--- /dev/null
+From 640adab17cd2c6afde6f29eb470a4b3c8cad3553 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 13:44:40 -0700
+Subject: bpf: report RCU QS in cpumap kthread
+
+From: Yan Zhai <yan@cloudflare.com>
+
+[ Upstream commit 00bf63122459e87193ee7f1bc6161c83a525569f ]
+
+When there are heavy load, cpumap kernel threads can be busy polling
+packets from redirect queues and block out RCU tasks from reaching
+quiescent states. It is insufficient to just call cond_resched() in such
+context. Periodically raise a consolidated RCU QS before cond_resched
+fixes the problem.
+
+Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP")
+Reviewed-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Signed-off-by: Yan Zhai <yan@cloudflare.com>
+Acked-by: Paul E. McKenney <paulmck@kernel.org>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Link: https://lore.kernel.org/r/c17b9f1517e19d813da3ede5ed33ee18496bb5d8.1710877680.git.yan@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/cpumap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
+index 61fbcae82f0a1..6f7548138435b 100644
+--- a/kernel/bpf/cpumap.c
++++ b/kernel/bpf/cpumap.c
+@@ -243,6 +243,7 @@ static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
+ static int cpu_map_kthread_run(void *data)
+ {
+ struct bpf_cpu_map_entry *rcpu = data;
++ unsigned long last_qs = jiffies;
+
+ set_current_state(TASK_INTERRUPTIBLE);
+
+@@ -262,10 +263,12 @@ static int cpu_map_kthread_run(void *data)
+ if (__ptr_ring_empty(rcpu->queue)) {
+ schedule();
+ sched = 1;
++ last_qs = jiffies;
+ } else {
+ __set_current_state(TASK_RUNNING);
+ }
+ } else {
++ rcu_softirq_qs_periodic(last_qs);
+ sched = cond_resched();
+ }
+
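Review bot: The reset `last_qs = jiffies;` after `schedule()` and the call `rcu_softirq_qs_periodic(last_qs);` carry no comment, and the second one silently writes to `last_qs` because it is a macro. A reader of cpu_map_kthread_run() alone cannot tell why the timestamp is restarted in one branch and passed "by value" in the other. I would add `/* schedule() already provides a quiescent state; restart the window */` above the reset and `/* macro: updates last_qs when it reports a QS */` above the periodic call. The loop body continues outside both hunks, so the enclosing `while` and the softirq/preemption state at the call site (which the helper's kernel-doc requires to be enabled) should be confirmed there.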
+--
+2.43.0
+
--- /dev/null
+From 74aea71617d83e519eda61f6c9c563c3ce090cea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 00:27:19 +0900
+Subject: hsr: Fix uninit-value access in hsr_get_node()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit ddbec99f58571301679addbc022256970ca3eac6 ]
+
+KMSAN reported the following uninit-value access issue [1]:
+
+=====================================================
+BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246
+ hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246
+ fill_frame_info net/hsr/hsr_forward.c:577 [inline]
+ hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615
+ hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223
+ __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+ xmit_one net/core/dev.c:3548 [inline]
+ dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
+ __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
+ dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+ packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+ packet_snd net/packet/af_packet.c:3087 [inline]
+ packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x735/0xa10 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3478 [inline]
+ kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
+ __alloc_skb+0x318/0x740 net/core/skbuff.c:651
+ alloc_skb include/linux/skbuff.h:1286 [inline]
+ alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
+ sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787
+ packet_alloc_skb net/packet/af_packet.c:2936 [inline]
+ packet_snd net/packet/af_packet.c:3030 [inline]
+ packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x735/0xa10 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
+=====================================================
+
+If the packet type ID field in the Ethernet header is either ETH_P_PRP or
+ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr()
+reads an invalid value as a sequence number. This causes the above issue.
+
+This patch fixes the issue by returning NULL if the Ethernet header is not
+followed by an HSR tag.
+
+Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
+Reported-and-tested-by: syzbot+2ef3a8ce8e91b5a50098@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2ef3a8ce8e91b5a50098 [1]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20240312152719.724530-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_framereg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
+index 9c5a423f0f7a3..e1ef9799762c9 100644
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -194,6 +194,10 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb,
+
+ if (ethhdr->h_proto == htons(ETH_P_PRP) ||
+ ethhdr->h_proto == htons(ETH_P_HSR)) {
++ /* Check if skb contains hsr_ethhdr */
++ if (skb->mac_len < sizeof(struct hsr_ethhdr))
++ return NULL;
++
+ /* Use the existing sequence_nr from the tag as starting point
+ * for filtering duplicate frames.
+ */
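Review bot: The new guard `skb->mac_len < sizeof(struct hsr_ethhdr)` trusts skb metadata as proof that the HSR tag bytes are present, and nothing in this hunk shows where `mac_len` is set on the transmit path from the KMSAN trace (packet_sendmsg → hsr_dev_xmit → hsr_get_node). If `mac_len` can be stale or larger than the linear data on some path, the tag read that follows is still reachable on uninitialised bytes; that needs confirming in the callers. The comment would be more useful if it stated the assumption, e.g. `/* mac_len must cover the HSR tag before the sequence number is read from it */`. The function now has an extra `return NULL` path, so every caller has to tolerate NULL; hsr_get_node() starts and ends outside the hunk, so that cannot be checked here.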
+--
+2.43.0
+
--- /dev/null
+From 56c59a8418822c1cdc616eb2ec8c182b2631565b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 13:04:52 +0100
+Subject: hsr: Handle failures in module init
+
+From: Felix Maurer <fmaurer@redhat.com>
+
+[ Upstream commit 3cf28cd492308e5f63ed00b29ea03ca016264376 ]
+
+A failure during registration of the netdev notifier was not handled at
+all. A failure during netlink initialization did not unregister the netdev
+notifier.
+
+Handle failures of netdev notifier registration and netlink initialization.
+Both functions should only return negative values on failure and thereby
+lead to the hsr module not being loaded.
+
+Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: Felix Maurer <fmaurer@redhat.com>
+Reviewed-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Breno Leitao <leitao@debian.org>
+Link: https://lore.kernel.org/r/3ce097c15e3f7ace98fc7fd9bcbf299f092e63d1.1710504184.git.fmaurer@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_main.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/net/hsr/hsr_main.c b/net/hsr/hsr_main.c
+index cd37d0011b424..c22013ff44795 100644
+--- a/net/hsr/hsr_main.c
++++ b/net/hsr/hsr_main.c
+@@ -115,14 +115,21 @@ static struct notifier_block hsr_nb = {
+
+ static int __init hsr_init(void)
+ {
+- int res;
++ int err;
+
+ BUILD_BUG_ON(sizeof(struct hsr_tag) != HSR_HLEN);
+
+- register_netdevice_notifier(&hsr_nb);
+- res = hsr_netlink_init();
++ err = register_netdevice_notifier(&hsr_nb);
++ if (err)
++ return err;
++
++ err = hsr_netlink_init();
++ if (err) {
++ unregister_netdevice_notifier(&hsr_nb);
++ return err;
++ }
+
+- return res;
++ return 0;
+ }
+
+ static void __exit hsr_exit(void)
+--
+2.43.0
+
--- /dev/null
+From 88164cd4365dd53a8c522454c94da23923f4cd7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Aug 2018 06:29:44 -0700
+Subject: ice: Rework flex descriptor programming
+
+From: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+
+[ Upstream commit 22ef683b48182f4d6125a2fb2725eb8a141514ff ]
+
+The driver can support two flex descriptor profiles, ICE_RXDID_FLEX_NIC
+and ICE_RXDID_FLEX_NIC_2. This patch reworks the current flex programming
+logic to add support for the latter profile.
+
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Stable-dep-of: 00bf63122459 ("bpf: report RCU QS in cpumap kthread")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_common.c | 102 ++++++++++++++----
+ .../net/ethernet/intel/ice/ice_lan_tx_rx.h | 24 +++--
+ 2 files changed, 92 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
+index f8d00263d9019..72a6f22ee423f 100644
+--- a/drivers/net/ethernet/intel/ice/ice_common.c
++++ b/drivers/net/ethernet/intel/ice/ice_common.c
+@@ -7,16 +7,16 @@
+
+ #define ICE_PF_RESET_WAIT_COUNT 200
+
+-#define ICE_NIC_FLX_ENTRY(hw, mdid, idx) \
+- wr32((hw), GLFLXP_RXDID_FLX_WRD_##idx(ICE_RXDID_FLEX_NIC), \
++#define ICE_PROG_FLEX_ENTRY(hw, rxdid, mdid, idx) \
++ wr32((hw), GLFLXP_RXDID_FLX_WRD_##idx(rxdid), \
+ ((ICE_RX_OPC_MDID << \
+ GLFLXP_RXDID_FLX_WRD_##idx##_RXDID_OPCODE_S) & \
+ GLFLXP_RXDID_FLX_WRD_##idx##_RXDID_OPCODE_M) | \
+ (((mdid) << GLFLXP_RXDID_FLX_WRD_##idx##_PROT_MDID_S) & \
+ GLFLXP_RXDID_FLX_WRD_##idx##_PROT_MDID_M))
+
+-#define ICE_NIC_FLX_FLG_ENTRY(hw, flg_0, flg_1, flg_2, flg_3, idx) \
+- wr32((hw), GLFLXP_RXDID_FLAGS(ICE_RXDID_FLEX_NIC, idx), \
++#define ICE_PROG_FLG_ENTRY(hw, rxdid, flg_0, flg_1, flg_2, flg_3, idx) \
++ wr32((hw), GLFLXP_RXDID_FLAGS(rxdid, idx), \
+ (((flg_0) << GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_S) & \
+ GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_M) | \
+ (((flg_1) << GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_1_S) & \
+@@ -290,30 +290,85 @@ ice_aq_get_link_info(struct ice_port_info *pi, bool ena_lse,
+ }
+
+ /**
+- * ice_init_flex_parser - initialize rx flex parser
++ * ice_init_flex_flags
+ * @hw: pointer to the hardware structure
++ * @prof_id: Rx Descriptor Builder profile ID
+ *
+- * Function to initialize flex descriptors
++ * Function to initialize Rx flex flags
+ */
+-static void ice_init_flex_parser(struct ice_hw *hw)
++static void ice_init_flex_flags(struct ice_hw *hw, enum ice_rxdid prof_id)
+ {
+ u8 idx = 0;
+
+- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_HASH_LOW, 0);
+- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_HASH_HIGH, 1);
+- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_FLOW_ID_LOWER, 2);
+- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_FLOW_ID_HIGH, 3);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_PKT_FRG, ICE_RXFLG_UDP_GRE,
+- ICE_RXFLG_PKT_DSI, ICE_RXFLG_FIN, idx++);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_SYN, ICE_RXFLG_RST,
+- ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx++);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI,
+- ICE_RXFLG_EVLAN_x8100, ICE_RXFLG_EVLAN_x9100,
+- idx++);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_VLAN_x8100, ICE_RXFLG_TNL_VLAN,
+- ICE_RXFLG_TNL_MAC, ICE_RXFLG_TNL0, idx++);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_TNL1, ICE_RXFLG_TNL2,
+- ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx);
++ /* Flex-flag fields (0-2) are programmed with FLG64 bits with layout:
++ * flexiflags0[5:0] - TCP flags, is_packet_fragmented, is_packet_UDP_GRE
++ * flexiflags1[3:0] - Not used for flag programming
++ * flexiflags2[7:0] - Tunnel and VLAN types
++ * 2 invalid fields in last index
++ */
++ switch (prof_id) {
++ /* Rx flex flags are currently programmed for the NIC profiles only.
++ * Different flag bit programming configurations can be added per
++ * profile as needed.
++ */
++ case ICE_RXDID_FLEX_NIC:
++ case ICE_RXDID_FLEX_NIC_2:
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_PKT_FRG,
++ ICE_RXFLG_UDP_GRE, ICE_RXFLG_PKT_DSI,
++ ICE_RXFLG_FIN, idx++);
++ /* flex flag 1 is not used for flexi-flag programming, skipping
++ * these four FLG64 bits.
++ */
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_SYN, ICE_RXFLG_RST,
++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx++);
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_PKT_DSI,
++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_EVLAN_x8100,
++ ICE_RXFLG_EVLAN_x9100, idx++);
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_VLAN_x8100,
++ ICE_RXFLG_TNL_VLAN, ICE_RXFLG_TNL_MAC,
++ ICE_RXFLG_TNL0, idx++);
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_TNL1, ICE_RXFLG_TNL2,
++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx);
++ break;
++
++ default:
++ ice_debug(hw, ICE_DBG_INIT,
++ "Flag programming for profile ID %d not supported\n",
++ prof_id);
++ }
++}
++
++/**
++ * ice_init_flex_flds
++ * @hw: pointer to the hardware structure
++ * @prof_id: Rx Descriptor Builder profile ID
++ *
++ * Function to initialize flex descriptors
++ */
++static void ice_init_flex_flds(struct ice_hw *hw, enum ice_rxdid prof_id)
++{
++ enum ice_flex_rx_mdid mdid;
++
++ switch (prof_id) {
++ case ICE_RXDID_FLEX_NIC:
++ case ICE_RXDID_FLEX_NIC_2:
++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_HASH_LOW, 0);
++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_HASH_HIGH, 1);
++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_FLOW_ID_LOWER, 2);
++
++ mdid = (prof_id == ICE_RXDID_FLEX_NIC_2) ?
++ ICE_RX_MDID_SRC_VSI : ICE_RX_MDID_FLOW_ID_HIGH;
++
++ ICE_PROG_FLEX_ENTRY(hw, prof_id, mdid, 3);
++
++ ice_init_flex_flags(hw, prof_id);
++ break;
++
++ default:
++ ice_debug(hw, ICE_DBG_INIT,
++ "Field init for profile ID %d not supported\n",
++ prof_id);
++ }
+ }
+
+ /**
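Review bot: In ice_init_flex_flags() every `ICE_PROG_FLG_ENTRY(...)` call passes `idx++` as a macro argument, which the macro forwards to `GLFLXP_RXDID_FLAGS(rxdid, idx)`. That macro's definition is not on this page, so whether `idx` is expanded exactly once cannot be confirmed here; a double expansion would advance the index twice and program the wrong flag registers for both profiles. Incrementing on its own statement removes the hazard, `ICE_PROG_FLG_ENTRY(hw, prof_id, ..., idx);` followed by `idx++;`. Separately, both `default:` arms end without `break;`, and `prof_id` (an enum) is printed with `%d` without a cast, which is worth tidying for consistency with the other cases.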
+@@ -494,7 +549,8 @@ enum ice_status ice_init_hw(struct ice_hw *hw)
+ if (status)
+ goto err_unroll_fltr_mgmt_struct;
+
+- ice_init_flex_parser(hw);
++ ice_init_flex_flds(hw, ICE_RXDID_FLEX_NIC);
++ ice_init_flex_flds(hw, ICE_RXDID_FLEX_NIC_2);
+
+ return 0;
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
+index 068dbc740b766..94504023d86e2 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
++++ b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
+@@ -188,23 +188,25 @@ struct ice_32b_rx_flex_desc_nic {
+ * with a specific metadata (profile 7 reserved for HW)
+ */
+ enum ice_rxdid {
+- ICE_RXDID_START = 0,
+- ICE_RXDID_LEGACY_0 = ICE_RXDID_START,
+- ICE_RXDID_LEGACY_1,
+- ICE_RXDID_FLX_START,
+- ICE_RXDID_FLEX_NIC = ICE_RXDID_FLX_START,
+- ICE_RXDID_FLX_LAST = 63,
+- ICE_RXDID_LAST = ICE_RXDID_FLX_LAST
++ ICE_RXDID_LEGACY_0 = 0,
++ ICE_RXDID_LEGACY_1 = 1,
++ ICE_RXDID_FLEX_NIC = 2,
++ ICE_RXDID_FLEX_NIC_2 = 6,
++ ICE_RXDID_HW = 7,
++ ICE_RXDID_LAST = 63,
+ };
+
+ /* Receive Flex Descriptor Rx opcode values */
+ #define ICE_RX_OPC_MDID 0x01
+
+ /* Receive Descriptor MDID values */
+-#define ICE_RX_MDID_FLOW_ID_LOWER 5
+-#define ICE_RX_MDID_FLOW_ID_HIGH 6
+-#define ICE_RX_MDID_HASH_LOW 56
+-#define ICE_RX_MDID_HASH_HIGH 57
++enum ice_flex_rx_mdid {
++ ICE_RX_MDID_FLOW_ID_LOWER = 5,
++ ICE_RX_MDID_FLOW_ID_HIGH,
++ ICE_RX_MDID_SRC_VSI = 19,
++ ICE_RX_MDID_HASH_LOW = 56,
++ ICE_RX_MDID_HASH_HIGH,
++};
+
+ /* Rx Flag64 packet flag bits */
+ enum ice_rx_flg64_bits {
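Review bot: This hunk deletes the enumerators `ICE_RXDID_START`, `ICE_RXDID_FLX_START` and `ICE_RXDID_FLX_LAST` and turns the `ICE_RX_MDID_*` defines into an enum, so any user of those names outside the two files in this patch would stop building or change type. Those users, if any, are not visible here and should be grepped for in the target tree. The patch also carries `Stable-dep-of: 00bf63122459 ("bpf: report RCU QS in cpumap kthread")`, yet its diffstat touches only ice driver files and the cpumap fix in this queue touches only kernel/bpf/cpumap.c. I cannot see what the bpf fix needs from this rework, so the dependency looks mis-attributed and is worth verifying before a feature change is pulled into a stable tree.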
+--
+2.43.0
+
--- /dev/null
+From 85a7db233defac1d3b3cc0e95495bd70084cc402 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Feb 2024 00:57:59 +0900
+Subject: kconfig: fix infinite loop when expanding a macro at the end of file
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit af8bbce92044dc58e4cc039ab94ee5d470a621f5 ]
+
+A macro placed at the end of a file with no newline causes an infinite
+loop.
+
+[Test Kconfig]
+ $(info,hello)
+ \ No newline at end of file
+
+I realized that flex-provided input() returns 0 instead of EOF when it
+reaches the end of a file.
+
+Fixes: 104daea149c4 ("kconfig: reference environment variables directly and remove 'option env='")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/zconf.l | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/kconfig/zconf.l b/scripts/kconfig/zconf.l
+index c2f577d719647..2a47ce9b219a0 100644
+--- a/scripts/kconfig/zconf.l
++++ b/scripts/kconfig/zconf.l
+@@ -292,8 +292,11 @@ static char *expand_token(const char *in, size_t n)
+ new_string();
+ append_string(in, n);
+
+- /* get the whole line because we do not know the end of token. */
+- while ((c = input()) != EOF) {
++ /*
++ * get the whole line because we do not know the end of token.
++ * input() returns 0 (not EOF!) when it reachs the end of file.
++ */
++ while ((c = input()) != 0) {
+ if (c == '\n') {
+ unput(c);
+ break;
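Review bot: The loop condition in expand_token() now stops only on 0, so it depends on every flex version used to build kconfig returning 0 from `input()` at end of file. If any supported version returns EOF instead, the original endless loop comes back in the other direction. Accepting both is cheap: `while ((c = input()) != 0 && c != EOF) {`. The new comment also has a typo, "reachs" should be "reaches". The function body continues outside the hunk.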
+--
+2.43.0
+
--- /dev/null
+From b25930af55e734f452ce3fa42faa7bb96e663039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 15:55:35 -0500
+Subject: net/bnx2x: Prevent access to a freed page in page_pool
+
+From: Thinh Tran <thinhtr@linux.ibm.com>
+
+[ Upstream commit d27e2da94a42655861ca4baea30c8cd65546f25d ]
+
+Fix race condition leading to system crash during EEH error handling
+
+During EEH error recovery, the bnx2x driver's transmit timeout logic
+could cause a race condition when handling reset tasks. The
+bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),
+which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()
+SGEs are freed using bnx2x_free_rx_sge_range(). However, this could
+overlap with the EEH driver's attempt to reset the device using
+bnx2x_io_slot_reset(), which also tries to free SGEs. This race
+condition can result in system crashes due to accessing freed memory
+locations in bnx2x_free_rx_sge()
+
+799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp,
+800 struct bnx2x_fastpath *fp, u16 index)
+801 {
+802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index];
+803 struct page *page = sw_buf->page;
+....
+where sw_buf was set to NULL after the call to dma_unmap_page()
+by the preceding thread.
+
+ EEH: Beginning: 'slot_reset'
+ PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()
+ bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...
+ bnx2x 0011:01:00.0: enabling device (0140 -> 0142)
+ bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload
+ Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
+ BUG: Kernel NULL pointer dereference on read at 0x00000000
+ Faulting instruction address: 0xc0080000025065fc
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ .....
+ Call Trace:
+ [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)
+ [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0
+ [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550
+ [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60
+ [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170
+ [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0
+ [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
+
+To solve this issue, we need to verify page pool allocations before
+freeing.
+
+Fixes: 4cace675d687 ("bnx2x: Alloc 4k fragment for each rx ring buffer element")
+Signed-off-by: Thinh Tran <thinhtr@linux.ibm.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20240315205535.1321-1-thinhtr@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+index df5e8c2e8eafe..844195849ae76 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+@@ -1008,9 +1008,6 @@ static inline void bnx2x_set_fw_mac_addr(__le16 *fw_hi, __le16 *fw_mid,
+ static inline void bnx2x_free_rx_mem_pool(struct bnx2x *bp,
+ struct bnx2x_alloc_pool *pool)
+ {
+- if (!pool->page)
+- return;
+-
+ put_page(pool->page);
+
+ pool->page = NULL;
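Review bot: Removing the `if (!pool->page) return;` guard leaves `put_page(pool->page)` unconditional in bnx2x_free_rx_mem_pool(), so the helper is now only safe when its caller has already checked the pointer. The replacement check is added in bnx2x_free_rx_sge_range() in the next hunk, but any other caller of this inline helper is not visible on this page and would now pass NULL straight to put_page(). Keeping the local guard as well costs nothing and keeps the helper self-contained: `if (!pool->page) return;`.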
+@@ -1021,6 +1018,9 @@ static inline void bnx2x_free_rx_sge_range(struct bnx2x *bp,
+ {
+ int i;
+
++ if (!fp->page_pool.page)
++ return;
++
+ if (fp->mode == TPA_MODE_DISABLED)
+ return;
+
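Review bot: The added `if (!fp->page_pool.page) return;` is a plain check-then-free with no lock or ordering visible in the hunk, while the commit message describes two contexts (the reset task and the EEH slot-reset path) freeing the same SGEs concurrently. If both can really run at the same time, each can pass this test before either clears the pointer, so the window is narrowed rather than closed. Whether a lock or other serialisation held by the callers covers this is outside the hunk and should be stated in a comment here, e.g. `/* pool already released by a previous unload; caller holds <lock> */` with the lock name filled in. The function continues past the end of the hunk.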
+--
+2.43.0
+
--- /dev/null
+From a468c608d0ca564952ec0d28f3801a677bcf1c07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Apr 2019 13:31:30 -0400
+Subject: net: hsr: fix placement of logical operator in a multi-line statement
+
+From: Murali Karicheri <m-karicheri2@ti.com>
+
+[ Upstream commit 059477830022e1886f55a9641702461c249fa864 ]
+
+In a multi-line statement exceeding 80 characters, logical operator
+should be at the end of a line instead of being at the start. This
+is seen when ran checkpatch.pl -f on files under net/hsr. The change
+is per suggestion from checkpatch.
+
+Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: ddbec99f5857 ("hsr: Fix uninit-value access in hsr_get_node()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 8 ++++----
+ net/hsr/hsr_framereg.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index adfb497606785..886fad5922b3c 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -63,8 +63,8 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
+ return false;
+
+ /* Correct ether type?. */
+- if (!(ethHdr->h_proto == htons(ETH_P_PRP)
+- || ethHdr->h_proto == htons(ETH_P_HSR)))
++ if (!(ethHdr->h_proto == htons(ETH_P_PRP) ||
++ ethHdr->h_proto == htons(ETH_P_HSR)))
+ return false;
+
+ /* Get the supervision header from correct location. */
+@@ -336,8 +336,8 @@ static int hsr_fill_frame_info(struct hsr_frame_info *frame,
+ /* FIXME: */
+ WARN_ONCE(1, "HSR: VLAN not yet supported");
+ }
+- if (ethhdr->h_proto == htons(ETH_P_PRP)
+- || ethhdr->h_proto == htons(ETH_P_HSR)) {
++ if (ethhdr->h_proto == htons(ETH_P_PRP) ||
++ ethhdr->h_proto == htons(ETH_P_HSR)) {
+ frame->skb_std = NULL;
+ frame->skb_hsr = skb;
+ frame->sequence_nr = hsr_get_skb_sequence_nr(skb);
+diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
+index 37795502bb511..9c5a423f0f7a3 100644
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -192,8 +192,8 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb,
+
+ /* Everyone may create a node entry, connected node to a HSR device. */
+
+- if (ethhdr->h_proto == htons(ETH_P_PRP)
+- || ethhdr->h_proto == htons(ETH_P_HSR)) {
++ if (ethhdr->h_proto == htons(ETH_P_PRP) ||
++ ethhdr->h_proto == htons(ETH_P_HSR)) {
+ /* Use the existing sequence_nr from the tag as starting point
+ * for filtering duplicate frames.
+ */
+--
+2.43.0
+
--- /dev/null
+From 7f8ef8fa7550564abba9bdeaf20658d97938cf49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 13:44:34 -0700
+Subject: rcu: add a helper to report consolidated flavor QS
+
+From: Yan Zhai <yan@cloudflare.com>
+
+[ Upstream commit 1a77557d48cff187a169c2aec01c0dd78a5e7e50 ]
+
+When under heavy load, network processing can run CPU-bound for many
+tens of seconds. Even in preemptible kernels (non-RT kernel), this can
+block RCU Tasks grace periods, which can cause trace-event removal to
+take more than a minute, which is unacceptably long.
+
+This commit therefore creates a new helper function that passes through
+both RCU and RCU-Tasks quiescent states every 100 milliseconds. This
+hard-coded value suffices for current workloads.
+
+Suggested-by: Paul E. McKenney <paulmck@kernel.org>
+Reviewed-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Signed-off-by: Yan Zhai <yan@cloudflare.com>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Link: https://lore.kernel.org/r/90431d46ee112d2b0af04dbfe936faaca11810a5.1710877680.git.yan@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 00bf63122459 ("bpf: report RCU QS in cpumap kthread")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rcupdate.h | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index cf139d6e5c1d3..38a9730b685b9 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -196,6 +196,37 @@ do { \
+ cond_resched(); \
+ } while (0)
+
++/**
++ * rcu_softirq_qs_periodic - Report RCU and RCU-Tasks quiescent states
++ * @old_ts: jiffies at start of processing.
++ *
++ * This helper is for long-running softirq handlers, such as NAPI threads in
++ * networking. The caller should initialize the variable passed in as @old_ts
++ * at the beginning of the softirq handler. When invoked frequently, this macro
++ * will invoke rcu_softirq_qs() every 100 milliseconds thereafter, which will
++ * provide both RCU and RCU-Tasks quiescent states. Note that this macro
++ * modifies its old_ts argument.
++ *
++ * Because regions of code that have disabled softirq act as RCU read-side
++ * critical sections, this macro should be invoked with softirq (and
++ * preemption) enabled.
++ *
++ * The macro is not needed when CONFIG_PREEMPT_RT is defined. RT kernels would
++ * have more chance to invoke schedule() calls and provide necessary quiescent
++ * states. As a contrast, calling cond_resched() only won't achieve the same
++ * effect because cond_resched() does not provide RCU-Tasks quiescent states.
++ */
++#define rcu_softirq_qs_periodic(old_ts) \
++do { \
++ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && \
++ time_after(jiffies, (old_ts) + HZ / 10)) { \
++ preempt_disable(); \
++ rcu_softirq_qs(); \
++ preempt_enable(); \
++ (old_ts) = jiffies; \
++ } \
++} while (0)
++
+ /*
+ * Infrastructure to implement the synchronize_() primitives in
+ * TREE_RCU and rcu_barrier_() primitives in TINY_RCU.
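Review bot: `rcu_softirq_qs_periodic()` expands `old_ts` twice, once inside `time_after()` and once as the assignment target, and the kernel-doc says only that the argument is modified, not that it must be a side-effect-free lvalue. I would add one sentence to the comment: `@old_ts must be a plain lvalue; it is evaluated more than once.` The macro also calls `rcu_softirq_qs()`, which is not declared in this hunk, so for the tree this queue targets it is worth confirming that the function exists with the consolidated-flavor behaviour the comment relies on. Nothing enforces the documented requirement that softirq and preemption be enabled at the call site, so callers have to be checked by hand.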
+--
+2.43.0
+
--- /dev/null
+From f6ac3624db2fea5a2366e7a24829d932bfba8a7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 18:28:38 +0900
+Subject: rds: introduce acquire/release ordering in acquire/release_in_xmit()
+
+From: Yewon Choi <woni9911@gmail.com>
+
+[ Upstream commit 1422f28826d2a0c11e5240b3e951c9e214d8656e ]
+
+acquire/release_in_xmit() work as bit lock in rds_send_xmit(), so they
+are expected to ensure acquire/release memory ordering semantics.
+However, test_and_set_bit/clear_bit() don't imply such semantics, on
+top of this, following smp_mb__after_atomic() does not guarantee release
+ordering (memory barrier actually should be placed before clear_bit()).
+
+Instead, we use clear_bit_unlock/test_and_set_bit_lock() here.
+
+Fixes: 0f4b1c7e89e6 ("rds: fix rds_send_xmit() serialization")
+Fixes: 1f9ecd7eacfd ("RDS: Pass rds_conn_path to rds_send_xmit()")
+Signed-off-by: Yewon Choi <woni9911@gmail.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Link: https://lore.kernel.org/r/ZfQUxnNTO9AJmzwc@libra05
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/send.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/rds/send.c b/net/rds/send.c
+index c856e6c963af9..dcb338339b717 100644
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -103,13 +103,12 @@ EXPORT_SYMBOL_GPL(rds_send_path_reset);
+
+ static int acquire_in_xmit(struct rds_conn_path *cp)
+ {
+- return test_and_set_bit(RDS_IN_XMIT, &cp->cp_flags) == 0;
++ return test_and_set_bit_lock(RDS_IN_XMIT, &cp->cp_flags) == 0;
+ }
+
+ static void release_in_xmit(struct rds_conn_path *cp)
+ {
+- clear_bit(RDS_IN_XMIT, &cp->cp_flags);
+- smp_mb__after_atomic();
++ clear_bit_unlock(RDS_IN_XMIT, &cp->cp_flags);
+ /*
+ * We don't use wait_on_bit()/wake_up_bit() because our waking is in a
+ * hot path and finding waiters is very rare. We don't want to walk
+--
+2.43.0
+
--- /dev/null
+From c5b0a53d5b8fcf11582f132c5ebafbdb6752da14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Feb 2024 21:02:58 -0800
+Subject: rtc: mt6397: select IRQ_DOMAIN instead of depending on it
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 544c42f798e1651dcb04fb0395219bf0f1c2607e ]
+
+IRQ_DOMAIN is a hidden (not user visible) symbol. Users cannot set
+it directly thru "make *config", so drivers should select it instead
+of depending on it if they need it.
+Relying on it being set for a dependency is risky.
+
+Consistently using "select" or "depends on" can also help reduce
+Kconfig circular dependency issues.
+
+Therefore, change the use of "depends on" for IRQ_DOMAIN to
+"select" for RTC_DRV_MT6397.
+
+Fixes: 04d3ba70a3c9 ("rtc: mt6397: add IRQ domain dependency")
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Eddie Huang <eddie.huang@mediatek.com>
+Cc: Sean Wang <sean.wang@mediatek.com>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-mediatek@lists.infradead.org
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Cc: linux-rtc@vger.kernel.org
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: Peter Rosin <peda@axentia.se>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20240213050258.6167-1-rdunlap@infradead.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig
+index b5845f16a3a26..199cc39459198 100644
+--- a/drivers/rtc/Kconfig
++++ b/drivers/rtc/Kconfig
+@@ -1719,7 +1719,8 @@ config RTC_DRV_MOXART
+
+ config RTC_DRV_MT6397
+ tristate "MediaTek PMIC based RTC"
+- depends on MFD_MT6397 || (COMPILE_TEST && IRQ_DOMAIN)
++ depends on MFD_MT6397 || COMPILE_TEST
++ select IRQ_DOMAIN
+ help
+ This selects the MediaTek(R) RTC driver. RTC is part of MediaTek
+ MT6397 PMIC. You should enable MT6397 PMIC MFD before select
+--
+2.43.0
+
--- /dev/null
+From 22c40184b5020a4a3f60bd07aafa2eaf7639235b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 17:04:57 +0200
+Subject: serial: 8250_exar: Don't remove GPIO device on suspend
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 73b5a5c00be39e23b194bad10e1ea8bb73eee176 ]
+
+It seems a copy&paste mistake that suspend callback removes the GPIO
+device. There is no counterpart of this action, means once suspended
+there is no more GPIO device available untile full unbind-bind cycle
+is performed. Remove suspicious GPIO device removal in suspend.
+
+Fixes: d0aeaa83f0b0 ("serial: exar: split out the exar code from 8250_pci")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20240219150627.2101198-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_exar.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
+index 195f58c5b477f..319737919381d 100644
+--- a/drivers/tty/serial/8250/8250_exar.c
++++ b/drivers/tty/serial/8250/8250_exar.c
+@@ -553,6 +553,7 @@ static void exar_pci_remove(struct pci_dev *pcidev)
+ for (i = 0; i < priv->nr; i++)
+ serial8250_unregister_port(priv->line[i]);
+
++ /* Ensure that every init quirk is properly torn down */
+ if (priv->board->exit)
+ priv->board->exit(pcidev);
+ }
+@@ -567,10 +568,6 @@ static int __maybe_unused exar_suspend(struct device *dev)
+ if (priv->line[i] >= 0)
+ serial8250_suspend_port(priv->line[i]);
+
+- /* Ensure that every init quirk is properly torn down */
+- if (priv->board->exit)
+- priv->board->exit(pcidev);
+-
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3911d2d30418b66aaf1e5ef09d08470d2dd98d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 10:22:01 -0500
+Subject: serial: max310x: fix syntax error in IRQ error message
+
+From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+
+[ Upstream commit 8ede8c6f474255b2213cccd7997b993272a8e2f9 ]
+
+Replace g with q.
+
+Helpful when grepping thru source code or logs for
+"request" keyword.
+
+Fixes: f65444187a66 ("serial: New serial driver MAX310X")
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+Link: https://lore.kernel.org/r/20240118152213.2644269-6-hugo@hugovil.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/max310x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
+index e68dbd13110ba..1c8fd06befec4 100644
+--- a/drivers/tty/serial/max310x.c
++++ b/drivers/tty/serial/max310x.c
+@@ -1363,7 +1363,7 @@ static int max310x_probe(struct device *dev, struct max310x_devtype *devtype,
+ if (!ret)
+ return 0;
+
+- dev_err(dev, "Unable to reguest IRQ %i\n", irq);
++ dev_err(dev, "Unable to request IRQ %i\n", irq);
+
+ out_uart:
+ for (i = 0; i < devtype->nr; i++) {
+--
+2.43.0
+
net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch
nfs-fix-an-off-by-one-in-root_nfs_cat.patch
clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch
+usb-phy-generic-get-the-vbus-supply.patch
+serial-max310x-fix-syntax-error-in-irq-error-message.patch
+tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch
+kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch
+rtc-mt6397-select-irq_domain-instead-of-depending-on.patch
+serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch
+staging-greybus-fix-get_channel_from_mode-failure-pa.patch
+usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch
+net-hsr-fix-placement-of-logical-operator-in-a-multi.patch
+hsr-fix-uninit-value-access-in-hsr_get_node.patch
+rds-introduce-acquire-release-ordering-in-acquire-re.patch
+hsr-handle-failures-in-module-init.patch
+net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch
+ice-rework-flex-descriptor-programming.patch
+rcu-add-a-helper-to-report-consolidated-flavor-qs.patch
+bpf-report-rcu-qs-in-cpumap-kthread.patch
+spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch
--- /dev/null
+From bf2871fea56f942aab44542980195d4844227556 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Mar 2024 15:08:57 +0800
+Subject: spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
+
+From: Fei Shao <fshao@chromium.org>
+
+[ Upstream commit a20ad45008a7c82f1184dc6dee280096009ece55 ]
+
+The TX buffer in spi_transfer can be a NULL pointer, so the interrupt
+handler may end up writing to the invalid memory and cause crashes.
+
+Add a check to trans->tx_buf before using it.
+
+Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers")
+Signed-off-by: Fei Shao <fshao@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mt65xx.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
+index faca2ab758992..89ec119215371 100644
+--- a/drivers/spi/spi-mt65xx.c
++++ b/drivers/spi/spi-mt65xx.c
+@@ -524,17 +524,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id)
+ mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len);
+ mtk_spi_setup_packet(master);
+
+- cnt = mdata->xfer_len / 4;
+- iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
+- trans->tx_buf + mdata->num_xfered, cnt);
++ if (trans->tx_buf) {
++ cnt = mdata->xfer_len / 4;
++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
++ trans->tx_buf + mdata->num_xfered, cnt);
+
+- remainder = mdata->xfer_len % 4;
+- if (remainder > 0) {
+- reg_val = 0;
+- memcpy(®_val,
+- trans->tx_buf + (cnt * 4) + mdata->num_xfered,
+- remainder);
+- writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ remainder = mdata->xfer_len % 4;
++ if (remainder > 0) {
++ reg_val = 0;
++ memcpy(®_val,
++ trans->tx_buf + (cnt * 4) + mdata->num_xfered,
++ remainder);
++ writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ }
+ }
+
+ mtk_spi_enable_transfer(master);
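Review bot: The new `if (trans->tx_buf)` guard has no comment saying why a NULL TX buffer is legitimate here, or what the controller is expected to shift out when the FIFO fill is skipped. A one-line comment above the guard would record that, e.g. `/* tx_buf is NULL for rx-only transfers; skip the TX FIFO fill */` (presumably this is the rx-only case; confirm against the SPI core contract). The guard covers only this refill path in mtk_spi_interrupt(), whose body starts and ends outside the hunk. Any other place in the driver that reads `tx_buf` for a FIFO transfer should be checked for the same assumption.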
+--
+2.43.0
+
--- /dev/null
+From 639427305cd60733fdef5d2f8a6a38bd8902f6b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 10:04:48 +0300
+Subject: staging: greybus: fix get_channel_from_mode() failure path
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 34164202a5827f60a203ca9acaf2d9f7d432aac8 ]
+
+The get_channel_from_mode() function is supposed to return the channel
+which matches the mode. But it has a bug where if it doesn't find a
+matching channel then it returns the last channel. It should return
+NULL instead.
+
+Also remove an unnecessary NULL check on "channel".
+
+Fixes: 2870b52bae4c ("greybus: lights: add lights implementation")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Reviewed-by: Alex Elder <elder@linaro.org>
+Link: https://lore.kernel.org/r/379c0cb4-39e0-4293-8a18-c7b1298e5420@moroto.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/light.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c
+index db06cd544af58..8c5819d1e1abe 100644
+--- a/drivers/staging/greybus/light.c
++++ b/drivers/staging/greybus/light.c
+@@ -102,15 +102,15 @@ static struct led_classdev *get_channel_cdev(struct gb_channel *channel)
+ static struct gb_channel *get_channel_from_mode(struct gb_light *light,
+ u32 mode)
+ {
+- struct gb_channel *channel = NULL;
++ struct gb_channel *channel;
+ int i;
+
+ for (i = 0; i < light->channels_count; i++) {
+ channel = &light->channels[i];
+- if (channel && channel->mode == mode)
+- break;
++ if (channel->mode == mode)
++ return channel;
+ }
+- return channel;
++ return NULL;
+ }
+
+ static int __gb_lights_flash_intensity_set(struct gb_channel *channel,
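Review bot: Returning NULL on a miss turns every caller that uses the result unchecked into a NULL pointer dereference, where it previously operated silently on the last channel. The call sites are outside this hunk, so each use of get_channel_from_mode() needs auditing, and any that dereferences the return value should gain a check such as `if (!channel) return -EINVAL;`. A short comment on the function would make the new contract explicit: `/* Returns the channel whose mode matches, or NULL if the light has none. */`.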
+--
+2.43.0
+
--- /dev/null
+From 342e4cb30122e00a183d135ab843b78c2e47b18e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 10:45:08 +0000
+Subject: tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+[ Upstream commit 314c2b399288f0058a8c5b6683292cbde5f1531b ]
+
+The core expects for tx_empty() either TIOCSER_TEMT when the tx is
+empty or 0 otherwise. s3c24xx_serial_txempty_nofifo() might return
+0x4, and at least uart_get_lsr_info() tries to clear exactly
+TIOCSER_TEMT (BIT(1)). Fix tx_empty() to return TIOCSER_TEMT.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Link: https://lore.kernel.org/r/20240119104526.1221243-2-tudor.ambarus@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/samsung.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
+index 5f1f52cc63951..c76bf1c11e6fd 100644
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -800,11 +800,10 @@ static unsigned int s3c24xx_serial_tx_empty(struct uart_port *port)
+ if ((ufstat & info->tx_fifomask) != 0 ||
+ (ufstat & info->tx_fifofull))
+ return 0;
+-
+- return 1;
++ return TIOCSER_TEMT;
+ }
+
+- return s3c24xx_serial_txempty_nofifo(port);
++ return s3c24xx_serial_txempty_nofifo(port) ? TIOCSER_TEMT : 0;
+ }
+
+ /* no modem control lines */
+--
+2.43.0
+
--- /dev/null
+From c30ee767556eff77753a428889e08b34538b62d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 18:17:34 +0000
+Subject: usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+[ Upstream commit 600556809f04eb3bbccd05218215dcd7b285a9a9 ]
+
+Currently the variable irqflags is being set but is not being used,
+it appears it should be used in the call to net2272_probe_fin
+rather than IRQF_TRIGGER_LOW being used. Kudos to Uwe Kleine-König
+for suggesting the fix.
+
+Cleans up clang scan build warning:
+drivers/usb/gadget/udc/net2272.c:2610:15: warning: variable 'irqflags'
+set but not used [-Wunused-but-set-variable]
+
+Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller")
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20240307181734.2034407-1-colin.i.king@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2272.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c
+index 077fa9304618d..2004442d791cf 100644
+--- a/drivers/usb/gadget/udc/net2272.c
++++ b/drivers/usb/gadget/udc/net2272.c
+@@ -2638,7 +2638,7 @@ net2272_plat_probe(struct platform_device *pdev)
+ goto err_req;
+ }
+
+- ret = net2272_probe_fin(dev, IRQF_TRIGGER_LOW);
++ ret = net2272_probe_fin(dev, irqflags);
+ if (ret)
+ goto err_io;
+
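Review bot: Passing `irqflags` drops the guarantee that the interrupt is requested level-low, and the code that fills `irqflags` is outside this hunk. If that code can leave it without any trigger bit (for example an IRQ resource that carries no trigger flags), boards that relied on the hard-coded IRQF_TRIGGER_LOW would now request the line with whatever trigger is already configured. If that case is reachable, a fallback before the call keeps the old behaviour: `if (!(irqflags & IRQF_TRIGGER_MASK)) irqflags = IRQF_TRIGGER_LOW;`. net2272_plat_probe() starts and ends outside the hunk.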
+--
+2.43.0
+
--- /dev/null
+From 506472a209a7a1d611415b39a853973d0f81b8d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Apr 2022 13:14:09 -0400
+Subject: usb: phy: generic: Get the vbus supply
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit 03e607cbb2931374db1825f371e9c7f28526d3f4 ]
+
+While support for working with a vbus was added, the regulator was never
+actually gotten (despite what was documented). Fix this by actually
+getting the supply from the device tree.
+
+Fixes: 7acc9973e3c4 ("usb: phy: generic: add vbus support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Link: https://lore.kernel.org/r/20220425171412.1188485-3-sean.anderson@seco.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/phy/phy-generic.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/usb/phy/phy-generic.c b/drivers/usb/phy/phy-generic.c
+index a53b89be53248..8a04b157f19f3 100644
+--- a/drivers/usb/phy/phy-generic.c
++++ b/drivers/usb/phy/phy-generic.c
+@@ -283,6 +283,13 @@ int usb_phy_gen_create_phy(struct device *dev, struct usb_phy_generic *nop,
+ return -EPROBE_DEFER;
+ }
+
++ nop->vbus_draw = devm_regulator_get_exclusive(dev, "vbus");
++ if (PTR_ERR(nop->vbus_draw) == -ENODEV)
++ nop->vbus_draw = NULL;
++ if (IS_ERR(nop->vbus_draw))
++ return dev_err_probe(dev, PTR_ERR(nop->vbus_draw),
++ "could not get vbus regulator\n");
++
+ nop->dev = dev;
+ nop->phy.dev = nop->dev;
+ nop->phy.label = "nop-xceiv";
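Review bot: The first test calls `PTR_ERR(nop->vbus_draw)` before anything has established that the value is an error pointer, and the second `if` then re-tests a value the first may have just overwritten. It works because a valid pointer never compares equal to -ENODEV, but the intent reads more clearly as `if (IS_ERR(nop->vbus_draw) && PTR_ERR(nop->vbus_draw) == -ENODEV)` followed by `else if (IS_ERR(nop->vbus_draw))`. A comment such as `/* vbus supply is optional; a missing one is not an error */` would also explain why -ENODEV is swallowed. usb_phy_gen_create_phy() continues outside the hunk.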
+--
+2.43.0
+