)
+{
+ bpf_printk("ifindex %i", pkt->ingress_ifindex);
+ return XDP_PASS;
+}
+
+depends on access to rxq, so a NULL pointer gets dereferenced:
+
+<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000
+<1>[ 574.475188] #PF: supervisor read access in kernel mode
+<1>[ 574.475194] #PF: error_code(0x0000) - not-present page
+<6>[ 574.475199] PGD 0 P4D 0
+<4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
+<4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23
+<4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023
+<4>[ 574.475231] Workqueue: mld mld_ifc_work
+<4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
+<4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b
+<4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206
+<4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000
+<4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0
+<4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001
+<4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000
+<4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000
+<4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000
+<4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0
+<4>[ 574.475303] PKRU: 55555554
+<4>[ 574.475306] Call Trace:
+<4>[ 574.475313] <IRQ>
+<4>[ 574.475318] ? __die+0x23/0x70
+<4>[ 574.475329] ? page_fault_oops+0x180/0x4c0
+<4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490
+<4>[ 574.475346] ? kmem_cache_free+0x257/0x280
+<4>[ 574.475357] ? exc_page_fault+0x67/0x150
+<4>[ 574.475368] ? asm_exc_page_fault+0x26/0x30
+<4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
+<4>[ 574.475386] bq_xmit_all+0x158/0x420
+<4>[ 574.475397] __dev_flush+0x30/0x90
+<4>[ 574.475407] veth_poll+0x216/0x250 [veth]
+<4>[ 574.475421] __napi_poll+0x28/0x1c0
+<4>[ 574.475430] net_rx_action+0x32d/0x3a0
+<4>[ 574.475441] handle_softirqs+0xcb/0x2c0
+<4>[ 574.475451] do_softirq+0x40/0x60
+<4>[ 574.475458] </IRQ>
+<4>[ 574.475461] <TASK>
+<4>[ 574.475464] __local_bh_enable_ip+0x66/0x70
+<4>[ 574.475471] __dev_queue_xmit+0x268/0xe40
+<4>[ 574.475480] ? selinux_ip_postroute+0x213/0x420
+<4>[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0
+<4>[ 574.475502] ip6_finish_output2+0x2be/0x640
+<4>[ 574.475512] ? nf_hook_slow+0x42/0xf0
+<4>[ 574.475521] ip6_finish_output+0x194/0x300
+<4>[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10
+<4>[ 574.475538] mld_sendpack+0x17c/0x240
+<4>[ 574.475548] mld_ifc_work+0x192/0x410
+<4>[ 574.475557] process_one_work+0x15d/0x380
+<4>[ 574.475566] worker_thread+0x29d/0x3a0
+<4>[ 574.475573] ? __pfx_worker_thread+0x10/0x10
+<4>[ 574.475580] ? __pfx_worker_thread+0x10/0x10
+<4>[ 574.475587] kthread+0xcd/0x100
+<4>[ 574.475597] ? __pfx_kthread+0x10/0x10
+<4>[ 574.475606] ret_from_fork+0x31/0x50
+<4>[ 574.475615] ? __pfx_kthread+0x10/0x10
+<4>[ 574.475623] ret_from_fork_asm+0x1a/0x30
+<4>[ 574.475635] </TASK>
+<4>[ 574.475637] Modules linked in: veth br_netfilter bridge stp llc iwlmvm x86_pkg_temp_thermal iwlwifi efivarfs nvme nvme_core
+<4>[ 574.475662] CR2: 0000000000000000
+<4>[ 574.475668] ---[ end trace 0000000000000000 ]---
+
+Therefore, provide it to the program by setting rxq properly.
+
+Fixes: cb261b594b41 ("bpf: Run devmap xdp_prog on flush instead of bulk enqueue")
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Florian Kauer <florian.kauer@linutronix.de>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20240911-devel-koalo-fix-ingress-ifindex-v4-1-5c643ae10258@linutronix.de
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/devmap.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index 69e78dc4bb18e..96b0345f76c2c 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -322,9 +322,11 @@ static int dev_map_hash_get_next_key(struct bpf_map *map, void *key,
+
+ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog,
+ struct xdp_frame **frames, int n,
+- struct net_device *dev)
++ struct net_device *tx_dev,
++ struct net_device *rx_dev)
+ {
+- struct xdp_txq_info txq = { .dev = dev };
++ struct xdp_txq_info txq = { .dev = tx_dev };
++ struct xdp_rxq_info rxq = { .dev = rx_dev };
+ struct xdp_buff xdp;
+ int i, nframes = 0;
+
+@@ -335,6 +337,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog,
+
+ xdp_convert_frame_to_buff(xdpf, &xdp);
+ xdp.txq = &txq;
++ xdp.rxq = &rxq;
+
+ act = bpf_prog_run_xdp(xdp_prog, &xdp);
+ switch (act) {
+@@ -349,7 +352,7 @@ static int dev_map_bpf_prog_run(struct bpf_prog *xdp_prog,
+ bpf_warn_invalid_xdp_action(NULL, xdp_prog, act);
+ fallthrough;
+ case XDP_ABORTED:
+- trace_xdp_exception(dev, xdp_prog, act);
++ trace_xdp_exception(tx_dev, xdp_prog, act);
+ fallthrough;
+ case XDP_DROP:
+ xdp_return_frame_rx_napi(xdpf);
+@@ -377,7 +380,7 @@ static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags)
+ }
+
+ if (bq->xdp_prog) {
+- to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev);
++ to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q, cnt, dev, bq->dev_rx);
+ if (!to_send)
+ goto out;
+ }
+--
+2.43.0
+
--- /dev/null
+From 12eb8ce4056e3f8939ce627d0f948877d8ef346e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 14:00:47 -0700
+Subject: bpf: Fix iter/task tid filtering
+
+From: Jordan Rome <linux@jordanrome.com>
+
+[ Upstream commit 9495a5b731fcaf580448a3438d63601c88367661 ]
+
+In userspace, you can add a tid filter by setting
+the "task.tid" field for "bpf_iter_link_info".
+However, `get_pid_task` when called for the
+`BPF_TASK_ITER_TID` type should have been using
+`PIDTYPE_PID` (tid) instead of `PIDTYPE_TGID` (pid).
+
+Fixes: f0d74c4da1f0 ("bpf: Parameterize task iterators.")
+Signed-off-by: Jordan Rome <linux@jordanrome.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20241016210048.1213935-1-linux@jordanrome.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/task_iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c
+index c4ab9d6cdbe9c..f7ef58090c7d0 100644
+--- a/kernel/bpf/task_iter.c
++++ b/kernel/bpf/task_iter.c
+@@ -119,7 +119,7 @@ static struct task_struct *task_seq_get_next(struct bpf_iter_seq_task_common *co
+ rcu_read_lock();
+ pid = find_pid_ns(common->pid, common->ns);
+ if (pid) {
+- task = get_pid_task(pid, PIDTYPE_TGID);
++ task = get_pid_task(pid, PIDTYPE_PID);
+ *tid = common->pid;
+ }
+ rcu_read_unlock();
+--
+2.43.0
+
--- /dev/null
+From 95792cd4e5b7702acba24370c124fe9dd8218e33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 15:27:07 +0200
+Subject: bpf: fix kfunc btf caching for modules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 6cb86a0fdece87e126323ec1bb19deb16a52aedf ]
+
+The verifier contains a cache for looking up module BTF objects when
+calling kfuncs defined in modules. This cache uses a 'struct
+bpf_kfunc_btf_tab', which contains a sorted list of BTF objects that
+were already seen in the current verifier run, and the BTF objects are
+looked up by the offset stored in the relocated call instruction using
+bsearch().
+
+The first time a given offset is seen, the module BTF is loaded from the
+file descriptor passed in by libbpf, and stored into the cache. However,
+there's a bug in the code storing the new entry: it stores a pointer to
+the new cache entry, then calls sort() to keep the cache sorted for the
+next lookup using bsearch(), and then returns the entry that was just
+stored through the stored pointer. However, because sort() modifies the
+list of entries in place *by value*, the stored pointer may no longer
+point to the right entry, in which case the wrong BTF object will be
+returned.
+
+The end result of this is an intermittent bug where, if a BPF program
+calls two functions with the same signature in two different modules,
+the function from the wrong module may sometimes end up being called.
+Whether this happens depends on the order of the calls in the BPF
+program (as that affects whether sort() reorders the array of BTF
+objects), making it especially hard to track down. Simon, credited as
+reporter below, spent significant effort analysing and creating a
+reproducer for this issue. The reproducer is added as a selftest in a
+subsequent patch.
+
+The fix is straight forward: simply don't use the stored pointer after
+calling sort(). Since we already have an on-stack pointer to the BTF
+object itself at the point where the function return, just use that, and
+populate it from the cache entry in the branch where the lookup
+succeeds.
+
+Fixes: 2357672c54c3 ("bpf: Introduce BPF support for kernel module function calls")
+Reported-by: Simon Sundberg <simon.sundberg@kau.se>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20241010-fix-kfunc-btf-caching-for-modules-v2-1-745af6c1af98@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 3032a464d31bb..d1050479cbb33 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2799,10 +2799,16 @@ static struct btf *__find_kfunc_desc_btf(struct bpf_verifier_env *env,
+ b->module = mod;
+ b->offset = offset;
+
++ /* sort() reorders entries by value, so b may no longer point
++ * to the right entry after this
++ */
+ sort(tab->descs, tab->nr_descs, sizeof(tab->descs[0]),
+ kfunc_btf_cmp_by_off, NULL);
++ } else {
++ btf = b->btf;
+ }
+- return b->btf;
++
++ return btf;
+ }
+
+ void bpf_free_kfunc_btf_tab(struct bpf_kfunc_btf_tab *tab)
+--
+2.43.0
+
--- /dev/null
+From 420ddcbfd92753965bea2e6072dfb15264583fb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 19:32:51 +0000
+Subject: bpf: Fix link info netfilter flags to populate defrag flag
+
+From: Tyrone Wu <wudevelops@gmail.com>
+
+[ Upstream commit 92f3715e1eba1d41e55be06159dc3d856b18326d ]
+
+This fix correctly populates the `bpf_link_info.netfilter.flags` field
+when user passes the `BPF_F_NETFILTER_IP_DEFRAG` flag.
+
+Fixes: 91721c2d02d3 ("netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link")
+Signed-off-by: Tyrone Wu <wudevelops@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Florian Westphal <fw@strlen.de>
+Cc: Daniel Xu <dxu@dxuuu.xyz>
+Link: https://lore.kernel.org/bpf/20241011193252.178997-1-wudevelops@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index 0e4beae421f83..96015a59db09e 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -150,11 +150,12 @@ static int bpf_nf_link_fill_link_info(const struct bpf_link *link,
+ struct bpf_link_info *info)
+ {
+ struct bpf_nf_link *nf_link = container_of(link, struct bpf_nf_link, link);
++ const struct nf_defrag_hook *hook = nf_link->defrag_hook;
+
+ info->netfilter.pf = nf_link->hook_ops.pf;
+ info->netfilter.hooknum = nf_link->hook_ops.hooknum;
+ info->netfilter.priority = nf_link->hook_ops.priority;
+- info->netfilter.flags = 0;
++ info->netfilter.flags = hook ? BPF_F_NETFILTER_IP_DEFRAG : 0;
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From a05e07699ca84a232fca25d368f864e4f663ba1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 18:09:58 +0200
+Subject: bpf: Fix memory leak in bpf_core_apply
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 45126b155e3b5201179cdc038504bf93a8ccd921 ]
+
+We need to free specs properly.
+
+Fixes: 3d2786d65aaa ("bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/bpf/20241007160958.607434-1-jolsa@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index e0e4d4f490e87..c8828016a66fd 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -8435,6 +8435,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
+ if (!type) {
+ bpf_log(ctx->log, "relo #%u: bad type id %u\n",
+ relo_idx, relo->type_id);
++ kfree(specs);
+ return -EINVAL;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From fc1d5959960aebc4453c53bacea0d87ee3ad9dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 15:11:53 +0300
+Subject: bpf: Fix truncation bug in coerce_reg_to_size_sx()
+
+From: Dimitar Kanaliev <dimitar.kanaliev@siteground.com>
+
+[ Upstream commit ae67b9fb8c4e981e929a665dcaa070f4b05ebdb4 ]
+
+coerce_reg_to_size_sx() updates the register state after a sign-extension
+operation. However, there's a bug in the assignment order of the unsigned
+min/max values, leading to incorrect truncation:
+
+ 0: (85) call bpf_get_prandom_u32#7 ; R0_w=scalar()
+ 1: (57) r0 &= 1 ; R0_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1,var_off=(0x0; 0x1))
+ 2: (07) r0 += 254 ; R0_w=scalar(smin=umin=smin32=umin32=254,smax=umax=smax32=umax32=255,var_off=(0xfe; 0x1))
+ 3: (bf) r0 = (s8)r0 ; R0_w=scalar(smin=smin32=-2,smax=smax32=-1,umin=umin32=0xfffffffe,umax=0xffffffff,var_off=(0xfffffffffffffffe; 0x1))
+
+In the current implementation, the unsigned 32-bit min/max values
+(u32_min_value and u32_max_value) are assigned directly from the 64-bit
+signed min/max values (s64_min and s64_max):
+
+ reg->umin_value = reg->u32_min_value = s64_min;
+ reg->umax_value = reg->u32_max_value = s64_max;
+
+Due to the chain assigmnent, this is equivalent to:
+
+ reg->u32_min_value = s64_min; // Unintended truncation
+ reg->umin_value = reg->u32_min_value;
+ reg->u32_max_value = s64_max; // Unintended truncation
+ reg->umax_value = reg->u32_max_value;
+
+Fixes: 1f9a1ea821ff ("bpf: Support new sign-extension load insns")
+Reported-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Reported-by: Zac Ecob <zacecob@protonmail.com>
+Signed-off-by: Dimitar Kanaliev <dimitar.kanaliev@siteground.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://lore.kernel.org/r/20241014121155.92887-2-dimitar.kanaliev@siteground.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index d1050479cbb33..28b09ca5525f0 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -6143,10 +6143,10 @@ static void coerce_reg_to_size_sx(struct bpf_reg_state *reg, int size)
+
+ /* both of s64_max/s64_min positive or negative */
+ if ((s64_max >= 0) == (s64_min >= 0)) {
+- reg->smin_value = reg->s32_min_value = s64_min;
+- reg->smax_value = reg->s32_max_value = s64_max;
+- reg->umin_value = reg->u32_min_value = s64_min;
+- reg->umax_value = reg->u32_max_value = s64_max;
++ reg->s32_min_value = reg->smin_value = s64_min;
++ reg->s32_max_value = reg->smax_value = s64_max;
++ reg->u32_min_value = reg->umin_value = s64_min;
++ reg->u32_max_value = reg->umax_value = s64_max;
+ reg->var_off = tnum_range(s64_min, s64_max);
+ return;
+ }
+--
+2.43.0
+
--- /dev/null
+From bceed7581c7b402570686be6902f012ffdc90fd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:43:11 +0000
+Subject: bpf: fix unpopulated name_len field in perf_event link info
+
+From: Tyrone Wu <wudevelops@gmail.com>
+
+[ Upstream commit 4deecdd29cf29844c7bd164d72dc38d2e672f64e ]
+
+Previously when retrieving `bpf_link_info.perf_event` for
+kprobe/uprobe/tracepoint, the `name_len` field was not populated by the
+kernel, leaving it to reflect the value initially set by the user. This
+behavior was inconsistent with how other input/output string buffer
+fields function (e.g. `raw_tracepoint.tp_name_len`).
+
+This patch fills `name_len` with the actual size of the string name.
+
+Fixes: 1b715e1b0ec5 ("bpf: Support ->fill_link_info for perf_event")
+Signed-off-by: Tyrone Wu <wudevelops@gmail.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/r/20241008164312.46269-1-wudevelops@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 1d04d098f57db..b43302c80cac5 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3442,15 +3442,16 @@ static void bpf_perf_link_dealloc(struct bpf_link *link)
+ }
+
+ static int bpf_perf_link_fill_common(const struct perf_event *event,
+- char __user *uname, u32 ulen,
++ char __user *uname, u32 *ulenp,
+ u64 *probe_offset, u64 *probe_addr,
+ u32 *fd_type, unsigned long *missed)
+ {
+ const char *buf;
+- u32 prog_id;
++ u32 prog_id, ulen;
+ size_t len;
+ int err;
+
++ ulen = *ulenp;
+ if (!ulen ^ !uname)
+ return -EINVAL;
+
+@@ -3458,10 +3459,17 @@ static int bpf_perf_link_fill_common(const struct perf_event *event,
+ probe_offset, probe_addr, missed);
+ if (err)
+ return err;
++
++ if (buf) {
++ len = strlen(buf);
++ *ulenp = len + 1;
++ } else {
++ *ulenp = 1;
++ }
+ if (!uname)
+ return 0;
++
+ if (buf) {
+- len = strlen(buf);
+ err = bpf_copy_to_user(uname, buf, ulen, len);
+ if (err)
+ return err;
+@@ -3486,7 +3494,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+
+ uname = u64_to_user_ptr(info->perf_event.kprobe.func_name);
+ ulen = info->perf_event.kprobe.name_len;
+- err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr,
++ err = bpf_perf_link_fill_common(event, uname, &ulen, &offset, &addr,
+ &type, &missed);
+ if (err)
+ return err;
+@@ -3494,7 +3502,7 @@ static int bpf_perf_link_fill_kprobe(const struct perf_event *event,
+ info->perf_event.type = BPF_PERF_EVENT_KRETPROBE;
+ else
+ info->perf_event.type = BPF_PERF_EVENT_KPROBE;
+-
++ info->perf_event.kprobe.name_len = ulen;
+ info->perf_event.kprobe.offset = offset;
+ info->perf_event.kprobe.missed = missed;
+ if (!kallsyms_show_value(current_cred()))
+@@ -3516,7 +3524,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event,
+
+ uname = u64_to_user_ptr(info->perf_event.uprobe.file_name);
+ ulen = info->perf_event.uprobe.name_len;
+- err = bpf_perf_link_fill_common(event, uname, ulen, &offset, &addr,
++ err = bpf_perf_link_fill_common(event, uname, &ulen, &offset, &addr,
+ &type, NULL);
+ if (err)
+ return err;
+@@ -3525,6 +3533,7 @@ static int bpf_perf_link_fill_uprobe(const struct perf_event *event,
+ info->perf_event.type = BPF_PERF_EVENT_URETPROBE;
+ else
+ info->perf_event.type = BPF_PERF_EVENT_UPROBE;
++ info->perf_event.uprobe.name_len = ulen;
+ info->perf_event.uprobe.offset = offset;
+ info->perf_event.uprobe.cookie = event->bpf_cookie;
+ return 0;
+@@ -3550,12 +3559,18 @@ static int bpf_perf_link_fill_tracepoint(const struct perf_event *event,
+ {
+ char __user *uname;
+ u32 ulen;
++ int err;
+
+ uname = u64_to_user_ptr(info->perf_event.tracepoint.tp_name);
+ ulen = info->perf_event.tracepoint.name_len;
++ err = bpf_perf_link_fill_common(event, uname, &ulen, NULL, NULL, NULL, NULL);
++ if (err)
++ return err;
++
+ info->perf_event.type = BPF_PERF_EVENT_TRACEPOINT;
++ info->perf_event.tracepoint.name_len = ulen;
+ info->perf_event.tracepoint.cookie = event->bpf_cookie;
+- return bpf_perf_link_fill_common(event, uname, ulen, NULL, NULL, NULL, NULL);
++ return 0;
+ }
+
+ static int bpf_perf_link_fill_perf_event(const struct perf_event *event,
+--
+2.43.0
+
--- /dev/null
+From 61bac79e02698a536beae04caf2326851c8f4ac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Sep 2024 14:56:24 +0200
+Subject: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 09d88791c7cd888d5195c84733caf9183dcfbd16 ]
+
+The bpf_redirect_info is shared between the SKB and XDP redirect paths,
+and the two paths use the same numeric flag values in the ri->flags
+field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
+if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
+subsequently, an XDP redirect is performed using the same
+bpf_redirect_info struct, the XDP path will get confused and end up
+crashing, which syzbot managed to trigger.
+
+With the stack-allocated bpf_redirect_info, the structure is no longer
+shared between the SKB and XDP paths, so the crash doesn't happen
+anymore. However, different code paths using identically-numbered flag
+values in the same struct field still seems like a bit of a mess, so
+this patch cleans that up by moving the flag definitions together and
+redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
+with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
+sure the overlap is not re-introduced by mistake.
+
+Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
+Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6
+Link: https://lore.kernel.org/bpf/20240920125625.59465-1-toke@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h | 13 +++++--------
+ net/core/filter.c | 8 +++++---
+ 2 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index ba6e346c8d669..4bb38409b26ad 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -5921,11 +5921,6 @@ enum {
+ BPF_F_MARK_ENFORCE = (1ULL << 6),
+ };
+
+-/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */
+-enum {
+- BPF_F_INGRESS = (1ULL << 0),
+-};
+-
+ /* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
+ enum {
+ BPF_F_TUNINFO_IPV6 = (1ULL << 0),
+@@ -6072,10 +6067,12 @@ enum {
+ BPF_F_BPRM_SECUREEXEC = (1ULL << 0),
+ };
+
+-/* Flags for bpf_redirect_map helper */
++/* Flags for bpf_redirect and bpf_redirect_map helpers */
+ enum {
+- BPF_F_BROADCAST = (1ULL << 3),
+- BPF_F_EXCLUDE_INGRESS = (1ULL << 4),
++ BPF_F_INGRESS = (1ULL << 0), /* used for skb path */
++ BPF_F_BROADCAST = (1ULL << 3), /* used for XDP path */
++ BPF_F_EXCLUDE_INGRESS = (1ULL << 4), /* used for XDP path */
++#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)
+ };
+
+ #define __bpf_md_ptr(type, name) \
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 8bfd46a070c16..bbb1432488430 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2423,9 +2423,9 @@ static int __bpf_redirect_neigh(struct sk_buff *skb, struct net_device *dev,
+
+ /* Internal, non-exposed redirect flags. */
+ enum {
+- BPF_F_NEIGH = (1ULL << 1),
+- BPF_F_PEER = (1ULL << 2),
+- BPF_F_NEXTHOP = (1ULL << 3),
++ BPF_F_NEIGH = (1ULL << 16),
++ BPF_F_PEER = (1ULL << 17),
++ BPF_F_NEXTHOP = (1ULL << 18),
+ #define BPF_F_REDIRECT_INTERNAL (BPF_F_NEIGH | BPF_F_PEER | BPF_F_NEXTHOP)
+ };
+
+@@ -2435,6 +2435,8 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
+ struct sk_buff *clone;
+ int ret;
+
++ BUILD_BUG_ON(BPF_F_REDIRECT_INTERNAL & BPF_F_REDIRECT_FLAGS);
++
+ if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL)))
+ return -EINVAL;
+
+--
+2.43.0
+
--- /dev/null
+From c9cee25c21add629f55c38f961bc85fcafcbfad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 18:26:39 +0200
+Subject: bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 9c5bd93edf7b8834aecaa7c340b852d5990d7c78 ]
+
+Don't mislead the callers of bpf_{sk,msg}_redirect_{map,hash}(): make sure
+to immediately and visibly fail the forwarding of unsupported af_vsock
+packets.
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-1-d6577bbfe742@rbox.co
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 5 +++++
+ net/core/sock_map.c | 8 ++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index c3961050b8e39..e0be8bd983960 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2826,6 +2826,11 @@ static inline bool sk_is_stream_unix(const struct sock *sk)
+ return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM;
+ }
+
++static inline bool sk_is_vsock(const struct sock *sk)
++{
++ return sk->sk_family == AF_VSOCK;
++}
++
+ /**
+ * sk_eat_skb - Release a skb if it is no longer needed
+ * @sk: socket to eat this skb from
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 2afac40bb83ca..2da881a8e7983 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -644,6 +644,8 @@ BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb,
+ sk = __sock_map_lookup_elem(map, key);
+ if (unlikely(!sk || !sock_map_redirect_allowed(sk)))
+ return SK_DROP;
++ if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk))
++ return SK_DROP;
+
+ skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS);
+ return SK_PASS;
+@@ -672,6 +674,8 @@ BPF_CALL_4(bpf_msg_redirect_map, struct sk_msg *, msg,
+ return SK_DROP;
+ if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk))
+ return SK_DROP;
++ if (sk_is_vsock(sk))
++ return SK_DROP;
+
+ msg->flags = flags;
+ msg->sk_redir = sk;
+@@ -1246,6 +1250,8 @@ BPF_CALL_4(bpf_sk_redirect_hash, struct sk_buff *, skb,
+ sk = __sock_hash_lookup_elem(map, key);
+ if (unlikely(!sk || !sock_map_redirect_allowed(sk)))
+ return SK_DROP;
++ if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk))
++ return SK_DROP;
+
+ skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS);
+ return SK_PASS;
+@@ -1274,6 +1280,8 @@ BPF_CALL_4(bpf_msg_redirect_hash, struct sk_msg *, msg,
+ return SK_DROP;
+ if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk))
+ return SK_DROP;
++ if (sk_is_vsock(sk))
++ return SK_DROP;
+
+ msg->flags = flags;
+ msg->sk_redir = sk;
+--
+2.43.0
+
--- /dev/null
+From 6dc89356241833e054060bd6b5f67d49b38f98f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 18:26:42 +0200
+Subject: bpf, vsock: Drop static vsock_bpf_prot initialization
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 19039f279797efbe044cae41ee216c5fe481fc33 ]
+
+vsock_bpf_prot is set up at runtime. Remove the superfluous init.
+
+No functional change intended.
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-4-d6577bbfe742@rbox.co
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/vsock_bpf.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/net/vmw_vsock/vsock_bpf.c b/net/vmw_vsock/vsock_bpf.c
+index c42c5cc18f324..4aa6e74ec2957 100644
+--- a/net/vmw_vsock/vsock_bpf.c
++++ b/net/vmw_vsock/vsock_bpf.c
+@@ -114,14 +114,6 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
+ return copied;
+ }
+
+-/* Copy of original proto with updated sock_map methods */
+-static struct proto vsock_bpf_prot = {
+- .close = sock_map_close,
+- .recvmsg = vsock_bpf_recvmsg,
+- .sock_is_readable = sk_msg_is_readable,
+- .unhash = sock_map_unhash,
+-};
+-
+ static void vsock_bpf_rebuild_protos(struct proto *prot, const struct proto *base)
+ {
+ *prot = *base;
+--
+2.43.0
+
--- /dev/null
+From 164e64cfa5af69e9dd94835e60f535cb1a0f71cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 15:09:02 -0700
+Subject: cdrom: Avoid barrier_nospec() in cdrom_ioctl_media_changed()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit b0bf1afde7c34698cf61422fa8ee60e690dc25c3 ]
+
+The barrier_nospec() after the array bounds check is overkill and
+painfully slow for arches which implement it.
+
+Furthermore, most arches don't implement it, so they remain exposed to
+Spectre v1 (which can affect pretty much any CPU with branch
+prediction).
+
+Instead, clamp the user pointer to a valid range so it's guaranteed to
+be a valid array index even when the bounds check mispredicts.
+
+Fixes: 8270cb10c068 ("cdrom: Fix spectre-v1 gadget")
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Link: https://lore.kernel.org/r/1d86f4d9d8fba68e5ca64cdeac2451b95a8bf872.1729202937.git.jpoimboe@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 01f46caf1f88b..54b80911f3e28 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2313,7 +2313,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
+ return -EINVAL;
+
+ /* Prevent arg from speculatively bypassing the length check */
+- barrier_nospec();
++ arg = array_index_nospec(arg, cdi->capacity);
+
+ info = kmalloc(sizeof(*info), GFP_KERNEL);
+ if (!info)
+--
+2.43.0
+
--- /dev/null
+From 599abd586b287d402752d61b1cbd8860ac1c1eba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 12:23:04 +0000
+Subject: cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory
+ systems
+
+From: Dhananjay Ugwekar <Dhananjay.Ugwekar@amd.com>
+
+[ Upstream commit c10e50a469b5ec91eabf653526a22bdce03a9bca ]
+
+While switching the driver mode between active and passive, Collaborative
+Processor Performance Control (CPPC) is disabled in
+amd_pstate_unregister_driver(). But, it is not enabled back while registering
+the new driver (passive or active). This leads to the new driver mode not
+working correctly, so enable it back in amd_pstate_register_driver().
+
+Fixes: 3ca7bc818d8c ("cpufreq: amd-pstate: Add guided mode control support via sysfs")
+Signed-off-by: Dhananjay Ugwekar <Dhananjay.Ugwekar@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20241004122303.94283-1-Dhananjay.Ugwekar@amd.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/amd-pstate.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
+index f461f99eb040c..8c16d67b98bfe 100644
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -1061,11 +1061,21 @@ static int amd_pstate_register_driver(int mode)
+ return -EINVAL;
+
+ cppc_state = mode;
++
++ ret = amd_pstate_enable(true);
++ if (ret) {
++ pr_err("failed to enable cppc during amd-pstate driver registration, return %d\n",
++ ret);
++ amd_pstate_driver_cleanup();
++ return ret;
++ }
++
+ ret = cpufreq_register_driver(current_pstate_driver);
+ if (ret) {
+ amd_pstate_driver_cleanup();
+ return ret;
+ }
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 33ae26354641f3c2cafaf65a608d82bfb1c37ff4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 19:01:48 +0530
+Subject: drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit e7457532cb7167516263150ceae86f36d6ef9683 ]
+
+This patch addresses a double unlock issue in the amdgpu_mes_add_ring
+function. The mutex was being unlocked twice under certain error
+conditions, which could lead to undefined behavior.
+
+The fix ensures that the mutex is unlocked only once before jumping to
+the clean_up_memory label. The unlock operation is moved to just before
+the goto statement within the conditional block that checks the return
+value of amdgpu_ring_init. This prevents the second unlock attempt after
+the clean_up_memory label, which is no longer necessary as the mutex is
+already unlocked by this point in the code flow.
+
+This change resolves the potential double unlock and maintains the
+correct mutex handling throughout the function.
+
+Fixes below:
+Commit d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue
+submission"), leads to the following Smatch static checker warning:
+
+ drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c:1240 amdgpu_mes_add_ring()
+ warn: double unlock '&adev->mes.mutex_hidden' (orig line 1213)
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
+ 1143 int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id,
+ 1144 int queue_type, int idx,
+ 1145 struct amdgpu_mes_ctx_data *ctx_data,
+ 1146 struct amdgpu_ring **out)
+ 1147 {
+ 1148 struct amdgpu_ring *ring;
+ 1149 struct amdgpu_mes_gang *gang;
+ 1150 struct amdgpu_mes_queue_properties qprops = {0};
+ 1151 int r, queue_id, pasid;
+ 1152
+ 1153 /*
+ 1154 * Avoid taking any other locks under MES lock to avoid circular
+ 1155 * lock dependencies.
+ 1156 */
+ 1157 amdgpu_mes_lock(&adev->mes);
+ 1158 gang = idr_find(&adev->mes.gang_id_idr, gang_id);
+ 1159 if (!gang) {
+ 1160 DRM_ERROR("gang id %d doesn't exist\n", gang_id);
+ 1161 amdgpu_mes_unlock(&adev->mes);
+ 1162 return -EINVAL;
+ 1163 }
+ 1164 pasid = gang->process->pasid;
+ 1165
+ 1166 ring = kzalloc(sizeof(struct amdgpu_ring), GFP_KERNEL);
+ 1167 if (!ring) {
+ 1168 amdgpu_mes_unlock(&adev->mes);
+ 1169 return -ENOMEM;
+ 1170 }
+ 1171
+ 1172 ring->ring_obj = NULL;
+ 1173 ring->use_doorbell = true;
+ 1174 ring->is_mes_queue = true;
+ 1175 ring->mes_ctx = ctx_data;
+ 1176 ring->idx = idx;
+ 1177 ring->no_scheduler = true;
+ 1178
+ 1179 if (queue_type == AMDGPU_RING_TYPE_COMPUTE) {
+ 1180 int offset = offsetof(struct amdgpu_mes_ctx_meta_data,
+ 1181 compute[ring->idx].mec_hpd);
+ 1182 ring->eop_gpu_addr =
+ 1183 amdgpu_mes_ctx_get_offs_gpu_addr(ring, offset);
+ 1184 }
+ 1185
+ 1186 switch (queue_type) {
+ 1187 case AMDGPU_RING_TYPE_GFX:
+ 1188 ring->funcs = adev->gfx.gfx_ring[0].funcs;
+ 1189 ring->me = adev->gfx.gfx_ring[0].me;
+ 1190 ring->pipe = adev->gfx.gfx_ring[0].pipe;
+ 1191 break;
+ 1192 case AMDGPU_RING_TYPE_COMPUTE:
+ 1193 ring->funcs = adev->gfx.compute_ring[0].funcs;
+ 1194 ring->me = adev->gfx.compute_ring[0].me;
+ 1195 ring->pipe = adev->gfx.compute_ring[0].pipe;
+ 1196 break;
+ 1197 case AMDGPU_RING_TYPE_SDMA:
+ 1198 ring->funcs = adev->sdma.instance[0].ring.funcs;
+ 1199 break;
+ 1200 default:
+ 1201 BUG();
+ 1202 }
+ 1203
+ 1204 r = amdgpu_ring_init(adev, ring, 1024, NULL, 0,
+ 1205 AMDGPU_RING_PRIO_DEFAULT, NULL);
+ 1206 if (r)
+ 1207 goto clean_up_memory;
+ 1208
+ 1209 amdgpu_mes_ring_to_queue_props(adev, ring, &qprops);
+ 1210
+ 1211 dma_fence_wait(gang->process->vm->last_update, false);
+ 1212 dma_fence_wait(ctx_data->meta_data_va->last_pt_update, false);
+ 1213 amdgpu_mes_unlock(&adev->mes);
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ 1214
+ 1215 r = amdgpu_mes_add_hw_queue(adev, gang_id, &qprops, &queue_id);
+ 1216 if (r)
+ 1217 goto clean_up_ring;
+ ^^^^^^^^^^^^^^^^^^
+
+ 1218
+ 1219 ring->hw_queue_id = queue_id;
+ 1220 ring->doorbell_index = qprops.doorbell_off;
+ 1221
+ 1222 if (queue_type == AMDGPU_RING_TYPE_GFX)
+ 1223 sprintf(ring->name, "gfx_%d.%d.%d", pasid, gang_id, queue_id);
+ 1224 else if (queue_type == AMDGPU_RING_TYPE_COMPUTE)
+ 1225 sprintf(ring->name, "compute_%d.%d.%d", pasid, gang_id,
+ 1226 queue_id);
+ 1227 else if (queue_type == AMDGPU_RING_TYPE_SDMA)
+ 1228 sprintf(ring->name, "sdma_%d.%d.%d", pasid, gang_id,
+ 1229 queue_id);
+ 1230 else
+ 1231 BUG();
+ 1232
+ 1233 *out = ring;
+ 1234 return 0;
+ 1235
+ 1236 clean_up_ring:
+ 1237 amdgpu_ring_fini(ring);
+ 1238 clean_up_memory:
+ 1239 kfree(ring);
+--> 1240 amdgpu_mes_unlock(&adev->mes);
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ 1241 return r;
+ 1242 }
+
+Fixes: d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue submission")
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Hawking Zhang <Hawking.Zhang@amd.com>
+Suggested-by: Jack Xiao <Jack.Xiao@amd.com>
+Reported by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Jack Xiao <Jack.Xiao@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit bfaf1883605fd0c0dbabacd67ed49708470d5ea4)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
+index c5c55e132af21..5e3abdd0805b6 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
+@@ -1053,8 +1053,10 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id,
+
+ r = amdgpu_ring_init(adev, ring, 1024, NULL, 0,
+ AMDGPU_RING_PRIO_DEFAULT, NULL);
+- if (r)
++ if (r) {
++ amdgpu_mes_unlock(&adev->mes);
+ goto clean_up_memory;
++ }
+
+ amdgpu_mes_ring_to_queue_props(adev, ring, &qprops);
+
+@@ -1087,7 +1089,6 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int gang_id,
+ amdgpu_ring_fini(ring);
+ clean_up_memory:
+ kfree(ring);
+- amdgpu_mes_unlock(&adev->mes);
+ return r;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 38d3e410a2f2cee6984a719e165fe4b898aadb4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 09:36:09 -0700
+Subject: drm/msm: Allocate memory for disp snapshot with kvzalloc()
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit e4a45582db1b792c57bdb52c45958264f7fcfbdc ]
+
+With the "drm/msm: add a display mmu fault handler" series [1] we saw
+issues in the field where memory allocation was failing when
+allocating space for registers in msm_disp_state_dump_regs().
+Specifically we were seeing an order 5 allocation fail. It's not
+surprising that order 5 allocations will sometimes fail after the
+system has been up and running for a while.
+
+There's no need here for contiguous memory. Change the allocation to
+kvzalloc() which should make it much less likely to fail.
+
+[1] https://lore.kernel.org/r/20240628214848.4075651-1-quic_abhinavk@quicinc.com/
+
+Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/619658/
+Link: https://lore.kernel.org/r/20241014093605.2.I72441365ffe91f3dceb17db0a8ec976af8139590@changeid
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+index bb149281d31fa..4d55e3cf570f0 100644
+--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+@@ -26,7 +26,7 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b
+ end_addr = base_addr + aligned_len;
+
+ if (!(*reg))
+- *reg = kzalloc(len_padded, GFP_KERNEL);
++ *reg = kvzalloc(len_padded, GFP_KERNEL);
+
+ if (*reg)
+ dump_addr = *reg;
+@@ -162,7 +162,7 @@ void msm_disp_state_free(void *data)
+
+ list_for_each_entry_safe(block, tmp, &disp_state->blocks, node) {
+ list_del(&block->node);
+- kfree(block->state);
++ kvfree(block->state);
+ kfree(block);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2ec6a32a9a9e0749e7f717e9a6f4208abd1be8f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 09:36:08 -0700
+Subject: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs()
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 293f53263266bc4340d777268ab4328a97f041fa ]
+
+If the allocation in msm_disp_state_dump_regs() failed then
+`block->state` can be NULL. The msm_disp_state_print_regs() function
+_does_ have code to try to handle it with:
+
+ if (*reg)
+ dump_addr = *reg;
+
+...but since "dump_addr" is initialized to NULL the above is actually
+a noop. The code then goes on to dereference `dump_addr`.
+
+Make the function print "Registers not stored" when it sees a NULL to
+solve this. Since we're touching the code, fix
+msm_disp_state_print_regs() not to pointlessly take a double-pointer
+and properly mark the pointer as `const`.
+
+Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/619657/
+Link: https://lore.kernel.org/r/20241014093605.1.Ia1217cecec9ef09eb3c6d125360cc6c8574b0e73@changeid
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+index add72bbc28b17..bb149281d31fa 100644
+--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c
+@@ -48,20 +48,21 @@ static void msm_disp_state_dump_regs(u32 **reg, u32 aligned_len, void __iomem *b
+ }
+ }
+
+-static void msm_disp_state_print_regs(u32 **reg, u32 len, void __iomem *base_addr,
+- struct drm_printer *p)
++static void msm_disp_state_print_regs(const u32 *dump_addr, u32 len,
++ void __iomem *base_addr, struct drm_printer *p)
+ {
+ int i;
+- u32 *dump_addr = NULL;
+ void __iomem *addr;
+ u32 num_rows;
+
++ if (!dump_addr) {
++ drm_printf(p, "Registers not stored\n");
++ return;
++ }
++
+ addr = base_addr;
+ num_rows = len / REG_DUMP_ALIGN;
+
+- if (*reg)
+- dump_addr = *reg;
+-
+ for (i = 0; i < num_rows; i++) {
+ drm_printf(p, "0x%lx : %08x %08x %08x %08x\n",
+ (unsigned long)(addr - base_addr),
+@@ -89,7 +90,7 @@ void msm_disp_state_print(struct msm_disp_state *state, struct drm_printer *p)
+
+ list_for_each_entry_safe(block, tmp, &state->blocks, node) {
+ drm_printf(p, "====================%s================\n", block->name);
+- msm_disp_state_print_regs(&block->state, block->size, block->base_addr, p);
++ msm_disp_state_print_regs(block->state, block->size, block->base_addr, p);
+ }
+
+ drm_printf(p, "===================dpu drm state================\n");
+--
+2.43.0
+
--- /dev/null
+From 4b54358fd021b04d1dbe06a840fda891b17a9a2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 06:22:46 +0300
+Subject: drm/msm/dpu: check for overflow in _dpu_crtc_setup_lm_bounds()
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 3a0851b442d1f63ba42ecfa2506d3176cfabf9d4 ]
+
+Make _dpu_crtc_setup_lm_bounds() check that CRTC width is not
+overflowing LM requirements. Rename the function accordingly.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Tested-by: Abhinav Kumar <quic_abhinavk@quicinc.com> # sc7280
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/612237/
+Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-3-617e1ecc4b7a@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+index e238e4e8116ca..ad57368dc13f0 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+@@ -722,12 +722,13 @@ void dpu_crtc_complete_commit(struct drm_crtc *crtc)
+ _dpu_crtc_complete_flip(crtc);
+ }
+
+-static void _dpu_crtc_setup_lm_bounds(struct drm_crtc *crtc,
++static int _dpu_crtc_check_and_setup_lm_bounds(struct drm_crtc *crtc,
+ struct drm_crtc_state *state)
+ {
+ struct dpu_crtc_state *cstate = to_dpu_crtc_state(state);
+ struct drm_display_mode *adj_mode = &state->adjusted_mode;
+ u32 crtc_split_width = adj_mode->hdisplay / cstate->num_mixers;
++ struct dpu_kms *dpu_kms = _dpu_crtc_get_kms(crtc);
+ int i;
+
+ for (i = 0; i < cstate->num_mixers; i++) {
+@@ -738,7 +739,12 @@ static void _dpu_crtc_setup_lm_bounds(struct drm_crtc *crtc,
+ r->y2 = adj_mode->vdisplay;
+
+ trace_dpu_crtc_setup_lm_bounds(DRMID(crtc), i, r);
++
++ if (drm_rect_width(r) > dpu_kms->catalog->caps->max_mixer_width)
++ return -E2BIG;
+ }
++
++ return 0;
+ }
+
+ static void _dpu_crtc_get_pcc_coeff(struct drm_crtc_state *state,
+@@ -814,7 +820,7 @@ static void dpu_crtc_atomic_begin(struct drm_crtc *crtc,
+
+ DRM_DEBUG_ATOMIC("crtc%d\n", crtc->base.id);
+
+- _dpu_crtc_setup_lm_bounds(crtc, crtc->state);
++ _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc->state);
+
+ /* encoder will trigger pending mask now */
+ drm_for_each_encoder_mask(encoder, crtc->dev, crtc->state->encoder_mask)
+@@ -1208,8 +1214,11 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc,
+ if (crtc_state->active_changed)
+ crtc_state->mode_changed = true;
+
+- if (cstate->num_mixers)
+- _dpu_crtc_setup_lm_bounds(crtc, crtc_state);
++ if (cstate->num_mixers) {
++ rc = _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc_state);
++ if (rc)
++ return rc;
++ }
+
+ /* FIXME: move this to dpu_plane_atomic_check? */
+ drm_atomic_crtc_state_for_each_plane_state(plane, pstate, crtc_state) {
+--
+2.43.0
+
--- /dev/null
+From e582332b2eba2bc8b18b82d2f4d14cb3e271df81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 20:46:19 -0700
+Subject: drm/msm/dpu: don't always program merge_3d block
+
+From: Jessica Zhang <quic_jesszhan@quicinc.com>
+
+[ Upstream commit f87f3b80abaf7949e638dd17dfdc267066eb52d5 ]
+
+Only program the merge_3d block for the video phys encoder when the 3d
+blend mode is not NONE
+
+Fixes: 3e79527a33a8 ("drm/msm/dpu: enable merge_3d support on sm8150/sm8250")
+Suggested-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/619095/
+Link: https://lore.kernel.org/r/20241009-merge3d-fix-v1-1-0d0b6f5c244e@quicinc.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+index daaf0e6047538..20c8b9af7a219 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c
+@@ -280,7 +280,7 @@ static void dpu_encoder_phys_vid_setup_timing_engine(
+ intf_cfg.stream_sel = 0; /* Don't care value for video mode */
+ intf_cfg.mode_3d = dpu_encoder_helper_get_3d_blend_mode(phys_enc);
+ intf_cfg.dsc = dpu_encoder_helper_get_dsc(phys_enc);
+- if (phys_enc->hw_pp->merge_3d)
++ if (intf_cfg.mode_3d && phys_enc->hw_pp->merge_3d)
+ intf_cfg.merge_3d = phys_enc->hw_pp->merge_3d->idx;
+
+ spin_lock_irqsave(phys_enc->enc_spinlock, lock_flags);
+--
+2.43.0
+
--- /dev/null
+From f8ea4b0cdf9d2f2b4213aaf986440be65fa7ce01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 06:22:44 +0300
+Subject: drm/msm/dpu: make sure phys resources are properly initialized
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit bfecbc2cfba9b06d67d9d249c33d92e570e2fa70 ]
+
+The commit b954fa6baaca ("drm/msm/dpu: Refactor rm iterator") removed
+zero-init of the hw_ctl array, but didn't change the error condition,
+that checked for hw_ctl[i] being NULL. At the same time because of the
+early returns in case of an error dpu_encoder_phys might be left with
+the resources assigned in the previous state. Rework assigning of hw_pp
+/ hw_ctl to the dpu_encoder_phys in order to make sure they are always
+set correctly.
+
+Fixes: b954fa6baaca ("drm/msm/dpu: Refactor rm iterator")
+Suggested-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612233/
+Link: https://lore.kernel.org/r/20240903-dpu-mode-config-width-v6-1-617e1ecc4b7a@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+index 6262ec5e40204..10c68de1bf22c 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+@@ -1122,21 +1122,20 @@ static void dpu_encoder_virt_atomic_mode_set(struct drm_encoder *drm_enc,
+ for (i = 0; i < dpu_enc->num_phys_encs; i++) {
+ struct dpu_encoder_phys *phys = dpu_enc->phys_encs[i];
+
+- if (!dpu_enc->hw_pp[i]) {
++ phys->hw_pp = dpu_enc->hw_pp[i];
++ if (!phys->hw_pp) {
+ DPU_ERROR_ENC(dpu_enc,
+ "no pp block assigned at idx: %d\n", i);
+ return;
+ }
+
+- if (!hw_ctl[i]) {
++ phys->hw_ctl = i < num_ctl ? to_dpu_hw_ctl(hw_ctl[i]) : NULL;
++ if (!phys->hw_ctl) {
+ DPU_ERROR_ENC(dpu_enc,
+ "no ctl block assigned at idx: %d\n", i);
+ return;
+ }
+
+- phys->hw_pp = dpu_enc->hw_pp[i];
+- phys->hw_ctl = to_dpu_hw_ctl(hw_ctl[i]);
+-
+ phys->cached_mode = crtc_state->adjusted_mode;
+ if (phys->ops.atomic_mode_set)
+ phys->ops.atomic_mode_set(phys, crtc_state, conn_state);
+--
+2.43.0
+
--- /dev/null
+From f7e9c4be3421040a9782633d0a5d905aad4e337a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 01:01:49 -0400
+Subject: drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate
+ calculation
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit 358b762400bd94db2a14a72dfcef74c7da6bd845 ]
+
+When (mode->clock * 1000) is larger than (1<<31), int to unsigned long
+conversion will sign extend the int to 64 bits and the pclk_rate value
+will be incorrect.
+
+Fix this by making the result of the multiplication unsigned.
+
+Note that above (1<<32) would still be broken and require more changes, but
+its unlikely anyone will need that anytime soon.
+
+Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/618434/
+Link: https://lore.kernel.org/r/20241007050157.26855-2-jonathan@marek.ca
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index fcfe612416b0b..f920329fe2e09 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -545,7 +545,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode,
+ {
+ unsigned long pclk_rate;
+
+- pclk_rate = mode->clock * 1000;
++ pclk_rate = mode->clock * 1000u;
+
+ if (dsc)
+ pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc);
+--
+2.43.0
+
--- /dev/null
+From c36a392ff4b7a091e90e45d112ba9187379a150a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 01:01:48 -0400
+Subject: drm/msm/dsi: improve/fix dsc pclk calculation
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit 24436a540d16ca6a523b8e5441180001c31b6b35 ]
+
+drm_mode_vrefresh() can introduce a large rounding error, avoid it.
+
+Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/618432/
+Link: https://lore.kernel.org/r/20241007050157.26855-1-jonathan@marek.ca
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 77b805eacb1b1..fcfe612416b0b 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -537,7 +537,7 @@ static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mo
+
+ int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay;
+
+- return new_htotal * mode->vtotal * drm_mode_vrefresh(mode);
++ return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal);
+ }
+
+ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode,
+--
+2.43.0
+
--- /dev/null
+From 3736fdfc57b508d5005a9ceb2de2671b26d8d6cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2024 13:37:56 -0500
+Subject: drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 4809a017a2bc42ff239d53ade4b2e70f2fe81348 ]
+
+Handle unlikely ENOMEN condition and other errors in
+vmw_stdu_connector_atomic_check.
+
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: 75c3e8a26a35 ("drm/vmwgfx: Trigger a modeset when the screen moves")
+Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
+Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240809183756.27283-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+index b22ae25db4e17..52ea0c50c852c 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+@@ -881,6 +881,10 @@ static int vmw_stdu_connector_atomic_check(struct drm_connector *conn,
+ struct drm_crtc_state *new_crtc_state;
+
+ conn_state = drm_atomic_get_connector_state(state, conn);
++
++ if (IS_ERR(conn_state))
++ return PTR_ERR(conn_state);
++
+ du = vmw_connector_to_stdu(conn);
+
+ if (!conn_state->crtc)
+--
+2.43.0
+
--- /dev/null
+From 8b96623e04d3640d4824e64e0a1c7f09b66b3a74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 18:40:02 +0800
+Subject: firmware: arm_scmi: Fix the double free in
+ scmi_debugfs_common_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 39b13dce1a91cdfc3bec9238f9e89094551bd428 ]
+
+Clang static checker(scan-build) throws below warning:
+ | drivers/firmware/arm_scmi/driver.c:line 2915, column 2
+ | Attempt to free released memory.
+
+When devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup()
+will run twice which causes double free of 'dbg->name'.
+
+Remove the redundant scmi_debugfs_common_cleanup() to fix this problem.
+
+Fixes: c3d4aed763ce ("firmware: arm_scmi: Populate a common SCMI debugfs root")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
+Message-Id: <20241011104001.1546476-1-suhui@nfschina.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/driver.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
+index 87383c05424bd..3962683e2af9d 100644
+--- a/drivers/firmware/arm_scmi/driver.c
++++ b/drivers/firmware/arm_scmi/driver.c
+@@ -2603,10 +2603,8 @@ static struct scmi_debug_info *scmi_debugfs_common_setup(struct scmi_info *info)
+ dbg->top_dentry = top_dentry;
+
+ if (devm_add_action_or_reset(info->dev,
+- scmi_debugfs_common_cleanup, dbg)) {
+- scmi_debugfs_common_cleanup(dbg);
++ scmi_debugfs_common_cleanup, dbg))
+ return NULL;
+- }
+
+ return dbg;
+ }
+--
+2.43.0
+
--- /dev/null
+From 125a02ec9422a4e3eceed36ae5ad9e0b83985a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 09:07:17 -0700
+Subject: firmware: arm_scmi: Queue in scmi layer for mailbox implementation
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit da1642bc97c4ef67f347edcd493bd0a52f88777b ]
+
+send_message() does not block in the MBOX implementation. This is
+because the mailbox layer has its own queue. However, this confuses
+the per xfer timeouts as they all start their timeout ticks in
+parallel.
+
+Consider a case where the xfer timeout is 30ms and a SCMI transaction
+takes 25ms:
+
+ | 0ms: Message #0 is queued in mailbox layer and sent out, then sits
+ | at scmi_wait_for_message_response() with a timeout of 30ms
+ | 1ms: Message #1 is queued in mailbox layer but not sent out yet.
+ | Since send_message() doesn't block, it also sits at
+ | scmi_wait_for_message_response() with a timeout of 30ms
+ | ...
+ | 25ms: Message #0 is completed, txdone is called and message #1 is sent
+ | 31ms: Message #1 times out since the count started at 1ms. Even though
+ | it has only been inflight for 6ms.
+
+Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Message-Id: <20241014160717.1678953-1-justin.chen@broadcom.com>
+Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
+Tested-by: Cristian Marussi <cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/mailbox.c | 32 +++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/mailbox.c b/drivers/firmware/arm_scmi/mailbox.c
+index b8d470417e8f9..8e513f70b75d4 100644
+--- a/drivers/firmware/arm_scmi/mailbox.c
++++ b/drivers/firmware/arm_scmi/mailbox.c
+@@ -23,6 +23,7 @@
+ * @chan_receiver: Optional Receiver mailbox unidirectional channel
+ * @cinfo: SCMI channel info
+ * @shmem: Transmit/Receive shared memory area
++ * @chan_lock: Lock that prevents multiple xfers from being queued
+ */
+ struct scmi_mailbox {
+ struct mbox_client cl;
+@@ -30,6 +31,7 @@ struct scmi_mailbox {
+ struct mbox_chan *chan_receiver;
+ struct scmi_chan_info *cinfo;
+ struct scmi_shared_mem __iomem *shmem;
++ struct mutex chan_lock;
+ };
+
+ #define client_to_scmi_mailbox(c) container_of(c, struct scmi_mailbox, cl)
+@@ -228,6 +230,7 @@ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
+
+ cinfo->transport_info = smbox;
+ smbox->cinfo = cinfo;
++ mutex_init(&smbox->chan_lock);
+
+ return 0;
+ }
+@@ -255,13 +258,23 @@ static int mailbox_send_message(struct scmi_chan_info *cinfo,
+ struct scmi_mailbox *smbox = cinfo->transport_info;
+ int ret;
+
+- ret = mbox_send_message(smbox->chan, xfer);
++ /*
++ * The mailbox layer has its own queue. However the mailbox queue
++ * confuses the per message SCMI timeouts since the clock starts when
++ * the message is submitted into the mailbox queue. So when multiple
++ * messages are queued up the clock starts on all messages instead of
++ * only the one inflight.
++ */
++ mutex_lock(&smbox->chan_lock);
+
+- /* mbox_send_message returns non-negative value on success, so reset */
+- if (ret > 0)
+- ret = 0;
++ ret = mbox_send_message(smbox->chan, xfer);
++ /* mbox_send_message returns non-negative value on success */
++ if (ret < 0) {
++ mutex_unlock(&smbox->chan_lock);
++ return ret;
++ }
+
+- return ret;
++ return 0;
+ }
+
+ static void mailbox_mark_txdone(struct scmi_chan_info *cinfo, int ret,
+@@ -269,13 +282,10 @@ static void mailbox_mark_txdone(struct scmi_chan_info *cinfo, int ret,
+ {
+ struct scmi_mailbox *smbox = cinfo->transport_info;
+
+- /*
+- * NOTE: we might prefer not to need the mailbox ticker to manage the
+- * transfer queueing since the protocol layer queues things by itself.
+- * Unfortunately, we have to kick the mailbox framework after we have
+- * received our message.
+- */
+ mbox_client_txdone(smbox->chan, ret);
++
++ /* Release channel */
++ mutex_unlock(&smbox->chan_lock);
+ }
+
+ static void mailbox_fetch_response(struct scmi_chan_info *cinfo,
+--
+2.43.0
+
--- /dev/null
+From f80b1af82f4a9bbc71993fe99da3e6dccc26ba77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 17:12:17 +0000
+Subject: genetlink: hold RCU in genlmsg_mcast()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 56440d7ec28d60f8da3bfa09062b3368ff9b16db ]
+
+While running net selftests with CONFIG_PROVE_RCU_LIST=y I saw
+one lockdep splat [1].
+
+genlmsg_mcast() uses for_each_net_rcu(), and must therefore hold RCU.
+
+Instead of letting all callers guard genlmsg_multicast_allns()
+with a rcu_read_lock()/rcu_read_unlock() pair, do it in genlmsg_mcast().
+
+This also means the @flags parameter is useless, we need to always use
+GFP_ATOMIC.
+
+[1]
+[10882.424136] =============================
+[10882.424166] WARNING: suspicious RCU usage
+[10882.424309] 6.12.0-rc2-virtme #1156 Not tainted
+[10882.424400] -----------------------------
+[10882.424423] net/netlink/genetlink.c:1940 RCU-list traversed in non-reader section!!
+[10882.424469]
+other info that might help us debug this:
+
+[10882.424500]
+rcu_scheduler_active = 2, debug_locks = 1
+[10882.424744] 2 locks held by ip/15677:
+[10882.424791] #0: ffffffffb6b491b0 (cb_lock){++++}-{3:3}, at: genl_rcv (net/netlink/genetlink.c:1219)
+[10882.426334] #1: ffffffffb6b49248 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg (net/netlink/genetlink.c:61 net/netlink/genetlink.c:57 net/netlink/genetlink.c:1209)
+[10882.426465]
+stack backtrace:
+[10882.426805] CPU: 14 UID: 0 PID: 15677 Comm: ip Not tainted 6.12.0-rc2-virtme #1156
+[10882.426919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[10882.427046] Call Trace:
+[10882.427131] <TASK>
+[10882.427244] dump_stack_lvl (lib/dump_stack.c:123)
+[10882.427335] lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
+[10882.427387] genlmsg_multicast_allns (net/netlink/genetlink.c:1940 (discriminator 7) net/netlink/genetlink.c:1977 (discriminator 7))
+[10882.427436] l2tp_tunnel_notify.constprop.0 (net/l2tp/l2tp_netlink.c:119) l2tp_netlink
+[10882.427683] l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:253) l2tp_netlink
+[10882.427748] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115)
+[10882.427834] genl_rcv_msg (net/netlink/genetlink.c:1195 net/netlink/genetlink.c:1210)
+[10882.427877] ? __pfx_l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:186) l2tp_netlink
+[10882.427927] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201)
+[10882.427959] netlink_rcv_skb (net/netlink/af_netlink.c:2551)
+[10882.428069] genl_rcv (net/netlink/genetlink.c:1220)
+[10882.428095] netlink_unicast (net/netlink/af_netlink.c:1332 net/netlink/af_netlink.c:1357)
+[10882.428140] netlink_sendmsg (net/netlink/af_netlink.c:1901)
+[10882.428210] ____sys_sendmsg (net/socket.c:729 (discriminator 1) net/socket.c:744 (discriminator 1) net/socket.c:2607 (discriminator 1))
+
+Fixes: 33f72e6f0c67 ("l2tp : multicast notification to the registered listeners")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Cc: Tom Parkin <tparkin@katalix.com>
+Cc: Johannes Berg <johannes.berg@intel.com>
+Link: https://patch.msgid.link/20241011171217.3166614-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_user.c | 2 +-
+ include/net/genetlink.h | 3 +--
+ net/l2tp/l2tp_netlink.c | 4 ++--
+ net/netlink/genetlink.c | 28 ++++++++++++++--------------
+ net/wireless/nl80211.c | 8 ++------
+ 5 files changed, 20 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
+index 22cc6cac0ba2b..2e100b76914a0 100644
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -2130,7 +2130,7 @@ static int tcmu_netlink_event_send(struct tcmu_dev *udev,
+ }
+
+ ret = genlmsg_multicast_allns(&tcmu_genl_family, skb, 0,
+- TCMU_MCGRP_CONFIG, GFP_KERNEL);
++ TCMU_MCGRP_CONFIG);
+
+ /* Wait during an add as the listener may not be up yet */
+ if (ret == 0 ||
+diff --git a/include/net/genetlink.h b/include/net/genetlink.h
+index c53244f204370..e8c34aa4a640d 100644
+--- a/include/net/genetlink.h
++++ b/include/net/genetlink.h
+@@ -478,13 +478,12 @@ static inline int genlmsg_multicast(const struct genl_family *family,
+ * @skb: netlink message as socket buffer
+ * @portid: own netlink portid to avoid sending to yourself
+ * @group: offset of multicast group in groups array
+- * @flags: allocation flags
+ *
+ * This function must hold the RTNL or rcu_read_lock().
+ */
+ int genlmsg_multicast_allns(const struct genl_family *family,
+ struct sk_buff *skb, u32 portid,
+- unsigned int group, gfp_t flags);
++ unsigned int group);
+
+ /**
+ * genlmsg_unicast - unicast a netlink message
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
+index a901fd14fe3bf..e27e00cb16c6b 100644
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -115,7 +115,7 @@ static int l2tp_tunnel_notify(struct genl_family *family,
+ NLM_F_ACK, tunnel, cmd);
+
+ if (ret >= 0) {
+- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
++ ret = genlmsg_multicast_allns(family, msg, 0, 0);
+ /* We don't care if no one is listening */
+ if (ret == -ESRCH)
+ ret = 0;
+@@ -143,7 +143,7 @@ static int l2tp_session_notify(struct genl_family *family,
+ NLM_F_ACK, session, cmd);
+
+ if (ret >= 0) {
+- ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
++ ret = genlmsg_multicast_allns(family, msg, 0, 0);
+ /* We don't care if no one is listening */
+ if (ret == -ESRCH)
+ ret = 0;
+diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
+index d41c4a936ad0c..d6eee5140c8be 100644
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -1355,15 +1355,11 @@ static int genl_ctrl_event(int event, const struct genl_family *family,
+ if (IS_ERR(msg))
+ return PTR_ERR(msg);
+
+- if (!family->netnsok) {
++ if (!family->netnsok)
+ genlmsg_multicast_netns(&genl_ctrl, &init_net, msg, 0,
+ 0, GFP_KERNEL);
+- } else {
+- rcu_read_lock();
+- genlmsg_multicast_allns(&genl_ctrl, msg, 0,
+- 0, GFP_ATOMIC);
+- rcu_read_unlock();
+- }
++ else
++ genlmsg_multicast_allns(&genl_ctrl, msg, 0, 0);
+
+ return 0;
+ }
+@@ -1752,23 +1748,23 @@ static int __init genl_init(void)
+
+ core_initcall(genl_init);
+
+-static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
+- gfp_t flags)
++static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group)
+ {
+ struct sk_buff *tmp;
+ struct net *net, *prev = NULL;
+ bool delivered = false;
+ int err;
+
++ rcu_read_lock();
+ for_each_net_rcu(net) {
+ if (prev) {
+- tmp = skb_clone(skb, flags);
++ tmp = skb_clone(skb, GFP_ATOMIC);
+ if (!tmp) {
+ err = -ENOMEM;
+ goto error;
+ }
+ err = nlmsg_multicast(prev->genl_sock, tmp,
+- portid, group, flags);
++ portid, group, GFP_ATOMIC);
+ if (!err)
+ delivered = true;
+ else if (err != -ESRCH)
+@@ -1777,27 +1773,31 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
+
+ prev = net;
+ }
++ err = nlmsg_multicast(prev->genl_sock, skb, portid, group, GFP_ATOMIC);
++
++ rcu_read_unlock();
+
+- err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
+ if (!err)
+ delivered = true;
+ else if (err != -ESRCH)
+ return err;
+ return delivered ? 0 : -ESRCH;
+ error:
++ rcu_read_unlock();
++
+ kfree_skb(skb);
+ return err;
+ }
+
+ int genlmsg_multicast_allns(const struct genl_family *family,
+ struct sk_buff *skb, u32 portid,
+- unsigned int group, gfp_t flags)
++ unsigned int group)
+ {
+ if (WARN_ON_ONCE(group >= family->n_mcgrps))
+ return -EINVAL;
+
+ group = family->mcgrp_offset + group;
+- return genlmsg_mcast(skb, portid, group, flags);
++ return genlmsg_mcast(skb, portid, group);
+ }
+ EXPORT_SYMBOL(genlmsg_multicast_allns);
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 9e74f249cb45f..7979073036698 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -17905,10 +17905,8 @@ void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
+
+ genlmsg_end(msg, hdr);
+
+- rcu_read_lock();
+ genlmsg_multicast_allns(&nl80211_fam, msg, 0,
+- NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
+- rcu_read_unlock();
++ NL80211_MCGRP_REGULATORY);
+
+ return;
+
+@@ -18605,10 +18603,8 @@ void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
+
+ genlmsg_end(msg, hdr);
+
+- rcu_read_lock();
+ genlmsg_multicast_allns(&nl80211_fam, msg, 0,
+- NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
+- rcu_read_unlock();
++ NL80211_MCGRP_REGULATORY);
+
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From 3ece4173b045239300a1f6b99ec0985e2a802ebd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 04:36:20 -0400
+Subject: iio: accel: bma400: Fix uninitialized variable field_value in tap
+ event handling.
+
+From: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+
+[ Upstream commit db9795a43dc944f048a37b65e06707f60f713e34 ]
+
+In the current implementation, the local variable field_value is used
+without prior initialization, which may lead to reading uninitialized
+memory. Specifically, in the macro set_mask_bits, the initial
+(potentially uninitialized) value of the buffer is copied into old__,
+and a mask is applied to calculate new__. A similar issue was resolved in
+commit 6ee2a7058fea ("iio: accel: bma400: Fix smatch warning based on use
+of unintialized value.").
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 961db2da159d ("iio: accel: bma400: Add support for single and double tap events")
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+Link: https://patch.msgid.link/20240910083624.27224-1-m.lobanov@rosalinux.ru
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/bma400_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/accel/bma400_core.c b/drivers/iio/accel/bma400_core.c
+index e90e2f01550ad..04083b7395ab8 100644
+--- a/drivers/iio/accel/bma400_core.c
++++ b/drivers/iio/accel/bma400_core.c
+@@ -1219,7 +1219,8 @@ static int bma400_activity_event_en(struct bma400_data *data,
+ static int bma400_tap_event_en(struct bma400_data *data,
+ enum iio_event_direction dir, int state)
+ {
+- unsigned int mask, field_value;
++ unsigned int mask;
++ unsigned int field_value = 0;
+ int ret;
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 6257c233d8d09fb76805b842b12d877c23525157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 23:04:52 +0200
+Subject: iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in
+ Kconfig
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit a985576af824426e33100554a5958a6beda60a13 ]
+
+This driver makes use of triggered buffers, but does not select the
+required modules.
+
+Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'.
+
+Fixes: 6c7bc1d27bb2 ("iio: adc: ti-lmp92064: add buffering support")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241003-iio-select-v1-6-67c0385197cd@gmail.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig
+index e46817cb5581c..6dee3b686effd 100644
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -1335,6 +1335,8 @@ config TI_LMP92064
+ tristate "Texas Instruments LMP92064 ADC driver"
+ depends on SPI
+ select REGMAP_SPI
++ select IIO_BUFFER
++ select IIO_TRIGGERED_BUFFER
+ help
+ Say yes here to build support for the LMP92064 Precision Current and Voltage
+ sensor.
+--
+2.43.0
+
--- /dev/null
+From b1f07d3247815b6ab9cb8db42945cf88c8aa811f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 22:06:38 +0200
+Subject: iio: frequency: {admv4420,adrf6780}: format Kconfig entries
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit 5c9644a683e1690387a476a4f5f6bd5cf9a1d695 ]
+
+Format the entries of these drivers in the Kconfig, where spaces
+instead of tabs were used.
+
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241007-ad2s1210-select-v2-1-7345d228040f@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Stable-dep-of: 6b8e9dbfaed4 ("iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/frequency/Kconfig | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig
+index 71de6cc4a1584..f7534dd8a8cae 100644
+--- a/drivers/iio/frequency/Kconfig
++++ b/drivers/iio/frequency/Kconfig
+@@ -82,25 +82,25 @@ config ADMV1014
+ module will be called admv1014.
+
+ config ADMV4420
+- tristate "Analog Devices ADMV4420 K Band Downconverter"
+- depends on SPI
+- help
+- Say yes here to build support for Analog Devices K Band
+- Downconverter with integrated Fractional-N PLL and VCO.
++ tristate "Analog Devices ADMV4420 K Band Downconverter"
++ depends on SPI
++ help
++ Say yes here to build support for Analog Devices K Band
++ Downconverter with integrated Fractional-N PLL and VCO.
+
+- To compile this driver as a module, choose M here: the
+- module will be called admv4420.
++ To compile this driver as a module, choose M here: the
++ module will be called admv4420.
+
+ config ADRF6780
+- tristate "Analog Devices ADRF6780 Microwave Upconverter"
+- depends on SPI
+- depends on COMMON_CLK
+- help
+- Say yes here to build support for Analog Devices ADRF6780
+- 5.9 GHz to 23.6 GHz, Wideband, Microwave Upconverter.
+-
+- To compile this driver as a module, choose M here: the
+- module will be called adrf6780.
++ tristate "Analog Devices ADRF6780 Microwave Upconverter"
++ depends on SPI
++ depends on COMMON_CLK
++ help
++ Say yes here to build support for Analog Devices ADRF6780
++ 5.9 GHz to 23.6 GHz, Wideband, Microwave Upconverter.
++
++ To compile this driver as a module, choose M here: the
++ module will be called adrf6780.
+
+ endmenu
+ endmenu
+--
+2.43.0
+
--- /dev/null
+From e2cd37b7a18f49688d34e54bf78a811896169e7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 22:06:39 +0200
+Subject: iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit 6b8e9dbfaed471627f7b863633b9937717df1d4d ]
+
+This driver makes use of regmap_spi, but does not select the required
+module.
+Add the missing 'select REGMAP_SPI'.
+
+Fixes: b59c04155901 ("iio: frequency: admv4420.c: Add support for ADMV4420")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241007-ad2s1210-select-v2-2-7345d228040f@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/frequency/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig
+index f7534dd8a8cae..036763d3e84c6 100644
+--- a/drivers/iio/frequency/Kconfig
++++ b/drivers/iio/frequency/Kconfig
+@@ -84,6 +84,7 @@ config ADMV1014
+ config ADMV4420
+ tristate "Analog Devices ADMV4420 K Band Downconverter"
+ depends on SPI
++ select REGMAP_SPI
+ help
+ Say yes here to build support for Analog Devices K Band
+ Downconverter with integrated Fractional-N PLL and VCO.
+--
+2.43.0
+
--- /dev/null
+From cf6cac963605c3ba9846ec383bd6803706d77c51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 14:47:13 -0400
+Subject: ipv4: give an IPv4 dev to blackhole_netdev
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 22600596b6756b166fd052d5facb66287e6f0bad ]
+
+After commit 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to
+invalidate dst entries"), blackhole_netdev was introduced to invalidate
+dst cache entries on the TX path whenever the cache times out or is
+flushed.
+
+When two UDP sockets (sk1 and sk2) send messages to the same destination
+simultaneously, they are using the same dst cache. If the dst cache is
+invalidated on one path (sk2) while the other (sk1) is still transmitting,
+sk1 may try to use the invalid dst entry.
+
+ CPU1 CPU2
+
+ udp_sendmsg(sk1) udp_sendmsg(sk2)
+ udp_send_skb()
+ ip_output()
+ <--- dst timeout or flushed
+ dst_dev_put()
+ ip_finish_output2()
+ ip_neigh_for_gw()
+
+This results in a scenario where ip_neigh_for_gw() returns -EINVAL because
+blackhole_dev lacks an in_dev, which is needed to initialize the neigh in
+arp_constructor(). This error is then propagated back to userspace,
+breaking the UDP application.
+
+The patch fixes this issue by assigning an in_dev to blackhole_dev for
+IPv4, similar to what was done for IPv6 in commit e5f80fcf869a ("ipv6:
+give an IPv6 dev to blackhole_netdev"). This ensures that even when the
+dst entry is invalidated with blackhole_dev, it will not fail to create
+the neigh entry.
+
+As devinet_init() is called ealier than blackhole_netdev_init() in system
+booting, it can not assign the in_dev to blackhole_dev in devinet_init().
+As Paolo suggested, add a separate late_initcall() in devinet.c to ensure
+inet_blackhole_dev_init() is called after blackhole_netdev_init().
+
+Fixes: 8d7017fd621d ("blackhole_netdev: use blackhole_netdev to invalidate dst entries")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/3000792d45ca44e16c785ebe2b092e610e5b3df1.1728499633.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 35 +++++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index cb0c80328eebf..4822f68edbf08 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -283,17 +283,19 @@ static struct in_device *inetdev_init(struct net_device *dev)
+ /* Account for reference dev->ip_ptr (below) */
+ refcount_set(&in_dev->refcnt, 1);
+
+- err = devinet_sysctl_register(in_dev);
+- if (err) {
+- in_dev->dead = 1;
+- neigh_parms_release(&arp_tbl, in_dev->arp_parms);
+- in_dev_put(in_dev);
+- in_dev = NULL;
+- goto out;
++ if (dev != blackhole_netdev) {
++ err = devinet_sysctl_register(in_dev);
++ if (err) {
++ in_dev->dead = 1;
++ neigh_parms_release(&arp_tbl, in_dev->arp_parms);
++ in_dev_put(in_dev);
++ in_dev = NULL;
++ goto out;
++ }
++ ip_mc_init_dev(in_dev);
++ if (dev->flags & IFF_UP)
++ ip_mc_up(in_dev);
+ }
+- ip_mc_init_dev(in_dev);
+- if (dev->flags & IFF_UP)
+- ip_mc_up(in_dev);
+
+ /* we can receive as soon as ip_ptr is set -- do this last */
+ rcu_assign_pointer(dev->ip_ptr, in_dev);
+@@ -332,6 +334,19 @@ static void inetdev_destroy(struct in_device *in_dev)
+ in_dev_put(in_dev);
+ }
+
++static int __init inet_blackhole_dev_init(void)
++{
++ int err = 0;
++
++ rtnl_lock();
++ if (!inetdev_init(blackhole_netdev))
++ err = -ENOMEM;
++ rtnl_unlock();
++
++ return err;
++}
++late_initcall(inet_blackhole_dev_init);
++
+ int inet_addr_onlink(struct in_device *in_dev, __be32 a, __be32 b)
+ {
+ const struct in_ifaddr *ifa;
+--
+2.43.0
+
--- /dev/null
+From 09fc4ae271bc0ff3ed4b345fb6f235c81c82275c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:18:18 +0200
+Subject: irqchip/renesas-rzg2l: Add support for suspend to RAM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 74d2ef5f6f4b2437e6292ab2502400e8048db4aa ]
+
+The irqchip-renesas-rzg2l driver is used on RZ/G3S SoC. RZ/G3S can go into
+deep sleep states where power to different SoC's parts is cut off and RAM
+is switched to self-refresh. The resume from these states is done with the
+help of the bootloader.
+
+The IA55 IRQ controller needs to be reconfigured when resuming from deep
+sleep state. For this the IA55 registers are cached in suspend and restored
+in resume.
+
+The IA55 IRQ controller is connected to GPIO controller and GIC as follows:
+
+ ┌──────────┐ ┌──────────┐
+ │ │ SPIX │ │
+ │ ├─────────►│ │
+ │ │ │ │
+ │ │ │ │
+ ┌────────┐IRQ0-7 │ IA55 │ │ GIC │
+ Pin0 ───────►│ ├─────────────►│ │ │ │
+ │ │ │ │ PPIY │ │
+ ... │ GPIO │ │ ├─────────►│ │
+ │ │GPIOINT0-127 │ │ │ │
+ PinN ───────►│ ├─────────────►│ │ │ │
+ └────────┘ └──────────┘ └──────────┘
+
+where:
+ - Pin0 is the first GPIO controller pin
+ - PinN is the last GPIO controller pin
+
+ - SPIX is the SPI interrupt with identifier X
+ - PPIY is the PPI interrupt with identifier Y
+
+Implement suspend/resume functionality with syscore_ops to be able to
+cache/restore the registers after/before the GPIO controller suspend/resume
+functions are invoked.
+
+As the syscore_ops suspend/resume functions do not take any argument make
+the driver private data static so it can be accessed from the
+suspend/resume functions.
+
+The IA55 interrupt controller is resumed before the GPIO controller. As
+GPIO pins could be in an a state which causes spurious interrupts, the
+reconfiguration of the interrupt controller is restricted to restore the
+interrupt type and leave them disabled.
+
+An eventually required interrupt enable operation will be done as part of
+the GPIO controller resume function after restoring the GPIO state.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20231120111820.87398-8-claudiu.beznea.uj@bp.renesas.com
+Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 68 ++++++++++++++++++++++++-----
+ 1 file changed, 57 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index ac925da17876c..00688043697f0 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -18,6 +18,7 @@
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+ #include <linux/spinlock.h>
++#include <linux/syscore_ops.h>
+
+ #define IRQC_IRQ_START 1
+ #define IRQC_IRQ_COUNT 8
+@@ -55,17 +56,29 @@
+ #define TINT_EXTRACT_HWIRQ(x) FIELD_GET(GENMASK(15, 0), (x))
+ #define TINT_EXTRACT_GPIOINT(x) FIELD_GET(GENMASK(31, 16), (x))
+
++/**
++ * struct rzg2l_irqc_reg_cache - registers cache (necessary for suspend/resume)
++ * @iitsr: IITSR register
++ * @titsr: TITSR registers
++ */
++struct rzg2l_irqc_reg_cache {
++ u32 iitsr;
++ u32 titsr[2];
++};
++
+ /**
+ * struct rzg2l_irqc_priv - IRQ controller private data structure
+ * @base: Controller's base address
+ * @fwspec: IRQ firmware specific data
+ * @lock: Lock to serialize access to hardware registers
++ * @cache: Registers cache for suspend/resume
+ */
+-struct rzg2l_irqc_priv {
++static struct rzg2l_irqc_priv {
+ void __iomem *base;
+ struct irq_fwspec fwspec[IRQC_NUM_IRQ];
+ raw_spinlock_t lock;
+-};
++ struct rzg2l_irqc_reg_cache cache;
++} *rzg2l_irqc_data;
+
+ static struct rzg2l_irqc_priv *irq_data_to_priv(struct irq_data *data)
+ {
+@@ -282,6 +295,38 @@ static int rzg2l_irqc_set_type(struct irq_data *d, unsigned int type)
+ return irq_chip_set_type_parent(d, IRQ_TYPE_LEVEL_HIGH);
+ }
+
++static int rzg2l_irqc_irq_suspend(void)
++{
++ struct rzg2l_irqc_reg_cache *cache = &rzg2l_irqc_data->cache;
++ void __iomem *base = rzg2l_irqc_data->base;
++
++ cache->iitsr = readl_relaxed(base + IITSR);
++ for (u8 i = 0; i < 2; i++)
++ cache->titsr[i] = readl_relaxed(base + TITSR(i));
++
++ return 0;
++}
++
++static void rzg2l_irqc_irq_resume(void)
++{
++ struct rzg2l_irqc_reg_cache *cache = &rzg2l_irqc_data->cache;
++ void __iomem *base = rzg2l_irqc_data->base;
++
++ /*
++ * Restore only interrupt type. TSSRx will be restored at the
++ * request of pin controller to avoid spurious interrupts due
++ * to invalid PIN states.
++ */
++ for (u8 i = 0; i < 2; i++)
++ writel_relaxed(cache->titsr[i], base + TITSR(i));
++ writel_relaxed(cache->iitsr, base + IITSR);
++}
++
++static struct syscore_ops rzg2l_irqc_syscore_ops = {
++ .suspend = rzg2l_irqc_irq_suspend,
++ .resume = rzg2l_irqc_irq_resume,
++};
++
+ static const struct irq_chip irqc_chip = {
+ .name = "rzg2l-irqc",
+ .irq_eoi = rzg2l_irqc_eoi,
+@@ -366,7 +411,6 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+ struct irq_domain *irq_domain, *parent_domain;
+ struct platform_device *pdev;
+ struct reset_control *resetn;
+- struct rzg2l_irqc_priv *priv;
+ int ret;
+
+ pdev = of_find_device_by_node(node);
+@@ -379,15 +423,15 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+ return -ENODEV;
+ }
+
+- priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+- if (!priv)
++ rzg2l_irqc_data = devm_kzalloc(&pdev->dev, sizeof(*rzg2l_irqc_data), GFP_KERNEL);
++ if (!rzg2l_irqc_data)
+ return -ENOMEM;
+
+- priv->base = devm_of_iomap(&pdev->dev, pdev->dev.of_node, 0, NULL);
+- if (IS_ERR(priv->base))
+- return PTR_ERR(priv->base);
++ rzg2l_irqc_data->base = devm_of_iomap(&pdev->dev, pdev->dev.of_node, 0, NULL);
++ if (IS_ERR(rzg2l_irqc_data->base))
++ return PTR_ERR(rzg2l_irqc_data->base);
+
+- ret = rzg2l_irqc_parse_interrupts(priv, node);
++ ret = rzg2l_irqc_parse_interrupts(rzg2l_irqc_data, node);
+ if (ret) {
+ dev_err(&pdev->dev, "cannot parse interrupts: %d\n", ret);
+ return ret;
+@@ -410,17 +454,19 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+ goto pm_disable;
+ }
+
+- raw_spin_lock_init(&priv->lock);
++ raw_spin_lock_init(&rzg2l_irqc_data->lock);
+
+ irq_domain = irq_domain_add_hierarchy(parent_domain, 0, IRQC_NUM_IRQ,
+ node, &rzg2l_irqc_domain_ops,
+- priv);
++ rzg2l_irqc_data);
+ if (!irq_domain) {
+ dev_err(&pdev->dev, "failed to add irq domain\n");
+ ret = -ENOMEM;
+ goto pm_put;
+ }
+
++ register_syscore_ops(&rzg2l_irqc_syscore_ops);
++
+ return 0;
+
+ pm_put:
+--
+2.43.0
+
--- /dev/null
+From 2c0b357c4b3271d3b5f42e24431049bfbd66a81b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:18:14 +0200
+Subject: irqchip/renesas-rzg2l: Align struct member names to tabs
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 02f6507640173addeeb3af035d2c6f0b3cff1567 ]
+
+Align struct member names to tabs to follow the requirements from
+maintainer-tip file. 3 tabs were used at the moment as the next commits
+will add a new member which requires 3 tabs for a better view.
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20231120111820.87398-4-claudiu.beznea.uj@bp.renesas.com
+Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index ea4b921e5e158..3ea312a27492b 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -56,9 +56,9 @@
+ #define TINT_EXTRACT_GPIOINT(x) FIELD_GET(GENMASK(31, 16), (x))
+
+ struct rzg2l_irqc_priv {
+- void __iomem *base;
+- struct irq_fwspec fwspec[IRQC_NUM_IRQ];
+- raw_spinlock_t lock;
++ void __iomem *base;
++ struct irq_fwspec fwspec[IRQC_NUM_IRQ];
++ raw_spinlock_t lock;
+ };
+
+ static struct rzg2l_irqc_priv *irq_data_to_priv(struct irq_data *data)
+--
+2.43.0
+
--- /dev/null
+From 7870098b4f9546fee29b86408f129113837d303a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:18:15 +0200
+Subject: irqchip/renesas-rzg2l: Document structure members
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit b94f455372ad6e6b4da8e8ed9864d9c7daaf54b8 ]
+
+Document structure members to follow the requirements specified in
+maintainer-tip, section 4.3.7. Struct declarations and initializers.
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20231120111820.87398-5-claudiu.beznea.uj@bp.renesas.com
+Stable-dep-of: d038109ac1c6 ("irqchip/renesas-rzg2l: Fix missing put_device")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index 3ea312a27492b..ac925da17876c 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -55,6 +55,12 @@
+ #define TINT_EXTRACT_HWIRQ(x) FIELD_GET(GENMASK(15, 0), (x))
+ #define TINT_EXTRACT_GPIOINT(x) FIELD_GET(GENMASK(31, 16), (x))
+
++/**
++ * struct rzg2l_irqc_priv - IRQ controller private data structure
++ * @base: Controller's base address
++ * @fwspec: IRQ firmware specific data
++ * @lock: Lock to serialize access to hardware registers
++ */
+ struct rzg2l_irqc_priv {
+ void __iomem *base;
+ struct irq_fwspec fwspec[IRQC_NUM_IRQ];
+--
+2.43.0
+
--- /dev/null
+From 5c0b32edd8d8c889fcee25db19f8c33729bc658b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 18:20:03 +0100
+Subject: irqchip/renesas-rzg2l: Fix missing put_device
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit d038109ac1c6bf619473dda03a16a6de58170f7f ]
+
+rzg2l_irqc_common_init() calls of_find_device_by_node(), but the
+corresponding put_device() call is missing. This also gets reported by
+make coccicheck.
+
+Make use of the cleanup interfaces from cleanup.h to call into
+__free_put_device(), which in turn calls into put_device when leaving
+function rzg2l_irqc_common_init() and variable "dev" goes out of scope.
+
+To prevent that the device is put on successful completion, assign NULL to
+"dev" to prevent __free_put_device() from calling into put_device() within
+the successful path.
+
+"make coccicheck" will still complain about missing put_device() calls,
+but those are false positives now.
+
+Fixes: 3fed09559cd8 ("irqchip: Add RZ/G2L IA55 Interrupt Controller driver")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20241011172003.1242841-1-fabrizio.castro.jz@renesas.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index 00688043697f0..5a7836186fd41 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -8,6 +8,7 @@
+ */
+
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/clk.h>
+ #include <linux/err.h>
+ #include <linux/io.h>
+@@ -408,12 +409,12 @@ static int rzg2l_irqc_parse_interrupts(struct rzg2l_irqc_priv *priv,
+
+ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+ {
++ struct platform_device *pdev = of_find_device_by_node(node);
++ struct device *dev __free(put_device) = pdev ? &pdev->dev : NULL;
+ struct irq_domain *irq_domain, *parent_domain;
+- struct platform_device *pdev;
+ struct reset_control *resetn;
+ int ret;
+
+- pdev = of_find_device_by_node(node);
+ if (!pdev)
+ return -ENODEV;
+
+@@ -467,6 +468,17 @@ static int rzg2l_irqc_init(struct device_node *node, struct device_node *parent)
+
+ register_syscore_ops(&rzg2l_irqc_syscore_ops);
+
++ /*
++ * Prevent the cleanup function from invoking put_device by assigning
++ * NULL to dev.
++ *
++ * make coccicheck will complain about missing put_device calls, but
++ * those are false positives, as dev will be automatically "put" via
++ * __free_put_device on the failing path.
++ * On the successful path we don't actually want to "put" dev.
++ */
++ dev = NULL;
++
+ return 0;
+
+ pm_put:
+--
+2.43.0
+
--- /dev/null
+From 64f56409384b5eb2b3a82c0c9ef725f63a8a5359 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 18:18:31 +0100
+Subject: khugepaged: convert alloc_charge_hpage to alloc_charge_folio
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit d5ab50b9412c0bba750eef5a34fd2937de1aee55 ]
+
+Both callers want to deal with a folio, so return a folio from this
+function.
+
+Link: https://lkml.kernel.org/r/20240403171838.1445826-3-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index d0fcfa47085b4..b197323450b5a 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1041,7 +1041,7 @@ static int __collapse_huge_page_swapin(struct mm_struct *mm,
+ return result;
+ }
+
+-static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
++static int alloc_charge_folio(struct folio **foliop, struct mm_struct *mm,
+ struct collapse_control *cc)
+ {
+ gfp_t gfp = (cc->is_khugepaged ? alloc_hugepage_khugepaged_gfpmask() :
+@@ -1051,7 +1051,7 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
+
+ folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, &cc->alloc_nmask);
+ if (!folio) {
+- *hpage = NULL;
++ *foliop = NULL;
+ count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+ return SCAN_ALLOC_HUGE_PAGE_FAIL;
+ }
+@@ -1059,13 +1059,13 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
+ count_vm_event(THP_COLLAPSE_ALLOC);
+ if (unlikely(mem_cgroup_charge(folio, mm, gfp))) {
+ folio_put(folio);
+- *hpage = NULL;
++ *foliop = NULL;
+ return SCAN_CGROUP_CHARGE_FAIL;
+ }
+
+ count_memcg_folio_events(folio, THP_COLLAPSE_ALLOC, 1);
+
+- *hpage = folio_page(folio, 0);
++ *foliop = folio;
+ return SCAN_SUCCEED;
+ }
+
+@@ -1094,7 +1094,8 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+ */
+ mmap_read_unlock(mm);
+
+- result = alloc_charge_hpage(&hpage, mm, cc);
++ result = alloc_charge_folio(&folio, mm, cc);
++ hpage = &folio->page;
+ if (result != SCAN_SUCCEED)
+ goto out_nolock;
+
+@@ -1197,7 +1198,6 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+ if (unlikely(result != SCAN_SUCCEED))
+ goto out_up_write;
+
+- folio = page_folio(hpage);
+ /*
+ * The smp_wmb() inside __folio_mark_uptodate() ensures the
+ * copy_huge_page writes become visible before the set_pmd_at()
+@@ -1786,7 +1786,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ struct page *hpage;
+ struct page *page;
+ struct page *tmp;
+- struct folio *folio;
++ struct folio *folio, *new_folio;
+ pgoff_t index = 0, end = start + HPAGE_PMD_NR;
+ LIST_HEAD(pagelist);
+ XA_STATE_ORDER(xas, &mapping->i_pages, start, HPAGE_PMD_ORDER);
+@@ -1797,7 +1797,8 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ VM_BUG_ON(!IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !is_shmem);
+ VM_BUG_ON(start & (HPAGE_PMD_NR - 1));
+
+- result = alloc_charge_hpage(&hpage, mm, cc);
++ result = alloc_charge_folio(&new_folio, mm, cc);
++ hpage = &new_folio->page;
+ if (result != SCAN_SUCCEED)
+ goto out;
+
+--
+2.43.0
+
--- /dev/null
+From 6c6042af6a00795d06a79bedb447d718fb96c75e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 18:18:30 +0100
+Subject: khugepaged: inline hpage_collapse_alloc_folio()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 4746f5ce0fa52e21b5fe432970fe9516d1a45ebc ]
+
+Patch series "khugepaged folio conversions".
+
+We've been kind of hacking piecemeal at converting khugepaged to use
+folios instead of compound pages, and so this patchset is a little larger
+than it should be as I undo some of our wrong moves in the past. In
+particular, collapse_file() now consistently uses 'new_folio' for the
+freshly allocated folio and 'folio' for the one that's currently in use.
+
+This patch (of 7):
+
+This function has one caller, and the combined function is simpler to
+read, reason about and modify.
+
+Link: https://lkml.kernel.org/r/20240403171838.1445826-1-willy@infradead.org
+Link: https://lkml.kernel.org/r/20240403171838.1445826-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index cb6a243688045..d0fcfa47085b4 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -887,20 +887,6 @@ static int hpage_collapse_find_target_node(struct collapse_control *cc)
+ }
+ #endif
+
+-static bool hpage_collapse_alloc_folio(struct folio **folio, gfp_t gfp, int node,
+- nodemask_t *nmask)
+-{
+- *folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, nmask);
+-
+- if (unlikely(!*folio)) {
+- count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+- return false;
+- }
+-
+- count_vm_event(THP_COLLAPSE_ALLOC);
+- return true;
+-}
+-
+ /*
+ * If mmap_lock temporarily dropped, revalidate vma
+ * before taking mmap_lock.
+@@ -1063,11 +1049,14 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
+ int node = hpage_collapse_find_target_node(cc);
+ struct folio *folio;
+
+- if (!hpage_collapse_alloc_folio(&folio, gfp, node, &cc->alloc_nmask)) {
++ folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, &cc->alloc_nmask);
++ if (!folio) {
+ *hpage = NULL;
++ count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+ return SCAN_ALLOC_HUGE_PAGE_FAIL;
+ }
+
++ count_vm_event(THP_COLLAPSE_ALLOC);
+ if (unlikely(mem_cgroup_charge(folio, mm, gfp))) {
+ folio_put(folio);
+ *hpage = NULL;
+--
+2.43.0
+
--- /dev/null
+From 96cb391700104bba00e7908da152de0e959b42ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 18:18:34 +0100
+Subject: khugepaged: remove hpage from collapse_file()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 610ff817b981921213ae51e5c5f38c76c6f0405e ]
+
+Use new_folio throughout where we had been using hpage.
+
+Link: https://lkml.kernel.org/r/20240403171838.1445826-6-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/huge_memory.h | 6 +--
+ mm/khugepaged.c | 77 +++++++++++++++---------------
+ 2 files changed, 42 insertions(+), 41 deletions(-)
+
+diff --git a/include/trace/events/huge_memory.h b/include/trace/events/huge_memory.h
+index 6e2ef1d4b0028..dc6eeef2d3dac 100644
+--- a/include/trace/events/huge_memory.h
++++ b/include/trace/events/huge_memory.h
+@@ -207,10 +207,10 @@ TRACE_EVENT(mm_khugepaged_scan_file,
+ );
+
+ TRACE_EVENT(mm_khugepaged_collapse_file,
+- TP_PROTO(struct mm_struct *mm, struct page *hpage, pgoff_t index,
++ TP_PROTO(struct mm_struct *mm, struct folio *new_folio, pgoff_t index,
+ bool is_shmem, unsigned long addr, struct file *file,
+ int nr, int result),
+- TP_ARGS(mm, hpage, index, addr, is_shmem, file, nr, result),
++ TP_ARGS(mm, new_folio, index, addr, is_shmem, file, nr, result),
+ TP_STRUCT__entry(
+ __field(struct mm_struct *, mm)
+ __field(unsigned long, hpfn)
+@@ -224,7 +224,7 @@ TRACE_EVENT(mm_khugepaged_collapse_file,
+
+ TP_fast_assign(
+ __entry->mm = mm;
+- __entry->hpfn = hpage ? page_to_pfn(hpage) : -1;
++ __entry->hpfn = new_folio ? folio_pfn(new_folio) : -1;
+ __entry->index = index;
+ __entry->addr = addr;
+ __entry->is_shmem = is_shmem;
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index b197323450b5a..4b00592548f59 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1783,30 +1783,27 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ struct collapse_control *cc)
+ {
+ struct address_space *mapping = file->f_mapping;
+- struct page *hpage;
+ struct page *page;
+- struct page *tmp;
++ struct page *tmp, *dst;
+ struct folio *folio, *new_folio;
+ pgoff_t index = 0, end = start + HPAGE_PMD_NR;
+ LIST_HEAD(pagelist);
+ XA_STATE_ORDER(xas, &mapping->i_pages, start, HPAGE_PMD_ORDER);
+ int nr_none = 0, result = SCAN_SUCCEED;
+ bool is_shmem = shmem_file(file);
+- int nr = 0;
+
+ VM_BUG_ON(!IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !is_shmem);
+ VM_BUG_ON(start & (HPAGE_PMD_NR - 1));
+
+ result = alloc_charge_folio(&new_folio, mm, cc);
+- hpage = &new_folio->page;
+ if (result != SCAN_SUCCEED)
+ goto out;
+
+- __SetPageLocked(hpage);
++ __folio_set_locked(new_folio);
+ if (is_shmem)
+- __SetPageSwapBacked(hpage);
+- hpage->index = start;
+- hpage->mapping = mapping;
++ __folio_set_swapbacked(new_folio);
++ new_folio->index = start;
++ new_folio->mapping = mapping;
+
+ /*
+ * Ensure we have slots for all the pages in the range. This is
+@@ -2039,20 +2036,24 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ * The old pages are locked, so they won't change anymore.
+ */
+ index = start;
++ dst = folio_page(new_folio, 0);
+ list_for_each_entry(page, &pagelist, lru) {
+ while (index < page->index) {
+- clear_highpage(hpage + (index % HPAGE_PMD_NR));
++ clear_highpage(dst);
+ index++;
++ dst++;
+ }
+- if (copy_mc_highpage(hpage + (page->index % HPAGE_PMD_NR), page) > 0) {
++ if (copy_mc_highpage(dst, page) > 0) {
+ result = SCAN_COPY_MC;
+ goto rollback;
+ }
+ index++;
++ dst++;
+ }
+ while (index < end) {
+- clear_highpage(hpage + (index % HPAGE_PMD_NR));
++ clear_highpage(dst);
+ index++;
++ dst++;
+ }
+
+ if (nr_none) {
+@@ -2080,16 +2081,17 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ }
+
+ /*
+- * If userspace observed a missing page in a VMA with a MODE_MISSING
+- * userfaultfd, then it might expect a UFFD_EVENT_PAGEFAULT for that
+- * page. If so, we need to roll back to avoid suppressing such an
+- * event. Since wp/minor userfaultfds don't give userspace any
+- * guarantees that the kernel doesn't fill a missing page with a zero
+- * page, so they don't matter here.
++ * If userspace observed a missing page in a VMA with
++ * a MODE_MISSING userfaultfd, then it might expect a
++ * UFFD_EVENT_PAGEFAULT for that page. If so, we need to
++ * roll back to avoid suppressing such an event. Since
++ * wp/minor userfaultfds don't give userspace any
++ * guarantees that the kernel doesn't fill a missing
++ * page with a zero page, so they don't matter here.
+ *
+- * Any userfaultfds registered after this point will not be able to
+- * observe any missing pages due to the previously inserted retry
+- * entries.
++ * Any userfaultfds registered after this point will
++ * not be able to observe any missing pages due to the
++ * previously inserted retry entries.
+ */
+ vma_interval_tree_foreach(vma, &mapping->i_mmap, start, end) {
+ if (userfaultfd_missing(vma)) {
+@@ -2114,33 +2116,32 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ xas_lock_irq(&xas);
+ }
+
+- folio = page_folio(hpage);
+- nr = folio_nr_pages(folio);
+ if (is_shmem)
+- __lruvec_stat_mod_folio(folio, NR_SHMEM_THPS, nr);
++ __lruvec_stat_mod_folio(new_folio, NR_SHMEM_THPS, HPAGE_PMD_NR);
+ else
+- __lruvec_stat_mod_folio(folio, NR_FILE_THPS, nr);
++ __lruvec_stat_mod_folio(new_folio, NR_FILE_THPS, HPAGE_PMD_NR);
+
+ if (nr_none) {
+- __lruvec_stat_mod_folio(folio, NR_FILE_PAGES, nr_none);
++ __lruvec_stat_mod_folio(new_folio, NR_FILE_PAGES, nr_none);
+ /* nr_none is always 0 for non-shmem. */
+- __lruvec_stat_mod_folio(folio, NR_SHMEM, nr_none);
++ __lruvec_stat_mod_folio(new_folio, NR_SHMEM, nr_none);
+ }
+
+ /*
+- * Mark hpage as uptodate before inserting it into the page cache so
+- * that it isn't mistaken for an fallocated but unwritten page.
++ * Mark new_folio as uptodate before inserting it into the
++ * page cache so that it isn't mistaken for an fallocated but
++ * unwritten page.
+ */
+- folio_mark_uptodate(folio);
+- folio_ref_add(folio, HPAGE_PMD_NR - 1);
++ folio_mark_uptodate(new_folio);
++ folio_ref_add(new_folio, HPAGE_PMD_NR - 1);
+
+ if (is_shmem)
+- folio_mark_dirty(folio);
+- folio_add_lru(folio);
++ folio_mark_dirty(new_folio);
++ folio_add_lru(new_folio);
+
+ /* Join all the small entries into a single multi-index entry. */
+ xas_set_order(&xas, start, HPAGE_PMD_ORDER);
+- xas_store(&xas, folio);
++ xas_store(&xas, new_folio);
+ WARN_ON_ONCE(xas_error(&xas));
+ xas_unlock_irq(&xas);
+
+@@ -2151,7 +2152,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ retract_page_tables(mapping, start);
+ if (cc && !cc->is_khugepaged)
+ result = SCAN_PTE_MAPPED_HUGEPAGE;
+- folio_unlock(folio);
++ folio_unlock(new_folio);
+
+ /*
+ * The collapse has succeeded, so free the old pages.
+@@ -2196,13 +2197,13 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ smp_mb();
+ }
+
+- hpage->mapping = NULL;
++ new_folio->mapping = NULL;
+
+- unlock_page(hpage);
+- put_page(hpage);
++ folio_unlock(new_folio);
++ folio_put(new_folio);
+ out:
+ VM_BUG_ON(!list_empty(&pagelist));
+- trace_mm_khugepaged_collapse_file(mm, hpage, index, is_shmem, addr, file, nr, result);
++ trace_mm_khugepaged_collapse_file(mm, new_folio, index, is_shmem, addr, file, HPAGE_PMD_NR, result);
+ return result;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 5df2ac601e6c49eb99ed68a7c2fbe1e9aeb9f08b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 16:02:44 +0200
+Subject: lib/Kconfig.debug: fix grammar in RUST_BUILD_ASSERT_ALLOW
+
+From: Timo Grautstueck <timo.grautstueck@web.de>
+
+[ Upstream commit ab8851431bef5cc44f0f3f0da112e883fd4d0df5 ]
+
+Just a grammar fix in lib/Kconfig.debug, under the config option
+RUST_BUILD_ASSERT_ALLOW.
+
+Reported-by: Miguel Ojeda <ojeda@kernel.org>
+Closes: https://github.com/Rust-for-Linux/linux/issues/1006
+Fixes: ecaa6ddff2fd ("rust: add `build_error` crate")
+Signed-off-by: Timo Grautstueck <timo.grautstueck@web.de>
+Link: https://lore.kernel.org/r/20241006140244.5509-1-timo.grautstueck@web.de
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index da5513cfc1258..f94c3e957b829 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -2999,7 +2999,7 @@ config RUST_BUILD_ASSERT_ALLOW
+ bool "Allow unoptimized build-time assertions"
+ depends on RUST
+ help
+- Controls how are `build_error!` and `build_assert!` handled during build.
++ Controls how `build_error!` and `build_assert!` are handled during the build.
+
+ If calls to them exist in the binary, it may indicate a violated invariant
+ or that the optimizer failed to verify the invariant during compilation.
+--
+2.43.0
+
--- /dev/null
+From a071ba4d8ce55b3e87576ab0ffb7d1de0555f41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 17:16:37 +0200
+Subject: macsec: don't increment counters for an unrelated SA
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit cf58aefb1332db322060cad4a330d5f9292b0f41 ]
+
+On RX, we shouldn't be incrementing the stats for an arbitrary SA in
+case the actual SA hasn't been set up. Those counters are intended to
+track packets for their respective AN when the SA isn't currently
+configured. Due to the way MACsec is implemented, we don't keep
+counters unless the SA is configured, so we can't track those packets,
+and those counters will remain at 0.
+
+The RXSC's stats keeps track of those packets without telling us which
+AN they belonged to. We could add counters for non-existent SAs, and
+then find a way to integrate them in the dump to userspace, but I
+don't think it's worth the effort.
+
+Fixes: 91ec9bd57f35 ("macsec: Fix traffic counters/statistics")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/f5ac92aaa5b89343232615f4c03f9f95042c6aa0.1728657709.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 778fb77c5a937..2ada8baf815b1 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -151,19 +151,6 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
+ return sa;
+ }
+
+-static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc)
+-{
+- struct macsec_rx_sa *sa = NULL;
+- int an;
+-
+- for (an = 0; an < MACSEC_NUM_AN; an++) {
+- sa = macsec_rxsa_get(rx_sc->sa[an]);
+- if (sa)
+- break;
+- }
+- return sa;
+-}
+-
+ static void free_rx_sc_rcu(struct rcu_head *head)
+ {
+ struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
+@@ -1205,15 +1192,12 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
+ /* If validateFrames is Strict or the C bit in the
+ * SecTAG is set, discard
+ */
+- struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc);
+ if (hdr->tci_an & MACSEC_TCI_C ||
+ secy->validate_frames == MACSEC_VALIDATE_STRICT) {
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsNotUsingSA++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ DEV_STATS_INC(secy->netdev, rx_errors);
+- if (active_rx_sa)
+- this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA);
+ goto drop_nosa;
+ }
+
+@@ -1223,8 +1207,6 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsUnusedSA++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+- if (active_rx_sa)
+- this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA);
+ goto deliver;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 1027a453bcac73c5978b5a542057c2ebc2d00e34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 16:22:13 +0000
+Subject: mm: convert collapse_huge_page() to use a folio
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 5432726848bb27a01badcbc93b596f39ee6c5ffb ]
+
+Replace three calls to compound_head() with one.
+
+Link: https://lkml.kernel.org/r/20231211162214.2146080-9-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 97cc4ef061832..24d05e0a672dc 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1088,6 +1088,7 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+ pmd_t *pmd, _pmd;
+ pte_t *pte;
+ pgtable_t pgtable;
++ struct folio *folio;
+ struct page *hpage;
+ spinlock_t *pmd_ptl, *pte_ptl;
+ int result = SCAN_FAIL;
+@@ -1207,13 +1208,13 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+ if (unlikely(result != SCAN_SUCCEED))
+ goto out_up_write;
+
++ folio = page_folio(hpage);
+ /*
+- * spin_lock() below is not the equivalent of smp_wmb(), but
+- * the smp_wmb() inside __SetPageUptodate() can be reused to
+- * avoid the copy_huge_page writes to become visible after
+- * the set_pmd_at() write.
++ * The smp_wmb() inside __folio_mark_uptodate() ensures the
++ * copy_huge_page writes become visible before the set_pmd_at()
++ * write.
+ */
+- __SetPageUptodate(hpage);
++ __folio_mark_uptodate(folio);
+ pgtable = pmd_pgtable(_pmd);
+
+ _pmd = mk_huge_pmd(hpage, vma->vm_page_prot);
+@@ -1221,8 +1222,8 @@ static int collapse_huge_page(struct mm_struct *mm, unsigned long address,
+
+ spin_lock(pmd_ptl);
+ BUG_ON(!pmd_none(*pmd));
+- page_add_new_anon_rmap(hpage, vma, address);
+- lru_cache_add_inactive_or_unevictable(hpage, vma);
++ folio_add_new_anon_rmap(folio, vma, address);
++ folio_add_lru_vma(folio, vma);
+ pgtable_trans_huge_deposit(mm, pmd, pgtable);
+ set_pmd_at(mm, address, pmd, _pmd);
+ update_mmu_cache_pmd(vma, address, pmd);
+--
+2.43.0
+
--- /dev/null
+From 7f4c7302b5c4a2c4a695a3870390d32f8c792181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 11:33:30 -0700
+Subject: mm/khugepaged: convert alloc_charge_hpage() to use folios
+
+From: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+
+[ Upstream commit b455f39d228935f88eebcd1f7c1a6981093c6a3b ]
+
+Also remove count_memcg_page_event now that its last caller no longer uses
+it and reword hpage_collapse_alloc_page() to hpage_collapse_alloc_folio().
+
+This removes 1 call to compound_head() and helps convert khugepaged to
+use folios throughout.
+
+Link: https://lkml.kernel.org/r/20231020183331.10770-5-vishal.moola@gmail.com
+Signed-off-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Reviewed-by: Rik van Riel <riel@surriel.com>
+Reviewed-by: Yang Shi <shy828301@gmail.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/memcontrol.h | 14 --------------
+ mm/khugepaged.c | 17 ++++++++++-------
+ 2 files changed, 10 insertions(+), 21 deletions(-)
+
+diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
+index e4e24da16d2c3..b1fdb1554f2f9 100644
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -1080,15 +1080,6 @@ static inline void count_memcg_events(struct mem_cgroup *memcg,
+ local_irq_restore(flags);
+ }
+
+-static inline void count_memcg_page_event(struct page *page,
+- enum vm_event_item idx)
+-{
+- struct mem_cgroup *memcg = page_memcg(page);
+-
+- if (memcg)
+- count_memcg_events(memcg, idx, 1);
+-}
+-
+ static inline void count_memcg_folio_events(struct folio *folio,
+ enum vm_event_item idx, unsigned long nr)
+ {
+@@ -1565,11 +1556,6 @@ static inline void __count_memcg_events(struct mem_cgroup *memcg,
+ {
+ }
+
+-static inline void count_memcg_page_event(struct page *page,
+- int idx)
+-{
+-}
+-
+ static inline void count_memcg_folio_events(struct folio *folio,
+ enum vm_event_item idx, unsigned long nr)
+ {
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 88433cc25d8a5..97cc4ef061832 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -887,16 +887,16 @@ static int hpage_collapse_find_target_node(struct collapse_control *cc)
+ }
+ #endif
+
+-static bool hpage_collapse_alloc_page(struct page **hpage, gfp_t gfp, int node,
++static bool hpage_collapse_alloc_folio(struct folio **folio, gfp_t gfp, int node,
+ nodemask_t *nmask)
+ {
+- *hpage = __alloc_pages(gfp, HPAGE_PMD_ORDER, node, nmask);
+- if (unlikely(!*hpage)) {
++ *folio = __folio_alloc(gfp, HPAGE_PMD_ORDER, node, nmask);
++
++ if (unlikely(!*folio)) {
+ count_vm_event(THP_COLLAPSE_ALLOC_FAILED);
+ return false;
+ }
+
+- folio_prep_large_rmappable((struct folio *)*hpage);
+ count_vm_event(THP_COLLAPSE_ALLOC);
+ return true;
+ }
+@@ -1063,17 +1063,20 @@ static int alloc_charge_hpage(struct page **hpage, struct mm_struct *mm,
+ int node = hpage_collapse_find_target_node(cc);
+ struct folio *folio;
+
+- if (!hpage_collapse_alloc_page(hpage, gfp, node, &cc->alloc_nmask))
++ if (!hpage_collapse_alloc_folio(&folio, gfp, node, &cc->alloc_nmask)) {
++ *hpage = NULL;
+ return SCAN_ALLOC_HUGE_PAGE_FAIL;
++ }
+
+- folio = page_folio(*hpage);
+ if (unlikely(mem_cgroup_charge(folio, mm, gfp))) {
+ folio_put(folio);
+ *hpage = NULL;
+ return SCAN_CGROUP_CHARGE_FAIL;
+ }
+- count_memcg_page_event(*hpage, THP_COLLAPSE_ALLOC);
+
++ count_memcg_folio_events(folio, THP_COLLAPSE_ALLOC, 1);
++
++ *hpage = folio_page(folio, 0);
+ return SCAN_SUCCEED;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 777dadbb80b9caed50e442d28afd2c31e2e33ac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 18:17:02 -0700
+Subject: mm: khugepaged: fix the arguments order in khugepaged_collapse_file
+ trace point
+
+From: Yang Shi <yang@os.amperecomputing.com>
+
+[ Upstream commit 37f0b47c5143c2957909ced44fc09ffb118c99f7 ]
+
+The "addr" and "is_shmem" arguments have different order in TP_PROTO and
+TP_ARGS. This resulted in the incorrect trace result:
+
+text-hugepage-644429 [276] 392092.878683: mm_khugepaged_collapse_file:
+mm=0xffff20025d52c440, hpage_pfn=0x200678c00, index=512, addr=1, is_shmem=0,
+filename=text-hugepage, nr=512, result=failed
+
+The value of "addr" is wrong because it was treated as bool value, the
+type of is_shmem.
+
+Fix the order in TP_PROTO to keep "addr" is before "is_shmem" since the
+original patch review suggested this order to achieve best packing.
+
+And use "lx" for "addr" instead of "ld" in TP_printk because address is
+typically shown in hex.
+
+After the fix, the trace result looks correct:
+
+text-hugepage-7291 [004] 128.627251: mm_khugepaged_collapse_file:
+mm=0xffff0001328f9500, hpage_pfn=0x20016ea00, index=512, addr=0x400000,
+is_shmem=0, filename=text-hugepage, nr=512, result=failed
+
+Link: https://lkml.kernel.org/r/20241012011702.1084846-1-yang@os.amperecomputing.com
+Fixes: 4c9473e87e75 ("mm/khugepaged: add tracepoint to collapse_file()")
+Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
+Cc: Gautam Menghani <gautammenghani201@gmail.com>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: <stable@vger.kernel.org> [6.2+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/huge_memory.h | 4 ++--
+ mm/khugepaged.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/trace/events/huge_memory.h b/include/trace/events/huge_memory.h
+index dc6eeef2d3dac..37f2443b3cdb0 100644
+--- a/include/trace/events/huge_memory.h
++++ b/include/trace/events/huge_memory.h
+@@ -208,7 +208,7 @@ TRACE_EVENT(mm_khugepaged_scan_file,
+
+ TRACE_EVENT(mm_khugepaged_collapse_file,
+ TP_PROTO(struct mm_struct *mm, struct folio *new_folio, pgoff_t index,
+- bool is_shmem, unsigned long addr, struct file *file,
++ unsigned long addr, bool is_shmem, struct file *file,
+ int nr, int result),
+ TP_ARGS(mm, new_folio, index, addr, is_shmem, file, nr, result),
+ TP_STRUCT__entry(
+@@ -233,7 +233,7 @@ TRACE_EVENT(mm_khugepaged_collapse_file,
+ __entry->result = result;
+ ),
+
+- TP_printk("mm=%p, hpage_pfn=0x%lx, index=%ld, addr=%ld, is_shmem=%d, filename=%s, nr=%d, result=%s",
++ TP_printk("mm=%p, hpage_pfn=0x%lx, index=%ld, addr=%lx, is_shmem=%d, filename=%s, nr=%d, result=%s",
+ __entry->mm,
+ __entry->hpfn,
+ __entry->index,
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 4b00592548f59..a87cfe1d4b7be 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -2203,7 +2203,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ folio_put(new_folio);
+ out:
+ VM_BUG_ON(!list_empty(&pagelist));
+- trace_mm_khugepaged_collapse_file(mm, new_folio, index, is_shmem, addr, file, HPAGE_PMD_NR, result);
++ trace_mm_khugepaged_collapse_file(mm, new_folio, index, addr, is_shmem, file, HPAGE_PMD_NR, result);
+ return result;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 4dc450d895ee3abc843cae039c29fc80a5a6ac86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Dec 2023 08:57:47 +0000
+Subject: mm/khugepaged: use a folio more in collapse_file()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit b54d60b18e850561e8bdb4264ae740676c3b7658 ]
+
+This function is not yet fully converted to the folio API, but this
+removes a few uses of old APIs.
+
+Link: https://lkml.kernel.org/r/20231228085748.1083901-6-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Zi Yan <ziy@nvidia.com>
+Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 37f0b47c5143 ("mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 24d05e0a672dc..cb6a243688045 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -2124,23 +2124,23 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ xas_lock_irq(&xas);
+ }
+
+- nr = thp_nr_pages(hpage);
++ folio = page_folio(hpage);
++ nr = folio_nr_pages(folio);
+ if (is_shmem)
+- __mod_lruvec_page_state(hpage, NR_SHMEM_THPS, nr);
++ __lruvec_stat_mod_folio(folio, NR_SHMEM_THPS, nr);
+ else
+- __mod_lruvec_page_state(hpage, NR_FILE_THPS, nr);
++ __lruvec_stat_mod_folio(folio, NR_FILE_THPS, nr);
+
+ if (nr_none) {
+- __mod_lruvec_page_state(hpage, NR_FILE_PAGES, nr_none);
++ __lruvec_stat_mod_folio(folio, NR_FILE_PAGES, nr_none);
+ /* nr_none is always 0 for non-shmem. */
+- __mod_lruvec_page_state(hpage, NR_SHMEM, nr_none);
++ __lruvec_stat_mod_folio(folio, NR_SHMEM, nr_none);
+ }
+
+ /*
+ * Mark hpage as uptodate before inserting it into the page cache so
+ * that it isn't mistaken for an fallocated but unwritten page.
+ */
+- folio = page_folio(hpage);
+ folio_mark_uptodate(folio);
+ folio_ref_add(folio, HPAGE_PMD_NR - 1);
+
+@@ -2150,7 +2150,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+
+ /* Join all the small entries into a single multi-index entry. */
+ xas_set_order(&xas, start, HPAGE_PMD_ORDER);
+- xas_store(&xas, hpage);
++ xas_store(&xas, folio);
+ WARN_ON_ONCE(xas_error(&xas));
+ xas_unlock_irq(&xas);
+
+@@ -2161,7 +2161,7 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
+ retract_page_tables(mapping, start);
+ if (cc && !cc->is_khugepaged)
+ result = SCAN_PTE_MAPPED_HUGEPAGE;
+- unlock_page(hpage);
++ folio_unlock(folio);
+
+ /*
+ * The collapse has succeeded, so free the old pages.
+--
+2.43.0
+
--- /dev/null
+From a8bfc25654afd7c56607493aa1b025a3e0555730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 22:59:01 +0800
+Subject: net: bcmasp: fix potential memory leak in bcmasp_xmit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit fed07d3eb8a8d9fcc0e455175a89bc6445d6faed ]
+
+The bcmasp_xmit() returns NETDEV_TX_OK without freeing skb
+in case of mapping fails, add dev_kfree_skb() to fix it.
+
+Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20241014145901.48940-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+index 6bf149d645941..f0647286c68b2 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+@@ -322,6 +322,7 @@ static netdev_tx_t bcmasp_xmit(struct sk_buff *skb, struct net_device *dev)
+ }
+ /* Rewind so we do not have a hole */
+ spb_index = intf->tx_spb_index;
++ dev_kfree_skb(skb);
+ return NETDEV_TX_OK;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 186c9720b66379f19bebd6ca0faf864f49fac98f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 13:43:42 -0700
+Subject: net: dsa: mv88e6xxx: Fix the max_vid definition for the MV88E6361
+
+From: Peter Rashleigh <peter@rashleigh.ca>
+
+[ Upstream commit 1833d8a26f057128fd63e126b4428203ece84684 ]
+
+According to the Marvell datasheet the 88E6361 has two VTU pages
+(4k VIDs per page) so the max_vid should be 8191, not 4095.
+
+In the current implementation mv88e6xxx_vtu_walk() gives unexpected
+results because of this error. I verified that mv88e6xxx_vtu_walk()
+works correctly on the MV88E6361 with this patch in place.
+
+Fixes: 12899f299803 ("net: dsa: mv88e6xxx: enable support for 88E6361 switch")
+Signed-off-by: Peter Rashleigh <peter@rashleigh.ca>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20241014204342.5852-1-peter@rashleigh.ca
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 3877744193e2a..062bcbe6255cf 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -6208,7 +6208,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .invalid_port_mask = BIT(1) | BIT(2) | BIT(8),
+ .num_internal_phys = 5,
+ .internal_phys_offset = 3,
+- .max_vid = 4095,
++ .max_vid = 8191,
+ .max_sid = 63,
+ .port_base_addr = 0x0,
+ .phy_base_addr = 0x0,
+--
+2.43.0
+
--- /dev/null
+From 4f83b7b4b67e44b009977fbc0204fef5ce64b8b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 19:04:34 +0800
+Subject: net: ethernet: aeroflex: fix potential memory leak in
+ greth_start_xmit_gbit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit cf57b5d7a2aad456719152ecd12007fe031628a3 ]
+
+The greth_start_xmit_gbit() returns NETDEV_TX_OK without freeing skb
+in case of skb->len being too long, add dev_kfree_skb() to fix it.
+
+Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Link: https://patch.msgid.link/20241012110434.49265-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aeroflex/greth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
+index 597a02c75d527..e624d31d20d89 100644
+--- a/drivers/net/ethernet/aeroflex/greth.c
++++ b/drivers/net/ethernet/aeroflex/greth.c
+@@ -484,7 +484,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev)
+
+ if (unlikely(skb->len > MAX_FRAME_SIZE)) {
+ dev->stats.tx_errors++;
+- goto out;
++ goto len_error;
+ }
+
+ /* Save skb pointer. */
+@@ -575,6 +575,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev)
+ map_error:
+ if (net_ratelimit())
+ dev_warn(greth->dev, "Could not create TX DMA mapping\n");
++len_error:
+ dev_kfree_skb(skb);
+ out:
+ return err;
+--
+2.43.0
+
--- /dev/null
+From 3080538f11d037c07166d10c0b6049a20fe1b3c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 12:32:05 +0300
+Subject: net/mlx5: Check for invalid vector index on EQ creation
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit d4f25be27e3ef7e23998fbd3dd4bff0602de7ae5 ]
+
+Currently, mlx5 driver does not enforce vector index to be lower than
+the maximum number of supported completion vectors when requesting a
+new completion EQ. Thus, mlx5_comp_eqn_get() fails when trying to
+acquire an IRQ with an improper vector index.
+
+To prevent the case above, enforce that vector index value is
+valid and lower than maximum in mlx5_comp_eqn_get() before handling the
+request.
+
+Fixes: f14c1a14e632 ("net/mlx5: Allocate completion EQs dynamically")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eq.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+index 40a6cb052a2da..07a0419549092 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+@@ -1073,6 +1073,12 @@ int mlx5_comp_eqn_get(struct mlx5_core_dev *dev, u16 vecidx, int *eqn)
+ struct mlx5_eq_comp *eq;
+ int ret = 0;
+
++ if (vecidx >= table->max_comp_eqs) {
++ mlx5_core_dbg(dev, "Requested vector index %u should be less than %u",
++ vecidx, table->max_comp_eqs);
++ return -EINVAL;
++ }
++
+ mutex_lock(&table->comp_lock);
+ eq = xa_load(&table->comp_eqs, vecidx);
+ if (eq) {
+--
+2.43.0
+
--- /dev/null
+From a06f71712c4c7450d2564891d62e1402a316d866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 12:32:06 +0300
+Subject: net/mlx5: Fix command bitmask initialization
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit d62b14045c6511a7b2d4948d1a83a4e592deeb05 ]
+
+Command bitmask have a dedicated bit for MANAGE_PAGES command, this bit
+isn't Initialize during command bitmask Initialization, only during
+MANAGE_PAGES.
+
+In addition, mlx5_cmd_trigger_completions() is trying to trigger
+completion for MANAGE_PAGES command as well.
+
+Hence, in case health error occurred before any MANAGE_PAGES command
+have been invoke (for example, during mlx5_enable_hca()),
+mlx5_cmd_trigger_completions() will try to trigger completion for
+MANAGE_PAGES command, which will result in null-ptr-deref error.[1]
+
+Fix it by Initialize command bitmask correctly.
+
+While at it, re-write the code for better understanding.
+
+[1]
+BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
+Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078
+CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7e/0xc0
+ kasan_report+0xb9/0xf0
+ kasan_check_range+0xec/0x190
+ mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
+ mlx5_cmd_flush+0x94/0x240 [mlx5_core]
+ enter_error_state+0x6c/0xd0 [mlx5_core]
+ mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core]
+ process_one_work+0x787/0x1490
+ ? lockdep_hardirqs_on_prepare+0x400/0x400
+ ? pwq_dec_nr_in_flight+0xda0/0xda0
+ ? assign_work+0x168/0x240
+ worker_thread+0x586/0xd30
+ ? rescuer_thread+0xae0/0xae0
+ kthread+0x2df/0x3b0
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x2d/0x70
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Fixes: 9b98d395b85d ("net/mlx5: Start health poll at earlier stage of driver load")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 48dc4ae87af09..80af0fc7101fd 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1758,6 +1758,10 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+ }
+ }
+
++#define MLX5_MAX_MANAGE_PAGES_CMD_ENT 1
++#define MLX5_CMD_MASK ((1UL << (cmd->vars.max_reg_cmds + \
++ MLX5_MAX_MANAGE_PAGES_CMD_ENT)) - 1)
++
+ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_cmd *cmd = &dev->cmd;
+@@ -1769,7 +1773,7 @@ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev)
+ /* wait for pending handlers to complete */
+ mlx5_eq_synchronize_cmd_irq(dev);
+ spin_lock_irqsave(&dev->cmd.alloc_lock, flags);
+- vector = ~dev->cmd.vars.bitmask & ((1ul << (1 << dev->cmd.vars.log_sz)) - 1);
++ vector = ~dev->cmd.vars.bitmask & MLX5_CMD_MASK;
+ if (!vector)
+ goto no_trig;
+
+@@ -2275,7 +2279,7 @@ int mlx5_cmd_enable(struct mlx5_core_dev *dev)
+
+ cmd->state = MLX5_CMDIF_STATE_DOWN;
+ cmd->vars.max_reg_cmds = (1 << cmd->vars.log_sz) - 1;
+- cmd->vars.bitmask = (1UL << cmd->vars.max_reg_cmds) - 1;
++ cmd->vars.bitmask = MLX5_CMD_MASK;
+
+ sema_init(&cmd->vars.sem, cmd->vars.max_reg_cmds);
+ sema_init(&cmd->vars.pages_sem, 1);
+--
+2.43.0
+
--- /dev/null
+From 21ebaa098a4ad18718c93055303f21aed06e8876 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 12:32:07 +0300
+Subject: net/mlx5: Unregister notifier on eswitch init failure
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit 1da9cfd6c41c2e6bbe624d0568644e1521c33e12 ]
+
+It otherwise remains registered and a subsequent attempt at eswitch
+enabling might trigger warnings of the sort:
+
+[ 682.589148] ------------[ cut here ]------------
+[ 682.590204] notifier callback eswitch_vport_event [mlx5_core] already registered
+[ 682.590256] WARNING: CPU: 13 PID: 2660 at kernel/notifier.c:31 notifier_chain_register+0x3e/0x90
+[...snipped]
+[ 682.610052] Call Trace:
+[ 682.610369] <TASK>
+[ 682.610663] ? __warn+0x7c/0x110
+[ 682.611050] ? notifier_chain_register+0x3e/0x90
+[ 682.611556] ? report_bug+0x148/0x170
+[ 682.611977] ? handle_bug+0x36/0x70
+[ 682.612384] ? exc_invalid_op+0x13/0x60
+[ 682.612817] ? asm_exc_invalid_op+0x16/0x20
+[ 682.613284] ? notifier_chain_register+0x3e/0x90
+[ 682.613789] atomic_notifier_chain_register+0x25/0x40
+[ 682.614322] mlx5_eswitch_enable_locked+0x1d4/0x3b0 [mlx5_core]
+[ 682.614965] mlx5_eswitch_enable+0xc9/0x100 [mlx5_core]
+[ 682.615551] mlx5_device_enable_sriov+0x25/0x340 [mlx5_core]
+[ 682.616170] mlx5_core_sriov_configure+0x50/0x170 [mlx5_core]
+[ 682.616789] sriov_numvfs_store+0xb0/0x1b0
+[ 682.617248] kernfs_fop_write_iter+0x117/0x1a0
+[ 682.617734] vfs_write+0x231/0x3f0
+[ 682.618138] ksys_write+0x63/0xe0
+[ 682.618536] do_syscall_64+0x4c/0x100
+[ 682.618958] entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: 7624e58a8b3a ("net/mlx5: E-switch, register event handler before arming the event")
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 1789800faaeb6..f6022c135ec02 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1489,7 +1489,7 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs)
+ }
+
+ if (err)
+- goto abort;
++ goto err_esw_enable;
+
+ esw->fdb_table.flags |= MLX5_ESW_FDB_CREATED;
+
+@@ -1503,7 +1503,8 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs)
+
+ return 0;
+
+-abort:
++err_esw_enable:
++ mlx5_eq_notifier_unregister(esw->dev, &esw->nb);
+ mlx5_esw_acls_ns_cleanup(esw);
+ return err;
+ }
+--
+2.43.0
+
--- /dev/null
+From 46bb6444c1e4b9b249ebdcfcccd885ea5d15e9b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 14:43:43 +0200
+Subject: net: ravb: Only advertise Rx/Tx timestamps if hardware supports it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit 126e799602f45e9ce1ded03ee9eadda68bf470e0 ]
+
+Recent work moving the reporting of Rx software timestamps to the core
+[1] highlighted an issue where hardware time stamping was advertised
+for the platforms where it is not supported.
+
+Fix this by covering advertising support for hardware timestamps only if
+the hardware supports it. Due to the Tx implementation in RAVB software
+Tx timestamping is also only considered if the hardware supports
+hardware timestamps. This should be addressed in future, but this fix
+only reflects what the driver currently implements.
+
+1. Commit 277901ee3a26 ("ravb: Remove setting of RX software timestamp")
+
+Fixes: 7e09a052dc4e ("ravb: Exclude gPTP feature support for RZ/G2L")
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Tested-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://patch.msgid.link/20241014124343.3875285-1-niklas.soderlund+renesas@ragnatech.se
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 25 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 8f62cc4517918..58fdc4f8dd483 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1673,20 +1673,19 @@ static int ravb_get_ts_info(struct net_device *ndev,
+ struct ravb_private *priv = netdev_priv(ndev);
+ const struct ravb_hw_info *hw_info = priv->info;
+
+- info->so_timestamping =
+- SOF_TIMESTAMPING_TX_SOFTWARE |
+- SOF_TIMESTAMPING_TX_HARDWARE |
+- SOF_TIMESTAMPING_RX_HARDWARE |
+- SOF_TIMESTAMPING_RAW_HARDWARE;
+- info->tx_types = (1 << HWTSTAMP_TX_OFF) | (1 << HWTSTAMP_TX_ON);
+- info->rx_filters =
+- (1 << HWTSTAMP_FILTER_NONE) |
+- (1 << HWTSTAMP_FILTER_PTP_V2_L2_EVENT) |
+- (1 << HWTSTAMP_FILTER_ALL);
+- if (hw_info->gptp || hw_info->ccc_gac)
++ if (hw_info->gptp || hw_info->ccc_gac) {
++ info->so_timestamping =
++ SOF_TIMESTAMPING_TX_SOFTWARE |
++ SOF_TIMESTAMPING_TX_HARDWARE |
++ SOF_TIMESTAMPING_RX_HARDWARE |
++ SOF_TIMESTAMPING_RAW_HARDWARE;
++ info->tx_types = (1 << HWTSTAMP_TX_OFF) | (1 << HWTSTAMP_TX_ON);
++ info->rx_filters =
++ (1 << HWTSTAMP_FILTER_NONE) |
++ (1 << HWTSTAMP_FILTER_PTP_V2_L2_EVENT) |
++ (1 << HWTSTAMP_FILTER_ALL);
+ info->phc_index = ptp_clock_index(priv->ptp.clock);
+- else
+- info->phc_index = 0;
++ }
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 2ba1dc430ccf87980c6bd62ddd5c3585116f7a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 11:56:24 +0000
+Subject: net/smc: Fix memory leak when using percpu refs
+
+From: Kai Shen <KaiShen@linux.alibaba.com>
+
+[ Upstream commit 25c12b459db8365fee84b63f3dd7910f70627f29 ]
+
+This patch adds missing percpu_ref_exit when releasing percpu refs.
+When releasing percpu refs, percpu_ref_exit should be called.
+Otherwise, memory leak happens.
+
+Fixes: 79a22238b4f2 ("net/smc: Use percpu ref for wr tx reference")
+Signed-off-by: Kai Shen <KaiShen@linux.alibaba.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Link: https://patch.msgid.link/20241010115624.7769-1-KaiShen@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_wr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c
+index 0021065a600a0..994c0cd4fddbf 100644
+--- a/net/smc/smc_wr.c
++++ b/net/smc/smc_wr.c
+@@ -648,8 +648,10 @@ void smc_wr_free_link(struct smc_link *lnk)
+ smc_wr_tx_wait_no_pending_sends(lnk);
+ percpu_ref_kill(&lnk->wr_reg_refs);
+ wait_for_completion(&lnk->reg_ref_comp);
++ percpu_ref_exit(&lnk->wr_reg_refs);
+ percpu_ref_kill(&lnk->wr_tx_refs);
+ wait_for_completion(&lnk->tx_ref_comp);
++ percpu_ref_exit(&lnk->wr_tx_refs);
+
+ if (lnk->wr_rx_dma_addr) {
+ ib_dma_unmap_single(ibdev, lnk->wr_rx_dma_addr,
+@@ -912,11 +914,13 @@ int smc_wr_create_link(struct smc_link *lnk)
+ init_waitqueue_head(&lnk->wr_reg_wait);
+ rc = percpu_ref_init(&lnk->wr_reg_refs, smcr_wr_reg_refs_free, 0, GFP_KERNEL);
+ if (rc)
+- goto dma_unmap;
++ goto cancel_ref;
+ init_completion(&lnk->reg_ref_comp);
+ init_waitqueue_head(&lnk->wr_rx_empty_wait);
+ return rc;
+
++cancel_ref:
++ percpu_ref_exit(&lnk->wr_tx_refs);
+ dma_unmap:
+ if (lnk->wr_rx_v2_dma_addr) {
+ ib_dma_unmap_single(ibdev, lnk->wr_rx_v2_dma_addr,
+--
+2.43.0
+
--- /dev/null
+From 5c437ea72acf2719007a7cf7dfb8cca0ebf40e9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 19:53:21 +0800
+Subject: net/smc: Fix searching in list of known pnetids in
+ smc_pnet_add_pnetid
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit 82ac39ebd6db0c9f7a97a934bda1e3e101a9d201 ]
+
+pnetid of pi (not newly allocated pe) should be compared
+
+Fixes: e888a2e8337c ("net/smc: introduce list of pnetids for Ethernet devices")
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Gerd Bayer <gbayer@linux.ibm.com>
+Link: https://patch.msgid.link/20241014115321.33234-1-lirongqing@baidu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_pnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c
+index 306b536fa89e9..284cec1e20ec1 100644
+--- a/net/smc/smc_pnet.c
++++ b/net/smc/smc_pnet.c
+@@ -753,7 +753,7 @@ static int smc_pnet_add_pnetid(struct net *net, u8 *pnetid)
+
+ write_lock(&sn->pnetids_ndev.lock);
+ list_for_each_entry(pi, &sn->pnetids_ndev.list, list) {
+- if (smc_pnet_match(pnetid, pe->pnetid)) {
++ if (smc_pnet_match(pnetid, pi->pnetid)) {
+ refcount_inc(&pi->refcnt);
+ kfree(pe);
+ goto unlock;
+--
+2.43.0
+
--- /dev/null
+From 3b35d5ad3abbc9a6e1d65558dc4d51442d33808f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 10:29:08 -0400
+Subject: net: stmmac: dwmac-tegra: Fix link bring-up sequence
+
+From: Paritosh Dixit <paritoshd@nvidia.com>
+
+[ Upstream commit 1cff6ff302f5703a627f9ee1d99131161ea2683e ]
+
+The Tegra MGBE driver sometimes fails to initialize, reporting the
+following error, and as a result, it is unable to acquire an IP
+address with DHCP:
+
+ tegra-mgbe 6800000.ethernet: timeout waiting for link to become ready
+
+As per the recommendation from the Tegra hardware design team, fix this
+issue by:
+- clearing the PHY_RDY bit before setting the CDR_RESET bit and then
+setting PHY_RDY bit before clearing CDR_RESET bit. This ensures valid
+data is present at UPHY RX inputs before starting the CDR lock.
+- adding the required delays when bringing up the UPHY lane. Note we
+need to use delays here because there is no alternative, such as
+polling, for these cases. Using the usleep_range() instead of ndelay()
+as sleeping is preferred over busy wait loop.
+
+Without this change we would see link failures on boot sometimes as
+often as 1 in 5 boots. With this fix we have not observed any failures
+in over 1000 boots.
+
+Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support")
+Signed-off-by: Paritosh Dixit <paritoshd@nvidia.com>
+Link: https://patch.msgid.link/20241010142908.602712-1-paritoshd@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+index e0f3cbd36852e..e2d61a3a7712d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+@@ -127,10 +127,12 @@ static int mgbe_uphy_lane_bringup_serdes_up(struct net_device *ndev, void *mgbe_
+ value &= ~XPCS_WRAP_UPHY_RX_CONTROL_AUX_RX_IDDQ;
+ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+
++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */
+ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+ value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_SLEEP;
+ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+
++ usleep_range(10, 20); /* 500ns min delay needed as per HW design */
+ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+ value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CAL_EN;
+ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+@@ -143,22 +145,30 @@ static int mgbe_uphy_lane_bringup_serdes_up(struct net_device *ndev, void *mgbe_
+ return err;
+ }
+
++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */
+ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+ value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_DATA_EN;
+ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+
+ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+- value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET;
++ value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_PCS_PHY_RDY;
+ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+
++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */
+ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+- value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET;
++ value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET;
+ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+
++ usleep_range(10, 20); /* 50ns min delay needed as per HW design */
+ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+ value |= XPCS_WRAP_UPHY_RX_CONTROL_RX_PCS_PHY_RDY;
+ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
+
++ msleep(30); /* 30ms delay needed as per HW design */
++ value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++ value &= ~XPCS_WRAP_UPHY_RX_CONTROL_RX_CDR_RESET;
++ writel(value, mgbe->xpcs + XPCS_WRAP_UPHY_RX_CONTROL);
++
+ err = readl_poll_timeout(mgbe->xpcs + XPCS_WRAP_IRQ_STATUS, value,
+ value & XPCS_WRAP_IRQ_STATUS_PCS_LINK_STS,
+ 500, 500 * 2000);
+--
+2.43.0
+
--- /dev/null
+From 64309ae523059beb1d2628ea1bc7c04530fea2a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 22:51:15 +0800
+Subject: net: systemport: fix potential memory leak in bcm_sysport_xmit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit c401ed1c709948e57945485088413e1bb5e94bd1 ]
+
+The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb
+in case of dma_map_single() fails, add dev_kfree_skb() to fix it.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://patch.msgid.link/20241014145115.44977-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index bf1611cce974a..49e890a7e04a3 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -1359,6 +1359,7 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb,
+ netif_err(priv, tx_err, dev, "DMA map failed at %p (len=%d)\n",
+ skb->data, skb_len);
+ ret = NETDEV_TX_OK;
++ dev_kfree_skb_any(skb);
+ goto out;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 72990d13a7dbd849789e84c6627f59860cc18d09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 15:19:14 +0200
+Subject: net: usb: usbnet: fix race in probe failure
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit b62f4c186c70aa235fef2da68d07325d85ca3ade ]
+
+The same bug as in the disconnect code path also exists
+in the case of a failure late during the probe process.
+The flag must also be set.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://patch.msgid.link/20241010131934.1499695-1-oneukum@suse.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 60c58dd6d2531..4f5a3a4aac89e 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1874,6 +1874,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+ * may trigger an error resubmitting itself and, worse,
+ * schedule a timer. So we kill it all just in case.
+ */
++ usbnet_mark_going_away(dev);
+ cancel_work_sync(&dev->kevent);
+ del_timer_sync(&dev->delay);
+ free_percpu(net->tstats);
+--
+2.43.0
+
--- /dev/null
+From 40e644b4473d930eacfa5511d8448d5f604ba090 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 22:37:04 +0800
+Subject: net: xilinx: axienet: fix potential memory leak in
+ axienet_start_xmit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 99714e37e8333bbc22496fe80f241d5b35380e83 ]
+
+The axienet_start_xmit() returns NETDEV_TX_OK without freeing skb
+in case of dma_map_single() fails, add dev_kfree_skb_any() to fix it.
+
+Fixes: 71791dc8bdea ("net: axienet: Check for DMA mapping errors")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Link: https://patch.msgid.link/20241014143704.31938-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 62c10eb4f0adf..9f779653ed622 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -845,6 +845,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ if (net_ratelimit())
+ netdev_err(ndev, "TX DMA mapping error\n");
+ ndev->stats.tx_dropped++;
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+ desc_set_phys_addr(lp, phys, cur_p);
+@@ -865,6 +866,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ ndev->stats.tx_dropped++;
+ axienet_free_tx_chain(lp, orig_tail_ptr, ii + 1,
+ true, NULL, 0);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+ desc_set_phys_addr(lp, phys, cur_p);
+--
+2.43.0
+
--- /dev/null
+From 03462d808886a3a67d4955d5f3a365e6b67de5c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 09:42:30 +0000
+Subject: netdevsim: use cond_resched() in nsim_dev_trap_report_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a1494d532e28598bde7a5544892ef9c7dbfafa93 ]
+
+I am still seeing many syzbot reports hinting that syzbot
+might fool nsim_dev_trap_report_work() with hundreds of ports [1]
+
+Lets use cond_resched(), and system_unbound_wq
+instead of implicit system_wq.
+
+[1]
+INFO: task syz-executor:20633 blocked for more than 143 seconds.
+ Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor state:D stack:25856 pid:20633 tgid:20633 ppid:1 flags:0x00004006
+...
+NMI backtrace for cpu 1
+CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Workqueue: events nsim_dev_trap_report_work
+ RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210
+Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0
+RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246
+RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00
+RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577
+R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000
+R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00
+FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Call Trace:
+ <NMI>
+ </NMI>
+ <TASK>
+ __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
+ spin_unlock_bh include/linux/spinlock.h:396 [inline]
+ nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
+ nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850
+ process_one_work kernel/workqueue.c:3229 [inline]
+ process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
+ worker_thread+0x870/0xd30 kernel/workqueue.c:3391
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+Fixes: ba5e1272142d ("netdevsim: avoid potential loop in nsim_dev_trap_report_work()")
+Reported-by: syzbot+d383dc9579a76f56c251@syzkaller.appspotmail.com
+Reported-by: syzbot+c596faae21a68bf7afd0@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Link: https://patch.msgid.link/20241012094230.3893510-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/dev.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
+index 92a7a36b93ac0..3e0b61202f0c9 100644
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -836,7 +836,8 @@ static void nsim_dev_trap_report_work(struct work_struct *work)
+ nsim_dev = nsim_trap_data->nsim_dev;
+
+ if (!devl_trylock(priv_to_devlink(nsim_dev))) {
+- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw, 1);
++ queue_delayed_work(system_unbound_wq,
++ &nsim_dev->trap_data->trap_report_dw, 1);
+ return;
+ }
+
+@@ -848,11 +849,12 @@ static void nsim_dev_trap_report_work(struct work_struct *work)
+ continue;
+
+ nsim_dev_trap_report(nsim_dev_port);
++ cond_resched();
+ }
+ devl_unlock(priv_to_devlink(nsim_dev));
+-
+- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw,
+- msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS));
++ queue_delayed_work(system_unbound_wq,
++ &nsim_dev->trap_data->trap_report_dw,
++ msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS));
+ }
+
+ static int nsim_dev_traps_init(struct devlink *devlink)
+@@ -907,8 +909,9 @@ static int nsim_dev_traps_init(struct devlink *devlink)
+
+ INIT_DELAYED_WORK(&nsim_dev->trap_data->trap_report_dw,
+ nsim_dev_trap_report_work);
+- schedule_delayed_work(&nsim_dev->trap_data->trap_report_dw,
+- msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS));
++ queue_delayed_work(system_unbound_wq,
++ &nsim_dev->trap_data->trap_report_dw,
++ msecs_to_jiffies(NSIM_TRAP_REPORT_INTERVAL_MS));
+
+ return 0;
+
+--
+2.43.0
+
--- /dev/null
+From 59a81aa10080dbe0df980da52e724d3b847c9c31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 13:21:00 +0200
+Subject: nvme-pci: fix race condition between reset and nvme_dev_disable()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 26bc0a81f64ce00fc4342c38eeb2eddaad084dd2 ]
+
+nvme_dev_disable() modifies the dev->online_queues field, therefore
+nvme_pci_update_nr_queues() should avoid racing against it, otherwise
+we could end up passing invalid values to blk_mq_update_nr_hw_queues().
+
+ WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347
+ pci_irq_get_affinity+0x187/0x210
+ Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+ RIP: 0010:pci_irq_get_affinity+0x187/0x210
+ Call Trace:
+ <TASK>
+ ? blk_mq_pci_map_queues+0x87/0x3c0
+ ? pci_irq_get_affinity+0x187/0x210
+ blk_mq_pci_map_queues+0x87/0x3c0
+ nvme_pci_map_queues+0x189/0x460 [nvme]
+ blk_mq_update_nr_hw_queues+0x2a/0x40
+ nvme_reset_work+0x1be/0x2a0 [nvme]
+
+Fix the bug by locking the shutdown_lock mutex before using
+dev->online_queues. Give up if nvme_dev_disable() is running or if
+it has been executed already.
+
+Fixes: 949928c1c731 ("NVMe: Fix possible queue use after freed")
+Tested-by: Yi Zhang <yi.zhang@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 61c9b175e035f..b701969cf1c2a 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2469,17 +2469,29 @@ static unsigned int nvme_pci_nr_maps(struct nvme_dev *dev)
+ return 1;
+ }
+
+-static void nvme_pci_update_nr_queues(struct nvme_dev *dev)
++static bool nvme_pci_update_nr_queues(struct nvme_dev *dev)
+ {
+ if (!dev->ctrl.tagset) {
+ nvme_alloc_io_tag_set(&dev->ctrl, &dev->tagset, &nvme_mq_ops,
+ nvme_pci_nr_maps(dev), sizeof(struct nvme_iod));
+- return;
++ return true;
++ }
++
++ /* Give up if we are racing with nvme_dev_disable() */
++ if (!mutex_trylock(&dev->shutdown_lock))
++ return false;
++
++ /* Check if nvme_dev_disable() has been executed already */
++ if (!dev->online_queues) {
++ mutex_unlock(&dev->shutdown_lock);
++ return false;
+ }
+
+ blk_mq_update_nr_hw_queues(&dev->tagset, dev->online_queues - 1);
+ /* free previously allocated queues that are no longer usable */
+ nvme_free_queues(dev, dev->online_queues);
++ mutex_unlock(&dev->shutdown_lock);
++ return true;
+ }
+
+ static int nvme_pci_enable(struct nvme_dev *dev)
+@@ -2760,7 +2772,8 @@ static void nvme_reset_work(struct work_struct *work)
+ nvme_dbbuf_set(dev);
+ nvme_unquiesce_io_queues(&dev->ctrl);
+ nvme_wait_freeze(&dev->ctrl);
+- nvme_pci_update_nr_queues(dev);
++ if (!nvme_pci_update_nr_queues(dev))
++ goto out;
+ nvme_unfreeze(&dev->ctrl);
+ } else {
+ dev_warn(dev->ctrl.device, "IO queues lost\n");
+--
+2.43.0
+
--- /dev/null
+From eedd08089127ccab9b3f2843e59e1d4da5aee41b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jan 2024 18:28:55 +0000
+Subject: nvme-pci: set doorbell config before unquiescing
+
+From: William Butler <wab@google.com>
+
+[ Upstream commit 06c59d427017fcde3107c236177fcc74c9db7909 ]
+
+During resets, if queues are unquiesced first, then the host can submit
+IOs to the controller using shadow doorbell logic but the controller
+won't be aware. This can lead to necessary MMIO doorbells from being
+not issued, causing requests to be delayed and timed-out.
+
+Signed-off-by: William Butler <wab@google.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Stable-dep-of: 26bc0a81f64c ("nvme-pci: fix race condition between reset and nvme_dev_disable()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 32b5cc76a0223..61c9b175e035f 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2757,10 +2757,10 @@ static void nvme_reset_work(struct work_struct *work)
+ * controller around but remove all namespaces.
+ */
+ if (dev->online_queues > 1) {
++ nvme_dbbuf_set(dev);
+ nvme_unquiesce_io_queues(&dev->ctrl);
+ nvme_wait_freeze(&dev->ctrl);
+ nvme_pci_update_nr_queues(dev);
+- nvme_dbbuf_set(dev);
+ nvme_unfreeze(&dev->ctrl);
+ } else {
+ dev_warn(dev->ctrl.device, "IO queues lost\n");
+--
+2.43.0
+
--- /dev/null
+From 5165c09ac843bbc55956267b2ff8225b20075f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 16:45:19 +0100
+Subject: octeontx2-af: Fix potential integer overflows on integer shifts
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+[ Upstream commit 637c4f6fe40befa04f19c38b5d15429cbb9191d9 ]
+
+The left shift int 32 bit integer constants 1 is evaluated using 32 bit
+arithmetic and then assigned to a 64 bit unsigned integer. In the case
+where the shift is 32 or more this can lead to an overflow. Avoid this
+by shifting using the BIT_ULL macro instead.
+
+Fixes: 019aba04f08c ("octeontx2-af: Modify SMQ flush sequence to drop packets")
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20241010154519.768785-1-colin.i.king@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+index 224a025283ca7..29487518ca672 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+@@ -2298,7 +2298,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr,
+ NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link));
+ if (!(cfg & BIT_ULL(12)))
+ continue;
+- bmap |= (1 << i);
++ bmap |= BIT_ULL(i);
+ cfg &= ~BIT_ULL(12);
+ rvu_write64(rvu, blkaddr,
+ NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link), cfg);
+@@ -2319,7 +2319,7 @@ static int nix_smq_flush(struct rvu *rvu, int blkaddr,
+
+ /* Set NIX_AF_TL3_TL2_LINKX_CFG[ENA] for the TL3/TL2 queue */
+ for (i = 0; i < (rvu->hw->cgx_links + rvu->hw->lbk_links); i++) {
+- if (!(bmap & (1 << i)))
++ if (!(bmap & BIT_ULL(i)))
+ continue;
+ cfg = rvu_read64(rvu, blkaddr,
+ NIX_AF_TL3_TL2X_LINKX_CFG(tl2_tl3_link_schq, link));
+--
+2.43.0
+
--- /dev/null
+From 3609e0353851187557f72974ad47c7e2d533e418 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 14:27:55 +0300
+Subject: ravb: Remove setting of RX software timestamp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 277901ee3a2620679e2c8797377d2a72f4358068 ]
+
+The responsibility for reporting of RX software timestamp has moved to
+the core layer (see __ethtool_get_ts_info()), remove usage from the
+device drivers.
+
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Reviewed-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://patch.msgid.link/20240901112803.212753-8-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 126e799602f4 ("net: ravb: Only advertise Rx/Tx timestamps if hardware supports it")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index c6897e6ea362d..8f62cc4517918 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1675,8 +1675,6 @@ static int ravb_get_ts_info(struct net_device *ndev,
+
+ info->so_timestamping =
+ SOF_TIMESTAMPING_TX_SOFTWARE |
+- SOF_TIMESTAMPING_RX_SOFTWARE |
+- SOF_TIMESTAMPING_SOFTWARE |
+ SOF_TIMESTAMPING_TX_HARDWARE |
+ SOF_TIMESTAMPING_RX_HARDWARE |
+ SOF_TIMESTAMPING_RAW_HARDWARE;
+@@ -1687,6 +1685,8 @@ static int ravb_get_ts_info(struct net_device *ndev,
+ (1 << HWTSTAMP_FILTER_ALL);
+ if (hw_info->gptp || hw_info->ccc_gac)
+ info->phc_index = ptp_clock_index(priv->ptp.clock);
++ else
++ info->phc_index = 0;
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From acf7799e4a5d76b8587b509717b1b4b286ea4995 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 20:05:58 -0700
+Subject: RDMA/bnxt_re: Add a check for memory allocation
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit c5c1ae73b7741fa3b58e6e001b407825bb971225 ]
+
+__alloc_pbl() can return error when memory allocation fails.
+Driver is not checking the status on one of the instances.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Link: https://patch.msgid.link/r/1726715161-18941-4-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index ae2bde34e785b..47406ab8879c1 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -244,6 +244,8 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+ sginfo.pgsize = npde * pg_size;
+ sginfo.npages = 1;
+ rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
++ if (rc)
++ goto fail;
+
+ /* Alloc PBL pages */
+ sginfo.npages = npbl;
+--
+2.43.0
+
--- /dev/null
+From a268084f0cb0819411753cd6854bce33e1ce94ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:41 -0700
+Subject: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
+
+From: Bhargava Chenna Marreddy <bhargava.marreddy@broadcom.com>
+
+[ Upstream commit 7988bdbbb85ac85a847baf09879edcd0f70521dc ]
+
+Avoid memory corruption while setting up Level-2 PBL pages for the non MR
+resources when num_pages > 256K.
+
+There will be a single PDE page address (contiguous pages in the case of >
+PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid
+memory access after 256K PBL entries in the PDE.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Link: https://patch.msgid.link/r/1728373302-19530-10-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Bhargava Chenna Marreddy <bhargava.marreddy@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 19 +++----------------
+ 1 file changed, 3 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 1fdffd6a0f480..96ceec1e8199a 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -257,22 +257,9 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+ dst_virt_ptr =
+ (dma_addr_t **)hwq->pbl[PBL_LVL_0].pg_arr;
+ src_phys_ptr = hwq->pbl[PBL_LVL_1].pg_map_arr;
+- if (hwq_attr->type == HWQ_TYPE_MR) {
+- /* For MR it is expected that we supply only 1 contigous
+- * page i.e only 1 entry in the PDL that will contain
+- * all the PBLs for the user supplied memory region
+- */
+- for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count;
+- i++)
+- dst_virt_ptr[0][i] = src_phys_ptr[i] |
+- flag;
+- } else {
+- for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count;
+- i++)
+- dst_virt_ptr[PTR_PG(i)][PTR_IDX(i)] =
+- src_phys_ptr[i] |
+- PTU_PDE_VALID;
+- }
++ for (i = 0; i < hwq->pbl[PBL_LVL_1].pg_count; i++)
++ dst_virt_ptr[0][i] = src_phys_ptr[i] | flag;
++
+ /* Alloc or init PTEs */
+ rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_2],
+ hwq_attr->sginfo);
+--
+2.43.0
+
--- /dev/null
+From beafbeb407d99a1638dfd0bb8cca2212d69ff1a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 20:05:56 -0700
+Subject: RDMA/bnxt_re: Fix a possible memory leak
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3fc5410f225d1651580a4aeb7c72f55e28673b53 ]
+
+In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails
+driver is not freeing the memory allocated for "rdev->chip_ctx".
+
+Fixes: 0ac20faf5d83 ("RDMA/bnxt_re: Reorg the bar mapping")
+Link: https://patch.msgid.link/r/1726715161-18941-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 039801d93ed8a..c173d0ffc6293 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -176,8 +176,11 @@ static int bnxt_re_setup_chip_ctx(struct bnxt_re_dev *rdev, u8 wqe_mode)
+
+ bnxt_re_set_db_offset(rdev);
+ rc = bnxt_qplib_map_db_bar(&rdev->qplib_res);
+- if (rc)
++ if (rc) {
++ kfree(rdev->chip_ctx);
++ rdev->chip_ctx = NULL;
+ return rc;
++ }
+
+ if (bnxt_qplib_determine_atomics(en_dev->pdev))
+ ibdev_info(&rdev->ibdev,
+--
+2.43.0
+
--- /dev/null
+From 4d5ddd6bdf7cdeda2ab667a8235e4c19ffcdc2d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 20:05:57 -0700
+Subject: RDMA/bnxt_re: Fix incorrect AVID type in WQE structure
+
+From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+
+[ Upstream commit 9ab20f76ae9fad55ebaf36bdff04aea1c2552374 ]
+
+Driver uses internal data structure to construct WQE frame.
+It used avid type as u16 which can accommodate up to 64K AVs.
+When outstanding AVID crosses 64K, driver truncates AVID and
+hence it uses incorrect AVID to WR. This leads to WR failure
+due to invalid AV ID and QP is moved to error state with reason
+set to 19 (INVALID AVID). When RDMA CM path is used, this issue
+hits QP1 and it is moved to error state
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://patch.msgid.link/r/1726715161-18941-3-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Reviewed-by: Chandramohan Akula <chandramohan.akula@broadcom.com>
+Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+index a6f38d8f12efe..56ddff96b5083 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+@@ -169,7 +169,7 @@ struct bnxt_qplib_swqe {
+ };
+ u32 q_key;
+ u32 dst_qp;
+- u16 avid;
++ u32 avid;
+ } send;
+
+ /* Send Raw Ethernet and QP1 */
+--
+2.43.0
+
--- /dev/null
+From e0e5b63429ea70e268ef2baebd6b9891cd87a916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:34 -0700
+Subject: RDMA/bnxt_re: Fix out of bound check
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit a9e6e7443922ac0a48243c35d03834c96926bff1 ]
+
+Driver exports pacing stats only on GenP5 and P7 adapters. But while
+parsing the pacing stats, driver has a check for "rdev->dbr_pacing". This
+caused a trace when KASAN is enabled.
+
+BUG: KASAN: slab-out-of-bounds in bnxt_re_get_hw_stats+0x2b6a/0x2e00 [bnxt_re]
+Write of size 8 at addr ffff8885942a6340 by task modprobe/4809
+
+Fixes: 8b6573ff3420 ("bnxt_re: Update the debug counters for doorbell pacing")
+Link: https://patch.msgid.link/r/1728373302-19530-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/hw_counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.c b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+index 128651c015956..1e63f80917483 100644
+--- a/drivers/infiniband/hw/bnxt_re/hw_counters.c
++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+@@ -366,7 +366,7 @@ int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev,
+ goto done;
+ }
+ }
+- if (rdev->pacing.dbr_pacing)
++ if (rdev->pacing.dbr_pacing && bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))
+ bnxt_re_copy_db_pacing_stats(rdev, stats);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 4597e420961ef907ae59b3e79db584b00dcffadb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:42 -0700
+Subject: RDMA/bnxt_re: Fix the GID table length
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit dc5006cfcf62bea88076a587344ba5e00e66d1c6 ]
+
+GID table length is reported by FW. The gid index which is passed to the
+driver during modify_qp/create_ah is restricted by the sgid_index field of
+struct ib_global_route. sgid_index is u8 and the max sgid possible is
+256.
+
+Each GID entry in HW will have 2 GID entries in the kernel gid table. So
+we can support twice the gid table size reported by FW. Also, restrict the
+max GID to 256 also.
+
+Fixes: 847b97887ed4 ("RDMA/bnxt_re: Restrict the max_gids to 256")
+Link: https://patch.msgid.link/r/1728373302-19530-11-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index 7e550432ccb14..0b98577cd7082 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -156,7 +156,14 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+ if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx))
+ attr->l2_db_size = (sb->l2_db_space_size + 1) *
+ (0x01 << RCFW_DBR_BASE_PAGE_SHIFT);
+- attr->max_sgid = BNXT_QPLIB_NUM_GIDS_SUPPORTED;
++ /*
++ * Read the max gid supported by HW.
++ * For each entry in HW GID in HW table, we consume 2
++ * GID entries in the kernel GID table. So max_gid reported
++ * to stack can be up to twice the value reported by the HW, up to 256 gids.
++ */
++ attr->max_sgid = le32_to_cpu(sb->max_gid);
++ attr->max_sgid = min_t(u32, BNXT_QPLIB_NUM_GIDS_SUPPORTED, 2 * attr->max_sgid);
+ attr->dev_cap_flags = le16_to_cpu(sb->dev_cap_flags);
+
+ bnxt_qplib_query_version(rcfw, attr->fw_ver);
+--
+2.43.0
+
--- /dev/null
+From 18ef58c49583db7b33d588dde18787e37549d1b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:33 -0700
+Subject: RDMA/bnxt_re: Fix the max CQ WQEs for older adapters
+
+From: Abhishek Mohapatra <abhishek.mohapatra@broadcom.com>
+
+[ Upstream commit ac6df53738b465053d38d491fff87bd7d37fdc07 ]
+
+Older adapters doesn't support the MAX CQ WQEs reported by older FW. So
+restrict the value reported to 1M always for older adapters.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://patch.msgid.link/r/1728373302-19530-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Abhishek Mohapatra<abhishek.mohapatra@broadcom.com>
+Reviewed-by: Chandramohan Akula <chandramohan.akula@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 ++
+ drivers/infiniband/hw/bnxt_re/qplib_sp.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index c580bf78d4c13..2b73bb433b88c 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -137,6 +137,8 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+ 6 : sb->max_sge;
+ attr->max_cq = le32_to_cpu(sb->max_cq);
+ attr->max_cq_wqes = le32_to_cpu(sb->max_cqe);
++ if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx))
++ attr->max_cq_wqes = min_t(u32, BNXT_QPLIB_MAX_CQ_WQES, attr->max_cq_wqes);
+ attr->max_cq_sges = attr->max_qp_sges;
+ attr->max_mr = le32_to_cpu(sb->max_mr);
+ attr->max_mw = le32_to_cpu(sb->max_mw);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.h b/drivers/infiniband/hw/bnxt_re/qplib_sp.h
+index d33c78b96217a..755765e68eaab 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.h
+@@ -55,6 +55,7 @@ struct bnxt_qplib_dev_attr {
+ u32 max_qp_wqes;
+ u32 max_qp_sges;
+ u32 max_cq;
++#define BNXT_QPLIB_MAX_CQ_WQES 0xfffff
+ u32 max_cq_wqes;
+ u32 max_cq_sges;
+ u32 max_mr;
+--
+2.43.0
+
--- /dev/null
+From 7531275a5debfcecf31b32918c3c086614dd3326 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:36 -0700
+Subject: RDMA/bnxt_re: Return more meaningful error
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 98647df0178df215b8239c5c365537283b2852a6 ]
+
+When the HWRM command fails, driver currently returns -EFAULT(Bad
+address). This does not look correct.
+
+Modified to return -EIO(I/O error).
+
+Fixes: cc1ec769b87c ("RDMA/bnxt_re: Fixing the Control path command and response handling")
+Fixes: 65288a22ddd8 ("RDMA/bnxt_re: use shadow qd while posting non blocking rcfw command")
+Link: https://patch.msgid.link/r/1728373302-19530-5-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 3ffaef0c26519..7294221b3316c 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -525,7 +525,7 @@ static int __bnxt_qplib_rcfw_send_message(struct bnxt_qplib_rcfw *rcfw,
+ /* failed with status */
+ dev_err(&rcfw->pdev->dev, "cmdq[%#x]=%#x status %#x\n",
+ cookie, opcode, evnt->status);
+- rc = -EFAULT;
++ rc = -EIO;
+ }
+
+ return rc;
+--
+2.43.0
+
--- /dev/null
+From 0cd5760031b5949d2403705893868f64869aaf71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Dec 2023 02:47:35 -0800
+Subject: RDMA/bnxt_re: Support new 5760X P7 devices
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit 1801d87b3598b173bce3fbf15c5517796f38db96 ]
+
+Add basic support for 5760X P7 devices. Add new chip
+revisions. The first version support is similar to
+the existing P5 adapters. Extend the current support
+for P5 adapters to P7 also.
+
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://lore.kernel.org/r/1701946060-13931-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: ac6df53738b4 ("RDMA/bnxt_re: Fix the max CQ WQEs for older adapters")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/hw_counters.c | 4 ++--
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 10 +++++-----
+ drivers/infiniband/hw/bnxt_re/main.c | 14 +++++++-------
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 ++--
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 +-
+ drivers/infiniband/hw/bnxt_re/qplib_res.h | 20 +++++++++++++++++---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 6 +++---
+ 8 files changed, 38 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.c b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+index 93572405d6fae..128651c015956 100644
+--- a/drivers/infiniband/hw/bnxt_re/hw_counters.c
++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+@@ -371,7 +371,7 @@ int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev,
+ }
+
+ done:
+- return bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++ return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+ BNXT_RE_NUM_EXT_COUNTERS : BNXT_RE_NUM_STD_COUNTERS;
+ }
+
+@@ -381,7 +381,7 @@ struct rdma_hw_stats *bnxt_re_ib_alloc_hw_port_stats(struct ib_device *ibdev,
+ struct bnxt_re_dev *rdev = to_bnxt_re_dev(ibdev, ibdev);
+ int num_counters = 0;
+
+- if (bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))
++ if (bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))
+ num_counters = BNXT_RE_NUM_EXT_COUNTERS;
+ else
+ num_counters = BNXT_RE_NUM_STD_COUNTERS;
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index b4d3e7dfc939f..f2eaecef7570c 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1023,7 +1023,7 @@ static int bnxt_re_init_user_qp(struct bnxt_re_dev *rdev, struct bnxt_re_pd *pd,
+ bytes = (qplib_qp->sq.max_wqe * qplib_qp->sq.wqe_size);
+ /* Consider mapping PSN search memory only for RC QPs. */
+ if (qplib_qp->type == CMDQ_CREATE_QP_TYPE_RC) {
+- psn_sz = bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++ psn_sz = bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+ sizeof(struct sq_psn_search_ext) :
+ sizeof(struct sq_psn_search);
+ psn_nume = (qplib_qp->wqe_mode == BNXT_QPLIB_WQE_MODE_STATIC) ?
+@@ -1234,7 +1234,7 @@ static void bnxt_re_adjust_gsi_rq_attr(struct bnxt_re_qp *qp)
+ qplqp = &qp->qplib_qp;
+ dev_attr = &rdev->dev_attr;
+
+- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) {
++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) {
+ qplqp->rq.max_sge = dev_attr->max_qp_sges;
+ if (qplqp->rq.max_sge > dev_attr->max_qp_sges)
+ qplqp->rq.max_sge = dev_attr->max_qp_sges;
+@@ -1301,7 +1301,7 @@ static void bnxt_re_adjust_gsi_sq_attr(struct bnxt_re_qp *qp,
+ qplqp = &qp->qplib_qp;
+ dev_attr = &rdev->dev_attr;
+
+- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) {
++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) {
+ entries = bnxt_re_init_depth(init_attr->cap.max_send_wr + 1, uctx);
+ qplqp->sq.max_wqe = min_t(u32, entries,
+ dev_attr->max_qp_wqes + 1);
+@@ -1328,7 +1328,7 @@ static int bnxt_re_init_qp_type(struct bnxt_re_dev *rdev,
+ goto out;
+ }
+
+- if (bnxt_qplib_is_chip_gen_p5(chip_ctx) &&
++ if (bnxt_qplib_is_chip_gen_p5_p7(chip_ctx) &&
+ init_attr->qp_type == IB_QPT_GSI)
+ qptype = CMDQ_CREATE_QP_TYPE_GSI;
+ out:
+@@ -1527,7 +1527,7 @@ int bnxt_re_create_qp(struct ib_qp *ib_qp, struct ib_qp_init_attr *qp_init_attr,
+ goto fail;
+
+ if (qp_init_attr->qp_type == IB_QPT_GSI &&
+- !(bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))) {
++ !(bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))) {
+ rc = bnxt_re_create_gsi_qp(qp, pd, qp_init_attr);
+ if (rc == -ENODEV)
+ goto qp_destroy;
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index c173d0ffc6293..594cc6aa7b79d 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -128,7 +128,7 @@ static void bnxt_re_set_drv_mode(struct bnxt_re_dev *rdev, u8 mode)
+ struct bnxt_qplib_chip_ctx *cctx;
+
+ cctx = rdev->chip_ctx;
+- cctx->modes.wqe_mode = bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++ cctx->modes.wqe_mode = bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+ mode : BNXT_QPLIB_WQE_MODE_STATIC;
+ if (bnxt_re_hwrm_qcaps(rdev))
+ dev_err(rdev_to_dev(rdev),
+@@ -218,7 +218,7 @@ static void bnxt_re_limit_pf_res(struct bnxt_re_dev *rdev)
+ ctx->srqc_count = min_t(u32, BNXT_RE_MAX_SRQC_COUNT,
+ attr->max_srq);
+ ctx->cq_count = min_t(u32, BNXT_RE_MAX_CQ_COUNT, attr->max_cq);
+- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))
++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))
+ for (i = 0; i < MAX_TQM_ALLOC_REQ; i++)
+ rdev->qplib_ctx.tqm_ctx.qcount[i] =
+ rdev->dev_attr.tqm_alloc_reqs[i];
+@@ -267,7 +267,7 @@ static void bnxt_re_set_resource_limits(struct bnxt_re_dev *rdev)
+ memset(&rdev->qplib_ctx.vf_res, 0, sizeof(struct bnxt_qplib_vf_res));
+ bnxt_re_limit_pf_res(rdev);
+
+- num_vfs = bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++ num_vfs = bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+ BNXT_RE_GEN_P5_MAX_VF : rdev->num_vfs;
+ if (num_vfs)
+ bnxt_re_limit_vf_res(&rdev->qplib_ctx, num_vfs);
+@@ -279,7 +279,7 @@ static void bnxt_re_vf_res_config(struct bnxt_re_dev *rdev)
+ if (test_bit(BNXT_RE_FLAG_ERR_DEVICE_DETACHED, &rdev->flags))
+ return;
+ rdev->num_vfs = pci_sriov_get_totalvfs(rdev->en_dev->pdev);
+- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx)) {
++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx)) {
+ bnxt_re_set_resource_limits(rdev);
+ bnxt_qplib_set_func_resources(&rdev->qplib_res, &rdev->rcfw,
+ &rdev->qplib_ctx);
+@@ -1074,7 +1074,7 @@ static int bnxt_re_cqn_handler(struct bnxt_qplib_nq *nq,
+ #define BNXT_RE_GEN_P5_VF_NQ_DB 0x4000
+ static u32 bnxt_re_get_nqdb_offset(struct bnxt_re_dev *rdev, u16 indx)
+ {
+- return bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx) ?
++ return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+ (rdev->is_virtfn ? BNXT_RE_GEN_P5_VF_NQ_DB :
+ BNXT_RE_GEN_P5_PF_NQ_DB) :
+ rdev->en_dev->msix_entries[indx].db_offset;
+@@ -1539,7 +1539,7 @@ static int bnxt_re_dev_init(struct bnxt_re_dev *rdev, u8 wqe_mode)
+ bnxt_re_set_resource_limits(rdev);
+
+ rc = bnxt_qplib_alloc_ctx(&rdev->qplib_res, &rdev->qplib_ctx, 0,
+- bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx));
++ bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx));
+ if (rc) {
+ ibdev_err(&rdev->ibdev,
+ "Failed to allocate QPLIB context: %#x\n", rc);
+@@ -1662,7 +1662,7 @@ static void bnxt_re_setup_cc(struct bnxt_re_dev *rdev, bool enable)
+ return;
+
+ /* Currently enabling only for GenP5 adapters */
+- if (!bnxt_qplib_is_chip_gen_p5(rdev->chip_ctx))
++ if (!bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx))
+ return;
+
+ if (enable) {
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 3b28878f62062..4ee11cb4f2bd3 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -995,7 +995,7 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
+
+ /* SQ */
+ if (qp->type == CMDQ_CREATE_QP_TYPE_RC) {
+- psn_sz = bnxt_qplib_is_chip_gen_p5(res->cctx) ?
++ psn_sz = bnxt_qplib_is_chip_gen_p5_p7(res->cctx) ?
+ sizeof(struct sq_psn_search_ext) :
+ sizeof(struct sq_psn_search);
+
+@@ -1649,7 +1649,7 @@ static void bnxt_qplib_fill_psn_search(struct bnxt_qplib_qp *qp,
+ flg_npsn = ((swq->next_psn << SQ_PSN_SEARCH_NEXT_PSN_SFT) &
+ SQ_PSN_SEARCH_NEXT_PSN_MASK);
+
+- if (bnxt_qplib_is_chip_gen_p5(qp->cctx)) {
++ if (bnxt_qplib_is_chip_gen_p5_p7(qp->cctx)) {
+ psns_ext->opcode_start_psn = cpu_to_le32(op_spsn);
+ psns_ext->flags_next_psn = cpu_to_le32(flg_npsn);
+ psns_ext->start_slot_idx = cpu_to_le16(swq->slot_idx);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 5680fe8b890ad..3ffaef0c26519 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -852,7 +852,7 @@ int bnxt_qplib_init_rcfw(struct bnxt_qplib_rcfw *rcfw,
+ */
+ if (is_virtfn)
+ goto skip_ctx_setup;
+- if (bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx))
++ if (bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx))
+ goto config_vf_res;
+
+ lvl = ctx->qpc_tbl.level;
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 47406ab8879c1..1fdffd6a0f480 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -807,7 +807,7 @@ static int bnxt_qplib_alloc_dpi_tbl(struct bnxt_qplib_res *res,
+ dpit = &res->dpi_tbl;
+ reg = &dpit->wcreg;
+
+- if (!bnxt_qplib_is_chip_gen_p5(res->cctx)) {
++ if (!bnxt_qplib_is_chip_gen_p5_p7(res->cctx)) {
+ /* Offest should come from L2 driver */
+ dbr_offset = dev_attr->l2_db_size;
+ dpit->ucreg.offset = dbr_offset;
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.h b/drivers/infiniband/hw/bnxt_re/qplib_res.h
+index 534db462216ac..f9e7aa3757cfb 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.h
+@@ -44,6 +44,9 @@ extern const struct bnxt_qplib_gid bnxt_qplib_gid_zero;
+ #define CHIP_NUM_57508 0x1750
+ #define CHIP_NUM_57504 0x1751
+ #define CHIP_NUM_57502 0x1752
++#define CHIP_NUM_58818 0xd818
++#define CHIP_NUM_57608 0x1760
++
+
+ struct bnxt_qplib_drv_modes {
+ u8 wqe_mode;
+@@ -296,6 +299,12 @@ struct bnxt_qplib_res {
+ struct bnxt_qplib_db_pacing_data *pacing_data;
+ };
+
++static inline bool bnxt_qplib_is_chip_gen_p7(struct bnxt_qplib_chip_ctx *cctx)
++{
++ return (cctx->chip_num == CHIP_NUM_58818 ||
++ cctx->chip_num == CHIP_NUM_57608);
++}
++
+ static inline bool bnxt_qplib_is_chip_gen_p5(struct bnxt_qplib_chip_ctx *cctx)
+ {
+ return (cctx->chip_num == CHIP_NUM_57508 ||
+@@ -303,15 +312,20 @@ static inline bool bnxt_qplib_is_chip_gen_p5(struct bnxt_qplib_chip_ctx *cctx)
+ cctx->chip_num == CHIP_NUM_57502);
+ }
+
++static inline bool bnxt_qplib_is_chip_gen_p5_p7(struct bnxt_qplib_chip_ctx *cctx)
++{
++ return bnxt_qplib_is_chip_gen_p5(cctx) || bnxt_qplib_is_chip_gen_p7(cctx);
++}
++
+ static inline u8 bnxt_qplib_get_hwq_type(struct bnxt_qplib_res *res)
+ {
+- return bnxt_qplib_is_chip_gen_p5(res->cctx) ?
++ return bnxt_qplib_is_chip_gen_p5_p7(res->cctx) ?
+ HWQ_TYPE_QUEUE : HWQ_TYPE_L2_CMPL;
+ }
+
+ static inline u8 bnxt_qplib_get_ring_type(struct bnxt_qplib_chip_ctx *cctx)
+ {
+- return bnxt_qplib_is_chip_gen_p5(cctx) ?
++ return bnxt_qplib_is_chip_gen_p5_p7(cctx) ?
+ RING_ALLOC_REQ_RING_TYPE_NQ :
+ RING_ALLOC_REQ_RING_TYPE_ROCE_CMPL;
+ }
+@@ -488,7 +502,7 @@ static inline void bnxt_qplib_ring_nq_db(struct bnxt_qplib_db_info *info,
+ u32 type;
+
+ type = arm ? DBC_DBC_TYPE_NQ_ARM : DBC_DBC_TYPE_NQ;
+- if (bnxt_qplib_is_chip_gen_p5(cctx))
++ if (bnxt_qplib_is_chip_gen_p5_p7(cctx))
+ bnxt_qplib_ring_db(info, type);
+ else
+ bnxt_qplib_ring_db32(info, arm);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index a27b685151647..c580bf78d4c13 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -59,7 +59,7 @@ static bool bnxt_qplib_is_atomic_cap(struct bnxt_qplib_rcfw *rcfw)
+ {
+ u16 pcie_ctl2 = 0;
+
+- if (!bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx))
++ if (!bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx))
+ return false;
+
+ pcie_capability_read_word(rcfw->pdev, PCI_EXP_DEVCTL2, &pcie_ctl2);
+@@ -133,7 +133,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+ * reporting the max number
+ */
+ attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS + 1;
+- attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx) ?
++ attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5_p7(rcfw->res->cctx) ?
+ 6 : sb->max_sge;
+ attr->max_cq = le32_to_cpu(sb->max_cq);
+ attr->max_cq_wqes = le32_to_cpu(sb->max_cqe);
+@@ -934,7 +934,7 @@ int bnxt_qplib_modify_cc(struct bnxt_qplib_res *res,
+ req->inactivity_th = cpu_to_le16(cc_param->inact_th);
+
+ /* For chip gen P5 onwards fill extended cmd and header */
+- if (bnxt_qplib_is_chip_gen_p5(res->cctx)) {
++ if (bnxt_qplib_is_chip_gen_p5_p7(res->cctx)) {
+ struct roce_tlv *hdr;
+ u32 payload;
+ u32 chunks;
+--
+2.43.0
+
--- /dev/null
+From 6c0cc86be6d8e080c87b49b37b1972ef138a81ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Dec 2023 02:47:36 -0800
+Subject: RDMA/bnxt_re: Update the BAR offsets
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit a62d685814416647fbb28b3eb2617744adef2d4f ]
+
+Update the BAR offsets for handling GenP7 adapters.
+Use the values populated by L2 driver for getting the
+Doorbell offsets.
+
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://lore.kernel.org/r/1701946060-13931-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: dc5006cfcf62 ("RDMA/bnxt_re: Fix the GID table length")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 21 +++++++--------------
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 5 +++--
+ 2 files changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 594cc6aa7b79d..607293794b924 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -107,8 +107,11 @@ static void bnxt_re_set_db_offset(struct bnxt_re_dev *rdev)
+ dev_info(rdev_to_dev(rdev),
+ "Couldn't get DB bar size, Low latency framework is disabled\n");
+ /* set register offsets for both UC and WC */
+- res->dpi_tbl.ucreg.offset = res->is_vf ? BNXT_QPLIB_DBR_VF_DB_OFFSET :
+- BNXT_QPLIB_DBR_PF_DB_OFFSET;
++ if (bnxt_qplib_is_chip_gen_p7(cctx))
++ res->dpi_tbl.ucreg.offset = offset;
++ else
++ res->dpi_tbl.ucreg.offset = res->is_vf ? BNXT_QPLIB_DBR_VF_DB_OFFSET :
++ BNXT_QPLIB_DBR_PF_DB_OFFSET;
+ res->dpi_tbl.wcreg.offset = res->dpi_tbl.ucreg.offset;
+
+ /* If WC mapping is disabled by L2 driver then en_dev->l2_db_size
+@@ -1070,16 +1073,6 @@ static int bnxt_re_cqn_handler(struct bnxt_qplib_nq *nq,
+ return 0;
+ }
+
+-#define BNXT_RE_GEN_P5_PF_NQ_DB 0x10000
+-#define BNXT_RE_GEN_P5_VF_NQ_DB 0x4000
+-static u32 bnxt_re_get_nqdb_offset(struct bnxt_re_dev *rdev, u16 indx)
+-{
+- return bnxt_qplib_is_chip_gen_p5_p7(rdev->chip_ctx) ?
+- (rdev->is_virtfn ? BNXT_RE_GEN_P5_VF_NQ_DB :
+- BNXT_RE_GEN_P5_PF_NQ_DB) :
+- rdev->en_dev->msix_entries[indx].db_offset;
+-}
+-
+ static void bnxt_re_cleanup_res(struct bnxt_re_dev *rdev)
+ {
+ int i;
+@@ -1100,7 +1093,7 @@ static int bnxt_re_init_res(struct bnxt_re_dev *rdev)
+ bnxt_qplib_init_res(&rdev->qplib_res);
+
+ for (i = 1; i < rdev->num_msix ; i++) {
+- db_offt = bnxt_re_get_nqdb_offset(rdev, i);
++ db_offt = rdev->en_dev->msix_entries[i].db_offset;
+ rc = bnxt_qplib_enable_nq(rdev->en_dev->pdev, &rdev->nq[i - 1],
+ i - 1, rdev->en_dev->msix_entries[i].vector,
+ db_offt, &bnxt_re_cqn_handler,
+@@ -1511,7 +1504,7 @@ static int bnxt_re_dev_init(struct bnxt_re_dev *rdev, u8 wqe_mode)
+ ibdev_err(&rdev->ibdev, "Failed to allocate CREQ: %#x\n", rc);
+ goto free_rcfw;
+ }
+- db_offt = bnxt_re_get_nqdb_offset(rdev, BNXT_RE_AEQ_IDX);
++ db_offt = rdev->en_dev->msix_entries[BNXT_RE_AEQ_IDX].db_offset;
+ vid = rdev->en_dev->msix_entries[BNXT_RE_AEQ_IDX].vector;
+ rc = bnxt_qplib_enable_rcfw_channel(&rdev->rcfw,
+ vid, db_offt,
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index 2b73bb433b88c..7e550432ccb14 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -153,8 +153,9 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+ attr->max_srq_sges = sb->max_srq_sge;
+ attr->max_pkey = 1;
+ attr->max_inline_data = le32_to_cpu(sb->max_inline_data);
+- attr->l2_db_size = (sb->l2_db_space_size + 1) *
+- (0x01 << RCFW_DBR_BASE_PAGE_SHIFT);
++ if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx))
++ attr->l2_db_size = (sb->l2_db_space_size + 1) *
++ (0x01 << RCFW_DBR_BASE_PAGE_SHIFT);
+ attr->max_sgid = BNXT_QPLIB_NUM_GIDS_SUPPORTED;
+ attr->dev_cap_flags = le16_to_cpu(sb->dev_cap_flags);
+
+--
+2.43.0
+
--- /dev/null
+From 4823f638846364973118db6f32d66c709f5a72c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 17:13:34 +0530
+Subject: RDMA/core: Fix ENODEV error for iWARP test over vlan
+
+From: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+
+[ Upstream commit 5069d7e202f640a36cf213a432296c85113a52f7 ]
+
+If traffic is over vlan, cma_validate_port() fails to match vlan
+net_device ifindex with bound_if_index and results in ENODEV error.
+It is because rdma_copy_src_l2_addr() always assigns bound_if_index with
+real net_device ifindex.
+This patch fixes the issue by assigning bound_if_index with vlan
+net_device index if traffic is over vlan.
+
+Fixes: f8ef1be816bf ("RDMA/cma: Avoid GID lookups on iWARP devices")
+Signed-off-by: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Link: https://patch.msgid.link/20241008114334.146702-1-anumula@chelsio.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/addr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
+index f253295795f0a..fd78d678877c4 100644
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -269,6 +269,8 @@ rdma_find_ndev_for_src_ip_rcu(struct net *net, const struct sockaddr *src_in)
+ break;
+ #endif
+ }
++ if (!ret && dev && is_vlan_dev(dev))
++ dev = vlan_dev_real_dev(dev);
+ return ret ? ERR_PTR(ret) : dev;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From c05ef2e03d7744d1b4f5db4571c3b06dc7924103 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 18:53:11 +0530
+Subject: RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP
+
+From: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+
+[ Upstream commit c659b405b82ead335bee6eb33f9691bf718e21e8 ]
+
+ip_dev_find() always returns real net_device address, whether traffic is
+running on a vlan or real device, if traffic is over vlan, filling
+endpoint struture with real ndev and an attempt to send a connect request
+will results in RDMA_CM_EVENT_UNREACHABLE error. This patch fixes the
+issue by using vlan_dev_real_dev().
+
+Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address")
+Link: https://patch.msgid.link/r/20241007132311.70593-1-anumula@chelsio.com
+Signed-off-by: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index b3757c6a0457a..8d753e6e0c719 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2086,7 +2086,7 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+ err = -ENOMEM;
+ if (n->dev->flags & IFF_LOOPBACK) {
+ if (iptype == 4)
+- pdev = ip_dev_find(&init_net, *(__be32 *)peer_ip);
++ pdev = __ip_dev_find(&init_net, *(__be32 *)peer_ip, false);
+ else if (IS_ENABLED(CONFIG_IPV6))
+ for_each_netdev(&init_net, pdev) {
+ if (ipv6_chk_addr(&init_net,
+@@ -2101,12 +2101,12 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+ err = -ENODEV;
+ goto out;
+ }
++ if (is_vlan_dev(pdev))
++ pdev = vlan_dev_real_dev(pdev);
+ ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t,
+ n, pdev, rt_tos2priority(tos));
+- if (!ep->l2t) {
+- dev_put(pdev);
++ if (!ep->l2t)
+ goto out;
+- }
+ ep->mtu = pdev->mtu;
+ ep->tx_chan = cxgb4_port_chan(pdev);
+ ep->smac_idx = ((struct port_info *)netdev_priv(pdev))->smt_idx;
+@@ -2119,7 +2119,6 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+ ep->rss_qid = cdev->rdev.lldi.rxq_ids[
+ cxgb4_port_idx(pdev) * step];
+ set_tcp_window(ep, (struct port_info *)netdev_priv(pdev));
+- dev_put(pdev);
+ } else {
+ pdev = get_real_dev(n->dev);
+ ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t,
+--
+2.43.0
+
--- /dev/null
+From 11adf49d89bc33e26330fb7783897117c4a76431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 18:19:13 +0200
+Subject: RDMA/irdma: Fix misspelling of "accept*"
+
+From: Alexander Zubkov <green@qrator.net>
+
+[ Upstream commit 8cddfa535c931b8d8110c73bfed7354a94cbf891 ]
+
+There is "accept*" misspelled as "accpet*" in the comments. Fix the
+spelling.
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Link: https://patch.msgid.link/r/20241008161913.19965-1-green@qrator.net
+Signed-off-by: Alexander Zubkov <green@qrator.net>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c
+index 42d1e97710669..1916daa8c3323 100644
+--- a/drivers/infiniband/hw/irdma/cm.c
++++ b/drivers/infiniband/hw/irdma/cm.c
+@@ -3630,7 +3630,7 @@ void irdma_free_lsmm_rsrc(struct irdma_qp *iwqp)
+ /**
+ * irdma_accept - registered call for connection to be accepted
+ * @cm_id: cm information for passive connection
+- * @conn_param: accpet parameters
++ * @conn_param: accept parameters
+ */
+ int irdma_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
+ {
+--
+2.43.0
+
--- /dev/null
+From 5abe11d8c0bc2a26890e215d888c9b809c3130db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 14:00:48 -0700
+Subject: RDMA/srpt: Make slab cache names unique
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 4d784c042d164f10fc809e2338457036cd7c653d ]
+
+Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when
+DEBUG_VM=y"), slab complains about duplicate cache names. Hence this
+patch. The approach is as follows:
+- Maintain an xarray with the slab size as index and a reference count
+ and a kmem_cache pointer as contents. Use srpt-${slab_size} as kmem
+ cache name.
+- Use 512-byte alignment for all slabs instead of only for some of the
+ slabs.
+- Increment the reference count instead of calling kmem_cache_create().
+- Decrement the reference count instead of calling kmem_cache_destroy().
+
+Fixes: 5dabcd0456d7 ("RDMA/srpt: Add support for immediate data")
+Link: https://patch.msgid.link/r/20241009210048.4122518-1-bvanassche@acm.org
+Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Closes: https://lore.kernel.org/linux-block/xpe6bea7rakpyoyfvspvin2dsozjmjtjktpph7rep3h25tv7fb@ooz4cu5z6bq6/
+Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 80 +++++++++++++++++++++++----
+ 1 file changed, 68 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 45547bf281e31..4bebc34a2929b 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -68,6 +68,8 @@ MODULE_LICENSE("Dual BSD/GPL");
+ static u64 srpt_service_guid;
+ static DEFINE_SPINLOCK(srpt_dev_lock); /* Protects srpt_dev_list. */
+ static LIST_HEAD(srpt_dev_list); /* List of srpt_device structures. */
++static DEFINE_MUTEX(srpt_mc_mutex); /* Protects srpt_memory_caches. */
++static DEFINE_XARRAY(srpt_memory_caches); /* See also srpt_memory_cache_entry */
+
+ static unsigned srp_max_req_size = DEFAULT_MAX_REQ_SIZE;
+ module_param(srp_max_req_size, int, 0444);
+@@ -105,6 +107,63 @@ static void srpt_recv_done(struct ib_cq *cq, struct ib_wc *wc);
+ static void srpt_send_done(struct ib_cq *cq, struct ib_wc *wc);
+ static void srpt_process_wait_list(struct srpt_rdma_ch *ch);
+
++/* Type of the entries in srpt_memory_caches. */
++struct srpt_memory_cache_entry {
++ refcount_t ref;
++ struct kmem_cache *c;
++};
++
++static struct kmem_cache *srpt_cache_get(unsigned int object_size)
++{
++ struct srpt_memory_cache_entry *e;
++ char name[32];
++ void *res;
++
++ guard(mutex)(&srpt_mc_mutex);
++ e = xa_load(&srpt_memory_caches, object_size);
++ if (e) {
++ refcount_inc(&e->ref);
++ return e->c;
++ }
++ snprintf(name, sizeof(name), "srpt-%u", object_size);
++ e = kmalloc(sizeof(*e), GFP_KERNEL);
++ if (!e)
++ return NULL;
++ refcount_set(&e->ref, 1);
++ e->c = kmem_cache_create(name, object_size, /*align=*/512, 0, NULL);
++ if (!e->c)
++ goto free_entry;
++ res = xa_store(&srpt_memory_caches, object_size, e, GFP_KERNEL);
++ if (xa_is_err(res))
++ goto destroy_cache;
++ return e->c;
++
++destroy_cache:
++ kmem_cache_destroy(e->c);
++
++free_entry:
++ kfree(e);
++ return NULL;
++}
++
++static void srpt_cache_put(struct kmem_cache *c)
++{
++ struct srpt_memory_cache_entry *e = NULL;
++ unsigned long object_size;
++
++ guard(mutex)(&srpt_mc_mutex);
++ xa_for_each(&srpt_memory_caches, object_size, e)
++ if (e->c == c)
++ break;
++ if (WARN_ON_ONCE(!e))
++ return;
++ if (!refcount_dec_and_test(&e->ref))
++ return;
++ WARN_ON_ONCE(xa_erase(&srpt_memory_caches, object_size) != e);
++ kmem_cache_destroy(e->c);
++ kfree(e);
++}
++
+ /*
+ * The only allowed channel state changes are those that change the channel
+ * state into a state with a higher numerical value. Hence the new > prev test.
+@@ -2119,13 +2178,13 @@ static void srpt_release_channel_work(struct work_struct *w)
+ ch->sport->sdev, ch->rq_size,
+ ch->rsp_buf_cache, DMA_TO_DEVICE);
+
+- kmem_cache_destroy(ch->rsp_buf_cache);
++ srpt_cache_put(ch->rsp_buf_cache);
+
+ srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_recv_ring,
+ sdev, ch->rq_size,
+ ch->req_buf_cache, DMA_FROM_DEVICE);
+
+- kmem_cache_destroy(ch->req_buf_cache);
++ srpt_cache_put(ch->req_buf_cache);
+
+ kref_put(&ch->kref, srpt_free_ch);
+ }
+@@ -2245,8 +2304,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev,
+ INIT_LIST_HEAD(&ch->cmd_wait_list);
+ ch->max_rsp_size = ch->sport->port_attrib.srp_max_rsp_size;
+
+- ch->rsp_buf_cache = kmem_cache_create("srpt-rsp-buf", ch->max_rsp_size,
+- 512, 0, NULL);
++ ch->rsp_buf_cache = srpt_cache_get(ch->max_rsp_size);
+ if (!ch->rsp_buf_cache)
+ goto free_ch;
+
+@@ -2280,8 +2338,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev,
+ alignment_offset = round_up(imm_data_offset, 512) -
+ imm_data_offset;
+ req_sz = alignment_offset + imm_data_offset + srp_max_req_size;
+- ch->req_buf_cache = kmem_cache_create("srpt-req-buf", req_sz,
+- 512, 0, NULL);
++ ch->req_buf_cache = srpt_cache_get(req_sz);
+ if (!ch->req_buf_cache)
+ goto free_rsp_ring;
+
+@@ -2478,7 +2535,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev,
+ ch->req_buf_cache, DMA_FROM_DEVICE);
+
+ free_recv_cache:
+- kmem_cache_destroy(ch->req_buf_cache);
++ srpt_cache_put(ch->req_buf_cache);
+
+ free_rsp_ring:
+ srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
+@@ -2486,7 +2543,7 @@ static int srpt_cm_req_recv(struct srpt_device *const sdev,
+ ch->rsp_buf_cache, DMA_TO_DEVICE);
+
+ free_rsp_cache:
+- kmem_cache_destroy(ch->rsp_buf_cache);
++ srpt_cache_put(ch->rsp_buf_cache);
+
+ free_ch:
+ if (rdma_cm_id)
+@@ -3055,7 +3112,7 @@ static void srpt_free_srq(struct srpt_device *sdev)
+ srpt_free_ioctx_ring((struct srpt_ioctx **)sdev->ioctx_ring, sdev,
+ sdev->srq_size, sdev->req_buf_cache,
+ DMA_FROM_DEVICE);
+- kmem_cache_destroy(sdev->req_buf_cache);
++ srpt_cache_put(sdev->req_buf_cache);
+ sdev->srq = NULL;
+ }
+
+@@ -3082,8 +3139,7 @@ static int srpt_alloc_srq(struct srpt_device *sdev)
+ pr_debug("create SRQ #wr= %d max_allow=%d dev= %s\n", sdev->srq_size,
+ sdev->device->attrs.max_srq_wr, dev_name(&device->dev));
+
+- sdev->req_buf_cache = kmem_cache_create("srpt-srq-req-buf",
+- srp_max_req_size, 0, 0, NULL);
++ sdev->req_buf_cache = srpt_cache_get(srp_max_req_size);
+ if (!sdev->req_buf_cache)
+ goto free_srq;
+
+@@ -3105,7 +3161,7 @@ static int srpt_alloc_srq(struct srpt_device *sdev)
+ return 0;
+
+ free_cache:
+- kmem_cache_destroy(sdev->req_buf_cache);
++ srpt_cache_put(sdev->req_buf_cache);
+
+ free_srq:
+ ib_destroy_srq(srq);
+--
+2.43.0
+
--- /dev/null
+From 8a732a04f6626a6c3aba840a08ac7f8ca03889ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 17:36:28 +0300
+Subject: riscv, bpf: Make BPF_CMPXCHG fully ordered
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrea Parri <parri.andrea@gmail.com>
+
+[ Upstream commit e59db0623f6955986d1be0880b351a1f56e7fd6d ]
+
+According to the prototype formal BPF memory consistency model
+discussed e.g. in [1] and following the ordering properties of
+the C/in-kernel macro atomic_cmpxchg(), a BPF atomic operation
+with the BPF_CMPXCHG modifier is fully ordered. However, the
+current RISC-V JIT lowerings fail to meet such memory ordering
+property. This is illustrated by the following litmus test:
+
+BPF BPF__MP+success_cmpxchg+fence
+{
+ 0:r1=x; 0:r3=y; 0:r5=1;
+ 1:r2=y; 1:r4=f; 1:r7=x;
+}
+ P0 | P1 ;
+ *(u64 *)(r1 + 0) = 1 | r1 = *(u64 *)(r2 + 0) ;
+ r2 = cmpxchg_64 (r3 + 0, r4, r5) | r3 = atomic_fetch_add((u64 *)(r4 + 0), r5) ;
+ | r6 = *(u64 *)(r7 + 0) ;
+exists (1:r1=1 /\ 1:r6=0)
+
+whose "exists" clause is not satisfiable according to the BPF
+memory model. Using the current RISC-V JIT lowerings, the test
+can be mapped to the following RISC-V litmus test:
+
+RISCV RISCV__MP+success_cmpxchg+fence
+{
+ 0:x1=x; 0:x3=y; 0:x5=1;
+ 1:x2=y; 1:x4=f; 1:x7=x;
+}
+ P0 | P1 ;
+ sd x5, 0(x1) | ld x1, 0(x2) ;
+ L00: | amoadd.d.aqrl x3, x5, 0(x4) ;
+ lr.d x2, 0(x3) | ld x6, 0(x7) ;
+ bne x2, x4, L01 | ;
+ sc.d x6, x5, 0(x3) | ;
+ bne x6, x4, L00 | ;
+ fence rw, rw | ;
+ L01: | ;
+exists (1:x1=1 /\ 1:x6=0)
+
+where the two stores in P0 can be reordered. Update the RISC-V
+JIT lowerings/implementation of BPF_CMPXCHG to emit an SC with
+RELEASE ("rl") annotation in order to meet the expected memory
+ordering guarantees. The resulting RISC-V JIT lowerings of
+BPF_CMPXCHG match the RISC-V lowerings of the C atomic_cmpxchg().
+
+Other lowerings were fixed via 20a759df3bba ("riscv, bpf: make
+some atomic operations fully ordered").
+
+Fixes: dd642ccb45ec ("riscv, bpf: Implement more atomic operations for RV64")
+Signed-off-by: Andrea Parri <parri.andrea@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Puranjay Mohan <puranjay@kernel.org>
+Acked-by: Björn Töpel <bjorn@kernel.org>
+Link: https://lpc.events/event/18/contributions/1949/attachments/1665/3441/bpfmemmodel.2024.09.19p.pdf [1]
+Link: https://lore.kernel.org/bpf/20241017143628.2673894-1-parri.andrea@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
+index 2f041b5cea970..26eeb39736319 100644
+--- a/arch/riscv/net/bpf_jit_comp64.c
++++ b/arch/riscv/net/bpf_jit_comp64.c
+@@ -555,8 +555,8 @@ static void emit_atomic(u8 rd, u8 rs, s16 off, s32 imm, bool is64,
+ rv_lr_w(r0, 0, rd, 0, 0), ctx);
+ jmp_offset = ninsns_rvoff(8);
+ emit(rv_bne(RV_REG_T2, r0, jmp_offset >> 1), ctx);
+- emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 0) :
+- rv_sc_w(RV_REG_T3, rs, rd, 0, 0), ctx);
++ emit(is64 ? rv_sc_d(RV_REG_T3, rs, rd, 0, 1) :
++ rv_sc_w(RV_REG_T3, rs, rd, 0, 1), ctx);
+ jmp_offset = ninsns_rvoff(-6);
+ emit(rv_bne(RV_REG_T3, 0, jmp_offset >> 1), ctx);
+ emit(rv_fence(0x3, 0x3), ctx);
+--
+2.43.0
+
--- /dev/null
+From 9d41d3560575dc9fce646fb9c176716088ddcf81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 17:52:39 +0200
+Subject: s390: Initialize psw mask in perf_arch_fetch_caller_regs()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 223e7fb979fa06934f1595b6ad0ae1d4ead1147f ]
+
+Also initialize regs->psw.mask in perf_arch_fetch_caller_regs().
+This way user_mode(regs) will return false, like it should.
+
+It looks like all current users initialize regs to zero, so that this
+doesn't fix a bug currently. However it is better to not rely on callers
+to do this.
+
+Fixes: 914d52e46490 ("s390: implement perf_arch_fetch_caller_regs")
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/perf_event.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/s390/include/asm/perf_event.h b/arch/s390/include/asm/perf_event.h
+index 9917e2717b2b4..66aff768f8151 100644
+--- a/arch/s390/include/asm/perf_event.h
++++ b/arch/s390/include/asm/perf_event.h
+@@ -73,6 +73,7 @@ struct perf_sf_sde_regs {
+ #define SAMPLE_FREQ_MODE(hwc) (SAMPL_FLAGS(hwc) & PERF_CPUM_SF_FREQ_MODE)
+
+ #define perf_arch_fetch_caller_regs(regs, __ip) do { \
++ (regs)->psw.mask = 0; \
+ (regs)->psw.addr = (__ip); \
+ (regs)->gprs[15] = (unsigned long)__builtin_frame_address(0) - \
+ offsetof(struct stack_frame, back_chain); \
+--
+2.43.0
+
--- /dev/null
+From 8c4bac4cf809b14f66810491ccd1d7c242621727 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 14:01:39 +0200
+Subject: s390/pci: Handle PCI error codes other than 0x3a
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+[ Upstream commit 3cd03ea57e8e16cc78cc357d5e9f26078426f236 ]
+
+The Linux implementation of PCI error recovery for s390 was based on the
+understanding that firmware error recovery is a two step process with an
+optional initial error event to indicate the cause of the error if known
+followed by either error event 0x3A (Success) or 0x3B (Failure) to
+indicate whether firmware was able to recover. While this has been the
+case in testing and the error cases seen in the wild it turns out this
+is not correct. Instead firmware only generates 0x3A for some error and
+service scenarios and expects the OS to perform recovery for all PCI
+events codes except for those indicating permanent error (0x3B, 0x40)
+and those indicating errors on the function measurement block (0x2A,
+0x2B, 0x2C). Align Linux behavior with these expectations.
+
+Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery")
+Reviewed-by: Gerd Bayer <gbayer@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci_event.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c
+index b9324ca2eb940..b3961f1016ea0 100644
+--- a/arch/s390/pci/pci_event.c
++++ b/arch/s390/pci/pci_event.c
+@@ -272,18 +272,19 @@ static void __zpci_event_error(struct zpci_ccdf_err *ccdf)
+ goto no_pdev;
+
+ switch (ccdf->pec) {
+- case 0x003a: /* Service Action or Error Recovery Successful */
++ case 0x002a: /* Error event concerns FMB */
++ case 0x002b:
++ case 0x002c:
++ break;
++ case 0x0040: /* Service Action or Error Recovery Failed */
++ case 0x003b:
++ zpci_event_io_failure(pdev, pci_channel_io_perm_failure);
++ break;
++ default: /* PCI function left in the error state attempt to recover */
+ ers_res = zpci_event_attempt_error_recovery(pdev);
+ if (ers_res != PCI_ERS_RESULT_RECOVERED)
+ zpci_event_io_failure(pdev, pci_channel_io_perm_failure);
+ break;
+- default:
+- /*
+- * Mark as frozen not permanently failed because the device
+- * could be subsequently recovered by the platform.
+- */
+- zpci_event_io_failure(pdev, pci_channel_io_frozen);
+- break;
+ }
+ pci_dev_put(pdev);
+ no_pdev:
+--
+2.43.0
+
--- /dev/null
+From 3c2218fd9d59b14e7a365fa96c3b22b6f1525d7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 21:44:32 -0400
+Subject: sched/core: Disable page allocation in task_tick_mm_cid()
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 73ab05aa46b02d96509cb029a8d04fca7bbde8c7 ]
+
+With KASAN and PREEMPT_RT enabled, calling task_work_add() in
+task_tick_mm_cid() may cause the following splat.
+
+[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
+[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe
+[ 63.696416] preempt_count: 10001, expected: 0
+[ 63.696416] RCU nest depth: 1, expected: 1
+
+This problem is caused by the following call trace.
+
+ sched_tick() [ acquire rq->__lock ]
+ -> task_tick_mm_cid()
+ -> task_work_add()
+ -> __kasan_record_aux_stack()
+ -> kasan_save_stack()
+ -> stack_depot_save_flags()
+ -> alloc_pages_mpol_noprof()
+ -> __alloc_pages_noprof()
+ -> get_page_from_freelist()
+ -> rmqueue()
+ -> rmqueue_pcplist()
+ -> __rmqueue_pcplist()
+ -> rmqueue_bulk()
+ -> rt_spin_lock()
+
+The rq lock is a raw_spinlock_t. We can't sleep while holding
+it. IOW, we can't call alloc_pages() in stack_depot_save_flags().
+
+The task_tick_mm_cid() function with its task_work_add() call was
+introduced by commit 223baf9d17f2 ("sched: Fix performance regression
+introduced by mm_cid") in v6.4 kernel.
+
+Fortunately, there is a kasan_record_aux_stack_noalloc() variant that
+calls stack_depot_save_flags() while not allowing it to allocate
+new pages. To allow task_tick_mm_cid() to use task_work without
+page allocation, a new TWAF_NO_ALLOC flag is added to enable calling
+kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()
+if set. The task_tick_mm_cid() function is modified to add this new flag.
+
+The possible downside is the missing stack trace in a KASAN report due
+to new page allocation required when task_work_add_noallloc() is called
+which should be rare.
+
+Fixes: 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20241010014432.194742-1-longman@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/task_work.h | 5 ++++-
+ kernel/sched/core.c | 4 +++-
+ kernel/task_work.c | 15 +++++++++++++--
+ 3 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/task_work.h b/include/linux/task_work.h
+index cf5e7e891a776..2964171856e00 100644
+--- a/include/linux/task_work.h
++++ b/include/linux/task_work.h
+@@ -14,11 +14,14 @@ init_task_work(struct callback_head *twork, task_work_func_t func)
+ }
+
+ enum task_work_notify_mode {
+- TWA_NONE,
++ TWA_NONE = 0,
+ TWA_RESUME,
+ TWA_SIGNAL,
+ TWA_SIGNAL_NO_IPI,
+ TWA_NMI_CURRENT,
++
++ TWA_FLAGS = 0xff00,
++ TWAF_NO_ALLOC = 0x0100,
+ };
+
+ static inline bool task_work_pending(struct task_struct *task)
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 9b406d9886541..b6f922a20f83a 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -12050,7 +12050,9 @@ void task_tick_mm_cid(struct rq *rq, struct task_struct *curr)
+ return;
+ if (time_before(now, READ_ONCE(curr->mm->mm_cid_next_scan)))
+ return;
+- task_work_add(curr, work, TWA_RESUME);
++
++ /* No page allocation under rq lock */
++ task_work_add(curr, work, TWA_RESUME | TWAF_NO_ALLOC);
+ }
+
+ void sched_mm_cid_exit_signals(struct task_struct *t)
+diff --git a/kernel/task_work.c b/kernel/task_work.c
+index 5c2daa7ad3f90..8aa43204cb7dd 100644
+--- a/kernel/task_work.c
++++ b/kernel/task_work.c
+@@ -53,13 +53,24 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
+ enum task_work_notify_mode notify)
+ {
+ struct callback_head *head;
++ int flags = notify & TWA_FLAGS;
+
++ notify &= ~TWA_FLAGS;
+ if (notify == TWA_NMI_CURRENT) {
+ if (WARN_ON_ONCE(task != current))
+ return -EINVAL;
+ } else {
+- /* record the work call stack in order to print it in KASAN reports */
+- kasan_record_aux_stack(work);
++ /*
++ * Record the work call stack in order to print it in KASAN
++ * reports.
++ *
++ * Note that stack allocation can fail if TWAF_NO_ALLOC flag
++ * is set and new page is needed to expand the stack buffer.
++ */
++ if (flags & TWAF_NO_ALLOC)
++ kasan_record_aux_stack_noalloc(work);
++ else
++ kasan_record_aux_stack(work);
+ }
+
+ head = READ_ONCE(task->task_works);
+--
+2.43.0
+
--- /dev/null
+From edf3ce9f550835e178a339413f5f87807f395706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 19:34:44 +0800
+Subject: scsi: target: core: Fix null-ptr-deref in target_alloc_device()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit fca6caeb4a61d240f031914413fcc69534f6dc03 ]
+
+There is a null-ptr-deref issue reported by KASAN:
+
+BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
+...
+ kasan_report+0xb9/0xf0
+ target_alloc_device+0xbc4/0xbe0 [target_core_mod]
+ core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
+ target_core_init_configfs+0x205/0x420 [target_core_mod]
+ do_one_initcall+0xdd/0x4e0
+...
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+In target_alloc_device(), if allocing memory for dev queues fails, then
+dev will be freed by dev->transport->free_device(), but dev->transport
+is not initialized at that time, which will lead to a null pointer
+reference problem.
+
+Fixing this bug by freeing dev with hba->backend->ops->free_device().
+
+Fixes: 1526d9f10c61 ("scsi: target: Make state_list per CPU")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://lore.kernel.org/r/20241011113444.40749-1-wanghai38@huawei.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
+index 86590a7e29f6a..dd041ee18ac9b 100644
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -692,7 +692,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
+
+ dev->queues = kcalloc(nr_cpu_ids, sizeof(*dev->queues), GFP_KERNEL);
+ if (!dev->queues) {
+- dev->transport->free_device(dev);
++ hba->backend->ops->free_device(dev);
+ return NULL;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From afb9a8cfb5e85f124dd3c6ccc33c52bca9635a4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 12:05:02 +0100
+Subject: selftests/bpf: Add cookies check for perf_event fill_link_info test
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit d74179708473c649c653f1db280e29875a532e99 ]
+
+Now that we get cookies for perf_event probes, adding tests
+for cookie for kprobe/uprobe/tracepoint.
+
+The perf_event test needs to be added completely and is coming
+in following change.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20240119110505.400573-6-jolsa@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 4538a38f654a ("selftests/bpf: fix perf_event link info name_len assertion")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/prog_tests/fill_link_info.c | 26 +++++++++++++++----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+index 7db7f9bd9d58e..9eb93258614f9 100644
+--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+@@ -30,6 +30,8 @@ static noinline void uprobe_func(void)
+ asm volatile ("");
+ }
+
++#define PERF_EVENT_COOKIE 0xdeadbeef
++
+ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long addr,
+ ssize_t offset, ssize_t entry_offset)
+ {
+@@ -61,6 +63,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+ ASSERT_EQ(info.perf_event.kprobe.addr, addr + entry_offset,
+ "kprobe_addr");
+
++ ASSERT_EQ(info.perf_event.kprobe.cookie, PERF_EVENT_COOKIE, "kprobe_cookie");
++
+ if (!info.perf_event.kprobe.func_name) {
+ ASSERT_EQ(info.perf_event.kprobe.name_len, 0, "name_len");
+ info.perf_event.kprobe.func_name = ptr_to_u64(&buf);
+@@ -80,6 +84,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+ goto again;
+ }
+
++ ASSERT_EQ(info.perf_event.tracepoint.cookie, PERF_EVENT_COOKIE, "tracepoint_cookie");
++
+ err = strncmp(u64_to_ptr(info.perf_event.tracepoint.tp_name), TP_NAME,
+ strlen(TP_NAME));
+ ASSERT_EQ(err, 0, "cmp_tp_name");
+@@ -95,6 +101,8 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+ goto again;
+ }
+
++ ASSERT_EQ(info.perf_event.uprobe.cookie, PERF_EVENT_COOKIE, "uprobe_cookie");
++
+ err = strncmp(u64_to_ptr(info.perf_event.uprobe.file_name), UPROBE_FILE,
+ strlen(UPROBE_FILE));
+ ASSERT_EQ(err, 0, "cmp_file_name");
+@@ -138,6 +146,7 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel,
+ DECLARE_LIBBPF_OPTS(bpf_kprobe_opts, opts,
+ .attach_mode = PROBE_ATTACH_MODE_LINK,
+ .retprobe = type == BPF_PERF_EVENT_KRETPROBE,
++ .bpf_cookie = PERF_EVENT_COOKIE,
+ );
+ ssize_t entry_offset = 0;
+ struct bpf_link *link;
+@@ -162,10 +171,13 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel,
+
+ static void test_tp_fill_link_info(struct test_fill_link_info *skel)
+ {
++ DECLARE_LIBBPF_OPTS(bpf_tracepoint_opts, opts,
++ .bpf_cookie = PERF_EVENT_COOKIE,
++ );
+ struct bpf_link *link;
+ int link_fd, err;
+
+- link = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME);
++ link = bpf_program__attach_tracepoint_opts(skel->progs.tp_run, TP_CAT, TP_NAME, &opts);
+ if (!ASSERT_OK_PTR(link, "attach_tp"))
+ return;
+
+@@ -178,13 +190,17 @@ static void test_tp_fill_link_info(struct test_fill_link_info *skel)
+ static void test_uprobe_fill_link_info(struct test_fill_link_info *skel,
+ enum bpf_perf_event_type type)
+ {
++ DECLARE_LIBBPF_OPTS(bpf_uprobe_opts, opts,
++ .retprobe = type == BPF_PERF_EVENT_URETPROBE,
++ .bpf_cookie = PERF_EVENT_COOKIE,
++ );
+ struct bpf_link *link;
+ int link_fd, err;
+
+- link = bpf_program__attach_uprobe(skel->progs.uprobe_run,
+- type == BPF_PERF_EVENT_URETPROBE,
+- 0, /* self pid */
+- UPROBE_FILE, uprobe_offset);
++ link = bpf_program__attach_uprobe_opts(skel->progs.uprobe_run,
++ 0, /* self pid */
++ UPROBE_FILE, uprobe_offset,
++ &opts);
+ if (!ASSERT_OK_PTR(link, "attach_uprobe"))
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From 3567b5adfc612cbfc420950c27c3d70bc4eff317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 21:07:20 -0700
+Subject: selftests/bpf: Fix cross-compiling urandom_read
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit fd526e121c4d6f71aed82d21a8b8277b03e60b43 ]
+
+Linking of urandom_read and liburandom_read.so prefers LLVM's 'ld.lld' but
+falls back to using 'ld' if unsupported. However, this fallback discards
+any existing makefile macro for LD and can break cross-compilation.
+
+Fix by changing the fallback to use the target linker $(LD), passed via
+'-fuse-ld=' using an absolute path rather than a linker "flavour".
+
+Fixes: 08c79c9cd67f ("selftests/bpf: Don't force lld on non-x86 architectures")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20241009040720.635260-1-tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index ab364e95a9b23..f5a3a84fac955 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -200,7 +200,7 @@ $(OUTPUT)/%:%.c
+ ifeq ($(SRCARCH),x86)
+ LLD := lld
+ else
+-LLD := ld
++LLD := $(shell command -v $(LD))
+ endif
+
+ # Filter out -static for liburandom_read.so and its dependent targets so that static builds
+--
+2.43.0
+
--- /dev/null
+From 1ebc1cc49eeba301123d44e88a582312fd685cec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:43:12 +0000
+Subject: selftests/bpf: fix perf_event link info name_len assertion
+
+From: Tyrone Wu <wudevelops@gmail.com>
+
+[ Upstream commit 4538a38f654a1c292fe489a9b66179262bfed088 ]
+
+Fix `name_len` field assertions in `bpf_link_info.perf_event` for
+kprobe/uprobe/tracepoint to validate correct name size instead of 0.
+
+Fixes: 23cf7aa539dc ("selftests/bpf: Add selftest for fill_link_info")
+Signed-off-by: Tyrone Wu <wudevelops@gmail.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/r/20241008164312.46269-2-wudevelops@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/fill_link_info.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+index 9eb93258614f9..5b0c6a04cdbfe 100644
+--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+@@ -65,8 +65,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+
+ ASSERT_EQ(info.perf_event.kprobe.cookie, PERF_EVENT_COOKIE, "kprobe_cookie");
+
++ ASSERT_EQ(info.perf_event.kprobe.name_len, strlen(KPROBE_FUNC) + 1,
++ "name_len");
+ if (!info.perf_event.kprobe.func_name) {
+- ASSERT_EQ(info.perf_event.kprobe.name_len, 0, "name_len");
+ info.perf_event.kprobe.func_name = ptr_to_u64(&buf);
+ info.perf_event.kprobe.name_len = sizeof(buf);
+ goto again;
+@@ -77,8 +78,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+ ASSERT_EQ(err, 0, "cmp_kprobe_func_name");
+ break;
+ case BPF_PERF_EVENT_TRACEPOINT:
++ ASSERT_EQ(info.perf_event.tracepoint.name_len, strlen(TP_NAME) + 1,
++ "name_len");
+ if (!info.perf_event.tracepoint.tp_name) {
+- ASSERT_EQ(info.perf_event.tracepoint.name_len, 0, "name_len");
+ info.perf_event.tracepoint.tp_name = ptr_to_u64(&buf);
+ info.perf_event.tracepoint.name_len = sizeof(buf);
+ goto again;
+@@ -94,8 +96,9 @@ static int verify_perf_link_info(int fd, enum bpf_perf_event_type type, long add
+ case BPF_PERF_EVENT_URETPROBE:
+ ASSERT_EQ(info.perf_event.uprobe.offset, offset, "uprobe_offset");
+
++ ASSERT_EQ(info.perf_event.uprobe.name_len, strlen(UPROBE_FILE) + 1,
++ "name_len");
+ if (!info.perf_event.uprobe.file_name) {
+- ASSERT_EQ(info.perf_event.uprobe.name_len, 0, "name_len");
+ info.perf_event.uprobe.file_name = ptr_to_u64(&buf);
+ info.perf_event.uprobe.name_len = sizeof(buf);
+ goto again;
+--
+2.43.0
+
--- /dev/null
+From 8b29b8ac97de278e2ad336a4f5713e6b1e3afb89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Nov 2023 20:31:28 +0100
+Subject: selftests/bpf: Use bpf_link__destroy in fill_link_info tests
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 1703612885723869064f18e8816c6f3f87987748 ]
+
+The fill_link_info test keeps skeleton open and just creates
+various links. We are wrongly calling bpf_link__detach after
+each test to close them, we need to call bpf_link__destroy.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Acked-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/bpf/20231125193130.834322-5-jolsa@kernel.org
+Stable-dep-of: 4538a38f654a ("selftests/bpf: fix perf_event link info name_len assertion")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/prog_tests/fill_link_info.c | 44 ++++++++++---------
+ 1 file changed, 23 insertions(+), 21 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+index 9d768e0837149..7db7f9bd9d58e 100644
+--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c
+@@ -140,14 +140,14 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel,
+ .retprobe = type == BPF_PERF_EVENT_KRETPROBE,
+ );
+ ssize_t entry_offset = 0;
++ struct bpf_link *link;
+ int link_fd, err;
+
+- skel->links.kprobe_run = bpf_program__attach_kprobe_opts(skel->progs.kprobe_run,
+- KPROBE_FUNC, &opts);
+- if (!ASSERT_OK_PTR(skel->links.kprobe_run, "attach_kprobe"))
++ link = bpf_program__attach_kprobe_opts(skel->progs.kprobe_run, KPROBE_FUNC, &opts);
++ if (!ASSERT_OK_PTR(link, "attach_kprobe"))
+ return;
+
+- link_fd = bpf_link__fd(skel->links.kprobe_run);
++ link_fd = bpf_link__fd(link);
+ if (!invalid) {
+ /* See also arch_adjust_kprobe_addr(). */
+ if (skel->kconfig->CONFIG_X86_KERNEL_IBT)
+@@ -157,39 +157,41 @@ static void test_kprobe_fill_link_info(struct test_fill_link_info *skel,
+ } else {
+ kprobe_fill_invalid_user_buffer(link_fd);
+ }
+- bpf_link__detach(skel->links.kprobe_run);
++ bpf_link__destroy(link);
+ }
+
+ static void test_tp_fill_link_info(struct test_fill_link_info *skel)
+ {
++ struct bpf_link *link;
+ int link_fd, err;
+
+- skel->links.tp_run = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME);
+- if (!ASSERT_OK_PTR(skel->links.tp_run, "attach_tp"))
++ link = bpf_program__attach_tracepoint(skel->progs.tp_run, TP_CAT, TP_NAME);
++ if (!ASSERT_OK_PTR(link, "attach_tp"))
+ return;
+
+- link_fd = bpf_link__fd(skel->links.tp_run);
++ link_fd = bpf_link__fd(link);
+ err = verify_perf_link_info(link_fd, BPF_PERF_EVENT_TRACEPOINT, 0, 0, 0);
+ ASSERT_OK(err, "verify_perf_link_info");
+- bpf_link__detach(skel->links.tp_run);
++ bpf_link__destroy(link);
+ }
+
+ static void test_uprobe_fill_link_info(struct test_fill_link_info *skel,
+ enum bpf_perf_event_type type)
+ {
++ struct bpf_link *link;
+ int link_fd, err;
+
+- skel->links.uprobe_run = bpf_program__attach_uprobe(skel->progs.uprobe_run,
+- type == BPF_PERF_EVENT_URETPROBE,
+- 0, /* self pid */
+- UPROBE_FILE, uprobe_offset);
+- if (!ASSERT_OK_PTR(skel->links.uprobe_run, "attach_uprobe"))
++ link = bpf_program__attach_uprobe(skel->progs.uprobe_run,
++ type == BPF_PERF_EVENT_URETPROBE,
++ 0, /* self pid */
++ UPROBE_FILE, uprobe_offset);
++ if (!ASSERT_OK_PTR(link, "attach_uprobe"))
+ return;
+
+- link_fd = bpf_link__fd(skel->links.uprobe_run);
++ link_fd = bpf_link__fd(link);
+ err = verify_perf_link_info(link_fd, type, 0, uprobe_offset, 0);
+ ASSERT_OK(err, "verify_perf_link_info");
+- bpf_link__detach(skel->links.uprobe_run);
++ bpf_link__destroy(link);
+ }
+
+ static int verify_kmulti_link_info(int fd, bool retprobe)
+@@ -278,24 +280,24 @@ static void test_kprobe_multi_fill_link_info(struct test_fill_link_info *skel,
+ bool retprobe, bool invalid)
+ {
+ LIBBPF_OPTS(bpf_kprobe_multi_opts, opts);
++ struct bpf_link *link;
+ int link_fd, err;
+
+ opts.syms = kmulti_syms;
+ opts.cnt = KMULTI_CNT;
+ opts.retprobe = retprobe;
+- skel->links.kmulti_run = bpf_program__attach_kprobe_multi_opts(skel->progs.kmulti_run,
+- NULL, &opts);
+- if (!ASSERT_OK_PTR(skel->links.kmulti_run, "attach_kprobe_multi"))
++ link = bpf_program__attach_kprobe_multi_opts(skel->progs.kmulti_run, NULL, &opts);
++ if (!ASSERT_OK_PTR(link, "attach_kprobe_multi"))
+ return;
+
+- link_fd = bpf_link__fd(skel->links.kmulti_run);
++ link_fd = bpf_link__fd(link);
+ if (!invalid) {
+ err = verify_kmulti_link_info(link_fd, retprobe);
+ ASSERT_OK(err, "verify_kmulti_link_info");
+ } else {
+ verify_kmulti_invalid_user_buffer(link_fd);
+ }
+- bpf_link__detach(skel->links.kmulti_run);
++ bpf_link__destroy(link);
+ }
+
+ void test_fill_link_info(void)
+--
+2.43.0
+
+iio-accel-bma400-fix-uninitialized-variable-field_va.patch
+bpf-make-sure-internal-and-uapi-bpf_redirect-flags-d.patch
+bpf-devmap-provide-rxq-after-redirect.patch
+cpufreq-amd-pstate-fix-amd_pstate-mode-switch-on-sha.patch
+lib-kconfig.debug-fix-grammar-in-rust_build_assert_a.patch
+bpf-fix-memory-leak-in-bpf_core_apply.patch
+rdma-bnxt_re-fix-a-possible-memory-leak.patch
+rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch
+rdma-bnxt_re-add-a-check-for-memory-allocation.patch
+rdma-core-fix-enodev-error-for-iwarp-test-over-vlan.patch
+x86-resctrl-avoid-overflow-in-mb-settings-in-bw_vali.patch
+arm-dts-bcm2837-rpi-cm3-io3-fix-hdmi-hpd-gpio-pin.patch
+bpf-add-missed-value-to-kprobe-perf-link-info.patch
+bpf-add-cookie-to-perf_event-bpf_link_info-records.patch
+bpf-fix-unpopulated-name_len-field-in-perf_event-lin.patch
+selftests-bpf-use-bpf_link__destroy-in-fill_link_inf.patch
+selftests-bpf-add-cookies-check-for-perf_event-fill_.patch
+selftests-bpf-fix-perf_event-link-info-name_len-asse.patch
+s390-pci-handle-pci-error-codes-other-than-0x3a.patch
+bpf-fix-kfunc-btf-caching-for-modules.patch
+iio-frequency-admv4420-adrf6780-format-kconfig-entri.patch
+iio-frequency-admv4420-fix-missing-select-remap_spi-.patch
+drm-vmwgfx-handle-possible-enomem-in-vmw_stdu_connec.patch
+selftests-bpf-fix-cross-compiling-urandom_read.patch
+task_work-add-twa_nmi_current-as-an-additional-notif.patch
+sched-core-disable-page-allocation-in-task_tick_mm_c.patch
+alsa-hda-cs8409-fix-possible-null-dereference.patch
+firmware-arm_scmi-fix-the-double-free-in-scmi_debugf.patch
+rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch
+rdma-irdma-fix-misspelling-of-accept.patch
+rdma-srpt-make-slab-cache-names-unique.patch
+ipv4-give-an-ipv4-dev-to-blackhole_netdev.patch
+rdma-bnxt_re-support-new-5760x-p7-devices.patch
+rdma-bnxt_re-fix-the-max-cq-wqes-for-older-adapters.patch
+rdma-bnxt_re-fix-out-of-bound-check.patch
+rdma-bnxt_re-return-more-meaningful-error.patch
+rdma-bnxt_re-fix-a-bug-while-setting-up-level-2-pbl-.patch
+rdma-bnxt_re-update-the-bar-offsets.patch
+rdma-bnxt_re-fix-the-gid-table-length.patch
+accel-qaic-fix-the-for-loop-used-to-walk-sg-table.patch
+drm-msm-dpu-make-sure-phys-resources-are-properly-in.patch
+drm-msm-dpu-check-for-overflow-in-_dpu_crtc_setup_lm.patch
+drm-msm-dsi-improve-fix-dsc-pclk-calculation.patch
+drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch
+drm-msm-avoid-null-dereference-in-msm_disp_state_pri.patch
+drm-msm-allocate-memory-for-disp-snapshot-with-kvzal.patch
+firmware-arm_scmi-queue-in-scmi-layer-for-mailbox-im.patch
+net-smc-fix-memory-leak-when-using-percpu-refs.patch
+net-usb-usbnet-fix-race-in-probe-failure.patch
+net-stmmac-dwmac-tegra-fix-link-bring-up-sequence.patch
+octeontx2-af-fix-potential-integer-overflows-on-inte.patch
+drm-amd-amdgpu-fix-double-unlock-in-amdgpu_mes_add_r.patch
+macsec-don-t-increment-counters-for-an-unrelated-sa.patch
+netdevsim-use-cond_resched-in-nsim_dev_trap_report_w.patch
+net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch
+net-smc-fix-searching-in-list-of-known-pnetids-in-sm.patch
+net-xilinx-axienet-fix-potential-memory-leak-in-axie.patch
+bpf-fix-truncation-bug-in-coerce_reg_to_size_sx.patch
+net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch
+irqchip-renesas-rzg2l-align-struct-member-names-to-t.patch
+irqchip-renesas-rzg2l-document-structure-members.patch
+irqchip-renesas-rzg2l-add-support-for-suspend-to-ram.patch
+irqchip-renesas-rzg2l-fix-missing-put_device.patch
+drm-msm-dpu-don-t-always-program-merge_3d-block.patch
+net-bcmasp-fix-potential-memory-leak-in-bcmasp_xmit.patch
+tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unli.patch
+net-dsa-mv88e6xxx-fix-the-max_vid-definition-for-the.patch
+genetlink-hold-rcu-in-genlmsg_mcast.patch
+ravb-remove-setting-of-rx-software-timestamp.patch
+net-ravb-only-advertise-rx-tx-timestamps-if-hardware.patch
+scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch
+smb-client-fix-possible-double-free-in-smb2_set_ea.patch
+smb-client-fix-oobs-when-building-smb2_ioctl-request.patch
+usb-typec-altmode-should-keep-reference-to-parent.patch
+s390-initialize-psw-mask-in-perf_arch_fetch_caller_r.patch
+bpf-fix-link-info-netfilter-flags-to-populate-defrag.patch
+bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch
+vmxnet3-fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch
+net-mlx5-check-for-invalid-vector-index-on-eq-creati.patch
+net-mlx5-fix-command-bitmask-initialization.patch
+net-mlx5-unregister-notifier-on-eswitch-init-failure.patch
+bpf-sockmap-sk_drop-on-attempted-redirects-of-unsupp.patch
+vsock-update-rx_bytes-on-read_skb.patch
+vsock-update-msg_count-on-read_skb.patch
+bpf-vsock-drop-static-vsock_bpf_prot-initialization.patch
+riscv-bpf-make-bpf_cmpxchg-fully-ordered.patch
+nvme-pci-set-doorbell-config-before-unquiescing.patch
+nvme-pci-fix-race-condition-between-reset-and-nvme_d.patch
+bpf-fix-iter-task-tid-filtering.patch
+cdrom-avoid-barrier_nospec-in-cdrom_ioctl_media_chan.patch
+mm-khugepaged-convert-alloc_charge_hpage-to-use-foli.patch
+mm-convert-collapse_huge_page-to-use-a-folio.patch
+mm-khugepaged-use-a-folio-more-in-collapse_file.patch
+khugepaged-inline-hpage_collapse_alloc_folio.patch
+khugepaged-convert-alloc_charge_hpage-to-alloc_charg.patch
+khugepaged-remove-hpage-from-collapse_file.patch
+mm-khugepaged-fix-the-arguments-order-in-khugepaged_.patch
+iio-adc-ti-lmp92064-add-missing-select-iio_-triggere.patch
+xhci-dbgtty-remove-kfifo_out-wrapper.patch
+xhci-dbgtty-use-kfifo-from-tty_port-struct.patch
+xhci-dbc-honor-usb-transfer-size-boundaries.patch
+usb-gadget-f_uac2-replace-snprintf-with-the-safer-sc.patch
+usb-gadget-f_uac2-fix-non-newline-terminated-functio.patch
+usb-gadget-f_uac2-fix-return-value-for-uac2_attribut.patch
+xhci-separate-port-and-caps-macros-into-dedicated-fi.patch
+usb-dwc3-core-fix-system-suspend-on-ti-am62-platform.patch
--- /dev/null
+From 25ad60a90215e41f62c8a537eaae9a80d29f935c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 19:04:04 -0300
+Subject: smb: client: fix OOBs when building SMB2_IOCTL request
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+[ Upstream commit 1ab60323c5201bef25f2a3dc0ccc404d9aca77f1 ]
+
+When using encryption, either enforced by the server or when using
+'seal' mount option, the client will squash all compound request buffers
+down for encryption into a single iov in smb2_set_next_command().
+
+SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the
+SMB2_IOCTL request in the first iov, and if the user passes an input
+buffer that is greater than 328 bytes, smb2_set_next_command() will
+end up writing off the end of @rqst->iov[0].iov_base as shown below:
+
+ mount.cifs //srv/share /mnt -o ...,seal
+ ln -s $(perl -e "print('a')for 1..1024") /mnt/link
+
+ BUG: KASAN: slab-out-of-bounds in
+ smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+ Write of size 4116 at addr ffff8881148fcab8 by task ln/859
+
+ CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+ 1.16.3-2.fc40 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x5d/0x80
+ ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+ print_report+0x156/0x4d9
+ ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+ ? __virt_addr_valid+0x145/0x310
+ ? __phys_addr+0x46/0x90
+ ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+ kasan_report+0xda/0x110
+ ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+ kasan_check_range+0x10f/0x1f0
+ __asan_memcpy+0x3c/0x60
+ smb2_set_next_command.cold+0x1d6/0x24c [cifs]
+ smb2_compound_op+0x238c/0x3840 [cifs]
+ ? kasan_save_track+0x14/0x30
+ ? kasan_save_free_info+0x3b/0x70
+ ? vfs_symlink+0x1a1/0x2c0
+ ? do_symlinkat+0x108/0x1c0
+ ? __pfx_smb2_compound_op+0x10/0x10 [cifs]
+ ? kmem_cache_free+0x118/0x3e0
+ ? cifs_get_writable_path+0xeb/0x1a0 [cifs]
+ smb2_get_reparse_inode+0x423/0x540 [cifs]
+ ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]
+ ? rcu_is_watching+0x20/0x50
+ ? __kmalloc_noprof+0x37c/0x480
+ ? smb2_create_reparse_symlink+0x257/0x490 [cifs]
+ ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]
+ smb2_create_reparse_symlink+0x38f/0x490 [cifs]
+ ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]
+ ? find_held_lock+0x8a/0xa0
+ ? hlock_class+0x32/0xb0
+ ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]
+ cifs_symlink+0x24f/0x960 [cifs]
+ ? __pfx_make_vfsuid+0x10/0x10
+ ? __pfx_cifs_symlink+0x10/0x10 [cifs]
+ ? make_vfsgid+0x6b/0xc0
+ ? generic_permission+0x96/0x2d0
+ vfs_symlink+0x1a1/0x2c0
+ do_symlinkat+0x108/0x1c0
+ ? __pfx_do_symlinkat+0x10/0x10
+ ? strncpy_from_user+0xaa/0x160
+ __x64_sys_symlinkat+0xb9/0xf0
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7f08d75c13bb
+
+Reported-by: David Howells <dhowells@redhat.com>
+Fixes: e77fe73c7e38 ("cifs: we can not use small padding iovs together with encryption")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2pdu.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index 83a03201bb862..a86a3fbfb5a49 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -3300,6 +3300,15 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
+ return rc;
+
+ if (indatalen) {
++ unsigned int len;
++
++ if (WARN_ON_ONCE(smb3_encryption_required(tcon) &&
++ (check_add_overflow(total_len - 1,
++ ALIGN(indatalen, 8), &len) ||
++ len > MAX_CIFS_SMALL_BUFFER_SIZE))) {
++ cifs_small_buf_release(req);
++ return -EIO;
++ }
+ /*
+ * indatalen is usually small at a couple of bytes max, so
+ * just allocate through generic pool
+--
+2.43.0
+
--- /dev/null
+From ec49a220243c32ab6b5ee7b287112908fbd53eee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 18:20:37 +0800
+Subject: smb: client: fix possible double free in smb2_set_ea()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 19ebc1e6cab334a8193398d4152deb76019b5d34 ]
+
+Clang static checker(scan-build) warning:
+fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.
+ 1304 | kfree(ea);
+ | ^~~~~~~~~
+
+There is a double free in such case:
+'ea is initialized to NULL' -> 'first successful memory allocation for
+ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea'
+-> 'goto replay_again' -> 'second goto sea_exit before allocate memory
+for ea' -> 'second memory release for ea resulted in double free'.
+
+Re-initialie 'ea' to NULL near to the replay_again label, it can fix this
+double free problem.
+
+Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
+index 450e3050324c6..ab6e79be2c15d 100644
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -1122,7 +1122,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
+ struct cifs_fid fid;
+ unsigned int size[1];
+ void *data[1];
+- struct smb2_file_full_ea_info *ea = NULL;
++ struct smb2_file_full_ea_info *ea;
+ struct smb2_query_info_rsp *rsp;
+ int rc, used_len = 0;
+ int retries = 0, cur_sleep = 1;
+@@ -1143,6 +1143,7 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
+ if (!utf16_path)
+ return -ENOMEM;
+
++ ea = NULL;
+ resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
+ vars = kzalloc(sizeof(*vars), GFP_KERNEL);
+ if (!vars) {
+--
+2.43.0
+
--- /dev/null
+From 1afb31e5d0133295e6d94bb678f382e288029092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jul 2024 19:03:36 +0200
+Subject: task_work: Add TWA_NMI_CURRENT as an additional notify mode.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 466e4d801cd438a1ab2c8a2cce1bef6b65c31bbb ]
+
+Adding task_work from NMI context requires the following:
+- The kasan_record_aux_stack() is not NMU safe and must be avoided.
+- Using TWA_RESUME is NMI safe. If the NMI occurs while the CPU is in
+ userland then it will continue in userland and not invoke the `work'
+ callback.
+
+Add TWA_NMI_CURRENT as an additional notify mode. In this mode skip
+kasan and use irq_work in hardirq-mode to for needed interrupt. Set
+TIF_NOTIFY_RESUME within the irq_work callback due to k[ac]san
+instrumentation in test_and_set_bit() which does not look NMI safe in
+case of a report.
+
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240704170424.1466941-3-bigeasy@linutronix.de
+Stable-dep-of: 73ab05aa46b0 ("sched/core: Disable page allocation in task_tick_mm_cid()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/task_work.h | 1 +
+ kernel/task_work.c | 24 +++++++++++++++++++++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/task_work.h b/include/linux/task_work.h
+index 26b8a47f41fca..cf5e7e891a776 100644
+--- a/include/linux/task_work.h
++++ b/include/linux/task_work.h
+@@ -18,6 +18,7 @@ enum task_work_notify_mode {
+ TWA_RESUME,
+ TWA_SIGNAL,
+ TWA_SIGNAL_NO_IPI,
++ TWA_NMI_CURRENT,
+ };
+
+ static inline bool task_work_pending(struct task_struct *task)
+diff --git a/kernel/task_work.c b/kernel/task_work.c
+index 2134ac8057a94..5c2daa7ad3f90 100644
+--- a/kernel/task_work.c
++++ b/kernel/task_work.c
+@@ -1,10 +1,18 @@
+ // SPDX-License-Identifier: GPL-2.0
++#include <linux/irq_work.h>
+ #include <linux/spinlock.h>
+ #include <linux/task_work.h>
+ #include <linux/resume_user_mode.h>
+
+ static struct callback_head work_exited; /* all we need is ->next == NULL */
+
++static void task_work_set_notify_irq(struct irq_work *entry)
++{
++ test_and_set_tsk_thread_flag(current, TIF_NOTIFY_RESUME);
++}
++static DEFINE_PER_CPU(struct irq_work, irq_work_NMI_resume) =
++ IRQ_WORK_INIT_HARD(task_work_set_notify_irq);
++
+ /**
+ * task_work_add - ask the @task to execute @work->func()
+ * @task: the task which should run the callback
+@@ -12,7 +20,7 @@ static struct callback_head work_exited; /* all we need is ->next == NULL */
+ * @notify: how to notify the targeted task
+ *
+ * Queue @work for task_work_run() below and notify the @task if @notify
+- * is @TWA_RESUME, @TWA_SIGNAL, or @TWA_SIGNAL_NO_IPI.
++ * is @TWA_RESUME, @TWA_SIGNAL, @TWA_SIGNAL_NO_IPI or @TWA_NMI_CURRENT.
+ *
+ * @TWA_SIGNAL works like signals, in that the it will interrupt the targeted
+ * task and run the task_work, regardless of whether the task is currently
+@@ -24,6 +32,8 @@ static struct callback_head work_exited; /* all we need is ->next == NULL */
+ * kernel anyway.
+ * @TWA_RESUME work is run only when the task exits the kernel and returns to
+ * user mode, or before entering guest mode.
++ * @TWA_NMI_CURRENT works like @TWA_RESUME, except it can only be used for the
++ * current @task and if the current context is NMI.
+ *
+ * Fails if the @task is exiting/exited and thus it can't process this @work.
+ * Otherwise @work->func() will be called when the @task goes through one of
+@@ -44,8 +54,13 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
+ {
+ struct callback_head *head;
+
+- /* record the work call stack in order to print it in KASAN reports */
+- kasan_record_aux_stack(work);
++ if (notify == TWA_NMI_CURRENT) {
++ if (WARN_ON_ONCE(task != current))
++ return -EINVAL;
++ } else {
++ /* record the work call stack in order to print it in KASAN reports */
++ kasan_record_aux_stack(work);
++ }
+
+ head = READ_ONCE(task->task_works);
+ do {
+@@ -66,6 +81,9 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
+ case TWA_SIGNAL_NO_IPI:
+ __set_notify_signal(task);
+ break;
++ case TWA_NMI_CURRENT:
++ irq_work_queue(this_cpu_ptr(&irq_work_NMI_resume));
++ break;
+ default:
+ WARN_ON_ONCE(1);
+ break;
+--
+2.43.0
+
--- /dev/null
+From 15804082f0431cb357bf3aa25ec2c153206f3cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 15:33:12 -0700
+Subject: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f ]
+
+Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().
+
+ """
+ We are seeing a use-after-free from a bpf prog attached to
+ trace_tcp_retransmit_synack. The program passes the req->sk to the
+ bpf_sk_storage_get_tracing kernel helper which does check for null
+ before using it.
+ """
+
+The commit 83fccfc3940c ("inet: fix potential deadlock in
+reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not
+to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
+small race window.
+
+Before the timer is called, expire_timers() calls detach_timer(timer, true)
+to clear timer->entry.pprev and marks it as not pending.
+
+If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
+calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
+continue running and send multiple SYN+ACKs until it expires.
+
+The reported UAF could happen if req->sk is close()d earlier than the timer
+expiration, which is 63s by default.
+
+The scenario would be
+
+ 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
+ but del_timer_sync() is missed
+
+ 2. reqsk timer is executed and scheduled again
+
+ 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
+ reqsk timer still has another one, and inet_csk_accept() does not
+ clear req->sk for non-TFO sockets
+
+ 4. sk is close()d
+
+ 5. reqsk timer is executed again, and BPF touches req->sk
+
+Let's not use timer_pending() by passing the caller context to
+__inet_csk_reqsk_queue_drop().
+
+Note that reqsk timer is pinned, so the issue does not happen in most
+use cases. [1]
+
+[0]
+BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0
+
+Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
+bpf_sk_storage_get_tracing+0x2e/0x1b0
+bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
+bpf_trace_run2+0x4c/0xc0
+tcp_rtx_synack+0xf9/0x100
+reqsk_timer_handler+0xda/0x3d0
+run_timer_softirq+0x292/0x8a0
+irq_exit_rcu+0xf5/0x320
+sysvec_apic_timer_interrupt+0x6d/0x80
+asm_sysvec_apic_timer_interrupt+0x16/0x20
+intel_idle_irq+0x5a/0xa0
+cpuidle_enter_state+0x94/0x273
+cpu_startup_entry+0x15e/0x260
+start_secondary+0x8a/0x90
+secondary_startup_64_no_verify+0xfa/0xfb
+
+kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6
+
+allocated by task 0 on cpu 9 at 260507.901592s:
+sk_prot_alloc+0x35/0x140
+sk_clone_lock+0x1f/0x3f0
+inet_csk_clone_lock+0x15/0x160
+tcp_create_openreq_child+0x1f/0x410
+tcp_v6_syn_recv_sock+0x1da/0x700
+tcp_check_req+0x1fb/0x510
+tcp_v6_rcv+0x98b/0x1420
+ipv6_list_rcv+0x2258/0x26e0
+napi_complete_done+0x5b1/0x2990
+mlx5e_napi_poll+0x2ae/0x8d0
+net_rx_action+0x13e/0x590
+irq_exit_rcu+0xf5/0x320
+common_interrupt+0x80/0x90
+asm_common_interrupt+0x22/0x40
+cpuidle_enter_state+0xfb/0x273
+cpu_startup_entry+0x15e/0x260
+start_secondary+0x8a/0x90
+secondary_startup_64_no_verify+0xfa/0xfb
+
+freed by task 0 on cpu 9 at 260507.927527s:
+rcu_core_si+0x4ff/0xf10
+irq_exit_rcu+0xf5/0x320
+sysvec_apic_timer_interrupt+0x6d/0x80
+asm_sysvec_apic_timer_interrupt+0x16/0x20
+cpuidle_enter_state+0xfb/0x273
+cpu_startup_entry+0x15e/0x260
+start_secondary+0x8a/0x90
+secondary_startup_64_no_verify+0xfa/0xfb
+
+Fixes: 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()")
+Reported-by: Martin KaFai Lau <martin.lau@kernel.org>
+Closes: https://lore.kernel.org/netdev/eb6684d0-ffd9-4bdc-9196-33f690c25824@linux.dev/
+Link: https://lore.kernel.org/netdev/b55e2ca0-42f2-4b7c-b445-6ffd87ca74a0@linux.dev/ [1]
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_connection_sock.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 8720f3840b698..ca8cc0988b618 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -980,21 +980,31 @@ static bool reqsk_queue_unlink(struct request_sock *req)
+ found = __sk_nulls_del_node_init_rcu(sk);
+ spin_unlock(lock);
+ }
+- if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer))
+- reqsk_put(req);
++
+ return found;
+ }
+
+-bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req)
++static bool __inet_csk_reqsk_queue_drop(struct sock *sk,
++ struct request_sock *req,
++ bool from_timer)
+ {
+ bool unlinked = reqsk_queue_unlink(req);
+
++ if (!from_timer && timer_delete_sync(&req->rsk_timer))
++ reqsk_put(req);
++
+ if (unlinked) {
+ reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req);
+ reqsk_put(req);
+ }
++
+ return unlinked;
+ }
++
++bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req)
++{
++ return __inet_csk_reqsk_queue_drop(sk, req, false);
++}
+ EXPORT_SYMBOL(inet_csk_reqsk_queue_drop);
+
+ void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req)
+@@ -1087,7 +1097,7 @@ static void reqsk_timer_handler(struct timer_list *t)
+
+ if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) {
+ /* delete timer */
+- inet_csk_reqsk_queue_drop(sk_listener, nreq);
++ __inet_csk_reqsk_queue_drop(sk_listener, nreq, true);
+ goto no_ownership;
+ }
+
+@@ -1113,7 +1123,8 @@ static void reqsk_timer_handler(struct timer_list *t)
+ }
+
+ drop:
+- inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq);
++ __inet_csk_reqsk_queue_drop(sk_listener, oreq, true);
++ reqsk_put(req);
+ }
+
+ static bool reqsk_queue_hash_req(struct request_sock *req,
+--
+2.43.0
+
--- /dev/null
+From 7424de57ecea906d4e6e15ac9aeb2fc78939fedd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 13:53:24 +0300
+Subject: usb: dwc3: core: Fix system suspend on TI AM62 platforms
+
+From: Roger Quadros <rogerq@kernel.org>
+
+[ Upstream commit 705e3ce37bccdf2ed6f848356ff355f480d51a91 ]
+
+Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"),
+system suspend is broken on AM62 TI platforms.
+
+Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY
+bits (hence forth called 2 SUSPHY bits) were being set during core
+initialization and even during core re-initialization after a system
+suspend/resume.
+
+These bits are required to be set for system suspend/resume to work correctly
+on AM62 platforms.
+
+Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget
+driver is not loaded and started.
+For Host mode, the 2 SUSPHY bits are set before the first system suspend but
+get cleared at system resume during core re-init and are never set again.
+
+This patch resovles these two issues by ensuring the 2 SUSPHY bits are set
+before system suspend and restored to the original state during system resume.
+
+Cc: stable@vger.kernel.org # v6.9+
+Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init")
+Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Tested-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Link: https://lore.kernel.org/r/20241011-am62-lpm-usb-v3-1-562d445625b5@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 19 +++++++++++++++++++
+ drivers/usb/dwc3/core.h | 3 +++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index af851e4e8c8a7..8cbe19574bbcb 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -2106,6 +2106,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+ {
+ u32 reg;
+
++ dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) &
++ DWC3_GUSB2PHYCFG_SUSPHY) ||
++ (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) &
++ DWC3_GUSB3PIPECTL_SUSPHY);
++
+ switch (dwc->current_dr_role) {
+ case DWC3_GCTL_PRTCAP_DEVICE:
+ if (pm_runtime_suspended(dwc->dev))
+@@ -2153,6 +2158,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+ break;
+ }
+
++ if (!PMSG_IS_AUTO(msg)) {
++ /*
++ * TI AM62 platform requires SUSPHY to be
++ * enabled for system suspend to work.
++ */
++ if (!dwc->susphy_state)
++ dwc3_enable_susphy(dwc, true);
++ }
++
+ return 0;
+ }
+
+@@ -2215,6 +2229,11 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg)
+ break;
+ }
+
++ if (!PMSG_IS_AUTO(msg)) {
++ /* restore SUSPHY state to that before system suspend. */
++ dwc3_enable_susphy(dwc, dwc->susphy_state);
++ }
++
+ return 0;
+ }
+
+diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
+index 420753205fafa..3325796f3cb45 100644
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -1127,6 +1127,8 @@ struct dwc3_scratchpad_array {
+ * @sys_wakeup: set if the device may do system wakeup.
+ * @wakeup_configured: set if the device is configured for remote wakeup.
+ * @suspended: set to track suspend event due to U3/L2.
++ * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY + DWC3_GUSB3PIPECTL_SUSPHY
++ * before PM suspend.
+ * @imod_interval: set the interrupt moderation interval in 250ns
+ * increments or 0 to disable.
+ * @max_cfg_eps: current max number of IN eps used across all USB configs.
+@@ -1351,6 +1353,7 @@ struct dwc3 {
+ unsigned sys_wakeup:1;
+ unsigned wakeup_configured:1;
+ unsigned suspended:1;
++ unsigned susphy_state:1;
+
+ u16 imod_interval;
+
+--
+2.43.0
+
--- /dev/null
+From 66102547c4f13d3f9412326241603124030423d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 15:25:53 +0100
+Subject: usb: gadget: f_uac2: fix non-newline-terminated function name
+
+From: John Keeping <jkeeping@inmusicbrands.com>
+
+[ Upstream commit e60284b63245b84c3ae352427ed5ff8b79266b91 ]
+
+Most writes to configfs handle an optional newline, but do not require
+it. By using the number of bytes written as the limit for scnprintf()
+it is guaranteed that the final character in the buffer will be
+overwritten.
+
+This is expected if it is a newline but is undesirable when a string is
+written "as-is" (as libusbgx does, for example).
+
+Update the store function to strip an optional newline, matching the
+behaviour of usb_string_copy().
+
+Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
+Link: https://lore.kernel.org/r/20240708142553.3995022-1-jkeeping@inmusicbrands.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 9499327714de ("usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
+index 55a4f07bc9cc1..79d1f87c6cc59 100644
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -2060,7 +2060,10 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \
+ goto end; \
+ } \
+ \
+- ret = scnprintf(opts->name, min(sizeof(opts->name), len), \
++ if (len && page[len - 1] == '\n') \
++ len--; \
++ \
++ ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1), \
+ "%s", page); \
+ \
+ end: \
+--
+2.43.0
+
--- /dev/null
+From 5a42d949e31f2c7cfeffe28f267f29e590091080 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 19:26:31 -0400
+Subject: usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store
+
+From: Kevin Groeneveld <kgroeneveld@lenbrook.com>
+
+[ Upstream commit 9499327714de7bc5cf6c792112c1474932d8ad31 ]
+
+The configfs store callback should return the number of bytes consumed
+not the total number of bytes we actually stored. These could differ if
+for example the passed in string had a newline we did not store.
+
+If the returned value does not match the number of bytes written the
+writer might assume a failure or keep trying to write the remaining bytes.
+
+For example the following command will hang trying to write the final
+newline over and over again (tested on bash 2.05b):
+
+ echo foo > function_name
+
+Fixes: 993a44fa85c1 ("usb: gadget: f_uac2: allow changing interface name via configfs")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Kevin Groeneveld <kgroeneveld@lenbrook.com>
+Link: https://lore.kernel.org/r/20241006232637.4267-1-kgroeneveld@lenbrook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
+index 79d1f87c6cc59..b3dc5f5164f42 100644
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -2052,7 +2052,7 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \
+ const char *page, size_t len) \
+ { \
+ struct f_uac2_opts *opts = to_f_uac2_opts(item); \
+- int ret = 0; \
++ int ret = len; \
+ \
+ mutex_lock(&opts->lock); \
+ if (opts->refcnt) { \
+@@ -2063,8 +2063,8 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \
+ if (len && page[len - 1] == '\n') \
+ len--; \
+ \
+- ret = scnprintf(opts->name, min(sizeof(opts->name), len + 1), \
+- "%s", page); \
++ scnprintf(opts->name, min(sizeof(opts->name), len + 1), \
++ "%s", page); \
+ \
+ end: \
+ mutex_unlock(&opts->lock); \
+--
+2.43.0
+
--- /dev/null
+From d4614c7cd1eb5e09e25fc61b47d17b6701c98b51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 16:42:32 +0000
+Subject: usb: gadget: f_uac2: Replace snprintf() with the safer scnprintf()
+ variant
+
+From: Lee Jones <lee@kernel.org>
+
+[ Upstream commit 60034e0aedf507888c4a880f57011bb7f5d7700c ]
+
+There is a general misunderstanding amongst engineers that {v}snprintf()
+returns the length of the data *actually* encoded into the destination
+array. However, as per the C99 standard {v}snprintf() really returns
+the length of the data that *would have been* written if there were
+enough space for it. This misunderstanding has led to buffer-overruns
+in the past. It's generally considered safer to use the {v}scnprintf()
+variants in their place (or even sprintf() in simple cases). So let's
+do that.
+
+Link: https://lwn.net/Articles/69419/
+Link: https://github.com/KSPP/linux/issues/105
+Cc: James Gruber <jimmyjgruber@gmail.com>
+Cc: Yadwinder Singh <yadi.brar01@gmail.com>
+Cc: Jaswinder Singh <jaswinder.singh@linaro.org>
+Cc: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20231213164246.1021885-4-lee@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 9499327714de ("usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
+index 0219cd79493a7..55a4f07bc9cc1 100644
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -2042,7 +2042,7 @@ static ssize_t f_uac2_opts_##name##_show(struct config_item *item, \
+ int result; \
+ \
+ mutex_lock(&opts->lock); \
+- result = snprintf(page, sizeof(opts->name), "%s", opts->name); \
++ result = scnprintf(page, sizeof(opts->name), "%s", opts->name); \
+ mutex_unlock(&opts->lock); \
+ \
+ return result; \
+@@ -2060,7 +2060,7 @@ static ssize_t f_uac2_opts_##name##_store(struct config_item *item, \
+ goto end; \
+ } \
+ \
+- ret = snprintf(opts->name, min(sizeof(opts->name), len), \
++ ret = scnprintf(opts->name, min(sizeof(opts->name), len), \
+ "%s", page); \
+ \
+ end: \
+@@ -2178,7 +2178,7 @@ static struct usb_function_instance *afunc_alloc_inst(void)
+ opts->req_number = UAC2_DEF_REQ_NUM;
+ opts->fb_max = FBACK_FAST_MAX;
+
+- snprintf(opts->function_name, sizeof(opts->function_name), "Source/Sink");
++ scnprintf(opts->function_name, sizeof(opts->function_name), "Source/Sink");
+
+ return &opts->func_inst;
+ }
+--
+2.43.0
+
--- /dev/null
+From e1c3f9214e9889e3135881d5346772204e6b6af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 09:37:38 -0300
+Subject: usb: typec: altmode should keep reference to parent
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ]
+
+The altmode device release refers to its parent device, but without keeping
+a reference to it.
+
+When registering the altmode, get a reference to the parent and put it in
+the release function.
+
+Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues
+like this:
+
+[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
+[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
+[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
+[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
+[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
+[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
+[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
+[ 46.612867] ==================================================================
+[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
+[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
+[ 46.614538]
+[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
+[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[ 46.616042] Workqueue: events kobject_delayed_cleanup
+[ 46.616446] Call Trace:
+[ 46.616648] <TASK>
+[ 46.616820] dump_stack_lvl+0x5b/0x7c
+[ 46.617112] ? typec_altmode_release+0x38/0x129
+[ 46.617470] print_report+0x14c/0x49e
+[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69
+[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab
+[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d
+[ 46.618807] ? typec_altmode_release+0x38/0x129
+[ 46.619161] kasan_report+0x8d/0xb4
+[ 46.619447] ? typec_altmode_release+0x38/0x129
+[ 46.619809] ? process_scheduled_works+0x3cb/0x85f
+[ 46.620185] typec_altmode_release+0x38/0x129
+[ 46.620537] ? process_scheduled_works+0x3cb/0x85f
+[ 46.620907] device_release+0xaf/0xf2
+[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a
+[ 46.621584] process_scheduled_works+0x4f6/0x85f
+[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10
+[ 46.622353] ? hlock_class+0x31/0x9a
+[ 46.622647] ? lock_acquired+0x361/0x3c3
+[ 46.622956] ? move_linked_works+0x46/0x7d
+[ 46.623277] worker_thread+0x1ce/0x291
+[ 46.623582] ? __kthread_parkme+0xc8/0xdf
+[ 46.623900] ? __pfx_worker_thread+0x10/0x10
+[ 46.624236] kthread+0x17e/0x190
+[ 46.624501] ? kthread+0xfb/0x190
+[ 46.624756] ? __pfx_kthread+0x10/0x10
+[ 46.625015] ret_from_fork+0x20/0x40
+[ 46.625268] ? __pfx_kthread+0x10/0x10
+[ 46.625532] ret_from_fork_asm+0x1a/0x30
+[ 46.625805] </TASK>
+[ 46.625953]
+[ 46.626056] Allocated by task 678:
+[ 46.626287] kasan_save_stack+0x24/0x44
+[ 46.626555] kasan_save_track+0x14/0x2d
+[ 46.626811] __kasan_kmalloc+0x3f/0x4d
+[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0
+[ 46.627362] typec_register_port+0x23/0x491
+[ 46.627698] cros_typec_probe+0x634/0xbb6
+[ 46.628026] platform_probe+0x47/0x8c
+[ 46.628311] really_probe+0x20a/0x47d
+[ 46.628605] device_driver_attach+0x39/0x72
+[ 46.628940] bind_store+0x87/0xd7
+[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218
+[ 46.629574] vfs_write+0x1d6/0x29b
+[ 46.629856] ksys_write+0xcd/0x13b
+[ 46.630128] do_syscall_64+0xd4/0x139
+[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 46.630820]
+[ 46.630946] Freed by task 48:
+[ 46.631182] kasan_save_stack+0x24/0x44
+[ 46.631493] kasan_save_track+0x14/0x2d
+[ 46.631799] kasan_save_free_info+0x3f/0x4d
+[ 46.632144] __kasan_slab_free+0x37/0x45
+[ 46.632474] kfree+0x1d4/0x252
+[ 46.632725] device_release+0xaf/0xf2
+[ 46.633017] kobject_delayed_cleanup+0x13b/0x17a
+[ 46.633388] process_scheduled_works+0x4f6/0x85f
+[ 46.633764] worker_thread+0x1ce/0x291
+[ 46.634065] kthread+0x17e/0x190
+[ 46.634324] ret_from_fork+0x20/0x40
+[ 46.634621] ret_from_fork_asm+0x1a/0x30
+
+Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/class.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
+index f92fc2acfcba0..79cad8d61dacd 100644
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -502,6 +502,7 @@ static void typec_altmode_release(struct device *dev)
+ typec_altmode_put_partner(alt);
+
+ altmode_id_remove(alt->adev.dev.parent, alt->id);
++ put_device(alt->adev.dev.parent);
+ kfree(alt);
+ }
+
+@@ -551,6 +552,8 @@ typec_register_altmode(struct device *parent,
+ alt->adev.dev.type = &typec_altmode_dev_type;
+ dev_set_name(&alt->adev.dev, "%s.%u", dev_name(parent), id);
+
++ get_device(alt->adev.dev.parent);
++
+ /* Link partners and plugs with the ports */
+ if (!is_port)
+ typec_altmode_set_partner(alt);
+--
+2.43.0
+
--- /dev/null
+From a8854db35f7526b0b3fe20199a6321a82c3a7e7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 21:03:11 +0200
+Subject: vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 4678adf94da4a9e9683817b246b58ce15fb81782 ]
+
+Andrew and Nikolay reported connectivity issues with Cilium's service
+load-balancing in case of vmxnet3.
+
+If a BPF program for native XDP adds an encapsulation header such as
+IPIP and transmits the packet out the same interface, then in case
+of vmxnet3 a corrupted packet is being sent and subsequently dropped
+on the path.
+
+vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp()
+through vmxnet3_xdp_xmit_back() calculates an incorrect DMA address:
+
+ page = virt_to_page(xdpf->data);
+ tbi->dma_addr = page_pool_get_dma_addr(page) +
+ VMXNET3_XDP_HEADROOM;
+ dma_sync_single_for_device(&adapter->pdev->dev,
+ tbi->dma_addr, buf_size,
+ DMA_TO_DEVICE);
+
+The above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP
+BPF program could have moved xdp->data. While the passed buf_size is
+correct (xdpf->len), the dma_addr needs to have a dynamic offset which
+can be calculated as xdpf->data - (void *)xdpf, that is, xdp->data -
+xdp->data_hard_start.
+
+Fixes: 54f00cce1178 ("vmxnet3: Add XDP support.")
+Reported-by: Andrew Sauber <andrew.sauber@isovalent.com>
+Reported-by: Nikolay Nikolaev <nikolay.nikolaev@isovalent.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Nikolay Nikolaev <nikolay.nikolaev@isovalent.com>
+Acked-by: Anton Protopopov <aspsk@isovalent.com>
+Cc: William Tu <witu@nvidia.com>
+Cc: Ronak Doshi <ronak.doshi@broadcom.com>
+Link: https://patch.msgid.link/a0888656d7f09028f9984498cc698bb5364d89fc.1728931137.git.daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_xdp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_xdp.c b/drivers/net/vmxnet3/vmxnet3_xdp.c
+index a6c787454a1ae..1341374a4588a 100644
+--- a/drivers/net/vmxnet3/vmxnet3_xdp.c
++++ b/drivers/net/vmxnet3/vmxnet3_xdp.c
+@@ -148,7 +148,7 @@ vmxnet3_xdp_xmit_frame(struct vmxnet3_adapter *adapter,
+ } else { /* XDP buffer from page pool */
+ page = virt_to_page(xdpf->data);
+ tbi->dma_addr = page_pool_get_dma_addr(page) +
+- VMXNET3_XDP_HEADROOM;
++ (xdpf->data - (void *)xdpf);
+ dma_sync_single_for_device(&adapter->pdev->dev,
+ tbi->dma_addr, buf_size,
+ DMA_TO_DEVICE);
+--
+2.43.0
+
--- /dev/null
+From f8608ae0fff5c2f60d60d1f2676ba4b9367b34ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 18:26:41 +0200
+Subject: vsock: Update msg_count on read_skb()
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 6dafde852df8de3617d4b9f835b629aaeaccd01d ]
+
+Dequeuing via vsock_transport::read_skb() left msg_count outdated, which
+then confused SOCK_SEQPACKET recv(). Decrease the counter.
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-3-d6577bbfe742@rbox.co
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index 072878012b51e..78b5f4f8808b9 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1524,6 +1524,9 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto
+ }
+
+ hdr = virtio_vsock_hdr(skb);
++ if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SEQ_EOM)
++ vvs->msg_count--;
++
+ virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len));
+ spin_unlock_bh(&vvs->rx_lock);
+
+--
+2.43.0
+
--- /dev/null
+From 0883d1310735592f4f1d3b035c845a0ccc5cd707 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 18:26:40 +0200
+Subject: vsock: Update rx_bytes on read_skb()
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 3543152f2d330141d9394d28855cb90b860091d2 ]
+
+Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt()
+calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after
+vsock_transport::read_skb().
+
+While here, also inform the peer that we've freed up space and it has more
+credit.
+
+Failing to update rx_bytes after packet is dequeued leads to a warning on
+SOCK_STREAM recv():
+
+[ 233.396654] rx_queue is empty, but rx_bytes is non-zero
+[ 233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-2-d6577bbfe742@rbox.co
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index e87fd9480acda..072878012b51e 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1508,6 +1508,7 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto
+ {
+ struct virtio_vsock_sock *vvs = vsk->trans;
+ struct sock *sk = sk_vsock(vsk);
++ struct virtio_vsock_hdr *hdr;
+ struct sk_buff *skb;
+ int off = 0;
+ int err;
+@@ -1517,10 +1518,16 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto
+ * works for types other than dgrams.
+ */
+ skb = __skb_recv_datagram(sk, &vvs->rx_queue, MSG_DONTWAIT, &off, &err);
++ if (!skb) {
++ spin_unlock_bh(&vvs->rx_lock);
++ return err;
++ }
++
++ hdr = virtio_vsock_hdr(skb);
++ virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len));
+ spin_unlock_bh(&vvs->rx_lock);
+
+- if (!skb)
+- return err;
++ virtio_transport_send_credit_update(vsk);
+
+ return recv_actor(sk, skb);
+ }
+--
+2.43.0
+
--- /dev/null
+From 8a00844fe54ac475f532cd0547677cb95caf6ca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 13:43:56 +0200
+Subject: x86/resctrl: Avoid overflow in MB settings in bw_validate()
+
+From: Martin Kletzander <nert.pinx@gmail.com>
+
+[ Upstream commit 2b5648416e47933939dc310c4ea1e29404f35630 ]
+
+The resctrl schemata file supports specifying memory bandwidth associated with
+the Memory Bandwidth Allocation (MBA) feature via a percentage (this is the
+default) or bandwidth in MiBps (when resctrl is mounted with the "mba_MBps"
+option).
+
+The allowed range for the bandwidth percentage is from
+/sys/fs/resctrl/info/MB/min_bandwidth to 100, using a granularity of
+/sys/fs/resctrl/info/MB/bandwidth_gran. The supported range for the MiBps
+bandwidth is 0 to U32_MAX.
+
+There are two issues with parsing of MiBps memory bandwidth:
+
+* The user provided MiBps is mistakenly rounded up to the granularity
+ that is unique to percentage input.
+
+* The user provided MiBps is parsed using unsigned long (thus accepting
+ values up to ULONG_MAX), and then assigned to u32 that could result in
+ overflow.
+
+Do not round up the MiBps value and parse user provided bandwidth as the u32
+it is intended to be. Use the appropriate kstrtou32() that can detect out of
+range values.
+
+Fixes: 8205a078ba78 ("x86/intel_rdt/mba_sc: Add schemata support")
+Fixes: 6ce1560d35f6 ("x86/resctrl: Switch over to the resctrl mbps_val list")
+Co-developed-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Martin Kletzander <nert.pinx@gmail.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
+index b44c487727d45..a701e7921ea5c 100644
+--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
++++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
+@@ -27,10 +27,10 @@
+ * hardware. The allocated bandwidth percentage is rounded to the next
+ * control step available on the hardware.
+ */
+-static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r)
++static bool bw_validate(char *buf, u32 *data, struct rdt_resource *r)
+ {
+- unsigned long bw;
+ int ret;
++ u32 bw;
+
+ /*
+ * Only linear delay values is supported for current Intel SKUs.
+@@ -40,16 +40,21 @@ static bool bw_validate(char *buf, unsigned long *data, struct rdt_resource *r)
+ return false;
+ }
+
+- ret = kstrtoul(buf, 10, &bw);
++ ret = kstrtou32(buf, 10, &bw);
+ if (ret) {
+- rdt_last_cmd_printf("Non-decimal digit in MB value %s\n", buf);
++ rdt_last_cmd_printf("Invalid MB value %s\n", buf);
+ return false;
+ }
+
+- if ((bw < r->membw.min_bw || bw > r->default_ctrl) &&
+- !is_mba_sc(r)) {
+- rdt_last_cmd_printf("MB value %ld out of range [%d,%d]\n", bw,
+- r->membw.min_bw, r->default_ctrl);
++ /* Nothing else to do if software controller is enabled. */
++ if (is_mba_sc(r)) {
++ *data = bw;
++ return true;
++ }
++
++ if (bw < r->membw.min_bw || bw > r->default_ctrl) {
++ rdt_last_cmd_printf("MB value %u out of range [%d,%d]\n",
++ bw, r->membw.min_bw, r->default_ctrl);
+ return false;
+ }
+
+@@ -63,7 +68,7 @@ int parse_bw(struct rdt_parse_data *data, struct resctrl_schema *s,
+ struct resctrl_staged_config *cfg;
+ u32 closid = data->rdtgrp->closid;
+ struct rdt_resource *r = s->res;
+- unsigned long bw_val;
++ u32 bw_val;
+
+ cfg = &d->staged_config[s->conf_type];
+ if (cfg->have_new_ctrl) {
+--
+2.43.0
+
--- /dev/null
+From deaef71ec0891952ff491629f52bfcdc27a988d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 17:00:00 +0300
+Subject: xhci: dbc: honor usb transfer size boundaries.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 30c9ae5ece8ecd69d36e6912c2c0896418f2468c ]
+
+Treat each completed full size write to /dev/ttyDBC0 as a separate usb
+transfer. Make sure the size of the TRBs matches the size of the tty
+write by first queuing as many max packet size TRBs as possible up to
+the last TRB which will be cut short to match the size of the tty write.
+
+This solves an issue where userspace writes several transfers back to
+back via /dev/ttyDBC0 into a kfifo before dbgtty can find available
+request to turn that kfifo data into TRBs on the transfer ring.
+
+The boundary between transfer was lost as xhci-dbgtty then turned
+everyting in the kfifo into as many 'max packet size' TRBs as possible.
+
+DbC would then send more data to the host than intended for that
+transfer, causing host to issue a babble error.
+
+Refuse to write more data to kfifo until previous tty write data is
+turned into properly sized TRBs with data size boundaries matching tty
+write size
+
+Tested-by: Uday M Bhat <uday.m.bhat@intel.com>
+Tested-by: Łukasz Bartosik <ukaszb@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20241016140000.783905-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-dbgcap.h | 1 +
+ drivers/usb/host/xhci-dbgtty.c | 55 ++++++++++++++++++++++++++++++----
+ 2 files changed, 51 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h
+index 54fafebb7bd1f..76170d7a7e7c3 100644
+--- a/drivers/usb/host/xhci-dbgcap.h
++++ b/drivers/usb/host/xhci-dbgcap.h
+@@ -108,6 +108,7 @@ struct dbc_port {
+ struct tasklet_struct push;
+
+ struct list_head write_pool;
++ unsigned int tx_boundary;
+
+ bool registered;
+ };
+diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c
+index 881f5a7e6e0e1..0266c2f5bc0d8 100644
+--- a/drivers/usb/host/xhci-dbgtty.c
++++ b/drivers/usb/host/xhci-dbgtty.c
+@@ -24,6 +24,29 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc)
+ return dbc->priv;
+ }
+
++static unsigned int
++dbc_kfifo_to_req(struct dbc_port *port, char *packet)
++{
++ unsigned int len;
++
++ len = kfifo_len(&port->port.xmit_fifo);
++
++ if (len == 0)
++ return 0;
++
++ len = min(len, DBC_MAX_PACKET);
++
++ if (port->tx_boundary)
++ len = min(port->tx_boundary, len);
++
++ len = kfifo_out(&port->port.xmit_fifo, packet, len);
++
++ if (port->tx_boundary)
++ port->tx_boundary -= len;
++
++ return len;
++}
++
+ static int dbc_start_tx(struct dbc_port *port)
+ __releases(&port->port_lock)
+ __acquires(&port->port_lock)
+@@ -36,7 +59,7 @@ static int dbc_start_tx(struct dbc_port *port)
+
+ while (!list_empty(pool)) {
+ req = list_entry(pool->next, struct dbc_request, list_pool);
+- len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET);
++ len = dbc_kfifo_to_req(port, req->buf);
+ if (len == 0)
+ break;
+ do_tty_wake = true;
+@@ -200,14 +223,32 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf,
+ {
+ struct dbc_port *port = tty->driver_data;
+ unsigned long flags;
++ unsigned int written = 0;
+
+ spin_lock_irqsave(&port->port_lock, flags);
+- if (count)
+- count = kfifo_in(&port->port.xmit_fifo, buf, count);
+- dbc_start_tx(port);
++
++ /*
++ * Treat tty write as one usb transfer. Make sure the writes are turned
++ * into TRB request having the same size boundaries as the tty writes.
++ * Don't add data to kfifo before previous write is turned into TRBs
++ */
++ if (port->tx_boundary) {
++ spin_unlock_irqrestore(&port->port_lock, flags);
++ return 0;
++ }
++
++ if (count) {
++ written = kfifo_in(&port->port.xmit_fifo, buf, count);
++
++ if (written == count)
++ port->tx_boundary = kfifo_len(&port->port.xmit_fifo);
++
++ dbc_start_tx(port);
++ }
++
+ spin_unlock_irqrestore(&port->port_lock, flags);
+
+- return count;
++ return written;
+ }
+
+ static int dbc_tty_put_char(struct tty_struct *tty, u8 ch)
+@@ -241,6 +282,10 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty)
+
+ spin_lock_irqsave(&port->port_lock, flags);
+ room = kfifo_avail(&port->port.xmit_fifo);
++
++ if (port->tx_boundary)
++ room = 0;
++
+ spin_unlock_irqrestore(&port->port_lock, flags);
+
+ return room;
+--
+2.43.0
+
--- /dev/null
+From 1bbfed58a2bb2afe9acd6c7ad988f44a748fce99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Aug 2024 12:35:40 +0200
+Subject: xhci: dbgtty: remove kfifo_out() wrapper
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit 2b217514436744dd98c4d9fa48d60610f9f67d61 ]
+
+There is no need to check against kfifo_len() before kfifo_out(). Just
+ask the latter for data and it tells how much it retrieved. Or returns 0
+in case there are no more.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Cc: Mathias Nyman <mathias.nyman@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Link: https://lore.kernel.org/r/20240808103549.429349-5-jirislaby@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 30c9ae5ece8e ("xhci: dbc: honor usb transfer size boundaries.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-dbgtty.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c
+index b74e98e943932..64ea964949975 100644
+--- a/drivers/usb/host/xhci-dbgtty.c
++++ b/drivers/usb/host/xhci-dbgtty.c
+@@ -24,19 +24,6 @@ static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc)
+ return dbc->priv;
+ }
+
+-static unsigned int
+-dbc_send_packet(struct dbc_port *port, char *packet, unsigned int size)
+-{
+- unsigned int len;
+-
+- len = kfifo_len(&port->write_fifo);
+- if (len < size)
+- size = len;
+- if (size != 0)
+- size = kfifo_out(&port->write_fifo, packet, size);
+- return size;
+-}
+-
+ static int dbc_start_tx(struct dbc_port *port)
+ __releases(&port->port_lock)
+ __acquires(&port->port_lock)
+@@ -49,7 +36,7 @@ static int dbc_start_tx(struct dbc_port *port)
+
+ while (!list_empty(pool)) {
+ req = list_entry(pool->next, struct dbc_request, list_pool);
+- len = dbc_send_packet(port, req->buf, DBC_MAX_PACKET);
++ len = kfifo_out(&port->write_fifo, req->buf, DBC_MAX_PACKET);
+ if (len == 0)
+ break;
+ do_tty_wake = true;
+--
+2.43.0
+
--- /dev/null
+From 050f69ebb8cc84a3e85919ffdbc7c4bcfb5ed0fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Aug 2024 12:35:41 +0200
+Subject: xhci: dbgtty: use kfifo from tty_port struct
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit 866025f0237609532bc8e4af5ef4d7252d3b55b6 ]
+
+There is no need to define one in a custom structure. The tty_port one
+is free to use.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Cc: Mathias Nyman <mathias.nyman@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Link: https://lore.kernel.org/r/20240808103549.429349-6-jirislaby@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 30c9ae5ece8e ("xhci: dbc: honor usb transfer size boundaries.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-dbgcap.h | 1 -
+ drivers/usb/host/xhci-dbgtty.c | 17 +++++++++--------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h
+index 51a7ab3ba0cac..54fafebb7bd1f 100644
+--- a/drivers/usb/host/xhci-dbgcap.h
++++ b/drivers/usb/host/xhci-dbgcap.h
+@@ -108,7 +108,6 @@ struct dbc_port {
+ struct tasklet_struct push;
+
+ struct list_head write_pool;
+- struct kfifo write_fifo;
+
+ bool registered;
+ };
+diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c
+index 64ea964949975..881f5a7e6e0e1 100644
+--- a/drivers/usb/host/xhci-dbgtty.c
++++ b/drivers/usb/host/xhci-dbgtty.c
+@@ -36,7 +36,7 @@ static int dbc_start_tx(struct dbc_port *port)
+
+ while (!list_empty(pool)) {
+ req = list_entry(pool->next, struct dbc_request, list_pool);
+- len = kfifo_out(&port->write_fifo, req->buf, DBC_MAX_PACKET);
++ len = kfifo_out(&port->port.xmit_fifo, req->buf, DBC_MAX_PACKET);
+ if (len == 0)
+ break;
+ do_tty_wake = true;
+@@ -203,7 +203,7 @@ static ssize_t dbc_tty_write(struct tty_struct *tty, const u8 *buf,
+
+ spin_lock_irqsave(&port->port_lock, flags);
+ if (count)
+- count = kfifo_in(&port->write_fifo, buf, count);
++ count = kfifo_in(&port->port.xmit_fifo, buf, count);
+ dbc_start_tx(port);
+ spin_unlock_irqrestore(&port->port_lock, flags);
+
+@@ -217,7 +217,7 @@ static int dbc_tty_put_char(struct tty_struct *tty, u8 ch)
+ int status;
+
+ spin_lock_irqsave(&port->port_lock, flags);
+- status = kfifo_put(&port->write_fifo, ch);
++ status = kfifo_put(&port->port.xmit_fifo, ch);
+ spin_unlock_irqrestore(&port->port_lock, flags);
+
+ return status;
+@@ -240,7 +240,7 @@ static unsigned int dbc_tty_write_room(struct tty_struct *tty)
+ unsigned int room;
+
+ spin_lock_irqsave(&port->port_lock, flags);
+- room = kfifo_avail(&port->write_fifo);
++ room = kfifo_avail(&port->port.xmit_fifo);
+ spin_unlock_irqrestore(&port->port_lock, flags);
+
+ return room;
+@@ -253,7 +253,7 @@ static unsigned int dbc_tty_chars_in_buffer(struct tty_struct *tty)
+ unsigned int chars;
+
+ spin_lock_irqsave(&port->port_lock, flags);
+- chars = kfifo_len(&port->write_fifo);
++ chars = kfifo_len(&port->port.xmit_fifo);
+ spin_unlock_irqrestore(&port->port_lock, flags);
+
+ return chars;
+@@ -411,7 +411,8 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc)
+ goto err_idr;
+ }
+
+- ret = kfifo_alloc(&port->write_fifo, DBC_WRITE_BUF_SIZE, GFP_KERNEL);
++ ret = kfifo_alloc(&port->port.xmit_fifo, DBC_WRITE_BUF_SIZE,
++ GFP_KERNEL);
+ if (ret)
+ goto err_exit_port;
+
+@@ -440,7 +441,7 @@ static int xhci_dbc_tty_register_device(struct xhci_dbc *dbc)
+ xhci_dbc_free_requests(&port->read_pool);
+ xhci_dbc_free_requests(&port->write_pool);
+ err_free_fifo:
+- kfifo_free(&port->write_fifo);
++ kfifo_free(&port->port.xmit_fifo);
+ err_exit_port:
+ idr_remove(&dbc_tty_minors, port->minor);
+ err_idr:
+@@ -465,7 +466,7 @@ static void xhci_dbc_tty_unregister_device(struct xhci_dbc *dbc)
+ idr_remove(&dbc_tty_minors, port->minor);
+ mutex_unlock(&dbc_tty_minors_lock);
+
+- kfifo_free(&port->write_fifo);
++ kfifo_free(&port->port.xmit_fifo);
+ xhci_dbc_free_requests(&port->read_pool);
+ xhci_dbc_free_requests(&port->read_queue);
+ xhci_dbc_free_requests(&port->write_pool);
+--
+2.43.0
+
--- /dev/null
+From 852baa08d7eded220a2788d9eef267a14782a3aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 10:25:23 -0500
+Subject: XHCI: Separate PORT and CAPs macros into dedicated file
+
+From: Frank Li <Frank.Li@nxp.com>
+
+[ Upstream commit c35ba0ac48355df1d11fcce85945f76c42d250ac ]
+
+Split the PORT and CAPs macro definitions into a separate file to
+facilitate sharing with other files without the need to include the entire
+xhci.h.
+
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240124152525.3910311-2-Frank.Li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-caps.h | 85 ++++++++++++
+ drivers/usb/host/xhci-port.h | 176 +++++++++++++++++++++++
+ drivers/usb/host/xhci.h | 262 +----------------------------------
+ 3 files changed, 264 insertions(+), 259 deletions(-)
+ create mode 100644 drivers/usb/host/xhci-caps.h
+ create mode 100644 drivers/usb/host/xhci-port.h
+
+diff --git a/drivers/usb/host/xhci-caps.h b/drivers/usb/host/xhci-caps.h
+new file mode 100644
+index 0000000000000..9e94cebf4a56d
+--- /dev/null
++++ b/drivers/usb/host/xhci-caps.h
+@@ -0,0 +1,85 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++
++/* hc_capbase bitmasks */
++/* bits 7:0 - how long is the Capabilities register */
++#define HC_LENGTH(p) XHCI_HC_LENGTH(p)
++/* bits 31:16 */
++#define HC_VERSION(p) (((p) >> 16) & 0xffff)
++
++/* HCSPARAMS1 - hcs_params1 - bitmasks */
++/* bits 0:7, Max Device Slots */
++#define HCS_MAX_SLOTS(p) (((p) >> 0) & 0xff)
++#define HCS_SLOTS_MASK 0xff
++/* bits 8:18, Max Interrupters */
++#define HCS_MAX_INTRS(p) (((p) >> 8) & 0x7ff)
++/* bits 24:31, Max Ports - max value is 0x7F = 127 ports */
++#define HCS_MAX_PORTS(p) (((p) >> 24) & 0x7f)
++
++/* HCSPARAMS2 - hcs_params2 - bitmasks */
++/* bits 0:3, frames or uframes that SW needs to queue transactions
++ * ahead of the HW to meet periodic deadlines */
++#define HCS_IST(p) (((p) >> 0) & 0xf)
++/* bits 4:7, max number of Event Ring segments */
++#define HCS_ERST_MAX(p) (((p) >> 4) & 0xf)
++/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */
++/* bit 26 Scratchpad restore - for save/restore HW state - not used yet */
++/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */
++#define HCS_MAX_SCRATCHPAD(p) ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f))
++
++/* HCSPARAMS3 - hcs_params3 - bitmasks */
++/* bits 0:7, Max U1 to U0 latency for the roothub ports */
++#define HCS_U1_LATENCY(p) (((p) >> 0) & 0xff)
++/* bits 16:31, Max U2 to U0 latency for the roothub ports */
++#define HCS_U2_LATENCY(p) (((p) >> 16) & 0xffff)
++
++/* HCCPARAMS - hcc_params - bitmasks */
++/* true: HC can use 64-bit address pointers */
++#define HCC_64BIT_ADDR(p) ((p) & (1 << 0))
++/* true: HC can do bandwidth negotiation */
++#define HCC_BANDWIDTH_NEG(p) ((p) & (1 << 1))
++/* true: HC uses 64-byte Device Context structures
++ * FIXME 64-byte context structures aren't supported yet.
++ */
++#define HCC_64BYTE_CONTEXT(p) ((p) & (1 << 2))
++/* true: HC has port power switches */
++#define HCC_PPC(p) ((p) & (1 << 3))
++/* true: HC has port indicators */
++#define HCS_INDICATOR(p) ((p) & (1 << 4))
++/* true: HC has Light HC Reset Capability */
++#define HCC_LIGHT_RESET(p) ((p) & (1 << 5))
++/* true: HC supports latency tolerance messaging */
++#define HCC_LTC(p) ((p) & (1 << 6))
++/* true: no secondary Stream ID Support */
++#define HCC_NSS(p) ((p) & (1 << 7))
++/* true: HC supports Stopped - Short Packet */
++#define HCC_SPC(p) ((p) & (1 << 9))
++/* true: HC has Contiguous Frame ID Capability */
++#define HCC_CFC(p) ((p) & (1 << 11))
++/* Max size for Primary Stream Arrays - 2^(n+1), where n is bits 12:15 */
++#define HCC_MAX_PSA(p) (1 << ((((p) >> 12) & 0xf) + 1))
++/* Extended Capabilities pointer from PCI base - section 5.3.6 */
++#define HCC_EXT_CAPS(p) XHCI_HCC_EXT_CAPS(p)
++
++#define CTX_SIZE(_hcc) (HCC_64BYTE_CONTEXT(_hcc) ? 64 : 32)
++
++/* db_off bitmask - bits 0:1 reserved */
++#define DBOFF_MASK (~0x3)
++
++/* run_regs_off bitmask - bits 0:4 reserved */
++#define RTSOFF_MASK (~0x1f)
++
++/* HCCPARAMS2 - hcc_params2 - bitmasks */
++/* true: HC supports U3 entry Capability */
++#define HCC2_U3C(p) ((p) & (1 << 0))
++/* true: HC supports Configure endpoint command Max exit latency too large */
++#define HCC2_CMC(p) ((p) & (1 << 1))
++/* true: HC supports Force Save context Capability */
++#define HCC2_FSC(p) ((p) & (1 << 2))
++/* true: HC supports Compliance Transition Capability */
++#define HCC2_CTC(p) ((p) & (1 << 3))
++/* true: HC support Large ESIT payload Capability > 48k */
++#define HCC2_LEC(p) ((p) & (1 << 4))
++/* true: HC support Configuration Information Capability */
++#define HCC2_CIC(p) ((p) & (1 << 5))
++/* true: HC support Extended TBC Capability, Isoc burst count > 65535 */
++#define HCC2_ETC(p) ((p) & (1 << 6))
+diff --git a/drivers/usb/host/xhci-port.h b/drivers/usb/host/xhci-port.h
+new file mode 100644
+index 0000000000000..f19efb966d180
+--- /dev/null
++++ b/drivers/usb/host/xhci-port.h
+@@ -0,0 +1,176 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++
++/* PORTSC - Port Status and Control Register - port_status_base bitmasks */
++/* true: device connected */
++#define PORT_CONNECT (1 << 0)
++/* true: port enabled */
++#define PORT_PE (1 << 1)
++/* bit 2 reserved and zeroed */
++/* true: port has an over-current condition */
++#define PORT_OC (1 << 3)
++/* true: port reset signaling asserted */
++#define PORT_RESET (1 << 4)
++/* Port Link State - bits 5:8
++ * A read gives the current link PM state of the port,
++ * a write with Link State Write Strobe set sets the link state.
++ */
++#define PORT_PLS_MASK (0xf << 5)
++#define XDEV_U0 (0x0 << 5)
++#define XDEV_U1 (0x1 << 5)
++#define XDEV_U2 (0x2 << 5)
++#define XDEV_U3 (0x3 << 5)
++#define XDEV_DISABLED (0x4 << 5)
++#define XDEV_RXDETECT (0x5 << 5)
++#define XDEV_INACTIVE (0x6 << 5)
++#define XDEV_POLLING (0x7 << 5)
++#define XDEV_RECOVERY (0x8 << 5)
++#define XDEV_HOT_RESET (0x9 << 5)
++#define XDEV_COMP_MODE (0xa << 5)
++#define XDEV_TEST_MODE (0xb << 5)
++#define XDEV_RESUME (0xf << 5)
++
++/* true: port has power (see HCC_PPC) */
++#define PORT_POWER (1 << 9)
++/* bits 10:13 indicate device speed:
++ * 0 - undefined speed - port hasn't be initialized by a reset yet
++ * 1 - full speed
++ * 2 - low speed
++ * 3 - high speed
++ * 4 - super speed
++ * 5-15 reserved
++ */
++#define DEV_SPEED_MASK (0xf << 10)
++#define XDEV_FS (0x1 << 10)
++#define XDEV_LS (0x2 << 10)
++#define XDEV_HS (0x3 << 10)
++#define XDEV_SS (0x4 << 10)
++#define XDEV_SSP (0x5 << 10)
++#define DEV_UNDEFSPEED(p) (((p) & DEV_SPEED_MASK) == (0x0<<10))
++#define DEV_FULLSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_FS)
++#define DEV_LOWSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_LS)
++#define DEV_HIGHSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_HS)
++#define DEV_SUPERSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_SS)
++#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP)
++#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS)
++#define DEV_PORT_SPEED(p) (((p) >> 10) & 0x0f)
++
++/* Bits 20:23 in the Slot Context are the speed for the device */
++#define SLOT_SPEED_FS (XDEV_FS << 10)
++#define SLOT_SPEED_LS (XDEV_LS << 10)
++#define SLOT_SPEED_HS (XDEV_HS << 10)
++#define SLOT_SPEED_SS (XDEV_SS << 10)
++#define SLOT_SPEED_SSP (XDEV_SSP << 10)
++/* Port Indicator Control */
++#define PORT_LED_OFF (0 << 14)
++#define PORT_LED_AMBER (1 << 14)
++#define PORT_LED_GREEN (2 << 14)
++#define PORT_LED_MASK (3 << 14)
++/* Port Link State Write Strobe - set this when changing link state */
++#define PORT_LINK_STROBE (1 << 16)
++/* true: connect status change */
++#define PORT_CSC (1 << 17)
++/* true: port enable change */
++#define PORT_PEC (1 << 18)
++/* true: warm reset for a USB 3.0 device is done. A "hot" reset puts the port
++ * into an enabled state, and the device into the default state. A "warm" reset
++ * also resets the link, forcing the device through the link training sequence.
++ * SW can also look at the Port Reset register to see when warm reset is done.
++ */
++#define PORT_WRC (1 << 19)
++/* true: over-current change */
++#define PORT_OCC (1 << 20)
++/* true: reset change - 1 to 0 transition of PORT_RESET */
++#define PORT_RC (1 << 21)
++/* port link status change - set on some port link state transitions:
++ * Transition Reason
++ * ------------------------------------------------------------------------------
++ * - U3 to Resume Wakeup signaling from a device
++ * - Resume to Recovery to U0 USB 3.0 device resume
++ * - Resume to U0 USB 2.0 device resume
++ * - U3 to Recovery to U0 Software resume of USB 3.0 device complete
++ * - U3 to U0 Software resume of USB 2.0 device complete
++ * - U2 to U0 L1 resume of USB 2.1 device complete
++ * - U0 to U0 (???) L1 entry rejection by USB 2.1 device
++ * - U0 to disabled L1 entry error with USB 2.1 device
++ * - Any state to inactive Error on USB 3.0 port
++ */
++#define PORT_PLC (1 << 22)
++/* port configure error change - port failed to configure its link partner */
++#define PORT_CEC (1 << 23)
++#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \
++ PORT_RC | PORT_PLC | PORT_CEC)
++
++
++/* Cold Attach Status - xHC can set this bit to report device attached during
++ * Sx state. Warm port reset should be perfomed to clear this bit and move port
++ * to connected state.
++ */
++#define PORT_CAS (1 << 24)
++/* wake on connect (enable) */
++#define PORT_WKCONN_E (1 << 25)
++/* wake on disconnect (enable) */
++#define PORT_WKDISC_E (1 << 26)
++/* wake on over-current (enable) */
++#define PORT_WKOC_E (1 << 27)
++/* bits 28:29 reserved */
++/* true: device is non-removable - for USB 3.0 roothub emulation */
++#define PORT_DEV_REMOVE (1 << 30)
++/* Initiate a warm port reset - complete when PORT_WRC is '1' */
++#define PORT_WR (1 << 31)
++
++/* We mark duplicate entries with -1 */
++#define DUPLICATE_ENTRY ((u8)(-1))
++
++/* Port Power Management Status and Control - port_power_base bitmasks */
++/* Inactivity timer value for transitions into U1, in microseconds.
++ * Timeout can be up to 127us. 0xFF means an infinite timeout.
++ */
++#define PORT_U1_TIMEOUT(p) ((p) & 0xff)
++#define PORT_U1_TIMEOUT_MASK 0xff
++/* Inactivity timer value for transitions into U2 */
++#define PORT_U2_TIMEOUT(p) (((p) & 0xff) << 8)
++#define PORT_U2_TIMEOUT_MASK (0xff << 8)
++/* Bits 24:31 for port testing */
++
++/* USB2 Protocol PORTSPMSC */
++#define PORT_L1S_MASK 7
++#define PORT_L1S_SUCCESS 1
++#define PORT_RWE (1 << 3)
++#define PORT_HIRD(p) (((p) & 0xf) << 4)
++#define PORT_HIRD_MASK (0xf << 4)
++#define PORT_L1DS_MASK (0xff << 8)
++#define PORT_L1DS(p) (((p) & 0xff) << 8)
++#define PORT_HLE (1 << 16)
++#define PORT_TEST_MODE_SHIFT 28
++
++/* USB3 Protocol PORTLI Port Link Information */
++#define PORT_RX_LANES(p) (((p) >> 16) & 0xf)
++#define PORT_TX_LANES(p) (((p) >> 20) & 0xf)
++
++/* USB2 Protocol PORTHLPMC */
++#define PORT_HIRDM(p)((p) & 3)
++#define PORT_L1_TIMEOUT(p)(((p) & 0xff) << 2)
++#define PORT_BESLD(p)(((p) & 0xf) << 10)
++
++/* use 512 microseconds as USB2 LPM L1 default timeout. */
++#define XHCI_L1_TIMEOUT 512
++
++/* Set default HIRD/BESL value to 4 (350/400us) for USB2 L1 LPM resume latency.
++ * Safe to use with mixed HIRD and BESL systems (host and device) and is used
++ * by other operating systems.
++ *
++ * XHCI 1.0 errata 8/14/12 Table 13 notes:
++ * "Software should choose xHC BESL/BESLD field values that do not violate a
++ * device's resume latency requirements,
++ * e.g. not program values > '4' if BLC = '1' and a HIRD device is attached,
++ * or not program values < '4' if BLC = '0' and a BESL device is attached.
++ */
++#define XHCI_DEFAULT_BESL 4
++
++/*
++ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
++ * to complete link training. usually link trainig completes much faster
++ * so check status 10 times with 36ms sleep in places we need to wait for
++ * polling to complete.
++ */
++#define XHCI_PORT_POLLING_LFPS_TIME 36
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index 7754ed55d220b..f2190d121233b 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -23,6 +23,9 @@
+ #include "xhci-ext-caps.h"
+ #include "pci-quirks.h"
+
++#include "xhci-port.h"
++#include "xhci-caps.h"
++
+ /* max buffer size for trace and debug messages */
+ #define XHCI_MSG_MAX 500
+
+@@ -63,90 +66,6 @@ struct xhci_cap_regs {
+ /* Reserved up to (CAPLENGTH - 0x1C) */
+ };
+
+-/* hc_capbase bitmasks */
+-/* bits 7:0 - how long is the Capabilities register */
+-#define HC_LENGTH(p) XHCI_HC_LENGTH(p)
+-/* bits 31:16 */
+-#define HC_VERSION(p) (((p) >> 16) & 0xffff)
+-
+-/* HCSPARAMS1 - hcs_params1 - bitmasks */
+-/* bits 0:7, Max Device Slots */
+-#define HCS_MAX_SLOTS(p) (((p) >> 0) & 0xff)
+-#define HCS_SLOTS_MASK 0xff
+-/* bits 8:18, Max Interrupters */
+-#define HCS_MAX_INTRS(p) (((p) >> 8) & 0x7ff)
+-/* bits 24:31, Max Ports - max value is 0x7F = 127 ports */
+-#define HCS_MAX_PORTS(p) (((p) >> 24) & 0x7f)
+-
+-/* HCSPARAMS2 - hcs_params2 - bitmasks */
+-/* bits 0:3, frames or uframes that SW needs to queue transactions
+- * ahead of the HW to meet periodic deadlines */
+-#define HCS_IST(p) (((p) >> 0) & 0xf)
+-/* bits 4:7, max number of Event Ring segments */
+-#define HCS_ERST_MAX(p) (((p) >> 4) & 0xf)
+-/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */
+-/* bit 26 Scratchpad restore - for save/restore HW state - not used yet */
+-/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */
+-#define HCS_MAX_SCRATCHPAD(p) ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f))
+-
+-/* HCSPARAMS3 - hcs_params3 - bitmasks */
+-/* bits 0:7, Max U1 to U0 latency for the roothub ports */
+-#define HCS_U1_LATENCY(p) (((p) >> 0) & 0xff)
+-/* bits 16:31, Max U2 to U0 latency for the roothub ports */
+-#define HCS_U2_LATENCY(p) (((p) >> 16) & 0xffff)
+-
+-/* HCCPARAMS - hcc_params - bitmasks */
+-/* true: HC can use 64-bit address pointers */
+-#define HCC_64BIT_ADDR(p) ((p) & (1 << 0))
+-/* true: HC can do bandwidth negotiation */
+-#define HCC_BANDWIDTH_NEG(p) ((p) & (1 << 1))
+-/* true: HC uses 64-byte Device Context structures
+- * FIXME 64-byte context structures aren't supported yet.
+- */
+-#define HCC_64BYTE_CONTEXT(p) ((p) & (1 << 2))
+-/* true: HC has port power switches */
+-#define HCC_PPC(p) ((p) & (1 << 3))
+-/* true: HC has port indicators */
+-#define HCS_INDICATOR(p) ((p) & (1 << 4))
+-/* true: HC has Light HC Reset Capability */
+-#define HCC_LIGHT_RESET(p) ((p) & (1 << 5))
+-/* true: HC supports latency tolerance messaging */
+-#define HCC_LTC(p) ((p) & (1 << 6))
+-/* true: no secondary Stream ID Support */
+-#define HCC_NSS(p) ((p) & (1 << 7))
+-/* true: HC supports Stopped - Short Packet */
+-#define HCC_SPC(p) ((p) & (1 << 9))
+-/* true: HC has Contiguous Frame ID Capability */
+-#define HCC_CFC(p) ((p) & (1 << 11))
+-/* Max size for Primary Stream Arrays - 2^(n+1), where n is bits 12:15 */
+-#define HCC_MAX_PSA(p) (1 << ((((p) >> 12) & 0xf) + 1))
+-/* Extended Capabilities pointer from PCI base - section 5.3.6 */
+-#define HCC_EXT_CAPS(p) XHCI_HCC_EXT_CAPS(p)
+-
+-#define CTX_SIZE(_hcc) (HCC_64BYTE_CONTEXT(_hcc) ? 64 : 32)
+-
+-/* db_off bitmask - bits 0:1 reserved */
+-#define DBOFF_MASK (~0x3)
+-
+-/* run_regs_off bitmask - bits 0:4 reserved */
+-#define RTSOFF_MASK (~0x1f)
+-
+-/* HCCPARAMS2 - hcc_params2 - bitmasks */
+-/* true: HC supports U3 entry Capability */
+-#define HCC2_U3C(p) ((p) & (1 << 0))
+-/* true: HC supports Configure endpoint command Max exit latency too large */
+-#define HCC2_CMC(p) ((p) & (1 << 1))
+-/* true: HC supports Force Save context Capability */
+-#define HCC2_FSC(p) ((p) & (1 << 2))
+-/* true: HC supports Compliance Transition Capability */
+-#define HCC2_CTC(p) ((p) & (1 << 3))
+-/* true: HC support Large ESIT payload Capability > 48k */
+-#define HCC2_LEC(p) ((p) & (1 << 4))
+-/* true: HC support Configuration Information Capability */
+-#define HCC2_CIC(p) ((p) & (1 << 5))
+-/* true: HC support Extended TBC Capability, Isoc burst count > 65535 */
+-#define HCC2_ETC(p) ((p) & (1 << 6))
+-
+ /* Number of registers per port */
+ #define NUM_PORT_REGS 4
+
+@@ -292,181 +211,6 @@ struct xhci_op_regs {
+ #define CONFIG_CIE (1 << 9)
+ /* bits 10:31 - reserved and should be preserved */
+
+-/* PORTSC - Port Status and Control Register - port_status_base bitmasks */
+-/* true: device connected */
+-#define PORT_CONNECT (1 << 0)
+-/* true: port enabled */
+-#define PORT_PE (1 << 1)
+-/* bit 2 reserved and zeroed */
+-/* true: port has an over-current condition */
+-#define PORT_OC (1 << 3)
+-/* true: port reset signaling asserted */
+-#define PORT_RESET (1 << 4)
+-/* Port Link State - bits 5:8
+- * A read gives the current link PM state of the port,
+- * a write with Link State Write Strobe set sets the link state.
+- */
+-#define PORT_PLS_MASK (0xf << 5)
+-#define XDEV_U0 (0x0 << 5)
+-#define XDEV_U1 (0x1 << 5)
+-#define XDEV_U2 (0x2 << 5)
+-#define XDEV_U3 (0x3 << 5)
+-#define XDEV_DISABLED (0x4 << 5)
+-#define XDEV_RXDETECT (0x5 << 5)
+-#define XDEV_INACTIVE (0x6 << 5)
+-#define XDEV_POLLING (0x7 << 5)
+-#define XDEV_RECOVERY (0x8 << 5)
+-#define XDEV_HOT_RESET (0x9 << 5)
+-#define XDEV_COMP_MODE (0xa << 5)
+-#define XDEV_TEST_MODE (0xb << 5)
+-#define XDEV_RESUME (0xf << 5)
+-
+-/* true: port has power (see HCC_PPC) */
+-#define PORT_POWER (1 << 9)
+-/* bits 10:13 indicate device speed:
+- * 0 - undefined speed - port hasn't be initialized by a reset yet
+- * 1 - full speed
+- * 2 - low speed
+- * 3 - high speed
+- * 4 - super speed
+- * 5-15 reserved
+- */
+-#define DEV_SPEED_MASK (0xf << 10)
+-#define XDEV_FS (0x1 << 10)
+-#define XDEV_LS (0x2 << 10)
+-#define XDEV_HS (0x3 << 10)
+-#define XDEV_SS (0x4 << 10)
+-#define XDEV_SSP (0x5 << 10)
+-#define DEV_UNDEFSPEED(p) (((p) & DEV_SPEED_MASK) == (0x0<<10))
+-#define DEV_FULLSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_FS)
+-#define DEV_LOWSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_LS)
+-#define DEV_HIGHSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_HS)
+-#define DEV_SUPERSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_SS)
+-#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP)
+-#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS)
+-#define DEV_PORT_SPEED(p) (((p) >> 10) & 0x0f)
+-
+-/* Bits 20:23 in the Slot Context are the speed for the device */
+-#define SLOT_SPEED_FS (XDEV_FS << 10)
+-#define SLOT_SPEED_LS (XDEV_LS << 10)
+-#define SLOT_SPEED_HS (XDEV_HS << 10)
+-#define SLOT_SPEED_SS (XDEV_SS << 10)
+-#define SLOT_SPEED_SSP (XDEV_SSP << 10)
+-/* Port Indicator Control */
+-#define PORT_LED_OFF (0 << 14)
+-#define PORT_LED_AMBER (1 << 14)
+-#define PORT_LED_GREEN (2 << 14)
+-#define PORT_LED_MASK (3 << 14)
+-/* Port Link State Write Strobe - set this when changing link state */
+-#define PORT_LINK_STROBE (1 << 16)
+-/* true: connect status change */
+-#define PORT_CSC (1 << 17)
+-/* true: port enable change */
+-#define PORT_PEC (1 << 18)
+-/* true: warm reset for a USB 3.0 device is done. A "hot" reset puts the port
+- * into an enabled state, and the device into the default state. A "warm" reset
+- * also resets the link, forcing the device through the link training sequence.
+- * SW can also look at the Port Reset register to see when warm reset is done.
+- */
+-#define PORT_WRC (1 << 19)
+-/* true: over-current change */
+-#define PORT_OCC (1 << 20)
+-/* true: reset change - 1 to 0 transition of PORT_RESET */
+-#define PORT_RC (1 << 21)
+-/* port link status change - set on some port link state transitions:
+- * Transition Reason
+- * ------------------------------------------------------------------------------
+- * - U3 to Resume Wakeup signaling from a device
+- * - Resume to Recovery to U0 USB 3.0 device resume
+- * - Resume to U0 USB 2.0 device resume
+- * - U3 to Recovery to U0 Software resume of USB 3.0 device complete
+- * - U3 to U0 Software resume of USB 2.0 device complete
+- * - U2 to U0 L1 resume of USB 2.1 device complete
+- * - U0 to U0 (???) L1 entry rejection by USB 2.1 device
+- * - U0 to disabled L1 entry error with USB 2.1 device
+- * - Any state to inactive Error on USB 3.0 port
+- */
+-#define PORT_PLC (1 << 22)
+-/* port configure error change - port failed to configure its link partner */
+-#define PORT_CEC (1 << 23)
+-#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \
+- PORT_RC | PORT_PLC | PORT_CEC)
+-
+-
+-/* Cold Attach Status - xHC can set this bit to report device attached during
+- * Sx state. Warm port reset should be perfomed to clear this bit and move port
+- * to connected state.
+- */
+-#define PORT_CAS (1 << 24)
+-/* wake on connect (enable) */
+-#define PORT_WKCONN_E (1 << 25)
+-/* wake on disconnect (enable) */
+-#define PORT_WKDISC_E (1 << 26)
+-/* wake on over-current (enable) */
+-#define PORT_WKOC_E (1 << 27)
+-/* bits 28:29 reserved */
+-/* true: device is non-removable - for USB 3.0 roothub emulation */
+-#define PORT_DEV_REMOVE (1 << 30)
+-/* Initiate a warm port reset - complete when PORT_WRC is '1' */
+-#define PORT_WR (1 << 31)
+-
+-/* We mark duplicate entries with -1 */
+-#define DUPLICATE_ENTRY ((u8)(-1))
+-
+-/* Port Power Management Status and Control - port_power_base bitmasks */
+-/* Inactivity timer value for transitions into U1, in microseconds.
+- * Timeout can be up to 127us. 0xFF means an infinite timeout.
+- */
+-#define PORT_U1_TIMEOUT(p) ((p) & 0xff)
+-#define PORT_U1_TIMEOUT_MASK 0xff
+-/* Inactivity timer value for transitions into U2 */
+-#define PORT_U2_TIMEOUT(p) (((p) & 0xff) << 8)
+-#define PORT_U2_TIMEOUT_MASK (0xff << 8)
+-/* Bits 24:31 for port testing */
+-
+-/* USB2 Protocol PORTSPMSC */
+-#define PORT_L1S_MASK 7
+-#define PORT_L1S_SUCCESS 1
+-#define PORT_RWE (1 << 3)
+-#define PORT_HIRD(p) (((p) & 0xf) << 4)
+-#define PORT_HIRD_MASK (0xf << 4)
+-#define PORT_L1DS_MASK (0xff << 8)
+-#define PORT_L1DS(p) (((p) & 0xff) << 8)
+-#define PORT_HLE (1 << 16)
+-#define PORT_TEST_MODE_SHIFT 28
+-
+-/* USB3 Protocol PORTLI Port Link Information */
+-#define PORT_RX_LANES(p) (((p) >> 16) & 0xf)
+-#define PORT_TX_LANES(p) (((p) >> 20) & 0xf)
+-
+-/* USB2 Protocol PORTHLPMC */
+-#define PORT_HIRDM(p)((p) & 3)
+-#define PORT_L1_TIMEOUT(p)(((p) & 0xff) << 2)
+-#define PORT_BESLD(p)(((p) & 0xf) << 10)
+-
+-/* use 512 microseconds as USB2 LPM L1 default timeout. */
+-#define XHCI_L1_TIMEOUT 512
+-
+-/* Set default HIRD/BESL value to 4 (350/400us) for USB2 L1 LPM resume latency.
+- * Safe to use with mixed HIRD and BESL systems (host and device) and is used
+- * by other operating systems.
+- *
+- * XHCI 1.0 errata 8/14/12 Table 13 notes:
+- * "Software should choose xHC BESL/BESLD field values that do not violate a
+- * device's resume latency requirements,
+- * e.g. not program values > '4' if BLC = '1' and a HIRD device is attached,
+- * or not program values < '4' if BLC = '0' and a BESL device is attached.
+- */
+-#define XHCI_DEFAULT_BESL 4
+-
+-/*
+- * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
+- * to complete link training. usually link trainig completes much faster
+- * so check status 10 times with 36ms sleep in places we need to wait for
+- * polling to complete.
+- */
+-#define XHCI_PORT_POLLING_LFPS_TIME 36
+-
+ /**
+ * struct xhci_intr_reg - Interrupt Register Set
+ * @irq_pending: IMAN - Interrupt Management Register. Used to enable
+--
+2.43.0
+